September 27, 2022

Fortify Security Team
Sep 27, 2022

Title: Hackers use PowerPoint files for ‘mouseover’ malware delivery
Date Published: September 26, 2022

Excerpt: “Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. No malicious macro is necessary for the malicious code to execute and download the payload, for a more insidious attack. A report from threat intelligence company Cluster25 says that APT28 (a.k.a. ‘Fancy Bear’), a threat group attributed to the Russian GRU (Main Intelligence Directorate of the Russian General Staff), have used the new technique to deliver the Graphite malware as recently as September 9. The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide.”

Title: Erbium info-stealing malware, a new option in the threat landscape
Date Published: September 27, 2022

Excerpt: “The recently discovered Erbium information-stealer is being distributed as fake cracks and cheats for popular video games. Threat actors behind the new ‘Erbium’ information-stealing malware are distributing it as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets.The Erbium info-stealing malware was first spotted by researchers at threat intelligence firm Cluster25 on July 21, 2022. The Malware-as-a-Service (MaaS) was advertised on a Dark Web forum by a Russian-speaking threat actor.”

Title: Ukraine Predicts “Massive” Russian Cyber Assault
Date Published: September 27, 2022

Excerpt: “The Russian government is planning a major new cyber-attack campaign on the critical infrastructure of Ukraine and its allies as winter approaches, Kyiv has warned. A brief statement from the Ukrainian Ministry of Defense’s Main Directorate of Intelligence explained that the energy industry would be a key target as the weather gets colder. “With this, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” it said. “The occupying command is convinced that this will slow down the offensive actions of the Ukrainian defense forces.” If the intelligence is accurate, the campaign will have echoes of the cripplingly destructive attacks of December 2015 and 2016 that the Kremlin launched against Ukrainian facilities, and which left hundreds of thousands without power. Kyiv said in its latest missive that its experiences from responding to those incidents will help it prepare more effectively for a predicted fresh assault. Ukrainian energy providers can expect more attacks using both destructive and wiper malware. Microsoft claimed back in April that the country had already been on the receiving end of over 230 cyber-attack campaigns, including 40 wiper attacks aimed at hundreds of targets.”

Title: Adware on Google Play and Apple Store installed 13 million times
Date Published: September 26, 2022

Excerpt: “Security researchers have discovered 75 applications on Google Play and another ten on Apple’s App Store engaged in ad fraud. Collectively, they add to 13 million installations. Apart from flooding mobile users with advertisements, both visible and hidden, the fraudulent apps also generated revenue by impersonating legitimate apps and impressions. Although these types of apps are not seen as a severe threat, their operators can use them for more dangerous activity. Researchers from HUMAN’s Satori Threat Intelligence team identified a collection of mobile apps that are part of a new ad fraud campaign that they named ‘Scylla’. The analysts believe Scylla is the third wave of an operation they found in August 2019 and dubbed ‘Poseidon’. The second wave, apparently from the same threat actor, was called ‘Charybdis’ and culminated towards the end of 2020.”

Title: Hackers Use NullMixer and SEO to Spread Malware More Efficiently
Date Published: September 26, 2022

Excerpt: “Security researchers from Kaspersky have spotted a new series of campaigns focusing on the malware tool they named NullMixer. According to an advisory published by the firm earlier today, NullMixer spreads malware via malicious websites that can be easily found via popular search engines, including Google. “These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper,” reads the advisory. The researchers further explained that when users attempt to download software from one of these sites, they are redirected several times and eventually land on a page containing download instructions alongside an archived password–protected malware acting as the desired software tool.”

Title: Mandiant identifies 3 hacktivist groups working in support of Russia
Date Published: September 27, 2022

Excerpt: “Researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the GRU. Mandiant researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the Russian Main Intelligence Directorate (GRU).The experts assess with moderate confidence that moderators of the purported hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations under the control of the GRU. The so-called hacktivist groups conducted distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites, but the experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin. The experts discovered that some APT28 tools were used to compromise the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28. The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide.”

Title: LockBit Publishes Stolen Data as Hospital Rejects Extortion
Date Published: September 26, 2022

Excerpt: “Refusal by a French hospital on the southern edge of greater Paris to pay ransomware hackers led to the publishing of nearly 12 gigabytes of patient and staff data paired with vows of defiance from French government officials. The leak contains Social Security numbers, lab reports and other health data. François Braun, French minister of social affairs and health, condemned the leak and tweeted that Paris will “not give in to these criminals.” The 1,000-bed Centre Hospitalier Sud Francilien in Corbeil-Essonnes underwent a cyberattack late last month and received a $10 million demand from a group now identified as working with LockBit ransomware. Attackers issued an ultimatum for payment that the hospital says it refused to honor. Attackers postponed the ultimatum’s trigger date and lowered the ransom demand to $1 million.”

Title: Global Firms Deal with 51 Security Incidents Each Day
Date Published: September 27, 2022

Excerpt: “Security operations (SecOps) teams are struggling to respond to dozens of cybersecurity incidents every single day, according to a new report from Trellix. The security vendor polled 9000 security decision makers from organizations with 500+ employees across 15 markets to compile its latest study, XDR: Redefining the future of cybersecurity. It found that the average SecOps team has to manage 51 incidents per day, with 36% of respondents claiming they deal with 50 to 200 daily incidents. Around half (46%) agreed that they are “inundated by a never-ending stream of cyber-attacks.” Part of the problem is the siloed nature of security and detection and response systems, the study claimed. Some 60% of respondents argued that poorly integrated products mean teams can’t work efficiently, while a third (34%) admitted they have blind spots. It’s perhaps no surprise, therefore, that 60% admitted they can’t keep pace with the rapid evolution of security threats.”

Title: Feds: Chinese Hacking Group Undeterred by Indictment
Date Published: September 26, 2022

Excerpt: “Two federal indictments against a Chinese-state sponsored hacking group haven’t slowed down its operations, the U.S. government acknowledges in a warning telling the healthcare sector to be vigilant about the threat actor.A federal grand jury returned indictments in 2019 and 2020 against five Chinese nationals accused of hacking for a threat group dubbed APT41 and also known as Barium, Winnti, Wicked Panda and Wicked Spider. The hackers are believed to be at large, likely in China, and are unlikely to face arrest. The United States began publicly indicting Chinese hackers in 2014 in a strategy to pressure Beijing by exposing the organizations and individuals behind state-sponsored cybertheft”

Title: Quantifying the Social Impact of Ransomware and ESG Disclosure Implication
Date Published: September 26, 2022

Excerpt: “2022 began with successful ransomware attacks against global IT and digital transformation providers, no thanks to the notorious LAPSUS$ ransomware gang. Often, any discussion about ransomware impact has mostly centered on affected organizations. Rightly so, as victimized organizations usually suffer significant disruption to their operations. In 2021, the US Federal Bureau of Investigation received 3,729 complaints identified as ransomware. Recently, a company closed all of its 175 stores in Denmark due to a ransomware attack. Globally, 81% of organizations are highly concerned about ransomware attacks. A recent Sophos report showed that “66% of organizations were hit by ransomware in the last year, a 78% increase over the previous year”. 90% of these organizations suffered operational disruption, and 86% lost business and revenue. In the first half of 2022, ransomware variants nearly doubled compared with the second half of 2021. The popularization of Ransomware-as-a-Service (RaaS), and the willingness of affected organizations to pay are some drivers for increased ransomware attacks.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 Excerpt: “The Keralty multinational healthcare...