September 21, 2022

Fortify Security Team

Title: Hive ransomware claims attack on New York Racing Association
Date Published: September 20, 2022

https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-attack-on-new-york-racing-association/

Excerpt: “The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data. NYRA is the operator of the three largest thoroughbred horse racing tracks in New York, namely the Aqueduct Racetrack, the Belmont Park, and the Saratoga Race Course. According to the security breach notifications sent to impacted individuals late last month and shared with the authorities last week, the threat actors may have exfiltrated the following member information: Social security numbers (SSNs), Driver’s license, identification numbers, Health records, Health insurance information. The data breach notifications also include details on how to enroll for a 24-month long identity protection service through Experian, the cost for which is covered by NYRA.”

Title: Imperva blocked a record DDoS attack with 25.3 billion requests
Date Published: September 21, 2022

https://securityaffairs.co/wordpress/136009/cyber-crime/record-breaking-ddos-imperva.html

Excerpt: “Cybersecurity company Imperva announced that it has mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests.
Cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests on June 27, 2022. According to the experts, the attack marks a new record for Imperva’s application DDoS mitigation solution. The attack targeted an unnamed Chinese telecommunications company and stands out for its duration: it lasted more than four hours and peaked at 3.9 million RPS. “On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.” The average rate for this record-breaking attack was 1.8 million RPS. Threat actors used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections. The technique employed by the attackers is difficult to detect and can bring down targets using a limited number of resources. “Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva. This specific attack was launched by a botnet composed of almost 170,000 different IPs, including routers, security cameras and compromised servers. The compromised devices are located in over 180 countries, most of them in the US, Indonesia, and Brazil.”

Title: 2K Games says hacked help desk targeted players with malware
Date Published: September 20, 2022

https://www.bleepingcomputer.com/news/security/2k-games-says-hacked-help-desk-targeted-players-with-malware/

Excerpt: “American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links. “Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers,” 2K’s support account tweeted on Tuesday after BleepingComputer broke the story on the security breach. The company advised those who might have clicked one of the malicious links sent by the attackers to take steps to mitigate the potential impact immediately: Reset any user account passwords stored in your web browser (e.g., Chrome AutoFill), Enable multi-factor authentication (MFA) whenever available, especially on personal email, banking, and phone or Internet provider accounts. If possible, avoid using MFA that relies on text message verification – using an authenticator app would be the most secure method, Install and run a reputable anti-virus program, Check your account settings to see if any forwarding rules have been added or changed on your personal email accounts. 2K added that its support portal was taken offline earlier while the video game publisher investigates and addresses the incident’s fallout.”

Title: Critical Vulnerability in Oracle Cloud Infrastructure Allowed Unauthorized Access
Date Published: September 20, 2022

https://www.infosecurity-magazine.com/news/flaw-in-oracle-cloud-unauthorized/

Excerpt: “A new vulnerability in Oracle Cloud Infrastructure (OCI) would allow unauthorized access to cloud storage volumes of all users, hence violating cloud isolation. The flaw, discovered by secure cloud experts at Wiz in June and dubbed AttachMe, is now being discussed in a new advisory the company published today. The company said that within 24 hours of being informed by Wiz, Oracle patched the flaw for all OCI customers without any customer action required. However, in the technical write-up, Wiz senior software engineer Elad Gabay said that before it was patched, all OCI customers could have been targeted by an attacker with knowledge of the vulnerability. “Any unattached storage volume, or attached storage volumes allowing multi-attachment, could have been read from or written to as long as an attacker had its Oracle Cloud Identifier (OCID), allowing sensitive data to be exfiltrated or more destructive attacks to be initiated by executable file manipulation,” Gabay explained. According to the Wiz advisory, potential attacks resulting from a threat actor aware of this flaw included privilege escalation and cross-tenant access.”
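The excerpt describes the bug in terms of its effect: anyone holding a volume's OCID could attach it if it was unattached or allowed multi-attachment. The model below, an added example written for this digest and not Oracle's or Wiz's code, reduces that to its essential shape: an attach API whose only gate is the attachment-state rule, next to the same API with the missing tenancy check. The OCIDs, tenancy names, the Volume class and the AttachError type are all constructed for the illustration.

```python
"""Simplified model of the authorization gap the AttachMe write-up describes:
a volume-attach API that trusts a caller-supplied volume OCID without
checking that the volume belongs to the caller's tenancy. Added illustration,
not Oracle's or Wiz's code; the OCIDs, tenancy names and AttachError are
constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Volume:
    ocid: str
    tenancy: str
    multi_attach: bool = False
    attached_to: set = field(default_factory=set)


class AttachError(Exception):
    pass


def fresh_inventory():
    """Constructed inventory: one volume in tenant-A, two in tenant-B, one of
    which allows multi-attachment."""
    vols = [
        Volume("ocid1.volume.oc1..aaaa", "tenant-A"),
        Volume("ocid1.volume.oc1..bbbb", "tenant-B"),
        Volume("ocid1.volume.oc1..cccc", "tenant-B", multi_attach=True),
    ]
    return {v.ocid: v for v in vols}


def _attach(vol, instance_id):
    # Shared rule: an already-attached volume accepts another attachment only
    # if it was created multi-attach. This is the only gate the vulnerable
    # path has, which is exactly the condition quoted in the article.
    if vol.attached_to and not vol.multi_attach:
        raise AttachError("volume already attached and not multi-attach")
    vol.attached_to.add(instance_id)
    return True


def attach_vulnerable(volumes, caller_tenancy, instance_id, volume_ocid):
    """Pre-patch behaviour as the article describes it: any unattached or
    multi-attach volume can be attached by whoever knows its OCID, so
    caller_tenancy is never consulted."""
    return _attach(volumes[volume_ocid], instance_id)


def attach_hardened(volumes, caller_tenancy, instance_id, volume_ocid):
    """Same API with the missing check. A volume outside the caller's tenancy
    is reported as not found, so the error does not confirm the OCID exists."""
    vol = volumes.get(volume_ocid)
    if vol is None or vol.tenancy != caller_tenancy:
        raise AttachError("volume not found")
    return _attach(vol, instance_id)


if __name__ == "__main__":
    inv = fresh_inventory()
    # tenant-A attaches tenant-B's volume by OCID alone on the vulnerable path
    print(attach_vulnerable(inv, "tenant-A", "inst-A1", "ocid1.volume.oc1..bbbb"))
    try:
        attach_hardened(fresh_inventory(), "tenant-A", "inst-A1", "ocid1.volume.oc1..bbbb")
    except AttachError as err:
        print("hardened:", err)
```

The practitioner takeaway is that a cloud resource identifier is not a secret: OCIDs and their equivalents turn up in logs, tickets, screenshots and public code, so every API that accepts one must authorize the reference against the caller's tenancy (or compartment) rather than rely on the identifier being unguessable. Returning "not found" for foreign identifiers also avoids turning the endpoint into an OCID oracle.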

Title: Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Date Published: September 19, 2022

https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine

Excerpt: “Recorded Future continues to monitor cyber espionage operations targeting government and private sector organizations across multiple geographic regions including Ukraine. From August 2022, Recorded Future observed a steady rise in command and control (C2) infrastructure used by the threat activity group tracked by Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0113. UAC-0113 has been linked by CERT-UA to the Russian advanced persistent threat (APT) group Sandworm. This report highlights trends observed by Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group’s efforts to target entities in Ukraine remain ongoing. Domain masquerades can enable spear phishing campaigns or redirects that pose a threat to victim networks. Using a combination of proactive adversary infrastructure detections and domain analysis techniques, Insikt Group determined that UAC-0113’s use of this newly discovered infrastructure overlaps with other infrastructure tactics, techniques, and procedures (TTPs) previously attributed to the group by CERT-UA. The information and TTPs provided in this report enable defenders to better search for and protect against activity by UAC-0113.”
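The pattern the report calls out, brand names of local providers planted under dynamic DNS parents, is something a defender can hunt for in passive DNS or new-hostname feeds. The script below is an added example for this digest, not Insikt Group or CERT-UA tooling. The protected brand names, their legitimate domains, the dynamic-DNS suffixes (kept under the reserved .example TLD) and the observed hostnames are all constructed; a real deployment would substitute the providers relevant to its environment.

```python
"""Flag hostnames that impersonate a protected brand under a dynamic-DNS
parent, the infrastructure pattern the report describes. Added example, not
Insikt Group or CERT-UA tooling. Brand names, legitimate domains, dynamic-DNS
suffixes (all under the reserved .example TLD) and sample hostnames are
constructed for illustration."""
import re

PROTECTED_BRANDS = {"exampletelecom", "samplemobile"}                 # constructed
LEGIT_DOMAINS = {"exampletelecom.ua", "samplemobile.ua"}              # constructed
DYNDNS_SUFFIXES = ("ddns.example", "dyn.example", "hopto.example")    # constructed


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, except that a host beneath a known
    dynamic-DNS suffix is attributed to that suffix, because anyone can
    register a name under it."""
    host = host.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return ".".join(host.split(".")[-2:])


def normalize(host):
    """Collapse the host into one string and undo the cheap disguises:
    separators removed, digits 0/1/3 read as o/l/e."""
    flat = re.sub(r"[.\-_]", "", host.lower())
    return flat.translate(str.maketrans("013", "ole"))


def classify(host):
    """Return (verdict, detail). A brand string inside a host whose
    registrable domain is not the brand's own is a masquerade; it is tagged
    'dyndns' when the parent is a dynamic-DNS suffix, else 'lookalike'."""
    parent = registrable_domain(host)
    if parent in LEGIT_DOMAINS:
        return ("legitimate", parent)
    haystack = normalize(host)
    for brand in sorted(PROTECTED_BRANDS):
        if brand in haystack:
            kind = "dyndns" if parent in DYNDNS_SUFFIXES else "lookalike"
            return ("masquerade", f"{brand} under {parent} [{kind}]")
    return ("benign", parent)


def scan(hosts):
    """Return only the masquerading hosts, mapped to their detail string."""
    return {h: d for h in hosts for v, d in [classify(h)] if v == "masquerade"}


# Constructed observations, as they might arrive from passive DNS.
SAMPLE_HOSTS = [
    "mail.exampletelecom.ua",          # the provider's own domain
    "examp1e-te1ecom.ddns.example",    # digit swaps under dynamic DNS
    "example.telecom.hopto.example",   # brand split across two labels
    "samplemobile-login.com",          # lookalike on a registered domain
    "weather.ddns.example",            # unrelated dynamic-DNS host
]

if __name__ == "__main__":
    for host, detail in scan(SAMPLE_HOSTS).items():
        print(f"{host:35} {detail}")
```

Two caveats for real use: replace the two-label fallback in registrable_domain with a Public Suffix List lookup, since many hosting and dynamic-DNS providers sit below country-code second-level domains, and keep the brand list to distinctive strings, because substring matching on a generic word will flood the output with false positives.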

Title: Open Source Repository Attacks Soar 700% in Three Years
Date Published: September 21, 2022

https://www.infosecurity-magazine.com/news/open-source-repository-attacks-700/

Excerpt: “The volume of malicious activity targeting upstream open source code repositories has hit triple-digit growth over the past three years, according to Sonatype. The security vendor claimed in newly released data to have detected a 700% rise in attacks designed to plant malware in software components, which can cause havoc when these components are used by DevOps teams downstream. Sonatype identified over 55,000 newly published packages as malicious in various open source repositories over the past year, and nearly 95,000 over the past three years. “Almost every modern business relies on open source. Clearly, the use of open source repositories as an entry point for malicious attacks shows no signs of slowing down – making the early detection of both known and unknown security vulnerabilities more important than ever,” said Brian Fox, co-founder and CTO of Sonatype.
“Stopping malicious components before they come in the door is a fundamental element of risk prevention and should be a part of every conversation around protecting software supply chains.” Sonatype said prevention of this sort is the only way to go, because if a malicious component is downloaded onto a developer machine – even if it isn’t used in a finished product – the damage may already have been done.”

Title: Okta: Credential stuffing accounts for 34% of all login attempts
Date Published: September 21, 2022

https://www.bleepingcomputer.com/news/security/okta-credential-stuffing-accounts-for-34-percent-of-all-login-attempts/

Excerpt: “Credential stuffing attacks have become so prevalent in the first quarter of 2022 that traffic surpassed that of legitimate login attempts from normal users in some countries. This type of attack takes advantage of “password recycling,” which is the bad practice of using the same credential pairs (login name and password) across multiple sites. Once the credentials are leaked or brute-forced from one site, threat actors perform a credential stuffing attack that attempts to use the same leaked credentials at other sites to gain access to users’ accounts. As the FBI warned recently, these attacks are growing in volume thanks to the readily available aggregated lists of leaked credentials and the automated tools made available to cybercriminals, enabling them to test pairs against many sites.”
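The excerpt explains the mechanism, replaying leaked username/password pairs against a site that did not leak them, and the traffic that produces has a recognizable shape in authentication logs: one source, many distinct usernames, mostly failures, in a short window. The detector below is an added example for this digest, not Okta's detection logic. The four-field log format and the sample lines are constructed; the thresholds are starting points, not tuned values.

```python
"""Detect credential-stuffing sources in authentication logs: a source IP
that tries many distinct usernames with a high failure rate inside a sliding
window, which is what replaying a leaked credential list looks like.
Added example, not Okta's detection logic; the log format and the sample
lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample, one event per line: "timestamp user source_ip outcome".
# 203.0.113.10 replays a list; 198.51.100.7 is one user retyping a password;
# 192.0.2.5 is a shared egress address with ordinary, mostly successful logins.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z alice 203.0.113.10 FAIL
2022-03-01T10:00:02Z bob 203.0.113.10 FAIL
2022-03-01T10:00:03Z carol 203.0.113.10 FAIL
2022-03-01T10:00:04Z dave 203.0.113.10 SUCCESS
2022-03-01T10:00:05Z erin 203.0.113.10 FAIL
2022-03-01T10:00:06Z frank 203.0.113.10 FAIL
2022-03-01T10:00:07Z grace 203.0.113.10 FAIL
2022-03-01T10:00:08Z heidi 203.0.113.10 FAIL
2022-03-01T10:01:00Z alice 198.51.100.7 FAIL
2022-03-01T10:01:20Z alice 198.51.100.7 FAIL
2022-03-01T10:01:40Z alice 198.51.100.7 FAIL
2022-03-01T10:02:00Z alice 198.51.100.7 SUCCESS
2022-03-01T10:03:00Z ivan 192.0.2.5 SUCCESS
2022-03-01T10:03:10Z judy 192.0.2.5 SUCCESS
2022-03-01T10:03:20Z mallory 192.0.2.5 FAIL
2022-03-01T10:03:30Z niaj 192.0.2.5 SUCCESS
2022-03-01T10:03:40Z olivia 192.0.2.5 SUCCESS
2022-03-01T10:03:50Z peggy 192.0.2.5 SUCCESS
"""


def parse_log(text):
    """Return a time-ordered list of (when, user, ip, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, ip, outcome == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Sliding window per source IP. A source is flagged once it has tried at
    least min_users distinct usernames within window_s seconds with a failure
    ratio of min_fail_ratio or more. The 'successes' list carries the
    usernames that worked from a flagged source: those are the recycled
    credentials, and the accounts to force-reset."""
    recent = defaultdict(deque)   # ip -> deque of (when, user, success)
    flagged = {}
    for when, user, ip, ok in events:
        q = recent[ip]
        q.append((when, user, ok))
        while (when - q[0][0]).total_seconds() > window_s:
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, s in q if not s)
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            flagged[ip] = {
                "users": len(users),
                "attempts": len(q),
                "failures": failures,
                "successes": sorted(u for _, u, s in q if s),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The distinct-username count is what separates stuffing from a single user fumbling a password, and the failure ratio is what separates it from a busy NAT address. The successes recorded for a flagged source are the actionable output: those users reused a password that is already in a leaked list, so the response is a forced reset and MFA enrolment for them, not only a block on the source address, which the attacker will rotate anyway.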

Title: Indonesia finally passes personal data protection law
Date Published: September 20, 2022

https://www.zdnet.com/article/indonesia-finally-passes-personal-data-protection-law/

Excerpt: “After years of deliberation, the largest Southeast Asian market ratifies personal data protection bill, which will apply to local businesses as well as international corporations that handle data of Indonesian consumers. Indonesia finally has passed its personal data protection law that has been in discussions since 2016. The government believes the new Bill will be critical amidst a spate of data security breaches in the country. Indonesia’s House of Representatives earlier this month approved the Personal Data Protection (PDP) Bill, paving the way for its ratification on Tuesday. The country now joins other jurisdictions in Southeast Asia that have dedicated personal data protection laws, including Singapore and Thailand.”

Title: U.S. gov adds more Chinese Telecom firms to the Covered List
Date Published: September 21, 2022

https://securityaffairs.co/wordpress/136018/intelligence/covered-list-chinese-companies.html

Excerpt: “The U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the Covered List. The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons. These letters explain that the above companies are subject to the exploitation, influence and control of the Chinese government, and the national security risks associated with such exploitation, influence, and control.”

Title: US to award $1B to state, local, and territorial governments to improve cyber resilience
Date Published: September 21, 2022

https://www.helpnetsecurity.com/2022/09/21/us-grants-cyber-resilience/

Excerpt: “The US government will award $1 billion in grants to help state, local, and territorial (SLT) governments address cybersecurity risks, strengthen the cybersecurity of their critical infrastructure, and ensure cyber resilience against persistent cyber threats. “Applicants have 60 days to apply for a grant, which can be used to fund new or existing cybersecurity programs,” the US Department of Homeland Security pointed out in the announcement. SLT governments face many challenges when it comes to defending against cyber threats (and especially ransomware attacks), but one of the main ones is the lack of resources. According to the Cybersecurity and Infrastructure Security Agency (CISA), the funds can be used for developing and implementing a fitting cybersecurity plan, purchasing equipment and software, and hiring personnel, but cannot be used for construction of physical facilities, paying a ransom to cyberattackers, or buying cybersecurity insurance.”
