July 6, 2022

Fortify Security Team

Title: New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers
Date Published: July 5, 2022


Excerpt: “A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMWare ESXi servers in attacks on corporate networks. The new operation was discovered today by MalwareHunterTeam, who tweeted various images of the gang’s data leak site. The ransomware has been called ‘RedAlert’ based on a string used in the ransom note. However, from a Linux encryptor obtained by BleepingComputer, the threat actors call their operation ‘N13V’ internally, as shown below.”

Title: NPM Supply-Chain Attack Impacts Hundreds of Websites and Apps
Date Published: July 5, 2022


Excerpt: “An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated JavaScript code to compromise hundreds of downstream desktop apps and websites. As researchers at supply chain security firm ReversingLabs discovered, the threat actors behind this campaign (known as IconBurst) used typosquatting to infect developers looking for very popular packages, such as umbrellajs and ionic.io NPM modules. If fooled by the very similar module naming scheme, they would add the malicious packages designed to steal data from embedded forms (including those used for sign-in) to their apps or websites.”

Title: Microsoft Quietly Fixes ShadowCoerce Windows NTLM Relay Bug
Date Published: July 5, 2022


Excerpt: “Microsoft has confirmed it fixed a previously disclosed ‘ShadowCoerce’ vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. This NTLM relay attack method can be used by threat actors to force unpatched servers to authenticate against servers under the attacker’s control, leading to a takeover of the Windows domain. As BleepingComputer was told by a Microsoft spokesperson, while there was no public announcement made regarding this issue, the ‘MS-FSRVP coercion abuse PoC aka “ShadowCoerce” was mitigated with CVE-2022-30154, which affected the same component.’”

Title: Why Your API Gateway is Not Enough for API Security?
Date Published: July 6, 2022


Excerpt: “The emergence of cloud computing architectures has caused enterprises to rethink the way applications are scaled. Impetuses were put on companies to get away from deploying full-stack applications via infrastructure such as virtual machines and instead adopt a microservices approach by creating APIs composed of multiple interoperating services. The market for APIs is growing, and so is the threat landscape. While API gateways play a vital role in API management and API delivery, they provide a variety of core functionality for API security. It might be tempting to adhere to API gateway alone to meet security objectives. However, addressing the emerging risks of APIs requires various new sophisticated techniques outside the scope of conventional API gateways.”

Title: The Connected Nature of Smart Factories is Exponentially Increasing the Risk of Cyber Attacks
Date Published: July 6, 2022


Excerpt: “51% of industrial organizations believe that the number of cyber attacks on smart factories is likely to increase over the next 12 months, according to the Capgemini Research Institute. Yet, 47% of manufacturers say cybersecurity in their smart factories is not a C-level concern. Around 53% of organizations – including 60% of heavy-industry and 56% of pharma and life sciences firms – agree that most future cyberthreats will feature smart factories as their primary targets. However, a high level of awareness doesn’t automatically translate to business preparedness. A lack of C-suite focus, limited budget, and human factors are noted as the top cybersecurity challenges for manufacturers to overcome.”

Title: Encryption is High up on Corporate Priority Lists
Date Published: July 6, 2022


Excerpt: “The number of UK organizations implementing data encryption as a core part of their cybersecurity strategy has continued to rise, with 32% introducing a policy to encrypt all corporate information as standard in the last year. In total, 47% now require the encryption of all data, whether it’s at rest or in transit, according to Apricorn. 32% of organizations encrypt all data when it’s stored on their systems or in the cloud. Only 2% do not currently see encryption as a priority. The stakes are getting higher for those organizations that don’t give the approach sufficient attention: 16% of the IT leaders surveyed admitted that a lack of encryption had been the main cause of a data breach within their company, up from 12% in 2021.”

Title: New Hive Ransomware Variant is Written in Rust and Uses Improved Encryption Method
Date Published: July 6, 2022


Excerpt: “The operators of the Hive ransomware upgraded their malware by migrating the malware to the Rust language and implementing a more sophisticated encryption method, Microsoft researchers warn. These upgrades prove that Hive is one of the fastest evolving ransomware families in the cybercrime ecosystem. The Hive ransomware operation has been active since June 2021; it provides Ransomware-as-a-Service Hive and adopts a double-extortion model, threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used a variety of attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.”

Title: Malicious NPM Packages Used to Grab Data From Apps, Websites
Date Published: July 6, 2022


Excerpt: “Researchers from ReversingLabs discovered a couple of dozen NPM packages that included malicious code designed to steal data from apps and web forms on websites that included the modules. The malicious NPM modules were delivered as part of a widespread campaign, tracked as IconBurst, that according to the experts has been active at least since 2021. One of the tainted packages had been downloaded more than 17,000 times.”

Title: Iranian Fars News Agency Claims Cyberattack on a Company Involved in the Construction of Tel Aviv Metro
Date Published: July 5, 2022


Excerpt: “Iran’s Fars News Agency reported on Monday that operating systems and servers of the Tel Aviv Metro were hit by a massive cyberattack. The rail system is still under construction and according to The Jerusalem Post, the infrastructure is the subject of a political debate in Israel. The Fars agency later reported that the attack hit one of the companies involved in the construction of Tel Aviv Metro. Sabareen, a militant Palestinian group, claimed the attack through its Telegram channel. However, the diffusion of news of the attack could be part of propaganda against Israel, according to local media.”

Title: Advanced Phishing Scams Target Middle East and Impersonate UAE Ministry of Human Resources
Date Published: July 5, 2022


Excerpt: “CloudSEK researchers have identified an extensive phishing campaign in which threat actors (TA) were impersonating the Ministry of Human Resources of the UAE government. Spotted through the company’s artificial intelligence (AI) digital risk monitoring platform XVigil, the new threat would target various government and corporate entities across the finance, travel, hospital, legal, oil and gas and consultation industries. ‘The actors created a fake website […] that resembles the legitimate domain […] to defraud users,’ CloudSEK wrote in an advisory. The security experts’ investigation suggests this is a large-scale phishing campaign, mainly targeted at individual job seekers and businesses and exposing them to 419 and BEC scams.”
