October 11, 2022

Fortify Security Team
Oct 11, 2022

Title: Hackers behind IcedID malware attacks diversify delivery tactics
Date Published: October 10, 2022


Excerpt: “The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets. Researchers at Team Cymru have observed several campaigns in September 2022, all following slightly different infection pathways, which they believe is to help them evaluate effectiveness. Moreover, the analysts have noticed changes in the management of command and control server (C2) IPs used in the campaigns, now showing signs of sloppiness. The IcedID malware started in 2017 as a modular banking trojan but has since evolved into a malware dropper that is commonly used to gain initial access to corporate networks. Malware droppers are used to quietly install further malware on an infected device, helping threat actors gain a foothold on a target system and then deploy more potent payloads throughout the network. Typically, operators of malware droppers sell their services to other cybercriminals, who outsource this part of the attack and focus on post-compromise activities.”

Title: Toyota discloses accidental leak of some customers’ personal information
Date Published: October 11, 2022


Excerpt: “Toyota Motor Corporation discloses data leak, customers’ personal information may have been exposed after an access key was exposed on GitHub. Toyota Motor Corporation warns customers that their personal information may have been accidentally exposed after an access key was publicly available on GitHub for almost five years.The carmaker discovered recently that a portion of its T-Connect site source code was mistakenly published on GitHub. T-Connect is an app developed by the company that allows car owners to control the vehicle’s infotainment system and monitor the access of the vehicle. The code also contained an access key to the data server that stored customer info, such as email addresses and management numbers. The source code was leaked by a development subcontractor. An unauthorized third party could have had access to the details of Toyota customers between December 2017 and September 15, 2022. The number of impacted customers is 296,019, the GitHub repository was restricted in September 2022 and the keys were changed. Exposed records include customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data.”

Title: This ‘thermal attack’ can read your password from the heat your fingertips leave behind
Date Published: October 10, 2022


Excerpt: “Researchers detail an attack technique combining thermal imaging and AI – and warn that increased access to innovative technologies will be abused by cyber criminals. Computer security researchers say they’ve developed an AI-driven system that can guess computer and smartphone passwords in seconds by examining the heat signatures that fingertips leave on keyboards and screens when entering data. Called ThermoSecure, researchers at the University of Glasgow’s School of Computing Science developed the system to show how the falling price of thermal-imaging cameras and increasing access to machine-learning and artificial intelligence (AI) algorithms are creating new opportunities for what they describe as thermal attacks. By using a thermal-imaging camera to look at a computer keyboard, smartphone screen or ATM keypad, it’s possible to take a picture that reveals the recent heat signature from fingers touching the device.”

Title: US Airports in Cyberattack Crosshairs for Pro-Russian Group Killnet
Date Published: October 10, 2022


Excerpt: “Killnet calls on other groups to launch similar attacks against US civilian infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems. Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks. It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government’s support for Ukraine in its war with Russia. Airport websites that were affected by Killnet’s DDoS attacks included Los Angeles International Airport (LAX), Chicago O’Hare, Hartsfield-Jackson Atlanta International Airport, and the Indianapolis International Airport. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.”

Title: Intel Confirms Source Code Leak
Date Published: October 10, 2022


Excerpt: “Intel has confirmed that the alleged leak of its Alder Lake BIOS source code is authentic, potentially raising cybersecurity risks for customers. Last week, the firm’s BIOS/UEFI code was apparently posted on 4chan and Github in a repository named ‘ICE_TEA_BIOS.’ This repository contains 5.97 GB of files, source code, private keys, change logs and compilation tools. In a statement to Tom’s Hardware, an Intel spokesperson said: “Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.” It is currently unclear how the source code was accessed, and who was responsible. The leak relates to Intel’s 12th generation Intel Core processors, released in November 2021. Despite Intel’s reassurances, the leak could pose a security risk for customers, making it easier for cyber-criminals to discover vulnerabilities in the product.”

