June 21, 2022

Fortify Security Team
Jun 21, 2022

Title: Microsoft 365 Outage Affects Microsoft Teams and Exchange Online
Date Published: June 21, 2022

https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-affects-microsoft-teams-and-exchange-online/

Excerpt: “An ongoing outage affects multiple Microsoft 365 services, with customers worldwide reporting delays, sign-in failures, and issues accessing their accounts. For the last 8 hours, users have been experiencing and reporting being asked to relogin, emails stuck in queues and not getting delivered, while others say they were unable to access their Exchange Online mailboxes via any connection method they tried. The affected services include the Exchange Online hosted email platform for businesses and the Microsoft Teams communication platform, as well as SharePoint Online, the Graph API, and Universal Print.”

Title: New ToddyCat APT Group Targets Exchange Servers in Asia, Europe
Date Published: June 21, 2022

https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/

Excerpt: “An advanced persistent threat (APT) group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year, since at least December 2020. While tracking the group’s activity, security researchers with Kaspersky’s Global Research & Analysis Team (GReAT) have also found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims’ networks.”

Title: Icefall: 56 Flaws Impact Thousands of Exposed Industrial Devices
Date Published: June 21, 2022

https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/

Excerpt: “A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. The Icefall collection has been discovered by security researchers at Forescout’s Vedere Labs and it impacts devices from ten vendors. The type of security flaws included allow remote code execution, compromising credentials, firmware and configuration changes, authentication bypass, and logic manipulation. Affected vendors count Honeywell, Motorola, Omron, Siemens, Emerson, JTEKT, Bentley Nevada, Phoenix Contact, ProConOS, and Yokogawa. They have been notified in a responsible disclosure coordinated by Phoenix Contact, CERT VDE, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).”

Title: New DFSCoerce NTLM Relay Attack Allows Windows Domain Takeover
Date Published: June 20, 2022

https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/

Excerpt: “A new DFSCoerce Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft’s Distributed File System, to completely take over a Windows domain. Many organizations utilize Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain. However, this service is vulnerable to NTLM relay attacks, which is when threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker’s control.”

Title: Recent Windows Server Updates Break VPN, RDP, RRAS Connections
Date Published: June 20, 2022

https://www.bleepingcomputer.com/news/microsoft/recent-windows-server-updates-break-vpn-rdp-rras-connections/

Excerpt: “This month’s Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled. RRAS is a Windows service that offers additional TCP connectivity and routing features, including remote access or site-to-site connectivity with the help of virtual private network (VPN) or dial-up connections. Last week, Microsoft released the Windows Server 2012 R2 KB5014746, the Windows Server 2019 KB5014692, the Windows Server 20H2 KB5014699, and the Windows Server 2022 KB5014678 updates as part of the June 2022 Patch Tuesday.”

Title: Android-wiping BRATA Malware is Evolving into a Persistent Threat
Date Published: June 19, 2022

https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware-is-evolving-into-a-persistent-threat/

Excerpt: “The threat actor behind the BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities. Italian mobile security company Cleafy has been tracking BRATA activity and noticed in the most recent campaigns changes that lead to longer persistence on the device. The malware itself has also been updated with new phishing techniques, new classes to request additional permissions on the device, and now also drops a second-stage payload from the command and control (C2) server.”

Title: QNAP NAS Devices Hit by DeadBolt and Ech0raix Ransomware
Date Published: June 20, 2022

https://www.helpnetsecurity.com/2022/06/20/qnap-nas-deadbolt-ech0raix/

Excerpt: “Taiwan-based QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) appliances of a new DeadBolt ransomware campaign. There also appears to be a new ech0raix/QNAPCrypt campaign in progress, according to various sources, though QNAP is yet to comment on that.”

Title: After Being Breached Once, Many Companies are Likely to Be Hit Again
Date Published: June 21, 2022

https://www.helpnetsecurity.com/2022/06/21/companies-hit-by-cybercrime/

Excerpt: “Cymulate announced the results of a survey, revealing that two-thirds of companies who have been hit by cybercrime in the past year have been hit more than once, with almost 10% experiencing 10 or so more attacks a year. Research taken from 858 security professionals surveyed across North America, EMEA, APAC and LATAM across a wide range of industries including technology, banking, finance and government, also highlighted that larger companies hit by cybercrime are experiencing shorter disruption time and damage to business, with 40% reporting low damage, compared with medium-size businesses (less than 2,500 employees), which had longer recovery times and more business-affecting damage.”

Title: Cybercriminals Use Azure Front Door in Phishing Attacks
Date Published: June 21, 2022

https://securityaffairs.co/wordpress/132458/cyber-crime/azure-front-door-phishing.html

Excerpt: “Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonate various services appearing to be legitimately created on the “azurefd.net” domain; this allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign and Amazon customers, along with several other major Japanese and Middle East online service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services.”

Title: Russian APT28 hacker accused of the NATO think tank hack in Germany
Date Published: June 20, 2022

https://securityaffairs.co/wordpress/132452/hacking/apt28-hacked-nato-think-tank.html

Excerpt: “The Attorney General has issued an arrest warrant for the Russian hacker Nikolaj Kozachek (aka “blabla1234565” and “kazak”), who is accused of having carried out a cyber espionage attack against the NATO think tank Joint Air Power Competence Center in Germany. The attack took place in April 2017 and the man is accused of conducting the attack for the Russian military intelligence service GRU. The arrest is the result of an investigation conducted by the Federal Criminal Police Office (BKA) and the Federal Police. According to Spiegel, the Federal Public Prosecutor has obtained an arrest warrant for Kozachek from the Federal Court of Justice.”
