September 22, 2022

Fortify Security Team
Sep 22, 2022

Title: BlackCat ransomware’s data exfiltration tool gets an upgrade
Date Published: September 22, 2022

Excerpt: “The BlackCat ransomware (aka ALPHV) isn’t showing any signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used for double-extortion attacks. BlackCat is considered a successor to Darkside and BlackMatter and is one of the most sophisticated and technically advanced Ransomware-as-a-service (RaaS) operations. Security researchers at Symantec report that the developer of BlackCat, the first Rust-based ransomware strain, continually improves and enriches the malware with new features. Lately, the focus appears to have been on the tool used for exfiltrating data from compromised systems, an essential requirement for conducting double extortion attacks.”

Title: Windows 11 gets better protection against SMB brute-force attacks
Date Published: September 21, 2022

Excerpt: “Microsoft announced that the Windows 11 SMB server is now better protected against brute-force attacks with the release of the Insider Preview Build 25206 to the Dev Channel. Redmond has enabled the SMB authentication rate limiter by default and tweaking some of its settings to make such attacks less effective, starting with the latest Windows 11 Insider dev build. “With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication,” explained Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group. “This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.” Once toggled on, this feature adds a delay between each failed NTLM authentication as extra protection for the SMB server service.”

Title: Domain shadowing becoming more popular among cybercriminals
Date Published: September 21, 2022

Excerpt: “Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of ‘domain shadowing’ might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022. Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist. These subdomains are then used to create malicious pages on the cybercriminals’ servers while the domain owner’s site’s web pages and DNS records remain unchanged, and the owners don’t realize they have been breached. In the meantime, the threat actors are free to host C2 (command and control) addresses, phishing sites, and malware-dropping points, abusing the good reputation of the hijacked domain to bypass security checks. The attackers can theoretically change the DNS records to target users and owners of the compromised domains, but they typically prefer to take the stealthy path described above.”

Title: FBI: Iranian hackers lurked in Albania’s govt network for 14 months
Date Published: September 21, 2022

Excerpt: “The Federal Bureau of Investigation (FBI) and CISA said that one of the Iranian threat groups behind the destructive attack on the Albanian government’s network in July lurked inside its systems for roughly 14 months. “A FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware,” the two agencies revealed in a joint advisory published today. “The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.” The malicious actors behind the attack, collectively identified by the FBI as an Iranian-backed threat group named “HomeLand Justice,” attacked the Government of Albania in July 2022, 14 months after the initial breach, taking down multiple websites and services.”

Title: What you need to know about Evil-Colon attacks
Date Published: September 22, 2022

Excerpt: “While novel attacks seem to emerge faster than TikTok trends, some warrant action before they’ve even had a chance to surface. This is the case for an attack we’ll refer to as Evil-Colon, which operates similarly to the now defunct Poison-NULL-Byte attacks. Though Poison-NULL-Byte attacks are now obsolete, they may have paved the path for new, similar attacks that could wreak havoc in your code if not dealt with properly. Case in point: When performing a source code audit, I stumbled across a situation where Evil-Colon might be used to overcome the path sanitization process. In this instance, I discovered a uniquely interesting approach to attacking path manipulation vulnerabilities on applications deployed on Windows operating systems. Since this is a Windows-specific issue, the Evil-Colon attack method would likely work on applications deployed on any Windows servers.”

Title: What could be the cause of growing API security incidents?
Date Published: September 22, 2022

Excerpt: “Noname Security announced the findings from its API security report, “The API Security Disconnect – API Security Trends in 2022”, which revealed a rapidly growing number of API security incidents, concerning lack of API visibility, and a level of misplaced confidence in existing controls. 76% of respondents have suffered an API security incident in the last 12 months, with these incidents primarily caused by Dormant/Zombie APIs, Authorization Vulnerabilities, and Web Application Firewalls. Furthermore, 74% of cybersecurity professionals do not have a full API inventory, or know which APIs return sensitive data. This implies that the majority of respondents will struggle to remediate against any API security threats – and not know which to prioritize – if they do not have real-time granular visibility into the APIs in their ecosystems.”

Title: A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects
Date Published: September 22, 2022

Excerpt: “More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago. The issue is a Directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions in the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. “While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” reads the post published by security firm Trellix.”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.” The experts pointed out that the issue was underestimated, it initially received a CVSS score of 6.8, however, in most cases an attacker exploit this issue to gain code execution from the file write..

Title: Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign
Date Published: September 22, 2022

Excerpt: “Trend Micro researchers warn of an ongoing crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability. The now-patched critical security flaw was disclosed by Atlassian in early June, at the time the company warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions that is being actively exploited in attacks in the wild. “We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining.” reads the post published by Trend Micro. “If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware.”

Title: A disgruntled developer is the alleged source of the leak of the Lockbit 3.0 builder
Date Published: September 22, 2022

Excerpt: “The leak of the builder for the latest encryptor of the LockBit ransomware gang made the headlines, it seems that the person who published it is a disgruntled developer. The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs. The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

  • Build.bat;
  • builder.exe;
  • config.json;
  • keygen.exe.

“Ali Qushji claims to have hacked the servers of the ransomware gang and stolen the ransomware encryptor.”

Title: Multiple Vulnerabilities Discovered in Dataprobe’s iBoot-PDUs
Date Published: September 21, 2022

Excerpt: “Claroty’s research arm, Team82, has discovered several new vulnerabilities in Dataprobe’s iBoot–PDU (power distribution units). The company published the findings Tuesday in an advisory released in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA). The technical write–up describes the newly discovered flaws, saying that if exploited, they pose a number of risks to Dataprobe, including giving control of the iBoot–PDU to attackers. According to the advisory, PDUs are quite common in industrial environments, with some of them having remote access and control capabilities. Unfortunately, Team82 wrote, attacking a remotely exploitable vulnerability in a PDU component, including its web–based interface or cloud–based management platform, puts an attacker in the position of disrupting critical services by cutting off the electric power to the device and everything else that may be plugged into it. The company explained that they started researching Dataprobe’s iBoot–PDU after reading a 2021 Censys report revealing that more than 2000 PDUs were exposed to the internet, with 31% of those being Dataprobe devices.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 Excerpt: “The Keralty multinational healthcare...