September 20, 2022

Fortify Security Team

Title: Microsoft 365 phishing attacks impersonate U.S. govt agencies
Date Published: September 19, 2022

https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-impersonate-us-govt-agencies/

Excerpt: “An ongoing phishing campaign targeting U.S. government contractors has expanded its operation to push higher-quality lures and better-crafted documents. The lure in these phishing emails is a request for bids for lucrative government projects, taking them to phishing pages that are clones of legitimate federal agency portals. This is the same operation that INKY reported about in January 2022, with the threat actors using attached PDFs with instructions on going through the bidding process for the U.S. Department of Labor projects. According to a report by Cofense, the operatives have expanded their targeting and are now also spoofing the Department of Transportation and the Department of Commerce. Moreover, there’s now a plethora of different lures used in the messages, better phishing web page behavior, and removal of artifacts that revealed the signs of fraud in previous versions of the attached PDFs.”

Title: MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
Date Published: September 20, 2022

https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/

Excerpt: “Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is not extremely difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces. Due to this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys. While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks, such as evilginx2. However, a social engineering technique called ‘MFA Fatigue’, aka ‘MFA push spam’, is rising in popularity among threat actors as it does not require malware or phishing infrastructure and has been found to be successful in attacks.”

Title: Top Phishing and Social Media Threats: Key Findings from the Quarterly Threat Trends & Intelligence Report
Date Published: September 18, 2022

https://www.tripwire.com/state-of-security/security-data-protection/top-phishing-social-media-quarterly-threat-trends-intelligence-report/

Excerpt: “In today’s online landscape, it is crucial for organizations to stay on top of the threats that put their enterprises at risk. Agari and PhishLabs have put together their Quarterly Threat Trends & Intelligence Report detailing their analysis of phishing and social media attacks this quarter. The report presents statistics regarding the volume of attacks, the tactics used by cybercriminals, and the main targets of these attacks, documenting the changes since last quarter. Below are the key findings from the report. The volume of total phishing sites increased almost 6% from Q1 and remains steady, as opposed to the erratic spikes in activity that took place in 2021. For the remainder of 2022, phishing volume is expected to steadily climb as criminals learn where businesses’ weaknesses lie and take advantage of their vulnerabilities. Although financial institutions remain the top targeted industry at 42% of attacks, these attacks have declined more than 19% since 2021. The second most targeted industry was telecommunications, experiencing 23% of all phishing attacks. Social media accounted for 21% of overall volume, notwithstanding a small decrease in attacks.”

Title: American Airlines disclosed a data breach, threat actors had access to an undisclosed number of employee email accounts.
Date Published: September 20, 2022

https://securityaffairs.co/wordpress/135963/data-breach/american-airlines-data-breach.html

Excerpt: “American Airlines recently suffered a data breach, threat actors compromised a limited number of employee email accounts. The intruders had access to sensitive personal information contained in the accounts, but the company’s data breach notification states that it is not aware of any misuse of exposed data. The security breach was discovered on July 5th, the airline promptly adopted the measure to mitigate the incident and secure the impacted email accounts. Then American Airlines launched an investigation with the help of a leading cybersecurity forensic firm. “In July 2022 we discovered that an unauthorized actor compromised the email accounts of a limited number of American Airlines team members. Upon discovery of the incident, we secured the applicable email accounts and engaged a third-party cybersecurity forensic firm to conduct a forensic investigation to determine the nature and the scope of the incident.” reads the data breach notification sent to the impacted customers (Source Bleeping Computer). “Our investigation determined that certain personal information was in the email accounts. We conducted a full eDiscovery exercise and determined some of your personal information may have been contained in the accessed email accounts. We have no evidence to suggest that your personal information was misused. Nevertheless, out of an abundance of caution, we wanted to provide you with information about the incident and protective measures you can take.” Exposed data includes name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information provided by the impacted individuals.”

Title: Revolut has suffered a cyberattack, threat actors have had access to personal information of tens of thousands of customers.
Date Published: September 19, 2022

https://securityaffairs.co/wordpress/135935/data-breach/revolut-data-breach.html

Excerpt: “The financial technology company Revolut suffered a ‘highly targeted’ cyberattack over the weekend, threat actors had access to the personal information of 0.16% of its customers (approximately 50,000 users). The company states that it has already contacted the impacted customers “We have contacted the impacted individuals by email with further information regarding the types of data that may have been exposed. […] We take incidents such as these incredibly seriously, and we would like to sincerely apologize to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut.” reads the statement issued by Revolut. “We immediately identified and isolated the attack to drastically limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted.” The Lithuanian State Data Protection Inspectorate has started an investigation into the security breach, according to preliminary data, threat actors had access to the Revolut database through the use of social engineering techniques. Upon discovering the intrusion, the security team promptly locked out the threat.”

