July 8, 2022

Fortify Security Team
Jul 8, 2022

Title: Free Decryptor Released for AstraLocker, Yashma Ransomware Victims

Date Published: July 8, 2022

https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/

Excerpt: “New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. The free tool is available for download from Emsisoft’s servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF]. “Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files,” Emsisoft warned. “By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the ‘Add’ button.” The ransomware decryptor will allow you to keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.”

Title: Microsoft Rolls Back Decision to Block Office Macros by Default

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/

Excerpt: “While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on “feedback” until further notice. The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.”

Title: Fake Copyright Complaints Push IcedID Malware Using Yandex Forms

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/

Excerpt: “Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware. For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website’s contact page to send legal threats to convince recipients to download a report of the offending material. These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target’s device with various malware, including BazarLoader, BumbleBee, and IcedID.”

Title: Quantum Ransomware Attack Affects 657 Healthcare Orgs

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-affects-657-healthcare-orgs/

Excerpt: “Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations. Founded in 1904, PFC helps thousands of healthcare, government, and utility organizations across the U.S. ensure that customers pay their invoices on time. The company started notifying the impacted healthcare providers’ patients on May 5, saying that an ongoing investigation discovered that the attackers accessed files containing their personal information before encrypting some of PFC’s systems.”

Title: QNAP Warns of New Checkmate Ransomware Targeting NAS Devices

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/

Excerpt: “Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data. QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.”

Title: Online Programming IDEs can be Used to Launch Remote Cyberattacks

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/online-programming-ides-can-be-used-to-launch-remote-cyberattacks/

Excerpt: “Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. At least one such platform, known as DataCamp, allows threat actors to compile malicious tools, host or distribute malware, and connect to external services. DataCamp provides integrated development environments (IDEs) to close to 10 million users that want to learn data science using various programming languages and technologies (R, Python, Shell, Excel, Git, SQL).”

Title: 54% of SMBs do Not Implement MFA

Date Published: July 8, 2022

https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/

Excerpt: “SMB owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI).”

Title: Russian Cybercrime Trickbot Group is Systematically Attacking Ukraine

Date Published: July 8, 2022

https://securityaffairs.co/wordpress/132999/cyber-crime/trickbot-systematically-attacking-ukraine.html

Excerpt: “BM researchers collected evidence indicating that the Russia-based cybercriminal Trickbot group (aka Wizard Spider, DEV-0193, ITG23) has been systematically attacking Ukraine since the beginning of the Russian invasion of the country. Since February, the Conti ransomware group has taken over TrickBot malware operation and also planned to replace it with BazarBackdoor malware. Between mid-April and mid-June of 2022, the Trickbot group has conducted at least six campaigns against entities in Ukraine. The experts observed the threat actors deploying multiple malware IcedID, CobaltStrike, AnchorMail, and Meterpreter. Experts pointed out that prior to the Russian invasion, the Trickbot gang hasn’t targeted Ukraine and the malware used by the group was configured to not execute on systems using the Ukrainian language.”

Title: Large-Scale Cryptomining Campaign is Targeting the NPM JavaScript Package Repository

Date Published: July 7, 2022

https://securityaffairs.co/wordpress/132983/cyber-crime/cuteboi-cryptomining-campaign-npm.html

Excerpt: “Checkmarx researchers spotted a new large-scale cryptocurrency mining campaign, tracked as CuteBoi, that is targeting the NPM JavaScript package repository. Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after noticing a burst of suspicious NPM users and packages automatically created.”

Title: China’s Tonto Team APT Ramps Up Spy Operations Against Russia

Date Published: July 7, 2022

https://www.darkreading.com/threat-intelligence/china-tonto-team-apt-spy-operations-russia

Excerpt: “Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine’s Computer Emergency Response Team (CERT). The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That’s according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...