September 15, 2022

Fortify Security Team

Title: Webworm hackers modify old malware in new attacks to evade attribution
Date Published: September 15, 2022

https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/

Excerpt: “The Chinese ‘Webworm’ hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operations costs. Webworm is a cyberespionage cluster active since at least 2017 and previously linked to attacks on IT firms, aerospace, and electric power providers in Russia, Georgia, and Mongolia. According to a report by Symantec, part of Broadcom Software, the threat actors are currently testing various modified Remote Access Trojans (RATs) against IT service providers in Asia, likely to determine their effectiveness.”

Title: FBI: Hackers steal millions from healthcare payment processors
Date Published: September 14, 2022

https://www.bleepingcomputer.com/news/security/fbi-hackers-steal-millions-from-healthcare-payment-processors/

Excerpt: “Cybercriminals are combining multiple tactics to obtain login credentials of employees at payment processors in the healthcare industry and to modify payment instructions. The FBI says that it received multiple reports where hackers are using publicly available personal details and social engineering to impersonate victims with access to healthcare portals, websites, and payment information. Phishing and spoofing support centers are additional methods that help hackers achieve their goal of gaining access to entities that process and distribute healthcare payments. FBI’s alert today notes that this specific threat actor activity includes sending phishing emails to financial departments of healthcare payment processors. They are also modifying Exchange Servers’ configuration and setting up custom rules for targeted accounts, likely to receive a copy of the victim’s messages.”

Title: Death of Queen Elizabeth II exploited to steal Microsoft credentials
Date Published: September 14, 2022

https://www.bleepingcomputer.com/news/security/death-of-queen-elizabeth-ii-exploited-to-steal-microsoft-credentials/

Excerpt: “Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to sites that steal their Microsoft account credentials. Besides Microsoft account details, the attackers also attempt to steal their victims’ multi-factor authentication (MFA) codes to take over their accounts. “Messages purported to be from Microsoft and invited recipients to an ‘artificial technology hub’ in her honor,” Proofpoint’s Threat Insight team revealed today. In the campaign spotted by Proofpoint, the phishing actors impersonate “the Microsoft team” and try to bait the recipients into adding their memo onto an online memory board “in memory of Her Majesty Queen Elizabeth II.” After clicking a button embedded within the phishing email, the targets are instead sent to a phishing landing page where they’re asked first to enter their Microsoft credentials.”

Title: New Lenovo BIOS updates fix security bugs in hundreds of models
Date Published: September 14, 2022

https://www.bleepingcomputer.com/news/security/new-lenovo-bios-updates-fix-security-bugs-in-hundreds-of-models/

Excerpt: “Chinese computer manufacturer Lenovo has issued a security advisory to warn of several high-severity BIOS vulnerabilities impacting hundreds of devices in the various models (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem). Exploiting the flaws may lead to information disclosure, privilege escalation, denial of service, and, under certain circumstances, arbitrary code execution.”

The vulnerabilities in Lenovo’s security advisory are the following:

  • CVE-2021-28216: Fixed pointer flaw in TianoCore EDK II BIOS (reference implementation of UEFI), allowing an attacker to elevate privileges and execute arbitrary code.
  • CVE-2022-40134: Information leak flaw in the SMI Set Bios Password SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40135: Information leak vulnerability in the Smart USB Protection SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40136: Information leak flaw in SMI Handler used for configuring platform settings over WMI, enabling an attacker to read SMM memory.
  • CVE-2022-40137: Buffer overflow in the WMI SMI Handler, enabling an attacker to execute arbitrary code.

Title: Linux variant of the SideWalk backdoor discovered
Date Published: September 15, 2022

https://www.helpnetsecurity.com/2022/09/15/linux-variant-sidewalk-backdoor/

Excerpt: “This variant was first deployed against a Hong Kong university in February 2021 — the same university that SparklingGoblin had already targeted during the student protests in May 2020. SparklingGoblin is an APT group with targets mainly in East and Southeast Asia. However, ESET has seen SparklingGoblin targeting a broad range of organizations and verticals around the world, with a particular focus on the academic sector. The SideWalk backdoor is exclusive to SparklingGoblin. In addition to the multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools, one of the SideWalk Linux samples uses a C&C address that SparklingGoblin previously used. Considering all of these factors, we attribute with high confidence SideWalk Linux to the SparklingGoblin APT group,” explains Vladislav Hrcka, an ESET researcher who made the discovery along with Thibault Passilly and Mathieu Tartare.”

