December 14, 2021

Fortify Security Team

Title: Log4j: Getting Ready for the Long Haul (CVE-2021-44228)

Date Published: December 14, 2021

https://isc.sans.edu/diary/rss/28130

Excerpt: “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term. Please keep notes as you are dealing with this vulnerability and as you are finding new instances in your environment using log4j. I don’t think this was the last we heard of log4j or JNDI. History taught us that vulnerabilities like this could focus attention on respective features and libraries. I suspect there will be more to come.”
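The diary’s advice to keep notes as you find new log4j instances assumes you have a repeatable way to find them. The script below is an added example (not code from the ISC diary or from this digest) of a small inventory scanner: it walks a directory of JAR/WAR/EAR archives, recurses into nested archives, reads the log4j-core version from the Maven pom.properties entry, and records whether the JndiLookup class is still present (its removal was the widely used class-deletion mitigation). The affected range is taken from the Apache advisory for CVE-2021-44228 (2.0-beta9 through 2.14.1, fixed in 2.15.0); the FIXED threshold is a constant you should move as the advisory changes. The sample archives in demo() are constructed in memory for the example and are not real artifacts.

```python
"""Inventory scanner for log4j-core inside JAR/WAR/EAR archives (CVE-2021-44228).

Added example, not part of the ISC diary. Walks a directory, opens every
archive, recurses into nested archives, and records the log4j-core version
(from Maven pom.properties) plus whether JndiLookup.class is present, so the
findings can be kept as the long-term inventory the diary recommends.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass, asdict

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

# Affected range for CVE-2021-44228 per the Apache advisory: 2.0-beta9 up to and
# including 2.14.1, fixed in 2.15.0. Move FIXED as later advisories change the bar.
FIRST_AFFECTED = "2.0-beta9"
FIXED = "2.15.0"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}   # pre-releases sort below the final


def version_key(version):
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple; None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage], int(num or 0))


def is_affected(version):
    """True/False for a parseable version; None means 'review by hand'."""
    key = version_key(version)
    if key is None:
        return None
    return version_key(FIRST_AFFECTED) <= key < version_key(FIXED)


@dataclass
class Finding:
    location: str            # outer path, '!'-separated for nested archives
    version: str
    affected: object         # True / False / None (unparseable version)
    jndi_lookup_present: bool  # False means the class-removal mitigation is in place


def _parse_pom_version(data):
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_bytes(data, location):
    """Scan one archive held in memory; recurse into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        name_set = set(names)
        if POM_PROPS in name_set:
            version = _parse_pom_version(zf.read(POM_PROPS))
            findings.append(Finding(location, version, is_affected(version),
                                    JNDI_LOOKUP in name_set))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_bytes(zf.read(name), f"{location}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under a directory tree on disk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), path))
    return findings


def _make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    """Constructed sample data: a WAR bundling log4j-core 2.14.1 and 2.15.0, plus a
    standalone 2.14.1 jar with JndiLookup.class removed (class-removal mitigation)."""
    stub_class = b"\xca\xfe\xba\xbe"  # fake class-file bytes; only the name matters
    vulnerable = _make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: stub_class})
    patched = _make_jar({POM_PROPS: b"version=2.15.0\n", JNDI_LOOKUP: stub_class})
    mitigated = _make_jar({POM_PROPS: b"version=2.14.1\n"})
    war = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable,
                     "WEB-INF/lib/log4j-core-2.15.0.jar": patched})
    results = scan_bytes(war, "app.war") + scan_bytes(mitigated, "log4j-core-2.14.1.jar")
    return [asdict(f) for f in results]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run scan_tree("/opt") (or wherever your application servers keep their libraries) and persist the returned records; the version string comes from the library’s own pom.properties, so it is independent of file names, and a 2.14.1 hit with jndi_lookup_present=False tells you the mitigation was applied rather than the upgrade.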

Title: Collecting In the Dark: Tropic Trooper Targets Transportation and Government

Date Published: December 14, 2021

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

Excerpt: “After further analysis, we found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim. Furthermore, it also tends to use existing frameworks to make customized backdoors. By using existing frameworks, examples of which are detailed in the following, it builds new backdoor variants more efficiently.”

Title: NLRB Employee Charged for Allegedly Selling Information to Anti-Union Firm

Date Published: December 14, 2021

https://www.vice.com/en/article/qjbkqv/nlrb-employee-charged-for-allegedly-selling-information-to-anti-union-firm

Excerpt: “According to the court documents, Rodrigues worked as a Field Examiner for the NLRB’s Newark, New Jersey regional office and routinely accessed documents outside her area of concern. ‘All told, between late 2017 and early 2021, Rodrigues accessed over 4,000 documents from outside of her region,’ the court said. ‘Rodrigues regularly accessed documents on the NLRB’s internal computer systems that were not yet available to the public, and that she had no business reason to access.’”

Title: ‘Seedworm’ Attackers Target Telcos in Asia, Middle East

Date Published: December 14, 2021

https://threatpost.com/seedworm-attackers-telcos-asia-middle-east/176992/

Excerpt: “‘Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,’ researchers wrote in the report. Though the identity of attackers also is unconfirmed, they potentially could be linked to the Iranian group Seedworm, aka MuddyWater or TEMP.Zagros, researchers said. This group in the past has engaged in widespread phishing campaigns against organizations in Asia and the Middle East in a mission to steal credentials and gain persistence in the target’s networks.”

Title: Karakurt Rises from Its Lair

Date Published: December 10, 2021

https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation

Excerpt: “Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities.”

Title: Cuba Ransomware Analysis

Date Published: December 14, 2021

https://lab52.io/blog/cuba-ransomware-analysis/

Excerpt: “Nonetheless, the geopolitical analysis has revealed a few details of strategic interest. Firstly, the fact that most of the countries attacked, according to a McAfee report, correspond to those located in Latin America, North America and Europe. Of these, the most targeted were: Spain, Colombia and Germany. However, when looking at the possible link between the countries attacked and the sectors compromised, it has not been possible to identify a clear interest in the attack, since although Colombia is a US ally in Latin America and a NATO observer state, and Spain is a member of the European Union and NATO with a good geostrategic position, none of them stand out among the critical sectors that have been attacked.”

Title: TinyNuke Banking Malware Targets French Entities

Date Published: December 13, 2021

https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities

Excerpt: “Proofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly observed TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with regularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services. The campaigns use French language lures with invoice or other financial themes, and almost exclusively target French entities and companies with operations in France.”

Title: Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware

Date Published: December 13, 2021

https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild

Excerpt: “Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension “.khonsari” and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.”

Title: Google Fixed the 17th Zero-Day in Chrome since the Start of the Year

Date Published: December 14, 2021

https://securityaffairs.co/wordpress/125615/security/google-zero-day-chrome.html

Excerpt: “Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild. The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine; its exploitation could lead to the execution of arbitrary code or data corruption. ‘Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,’ reads the advisory published by Google, which did not share additional info regarding these attacks. The vulnerability was reported by an anonymous researcher on 2021-12-09.”

Title: Virginia Legislative Agencies and Commissions Hit With Ransomware Attack

Date Published: December 14, 2021

https://www.zdnet.com/article/virginia-legislative-agencies-and-commissions-hit-with-ransomware-attack/

Excerpt: “The Richmond Times-Dispatch reported that the attack began at the Department of Legislative Automated Systems on Sunday before spreading to ‘almost all legislative branch websites.’ The only things spared were the Legislative Information System on the General Assembly site and the executive branch agencies. In September, the Virginia Defense Force and the Virginia Department of Military Affairs revealed that a cyberattack impacted them in July. Ransomware groups have made millions from attacking local governments at the city, county and state levels. Experts told The Washington Post in August that for 2020, at least 2,354 governments, healthcare facilities and schools across the US were hit with ransomware.”
