August 18, 2022

Fortify Security Team

Title: Microsoft Sysmon Can Now Block Malicious EXEs from Being Created

Date Published: August 18, 2022

https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-block-malicious-exes-from-being-created/

Excerpt: “Microsoft has released Sysmon 14 with a new ‘FileBlockExecutable’ option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.  This feature is a powerful tool for system administrators as it allows them to block the creation of executables based on various criteria, such as the file path, whether they match specific hashes, or are dropped by certain executables.  For example, if you have a list of known malware hashes, you can configure Sysmon to block the creation of executables matching those hashes. Or, if you want to prevent malicious Office attachments from dropping malware, you can stop the creation of executables from Word or Excel.”

Title: Amazon Fixes Ring Android App Flaw Exposing Camera Recordings

Date Published: August 18, 2022

https://www.bleepingcomputer.com/news/security/amazon-fixes-ring-android-app-flaw-exposing-camera-recordings/

Excerpt: “Amazon has fixed a high-severity vulnerability in the Amazon Ring app for Android that could have allowed hackers to download customers’ saved camera recordings.  The vulnerability was discovered by security researchers at application security testing company Checkmarx, who found and disclosed the vulnerability to Amazon on May 1st, 2022. Amazon fixed the bug shortly after it was disclosed.  As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer’s saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft.”

Title: Apple Security Updates Fix 2 Zero-days Used to Hack iPhones, Macs

Date Published: August 17, 2022

https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/

Excerpt: “Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.  Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.  Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.”

Title: BlackByte Ransomware Gang is Back with New Extortion Tactics

Date Published: August 17, 2022

https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is-back-with-new-extortion-tactics/

Excerpt: “The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.  After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls.  The threat actors are calling this new iteration of their operation BlackByte version 2.0, and while it is not clear if the ransomware encryptor has changed as well, the gang has launched a brand new Tor data leak site.”

Title: APT41 Group: 4 Malicious Campaigns, 13 Victims, New Tools and Techniques

Date Published: August 18, 2022

https://www.helpnetsecurity.com/2022/08/18/apt41-group/

Excerpt: “Group-IB has released new research on the state-sponsored hacker group APT41. The Group-IB Threat Intelligence team estimates that in 2021 the threat actors gained access to at least 13 organizations worldwide. While analyzing the group’s malicious campaigns, experts uncovered adversary techniques and artifacts left by the attackers that point to their origin.  The state-sponsored attacker group APT41 (aka BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon), whose goals are cyber espionage and financial gain, has been active since at least 2007.  Group-IB Threat Intelligence analysts identified four APT41 malware campaigns carried out in 2021 that were geographically spread across the United States, Taiwan, India, Vietnam, and China. The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation. According to Group-IB, there were 13 confirmed victims of APT41 in 2021, but the actual number could be much higher.”

Title: IoT: The Huge Cybersecurity Blind Spot That’s Costing Millions

Date Published: August 18, 2022

https://www.helpnetsecurity.com/2022/08/18/iot-cybersecurity-blind-spots/

Excerpt: “According to Forrester, over 60% of enterprise cyberattacks originate from the trust organizations place in their partner or vendor, and vulnerable devices ending up in the end-product or system ecosystem – which is where the blind spot comes in. We currently don’t have visibility of the security strength of a partner or vendor device/software/component, so we need a way to better assess and validate partners and their products before they form part of an IoT system.  RFPs can help businesses find suppliers that meet their needs from a functionality perspective, but there is still the question of how to properly assess the security of the supplier. Working with multiple partners or vendors will mean those players will, in turn, seek components from elsewhere, bringing even more third parties (with unknown levels of security) into the mix. There’s very limited visibility as to where the new components come from, how rigorously they’ve been tested and how secure they are.  To go back to the door analogy: You might buy a door from Home Depot, only to find out that burglars have found a weakness in its lock and broken into your home. Who knows what vendor supplied the lock – is it them at fault, or Home Depot, or you? Which raises the question: If a system is hacked, who’s to blame?”

Title: PoC Exploit Code for Critical Realtek RCE Flaw Released Online

Date Published: August 18, 2022

https://securityaffairs.co/wordpress/134515/breaking-news/realtek-rce-poc-exploit.html

Excerpt: “The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in Realtek’s SDK for the open-source eCos operating system; it was discovered by researchers from cybersecurity firm Faraday Security.  ‘On Realtek eCos SDK-based routers, the “SIP ALG” module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The “SIP ALG” module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents,’ reads the advisory published by Realtek, which published the issue in March 2022. ‘A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.’  Millions of devices, including routers and access points, are exposed to hacking.”

Title: China-linked RedAlpha Behind Multi-year Credential Theft Campaign

Date Published: August 17, 2022

https://securityaffairs.co/wordpress/134519/apt/redalpha-china-credential-theft-campaign.html

Excerpt: “Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked as RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.  Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called ‘Nanjing Qinglan Information Technology Co., Ltd.’ is now known as ‘Jiangsu Cimer Information Security Technology Co. Ltd.’”

Title: Researchers Find 35 Adware Apps on Google Play

Date Published: August 18, 2022

https://www.infosecurity-magazine.com/news/researchers-find-35-adware-apps-on/

Excerpt: “Security experts have repeated warnings about malicious applications hiding on official mobile app stores after finding dozens of them on Google Play.  Bitdefender said it identified 35 in total by using behavioral analysis technology to scan the marketplace. They totaled over two million downloads.  The apps perform various malicious activities to achieve persistence on the user’s device and bombard them with advertising, but could also be a conduit for malware, Bitdefender warned.  “Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims,” it said.”

Title: Threat Group Ramps Up Attacks on Travel Sector in 2022

Date Published: August 18, 2022

https://www.infosecurity-magazine.com/news/threat-group-rampsup-attacks-on/

Excerpt: “Researchers have revealed new details of a prolific APT group which has used 15 malware families over the past four years to steal data from travel and hospitality companies.  Financially motivated, group TA558 targets mainly organizations in Latin America and sometimes North America and Western Europe, switching between Portuguese, Spanish and English as it does so, according to Proofpoint.  It primarily uses phishing emails as its access vector, deploying reservation-themed lures with content relevant to the victim organization such as hotel room bookings.  These emails contain either malicious links or attachments designed to covertly install malware, which will then enable reconnaissance, data theft and the download of additional payloads, the report explained.  Among the multiple malware types used by the group are Loda RAT, Vjw0rm, Revenge RAT and AsyncRAT.”
