July 20, 2022

Fortify Security Team
Jul 21, 2022

Title: New Luna Ransomware Encrypts Windows, Linux, and ESXi Systems

Date Published: July 20, 2022


Excerpt: “A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems. Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company’s Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors. “The advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded inside the binary contains spelling mistakes. For example, it says ‘a little team’ instead of ‘a small team’,” Kaspersky said. “Because of this, we assume with medium confidence that the actors behind Luna are speakers of Russian.” Luna (Russian for moon) is very simple ransomware still under development and with limited capabilities based on the available command line options. However, it uses a not-so-common encryption scheme, combining fast and secure X25519 elliptic curve Diffie-Hellman key exchange using Curve25519 with the Advanced Encryption Standard (AES) symmetric encryption algorithm.”

Title: Hacking Group ‘8220’ Grows Cloud Botnet to More Than 30,000 Hosts

Date Published: July 19, 2022


Excerpt: “A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts. The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Aliyun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache. Previous attacks from this gang relied on a publicly available exploit to compromise Confluence servers. After gaining access, the attackers use SSH brute forcing to spread further and hijack available computational resources to run cryptominers pointing to untraceable pools. The 8220 Gang has been active since at least 2017 and isn’t considered particularly sophisticated, but the sudden explosion in infection numbers underlines how dangerous and impactful these lower tier actors can still be when they’re devoted to their goals.”

Title: Building Materials Giant Knauf Hit by Black Basta Ransomware Gang

Date Published: July 19, 2022


Excerpt: “The Knauf Group has announced it has been the target of a cyberattack that has disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident. The cyberattack took place on the night of June 29, and at the time of writing this, Knauf is still in the process of forensic investigation, incident response, and remediation. “We are currently working heavily to mitigate the impact to our customers and partners – as well as to plan a safe recovery. However, we apologize for any inconvenience or delays in our delivery processes, that may occur,” reads the short announcement posted on Knauf’s main page. Emails seen by BleepingComputer warned that email systems were shut down as part of the response to the attack but that mobile phones and Microsoft Teams were still working for communication. Knauf is a German-based multinational building and construction materials producer that holds approximately 81% of the world’s wallboard market. The firm operates 150 production sites in several countries worldwide and owns U.S.-based Knauf Insulation and USG Corporation. Notably, Knauf Insulation has also posted a notice about the cyberattack on its site, so that entity has been impacted too.”

Title: UK Heat Wave Causes Google and Oracle Cloud Outages

Date Published: July 19, 2022


Excerpt: “An ongoing heatwave in the United Kingdom has led to Google Cloud and Oracle Cloud outages after cooling systems failed at the companies’ data centers. For the past week, the United Kingdom has suffered an ongoing record-breaking heat wave causing stifling temperatures throughout the region. However, today, with temperatures reaching a record-breaking 40.2 degrees Celsius (104.4 Fahrenheit), cooling systems at data centers used by Google and Oracle to host their cloud infrastructure have begun to fail.”

Title: EU Warns of Russian Cyberattack Spillover, Escalation Risks

Date Published: July 19, 2022


Excerpt: “The Council of the European Union (EU) said today that Russian hackers and hacker groups increasingly attacking “essential” organizations worldwide could lead to spillover risks and potential escalation. “This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation,” the High Representative on behalf of the EU said Tuesday. “The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed.” In this context, the EU reminded Russia that all United Nations member states must adhere to the UN’s Framework of responsible state behavior in cyberspace to ensure international security and peace. The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory. The Minister for Foreign Affairs of Belgium also said today that multiple Chinese state-sponsored threat groups (including APT27, APT30, APT31, and Gallium) have been targeting the Belgian defense and interior ministries.”

Title: Malicious Android Apps With 300K Installs Found on Google Play

Date Published: July 19, 2022


Excerpt: “Cybersecurity researchers have discovered three Android malware families infiltrating the Google Play Store, hiding their malicious payloads inside many seemingly innocuous applications. The malicious activities suffered by users who installed the malware apps included stolen data, social media account takeovers, SMS interception, and unauthorized charges to their mobile numbers. The malware families discovered by Zscaler’s ThreatLabz on the Google Play Store are known as “Joker,” “Facestealer,” and “Coper.” The analysts informed Google of their findings, and all apps have since been removed from the Play Store. However, those still using these malicious apps will need to remove them and perform a device clean-up to uproot any remnants.”

Title: Russian Hackers Use Fake DDoS App to Infect Pro-Ukrainian Activists

Date Published: July 19, 2022


Excerpt: “Google’s Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations. In a report regarding recent cyber activity in Eastern Europe, Google TAG security engineer Billy Leonard revealed that hackers who are part of the Turla Russian APT group have also been spotted deploying their first Android malware. They camouflaged it as a DDoS attack tool and hosted it on cyberazov[.]com, a domain spoofing the Ukrainian Azov Regiment.”

Title: Belgium Says Chinese Hackers Attacked Its Ministry of Defense

Date Published: July 19, 2022


Excerpt: “The Minister for Foreign Affairs of Belgium says multiple Chinese state-backed threat groups targeted the country’s defense and interior ministries. “Belgium exposes malicious cyber activities that significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence,” the foreign minister said. “Belgium assesses these malicious cyber activities to have been undertaken by Chinese Advanced Persistent Threats (APT).” Chinese authorities were urged to adhere to responsible state behavior norms as endorsed by all United Nations member states and to take action against such malicious activity originating from its territory. The cyberespionage groups named in the Belgian Government statement are APT27, APT30, APT31, and a fourth threat group tracked under multiple names, including Gallium, Softcell, and UNSC 2814.”

Title: Hackers Steal 50,000 Credit Cards From 300 U.S. Restaurants

Date Published: July 19, 2022


Excerpt: “Payment card details from customers of more than 300 restaurants have been stolen in two web-skimming campaigns targeting three online ordering platforms. Web-skimmers, or Magecart malware, are typically JavaScript code that collects credit card data when online shoppers type it on the checkout page. Recently, Recorded Future’s threat detection tools identified two Magecart campaigns injecting malicious code into the online ordering portals of MenuDrive, Harbortouch, and InTouchPOS. As a result, 50,000 payment cards were stolen and have already been offered for sale on various marketplaces on the dark web.”

Title: Air-Gapped Systems Leak Data via SATA Cable WiFi Antennas

Date Published: July 19, 2022


Excerpt: “A security researcher has found a new way to steal data from air-gapped systems by using serial ATA (SATA) cables present inside most computers as a wireless antenna that sends out data via radio signals. Air-gapped systems are used in critical environments that need to be physically isolated from less secure networks, such as those connected to the public internet. They are typically seen in military, government, and nuclear development programs, as well as industrial control systems in critical sectors (e.g. oil, gas, financial, electric power). Dubbed “SATAn”, the attack was discovered by Mordechai Guri, the Head of R&D of The Cyber Security Research Labs at Ben-Gurion University in Israel, and could theoretically help an adversary steal sensitive information.”
