October 25, 2022

Fortify Security Team

Title: Hive claims ransomware attack on Tata Power, begins leaking data

Date Published: October 25, 2022


Excerpt: “Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. A subsidiary of the multinational conglomerate Tata Group, Tata Power is India’s largest integrated power company based in Mumbai. In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed. As of a few hours ago, operators behind the Hive ransomware group began leaking data allegedly stolen from Tata Power on their leak site. Cybersecurity analyst and researcher Dominic Alvieri tweeted about the development and also tipped us off. Another researcher, Rakesh Krishnan, shared screenshots of the stolen data—which appears to include Tata Power employees’ personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, salary information, etc.”

Title: Australia seeks stiffer penalty for data breaches amidst spate of security incidents

Date Published: October 25, 2022


Excerpt: “Government says it will push up maximum fines for serious or repeated data privacy breaches to AU$50 million, up from the current AU$2.22 million, in a move that follows a spate of cybersecurity incidents that compromised customer data, including Medibank. Australia wants organizations to dig deeper for serious or repeated data privacy breaches, forking out maximum fines of up to AU$50 million ($31.57 million). The move to increase penalties for violations comes amidst a spate of cybersecurity incidents that compromised customer data, with the latest involving insurance group Medibank. Attorney-General Mark Dreyfus unveiled plans to introduce legislation in parliament this week that would push financial punishment for privacy violators up from the current AU$2.22 million ($1.4 million). The new rules will be outlined in Australia’s Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which can be applied under the Privacy Act 1988 for “serious or repeated” privacy breaches.”

Title: Dormant Colors campaign operates over 1M malicious Chrome extensions

Date Published: October 25, 2022


Excerpt: “A new malvertising campaign, code-named Dormant Colors, is delivering malicious Google Chrome extensions that hijack targets’ browsers. Researchers at Guardio Labs have discovered a new malvertising campaign, called Dormant Colors, aimed at delivering malicious Google Chrome extensions. The Chrome extensions hijack searches and insert affiliate links into web pages. The experts called the campaign Dormant Colors because the extensions offer color customization options. “It starts with the trickery malvertising campaign, and continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by Guardio Labs. By mid-October 2022, the researchers discovered at least 30 variants of these extensions in both Chrome and Edge web stores. The malicious browser extensions counted over a million installs.”

Title: Ukraine Warns of Cuba Ransomware Campaign

Date Published: October 25, 2022


Excerpt: “The Ukrainian authorities have posted information warning of a new ransomware campaign against organizations in the war-torn country. In a brief notice, the Ukrainian CERT said it had discovered phishing emails spoofed to appear as if sent from the “Press Service of the General Staff of the Armed Forces of Ukraine.” If recipients fall for the scam and click on the link contained in the email, they’ll be taken to a web page and urged to download a new version of PDF Reader. Doing so will trigger a malicious executable, the CERT-UA warned. “Running the mentioned file will, as a result, decode and run the ‘rmtpak.dll’ file. The latter is classified as a RomCom malware,” it explained. RomCom was first uncovered by Palo Alto Networks back in August. It linked the remote access Trojan (RAT) to a new Cuba ransomware affiliate dubbed “Tropical Scorpius,” noting that the malware enables threat actors to perform a range of post-intrusion functions including data exfiltration.”

Title: Atlassian Vulnerabilities Highlight Criticality of Cloud Services

Date Published: October 24, 2022


Excerpt: “Two flaws in the popular developer cloud platform show how weaknesses in authorization functions and SaaS flaws can put cloud apps at risk. Two vulnerabilities in Atlassian Jira Align, an agile planning software-as-a-service (SaaS) tool, could allow users with access to the service to become application administrators, and then attack the Atlassian service. That’s according to cybersecurity services firm Bishop Fox, which said in an advisory today that the vulnerabilities typify the risks posed to cloud services by relatively well-known, but often hard to catch, flaws. The two vulnerabilities found by Bishop Fox affect the Jira Align application, which is used to set agile-development goals, track efforts toward those goals, and create agile strategies. Because every instance of Jira Align is provisioned by Atlassian, an attacker could gain control of a part of the company’s cloud infrastructure, Bishop Fox stated.”

