September 6, 2022

Fortify Security Team

Title: New Worok Cyber-espionage Group Targets Governments, High-profile Firms
Date Published: September 6, 2022

https://www.bleepingcomputer.com/news/security/new-worok-cyber-espionage-group-targets-governments-high-profile-firms/

Excerpt: “A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools. The threat group, tracked as Worok by ESET security researchers who first spotted it, has also attacked targets from Africa and the Middle East. To date, Worok has been linked to attacks against telecommunications, banking, maritime, and energy companies, as well as military, government, and public sector entities. In late 2020, Worok targeted a telecommunications company in East Asia, a bank in Central Asia, a maritime industry company in Southeast Asia, a government entity in the Middle East, and a private company in southern Africa. While there have been no sightings until February 2022, ESET once again linked the group with new attacks against an energy company in Central Asia and a public sector entity in Southeast Asia.”

Title: Second Largest U.S. School District LAUSD Hit by Ransomware
Date Published: September 6, 2022

https://www.bleepingcomputer.com/news/security/second-largest-us-school-district-lausd-hit-by-ransomware/

Excerpt: “Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend. LAUSD enrolls more than 640,000 students, spanning from kindergarten through 12th grade. It includes Los Angeles and 31 smaller municipalities, as well as several Los Angeles County unincorporated sections. The school district first revealed districtwide technical issues after discovering that the attackers disrupted access to LAUSD systems, including email servers. Roughly seven hours later, it confirmed that this was a ransomware attack, tagging the incident as “criminal in nature.” LAUSD has reported the incident and is working with law enforcement and federal agencies (the FBI and CISA) as part of an ongoing investigation and incident response.”

Title: New EvilProxy Service Lets All Hackers Use Advanced Phishing Tactics
Date Published: September 5, 2022

https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/

Excerpt: “A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. The service enables low-skill threat actors who don’t know how to set up reverse proxies to steal online accounts that are otherwise well-protected. Reverse proxies are servers that sit between the targeted victim and a legitimate authentication endpoint, such as a company’s login form. When the victim connects to a phishing page, the reverse proxy displays the legitimate login form, forwards requests, and returns responses from the company’s website. When the victim enters their credentials and MFA to the phishing page, they are forwarded to the actual platform’s server, where the user is logged in, and a session cookie is returned. However, as the threat actor’s proxy sits in the middle, it can also steal the session cookie containing the authentication token. The threat actors can then use this authentication cookie to log in to the site as the user, bypassing configured multi-factor authentication protections.”

Title: QNAP Patches Zero-day Used in New Deadbolt Ransomware Attacks
Date Published: September 5, 2022

https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/

Excerpt: “QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. The company has patched the security flaw but attacks continue today. “QNAP Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet,” explains the security notice. The attacks were widespread, with the ID Ransomware service seeing a surge in submissions on Saturday and Sunday.”

Title: China Accuses the US of Cyberattacks
Date Published: September 6, 2022

https://securityaffairs.co/wordpress/135369/cyber-warfare-2/china-accuses-us-cyberattacks.html

Excerpt: “The Government of Beijing accused the United States of launching tens of thousands of cyberattacks on China. The attacks aimed at stealing sensitive data from government entities and universities. In the past, the US Government has accused China of cyberattacks against US organizations and private businesses, but Beijing always denied the claims. On Monday, the Chinese National Computer Virus Emergency Response Center (CVERC) published a report, which was co-authored by the private Chinese cybersecurity firm Qihoo 360, that accuses the US National Security Agency (NSA) of conducting “tens of thousands of malicious attacks on network targets in China in recent years”. The attacks were orchestrated by the NSA’s Tailored Access Operations (TAO) elite hacker unit that in one case compromised the Northwestern Polytechnical University in the city of Xi’an and stole over 140 gigabytes of high-value data.”

Title: TikTok Denies Data Breach Following Leak of User Data
Date Published: September 5, 2022

https://securityaffairs.co/wordpress/135333/data-breach/tiktok-data-leak.html

Excerpt: “The hacking collective AgainstTheWest recently published a post on the Breach Forums message board claiming to have hacked TikTok and stolen source code and user data. The group published screenshots of the allegedly stolen data; it claims to have had access to an Alibaba cloud instance containing data for both TikTok and WeChat users. Threat actors reported that the server contained 2.05 billion records in a 790GB database.”

Title: SharkBot Malware Resurfaces on Google Play to Steal Users’ Credentials
Date Published: September 5, 2022

https://www.infosecurity-magazine.com/news/sharkbot-resurfaces-google-play/

Excerpt: “An upgraded version of the SharkBot mobile malware has been spotted on Google’s Play Store, suggested a new blog post by Fox-IT, part of the NCC Group. The new version of SharkBot reportedly targets the banking credentials of Android users via apps that have collectively counted 60,000 installations. These apps, which have now been removed by the Play Store, are ‘Mister Phone Cleaner’ and ‘Kylhavy Mobile Security’. “This new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware,” warned the Fox-IT researchers. “Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.””

Title: Google Chrome Zero-day Flaw: Users Urged to Install Update ‘immediately’
Date Published: September 5, 2022

https://www.zdnet.com/article/google-chrome-zero-day-flaw-users-urged-to-install-update-immediately/

Excerpt: “Google has released a security update for the Chrome browser on Windows, Mac and Linux to fix a newly discovered zero-day vulnerability that is being exploited actively by cyberattacks – and users are urged to apply the update as soon as possible. The release, which updates Google Chrome to version 105.0.5195.102, fixes what’s described as a high-severity security issue (CVE-2022-3075) relating to insufficient data validation in Mojo, a collection of runtime libraries used in Chromium, which powers much of the code behind the Google Chrome browser. Google said it’s “aware of reports that an exploit for CVE-2022-3075 exists in the wild”.”

Title: Half of Firms Report Supply Chain Ransomware Compromise
Date Published: September 6, 2022

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

Excerpt: “Over half (52%) of global organizations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro. The security vendor polled nearly 3000 IT decision makers across 26 countries to produce its latest report, Everything is connected: Uncovering the ransomware threat from global supply chains. It revealed that 90% of global IT leaders believe their partners and customers are making their own organization a more attractive ransomware target. That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies. However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.”

Title: Keybank’s Customer Information Stolen By Hackers Via Third-party Provider
Date Published: September 5, 2022

https://www.infosecurity-magazine.com/news/keybanks-customer-information/

Excerpt: “Threat actors stole Social Security numbers, addresses and account numbers of home mortgage holders at KeyBank, the Associated Press (AP) has reported. The breach was allegedly caused by third-party vendor Overby-Seawell, a firm providing multiple corporate clients, including KeyBank, with insurance services. According to AP, the hackers acquired the information on July 5 after breaking into Overby-Seawell computers. At the time of writing, KeyBank did not clarify how many of its customers were affected by the breach. The company did, however, publicly apologize on social media over the weekend to customers and offered two years of free Equifax identity protection as compensation. “All of us at Key deeply regret that this incident occurred. Your business means a great deal to us, and keeping your personal information safe and secure is extremely important. Please let us know if you have any questions regarding the letter. Feel free to DM us.” Since the message, KeyBank has locked its direct messages on Twitter. Further, the bank said it is investigating the Overby-Seawell breach.”
