September 12, 2022

Fortify Security Team
Sep 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data
Date Published: September 12, 2022

https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/

Excerpt: “Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May. However, the company says in an update that the leak does not change the initial assessment that the incident has no impact on the business: On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed. Our previous analysis of this incident remains unchanged; we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Title: Firmware bugs in many HP computer models left unfixed for over a year
Date Published: September 11, 2022

https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/

Excerpt: “A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. Firmware flaws are particularly dangerous because they can lead to malware infections that persist even between OS re-installations or allow long-term compromises that would not trigger standard security tools. As Binarly highlights in the report, even though it’s been a month since they made some of the flaws public at Black Hat 2022, the vendor hasn’t released security updates for all impacted models, leaving many customers exposed to attacks. The researchers reported three bugs to HP in July 2021 and the other three in April 2022, so the vendor had between four months and more than a full year to push updates for all affected devices.”

Title: Ransomware gangs switching to new intermittent encryption tactic
Date Published: September 10, 2022

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

Excerpt: “A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped. This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files’ content, which would still render the data unrecoverable without using a valid decryptor+key. For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good. Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.”
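The excerpt notes that partial encryption defeats detectors that key on heavy file I/O. One signal that survives this tactic is the entropy pattern the technique leaves behind: an intermittently encrypted file is neither uniformly random nor plaintext-like, but interleaves high-entropy and low-entropy chunks. The following is an added example written for this digest, not code from the BleepingComputer article or from any vendor; it splits a file into interleaved streams of fixed-size chunks and flags files where one stream looks encrypted while the other does not. The entropy thresholds, the list of candidate chunk sizes and the sample data are all assumptions constructed for the demonstration, and it generalizes the article's "every other 16 bytes" case by scanning several chunk sizes.

```python
import math
import random
from collections import Counter

# Thresholds in bits of Shannon entropy per byte (assumed values, not from the article).
HIGH_ENTROPY = 7.5   # what a few KB of encrypted or compressed data look like
LOW_ENTROPY = 6.5    # a comfortable ceiling for uncompressed text, code, XML, etc.
# Candidate chunk sizes to scan; 16 is the granularity quoted in the article.
BLOCK_SIZES = (16, 32, 64, 128, 256, 512, 1024)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def stride_entropies(data: bytes, block_size: int, period: int = 2) -> list:
    """Split data into `period` interleaved streams of `block_size` chunks and
    return each stream's entropy. 'Every other 16 bytes encrypted' corresponds to
    period=2, block_size=16: one stream is ciphertext, the other is untouched."""
    streams = [bytearray() for _ in range(period)]
    for index, offset in enumerate(range(0, len(data), block_size)):
        streams[index % period] += data[offset:offset + block_size]
    return [shannon_entropy(bytes(s)) for s in streams]


def classify(data: bytes) -> dict:
    """Return a verdict plus the evidence (best-matching chunk size and stream entropies)."""
    best = None
    for block_size in BLOCK_SIZES:
        ent = stride_entropies(data, block_size)
        spread = max(ent) - min(ent)
        if best is None or spread > best["spread"]:
            best = {"block_size": block_size, "strides": ent, "spread": spread}
    total = shannon_entropy(data)
    if total >= HIGH_ENTROPY:
        # Fully encrypted, or a legitimately compressed/archive format: needs other context.
        verdict = "high-entropy"
    elif max(best["strides"]) >= HIGH_ENTROPY and min(best["strides"]) <= LOW_ENTROPY:
        # One interleaved stream is random-looking, the other is not: the intermittent signature.
        verdict = "intermittent-encryption-suspect"
    else:
        verdict = "plaintext-like"
    return {"verdict": verdict, "total_entropy": total, **best}


def make_samples(size: int = 8192, seed: int = 1234) -> dict:
    """Constructed sample buffers (not real victim files): plaintext, fully random bytes
    standing in for ciphertext, and plaintext with every other 16-byte block replaced."""
    rng = random.Random(seed)
    sentence = b"The quick brown fox jumps over the lazy dog. "
    plaintext = (sentence * (size // len(sentence) + 1))[:size]
    fully_random = rng.randbytes(size)
    partial = bytearray(plaintext)
    for offset in range(0, size, 32):          # blocks 0, 2, 4, ... get random bytes
        partial[offset:offset + 16] = rng.randbytes(16)
    return {"plaintext": plaintext, "encrypted": fully_random, "intermittent": bytes(partial)}


if __name__ == "__main__":
    for name, buf in make_samples().items():
        result = classify(buf)
        print(f"{name:12s} verdict={result['verdict']:32s} total={result['total_entropy']:.2f} "
              f"block={result['block_size']} strides={[round(e, 2) for e in result['strides']]}")
```

The stride check only fires when the scanned chunk size matches the attacker's granularity, which is why several sizes are tried; a real scanner would also need per-file-type baselines, since compressed formats are high-entropy by design and would land in the "high-entropy" bucket regardless of ransomware.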

Title: US sanctions Iran’s Ministry of Intelligence over Albania cyberattack
Date Published: September 9, 2022

https://www.bleepingcomputer.com/news/security/us-sanctions-iran-s-ministry-of-intelligence-over-albania-cyberattack/

Excerpt: “The U.S. Treasury Department announced sanctions today against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for their role in the July cyberattack against the government of Albania, a U.S. ally and a NATO member state. MOIS is the Iranian government’s leading intelligence agency, tasked with coordinating intelligence and counterintelligence efforts, as well as covert actions supporting the Islamic regime’s goals beyond the country’s borders. “Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors,” the Treasury Dept’s Office of Foreign Assets Control (OFAC) said. “In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens.”

Title: Thousands of QNAP NAS devices hit by DeadBolt ransomware (CVE-2022-27593)
Date Published: September 12, 2022

https://www.helpnetsecurity.com/2022/09/12/cve-2022-27593/

Excerpt: “QNAP Systems has provided more information about the latest DeadBolt ransomware campaign targeting users of its network-attached storage (NAS) devices and the vulnerability the attackers are exploiting (CVE-2022-27593). CVE-2022-27593 exists because of an externally controlled reference that resolves to a resource that is outside of the intended control sphere, and affects the widely used Photo Station application. The vulnerability allows attackers to modify system files and, ultimately, install and deploy ransomware.”

Title: Iran-linked APT42 is behind over 30 espionage attacks
Date Published: September 11, 2022

https://securityaffairs.co/wordpress/135581/apt/iran-apt42-espionage-attacks.html

Excerpt: “Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788). The campaigns have been conducted since 2015 and are aimed at conducting information collection and surveillance operations against individuals and organizations of strategic interest to Teheran. Mandiant researchers pointed out that the APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO). APT42’s TTPs overlap with another Iran-linked APT group tracked as APT35 (aka ‘Charming Kitten’, ‘Phosphorus’, Newscaster, and Ajax Security Team) which made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media. Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.”

Title: The ransomware problem won’t get better until we change one thing
Date Published: September 11, 2022

https://www.zdnet.com/article/the-ransomware-problem-wont-get-better-until-we-change-one-thing/

Excerpt: “Ransomware is one of the most significant cybersecurity issues facing us today, as cyber criminals hack into businesses, schools, hospitals, critical infrastructure and more in order to encrypt files and demand a ransom payment for the decryption key. Despite warnings not to, many victims pay these ransoms, under the impression that it’s the quickest way to restore their network, particularly if the cyber criminals are also threatening to leak stolen data. But all this means is that the attack cycle continues, with ransomware groups using their ill-gotten gains to finance more ambitious attacks. Beyond this there’s another problem. Many ransomware incidents are simply kept under wraps, so it’s hard to get a good picture of what’s really happening in the world. Even when companies do admit to a cyberattack they are very often vague about what has happened, and seem most reluctant to describe any incident as a ransomware attack.”

Title: Cops Raid Suspected Fraudster Penthouses
Date Published: September 12, 2022

https://www.infosecurity-magazine.com/news/cops-raid-suspected-fraudster/

Excerpt: “Investigators have disrupted a major organized crime gang believed to have tricked thousands of British victims into handing over money. The UK’s National Crime Agency (NCA) and Romanian police searched two penthouse apartments in Bucharest thought to have been the nerve center for a fraud operation that targeted consumers across Europe on a “massive scale.” The group specifically targeted individuals who had already been victims of investment fraud, according to the NCA. They approached the victims, claiming to work for the Financial Conduct Authority (FCA) or other regulatory bodies, promising to help recover any losses. However, once an upfront fee had been paid for this ‘service’ and transferred to a crypto wallet, the fraudsters would cease contact and move on to their next victim, the NCA explained.”

Title: North Korean Lazarus Group Hacked Energy Providers Worldwide
Date Published: September 12, 2022

https://www.infosecurity-magazine.com/news/lazarus-group-hacked-energy/

Excerpt: “A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022. The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it. Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organizations. “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers,” the team wrote. “In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”

Title: Monti, the New Conti: Ransomware Gang Uses Recycled Code
Date Published: September 9, 2022

https://www.darkreading.com/vulnerabilities-threats/monti-conti-ransomware-recycled-code

Excerpt: “Analysts have discovered a ransomware campaign from a new group called “Monti,” which relies almost entirely on leaked Conti code to launch attacks. The Monti group emerged with a round of ransomware attacks over the Independence Day weekend, and was able to successfully exploit the Log4Shell vulnerability to encrypt 20 BlackBerry user hosts and 20 servers, BlackBerry’s Research and Intelligence Team reported. After further analysis, researchers discovered that the indicators of compromise (IoCs) for the new ransomware attacks were the same as in previous Conti ransomware attacks, with one twist: Monti incorporates the Action1 Remote Monitoring and Maintenance (RMM) Agent. But rather than being Conti reborn, the researchers said they believe Monti lifted Conti’s infrastructure when it was leaked last spring, during February and March.”
