October 20, 2022

Fortify Security Team

Title: Hackers use new stealthy PowerShell backdoor to target 60+ victims
Date Published: October 19, 2022


Excerpt: “A previously undocumented, fully undetectable PowerShell backdoor is being actively used by a threat actor who has targeted at least 69 entities. Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system. When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service. However, its cover was blown due to operational mistakes by the hackers, allowing SafeBreach analysts to access and decrypt commands sent by the attackers to execute on infected devices.”

Title: Internet disruptions observed as Russia targets critical infrastructure in Ukraine
Date Published: October 20, 2022


Excerpt: “While the Russian army is conducting coordinated missile and drone strikes in Ukraine, experts observed Internet disruptions in the country. Starting on the morning of Monday, October 10, the Russian army has been targeting several cities in Ukraine with coordinated missile and drone strikes. The escalation is a retaliation for the bombing of a bridge connecting Crimea to Russia. The strategy adopted by Moscow consists of disrupting energy and telecoms infrastructure in multiple regions of the country. Global internet monitor NetBlocks reported widespread Internet disruptions in the country as a result of the attacks. “Network data show major sustained impacts to infrastructure across much of #Ukraine after a series of reprisal attacks by Russia; energy facilities have been targeted per President’s office,” reported the observatory. “Following rapid repair efforts, much of the lost connectivity was restored by Tuesday.” Regions around cities (Kharkiv, Sumy, Lviv, Zaporizhzhia) that were the targets of the attacks were heavily impacted. Network connectivity was observed to fall to 81% of ordinary levels in Kyiv City after the Russian attacks on infrastructure.”

Title: This old malware has been rebuilt with new features to use in ransomware attacks
Date Published: October 20, 2022


Excerpt: “One of the oldest and most successful forms of banking malware has been repurposed into a backdoor trojan which has been described as “significantly dangerous” and likely to be used for ransomware attacks. The new variant of Ursnif malware – also known as Gozi – has been detailed by researchers at security company Mandiant, who suggest it has been purposefully built to power ransomware and data theft attacks. Designed to steal bank details, the first incarnation of the malware appeared in 2006 and has caused tens of millions of dollars in losses, with the FBI describing it as “one of the most financially destructive computer viruses in history”. Since then, the original source code has leaked, spawning several new variants which still plague victims to this day. These versions of Ursnif have stuck with the goal of the original malware – stealing bank details. But according to analysis by Mandiant, that’s changed with a new variant – dubbed LDR4 – which has repurposed Ursnif into malware in the style of Trickbot and Emotet. Attackers using the malware could steal data or use the backdoor to install ransomware, something which could cause much wider and much more severe damage than stealing bank details, and provide attackers with a much larger payday.”

Title: Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
Date Published: October 20, 2022


Excerpt: “ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The malicious app was uploaded to VirusTotal where it triggered one of our YARA rules (used to classify and identify malware samples), which gave us the opportunity to analyze it. This version of FurBall has the same surveillance functionality as previous versions; however, the threat actors slightly obfuscated class and method names, strings, logs, and server URIs. This update required small changes on the C&C server as well – precisely, names of server-side PHP scripts. Since the functionality of this variant hasn’t changed, the main purpose of this update appears to be to avoid detection by security software. These modifications have had no effect on ESET software, however; ESET products detect this threat as Android/Spy.Agent.BWS. The analyzed sample requests only one intrusive permission – to access contacts. The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase of a spear phishing attack conducted via text messages. If the threat actor expands the app permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more.”

Title: Brazilian Police Arrest Lapsus$ Suspect
Date Published: October 20, 2022


Excerpt: “Federal police in Brazil yesterday arrested a suspected member of the prolific Lapsus$ cybercrime collective, after launching an investigation this summer. A press release claimed the man was apprehended in Feira de Santana, a city in the north-east of the country, as a result of Operation Dark Cloud, which began in August. That policing effort was precipitated by Lapsus$ attacks that targeted dozens of Brazilian government agencies, including the Ministry of Health, Ministry of Economy, Comptroller General of the Union and the Federal Highway Police. According to the police, a breach at the health ministry enabled attackers to delete data and compromise a website used to manage COVID vaccine certificates. The data extortion group is said to have posted a message to the ministry’s website claiming the stolen information was in its hands. Lapsus$ has targeted many other big-name organizations across the globe over the past year, including tech firms Nvidia, Samsung, Microsoft, Okta, Vodafone, Mercado Libre and Uber. However, law enforcers appear to have the group in their sights. Back in March, City of London police arrested seven suspects, and a month later charged two teenage boys with hacking offenses. The duo could not be named due to their age, but one is believed to be the ringleader of the group – a 16-year-old boy from Oxford who is said to go by the online monikers “White” and “Breachbase.” In September, the same police force reportedly re-arrested one of the Lapsus$ suspects in connection with an attack on Rockstar Games in which a hacker leaked footage of an upcoming Grand Theft Auto game. The individual has also been linked to a breach at Uber.”

Title: Crimeware Hackers Adopt APT-Like Capabilities
Date Published: October 18, 2022



Excerpt: “Cyber Weapon-Grade Hacking Tools Pose Danger for Financial Sector, Says Kaspersky. Cyberthieves traditionally on the lower rung of hacking abilities now have access to nation-state-class malicious software, warn close observers of the criminal dark web. The appearance on criminal forums of tools capable of infecting a computer’s boot firmware or malware that evades antivirus detection is a consequence of years of state-sponsored development of cyber weapons, says Sergey Lozhkin, lead security researcher at Kaspersky Global Research and Analysis Team. “Cybercriminals learned from APTs and exposed information to the public on espionage tools, and they are adopting these modus operandi to their toolkits to target victims in the financial sector,” said Lozhkin, referring to advanced persistent threats. Users who prefer stealing money over swiping secrets may not even need to understand the internals of an advanced cyberweapon, since crimeware programmers are willing to do it for them, he told a handful of media outlets recently in Kaspersky’s London office. Coders behind crimeware applications – the class of malware focused mainly on stealing money – have grown in sophistication and offer users ready-made tools.”

Title: Microsoft Customer Data Exposed by Misconfigured Server
Date Published: October 19, 2022


Excerpt: “Sensitive information for some Microsoft customers was exposed by a misconfigured server, Microsoft Security Response Center said on Wednesday. The misconfigured endpoint was accessible on the Internet and did not require authentication. The exposed information included names, email addresses, email content, company name, phone numbers, and files “relating to business between a customer and Microsoft or an authorized Microsoft partner,” the company said. The endpoint has already been secured to require authentication, and affected customers have been notified. “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” Microsoft said, noting that there is no indication that customer accounts or systems had been compromised. Microsoft learned of the misconfiguration on Sept. 24 from a research team at SOCRadar. SOCRadar’s researchers claimed in their own blog post to have found 2.4TB of emails and project files containing Statement of Work documents, product orders, project details, personally identifiable information, invoices, price lists, and “documents that may reveal intellectual property.” The researchers claimed the exposed information could be linked to more than 65,000 entities from 111 countries.”

Title: Experts discovered millions of .git folders exposed to public 
Date Published: October 20, 2022


Excerpt: “Nearly two million .git folders containing vital project information are exposed to the public, the Cybernews research team found. Git is the most popular open-source, distributed version control system (VCS), developed nearly 20 years ago by Linus Torvalds for development of the Linux kernel, with other kernel developers contributing to its initial development. It allows coordination among programmers developing source code and allows tracking of changes. A .git folder contains essential information about projects, such as remote repository addresses, commit history logs, and other essential metadata. Leaving this data in open access can lead to breaches and system exposure. For example, other recent research by Cybernews discovered that CarbonTV, a US-based streaming service, left a server with its source code open, risking user safety and the company’s reputation. The source code was leaking due to poor control of access to the .git folder. Researchers at Cybernews scanning the most common web service ports, 80 and 443, found 1,931,148 IP addresses with live servers that had a .git folder structure accessible to the public. “Having public access to the .git folder could lead to the exposure of the source code. Tools required to get parts or full source code from the .git folder are free and well-known, which could lead to many more internal leaks or easier access to the system for a malicious actor,” Martynas Vareikis, a researcher at Cybernews, said. Over 31% of publicly exposed .git folders are located in the US, followed by China (8%) and Germany (6.5%). Around 6.3% of exposed .git configuration files had their deployment credentials in the configuration file itself. “Credential leaks are even worse. Threat actors could use them to view/access/pull/push all repositories, opening up even more opportunities for a malicious actor, such as planting malicious ads, changing content, and credit card skimming. Possibilities are endless when you have full access,” Vareikis warned. He said developers need to make use of the .gitignore file, telling Git which files to ignore when committing a project to the GitHub repository. In general, it’s never a good idea to commit anything sensitive, even to private repositories.”
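The two findings in this excerpt, a reachable .git folder and deployment credentials sitting in .git/config, are both things an owner can check on their own servers. The script below is an added example (not Cybernews' tooling or anything from the Fortify team): it recognizes a genuine .git/HEAD body rather than trusting an HTTP 200, parses git's INI-like config with a small parser (configparser would treat git's tab-indented keys as continuation lines), and flags remotes whose URL embeds a password, printing them redacted. The sample responses are constructed so the block runs offline; the fetch helper assumes the host it is pointed at is one you are authorized to audit.

```python
"""Self-audit helper: is a .git directory reachable over HTTP, and does its
config leak a remote password?  Added example with constructed sample data."""
import re
from urllib.error import URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# A real HEAD is either a symbolic ref or a raw object id (SHA-1 or SHA-256).
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def is_git_head(body: str) -> bool:
    """True when a response body is a plausible .git/HEAD.  Matching content
    avoids false positives from servers that answer 200 for every path."""
    return bool(HEAD_RE.match(body.strip()))


def parse_git_config(text: str) -> dict:
    """Minimal parser for git config: {(section, key): value}.
    [remote "origin"] becomes the section name 'remote origin'."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].replace('"', "").strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            entries[(section, key.strip())] = value.strip()
    return entries


def redact_url(url: str) -> str:
    """Replace an embedded password with *** so findings can be logged safely."""
    p = urlsplit(url)
    if p.password is None:
        return url
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, f"{p.username}:***@{host}", p.path, p.query, p.fragment))


def credentialed_remotes(config: dict) -> list:
    """Remotes whose URL carries user:password@host, i.e. the deployment
    credentials an exposed .git/config would hand to anyone who fetches it."""
    found = []
    for (section, key), value in config.items():
        if section.startswith("remote ") and key == "url" and urlsplit(value).password is not None:
            found.append((section.split(" ", 1)[1], redact_url(value)))
    return found


def assess(head_body: str, config_text: str) -> dict:
    """Verdict for one host from the bodies of /.git/HEAD and /.git/config."""
    exposed = is_git_head(head_body)
    leaks = credentialed_remotes(parse_git_config(config_text)) if exposed else []
    return {"git_exposed": exposed, "credentialed_remotes": leaks}


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """Fetch one path from a host you are authorized to audit; None on any error."""
    req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "git-exposure-self-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (URLError, ValueError, OSError):
        return None


# Constructed sample responses standing in for what a misconfigured server
# would return; the hostname and credential are made up.
SAMPLE_HEAD = "ref: refs/heads/main\n"
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:s3cret@git.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/app.git
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HEAD, SAMPLE_CONFIG))
```

To run it against a host of your own, call `assess(fetch(base, "/.git/HEAD") or "", fetch(base, "/.git/config") or "")`. Whatever the verdict, the durable fix is to deny the path at the web server (for nginx, a `location ~ /\.git` block that returns 404; for Apache, `RedirectMatch 404 /\.git`) and to keep credentials out of remote URLs by using a credential helper or SSH keys instead.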

Title: Cybercriminals jailed for cryptocurrency theft, death threats
Date Published: October 20, 2022


Excerpt: “On Wednesday, two Massachusetts men were sentenced to more than two years in prison each for stealing cryptocurrency in SIM swapping attacks and hijacking their victims’ social media accounts. In their attacks, Eric Meiggs and Declan Harrington targeted individuals who likely owned significant amounts of crypto assets in Coinbase or Block.io wallets (like cryptocurrency executives) or potential victims who controlled high-value “Original Gangster” (OG) Instagram and Tumblr accounts. “Meiggs and Harrington conspired to hack into and take control over these victims’ online accounts so they could obtain things of value, such as cryptocurrency,” a DOJ press release reads. “They used an illegal practice known as “SIM-swapping” and other techniques to access, take control of, and in some cases steal cryptocurrency from the accounts.” Harrington and Meiggs were charged in November 2019 for targeting at least ten victims in SIM swapping attacks and, in some cases, with death threats. The defendants both pleaded guilty to charges of crypto theft and hijacking victims’ social media accounts. While each defendant faced a statutory maximum penalty of 20 years in prison for charges of wire fraud, Meiggs was sentenced to two years and one day in prison and Harrington to two years and seven days.”

Title: Moola Market Reveals $9m Crypto Exploit
Date Published: October 19, 2022


Excerpt: “Decentralized finance (DeFi) platform Moola Market has suffered a security incident leading to a loss of up to $9m worth of cryptocurrency. The Celo blockchain-based platform admitted the incident in a tweet posted at 19:03 BST on Tuesday, October 18. In a thread, the Moola Market team stated: “We are actively investigating an incident on @Moola_Market. All activity on Moola has been paused. Please do not trade mTokens. “To the exploiter, we have contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours.” Several hours later, it appeared the hacker had negotiated a “bounty” for returning most of the funds taken by the attacker. Moola Market tweeted: “Following today’s incident, 93.1% of funds have been returned to the Moola governance multi-sig. We have continued to pause all activity on Moola, and will follow up with the community about next steps, and to safely restart operations of the Moola protocol.” Later on, the company again took to Twitter to provide an update on the incident. It said that an “unknown attacker” started manipulating the price of MOO on Ubeswap, allowing them to manipulate the MOO time weighted average price (TWAP) oracle used by the Moola protocol. This meant they were able to borrow a large amount of cUSD, cEUR and CELO from the protocol using MOO as collateral, “effectively draining the protocol of its funds.” Moola Market then revealed that 10 minutes after tweeting about its willingness to negotiate a bounty payment, it received a direct message from someone claiming to be the attacker who controlled the private key that was custodying the bulk of the funds. This led to 93.1% of the funds being returned to an “admin multi-sig used by Moola.” The incident bears similarities to a $177m exploit suffered by Mango Markets last week (October 11), in which the hacker negotiated to keep $47m of the funds as a “bounty.” Analyzing the cases, blockchain security platform CertiK explained: “In both cases, the attacker borrowed the illiquid native token of the lending platform, manipulated the price higher, and then used this newly-inflated value of their collateral to borrow more of the protocol’s assets.” CertiK continued: “Users who have assets deposited into similar lending platforms should investigate to see if their assets are at similar risk of being drained by such a strategy.”
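CertiK's advice to check whether a lending platform is at "similar risk" comes down to two parameters: how long the oracle's averaging window is relative to how long an attacker can hold a thin market at an inflated price, and how much the protocol lends per unit of oracle value. The block below is an added example, not code from Moola Market, Ubeswap or CertiK; it assumes an oracle that averages equally spaced price samples, a loan-to-value (LTV) rule, and a constructed price series in which the collateral token is pushed from 1.0 to 5.0 for the last two samples. It quantifies the borrow limit a short versus a long window would grant, and shows a spot-versus-TWAP deviation check of the kind a protocol can use to pause pricing while the two disagree.

```python
"""Risk arithmetic for a TWAP-priced collateral token.  Added example with
constructed numbers; window lengths, LTV and prices are illustrative."""


def twap(prices, window):
    """Time-weighted average over the last `window` equally spaced samples."""
    if window <= 0 or window > len(prices):
        raise ValueError("window must be between 1 and len(prices)")
    recent = prices[-window:]
    return sum(recent) / window


def max_borrow(collateral_units, oracle_price, ltv):
    """Largest loan the protocol would extend against the collateral."""
    return collateral_units * oracle_price * ltv


def spot_vs_twap_alert(spot, twap_price, max_ratio=1.25):
    """Circuit-breaker rule: a live price far from the averaged price is the
    signature of a short-lived manipulation rather than genuine repricing, so
    the protocol should refuse to value collateral until they reconverge."""
    return spot / twap_price > max_ratio or twap_price / spot > max_ratio


# Constructed series: 46 samples at a stable 1.0, then the illiquid token is
# held at 5.0 for the final 2 samples.
HONEST_PRICE = 1.0
MANIPULATED = [1.0] * 46 + [5.0] * 2


def compare_windows(prices, collateral_units=1000.0, ltv=0.5, windows=(4, 48)):
    """Oracle value, borrow limit and alert state for each window length,
    alongside the borrow limit an honest price would have allowed."""
    result = {}
    for window in windows:
        p = twap(prices, window)
        result[window] = {
            "twap": p,
            "borrow": max_borrow(collateral_units, p, ltv),
            "alert": spot_vs_twap_alert(prices[-1], p),
        }
    result["honest_borrow"] = max_borrow(collateral_units, HONEST_PRICE, ltv)
    return result


if __name__ == "__main__":
    for key, value in compare_windows(MANIPULATED).items():
        print(key, value)
```

With these numbers the 4-sample window reports a TWAP of 3.0 and would lend 1500 against collateral honestly worth 500, while the 48-sample window reports about 1.17 and would lend about 583; the deviation check fires in both cases, which is why it belongs in front of the borrow path rather than as an after-the-fact monitor.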
