September 16, 2022

Fortify Security Team
Sep 16, 2022

Title: Uber hacked, internal systems breached and vulnerability reports stolen
Date Published: September 16, 2022

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

Excerpt: “Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company’s internal systems, email dashboard, and Slack server. The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain. Other systems the hacker accessed include the company’s Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server, to which the hacker posted messages. Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available.”

Title: Hackers trojanize PuTTY SSH client to backdoor media company
Date Published: September 15, 2022

https://www.bleepingcomputer.com/news/security/hackers-trojanize-putty-ssh-client-to-backdoor-media-company/

Excerpt: “North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets’ devices as part of a fake Amazon job assessment. A novel element in this campaign is the use of a trojanized version of the PuTTY and KiTTY SSH utility to deploy a backdoor, which in this case, is ‘AIRDRY.V2’. According to Mandiant technical report published today, the threat cluster responsible for this campaign is ‘UNC4034’ (aka “Temp.Hermit” or “Labyrinth Chollima”). The group’s latest activities appear to be a continuation of the ‘Operation Dream Job’ campaign, which has been ongoing since June 2020, this time targeting media companies. “In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034,” explained Mandiant.”

Title: Hive Ransomware Claims Cyberattack on Bell Canada Subsidiary
Date Published: September 15, 2022

https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-cyberattack-on-bell-canada-subsidiary/

Excerpt: “The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS). BTS is an independent subsidiary with more than 4,500 employees, specializing in installing Bell services for residential and small business customers across the Ontario and Québec provinces. While the Canadian telecommunications company didn’t reveal when its network was breached or the attack happened, Hive claims in a new entry added to its data leak blog that it encrypted BTS’ systems almost a month ago, on August 20, 2022. BTS’ website, usually reachable at bellsolutionstech.ca, is currently inaccessible, however, Bell Canada published a cybersecurity alert following the incident on its own website.”

Title: Akamai stopped new record-breaking DDoS attack in Europe
Date Published: September 15, 2022

https://www.bleepingcomputer.com/news/security/akamai-stopped-new-record-breaking-ddos-attack-in-europe/

Excerpt: “A new distributed denial-of-service (DDoS) attack that took place on Monday, September 12, has broken the previous record that Akamai recorded recently in July. DDoS attacks are cyberattacks that flood servers with fake requests and garbage traffic, rendering them unavailable to legitimate visitors and customers. The cybersecurity and cloud services company Akamai reports that the recent attack appears to originate from the same threat actor, meaning that the operators are in the process of empowering their swarm further. The victim is also the same as in July, an unnamed customer in Eastern Europe who has been “bombarded relentlessly” by the DDoS operatives all this time.”

Title: Backlogs larger than 100K+ vulnerabilities but too time-consuming to address
Date Published: September 15, 2022

https://www.helpnetsecurity.com/2022/09/15/organizations-backlog-vulnerabilities/

Excerpt: “Rezilion and Ponemon Institute announced the release of “The State of Vulnerability Management in DevSecOps,” which reveals that organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time or resources to tackle effectively. The finds 47% of security leaders report that they have a backlog of applications that have been identified as vulnerable. 66% say their backlog consists of more than 100,000 vulnerabilities and 54% say they were able to patch less than 50% of the vulnerabilities in the backlog. Thus, 78% of respondents say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with 29% noting it takes them longer than 5 weeks to patch. Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about risks that would exploit vulnerabilities (45%). 28% also said remediation is too time-consuming.”

Title: Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube
Date Published: September 15, 2022

https://securityaffairs.co/wordpress/135788/malware/self-spreading-malware-target-gamers.html

Excerpt: “Researchers from Kaspersky have spotted a self-extracting archive, served to gamers looking for cheats on YouTube, that was employed to deliver the RedLine Stealer information-stealing malware and crypto miners. The RedLine malware allows operators to steal several pieces of information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as first-stage malware. Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers. The videos were crafted to share links to malicious password-protected archive files designed to install the above malware families on infected machines.”

