September 9, 2022

Fortify Security Team

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections
Date Published: September 8, 2022

Excerpt: “A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. Bumblebee was discovered in April, involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, i.e., the Conti syndicate. As Bumblebee is an evolved loader with advanced anti-analysis and anti-detection features, it was assumed that it would replace other loaders, such as BazarLoader, in initial compromise attacks followed by ransomware deployment. Bumblebee’s distribution rate reached notable levels in the ensuing months, yet the new loader never became dominant in the field. According to a report by Cyble, based on a finding by threat researcher Max Malyutin, the authors of Bumblebee are preparing a comeback from the summer hiatus of spam operations, using a new execution flow.”

Title: GIFShell Attack Creates Reverse Shell Using Microsoft Teams GIFs
Date Published: September 8, 2022

Excerpt: “A new attack technique called ‘GIFShell’ allows threat actors to abuse Microsoft Teams for novel phishing attacks and to covertly execute commands to steal data using … GIFs. The new attack scenario, shared exclusively with BleepingComputer, illustrates how attackers can string together numerous Microsoft Teams vulnerabilities and flaws to abuse legitimate Microsoft infrastructure to deliver malicious files and commands, and to exfiltrate data via GIFs. As the data exfiltration is done through Microsoft’s own servers, the traffic will be harder to detect by security software that sees it as legitimate Microsoft Teams traffic.”

Title: CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks
Date Published: September 8, 2022

Excerpt: “CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and the QNAP Photo Station software. The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation. On Monday, network-attached storage (NAS) appliance maker QNAP warned its customers that it patched a zero-day bug in the widely used Photo Station software, tracked as CVE-2022-27593 and actively exploited in widespread DeadBolt ransomware attacks. Last but not least, the two critical D-Link security flaws (CVE-2022-28958 and CVE-2022-26258) are being targeted by the Mirai-based Moobot botnet to gain remote code execution and take over unpatched devices. After being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, all Federal Civilian Executive Branch (FCEB) agencies now must patch their systems against these security bugs exploited in the wild, according to a binding operational directive (BOD 22-01) published in November.”

Title: US Recovers $30 Million Stolen from Axie Infinity by Lazarus Hackers
Date Published: September 8, 2022

Excerpt: “With the help of blockchain analysts and FBI agents, the U.S. government seized $30 million worth of cryptocurrency stolen by the North Korean threat group ‘Lazarus’ from the token-based ‘play-to-earn’ game Axie Infinity earlier in the year. The news about the retrieval was announced during the AxieCon event today, where the hosts highlighted it as a community achievement and the result of a large-scale collaboration between multiple law enforcement authorities and private entities. This is the first time stolen cryptocurrency has been seized from a North Korean hacking group, and according to a report by Chainalysis, which had active involvement in the retrieval, it won’t be the last. “Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds,” the company reports. The seized money will gradually move into Axie Infinity’s treasury and back to the players’ community, but the game’s publishers explained this process might take several years.”

Title: High-risk ConnectWise Automate Vulnerability Fixed, Admins Urged to Patch ASAP
Date Published: September 8, 2022

Excerpt: “ConnectWise has fixed a vulnerability in ConnectWise Automate, a popular remote monitoring and management tool, which could allow attackers to compromise confidential data or other processing resources. The severity of the vulnerability is merely “important”, as its exploitation requires additional access and/or privilege, but ConnectWise recommends that administrators of on-premise instances patch as soon as possible. The company did not actually say that the vulnerability is being exploited in the wild, but categorizes the priority with which it should be fixed as “High,” meaning that it’s a flaw that is either being targeted or has a higher risk of being targeted by exploits in the wild.”

Title: Experts Warn of Attacks Exploiting Zero-day in WordPress BackupBuddy Plugin
Date Published: September 9, 2022

Excerpt: “On September 6, 2022, the Wordfence Threat Intelligence team was informed of a vulnerability being actively exploited in the BackupBuddy WordPress plugin. This plugin allows users to back up an entire WordPress installation, including theme files, pages, posts, widgets, users, and media files. The vulnerability, tracked as CVE-2022-31474 (CVSS score: 7.5), can be exploited by an unauthenticated user to download arbitrary files from the affected site. It has been estimated that the plugin has around 140,000 active installations. Wordfence researchers determined that threat actors started exploiting this vulnerability in the wild on August 26, 2022. The security firm also said it has blocked 4,948,926 attacks exploiting this vulnerability since that time. The attackers were attempting to retrieve sensitive files such as /wp-config.php and /etc/passwd. The vulnerability affects versions to and was fixed with the release of version 8.7.5 on September 2, 2022.”

