October 4, 2022

Fortify Security Team

Title: Russian Hackers Take Aim at Kremlin Targets: Report
Date Published: October 4, 2022


Excerpt: “Russian threat actors have begun launching cyber-attacks at targets inside their country, in retaliation for what they see as a needless war with Ukraine, according to a new report. The Kyiv Post claimed to have spoken to members of the National Republican Army (NRA), a Russian hacking outfit working towards the overthrow of the Putin regime. Their first target was Unisoftware, a Russian software developer that reportedly works closely with government clients. The group claimed to have stolen all data held by the firm, including: banking and personal account credentials, employee information, phone numbers, addresses, contracts, and proprietary code for Unisoftware clients and software. Among the trove was apparently data from several Russian clients. The paper confirmed the authenticity of this after reviewing materials shared by the NRA. “It’s funny because they tried to kick us out and fix the machines,” an NRA member reportedly told the Kyiv Post. “They don’t understand that we are still there, and have been there for months, and will continue to terrorize them for helping maintain the Putin regime.” The group also claimed to have compromised other clients, although details of these couldn’t be verified in the report. However, one potential target could have been Russian IT retail giant DNS, which admitted in a brief statement earlier this week that it had been breached. It revealed that although passwords and bank card data was safe, an unspecified volume of personal information on customers and employees had been compromised.”

Title: Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub
Date Published: October 3, 2022


Excerpt: “Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange. Working with Trend Micro’s Zero Day Initiative, the researchers disclosed the vulnerabilities privately to Microsoft, who confirmed that the bugs were being exploited in attacks and that they were working on an accelerated timeline to release security updates. “Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization,” Microsoft shared in an analysis of the attacks. Security researchers are keeping the technical details of the vulnerabilities private, and it appears only a small number of threat actors are exploiting them. Due to this, other researchers and threat actors are awaiting the first public disclosure of the vulnerabilities to use in their own activities, whether defending a network or hacking into one.”

Title: Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group
Date Published: October 4, 2022


Excerpt: “Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying post-intrusion ransomware families to cover up the cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. “Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia,” reads the post published by Sygnia. “‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users. This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based in China. Contrary to publicly available information, Cheerscrypt ransomware makes use of payloads that target both Windows and ESXi environments.” Cheerscrypt was first analyzed by Trend Micro in May 2022. Like other ransomware families employed by the APT group, the Cheerscrypt ransomware encryptor was also created from the code of Babuk ransomware, which was leaked online in June 2021.
Unlike other ransomware gangs, the DEV-0401 group doesn’t rely on a network of affiliates; it directly manages every single phase of the attack chain, from the initial access to the data exfiltration. In attacks that took place in January 2022, the hackers gained initial access to VMware Horizon servers by exploiting the critical Log4Shell vulnerability in Apache Log4j, then they dropped a PowerShell payload used to deliver an encrypted Cobalt Strike beacon.”

Title: Bumblebee Malware Loader’s Payloads Significantly Vary by Victim System
Date Published: October 3, 2022


Excerpt: “On some systems the malware drops infostealers and banking Trojans; on others it installs sophisticated post-compromise tools, new analysis shows. A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems. On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.”

Title: Hacker Steals $29M From Transit Finance, Returns $19M
Date Published: October 3, 2022


Excerpt: “A hacker stole $28.9 million by exploiting a bug in decentralized exchange aggregator Transit Finance on Sunday. Within two days of the theft, the thief returned nearly $18.9 million, keeping a $2 million “bug bounty.” The company halted its cross-chain digital asset swapping services and suspended the faulty contract but has not yet issued a fix for the bug. Transit Finance’s internal security team and blockchain security firms PeckShield, SlowMist, Bitrace and TokenPocket helped uncover the attacker’s IP, email and associated on-chain addresses over the weekend, the victim company said in a series of tweets on Sunday. “The incident is still being progressed and resolved, and we will continue to communicate and try our best to recover more assets for users,” it added in a Monday update. The incident affected a “large number of users” who will be refunded “as soon as possible,” the company said, without providing specific numbers. The attacker also became the victim of a cyberattack, with an arbitrage bot stealing $1.1 million when the attacker illegally transferred stolen funds from a user account, SlowMist says.”

