July 8, 2022

Fortify Security Team
Jul 8, 2022

Title: Free Decryptor Released for AstraLocker, Yashma Ransomware Victims

Date Published: July 8, 2022

https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/

Excerpt: “New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. The free tool is available for download from Emsisoft’s servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF]. “Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files,” Emsisoft warned. “By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the ‘Add’ button.” The ransomware decryptor will allow you to keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.”

Title: Microsoft Rolls Back Decision to Block Office Macros by Default

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/

Excerpt: “While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on “feedback” until further notice. The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.”

Title: Fake Copyright Complaints Push IcedID Malware Using Yandex Forms

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/

Excerpt: “Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware. For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website’s contact page to send legal threats to convince recipients to download a report of the offending material. These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target’s device with various malware, including BazarLoader, BumbleBee, and IcedID.”

Title: Quantum Ransomware Attack Affects 657 Healthcare Orgs

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-affects-657-healthcare-orgs/

Excerpt: “Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations. Founded in 1904, PFC helps thousands of healthcare, government, and utility organizations across the U.S. ensure that customers pay their invoices on time. The company started notifying the impacted healthcare providers’ patients on May 5, saying that an ongoing investigation discovered that the attackers accessed files containing their personal information before encrypting some of PFC’s systems.”

Title: QNAP Warns of New Checkmate Ransomware Targeting NAS Devices

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/

Excerpt: “Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data. QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.”

Title: Online Programming IDEs Can Be Used to Launch Remote Cyberattacks

Date Published: July 7, 2022

https://www.bleepingcomputer.com/news/security/online-programming-ides-can-be-used-to-launch-remote-cyberattacks/

Excerpt: “Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. At least one such platform, known as DataCamp, allows threat actors to compile malicious tools, host or distribute malware, and connect to external services. DataCamp provides integrated development environments (IDEs) to close to 10 million users that want to learn data science using various programming languages and technologies (R, Python, Shell, Excel, Git, SQL).”

Title: 54% of SMBs Do Not Implement MFA

Date Published: July 8, 2022

https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/

Excerpt: “SMB owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI).”

Title: Russian Cybercrime Trickbot Group is Systematically Attacking Ukraine

Date Published: July 8, 2022

https://securityaffairs.co/wordpress/132999/cyber-crime/trickbot-systematically-attacking-ukraine.html

Excerpt: “IBM researchers collected evidence indicating that the Russia-based cybercriminal Trickbot group (aka Wizard Spider, DEV-0193, ITG23) has been systematically attacking Ukraine since the beginning of the Russian invasion of the country. Since February, the Conti ransomware group has taken over the TrickBot malware operation and also planned to replace it with BazarBackdoor malware. Between mid-April and mid-June of 2022, the Trickbot group conducted at least six campaigns against entities in Ukraine. The experts observed the threat actors deploying multiple malware families: IcedID, CobaltStrike, AnchorMail, and Meterpreter. Experts pointed out that prior to the Russian invasion, the Trickbot gang hadn’t targeted Ukraine, and the malware used by the group was configured to not execute on systems using the Ukrainian language.”

Title: Large-Scale Cryptomining Campaign is Targeting the NPM JavaScript Package Repository

Date Published: July 7, 2022

https://securityaffairs.co/wordpress/132983/cyber-crime/cuteboi-cryptomining-campaign-npm.html

Excerpt: “Checkmarx researchers spotted a new large-scale cryptocurrency mining campaign, tracked as CuteBoi, that is targeting the NPM JavaScript package repository. Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after noticing a burst of suspicious NPM users and packages automatically created.”

Title: China’s Tonto Team APT Ramps Up Spy Operations Against Russia

Date Published: July 7, 2022

https://www.darkreading.com/threat-intelligence/china-tonto-team-apt-spy-operations-russia

Excerpt: “Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine’s Computer Emergency Response Team (CERT). The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That’s according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.”
