July 25, 2022

Fortify Security Team

Title: Lockbit Ransomware Gang Claims to Have Breached the Italian Revenue Agency
Date Published: July 25, 2022


Excerpt: “The ransomware gang Lockbit claims to have hacked the Italian Revenue Agency (Agenzia delle Entrate) and added the government agency to the list of victims reported on its dark web leak site. The group claims to have stolen 78GB of data, including company documents, scans, financial reports, and contracts; it plans to release screenshots of files and samples very soon. If the attack is confirmed, it can represent one of the most severe incidents suffered by Italian government agencies. The Agenzia delle Entrate, or the Italian Revenue Agency, enforces the financial code of Italy and collects taxes and revenue. The agency provides several online services for Italian and non-Italian taxpayers. At this time it is not unknown if the ransomware gang has already contacted the Italian government or the amount of the ransom it is demanding. The Lockbit ransomware gang gives 5 days to the Agency to pay the ransomware to avoid the leak of stolen data. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.”

Title: Drupal Developers Fixed a Code Execution Flaw in the Popular CMS
Date Published: July 25, 2022


Excerpt: “Drupal developers have released security updates to address multiple vulnerabilities in the popular CMS: The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for the above vulnerabilities. The most severe one, rated as “critical,” is an arbitrary PHP code execution tracked as CVE-2022-25277. In order to mitigate the issue, it is mandatory for the field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads. The vulnerability impacts 9.4, and 9.3 versions, the advisory states that the issue only affects Apache web servers with specific configurations.”

Title: Trust in Fintech Security Has Been Wavering
Date Published: July 25, 2022


Excerpt: “In Q1 of 2022, fintech companies experienced 2.5 times more attacks than in the two previous years. The growing rate of cybercrime has added to the market unrest and questioned fintech preparedness; some claimed that the industry players are more susceptible to virtual threats than traditional banking, with greater resources at their disposal. Thibaud Catry, Head of Compliance at ConnectPay, said that claims about diminishing fintech security are far-fetched, although he encouraged ramping up defenses due to rising cyber threats. He also noted that, in a way, the long-standing credibility of legacy banks puts them at greater risk. For instance, in phishing assaults, large banks are frequently a better target for fraudsters as they service an incredibly high number of people.”

Title: Amadey Malware Pushed via Software Cracks in Smokeloader Campaign
Date Published: July 24, 2022


Excerpt: “A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures. Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads. While its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still very active SmokeLoader malware. This is a departure from Amadey’s reliance on the Fallout and Rig exploit kits, which have generally fallen out of popularity as they target dated vulnerabilities.”

Title: Qbot Phishing Uses Windows Calculator Sideloading to Infect Devices
Date Published: July 24, 2022


Excerpt: “The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers. DLL side-loading is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in Windows. It consists of spoofing a legitimate DLL and placing it in a folder from where the operating system loads it instead of the legitimate one. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan but evolved into a malware dropper, and is used by ransomware gangs in the early stages of the attack to drop Cobalt Strike beacons. Security researcher ProxyLife recently discovered that Qakbot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11. The method continues to be used in malspam campaigns.”
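The excerpt above describes the mechanism behind DLL side-loading: the loader looks in the application's own directory before the Windows system directories, so a planted DLL that carries the name of a legitimate system DLL is picked up instead of the real one. The script below is an added defender-side example, not code from the article or from any of the researchers it cites. It lists the DLLs sitting next to an executable, looks for names that also exist among known system DLLs, and compares content hashes; a same-named DLL whose hash differs from the system copy is the classic side-loading indicator. All paths, DLL names and file contents are constructed for the example, and the function names are this example's own assumptions.

```python
"""Added example: flag DLLs placed beside an application that shadow a
Windows system DLL of the same name.

All file contents, paths and DLL names below are constructed; in real use
the two dictionaries would be built by reading the application directory
and a known-good system directory from disk.
"""
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare a suspect DLL with the system copy."""
    return hashlib.sha256(data).hexdigest()


def find_sideload_candidates(app_files: dict, system_files: dict) -> list:
    """Return (path, verdict) for every DLL in app_files whose file name also
    appears in system_files.

    Both arguments map a Windows path string to the file's bytes. Names are
    compared case-insensitively, as the loader does. Verdict is "modified"
    when the content hash differs from the system copy (the side-loading
    pattern) and "identical" when it is a byte-for-byte copy.
    """
    system_hash_by_name = {
        PureWindowsPath(path).name.lower(): sha256_hex(data)
        for path, data in system_files.items()
    }
    findings = []
    for path, data in app_files.items():
        name = PureWindowsPath(path).name.lower()
        if not name.endswith(".dll") or name not in system_hash_by_name:
            continue  # app-specific DLL, or not a DLL at all: nothing to shadow
        verdict = "identical" if sha256_hex(data) == system_hash_by_name[name] else "modified"
        findings.append((path, verdict))
    return findings


# Constructed sample data standing in for real directory listings.
SYSTEM_DLLS = {
    r"C:\Windows\System32\sysapi.dll": b"MZ sysapi genuine (constructed)",
    r"C:\Windows\System32\imaging.dll": b"MZ imaging genuine (constructed)",
}
APP_DIR = {
    r"C:\Users\alice\Downloads\tool\tool.exe": b"MZ tool (constructed)",
    r"C:\Users\alice\Downloads\tool\imaging.dll": b"MZ not the real imaging (constructed)",
    r"C:\Users\alice\Downloads\tool\helper.dll": b"MZ app-specific helper (constructed)",
}

if __name__ == "__main__":
    for path, verdict in find_sideload_candidates(APP_DIR, SYSTEM_DLLS):
        print(f"{verdict:9} {path}")
```

The check deliberately reports byte-identical copies too: a legitimate, signed system DLL has no business being duplicated next to a downloaded executable, and in the calculator case the article describes, the signed executable itself is the legitimate part while the DLL dropped beside it is the payload, so directory placement rather than the executable's signature is the signal to watch.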

Title: North Korean Hackers Attack EU Targets With Konni Rat Malware
Date Published: July 23, 2022


Excerpt: “Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries. In this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host. Konni has been associated with North Korean cyberattacks since 2014, and most recently, it was seen in a spear-phishing campaign targeting the Russian Ministry of Foreign Affairs. The latest and still ongoing campaign was observed and analyzed by researchers at Securonix, who call it STIFF#BIZON, and resembles tactics and methods that match the operational sophistication of an APT (advanced persistent threat).”

Title: Chrome Use Subject to Restrictions in Dutch Schools Over Data Security Concerns
Date Published: July 23, 2022


Excerpt: “The Dutch Ministry of Education has decided to impose some restrictions on the use of the Chrome OS and Chrome web browser until August 2023 over concerns about data privacy. The officials worry that Google services collect student data and make it available to large advertising networks, who use it for purposes beyond helping education. Since the national watchdog doesn’t know where or how the students’ personal data is stored and processed, there are concerns about violating the European Union’s GDPR (General Data Protection Regulation).”

Title: Hacker Selling Twitter Account Data of 5.4 Million Users for $30K
Date Published: July 22, 2022


Excerpt: “Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000. Yesterday, a threat actor known as ‘devil’ said on a stolen data market that the database contains info about various accounts, including celebrities, companies, and random users. “Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact),” reads the forums post selling the Twitter data.”

Title: Digital Security Giant Entrust Breached by Ransomware Gang
Date Published: July 22, 2022


Excerpt: “Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems. Entrust is a security firm focused on online trust and identity management, offering a wide range of services, including encrypted communications, secure digital payments, and ID issuance solutions. Depending on what data was stolen, this attack could impact a large number of critical and sensitive organizations that use Entrust for identity management and authentication. This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.”

Title: Sonicwall: Patch Critical SQL Injection Bug Immediately
Date Published: July 22, 2022


Excerpt: “SonicWall has published a security advisory today to warn of a critical SQL injection flaw impacting the GMS (Global Management System) and Analytics On-Prem products. “SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately,” warns SonicWall in an advisory. The flaw, tracked as CVE-2022-22280, allows SQL injection due to improper neutralization of special elements used in an SQL Command. It carries a severity rating of 9.4, categorizing it as “critical”, and is exploitable from the network without requiring authentication or user interaction, while it also has low attack complexity. SonicWall clarifies that they are not aware of any reports of active exploitation in the wild or the existence of a proof of concept (PoC) exploit for this vulnerability as of yet.”
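The advisory's wording, "improper neutralization of special elements used in an SQL command", is the standard description of the injection weakness class (CWE-89). The snippet below is an added example, not code from SonicWall's products or from the article, showing what that phrase means in practice: a lookup that splices a caller-supplied value into SQL text next to the same lookup done with parameter binding, run against an in-memory SQLite table of constructed rows. The table, the row data and the function names are this example's own assumptions.

```python
"""Added example: CWE-89 (improper neutralization) side by side with the
parameter-binding fix, against a constructed in-memory SQLite table.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed inventory table of managed devices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("fw-edge-01", "netops"), ("fw-edge-02", "netops"), ("mgmt-01", "admins")],
    )
    return conn


def devices_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: owner is concatenated into the SQL text, so a quote
    character inside it terminates the literal and whatever follows is parsed
    as SQL. Nothing neutralizes the special characters: this is CWE-89."""
    sql = "SELECT name FROM devices WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def devices_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Fixed: owner travels as a bound parameter and never becomes SQL text,
    so quotes and other special characters are treated as plain data."""
    sql = "SELECT name FROM devices WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = make_db()
    print(devices_for_owner_unsafe(conn, "admins"))  # ['mgmt-01']
    hostile = "nobody' OR '1'='1"
    print(devices_for_owner_unsafe(conn, hostile))   # all three rows: the filter is bypassed
    print(devices_for_owner_safe(conn, hostile))     # []: the whole string is matched as a value
```

The unauthenticated, network-reachable, low-complexity profile the advisory gives this bug is exactly what the unsafe function illustrates: a single string reaching the query builder from the outside is enough, which is why the fix belongs in the query layer (binding every external value) rather than in input filtering alone.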
