September 23, 2022

Fortify Security Team

Title: Microsoft Exchange servers hacked via OAuth apps for phishing
Date Published: September 22, 2022

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-via-oauth-apps-for-phishing/

Excerpt: “Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails. “The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” the Microsoft 365 Defender Research Team revealed. The attacker then used this inbound connector and transport rules designed to help evade detection to deliver phishing emails through the compromised Exchange servers. The threat actors deleted the malicious inbound connector and all the transport rules between spam campaigns as an additional defense evasion measure. In contrast, the OAuth application remained dormant for months between attacks until it was used again to add new connectors and rules before the next wave of attacks. These email campaigns were triggered from Amazon SES and Mail Chimp email infrastructure commonly used to send marketing emails in bulk.”
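A detection check for the pattern the excerpt describes (an inbound connector and transport rule created together, then removed between campaigns by the same actor), added here as an example; it is not code from the article, from Microsoft, or from Fortify. It assumes audit records shaped like the AuditData JSON that Exchange Online's Search-UnifiedAuditLog returns (CreationTime, Operation, UserId, ObjectId); that shape, the sample records, and the actor and object names below are constructed for the example.

```python
"""Flag inbound-connector / transport-rule churn in Exchange admin audit records.

Added example, not from the article or Microsoft. Record layout is an
assumption modelled on Search-UnifiedAuditLog AuditData; sample data is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations worth pulling from the unified audit log for this pattern.
SUSPECT_OPS = {
    "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector",
    "New-TransportRule", "Set-TransportRule", "Remove-TransportRule",
}

# Constructed sample records (hypothetical tenant, actor and object names).
# Wave 1: an app-backed actor creates a connector and a rule, then cleans up.
# A human admin creates one unrelated rule. Wave 2: the same actor returns
# months later and has not cleaned up yet.
SAMPLE_AUDIT = [
    {"CreationTime": "2022-09-01T02:10:00", "Operation": "New-InboundConnector",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Ms_Backup_Connector"},
    {"CreationTime": "2022-09-01T02:12:00", "Operation": "New-TransportRule",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Skip Filtering"},
    {"CreationTime": "2022-09-01T02:13:00", "Operation": "Set-TransportRule",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Skip Filtering"},
    {"CreationTime": "2022-09-02T10:00:00", "Operation": "New-TransportRule",
     "UserId": "admin@contoso.example", "ObjectId": "External Disclaimer"},
    {"CreationTime": "2022-09-03T23:40:00", "Operation": "Remove-TransportRule",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Skip Filtering"},
    {"CreationTime": "2022-09-03T23:41:00", "Operation": "Remove-InboundConnector",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Ms_Backup_Connector"},
    {"CreationTime": "2022-12-05T01:00:00", "Operation": "New-InboundConnector",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Ms_Backup_Connector"},
    {"CreationTime": "2022-12-05T01:03:00", "Operation": "New-TransportRule",
     "UserId": "svc-mailflow-app@contoso.example", "ObjectId": "Skip Filtering"},
]


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def find_connector_rule_churn(records, pair_hours=24, cleanup_days=14):
    """Return one finding per New-InboundConnector that the same actor paired
    with a New-TransportRule within pair_hours. Severity is 'high' when that
    actor also removed the connector within cleanup_days (the between-campaign
    cleanup the article describes), otherwise 'medium'."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec.get("Operation") in SUSPECT_OPS:
            by_actor[rec["UserId"]].append(rec)

    findings = []
    for actor, recs in by_actor.items():
        recs.sort(key=_when)
        for i, rec in enumerate(recs):
            if rec["Operation"] != "New-InboundConnector":
                continue
            t0 = _when(rec)
            later = [r for r in recs[i + 1:] if _when(r) - t0 <= timedelta(days=cleanup_days)]
            rules = [r for r in later
                     if r["Operation"] == "New-TransportRule"
                     and _when(r) - t0 <= timedelta(hours=pair_hours)]
            if not rules:
                continue  # a lone connector is not this pattern
            removed = [r for r in later
                       if r["Operation"] == "Remove-InboundConnector"
                       and r.get("ObjectId") == rec.get("ObjectId")]
            findings.append({
                "actor": actor,
                "connector": rec.get("ObjectId"),
                "created": rec["CreationTime"],
                "rules": [r.get("ObjectId") for r in rules],
                "removed": removed[0]["CreationTime"] if removed else None,
                "ops": sorted({r["Operation"] for r in later}),
                "severity": "high" if removed else "medium",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_connector_rule_churn(SAMPLE_AUDIT), indent=2))
```

Against a live tenant, feed the function the AuditData of records returned by Search-UnifiedAuditLog filtered to the operations in SUSPECT_OPS, and treat a 'medium' finding as a connector that may still be in use; the admin accounts named in any finding are the ones to check for missing MFA, and the consented OAuth application that performed the actions is what to revoke.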

Title: Optus security breach compromises customers’ passport details
Date Published: September 22, 2022

https://www.zdnet.com/article/optus-security-breach-compromises-customers-passport-details/

Excerpt: “Australian operator says it is investigating “unauthorized access” of personal data belonging to its current and former customers, including dates of birth, phone numbers, and passport numbers. Optus has suffered a security breach that it says may have compromised various customer data, including dates of birth, email addresses, and passport numbers. Information belonging to both current and former customers of the Australian mobile operator is impacted in the security incident. Optus said Thursday it was looking into “possible unauthorized access” of customer data following a cyber attack, but did not reveal details of what systems were affected, when the breach was discovered, or how many customers might be impacted.”

Title: Multi-million dollar credit card fraud operation uncovered
Date Published: September 23, 2022

https://www.bleepingcomputer.com/news/security/multi-million-dollar-credit-card-fraud-operation-uncovered/

Excerpt: “A massive operation that has reportedly siphoned millions of USD from credit cards since its launch in 2019 has been exposed and is considered responsible for losses for tens of thousands of victims. The site operators, thought to originate from Russia, operate an extensive network of bogus dating and customer support websites and use them to charge credit cards bought on the dark web. This way, the charges appear legitimate, and the websites are not readily approving fund returns on the grounds of fraudulent transactions, resulting in the enrichment of the crime syndicate behind the operation. The discovery and report about the global operation come from researchers at ReasonLabs, who shared their findings with BleepingComputer before publication.”

Title: Russia-Based Hackers FIN11 Impersonate Zoom to Conduct Phishing Campaigns
Date Published: September 22, 2022

https://www.infosecurity-magazine.com/news/russia-fin11-impersonate-zoom/

Excerpt: “The threat actors known as FIN11 (and Clop) may have impersonated web download pages of the Zoom Application to conduct phishing campaigns against targets worldwide. The news comes from cybersecurity company Cyfirma, which published a new advisory about the threat on Wednesday. “This threat actor is known for conducting a large-scale campaign using impersonated web applications,” reads the technical blog post. “In this case, FIN11 was observed employing Zoom download pages to install an information stealer (Vidar) targeting a large attack surface. We also observed an IP address that was earlier associated with AsyncRAT.” Further, the security experts said that the Russia-based threat actor FIN11 has also lately been associated with Clop ransomware for post-compromise ransomware deployment and data theft extortion. “This association with the ransomware group increases the possibility of compromised systems becoming potential ransomware victims,” Cyfirma wrote. In its latest investigation, the cybersecurity firm said it discovered several fake Zoom Video Communications download pages, all of which had the Russian Federation as the registrant country for all the hosts. From a technical standpoint, the threat actor delivered malicious Zoom applications through phishing URLs masquerading as legitimate Zoom websites and apps. Upon execution of a malicious “Zoom.exe” file, the malware drops “Decoder.exe,” which acts as a downloader to download additional payloads (a remote access Trojan (RAT) and an information stealer) alongside the legitimate Zoom app setup, the advisory explained. The injected MSBuild.exe also downloads dynamic link libraries (DLLs) related to information stealer Vidar.”

Title: Seven-Year Mobile Surveillance Campaign Targets Uyghurs
Date Published: September 23, 2022

https://www.infosecurity-magazine.com/news/sevenyear-mobile-campaign-targets/

Excerpt: “Researchers have revealed a long-running surveillance and espionage campaign targeting one of China’s largest ethnic minority groups. First discovered by Palo Alto Networks back in 2016, the “Scarlet Mimic” group was initially spotted targeting Uyghur and Tibetan rights activists. Although the Chinese government has long oppressed and spied on these and other minority groups in the country, there is currently no direct attribution of this group’s activities to Beijing. Check Point explained in a new report this week that the mobile malware used by Scarlet Mimic actually dates back to 2015. It has since tracked 20 variants of the MobileOrder Android spyware, the most recent dated mid-August this year.”

Title: Details of Over 300,000 Russian Reservists Leaked, Anonymous Claims
Date Published: September 23, 2022

https://www.infosecurity-magazine.com/news/russian-reservists-leaked-anonymous/

Excerpt: “Hacktivist collective Anonymous has claimed to have leaked the personal data of over 300,000 individuals likely to be mobilized by the Russian government to fight in Ukraine. In a message posted on one of the group’s Twitter accounts on Friday, September 23, 2022, Anonymous TV (@YourAnonTV), it said it had “hacked the website of the Russian Ministry of Defense and leaked the data of 305,925 people who are likely to be mobilized in the first of three waves of mobilization.” An image was posted purporting to show the personal information of these individuals. Anonymous’ claim followed a national address by Russian President Vladimir Putin just two days earlier, on September 21, in which a partial military mobilization of 300,000 reservists was announced to bolster the Kremlin’s so-called special military operation in Ukraine. This announcement came in response to a major counter-offensive by Ukraine’s armed forces, retaking large portions of territory occupied by Russia since the early stages of the conflict. If Anonymous’ latest claims are proven to be true, it could leave the reservists open to social engineering attacks and potentially being contacted by Ukrainians. Hacktivist group Anonymous has launched numerous cyber-attacks against Russia in support of Ukraine during the conflict. Immediately following the start of its invasion on February 24, 2022, it declared a “cyber war” against Vladimir Putin’s government.”

Title: Ukraine dismantles hacker gang that stole 30 million accounts
Date Published: September 23, 2022

https://www.bleepingcomputer.com/news/security/ukraine-dismantles-hacker-gang-that-stole-30-million-accounts/

Excerpt: “The cyber department of Ukraine’s Security Service (SSU) has taken down a group of hackers that stole accounts of about 30 million individuals and sold them on the dark web. The hackers used malware to obtain credentials and other sensitive data available on victim systems in Ukraine and the European Union. The SSU says that the threat actor offered data packs, which were purchased in bulk by pro-Kremlin propagandists, who then used the accounts to spread fake news on social media, instill panic, and cause destabilization in Ukraine and other countries. “According to preliminary data, the hackers sold approximately 30 million accounts and received a “profit” of almost UAH 14 million ($380,000),” the SSU informs. They used anonymous dark web markets to sell this information and received payments via YuMoney, Qiwi, and WebMoney, which are prohibited in Ukraine. During the raids on the perpetrators’ homes in Lviv, Ukraine, the police found and confiscated several hard drives with stolen personal data along with computers, SIM cards, mobile phones, and flash drives. The number of individuals arrested remains undisclosed but they are all facing criminal charges for unauthorized sale or distribution of information with limited access stored in computers and networks. These charges come with multi-year prison sentences. Distributing fake news about the war has turned into an epidemic in Ukraine, starting immediately after the initial stages of the Russian invasion. The deluge of both disinformation and misinformation continues still.”

Title: Researchers Uncover Mysterious ‘Metador’ Cyber-Espionage Group
Date Published: September 22, 2022

https://www.darkreading.com/attacks-breaches/researchers-uncover-mysterious-metador-cyber-espionage-group

Excerpt: “A new threat actor that has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa is responsible for two “extremely complex” malware platforms — but a lot about the group remains shrouded in mystery, according to new research revealed here today. Researchers from SentinelLabs, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase “I am meta” that appears in the malicious code and the fact that the server messages are typically in Spanish. The group is believed to have been active since December 2020, but it has successfully flown under the radar over the past few years. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security firms and government partners, but no one knew anything about the group.”

Title: Sansec researchers warn of a surge in hacking attempts targeting a critical Magento 2 vulnerability tracked as CVE-2022-24086.
Date Published: September 23, 2022

https://securityaffairs.co/wordpress/136112/hacking/magento-2-cve-2022-24086.html

Excerpt: “Sansec researchers are warning of a hacking campaign targeting the CVE-2022-24086 Magento 2 vulnerability. Magento is a popular open-source e-commerce platform owned by Adobe, which is used by hundreds of thousands of e-stores worldwide. In February, Adobe rolled out security updates to address the critical CVE-2022-24086 flaw affecting its Commerce and Magento Open Source products; at the time, the company confirmed it was actively exploited in the wild. “Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe. The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems. The CVE-2022-24086 has received a CVSS score of 9.8 out of 10, it is classified as a pre-authentication issue which means that it could be exploited without credentials.”

Title: Morgan Stanley fined millions for selling off devices full of customer PII
Date Published: September 23, 2022

https://www.infosecurity-magazine.com/news/vulnerabilities-discovered-in/

Excerpt: “Morgan Stanley, which bills itself in its website title tag as the “global leader in financial services”, and states in the opening sentence of its main page that “clients come first”, has been fined $35,000,000 by the US Securities and Exchange Commission (SEC)… …for selling off old hardware devices online, including thousands of disk drives, that were still loaded with personally identifiable information (PII) belonging to its clients. Strictly speaking, it’s not a criminal conviction, so the penalty isn’t technically a fine, but it’s “not a fine” in much the same sort of way that car owners in England no longer get parking fines, but officially pay penalty charge notices instead. Also, strictly speaking, Morgan Stanley didn’t directly sell off the offending devices itself. But the company contracted someone else to do the work of wiping-and-selling-off the superannuated equipment, and then didn’t bother to keep its eye on the process to ensure that it was done properly.”
