October 13, 2022

Fortify Security Team

Title: New Alchimist attack framework targets Windows, macOS, Linux
Date Published: October 13, 2022


Excerpt: “Cybersecurity researchers have discovered a new attack and C2 framework called ‘Alchimist,’ which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. The framework and all its files are 64-bit executables written in GoLang, a programming language that makes cross-compatibility between different operating systems a lot easier. Alchimist offers a web-based interface using the Simplified Chinese language, and it’s very similar to Manjusaka, a recently-emerged post-exploitation attack framework growing popular among Chinese hackers. Cisco Talos researchers who discovered both of these frameworks highlight their similarities but explain there are enough technical differences to deduce different authors developed them.”

Title: Aruba fixes critical vulnerabilities in EdgeConnect Enterprise Orchestrator
Date Published: October 12, 2022


Excerpt: “Aruba addressed multiple critical severity vulnerabilities in the EdgeConnect Enterprise Orchestrator that can be exploited by remote attackers to compromise the vulnerable host. Aruba EdgeConnect Orchestrator is a centralized SD-WAN management solution that allows enterprises to control their WAN.

Below are the vulnerabilities addressed by Aruba:

CVE-2022-37913 and CVE-2022-37914 (CVSS v3.1 – 9.8) Authentication bypass vulnerabilities that reside in the web-based management interface of EdgeConnect Orchestrator. Threat actors can trigger the issue to bypass authentication. “Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host,” reads the advisory published by the vendor. The company also addressed an unauthenticated Remote Code Execution issue in the Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface. The flaw, tracked as CVE-2022-37915, can be exploited to execute arbitrary commands on the underlying host, leading to complete system compromise.”

Title: WhatsApp Users Beware: Dangerous Mobile Trojan Being Distributed via Malicious Mod
Date Published: October 12, 2022


Excerpt: “Among other things, users who download the app could end up having their WhatsApp account details stolen. Security researchers have detected a threat actor distributing a data-stealing mobile Trojan via a spoofed version of YoWhatsApp, a relatively widely used, modified version of the WhatsApp messaging application. Users who download the app are at risk of having their WhatsApp account details stolen and being signed up for paid subscriptions they did not want or were even aware of. Researchers at Kaspersky detected the threat recently and identified the Trojan as Triada, a malware tool that it observed last year being similarly distributed via another malicious version of YoWhatsApp. WhatsApp mods are basically unofficial, modified versions of the social media app touting features and functionality — such as additional privacy, custom backgrounds, and bulk messaging — that the official version does not have. Since these modified social media apps are unofficial, they are not available on the official mobile app stores of Google and Apple, so users who want them must download them from unofficial sources — a practice that security experts have long warned as being especially risky. However, users often do it anyway because they see the additional functionality is worth the risk.”

Title: Lloyd’s of London Says It Found No Evidence of Breach
Date Published: October 12, 2022


Excerpt: “Days after taking systems offline due to “suspicious activity” on its network, Lloyd’s of London says it has turned up no evidence of a compromise. A Wednesday statement from the U.K. insurance and reinsurance marketplace giant says its network is fully restored. An investigation conducted with outside expertise by Mandiant and NTT turned up no evidence of a compromise. “Nor was any data compromised,” the corporation added. A Lloyd’s spokesman told Information Security Media Group the company will continue to closely monitor its network for signs of hacking. The marketplace last week acknowledged a probe into potential hacking causing it to enter into voluntary downtime. Possible motives for a malicious hacker to target Lloyd’s aren’t in short supply. For one thing, Lloyd’s has been active in applying international sanctions against Russia launched after Moscow’s invasion of Ukraine.”

Title: Cloudflare mitigated record DDoS attack against Minecraft server
Date Published: October 13, 2022


Excerpt: “Wynncraft, one of the largest Minecraft servers, was recently hit by a 2.5 Tbps distributed denial-of-service (DDoS) attack. It was a multi-vector attack that lasted for about two minutes and consisted of UDP and TCP flood packets attempting to overwhelm the server and keep out hundreds of thousands of players, DDoS mitigation company Cloudflare says. The researchers say this was the largest bitrate attack they ever recorded and handled. A DDoS attack this large occurred in 2017, in a campaign that lasted for six months from a nation-state actor, disclosed by Google in 2020. Cloudflare’s 2022 Q3 DDoS report notes that multi-terabit DDoS attacks are now more frequent. One of the largest DDoS attacks ever reported was in November 2021 and peaked at 3.47 terabits per second.”

