January 14, 2022

Fortify Security Team
Jan 14, 2022

Title: Android users can now disable 2G to block Stingray attacks
Date Published: January 13, 2022

https://www.bleepingcomputer.com/news/security/android-users-can-now-disable-2g-to-block-stingray-attacks/

Excerpt: “Google has finally rolled out an option on Android allowing users to disable 2G connections, which come with a host of privacy and security problems exploited by cell-site simulators.The addition of the option was spotted by EFF (Electronic Frontier Foundation), which calls the development a victory for privacy protection.Caught by “stingrays”:A cell-site simulator, also known as “stingray” or IMSI Catcher, is a device that masquerades as a cell tower, forcing cell phones in their range to connect to it.”

Title: Threat actors can bypass malware detection due to Microsoft Defender weakness
Date Published: January 14, 2022

https://securityaffairs.co/wordpress/126689/hacking/microsoft-defender-weakness.html

Excerpt: “Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.”

Title: Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM
Date Published: January 13, 2022

https://thehackernews.com/2022/01/cisco-releases-patch-for-critical-bug.html

Excerpt: Cisco Systems has rolled out security updates for a critical security vulnerability affecting Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker to take control of an affected system.Tracked as CVE-2022-20658, the vulnerability has been rated 9.6 in severity on the CVSS scoring system, and concerns a privilege escalation flaw arising out of a lack of server-side validation of user permissions that could be weaponized to create rogue Administrator accounts by submitting a crafted HTTP request.”

Title: Microsoft RDP Bug Enables Data Theft, Smart-Card Hijacking
Date Published: January 13, 2022

https://www.darkreading.com/vulnerabilities-threats/rdp-bug-enables-data-theft-smartcard-hijacking

Excerpt: “Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers, connected to a remote system via RDP, a way to gain file system access on the machines of other connected users. Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.”

Title: Hackers buying space from major cloud providers to distribute malware
Date Published: January 13, 2022

https://www.securitymagazine.com/articles/96900-hackers-buying-space-from-major-cloud-providers-to-distribute-malware

Excerpt: “Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users’ information. According to Cisco, the victims of this campaign are primarily distributed across the United States, Italy and Singapore. The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method.The campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and Amazon Web Services and are actively misusing them to achieve their malicious objectives. Threat actors, Cisco says, are increasingly using cloud technologies to achieve their objectives without resorting to hosting their own infrastructure, allowing them to set up their infrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more difficult for defenders to track the attackers’ operations.”

Title: Russian government arrests REvil ransomware gang members
Date Published: January 14, 2022

https://www.bleepingcomputer.com/news/security/russian-government-arrests-revil-ransomware-gang-members/

Excerpt: The Federal Security Service (FSB) of the Russian Federation says that they shut down the REvil ransomware gang after U.S. authorities reported on the leader. More than a dozen members of the gang have been arrested following police raids at 25 addresses, the Russian security agency says in a press release today. “The basis for the search activities was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption” – Russia’s Federal Security Service. Russian authorities have detained 14 individuals suspected to be part of the REvil ransomware-as-a-service (RaaS) operation and confiscated cryptocurrency and fiat money as follows:”

Title: Statutory restrictions hindered federal response to SolarWinds, Microsoft Exchange
Date Published: January 13, 2022

https://www.scmagazine.com/analysis/incident-response/statutory-restrictions-hindered-federal-response-to-solarwinds-microsoft-exchange

Excerpt: The SolarWinds and Microsoft Exchange incidents improved coordination between the government and private industry, but also exposed worrying gaps in the government’s information sharing, auditors concluded in a new Government Accountability Office report released Thursday. Specifically, officials from two agencies (the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency) told auditors that information-sharing protocols in the wake of both incidents were “slow” and “a challenge,” largely due to statutory restrictions. Many exchanges with stakeholders of information around the vulnerabilities took place manually through email, instead of through dedicated or automated channels.”

Title: Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks
Date Published: January 13, 2022

https://www.bankinfosecurity.com/ukraine-police-bust-ransomware-suspects-tied-to-50-attacks-a-18302

Excerpt: “Police in Ukraine have arrested five individuals on suspicion of using ransomware to extort more than 50 companies across the United States and Europe. Authorities say the group’s alleged ringleader, a 36-year-old resident of Ukraine’s capital city of Kyiv – formerly known as Kiev – was arrested together with his wife and three alleged accomplices. The National Police of Ukraine’s cyber division says that “according to preliminary estimates, more than 50 companies were affected by the attacks, with the total amount of damage reaching more than $1 million.””

Title: Three Plugins with Same Bug Put 84K WordPress Sites at Risk
Date Published: January 14, 2022

https://threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/

Excerpt: “Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however. On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday.”

Title: North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide
Date Published: January 14, 2022

https://thehackernews.com/2022/01/north-korean-hackers-stole-millions.html

Excerpt: “Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what’s yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor.Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name “SnatchCrypto,” noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam.”

Recent Posts

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...

November 16, 2022

Title: North Korean Hackers Target European Orgs With Updated Malware Date Published: November 15, 2022 https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/ Excerpt: “North Korean hackers are using a new...

November 16, 2022

Title: North Korean Hackers Target European Orgs With Updated Malware Date Published: November 15, 2022 https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/ Excerpt: “North Korean hackers are using a new...

November 15, 2022

Title: China-Based Campaign Uses 42,000 Phishing Domains Date Published: November 15, 2022 https://www.infosecurity-magazine.com/news/chinabased-campaign-42000-phishing/ Excerpt: “Security researchers have uncovered a sophisticated phishing campaign using tens of...

November 14, 2022

Title: Kmsdbot, a New Evasive Bot for Cryptomining Activity and Ddos Attacks Date Published: November 14, 2022 https://securityaffairs.co/wordpress/138514/malware/kmsdbot-golang-malware.html Excerpt: “Researchers spotted a new evasive malware, tracked as KmsdBot, that...