July 21, 2022

Fortify Security Team
Jul 21, 2022

Title: Windows 11 Now Blocks Rdp Brute-Force Attacks by Default

Date Published: July 21, 2022


Excerpt: “Recent Windows 11 builds come with the Account Lockout Policy policy enabled by default which will automatically lock user accounts (including Administrator accounts) after 10 failed sign-in attempts for 10 minutes. The account brute forcing process commonly requires guessing the passwords using automated tools. This tactic is now blocked by default on the latest Windows 11 builds (Insider Preview 22528.1000 and newer) after failing to enter the correct password 10 times in a row. “Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston, Microsoft’s VP for Enterprise and OS Security, tweeted Thursday. As Weston also said, brute forcing credentials is a popular tactic among threat actors to breach Windows systems via Remote Desktop Protocol (RDP) when they don’t know the account passwords. The use of Windows Remote Desktop Services to breach enterprise networks is so prevalent among cybercriminals that the FBI said RDP is responsible for roughly 70-80% of all network breaches leading to ransomware attacks.”

Title: New ‘Lightning Framework’ Linux Malware Installs Rootkits, Backdoors

Date Published: July 21, 2022


Excerpt: “A new and previously undetected malware dubbed ‘Lightning Framework’ targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. Described as a “Swiss Army Knife” in a report published today by Intezer, Lightning Framework is a modular malware that also comes with support for plugins. “The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration,” Intezer security researcher Ryan Robinson said.”

Title: Microsoft Resumes Default Blocking of Office Macros After Updating Docs

Date Published: July 21, 2022


Excerpt: “Microsoft announced today that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback. The change comes after the company improved its user and admin support documentation to make it easier to understand the available options when a macro is blocked. “Based on our review of customer feedback, we’ve made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios,” Microsoft explained in a new update in the Microsoft 365 message center.”

Title: New Redeemer Ransomware Version Promoted on Hacker Forums

Date Published: July 21, 2022


Excerpt: “A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate. Unlike many Ransomware-as-a-Service (RaaS) operations, anyone can download and use the Redeemer ransomware builder to launch their own attacks. However, when a victim decides to pay the ransom, the author receives 20% of the fees and shares the master key to be combined with the private build key held by the affiliate for decryption.”

Title: Neopets Data Breach Exposes Personal Data of 69 Million Members

Date Published: July 20, 2022


Excerpt: “Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. Neopets is a popular website where members can own, raise, and play games with their virtual pets. Neopets recently launched NFTs that will be used as part of an online Metaverse game. On Tuesday, a hacker known as ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, worth approximately $94,000 at today’s prices.”

Title: Google Boosts Android Privacy With Support for DNS-Over-HTTP/3

Date Published: July 20, 2022


Excerpt: “Google has added support for the DNS-over-HTTP/3 (DoH3) protocol on Android 11 and later to increase the privacy of DNS queries while providing better performance. HTTP/3 is the third major version of the Hypertext Transfer Protocol, which relies on QUIC, a multiplexed transport protocol built on UDP, rather than TCP like previous versions. The new protocol fixes the problem of “head-of-line blocking,” which slows down internet data transactions when a packet is lost or reordered, something quite common when moving around on mobile and switching connections frequently.”

Title: Atlassian Fixes Critical Confluence Hardcoded Credentials Flaw

Date Published: July 20, 2022


Excerpt: “Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers. The hardcoded password is added after installing the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) for a user account with the username disabledsystemuser — designed to help admins with the migration of data from the app to the Confluence Cloud. According to Atlassian, the app helps improve communication with the organization’s internal Q&A team and is currently installed on over 8,000 Confluence servers.”

Title: Google Calendar Provides New Way to Block Invitation Phishing

Date Published: July 20, 2022


Excerpt: “The Google Workspace team announced today that it started rolling out a new method to block Google Calendar invitation spam, available to all customers, including legacy G Suite Basic and Business users. “To help keep your Google Calendar free from spam, you can now select an option to display events on your calendar only if they come from a sender you know,” the Google Workspace team said today. “If you select this option, you still get email event invitations from unknown senders, but they appear on your calendar only after you accept.” According to Google, known senders that you would receive invitations from include people in your same company domain, in your contacts list, or with whom you’ve interacted before. After rolling out, Google Workspace admins can change from the default option allowing invitations from everyone to the new option at the domain level.”

Title: 3rd Party Services Are Falling Short on Password Security

Date Published: July 20, 2022


Excerpt: “Preventing the use of weak and leaked passwords within an enterprise environment is a manageable task for your IT department, but what about other services where end-users share business-critical data in order to do their work? They could be putting your organization at risk, and the team at Specops Software decided to see for sure. Specops Software investigated the requirements of five common web services to see if leaked passwords could open the door for hackers looking for company information outside of the Active Directory network.  In other words, if a hacker is unable to access a company’s data directly, they might use the backdoor approach of accessing a service used by the company to learn where that company is vulnerable. We know this type of shadow IT is risky for organizations, as it falls beyond the jurisdiction of most IT security teams—this data shows us just how risky it can be.
The Specops dev team investigated five popular services from a variety of industries such as ecommerce, project management, email marketing, and customer support. The analysis compared the password requirements against a subset of the Specops Breached Password Protection list, containing 1 billion known compromised passwords.”

Title: FBI Recovers $500,000 Healthcare Orgs Paid to Maui Ransomware

Date Published: July 20, 2022


Excerpt: “The U.S. Department of Justice has announced the seizure of approximately $500,000 in Bitcoin, paid by American health care providers to the operators of the Maui ransomware strain. At the start of this month, Maui was highlighted by the FBI and CISA as a new North Korean-backed ransomware operation extorting western organizations with encryption attacks. The particular ransomware operation demonstrated an inclination towards healthcare and public health organizations in its targeting, causing life-threatening service outages.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...