Title: US government software suppliers must attest their solutions are secure
Date Published: September 15, 2022

https://www.helpnetsecurity.com/2022/09/15/us-government-software-secure/

Excerpt: “The Office of Management and Budget (OMB) has issued a memo requiring US federal government agencies to use software that has been built according to secure software development practices and whose developers follow practices for software supply chain security, as specified by the National Institute of Standards and Technology (NIST). The term ‘software’ for purposes of this memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software,” the memo spells out.”

Title: CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog
Date Published: September 14, 2022

https://securityaffairs.co/wordpress/135753/security/cisa-known-exploited-vulnerabilities-catalog-new-flaws.html

Excerpt: “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities Catalog: a Windows privilege escalation vulnerability, tracked as CVE-2022-37969, and an arbitrary code execution issue, tracked as CVE-2022-32917, affecting iPhones and Macs. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure. The CVE-2022-37969 flaw was addressed by Microsoft with the release of the September 2022 Patch Tuesday security updates; it is a Windows Common Log File System Driver Elevation of Privilege Vulnerability. Microsoft credited Quan Jin with DBAPPSecurity, Genwei Jiang with Mandiant, FLARE OTF, CrowdStrike, and Zscaler ThreatLabz for reporting this flaw.”

Title: FormBook Knocks Off Emotet As Most Used Malware in August
Date Published: September 14, 2022

https://www.infosecurity-magazine.com/news/formbook-knocks-off-emotet/

Excerpt: “FormBook is now the most prevalent malware found in the wild, dethroning Emotet, which has held that position since its reappearance in January. An info stealer targeting Windows OS, FormBook can harvest credentials, collect screenshots and monitor and log keystrokes. It can also download and execute files according to its command and control (C&C) orders. It also features robust evasion techniques and a relatively low price. The data comes from the latest Most Wanted Malware report by cybersecurity company Check Point Research (CPR), which also suggested the Android spyware Joker took third place in the mobile index and the Apache Log4j Remote Code Execution returned to first place as the most exploited vulnerability.”

Title: Cybercrime Forum Admins Steal from Site Users
Date Published: September 15, 2022

https://www.infosecurity-magazine.com/news/cybercrime-forum-admins-spotted/

Excerpt: “Security researchers have uncovered evidence of administrators on cybercrime forums scamming their own customers. Threat intelligence firm Digital Shadows was sent a tip-off leading it to a cross-site scripting (XSS) forum thread. It contained direct messages between the moderator and administrator of the Altenen forum, and one unlucky user. Altenen is an English-language cybercrime forum that has been around for nine years. Like many similar sites, it processes payments via an escrow system – with the site admins managing the escrow account. In this case, a customer bought a laptop from another Altenen user, and then messaged the moderator asking them for a confirmation receipt that the money had been received. Instead, they were sent a demand for an additional ‘escrow fee’ of $120. After haggling the moderator down to $80, the user paid. However, when the purchase fell through and the user requested the escrow fee back, the moderator ceased all communication. A further message from the site admin revealed that the whole incident had been a scam.”

Title: Vulnerabilities Found in Airplane WiFi Devices, Passengers’ Data Exposed
Date Published: September 14, 2022

https://www.infosecurity-magazine.com/news/vulnerabilities-found-airplane/

Excerpt: “Two critical vulnerabilities were found in wireless LAN devices that are allegedly used to provide internet connectivity in airplanes. The flaws were discovered by Thomas Knudsen and Samy Younsi of Necrum Security Labs and affected the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec. “After performing reverse engineering of the firmware, we discovered that a hidden page not listed in the Wireless LAN Manager interface allows us to execute Linux commands on the device with root privileges,” wrote the security researchers in an advisory, referring to the vulnerability tracked as CVE-2022-36158. “From here, we have access to all the system files but also be able to open the telnet port and have full access to the device.” Knudsen and Younsi also described a second vulnerability in the advisory (tracked as CVE-2022-36159), this one referring to the use of weak hard-coded cryptographic keys and backdoor accounts.”