Title: Apple Issues Emergency iOS Fix as Kernel Zero-Day Exploited

Date Published: October 25, 2022


Excerpt: “Apple has issued a slew of security updates amidst reports that its iOS devices are being actively exploited via a zero-day vulnerability in the kernel. Because of the out-of-bound write flaw, designated CVE-2022-42827, any iOS application “may be able to execute arbitrary code with kernel privileges,” it warns in a security bulletin. While Apple says that it “is aware of a report that this issue may have been actively exploited,” it hasn’t attributed such exploits to any specific cybercrime or nation-state group. Out-of-bounds writing refers to writing data before the beginning or after the end of a buffer. “Typically, this can result in corruption of data, a crash or code execution,” Mitre’s Common Weakness Enumeration website warns. “Given the high price that working iPhone zero-days command in the ‘cyberunderworld,’ we assume that whoever is in possession of this exploit knows how to make it work effectively and is unlikely to draw attention to it themselves, in order to keep existing victims in the dark as much as possible,” Paul Ducklin, a security researcher at Sophos, says in a blog post.”

Title: Pendragon car dealer refuses $60 million LockBit ransomware demand

Date Published: October 24, 2022


Excerpt: “Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack from the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them. Pendragon owns CarStore, Evans Halshaw, and the luxury car retailer Stratstone, which sell car brands for all budgets, from Jaguar, Porsche, Ferrari, Mercedes-Benz, BMW, Land Rover, or Aston Martin, to Renault, Ford, Hyundai, Nissan, Peugeot, Vauxhall, Citroen, DS, Dacia, and DAF. Pendragon did not provide many details about the security incident and limited the information to saying that there is no impact on operations. “We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident,” Pendragon says in the security announcement. However, in an interview for The Times publication on Friday, the company’s chief marketing officer, Kim Costello, pointed to the LockBit ransomware gang as the culprit and said that the attack happened about a month ago.”

Title: Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App

Date Published: October 24, 2022


Excerpt: “Several critical and high-severity vulnerabilities have been discovered affecting the Veeam Backup & Replication application that could be exploited by advertising fully weaponized tools for remote code execution (RCE). The findings come from security researchers at CloudSEK, who published an advisory about them earlier today. “Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication: CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8 and CVE-2022-26504 with a CVSS V3 score of 8.8,” reads the technical write-up. According to CloudSEK, the successful exploitation of these common vulnerabilities and exposures (CVEs) can lead to copying files within the boundaries of the locale or from a remote Server Message Block (SMB) network, RCE without authorization or RCE/LPE without authorization. From a technical standpoint, Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors.”

Title: Norway PM warns of Russia cyber threat to oil and gas industry

Date Published: October 24, 2022


Excerpt: “Norway’s prime minister warned last week that Russia poses “a real and serious threat” to the country’s oil and gas industry. Norway’s prime minister Jonas Gahr Støre warned that Russia poses “a real and serious threat” to the country’s oil and gas industry. The minister claims his country is going slow in adopting necessary measures to protect organizations and critical infrastructure operators in the energy sector from cyberattacks. The risks of sabotage and cyber attacks are high now that Norway is the largest supplier of gas to Europe.”

Title: New Canadian Cyberattack Data Says 80% of SMBs Are Vulnerable

Date Published: October 25, 2022


Excerpt: “If you were to take a look at the cybersecurity news cycle, you’d be forgiven for thinking that it’s only large enterprises with expansive customer bases and budgets that are the most vulnerable to attacks. But that’s not entirely true. Even if it’s at a much smaller scale, small- and medium-sized businesses (SMBs) still have stores of sensitive information that’s appealing to bad actors — and they’re often much less equipped to protect that data. In its recent Small and Medium-Sized Business Vulnerabilities Report (SMBVR), Vancouver-based CyberCatch sheds light on the state of security in this business segment — and it’s not looking good. According to the report, 8 in 10 Canadian SMBs are at risk of an attack. In addition, many of these businesses operate in critical industry segments, including finance and healthcare. These and other key data points in the report all indicate one thing: there’s an increasing need for robust cybersecurity efforts in the SMB space.”
