August 22, 2022

Fortify Security Team
Aug 22, 2022

Title: Hackers Target Hotel And Travel Companies With Fake Reservations

Date Published: August 21, 2022

https://www.bleepingcomputer.com/news/security/hackers-target-hotel-and-travel-companies-with-fake-reservations/

Excerpt: “A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space.  The threat actor uses a set of 15 distinct malware families, usually remote access trojans (RATs), to gain access to the target systems, perform surveillance, steal key data, and eventually siphon money from customers.  TA558 has been active since at least 2018, but Proofpoint has recently seen an uptick in its activities, possibly linked to the rebound of tourism after two years of COVID-19 restrictions.”

Title: Hackers Steal Crypto From Bitcoin ATMs By Exploiting Zero-Day Bug

Date Published: August 20, 2022

https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/

Excerpt: “Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers.  When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers.  General Bytes is the manufacturer of Bitcoin ATMs that, depending on the product, allow people to purchase or sell over 40 different cryptocurrencies.”

Title: WordPress Sites Hacked With Fake Cloudflare Ddos Alerts Pushing Malware

Date Published: August 20, 2022

https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/

Excerpt: “WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute malware that installs the NetSupport RAT and the RaccoonStealer password-stealing Trojan.  DDoS (distributed denial of service) protection screens are commonplace on the internet, protecting sites from bots that ping them with bogus requests, aiming to overwhelm them with garbage traffic.  Internet users treat these “welcome screens” as an unavoidable short-term annoyance that keeps their favorite online resources protected from malicious operatives. Unfortunately, this familiarity serves as an excellent opportunity for malware campaigns.”

Title: Russia’s ‘Oculus’ To Use AI To Scan Sites For Banned Information

Date Published: August 20, 2022

https://www.bleepingcomputer.com/news/security/russias-oculus-to-use-ai-to-scan-sites-for-banned-information/

Excerpt: “Russia’s internet watchdog Roskomnadzor is developing a neural network that will use artificial intelligence to scan websites for prohibited information.  Called “Oculus,” the automatic scanner will analyze URLs, images, videos, and chats on websites, forums, social media, and even chat/messenger channels to locate material that should be redacted or taken down.  Examples of information targeted by Oculus include homosexuality “propaganda,” instructions on manufacturing weapons or drugs, and misinformation that discredits official state and army sources.”

Title: Escanor Malware Delivered in Weaponized Microsoft Office Documents

Date Published: August 22, 2022

https://securityaffairs.co/wordpress/134697/malware/escanor-malware-ms-docs.html

Excerpt: “Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.  The tool has been released for sale on January 26th this year initially as a compact HVNC implant allowing to set up a silent remote connection to the victim’s computer, and later transformed into a full-scale commercial RAT with a rich feature-set. Escanor has built a credible reputation in Dark Web, and attracted over 28,000 subscribers on the Telegram channel. In the past, the actor with exactly the same moniker released ‘cracked’ versions of other Dark Web tools, including Venom RAT, 888 RAT and Pandora HVNC which were likely used to enrich further functionality of Escanor.”

Title: Donot Team Cyberespionage Group Updates Its Windows Malware Framework

Date Published: August 22, 2022

https://securityaffairs.co/wordpress/134674/apt/donot-team-improves-jaca-framework.html

Excerpt: “The Donot Team has been active since 2016, it focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries.  In October 2021, a report released by the Amnesty International revealed that the Donot Team group employed Android applications posing as secure chat application and malicious emails in attacks aimed at a prominent Togolese human rights defender. In the past, the Donot Team spyware was found in attacks outside of South Asia. The investigation also discovered links between the spyware and infrastructure used in these attacks, and Innefu Labs, a cybersecurity company based in India.  The attack chain starts with spear phishing emails containing malicious attachments, the next stage malware is loaded once enabled Microsoft Office macros, opening RTF files exploiting Equation Editor vulnerability, and via remote template injection.”

