August 25, 2022

Fortify Security Team

Title: More Hackers Adopt Sliver Toolkit as a Cobalt Strike Alternative

Date Published: August 25, 2022

Excerpt: “Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative. However, malicious activity using Sliver can be detected using hunting queries drawn from analyzing the toolkit, how it works, and its components. Over the past years, Cobalt Strike has grown in popularity as an attack tool for various threat actors, including ransomware operations, to drop on compromised networks “beacons” that allow moving laterally to high-value systems.”

Title: PyPI Packages Hijacked after Developers Fall for Phishing Emails

Date Published: August 25, 2022

Excerpt: “A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages ‘exotel’ and ‘spam’ are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. Admins of the PyPI registry confirmed yesterday a phishing email campaign had actively been targeting PyPI maintainers after Django project board member Adam Johnson reported receiving a suspicious email.”

Title: Quantum Ransomware Attack Disrupts Govt Agency in Dominican Republic

Date Published: August 24, 2022

Excerpt: “The Dominican Republic’s Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency. The Instituto Agrario Dominicano (IAD) is part of the Ministry of Agriculture and is responsible for executing Agrarian Reform programs in the country. Local media reports that the ransomware attack occurred on August 18th, which has impacted the agency’s operation.”

Title: GitLab ‘strongly recommends’ Patching Critical RCE Vulnerability

Date Published: August 24, 2022

Excerpt: “GitLab is urging users to install a security update for branches 15.1, 15.2, and 15.3 of its community and enterprise editions to fix a critical vulnerability that could enable an attacker to perform remote command execution via GitHub import. GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers. The vulnerability addressed by this security update is tracked as CVE-2022-2884 and assigned a CVSS v3 criticality score of 9.9. It impacts all versions starting from 11.3.4 and up to 15.1.4, those between 15.2 and 15.2.3, and 15.3.”

Title: Ransomware Dominates the Threat Landscape

Date Published: August 25, 2022

Excerpt: “Acronis researchers have concluded that ransomware continues to be the number one threat to large and medium-sized businesses, including government organizations. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity. To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly one percent of all emails contain malicious links or files, and more than one-quarter (26.5%) of all emails were delivered to the users’ inbox (not blocked by Microsoft 365) and then were removed by Acronis email security.”

Title: Threat Actors are Using the Tox P2P Messenger as C2 Server

Date Published: August 25, 2022

Excerpt: “Tox is a peer-to-peer serverless instant messaging service that uses NaCl for encryption and decryption. Uptycs researchers reported that threat actors have started using the Tox peer-to-peer instant messaging service as a command-and-control server. Tox has been used in the last months by threat actors as a communication channel between ransomware gangs and their victims. The researchers recently discovered an ELF sample that acts as a bot and can run scripts on the victim machine using the Tox protocol. The binary is written in C and has only statically linked the c-toxcore library.”

Title: Ex-Apple Engineer Pleads Guilty to Stealing Apple’s Car Secrets

Date Published: August 23, 2022

Excerpt: “Xiaolang Zhang, a former Apple employee charged by the FBI in 2018 for stealing trade secrets about Apple’s autonomous vehicle project, pleaded guilty in a federal court in San Jose on Monday. Zhang stole the trade secrets while preparing to work for Chinese electric vehicle startup Xiaopeng Motors, also known as XPeng. The FBI arrested Zhang at San Jose airport, California, on 7 July, while he was en route to China. Zhang was hired by Apple in 2015 where he would eventually work on hardware for Apple’s secretive autonomous vehicle project.”

Title: IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals

Date Published: August 24, 2022

Excerpt: “The number of vulnerability disclosures impacting extended internet of things (XIoT) devices increased by 57% in the first half of 2022 compared to the previous six months, according to a new report by Team82, the research team of cyber-physical systems (CPS) security firm Claroty. The research also found that vendor self-disclosures increased by 69%. This would be a first for the industry, which usually relies more for disclosures on independent research teams. According to Team82, the trend indicates that more operational technology (OT), IoT, and internet of medical things (IoMT) vendors are establishing vulnerability disclosure programs and dedicating more resources to them. Additionally, fully or partially remediated firmware vulnerabilities increased by 79% over the same time period, a significant improvement considering the relative challenges in patching firmware versus software vulnerabilities.”

Title: Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

Date Published: August 24, 2022

Excerpt: “On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking “all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability.” It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked. More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company’s system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.”

Title: Lessons from the Holy Ghost Ransomware Attacks

Date Published: August 25, 2022

Excerpt: “Originating in North Korea, the Holy Ghost ransomware operation has preyed primarily on small businesses, but that doesn’t mean larger businesses can ignore it. This is an interesting shift of focus, and highlights a key lesson straight out of the gate: cybersecurity is now no longer just for ‘big’ or ‘important’ businesses. With the pandemic-accelerated shift to online and remote work, staying safe in cyberspace has become a business-critical concern. It’s easy to assume you are too small or too ‘uninteresting’ to cyber criminals and hackers, but in a world that’s ever-increasingly connected, this is no longer a safe stance to assume.”
