July 15, 2022

Fortify Security Team
Jul 15, 2022

Title: Microsoft Links Holy Ghost Ransomware Operation to North Korean Hackers
Date Published: July 14, 2022


“For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. The group has been active for quite a while but it failed to gain the notoriety and financial success of other gangs even if the operation followed the same recipe: double extortion combined with a leak site to publish the name of the victims and stolen data.”

Title: Attackers Scan 1.6 million WordPress Sites For Vulnerable Plugin
Date Published: July 15, 2022



Excerpt: “Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284. The vulnerability would allow an unauthenticated attacker to inject malicious Javascript to sites using any version of the plugin and perform actions like uploading and deleting files, which could lead to complete takeover of the site.”

Title: Q-Day: The Problem with Legacy Public Key Encryption
Date Published: July 15, 2022


Excerpt: “In the power circles where policy and technology meet, there always seems to be someone with his or her “hair on fire” about some issue or another, and it can be difficult to differentiate between a serious matter, hype and political theater. When it comes to the looming threat to existing cryptography methods, however, the consensus is clear: Quantum computers will make it possible to crack all current public key encryption. This means that unless people in positions of leadership take action, malicious actors will be able to steal government and industrial secrets, not to mention individuals’ private encrypted information.”

Title: How to Address the Ongoing Risk of Log4j Exploitation and Prepare for the Future
Date Published: July 15, 2022


Excerpt: ““Vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the Cyber Safety Review Board (CSRB) has concluded.”

Title: The New Retbleed Speculative Execution Attack Impacts Both Intel and AMD Chips
Date Published: July 14, 2022


Excerpt: “ETH Zurich researchers Johannes Wikner and Kaveh Razavi discovered a new vulnerability, dubbed Retbleed, that affects multiple older AMD and Intel microprocessors. An attacker can exploit the flaw to bypass current defenses and perform in Spectre-based attacks. The Retbleed vulnerability is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel). Experts pointed out that many operating systems use a defense mechanism called retpoline, which works by replacing indirect jumps and calls with returns. Retpolines were first devised in 2018 to prevent Spectre-BTI attacks. The experts discovered that it is possible to exploit return instructions as an attack vector for speculation execution and predict the statements like indirect branches.”

Title: Mantis Botnet Powered the Largest HTTPS DDoS Attack in June
Date Published: July 14, 2022


Excerpt: “In June 2022, DDoS mitigation firm Cloudflare announced it has mitigated the largest HTTPS DDoS attack that was launched by a botnet they have called Mantis. The Mantis botnet generated 26 million request per second using approximately 5000 hijacked virtual machines and powerful servers. Experts consider Mantis as the evolution of the Meris botnet, which is composed of MikroTik devices, but Mantis includes a variety of VM platforms and supports running various HTTP proxies to perform the attacks.”

Title: RedAlert, LILITH, and 0mega, 3 New Ransomware in the Wild 
Date Published: July 15, 2022


Excerpt: “Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega. RedAlert (aka N13V) targets both Windows and Linux VMWare ESXi servers of target organizations. The name RedAlert comes after a string with the same name in the ransom note. Unlike other ransomware operations, RedAlert only accepts ransom payments in Monero. RedAlert is human-operated ransomware, the ransomware uses NTRUEncrypt public key encryption algorithm for encryption. The ransomware targets a limited types of files, including log files (.log), swap files(.vswp), virtual disks(.vmdk), snapshot files (.vmsn) and memory files(.vmem) of VMware ESXi virtual machines. It appends a  “.crypt[Random number]” extension to the filenames of encrypted files. The Lilith ransomware is written in C/C++ and targets 64-bit Windows systems. The malware appends the “.lilith” extension to the filenames of encrypted files. The threat actors behind this operation adopt a double extortion model.”

Title: Ransomware Attack on US Healthcare Debt Collector Exposes 1.9m Patient Records
Date Published: July 14, 2022


Excerpt: “A ransomware attack on a healthcare debt collector has potentially exposed the records of 1.9 million patients. The attack, which occurred in Colorado against Professional Finance Company (PFC), involved the installation of ransomware on the debt collector’s computer systems. Furthermore, the ransomware encrypted the data on the systems, preventing it from being accessed. As a result of the attack, the debt collector was forced to shut down its computer systems. The company maintains that it was able to “detect and stop” the “sophisticated ransomware attack” on February 26, 2022, while the impacted healthcare providers were noticed in May 2022. It is worth noting that this is not the first time when a US-based medical debt collector has suffered a ransomware attack. In August 2020, R1 RCM, formerly Accretive Health Inc., one of the largest medical debt collection firms in the United States, was hit by a major ransomware attack.”

Title: Uniswap V3 LPs Lose Millions in Fake Token Phishing Attack
Date Published: July 14, 2022


Excerpt: “Uniswap liquidity providers (LPs) have suffered a phishing attack lasting around eight hours. It was a fake token phishing attack in which 73,399 addresses received malicious ERC-20 tokens from where the hacker stole the funds and laundered them through Tornado Cash.”

Title: Journalists Emerge as Favored Attack Target for APTs
Date Published: July 14, 2022


Excerpt: “Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists. In a Thursday report by Proofpoint, researchers outline individual efforts by advance persistent threat (APT) groups who they say are aligned with China, North Korea, Iran and Turkey. Attacks began in early 2021 and are ongoing, researchers said. According to the report, the APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar, with threat actors targeting email and social-media accounts as phishing inroads in cyberespionage campaigns.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...