October 28, 2022

Fortify Security Team

Title: Microsoft links Raspberry Robin worm to Clop ransomware attacks
Date Published: October 27, 2022

Excerpt: “Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm. DEV-0950 malicious activity overlaps with financially motivated cybercrime groups tracked as FIN11 and TA505, known for deploying Clop ransomware payloads on targets’ systems. Besides ransomware, Raspberry Robin has also been used to drop other second-stage payloads onto compromised devices, including IcedID, Bumblebee, and Truebot. “Beginning on September 19, 2022, Microsoft identified Raspberry Robin worm infections deploying IcedID and—later at other victims—Bumblebee and TrueBot payloads,” Microsoft Security Threat Intelligence analysts said. “In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware.” This hints at Raspberry Robin’s operators selling initial access to compromised enterprise systems to ransomware gangs and affiliates, who now have an additional way to get into their targets’ networks besides phishing emails and malicious ads.”

Title: Microsoft Authenticator gains feature to thwart spam attacks on MFA
Date Published: October 28, 2022

Excerpt: “Microsoft has rolled out ‘number matching’ in push notifications for its multi-factor authentication (MFA) app Microsoft Authenticator. The new advanced feature is generally available in Microsoft Authenticator and should help counter attacks on MFA that rely on push notification spam. Researchers earlier this year spotted so-called ‘MFA fatigue attacks’ on Office 365 users, where attackers repeatedly trigger MFA push notifications while trying to log in to a victim’s account with an already compromised password. The attacker hopes at some point the victim is worn down or distracted enough by the notifications to accidentally approve the login attempt. With number matching enabled, the Authenticator app requires the user to type in the number displayed on the sign-on screen when approving an MFA request rather than just hitting ‘approve’. This is going to be a handy feature for admins whose users have been caught out by this attack on MFA.”

Title: Twilio Reveals Further Security Breach
Date Published: October 28, 2022

Excerpt: “Communication tool provider Twilio has revealed that the same malicious actors responsible for a July breach at the firm also managed to compromise an employee a month prior, exposing customer information. The revelation was buried in a lengthy incident report updated and concluded yesterday. The report focuses mainly on the July–August incident in which attackers sent hundreds of “smishing” text messages to the mobile phones of current and former Twilio employees. Posing as Twilio or other IT administrators, they tricked some recipients into clicking on password reset links leading to fake Okta login pages for Twilio. Once harvested, these credentials were used to access internal Twilio administrative tools and apps and, in turn, customer information. However, the same actors were also responsible for another phishing attempt, this time carried out over the phone, the report revealed.”

Title: Burgeoning Cranefly hacking group has a new intel-gathering tool
Date Published: October 27, 2022

Excerpt: “An undocumented dropper uses a new technique of reading commands from Internet Information Services (IIS) logs to carry out intelligence gathering and deliver backdoors, according to Symantec. Symantec’s blog post noted that the dropper, Trojan.Geppei, is linked to a threat actor Symantec calls Cranefly (aka UNC3524) and is used to install undocumented malware and tools. Cranefly is a hacking group that targets corporate networks to steal emails from employees who deal with larger financial transactions, such as mergers and acquisitions. “We have never seen this technique used to date in real-world attacks. It could, in theory, be used to deliver different types of malware if leveraged by threat actors with different goals,” Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter Team, told SC Media. During the malicious activity, the dropper reads commands from a legitimate IIS log, which is meant to record data from IIS, including web pages and apps.”

Title: Apple backports fixes for CVE-2022-42827 zero-day to older iPhones, iPads
Date Published: October 28, 2022

Excerpt: “Apple released updates to backport the recently released security patches for the CVE-2022-42827 zero-day to older iPhones and iPads. Apple has released new security updates to backport security patches released this week to address the actively exploited CVE-2022-42827 in older iPhones and iPads, addressing an actively exploited zero-day bug. Early this week, Apple addressed the ninth zero-day vulnerability exploited in attacks in the wild since the start of the year. The CVE-2022-42827 vulnerability is an out-of-bounds write issue that can be exploited by an attacker to execute arbitrary code with kernel privileges. The flaw was reported to Apple by an anonymous researcher; the company addressed it with improved bounds checking in iOS 16.1 and iPadOS 16. “Apple is aware of a report that this issue may have been actively exploited,” reads the advisory published by Apple. The vulnerability impacts iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.”

