August 26, 2022

Fortify Security Team

Title: How ‘Kimsuky’ Hackers Ensure Their Malware Only Reach Valid Targets

Date Published: August 25, 2022

Excerpt: “The North Korean ‘Kimsuky’ threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers.  According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.  The new safeguards implemented by Kimsuky are so effective that Kaspersky reports an inability to acquire the final payloads even after they are successfully connected to the threat actor’s command and control server.”

Title: LastPass Developer Systems Hacked to Steal Source Code

Date Published: August 25, 2022

Excerpt: “Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company’s source code and proprietary technical information.  The disclosure comes after BleepingComputer learned of the breach from insiders last week and reached out to the company on August 21st without receiving a response to our questions.  Sources told BleepingComputer that employees were scrambling to contain the attack after LastPass was breached.”

Title: Microsoft: Russian Malware Hijacks ADFS to Log in as Anyone in Windows

Date Published: August 25, 2022

Excerpt: “Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.  As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia.  Dubbed ‘MagicWeb’, the new malicious tool is an evolution of ‘FoggyWeb’, which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (ADFS) servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control (C2) server.”

Title: How Fast Is The Financial Industry Fixing Its Software Security Flaws?

Date Published: August 26, 2022

Excerpt: “Veracode released data revealing that the financial services industry ranks among the best for overall flaw percentage when compared to other industries, but has one of the lowest fix rates for software security flaws. The sector also falls to the middle of the pack for high-severity flaws, with 18 percent of applications containing a serious vulnerability, suggesting financial firms should prioritize identifying and remediating the flaws that matter most.  The findings were outlined in the company’s annual State of Software Security report v12, which analyzed 20 million scans across half a million applications in the financial, technology, manufacturing, retail, healthcare and government sectors. Across the six industries, the financial sector has the second-lowest proportion of applications containing security flaws, at 73 percent.”

Title: CISA: Action Required Now to Prepare for Quantum Computing Cyber Threats

Date Published: August 26, 2022

Excerpt: “Action must be taken now to help protect networks from cybersecurity threats that will emerge with the advent of powerful quantum computing, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.  While quantum computing could bring benefits to computing and society, it also brings new cybersecurity threats – and the CISA alert warns that critical infrastructure in particular is at risk.  Many forms of digital communications and internet-connected systems rely on data encryption to protect them from cyber attackers. Public key cryptography helps to protect information from being viewed by unauthorized intruders – and it’s extremely difficult to crack using today’s computers.”

Title: Microsoft: Iranian Attackers are Using Log4Shell to Target Organizations in Israel

Date Published: August 26, 2022

Excerpt: “Microsoft has warned that an Iranian state-based threat actor it calls Mercury is using the Log4Shell flaws in applications from IT vendor SysAid against organizations located in Israel.  Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), has assessed with “high confidence” that the campaign is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). US Cyber Command tracks the group as MuddyWater, which it assesses is a “subordinate element” of MOIS.  Targeting SysAid apps is a new approach for Mercury, which in the past has used Log4Shell remote code execution flaws in VMware apps to carry out attacks.”

Title: Block Faces Class Action Suit After 2021 Breach

Date Published: August 26, 2022

Excerpt: “Payments giant Block is being taken to court by former customers who claim its negligence led to an insider stealing their personal information last year.  A December 2021 breach at the firm’s subsidiary Cash App enabled a former employee at the firm to steal the personal information of over eight million customers.  This week, lawyers for two of those victims filed a class action lawsuit in the Northern District of California.  They’re alleging that Block “failed to maintain reasonable and adequate data security measures to safeguard customers’ private information,” which ultimately enabled the unauthorized insider access.”

Title: More Bang for the Buck: Cross-Platform Ransomware Is the Next Problem

Date Published: August 25, 2022

Excerpt: “Two emerging ransomware gangs, known as RedAlert and Monster, have adopted cross-platform capabilities to make attacks easier to execute against multiple operating systems and environments. It’s a shining example of a snowballing trend toward multiplatform ransomware attacks, for which defenders need to gear up.  One of the new threat groups, referred to as RedAlert or N13V, creates executables in a Linux-specific version of C, and also supports VMware’s enterprise-class ESXi hypervisor. The other threat group, Monster, uses an older cross-platform language, Delphi, which makes it easy to tailor the attack for a specific victim’s configuration.  The ability to impact a variety of client operating systems within a single victim’s environment started gaining steam in 2021, according to an advisory from Kaspersky published on Thursday. The Conti group, for example, allows affiliates to access a Linux variant of its ransomware, which also allows targeting of systems running VMware’s ESXi hypervisor.”

Title: Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

Date Published: August 25, 2022

Excerpt: “Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.  The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don’t have, according to the researcher that discovered the flaw.  The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions.”

Title: What is Doxing and How to Protect Yourself

Date Published: August 25, 2022

Excerpt: “A UK study published in June 2022 revealed that 19% of respondents were victims of doxing (also spelled doxxing), a practice where people with bad intentions publish, usually online, the personal information of their victims with the intention of embarrassing or intimidating them.  The term comes from the abbreviation “docs” for “documents”, referring to the files leaked online containing the victim’s personal information. Ultimately, the abusers seek to frighten, shame, and create enormous distress, sometimes demanding money from their victims, other times for pure revenge or a personal sense of justice.  While doxing might be perpetrated by strangers – both individuals and groups – it can also be carried out by acquaintances or even by people in their own household. Doxing is especially dangerous because its consequences can span from cyberbullying to real-world stalking and harassment, and even assaults and murder.”
