October 7, 2022

Fortify Security Team
Oct 7, 2022

Title: LilithBot Malware, a new MaaS offered by the Eternity Group
Date Published: October 7, 2022

https://securityaffairs.co/wordpress/136764/breaking-news/lilithbot-malware-eternity-group.html

Excerpt: “Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot.
Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS), it is linked to the Russian “Jester Group,” which is active since at least January 2022. In May, researchers at cybersecurity firm Cyble analyzed a Tor website named named ‘Eternity Project’ that offers for sale a broad range of malware, including stealers, miners, ransomware, and DDoS Bots. The experts discovered the marketplace during a routine investigation, they also discovered that its operators also have a Telegram channel with around 500 subscribers. The channel was used to share information about malware listings and updates.The operators behind the project allow their customers to customize the binary features through the Telegram channel. The operators sell the Stealer module for $260 as an annual subscription; it allows them to steal a lot of sensitive information from infected systems, including passwords, cookies, credit cards, and crypto-wallets. Stolen data are exfiltrated via Telegram Bot. The Eternity Miner module goes for $90 as an annual subscription, customers can customize it with their own Monero pool and AntiVM features. The Eternity operators also sells the clipper malware for $110, it monitors the clipboard for cryptocurrency wallets and replaces them with the wallet address of the attackers.The Eternity Ransomware goes for $490 while the Eternity Worm is available for $390.”

Title: Hacker Exploits Bug to Steal Millions from Binance Bridge
Date Published: October 7, 2022

https://www.databreachtoday.com/hacker-exploits-bug-to-steal-millions-from-binance-bridge-a-20224

Excerpt: “The world’s largest cryptocurrency exchange suspended trading on a smart contract blockchain after a hacker took at least $100 million in stolen cryptocurrency. Independent observers say the attack on the Binance Smart Chain actually netted the hacker $586 million.
Changpeng “CZ” Zhao, chief executive of Binance, says the company asked all validators to suspend BSC and is resolving the issue “Your funds are safe. We apologize for the inconvenience,” Zhao tweeted. He linked to a Reddit post asserting that “the issue is contained now.” BSC uses a consensus mechanism requiring multiple validators to approve transactions. The BSC blockchain runs in parallel with the Binance Chain. The attacker found a vulnerability on the BSC Token Hub, a cross-chain bridge, by exploiting the smart contract blockchain’s internal verification logic, which allowed for a “huge reward claim,” cybersecurity firm PeckShield tells Information Security Media Group. PeckShield also estimates the total loss to be $586 million, saying that $89.5 million of the stolen funds have already been moved off the Binance Smart Chain. The incident is the latest in a series of attacks on cross-chain bridges. Blockchain security company Chainalysis pegs the amount of cryptocurrency stolen from bridges this year at $2 billion. Attacks on bridges accounted for 69% of total funds stolen in 2022 through July, it says. Cross-chain bridges allow the transfer of crypto assets and information across independent blockchains.”

Title: LofyGang hackers built a credential-stealing enterprise on Discord, NPM
Date Published: October 7, 2022

https://www.bleepingcomputer.com/news/security/lofygang-hackers-built-a-credential-stealing-enterprise-on-discord-npm/

Excerpt: “In one shot, Trojan dropper NullMixer installs a suite of downloaders, banking Trojans, stealers, and spyware on victims’ systems. It’s only after a user clicks a malicious link, downloads the malware, and then launches it that NullMixer is deployed. But once the dropper infects a victim’s system, it deploys a whole bunch of bad malware, from spyware to Trojans. The multi hyphenated malware threat lurks among sites promising licensed software workarounds and fake security key generators, according to Kaspersky, which just published a report on NullMixer. The malicious domains appear legitimate to users because those sites have found their way up to the first page of the Google search rankings for keywords like “cracked software” and “keygen,” using advanced search engine optimization (SEO) tools, Kasperky said. Unfortunately, it’s not just home users at risk — thanks to the work-from-home phenomenon and people using personal devices for work purposes, the danger to companies from these kinds of threats is clear and present.”

Title: Meta Sues Chinese Devs Over WhatsApp Malware Plot
Date Published: October 7, 2022

https://www.infosecurity-magazine.com/news/whatsapp-sues-chinese-devs-malware/

Excerpt: “WhatsApp parent company Meta is suing three Chinese developers for allegedly tricking users into downloading fake versions of the app that harvested their login details. WhatsApp and Meta are listed as plaintiffs in the case, filed in the US District Court for the Northern District of California this week, against Hong Kong’s Rockey Tech HK and Beijing Luokai Technology, and Taiwan’s ChitChat Technology. The defendants are accused of distributing at least two malicious apps, “AppUpdater for WhatsPlus 2021 GB Yo FM HeyMods” and “Theme Store for Zap,” which misused WhatsApp trademarks. They were apparently promoted for download on Google Play and third-party app marketplaces. Once installed, the apps collected user credentials, then proceeded “to communicate the user’s credentials to WhatsApp’s computers and obtain the user’s account keys and authentication information.” The malware then allegedly transmitted this access information back to the developers. The developers used access to victims’ WhatsApp accounts to send spam to their contacts, the complaint alleges, according to Law360.The tech giant is suing the trio of developers not only for misusing and infringing upon WhatsApp’s trademarks but also for breaching Meta contract terms. That’s because they created business accounts and Facebook pages.”