Title: Medlab Pathology Breach Impacts 223,000 Australians
Date Published: October 27, 2022

Excerpt: “Information about individuals’ disease diagnoses, payment cards and national insurance cards is among the data stolen by hackers from Australian Medlab Pathology. Parent company Australian Clinical Labs disclosed the breach on Thursday, saying that the personal information of approximately 223,000 people was caught up in the breach. “To date, there is no evidence of misuse of any of the information or any demand made of Medlab or ACL,” the company says. About 60 percent of the affected individuals had their Medicare number and name released. About 12 percent had credit card numbers exposed, while about 8 percent are set to find out that medical records associated with a pathology test were posted online. The testing giant – it describes itself as one of Australia’s largest, privately owned independent pathology practices – says it will directly contact individuals affected by the breach.”

Title: Cyberattackers Target Instagram Users With Threats of Copyright Infringement
Date Published: October 27, 2022

Excerpt: “Threat actors are targeting Instagram users in a new phishing campaign that uses URL redirection to take over accounts, or steal sensitive information that can be used in future attacks or be sold on the Dark Web. As a lure, the campaign uses a suggestion that users may be committing copyright infringement — a great concern among social media influencers, businesses, and even the average account holder on Instagram, researchers from Trustwave SpiderLabs revealed in an analysis shared with Dark Reading on Oct. 27. This type of “infringement phishing” was also seen earlier this year, in a separate campaign targeting users of Facebook — a brand also under Instagram parent company Meta — with emails suggesting users had violated community standards, the researchers said.”

Title: New York Post hacked with offensive headlines targeting politicians
Date Published: October 27, 2022

Excerpt: “New York Post confirmed today that it was hacked after its website and Twitter account were used by the attackers to publish offensive headlines and tweets targeting U.S. politicians. “The New York Post has been hacked. We are currently investigating the cause,” the daily newspaper tweeted shortly after removing multiple disturbing tweets published earlier on Thursday. These offensive headlines and tweets referred to NYC Mayor Eric Adams, D-NY Rep. Alexandria Ocasio-Cortez, NY Governor Kathy Hochul, Texas Governor Greg Abbott, R-IL Rep. Adam Kinzinger, as well as U.S. President Joe Biden and his son Hunter Biden. Currently, there is no information on how the attackers took control of the NY Post’s website and verified Twitter account.”

Title: Santander: Radical Action Needed to Tackle APP Fraud
Date Published: October 28, 2022

Excerpt: “One of the world’s biggest banks has called on the UK government and industry to do more to fight authorized push payment (APP) fraud. The financial group Santander issued its Tackling Authorised Push Payment Fraud Report this week, outlining its goals for enhanced collaboration between government, the private sector and law enforcement. APP fraud occurs when a scammer posing as a trusted entity tricks the victim into transferring money to a bank account under their control. Common examples include crypto and romance scams. As the victim technically initiates the payment, banks in many countries refuse to refund losses incurred this way. However, it’s an increasingly popular way for scammers to get hold of victims’ money. One recent report claimed that 75% of all digital banking fraud losses in the first half of 2022 were down to APP fraud.”

Title: SiriSpy flaw allows eavesdropping on users’ conversations with Siri
Date Published: October 27, 2022

Excerpt: “SiriSpy is a vulnerability affecting Apple iOS and macOS that allows apps to eavesdrop on users’ conversations with Siri. SiriSpy is a now-patched vulnerability, tracked as CVE-2022-32946, in Apple’s iOS and macOS that could have potentially allowed any app with access to Bluetooth to eavesdrop on conversations with Siri and audio. “An app may be able to record audio using a pair of connected AirPods,” reads the advisory published by Apple. “This issue was addressed with improved entitlements.” The malicious app with access to Bluetooth could record the conversations from the iOS keyboard dictation feature when using AirPods or Beats headsets. According to app developer Guilherme Rambo, who reported SiriSpy to Apple, the app doesn’t request microphone access permission and doesn’t leave any trace that it was listening to the microphone.”
