October 17, 2022

Fortify Security Team

Title: Almost 900 servers hacked using Zimbra zero-day flaw
Date Published: October 15, 2022


Excerpt: “Almost 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability, which at the time was a zero-day without a patch for nearly 1.5 months. The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks. According to the cybersecurity company Kaspersky, various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums. Kaspersky told BleepingComputer that they detected at least 876 servers being compromised by sophisticated attackers leveraging the vulnerability before it was widely publicized and received a CVE identifier.”

Title: Microsoft warns over unusual ransomware attacks
Date Published: October 17, 2022


Excerpt: “Microsoft has flagged a new piece of ransomware that’s hit transport and logistic organizations in Ukraine and Poland. Microsoft hasn’t seen the attackers use a specific software exploit but all the attacks utilize stolen Active Directory admin account credentials. The ransom note identifies itself as being “Prestige ransomware”, according to the Microsoft Threat Intelligence Center (MSTIC). The ransomware was launched on October 11 and stood out to researchers because it was a rare example in Ukraine of an enterprise-wide ransomware deployment and was distinct from 94 other ransomware gangs Microsoft is tracking. Also, the victim profiles align with recent Russia state-aligned activity and overlaps with victims of the HermeticWiper destructive malware that was deployed at the outset of Russia’s invasion of Ukraine. The US government in February was worried the same malware could be used against US organizations.”

Title: Hackney Council Ransomware Attack Cost £12m+
Date Published: October 17, 2022


Excerpt: “A local government authority in London was forced to spend over £12m ($11.7m) in a single financial year to help it recover from a devastating ransomware attack, according to a local report. The October 2020 attack, traced to the Pysa/Mespinoza variant, resulted in sensitive data of local residents and council staff being published on the group’s leak site several months later. Now, around two years after the attack, the Hackney Citizen has reported that it cost the council millions to recover data, replace affected systems and shift a backlog of work including land searches for property transactions, business rate and council tax payments, and disbursement of COVID support and energy rebate funds. Also detailed in the report was £444,000 spent on IT consultancy during the past financial year, £152,000 on recovery of the Mosaic systems used for social care and £572,000 on the housing register. The cyber-attack reportedly forced council staff to rely on pen and paper, downed printers in local libraries and resulted in theft of data for “a high number” of people whose benefits were processed between July and October 2020. Matt Aldridge, principal solutions consultant at OpenText Security Solutions, argued that public sector bodies need not only to put the right processes and technology in place to mitigate cyber-risk, but also to focus on their own staff.”

Title: Bulgaria hit by a cyber attack originating from Russia
Date Published: October 17, 2022


Excerpt: “Government institutions in Bulgaria have been hit by a cyber attack during the weekend; experts believe it was launched by Russian threat actors. The infrastructure of government institutions in Bulgaria has been hit by a massive DDoS attack. The attack started on Saturday and experts believe that it was orchestrated by Russian threat actors. The attack hit multiple government offices, including the Internal Affairs Ministry, the Defence Ministry, the Justice Ministry, and the Constitutional Court. The Bulgarian government launched an investigation into the incident and warned that these attacks threaten the foundations of the state. Chief Prosecutor Ivan Geshev, during a special briefing on the subject, defined the attack as a criminal offense. “Here, not only the website of the presidency is under attack, the object of the attack is the entire Bulgarian state as part of the European family,” said Ivan Geshev, quoted by BTA. “The object of the attack are numerous ministries, including the Ministry of Internal Affairs, Defense, and Justice,” reported the Euractiv website. “The Constitutional Court was also attacked. ‘I don’t know why they left out the prosecutor’s office,’ Geshev added, stressing that he was saying it as a joke.” Initial investigation revealed that the attack originated from Magnitogorsk, Russia, explained the deputy chief prosecutor and director of the national investigation Borislav Sarafov. Clearly, this information is not enough to attribute the attack to a specific threat actor.”

Title: Microsoft 365 Message Encryption Can Leak Sensitive Info
Date Published: October 14, 2022


Excerpt: “Researchers have discovered what they call a vulnerability in Microsoft 365, tied to the use of a broken or risky cryptographic algorithm. It could be exploited to infer some or all the content of encrypted email messages, they warned — but Microsoft has declined to address the issue. Third-party researchers tell Dark Reading that the real-world risk from the issue depends on an organization’s profile. Microsoft 365 (formerly Office 365) offers a method of sending encrypted messages (Office 365 Message Encryption, or OME) using Electronic Codebook (ECB), a mode of operation known to expose certain structural information about messages. WithSecure principal security consultant Harry Sintonen wrote in an Oct. 14 posting that if an attacker had access to enough emails using OME, it’s possible to access leaked information by analyzing the frequency of repeating patterns in individual messages and then matching those patterns with those in other encrypted emails and files. “This could impact anyone using OME, if the attachment in question has the properties that make it decipherable in this way,” he tells Dark Reading. “Of course, for the extraction to be possible, the adversary first needs to get access to the actual encrypted email message.” Sintonen explains that even if the files did not have a larger structure that could directly be revealed, there is still the possibility of fingerprinting files. “If a file has some repeating blocks, you could construct a fingerprint from the relation of these repeating blocks,” he says. “You can then scan the encrypted email messages for these fingerprints. If found, you know that this email message included the specific file.” He adds that it’s also possible to leverage artificial intelligence (AI) to find similar fingerprints to find content that is related, perhaps part of a set of similar files.”
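The excerpt above describes two consequences of ECB mode: repeated plaintext blocks produce repeated ciphertext blocks, and the pattern of which blocks repeat (a "fingerprint") survives encryption. The following is an added example, not code from the article, from WithSecure or from Microsoft; it illustrates the property with a toy 128-bit Feistel block cipher built from HMAC-SHA256 so that it runs with the Python standard library only (a stand-in for AES; the leakage shown is a property of the mode, not of the cipher). The attachment bytes, key and IV are constructed sample values, and all function names are hypothetical. It also shows the practitioner's check: a repeated-block ratio that flags ECB-encrypted data and drops to zero under CBC with a fresh IV.

```python
"""ECB structure leakage and block fingerprinting (added example, toy cipher)."""
import hashlib
import hmac

BLOCK = 16          # 128-bit block, same size as AES
ROUNDS = 8          # Feistel rounds; >= 4 with a PRF round function is a PRP

# Constructed sample key and IV (NOT real OME material; any fixed bytes work).
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
DEMO_IV = hashlib.sha256(b"constructed demo iv").digest()[:BLOCK]


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed PRF of one 8-byte half, domain-separated by round."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher: balanced Feistel network on a 16-byte block."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l  # final swap so decryption reuses the same round structure


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block encrypted independently -> equal blocks stay equal."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pad(data)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in _blocks(pad(data)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(ct: bytes) -> float:
    """Fraction of blocks that duplicate an earlier block (0.0 = no repeats).
    A value well above 0 on random-looking data is the classic ECB tell."""
    blocks = _blocks(ct)
    if not blocks:
        return 0.0
    return 1 - len(set(blocks)) / len(blocks)


def block_fingerprint(data: bytes) -> tuple:
    """Relation of repeating blocks: (first index, later index) pairs.
    ECB is a per-block permutation, so this is identical for the padded
    plaintext and for its ECB ciphertext, under ANY key."""
    first, pairs = {}, []
    for idx, b in enumerate(_blocks(data)):
        if b in first:
            pairs.append((first[b], idx))
        else:
            first[b] = idx
    return tuple(pairs)


def demo() -> dict:
    # Constructed "attachment" with the kind of internal repetition a bitmap or
    # zero-filled document has: a 16-byte header, runs of identical bytes,
    # and the header repeated once more.
    header = b"HEADER0123456789"
    attachment = header + b"\x00" * 64 + b"\xff" * 64 + header
    ecb_ct = ecb_encrypt(DEMO_KEY, attachment)
    cbc_ct = cbc_encrypt(DEMO_KEY, DEMO_IV, attachment)
    return {
        "plain_fingerprint": block_fingerprint(pad(attachment)),
        "ecb_fingerprint": block_fingerprint(ecb_ct),
        "cbc_fingerprint": block_fingerprint(cbc_ct),
        "ecb_repeat_ratio": repeated_block_ratio(ecb_ct),
        "cbc_repeat_ratio": repeated_block_ratio(cbc_ct),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fingerprint is a set of equality relations between block positions, so a known file's fingerprint can be matched against ECB ciphertexts without knowing the key, which is exactly the "scan the encrypted email messages for these fingerprints" scenario in the excerpt. The same `repeated_block_ratio` check is what a reviewer would run over a product's ciphertext to confirm an authenticated, IV-based mode is in use.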

Title: Global Cops Arrest Dozens Linked to Financial Crime Gang
Date Published: October 17, 2022


Excerpt: “Interpol has released details of a new operation designed to target notorious West African criminal gang Black Axe, which led to 75 arrests. Operation Jackal saw the policing organization coordinate forces in 14 countries across four continents, in a bid to put pressure on one of the world’s most prolific financial crime syndicates. One “action week” at the end of September led to dozens of arrests and 49 property searches in Ireland, South Africa and Italy. At the same time, local police intercepted €1.2m ($1.1m) in bank accounts, using Interpol’s Anti-Money Laundering Rapid Response Protocol (ARRP), which is currently being trialed. “The ARRP is a game-changer in the fight against global financial crime, where speed and international cooperation are crucial to intercepting illicit funds before they disappear into the pockets of money mules abroad,” said Rory Corcoran, director of the Interpol Financial Crime and Anti-Corruption Centre (IFCACC). “Interpol’s Global Financial Crime Task Force has shown remarkable effectiveness in disrupting illicit financial flows, bringing together cyber and finance experts across sectors to track and cut off criminal money trails.” Police also seized assets including 12,000 SIM cards, which has helped them to build leads in other cases and identify 70 new suspects. Interpol issued seven purple notices detailing the tactics and techniques employed by Black Axe members, and six red notices requesting the arrest of internationally wanted fugitives. Among other assets seized were residential property, three cars and tens of thousands of dollars in cash. Black Axe is believed to have been in operation for decades. Although it’s involved in various criminal endeavors, it has made significant sums in romance fraud, business email compromise (BEC) and other financial crimes.”

Title: Mysterious Prestige ransomware targets organizations in Ukraine and Poland
Date Published: October 16, 2022


Excerpt: “Microsoft warns that new Prestige ransomware is targeting transportation and logistics organizations in Ukraine and Poland. Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland. The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims. A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises. Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking. The campaign shares victimology with recent operations conducted by Russia-linked threat actors. “The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” reads the report published by Microsoft Threat Intelligence Center (MSTIC). HermeticWiper is a destructive wiper that was discovered in February by researchers from cybersecurity firms ESET and Broadcom’s Symantec. The malicious code was employed in attacks that hit hundreds of machines in Ukraine.”

Title: Mango Markets Set to Pay $47M Bug Bounty to Hacker
Date Published: October 15, 2022


Excerpt: “Decentralized finance exchange Mango Markets is set to pay $47 million as a bug bounty to the hacker who stole $117 million in digital assets on Wednesday. Mango Markets is a trading platform riding on the Solana blockchain. The platform halted operations to cease all deposits and withdrawals to limit the impact of the attack. Under a new deal between the hacker and the decentralized finance exchange, the hacker will keep $47 million as a bug bounty and will return the remaining $67 million stolen via the protocol. The hacker initially put forth their proposal on the decentralized autonomous organization governing Mango Markets that would give the attacker a $70 million bounty. The Mango DAO governs Mango Markets and gives MNGO token holders the power to make decisions about the platform’s functions. The attacker also demanded that the decentralized finance company not initiate a criminal investigation or freeze the hacker’s funds if the proposal passes. The deadline for the voting ended on Saturday at 1:12 a.m. UTC, and 96% of the governance, which stands for around 473 million tokens, voted in favor of the deal. Only 3.4% were against the deal. The hackers also allegedly voted for this proposal using millions of tokens stolen from the exploit. “The funds sent by you and the mango DAO treasury will be used to cover any remaining bad debt in the protocol. All mango depositors will be made whole,” the governance vote says. The deal also requires hackers to send back some of the tokens within 12 hours of the proposal opening “as a show of good faith” and to return the remaining assets within 12 hours once the vote is complete and the deal is passed.”

Title: Apple’s Constant Battles Against Zero-Day Exploits
Date Published: October 14, 2022


Excerpt: “Over the past few years, there’s been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker’s portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn’t seem like the cat-and-mouse game will die anytime soon. In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the “rapid global proliferation of hacking tools” and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.”

Title: Venus Ransomware targets publicly exposed Remote Desktop services
Date Published: October 16, 2022


Excerpt: “Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related. BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it. Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol. Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.”
