December 3, 2021

Fortify Security Team

Title: Phishing Actors Start Exploiting the Omicron COVID-19 Variant
Date Published:  December 2, 2021

https://www.bleepingcomputer.com/news/security/phishing-actors-start-exploiting-the-omicron-covid-19-variant/

Excerpt:  “Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns.  Threat actors are quick to adjust to the latest trends and hot topics, and increasing people’s fears is an excellent way to cause people to rush to open an email without first thinking it through.  In this case, the Omicron variant is an emerging strain of COVID-19 that has scientists concerned over its high transmissibility and the potential ineffectiveness of existing vaccines against its mutations.”

Title: Hackers Use In-house Zoho ServiceDesk Exploit to Drop Webshells
Date Published:  December 2, 2021

https://www.bleepingcomputer.com/news/security/hackers-use-in-house-zoho-servicedesk-exploit-to-drop-webshells/

Excerpt:  “An advanced persistent threat (APT) group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.  The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077.  Zoho addressed the RCE flaw on September 16, 2021, and on November 22, 2021, the company published a security advisory to alert customers of active exploitation. Users were slow to update, though, and remained vulnerable to attacks.  According to a report from Palo Alto Networks’ Unit42, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group leveraging it developed the exploit code itself and are using it exclusively for now.”

Title: NginRAT – A Stealth Malware Targets E-store Hiding on Nginx Servers
Date Published:  December 2, 2021

https://securityaffairs.co/wordpress/125216/malware/nginrat-magecart-attack.html

Excerpt:  “Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.  CronRAT is employed in Magecart attacks against online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.  While investigating CronRAT infections in North America and Europe, the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers, bypassing security solutions.  Like CronRAT, NginRAT also works as a “server-side Magecart”; it injects itself into an Nginx process.  Experts pointed out that a rogue Nginx process could not be distinguished from the original.”

Title: Colorado Energy Company Loses 25 Years of Data after Cyberattack While Still Rebuilding Network
Date Published:  December 2, 2021

https://www.zdnet.com/article/colorado-energy-company-loses-25-years-of-data-after-cyberattack-still-rebuilding-network/

Excerpt:  “Colorado’s Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost.  In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6.  “We also tentatively estimate we will be able to resume member billing the week of December 6 – 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022,” the company said on a page that has been updated repeatedly over the last month.”

Title: Password-stealing and Keylogging Malware is Being Spread Through Fake Downloads
Date Published:  December 3, 2021

https://www.zdnet.com/article/this-password-stealing-and-keylogging-malware-is-being-spread-through-fake-software-downloads/

Excerpt:  “Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilities as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.  The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos, who’ve named the campaign ‘magnat’.  It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.”

Title: There’s Been a Big Jump in Crooks Selling Access to Hacked Networks. Ransomware Gangs Are Their Best Customers
Date Published:  December 3, 2021

https://www.zdnet.com/article/theres-been-a-big-jump-in-crooks-selling-access-to-hacked-networks-ransomware-gangs-are-their-best-customers/

Excerpt:  “There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.  Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021.  Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more.  With this access, cyber criminals can access a company’s networks and attempt to gain access to usernames and passwords or administrator rights which allow them to gain further control over the network.”

Title: Phishing Scam Targets Military Families
Date Published:  December 2, 2021

https://www.infosecurity-magazine.com/news/phishing-scam-targets-military/

Excerpt:  “Threat researchers at Lookout are helping to take down a phishing campaign that has been targeting members of the United States military and their families.  The scammers behind the long-running campaign impersonate military support organizations and personnel to commit advance fee fraud, stealing sensitive personal and financial information for monetary gain.  “Based on our analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address and phone number,” wrote Lookout’s researchers in a blog post on the scam published today.  “With this information, the actor could easily steal the victim’s identity, empty their bank account and impersonate the individual online.”  The campaign’s backbone is a series of websites that have been designed to appear as though they are affiliated with the military. To bring an added touch of authenticity to the sites, the operators add advertisements for Department of Defense services to their malicious content.”

Title: IoT Devices Must “Protect Consumers from Cyberharm”, Says UK Government
Date Published:  December 2, 2021

https://nakedsecurity.sophos.com/2021/12/02/iot-devices-must-protect-consumers-from-cyberharm-says-uk-government/

Excerpt:  “Very simply put, the UK government wants to set some basic, minimum standards for at least the following:  Default passwords. If Parliament gets its way, there won’t be any. You won’t be allowed to have pre-configured passwords in your devices, so that you can’t flood the market with products that every crook already knows how to get into.  Vulnerability disclosures. You’ll need a reliable way for security researchers who believe in responsible disclosure to contact you, and (we hope) some visible commitment to closing off security holes that you already know about before the crooks figure them out.  Update commitments. You’ll need to tell buyers in advance how long you are going to provide security fixes for the product they’re buying today.  Presumably, the third item in this list will be used hand-in-hand with the second one to stop you unilaterally disowning a tricky security problem by simply abandoning support as soon as it suits you, leaving your users – and the environment! – with a landfill device that became useless long before they might reasonably have expected.”

Title: Key Characteristics of Malicious Domains: Report
Date Published:  December 2, 2021

https://www.darkreading.com/threat-intelligence/research-outs-the-providers-more-likely-to-host-malicious-content

Excerpt:  “The newness of top-level domains as well as infrastructure located in certain countries continue to be reliable signs of whether network traffic could be malicious, while the use of self-signed Secure Sockets Layer (SSL) certificates — or those issued by the free Let’s Encrypt service — are not abnormally risky, according to new research.  Internet security service DomainTools, in a new report released today, focused on active domains that exceeded certain thresholds in terms of the size of the infrastructure and found that top-level domains, IP autonomous system numbers, and IP geolocations are consistent indicators of risky content, compared with the average domain.  Domains that use name servers maintained by Internap Japan and HostKey in the US, for example, were far more likely to be the source of risky traffic than average, according to the “DomainTools Report for Fall 2021.”  On the other hand, SSL certificates that are self-signed or from free services, such as Let’s Encrypt, were not any more likely to be malicious than average, says Tim Helming, security evangelist with DomainTools.”

Title: Phishing Kits’ Favorite Brand? Amazon
Date Published:  December 3, 2021

https://www.helpnetsecurity.com/2021/12/03/phishing-kits-imitating-brands/

Excerpt:  “Research conducted by Egress and Orpheus Cyber has revealed a surge in phishing kits imitating major brands in the lead up to Black Friday, as security experts warn that cybercriminals are stepping up their phishing attacks over the holiday shopping season.  The research has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typosquatting domains explicitly tied to phishing kits.  Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions.  Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for the popular online auction site eBay and over four times as many as for retail giant Walmart.”
