July 7, 2022

Fortify Security Team
Jul 7, 2022

Title: IT Services Giant SHI Hit By “Professional Malware Attack”

Date Published: July 6, 2022


Excerpt: “SHI International, a New Jersey-based provider of Information Technology (IT) products and services, has confirmed that a malware attack hit its network over the weekend. SHI claims to be one of North America’s largest IT solutions providers, with $12.3 billion in revenue in 2021 and 5,000 employees around the world in operations centers in the U.S., the United Kingdom, and the Netherlands. It also says it provides services to over 15,000 corporate, enterprise, public sector, and academic customer organizations worldwide. “Over the Fourth of July holiday weekend, SHI was the target of a coordinated and professional malware attack,” SHI said in a statement. After the attack, SHI added a message to its website warning customers and visitors that its information systems were undergoing maintenance due to a “sustained outage.” This message was later replaced with the malware attack statement published on the company’s blog.”

Title: Security Advisory Accidentally Exposes Vulnerable Systems

Date Published: July 6, 2022


Excerpt: “A security advisory for a vulnerability (CVE) published by MITRE has accidentally been exposing links to remote admin consoles of over a dozen vulnerable IP devices since at least April 2022.  BleepingComputer became aware of this issue yesterday after getting tipped off by a reader who prefers to remain anonymous. The reader was baffled on seeing several links to vulnerable systems listed within the “references” section of the CVE advisory. CVE advisories published by MITRE get syndicated verbatim across a large number of public sources, feeds, infosec news sites, and vendors providing this data to their customers. The “references” section of these advisories typically lists links to the original source (a writeup, blog post, PoC demo) that explains the vulnerability. However, including links to publicly exposed unpatched systems can potentially allow threat actors to now target these systems and conduct their malicious activities. BleepingComputer conducted some additional investigation as to how this issue may have occurred and reached out to MITRE as well as some security experts to better understand if this is a normal, or even acceptable, practice.”

Title: Apple’s New Lockdown Mode Defends Against Government Spyware

Date Published: July 6, 2022


Excerpt: “Apple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks. Once enabled, the Lockdown Mode will provide Apple customers with messaging, web browsing, and connectivity protections designed to block mercenary spyware (like NSO Group’s Pegasus) used by government-backed hackers to monitor their Apple devices after infecting them with malware. Attackers’ attempts to compromise Apple devices using zero-click exploits targeting messaging apps such as WhatsApp and Facetime or web browsers will get automatically blocked, seeing that vulnerable features like link previews will be disabled.”

Title: Ransomware, Hacking Groups Move from Cobalt Strike to Brute Ratel

Date Published: July 6, 2022


Excerpt: “Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network. For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy “beacons” on compromised devices to perform remote network surveillance or execute commands. While Cobalt Strike is legitimate software, threat actors have been sharing cracked versions online, making it one of the most popular tools used by hackers and ransomware operations to spread laterally through breached corporate networks.”

Title: The Connected Nature of Smart Factories is Exponentially Increasing the Risk of Cyber Attacks

Date Published: July 6, 2022


Excerpt: “51% of industrial organizations believe that the number of cyber attacks on smart factories is likely to increase over the next 12 months, according to the Capgemini Research Institute. Yet, 47% of manufacturers say cybersecurity in their smart factories is not a C-level concern. Around 53% of organizations – including 60% of heavy-industry and 56% of pharma and life sciences firms – agree that most future cyberthreats will feature smart factories as their primary targets. However, a high level of awareness doesn’t automatically translate to business preparedness. A lack of C-suite focus, limited budget, and human factors are noted as the top cybersecurity challenges for manufacturers to overcome.”

Title: Marriott Hit by New Data Breach and a Failed Extortion Attempt

Date Published: July 6, 2022


Excerpt: “Hotel giant Marriott International confirmed it was hit by another data breach after an unknown threat actor breached one of its properties and stole 20GB of files. The attackers could only breach one of the chain’s properties, BWI Airport Marriott, and only had access to its network for a limited time. “This incident only involved one property. The threat actor did not gain access to Marriott’s core network. The access to one device at the property involved only lasted for approximately six hours,” a Marriott spokesperson told BleepingComputer.”

Title: US Govt Warns of Maui Ransomware Attacks Against Healthcare Orgs

Date Published: July 6, 2022


Excerpt: “The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations. Starting in May 2021, the FBI has responded to and detected multiple Maui ransomware attacks impacting HPH Sector orgs across the U.S. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the federal agencies revealed.

Title: Cyberattacks Against Law Enforcement Are on the Rise

Date Published: July 7, 2022


Excerpt: “Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts which belong to law enforcement officers and their internal systems. The emerging trend consists of threat actors sending fake subpoenas and EDR’s (Emergency Data Requests) to their victims from the hacked law enforcement email accounts. Using such capabilities, the threat actors are targeting major technology companies such as Apple, Facebook (Meta), Snapchat, and Discord are to name a few, to collect sensitive information about targets of interest. The replies received by the bad actors contain sensitive details which could/are being used for leverage extortion, or cyberespionage. Such incidents have become especially notable in cybercriminal group activities such as LAPSUS$ and Recursion Group.”

Title: OpenSSL Version 3.0.5 Fixes a Flaw that Could Potentially Lead to RCE

Date Published: July 7, 2022


Excerpt: “The maintainers of the OpenSSL project fixed a high-severity heap memory corruption issue, tracked as CVE-2022-2274, affecting the popular library. This bug makes the RSA implementation with 2048 bit private keys incorrect on such machines and triggers a memory corruption during the computation. A remote attacker can exploit the memory corruption to achieve code execution on the machine while performing the computation. The CVE-2022-2274 vulnerability was introduced in OpenSSL version 3.0.4 released on June 21, 2022.”

Title: OrBit, a New Sophisticated Linux Malware Still Undetected

Date Published: July 7, 2022


Excerpt: “Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected. The malware can be installed as a volatile implant either by achieving persistence on the compromised systems. The malware implements advanced evasion techniques and hooks key functions to maintain persistence on the infected systems. OrBit allows operators to achieve remote access capabilities over SSH, harvests credentials, and logs TTY commands. Experts noticed similarities between the threat and the recently disclosed Symbiote malware which is designed to infect all of the running processes on the compromised machines. Unlike Symiote that leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods. In the first method, the shared object is added to the configuration file that is used by the loader, in the second one the binary of the loader is patched to load the malicious shared object.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...