August 23, 2022

Fortify Security Team

Title: ETHERLED: Air-gapped Systems Leak Data via Network Card LEDs
Date Published: August 23, 2022

https://www.bleepingcomputer.com/news/security/etherled-air-gapped-systems-leak-data-via-network-card-leds/

Excerpt: “Israeli researcher Mordechai Guri has discovered a new method to exfiltrate data from air-gapped systems using the LED indicators on network cards. Dubbed ‘ETHERLED’, the method turns the blinking lights into Morse code signals that can be decoded by an attacker. Capturing the signals requires a camera with a direct line of sight to LED lights on the air-gapped computer’s card. These can be translated into binary data to steal information. Air-gapped systems are computers typically found in highly-sensitive environments (e.g. critical infrastructure, weapon control units) that are isolated from the public internet for security reasons.”

Title: Google: Iranian Hackers Use New Tool To Steal Email From Victims
Date Published: August 23, 2022

https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/

Excerpt: “In December 2021, TAG discovered a novel Charming Kitten tool, named HYPERSCRAPE, used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts. The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings.”

Title: Over 80,000 Exploitable Hikvision Cameras Exposed Online
Date Published: August 22, 2022

https://www.bleepingcomputer.com/news/security/over-80-000-exploitable-hikvision-cameras-exposed-online/

Excerpt: “Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that’s easily exploitable via specially crafted messages sent to the vulnerable web server. The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.”

Title: CISA is Warning of High-severity PAN-OS DDoS Flaw Used in Attacks
Date Published: August 22, 2022

https://www.bleepingcomputer.com/news/security/cisa-is-warning-of-high-severity-pan-os-ddos-flaw-used-in-attacks/

Excerpt: “A recent vulnerability found in Palo Alto Networks’ PAN-OS has been added to the catalog of Known Exploitable Vulnerabilities from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The security issue is a high-severity risk identified as CVE-2022-0028 that allows a remote threat actor to deploy reflected and amplified denial-of-service (DoS) attacks without having to authenticate.”

Title: FBI Warns of Residential Proxies Used in Credential Stuffing Attacks
Date Published: August 22, 2022

https://www.bleepingcomputer.com/news/security/fbi-warns-of-residential-proxies-used-in-credential-stuffing-attacks/

Excerpt: “The Federal Bureau of Investigation (FBI) warns of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks without being tracked, flagged, or blocked. The warning was issued as a Private Industry Notification on the Bureau’s Internet Crime Complaint Center (IC3) late last week to raise awareness among internet platform admins who need to implement defenses against credential stuffing attacks. Credential stuffing is a type of attack where threat actors use large collections of username/password combinations exposed in previous data breaches to try and gain access to other online platforms.”

Title: Fake DDoS Protection Pages Are Delivering Malware!
Date Published: August 22, 2022

https://www.helpnetsecurity.com/2022/08/22/fake-ddos-protection-malware/

Excerpt: “Malware peddlers are exploiting users’ familiarity with and inherent trust in DDoS protection pages to make them download and run malware on their computer, Sucuri researchers have warned. DDoS protection pages have become so common that users rarely think twice about doing what those pages tell them to do to get website access. This state of affairs is being exploited by clever malware peddlers. Visitors to WordPress sites that have been hacked and injected with specially crafted JavaScript are faced with the fake “Cloudflare DDoS protection” page, which tells them to download the security_install[.]iso – ostensibly a security application.”

Title: DDoS Attacks Jump 203%, Patriotic Hacktivism Surges
Date Published: August 23, 2022

https://www.helpnetsecurity.com/2022/08/23/malicious-ddos-attacks-climbed/

Excerpt: “Radware released a report revealing that the number of malicious DDoS attacks climbed by 203% compared to the first six months of 2021. The report also underscores how Russia’s invasion of Ukraine has altered the focus of the threat landscape — shifting it from the consequences of the pandemic to a ground swell of DDoS activity launched by patriotic hacktivists. “The threat landscape saw a marked shift in the first half of 2022,” said Pascal Geenens, director of threat intelligence for Radware. “As Russia invaded Ukraine, the cyber focus changed. It shifted from the consequences of the pandemic, including an increase in attack surfaces driven by work from home and the rise of underground crime syndicates, to a ground swell of DDoS activity launched by patriotic hacktivists and new legions of threat actors.”

Title: Counterfeit Versions of Popular Mobile Devices Target WhatsApp and WhatsApp Business
Date Published: August 23, 2022

https://securityaffairs.co/wordpress/134735/malware/counterfeit-versions-mobile-devices-target-whatsapp.html

Excerpt: “Researchers from Doctor Web discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. The malware targets WhatsApp and WhatsApp Business messaging apps and can allow attackers to conduct multiple malicious activities. “Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web. “The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.”

Title: Configuration Errors to Blame for 80% of Ransomware
Date Published: August 23, 2022

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

Excerpt: “The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft. The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratized the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books, Microsoft claimed. For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added. “Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued.”

Title: Keeping up with the Attackers: Educating Staff on New Monkeypox Themed Phishing Campaigns
Date Published: August 23, 2022

https://www.infosecurity-magazine.com/blogs/educating-staff-on-monkeypox/

Excerpt: “As the world recovers and learns to live with COVID-19, the use of the pandemic as a phishing theme has started to wane. However, public wariness and anxiety surrounding an emerging medical concern will remain exploitable. Enter the current Monkeypox outbreak. Over the past month, the Cofense Phishing Defence Center (PDC) has seen a series of Monkeypox themed phishing emails emerge as the outbreak has built momentum. Capitalizing on the growing concern and media attention, the emails have attempted to deceive enterprise staff, and attackers look likely to continue tweaking their tactics as the infection spreads around the globe. In the past month, at least two PDC customers in the US have reported emails, such as the one displayed in Figure 1, in their Microsoft and Trend Micro environments. The emails use both the employee’s and company’s real names in the subject line and email body which changes depending on who is targeted. As a result, this creates an element of trust and personalization with the receiver, making the email look legitimate.”
