September 14, 2022

Fortify Security Team

Title: Chinese hackers create Linux version of the SideWalk Windows malware
Date Published: September 14, 2022

https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/

Excerpt: “State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group. The SideWalk Linux backdoor has been observed in the past, initially being tracked as StageClient by security researchers at cybersecurity company ESET.”

Title: Hackers now use ‘sock puppets’ for more realistic phishing attacks
Date Published: September 13, 2022

https://www.bleepingcomputer.com/news/security/hackers-now-use-sock-puppets-for-more-realistic-phishing-attacks/

Excerpt: “An Iranian-aligned hacking group uses a new, elaborate phishing technique where they use multiple personas and email accounts to lure targets into thinking it’s a realistic email conversation. The attackers send an email to targets while CCing another email address under their control and then respond from that email, engaging in a fake conversation. Named ‘multi-persona impersonation’ (MPI) by researchers at Proofpoint who noticed it for the first time, the technique leverages the psychology principle of “social proof” to obscure logical thinking and add an element of trustworthiness to the phishing threads. TA453 is an Iranian threat group believed to be operating from within the IRGC (Islamic Revolutionary Guard Corps), previously seen impersonating journalists to target academics and policy experts in the Middle East.”

Title: Zero-day in WPGateway WordPress plugin actively exploited in attacks
Date Published: September 13, 2022

https://www.bleepingcomputer.com/news/security/zero-day-in-wpgateway-wordpress-plugin-actively-exploited-in-attacks/

Excerpt: “The Wordfence Threat Intelligence team warned today that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin. WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard. This critical privilege escalation security flaw (CVE-2022-3180) enables unauthenticated attackers to add a rogue user with admin privileges to completely take over sites running the vulnerable WordPress plugin. “On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin,” Wordfence senior threat analyst Ram Gall said today. “The Wordfence firewall has successfully blocked over 4.6 million attacks targeting this vulnerability against more than 280,000 sites in the past 30 days.””

Title: Attackers mount Magento supply chain attack by compromising FishPig extensions
Date Published: September 14, 2022

https://www.helpnetsecurity.com/2022/09/14/fishpig-extensions-compromised/

Excerpt: “FishPig, a UK-based company developing extensions for the popular Magento open-source e-commerce platform, has announced that its paid software offerings have been injected with malware after its distribution server was compromised. The injected malicious code installs the Rekoobe remote access trojan that, upon being launched, removes all malware files and runs in memory, Sansec researchers explained. Then it hides as a system process and waits for commands from a control server in Latvia. The only good news related to this Magento supply chain attack is that there’s no evidence that the compromised installations have been taken advantage of.”

Title: Thwarting attackers in their favorite new playground: Social media
Date Published: September 14, 2022

https://www.helpnetsecurity.com/2022/09/14/social-media-attacks/

Excerpt: “For years, LinkedIn has been utilized by threat actors looking to refine their attacks. From simple spear-phishing attacks to reconnaissance, the professional networking site has provided a fertile field to harvest data and enhance criminal tactics, even as a jumping point to other platforms like Facebook Business. Given how reliant employees are on their own “brand” and contacts to thrive in today’s economy, the drive to use social media at home and work isn’t likely to diminish, leading to potential compromises for the organization from their employees’ online activities. As we constantly adapt and improve our technology and techniques for countering and responding to attacks, attackers are doing the same from the other side of the fence. However, there are key actions that company IT departments can take to counter the risk considerably.”

Title: Twitter former head of security told the Senate of severe security failings by the company
Date Published: September 14, 2022

https://securityaffairs.co/wordpress/135726/security/twitter-head-security-concerns-senate.html

Excerpt: “Peiter ‘Mudge’ Zatko, former head of security, testified in front of Congress on Tuesday, sustaining that the platform ignored his security concerns and was vulnerable to cyber attacks. Zatko filed a whistleblower complaint in July with Congress, the justice department, the Federal Trade Commission and the Securities and Exchange Commission, arguing that Twitter misled regulators and the public about its cybersecurity best practices. The expert added that ‘any employee could take over the accounts of any senator in this room.’ While serving as head of security for the company, from late 2020 until January 2022, he repeatedly alerted the management of the presence of severe vulnerabilities that could expose the platform to compromise.”