Title: Victims of these online crooks lacked a key security feature. Don’t make the same mistake
Date Published: October 4, 2022


Excerpt: “There has been a big rise in business email compromise (BEC) attacks – and most victims work at organizations that weren’t using multi-factor authentication (MFA) to secure their accounts. BEC attacks are one of the most lucrative forms of cyber crime: according to the FBI, the combined total lost is over $43 billion and counting, with attacks reported in at least 177 countries. These attacks are relatively simple for cyber criminals to carry out – all they need is access to an email account and some patience as they try to trick victims into making financial transfers under false pretenses. This commonly involves sending messages to employees, purportedly from their boss or a colleague, that suggest a payment – often very large – must be made quickly in order to secure an important business deal. More advanced BEC attacks hack into a company account and use a legitimate email address to make the payment request. It’s even been known for scammers to monitor inboxes for long periods of time, only choosing to strike when a real business transaction is about to be made – at which point they cut in and direct the payment to their own account.”

Title: Shangri-La Hotels Hit by Data Breach Incident
Date Published: October 3, 2022


Excerpt: “A cybersecurity incident at Shangri-La Group hotels may affect hundreds of thousands of guests who visited the Asian hotel chain’s flagship properties. The Hong Kong-based hotel and commercial real estate company operates 104 hotels in Asia under different names including Traders and Jen. It says the breach mainly affects Shangri-La-branded hotels in Hong Kong, Singapore, Tokyo, Thailand and Taiwan. One Kerry Hotel-branded location in Hong Kong is also affected by the actions of someone the company calls “a sophisticated threat actor” who bypassed monitoring systems to access the guest database. Attackers did not encrypt data, and the company says it is unable to provide details about the culprit. The hotel chain has “not been able to confirm the exact contents of the exfiltrated data files,” Olivia Christensen, assistant vice president for corporate communications at Shangri-La Hotels and Resorts, tells Information Security Media Group. Affected databases contained data including guest names, email addresses, phone numbers, postal addresses and reservation dates. The hotel chain encrypts identifying information such as passport numbers, birthdates and payment card numbers in its database, Christensen says.”

Title: First 72 Hours of Incident Response Critical to Taming Cyberattack Chaos
Date Published: October 3, 2022


Excerpt: “Cybersecurity professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organizations. A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incident responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey’s results. Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security’s X-Force response team.”

Title: FBI warns of “Pig Butchering” cryptocurrency investment schemes
Date Published: October 4, 2022


Excerpt: “The Federal Bureau of Investigation (FBI) warns of a rise in ‘Pig Butchering’ cryptocurrency scams used to steal ever-increasing amounts of crypto from unsuspecting investors. The warning was issued as a Private Industry Notification from the FBI Miami Field Office in coordination with the Internet Crime Complaint Center (IC3) yesterday to raise awareness among cryptocurrency investors who are increasingly being targeted by these types of scams. Pig Butchering is a relatively new social engineering scam where fraudsters contact people (the “Pigs”) on social media and build trust by engaging in long-term communication, establishing the idea of a fabricated friendship or romantic partnership. Sometimes, the scammers impersonate real friends of the target. At some point, the fraudsters propose that the victim invests in cryptocurrency on phony platforms that aren’t linked to an actual cryptocurrency exchange or market. Victims visiting these fake investment dashboards see massive returns, thinking their investment is already generating profit. The fake investment returns prime the target for the next stage of the scam, which is to press them to invest ever-increasing amounts and not withdraw anything. At some point, the victim attempts to cash out on their investments, which is when they are told that they need to pay income taxes first, additional processing fees, international transaction costs, etc. Eventually, the fraudster stops communication and shuts down the fake crypto exchange, or the victim gives up after realizing they have been scammed. Unfortunately, this can be months into the scam with the victim already giving huge amounts of funds to the fraudsters ranging from thousands to millions of dollars.”

Title: RansomEXX gang claims to have hacked Ferrari and leaked online internal documents
Date Published: October 3, 2022


Excerpt: “The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of a cyber attack. Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online; the company confirmed their authenticity, stating it is not aware of cyber attacks. Ferrari is investigating the leak of the internal documents and announced it will implement all the necessary actions. While the circumstances suggest the company could have suffered a ransomware attack, the car manufacturer said that it has no evidence of a compromise of its systems or ransomware; it also added that its business and operations were not impacted. The news of the alleged cyber attack was first reported by the Italian website Red Hot Cyber, which reported that the ransomware gang RansomEXX claimed to have breached the popular car maker on its Tor leak site. The ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.”
