August 9, 2022

Fortify Security Team
Aug 9, 2022

Title: Orchard Botnet Uses Bitcoin Transaction Info to Generate Dga Domains
Date Published: August 8, 2022

Excerpt: “Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company providing managed threat detection and response for Fortune 500’s, identified threat actors leveraging Open Redirect Vulnerabilities popular in online services and apps to bypass spam filters to ultimately deliver phishing content. Using highly trusted service domains like Snapchat and other online-services, they create special URLs which lead to malicious resources with phishing kits. The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other major financial institutions and online-services internationally. The spike of LogoKit was been identified around the beginning of August, when multiple new domain names impersonating popular services had been registered and leveraged together with Open Redirects. While LogoKit is known for a while in the underground, at least since 2015, the cybercrime group behind it is constantly leveraging new tactics.”

Title: Logokit Update – The Phishing Kit Leveraging Open Redirect Vulnerabilities
Date Published: August 8, 2022

Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers. This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction. In short, a hacker can perform Memcache poisoning via CRLF injection and trick the software into forwarding all IMAP traffic to the attacker when legitimate users attempt to log in.”

Title: Microsoft Is Blocking Tutanota Email Addresses From Registering a MS Teams Account
Date Published: August 8, 2022

Excerpt: “Tutanota is an end-to-end encrypted email app and a freemium secure email service, as of March 2017, Tutanota’s owners claimed to have over 2 million users. The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. Microsoft doesn’t recognize the company as an email service but as a corporate address. The first time that a Tutanota user registered a Teams account, its domain was recognized as a corporation, for this reason, any other users of the popular email service were not able to register its account and were requested to contact their admin.”

Title: Three Ransomware Gangs Consecutively Attacked the Same Network
Date Published: August 9, 2022

Excerpt: “Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.”

Title: Debridge Finance Crypto Platform Targeted by Lazarus Hackers
Date Published: August 8, 2022

Excerpt: “Hackers suspected to be from the North Korean Lazarus group tried their luck at stealing cryptocurrency from deBridge Finance, a cross-chain protocol that enables the decentralized transfer of assets between various blockchains. The threat actor used a phishing email to trick company employees into launching malware that collected various information from Windows systems and allowed the delivery of additional malicious code for subsequent stages of the attack.”

Title: Email Marketing Firm Hacked to Steal Crypto-Focused Mailing Lists
Date Published: August 8, 2022

Excerpt: “Email marketing firm Klaviyo disclosed a data breach after threat actors gained access to internal systems and downloaded marketing lists for cryptocurrency-related customers. Klaviyo says the breach occurred on August 3rd after hackers stole an employee’s login credentials in a phishing attack. These login credentials were then used to access the employee’s account and internal Klaviyo support tools. Using the internal tools, the threat actors downloaded marketing lists for thirty-eight customers who are in the cryptocurrency industry. The hackers also downloaded two internal lists used by Klaviyo for product and marketing updates that contain names, addresses, email addresses, and phone numbers. Klaviyo says they have notified law enforcement and engaged with a third-party cybersecurity firm to investigate a breach of their network.”

Title: US Sanctions Crypto Mixer Tornado Cash Used by North Korean Hackers
Date Published: August 8, 2022

Excerpt: “The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash today, a decentralized cryptocurrency mixer service used to launder more than $7 billion since its creation in 2019. The North Korean-backed APT Lazarus Group also used the crypto mixer to launder approximately $455 million stolen in the largest known cryptocurrency heist ever. This was part of the total bounty collected following that attack since Lazarus stole $620 million worth of Ethereum after hacking Axie Infinity’s Ronin network bridge in April. Tornado Cash was also used to launder over $96 million after the June Harmony Bridge hack (out of $100 million stolen) and at least $7.8 million from the August Nomad Heist (out of $150 million stolen). This crypto mixer was also used to make it harder to trace stolen funds after hacking blockchain music platform Audius, the Beanstalk DeFi platform, and the decentralized cryptocurrency exchange Uniswap, as well as in the Arbix Finance exit scam.”

Title: Twilio Discloses Data Breach After SMS Phishing Attack on Employees
Date Published: August 8, 2022

Excerpt: “Cloud communications company Twilio says some of its customers’ data was accessed by attackers who breached internal systems after stealing employee credentials in an SMS phishing attack. “On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials,” Twilio said over the weekend. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.” The company also revealed the attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident. To do that, they impersonated Twilio’s IT department, asking them to click URLs containing “Twilio,” “Okta,” and “SSO” keywords that would redirect them to a Twilio sign-in page clone. The SMS phishing messages baited Twilio’s employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.”

Title: 7-Eleven Stores in Denmark Closed Due to a Cyberattack
Date Published: August 8, 2022

Excerpt: “7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores’ payment and checkout systems throughout the country. The attack occurred early this morning, August 8th, with the company posting on Facebook that they were likely “exposed to a hacker attack” The translated statement says that the company has closed all the stores in the country while investigating the security incident.”

Title: Chinese Hackers Use New Windows Malware to Backdoor Govt, Defense Orgs
Date Published: August 8, 2022

Excerpt: “An extensive series of attacks detected in January used new Windows malware to backdoor government entities and organizations in the defense industry from several countries in Eastern Europe. Kaspersky linked the campaign with a Chinese APT group tracked as TA428, known for its information theft and espionage focus and attacking organizations in Asia and Eastern Europe [1, 2, 3, 4]. The threat actors successfully compromised the networks of dozens of targets, sometimes even taking control of their entire IT infrastructure by hijacking systems used to manage security solutions.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 Excerpt: “The Keralty multinational healthcare...