December 3, 2021

Fortify Security Team

Title: Phishing Actors Start Exploiting the Omicron COVID-19 Variant
Date Published:  December 2, 2021

Excerpt:  “Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns.  Threat actors are quick to adjust to the latest trends and hot topics, and increasing people’s fears is an excellent way to cause people to rush to open an email without first thinking it through.  In this case, the Omicron variant is an emerging strain of COVID-19 that has scientists concerned over its high transmissibility and the potential ineffectiveness of existing vaccines against its mutations.”

Title: Hackers Use In-house Zoho ServiceDesk Exploit to Drop Webshells
Date Published:  December 2, 2021

Excerpt:  “An advanced persistent threat (APT) group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.  The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077.  Zoho addressed the RCE flaw on September 16, 2021, and on November 22, 2021, the company published a security advisory to alert customers of active exploitation. Users were slow to update, though, and remained vulnerable to attacks.  According to a report from Palo Alto Networks’ Unit42, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group leveraging it developed the exploit code itself and is using it exclusively for now.”

Title: NginRAT – A Stealth Malware Targets E-store Hiding on Nginx Servers
Date Published:  December 2, 2021

Excerpt:  “Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) on February 31st.  CronRAT is employed in Magecart attacks against online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.  While investigating CronRAT infections in North America and Europe, the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers, bypassing security solutions. Like CronRAT, NginRAT works as a “server-side Magecart”: it injects itself into an Nginx process.  Experts pointed out that a rogue Nginx process could not be distinguished from the original.”

Title: Colorado Energy Company Loses 25 Years of Data after Cyberattack While Still Rebuilding Network
Date Published:  December 2, 2021

Excerpt:  “Colorado’s Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost.  In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6.  “We also tentatively estimate we will be able to resume member billing the week of December 6 – 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022,” the company said on a page that has been updated repeatedly over the last month.”

Title: Password-stealing and Keylogging Malware is Being Spread Through Fake Downloads
Date Published:  December 3, 2021

Excerpt:  “Cyber criminals are using online adverts for fake versions of popular software to trick users into downloading three forms of malware – including a malicious browser extension with the same capabilities as trojan malware – that provide attackers with usernames and passwords, as well as backdoor remote access to infected Windows PCs.  The attacks, which distribute two forms of seemingly undocumented custom-developed malware, have been detailed by cybersecurity researchers at Cisco Talos who’ve named the campaign ‘magnat’. It appears the campaign has been operating in some capacity since 2018 and the malware has been in continuous development.  Over half of the victims are in Canada, but there have also been victims around the world, including in the United States, Europe, Australia and Nigeria.”

Title: There’s Been a Big Jump in Crooks Selling Access to Hacked Networks. Ransomware Gangs Are Their Best Customers
Date Published:  December 3, 2021

Excerpt:  “There’s been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.  Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there’s been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021.  Crooks are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more.  With this access, cyber criminals can access a company’s networks and attempt to gain access to usernames and passwords or administrator rights which allow them to gain further control over the network.”

Title: Phishing Scam Targets Military Families
Date Published:  December 2, 2021

Excerpt:  “Threat researchers at Lookout are helping to take down a phishing campaign that has been targeting members of the United States military and their families.  The scammers behind the long-running campaign impersonate military support organizations and personnel to commit advance fee fraud, stealing sensitive personal and financial information for monetary gain.  “Based on our analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address and phone number,” wrote Lookout’s researchers in a blog post on the scam published today.  “With this information, the actor could easily steal the victim’s identity, empty their bank account and impersonate the individual online.”  The campaign’s backbone is a series of websites that have been designed to appear as though they are affiliated with the military. To bring an added touch of authenticity to the sites, the operators add advertisements for Department of Defense services to their malicious content.”

Title: IoT Devices Must “Protect Consumers from Cyberharm”, Says UK Government
Date Published:  December 2, 2021

Excerpt:  “Very simply put, the UK government wants to set some basic, minimum standards for at least the following:  Default passwords. If Parliament gets its way, there won’t be any. You won’t be allowed to have pre-configured passwords in your devices, so that you can’t flood the market with products that every crook already knows how to get into.  Vulnerability disclosures. You’ll need a reliable way for security researchers who believe in responsible disclosure to contact you, and (we hope) some visible commitment to closing off security holes that you already know about before the crooks figure them out.  Update commitments. You’ll need to tell buyers in advance how long you are going to provide security fixes for the product they’re buying today.  Presumably, the third item in this list will be used hand-in-hand with the second one to stop you unilaterally disowning a tricky security problem by simply abandoning support as soon as it suits you, leaving your users – and the environment! – with a landfill device that became useless long before they might reasonably have expected.”

Title: Key Characteristics of Malicious Domains: Report
Date Published:  December 2, 2021

Excerpt:  “The newness of top-level domains as well as infrastructure located in certain countries continue to be reliable signs of whether network traffic could be malicious, while the use of self-signed Secure Sockets Layer (SSL) certificates — or those issued by the free Let’s Encrypt service — are not abnormally risky, according to new research.  Internet security service DomainTools, in a new report released today, focused on active domains that exceeded certain thresholds in terms of the size of the infrastructure and found that top-level domains, IP autonomous system numbers, and IP geolocations are consistent indicators of risky content, compared with the average domain.  Domains that use name servers maintained by Internap Japan and HostKey in the US, for example, were far more likely to be the source of risky traffic than average, according to the “DomainTools Report for Fall 2021.”  On the other hand, SSL certificates that are self-signed or from free services, such as Let’s Encrypt, were not any more likely to be malicious than average, says Tim Helming, security evangelist with DomainTools.”

Title: Phishing Kits’ Favorite Brand? Amazon
Date Published:  December 3, 2021

Excerpt:  “Research conducted by Egress and Orpheus Cyber has revealed a surge in phishing kits imitating major brands in the lead-up to Black Friday, as security experts warn that cybercriminals are stepping up their phishing attacks over the holiday shopping season.  The research has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typosquatting domains explicitly tied to phishing kits. Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions.  Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for the popular online auction site eBay and over four times as many as for retail giant Walmart.”
