August 8, 2022

Fortify Security Team

Title: Microsoft Is Blocking Tutanota Email Addresses From Registering a MS Teams Account
Date Published: August 8, 2022

Excerpt: “Tutanota is an end-to-end encrypted email app and a freemium secure email service; as of March 2017, Tutanota’s owners claimed to have over 2 million users. The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. Microsoft doesn’t recognize the company as an email service but as a corporate address. The first time that a Tutanota user registered a Teams account, its domain was recognized as a corporation; for this reason, any other users of the popular email service were not able to register their accounts and were requested to contact their admin.”

Title: Hackers Are Actively Exploiting Password-Stealing Flaw in Zimbra
Date Published: August 5, 2022

Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers. This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction. In short, a hacker can perform Memcache poisoning via CRLF injection and trick the software into forwarding all IMAP traffic to the attacker when legitimate users attempt to log in.”
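The Zimbra item above turns on CRLF injection against a line-oriented backend: memcached’s text protocol treats CR/LF as a command delimiter, so a value that reaches it unchecked can be read as more than one command. The following is an added example, not Zimbra’s code, showing the weak construction beside the input check that removes the problem; the command format is memcached’s public text protocol and the sample keys are constructed.

```python
"""
CRLF in untrusted input against a line-oriented backend (memcached text
protocol), and the input check that stops it.  Added example; inputs are
constructed and the hypothetical `build_get*` helpers are not Zimbra's code.
"""

CRLF = "\r\n"
# memcached keys must not contain control characters or whitespace and are
# limited to 250 bytes; the protocol uses space and CRLF as delimiters.
FORBIDDEN = set("\r\n\0 \t")
MAX_KEY_LEN = 250


class UnsafeInput(ValueError):
    """Raised when a value would be interpreted as protocol framing."""


def is_safe_key(key: str) -> bool:
    """True when `key` cannot alter how the backend frames the command."""
    return 0 < len(key) <= MAX_KEY_LEN and not any(c in FORBIDDEN for c in key)


def build_get(key: str) -> str:
    """Weak form: interpolates the key with no validation at all."""
    return f"get {key}{CRLF}"


def build_get_checked(key: str) -> str:
    """Hardened form: refuse delimiters instead of trying to escape them."""
    if not is_safe_key(key):
        raise UnsafeInput("key contains a protocol delimiter or is too long")
    return f"get {key}{CRLF}"


def count_commands(payload: str) -> int:
    """Number of protocol lines a backend would parse from `payload`."""
    return len([line for line in payload.split(CRLF) if line])


if __name__ == "__main__":
    # A constructed key carrying an embedded line break: the weak builder
    # yields two commands where the caller intended one.
    tainted = "session:alice" + CRLF + "stats"
    print(count_commands(build_get(tainted)))          # 2
    print(is_safe_key(tainted))                        # False
    print(repr(build_get_checked("session:alice")))    # 'get session:alice\r\n'
```

Rejecting rather than escaping is deliberate: the memcached text protocol has no escape sequence for CR/LF inside a key, so stripping or encoding would silently change which key is addressed. The same rule applies to any value that is written into a line-based protocol (SMTP, HTTP headers, Redis’s inline commands).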

Title: North Korean Hackers Target Crypto Experts With Fake Coinbase Job Offers
Date Published: August 7, 2022

Excerpt: “A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry. A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack. According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.” Coinbase is one of the world’s largest cryptocurrency exchange platforms, allowing Lazarus to lay the ground for a lucrative and enticing job offer at a prestigious organization.”

Title: Snapchat, Amex Sites Abused in Microsoft 365 Phishing Attacks
Date Published: August 7, 2022

Excerpt: “Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365 credentials. Open redirects are web app weaknesses that allow threat actors to use the domains of trusted organizations and websites as temporary landing pages to simplify phishing attacks. They’re used in attacks to redirect targets to malicious sites that will either infect them with malware or trick them into handing over sensitive information (e.g., credentials, financial info, personal info).”
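The weakness the excerpt describes is a `next`/`redirect` parameter that accepts any destination. The usual fix is to validate the target against an allowlist of hosts and fall back to a fixed page otherwise. Below is an added example of such a check, not code from Snapchat, American Express or Microsoft; the allowed host names, the default target and the sample inputs are constructed.

```python
"""
Allowlist-based validation of a redirect parameter.

Added example; `ALLOWED_HOSTS`, `DEFAULT_TARGET` and the hypothetical
`safe_redirect_target` helper are constructed for illustration.
"""
from urllib.parse import urljoin, urlparse

# Hosts this application is willing to send a browser to (constructed).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "https://app.example.com/"


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET) -> str:
    """Return a redirect target on an allowed host, or `default`.

    Handles the forms an open-redirect abuse relies on: absolute URLs to
    foreign hosts, protocol-relative URLs (//host/...), non-http schemes
    such as javascript: or data:, backslash variants that browsers treat
    as slashes, and userinfo spoofing (https://trusted@other.example/).
    """
    if not raw:
        return default

    # Browsers accept '\' where the URL grammar says '/', so normalise
    # before parsing; otherwise '/\host' would look like a relative path.
    candidate = raw.replace("\\", "/")
    parsed = urlparse(candidate)

    if parsed.scheme == "" and parsed.netloc == "":
        # A site-relative path is fine, but only when rooted at a single
        # '/'; '//host/path' is protocol-relative and parses with a netloc.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urljoin(default, candidate)
        return default

    if parsed.scheme not in ("http", "https"):
        return default
    if parsed.username or parsed.password:
        # Anything before '@' is credentials, not the host; reject outright.
        return default
    # `hostname` is already lower-cased and stripped of port and userinfo.
    if parsed.hostname in allowed_hosts:
        return candidate
    return default


if __name__ == "__main__":
    # Constructed inputs: the first two are accepted, the rest fall back.
    for value in ("/dashboard",
                  "https://app.example.com/settings",
                  "https://other.example/login",
                  "//other.example/",
                  "javascript:alert(1)",
                  "https://app.example.com@other.example/",
                  "/\\other.example"):
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

Two design points are worth keeping: the check compares `parsed.hostname` (normalised) rather than doing a string prefix match, which is what lets `trusted.com.attacker-controlled` or userinfo tricks slip past, and the failure mode is a silent fallback to a known page rather than an error, so the parameter cannot be used as an oracle for probing the allowlist.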

Title: Microsoft Edge Gets Better Security Defaults on Less Popular Sites
Date Published: August 6, 2022

Excerpt: “Microsoft is rolling out a new update to the Microsoft Edge Stable Channel over the coming days to improve the web browser’s security defaults when visiting less popular websites. Starting with version 104.0.1293.47, Edge will toggle on the “Basic” level of security when the “Enhance your security on the web” optional browsing mode is enabled in settings. When this mode is toggled on, it provides an additional layer of protection against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling extra OS protections when browsing the web and unfamiliar sites.”

Title: New GwisinLocker Ransomware Encrypts Windows and Linux ESXi Servers
Date Published: August 6, 2022

Excerpt: “A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language. Also, the attacks coincided with Korean public holidays and occurred during early morning hours, so Gwisin has a good grasp of the country’s culture and business routines. Reports about Gwisin and its activities first appeared on South Korean media outlets late last month, when the threat actor compromised large pharmaceutical firms in the country. On Wednesday, Korean cybersecurity experts at AhnLab published a report on the Windows encryptor, and yesterday, security researchers at ReversingLabs published their technical analysis of the Linux version.”

Title: UK NHS Suffers Outage After Cyberattack on Managed Service Provider
Date Published: August 5, 2022

Excerpt: “The United Kingdom’s National Health Service (NHS) 111 emergency services are affected by a significant and ongoing outage triggered by a cyberattack that hit the systems of British managed service provider (MSP) Advanced. Advanced’s Adastra client patient management solution, which is used by 85% of NHS 111 services, has been hit by a major outage together with several other services provided by the MSP, according to a status page. “There is a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers,” the Welsh Ambulance Services said today. The UK public is advised to access the NHS 111 emergency services using the online platform until the incident is resolved.”

Title: Slack Resets Passwords After Exposing Hashes in Invitation Links
Date Published: August 5, 2022

Excerpt: “Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug exposing salted password hashes when creating or revoking shared invitation links for workspaces. “When a user performed either of these actions, Slack transmitted a hashed version of their password (not plaintext) to other workspace members,” Slack told BleepingComputer. “Although this data was shared via the new or deactivated invitation link, the Slack client did not store or display this data to members of that workspace.” The bug was discovered by an independent security researcher who disclosed it to Slack on July 17. The issue affected all users who created or revoked shared invitation links between April 17, 2017, and July 17, 2022. Luckily, the hashed passwords were not visible to Slack clients, with active monitoring of encrypted network traffic from Slack’s servers required to access this exposed information, according to Slack.”

Title: Twitter Confirms Zero-Day Used to Expose Data of 5.4 Million Accounts
Date Published: August 5, 2022

Excerpt: “Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles. Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site. This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.”

Title: Facebook Finds New Android Malware Used by APT Hackers
Date Published: August 5, 2022

Excerpt: “Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as ‘Bitter APT’ and APT36 (aka ‘Transparent Tribe’) using new Android malware. These cyberspying operatives use social media platforms like Facebook to collect intelligence (OSINT) or to befriend victims using fake personas and then drag them to external platforms to download malware. Both APT36 and Bitter APT were observed orchestrating cyber-espionage campaigns earlier this year, so Facebook’s report gives a new dimension to their recent activities. The Pakistan-aligned state-sponsored actor APT36 was recently exposed in a campaign targeting the Indian government using MFA-bypassing tools. The Bitter APT was also observed in May 2022, targeting the government of Bangladesh with a new malware that featured remote file execution capabilities.”
