August 1, 2022

Fortify Security Team
Aug 1, 2022

Title: Congress Warns of US Court Records System Breach
Date Published: July 29, 2022

https://www.infosecurity-magazine.com/news/congress-us-court-records-breach/

Excerpt: “A cyber-attack on the US justice system has compromised a public document management system, revealed lawmakers on the Hill yesterday. Jerrold Nadler (D-NY), chairman of the House Judiciary Committee, revealed the attack at a hearing on oversight of the Justice Department on Thursday. Nadler said three hostile actors had breached the Public Access to Court Electronic Records and Case Management/Electronic Case File (PACER) system, which provides access to documents across the US court system. The document system had suffered a “system security failure,” Nadler said.”

Title: Threat Actor Claims to Have Hacked European Manufacturer of Missiles MBDA
Date Published: July 31, 2022

https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html

Excerpt: “MBDA is a European multinational developer and manufacturer of missiles that was the result of the merger of the main French, British and Italian missile systems companies (Aérospatiale–Matra, BAE Systems, and Finmeccanica (now Leonardo)). The name MBDA comes from the initialism of the names of the missile companies: Matra, BAe Dynamics and Alenia. A threat actor that goes online with the moniker Adrastea, and that defines itself as a group of independent cybersecurity specialists and researchers, claims to have hacked MBDA. Adrastea said that they have found critical vulnerabilities in the company infrastructure and have stolen 60 GB of confidential data. The attackers said that the stolen data includes information about the employees of the company involved in military projects, commercial activities, contract agreements and correspondence with other companies.”

Title: US Federal Communications Commission (FCC) Warns of the Rise of Smishing Attacks
Date Published: August 1, 2022

https://securityaffairs.co/wordpress/133865/cyber-crime/fcc-warns-smishing-attacks.html

Excerpt: “The Federal Communications Commission (FCC) issued an alert to warn Americans of the rising threat of smishing (robotexts) attacks aimed at stealing their personal information or for financial scams. Threat actors use multiple lures to trick victims into providing their information or sending them money. SMS used by the attackers include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against the victims. In some cases, the information collected as part of these smishing attacks may be used in future scams. The alert recommends Americans don’t respond or click on any links in the message. The alert is based on the increased number of consumer complaints about unwanted text messages; in recent years it rose from approximately 5,700 in 2019 to 14,000 in 2020, 15,300 in 2021, and 8,500 through June 30, 2022.”

Title: The Most Impersonated Brand in Phishing Attacks? Microsoft
Date Published: August 1, 2022

https://www.helpnetsecurity.com/2022/08/01/microsoft-brand-impersonation-phishing-attacks/

Excerpt: “Vade announced its H1 2022 Phishers’ Favorites report, a ranking of the top 25 most impersonated brands in phishing attacks. Microsoft came in at #1 on the list, followed by Facebook. Rounding out the top five are Crédit Agricole, WhatsApp, and Orange.”

Title: Australia Charges Dev of Imminent Monitor RAT Used by Domestic Abusers
Date Published: July 31, 2022

https://www.bleepingcomputer.com/news/security/australia-charges-dev-of-imminent-monitor-rat-used-by-domestic-abusers/

Excerpt: “An Australian man was charged for developing and selling the Imminent Monitor remote access trojan, used to spy on victims’ devices remotely. A remote access trojan is a type of malware that allows full remote access to an infected device, including the ability to execute commands, log keystrokes, steal files and data, install additional software, take screenshots, and even record video from the device’s webcam. These types of malware are very popular among hackers due to their cheap price and the unfettered access they provide to infected devices. However, they are also popular with domestic abusers who use them to spy on their victims. Yesterday, the Australian Federal Police (AFP) announced that they had charged an Australian man, age 24, for developing and selling the Imminent Monitor (IM5) software. The AFP alleges that the man sold the software to more than 14,500 people across 128 countries. Since the operation started in 2013, law enforcement states that the developer made 300,000 to 400,000, which was predominantly used to pay for food deliveries and purchase “other consumable and disposable items.” The Australian man faces six charges with a maximum penalty of 20 years.”

