January 27, 2022

Fortify Security Team

Title: 105 Million Android Users Targeted by Subscription Fraud Campaign
Date Published: January 27, 2022


Excerpt: “A premium services subscription scam for Android has been operating for close to two years. Called ‘Dark Herring’, the operation used 470 Google Play Store apps and affected over 100 million users worldwide, potentially causing hundreds of millions of USD in total losses. ‘Dark Herring’ was present in 470 applications on the Google Play Store, Android’s official and most trustworthy source of apps, with the earliest submission dating to March 2020. In total, the fraudulent apps were installed by 105 million users in 70 countries, subscribing them to premium services that charged $15 per month through Direct Carrier Billing (DCB).”

Title: LockBit Expands its Operations by Implementing a Linux Version of LockBit Ransomware that Targets VMware ESXi Servers
Date Published: January 27, 2022


Excerpt: “LockBit is the latest ransomware operation to add support for Linux systems; experts spotted a new version that targets VMware ESXi virtual machines. The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments. The LockBit operations have been advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.”

Title: Apple Fixes 2 Zero-Day Security Bugs, One Exploited in the Wild
Date Published: January 26, 2022


Excerpt: “Apple on Wednesday released 13 patches for serious security bugs in macOS and 10 for flaws in iOS/iPadOS. They include fixes for two zero-day bugs, one of which may have been exploited by attackers in the wild. The first zero-day (CVE-2022-22587) is a memory-corruption issue that could be exploited by a malicious app to execute arbitrary code with kernel privileges. The bug specifically exists in the IOMobileFrameBuffer – a kernel extension that allows developers to control how a device’s memory handles the screen display, aka a framebuffer. It affects iOS, iPadOS and macOS Monterey, and Apple addressed it with improved input validation. Apple also said it’s aware of a report that indicates it may have been actively exploited in the wild.”

Title: Attackers Connect Rogue Devices to Organizations’ Network with Stolen Office 365 Credentials
Date Published: January 27, 2022


Excerpt: “Attackers are trying out a new technique to widen the reach of their phishing campaigns: by using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations’ network by registering it with their Azure AD. If successful, they are ready to launch the second wave of the campaign, which consists of sending more phishing emails to targets outside the organization as well as within (to expand their foothold).”

Title: US OMB Releases Zero Trust Strategy for Federal Agencies
Date Published: January 26, 2022


Excerpt: “The Office of Management and Budget on Wednesday released a federal strategy to move the U.S. government toward mature zero trust architectures. White House officials say the new strategy – with a focus on “phishing-resistant” multifactor authentication, asset inventories, traffic encryption and more – is a “key step forward in delivering on President Biden’s May 2021 executive order on cybersecurity.” The memorandum eliminates rotating passwords with special characters in one year’s time, and it stresses the importance of encryption around DNS requests and HTTP traffic. OMB also plans to pivot away from application authentication via virtual private networks and the use of unsecure dot-gov intranets, opting instead for stronger authentication at the app layer.”

Title: Russian APT29 Hackers’ Stealthy Malware Undetected for Years
Date Published: January 27, 2022


Excerpt: “Hackers associated with the Russian Federation Foreign Intelligence Service (SVR) continued their incursions on networks of multiple organizations after the SolarWinds supply-chain compromise using two recently discovered sophisticated threats. The malicious implants are a variant of the GoldMax backdoor for Linux systems and a completely new malware family that cybersecurity company CrowdStrike now tracks as TrailBlazer. Both threats have been used in StellarParticle campaigns since at least mid-2019 but were identified only two years later, during incident response investigations.”

Title: Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions
Date Published: January 27, 2022


Excerpt: “A financially-motivated malware campaign has compromised over 800 WordPress websites to deliver a banking trojan dubbed Chaes targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. First documented by Cybereason in November 2020, the info-stealing malware is delivered via a sophisticated infection chain that’s engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. “Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions,” Avast researchers Anh Ho and Igor Morgenstern said. “The ultimate goal of Chaes is to steal credentials stored in Chrome and intercept logins of popular banking websites in Brazil.””

Title: Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
Date Published: January 26, 2022


Excerpt: “The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns. Researchers at AT&T Alien Labs first spotted the malware last November and named it “BotenaGo.” The malware is written in Go — a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.”

Title: Deceptive Financial Ransomware Variant ‘White Rabbit’ Emerges in Banking
Date Published: January 26, 2022


Excerpt: “U.S. financial institutions may soon find themselves chasing an elusive “White Rabbit” — a tricky recently discovered strain of ransomware with possible ties to long-time financial crime ring, FIN8. White Rabbit is a new family of ransomware exploits that has already been discovered making an attack on at least one major U.S. bank last month, according to cybersecurity researchers at Trend Micro, which revealed its findings last week. While ransomware is nothing new to the financial industry, which is typically one of the top three sectors targeted by such attacks, this ransomware could be more difficult to find and weed out than previous strains.”

Title: A Few Hours Ago LockBit Ransomware Operators Announced They Had Stolen Data from the Ministry of Justice of France
Date Published: January 27, 2022


Excerpt: “The Ministry of Justice of France is a body of the French government, which is responsible for: supervision of the judiciary, its maintenance and administration; participation as Vice President of the Judicial Council; supervision of the prosecutor’s office; prison systems. A few hours ago LockBit ransomware operators announced that they had stolen data from the Ministry of Justice of France and threatened to leak it. The countdown on the Tor leak site of the gang reveals that the gang gave the French government 14 days to pay the ransom. The deadline for the payment has been fixed on 10 Feb, 2022 11:20:00.”
