July 1, 2022

Fortify Security Team

Title: XFiles Info-Stealing Malware Adds Support for Follina Delivery
Date Published: June 30, 2022


Excerpt: “The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. The flaw, discovered as a zero-day at the end of May and fixed with Microsoft’s Windows update on June 14, enables the execution of PowerShell commands simply by opening a Word document. In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine.”

Title: Russian Hacktivists Take Down Norway Govt Sites in DDoS Attacks
Date Published: June 30, 2022


Excerpt: “Norway’s National Security Authority (NSM) published a statement yesterday warning that some of the country’s most important websites and online services are being rendered inaccessible due to distributed denial of service (DDoS) attacks. The statement further explains that a criminal pro-Russian group is believed to be behind the attacks. DDoS attacks are a special type of cyberattack that causes internet servers to be overwhelmed by many requests and garbage traffic, rendering the hosted sites and services inaccessible for legitimate visitors and users.”

Title: Ukraine Targeted by Almost 800 Cyberattacks Since the War Started
Date Published: June 30, 2022


Excerpt: “Ukrainian government and private sector organizations have been the target of 796 cyberattacks since the start of the war on February 24, 2022, when Russia invaded Ukraine. According to Ukraine’s cybersecurity defense and security agency SSSCIP (short for State Service of Special Communications and Information Protection), the country’s networks have been under a constant barrage of hacking attempts since the war started. “Enemy hackers continue to attack Ukraine. The intensity of cyberattacks has not decreased since the beginning of Russia’s full-scale military invasion, although their quality has been declining,” SSSCIP said on Thursday.”

Title: Microsoft Exchange Servers Worldwide Backdoored With New Malware
Date Published: June 30, 2022


Excerpt: “Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. The malware, dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022, is a malicious native-code module for Microsoft’s Internet Information Services (IIS) web server software. It has been used in the wild without being detected since at least March 2021, right after the start of last year’s massive wave of ProxyLogon attacks.”

Title: Macmillan Shuts Down Systems After Likely Ransomware Attack
Date Published: June 30, 2022


Excerpt: “Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident that appears to be a ransomware attack. The attack reportedly occurred over the weekend, on Saturday, June 25th, with the company shutting down all of their IT systems to prevent the spread of the attack. Publishers Weekly first reported on the incident, seeing emails from Macmillan that stated they suffered a “security incident, which involves the encryption of certain files on our network.” The use of encryption in the attack indicates that it was a ransomware attack. Since then, Macmillan editors have been unusually transparent about the security incident, telling agents and clients that they are not being ignored, but have lost access to their systems, emails, and files.”

Title: Toll Fraud Malware Disables Your WiFi to Force Premium Subscriptions
Date Published: June 30, 2022


Excerpt: “Microsoft is warning that toll fraud malware is one of the most prevalent threats on Android and that it is evolving with features that allow automatic subscription to premium services. Toll fraud is a subset of billing fraud, where the threat actor tricks victims into calling or sending an SMS to a premium number. The difference is that toll fraud does not work over WiFi and forces the devices to connect to the mobile operator’s network.”

Title: Jenkins Discloses Dozens of Zero-Day Bugs in Multiple Plugins
Date Published: July 1, 2022


Excerpt: “On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched. Jenkins is a highly popular platform (with support for over 1,700 plugins) used by enterprises worldwide for building, testing, and deploying software. The zero-days’ CVSS base scores range from low to high severity, and, according to Jenkins’ stats, the impacted plugins have a total of more than 22,000 installs.”

Title: Product showcase: Group-IB Unified Risk Platform
Date Published: June 30, 2022


Excerpt: “The cyber threat landscape has intensified. Threat actors are organized and professionalized, with ransomware gangs outsourcing the first step of their operations to Initial Access Brokers. This alliance has proven profitable for both sides, as the illegal sale of initial access to organizations grew 204% and ransom demand soared by 45% last year. The pace of cybercrime is accelerating, making it harder for businesses to manage their cyber risks. Security teams are faced with the increasing challenge of identifying the specific threats they face, how to defend against them, and how to respond immediately in case of an incident. Inaccurate or out-of-date information will result in misplaced defenses, suboptimal prioritization of vulnerability management, false positives overwhelming operations teams, and slow response times to real security incidents. To address these challenges, Group-IB has developed the Unified Risk Platform, a comprehensive set of solutions that understands each organization’s threat profile and configures defenses, and responds to threats in real-time. At the heart of the Unified Risk Platform is Group-IB’s Single Data Lake, which contains the industry’s richest body of adversary intelligence. Every product and service in Group-IB’s now consolidated security suite is enriched with intelligence from the data lake, enabling them to overcome the attacks targeting an organization and reduce organizational risk.”

Title: Korean Cybersecurity Agency Released a Free Decryptor for Hive Ransomware
Date Published: June 30, 2022


Excerpt: “Good news for the victims of the Hive ransomware: the South Korean cybersecurity agency KISA has released a free decryptor for versions from v1 to v4. “The Korea Internet & Security Agency (KISA) is distributing the Hive ransomware integrated recovery tool. This recovery tool can recover Hive ransomware version 1 to version 4,” reads the announcement published by the KISA agency. The agency released an executable along with a user manual that provides step-by-step instructions to recover encrypted data for free.”

Title: Experts Blame North Korea-Linked Lazarus APT for the Harmony Hack
Date Published: June 30, 2022


Excerpt: “Recently, threat actors have stolen $100 million in cryptocurrency from the blockchain company Harmony. The company reported the incident to the authorities, and the FBI is investigating the cyber heist with the help of several cybersecurity firms. Harmony’s Horizon Bridge allows users to transfer their crypto assets from one blockchain to another; the company immediately halted the bridge to prevent further transactions and notified other exchanges. The company also offers a $1 million bounty in exchange for the return of the funds.”