Title: SingTel Confronts Multiple Data Leaks
Date Published: October 10, 2022


Excerpt: “Mobile network carrier Singapore Telecommunications is dealing with its second Australian subsidiary data breach in a handful of weeks now that IT consultancy Dialog Group has seen some of its internal data published on the dark web.The two incidents are joined by a third affecting the global communications giant – the additional incident being a hacker forum posting containing 74 gigabytes of data purporting to include confidential company documents, employee email addresses, work orders, stock requisition and business application forms and more. Dialog is probing the unauthorized access of company data, which could affect up to 20 clients and around 1,000 current and former Dialog employees.Singtel’s first breach occurred at telecom provider Optus following an incident in which the personal information of 9.8 million Australians was potentially exposed after the company detected “unusual activity” on its network (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt). The Singapore company says the two Australian incidents appear unrelated. Singtel acquired Optus in 2001, and it added Dialog to its portfolio in an AU$325 transaction that closed in April. Dialog says it detected an undisclosed threat actor’s malicious activity on Sept. 10 and shut them down as a precautionary measure. Last Friday, it says, it became aware “that a very small sample” of company data, including some employee personal information, was available on the dark web.”

Title: Caffeine service lets anyone launch Microsoft 365 phishing attacks
Date Published: October 10, 2022


Excerpt: “A phishing-as-a-service (PhaaS) platform named ‘Caffeine’ makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn’t require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind. Mandiant’s analysts discovered and tested Caffeine thoroughly, and today report that it’s a worryingly feature-rich PhaaS considering its low barrier for entry. The cybersecurity firm first spotted Caffeine after investigating a large-scale phishing campaign run through the service, targeting one of Mandiant’s clients to steal Microsoft 365 account credentials.”

Title: Experts analyzed the evolution of the Emotet supply chain
Date Published: October 11, 2022


Excerpt: “Threat actors behind the Emotet bot are continually improving their tactics, techniques, and procedures to avoid detection. VMware researchers have analyzed the supply chain behind the Emotet malware reporting that its operators are continually shifting their tactics, techniques, and procedures to avoid detection. The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor. In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default. In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.”

Title: POLONIUM targets Israel with Creepy malware
Date Published: October 11, 2022


Excerpt: “ESET researchers reveal their findings about POLONIUM, an advanced persistent threat (APT) group about which little information is publicly available and its initial compromise vector is unknown. POLONIUM is a cyberespionage group first documented by Microsoft Threat Intelligence Center (MSTIC) in June 2022. MSTIC’s assessment is that POLONIUM is an operational group based in Lebanon, coordinating its activities with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022. Verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. Our findings describing the tactics of this group, including details about a number of previously undocumented backdoors, were presented in late September at the Virus Bulletin 2022 conference.”

Title: #ISC2Congress: Cybersecurity Pros Must Prepare for Emerging Deepfake Threats
Date Published: October 10, 2022


Excerpt: “Deepfakes pose an emerging security risk to organizations, stated Thomas P. Scanlon, CISSP, technical manager – CERT Data Science, Carnegie Mellon University, during a session at the (ISC)2 Security Congress this week. Scanlon began his talk by explaining how deepfakes work, which he emphasized is essential for cybersecurity professionals to understand to protect against the threats this technology poses. He noted that organizations are starting to become aware of this risk. “If you’re in a cybersecurity role in your organization, there is a good chance you will be asked about this technology,” commented Scanlon. He believes deepfakes are part of a broader ‘malinformation’ trend, which differs from disinformation in that it “is based on truth but is missing context.” Deepfakes can encompass audio, video and image manipulations or can be completely fake creations. Examples include face swaps of individuals, lip syncing, puppeteering (the control of sounds and synthetic) and creating people who don’t exist. Currently, the two machine-learning neural networks used to create deepfakes are auto-encoders and generative adversarial networks (GAN). Both require substantial amounts of data to be ‘trained’ to recreate aspects of a person. Therefore, creating accurate deepfakes is still very challenging, but “well-funded actors do have the resources.” Increasingly, organizations are being targeted in numerous ways through deepfakes, particularly in the area of fraud. Scanlon highlighted the case of a CEO being duped into transferring $243,000 to fraudsters after being tricked into believing he was talking to the firm’s chief executive through deepfake voice technology. This was the “first known instance of somebody using deepfakes to commit a crime.”He also noted that there has been a number of cases of malicious actors using video deepfakes to pose as a potential candidate for a job in a virtual interview, for example, using the LinkedIn profile of someone who would be qualified for the role. Once employed, they planned use their access to the company’s systems to access and steal sensitive data. This was a threat that the FBI recently warned employers about.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...