July 15, 2022

Fortify Security Team
Jul 15, 2022

Title: Microsoft Links Holy Ghost Ransomware Operation to North Korean Hackers
Date Published: July 14, 2022

https://www.bleepingcomputer.com/news/security/microsoft-links-holy-ghost-ransomware-operation-to-north-korean-hackers/

“For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. The group has been active for quite a while but it failed to gain the notoriety and financial success of other gangs even if the operation followed the same recipe: double extortion combined with a leak site to publish the name of the victims and stolen data.”

Title: Attackers Scan 1.6 million WordPress Sites For Vulnerable Plugin
Date Published: July 15, 2022

 

https://www.bleepingcomputer.com/news/security/attackers-scan-16-million-wordpress-sites-for-vulnerable-plugin/

Excerpt: “Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284. The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.”

Title: Q-Day: The Problem with Legacy Public Key Encryption
Date Published: July 15, 2022

https://www.helpnetsecurity.com/2022/07/15/legacy-public-key-encryption-problem/

Excerpt: “In the power circles where policy and technology meet, there always seems to be someone with his or her “hair on fire” about some issue or another, and it can be difficult to differentiate between a serious matter, hype and political theater. When it comes to the looming threat to existing cryptography methods, however, the consensus is clear: Quantum computers will make it possible to crack all current public key encryption. This means that unless people in positions of leadership take action, malicious actors will be able to steal government and industrial secrets, not to mention individuals’ private encrypted information.”

Title: How to Address the Ongoing Risk of Log4j Exploitation and Prepare for the Future
Date Published: July 15, 2022

https://www.helpnetsecurity.com/2022/07/15/log4j-risk/

Excerpt: ““Vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the Cyber Safety Review Board (CSRB) has concluded.”

Title: The New Retbleed Speculative Execution Attack Impacts Both Intel and AMD Chips
Date Published: July 14, 2022

https://www.bleepingcomputer.com/news/security/new-lilith-ransomware-emerges-with-extortion-site-lists-first-victim/

Excerpt: “ETH Zurich researchers Johannes Wikner and Kaveh Razavi discovered a new vulnerability, dubbed Retbleed, that affects multiple older AMD and Intel microprocessors. An attacker can exploit the flaw to bypass current defenses and perform in Spectre-based attacks. The Retbleed vulnerability is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel). Experts pointed out that many operating systems use a defense mechanism called retpoline, which works by replacing indirect jumps and calls with returns. Retpolines were first devised in 2018 to prevent Spectre-BTI attacks. The experts discovered that it is possible to exploit return instructions as an attack vector for speculation execution and predict the statements like indirect branches.”

Title: Mantis Botnet Powered the Largest HTTPS DDoS Attack in June
Date Published: July 14, 2022

https://securityaffairs.co/wordpress/133233/hacking/mantis-botnet-record-ddos-attack.html

Excerpt: “In June 2022, DDoS mitigation firm Cloudflare announced it has mitigated the largest HTTPS DDoS attack that was launched by a botnet they have called Mantis. The Mantis botnet generated 26 million request per second using approximately 5000 hijacked virtual machines and powerful servers. Experts consider Mantis as the evolution of the Meris botnet, which is composed of MikroTik devices, but Mantis includes a variety of VM platforms and supports running various HTTP proxies to perform the attacks.”

Title: RedAlert, LILITH, and 0mega, 3 New Ransomware in the Wild 
Date Published: July 15, 2022

https://securityaffairs.co/wordpress/133248/cyber-crime/lilith-redalert-0mega-ransomware.html

Excerpt: “Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega. RedAlert (aka N13V) targets both Windows and Linux VMWare ESXi servers of target organizations. The name RedAlert comes after a string with the same name in the ransom note. Unlike other ransomware operations, RedAlert only accepts ransom payments in Monero. RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), swap files(.vswp), virtual disks(.vmdk), snapshot files (.vmsn) and memory files(.vmem) of VMware ESXi virtual machines. It appends a  “.crypt[Random number]” extension to the filenames of encrypted files. The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.”