Title: Russia-linked Gamaredon APT target Ukraine with a new info-stealer
Date Published: September 15, 2022

https://securityaffairs.co/wordpress/135780/apt/gamaredon-new-stealing-malware.html

Excerpt: “Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) is targeting employees of the Ukrainian government, defense, and law enforcement agencies with a piece of a custom-made information stealer implant. The malicious code was designed to exfiltrate files and deploy additional payloads, threat actors are using phishing documents containing lures related to the Russian invasion of Ukraine. The threat actors relied on LNK files, PowerShell and VBScript to achieve initial access to the target systems, then deployed malicious payloads in the post-infection phase. “Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.” reads the analysis published by Talos. “The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.”

Title: IoT: Europe readies cybersecurity rules for smart devices – with big fines attached
Date Published: September 16, 2022

https://www.zdnet.com/article/iot-europe-readies-cybersecurity-rules-for-smart-devices-with-big-fines-attached/

Excerpt: “The European Commission has proposed cyber-resilience legislation that could lead to cybersecurity labels and penalties for device manufacturers with shoddy cybersecurity features and practices. The proposed law covers hardware and software of “products with digital elements” sold in the European Union and connected to any network. The Cyber Resilience Act (CRA) proposal covers most network-connected devices except medical devices for human use and excludes “free and open-source software developed or supplied outside the course of a commercial activity”. What it describes as “high-risk AI systems” and electronic health record systems fall in scope. Among other requirements, once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), security vulnerabilities are “handled effectively”.”

Title: Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence
Date Published: September 15, 2022

https://www.infosecurity-magazine.com/news/notepad-plugins-attackers/

Excerpt: “Threat actors may abuse Notepad++ plugins to circumvent security mechanisms and achieve persistence on their victim machine, new research from security company Cybereason suggests. “Using an open–source project, Notepad++ Plugin Pack, a security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism,” the company wrote in an advisory on Wednesday. The plugin pack itself is just a .NET package for Visual Studio that provides a basic template for building plugins. However, advanced persistent threat (APT) groups have leveraged Notepad++ plugins for nefarious purposes in the past. “The APT group StrongPity is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine,” the Cybereason advisory reads.”

Title: Allies Warn of Iranian Ransom Attacks Using Log4Shell
Date Published: September 16, 2022

https://www.infosecurity-magazine.com/news/allies-warn-iranian-ransom-attacks/

Excerpt: “Cybersecurity agencies in the US, UK, Australia and Canada have warned that Iranian state-sponsored hackers are exploiting Log4j vulnerabilities in ransomware campaigns. An alert published this week said Tehran’s Islamic Revolutionary Guard Corps (IRGC) was behind multiple attacks exploiting VMware Horizon Log4j bugs on unprotected networks to enable disk encryption and data extortion. These include February attacks against a US municipal government and an aerospace company which leveraged the original Log4Shell bug CVE-2021-44228 as well as related vulnerabilities CVE-2021-45046 and CVE-2021-45105. This is in keeping with previous IRGC campaigns that exploited ProxyShell vulnerabilities in Microsoft Exchange and zero-day flaws in Fortinet FortiOS products, the alert claimed.”

Recent Posts

September 15, 2022

Title: Webworm hackers modify old malware in new attacks to evade attribution Date Published: September 15, 2022 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/ Excerpt: “The Chinese 'Webworm'...

September 14, 2022

Title: Chinese hackers create Linux version of the SideWalk Windows malware Date Published: September 14, 2022 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/ Excerpt: “State-backed Chinese hackers...

September 13, 2022

Title: Cyberspies drop new infostealer malware on govt networks in Asia Date Published: September 13, 2022 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/ Excerpt: “Security researchers have identified...

September 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data Date Published: September 12, 2022 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/ Excerpt: “Cisco has confirmed that the data leaked...

September 9, 2022

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/ Excerpt: “A new version of the...

September 8, 2022

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/ Excerpt: “The North Korean APT group 'Lazarus' (APT38)...

September 7, 2022

Title: Ransomware Gang's Cobalt Strike Servers DDoSed with Anti-Russia Messages Date Published: September 7, 2022 https://www.bleepingcomputer.com/news/security/ransomware-gangs-cobalt-strike-servers-ddosed-with-anti-russia-messages/ Excerpt: “Someone is flooding...