October 3, 2022

Fortify Security Team
Oct 3, 2022

Title: BlackCat ransomware gang claims to have hacked US defense contractor NJVC
Date Published: October 3, 2022


Excerpt: “Another US defense contractor suffered a data breach, the BlackCat ransomware gang claims to have hacked NJVC. The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations. The company has more than 1,200 employees in locations worldwide. BlackCat added NJVC to the list of victims on its Tor leak site and is threatening to release the allegedly stolen data if the company will not pay the ransom. “We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” reads the ALPHV’s statement.

At the time of this writing, the ALPHV’s Tor leak site is not reachable and it is not clear if there is some link with the NJVC hack. Experts reported that the site was intermittently online, and someone noticed that the name of NJVC was removed from the site. “Interestingly enough, BlackCat’s leak site on the dark web was accessible on 30 September, but NJVC was no longer posted among the gang’s victims. The latest current victim on the leak site was posted on 27 September, a day before the DoD contractor was initially posted.” reported CyberNews. BlackCat has been operating since at least November 2021 and launched major attacks in January 2022 to disrupt OilTanking GmbH, a German fuel company, and in February 2022 against the aviation company, Swissport. The group is targeting high-profile businesses in critical industries including energy, financial institutions, legal services, and technology.”

Title: Ransomware gang leaks data stolen from LAUSD school system
Date Published: October 2, 2022


Excerpt: “The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month. LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter, along with announcing a new hotline launching tomorrow morning at 855-926-1129 for concerned parents and students to ask questions about the data leak. “Unfortunately, as expected, data was recently released by a criminal organization. In partnership with law enforcement, our experts are analyzing the full extent of this data release,” tweeted Carvalho. The public release of data comes after the school system announced Friday that they would not be giving in to the ransom demands and that the district could better use the money for students and their education.”

Title: Trojanized, Signed Comm100 Chat Installer Anchors Supply Chain Attack
Date Published: September 30, 2022


Excerpt: “Malicious Comm100 files have been found scattered throughout North America, and across sectors including tech, healthcare, manufacturing, telecom, insurance, and others. A new supply chain attack uses a Trojanized version of the Comm 100 Live Chat Application to compromise networks, and until Sept. 29, it was actively available for download from Comm 100’s official website. The Comm100 Live Chat application enables organizations to communicate with real-time chat and boasts more than 15,000 customers across 51 countries. Researchers with CrowdStrike reported the malicious Comm100 installer was available for download on the company’s website and was signed on Sept. 26.”

Title: Finnish intelligence warns of Russia’s cyberespionage activities
Date Published: October 3, 2022


Excerpt: “The Finnish Security Intelligence Service (Suojelupoliisi or SUPO) warn of a highly likely intensification of cyberespionage activities conducted by Russia-linked threat actors over the winter. According to the SUPO, future NATO membership will make the country a privileged target for Russian intelligence and influence operations. The intelligence agency states that cyber threats to Finland’s critical infrastructure has increased in both the physical and cyber environments as a result of the Russian invasion of Ukraine. These malicious activities could potentially paralyze infrastructure operations with unpredictable consequences. “Future NATO membership will make Finland a more interesting target for Russian intelligence and influence operations. One target of particular interest will be the formulation of policy in a militarily allied Finland. Russia’s assessment of what kind of NATO member Finland is becoming determines the aims and methods of influence operations.” reads the unclassified National Security Overview 2022 published last week by the Finnish agency. “Finland is portrayed as a member of a hostile alliance, whose location in the near vicinity of Russia exemplifies the threat of NATO enlargement, a narrative disseminated by the Russian regime.” According to the report, Russia’s traditional intelligence gathering activity relied on spies with diplomatic cover, but this approach has become substantially more difficult since Russia invaded Ukraine, because many Russian diplomats have been expelled from the West. The report pointed out that despite the Russian reactions to Finland’s NATO accession process having been restrained for the time being, and Finland was not targeted by any extraordinary influencing in the course of policymaking, the government fears an escalation of the malicious activities.”

Title: Pentagon Bug Bounty Program Uncovers 350 Vulnerabilities
Date Published: October 1, 2022


Excerpt: “The U.S. Department of Defense uncovered almost 350 vulnerabilities in the department’s networks as part of its experimental bug bounty program launched on American Independence Day. The week-long bug bounty challenge that ran from July 4 to July 11 was launched by the Chief Digital and Artificial Intelligence Office, Directorate for Digital Services, DoD Cyber Crime Center and the vulnerability disclosure partner HackerOne, a private firm with a platform that enables researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures. While announcing the results, HackerOne, the vulnerability disclosure partner, says DoD gained critical insights into how the hacker community competes for prizes with an end goal of strengthening the security of the hundreds of thousands of assets in the DoD scope.”