Title: White Hat Hackers Broadcasted Talks And Hacker Movies Through A Decommissioned Satellite

Date Published: August 21, 2022

https://securityaffairs.co/wordpress/134637/hacking/hackers-take-control-decommissioned-satellite.html

Excerpt: “During the latest edition of the DEF CON hacking conference held in Las Vegas, the group of white hat hackers Shadytel demonstrated how to take control of a satellite in geostationary orbit. The group used a satellite called Anik F1R, which was dismissed in 2020.  The group was authorized to perform the hack and the satellite they hacked had been decommissioned, which means that it is going to send to a graveyard orbit. The graveyard, also called a junk orbit, is an orbit that lies away from common operational orbits, some satellites are moved into such orbits at the end of their operational life to avoid colliding with operational spacecraft and satellites.”

Title: Estonia’s Battle Against a Deluge of DDoS Attacks

Date Published: August 22, 2022

https://www.infosecurity-magazine.com/news-features/estonias-battle-against-a-deluge/

Excerpt: “The number and frequency of large-scale distributed denial-of-service (DDoS) attacks against Estonian public authorities and businesses has significantly increased in the month of August, Infosecurity Magazine has learned.  Infosecurity Magazine spoke to Tõnu Tammer, head of the incident response (CERT-EE) department, Estonian Information System Authority (RIA), to discuss the attacks and what the Estonian government is doing in response.  The peak of these attacks, so far, were recorded on August 16 and 17, Tõnu Tammer, head of Incident Response (CERT-EE) department, Estonian Information System Authority (RIA) told Infosecurity.”

Title: Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks

Date Published: August 22, 2022

https://www.infosecurity-magazine.com/news/raven-storm-tool-perform-ddos/

Excerpt: “The threat actor dubbed ‘Mysterious Team’ has used the Raven Storm tool to conduct distributed denial-of-service (DDoS) attacks against multiple targets.  The news comes from CloudSEK, who detailed the new threat in an advisory on Sunday.  “[Our] contextual AI digital risk platform XVigil discovered a post by the Mysterious Team announcing the use of the Raven Storm tool DDoS attacks,” reads the document. “The tool uses multi-threading for sending multiple packets at a single moment of time and getting the target down.”  Additionally, the malware is reportedly capable of server takedown, Wi-Fi attacks and application layer attacks. It also gives attackers the ability to connect to a client via botnets.”

Title: Disk Wiping Malware Knows No Borders

Date Published: August 22, 2022

https://www.helpnetsecurity.com/2022/08/22/ransomware-threat-more-variants/

Excerpt: “Fortinet announced the latest semiannual FortiGuard Labs Global Threat Landscape Report which revealed that ransomware threat continues to adapt with more variants enabled by Ransomware-as-a-Service (RaaS).

Additional highlights of the report:

  • Work-from-anywhere (WFA) endpoints remain targets for cyber adversaries to gain access to corporate networks.
  • Operational technology (OT) and information technology (IT) environments are both attractive targets as cyber adversaries search for opportunities in the growing attack surface and IT/OT convergence.
  • Destructive threat trends continue to evolve, as evidenced by the spread of wiper malware as part of adversary toolkits.
  • Cyber adversaries are embracing more reconnaissance and defense evasion techniques to increase precision and destructive weaponization across the cyber-attack chain.”

Recent Posts

September 16, 2022

Title: Uber hacked, internal systems breached and vulnerability reports stolen Date Published: September 16, 2022 https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ Excerpt: “Uber suffered a...

September 15, 2022

Title: Webworm hackers modify old malware in new attacks to evade attribution Date Published: September 15, 2022 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/ Excerpt: “The Chinese 'Webworm'...

September 14, 2022

Title: Chinese hackers create Linux version of the SideWalk Windows malware Date Published: September 14, 2022 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/ Excerpt: “State-backed Chinese hackers...

September 13, 2022

Title: Cyberspies drop new infostealer malware on govt networks in Asia Date Published: September 13, 2022 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/ Excerpt: “Security researchers have identified...

September 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data Date Published: September 12, 2022 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/ Excerpt: “Cisco has confirmed that the data leaked...

September 9, 2022

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/ Excerpt: “A new version of the...

September 8, 2022

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/ Excerpt: “The North Korean APT group 'Lazarus' (APT38)...