September 8, 2022

Fortify Security Team

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers
Date Published: September 8, 2022

https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/

Excerpt: “The North Korean APT group ‘Lazarus’ (APT38) is exploiting VMware Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan. Lazarus is a state-backed threat actor known for conducting espionage, data theft, and cryptocurrency stealing campaigns over the past decade. The threat actors are responsible for hundreds of sophisticated attacks internationally. According to researchers at Cisco Talos, who uncovered the latest operation, Lazarus targeted the energy organizations between February and July 2022, leveraging public VMware Horizon exploits for initial access. From there, they used custom malware families like ‘VSingle’ and ‘YamaBot’ and a previously unknown remote access trojan (RAT) named ‘MagicRAT’ that is used to search for and steal data from infected devices. Symantec’s threat hunters analyzed the same campaign in April and ASEC researchers in May. However, Cisco’s report goes deeper to unveil many more details about the threat actor’s activity.”

Title: HP Fixes Severe Bug in Pre-installed Support Assistant Tool
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/

Excerpt: “HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. HP Support Assistant is used to troubleshoot issues, perform hardware diagnostic tests, dive deeper into technical specifications, and even check for BIOS and driver updates on HP devices. The flaw, discovered by researchers at Secure D and reported to HP, is tracked as CVE-2022-38395 and has a “high” severity score of 8.2, as it enables attackers to elevate their privileges on vulnerable systems.”

Title: Ukraine Dismantles More Bot Farms Spreading Russian Disinformation
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/ukraine-dismantles-more-bot-farms-spreading-russian-disinformation/

Excerpt: “The Cyber Department of the Ukrainian Security Service (SSU) dismantled two more bot farms that spread Russian disinformation on social networks and messaging platforms via thousands of fake accounts. As the SSU discovered, this bot army “of almost 7,000 accounts” was used to push content discrediting the Defence Forces of Ukraine, justify Russia’s armed aggression, and destabilize Ukraine’s social and political situation. The first one, operated by a 24-year-old native living in the Kyiv region, was used by “representatives of the PR departments of political parties and Russian citizens promoting destructive and provocative material in Ukrainian information space.” To hide his identity, he used forged Ukrainian documents, Russian e-mail services, and virtual phone numbers of Russian and Belarusian mobile operators for verification.”

Title: 200,000 North Face Accounts Hacked in Credential Stuffing Attack
Date Published: September 7, 2022

https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credential-stuffing-attack/

Excerpt: “Outdoor apparel brand ‘The North Face’ was targeted in a large-scale credential stuffing attack that has resulted in the hacking of 194,905 accounts on the thenorthface.com website. A credential stuffing attack is when threat actors use email addresses/usernames and password combinations obtained from data breaches to attempt to hack into user accounts on other websites. The success of these attacks relies on the practice of password recycling, where a person uses the same credentials across multiple online platforms. The credential stuffing attack on The North Face website began on July 26, 2022, but the website’s administrators detected the unusual activity on August 11, 2022, and were able to stop it on August 19, 2022.”

Title: With Cyber Insurance Costs Increasing, Can Smaller Firms Avoid Getting Priced Out?
Date Published: September 8, 2022

https://www.helpnetsecurity.com/2022/09/08/cyber-insurance-becoming-unavoidable/

Excerpt: “Cyber insurance is quickly becoming an unavoidable part of doing business as more organizations accept the inevitability of cyber risk. There is a growing awareness of the need to be prepared for the impact of devastating security incidents such as those caused by ransomware, just as a firm invests in coverage for potential physical threats such as fire or criminal damage. But while other potential disruptions benefit from stable insurance providers with decades or even centuries of practice behind them, cyber insurance is a nascent field that has proven hard to get a handle on. Even the more experienced stalwarts of the insurance industry have struggled with the task. In many cases, premiums have rapidly increased as providers have become more cautious about being left on the hook for multi-million-dollar breaches.”