Title: Ransomware Attack on US Healthcare Debt Collector Exposes 1.9m Patient Records
Date Published: July 14, 2022

https://www.hackread.com/healthcare-debt-collector-ransomware-attack-patient-records/

Excerpt: “A ransomware attack on a healthcare debt collector has potentially exposed the records of 1.9 million patients. The attack, which occurred in Colorado against Professional Finance Company (PFC), involved the installation of ransomware on the debt collector’s computer systems. Furthermore, the ransomware encrypted the data on the systems, preventing it from being accessed. As a result of the attack, the debt collector was forced to shut down its computer systems. The company maintains that it was able to “detect and stop” the “sophisticated ransomware attack” on February 26, 2022, while the impacted healthcare providers were noticed in May 2022. It is worth noting that this is not the first time when a US-based medical debt collector has suffered a ransomware attack. In August 2020, R1 RCM, formerly Accretive Health Inc., one of the largest medical debt collection firms in the United States, was hit by a major ransomware attack.”

Title: Uniswap V3 LPs Lose Millions in Fake Token Phishing Attack
Date Published: July 14, 2022

https://www.hackread.com/uniswap-v3-lps-lose-millions-fake-token-phishing-attack/

Excerpt: “Uniswap liquidity providers (LPs) have suffered a phishing attack lasting around eight hours. It was a fake token phishing attack in which 73,399 addresses received malicious ERC-20 tokens from where the hacker stole the funds and laundered them through Tornado Cash.”

Title: Journalists Emerge as Favored Attack Target for APTs
Date Published: July 14, 2022

https://threatpost.com/journalists-target-apts/180224/

Excerpt: “Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists. In a Thursday report by Proofpoint, researchers outline individual efforts by advance persistent threat (APT) groups who they say are aligned with China, North Korea, Iran and Turkey. Attacks began in early 2021 and are ongoing, researchers said. According to the report, the APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar, with threat actors targeting email and social-media accounts as phishing inroads in cyberespionage campaigns.”

Recent Posts

July 27, 2022

Title: Phishing Attacks Skyrocket With Microsoft and Facebook as Most Abused Brands Date Published: July 26, 2022 https://threatpost.com/popular-bait-in-phishing-attacks/180281/ Excerpt: “The bloom is back on phishing attacks with criminals doubling down on fake...

July 26, 2022

Title: Nist Updates Healthcare Security Guidance Date Published: July 25, 2022 https://www.infosecurity-magazine.com/news/nist-healthcare-guidance/ Excerpt: “The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for...

July 25, 2022

Title: Lockbit Ransomware Gang Claims to Have Breached the Italian Revenue Agency Date Published: July 25, 2022 https://securityaffairs.co/wordpress/133640/cyber-crime/lockbit-ransomware-italian-revenue-agency.html Excerpt: “The ransomware gang Lockbit claims to have...

July 22, 2022

Title: Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’ Date Published: July 21, 2022 https://threatpost.com/hackers-cyber-mercenaries/180263/ Excerpt: “A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and...

July 21, 2022

Title: Windows 11 Now Blocks Rdp Brute-Force Attacks by Default Date Published: July 21, 2022 https://www.bleepingcomputer.com/news/microsoft/windows-11-now-blocks-rdp-brute-force-attacks-by-default/ Excerpt: “Recent Windows 11 builds come with the Account Lockout...

July 20, 2022

Title: New Luna Ransomware Encrypts Windows, Linux, and Esxi Systems Date Published: July 20, 2022 https://www.bleepingcomputer.com/news/security/new-luna-ransomware-encrypts-windows-linux-and-esxi-systems/ Excerpt: “A new ransomware family dubbed Luna can be used to...

July 18, 2022

Title: A Massive Cyberattack Hit Albania Date Published: July 18, 2022 https://securityaffairs.co/wordpress/133363/cyber-warfare-2/albania-cyber-attack.html Excerpt: “Albania was hit by a massive cyberattack over the weekend, the government confirmed on Monday. A...