Title: VMware and Microsoft are warning of a widespread Chromeloader malware campaign that distributes several malware families.
Date Published: September 20, 2022

https://securityaffairs.co/wordpress/135949/malware/chromeloader-malware-campaigns.html

Excerpt: “ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic. The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and add the extension to the browser. In May, researchers from Red Canary observed a malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers. This week, VMware and Microsoft warned of an ongoing, widespread Chromeloader malware campaign that is dropping malicious browser extensions, node-WebKit malware, and ransomware. Microsoft spotted an ongoing widespread click fraud campaign, the IT giant attributes the campaign to a threat actor tracked as DEV-0796. Attackers attempt to monetize clicks generated by a browser node-webkit or malicious browser extension they have secretly installed on victims’ devices. This attack chain starts with an ISO file that’s downloaded when a user clicks malicious ads or YouTube comments. Upon opening the ISO file, a browser node-webkit (NW.js) or a browser extension is installed. Experts also observed threat actors using DMG files in order to target also macOS systems. VMware published a report that provides technical details about multiple Chromeloader variants that the company observed since August.”

Title: Hackers Admit Destroying InterContinental Hotels Group’s Data ‘For Fun’
Date Published: September 20, 2022

https://www.infosecurity-magazine.com/news/hackers-destroying-ihgs-data-for/

Excerpt: “The threat actors behind the InterContinental Hotels Group (IHG) cyber-attack reported earlier this month admitted doing it ‘for fun.’ The hackers made the admission to the BBC over the weekend, saying they are a couple from Vietnam who tried to conduct a ransomware attack against IHG and upon failing, decided to delete the data they had originally obtained. “In this instance, it, fortunately, looks like IHG was able to prevent the attackers from deploying ransomware, but in retaliation, they deleted the data they had accessed, putting the hotel chain in a no-win situation,” Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine. The threat actors called themselves ‘TeaPea,’ and said they gained initial access to IHG systems via a successful phishing attack that tricked an employee into downloading malware through an email attachment and capturing their two-factor authentication (2FA) code. They would have then accessed the most sensitive parts of IHG’s computer systems after finding login details for the company’s internal password vault, with the password reportedly being ‘Qwerty1234.’ “Being able to recover from unexpected events quickly and easily must also be a focus. The stakes are high, and there are simply no guarantees on the path an attacker will take or what they will end up doing,” Schroeder added. “When it comes to defenses, these must include good password practices, but using a password that is Qwerty1234 is not an example of this. Unfortunately, this password keeps showing up on ‘most-used passwords’ lists.” An IHG spokeswoman later told the BBC that the password vault details were not insecure but refused to provide details about how TeaPea managed to break into the hotel chain’s systems.”

Title: Hackers steal $162 million from Wintermute crypto market maker
Date Published: September 20, 2022

https://www.bleepingcomputer.com/news/security/hackers-steal-162-million-from-wintermute-crypto-market-maker/

Excerpt: “Digital assets trading firm Wintermute has been hacked and lost $162.2 million in DeFi operations, the company CEO, Evgeny Gaevoy, announced earlier today. Wintermute provides liquidity to over 50 cryptocurrency exchanges and trading platforms, including Binance, Coinbase, Kraken, and Bitfinex. The company remains solvent, holding twice the stolen amount in equity. A service disruption in the following days, though, is to be expected as the platform will work to restore all its operations. Gaevoy has also stated that they’re willing to treat the security incident as a “white hat” event, meaning they are open to pay the attacker a bounty for successfully exploiting the vulnerability, without any legal consequences. The company CEO has clarified that Wintermute’s CeFi (centralized finance) and OTC (over-the-counter) operations have not been impacted by the security breach.”

Title: Quantum Computing Already Putting Data at Risk, Cyber Pros Agree
Date Published: September 20, 2022

https://www.infosecurity-magazine.com/news/quantum-computing-data-risk-cyber/

Excerpt: “Over half of organizations believe that current datasets are already threatened by future advances in quantum computing, according to a new study by Deloitte. In the survey of more than 400 cybersecurity professionals, 50.2% of respondents said their organization is at risk of ‘harvest now, decrypt later’ attacks, whereby cyber-criminals extract encrypted data in anticipation of the time quantum computers are able to break existing cryptographic algorithms. This phenomenon is known as ‘Q Day,’ which experts believe will occur in the next 5-10 years. Without the development of quantum secure encryption, this could potentially leave all digital information vulnerable to threat actors.”

Title: FBI Warns Healthcare Sector of Surge in Payment Scams
Date Published: September 19, 2022

https://www.databreachtoday.com/fbi-warns-healthcare-sector-surge-in-payment-scams-a-20107

Excerpt: “Cybercriminals are stealing multimillion-dollar payouts from healthcare payment processors by compromising user login credentials, the FBI warns the healthcare industry. In a Wednesday alert, federal agents say they’ve received multiple reports of cybercriminals redirecting into their pockets payments from providers. In recent incidents, cybercriminals used employees’ publicly available personally identifiable information and deployed social engineering techniques to impersonate care providers and gain access to healthcare portals, payment information and websites, the FBI says. In one February incident, an attacker changed an unnamed hospital’s direct deposit information to divert $3.1 million in payments into a consumer checking account. In April, an unnamed healthcare company with more than 175 medical providers discovered that a threat actor had posed as an employee and changed automated clearing house instructions of one of the entities’ payment processing vendors to direct payments to the cybercriminal. In that scam, the cybercriminal successfully diverted about $840,000 dollars over two transactions prior to discovery of the fraud, the FBI says. During a seven-month period between June 2018 and January 2019, cybercriminals targeted and accessed at least 65 healthcare payment processors in the United States, replacing legitimate customer banking and contact information with accounts controlled by the attackers. One of those victims reported a loss of approximately $1.5 million. “Cybercriminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access,” the FBI warns.”
