October 31, 2022

Fortify Security Team
Oct 31, 2022

HAPPY HALLOWEEN 

Title: Europe’s Biggest Copper Producer Hit by Cyber-Attack
Date Published: October 31, 2022

https://www.infosecurity-magazine.com/news/europes-biggest-copper-producer/

Excerpt: “The world’s second largest copper producer has been hit by a cyber-attack which forced IT systems offline. Hamburg-headquartered Aurubis revealed in a brief statement that the attack struck on Friday evening. “This was apparently part of a larger attack on the metals and mining industry,” it said. “As a result, numerous systems at Aurubis sites had to be shut down and disconnected from the internet as a preventive measure.” It’s unclear exactly what the impact has been on production. Aurubis claims to produce over one million tons of copper cathodes each year and is the world’s largest recycler of the metal. Copper is an increasingly important metal, used among other things in renewable energy production, electric vehicles and energy storage technologies. “The primary goal is to keep production and the procurement of raw materials as well as the delivery of metals and products running. However, Aurubis is not yet able to provide any information on when the systems will be fully functional again,” its statement concluded. “The production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually. Transitional solutions are being implemented to make the company’s full services available to business partners again starting next week. Customers and suppliers can still reach their Aurubis contacts by phone.” It’s unclear what the “larger attack” on the metals industry was, but the steps taken by Aurubis are similar to those taken when organizations find ransomware on their networks.”

Title: BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider
Date Published: October 30, 2022

https://securityaffairs.co/wordpress/137803/cyber-crime/blackbyte-ransomware-asahi-group-holdings.html

Excerpt: “The BlackByte ransomware group claims to have compromised Asahi Group Holdings, a precision metal manufacturing and metal solution provider. Asahi Group Holdings, Ltd. is a precision metal manufacturing and metal solution provider, for more than 40 years, the company has been delivering end-to-end services in the industries of precision metals and thin-film coatings with different teams of experts. he BlackByte ransomware group claims to have stolen gigabytes of documents from Asahi Group Holdings, including financial and sales reports. The ransomware gang is demanding 500k$ to buy data and 600k$ to delete the stolen data. The BlackByte ransomware operation has been active since September 2021, in October 2021 researchers from Trustwave’s SpiderLabs released a decryptor that can allow victims of early versions of BlackByte ransomware to restore their files for free.”

Title: Final Twilio Smishing Victim Count Reaches 209
Date Published: October 28, 2022

https://www.databreachtoday.com/final-twilio-smishing-victim-count-reaches-209-a-20362

Excerpt: “Customer engagement platform Twilio says the number of customers affected by a phishing campaign that coaxed employees of the San Francisco company into permitting attackers to bypass multi factor authentication protections will stand at a final tally of 209. The company was one of a handful targeted this summer by campaign dubbed 0ktapus or Scatter Swine that fooled employees with authentic-appearing multi factor login pages delivered via an SMS text telling the recipient to change their password (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort). The fake pages captured login data including one-time verification codes, allowing attackers entry into the company network. Twilio has steadily ratcheted upward the number of customers affected by the breach, at first disclosing in August that 125 customers had their data accessed by the malicious actors. The finally tally will be 209 companies, Twilio said Thursday. The company says it has a customer base of more than 270,000 companies. It also says it found no evidence that the attackers accessed console account credentials, authentication tokens, or API keys.”

Title: Urgent: Google Issues Emergency Patch for Chrome Zero-Day
Date Published: October 28, 2022

https://www.darkreading.com/vulnerabilities-threats/urgent-google-issues-emergency-patch-chrome-zero-day

Excerpt: “An undocumented dropper uses a new technique of reading commands from Internet Information Services (IIS) logs to carry out intelligence gathering and deliver backdoors, according to Symantec. Symantec’s blog post noted that the dropper, Trojan.Geppei, is linked to a threat actor Symantec calls Cranefly (aka UNC3524) to install undocumented malware and tools. Cranefly is a hacking group that targets corporate networks to steal emails from employees that deal with larger financial transactions, such as mergers and acquisitions. “We have never seen this technique used to date in real-world attacks. It could, in theory, be used to deliver different types of malware if leveraged by threat actors with different goals,” Brigid O Gorman, senior intelligence analyst at Symantec threat hunter team, told SC Media. During the malicious activity, the dropper reads commands from a legitimate IIS log, which is meant to record data from IIS, including web pages and apps.”

