October 21, 2022

Fortify Security Team

Title: OldGremlin Ransomware Ups Ante Against Russian Targets
Date Published: October 20, 2022

https://www.infosecurity-magazine.com/news/oldgremlin-ransomware-russian/

Excerpt: “A ransomware group which unusually targets Russian organizations has upped its efforts this year, demanding larger ransoms from its victims and developing new malware for Linux, according to Group-IB. The security vendor yesterday released what it claimed was the first comprehensive report on the group known as “OldGremlin,” which was first spotted in 2020. “That year, the gang carried out dozens of campaigns, with emails purporting to be from micro-finance companies, a metals and mining company, a tractor manufacturer, and a business media holding,” the report explained. “In 2021, the group carried out a single but highly successful campaign: the threat actor impersonating an association of online retailers. In 2022, OldGremlin carried out five campaigns masquerading as tax and legal services companies, a payment system, an IT company, and more.” In total, the gang has hit 16 organizations, a relatively low number compared to some of the more prolific ransomware groups. But it appears to have been more ambitious this year, demanding a record $16.9m from one victim, according to Group-IB. OldGremlin has also expanded its efforts to target Linux systems with a new malware variant. Initial access is achieved by phishing email. They then deploy familiar tools like Cobalt Strike for lateral movement and other activity.”

Title: BlackByte ransomware uses new data theft tool for double-extortion
Date Published: October 20, 2022

https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-uses-new-data-theft-tool-for-double-extortion/

Excerpt: “A BlackByte ransomware affiliate is using a new custom data stealing tool called ‘ExByte’ to steal data from compromised Windows devices quickly. Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor. Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools. At the same time, other threat actors, like Karakurt, don’t even bother to encrypt local copies, solely focusing on data exfiltration.”

Title: Healthcare system Advocate Aurora Health data breach potentially impacted 3M patients
Date Published: October 21, 2022

https://securityaffairs.co/wordpress/137421/data-breach/advocate-aurora-health-data-breach.html

Excerpt: “Healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The US-based hospital healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The company is notifying the impacted individuals. The healthcare system operates 26 hospitals in Wisconsin and Illinois. The root cause of the data breach is the improper use of Meta Pixel on the websites of the organizations. The Meta Pixel is a snippet of JavaScript code that allows administrators to track visitor activity on their websites. The compromised websites contained sensitive personal and medical information entered by the patients.”

Title: Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration
Date Published: October 20, 2022

https://www.darkreading.com/cloud/microsoft-data-exposure-incident-highlights-risk-of-cloud-storage-misconfigurations

Excerpt: “Many enterprises continue to leave cloud storage buckets exposed despite widely available documentation on how to properly secure them. Cloud storage misconfigurations of the sort that Microsoft disclosed late yesterday continue to be a major contributor to data breaches. Microsoft Security Response Center said in a post that information shared by prospective clients with the company in recent years potentially may have been compromised via a misconfigured cloud storage endpoint. SOCRadar, the threat intelligence firm that reported the issue to Microsoft, described discovering the data in an Azure Blob storage bucket that was publicly accessible over the Internet. The data was associated with more than 65,000 companies in 11 countries and included statement-of-work documents, invoices, product orders, project details, signed customer documents, product price lists, personally identifiable information (PII), and potentially intellectual property as well.”

Title: Medibank Acknowledges Data Breach Including Medical Data
Date Published: October 20, 2022

https://www.databreachtoday.com/medibank-acknowledges-data-breach-including-medical-data-a-20301

Excerpt: “Ransomware hackers stole up to 200 gigabytes from Australian insurer Medibank, a data set that includes identifying information and medical diagnoses. The company, Australia’s largest private health insurer with 3.9 million customers, has over the course of a week transformed from being confident that it repelled hackers to being apologetic after disclosing Thursday that the incident it first detected Oct. 12 is a data breach. Medibank now says it’s been contacted by a criminal claiming to have taken 200 gigabytes worth of data from the company – sharing as proof records from 100 policies that contain information such as diagnostic codes, full names and addresses, and the location of medical service delivery. The company says the hacker claims to also have obtained payment card data, but it hasn’t verified the claim’s veracity. Customer-facing systems remain online but may be temporarily disrupted by security operations. Australian Federal Police are investigating, said Clare O’Neil, Minister for Home Affairs. She likened the hacker’s extortion demand for payment in return for not publishing the records online to “a dog act”. “The toughest and smartest people in the Australian government are working directly with Medibank,” she added. O’Neil acknowledged the company had initially informed the government that no data breach occurred. In a large organization with a “complex technological system, it takes a bit of time to understand what has changed in that system in the event of an attack,” the minister said.”

Title: Google sued over biometric data collection without consent
Date Published: October 20, 2022

https://www.bleepingcomputer.com/news/security/google-sued-over-biometric-data-collection-without-consent/

Excerpt: “Texas attorney general Ken Paxton has sued Google for allegedly collecting and using biometric data belonging to millions of Texans without proper consent. The Texas AG says that Google allegedly used products and services like Google Photos, Google Assistant, and Nest Hub Max to collect a vast array of biometric identifiers, including voiceprints and records of face geometry since 2015. This would be a violation of the state’s biometric privacy act (aka the Capture or Use of Biometric Identifier Act) which requires companies to request the users’ consent when collecting their biometric identifiers (i.e., “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry”). “For more than a decade, Texas has prohibited companies from capturing Texans’ biometric data—including the unique characteristics of an individual’s face and voice—without their informed, advance consent,” the petition reads [PDF]. “In blatant defiance of that law, Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends.” Paxton has filed other lawsuits against Google for invading Texans’ privacy while using its products and services.”

