September 26, 2022

Fortify Security Team
Sep 26, 2022

Title: Microsoft SQL servers hacked in TargetCompany ransomware attacks

Date Published: September 24, 2022

https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/

Excerpt: “Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding data for internet services and apps. Disrupting them can cause severe business trouble. BleepingComputer has reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services. The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners.”

Title: Attackers impersonate CircleCI platform to compromise GitHub accounts

Date Published: September 25, 2022

https://securityaffairs.co/wordpress/136211/hacking/phishing-circleci-github-accounts.html

Excerpt: “Threat actors target GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. GitHub is warning of an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The company learned of the attacks against its users on September 16, it pointed out that the phishing campaign has impacted many victim organizations except GitHub. Phishing messages claim that a user’s CircleCI session expired and attempt to trick recipients into logging in using GitHub credentials. “Clicking the link takes the user to a phishing site that looks like the GitHub login page but steals any credentials entered. For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA. Accounts protected by hardware security keys are not vulnerable to this attack.” reads the advisory published by the Microsoft-owned company. Recipients are redirected to the phishing pages mimicking GitHub login page designed to steal in real-time the credentials and 2FA code entered by the users. The company pointed out that the accounts protected by hardware security keys are not vulnerable to this attack.”

Title: Ransomware Affiliates Adopt Data Destruction

Date Published: September 26, 2022

https://www.infosecurity-magazine.com/news/ransomware-affiliates-adopt-data/

Excerpt: “Ransomware affiliates appear to be dabbling with new data destruction capabilities in a bid to evade detection, increase their chances of getting paid and minimize the opportunities for the development of decryptor tools. A new report from US security companies Cyderes and Stairwell reveals analysis of Exmatter-like malware. Exmatter is a .NET-based exfiltration tool often used by BlackCat/ALPHV ransomware affiliates. However, in this version of the tool, the attacker attempts to corrupt files in the victim’s system following exfiltration, rather than encrypt them as usual. “First, the malware iterates over the drives of the victim machine, generating a queue of files that match a hardcoded list of designated extensions. Files matching those file extensions are added to the queue for exfiltration, which are then written to a folder with the same name as the victim machine’s hostname on the actor-controlled server,” Cyderes explained. “As files upload to the actor-controlled server, the files that have been successfully copied to the remote server are queued to be processed by a class named ‘Eraser.’ A randomly sized segment starting at the beginning of the second file is read into a buffer and then written into the beginning of the first file, overwriting it and corrupting the file.”There are several advantages to the affiliate group of using such tactics.”

Title: Sophos warns of new firewall RCE bug exploited in attacks

Date Published: September 23, 2022

https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/

Excerpt: “Sophos warned today that a critical code injection security vulnerability in the company’s Firewall product is being exploited in the wild. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the security software and hardware vendor warned. “We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” Tracked as CVE-2022-3236, the flaw was found in the User Portal and Webadmin of Sophos Firewall, allowing attackers to code execution (RCE). The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. “No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting,” Sophos explained. However, the company added that users of older versions of Sophos Firewall would have to upgrade to a supported version to receive the CVE-2022-3236 patch. It also provides detailed info on enabling the automatic hotfix installation feature and checking if the hotfix was successfully installed. Sophos also provides a workaround for customers who cannot immediately patch the vulnerable software that will require them to ensure that the firewall’s User Portal and Webadmin are not exposed to WAN access.”

Title: Exmatter exfiltration tool used to implement new extortion tactics

Date Published: September 26, 2022

https://securityaffairs.co/wordpress/136226/cyber-crime/exmatter-tool-shift-extortion-tactics.html

Excerpt: “Ransomware operators switch to new extortion tactics by using the Exmatter malware and adding new data corruption functionality. The data extortion landscape is constantly evolving and threat actors are devising new extortion techniques, this is the case of threat actors using the Exmatter malware.Cyderes Special Operations and Stairwell Threat Research researchers spotted a sample of malware classified as the .NET exfiltration tool Exmatter. The malware was observed in conjunction with the deployment of BlackCat/ALPHV ransomware, which experts believe is run by affiliates of numerous ransomware groups, including BlackMatter. Exmatter allows operators to exfiltrate specific file types from selected directories before the ransomware itself is executed on the compromised systems. The sample analyzed by the experts attempts to corrupt files within the victim’s environment, rather than encrypting them, and executes actions to prepare the files for destruction.”

Title: App Developers Increasingly Targeted via Slack, DevOps Tools

Date Published: September 23, 2022

https://www.darkreading.com/attacks-breaches/malicious-apps-millions-downloads-apple-google-app-stores

