October 14, 2022

Fortify Security Team

Title: Experts released PoC exploit code for critical bug CVE-2022-40684 in Fortinet products

Date Published: October 14, 2022


Excerpt: “Experts released the PoC exploit code for the authentication bypass flaw CVE-2022-40684 in FortiGate firewalls and FortiProxy web proxies. A proof-of-concept (PoC) exploit code for the authentication bypass vulnerability CVE-2022-40684 (CVSS score: 9.6) in FortiGate firewalls and FortiProxy web proxies has been released online. The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1. FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0 are also impacted. The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 or 7.2.2. The company also provided a workaround for those who can’t immediately deploy security updates. An attacker can exploit the vulnerability to log into vulnerable devices. “An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT. The company urges customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw. The public availability of the PoC exploit code can fuel a wave of attacks targeting Fortinet devices. The bad news is that the vendor confirmed this week that the critical vulnerability is being exploited in the wild.”

Title: Russian DDoS attack project pays contributors for more firepower

Date Published: October 13, 2022


Excerpt: “A pro-Russian group created a crowdsourced project called ‘DDOSIA’ that pays volunteers launching distributed denial-of-service (DDOS) attacks against western entities. DDoS attacks typically don’t have any security repercussions for the target but can cause a lot of damage by generating service outages. Depending on the target, the impact can extend beyond financial losses. Because DDoS attacks are easy to organize, simple to carry out, and still carry a punch, they have been the de-facto weapon of hacktivists on both sides of the Russian-Ukrainian war. Introducing a financial incentive is a new strategy, researchers at cybersecurity company Radware say in a report shared with BleepingComputer. In hacktivist DDoS attacks, volunteers don’t get a monetary reward. Joining the cause is normally what they’re in for. With the financial incentive added, DDOSIA attracts attackers that don’t necessarily support the cause.”

Title: This unusual ransomware attack targets home PCs, so beware

Date Published: October 14, 2022


Excerpt: “A ransomware campaign is using sneaky techniques to infect individual users with ransomware – and demands thousands for the decryption key. A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars. The Magniber campaign, detailed by HP Wolf Security, is unusual for 2022 in the way it focuses on generating relatively small ransom payments from individual users, compared to what could be extorted by going after businesses and demanding large ransoms. In many ways, it’s a throwback to early ransomware campaigns that encrypted files on individual computers. However, Magniber is using innovative techniques that make it much more difficult to detect – especially for home users.”

Title: RansomExx Leaks 52 GB of Barcelona Health Centers’ Data

Date Published: October 13, 2022


Excerpt: “A ransomware gang says it published information including medical test results and identity cards stolen from a Barcelona hospital system that serves more than a million patients each year. RansomExx says a 52-gigabyte file published Tuesday on the dark web contains data taken from the Consorci Sanitari Integral, a public entity that provides medical and social services. CSI says it is working alongside the Cybersecurity Agency of Catalonia and the Catalan Data Protection Authority to limit the scope of the breach. The hospital system of more than 3,000 physicians and staff acknowledged a “compromise in data confidentiality.” It detected a ransomware attack during the early hours of last Friday, leading to three days of reduced functionality at the Barcelona hospitals Dos de Maig and Creu Roja de l’Hospitalet and the nearby Moisès Broggi facility in Sant Joan Despí. Also affected were ten other health centers, the majority of which are in the city’s southern suburbs.”

Title: QAKBOT Attacks Spike Amid Concerning Cybercriminal Collaborations

Date Published: October 13, 2022


Excerpt: “The QAKBOT malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week. In the most recent incident, cybersecurity firm Trend Micro observed QAKBOT-infected systems deploying Brute Ratel, an “adversary emulation” platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities. Another group, known as Black Basta, is likely responsible for the subsequent attacker activity using the two platforms, Trend Micro said. Black Basta’s use of QAKBOT, also known as QBot or Pinkslipbot, highlights how cybercriminal groups are specializing in particular attack-chain activities, says Jon Clay, vice president of threat intelligence for Trend Micro. “QBot appears to have improved their offering as they have to compete with other groups selling similar services in the underground — BlackBasta is one such group that feels their tool set works for them,” he says. “They continue to update their code and malware to enhance obfuscation and ability to successfully compromise victims.” After QAKBOT infects a system, the attack tool conducts automated reconnaissance and then downloads and installs Brute Ratel, which is then used by Black Basta to move laterally to other systems in the network and execute payloads, according to Trend Micro’s report.”

