Title: Ransomware Gang’s Cobalt Strike Servers DDoSed with Anti-Russia Messages
Date Published: September 7, 2022
Excerpt: “Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity. The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs. These former Conti members continue to use in new attacks the same Cobalt Strike toolkit as they did in their original operation.”
Title: Albania Blames Iran for July Cyberattack, Severs Diplomatic Ties
Date Published: September 7, 2022
Excerpt: “Albanian Prime Minister Edi Rama announced on Wednesday that the entire staff of the Embassy of the Islamic Republic of Iran was asked to leave within 24 hours. This decision comes after severing diplomatic relations with Iran following the attribution of a July cyberattack that targeted Albanian government infrastructure to Iranian threat actors. “The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression,” Rama said. “This extreme response, one that is unwanted but totally forced on us, is fully proportional to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into State records, steal Government intranet electronic communication and stir chaos and insecurity in the country.” The United States government also formally blamed Iran for attacking Albania in July and said the country would be held accountable for threatening the security of a NATO ally.”
Title: Google: Former Conti Cybercrime Gang Members Now Targeting Ukraine
Date Published: September 7, 2022
Excerpt: “Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks. The company’s Threat Analysis Group (TAG), a dedicated team of security experts acting as a defense force for Google users from state-sponsored attacks, started tracking this threat group in April after detecting a phishing campaign that pushed the Conti-linked AnchorMail backdoor. “In the initial encounter with UAC-0098, ‘lackeyBuilder’ was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups,” Google TAG said.”
Title: US Seizes WT1SHOP Market Selling Credit Cards, Credentials, and IDs
Date Published: September 6, 2022
Excerpt: “An international law enforcement operation has seized the website and domains for WT1SHOP, a criminal marketplace that sold stolen credit cards, I.D. cards, and millions of login credentials. WT1SHOP was one of the largest criminal marketplaces of PII data commonly used by threat actors to buy credentials for account takeovers, credit cards used for online purchases, and government I.D. cards for identity theft. “The WT1shop was one of the turnkey account shops selling compromised accounts and personally identifiable information since the Slilpp takedown,” AdvIntel CEO Vitali Kremez told BleepingComputer. “It catered primarily to the carders and fraudsters focused on account takeover activity and offering its service on many underground crime communities.” The representatives of WT1SHOP commonly promoted the marketplace on Russian hacking forums and Reddits that catered to online criminal activity.”
Title: Most IT Leaders Think Partners, Customers Make Their Business a Ransomware Target
Date Published: September 7, 2022
Excerpt: “Global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. During May and June 2022 Sapio Research polled 2,958 IT decision-makers across 26 countries. The research revealed that 79% of global IT leaders believe their partners and customers are making their own organization a more attractive ransomware target. The challenge is particularly acute considering that potentially less well-secured SMBs make up a “significant” portion of the supply chain 52% of these organizations. A year ago, a sophisticated attack on a provider of IT management software led to the compromise of scores of MSPs and thousands of downstream customers. Yet only 47% of organizations share knowledge about ransomware attacks with their suppliers. Additionally, 25% said they don’t share potentially useful threat information with partners.”
Title: Researchers Publish Post-quantum Upgrade to the Signal Protocol
Date Published: September 7, 2022
https://www.helpnetsecurity.com/2022/09/07/post-quantum-cryptography-signal-protocol/
Excerpt: “PQShield published a white paper that lays out the quantum threat to secure end-to-end messaging and explains how post-quantum cryptography (PQC) can be added to the Signal secure messaging protocol to protect it from quantum attacks. The company is offering to license its end-to-end encrypted messaging IP to the Signal Foundation pro bono – if/when they plan to upgrade their system – to support the non-profit behind the free encrypted messaging app, Signal, in its mission to make secure communication accessible to everyone.”
Title: Zyxel Addressed a Critical RCE Flaw in its NAS Devices
Date Published: September 7, 2022
https://securityaffairs.co/wordpress/135426/hacking/zyxel-rce-nas.html
Excerpt: “Networking equipment vendor Zyxel addressed a critical vulnerability impacting its network-attached storage (NAS) devices. The CVE-2022-34747 (CVSS score: 9.8) flaw is classified as a format string vulnerability that resides in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker can exploit the vulnerability to achieve unauthorized remote code execution via a crafted UDP packet.”
Title: Moobot Botnet is Back and Targets Vulnerable D-Link Routers
Date Published: September 7, 2022
https://securityaffairs.co/wordpress/135414/malware/moobot-botnet-targets-d-link.html
Excerpt: “Palo Alto Network’s Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable D-Link routers. The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021, in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products. Now the MooBot has re-emerged in a new wave of attacks that started in August, targeting vulnerable D-Link routers. The botnet is exploiting both old and new exploits, below is list of vulnerabilities exploited:”
- CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258: D-Link Remote Command Execution Vulnerability
- CVE-2022-28958: D-Link Remote Command Execution Vulnerability
Title: This Stealthy Linux Malware Starts Off Small but Gradually Takes Control
Date Published: September 7, 2022
Excerpt: “A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware. Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs. The malware is delivered in a multi-stage infection chain, where each module responds to commands from the previous part of the payload and downloads and executes the next one.”
Title: BlackCat Ransomware Linked to Italy’s Energy Services Firm Hack
Date Published: September 6, 2022
https://www.infosecurity-magazine.com/news/blackcat-italys-energy-services/
Excerpt: “Infamous hacking group BlackCat was linked to the recent attack on Italy’s state–owned energy services firm GSE by documents obtained by Reuters. According to the publication, BlackCat stole a considerable amount of data from GSE, then threatened to publish if their demands were not met. In particular, the ransomware group claimed to have downloaded 700GB of data from GSE, including information on projects, contracts and accounting. It also uploaded images of documents from the hack on dark web forums. The attack comes weeks after Italian oil company Eni’s computer networks were also breached, though no specific group claimed responsibility for the hack. “The BlackCat/ALPHV ransomware gang have continued their trend of targeting key critical infrastructure with their latest attack on Italy’s energy agency,” Claroty CRO Simon Chassar told Infosecurity Magazine.”