July 11, 2022

Fortify Security Team
Jul 11, 2022

Title: Maastricht University Wound Up Earning Money from its Ransom Payment
Date Published: July 10, 2022


Excerpt: “Maastricht University (UM), a Dutch university with more than 22,000 students, said last week that it had recovered the ransom paid after a ransomware attack that hit its network in December 2019. After a thorough investigation of the incident, the attack was linked by cybersecurity company Fox-IT with a financially motivated hacker group tracked as TA505 (or SectorJ04), known for primarily targeting retail and financial organizations since at least Q3 2014. The hackers infiltrated the university’s systems via phishing e-mails in mid-October and deployed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally through the network. One week later, on December 30, the university decided to pay the ransom to have its files decrypted after deciding that rebuilding all infected systems from scratch or creating a decryptor were not viable options.”

Title: PyPI Mandates 2FA for Critical Projects, Developer Pushes Back
Date Published: July 9, 2022


Excerpt: “On Friday, the Python Package Index (PyPI), the official repository of third-party open-source Python projects, announced plans to mandate two-factor authentication requirements for maintainers of “critical” projects. Although many community members praised the move, the developer of a popular Python project decided to delete his code from PyPI and republish it to invalidate the “critical” status assigned to his project.”

Title: Mangatoon Data Breach Exposes Data from 23 Million Accounts
Date Published: July 9, 2022


Excerpt: “Comic reading platform Mangatoon has suffered a data breach that exposed information belonging to 23 million user accounts after a hacker stole it from an unsecured Elasticsearch database. Mangatoon is also a very popular iOS and Android app used by millions of users to read online Manga comics. This week, the data breach notification service Have I Been Pwned (HIBP) added 23 million Mangatoon accounts to their platform.”

Title: New 0mega Ransomware Targets Businesses in Double-Extortion Attacks
Date Published: July 8, 2022


Excerpt: “A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. 0mega (spelled with a zero) is a new ransomware operation launched in May 2022 and has attacked numerous victims since then.”

Title: BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2.5 Million in Demands
Date Published: July 11, 2022


Excerpt: “The notorious cybercriminal syndicate competes with Conti and Lockbit 3.0. They introduced an advanced search by stolen victims’ passwords and confidential documents leaked in the TOR network. Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demand requests by the notorious Blackcat ransomware gang. According to experts, the notorious cybercriminal syndicate actively competes with Conti and the updated Lockbit 3.0, and recently introduced a search by stolen victims’ passwords and confidential documents leaked in the TOR network. Based on recently observed compromised victims in the Nordics region (which haven’t been disclosed by the group yet), the amount to be paid exceeds $2 million. One of the tactics used offers close to a 50% discount to the victim in case they are willing to pay – several ransom demands valued at $14 million were decreased to $7 million, but such amounts are still complicated for enterprises facing cybersecurity incidents. The most common ransom demand practiced by BlackCat jumped up to $2.5 million and it seems its trajectory will only grow.”

Title: Dealing with Threats and Preventing Sensitive Data Loss
Date Published: July 11, 2022


Excerpt: “Recently, Normalyze, a data-first cloud security platform, came out of stealth with $22.2M in Series A funding. This was the perfect time to catch up with co-founder and CEO Amer Deeba. In this interview with Help Net Security, he talks about the path to data security as well as visibility challenges.”

Title: Anubis Networks is Back with New C2 Server
Date Published: July 11, 2022


Excerpt: “A large-scale phishing campaign has been targeting Internet end users in Brazil and Portugal since March 2022. Anubis Network is a C2 portal developed to control fake portals and aims to steal credentials to fully access the real systems. This C2 server is controlled by a group of operators that come from the previous analysis in 2022, the various brands being divided among the operators of the group (in a call-center modus operandi). This campaign was highlighted by Segurança Informática in 2020, and the high-level diagram of this new campaign can be observed below.”

Title: Experts Demonstrate how to Unlock Several Honda Models via Rolling-PWN Attack
Date Published: July 10, 2022


Excerpt: “A team of security researchers, Kevin2600 and Wesley Li from Star-V Lab, independently discovered a flaw in Honda models, named the Rolling-PWN Attack vulnerability (CVE-2021-46145), that can allow unlocking their vehicles. A remote keyless entry (RKE) system allows remotely unlocking or starting a vehicle. The researchers tested a remote keyless entry system that allows remotely unlocking or starting a vehicle and discovered the Rolling-PWN attack issue. According to the experts, the issue affects all Honda vehicles on the market (from the year 2012 up to the year 2022). Successful exploitation of this flaw can allow attackers to permanently open the car door or even start the engine of a vehicle. The issue resides in a version of the rolling codes mechanism implemented in many Honda models to prevent replay attacks.”
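The excerpt says only that the weakness sits in the rolling-code mechanism that is supposed to stop replay. The following model, added here as an illustration and not taken from the Star-V Lab research or from any Honda firmware, shows what a rolling-code receiver does to defeat replay and how a poorly constrained resynchronization feature can undo that protection. The code construction (an HMAC over a counter), the 16-code acceptance window, the 12-bit counter space and the three resync policies are all assumptions chosen for the demo; the real Honda behaviour is described in the researchers' disclosure, not in this excerpt.

```python
# Rolling-code remote keyless entry model: replay rejection versus an
# over-permissive resync. Added illustration; not Honda's implementation.
import hashlib
import hmac

KEY = b"constructed-demo-shared-key"   # assumed per-vehicle secret shared with the fob
WINDOW = 16                            # assumed forward acceptance window
COUNTER_SPACE = 1 << 12                # assumed counter size, kept small for speed


def fob_code(counter: int, key: bytes = KEY) -> bytes:
    """Fob side. The over-the-air code is an unforgeable function of
    (key, counter); a truncated HMAC stands in for the real cipher here."""
    return hmac.new(key, counter.to_bytes(2, "big"), hashlib.sha256).digest()[:8]


class Receiver:
    """Car side. `resync` selects how codes outside the forward window are treated:
    'never'   : reject them (safe, but a fob pressed far out of range is lost)
    'forward' : two consecutive codes AHEAD of the expected counter resync (safe)
    'any'     : two consecutive codes from ANYWHERE resync (replay becomes possible)
    """

    def __init__(self, resync: str = "never", key: bytes = KEY, window: int = WINDOW):
        self.key, self.window, self.resync = key, window, resync
        self.expected = 0      # next counter value the receiver will accept
        self.pending = None    # counter of the last out-of-window frame seen

    def _counter_of(self, code: bytes, lo: int, hi: int):
        """Find the counter in [lo, hi) that produces `code`, or None."""
        for c in range(lo, hi):
            if hmac.compare_digest(fob_code(c, self.key), code):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        """Return True if the car acts on this code (lock/unlock)."""
        c = self._counter_of(code, self.expected, self.expected + self.window)
        if c is not None:                       # in-window: a normal button press
            self.expected, self.pending = c + 1, None
            return True
        if self.resync == "never":
            return False
        # Hypothetical resync: 'forward' only searches ahead of the current
        # counter; 'any' also searches behind it, which is the flaw.
        lo = self.expected if self.resync == "forward" else 0
        c = self._counter_of(code, lo, COUNTER_SPACE)
        if c is None:
            self.pending = None
            return False
        if self.pending is not None and c == self.pending + 1:
            self.expected, self.pending = c + 1, None   # resynchronised to the fob
            return True
        self.pending = c
        return False


def rolling_pwn_scenario(resync: str) -> dict:
    """Constructed scenario: the owner presses the fob 20 times, the attacker
    records presses 5..8 and replays them later. Returns what the car accepted."""
    car = Receiver(resync)
    presses = [fob_code(c) for c in range(20)]
    captured = presses[5:9]                     # sniffed by the attacker
    assert all(car.receive(p) for p in presses)  # normal use; car now expects 20
    replays = [car.receive(p) for p in captured]
    return {"expected_after": car.expected, "replays_accepted": replays}


def out_of_range_fob(resync: str) -> list:
    """Legitimate case resync exists for: a fob pressed 100 times out of range."""
    car = Receiver(resync)
    return [car.receive(fob_code(100)), car.receive(fob_code(101))]


if __name__ == "__main__":
    for mode in ("never", "forward", "any"):
        print(mode, rolling_pwn_scenario(mode), out_of_range_fob(mode))
```

With `resync="never"` or `"forward"`, every replayed capture is rejected because the counter only ever moves forward. With `resync="any"`, the second captured code resynchronizes the car back to counter 7, after which the remaining captured codes are accepted as if they were fresh presses; that is the general shape of a rolling-code resync weakness, and the `forward` policy shows the fix: a resync sequence must be accepted only if it lies ahead of the counter the car already reached.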

Title: French Telephone Operator La Poste Mobile Suffered a Ransomware Attack
Date Published: July 10, 2022


Excerpt: “The ransomware attack hit the virtual mobile telephone operator La Poste Mobile on July 4 and paralyzed administrative and management services. The company pointed out that threat actors may have accessed data of its customers; for this reason it is recommending them to be vigilant. The company highlights the risks of identity theft or phishing attacks in case their data have been compromised.”

Title: China’s Tonto Team APT Ramps Up Spy Operations Against Russia
Date Published: July 11, 2022


Excerpt: “French energy giant EDF has been placed under ‘enhanced attention’ by the UK’s Office for Nuclear Regulation (ONR) after identifying shortfalls in its cybersecurity plans, according to reports this weekend. The ONR is taking action due to the findings of routine inspections over the past 12 months. The Telegraph newspaper quoted the body as saying it had “identified shortfalls in governance, risk and compliance in certain technical controls” during these inspections. EDF owns and runs the UK’s network of nuclear power stations at five locations and is currently building a new nuclear power station at Hinkley Point in Somerset, together with minority Chinese partner CGN. The action takes place against a backdrop of increased awareness of the vulnerability of energy infrastructure around Europe to cyber-attack. ”