Title: Huge Network of 11,000 Fake Investment Sites Targets Europe
Date Published: July 31, 2022

https://www.bleepingcomputer.com/news/security/huge-network-of-11-000-fake-investment-sites-targets-europe/

Excerpt: “Researchers have uncovered a gigantic network of more than 11,000 domains used to promote numerous fake investment schemes to users in Europe. The platforms show fabricated evidence of enrichment and falsified celebrity endorsements to create an image of legitimacy and lure in a larger number of victims. The goal of the operation is to trick users into an opportunity for high-return investments and convince them to deposit a minimum amount of 250 EUR ($255) to sign up for the fake services. Researchers at cybersecurity company Group-IB discovered the operation and mapped the massive network of phishing sites, content hosts, and redirections. According to Group-IB, more than 5,000 of the identified malicious domains are still active. Currently, the countries targeted in this scheme are the UK, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic.”

Title: Facebook Ads Push Android Adware With 7 Million Installs on Google Play
Date Published: July 30, 2022

https://www.bleepingcomputer.com/news/security/facebook-ads-push-android-adware-with-7-million-installs-on-google-play/

Excerpt: “Several adware apps promoted aggressively on Facebook as system cleaners and optimizers for Android devices are counting millions of installations on Google Play store. The apps lack all of the promised functionality and push advertisements while trying to last as long as possible on the device. To evade deletion, the apps hide on the victim’s device by constantly changing icons and names, masquerading as Settings or the Play Store itself.”

Title: Meta, US Hospitals Sued for Using Healthcare Data to Target Ads
Date Published: July 30, 2022

https://www.bleepingcomputer.com/news/security/meta-us-hospitals-sued-for-using-healthcare-data-to-target-ads/

Excerpt: “A class action lawsuit has been filed in the Northern District of California against Meta (Facebook), the UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations are unlawfully collecting sensitive healthcare data about patients for targeted advertising. This tracking and data collection allegedly takes place in medical portals beyond login walls, where patients enter highly sensitive information about themselves, their conditions, doctors, prescribed medication, and more. According to the lawsuit, neither the hospitals nor Meta informs the patients about the data collection, no user consents are requested, and there is no visible indication of this process. The plaintiffs realized the violation of their privacy when Facebook, the social media platform belonging to Meta, began targeting them with advertisements tailored explicitly for their medical condition.”

Title: CISA Warns of Critical Confluence Bug Exploited in Attacks
Date Published: July 29, 2022

https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/

Excerpt: “CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. As Australian software firm Atlassian revealed last week, unpatched versions of the Questions for Confluence app (installed on more than 8,000 servers) create an account with hardcoded credentials. One day after patching the vulnerability, the company notified admins to fix their servers immediately, seeing that the hardcoded password had been found and shared online. Today, CISA added the CVE-2022-26138 to its catalog of Known Exploited Vulnerabilities (KEV) based on evidence of active exploitation. Cybersecurity firm Rapid7 also published a report Wednesday warning the security flaw is now actively exploited in the wild but did not share any information on the attacks or indicators of compromise collected while investigating them.”

Title: LockBit Ransomware Abuses Windows Defender to Load Cobalt Strike
Date Published: July 29, 2022

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/

Excerpt: “A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software. Cobalt Strike is a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it. However, security solutions have become better at detecting Cobalt Strike beacons, causing threat actors to look for innovative ways to deploy the toolkit. In a recent incident response case for a LockBit ransomware attack, researchers at Sentinel Labs noticed the abuse of Microsoft Defender’s command line tool “MpCmdRun.exe” to side-load malicious DLLs that decrypt and install Cobalt Strike beacons. The initial network compromise in both cases was conducted by exploiting a Log4j flaw on vulnerable VMware Horizon servers to run PowerShell code. Side-loading Cobalt Strike beacons on compromised systems isn’t new for LockBit, as there are reports about similar infection chains relying on the abuse of VMware command line utilities.”