Title: New Azov data wiper tries to frame researchers and BleepingComputer
Date Published: October 30, 2022

https://www.bleepingcomputer.com/news/security/new-azov-data-wiper-tries-to-frame-researchers-and-bleepingcomputer/

Excerpt: “A new and destructive ‘Azov Ransomware’ data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack. The Azov Ransomware falsely claims to have been created by a well-known security researcher named Hasherazade and lists other researchers, myself, and BleepingComputer, as involved in the operation. The ransom note, named RESTORE_FILES.txt, says that devices are encrypted in protest of the seizure of Crimea and because Western countries are not doing enough to help Ukraine in their war against Russia. The ransom note tells victims to contact BleepingComputer, MalwareHunterTeam, Michael Gillespie, or Vitali Kremez on Twitter to recover files, falsely implying that they are part of the ransomware operation. To be clear, those listed in the ransom note are not associated with this ransomware and are being framed by the threat actor. Therefore, we, unfortunately, do not have the decryption keys and cannot help. Furthermore, as there is no way to contact the threat actors to pay a ransom, this malware should be treated as a destructive data wiper rather than ransomware.”

Title: FBI and CISA: Here’s what you need to know about DDoS attacks
Date Published: October 31, 2022

https://www.zdnet.com/article/fbi-and-cisa-heres-what-you-need-to-know-about-ddos-attacks/

Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning organizations to take proactive steps to reduce the impact of distributed denial-of-service (DDoS) attacks. DDoS attacks can be cheap to create but disruptive, so it could be worthwhile for network defenders to take a look at CISA’s and the FBI’s guidance as a backup to what they likely already know about the attacks, which can overload networks, protocols, and applications. DDoS attacks use networks of compromised internet-connected devices to overwhelm targets with junk traffic. In the past, attackers have abused Network Time Protocol, Memcached and other protocols to amplify DDoS attacks.”A DoS attack is categorized as a distributed denial-of-service (DDoS) attack when the overloading traffic originates from more than one attacking machine operating in concert. DDoS attackers often leverage a botnet—a group of hijacked internet-connected devices—to carry out large-scale attacks that appear, from the targeted entity’s perspective, to come from many different attackers,” CISA says in its guidance. CISA highlights that Internet of Things (IoT) devices are a notable source of DDoS problems, thanks to the use of default passwords and poor security from device makers. IoT devices, like standard home routers, are a problem because they lack a user interface, meaning users can’t be informed on the device by the vendor when to apply a security patch. The White House this month proposed an IoT security-labeling scheme that will come into force in the Spring of 2023. The EU is also planning a CE-style labeling scheme for IoT devices.”

Title: Russia Suspected in Truss Phone Hacking Scandal
Date Published: October 27, 2022

https://www.darkreading.com/application-security/cyberttackers-target-instagram-users-threats-copyright-infringement

Excerpt: “Former UK Prime Minister Liz Truss’s personal phone was hacked earlier this year by suspected foreign agents, putting national security at risk, according to a new report on Sunday. Unnamed “security sources” told the Mail on Sunday that the incident was discovered during the Conservative Party leadership contest over the summer, causing Truss sleepless nights as she worried it may impact her chances of winning. However, then-Prime Minister Boris Johnson and cabinet secretary Simon Case are said to have imposed a total news blackout on the incident. “It is not a great look for the intelligence services if the foreign secretary’s phone can be so easily plundered for embarrassing personal messages by agents presumed to be working for Vladimir Putin’s Russia,” a security source told the paper. No evidence was given linking the breach to the Kremlin, although it’s believed that a year’s worth of messages were downloaded from Truss’s device by an unauthorized intruder. These apparently included “highly sensitive” conversations with other countries’ foreign ministers about the war in Ukraine, including detailed discussions about arms shipments. The use by ministers of personal devices and consumer-grade services for government business is creating unacceptable national security risks, according to security experts.”

