January 19, 2022

Fortify Security Team

Title: Office 365 Phishing Attack Impersonates the US Department of Labor
Date Published: January 19, 2022

Excerpt: “A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids to steal Office 365 credentials. The phishing campaign has been ongoing for at least a couple of months and utilizes over ten different phishing sites impersonating the government agency. In a new report by email security firm INKY, who shared the report with Bleeping Computer before publication, researchers illustrated how the phishing attack is used to steal credentials.”

Title: Box Flaw Allowed to Bypass MFA and Takeover Accounts
Date Published: January 19, 2022

Excerpt: “A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported. Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMSs.
Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021. Upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).”

Title: DDoS IRC Bot Malware Spreading Through Korean WebHard Platforms
Date Published: January 18, 2022

Excerpt: An IRC (Internet Relay Chat) bot strain programmed in GoLang is being used to launch distributed denial-of-service (DDoS) attacks targeting users in Korea. “The malware is being distributed under the guise of adult games,” researchers from AhnLab’s Security Emergency-response Center (ASEC) said in a new report published on Wednesday. “Additionally, the DDoS malware was installed via downloader and UDP RAT was used.” The attack works by uploading the malware-laced games to webhards, which refer to a web hard drive or a remote file hosting service, in the form of compressed ZIP archives that, when opened, include an executable (“Game_Open.exe”) that’s orchestrated to run a malware payload aside from launching the actual game.

Title: Interpol Arrests 11 BEC Gang Members Linked to 50,000 Targets
Date Published: January 19, 2022

Excerpt: “In coordination with the Nigerian Police Force, Interpol has arrested 11 individuals suspected of participating in an international BEC (business email compromise) ring. BEC is a type of attack conducted via email involving the spear-phishing of certain company employees responsible for approving payments to contractors, suppliers, etc. By impersonating a coworker, a supervisor, or a client/supplier, BEC actors manage to divert payments to their bank accounts, essentially stealing them from the targeted company. In the latest Interpol operation codenamed ‘Falcon II,’ which unfolded between December 12 and 22, 2021, the police followed leads provided by cyber-intelligence firms Group-IB and Palo Alto Networks’ Unit 42 to arrest suspects in Lagos and Asaba.”

Title: Cybercriminals Actively Target VMware vSphere with Cryptominers
Date Published: January 18, 2022

Excerpt: Organizations running sophisticated virtual networks with VMware’s vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected. Uptycs’ Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks. “Cryptojacking campaigns mostly target the systems having high-end resources,” Sharma pointed out. “In this campaign as we saw the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted.”

Title: The Log4j Vulnerability Puts Pressure on the Security World
Date Published: January 18, 2022

Excerpt: “It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad. First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times every minute. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.”

Title: Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
Date Published: January 19, 2022

Excerpt: “Potential connections between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike have been established in what the researchers suspect is being offered as a tool for its customers to stage post-exploitation activities. Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malicious software distribution campaigns undertaken by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S.”

Title: Windows Server 2019 OOB update fixes reboots, Hyper-V, ReFS bugs
Date Published: January 18, 2022

Excerpt: “Microsoft has released an emergency out-of-band (OOB) update for Windows Server 2019 that fixes numerous critical bugs introduced during the January 2022 Patch Tuesday. Soon after Windows Server admins installed the January 2022 updates, they began reporting severe issues, including domain controllers entering into boot loops, Hyper-V no longer starting, L2TP VPN connections failing, and ReFS volumes becoming inaccessible. The issues were severe enough that many admins chose to uninstall the updates and forgo the included security fixes so that their servers could operate correctly again.”

Title: Luxury Fashion Giant Moncler Confirmed a Data Breach After a Ransomware Attack Carried Out by AlphV/BlackCat
Date Published: January 18, 2022

Excerpt: “Moncler confirmed a data breach after an attack that took place in December. The luxury fashion giant was hit by AlphV/BlackCat ransomware that today published the stolen data on its leak site in the Tor network. In December, malware researchers from Recorded Future and MalwareHunterTeam discovered ALPHV (aka BlackCat), the first professional ransomware strain that was written in the Rust programming language. BlackCat can target Windows, Linux, and VMware ESXi systems, but at this time the number of victims is limited.”

Title: NSO Group Spyware Reportedly Used by Israeli Police Force
Date Published: January 18, 2022

Excerpt: “Spyware from controversial Israeli software firm NSO Group was reportedly used by the nation’s civilian police force, according to a new report from an Israeli business publication, Calcalist. The new findings allege that the Israeli police conducted warrantless phone taps on Israeli politicians and activists, among others. According to the report, NSO Group, which was sanctioned by the U.S. Department of Commerce in November 2021, provided its flagship spyware product, Pegasus, to the police force, which in turn allegedly monitored local mayors and protesters who criticized former Prime Minister Benjamin Netanyahu. The report – which does not disclose sources – indicates that surveillance proceeded without court supervision or oversight on data use.”
