June 27, 2022

Fortify Security Team

Title: CafePress Fined $500,000 for Breach Affecting 23 Million Users
Date Published: June 24, 2022


Excerpt: “The U.S. Federal Trade Commission (FTC) has ordered Residual Pumpkin Entity, the former owner of the CafePress t-shirt and merchandise site, to pay a $500,000 fine for covering up a data breach impacting more than 23 million customers and failing to protect their data. As the consumer protection watchdog explained in a complaint from March 2022, Residual Pumpkin Entity stored its customers’ Social Security numbers and password reset answers in plain text and longer than necessary. The company also failed to apply available protections and respond to security incidents. After its servers were breached multiple times, it tried to cover up the major data breach resulting from its sloppy security practices.”

Title: Mitel Zero-Day Used by Hackers in Suspected Ransomware Attack
Date Published: June 24, 2022


Excerpt: “Hackers used a zero-day exploit on Linux-based Mitel MiVoice VOIP appliances for initial access in what is believed to be the beginning of a ransomware attack. Mitel VOIP devices are used by critical organizations in various sectors for telephony services and were recently exploited by threat actors for high-volume DDoS amplification attacks. In a new report by CrowdStrike, the company says that a zero-day remote code execution flaw, now tracked as CVE-2022-29499 (CVSS v3 score: 9.8 – critical), was used to gain initial access to the network.”

Title: The Week in Ransomware – June 24th 2022 – Splinter Cells
Date Published: June 24, 2022


Excerpt: “The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation. Since May, a lone Conti member has been posting data from older victims to make the gang appear alive, but in reality, Conti shut down last month. The members are now long spread out in smaller cells among different operations, making it more challenging to target the crime syndicate.”

Title: PyPI Python Packages Caught Sending Stolen AWS Keys to Unsecured Sites
Date Published: June 25, 2022


Excerpt: “Multiple malicious Python packages available on the PyPI repository were caught stealing sensitive information like AWS credentials and transmitting it to publicly exposed endpoints accessible by anyone. PyPI is a repository of open-source packages that software developers use to pick the building blocks of their Python-based projects or share their work with the community. While PyPI is usually quick to respond to reports of malicious packages on the platform, there’s no real vetting before submission, so dangerous packages may lurk there for a while.”

Title: Clever Phishing Method Bypasses MFA Using Microsoft WebView2 Apps
Date Published: June 26, 2022


Excerpt: “A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims’ authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. With the large number of data breaches, remote access trojan attacks, and phishing campaigns, stolen login credentials have become abundant. However, the increasing adoption of multi-factor authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also has access to the target’s one-time MFA passcodes or security keys.”

Title: Fake Copyright Infringement Emails Install LockBit Ransomware
Date Published: June 26, 2022


Excerpt: “LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action. The emails, spotted by analysts at AhnLab, Korea, do not determine which files were unfairly used in the body and instead tell the recipient to download and open the attached file to see the infringement content.”

Title: Cybercriminals use Azure Front Door in Phishing Attacks
Date Published: June 27, 2022


Excerpt: “Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonated various services appearing to be legitimately created on the “azurefd.net” domain. This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, DocuSign and Amazon customers, along with several other major Japanese and Middle East online-service providers and corporations. According to experts, such tactics confirm how the bad actors are continuously looking to enhance their tactics and procedures to avoid phishing detection using world-known cloud services. Based on the analyzed phishing templates, the attackers are likely using an automated way to generate their phishing letters; by doing so, they’re able to scale their campaigns to ultimately target a broader number of customers globally.”

Title: Ukrainian Telecommunications Operators Hit by DarkCrystal RAT Malware
Date Published: June 27, 2022


Excerpt: “The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a malware campaign targeting Ukrainian telecommunications operators with the DarkCrystal RAT. The malspam messages have the subject “Free primary legal aid” and use a password-protected attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar.” The RAR archive analyzed by the Ukrainian CERT-UA contains the document “Algorithm_LegalAid.xlsm.” Upon opening the document and enabling the macro, a PowerShell command will be executed. The script will download and run the .NET bootloader “MSCommondll.exe,” which in turn will download and run the malware DarkCrystal RAT.”

Title: Cyberattack Halted the Production at the Iranian State-Owned Khuzestan Steel Company
Date Published: June 27, 2022


Excerpt: “The Khuzestan Steel Company is one of the major steel companies owned by the Iranian government. The company was forced to halt production due to a cyberattack. According to the Associated Press, Khuzestan Steel Company has a monopoly on steel production in Iran along with two other major state-owned firms. The website of the company is still down at the time of this writing. The company was forced to halt production to avoid damage to the production lines and impact on the supply chains it belongs to. The Iranian news channel Jamaran reported that the attack failed because at the time of the attack an electricity outage had interrupted the operations at the plant.”

Title: Global Police Crack Down on Online Sexual Exploitation
Date Published: June 27, 2022


Excerpt: “Police from Europe and South America have teamed up to take action against an organized crime group involved in human trafficking for sexual exploitation. Between 20-23 June, they swooped on 14 locations, arrested 10 and interviewed eight victims. Among items seized in the searches were vehicles, electronic equipment, hard drives, over 40 mobile phones, SIM cards, documents, payment cards and about €20,000 in cash. Europol supported the French Border Police, the Spanish National Police, the Portuguese Judicial Police and the Brazilian Federal Police during the operation, which saw coordinated raids in France, Spain and Portugal.”
