October 6, 2022

Fortify Security Team

Title: FBI: Cyberattacks targeting election systems unlikely to affect results

Date Published: October 6, 2022


Excerpt: “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), in a public service announcement, say that cyber activity attempting to compromise election infrastructure is unlikely to cause a massive disruption or prevent voting. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) assessed the associated risks over time, and neither agency has seen evidence of malicious interference having any measurable impact. “As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information,” reads the PSA from the FBI and CISA. “Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes,” the two agencies say in the report. The announcement further explains that election officials are empowered by a set of technological tools and strict procedural controls that greatly mitigate the likelihood of phishing, denial of service, domain spoofing, or ransomware attacks that may affect the voting process in any way. This includes the availability of voting systems, the confidentiality of the votes, and the integrity of the election infrastructure. Some of the mentioned fail-safes include provisional ballots and backup pollbooks, logic and accuracy testing on the voting systems, and conducting extensive post-election audits. In conclusion, the FBI and CISA state that manipulating votes in a meaningful way would be difficult to pass undetected.”

Title: “Egypt Leaks” – Hacktivists are Leaking Financial Data

Date Published: October 6, 2022


Excerpt: “Researchers at cybersecurity firm Resecurity spotted a new group of hacktivists targeting financial institutions in Egypt. Resecurity, a California-based cybersecurity company protecting Fortune 500 corporations globally, has noticed a new group of hacktivists targeting financial institutions in Egypt. The bad actors go under the campaign “EG Leaks” (also known as “Egypt Leaks”), and they have started leaking large volumes of compromised payment data belonging to the customers of major Egyptian banks on the Dark Web. The first mention of this activity was detected in a Telegram channel created to leak Excel files containing 12,229 credit cards. The leaked data includes references to PII belonging to potential customers of major banks in Egypt – including National Bank of Egypt, HSBC Bank Egypt, Bank of Alexandria, Banque Misr, Alexbank, Credit Agricole Egypt, and multiple other banks. While some of the data seem to be incomplete, it was confirmed that the data contained multiple customers with valid details; these customers were contacted individually to confirm and validate it.”

Title: NullMixer Dropper Delivers a Multimalware Code Bomb

Date Published: October 6, 2022


Excerpt: “In one shot, Trojan dropper NullMixer installs a suite of downloaders, banking Trojans, stealers, and spyware on victims’ systems. It’s only after a user clicks a malicious link, downloads the malware, and then launches it that NullMixer is deployed. But once the dropper infects a victim’s system, it deploys a whole bunch of bad malware, from spyware to Trojans. The multi-hyphenated malware threat lurks among sites promising licensed software workarounds and fake security key generators, according to Kaspersky, which just published a report on NullMixer. The malicious domains appear legitimate to users because those sites have found their way up to the first page of the Google search rankings for keywords like “cracked software” and “keygen,” using advanced search engine optimization (SEO) tools, Kaspersky said. Unfortunately, it’s not just home users at risk — thanks to the work-from-home phenomenon and people using personal devices for work purposes, the danger to companies from these kinds of threats is clear and present.”

Title: Patients Affected By Cybersecurity Event at Hospital Chain

Date Published: October 5, 2022


Excerpt: “A cybersecurity incident is affecting medical care delivery in some facilities belonging to Chicago-based CommonSpirit Health, a system of 1,500 healthcare sites across 21 states. CommonSpirit, the largest Catholic health system and the second-largest nonprofit hospital chain in the United States, “is managing an IT security issue that is impacting some of our facilities,” a spokeswoman said in a statement provided to Information Security Media Group. The spokeswoman characterized a decision to take offline some electronic health records and other systems, which has resulted in some patients being turned away, as a “precautionary” step. Among the CommonSpirit facilities affected are several Nebraska hospitals, including MercyOne Des Moines Medical Center; multiple Omaha-area facilities including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center; and Memorial Hospital in Chattanooga, Tennessee. Cyber incidents, including ransomware attacks, involving larger healthcare organizations can have outsized impact on their surrounding communities.”

Title: This sneaky ransomware attack tries to switch off your security software

Date Published: October 6, 2022


Excerpt: “A major ransomware gang is using a new technique that allows attacks to bypass detection by security products by exploiting a vulnerability in more than 1,000 drivers used in antivirus software. The technique has been detailed by cybersecurity researchers at Sophos, who’ve seen it being used in attacks by the BlackByte ransomware gang. BlackByte is a relatively new ransomware operation, but a series of attacks going after critical infrastructure and other high-profile targets have led to the FBI issuing a warning about the group. Now the BlackByte ransomware gang is apparently using CVE-2019-16098, a vulnerability in RTCore64.sys, a graphics utility driver for Windows systems. This driver is legitimately used for overclocking by providing extended control over the graphics card. However, by exploiting the vulnerability, attackers who have gained access to an authenticated user account can read and write to arbitrary memory, which could be exploited for privilege escalation, code execution or accessing information.”

