Title: SonicWall Shares Temp Fix for Firewalls Stuck in Reboot Loop
Date Published: January 21, 2022
Excerpt: “Following a stream of customer reports that started yesterday evening, security hardware manufacturer SonicWall has provided a temporary workaround for reviving next-gen firewalls running SonicOS 7.0 stuck in a reboot loop. SonicWall’s Gen7 firewalls are the company’s newest firewall devices providing users with encrypted traffic inspection, malware analysis, and cloud app security capabilities. Gen7 models include TZ series firewalls for SMBs and branches, NSA series firewalls for mid-sized enterprises, NSsp series firewalls for large enterprises, data centers, and service providers, and NSv series virtual firewalls.”
Title: Conti Ransomware Gang Started Leaking Files Stolen from Bank Indonesia
Date Published: January 21, 2022
https://securityaffairs.co/wordpress/126988/cyber-crime/bank-indonesia-conti-ransomware.html
Excerpt: “Bank Indonesia confirmed that it was the victim of a ransomware attack that took place last month. The Conti ransomware gang claimed the attack and leaked some allegedly stolen files as proof of the security breach. A bank spokesperson told Reuters that the ransomware attack did not impact services. “We were attacked, but so far so good as we took anticipatory measures and most importantly public services at Bank Indonesia were not disrupted at all,” its spokesperson Erwin Haryono told reporters. According to CNN Indonesia, a spokesman for Indonesia’s cyber agency (BSSN) said no critical data was leaked and the attacks occurred in a Bank Indonesia office on Sumatra island. Conti operators have added Bank Indonesia to the list of victims on their Tor leaks site, the gang claims to have stolen 13.88 GB worth of files.”
Title: Stealthy Firmware Bootkit Leveraged by APT in Targeted Attacks
Date Published: January 21, 2022
https://www.helpnetsecurity.com/2022/01/21/firmware-bootkit/
Excerpt: “Kaspersky researchers have uncovered the third known case of a firmware bootkit in the wild. Dubbed MoonBounce, this malicious implant is hidden within Unified Extensible Firmware Interface (UEFI) firmware, an essential part of computers, in the SPI flash, a storage component external to the hard drive. Such implants are notoriously difficult to remove and are of limited visibility to security products. Having first appeared in the wild in the spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits. The researchers attributed the campaign, with considerable confidence, to the well-known advanced persistent threat (APT) actor APT41.”
Title: FBI Links Diavol Ransomware to the TrickBot Cybercrime Group
Date Published: January 20, 2022
Excerpt: “The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan. The TrickBot Gang, aka Wizard Spider, are the developers of malware infections that have played havoc on corporate networks for years, commonly leading to Conti and Ryuk ransomware attacks, network infiltration, financial fraud, and corporate espionage. The TrickBot Gang is most known for its namesake, the TrickBot banking trojan, but is also behind the development of the BazarBackdoor and Anchor backdoors.”
Title: Spyware Blitzes Compromise, Cannibalize ICS Networks
Date Published: January 21, 2022
https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/177851/
Excerpt: “Attackers are targeting industrial enterprises with spyware campaigns that hunt for corporate credentials so they can be used both for financial gain and to cannibalize compromised networks to propagate future attacks, researchers have found. The campaigns use off-the-shelf spyware but are unique in that they limit the scope and lifetime of each sample to the bare minimum, according to researchers at Kaspersky ICS CERT who uncovered the campaigns. Researchers dubbed the attacks “anomalous” because they veer from typical spyware attacks, Kaspersky’s Kirill Kruglov wrote in a report published this week on the SecureList blog. Attackers use spearphishing emails sent from compromised corporate mailboxes that include malicious attachments that deliver spyware, he explained.”
Title: Google Drive Starts Warning users About Suspicious Files
Date Published: January 21, 2022
https://www.helpnetsecurity.com/2022/01/21/google-drive-suspicious-files/
Excerpt: “Google has announced on Thursday that it has started warning users when they open potentially suspicious or dangerous files hosted on Google Drive. “We will display a warning banner to help protect [users] and their organization from malware, phishing and ransomware. These warnings are already available when opening Google Docs, Sheets, Slides, and Drawings,” Google noted. Administrators and end users don’t have to do anything – the alerts will start appearing within 15 days.”
Title: McAfee Agent Bug Lets Hackers Run Code with Windows SYSTEM Privileges
Date Published: January 21, 2022
Excerpt: “McAfee has patched a security vulnerability discovered in the company’s McAfee Agent software for Windows enabling attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. McAfee Agent is a client-side component of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints. The company has patched the high severity local privilege escalation (LPE) flaw tracked as CVE-2022-0166 and discovered by CERT/CC vulnerability analyst Will Dormann issued security updates with the release of McAfee Agent 5.7.5 on January 18.”
Title: Wiper Malware in Ukraine Ties to Summer 2021 Intrusions
Date Published: January 21, 2022
https://www.bankinfosecurity.com/wiper-malware-in-ukraine-ties-to-summer-2021-intrusions-a-18356
Excerpt: “Multiple systems at two Ukrainian government agencies were infected by wiper malware disguised as ransomware, as Microsoft first warned Saturday. Two days prior, on Jan. 13, a number of Ukrainian government websites were defaced, possibly in a coordinated effort, and displayed messages warning Ukrainians to “be afraid and expect the worst.” Neither attack has been attributed to any group or nation-state. Ukrainian government officials in Kyiv say early signs point to Russia, possibly working with ally and fellow NATO critic Belarus. Attribution, however, always carries a caveat: When a government casts blame for an attack, it does so for political purposes.”
Title: New BHUNT Stealer Targets Cryptocurrency Wallets
Date Published: January 20, 2022
https://securityaffairs.co/wordpress/126938/malware/bhunt-stealer-targets-cryptocurrency.html
Excerpt: “Bitdefender discovered a new evasive cryptocurrency stealer stealer dubbed BHUNT that is able to exfiltrate wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and data from the clipboard. BHUNT is a modular stealer written in .NET, its binary files are heavily encrypted with commercial packers such as Themida and VMProtect. The samples identified by the experts are digitally signed with a digital certificate issued to a software company, but Bitdefender pointed out that the digital certificate does not match the binaries. The samples analyzed by Bitdefender uses encrypted configuration scripts that are downloaded from public Pastebin pages. According to the experts, the malware spreads via cracked software installers and infected users in multiple countries, including Australia, Egypt, Germany, India, Indonesia, Japan, Malaysia, Norway, Singapore, South Africa, Spain, and the US.”
Title: Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs
Date Published: January 20, 2022
https://threatpost.com/apple-safari-bug-browsing-data-google-ids/177809/
Excerpt: “A security vulnerability in Apple’s browsers for macOS, iOS and iPadOS can lead to information disclosure, researchers have warned. Apple has just marked the issue as “resolved,” but it will take some time for the fixes to roll out, they said, so users should implement mitigations. According to researchers at FingerprintJS, the bug is a same-origin policy violation. Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server. Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.”