September 13, 2022

Fortify Security Team

Title: Cyberspies drop new infostealer malware on govt networks in Asia

Date Published: September 13, 2022

https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/

Excerpt: “Security researchers have identified new cyber-espionage activity focusing on government entities in Asia, as well as state-owned aerospace and defense firms, telecom companies, and IT organizations.  The threat group behind this activity is a distinct cluster previously associated with the “ShadowPad” RAT (remote access trojan). In recent campaigns, the threat actor deployed a much more diverse toolset.  According to a report by Symantec’s Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing.”

The current campaign appears to be almost exclusively focused on government or public entities in Asia, including:

  • Head of government/Prime Minister’s office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies

Title: Hackers steal Steam accounts in new Browser-in-the-Browser attacks

Date Published: September 12, 2022

https://www.bleepingcomputer.com/news/security/hackers-steal-steam-accounts-in-new-browser-in-the-browser-attacks/

Excerpt: “Hackers are launching new attacks to steal Steam credentials using a Browser-in-the-Browser phishing technique that is rising in popularity among threat actors.  The Browser-in-the-Browser technique is a trending attack method involving the creation of fake browser windows within the active window, making it appear as a sign-in pop-up page for a targeted login service.  In March 2022, BleepingComputer was the first to report on the capabilities of this new phishing kit created by security researcher mr.d0x. Using this phishing kit, threat actors create fake login forms for Steam, Microsoft, Google, and any other service.  Today, Group-IB published a new report on the topic, illustrating how a new campaign using the ‘Browser-in-the-Browser’ method targets Steam users, going after accounts for professional gamers.  These phishing attacks aim to sell access to those accounts, with some prominent Steam accounts valued between $100,000 and $300,000.”

Title: U-Haul discloses data breach exposing customer driver licenses

Date Published: September 12, 2022

https://www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/

Excerpt: “Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.  Following an incident investigation started on July 12 after discovering the breach, the company found on August 1 that attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.  “After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers in notification letters sent to impacted individuals on Friday.  The attacker accessed the U-Haul rental contracts search portal after compromising two “unique passwords.””

Title: Apple fixes actively exploited zero-day in macOS, iOS (CVE-2022-32917)

Date Published: September 13, 2022

https://www.helpnetsecurity.com/2022/09/13/cve-2022-32917/

Excerpt: “CVE-2022-32917, reported by an anonymous researcher, may allow a malicious application to execute arbitrary code with kernel privileges.  “Apple is aware of a report that this issue may have been actively exploited,” the company said, and noted that the vulnerability has been remediated with improved bounds checks.  The vulnerability has been fixed in macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 16, and iOS 15.7 and iPadOS 15.7.  As is Apple’s custom, details about the attack(s) taking advantage of this flaw have not been shared, but it’s likely that they are targeted and limited. Nevertheless, users are advised to update their Apple devices as soon as possible.”

Title: Iran-linked TA453 used new Multi-Persona Impersonation technique in recent attacks

Date Published: September 13, 2022

https://securityaffairs.co/wordpress/135679/apt/iran-ta453-multi-persona-impersonation.html

Excerpt: “In mid-2022, Proofpoint researchers uncovered a cyberespionage campaign conducted by Iran-linked TA453 threat actors.  The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single email thread to target their victims.  TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.  The attack chain starts with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.’s Chatham House, and the scientific journal Nature.”

Title: Montenegro and its allies are working to recover from the massive cyber attack

Date Published: September 13, 2022

https://securityaffairs.co/wordpress/135667/hacking/montenegro-massive-cyber-attack.html

Excerpt: “A massive cyberattack hit Montenegro, the offensive forced government headquarters to disconnect the systems from the Internet. The attack started on August 20 and impacted online government information platforms. According to the media, the critical infrastructure of the country, including banking, water and electrical power systems are at high risk.  Government officials attribute the attack to pro-Russian hackers and to Russian security services.  The National Security Agency said that Montenegro was “under a hybrid war at the moment.”  The state has been a Russian ally since 2017 when it joined NATO despite strong opposition from Russia, it also expressed support to Ukraine after its invasion.  Now Moscow has added the state to its list of “enemy states” for this reason it is suspected to be the source of the attacks.”

Title: Ransomware Gang Hacks VoIP for Initial Access

Date Published: September 13, 2022

https://www.infosecurity-magazine.com/news/ransomware-gang-hacks-voip-for/

Excerpt: “Threat actors exploited a vulnerability in a popular VoIP appliance to gain access to a victim’s corporate network, researchers have revealed.  A team at Arctic Wolf said that the unnamed organization was compromised by the Lorenz ransomware variant. The group apparently targeted the Mitel Service Appliance component of MiVoice Connect, via remote code execution bug CVE-2022-29499, to obtain a reverse shell.  The hackers then used open source TCP tunnelling tool Chisel to pivot into the network.  After waiting almost a month following initial access, the group then proceeded with lateral movement, data exfiltration via FileZilla, and encryption with BitLocker and Lorenz ransomware on ESXi systems.”
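The pivot pattern in the excerpt (a VoIP appliance initiating connections it has no business making, first out to the Internet for the reverse shell, then into the LAN through the tunnel) is something a defender can hunt for in flow logs. The following is an added example written for this digest, not code from Arctic Wolf or the article; the flow record format, the appliance address, the internal and SIP-trunk ranges, and the port baselines are all constructed assumptions and must be replaced with the real deployment's values. Because the article notes the attackers waited almost a month after initial access, the hunt window has to reach back well before the first visible lateral movement.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample flow records: "ts,src_ip,dst_ip,dst_port,proto,bytes".
# 10.0.5.20 plays the VoIP appliance; 203.0.113.0/24 plays the SIP trunk provider.
SAMPLE_FLOWS = """\
2022-08-01T09:00:01Z,10.0.5.20,203.0.113.10,5060,udp,1800
2022-08-01T09:00:05Z,10.0.5.20,10.0.7.31,5060,udp,900
2022-08-01T09:00:09Z,10.0.5.20,10.0.7.31,16384,udp,240000
2022-08-01T09:12:44Z,10.0.5.20,198.51.100.77,8080,tcp,5120
2022-08-29T02:17:03Z,10.0.5.20,10.0.9.15,445,tcp,84000
2022-08-29T02:18:10Z,10.0.5.20,10.0.9.16,3389,tcp,9100
2022-08-29T02:20:00Z,10.0.7.31,10.0.5.20,5060,udp,700
"""

VOIP_APPLIANCES = {ipaddress.ip_address("10.0.5.20")}      # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumption
SIP_TRUNK_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption
SIP_PORTS = {5060, 5061}
RTP_PORTS = range(16384, 32768)  # common RTP media range; adjust to the deployment
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}


@dataclass
class Finding:
    ts: str
    dst: str
    port: int
    reason: str


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def is_expected_voip(port: int, proto: str) -> bool:
    """SIP signalling on either transport, RTP media over UDP only."""
    return port in SIP_PORTS or (proto == "udp" and port in RTP_PORTS)


def hunt_voip_pivot(flow_text: str) -> List[Finding]:
    """Flag flows *initiated by* a VoIP appliance that fall outside its
    SIP/RTP baseline. Flows towards the appliance are ignored here."""
    findings: List[Finding] = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, _nbytes = line.split(",")
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        if src_ip not in VOIP_APPLIANCES:
            continue
        internal = in_any(dst_ip, INTERNAL_NETS)
        # Normal traffic: SIP/RTP to phones on the LAN or to the SIP trunk provider.
        if is_expected_voip(port, proto) and (internal or in_any(dst_ip, SIP_TRUNK_NETS)):
            continue
        if not internal:
            reason = "outbound connection to an unexpected Internet host (reverse shell or tunnel endpoint?)"
        elif port in LATERAL_PORTS:
            reason = "connection to an internal host on an admin/file-sharing port (lateral movement through a tunnel?)"
        else:
            reason = "appliance-initiated flow outside the SIP/RTP baseline"
        findings.append(Finding(ts, str(dst_ip), port, reason))
    return findings


if __name__ == "__main__":
    for f in hunt_voip_pivot(SAMPLE_FLOWS):
        print(f"{f.ts} {f.dst}:{f.port} {f.reason}")
```

On the constructed sample this yields three findings: the 8080/tcp connection out to an unknown host on the day of compromise, then the SMB and RDP connections into the LAN four weeks later. Whether the hunt works in practice depends on flow collection actually covering the appliance's VLAN; if the appliance sits behind a NAT or on an unmonitored segment, the first hop will not be in the data.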

Title: Researchers Warn of 674% Surge in Deadbolt Ransomware

Date Published: September 13, 2022

https://www.infosecurity-magazine.com/news/researchers-674-surge-deadbolt/

Excerpt: “Security experts have flagged a spectacular surge in network-attached storage (NAS) devices around the world infected with the Deadbolt ransomware variant.  Devices made by Taiwanese company QNAP have been targeted by the group since the start of the year. It appears that the hackers took advantage of a vulnerability in the products to compromise them, causing major problems for the consumers and small businesses that are typical QNAP customers.  However, attack surface management vendor Censys has warned that the attacks have kept on coming over the summer.  It recorded a global infection count of 2459 on June 27, rising to 7783 on July 15, then 9091 on July 30, and finally a high of 19,029 devices on September 4. That’s a 674% increase in just over two months.  A majority of these infections were found in the US, with 2472 hosts showing signs of Deadbolt, followed by Germany (1778), and Italy (1383).”

Title: Oxeye Discovers Several High Severity IDOR Vulnerabilities in Harbor

Date Published: September 12, 2022

https://www.infosecurity-magazine.com/news/oxeye-idor-vulnerabilities-harbor/

Excerpt: “The Oxeye security research team found several high-severity insecure direct object reference (IDOR) vulnerabilities in Harbor, an open-source artifact registry developed by the Cloud Native Computing Foundation (CNCF) and VMware.  The company explained that the five flaws were discovered despite Harbor having implemented role-based access control (RBAC) on most HTTP endpoints.  One of them reportedly led to webhook policy disclosure, while another led to the disclosure of job execution logs.  “Managing access to operations and resources can be a challenging goal,” explained Oxeye in an advisory about the new vulnerabilities.”
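The flaw class named in the excerpt, an IDOR that survives endpoint-level RBAC, comes from checking the caller's role on the route while loading the requested object by a global identifier and never confirming that the object belongs to the authorised scope. The following is an added illustration written for this digest, not Harbor's code or its data model; the route shape, the role names, the sample projects and the function names are assumptions. The same ownership check applies to any object reachable by ID, including the job execution logs the excerpt mentions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class WebhookPolicy:
    policy_id: int
    project_id: int
    target_url: str  # webhook endpoints commonly embed tokens or internal hostnames


# Constructed sample data: one webhook policy in each of two projects.
POLICIES: Dict[int, WebhookPolicy] = {
    1: WebhookPolicy(1, 100, "https://ci.internal.example/hook?token=abc"),
    2: WebhookPolicy(2, 200, "https://other-team.example/hook?token=xyz"),
}

# Constructed RBAC table: user -> {project_id: role}.
MEMBERSHIPS: Dict[str, Dict[int, str]] = {
    "alice": {100: "projectAdmin"},
    "bob": {200: "projectAdmin"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def has_project_role(user: str, project_id: int, allowed=("projectAdmin",)) -> bool:
    """Endpoint-level RBAC: does the caller hold an allowed role in this project?"""
    return MEMBERSHIPS.get(user, {}).get(project_id) in allowed


def get_webhook_policy_vulnerable(user: str, project_id: int, policy_id: int) -> WebhookPolicy:
    """Hypothetical route /projects/{project_id}/webhook/policies/{policy_id}.
    The role check passes for the project in the URL, but the policy is then
    fetched by its global ID alone, so a member of project 100 can read the
    policy that belongs to project 200."""
    if not has_project_role(user, project_id):
        raise Forbidden(user)
    policy = POLICIES.get(policy_id)
    if policy is None:
        raise NotFound(policy_id)
    return policy  # IDOR: policy.project_id was never compared to project_id


def get_webhook_policy_fixed(user: str, project_id: int, policy_id: int) -> WebhookPolicy:
    """Same route check plus the ownership check that closes the IDOR: the
    object must belong to the project the caller was authorised for. Answering
    404 rather than 403 avoids confirming that the foreign object exists."""
    if not has_project_role(user, project_id):
        raise Forbidden(user)
    policy = POLICIES.get(policy_id)
    if policy is None or policy.project_id != project_id:
        raise NotFound(policy_id)
    return policy


Handler = Callable[[str, int, int], WebhookPolicy]


def cross_project_read(handler: Handler, user: str, own_project: int,
                       foreign_policy_id: int) -> Optional[WebhookPolicy]:
    """Probe a handler the way a tester would: authenticate as a member of
    own_project and request an object ID that belongs to another project.
    Returns the leaked object, or None if access was correctly refused."""
    try:
        return handler(user, own_project, foreign_policy_id)
    except (Forbidden, NotFound):
        return None


if __name__ == "__main__":
    print("vulnerable handler leaked:",
          cross_project_read(get_webhook_policy_vulnerable, "alice", 100, 2))
    print("fixed handler leaked:",
          cross_project_read(get_webhook_policy_fixed, "alice", 100, 2))
```

The probe in cross_project_read is also the shape of the test to add to a code base: for every route that takes a scope (project, tenant, organisation) plus an object ID, authenticate as a member of one scope and request an ID that belongs to another; any 200 is a finding.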

Title: China says NSA used multiple cybersecurity tools in attacks against Chinese university

Date Published: September 13, 2022

https://www.zdnet.com/article/china-says-nsa-used-multiple-cybersecurity-tools-in-attacks-against-chinese-university/

Excerpt: “China has released a report that reveals the US National Security Agency (NSA) used multiple cybersecurity tools in its recent attacks against a Chinese university. Amongst these are sniffing and Trojan programs, which Chinese researchers say led to the theft of a “large amount of sensitive data”.   China’s National Computer Virus Emergency Response Center (CVERC) on Tuesday said “41 types of cyber weapons” were tapped by NSA’s hacking unit, Tailored Access Operations (TAO), in the cyber attacks targeting China’s Northwestern Polytechnical University.  Located in the Chinese city of Xi’an, the university describes itself as a research-focused institution with disciplines in aeronautics, astronautics, and marine technology engineering. It is affiliated with China’s Ministry of Industry and Information Technology.”
