October 18, 2022

Fortify Security Team

Title: Over 17000 Fortinet devices exposed online are very likely vulnerable to CVE-2022-40684
Date Published: October 18, 2022


Excerpt: “Fortinet confirmed that many systems are still vulnerable to attacks exploiting the CVE-2022-40684 zero-day vulnerability. Fortinet is urging customers to address the recently discovered CVE-2022-40684 zero-day vulnerability. Unfortunately, the number of devices that have yet to be patched is still high. “After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability. Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory.” reads the advisory published by the company. A couple of weeks ago, the security vendor addressed the critical authentication bypass flaw that impacted FortiGate firewalls and FortiProxy web proxies.
An attacker can exploit the vulnerability to log into vulnerable devices. “An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the advisory issued by the company PSIRT. The company urges customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.”

Title: Hackers compromised Hong Kong govt org’s network for a year
Date Published: October 18, 2022


Excerpt: “Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government organizations in Hong Kong and remained undetected for a year in some cases. The threat actor has been using custom malware called Spyder Loader, which has been previously attributed to the group. In May 2022, researchers at Cybereason discovered ‘Operation CuckooBees’, which had been underway since 2019 focusing on high-tech and manufacturing firms in North America, East Asia, and Western Europe. Symantec’s report notes that there are signs that the newly discovered Hong Kong activity is part of the same operation, and Winnti’s targets are government entities in the special administrative region.”

Title: Car theft ring used software to steal hundreds of vehicles without the physical key fob, say police
Date Published: October 18, 2022


Excerpt: “Law enforcement in France, Latvia and Spain have arrested 31 suspects believed to be part of a group that used software to steal vehicles without using the physical key fob. According to the EU Agency for Criminal Justice Cooperation (Eurojust), the suspects built or used software that duplicated certain models’ ignition keys and which was promoted online as an automotive diagnostic tool. “The criminals targeted keyless vehicles from two French car manufacturers. A fraudulent tool – marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob,” said Europol. “The perpetrators of the scam kept updating and adapting their software, to counteract the measures implemented by companies to reinforce the security of their vehicles,” Eurojust noted. On October 10, the 31 suspects were arrested in France, including the managers of the firm that allegedly built the software. Authorities searched 22 locations in France, Spain, and Latvia. They also seized €100 million, 12 bank accounts, real estate, three luxury cars and the website domain.”

Title: Ransom Cartel Linked to Russia-Based REvil Ransomware Group
Date Published: October 17, 2022


Excerpt: “The team behind the ransomware as a service (RaaS) group known as Ransom Cartel has been associated with the notorious REvil gang. The claims come from Palo Alto Networks’ security research team Unit 42, which shared a new technical write-up about Ransom Cartel with Infosecurity over the weekend. According to the advisory, the REvil ransomware stopped operating roughly two months before Ransom Cartel made its debut and just one month after 14 of its alleged members were arrested in Russia. “When Ransom Cartel first appeared, it was unclear whether it was a rebrand of REvil or an unrelated threat actor who reused or mimicked REvil ransomware code,” Unit 42 wrote. However, in time, the collection became clearer, mainly through the tools used by both threat actors. “While Ransom Cartel uses double extortion and some of the same [tactics, techniques and procedures] TTPs we often observe during ransomware attacks, this type of ransomware uses less common tools – DonPAPI, for example – that we haven’t observed in any other ransomware attacks.” Based on their investigation, the security researchers also observed that the Ransom Cartel operators have access to the original REvil ransomware source code but likely do not possess the obfuscation engine used to encrypt strings and hide API calls. “We speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point before starting their own operation,” the advisory reads. “Due to the high-profile nature of some organizations targeted by Ransom Cartel and steady stream of Ransom Cartel cases identified by Unit 42, the operator and/or affiliates behind the ransomware likely will continue to attack and extort organizations,” warned the security experts. To protect their systems from Ransom Cartel attacks, Unit 42 called for companies to deploy anti-ransomware software and to review the indicators of compromise for the threat, which are available in the advisory’s original text.”

Title: Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
Date Published: October 17, 2022


Excerpt: “Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component. The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity. The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. “Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers,” the advisory said. NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, “disables the problematic interpolators by default.” The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit’s (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.”
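As an added example (not from the article or the Commons Text project), the snippet below puts the weak default interpolator beside a substitutor built from an explicit allow-list of lookups, so the script, dns and url interpolators are unreachable whatever library version is on the classpath. It assumes commons-text is available; the `cfg` prefix, the sample configuration map and the template string are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // WEAK (default in 1.5 through 1.9): createInterpolator() wires in every
    // default lookup, including "script:", "dns:" and "url:". Any text that
    // reaches replace() can therefore invoke them.
    static StringSubstitutor weakSubstitutor() {
        return StringSubstitutor.createInterpolator();
    }

    // HARDENED: register only the lookups this application needs and pass
    // addDefaultLookups=false so the factory does not append the default set.
    // The allow-list behaves the same on 1.9 and 1.10.0, so the protection
    // does not rest on the upgrade alone.
    static StringSubstitutor safeSubstitutor(Map<String, String> appConfig) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "cfg" is a constructed prefix for this example's own settings map.
        allowed.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(appConfig));
        allowed.put(StringLookupFactory.KEY_DATE,
                    StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, /* defaultStringLookup */ null, /* addDefaultLookups */ false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> cfg = new HashMap<>();
        cfg.put("region", "eu-west-1");

        // Constructed template: the last variable names a prefix that is not
        // on the allow-list. With no default lookup to fall back on, the
        // interpolator returns null for it and the placeholder is left in the
        // output unresolved instead of being evaluated.
        String template = "region=${cfg:region} year=${date:yyyy} ${script:javascript:1+1}";
        System.out.println(safeSubstitutor(cfg).replace(template));
    }
}
```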

Title: New Data Leaks Add to Australia’s Data Security Reckoning
Date Published: October 18, 2022


Excerpt: “Personal data from MyDeal.com.au, a marketplace owned by Australia’s largest grocery chain Woolworths Group, has appeared for sale on a data leak forum. Later on Tuesday, it was marked as sold. That comes as wine retailer Vinomofo disclosed a breach on Monday and as the Optus telecommunications breach continues to fuel concerns over data security and if Australian data protection laws are adequate. The 500-line sample data from MyDeal appears to be legitimate, says Troy Hunt, a data breach expert who created Have I Been Pwned, a service that notifies people when their email address has appeared in a new data breach. MyDeal’s website will reveal if an email address is already in its system when trying to register a new account, Hunt says. Email addresses in the sample are registered with MyDeal. An attacker, who goes by the nickname “Christian Dior,” was selling the entire MyDeal data set for $600. Later on Tuesday, Dior marked the data as “sold” and wrote on Telegram that the “MyDeal DB has been sold – won’t be selling any more copies.” Woolworths Group, which owns MyDeal, disclosed on Friday that an attacker gained access to its customer relationship management system using a compromised login credential. CRM software is widely used amongst organizations to store and process user data.”

Title: Malware dev claims to sell new BlackLotus Windows UEFI bootkit
Date Published: October 17, 2022


Excerpt: “A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence. While cybercriminals who want a license for this Windows bootkit have to pay $5,000, the threat actor says rebuilds would only set them back $200. The seller says BlackLotus features integrated Secure Boot bypass, has built-in Ring0/Kernel protection against removal, and will start in recovery or safe mode. BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process. Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC).”

Title: Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike
Date Published: October 18, 2022


Excerpt: “HelpSystems, the company that developed the Cobalt Strike platform, addressed a critical remote code execution vulnerability in its software. HelpSystems, the company that developed the commercial post-exploitation toolkit Cobalt Strike, addressed a critical remote code execution vulnerability, tracked as CVE-2022-42948, in its platform. The company released an out-of-band security update to address the remote code execution issue that can be exploited by an attacker to take control of targeted systems. “Certain components within Java Swing will automatically interpret any text as HTML content if it starts with <html>. This can be exploited using an object tag, which in turn can load a malicious payload from a web server, which is then executed by the Cobalt Strike client.” reads the post published by HelpSystems. “Disabling automatic parsing of html tags across the entire client was enough to mitigate this behavior.” The vulnerability affects Cobalt Strike version 4.7.1 and results from an incomplete patch released on September 20, 2022, to address cross-site scripting (XSS) vulnerability tracked as CVE-2022-39197. An attacker can exploit the CVE-2022-39197 by manipulating some client-side UI input fields, by simulating a Cobalt Strike implant check-in or by hooking a Cobalt Strike implant running on a host.”
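The mitigation HelpSystems describes, switching off Swing's automatic HTML parsing across the client, rests on a standard Swing client property. The following is an added example (not Cobalt Strike code, and not from the article) showing how a Swing application can apply that property to a whole component tree; the component names and the sample text are constructed.

```java
import java.awt.Component;
import java.awt.Container;
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.JPanel;

public class SwingHtmlHardening {

    // Swing's BasicHTML consults the "html.disable" client property before
    // deciding whether text beginning with <html> is rendered as HTML.
    // Boolean.TRUE makes the component display such text literally.
    static void disableHtml(JComponent c) {
        c.putClientProperty("html.disable", Boolean.TRUE);
    }

    // Walk a component tree and flag every JComponent in it. Do this before
    // text is assigned (or re-assign the text afterwards): the HTML view is
    // built when the text property changes, not when the flag is set.
    static int disableHtmlRecursively(Container root) {
        int count = 0;
        for (Component child : root.getComponents()) {
            if (child instanceof JComponent) {
                disableHtml((JComponent) child);
                count++;
            }
            if (child instanceof Container) {
                count += disableHtmlRecursively((Container) child);
            }
        }
        return count;
    }

    // True when the component will treat <html>-prefixed text as plain text.
    static boolean isHtmlDisabled(JComponent c) {
        return Boolean.TRUE.equals(c.getClientProperty("html.disable"));
    }

    public static void main(String[] args) {
        JPanel panel = new JPanel();
        JLabel hostLabel = new JLabel();   // constructed UI field
        panel.add(hostLabel);
        int flagged = disableHtmlRecursively(panel);

        // Constructed untrusted value of the kind the advisory describes: it
        // starts with <html>, so an unflagged JLabel would parse it as markup.
        hostLabel.setText("<html><b>host-01</b></html>");
        System.out.println("components flagged: " + flagged
                + ", html disabled on label: " + isHtmlDisabled(hostLabel));
    }
}
```

Renderers that create their own labels (table and tree cell renderers, tooltips) are not children of the container and need the property set on the renderer component as well.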

Title: Disinformation Attacks Threaten US Midterm Elections
Date Published: October 17, 2022


Excerpt: “Foreign nations continue to target various US public entities and private industries with cyberattacks, but the coming midterms are driving more disinformation than hacking, say experts. While traditional cyberattack operations against US government organizations have remained fairly consistent, influence and disinformation attacks by foreign nations have increased in the run-up to the US midterm elections. On the cyberattack front, the China-linked hacking group Budworm has targeted several government agencies, including the legislature for a US state, over the past six months, according to Symantec, part of Broadcom Software. The attack on a US government organization is the second recent incident — after a hiatus of more than six years — where the group has targeted a US private-sector agency, the company’s researchers stated in an advisory. The attack is a departure from the group’s more recent strategy of targeting Southeast Asia, and could mark a shift in strategy, says Dick O’Brien, principal intelligence analyst for the Symantec Threat Hunter team.”

Title: Wine Merchant Among Aussie Firms Breached, Exposing Millions
Date Published: October 18, 2022


Excerpt: “Wine retailer Vinomofo has become the latest Australian business to be targeted by hackers, with reports suggesting as many as half a million customers may have had their information exposed. A letter to customers published by security expert Troy Hunt, revealed that a wide variety of personal data may have been stolen by the attackers. “An unauthorized third party unlawfully accessed our database on a testing platform,” it noted. “Information about you that was contained in the database that may have been accessed may include name, gender, date of birth, address, email address and phone number.” Although the firm claimed that “the risk to customers and members” is low – and that the firm doesn’t store passport, driver’s license or financial information – the info potentially exposed could put customers at a high risk of receiving convincing phishing emails going forward. It’s unclear how many individuals were affected by the incident, but reports suggest Vinomofo has around 500,000 customers.”