Title: Russians dodging mobilization behind flourishing scam market
Date Published: October 2, 2022


Excerpt: “Ever since Russian president Vladimir Putin ordered partial mobilization after facing setbacks on the Ukrainian front, men in Russia and the state’s conscript officers are playing a ‘cat and mouse’ game involving technology and cybercrime services. More specifically, many Russian men eligible for enlistment have resorted to illegal channels that provide them with fabricated exemptions, while those fleeing the country to neighboring regions turn to use identity masking tools. This situation has created a highly lucrative environment for sellers of illicit services to flourish. Similarly, scammers and fraudsters also see an excellent opportunity to exploit panicking people in a great hurry.”

Title: BEC attacks: Most victims aren’t using multi-factor authentication – apply it now and stay safe
Date Published: September 29, 2022


Excerpt: “Business email compromise scammers are gaining access to real accounts that they’re using to dupe victims into sending payments. One change could help to stop it. There has been a big rise in business email compromise (BEC) attacks – and most victims work at organizations that weren’t using multi-factor authentication (MFA) to secure their accounts. BEC attacks are one of the most lucrative forms of cyber crime: according to the FBI, the combined total lost is over $43 billion and counting, with attacks reported in at least 177 countries. These attacks are relatively simple for cyber criminals to carry out – all they need is access to an email account and some patience as they try to trick victims into making financial transfers under false pretenses. This commonly involves sending messages to employees, purportedly from their boss or a colleague, that suggest a payment – often very large – must be made quickly in order to secure an important business deal.”

Title: Hackers Hide Malware in Windows Logo, Target Middle East Governments
Date Published: September 30, 2022


Excerpt: “A hacking group dubbed ‘Witchetty’ has been observed using a steganographic technique to hide a backdoor in a Windows logo and target Middle Eastern governments. According to a new advisory by Broadcom, Witchetty (aka LookingFrog) is believed to have connections to the state–backed Chinese threat actor APT10 as well as with TA410 operatives, a group previously linked to attacks against US energy providers. Witchetty was first discovered by ESET in April 2022, with its activity being characterized by the use of a first–stage backdoor known as X4 and a second–stage payload known as LookBack. While the group has continued to use the LookBack backdoor, Broadcom observed that several new types of malware appear to have been added to its toolset. “The Witchetty espionage group […] has been progressively updating its toolset, using new malware in attacks on targets in the Middle East and Africa,” the advisory reads. “Among the new tools being used by the group is a backdoor Trojan (Backdoor.Stegmap) that employs steganography, a rarely seen technique where malicious code is hidden within an image.” Further, the attackers observed by Broadcom between February and September 2022 exploited ProxyShell and ProxyLogon vulnerabilities to install web shells on public–facing servers. It then stole credentials, moved laterally across networks and installed malware on other computers.”

Title: UK Construction: Cybersecurity Experts Defend Joint Ventures
Date Published: October 2, 2022


Excerpt: “After years of falling behind, the construction industry has realized the importance of its data. Construction-related businesses invested a remarkable 188% more in cybersecurity in 2018–19. Data leaks and cyberattacks have jolted sectors worldwide, affecting everyone. 55% of UK businesses experienced a cyberattack in 2019 alone, and the average damage resulting from breaches is £176,000. This is why every company needs to choose an effective cyber protection system to stop attackers from ruining all they have laboriously built. Some of the most significant construction projects in the UK are the result of joint ventures. Joint ventures (JVs) are business entities created by two or more parties, characterized by shared ownership, shared returns and risks, and shared governance. Therefore, the data they manage must be secured to protect vital infrastructure. Joint ventures must secure their websites, computer systems, and data, since failing to protect this information impacts individual firms and may jeopardize national security. To this end, the UK government, in collaboration with the construction sector, has introduced new guidance to promote information security through implementing security best practices in the construction sector.”

Title: SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates
Date Published: September 30, 2022


Excerpt: “The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks. The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks. According to an advisory published by eSentire’s Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer’s website, which was built with the popular open source content management system WordPress. The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google. “This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update,” the advisory noted. “The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website,” the advisory added. “Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page.” It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.”

Recent Posts

July 17, 2023

Title: Thousands of Images on Docker Hub Leak Auth Secrets, Private Keys Date Published: July 16, 2023 https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/ Excerpt: “Researchers at the RWTH Aachen University...

July 14, 2023

Title: Indexing Over 15 Million WordPress Websites with PWNPress Date Published: July 14, 2023 https://securityaffairs.com/148465/hacking/pwnpress-platform.html Excerpt: “Sicuranex’s PWNPress platform indexed over 15 million WordPress websites, it collects data...

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...