Title: Data of 380K patients compromised in hack of 13 anesthesia practices
Date Published: October 12, 2022


Excerpt: “The Department of Health and Human Services breach reporting tool recently added 13 separate filings from anesthesia practices across the U.S., stemming from a “data security incident” at the covered entities’ management company. In total, the compromise involved the protected health information of 380,104 patients. The HHS tool appears to center on entities tied to New York-based Resource Anesthesiology Associates and Anesthesia Associates, including sites in El Paso, California, Washington, Palm Springs, Lynbrook, Hazleton, Fredericksburg, Bronx, San Joaquin, and Maryland. Upstate Anesthesia Services is also listed. The name of the management company is currently unclear. A dive into how, or whether, these providers are connected found just one breach notice from Anesthesia Associates of El Paso PA, “an anesthesia provider to a local healthcare facility.” The breach notification shows the incident occurred on July 15, 2022 at “its management company.” No further details are shared as to the entity behind the incident, or the threat behind the compromise. However the incident occurred, it appears that protected health information stored in the management company’s system was impacted during the event, which included patient names, contact details, health insurance policy numbers, Social Security numbers, payment data, and health information, such as treatments and diagnoses.”

Title: #DTX2022: Cyber Needs to Redress the Defensive-Offensive Balance Following Russia-Ukraine
Date Published: October 13, 2022


Excerpt: “The Russia–Ukraine conflict has demonstrated the need to balance defensive vs offensive cyber, challenging a narrative that has been prevalent among policymakers for a long time. This was the view of Dr Alexi Drew, technology policy advisor for the International Committee of the Red Cross, during DTX Europe 2022. Drew noted that the war has demonstrated what is and isn’t possible in cyberspace, with predictions about ‘cybergeddon’ proving unrealistic. However, the idea of cyber-attacks bringing down critical infrastructure and causing potential death and destruction has caught on in policy circles. It is important to “bridge the gap between those in the technology space and the policy space to challenge these misconceptions,” she stated. As a result, politicians have increasingly invested in offensive cyber capabilities over the years, believing this approach will make their nations cyber superpowers. This viewpoint has been influenced by a strong offensive security market, according to Drew, and is further exacerbated by the fact that it is much harder to prove the effectiveness of cyber defenses compared to cyber-attacks. “It’s much harder to say ‘here’s a defensive incident where the attack did not happen,’” she commented. However, Drew believes the war in Ukraine has demonstrated that defensive cybersecurity is more effective than offensive capabilities, which is a perspective shared by the NCSC’s CEO, Lindy Cameron, and the US national cyber director, Chris Inglis, in recent months.”

Title: Airborne Drones Are Dropping Cyber-Spy Exploits in the Wild
Date Published: October 12, 2022


Excerpt: “Once limited to abstract academic conversation among cybersecurity enthusiasts, drones loaded with cyber-spying equipment are now being used in the real world to breach networks and steal information. Cybersecurity researcher Greg Linares shared a Twitter thread on Oct. 10 providing an overview of a drone-based cyberattack he was privy to over the summer. He explained it started when an unnamed financial company picked up unusual traffic on its network. A trace of the Wi-Fi signal behind the network activity led the threat hunters to the roof, where two drones were found. One was a modified DJI Phantom carrying what Linares called a “modified Wifi Pineapple device”; the other was a likewise modified DJI Matrice 600 drone loaded with “a Raspberry Pi, batteries, a GPD mini laptop, a 4G modem and another Wi-Fi device,” he added. The cyberattack was partially successful, allowing attackers to target the internal Atlassian Confluence page to get access to credentials and other devices, Linares said. However, the threat hunters found one of the drones damaged, but still functioning. “The attack was a limited success, and it appears that once the attackers were discovered, they accidentally crashed the drone on recovery,” Linares tweeted. He explained this sort of drone exploit delivery attack probably cost no more than $15,000 to put together.”

Title: Everything We Know About the Mango Markets Hack
Date Published: October 12, 2022


Excerpt: “Things happen differently with cryptocurrency. A hacker who stole $117 million in digital assets from decentralized finance exchange Mango Markets now says they’ll return the funds, but only if token holders let them keep $70 million without the possibility of criminal prosecution. The hacker communicated their proposal on the Mango Markets decentralized governance platform and proceeded to use votes tied to the stolen assets to support the proposition. The hacker was unable to unilaterally establish a quorum, meaning that widespread disapproval could still defeat the proposal to treat the incident as a white hat hacking incident worthy of a bug bounty. In a nutshell: A hacker who stole cryptocurrency says they should walk away with the majority of the loot and put that plan up for a vote to the people from whom they stole, using votes tied to the stolen cryptocurrency to vote yes.”

Title: New npm timing attack could lead to supply chain attacks
Date Published: October 12, 2022


Excerpt: “Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. The attack relies on a small time difference in the return of a “404 Not Found” error when searching for a private compared to a non-existent package in the repository. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists to perform package impersonation attacks. Organizations create private packages for internal projects and certain software products to minimize the risk of their development teams falling for typosquatting attacks, and to keep their code and functions secret. Keeping private packages private is crucial for organizations using them. Otherwise, attackers can create clones or typosquatted packages that hackers could trick employees of organizations into downloading and using in software projects. If the developers and internal software testers don’t discover the compromise, the products could reach end users, achieving a supply chain compromise. In a report by Aqua Security’s threat research team, who shared its findings with BleepingComputer before publication, attackers are increasingly focusing on supply chain attacks, fueling a rise of 300% in associated activities in 2021.”