Excerpt: “Slack, Docker, Kubernetes, and other applications that allow developers to collaborate have become the latest vector for software supply chain attacks.Developers are increasingly under attack through the tools that they use to collaborate and to produce code — such as Docker, Kubernetes, and Slack — as cybercriminals and nation-state actors aim to access the valuable software that developers work on every day. For instance, an attacker claimed on Sept. 18 to have used stolen Slack credentials to access and copy more than 90 videos representing the early development of Grand Theft Auto 6, a popular game from Take-Two Interactive’s Rockstar Games. And a week earlier, security firm Trend Micro discovered that attackers were systematically searching for and attempting to compromise misconfigured Docker containers. Neither attack involved vulnerabilities in the software programs, but security missteps or misconfiguration are not uncommon on the part of developers, who often fail to take the care necessary to secure their attack surface area, says Mark Loveless, a staff security engineer at GitLab, a DevOps platform provider. “A lot of developers don’t think of themselves as targets because they are thinking that the finished code, the end result, is what attackers are going after,” he says. “Developers often take security risks — such as setting up test environments at home or taking down all the security controls — so they can try out new things, with the intent of adding security later.” He adds, “Unfortunately, those habits become replicated and become culture.” Attacks against the software supply chain — and the developers who produce and deploy software — have grown quickly in the past two years. In 2021, for example, attacks that aimed to compromise developers’ software — and the open source components widely used by developers — grew by 650%, according to the “2021 State of the “Software Supply Chain” report, published by software security firm Sonatype.”

Title: HHS HC3 Warns Health Sector of Monkeypox Phishing Schemes

Date Published: September 23, 2022

https://www.databreachtoday.com/hhs-hc3-warns-health-sector-monkeypox-phishing-schemes-a-20140

Excerpt: “Scammers are taking advantage of the monkeypox virus outbreak to launch phishing campaigns targeting healthcare providers, the U.S. government says. The campaign email has a subject line purporting the email contains important information about monkeypox and contains a PDF attachment with a link to a purportedly secure document download. In actuality, the download is an attempt to harvest email credentials, warns the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center.”

Title: Cyber Mercenary Group Void Balaur Continues Hack-For-Hire Campaigns

Date Published: September 23, 2022

https://www.infosecurity-magazine.com/news/void-balaur-expand-hack-for-hire/

Excerpt: “The cyber mercenary group, Void Balaur, continues expanding its hack–for–hire campaigns despite disruptions to its online advertising personas. The new information comes from cybersecurity experts at SentinelLabs, who recently published an advisory detailing Void Balaur’s latest campaigns. Written by senior threat researcher Tom Hegel, the document discusses the findings that SentinelLabs first unveiled at its LABScon event on Thursday. “Void Balaur was first reported in 2019 (eQualitie), then again in 2020 (Amnesty International). In November 2021, our colleagues at Trend Micro profiled the larger set of malicious activity and named the actor ‘Void Balaur’ based on a monster of Eastern European folklore,” Hegel wrote. “Most recently Google’s TAG highlighted some of their activity earlier this year. Building on top of analysis from each of our above colleagues, the purpose here is to share our analysis of interesting findings based on newer activity and the large scale set of attacker infrastructure.” According to the advisory, Void Balaur campaigns in 2022 targeted several industries across the United States, Russia and Ukraine (among others), often with particular business or political interests tied to Russia”

Title: Successor to ransomware used in Colonial Pipeline attack observed using new tools

Date Published: September 23, 2022

https://www.scmagazine.com/news/ransomware/successor-to-ransomware-used-in-colonial-pipeline-attack-observed-using-new-tools

Excerpt: “Symantec on Thursday detailed new tactics, tools and procedures (TTPs) attackers using the Noberus ransomware have deployed in recent months. In a Thursday blog post by its Threat Hunter Team, Symantec said Noberus is widely believed to be the successor payload to the Darkside and BlackMatter ransomware families, pointing out that Darkside is the same malware used in the May 2021 ransomware attack on Colonial Pipeline. Tracked by Symantec as Coreid, aka Fin7, both Darkside and BlackMatter were retired by the ransomware-as-a-service group after the attention gained from law enforcement in the Colonial Pipeline attack. The FBI in April asked for help from victims of the Noberus ransomware, noting that at least 60 organizations were compromised between November 2021 and March 2022 with the malware. What makes the Noberus ransomware notable, said Symantec, is that it’s coded using the Rust cross-platform language that Coreid claims is capable of encrypting files on Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.”

Title: American Airlines learned it was breached from phishing targets

Date Published: September 24, 2022

https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishing-targets/

Excerpt: “American Airlines says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee’s hacked Microsoft 365 account. As the airline said in filings with the Office of the New Hampshire Attorney General, after receiving these phishing reports, America’s CIRT discovered unauthorized activity in the company’s Microsoft 365 environment. The investigation also revealed the attacker accessed multiple employees’ accounts (also compromised via phishing attacks) and used them to send more phishing emails to targets American has not yet disclosed. The company added that the team members’ accounts also provided access to employee files stored on the Sharepoint cloud-based service. “Through its investigation, American was able to determine that the unauthorized actor used an IMAP protocol to access the mailboxes. Use of this protocol may have enabled the unauthorized actor to sync the contents of the mailboxes to another device,” a legal notice describing the security incident explains. “American has no reason to believe that syncing the contents of the mailboxes was the purpose of the access. Based on the fact, it appears the unauthorized actor was using IMAP protocol as a means to access the mailboxes and send phishing emails.” While the airline believes the risk to affected individuals is remote, it notified impacted individuals of the data breach starting on September 16th. As American disclosed in the notification letters, personal information exposed in the attack may have included employees’ and customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, or certain medical information.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...