Title: Microsoft Office 365 email encryption could expose message content

Date Published: October 14, 2022


Excerpt: “Security researchers at WithSecure, previously F-Secure Business, found that it is possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to the use of a weak block cipher mode of operation. Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from destination to source. However, the feature encrypts the data using the Electronic Code Book (ECB) mode, which allows inferring the plaintext message under certain conditions. The main problem with ECB is that repetitive areas in the plaintext data have the same encrypted result when the same key is used, thus creating a pattern. The issue was highlighted after the massive Adobe data breach in 2013 when tens of millions of passwords were leaked and researchers discovered that the company used ECB mode to encrypt the data, making it possible to obtain plaintext passwords. This weakness was highlighted again in 2020 when it was discovered that the widely used teleconference application Zoom used the same 128-bit key to encrypt all audio and video using the AES algorithm with ECB mode. Harry Sintonen of WithSecure underlines that with Office 365 Message Encryption the content of the encrypted messages isn’t directly decipherable, but structural information about those messages can be captured. An attacker able to collect multiple encrypted messages can look for patterns that could lead to parts of the message to become gradually readable without the need of an encryption key.”

Title: Budworm Espionage Group Returns, Targets US State Legislature

Date Published: October 13, 2022


Excerpt: “The advanced persistent threat (APT) actor known as Budworm has been spotted targeting a US-based entity for the first time in more than six years, alongside other international targets. The news comes from Symantec security researchers, who shared an advisory about the attacks with Infosecurity before publication. According to the new data, Budworm executed attacks over the past six months against several strategically significant targets, including a Middle Eastern country’s government, a multinational electronics manufacturer, a hospital in South East Asia and a US state legislature. “While there were frequent reports of Budworm targeting US organizations six to eight years ago, in more recent years, the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” reads the advisory. In the latest attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers to install web shells. The attackers reportedly used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command and control (C&C) servers.”

Title: DJI drone tracking data exposed in the US

Date Published: October 12, 2022


Excerpt: “Over 80,000 drone IDs were exposed in the leak of a database containing information from airspace monitoring devices manufactured by DJI. Think twice before taking out your shiny new drone for a spin near the Cannes Film Festival, a prison, a nuclear power plant, or an airport. Enhanced security institutions use devices to monitor drone movement, posing a privacy risk to its owner. Recently, the Cybernews research team stumbled upon an unprotected database with over 90 million drone-monitoring logs generated by DJI devices – the largest market player in the world that sells both drones and devices to surveil them. Used by the military, businesses, and consumers, drones are “fundamentally changing aviation.” Therefore, the US Federal Aviation Administration (FAA) envisions integrating drones into the National Airspace System (NAS) by identifying all unmanned aircraft systems (UAS). The FAA introduced remote ID – analogous to license plates for drones – to identify owners of all drones in case they are flying in an unsafe manner or where they are not allowed to fly. Remote ID will provide information about drones in flight – the identity, location, and altitude of the drone and its control station or take-off location.”

Title: Chinese APT WIP19 Targets IT Service Providers and Telcos

Date Published: October 13, 2022


Excerpt: “A new threat cluster, tracked by SentinelLabs as WIP19, has been targeting telecommunications and IT service providers across the Middle East and Asia. According to the security experts, the group is characterized by the use of a legitimate, stolen digital certificate issued by DEEPSoft, a Korean company specializing in messaging solutions. “Throughout this activity, the threat actor abused the certificate to sign several malicious components,” SentinelLabs explained. “Almost all operations performed by the threat actor were completed in a ‘hands-on keyboard’ fashion during an interactive session with compromised machines. This meant the attacker gave up on a stable C2 channel in exchange for stealth.” The SentinelLabs analyses of the backdoors utilized also suggested parts of the components used by WIP19 were created by WinEggDrop, a well-known Chinese-speaking malware author who has developed tools for various groups and been active since 2014. “The use of WinEggDrop-authored malware, stolen certificates and correlating TTPs [tactics, techniques and procedures] indicate possible links to Operation Shadow Force, as reported by TrendMicro and AhnLab,” SentinelLabs explained. “As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation ‘Shadow Force’ or simply a different actor utilizing similar TTPs. The activity we observed, however, represents a more mature actor, utilizing new malware and techniques.” Additionally, SentinelLabs linked an implant dubbed “SQLMaggie,” recently described by DCSO CyTec, to WIP19’s latest activity. “SQLMaggie appears to be actively maintained and provides insights into the development timeline with hardcoded version names.” Because of its advanced TTPs, SentinelLabs warned that WIP19 is an example of the greater breadth of Chinese espionage activity targeting critical infrastructure organizations.”

Title: Cyberattackers Spoof Google Translate in Unique Phishing Tactic

Date Published: October 13, 2022


Excerpt: “The campaign uses a combination of tactics and a common JavaScript obfuscation technique to fool both end users and email security scanners to steal credentials. Attackers are spoofing Google Translate in an ongoing phishing campaign that uses a common JavaScript coding technique to bypass email security scanners. Leveraging trust in Google Translate is a never-before-seen approach, researchers said. Researchers from Avanan, a Check Point Software Company, uncovered the campaign, which uses the coding technique to obfuscate phishing sites to make them appear legitimate to the end user as well as fool security gateways. The phish also uses social engineering tactics to convince users they need to respond quickly to an email or face having an account closed, according to a blog post published today. The messages direct a user to a link that directs them to a credential-harvesting page that appears to be a legitimate Google Translate page, with a pre-populated email field that requires only that a person enter his or her password to log in.”
