Title: FBI Warns of Fake Job Postings Used to Steal Money, Personal Info
Date Published: February 1, 2022
Excerpt: “Scammers are trying to steal job seekers’ money and personal information through phishing campaigns using fake advertisements posted on recruitment platforms. The warning was published today as a public service announcement (PSA) on the Bureau’s Internet Crime Complaint Center (IC3). “The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI says.”
Title: Experts Found 23 Flaws in UEFI Firmware Potentially Impact Millions of Devices
Date Published: February 2, 2022
https://securityaffairs.co/wordpress/127506/breaking-news/uefi-firmware-vulnerabilities.html
Excerpt: “Researchers at firmware security company Binarly have discovered 23 vulnerabilities in UEFI firmware code used by the major device makers. The vulnerabilities could impact millions of enterprise devices, including laptops, servers, routers, and industrial control systems (ICS). All these vulnerabilities affects several vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos. The flaws reside in the InsydeH2O UEFI firmware provided by Insyde Software and used by the impacted vendors. The analysis of the disassembly code revealed that the majority of these flaws were exploitable vulnerabilities in the System Management Mode (SMM).”
Title: Russia’s Escalation in Ukraine Sounds Cyber Defense Alarms
Date Published: February 2, 2022
https://www.bankinfosecurity.com/russias-escalation-in-ukraine-sounds-cyber-defense-alarms-a-18425
Excerpt: “Russia’s threat to Ukraine is reshaping notions of what it means to employ cyber operations as part of a conflict. Whether Russian President Vladimir Putin has even decided what he will do next remains unclear, experts say. But a number of military options remain available, and all of them would likely involve some form of cyber escalation, and could well impact such critical infrastructure as the energy and financial services sectors, according to Washington think tank Center for Strategic and International Studies.”
Title: Hacker Group ‘Moses Staff’ Using New StrifeWater RAT in Ransomware Attacks
Date Published: February 1, 2022
https://thehackernews.com/2022/02/hacker-group-moses-staff-using-new.html
Excerpt: “A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware “StrifeWater.””The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks,” Tom Fakterman, Cybereason security analyst, said in a report. “The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions.””
Title: Malicious CSV Text Files Used to Install BazarBackdoor Malware
Date Published: February 1, 2022
Excerpt: “A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.”
Title: Experts Warn of a Spike in APT35 Activity and a Possible Link to Memento Ransomware op
Date Published: February 2, 2022
https://securityaffairs.co/wordpress/127526/apt/apt35-spike-memento-op.html
Excerpt: “The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka ‘Charming Kitten‘, ‘Phosphorus‘, Newscaster, and Ajax Security Team).The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media. Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. The APT group previously targeted medical research organizations in the US and Israel in late 2020, and for targeting academics from the US, France, and the Middle East region in 2019. They have also previously targeted human rights activists, the media sector, and interfered with the US presidential elections.
Title: New Malware Used by SolarWinds Attackers Went Undetected for Years
Date Published: February 2, 2022
https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html
Excerpt: “The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary’s ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light. Nobelium, the Microsoft-assigned moniker for the SolarWinds intrusion in December 2020, is also tracked by the wider cybersecurity community under the names UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).”
Title: ESET Releases Fixes for Local Privilege Escalation Bug in Windows Applications
Date Published: February 2, 2022
https://securityaffairs.co/wordpress/127536/security/eset-windows-applications-bug.html
Excerpt: “Antivirus firm ESET released security patches to address a high severity local privilege escalation vulnerability, tracked CVE-2021-37852, impacting its Windows clients. An attacker can exploit the vulnerability to misuse the AMSI scanning feature to elevate privileges in specific scenarios. “According to the report, submitted by the Zero Day Initiative (ZDI), an attacker who is able to get SeImpersonatePrivilege can misuse the AMSI scanning feature to elevate to NT AUTHORITY\SYSTEM in some cases.” reads the security advisory published by the company. “The SeImpersonatePrivilege is by default available to the local Administrators group and the device’s Local Service accounts, which are already highly privileged and thus limit the impact of this vulnerability.” The CVE-2021-37852 vulnerability was discovered by the security researcher Michael DePlante (@izobashi) who reported the bug reported to the company through the Zero Day Initiative (ZDI).”
Title: SEO Poisoning Pushes Malware-laced Zoom, TeamViewer, Visual Studio installers
Date Published: February 2, 2022
Excerpt: “A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio. These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites that host malware disguised as popular apps. Upon downloading and executing the software installers, the victims unknowingly infect themselves with malware and remote access software.”
Title: Thousands of Malicious npm Packages Threaten Web Apps
Date Published: February 2, 2022
https://threatpost.com/malicious-npm-packages-web-apps/178137/
Excerpt: “More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months — a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, cryptojacking, botnet delivery and more to its users.”