Title: Hong Kong Consumers Want Right to Choose When Firms use AI
Date Published: September 8, 2022

Excerpt: “Online consumers in Hong Kong are concerned about how artificial intelligence (AI) is used to deliver the services they consume and want more transparency from merchants. They admit, however, to having little knowledge about the technology. Just 31% of consumers in the Asian market said they trusted AI, but 51% acknowledged it helped cut the time they spent choosing products, according to a study released Thursday by the Hong Kong Consumer Council. The online survey polled 1,219 respondents aged 15 and above who had visited local and international online stores, 77% of whom made purchases or browsed online stores on a daily or weekly basis. While 75% said they were unfamiliar with AI, 41% said the technology addressed their needs accurately. Another 74% expressed concerns about the excessive data businesses collected, and 72% were worried no one would be held responsible if the AI algorithm was inaccurate and caused problems. Some 81% said they should have the right to choose when AI tools were used, and 78% suggested merchants should inform consumers if they were using AI to provide services.”

Title: Rapid7 Discusses SIGMA Spectrum Infusion Pump and WiFi Battery Vulnerabilities
Date Published: September 8, 2022

Excerpt: “On April 20, 2022, Rapid7 discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare. The flaws, four in total, affected the company’s SIGMA Spectrum Infusion Pump and SIGMA WiFi Battery. Almost five months after Rapid7 first reported the issues to Baxter, the companies are now revealing they have worked together to discuss the impact, resolution and coordinated response for these vulnerabilities. Rapid7 detailed the findings in a new disclosure report, where the firm said the SIGMA vulnerabilities were discovered by Deral Heiland, Rapid7’s principal IoT (Internet of Things) researcher. For context, Baxter’s SIGMA infusion pumps are typically used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system. These are TCP/IP-enabled machines designed to deliver data to healthcare providers to enable more effective care. The first of the vulnerabilities (tracked as CVE-2022-26390) discovered by Rapid7 caused the pump to transfer the WiFi credential to the battery unit when the latter was connected to the primary infusion pump and the infusion pump powered up. The second flaw (tracked as CVE-2022-26392), on the other hand, exposed the command ‘hostmessage’ to a format string vulnerability when running a telnet session on the Baxter SIGMA WiFi battery firmware version 16. The third vulnerability (tracked as CVE-2022-26393) was also a format string vulnerability on WiFi battery software version 20 D29, and the fourth one (tracked as CVE-2022-26394) saw WiFi battery units (versions 16, 17 and 20 D29) allowing remote unauthenticated changing of the SIGMA GW IP address (used for configuring the back-end communication services for the devices’ operation).”

Title: APT42: Crooked Charms, Cons, and Compromises
Date Published: September 8, 2022

Excerpt: “Today, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization’s operational mandates and priorities. The full published report covers APT42’s recent and historical activity dating back to at least 2015, the group’s tactics, techniques, and procedures, targeting patterns, and elucidates historical connections to APT35. APT42 partially coincides with public reporting on TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force), Phosphorus (Microsoft), and Charming Kitten (ClearSky and CERTFA).”

Title: Ransomware Campaigns Linked to Iranian Govt’s DEV-0270 Hackers
Date Published: September 8, 2022

Excerpt: “Security researchers have linked multiple ransomware campaigns to DEV-0270 (also known as Nemesis Kitten). The threat actor, widely considered a sub-group of Iranian actor PHOSPHORUS, conducts various malicious network operations on behalf of the Iranian government, according to a new write-up by Microsoft. However, judging from the threat actor’s geographic and sectoral targeting (which often lacked a strategic value for the regime), Microsoft also speculated that some of DEV-0270’s attacks might be a form of moonlighting for personal or company-specific revenue generation. From a technical standpoint, the tech giant said DEV-0270 leverages exploits, particularly for newly disclosed high-severity vulnerabilities, to gain access to devices.”