Title: GitHub flaw could have allowed attackers to takeover repositories of other users
Date Published: October 27, 2022

https://securityaffairs.co/wordpress/137866/hacking/github-flaw-repojacking.html

Excerpt: “A critical flaw in the cloud-based repository hosting service GitHub could’ve allowed attackers to take over other repositories. The cloud-based repository hosting service GitHub has addressed a vulnerability that could have been exploited by threat actors to takeover the repositories of other users. The vulnerability was discovered by Checkmarx that called the attack technique RepoJacking. The technique potentially allowed attackers to infect all applications and code in the repository. “The Checkmarx SCS (Supply Chain Security) team found a vulnerability in GitHub that can allow an attacker to take control over a GitHub repository, and potentially infect all applications and other code relying on it with malicious code.” reads the post published by Checkmarx. “If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers. This means that thousands of packages could have been hijacked immediately and start serving malicious code to millions of users.” The researchers discovered that the vulnerability resides in the “popular repository namespace retirement” mechanism and developed an open-source tool to identify and help mitigate the risk of exploitation of bugs in this mechanism.”

Title: ConnectWise fixes RCE bug exposing thousands of servers to attacks
Date Published: October 28, 2022

https://www.bleepingcomputer.com/news/security/connectwise-fixes-rce-bug-exposing-thousands-of-servers-to-attacks/

Excerpt: “ConnectWise has released security updates to address a critical vulnerability in the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions. The security flaw is due to an injection weakness described by the company in an advisory issued today as “Improper Neutralization of Special Elements in Output Used by a Downstream Component.” Affected software versions include ConnectWise Recover or earlier and R1Soft SBM v6.16.3 or earlier. Connectwise added that this is a critical severity vulnerability that could enable attackers to access confidential data or execute code remotely. It also tagged it as a high-priority issue, as a flaw that’s either exploited in attacks or at a high risk of being targeted in the wild. Discovered by Code White security researcher Florian Hauser and expanded by Huntress Labs security researchers John Hammond and Caleb Stewart, the vulnerability can be used to “push ransomware” through thousands of R1Soft servers exposed on the Internet, according to Huntress Labs CEO Kyle Hanslovan. According to a Shodan scan, more than 4,800 Internet-exposed R1Soft servers are likely exposed to attacks if they haven’t been patched since ConnectWise has released patches for this RCE bug.”

Title: Cyber Events Disrupt Polish, Slovakian Parliament IT Systems
Date Published: October 28, 2022

https://www.databreachtoday.com/cyber-events-disrupt-polish-slovakian-parliament-systems-a-20358

Excerpt: “Parliamentary IT systems in two Eastern European capitals were disrupted Thursday by apparent cyberattacks. A distributed denial-of-service attack with connections to Russia briefly disabled the Polish Senate website on Thursday while the speaker of Slovakia’s Parliament postponed voting after announcing that internal IT systems were not working. The attack on the Polish Senate website came a day after the chamber unanimously voted to recognize Russia as a “terrorist regime” following Moscow’s invasion of Ukraine. “Russian invaders have been terrorizing the populations of Ukrainian cities by shelling civilian targets: kindergartens, schools, theaters and residential estates,” reads the official English translation of the resolution. “The attack was multidirectional, including from inside the Russian Federation,” the Polish Senate said in a statement reported by the Polish Press Agency. A hacker group calling itself the Cyber Army of Russia on early Thursday called for an attack on the Polish website through its Telegram channel. It later posted news coverage of the attack.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...