December 14, 2021

Fortify Security Team

Title: Log4j: Getting Ready for the Long Haul (CVE-2021-44228)

Date Published: December 14, 2021

https://isc.sans.edu/diary/rss/28130

Excerpt: “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term. Please keep notes as you are dealing with this vulnerability and as you are finding new instances in your environment using log4j. I don’t think this was the last we heard of log4j or JNDI. History taught us that vulnerabilities like this could focus attention on respective features and libraries. I suspect there will be more to come.”

Title: Collecting In the Dark: Tropic Trooper Targets Transportation and Government

Date Published: December 14, 2021

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

Excerpt: “After further analysis, we found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim. Furthermore, it also tends to use existing frameworks to make customized backdoors. By using existing frameworks, examples of which are detailed in the following, it builds new backdoor variants more efficiently.”

Title: NLRB Employee Charged for Allegedly Selling Information to Anti-Union Firm

Date Published: December 14, 2021

https://www.vice.com/en/article/qjbkqv/nlrb-employee-charged-for-allegedly-selling-information-to-anti-union-firm

Excerpt: “According to the court documents, Rodrigues worked as a Field Examiner for the NLRB’s Newark, New Jersey regional office and routinely accessed documents outside her area of concern. “All told, between late 2017 and early 2021, Rodrigues accessed over 4,000 documents from outside of her region,” the court said. “Rodrigues regularly accessed documents on the NLRB’s internal computer systems that were not yet available to the public, and that she had no business reason to access.””

Title: ‘Seedworm’ Attackers Target Telcos in Asia, Middle East

Date Published: December 14, 2021

https://threatpost.com/seedworm-attackers-telcos-asia-middle-east/176992/

Excerpt: “Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. Though the identity of attackers also is unconfirmed, they potentially could be linked to the Iranian group Seedworm, aka MuddyWater or TEMP.Zagros, researchers said. This group in the past has engaged in widespread phishing campaigns against organizations in Asia and the Middle East in a mission to steal credentials and gain persistence in the target’s networks.”

Title: Karakurt Rises from Its Lair

Date Published: December 10, 2021

https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation

Excerpt: “Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities.”

Title: Cuba Ransomware Analysis

Date Published: December 14, 2021

https://lab52.io/blog/cuba-ransomware-analysis/

Excerpt: “Nonetheless, the geopolitical analysis has revealed a few details of strategic interest. Firstly, the fact that most of the countries attacked, according to a McAfee report, correspond to those located in Latin America, North America and Europe. Of these, the most targeted were: Spain, Colombia and Germany. However, when looking at the possible link between the countries attacked and the sectors compromised, it has not been possible to identify a clear interest in the attack, since although Colombia is a US ally in Latin America and a NATO observer state, and Spain is a member of the European Union and NATO with a good geostrategic position, none of them stand out among the critical sectors that have been attacked.”

Title: TinyNuke Banking Malware Targets French Entities

Date Published: December 13, 2021

https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities

Excerpt: “Proofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly observed TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with regularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services. The campaigns use French language lures with invoice or other financial themes, and almost exclusively target French entities and companies with operations in France.”

Title: Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware

Date Published: December 13, 2021

https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild

Excerpt: “Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension “.khonsari” and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.”

Title: Google Fixed the 17th Zero-Day in Chrome since the Start of the Year

Date Published: December 14, 2021

https://securityaffairs.co/wordpress/125615/security/google-zero-day-chrome.html

Excerpt: “Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild. The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption. “Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” reads the advisory published by Google which did not share additional info regarding these attacks. The vulnerability was reported by an anonymous researcher on 2021-12-09.”

Title: Virginia Legislative Agencies and Commissions Hit With Ransomware Attack

Date Published: December 14, 2021

https://www.zdnet.com/article/virginia-legislative-agencies-and-commissions-hit-with-ransomware-attack/

Excerpt: “The Richmond Times-Dispatch reported that the attack began at the Department of Legislative Automated Systems on Sunday before spreading to “almost all legislative branch websites.” The only things spared were the Legislative Information System on the General Assembly site and the executive branch agencies. In September, the Virginia Defense Force and the Virginia Department of Military Affairs revealed that a cyberattack impacted them in July. Ransomware groups have made millions from attacking local governments at the city, county and state levels. Experts told The Washington Post in August that for 2020, at least 2,354 governments, healthcare facilities and schools across the US were hit with ransomware.”
