September 28, 2022

Fortify Security Team

Title: Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks
Date Published: September 28, 2022

https://securityaffairs.co/wordpress/136345/cyber-crime/bl00dy-ransomware-lockbit-3-encryptor.html

Excerpt: “The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild. The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild. Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang. The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.”

Title: Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings
Date Published: September 27, 2022

https://www.darkreading.com/attacks-breaches/lazarus-lures-aspiring-crypto-pros-fake-exchange-job-postings

Excerpt: “Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware. Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com. According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.”

Title: Cryptominers hijack $53 worth of system resources to earn $1
Date Published: September 28, 2022

https://www.bleepingcomputer.com/news/security/cryptominers-hijack-53-worth-of-system-resources-to-earn-1/

Excerpt: “Security researchers estimate that the financial impact of cryptominers infecting cloud servers costs victims about $53 for every $1 worth of cryptocurrency threat actors mine on hijacked devices. This activity is generally attributed to certain financially motivated hacking groups, most notably TeamTNT, that perform large-scale attacks against vulnerable Docker Hubs, AWS, Redis, and Kubernetes deployments. The threat actors load modified OS images containing XMRig, a miner for Monero (XMR), which is a privacy-oriented hard-to-trace cryptocurrency, and currently the most profitable CPU-based mining. The mining programs use the hacked device’s CPUs, so the threat actor generates income by hijacking hardware. Compared to ransomware, rogue crypto mining is a lower-risk activity for the attacker, much less likely to attract law enforcement attention.”

Title: Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery
Date Published: September 27, 2022

https://www.infosecurity-magazine.com/news/microsoft-sway-phishing-and/

Excerpt: “Threat actors have recently conducted phishing campaigns using Microsoft Sway and used the platform to distribute malware within organizations. The findings come from cybersecurity experts at Proofpoint, who released an advisory about the new threat on Monday. “An attacker can weaponize a Sway page by either compromising a Microsoft 365 account within the target organization (to phish more users) or creating a Sway page within their own Microsoft 365 account outside the target organization,” reads the technical write-up. According to the advisory, most phishing attack vectors observed by Proofpoint involved clicking a direct link to a phishing page. The company also highlighted that Microsoft typically uses a warning pop-up to attempt to discourage users from falling prey to such phishing attempts. “However, Proofpoint cloud security research indicates that attackers can phish users using an embed method within Microsoft Sway without a warning pop-up,” the company wrote. “This involves a user clicking on a link in an embedded malicious document within a Sway page.” Further, while Microsoft only allows uploads of media files in Sway pages (and actively blocks uploads of executable files), there are ways to use Sway to distribute malicious executables by embedding the hosted malware within the platform.”

Title: Meta dismantled the largest Russian network since the war in Ukraine began
Date Published: September 28, 2022

https://securityaffairs.co/wordpress/136326/social-networks/meta-dismantled-russian-network.html

Excerpt: “Meta dismantled a network of Facebook and Instagram accounts spreading disinformation across European countries. Meta announced to have taken down a huge Russian network of Facebook and Instagram accounts used to spread disinformation published on more than 60 websites impersonating news organizations across Europe. The disinformation operation began in May 2022, the network targeted primarily Germany, France, Italy, Ukraine and the UK, it was spreading fake content related to the war in Ukraine and its impact in Europe. Meta pointed out that this is the largest and most complex Russian operation they’ve disrupted since the war in Ukraine began.”

Title: Health data theft at Physician’s Business Office impacts 197K patients
Date Published: September 27, 2022

https://www.scmagazine.com/analysis/breach/health-data-theft-at-physicians-business-office-impacts-197k-patients

Excerpt: “Physician’s Business Office notified 196,573 patients that their personal data and protected health information was likely stolen during a hack of its network five months ago. Based in West Virginia, PBO is a medical practice management and administrative services for healthcare providers. PBO discovered unusual activity in its network environment in April 2022 and took steps to secure the network. An outside digital forensics and incident response firm was brought on to assist, which found data stored on the network was accessed “and potentially acquired without authorization” during the hack. Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to report any breaches of PHI affecting over 500 patients within 60 days of discovery. PBO appears to explain the delay by its “diligent” review of the potentially impacted data to identify the patients and providers tied to the data, which concluded on June 30. Providers were informed on July 26. Its explanation for waiting another three months before sending the official notice was the coordination with providers and working “to collect current mailing addresses for all potentially impacted individuals.” The stolen data could include patient names, Social Security numbers, dates of birth, driver’s licenses, treatments, diagnoses, contact details, disability codes, prescription information, and health insurance account details. Patients will receive free credit monitoring and identity theft protection services.”

