September 19, 2022

Fortify Security Team

Title: GTA 6 source code and videos leaked after Rockstar Games hack
Date Published: September 18, 2022

https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/

Excerpt: “Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Games’ Slack server and Confluence wiki. The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos. The videos appear to be created by developers debugging various features in the game, such as camera angles, NPC tracking, and locations in Vice City. In addition, some of the videos contain voiced conversations between the protagonist and other NPCs. The hacker claims to have stolen “GTA 5 and 6 source code and assets, GTA 6 testing build,” but is trying to extort Rockstar Games to prevent further data from being released. However, the threat actor says they are accepting offers over $10,000 for the GTA V source code and assets but are not selling the GTA 6 source code at this time.”

Title: TeamTNT hijacking servers to run Bitcoin encryption solvers
Date Published: September 18, 2022

https://www.bleepingcomputer.com/news/security/teamtnt-hijacking-servers-to-run-bitcoin-encryption-solvers/

Excerpt: “Threat analysts at AquaSec have spotted signs of TeamTNT activity on their honeypots since early September, leading them to believe the notorious hacking group is back in action. TeamTNT announced it was quitting back in November 2021, and indeed, most associated observations since then involved remnants of past infections like automated scripts but no new payloads. However, the recent attacks bear various signatures linked to TeamTNT and rely on tools previously deployed by the gang, indicating that the threat actor is likely making a comeback.”

Title: Emotet botnet now pushes Quantum and BlackCat ransomware
Date Published: September 17, 2022

https://www.bleepingcomputer.com/news/security/emotet-botnet-now-pushes-quantum-and-blackcat-ransomware/

Excerpt: “While monitoring the Emotet botnet’s current activity, security researchers found that the Quantum and BlackCat ransomware gangs are now using the malware to deploy their payloads. This is an interesting development given that the Conti cybercrime syndicate was the one that previously used the botnet before shutting down in June. The Conti group was the one who orchestrated its comeback in November after an international law enforcement action took down Emotet’s infrastructure at the beginning of 2021. “The Emotet botnet (also known as SpmTools) has fueled major cybercriminal groups as an initial attack vector, or precursor, for numerous ongoing attacks,” security researchers at intelligence company AdvIntel said. “From November 2021 to Conti’s dissolution in June 2022, Emotet was an exclusive Conti ransomware tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat.”

Title: New York ambulance service discloses data breach after ransomware attack
Date Published: September 17, 2022

https://www.bleepingcomputer.com/news/security/new-york-ambulance-service-discloses-data-breach-after-ransomware-attack/

Excerpt: “Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information. According to the notification, the company suffered a ransomware attack on July 14, 2022. An investigation into the incident revealed that the intruder had gained access to Empress EMS’ systems on May 26, 2022. About a month and a half later, on July 13, the hackers exfiltrated “a small subset of files,” a day before deploying the encryption. “Some of these files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers,” reads the disclosure from Empress EMS. “Empress EMS is mailing letters to affected individuals and offering eligible individuals credit monitoring services,” the company announced.”

Title: High severity vulnerabilities found in Harbor open-source artifact registry
Date Published: September 19, 2022

https://www.helpnetsecurity.com/2022/09/19/vulnerabilities-harbor-open-source-artifact-registry/

Excerpt: “Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Direct Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. Harbor is an open-source cloud native registry project that stores, signs, and scans content. It can integrate with various Docker registries to provide security features such as user management, access control, and activity auditing. Classified as an access control vulnerability, IDOR occurs when an application uses user-supplied input to access objects directly. IDOR is a high severity threat and is considered to be the most serious web application security risk on the most current OWASP top 10 list.”

Title: Experts warn of critical flaws in Flexlan devices that provide WiFi on airplanes
Date Published: September 19, 2022

https://securityaffairs.co/wordpress/135898/security/flexlan-critical-flaws.html

Excerpt: “Researchers from Necrum Security Labs discovered a couple of critical vulnerabilities, tracked as CVE-2022-36158 and CVE-2022-36159, impacting the Contec Flexlan FXA3000 and FXA2000 series LAN devices. The FXA3000 and FXA2000 Series are access points that are manufactured by Japan-based firm Contec that conform to IEEE 802.11n/a/b/g wireless. These devices are installed in airplanes to offer internet connectivity to the passengers; the above vulnerabilities can be exploited by an attacker to compromise the inflight entertainment system and potentially conduct other malicious activities.”

Title: LastPass revealed that intruders had internal access for four days during the August hack
Date Published: September 17, 2022

https://securityaffairs.co/wordpress/135869/hacking/lastpass-august-hack-notice.html

Excerpt: “Password management solution LastPass shared more details about the security breach that the company suffered in August 2022. The company revealed that the threat actor had access to its network for four days in August 2022. LastPass CEO Karim Toubba explained that there is no evidence that the attackers had access to customer data. “We have completed the investigation and forensics process in partnership with Mandiant. Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident.” reads the Notice of Recent Security Incident published by the company. “There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.”

Title: Webworm Attackers Deploy Modified RATs in Espionage Attacks
Date Published: September 15, 2022

https://www.infosecurity-magazine.com/news/webworm-deploy-modified-rats/

Excerpt: “The threat actor known as Webworm has been linked to several Windows-based remote access Trojans, suggests a new advisory by Symantec, a subsidiary of Broadcom Software. The group reportedly developed customized versions of three older remote access Trojans (RATs): Trochilus, Gh0st RAT and 9002 RAT. The first of these tools, first spotted in 2005, is a RAT implemented in C++, and its source code is available for download on GitHub. Gh0st, on the other hand, was released in 2008 and has since been used by advanced persistent threat (APT) groups. In the advisory, Symantec did not specify how both these malware tools were modified by Webworm. As for the 9002 RAT, the tool provides attackers with extensive data exfiltration capabilities. Symantec said it spotted variants of 9002 RAT that inject into memory and do not write to the disk.”

Title: Are Phishing Scams Likely to Go Away Anytime Soon?
Date Published: September 16, 2022

https://www.infosecurity-magazine.com/next-gen-infosec/phishing-scams-go-away-soon/

Excerpt: “Cyber-criminals are using new tactics to increase their chance of success in phishing attacks against various companies. Phishing is the most pressing cyber threat organizations face and will increase in the future. In 2021, 83% of organizations reported becoming victims of phishing attacks; in 2022, approximately 6 billion attacks are expected to happen. Today’s attackers use tactics like spear phishing, vishing and deceptive phishing to target users and cause organizations to lose billions annually. Their primary purpose is to gain access to networks, steal data or infect systems with malware. Due to these attacks, organizations lose valuable customers, money and reputation. With phishing scams not going down, there’s a need to make efforts to prevent the consequences it brings.”

Title: New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems
Date Published: September 17, 2022

https://www.infosecurity-magazine.com/news/spear-phish-methodology-putty-ssh/

Excerpt: “Hackers associated with North Korea are using trojanized versions of the PuTTY SSH open-source terminal emulator to install backdoors on victims’ devices. Discovered by Mandiant, the threat actor responsible for this campaign would be ‘UNC4034’ (also known as Temp.Hermit or Labyrinth Chollima). “Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” reads an advisory published by the company on Wednesday. The campaign, trying to trick victims into clicking on malicious files as part of a fake Amazon job assessment, would build on a previous, existing one called ‘Operation Dream Job.’ The methodology used by UNC4034 would now be evolving, according to Mandiant.”
