September 13, 2022

Fortify Security Team
Title: Cyberspies drop new infostealer malware on govt networks in Asia

Date Published: September 13, 2022

https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/

Excerpt: “Security researchers have identified new cyber-espionage activity focusing on government entities in Asia, as well as state-owned aerospace and defense firms, telecom companies, and IT organizations.  The threat group behind this activity is a distinct cluster previously associated with the “ShadowPad” RAT (remote access trojan). In recent campaigns, the threat actor deployed a much more diverse toolset.  According to a report by Symantec’s Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing.”

The current campaign appears to be almost exclusively focused on government or public entities in Asia, including:

  • Head of government/Prime Minister’s office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies

Title: Hackers steal Steam accounts in new Browser-in-the-Browser attacks

Date Published: September 12, 2022

https://www.bleepingcomputer.com/news/security/hackers-steal-steam-accounts-in-new-browser-in-the-browser-attacks/

Excerpt: “Hackers are launching new attacks to steal Steam credentials using a Browser-in-the-Browser phishing technique that is rising in popularity among threat actors.  The Browser-in-the-Browser technique is a trending attack method involving the creation of fake browser windows within the active window, making it appear as a sign-in pop-up page for a targeted login service.  In March 2022, BleepingComputer was the first to report on the capabilities of this new phishing kit created by security researcher mr.d0x. Using this phishing kit, threat actors create fake login forms for Steam, Microsoft, Google, and any other service.  Today, Group-IB published a new report on the topic, illustrating how a new campaign using the ‘Browser-in-the-Browser’ method targets Steam users, going after accounts for professional gamers.  These phishing attacks aim to sell access to those accounts, with some prominent Steam accounts valued between $100,000 and $300,000.”

Title: U-Haul discloses data breach exposing customer driver licenses

Date Published: September 12, 2022

https://www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/

Excerpt: “Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.  Following an incident investigation started on July 12 after discovering the breach, the company found on August 1 that attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.  “After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers in notification letters sent to impacted individuals on Friday.  The attacker accessed the U-Haul rental contracts search portal after compromising two “unique passwords.”

Title: Apple fixes actively exploited zero-day in macOS, iOS (CVE-2022-32917)

Date Published: September 13, 2022

https://www.helpnetsecurity.com/2022/09/13/cve-2022-32917/

Excerpt: “CVE-2022-32917, reported by an anonymous researcher, may allow a malicious application to execute arbitrary code with kernel privileges.  “Apple is aware of a report that this issue may have been actively exploited,” the company said, and noted that the vulnerability has been remediated with improved bounds checks.  The vulnerability has been fixed in macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 16, and iOS 15.7 and iPadOS 15.7.  As is Apple’s custom, details about the attack(s) taking advantage of this flaw have not been shared, but it’s likely that they are targeted and limited. Nevertheless, users are advised to update their Apple devices as soon as possible.”

Title: Iran-linked TA453 used new Multi-Persona Impersonation technique in recent attacks

Date Published: September 13, 2022

https://securityaffairs.co/wordpress/135679/apt/iran-ta453-multi-persona-impersonation.html

Excerpt: “In mid-2022, Proofpoint researchers uncovered a cyberespionage campaign conducted by Iran-linked TA453 threat actors.  The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single email thread to target their victims.  TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.  The attack chain starts with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.’s Chatham House, and the scientific journal Nature.”

Title: Montenegro and its allies are working to recover from the massive cyber attack

Date Published: September 13, 2022

https://securityaffairs.co/wordpress/135667/hacking/montenegro-massive-cyber-attack.html

Excerpt: “A massive cyberattack hit Montenegro; the offensive forced government headquarters to disconnect the systems from the Internet. The attack started on August 20 and impacted online government information platforms. According to the media, the critical infrastructure of the country, including banking, water and electrical power systems, is at high risk.  Government officials attribute the attack to pro-Russian hackers and to Russian security services.  The National Security Agency said that Montenegro was “under a hybrid war at the moment.”  The state has been a Russian ally since 2017 when it joined NATO despite strong opposition from Russia; it also expressed support to Ukraine after its invasion.  Now Moscow has added the state to its list of “enemy states”; for this reason, it is suspected to be the source of the attacks.”

Title: Ransomware Gang Hacks VoIP for Initial Access

Date Published: September 13, 2022

https://www.infosecurity-magazine.com/news/ransomware-gang-hacks-voip-for/

Excerpt: “Threat actors exploited a vulnerability in a popular VoIP appliance to gain access to a victim’s corporate network, researchers have revealed.  A team at Arctic Wolf said that the unnamed organization was compromised by the Lorenz ransomware variant. The group apparently targeted the Mitel Service Appliance component of MiVoice Connect, via remote code execution bug CVE-2022-29499, to obtain a reverse shell.  The hackers then used open source TCP tunnelling tool Chisel to pivot into the network.  After waiting almost a month following initial access, the group then proceeded with lateral movement, data exfiltration via FileZilla, and encryption with BitLocker and Lorenz ransomware on ESXi systems.”

Title: Researchers Warn of 674% Surge in Deadbolt Ransomware

Date Published: September 13, 2022

https://www.infosecurity-magazine.com/news/researchers-674-surge-deadbolt/

Excerpt: “Security experts have flagged a spectacular surge in network-attached storage (NAS) devices around the world infected with the Deadbolt ransomware variant.  Devices made by Taiwanese company QNAP have been targeted by the group since the start of the year. It appears that the hackers took advantage of a vulnerability in the products to compromise them, causing major problems for the consumers and small businesses that are typical QNAP customers.  However, attack surface management vendor Censys has warned that the attacks have kept on coming over the summer.  It recorded a global infection count of 2,459 on June 27, rising to 7,783 on July 15, then 9,091 on July 30, and finally a high of 19,029 devices on September 4. That’s a 674% increase in just over two months.  A majority of these infections were found in the US, with 2,472 hosts showing signs of Deadbolt, followed by Germany (1,778), and Italy (1,383).”

Title: Oxeye Discovers Several High Severity IDOR Vulnerabilities in Harbor

Date Published: September 12, 2022

https://www.infosecurity-magazine.com/news/oxeye-idor-vulnerabilities-harbor/

Excerpt: “The Oxeye security research team found several high-severity insecure direct object reference (IDOR) vulnerabilities in Harbor, an open-source artifact registry developed by the Cloud Native Computing Foundation (CNCF) and VMware.  The company explained that the five flaws were discovered despite Harbor having implemented role-based access control (RBAC) on most HTTP endpoints.  One of them reportedly led to webhook policy disclosure, while another led to the disclosure of job execution logs.  “Managing access to operations and resources can be a challenging goal,” explained Oxeye in an advisory about the new vulnerabilities.”
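The pattern behind an IDOR that survives endpoint-level RBAC, as an added illustration that is not Harbor’s code and does not reproduce the specific flaws Oxeye found: a handler that correctly checks whether the caller may read the project named in the URL, but then loads the webhook policy by its bare integer ID, so a member of any project can read any project’s policy. Beside it is the fix, which binds the loaded object to the project the caller was authorized for. The types, the in-memory store, the membership table and the two sample policies are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors returned by both handler variants.
var (
	ErrForbidden = errors.New("forbidden: caller is not a member of this project")
	ErrNotFound  = errors.New("webhook policy not found")
)

// WebhookPolicy is a constructed stand-in for a registry's webhook
// configuration; the notification endpoint is the sensitive field,
// since such URLs commonly embed an auth token.
type WebhookPolicy struct {
	ID        int64
	ProjectID int64
	Name      string
	Endpoint  string
}

// store is an in-memory stand-in for the database, keyed by policy ID.
type store struct {
	policies map[int64]WebhookPolicy
}

// membership maps userID -> set of project IDs the user may read.
// Constructed: user 1 belongs to project 10 only, user 2 to project 20 only.
var membership = map[int64]map[int64]bool{
	1: {10: true},
	2: {20: true},
}

// canRead is the per-endpoint RBAC check. It answers only "may this user
// read project projectID?" and knows nothing about individual objects,
// which is exactly why it cannot catch an IDOR on its own.
func canRead(userID, projectID int64) bool {
	return membership[userID][projectID]
}

// getPolicyVulnerable models the IDOR: RBAC is enforced on the project
// named in the URL, but the policy is then loaded by its bare ID, so a
// member of any project can read any policy by guessing its integer ID.
func getPolicyVulnerable(s *store, userID, projectID, policyID int64) (WebhookPolicy, error) {
	if !canRead(userID, projectID) {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := s.policies[policyID]
	if !ok {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

// getPolicyFixed binds the object to the project the caller was authorized
// for. A policy that belongs to another project is reported as not found
// rather than forbidden, so the endpoint is not an existence oracle either.
func getPolicyFixed(s *store, userID, projectID, policyID int64) (WebhookPolicy, error) {
	if !canRead(userID, projectID) {
		return WebhookPolicy{}, ErrForbidden
	}
	p, ok := s.policies[policyID]
	if !ok || p.ProjectID != projectID {
		return WebhookPolicy{}, ErrNotFound
	}
	return p, nil
}

// newSampleStore seeds two policies in two different projects (constructed data).
func newSampleStore() *store {
	return &store{policies: map[int64]WebhookPolicy{
		1: {ID: 1, ProjectID: 10, Name: "ci-notify", Endpoint: "https://ci.example.invalid/hook?token=secret-A"},
		2: {ID: 2, ProjectID: 20, Name: "audit", Endpoint: "https://audit.example.invalid/hook?token=secret-B"},
	}}
}

func main() {
	s := newSampleStore()
	// User 2 is authorized on project 20 only, yet asks for policy 1 (project 10).
	if p, err := getPolicyVulnerable(s, 2, 20, 1); err == nil {
		fmt.Printf("vulnerable: user 2 read project %d policy %q -> %s\n", p.ProjectID, p.Name, p.Endpoint)
	}
	if _, err := getPolicyFixed(s, 2, 20, 1); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

The same check generalizes to any child resource addressed by a global ID under a parent path (job execution logs under a project, for instance): the query that loads the object must be scoped by the parent the caller was authorized for, either by adding the parent ID to the lookup key or by comparing the loaded object’s parent field before returning it.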

Title: China says NSA used multiple cybersecurity tools in attacks against Chinese university

Date Published: September 13, 2022

https://www.zdnet.com/article/china-says-nsa-used-multiple-cybersecurity-tools-in-attacks-against-chinese-university/

Excerpt: “China has released a report that reveals the US National Security Agency (NSA) used multiple cybersecurity tools in its recent attacks against a Chinese university. Amongst these are sniffing and Trojan programs, which Chinese researchers say led to the theft of a “large amount of sensitive data”.  China’s National Computer Virus Emergency Response Center (CVERC) on Tuesday said “41 types of cyber weapons” were tapped by NSA’s hacking unit, Tailored Access Operations (TAO), in the cyber attacks targeting China’s Northwestern Polytechnical University.  Located in the Chinese city of Xi’an, the university describes itself as a research-focused institution with disciplines in aeronautics, astronautics, and marine technology engineering. It is affiliated with China’s Ministry of Industry and Information Technology.”
