October 24, 2022

Fortify Security Team

Title: Hackers stole sensitive data from Iran’s atomic energy agency

Date Published: October 24, 2022

https://securityaffairs.co/wordpress/137513/hacking/hackers-stole-sensitive-data-from-irans-atomic-energy-agency.html

Excerpt: “Iran’s atomic energy agency claims that alleged state-sponsored hackers have compromised its email system. Iran’s atomic energy agency revealed on Sunday that a nation-state actor had access to a subsidiary’s network and free access to its email system, the Associated Press reports. The Iranian government has yet to attribute the attack to a specific threat actor. A hacker group which calls itself Black Reward announced the hack of the Atomic Energy Organization on Telegram and shared files of contracts, construction plans, and details about equipment at the Bushehr plant as proof of the intrusion. “Unlike Westerners, we do not flirt with criminal mullahs,” the group wrote. Black Reward claims to have breached the Iranian government and exfiltrated sensitive data related to its nuclear programs. On October 21, the group gave the Iranian government 24 hours to release political prisoners arrested during recent protests or it would release the documents.”

Title: ‘Pig Butchering’ Online Scam Sweeping English Speakers

Date Published: October 24, 2022

https://www.databreachtoday.com/pig-butchering-online-scam-sweeping-english-speakers-a-20311

Excerpt: “A confidence scam endemic in East Asia that’s based on long-term emotional manipulation of victims is a mounting threat in English-speaking countries. Known as “Pig Butchering” – pigs are fattened before slaughtering – the scam rests on handlers with attractive but phony online personas enticing victims into a trusted relationship that moves into a money-making phase. Often victims are led into buying cryptocurrency for a fake investing platform. Scammers reward investments with supposed balance increases and gain trust by allowing small withdrawals. Only when a victim is unwilling or unable to pour more money into the scheme does it end. Researchers from cybersecurity firm Proofpoint say they’ve spent the last three months pretending to be victims and have identified 55 web domains used to host fake investment platforms.”

Title: FBI warning: This ransomware group is targeting poorly protected VPN servers

Date Published: October 24, 2022

https://www.zdnet.com/article/fbi-warning-this-ransomware-group-is-targeting-poorly-protected-vpn-servers/

Excerpt: “Attackers are using VPN servers to gain access, and then SSH and RDP to spread through networks. The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) have issued a joint warning about Daixin Team activity against the healthcare and public health sector since June 2022. The group has used ransomware to encrypt servers providing services for electronic health records, diagnostics, imaging, and intranet. They have also exfiltrated personally identifiable information and patient health information.”

Title: Thousands of GitHub repositories deliver fake PoC exploits with malware

Date Published: October 23, 2022

https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/

Excerpt: “Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.”

Title: FBI: Iranian Threat Group Likely to Target US Midterms

Date Published: October 21, 2022

https://www.darkreading.com/threat-intelligence/fbi-iranian-threat-group-likely-to-target-us-midterms

Excerpt: “Similar to what happened around the 2020 election, the FBI warns that the Emennet Pasargad group is poised to target officials and companies with embarrassing hack-and-leak campaigns. Although the Iranian threat group Emennet Pasargad is largely dedicated to launching attacks against Israeli officials, the FBI warns the group is likely to engage in hack-and-leak operations against US interests — namely the upcoming midterm elections. The latest FBI advisory explained that Emennet tactics usually involve a breach, data theft, data leak, and amplification of leaked data on social media; often they leave encryption malware behind, for good measure. The group was active during the 2020 presidential elections, and the FBI is warning they are likely to reemerge as Americans vote in the November midterm elections.”

