August 19, 2022

Fortify Security Team

Title: LockBit Claims Ransomware Attack on Security Giant Entrust

Date Published: August 18, 2022

Excerpt: “The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. Last month, BleepingComputer broke the story that Entrust suffered a ransomware attack on June 18th, 2022. Starting in early June, Entrust had begun to tell customers that they suffered a cyberattack where data was stolen from internal systems.”

Title: Apple Releases Safari 15.6.1 to Fix Zero-day Bug Used in Attacks

Date Published: August 18, 2022

Excerpt: “Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs. The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device. ‘Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,’ warns Apple in a security bulletin released today.”

Title: Exploiting Stolen Session Cookies to Bypass Multi-factor Authentication (MFA)

Date Published: August 19, 2022

Excerpt: “Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication (MFA) and gain access to corporate resources, according to Sophos.  In some cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executables to disguise the malicious activity. Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.”

Title: Cisco Fixes High-Severity Bug in Secure Web Appliance

Date Published: August 19, 2022

Excerpt: “Cisco Secure Web Appliance (formerly Secure Web Appliance (WSA)) offers protection from malware and web-based attacks and provides application visibility and control.  Cisco has addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2022-20871, that resides in the web management interface of AsyncOS for Cisco Secure Web Appliance.  An authenticated, remote attacker can exploit this issue to perform a command injection and elevate privileges to root.”

Title: Bumblebee Attacks, From Initial Access to the Compromise of Active Directory Services

Date Published: August 19, 2022

Excerpt: “The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network.  Most Bumblebee infections started by users executing LNK files which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment or a link to the malicious archive containing Bumblebee.  After initial execution, Bumblebee was used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.  Threat actors conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration.”

Title: Estonia Blocked Cyberattacks Claimed by Pro-Russia Killnet Group

Date Published: August 19, 2022

Excerpt: “Undersecretary for Digital Transformation Luukas Ilves announced that Estonia was hit by the most extensive wave of DDoS attacks it has faced since 2007. The DDoS attacks targeted both public institutions and the private sector. The pro-Russia hacker group Killnet claimed responsibility for the attacks. Ilves confirmed that Estonian cyber units were able to block the attacks. e-Estonia services were not disrupted. e-Estonia refers to a movement by the government of Estonia to facilitate citizen interactions with the state through the use of electronic solutions. E-services created under this initiative include i-Voting, e-Tax Board, e-Business, e-Banking, e-Ticket, e-School, University via internet, the E-Governance Academy, as well as the release of several mobile applications.”

Title: Google Blocked the Largest Layer 7 DDoS Reported to Date

Date Published: August 18, 2022

Excerpt: “Google announced that it has blocked the largest-ever HTTPS DDoS attack, which hit one of its Cloud Armor customers. The IT giant revealed that the attack reached 46 million requests per second (RPS). The attack took place on June 1st at 09:45; it started with more than 10,000 requests per second (RPS) and targeted a customer’s HTTP/S Load Balancer. Eight minutes later, the attack grew to 100,000 requests per second, and two minutes later it reached 46 million RPS. The DDoS attack lasted 69 minutes. The company pointed out that the volume of requests per second is at least 76% more than the previous record, which was blocked by Cloudflare in June and reached 26 million RPS.”

Title: UK Carrier Claims to Block One Million Vishing Calls Per Day

Date Published: August 19, 2022

Excerpt: “UK carrier EE claims to have blocked 11 million scam phone calls since rolling out new AI technology in July to detect potential vishing attacks.  The firm said it uses the unnamed firewall technology to check Calling Line Identification (CLI) data and block calls which originate abroad but are spoofed to appear as if made from UK numbers.  CLI allows the person receiving a call to see the number of the caller. However, scammers often try to trick victims by displaying a fake number. Vishing calls could be used to trick the victim into handing over personal and financial information, or even to provide access to their devices/PCs, EE said.  EE claimed the new tech is blocking up to one million such calls per day now.”

Title: Hackers Build Phishing Pages Using AWS Apps

Date Published: August 18, 2022

Excerpt: “AWS is one of the most popular cloud storage and hosting solutions. From major companies hosting their work on the service, to individuals using it to create and host webpages, it is a force. If you’re using a site on the Internet, there’s a good chance that AWS is involved in some fashion.  One way that folks use AWS is to build and host web pages. The service allows you to host a WordPress site or something fully created with custom code. With a little bit of coding knowledge, you can create a free website that’s hosted on AWS.  Hackers, who know a little about coding, are taking advantage of this by building phishing pages on AWS. Sending a link to this page via email is a way to bypass scanners and get users to hand over credentials.  In this attack brief, researchers at Avanan, a Check Point Company, will discuss how threat actors are creating phishing pages on AWS using the site’s legitimacy to steal credentials.”

Title: Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors

Date Published: August 17, 2022

Excerpt: “Over the last year, Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel. While we believe this actor is focused on intelligence collection, the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years. Mandiant assesses with moderate confidence that UNC3890 conducts espionage and intelligence collection activity to support multiple Iranian interests and operations. Targeting patterns indicate a strong interest in Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare. We observed several limited technical connections to Iran, such as PDB strings and Farsi language artifacts. This campaign has been active since at least late 2020, and is still ongoing as of mid-2022, and though it is regional in nature, targeted entities include global companies.”