Title: New URSNIF variant doesn’t support banking features
Date Published: October 21, 2022

https://securityaffairs.co/wordpress/137435/malware/ursnif-shift-backdoor.html

Excerpt: “A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif’s original purpose: the malware initially used in banking frauds is now used to deliver next-stage payloads and steal sensitive data. The new variant, first observed in June 2022 and dubbed LDR4, is not a banking trojan, but a generic backdoor. “This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.” reads the report published by Mandiant. “Mandiant believes that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. Given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely.”

Ursnif is one of the most common and widespread threats today delivered through malspam campaigns. It appeared on the threat landscape in 2007 and gained popularity in 2014 when its source code was leaked online, giving several threat actors the opportunity to develop their own version. The attack chain associated with LDR4 starts with malspam messages using a recruitment-related lure. The email contains a link to a compromised website that redirects to a domain masquerading as a legitimate company. A CAPTCHA challenge is presented to download an Excel document purported to contain information related to the email lure. Upon opening the document, it will download and execute the LDR4 payload. The analysis of the code of the latest variant revealed that the developers had totally removed the banking functionalities.”

Title: Singapore champions Asean CERT as region’s cyber armour
Date Published: October 20, 2022

https://www.zdnet.com/article/singapore-champions-asean-cert-as-regions-cyber-armour/

Excerpt: “Now formally established, the Asean Regional Computer Emergency Response Team (CERT) will operate as a virtual centre comprising incident responders from across member states, each sharing information during security incidents that occur in any of the respective nations. The Asean Regional Computer Emergency Response Team (CERT) has been formally established, operating as a virtual centre comprising analysts and incident responders from across member states. It is tipped to play a key role in beefing up the region’s cyber resilience amidst a threat landscape that is increasingly complex. It would deepen collaboration between CERTs amongst Asean member states and boost the region’s cybersecurity posture, said Minister for Communications and Information Josephine Teo, who was speaking at the Asean ministerial conference held Thursday in Singapore. Noting that the region already had conducted annual CERT incident drills since 2006 to boost the readiness of CERTs within the individual countries, Teo said setting up the Asean CERT was an important step in building regional cyber resilience. There currently are 10 Asean member states including Singapore, Indonesia, Thailand, Malaysia, and the Philippines. The region in September 2018 agreed on the need for a formal framework to coordinate cybersecurity efforts, outlining cyber diplomacy, policy, and operational issues.”

Title: Vulnerabilities in Cisco Identity Services Engine require your attention (CVE-2022-20822, CVE-2022-20959)
Date Published: October 21, 2022

https://www.helpnetsecurity.com/2022/10/21/cve-2022-20822-cve-2022-20959/

Excerpt: “Cisco has published a heads-up for admins of Cisco Identity Services Engine solutions, about two vulnerabilities (CVE-2022-20822, CVE-2022-20959) that could be exploited to read and delete files on an affected device, and to execute arbitrary script or access sensitive information. “The Cisco PSIRT is aware that proof-of-concept exploit code for the vulnerability that is described in this advisory will become available after software fixes are released. Public reports of the vulnerability, including a description and classification without specific technical details, will become available after publication of this advisory,” the company said. Both vulnerabilities have been discovered and reported by Davide Virruso, a freelance bug hunter and a red team operator at managed security service provider Yoroi. Cisco Identity Services is a policy management and access control platform for devices on networks and is a crucial element of an organization’s zero-trust architecture. “ISE therefore not only guarantees software-defined access and automates network segmentation within IT and OT environments, but also provides a means of visibility into the ‘state’ of the network,” the Yoroi advisory team noted. CVE-2022-20822 is a path traversal vulnerability in the web-based management interface of Cisco ISE that could be exploited by an authenticated, remote attacker.”

Title: Ransomware is Being Used As a Precursor to Physical War: Ivanti
Date Published: October 20, 2022

https://www.infosecurity-magazine.com/news/ransomware-precursor-to-physical/

Excerpt: “Ransomware has grown by 466% since 2019 and is increasingly being used as a precursor to physical war. The findings come from Ivanti’s Ransomware Index Report Q2–Q3 2022, which the company shared with Infosecurity earlier today. The data also shows ransomware groups continuing to grow in volume and sophistication, with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits. Further, the Ivanti report highlighted 10 new ransomware families compared to the previous quarter: Black Basta, BianLian, BlueSky, Play, Hive, Deadbolt, H0lyGh0st, Lorenz, Maui and NamPoHyu. These bring the total to 170. From a geographical perspective, Russia has been at the forefront of the malware families discovered, with 11 advanced persistent threat (APT) groups, followed closely by China with eight and Iran with four. According to the Ivanti report, hostile governments increasingly use state-sponsored threat groups to infiltrate, destabilize and disrupt operations in their target countries. In many of these attacks, ransomware is being used as a precursor to physical warfare, as shown in the recent Russia–Ukraine war. Regardless of geography, Ivanti has also said ransomware attackers increasingly rely on spear phishing techniques to lure unsuspecting victims into delivering their malicious payload, as in the case of the Pegasus spyware. In terms of new ransomware vulnerabilities, the cybersecurity company spotted two: CVE-2021-40539 and CVE-2022-2613. Both have reportedly been exploited by ransomware families such as AvosLocker and Cerber. The report has also revealed that 47.4% of ransomware vulnerabilities affect healthcare systems, 31.6% energy systems and 21.1% critical manufacturing.”
