August 25, 2022

Fortify Security Team
Aug 25, 2022

Title: More Hackers Adopt Sliver Toolkit as a Cobalt Strike Alternative

Date Published: August 25, 2022

https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-toolkit-as-a-cobalt-strike-alternative/

Excerpt: “Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative. However, malicious activity using Sliver can be detected using hunting queries drawn from analyzing the toolkit, how it works, and its components. Over the past years, Cobalt Strike has grown in popularity as an attack tool for various threat actors, including ransomware operations, to drop on compromised networks “beacons” that allow moving laterally to high-value systems.”

Title: PyPI Packages Hijacked after Developers Fall for Phishing Emails

Date Published: August 25, 2022

https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/

Excerpt: “A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages ‘exotel’ and ‘spam’ are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. Admins of the PyPI registry confirmed yesterday a phishing email campaign had actively been targeting PyPI maintainers after Django project board member Adam Johnson reported receiving a suspicious email.”

Title: Quantum Ransomware Attack Disrupts Govt Agency in Dominican Republic

Date Published: August 24, 2022

https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/

Excerpt: “The Dominican Republic’s Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency. The Instituto Agrario Dominicano (IAD) is part of the Ministry of Agriculture and is responsible for executing Agrarian Reform programs in the country. Local media reports that the ransomware attack occurred on August 18th, which has impacted the agency’s operation.”

Title: GitLab ‘Strongly Recommends’ Patching Critical RCE Vulnerability

Date Published: August 24, 2022

https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-critical-rce-vulnerability/

Excerpt: “GitLab is urging users to install a security update for branches 15.1, 15.2, and 15.3 of its community and enterprise editions to fix a critical vulnerability that could enable an attacker to perform remote command execution via GitHub import. GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers. The vulnerability addressed by this security update is tracked as CVE-2022-2884 and assigned a CVSS v3 criticality score of 9.9. It impacts all versions starting from 11.3.4 and up to 15.1.4, those between 15.2 and 15.2.3, and 15.3.”
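The affected ranges quoted above are easy to misread when checking an inventory by hand, because three separate branches are involved and the boundaries are inclusive. The script below is an added example, not GitLab's own tooling: it parses version strings in the form GitLab's /api/v4/version endpoint returns (for example 15.2.3-ee) and reports whether each one falls inside a range the article lists. The ranges are transcribed from the excerpt; "15.3" is treated as the single release 15.3.0 because the article names no 15.3.x patch level, and the fixed releases are not named in the excerpt, so anything outside the three ranges is reported only as "not in the listed ranges", not as patched.

```python
"""Check GitLab version strings against the CVE-2022-2884 ranges quoted in
the article.  Added example; the ranges are copied from the excerpt and
'15.3' is read as 15.3.0 only (assumption: the article gives no patch level)."""

from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges as stated in the excerpt:
#   11.3.4 .. 15.1.4, 15.2 .. 15.2.3 (15.2 = 15.2.0), and 15.3 (= 15.3.0).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((11, 3, 4), (15, 1, 4)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 0)),
]


def parse_version(text: str) -> Version:
    """Turn '15.2.3', '15.2.3-ee' or '15.2' into a (major, minor, patch) tuple.

    GitLab's /api/v4/version reports strings such as '15.2.3-ee'; the '-ee' /
    '-ce' suffix is an edition tag and is dropped before comparing.  A missing
    component is treated as 0, so '15.2' becomes (15, 2, 0).
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version_text: str) -> bool:
    """True if the version lies inside any listed range.  Tuple comparison is
    lexicographic, so (15, 1, 5) is above (15, 1, 4) and below (15, 2, 0)."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions: List[str]) -> Tuple[List[str], List[str]]:
    """Split observed versions (e.g. an inventory export) into
    (affected, not_in_listed_ranges), preserving input order."""
    affected: List[str] = []
    clear: List[str] = []
    for text in versions:
        (affected if is_affected(text) else clear).append(text)
    return affected, clear


if __name__ == "__main__":
    # Constructed sample inventory for the demonstration, not real hosts.
    sample = ["11.3.3", "11.3.4", "14.10.5-ee", "15.1.4", "15.1.5",
              "15.2.3-ce", "15.2.4", "15.3", "15.3.1"]
    hit, ok = triage(sample)
    print("affected by the listed ranges:", hit)
    print("not in the listed ranges:     ", ok)
```

Run it against the version strings pulled from each instance's /api/v4/version; a version that parses but is outside the three ranges (such as a later 15.3.x build) is reported as not listed, and the decision on whether it carries the fix should come from GitLab's own advisory rather than from this script.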

Title: Ransomware Dominates the Threat Landscape

Date Published: August 25, 2022

https://www.helpnetsecurity.com/2022/08/25/ransomware-dominates-threat-landscape/

Excerpt: “Acronis researchers have concluded that ransomware continues to be the number one threat to large and medium-sized businesses, including government organizations. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity. To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly one percent of all emails contain malicious links or files, and more than one-quarter (26.5%) of all emails were delivered to the users’ inboxes (not blocked by Microsoft 365) and then were removed by Acronis email security.”

Title: Threat Actors are Using the Tox P2P Messenger as C2 Server

Date Published: August 25, 2022

https://securityaffairs.co/wordpress/134806/malware/tox-p2p-c2-server.html

Excerpt: “Tox is a peer-to-peer serverless instant messaging service that uses NaCl for encryption and decryption. Uptycs researchers reported that threat actors have started using the Tox peer-to-peer instant messaging service as a command-and-control server. Tox has been used in recent months by threat actors as a communication channel between ransomware gangs and their victims. The researchers recently discovered an ELF sample that acts as a bot and can run scripts on the victim machine using the Tox protocol. The binary is written in C and has only statically linked the c-toxcore library.”

Title: Ex-Apple Engineer Pleads Guilty to Stealing Apple’s Car Secrets

Date Published: August 23, 2022

https://www.zdnet.com/article/ex-apple-engineers-pleads-guilty-to-stealing-apples-car-secrets/

Excerpt: “Xiaolang Zhang, a former Apple employee charged by the FBI in 2018 for stealing trade secrets about Apple’s autonomous vehicle project, pleaded guilty in a federal court in San Jose on Monday. Zhang stole the trade secrets while preparing to work for Chinese electric vehicle startup Xiaopeng Motors, also known as XPeng. The FBI arrested Zhang at San Jose airport, California, on 7 July, while he was en route to China. Zhang was hired by Apple in 2015 where he would eventually work on hardware for Apple’s secretive autonomous vehicle project.”

Title: IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals

Date Published: August 24, 2022

https://www.infosecurity-magazine.com/news/iot-vulnerability-disclosures-up-57/

Excerpt: “The number of vulnerability disclosures impacting extended internet of things (XIoT) devices increased by 57% in the first half of 2022 compared to the previous six months, according to a new report by Team82, the research team of cyber-physical systems (CPS) security firm Claroty. The research also found that vendor self-disclosures increased by 69%. This would be a first for the industry, which usually relies more for disclosures on independent research teams. According to Team82, the trend indicates that more operational technology (OT), IoT, and internet of medical things (IoMT) vendors are establishing vulnerability disclosure programs and dedicating more resources to them. Additionally, fully or partially remediated firmware vulnerabilities increased by 79% over the same time period, a significant improvement considering the relative challenges in patching firmware versus software vulnerabilities.”

Title: Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

Date Published: August 24, 2022

https://www.darkreading.com/edge-articles/3-years-later-solarwinds-ciso-shares-3-lessons-from-the-infamous-attack

Excerpt: “On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking “all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability.” It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked. More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company’s system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.”

Title: Lessons from the Holy Ghost Ransomware Attacks

Date Published: August 25, 2022

https://www.hackread.com/lessons-from-holy-ghost-ransomware-attacks/

Excerpt: “Originating in North Korea, the Holy Ghost ransomware operation has preyed primarily on small businesses, but that doesn’t mean larger businesses can ignore it. This is an interesting shift of focus, and highlights a key lesson straight out of the gate: cybersecurity is now no longer just for ‘big’ or ‘important’ businesses. With the pandemic-accelerated shift to online and remote work, staying safe in cyberspace has become a business-critical concern. It’s easy to assume you are too small or too ‘uninteresting’ to cyber criminals and hackers, but in a world that’s ever-increasingly connected, this is no longer a safe stance to assume.”