Title: Clicker Malware Garners Estimated 20 Million Downloads

Date Published: October 24, 2022

https://www.infosecurity-magazine.com/news/clicker-malware-20-million/

Excerpt: “So-called “clicker” malware designed to facilitate ad fraud has been found on 16 mobile apps in the Google Play store, according to McAfee. After being notified by the security vendor, Google has removed the offending apps, which are estimated to have garnered as many as 20 million downloads. Detected as Android/Clicker, the malware was inserted into legitimate-looking utility apps such as flashlights, QR readers, cameras, unit converters and task managers. “Once the application is opened, it downloads its remote configuration by executing an HTTP request,” explained McAfee. “After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made Android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.” Specifically, the malware forces infected devices to visit and browse certain websites in the background, without the user’s knowledge.”

Title: Typosquat campaign mimics 27 brands to push Windows, Android malware

Date Published: October 23, 2022

https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/

Excerpt: “A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional “s,” making them easy for people to miss. In terms of appearance, in most cases seen by BleepingComputer, the malicious websites are clones of the originals or at least convincing enough, so there’s not much to give away the fraud. Victims typically end up on these sites by mistyping the website name they want to visit in the browser’s URL bar, which is not uncommon when typing on mobile. However, users could also be led to these sites via phishing emails or SMS, direct messages, malicious social media and forum posts, and other ways.”

Title: Wholesale giant METRO confirmed to have suffered a cyberattack

Date Published: October 23, 2022

https://securityaffairs.co/wordpress/137506/hacking/metro-confirmed-cyberattack.html

Excerpt: “International cash and carry giant METRO suffered IT infrastructure outages this week following a cyberattack. International cash and carry giant METRO was hit by a cyberattack that caused IT infrastructure outages. Metro employs more than 95,000 people in 681 stores worldwide, most of them in Germany, its sales reaching 24.8 billion euros in 2020. The outages impacted stores worldwide. The company confirmed the cyber attack in an official statement; it is investigating the incident with the help of external experts: “METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage,” reads the statement issued by the company. The wholesale giant notified relevant authorities and warned customers that delays might occur due to service disruptions. In response to the outage, the teams in the stores set up offline systems to process payments.”

Title: New Phishing Campaign Targets Saudi Government Service Portal

Date Published: October 21, 2022

https://www.infosecurity-magazine.com/news/phishing-campaign-saudi-government/

Excerpt: “Multiple phishing domains impersonating Absher, the Saudi government service portal, have been set up to provide fake services to citizens and steal their credentials. The discovery comes from cybersecurity researchers at CloudSEK, who published an advisory about the threat on Thursday. “The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal,” wrote the security experts. “The phishing website presents users with a fake login portal, compromising the login credentials.” According to CloudSEK, after the fake ‘login’ action, a pop-up appears on the site prompting for a four-digit one-time password (OTP) sent to the registered mobile number, probably used to bypass multi-factor authentication (MFA) on the legitimate Absher Portal. “Any four-digit number is accepted as an OTP without verification, and the victim successfully logs in to the fake portal,” CloudSEK clarified. Once the fake login process is complete, the user is then asked to fill in a ‘registration’ form, divulging sensitive personally identifiable information (PII), and redirected to a new page where they are prompted to choose a bank. They are then directed to a fake bank login portal designed to steal their credentials.”

Title: Criminals are starting to exploit the metaverse, says Interpol. So police are heading there too

Date Published: October 24, 2022

https://www.zdnet.com/article/criminals-are-starting-to-exploit-the-metaverse-says-interpol-so-police-are-heading-there-too/

Excerpt: “An international police organization is using the metaverse and wants to understand how crime could evolve. The International Criminal Police Organization, aka Interpol, has launched its ‘global police Metaverse’ as part of an effort to train members how to police in a virtual world. Last week, Interpol unveiled what it says is “the first ever Metaverse specifically designed for law enforcement worldwide.” It says the “Interpol Metaverse” gives officers around the world the tools for cross-border knowledge sharing via avatars, and to take immersive training in forensic investigation and other policing activities. Interpol has also created an expert group on the metaverse to represent law enforcement concerns about the new virtual world.”