Title: Alleged Optus Hacker Apologizes, Deletes Customers’ Exposed Data
Date Published: September 27, 2022

https://www.infosecurity-magazine.com/news/alleged-optus-hacker-apologizes/

Excerpt: “The hacker behind last week’s Optus data breach seems to have taken down the database containing customers’ released information. A user going by ‘optusdata’ and posting on BreachForums claimed responsibility for the attack earlier today and said they had deleted the only copy of the stolen data. “Too many eyes. We will not [sell] data to anyone. We can’t if we even want to: personally deleted data from drive (Only copy).” However, the alleged hacker also apologized to 10,000 Australian individuals whose data had been leaked. “Australia will see no gain in fraud; this can be monitored. Maybe for 10.200 Australian but rest of population no. Very sorry to you.” Additionally, the BreachForums user said they would have contacted Optus to let them know firsthand about the breach, but the hacker could not find a dedicated Optus channel for security-related matters. The supposed hacker concluded their post by saying that even if the ransom was not paid, they did not care anymore. “[It] was [a] mistake to scrape [and] publish [the] data in [the] first place.” The post comes hours after the attorney general, Mark Dreyfus, confirmed that the Federal Bureau of Investigation in the US was assisting the Australian Federal Police’s (AFP) operation in discovering who might have accessed the data and who was attempting to sell it.”

Title: Chilean Court System Hit With Ransomware Attack
Date Published: September 27, 2022

https://www.databreachtoday.com/chilean-court-system-hit-ransomware-attack-a-20159

Excerpt: “The Chilean judicial system yanked 150 computers offline to stop the spread of a virus that maliciously encrypts files even as authorities stressed that court proceedings were mostly unaffected. The event is the latest cyber disruption affecting the South American country. The nation’s consumer protection agency was hit by a ransomware attack that started on Aug. 25 (see: Chile Consumer Protection Agency Hit by Ransomware Attack) and just days ago, hundreds of thousands of emails hacked from the military’s Joint Chiefs of Staff were published online. The judicial system on Monday attributed the spread of the Cryptolocker Trojan inside its network to a phishing email opened on Sunday night. It affected computers operating Windows 7 and loaded with McAfee antivirus, reaching just 1% of court system computers, said court administration official Zvonimir Koporcic. “We are changing the antivirus,” he said. No data was stolen, Supreme Court spokeswoman Ángela Vivanco told reporters Tuesday during a press conference where she characterized the incident as “not a huge attack.” She said authorities have no idea about the threat actor behind the Trojan.”

Title: Pass-the-Hash Attacks and How to Prevent them in Windows Domains
Date Published: September 27, 2022

https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-how-to-prevent-them-in-windows-domains/

Excerpt: “In the movies, hackers typically enter a few keystrokes and gain access to entire networks in a matter of seconds. In the real world however, attackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network. One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack. In order to understand how a pass-the-hash attack works, you must first understand how password hashes are used. When you assign a password to a system, that password is not actually stored on the system. Instead, the operating system uses a mathematical formula to compute a hash for the password. The hash is what is stored, not the actual password. When you log into the system, the authentication engine uses the same mathematical formula to compute a hash for the password that you entered and compares it to the stored hash. If the two hashes match one another then the password is assumed to be correct, and access is granted. The important takeaway from this is that as far as the system is concerned, the hash is the password. An attacker who wants to gain access to a system doesn’t always need to know a user’s password. They just need to have access to the password hash that is already stored within the system. From the hacker’s perspective, having access to a password hash is essentially the same as having access to the password. Password hashing is a commonly used technique to protect passwords but not all password hash technologies are equal. This post outlines the three main types of password hashing techniques and how to change which one your Active Directory is using.”

Title: Your Guide to the Latest Email Fraud and Identity Deception Trends
Date Published: September 27, 2022

https://www.tripwire.com/state-of-security/security-data-protection/your-guide-latest-email-fraud-identity-deception-trends/

Excerpt: “There’s a high chance that you or someone you know has been impacted by email fraud or identity theft. At the very least, you’ve likely received a variety of spam emails and text messages asking to provide a payment or confirm your identity. The good news is that cybersecurity protection is constantly evolving and improving, with cybersecurity education programs preparing skilled professionals to enter the front lines against cybercrime. The less-than-good news: as cybersecurity protection evolves, so do the attack methods used to steal your personal information. Companies and organizations are often doing their best to protect customers and employees, but the threat is very real. In fact, two-thirds of Fortune 500 companies “remain vulnerable to getting impersonated in phishing scams targeting their customers, partners, inventors, and the general public.”

Keep these alarming statistics in mind from PurpleSec:

  • 92% of malware is delivered by email.
  • Nearly 60 million people in the U.S. have been impacted by identity theft.

So, what are some of the latest trends in online deception, and how are cybercriminals adapting when it comes to email fraud and identity theft? Let’s find out.”
