September 7, 2022

Fortify Security Team

Title: Ransomware Gang’s Cobalt Strike Servers DDoSed with Anti-Russia Messages
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/ransomware-gangs-cobalt-strike-servers-ddosed-with-anti-russia-messages/

Excerpt: “Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity. The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs. These former Conti members continue to use in new attacks the same Cobalt Strike toolkit as they did in their original operation.”

Title: Albania Blames Iran for July Cyberattack, Severs Diplomatic Ties
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/albania-blames-iran-for-july-cyberattack-severs-diplomatic-ties/

Excerpt: “Albanian Prime Minister Edi Rama announced on Wednesday that the entire staff of the Embassy of the Islamic Republic of Iran was asked to leave within 24 hours. This decision comes after severing diplomatic relations with Iran following the attribution of a July cyberattack that targeted Albanian government infrastructure to Iranian threat actors. “The in-depth investigation provided us with indisputable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression,” Rama said. “This extreme response, one that is unwanted but totally forced on us, is fully proportional to the gravity and risk of the cyberattack that threatened to paralyze public services, erase digital systems and hack into State records, steal Government intranet electronic communication and stir chaos and insecurity in the country.” The United States government also formally blamed Iran for attacking Albania in July and said the country would be held accountable for threatening the security of a NATO ally.”

Title: Google: Former Conti Cybercrime Gang Members Now Targeting Ukraine
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/google-former-conti-cybercrime-gang-members-now-targeting-ukraine/

Excerpt: “Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks. The company’s Threat Analysis Group (TAG), a dedicated team of security experts acting as a defense force for Google users from state-sponsored attacks, started tracking this threat group in April after detecting a phishing campaign that pushed the Conti-linked AnchorMail backdoor. “In the initial encounter with UAC-0098, ‘lackeyBuilder’ was observed for the first time. This is a previously undisclosed builder for AnchorMail, one of the private backdoors used by the Conti groups,” Google TAG said.”

Title: US Seizes WT1SHOP Market Selling Credit Cards, Credentials, and IDs
Date Published: September 6, 2022

https://www.bleepingcomputer.com/news/security/us-seizes-wt1shop-market-selling-credit-cards-credentials-and-ids/

Excerpt: “An international law enforcement operation has seized the website and domains for WT1SHOP, a criminal marketplace that sold stolen credit cards, I.D. cards, and millions of login credentials. WT1SHOP was one of the largest criminal marketplaces of PII data commonly used by threat actors to buy credentials for account takeovers, credit cards used for online purchases, and government I.D. cards for identity theft. “The WT1shop was one of the turnkey account shops selling compromised accounts and personally identifiable information since the Slilpp takedown,” AdvIntel CEO Vitali Kremez told BleepingComputer. “It catered primarily to the carders and fraudsters focused on account takeover activity and offering its service on many underground crime communities.” The representatives of WT1SHOP commonly promoted the marketplace on Russian hacking forums and Reddits that catered to online criminal activity.”

Title: Most IT Leaders Think Partners, Customers Make Their Business a Ransomware Target
Date Published: September 7, 2022

https://www.helpnetsecurity.com/2022/09/07/most-it-leaders-think-partners-customers-make-their-business-a-ransomware-target/

Excerpt: “Global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. During May and June 2022 Sapio Research polled 2,958 IT decision-makers across 26 countries. The research revealed that 79% of global IT leaders believe their partners and customers are making their own organization a more attractive ransomware target. The challenge is particularly acute considering that potentially less well-secured SMBs make up a “significant” portion of the supply chain (52% of these organizations). A year ago, a sophisticated attack on a provider of IT management software led to the compromise of scores of MSPs and thousands of downstream customers. Yet only 47% of organizations share knowledge about ransomware attacks with their suppliers. Additionally, 25% said they don’t share potentially useful threat information with partners.”

Title: Researchers Publish Post-quantum Upgrade to the Signal Protocol
Date Published: September 7, 2022

https://www.helpnetsecurity.com/2022/09/07/post-quantum-cryptography-signal-protocol/

Excerpt: “PQShield published a white paper that lays out the quantum threat to secure end-to-end messaging and explains how post-quantum cryptography (PQC) can be added to the Signal secure messaging protocol to protect it from quantum attacks. The company is offering to license its end-to-end encrypted messaging IP to the Signal Foundation pro bono – if/when they plan to upgrade their system – to support the non-profit behind the free encrypted messaging app, Signal, in its mission to make secure communication accessible to everyone.”

Title: Zyxel Addressed a Critical RCE Flaw in its NAS Devices
Date Published: September 7, 2022

https://securityaffairs.co/wordpress/135426/hacking/zyxel-rce-nas.html

Excerpt: “Networking equipment vendor Zyxel addressed a critical vulnerability impacting its network-attached storage (NAS) devices. The CVE-2022-34747 (CVSS score: 9.8) flaw is classified as a format string vulnerability that resides in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0. An attacker can exploit the vulnerability to achieve unauthorized remote code execution via a crafted UDP packet.”

Title: Moobot Botnet is Back and Targets Vulnerable D-Link Routers
Date Published: September 7, 2022

https://securityaffairs.co/wordpress/135414/malware/moobot-botnet-targets-d-link.html

Excerpt: “Palo Alto Networks’ Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable D-Link routers. The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021; in November 2021 it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products. Now MooBot has re-emerged in a new wave of attacks that started in August, targeting vulnerable D-Link routers. The botnet is exploiting both old and new exploits; below is a list of vulnerabilities exploited:”

  • CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258: D-Link Remote Command Execution Vulnerability
  • CVE-2022-28958: D-Link Remote Command Execution Vulnerability

Title: This Stealthy Linux Malware Starts Off Small but Gradually Takes Control
Date Published: September 7, 2022

https://www.zdnet.com/article/this-stealthy-linux-malware-starts-off-small-but-gradually-takes-control/

Excerpt: “A stealthy new form of malware is targeting Linux systems in attacks that can take full control of infected devices – and it is using this access to install crypto-mining malware. Dubbed Shikitega, the malware targets endpoints and Internet of Things devices that run on Linux operating systems and has been detailed by cybersecurity researchers at AT&T Alien Labs. The malware is delivered in a multi-stage infection chain, where each module responds to commands from the previous part of the payload and downloads and executes the next one.”

Title: BlackCat Ransomware Linked to Italy’s Energy Services Firm Hack
Date Published: September 6, 2022

https://www.infosecurity-magazine.com/news/blackcat-italys-energy-services/

Excerpt: “Infamous hacking group BlackCat was linked to the recent attack on Italy’s state-owned energy services firm GSE by documents obtained by Reuters. According to the publication, BlackCat stole a considerable amount of data from GSE, then threatened to publish it if their demands were not met. In particular, the ransomware group claimed to have downloaded 700GB of data from GSE, including information on projects, contracts and accounting. It also uploaded images of documents from the hack on dark web forums. The attack comes weeks after Italian oil company Eni’s computer networks were also breached, though no specific group claimed responsibility for the hack. “The BlackCat/ALPHV ransomware gang have continued their trend of targeting key critical infrastructure with their latest attack on Italy’s energy agency,” Claroty CRO Simon Chassar told Infosecurity Magazine.”
