November 9, 2021

Fortify Security Team
Nov 9, 2021

Title: Medical Software Firm Urges Password Resets After Ransomware Attack
Date Published: November 9, 2021

https://www.bleepingcomputer.com/news/security/medical-software-firm-urges-password-resets-after-ransomware-attack/

Excerpt: “The ransomware attack on Mediatixx took place last week, and the company is still recovering, so far only managing to restore email and central telephone systems. Also, regional sales partners and all customer support lines are up and running, so clients can reach out to company representatives to address any concerns they may have. There’s no estimate for when the company will return to normal operational status. Finally, it has not been determined if the actors managed to exfiltrate any client, doctor, or patient data. However, the company states they informed Germany’s data protection authority about the incident and will issue an update after the investigations are concluded.”

Title: Multiple BusyBox Security Bugs Threaten Embedded Linux Devices
Date Published: November 9, 2021

https://threatpost.com/busybox-security-bugs-linux-devices/176098/

Excerpt: “The discovery of the flaws are significant because of the proliferation of BusyBox not just for the embedded Linux world, but also for numerous Linux applications outside of devices, Menashe said in an email to Threatpost. “These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” he said. However, the good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit, researchers reported.”

Title: The Cyber Insurance Dilemma: The Risks of a Safety Net
Date Published: November 9, 2021

https://www.helpnetsecurity.com/2021/11/09/cyber-insurance-dilemma/

Excerpt: “According to a report published by the Howden Group in June 2021, the average global cyber insurance premium rate has increased by 32% year on year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the companies’ cybersecurity protocols to see if they reach the standard. Before, the checking process was mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant companies what they need to add, and the insurer won’t sign the contract until everything is in place.”

Title: Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Date Published: November 5, 2021

https://blogs.blackberry.com/en/2021/11/zebra2104

Excerpt: “This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104. IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”

Title: Robinhood Reveals Data Breach and Extortion Shakedown
Date Published: November 9, 2021

https://www.bankinfosecurity.com/robinhood-reveals-data-breach-extortion-shakedown-a-17869

Excerpt: “The attacker obtained email addresses for 5 million people and full names for a “different group” of 2 million people, Robinhood says. More personal information and data, meanwhile, were also stolen, albeit for a smaller number of customers. For 310 individuals, this stolen data included their name, birthdate and ZIP code. A group of 10 customers also had “more extensive account details revealed,” but Robinhood did not specify the precise information stolen by the attacker.”

Title: US Charges Ukrainian National for Kaseya Ransomware Attack
Date Published: November 8, 2021

https://www.darkreading.com/attacks-breaches/us-charges-ukrainian-national-for-kaseya-ransomware-attack

Excerpt: “Vasinskyi is one of five individuals who have been arrested worldwide since February 2021 for allegedly deploying REvil (aka Sodinokibi) on systems belonging to organizations in multiple countries, including the US, Germany, and France. Two were arrested Nov. 4 in Romania, two were arrested in South Korea, and Vasinskyi was arrested in October in Poland. It’s not clear when the two REvil-related arrests in South Korea happened. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations. In addition to the arrests related to REvil, international law enforcement authorities have arrested two other individuals for deploying Gandcrab, the predecessor to REvil.”

Title: Nation-state Actors Target Critical Sectors by Exploiting the CVE-2021-40539 Flaw
Date Published: November 8, 2021

https://securityaffairs.co/wordpress/124315/hacking/nation-state-actors-critical-sectors-cve-2021-40539.html

Excerpt: “In the middle of September, the FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) warned that nation-state APT groups were actively exploiting the CVE-2021-40539 flaw. Experts also observed a series of unrelated attacks that failed to compromise their targets; these attacks have been attributed to separated threat actors. “As early as Sept. 17 the actor leveraged lease infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries.” reads the analysis published by Palo Alto Networks.”

Title: BlackBerry Uncovers Initial Access Broker Linked to 3 Distinct Hacker Groups
Date Published: November 8, 2021

https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html

Excerpt: “”IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web,” BlackBerry researchers noted in a technical report published last week. “Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign.” An August 2021 analysis of more than 1,000 access listings advertised for sale by IABs in underground forums on the dark web found that the average cost of network access was $5,400 for the period July 2020 to June 2021, with the most valuable offers including domain admin privileges to enterprise systems.”

Title: US Sanctions Chatex Cryptoexchange Used by Ransomware Gangs
Date Published: November 8, 2021

https://www.bleepingcomputer.com/news/security/us-sanctions-chatex-cryptoexchange-used-by-ransomware-gangs/

Excerpt: “The US Treasury Department announced today sanctions against the Chatex cryptocurrency exchange for helping ransomware gangs evade sanctions and facilitating ransom transactions. The Treasury also sanctioned the Russian-linked Suex crypto exchange in September for helping at least eight ransomware groups, with over 40% of its known transaction linked to illicit actors. “Analysis of Chatex’s known transactions indicate that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” the Treasury Department said.”

Title: US Defense Contractor Discloses Data Breach
Date Published: November 5, 2021

https://www.darkreading.com/attacks-breaches/us-defense-contractor-discloses-data-breach

Excerpt: “Electronic Warfare Associates (EWA), a US defense contractor, has confirmed a data breach in which attackers exfiltrated files containing personal information. The breach began with a phishing attack that had “some limited impact” on EWA email accounts, officials report in a notification letter. Their investigation determined an attacker broke into EWA email accounts on Aug. 2, 2021; the organization learned of the attack when the intruder attempted wire fraud. “We have no reason to believe the purpose of the infiltration was to obtain personal information,” the notification states. “Nevertheless, the threat actor’s activities did result in the exfiltration of files with certain personal information”.”

Recent Posts

September 16, 2022

Title: Uber hacked, internal systems breached and vulnerability reports stolen Date Published: September 16, 2022 https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ Excerpt: “Uber suffered a...

September 15, 2022

Title: Webworm hackers modify old malware in new attacks to evade attribution Date Published: September 15, 2022 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/ Excerpt: “The Chinese 'Webworm'...

September 14, 2022

Title: Chinese hackers create Linux version of the SideWalk Windows malware Date Published: September 14, 2022 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/ Excerpt: “State-backed Chinese hackers...

September 13, 2022

Title: Cyberspies drop new infostealer malware on govt networks in Asia Date Published: September 13, 2022 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/ Excerpt: “Security researchers have identified...

September 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data Date Published: September 12, 2022 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/ Excerpt: “Cisco has confirmed that the data leaked...

September 9, 2022

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/ Excerpt: “A new version of the...

September 8, 2022

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/ Excerpt: “The North Korean APT group 'Lazarus' (APT38)...