August 18, 2022

Fortify Security Team

Title: Microsoft Sysmon Can Now Block Malicious EXEs from Being Created

Date Published: August 18, 2022

https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-block-malicious-exes-from-being-created/

Excerpt: “Microsoft has released Sysmon 14 with a new ‘FileBlockExecutable’ option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.  This feature is a powerful tool for system administrators as it allows them to block the creation of executables based on various criteria, such as the file path, whether they match specific hashes, or are dropped by certain executables.  For example, if you have a list of known malware hashes, you can configure Sysmon to block the creation of executables matching those hashes. Or, if you want to prevent malicious Office attachments from dropping malware, you can stop the creation of executables from Word or Excel.”
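
The configuration and verification commands below are an added illustration of the FileBlockExecutable option described in the excerpt; they are not from the article and not Microsoft's own sample. They assume Sysmon64.exe is in the current directory, that the commands run from an elevated PowerShell prompt, that the schemaversion attribute matches the installed binary (check with `.\Sysmon64.exe -s`), and that the SHA256 string is a placeholder to be replaced with a real known-bad hash. The rule group, rule names and the C:\Users\Public\ path rule are example policy, not a recommended production baseline.

```powershell
# Added example: Sysmon 14 FileBlockExecutable rules covering the three criteria the
# article mentions (dropping process, known-bad hash, target path), plus a check that
# the blocks are being recorded. Assumes an elevated prompt and Sysmon64.exe in ".".
$config = @'
<Sysmon schemaversion="4.82">
  <!-- Hashes must be computed for the Hashes rule below to have anything to match -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="BlockDroppedExecutables" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <!-- Criterion 1: block any PE file written by the Office applications -->
        <Image name="office_drop" condition="image">WINWORD.EXE</Image>
        <Image name="office_drop" condition="image">EXCEL.EXE</Image>
        <Image name="office_drop" condition="image">POWERPNT.EXE</Image>
        <!-- Criterion 2: block a known-malware hash wherever it is written
             (placeholder value; replace with a real SHA256 from your blocklist) -->
        <Hashes name="known_bad_hash" condition="contains">SHA256=REPLACE_WITH_KNOWN_BAD_SHA256</Hashes>
        <!-- Criterion 3: block PE creation under a user-writable staging path (example policy) -->
        <TargetFilename name="public_drop" condition="begin with">C:\Users\Public\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

# Write the config and load it. Use -i for a first install, -c to update an existing one.
$config | Set-Content -Path .\sysmon-block.xml -Encoding ASCII
.\Sysmon64.exe -accepteula -i .\sysmon-block.xml

# Verification: every blocked write is logged as Sysmon event ID 27 with the writing
# process (Image), the file it tried to create (TargetFilename) and the file's hashes.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 27 } -MaxEvents 10 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = $x.Event.EventData.Data
    [pscustomobject]@{
      Time     = $_.TimeCreated
      Rule     = ($d | Where-Object Name -eq 'RuleName').'#text'
      Image    = ($d | Where-Object Name -eq 'Image').'#text'
      Target   = ($d | Where-Object Name -eq 'TargetFilename').'#text'
      Hashes   = ($d | Where-Object Name -eq 'Hashes').'#text'
    }
  } | Format-Table -AutoSize
```

Two practical caveats: Sysmon identifies executables by their PE format rather than by extension, so a dropper that writes payload.tmp and renames it is still caught, but the block happens at file creation and does nothing about code already on disk. The Hashes rule only works for the algorithms listed in HashAlgorithms, and a placeholder value like the one above matches nothing, so confirm the rules behave as intended by reviewing event ID 27 in a test environment before rolling the configuration out.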

Title: Amazon Fixes Ring Android App Flaw Exposing Camera Recordings

Date Published: August 18, 2022

https://www.bleepingcomputer.com/news/security/amazon-fixes-ring-android-app-flaw-exposing-camera-recordings/

Excerpt: “Amazon has fixed a high-severity vulnerability in the Amazon Ring app for Android that could have allowed hackers to download customers’ saved camera recordings.  The vulnerability was discovered by security researchers at application security testing company Checkmarx, who found and disclosed the vulnerability to Amazon on May 1st, 2022. Amazon fixed the bug shortly after it was disclosed.  As the Ring Android app has over 10 million downloads and is used by people worldwide, the ability to access a customer’s saved camera recordings could have allowed a wide range of malicious behavior, ranging from extortion to data theft.”

Title: Apple Security Updates Fix 2 Zero-days Used to Hack iPhones, Macs

Date Published: August 17, 2022

https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/

Excerpt: “Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.  Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.  Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited.”

Title: BlackByte Ransomware Gang is Back with New Extortion Tactics

Date Published: August 17, 2022

https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is-back-with-new-extortion-tactics/

Excerpt: “The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.  After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls.  The threat actors are calling this new iteration of their operation BlackByte version 2.0, and while it is not clear if the ransomware encryptor has changed as well, the gang has launched a brand new Tor data leak site.”

Title: APT41 Group: 4 Malicious Campaigns, 13 Victims, New Tools and Techniques

Date Published: August 18, 2022

https://www.helpnetsecurity.com/2022/08/18/apt41-group/

Excerpt: “Group-IB has released new research on the state-sponsored hacker group APT41. The Group-IB Threat Intelligence team estimates that in 2021 the threat actors gained access to at least 13 organizations worldwide. While analyzing the group’s malicious campaigns, experts uncovered adversary techniques and artifacts left by the attackers that point to their origin.  The state-sponsored attacker group APT41 (aka BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon), whose goals are cyber espionage and financial gain, has been active since at least 2007.  Group-IB Threat Intelligence analysts identified four APT41 malware campaigns carried out in 2021 that were geographically spread across the United States, Taiwan, India, Vietnam, and China. The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation. According to Group-IB, there were 13 confirmed victims of APT41 in 2021, but the actual number could be much higher.”

Title: IoT: The Huge Cybersecurity Blind Spot That’s Costing Millions

Date Published: August 18, 2022

https://www.helpnetsecurity.com/2022/08/18/iot-cybersecurity-blind-spots/

Excerpt: “According to Forrester, over 60% of enterprise cyberattacks originate from the trust organizations place in their partner or vendor, and vulnerable devices ending up in the end-product or system ecosystem – which is where the blind spot comes in. We currently don’t have visibility of the security strength of a partner or vendor device/software/component, so we need a way to better assess and validate partners and their products before they form part of an IoT system.  RFPs can help businesses find suppliers that meet their needs from a functionality perspective, but there is still the question of how to properly assess the security of the supplier. Working with multiple partners or vendors will mean those players will, in turn, seek components from elsewhere, bringing even more third parties (with unknown levels of security) into the mix. There’s very limited visibility as to where the new components come from, how rigorously they’ve been tested and how secure they are.  To go back to the door analogy: You might buy a door from Home Depot, only to find out that burglars have found a weakness in its lock and broken into your home. Who knows what vendor supplied the lock – is it them at fault, or Home Depot, or you? Which raises the question: If a system is hacked, who’s to blame?”

Title: PoC Exploit Code for Critical Realtek RCE Flaw Released Online

Date Published: August 18, 2022

https://securityaffairs.co/wordpress/134515/breaking-news/realtek-rce-poc-exploit.html

Excerpt: “The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in Realtek’s SDK for the open-source eCos operating system; it was discovered by researchers from cybersecurity firm Faraday Security.  “On Realtek eCos SDK-based routers, the ‘SIP ALG’ module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The ‘SIP ALG’ module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents,” reads the advisory published by Realtek, which disclosed the issue in March 2022. “A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution.”  Millions of devices, including routers and access points, are exposed to hacking.”

Title: China-linked RedAlpha Behind Multi-year Credential Theft Campaign

Date Published: August 17, 2022

https://securityaffairs.co/wordpress/134519/apt/redalpha-china-credential-theft-campaign.html

Excerpt: “Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked as RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.  Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.””

Title: Researchers Find 35 Adware Apps on Google Play

Date Published: August 18, 2022

https://www.infosecurity-magazine.com/news/researchers-find-35-adware-apps-on/

Excerpt: “Security experts have repeated warnings about malicious applications hiding on official mobile app stores after finding dozens of them on Google Play.  Bitdefender said it identified 35 in total by using behavioral analysis technology to scan the marketplace. They totaled over two million downloads.  The apps perform various malicious activities to achieve persistence on the user’s device and bombard them with advertising, but could also be a conduit for malware, Bitdefender warned.  “Many legitimate apps offer ads to their users, but these ones show ads through their own framework, which means they can also serve other types of malware to their victims,” it said.”

Title: Threat Group Ramps-Up Attacks on Travel Sector in 2022

Date Published: August 18, 2022

https://www.infosecurity-magazine.com/news/threat-group-rampsup-attacks-on/

Excerpt: “Researchers have revealed new details of a prolific APT group which has used 15 malware families over the past four years to steal data from travel and hospitality companies.  The financially motivated group TA558 targets mainly organizations in Latin America and sometimes North America and Western Europe, switching between Portuguese, Spanish and English as it does so, according to Proofpoint.  It primarily uses phishing emails as its access vector, deploying reservation-themed lures with content relevant to the victim organization such as hotel room bookings.  These emails contain either malicious links or attachments designed to covertly install malware, which will then enable reconnaissance, data theft and the download of additional payloads, the report explained.  Among the multiple malware types used by the group are Loda RAT, Vjw0rm, Revenge RAT and AsyncRAT.”
