September 30, 2022

Fortify Security Team

Title: Microsoft confirms Exchange zero-day flaws actively exploited in the wild
Date Published: September 29, 2022

Excerpt: “Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild. The IT giant has promptly started the investigation into the two zero-day vulnerabilities that impact Microsoft Exchange Server 2013, 2016, and 2019. The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Successful exploitation of CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. “At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.” reads the advisory published by Microsoft. Microsoft announced that it is working to accelerate the timeline to release a fix that addresses both issues. Meantime, the company provided the mitigations and detection guidance to help customers protect themselves from these attacks.”
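The chain described in the excerpt (an SSRF through the Exchange Autodiscover front end, used by an already authenticated attacker to reach the PowerShell remoting endpoint and trigger the RCE) leaves a recognisable request shape in the front-end IIS logs: an autodiscover.json URI that contains "@" followed by "Powershell". That is the pattern Microsoft's interim URL Rewrite mitigation blocked and its hunting guidance searched IIS logs for. The Python below is an added example for this digest, not code from Microsoft, GTSC or the quoted article; the IIS W3C log lines are constructed, and the field layout, hostnames, usernames and IP addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Pattern from Microsoft's interim URL Rewrite mitigation for CVE-2022-41040:
# an Autodiscover request whose URI contains "@" followed by "Powershell".
# Legitimate Autodiscover traffic carries an e-mail address ("@") but never
# "/powershell" after it, which is what makes the pattern usable for hunting.
SUSPICIOUS_URI = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Constructed IIS W3C extended log (not real traffic) in the default
# Exchange front-end field order. Hostnames, users and IPs are invented.
SAMPLE_IIS_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-29 08:01:12 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 120
2022-09-29 08:01:40 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/Powershell&Email=autodiscover/autodiscover.json%3F@evil.example 443 CONTOSO\jdoe 203.0.113.7 python-requests/2.28 - 200 0 0 2310
2022-09-29 08:02:03 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/powershell 443 - 203.0.113.7 python-requests/2.28 - 401 1 0 30
2022-09-29 08:03:11 10.0.0.5 GET /autodiscover/autodiscover.json Email=asmith@contoso.example&Protocol=ActiveSync 443 CONTOSO\asmith 198.51.100.4 Microsoft+Office/16.0 - 200 0 0 45
2022-09-29 08:04:00 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\asmith 198.51.100.4 Mozilla/5.0 - 200 0 0 88
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    username: str
    status: int
    uri: str

    @property
    def likely_succeeded(self) -> bool:
        # The SSRF needs valid credentials. A 200 on a matching request means
        # the front end accepted the authentication and proxied the request
        # to the backend, which is the case the detection guidance hunts for.
        return self.status == 200


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by field name.

    The '#Fields:' directive defines the column order; other '#' lines
    (Software, Version, Date) are directives and are skipped. IIS writes
    '+' for spaces inside a field, so whitespace splitting is safe.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        cols = line.split()
        if not fields or len(cols) != len(fields):
            continue  # malformed or header-less line: skip rather than guess
        records.append(dict(zip(fields, cols)))
    return records


def hunt_autodiscover_powershell(records: List[Dict[str, str]]) -> List[Finding]:
    """Return every request whose decoded URI matches the mitigation pattern."""
    findings: List[Finding] = []
    for rec in records:
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri = f"{uri}?{query}"
        # IIS logs the query string as received, so percent-decode before
        # matching; otherwise "%40" would hide the "@" from the pattern.
        if SUSPICIOUS_URI.search(unquote(uri)):
            status = rec.get("sc-status", "0")
            findings.append(Finding(
                timestamp=f"{rec['date']} {rec['time']}",
                client_ip=rec.get("c-ip", "-"),
                username=rec.get("cs-username", "-"),
                status=int(status) if status.isdigit() else 0,
                uri=uri,
            ))
    return findings


def main() -> None:
    for f in hunt_autodiscover_powershell(parse_iis_w3c(SAMPLE_IIS_LOG)):
        verdict = "LIKELY SUCCESSFUL (authenticated, 200)" if f.likely_succeeded else "attempt"
        print(f"{f.timestamp} {f.client_ip} {f.username} {f.status} {verdict}\n    {f.uri}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the hunt flags the two requests that put "@...Powershell" after autodiscover.json and ignores the ordinary Autodiscover lookup that merely contains an e-mail address. The 200 from an authenticated user is the case to treat as a probable compromise and investigate (which account, what was reached on the backend), while the 401 is an attempt from a client without valid credentials, consistent with the advisory's note that authentication is required. The pattern is deliberately the same one used for the URL Rewrite mitigation, so a hit in the logs after the rule was deployed also shows whether the rule is in place and matching.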

Title: LeakBase: India Swachhata Platform Breached, 16 Million User PII Records Exposed
Date Published: September 29, 2022

Excerpt: “The data breach notification website Leakbase said someone allegedly hacked the Swachhata Platform in India and stole 16 million user records. The news comes from security researchers at CloudSEK, who discovered a post by Leakbase sharing data samples containing personally identifiable information (PII), including email addresses, hashed passwords and user IDs. According to an advisory published by CloudSEK earlier today, 6GB of compromised data from the Swachhata Platform – an initiative in association with the Ministry of Housing and Urban Affairs of India – is being shared via a popular file-hosting platform. “[Leakbase is] previously known from providing reliable information and data breaches from companies around the world,” wrote CloudSEK. “[Threat actors on the platform] often operate for financial gain and conduct sales on their marketplace forum Leakbase.” Back in 2017, the platform was at the center of a massive data breach at Taringa, a Reddit-like social network website for Latin American users.”

Title: IT admin admits sabotaging ex-employer’s network in bid for higher salary
Date Published: September 29, 2022

Excerpt: “A 40-year-old man could face up to 10 years in prison, after admitting in a US District Court to sabotaging his former employer’s computer systems. Casey K Umetsu, of Honolulu, Hawaii, has pleaded guilty to charges that he deliberately misdirected a financial company’s email traffic and prevented customers from reaching its website in a failed attempt to convince the firm to rehire him at a greater salary. Umetsu, who had been employed in the IT division of the prominent Hawaii-based company between 2017 and 2019, admitted to the court that he had used his former employer’s credentials to access its domain registrar, and deliberately changed the firm’s DNS records to misdirect the business’s web and email traffic. As the Department of Justice describes, Umetsu additionally locked the company out of its domain name registrar account, preventing them from undoing the damage, for several days. Of course, Umetsu could have easily undone the damage at any time – but from the sound of things he was waiting for his former employer to beg him to help him, and offer him a larger salary than he had previously enjoyed. Instead, the company chose to contact the FBI. “Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said US Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.” From the sound of things, the problem here is simple to understand – but all-too-common in many work environments: when someone leaves your employment you should ensure that any passwords they have previously had access to no longer work.”

Title: Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange
Date Published: September 29, 2022

Excerpt: “APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange. An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed “Stegmap,” which uses the rarely seen steganography technique to hide malicious code in a hosted image. Recent attacks show the group — called Witchetty, aka LookingFrog — fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.”

Title: New Royal Ransomware emerges in multi-million dollar attacks
Date Published: September 29, 2022

Excerpt: “A ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. Royal is an operation that launched in January 2022 and consists of a group of vetted and experienced ransomware actors from previous operations. Unlike most active ransomware operations, Royal does not operate as a Ransomware-as-a-Service but is instead a private group without affiliates. Vitali Kremez, CEO of AdvIntel, told BleepingComputer that they utilized other ransomware operations’ encryptors when first starting, such as BlackCat. Soon after, the cybercrime enterprise began using its own encryptors, the first being Zeon, which generated ransom notes very similar to Conti’s. However, since the middle of September 2022, the ransomware gang has rebranded again to ‘Royal’ and is using that name in ransom notes generated by a new encryptor.”

Title: Amazon-themed campaigns of Lazarus in the Netherlands and Belgium
Date Published: September 30, 2022

Excerpt: “ESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in attacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. The primary goal of the attackers was data exfiltration. Lazarus (also known as HIDDEN COBRA) has been active since at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011.”

Title: Matrix: Install security update to fix end-to-end encryption flaws
Date Published: September 29, 2022

Excerpt: “The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in a readable form. Clients affected by the bugs are those using the matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, like Element, Beeper, Cinny, SchildiChat, and Circuli. Other clients using a different encryption implementation (e.g. Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks, Pantalaimon) are not impacted. Matrix underlines that the issues have been fixed and all that users need to do to keep their communications safe is apply the available updates to their IM clients. Matrix’s announcement claims that exploiting the flaws is not an easy task and that they have seen no evidence of active exploitation.”

Title: What the Securing Open Source Software Act does and what it misses
Date Published: September 29, 2022

Excerpt: “The US government is recognizing the importance of open-source software. But is it ready for what’s needed? There’s at least one thing Republicans and Democrats can agree on in the US Senate: the importance of open-source software. Seriously. As US Senator Gary Peters (D-MI) said last week, “Open-source software is the bedrock of the digital world.” His partner across the aisle, Rob Portman (R-OH), agreed, saying, “The computers, phones, and websites we all use every day contain open-source software that is vulnerable to cyberattack.” Therefore, “The bipartisan Securing Open Source Software Act [PDF] will ensure that the US government anticipates and mitigates security vulnerabilities in open-source software to protect Americans’ most sensitive data.” This bill proposes that since the Log4j security blow-up in 2021, and its continuing aftershocks, showed just how vulnerable we are to open-source code attacks, the Cybersecurity and Infrastructure Security Agency (CISA) must help “ensure that open-source software is used safely and securely by the federal government, critical infrastructure, and others.” After all, the Sept. 22 government release introducing the legislation added, “The overwhelming majority of computers in the world rely on open-source code.” This is far from the first time that the federal government has taken note of just how vital open-source software has become to everyone. In January, the US Federal Trade Commission warned it would punish companies that don’t fix their Log4j security problems.”

Title: Manufacturers Failing to Address Cybersecurity Vulnerabilities Liable Under New European Rules
Date Published: September 30, 2022

Excerpt: “The European Commission has publicized new liability rules on digital products and artificial intelligence (AI) in order to protect consumers from harm, including in cases where cybersecurity vulnerabilities fail to be addressed. The two proposals the Commission adopted on September 28, 2022 will modernize the existing rules on the strict liability of manufacturers for defective products (from smart technology to pharmaceuticals). Additionally, the Commission proposes – for the first time, it says – a targeted harmonization of national liability rules for AI, making it easier for victims of AI-related damage to get compensation. This will be adopted in line with the Commission’s 2021 AI Act proposal. The liability rules allow compensation for damages when products like robots, drones or smart-home systems are made unsafe by software updates, AI or digital services that are needed to operate the product, as well as when manufacturers fail to address cybersecurity vulnerabilities. Explaining how the new rules shift the focus in such litigations, John Buyers, head of AI at Osborne Clarke explained, “There’s a very intentional interplay between the AI Act and the proposed new presumptions on liability, linking non-compliance with the EU’s planned regulatory regime with increased exposure to damages actions.”

Title: Capital One Phish Showcases Growing Bank-Brand Targeting Trend
Date Published: September 29, 2022

Excerpt: “Capital One lures leveraged the bank’s new partnership with Authentify, showing that phishers watch the headlines, and take advantage. A recent phishing campaign exploits Capital One’s new partnership with verification service Authentify, sending thousands of scam emails to the bank’s customers to try and trick them into uploading images of their identification cards. The emails appear to be sent from a Capital One corporate account, and explain what the Authentify authentication app does, according to researchers at Vade who have been tracking the campaign since July 1. To provide an idea of the volume of scam emails being launched at customers, Vade reported that, at one point, the attackers sent out at least 6,000 in one day. “You are required to provide any copy of your ID for verification and to ensure that you are fully enrolled to avoid account restrictions now,” the phishing email read. Vade noted that, unlike most other campaigns targeting credentials, this Capital One phishing scam was after identities.”