Title: US Healthcare Giant CommonSpirit Hit by Possible Ransomware

Date Published: October 6, 2022


Excerpt: “One of the largest non-profit healthcare providers in the US has been hit by a suspected ransomware attack which has already impacted multiple locations around the country. CommonSpirit claims to run over 1000 sites and 140 hospitals in 21 states. In a brief message yesterday it said it had “identified an IT security issue” affecting some facilities. “We have taken certain systems offline. We are continuing to investigate this issue and follow existing protocols for system outages,” it continued. “We are grateful to our staff and physicians, who are doing everything possible to minimize the impact to our patients. We take our responsibility to our patients very seriously and apologize for any inconvenience.” One impacted hospital, MercyOne Des Moines Medical Center, reportedly took certain IT systems offline as a precaution, meaning it currently has no access to electronic health records. Omaha-based Lakeside Hospital, Creighton University Medical Center – Bergan Mercy, and Immanuel Medical Center are also said to be affected in a similar manner. There’s no official confirmation yet on what caused the “IT security issue,” although security experts on Twitter are blaming it on ransomware actors. Researcher Kevin Beaumont cited “IR chatter” as pointing to “ransomware for sure,” while Emsisoft threat analyst Brett Callow said “unconfirmed reports” also blamed extortionists for the incident.”

Title: Hundreds of Microsoft SQL servers backdoored with new malware

Date Published: October 5, 2022


Excerpt: “Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world. Maggie is controlled through SQL queries that instruct it to run commands and interact with files. Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridgehead into the server’s network environment. The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of the DCSO CyTec. Telemetry data shows that Maggie is more prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.”

Title: 19-Year-Old man arrested for misusing leaked record from Optus Breach

Date Published: October 6, 2022


Excerpt: “The Australian Federal Police (AFP) has arrested a 19-year-old teen from Sydney for allegedly attempting to use data leaked after the Optus data breach in a fraudulent scheme aimed at extorting victims via SMS scams. Early this week, the company confirmed that the breach impacted nearly 2.1 million individuals. “A Sydney man, 19, has been charged for allegedly attempting to misuse stolen Optus customer data in a text message blackmail scam,” reads the announcement published by the AFP. The Rockdale man is scheduled to appear in a Sydney Court on 27 October (2022) to face two offences that carry a maximum penalty of 10 and 7 years’ imprisonment. The arrest is the result of Operation Guardian, led by the AFP, which became aware of a number of text messages demanding some Optus customers transfer $2000 to a bank account or face their personal information being used for financial crimes. The authorities determined that the data used in this criminal activity were from the 10,200 records stolen from the telecommunications giant last month. The database belonging to the company was leaked on a cybercrime forum.”

Title: CISA: Multiple APT Groups Infiltrate Defense Organization

Date Published: October 5, 2022


Excerpt: “Advanced attackers gained access to Microsoft Exchange services, conducted searches of email, and used an open source toolkit to collect data from the network for nearly a year. Multiple advanced persistent threat (APT) groups gained access to the network of a US-based defense organization in January 2021, extensively compromising the company’s computers, network, and data for nearly a year, three government agencies stated in a joint advisory on Oct. 4. The attackers had access to the organization’s Microsoft Exchange Server and used a compromised administrator account to collect information and move laterally in the IT environment as early as mid-January 2021, according to the advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). The attackers gained access to email messages and defense contract information, collected credentials to elevate user privileges, and deployed a custom exfiltration tool, CovalentStealer, to move the data to an external server.”

Title: RDP Attacks Decline 89% in Eight Months

Date Published: October 6, 2022


Excerpt: “Detections of RDP password-guessing attacks declined from 123 billion in the first four months of the year to 13 billion in the period May–August, according to new data from ESET. The security vendor’s Threat Report series is compiled using telemetry from its products. Unusually, it analyzes the threat landscape over four-month periods, with this report covering T2 2022: May–August. It revealed an 89% decline in total RDP attack detections from T1 to T2 2022, and a 23% drop in unique clients reporting attacks over the period. Most of the attacks recorded were aimed at targets in Poland, the US and Spain, with Russian IPs accounting for most (31%) detections. ESET pointed to several drivers behind the decline in RDP compromise attempts, including changes in working patterns, which may mean remote connections are being used less, and defensive improvements.”
