October 19, 2022

Fortify Security Team

Title: An Introduction to the State and Local Cybersecurity Grant Program (SLCGP)

Date Published: October 19, 2022


Excerpt: “Cybersecurity funding in corporate environments has always been a source of anxiety for those who seek to keep organizations safe. When we examine the cybersecurity readiness of many state, local, and territorial governments, this funding struggle is taken to new heights of scarcity. Fortunately, a new program has been created by the Department of Homeland Security (DHS) to improve this shortfall, and better protect municipalities in the United States. As introduced on the Cybersecurity and Infrastructure Security Agency (CISA) website: “On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.” “Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local, and territorial (SLT) governments. Through two distinct Notice of Funding Opportunities (NOFO), SLCGP and TCGP combined will distribute $1 billion over four years to support projects throughout the performance period of up to four years. This year, the TCGP will be released after SLCGP.” The Federal Emergency Management Agency (FEMA) will be the administrative and oversight authority for the appropriated funds. The grants will be distributed to the State Administrative Agencies (SAA), which will distribute the money to the local governments. The primary purpose of this initiative is to be able to help those state and local governments perform cybersecurity at a level that may not have been previously possible due to budget constraints. One need not look very far to see that local governments are susceptible to many of the same threats that impact many private corporations.”

Title: Microsoft Office 365 Message Encryption (OME) doesn’t ensure confidentiality

Date Published: October 19, 2022


Excerpt: “A bug in the message encryption mechanism used by Microsoft in Office 365 can allow access to the contents of the messages. Researchers at the cybersecurity firm WithSecure discovered a bug in the message encryption mechanism used by Microsoft in Office 365 that can allow access to message contents. The experts pointed out that Microsoft Office 365 Message Encryption (OME) relies on Electronic Codebook (ECB) mode of operation. The ECB mode is considered insecure and can reveal the structure of the messages sent, potentially leading to partial or full message disclosure. The OME method is used to send and receive encrypted email messages and the vulnerability can allow attackers to decipher the content of encrypted emails. “Malicious 3rd party gaining access to the encrypted email messages may be able to identify content of the messages since ECB leaks certain structural information of the messages. This leads to potential loss of confidentiality.” reads the post published by WithSecure. “Since the encrypted messages are sent as regular email attachments, the messages sent may be stored in various email systems, and may have been intercepted by any party between the sender and the recipient. An attacker with a large database of messages may infer their content (or parts of it) by analyzing relative locations of repeated sections of the intercepted messages.” The experts demonstrated how to exploit the flaw by extracting an image from an Office 365 Message Encryption-protected email. The experts pointed out that despite the message being encrypted with AES, which is secure, the use of the ECB mode exposed the content of the message.”
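The structural leak described in the excerpt, shown as an added example that is not code from WithSecure or Microsoft: a toy Feistel block cipher (an assumed stand-in for AES, used only so the code runs with the standard library) is run in ECB and in CBC mode over a constructed two-colour "image", and a duplicate-block count, the standard check for ECB-mode ciphertext, shows that only ECB leaves the repeated plaintext structure visible.

```python
import hmac
import hashlib
import os

BLOCK = 16  # 128-bit blocks, the AES block size

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over the round index and the right half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel block cipher: a toy, invertible stand-in for AES (not for real use)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_fn(key, rnd, right)))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks"
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first, which hides repetition."""
    assert len(data) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the classic ECB-mode tell."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo() -> tuple:
    # Constructed plaintext standing in for an image: 8 rows of 0x00 pixels, then 8 rows of 0xff.
    image = (b"\x00" * BLOCK) * 8 + (b"\xff" * BLOCK) * 8
    key = b"constructed demo key, not secret"
    return (repeated_blocks(ecb_encrypt(key, image)),
            repeated_blocks(cbc_encrypt(key, os.urandom(BLOCK), image)))

if __name__ == "__main__":
    ecb_repeats, cbc_repeats = demo()
    print(f"ECB: {ecb_repeats} repeated blocks, CBC: {cbc_repeats} repeated blocks")
```

The same duplicate-block count can be run over any ciphertext attachment of unknown provenance; a non-zero result on realistic data is strong evidence that ECB (or a misused IV) is in play.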

Title: Deadbolt Ransomware Extorts Vendors and Customers

Date Published: October 19, 2022


Excerpt: “A prolific ransomware group targeting network-attached storage (NAS) devices this year monetizes its efforts by extorting both vendors and their end customers, according to a new report. Group-IB’s study, Deadbolt ransomware: nothing but NASty, is based on its analysis of a sample of the malware, which first appeared at the start of the year. In an ongoing campaign, it has targeted NAS devices from Taiwanese vendor QNAP belonging to SMBs, schools, individual home users and others using zero-day vulnerabilities as an initial access/attack vector. Group-IB claimed the threat actors operate globally without discrimination, demanding between 0.03 and 0.05 bitcoin (less than $1000) from end users for a decryption key. However, unusually for ransomware, the group also seeks to extort the NAS vendors themselves. “For a ransom of 10 BTC ($192,000), the threat actors promised the NAS vendor, QNAP, that they would share all the technical details relating to the zero-day vulnerability that they manipulated, and for 50 BTC ($959,000) they offered to include the master key to decrypt the files belonging to the vendor’s clients who had fallen victim to the campaign,” the report explained. It doesn’t appear as if these efforts to target QNAP have succeeded thus far. A report from last month claimed that Deadbolt infections surged 674% between June and September. A majority of these infections were found in the US, with 2472 hosts showing signs of Deadbolt, followed by Germany (1778), and Italy (1383). However, there has been some success in the fight against Deadbolt. Last Friday, Dutch cyber police managed to obtain more than 150 decryption keys for the ransomware by tricking its operators. The cops paid via bitcoin, received the keys and then promptly withdrew their payment, leaving them with working decryption keys for 150 victims.”

Title: Government officials, including Russia, call for dialogue in combating cybersecurity threats

Date Published: October 19, 2022


Excerpt: “Need for multilateral cooperation and open communications is the shared message amongst senior government officials from across the globe, including Russia and the United States, who have gathered in Singapore to discuss strategies in cyber defense. Multilateral collaboration and information exchange between nations are key in the battle against cybersecurity threats, especially as global systems today are increasingly interconnected. Citizens also need to take responsibility for their personal cyber hygiene amidst growing adoption of Internet of Things (IoT), where one compromised device can bring down an entire network. There should be open dialogues and communication channels through which governments could share cyber threat details, urged delegates during a ministerial roundtable discussion held Wednesday at the Singapore International Cyber Week conference. “Cyber threats pose an existential threat to life as we know it. We need to look beyond individual country and individual interests to work together for our collective good,” said Ursula Owusu-Ekuful, Ghana’s Minister for Communications and Digitalisation. “Until we realise that and learn how to engage with each other, and promote dialogue and experience sharing, we will continue to remain at risk.” She underscored the need for greater international cooperation and capacity building, with emphasis on building core digital skills that were required to safeguard individuals and societies.”

Title: Intent-based approach leverages neural networks to deliver targeted classifications to BECs

Date Published: October 18, 2022


Excerpt: “Researchers on Wednesday explained an innovative new way to mitigate business email compromise (BEC) attacks, an intent-based approach using neural networks that detects the BEC and then classifies it into a specific type of scam. In a blog post, Cisco Talos researchers said in the intent-based approach, the system catches BEC messages irrespective of whether a threat actor impersonates a C-level executive or any rank-and-file employee in the organization. This approach extracts text from an email, converts sentences to numeric vectors by encoding the meaning of words in the sentences, using the neural network language model (NNLM) or Bi-directional Encoder Representations from Transformers (BERT) encodings. It then performs detection and classification using deep neural networks. The researchers say classification based on the type of scam can help security teams identify which segment of an organization was targeted and which employees were impersonated by the attackers. So the intent-based approach not only detects the BECs, but also labels it into the type of BEC scam. This can range from payroll, money transfer, initial lure, gift card scams, invoice scams, acquisitions scams, W2 scams, and aging reports.”

Title: Hackers target Asian casinos in lengthy cyberespionage campaign

Date Published: October 18, 2022


Excerpt: “A hacking group named ‘DiceyF’ has been observed deploying a malicious attack framework against online casinos based in Southeast Asia since at least November 2021. According to a new report by Kaspersky, the DiceyF APT group does not appear to be targeting financial gains from the casinos but instead conducting stealthy cyberespionage and intellectual property theft. The DiceyF activity aligns with “Operation Earth Berberoka” reported by Trend Micro in March 2022, both pointing to the threat actors being of Chinese origin. The attack framework used by the APT is named ‘GamePlayerFramework’, and is a C# rewrite of the C++ malware ‘PuppetLoader.’ The framework features payload downloaders, malware launchers, plugins, remote access modules, keyloggers, clipboard stealers, and more.”

Title: HelpSystems Patch Falls Short, RCE Vulnerability in Cobalt Strike Remains

Date Published: October 18, 2022


Excerpt: “A remote code execution (RCE) vulnerability has been discovered in Cobalt Strike software, potentially allowing threat actors to take control of targeted systems. At a basic level, Cobalt Strike is a red-team framework primarily used for adversary simulation. It comprises a team server that functions as a command-and-control (C2) component and a beacon (malware tool) to create a connection to the team server and drop next-stage payloads. The new flaw (tracked CVE-2022-42948) affects Cobalt Strike version 4.7.1 and derives from an incomplete patch released by HelpSystems on September 20, 2022, to rectify a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could lead to RCE attacks. According to a new advisory by the IBM-sponsored Security Intelligence team, the XSS vulnerability could be triggered in one of three ways: by manipulating client-side UI input fields, simulating a Cobalt Strike implant check-in or hooking a Cobalt Strike implant running on a host. Despite the patch released by HelpSystems last month, the first of these three methods has not been fully patched, as described by the IBM advisory. Addressing the new flaw in a blog post published on Monday, Greg Darwin, software development manager at HelpSystems, clarified that RCE could be triggered in specific cases using the Java Swing framework, the graphical user interface (GUI) toolkit behind Cobalt Strike.”

Title: German Cybersecurity Boss Sacked Over Kremlin Connection

Date Published: October 18, 2022


Excerpt: “Head of German national cybersecurity agency was fired over ties to a member of Russian intelligence once honored by Vladimir Putin. The chief of Germany’s national cybersecurity agency, Arne Schönbohm, has lost his job as a result of allegations about his ties to a cybersecurity firm called Protelion (formerly Infotecs), which was founded by a reported member of Russian intelligence. Interior Minister Nancy Faeser formally dismissed Schönbohm on Tuesday, according to Deutsche Welle (DW). “The background to this is not least the allegations, which are well known and widely discussed in the media, and which have permanently damaged the necessary public confidence in the neutrality and impartiality of the conduct of his office as president of Germany’s most important cybersecurity authority,” the spokesperson told DW. Schönbohm has held the post since February 2016 but faced mounting scrutiny following the Russian invasion of Ukraine, the report explained. A public-private advisory group Schönbohm founded 10 years ago called the Cyber Security Council of Germany included Protelion, which was run by someone whose ties to the Kremlin were so close they were reportedly honored by Vladimir Putin. Protelion has since been removed from the Council.”

Title: iDealwine suffers a data breach

Date Published: October 19, 2022


Excerpt: “Popular international fine wine online retailer iDealwine has suffered a data breach during the past weekend, and has yet to reveal the number of customers affected. Its e-shop is still offline, showing a brief explanatory message, and the firm has informed all potentially affected customers about the cyberattack via email (also via the company blog). iDealwine is an e-merchant based in France, with offices in Hong Kong and London. It specializes in online auctions and fixed-price sales of fine wine, and provides information about news and trends in the wine industry. The company revealed it has contacted experts to deal with the issue, as well as the data privacy regulators in France and UK. It has informed its customers that their name, address, telephone number and email address may have been compromised. Customers’ credit card/bank information has not been compromised, since it’s not stored on company servers.”

Title: Verizon notifies prepaid customers their accounts were breached

Date Published: October 18, 2022


Excerpt: “Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks. “We determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account,” Verizon said in an alert published this week. “Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it.” Verizon added that it blocked further unauthorized access to its clients’ accounts and found no evidence that this malicious activity is still ongoing. The company also reset the Account Security Codes (PINs) for an undisclosed number of customers “in an abundance of caution.” According to the notification, the attackers couldn’t access the full credit card number or the customers’ banking information, financial information, passwords, Social Security numbers, tax IDs, or other personal details since user accounts don’t contain this info. However, Verizon said the threat actors could have accessed names, telephone numbers, billing addresses, price plans, and other service-related information on compromised accounts.”
