June 30, 2022

Fortify Security Team
Title: Google Blocked Dozens of Domains Used by Hack-For-Hire Groups
Date Published: June 30, 2022


Excerpt: “Google’s Threat Analysis Group (TAG) has blocked dozens of malicious domains and websites used by hack-for-hire groups in attacks targeting high-risk targets worldwide. Unlike commercial surveillance vendors whose tools are deployed in attacks by clients, hack-for-hire operators are directly involved in attacks and are usually employed by a firm offering such services. In some cases, they can also be “freelance” threat actors. They’re hired for their hacking skills by clients who lack them or who want to conceal their identity if the attacks are detected and investigated.”

Title: AstraLocker 2.0 Infects Users Directly from Word Attachments
Date Published: June 30, 2022


Excerpt: “A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing “smash-n-grab” attacks to hit immediately with maximum force, aiming for a quick payout.”

Title: OpenSea Discloses Data Breach, Warns Users of Phishing Attacks
Date Published: June 30, 2022


Excerpt: “OpenSea, the largest non-fungible token (NFT) marketplace, disclosed a data breach on Wednesday and warned users of phishing attacks that could target them in the coming days. The online NFT marketplace says it has more than 600,000 users and a transaction volume that surpassed $20 billion. The company’s Head Of Security, Cory Hardman, said that an employee of Customer.io, the platform’s email delivery vendor, downloaded email addresses belonging to OpenSea users and newsletter subscribers.”

Title: New YTStealer Malware Steals Accounts from YouTube Creators
Date Published: June 29, 2022


Excerpt: “A new information-stealing malware named YTStealer is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels. In a space where multiple info-stealers compete for the attention of cybercriminals, the existence of YTStealer and its extremely narrow focus is peculiar. According to a report published today by Intezer, focusing on one goal has given YTStealer’s authors the capacity to make its token-stealing operation very effective, incorporating advanced, specialized tricks.”

Title: CISA Warns of Hackers Exploiting PwnKit Linux Vulnerability
Date Published: June 29, 2022


Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. The security flaw, identified as CVE-2021-4034, was found in the Polkit’s pkexec component used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). PwnKit is a memory corruption bug that unprivileged users can exploit to gain full root privileges on Linux systems with default configurations.”

Title: Ukraine Arrests Cybercrime Gang Operating over 400 Phishing Sites
Date Published: June 28, 2022


Excerpt: “The Ukrainian cyberpolice force arrested nine members of a criminal group that operated over 400 phishing websites crafted to appear like legitimate EU portals offering financial assistance to Ukrainians. The threat actors used forms on the site to steal visitors’ payment card data and online banking account credentials and perform fraudulent, unauthorized transactions like moving funds to accounts under their control. According to the police’s estimates, the total damage caused by this cybercrime operation is 100 million hryvnias, or approximately $3,360,000, stolen from roughly 5,000 victimized citizens.”

Title: CISA Warns Orgs to Switch to Exchange Online Modern Auth until October
Date Published: June 29, 2022


Excerpt: “CISA has urged government agencies and private sector organizations using Microsoft’s Exchange cloud email platform to expedite the switch from Basic Authentication legacy authentication methods without multifactor authentication (MFA) support to Modern Authentication alternatives. Basic Auth (proxy authentication) is an HTTP-based auth scheme used by apps to send credentials in plain text to servers, endpoints, or online services. The alternative, Modern Auth (Active Directory Authentication Library and OAuth 2.0 token-based authentication), uses OAuth access tokens with a limited lifetime that cannot be re-used to authenticate on other resources besides those they were issued for. Apps using Basic Auth allow attackers to guess credentials in password spray attacks or capture them in man-in-the-middle attacks over TLS. To make things worse, when using Basic Auth, multi-factor authentication (MFA) is quite complicated to enable, and, as a result, it often isn’t used at all.”

Title: Evaluating the Use of Encryption Across the World’s Top One Million Sites
Date Published: June 30, 2022


Excerpt: “A new report from security researcher and TLS expert Scott Helme, evaluates the use of encryption across the world’s top one million sites over the last six months and reveals the need for a control plane to automate the management of machine identities in increasingly complex cloud environments.”

Title: Path Traversal Flaw in UnRAR Utility can Allow Hacking Zimbra Mail Servers
Date Published: June 29, 2022


Excerpt: “SonarSource researchers have discovered a new vulnerability in RARlab’s UnRAR utility, tracked as CVE-2022-30333, that can be exploited by remote attackers to execute arbitrary code on a system that relies on the binary, like Zimbra webmail servers. Zimbra is an enterprise-ready email solution used by over 200,000 businesses, government and financial institutions. The CVE-2022-30333 flaw in the unrar binary developed by RarLab is a File Write vulnerability that could be exploited by tricking victims into extracting maliciously crafted RAR archives. The experts pointed out that in the case of Zimbra, threat actors could exploit this issue to access every email sent and received on a compromised email server. An attacker can fully compromise a server and install a backdoor and use the compromised machine as a pivot to target other systems within the organization.”

Title: EMEA Continues to be a Hotspot for Malware Threats
Date Published: June 30, 2022


Excerpt: “Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased. Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.”
