August 26, 2022

Fortify Security Team

Title: How ‘Kimsuky’ Hackers Ensure Their Malware Only Reach Valid Targets

Date Published: August 25, 2022

https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/

Excerpt: “The North Korean ‘Kimsuky’ threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers.  According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.  The new safeguards implemented by Kimsuky are so effective that Kaspersky reports an inability to acquire the final payloads even after they are successfully connected to the threat actor’s command and control server.”

Title: LastPass Developer Systems Hacked to Steal Source Code

Date Published: August 25, 2022

https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/

Excerpt: “Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company’s source code and proprietary technical information.  The disclosure comes after BleepingComputer learned of the breach from insiders last week and reached out to the company on August 21st without receiving a response to our questions.  Sources told BleepingComputer that employees were scrambling to contain the attack after LastPass was breached.”

Title: Microsoft: Russian Malware Hijacks ADFS to Log in as Anyone in Windows

Date Published: August 25, 2022

https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/

Excerpt: “Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network.  As a state-sponsored cyberespionage actor, APT29 employs the new capability to hide their presence on the networks of their targets, typically government and critical organizations across Europe, the U.S., and Asia.  Dubbed ‘MagicWeb’, the new malicious tool is an evolution of ‘FoggyWeb’, which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (ADFS) servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control (C2) server.”

Title: How Fast Is The Financial Industry Fixing Its Software Security Flaws?

Date Published: August 26, 2022

https://www.helpnetsecurity.com/2022/08/26/financial-software-security-flaws/

Excerpt: “Veracode released data revealing that the financial services industry ranks among the best for overall flaw percentage when compared to other industries, but has one of the lowest fix rates for software security flaws. The sector also falls to the middle of the pack for high-severity flaws, with 18 percent of applications containing a serious vulnerability, suggesting financial firms should prioritize identifying and remediating the flaws that matter most.  The findings were outlined in the company’s annual State of Software Security report v12, which analyzed 20 million scans across half a million applications in the financial, technology, manufacturing, retail, healthcare and government sectors. Across the six industries, the financial sector has the second-lowest proportion of applications containing security flaws, at 73 percent.”

Title: CISA: Action Required Now to Prepare for Quantum Computing Cyber Threats

Date Published: August 26, 2022

https://www.zdnet.com/article/quantum-computing-poses-cyber-threats-to-critical-infrastructure-action-to-secure-it-is-needed-now-warns-cisa/

Excerpt: “Action must be taken now to help protect networks from cybersecurity threats that will emerge in the advent of power of quantum computing, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.  While quantum computing could bring benefits to computing and society, it also brings new cybersecurity threats – and the CISA alert warns that critical infrastructure in particular is at risk.  Many forms of digital communications and internet-connected systems rely on data encryption to protect them from cyber attackers. Public key cryptography helps to protect information from being viewed by unauthorized intruders – and it’s extremely difficult to crack using today’s computers.”

Title: Microsoft: Iranian Attackers are Using Log4Shell to Target Organizations in Israel

Date Published: August 26, 2022

https://www.zdnet.com/article/microsoft-iranian-attackers-using-log4shell-to-attack-organizations-in-israel/

Excerpt: “Microsoft has warned that an Iranian state-based threat actor it calls Mercury is using the Log4Shell flaws in applications from IT vendor SysAid against organizations located in Israel.  Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), has assessed with “high confidence” that the campaign is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). US Cyber Command tracks the group as MuddyWater, which it assesses is a “subordinate element” of MOIS.  Targeting SysAid apps is a new approach for Mercury, which in the past has used Log4Shell remote code execution flaws in VMware apps to carry out attacks.”

Title: Block Faces Class Action Suit After 2021 Breach

Date Published: August 26, 2022

https://www.infosecurity-magazine.com/news/block-faces-class-action-suit/

Excerpt: “Payments giant Block is being taken to court by former customers who claim its negligence led to an insider stealing their personal information last year.  A December 2021 breach at the firm’s subsidiary Cash App enabled a former employee at the firm to steal the personal information of over eight million customers.  This week, lawyers for two of those victims filed a class action lawsuit in the Northern District of California.  They’re alleging that Block “failed to maintain reasonable and adequate data security measures to safeguard customers’ private information,” which ultimately enabled the unauthorized insider access.”

Title: More Bang for the Buck: Cross-Platform Ransomware Is the Next Problem

Date Published: August 25, 2022

https://www.darkreading.com/threat-intelligence/cross-platform-ransomware-spikes-problem

Excerpt: “Two emerging ransomware gangs, known as RedAlert and Monster, have adopted cross-platform capabilities to make attacks easier to execute against multiple operating systems and environments. It’s a shining example of a snowballing trend toward multiplatform ransomware attacks, for which defenders need to gear up.  One of the new threat groups, referred to as RedAlert or N13V, creates executables in a Linux-specific version of C, and also supports VMware’s enterprise-class ESXi hypervisor. The other threat group, Monster, uses an older cross-platform language, Delphi, which makes it easy to tailor the attack for a specific victim’s configuration.  The ability to impact a variety of client operating systems within a single victim’s environment started gaining steam in 2021, according to an advisory from Kaspersky published on Thursday. The Conti group, for example, allows affiliates to access a Linux variant of its ransomware, which also allows targeting of systems running VMware’s ESXi hypervisor.”

Title: Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

Date Published: August 25, 2022

https://www.darkreading.com/vulnerability-management/thousands-organizations-risk-critical-ip-camera-bug

Excerpt: “Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.  The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don’t have, according to the researcher that discovered the flaw.  The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions.”

Title: What is Doxing and How to Protect Yourself

Date Published: August 25, 2022

https://www.welivesecurity.com/2022/08/25/what-is-doxing-how-protect-yourself/

Excerpt: “A UK study published in June 2022 revealed that 19% of respondents were victims of doxing (also spelled doxxing), a practice where people with bad intentions publish, usually online, the personal information of their victims with the intention of embarrassing or intimidating them.  The term comes from the abbreviation “docs” for “documents”, referring to the files leaked online containing the victim’s personal information. Ultimately, the abusers seek to frighten, shame, and create enormous distress, sometimes demanding money from their victims, other times for pure revenge or a personal sense of justice.  While doxing might be perpetrated by strangers – both individuals and groups – it can also be carried out by acquaintances or even by people in their own household. Doxing is especially dangerous because its consequences can span from cyberbullying to real-world stalking and harassment, and even assaults and murder.”
