January 19, 2022

Fortify Security Team
Jan 19, 2022

Title: Office 365 Phishing Attack Impersonates the US Department of Labor
Date Published: January 19, 2022


Excerpt: “A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids to steal Office 365 credentials. The phishing campaign has been ongoing for at least a couple of months and utilizes over ten different phishing sites impersonating the government agency. In a new report by email security firm INKY, who shared the report with Bleeping Computer before publication, researchers illustrated how the phishing attack is used to steal credentials.”

Title: Box Flaw Allowed to Bypass MFA and Takeover Accounts
Date Published: January 19, 2022


Excerpt: “A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported. Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMSs.
Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021. Upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).”

Title: DDoS IRC Bot Malware Spreading Through Korean WebHard Platforms
Date Published: January 18, 2022


Excerpt: An IRC (Internet Relay Chat) bot strain programmed in GoLang is being used to launch distributed denial-of-service (DDoS) attacks targeting users in Korea. “The malware is being distributed under the guise of adult games,” researchers from AhnLab’s Security Emergency-response Center (ASEC) said in a new report published on Wednesday. “Additionally, the DDoS malware was installed via downloader and UDP RAT was used.” The attack works by uploading the malware-laced games to webhards, which refers to a web hard drive or a remote file hosting service, in the form of compressed ZIP archives that, when opened, includes an executable (“Game_Open.exe”) that’s orchestrated to run a malware payload aside from launching the actual game.”

Title: Interpol Arrests 11 BEC Gang Members Linked to 50,000 Targets
Date Published: January 19, 2022


Excerpt: “In coordination with the Nigerian Police Force, Interpol has arrested 11 individuals suspected of participating in an international BEC (business email compromise) ring. BEC is a type of attack conducted via email involving the spear-phishing of certain company employees responsible for approving payments to contractors, suppliers, etc. By impersonating a coworker, a supervisor, or a client/supplier, BEC actors manage to divert payments to their bank accounts, essentially stealing them from the targeted company. In the latest Interpol operation codenamed ‘Falcon II,’ which unfolded between December 12 and 22, 2021, the police followed leads provided by cyber-intelligence firms Group-IB and Palo Alto Networks’ Unit 42 to arrest suspects in Lagos and Asaba.”

Title: Cybercriminals Actively Target VMware vSphere with Cryptominers
Date Published: January 18, 2022


Excerpt: Organizations running sophisticated virtual networks with VMware’s vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected. Uptycs’ Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks. “Cryptojacking campaigns mostly target the systems having high-end resources,” Sharma pointed out. “In this campaign as we saw the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted.”

Title: The Log4j Vulnerability Puts Pressure on the Security World
Date Published: January 18, 2022


Excerpt: “It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad. First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times every minute. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.”

Title: Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
Date Published: January 19, 2022


Excerpt: “Potential connections between a subscription-based crimeware-as-a-service (Caas) solution and a cracked copy of Cobalt Strike have been established in what the researchers suspect is being offered as a tool for its customers to stage post-exploitation activities. Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malicious software distribution campaigns undertaken by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S.”

Title: Windows Server 2019 OOB update fixes reboots, Hyper-V, ReFS bugs
Date Published: January 18, 2022


Excerpt: “Microsoft has released an emergency out-of-band (OOB) update for Windows Server 2019 that fixes numerous critical bugs introduced during the January 2022 Patch Tuesday. Soon after Windows Server admins installed the January 2022 updates, they began reporting severe issues, including domain controllers entering into boot loops, Hyper-V no longer starting, L2TP VPN connections failing, and ReFS volumes becoming inaccessible. The issues were severe enough that many admins chose to uninstall the updates and forgo the included security fixes so that their servers could operate correctly again.”

Title: Luxury Fashion Giant Moncler Confirmed a Data Breach After a Ransomware Attack Carried out by the AlphV/BlackCat.
Date Published: January 18, 2022


Excerpt: “Moncler confirmed a data breach after an attack that took place in December. The luxury fashion giant was hit by AlphV/BlackCat ransomware that today published the stolen data on its leak site in the Tor network. In December, malware researchers from Recorded Future and MalwareHunterTeam discovered ALPHV (aka BlackCat), the first professional ransomware strain that was written in the Rust programming language. BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited.”

Title: NSO Group Spyware Reportedly Used by Israeli Police Force
Date Published: January 18, 2022


Excerpt: “Spyware from controversial Israeli software firm NSO Group was reportedly used by the nation’s civilian police force, according to a new report from an Israeli business publication, Calcalist. The new findings allege that the Israeli police conducted warrantless phone taps on Israeli politicians and activists, among others. According to the report, NSO Group, which was sanctioned by the U.S. Department of Commerce in November 2021, provided its flagship spyware product, Pegasus, to the police force, which in turn allegedly monitored local mayors and protesters who criticized former Prime Minister Benjamin Netanyahu. The report – which does not disclose sources – indicates that surveillance proceeded without court supervision or oversight on data use.”

Recent Posts

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...

November 30, 2022

Title: China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines Date Published: November 30, 2022 https://securityaffairs.co/wordpress/139097/apt/unc4191-used-usb-devices.html Excerpt: “An alleged China-linked cyberespionage group,...

November 30, 2022

Title: China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines Date Published: November 30, 2022 https://securityaffairs.co/wordpress/139097/apt/unc4191-used-usb-devices.html Excerpt: “An alleged China-linked cyberespionage group,...

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...