October 24, 2022

Fortify Security Team

Title: Hackers stole sensitive data from Iran’s atomic energy agency

Date Published: October 24, 2022

https://securityaffairs.co/wordpress/137513/hacking/hackers-stole-sensitive-data-from-irans-atomic-energy-agency.html

Excerpt: “Iran’s atomic energy agency claims that alleged state-sponsored hackers have compromised its email system. Iran’s atomic energy agency revealed on Sunday that a nation-state actor had access to a subsidiary’s network and free access to its email system, the Associated Press reports. The Iranian government has yet to attribute the attack to a specific hacker group. A group which calls itself Black Reward announced the hack of the Atomic Energy Organization on Telegram and shared files of contracts, construction plans, and details about equipment at the Bushehr plant as proof of the intrusion. “Unlike Westerners, we do not flirt with criminal mullahs,” the group wrote. Black Reward claims to have breached the Iranian government and exfiltrated sensitive data related to their nuclear programs. On October 21, they gave the Iranian government 24 hours to release political prisoners arrested during recent protests or they will release the documents.”

Title: ‘Pig Butchering’ Online Scam Sweeping English Speakers

Date Published: October 24, 2022

https://www.databreachtoday.com/pig-butchering-online-scam-sweeping-english-speakers-a-20311

Excerpt: “A confidence scam endemic in East Asia that’s based on long-term emotional manipulation of victims is a mounting threat in English-speaking countries. Known as “Pig Butchering” – pigs are fattened before slaughtering – the scam rests on handlers with attractive but phony online personas enticing victims into a trusted relationship that moves into a money-making phase. Often victims are led into buying cryptocurrency for a fake investing platform. Scammers reward investments with supposed balance increases and gain trust by allowing small withdrawals. Only when a victim is unwilling or unable to pour more money into the scheme does it end. Researchers from cybersecurity firm Proofpoint say they’ve spent the last three months pretending to be victims and have identified 55 web domains used to host fake investment platforms.”

Title: FBI warning: This ransomware group is targeting poorly protected VPN servers

Date Published: October 24, 2022

https://www.zdnet.com/article/fbi-warning-this-ransomware-group-is-targeting-poorly-protected-vpn-servers/

Excerpt: “Attackers are using VPN servers to gain access, and then SSH and RDP to spread through networks. The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) have issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022. The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personal identifiable information and patient health information.”

Title: Thousands of GitHub repositories deliver fake PoC exploits with malware

Date Published: October 23, 2022

https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/

Excerpt: “Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.”

Title: FBI: Iranian Threat Group Likely to Target US Midterms

Date Published: October 21, 2022

https://www.darkreading.com/threat-intelligence/fbi-iranian-threat-group-likely-to-target-us-midterms

Excerpt: “Similar to what happened around the 2020 election, FBI warns that the Emennet Pasargad group is poised to target officials and companies with embarrassing hack-and-leak campaigns. Although the Iranian threat group Emennet Pasargad is largely dedicated to launching attacks against Israeli officials, the FBI warns the group is likely to engage in hack-and-leak operations against US interests — namely the upcoming midterm elections. The latest FBI advisory explained that Emennet tactics usually involve a breach, data theft, data leak, and amplification of leaked data on social media; often they leave encryption malware behind, for good measure. The group was active during the 2020 presidential elections, and the FBI is warning they are likely to reemerge as Americans vote in the November midterm elections.”

Title: Clicker Malware Garners Estimated 20 Million Downloads

Date Published: October 24, 2022

https://www.infosecurity-magazine.com/news/clicker-malware-20-million/

Excerpt: “So-called “clicker” malware designed to facilitate ad fraud has been found on 16 mobile apps in the Google Play store, according to McAfee. After being notified by the security vendor, Google has removed the offending apps, which are estimated to have garnered as many as 20 million downloads. Detected as Android/Clicker, the malware was inserted into legitimate-looking utility apps such as flashlights, QR readers, cameras, unit converters and task managers. “Once the application is opened, it downloads its remote configuration by executing an HTTP request,” explained McAfee. “After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made Android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.” Specifically, the malware forces infected devices to visit and browse certain websites in the background, without the user’s knowledge.”

Title: Typosquat campaign mimics 27 brands to push Windows, Android malware

Date Published: October 23, 2022

https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/

Excerpt: “A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional “s,” making them easy for people to miss. In terms of appearance, in most cases seen by BleepingComputer, the malicious websites are clones of the originals or at least convincing enough, so there’s not much to give away the fraud. Victims typically end up on these sites by mistyping the website name they want to visit in the browser’s URL bar, which is not uncommon when typing on mobile. However, users could also be led on these sites via phishing emails or SMS, direct messages, malicious social media and forum posts, and other ways.”

Title: Wholesale giant METRO confirmed to have suffered a cyberattack

Date Published: October 23, 2022

https://securityaffairs.co/wordpress/137506/hacking/metro-confirmed-cyberattack.html

Excerpt: “International cash and carry giant METRO suffered IT infrastructure outages this week following a cyberattack. International cash and carry giant METRO was hit by a cyberattack that caused IT infrastructure outages. Metro employs more than 95,000 people in 681 stores worldwide, most of them in Germany, its sales reaching 24.8 billion euros in 2020. The outages impacted stores worldwide. The company confirmed the cyber attack in an official statement; it is investigating the incident with the help of external experts: “METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage,” reads the statement issued by the company. The wholesale giant notified relevant authorities and warned customers that delays might occur due to service disruptions. In response to the outage, the teams in the stores set up offline systems to process payments.”

Title: New Phishing Campaign Targets Saudi Government Service Portal

Date Published: October 21, 2022

https://www.infosecurity-magazine.com/news/phishing-campaign-saudi-government/

Excerpt: “Multiple phishing domains impersonating Absher, the Saudi government service portal, have been set up to provide fake services to citizens and steal their credentials. The discovery comes from cybersecurity researchers at CloudSEK, who published an advisory about the threat on Thursday. “The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal,” wrote the security experts. “The phishing website presents users with a fake login portal, compromising the login credentials.” According to CloudSEK, after the fake ‘login’ action, a pop-up appears on the site prompting for a four-digit one-time password (OTP) sent to the registered mobile number, probably used to bypass multi-factor authentication (MFA) on the legitimate Absher Portal. “Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal,” CloudSEK clarified. Once the fake login process is complete, the user is then asked to fill in a ‘registration’ form, divulging sensitive personally identifiable information (PII), and redirected to a new page where they are prompted to choose a bank. They are then directed to a fake bank login portal designed to steal their credentials.”

Title: Criminals are starting to exploit the metaverse, says Interpol. So police are heading there too

Date Published: October 24, 2022

https://www.zdnet.com/article/criminals-are-starting-to-exploit-the-metaverse-says-interpol-so-police-are-heading-there-too/

Excerpt: “An international police organization is using the metaverse and wants to understand how crime could evolve. The International Criminal Police Organization, aka Interpol, has launched its ‘global police Metaverse’ as part of an effort to train members how to police in a virtual world. Last week, Interpol unveiled what it says is “the first ever Metaverse specifically designed for law enforcement worldwide.” It says the “Interpol Metaverse” gives officers around the world the tools for cross-border knowledge sharing via avatars, and to take immersive training in forensic investigation and other policing activities. Interpol has also created an expert group on the metaverse to represent law enforcement concerns about the new virtual world.”