Title: Trend Micro addresses actively exploited Apex One zero-day
Date Published: September 13, 2022

https://securityaffairs.co/wordpress/135689/security/trend-micro-apex-one-zero-day.html

Excerpt: “Trend Micro announced this week the release of security patches to address multiple vulnerabilities in its Apex One endpoint security product, including a zero-day vulnerability, tracked as CVE-2022-40139 (CVSS 3.0 SCORE 7.2), which is actively exploited. The CVE-2022-40139 flaw is an improper validation issue related to a rollback function; an agent can exploit the vulnerability to download unverified rollback components and execute arbitrary code. “We have confirmed an improper validation vulnerability in some of the components used for the rollback function of Apex One and Apex One SaaS. This could allow the agent to download unverified rollback components and execute arbitrary code. An attacker would need to be able to log into the product’s administrative console to exploit this vulnerability. Since the attacker must have previously stolen the authentication information for the product’s management console, it is not possible to infiltrate the target network using this vulnerability alone,” reads the advisory published by Trend Micro. “Trend Micro is aware of attacks using this vulnerability (CVE-2022-40139). We recommend updating to the latest build as soon as possible.””

Title: GPS jammers are being used to hijack trucks and down drones: How to stop them
Date Published: September 13, 2022

https://www.zdnet.com/article/criminals-are-using-gps-jammers-to-hijack-trucks-and-down-drones/

Excerpt: “Satellite navigation and tracking via GPS has become a critical link in the world’s rapidly growing logistics and freight carrying ecosystem. Companies use GPS to track trucks and keep them on time and their cargo secure. Little wonder, then, that criminals are turning to cheap GPS jamming devices to ransack the cargo on roads and at sea, a problem that’s getting worse but may be ameliorated with a new generation of safety technology designed to overcome threats from jamming. In case you aren’t a master criminal or a secret agent, here’s some background. The core problem for any system using GPS is that the signals are extremely weak, an inevitable byproduct of the vast distances those signals need to travel. Jammers work by overpowering GPS signals by emitting a signal at the same frequency, just a bit more powerful than the original. The typical jammers used for cargo hijackings are able to jam frequencies from up to 5 miles away rendering GPS tracking and security apparatuses, such as those used by trucking syndicates, totally useless.”

Title: Four-Fifths of Firms Hit by Critical Cloud Security Incident
Date Published: September 14, 2022

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

Excerpt: “Some 80% of organizations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk. The developer security specialist polled 400 cloud engineering and security practitioners from organizations of various sizes and sectors, to compile its State of Cloud Security Report. Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud. Startups (89%) and public sector organizations (88%) were the most likely to have suffered such an incident over the period. The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.”

Title: ShadowPad-Associated Hackers Targeted Asian Governments
Date Published: September 13, 2022

https://www.infosecurity-magazine.com/news/shadowpad-hackers-targeted-asia/

Excerpt: “A group of threat actors previously associated with the ShadowPad remote access Trojan (RAT) has adopted a new toolset to conduct campaigns against various government and state-owned organizations across multiple Asian countries. The news comes from the Threat Hunter Team at Symantec, who published a new advisory about the threats earlier today. According to the document, the attacks have been underway since early 2021 and appear focused on intelligence gathering. In terms of tools used to conduct the attacks, the threat actors reportedly leveraged several legitimate software packages to load malware payloads utilizing a technique known as DLL side-loading. The attack method involves threat actors placing a malicious dynamic link library (DLL) in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application, which in turn loads and executes the payload.”