Title: Researchers Reveal New Iranian Threat Group APT42
Date Published: September 8, 2022

https://www.infosecurity-magazine.com/news/researchers-iranian-threat-group/

Excerpt: “Security researchers have uncovered another state-backed Iranian threat group with activity dating back at least seven years. Threat intelligence firm Mandiant claimed to have found at least 30 victims of APT42, although it said the count is likely much higher given the group’s “high operational tempo” and researchers’ visibility gaps stemming from its targeting of personal email accounts. Based on APT42’s targeting patterns, Mandiant assessed with “moderate confidence” that it is operating on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). “APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK and Israel, working on Iran-related projects,” it said.”

Title: NSO Group’s Recent Difficulties Could Shape the Future of the Spyware Industry
Date Published: September 8, 2022

https://www.infosecurity-magazine.com/news-features/nso-groups-difficulties-spyware/

Excerpt: “The spyware industry continues to find itself in the headlines, most notably for the controversial, and sometimes nefarious, use of spyware products. In July 2022, Nikos Androulakis, leader of PASOK, Greece’s third largest political party, revealed there had been an attempt to infect his phone with Predator, a piece of surveillance software developed by Cytrox, now part of Greek company Intellexa. In August, NSO Group’s CEO and co-founder Shalev Hulio stepped down and the Israeli firm laid off 100 workers following findings from the Pegasus Project, an investigation from 17 media organizations about the use of NSO’s software. In late August, the collaborative investigation newsroom Lighthouse reported that Tykelab and its Italian owner, RCS Lab, were quietly selling powerful surveillance tech both inside and outside of the EU. The company boasted that it can “track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent.””

Title: Japan Government Websites Hit By Cyber-Attacks, Killnet Suspected
Date Published: September 7, 2022

https://www.infosecurity-magazine.com/news/japan-govt-websites-killnet/

Excerpt: “The Russia-affiliated hacking group Killnet claimed responsibility for a series of cyber-attacks against Japanese companies and 20 websites across four government ministries. In particular, the country’s government is reportedly looking into whether problems to the aforementioned sites were caused by a denial-of-service (DDoS) attack, according to Chief Cabinet Secretary Hirokazu Matsuno. Japan’s digital agency also said its e-Gov administrative portal was experiencing login problems to some services on Wednesday but did not specify the cause. “We are aware that the [Killnet] hacker group suggested it was behind the attacks, but at the moment, we are still investigating the cause of the failures, including the group’s involvement,” Matsuno added. The minister also said that while the government websites could not be accessed on Tuesday evening, they were restored on the same day.”

Title: Toys Behaving Badly: How Parents Can Protect Their Family from IoT Threats
Date Published: September 8, 2022

https://www.welivesecurity.com/2022/09/08/toys-behaving-badly-how-parents-protect-family-iot-threats/

Excerpt: “The Internet of Things (IoT) is changing the way we live and work. From smart pacemakers to fitness trackers, voice assistants to smart doorbells, the technology is making us healthier, safer, more productive and entertained. At the same time, it has also provided opportunities for manufacturers to market flashy new toys for our children. The global market for smart toys is set to see percentage growth in the double digits, to exceed US$24 billion by 2027. But when connectivity, data and computing meet, privacy and security concerns are never far away. Chances are that you, too, are considering buying one of these toys for your children and so encourage their learning and creativity. However, to protect your data and privacy (and your child’s safety!), it pays to do some research before taking a leap into the world of connected toys.”

Title: RDP on the Radar: An Up-close View of Evolving Remote Access Threats
Date Published: September 7, 2022

https://www.welivesecurity.com/2022/09/07/rdp-radar-up-close-view-evolving-remote-access-threats/

Excerpt: “As the COVID-19 pandemic spread around the globe, many of us, myself included, turned to working full-time from home. Many of ESET’s employees were already accustomed to working remotely part of the time, and it was largely a matter of scaling up existing resources to handle the influx of new remote workers, such as purchasing a few more laptops and VPN licenses. The same, though, could not be said for many organizations around the world, who either had to set up access for their remote workforce from scratch or at least significantly scale up their Remote Desktop Protocol (RDP) servers to make remote access usable for many concurrent users. To help those IT departments, particularly the ones for whom a remote workforce was something new, I worked with our content department to create a paper discussing the types of attacks ESET was seeing that were specifically targeting RDP, and some basic steps to secure against them. That paper can be found here on ESET’s corporate blog, in case you are curious.”
