January 25, 2022

Fortify Security Team

Title: Attackers Now Actively Targeting Critical SonicWall RCE bug
Date Published: January 24, 2022

https://www.bleepingcomputer.com/news/security/attackers-now-actively-targeting-critical-sonicwall-rce-bug/

Excerpt: “A critical severity vulnerability impacting SonicWall’s Secure Mobile Access (SMA) gateways addressed last month is now targeted in ongoing exploitation attempts. The bug, found by Rapid7 Lead Security Researcher Jacob Baines, is an unauthenticated stack-based buffer overflow tracked as CVE-2021-20038 that impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled. Successful exploitation can let remote unauthenticated attackers execute code as the ‘nobody’ user in compromised SonicWall appliances.”

Title: Latest Version of Android RAT BRATA Wipes Devices After Stealing Data
Date Published: January 25, 2022

https://securityaffairs.co/wordpress/127131/cyber-crime/new-android-brata-rat.html

Excerpt: “The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device. Security experts at Kaspersky discovered the Android RAT BRATA (the name comes from ‘Brazilian RAT Android’) in 2019, when it was used to spy on Brazilian users. The BRATA RAT was first detected in January 2019 while spreading via WhatsApp and SMS messages. The RAT was delivered through the official Google Play Store and also via unofficial Android app stores. Most of the tainted apps pose as an update to the popular instant messaging application WhatsApp that would address the CVE-2019-3568 flaw in the instant messaging application. Once the malware has infected the victim’s device, it will start its keylogging feature, enhancing it with real-time streaming functionality. The malware leverages the Android Accessibility Service feature to interact with other applications installed on the victim’s device.”

Title: MoleRats APT Launches Spy Campaign on Bankers, Politicians, Journalists
Date Published: January 24, 2022

https://threatpost.com/molerats-apt-spy-bankers-politicians-journalists/177907/

Excerpt: “Malicious files doctored up to look like legitimate content related to the Israeli-Palestine conflict are being used to target prominent Palestinians, as well as activists and journalists in Turkey, with spyware. That’s according to a disclosure from Zscaler, which attributes the cyberattacks to the MoleRats advanced persistent threat (APT). Zscaler’s research team was able to tie MoleRats, an Arabic-speaking group with a history of targeting Palestinian interests, to this campaign because of overlap in the .NET payload and command-and-control (C2) servers with previous MoleRats APT attacks.”

Title: Beware of Fake Tax Apps Pushing Malware
Date Published: January 25, 2022

https://www.helpnetsecurity.com/2022/01/25/fake-tax-apps/

Excerpt: “With the self-assessment tax deadline fast approaching in the UK, self-employed individuals will be looking to take advantage of the many apps that are on the market to help make the tax return process as smooth as possible. Unfortunately, there is a real and pervasive problem of tax-related cybercrime. It is not uncommon for cyber scams to be tied to current affairs, as this ensures that they are far-reaching and timely. When it comes to apps, for every good and useful app that exists, there will nearly always be malicious individuals looking to exploit its popularity to try to steal from unsuspecting individuals.”

Title: Suspected REvil Ransomware Spinoff ‘Ransom Cartel’ Debuts
Date Published: January 24, 2022

https://www.bankinfosecurity.com/suspected-revil-ransomware-spinoff-ransom-cartel-debuts-a-18365

Excerpt: “Has the notorious REvil, aka Sodinokibi, ransomware operation rebooted as “Ransom Cartel”? Security experts say the new group has technical and other crossovers with REvil. But whether the new group is a spinoff of REvil, bought the tools, or is simply copying how they work, remains unclear. The anti-malware researchers behind MalwareHunterTeam note that the new crime group debuted by the middle of December 2021, and that while none of the group’s crypto-locking malware has yet been recovered, and it’s not clear how many victims the group might have amassed, it has a number of crossovers with REvil.”

Title: Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
Date Published: January 25, 2022

https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html

Excerpt: “A previously undocumented cyber-espionage malware aimed at Apple’s macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with “strong technical capabilities,” calling out the campaign’s overlaps to that of a similar digital offensive disclosed by Google Threat Analysis Group (TAG) in November 2021. The attack chain involved compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, to inject malicious inline frames (aka iframes) between September 30 and November 4, 2021.”

Title: Google Drive Flags Nearly Empty Files for ‘Copyright Infringement’
Date Published: January 25, 2022

https://www.bleepingcomputer.com/news/security/google-drive-flags-nearly-empty-files-for-copyright-infringement/

Excerpt: “Users were left startled as Google Drive’s automated detection systems flagged a nearly empty file for copyright infringement. The file, according to one Drive user, contained nothing other than just the digit “1” within. This week, Assistant Professor at Michigan State University, Dr. Emily Dolson, Ph.D. reported seeing some odd behavior when using Google Drive. One of the files in Dolson’s Google Drive, ‘output04.txt’ was nearly empty—with nothing other than the digit ‘1’ inside it. But according to Google, this file violated the company’s “Copyright Infringement policy” and was hence flagged.”

Title: Trickbot Injections Get Harder to Detect & Analyze
Date Published: January 24, 2022

https://www.darkreading.com/vulnerabilities-threats/trickbot-injections-get-harder-to-detect-analyze

Excerpt: “The authors of the Trickbot Trojan have added multiple layers of defenses around the malware to make it harder for defenders to detect and analyze the injections it uses during malicious operations. The improvements coincide with escalating activity around the malware and appear designed for attacks in which Trickbot is being used to conduct online banking fraud — something the tool was originally designed for before it was repurposed for malware distribution purposes.”

Title: 53% of Medical Devices Have A Known Critical Vulnerability
Date Published: January 25, 2022

https://www.helpnetsecurity.com/2022/01/25/critical-medical-device-risks//

Excerpt: “After a year of unprecedented ransomware attacks on hospitals and healthcare systems – and with healthcare now the #1 target for cybercriminals – critical medical device risks in hospital environments continue to leave hospitals and their patients vulnerable to cyber attacks and data security issues. Cynerio found that security threats related to IoT and related devices within healthcare environments have remained sorely under-addressed, despite increased investments in healthcare cybersecurity. Data shows that 53% of connected medical devices and other IoT devices in hospitals have a known critical vulnerability.”

Title: Missing Microsoft Intune Certs Break Email, VPN on Samsung Devices
Date Published: January 25, 2022

https://www.bleepingcomputer.com/news/microsoft/missing-microsoft-intune-certs-break-email-vpn-on-samsung-devices/

Excerpt: “Microsoft says Samsung devices enrolled in Microsoft Intune using a work profile will experience email and VPN connectivity issues due to missing certificates after upgrading to Android 12. Microsoft Intune is a cloud-based service designed to help admins manage Windows, macOS, iOS/iPadOS, and Android apps and devices in enterprise environments. It also enforces device-specific policies when accessing proprietary data from company-owned or personal devices.”