Title: Fortinet warns admins to patch critical auth bypass bug immediately
Date Published: October 7, 2022

https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/

Excerpt: “Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices. “An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet explains in a customer support bulletin issued today.”This is a critical vulnerability and should be dealt with the utmost urgency,” the company adds. Fortinet has also emailed customers and advised them to update to the latest available versions immediately. “Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,” the company warned. According to a Shodan search, more than 100,000 FortiGate firewalls are reachable from the Internet, although it’s unknown if their management interfaces are also exposed.”

Title: Watch out, a bug in Linux Kernel 5.19.12 can damage displays on Intel laptops
Date Published: October 6, 2022

https://securityaffairs.co/wordpress/136751/security/linux-kernel-5-19-12-bug.html

Excerpt: “A bug in Linux Kernel 5.19.12 that was released at the end of September 2022 can potentially damage the displays of Intel laptops. Linux users reported the displays of their Intel laptops rapidly blinking, flickering, and showing white flashes after upgrading to Linux kernel version 5.19.12. Linux expert Ville Syrjäl pointed out that the anomalous issue may damage displays. “After looking at some logs we do end up with potentially bogus panel power sequencing delays, which may harm the LCD panel.” wrote Syrjäl. “Greg, I recommend immediate revert of this stuff, and new stable release ASAP. Plus a recommendation that no one using laptops with Intel GPUs run 5.19.12.” Syrjäl argued that the issue ends up with bogus panel power sequencing delays, which may harm the LCD panels. According to BleepingComputer, most impacted Linux users running Arch and Fedora distros on Framework laptops. The issue was addressed with the release of kernel version 5.19.13 on Tuesday. “I’m announcing the release of the 5.19.13 kernel. This release is to resolve a regression on some Intel graphics systems that had problems with 5.19.12.” reads the announcement of the new release by Greg Kroah-Hartman. “If you do not have this problem with 5.19.12, there is no need to upgrade.” Experts recommend users to check the kernel version running on their laptops to avoid upgrading to the buggy Linux release.”

Title: Facebook users warned: You may have downloaded these password-stealing Android and iOS apps
Date Published: October 7, 2022

https://www.zdnet.com/article/facebook-users-warned-you-may-have-downloaded-these-password-stealing-android-and-ios-apps/

Excerpt: “Meta said it has notified a million Facebook users that their usernames and passwords may have stolen after downloading one of over 400 malicious Android and iOS smartphone apps. The apps were discovered in the Google Play Store and Apple’s App Store over the course of the last year, posing as popular kinds of apps. According to Meta, four in ten of the apps posed as photo editors, while others posed as games, VPNs, health trackers, business applications, flashlight enhancers and other services to trick users into downloading them. Users who downloaded the malicious apps were asked to login with their Facebook account before they could use the features they were promised – and if the user entered their username and password, it handed their credentials to the attackers. And even if they do this, many of the apps were useless and did not provide the functions they advertise – because at this point the attackers have already got what they wanted. With stolen login information, attackers can gain access to a person’s account, providing them with the ability to access private information, or send malicious phishing messages to the victim’s contacts. And if the victim also uses their Facebook account to login to other applications and services, the attackers will also be able to access those – and potentially gain access to additional sensitive data.”

Title: Russian Hackers Shut Down US State Government Websites
Date Published: October 6, 2022

https://www.darkreading.com/attacks-breaches/russian-hackers-shut-down-state-government-sites

Excerpt: “A hacktvist group with ties to the Russian government has claimed credit for cyberattacks on the government websites of three US states: Colorado, Kentucky, and Mississippi. The sites for Mississippi and Kentucky were functioning Thursday, following the Russian cyberattacks, while the Colorado State Official Web Portal was displaying a message that the “homepage is currently offline,” earlier in the day. By Thursday afternoon, the homepage appeared back online. Reports of the compromise of state government systems by the so-called Killnet hacktivist group is particularly alarming in light of upcoming November US midterm elections, which rely on individual states to administer voting.”

Title: Managed detection and response (MDR): How to get the most out of it
Date Published: October 6, 2022

https://www.scmagazine.com/resource/ransomware/managed-detection-and-response-mdr-how-to-get-the-most-out-of-it

Excerpt: “Security teams have learned the hard way that technology alone won’t stop every cyberattack. The task also requires the human element: threat hunting, investigation, and response. To fuse the technological with the human, many organizations have turned to managed detection and response (MDR) services. MDR offerings provide remotely delivered security operations center capabilities to detect, investigate and mitigate incidents. While threat hunting can be performed in house using EDR (endpoint detection and response) and XDR (extended detection and response) tools, security experts have cited extensive benefits to using an MDR service either alongside an in-house team or as a fully outsourced service:

  • Elevated cyber defenses: An MDR vendor will experience a far greater volume and variety of attacks than any individual organization, giving them a level of expertise that is almost impossible to replicate in house. MDR service providers often have greater fluency in using threat hunting tools, enabling them to respond more quickly and accurately.
  • Greater IT capacity: One big benefit of MDR – it frees security teams up to support business-focused initiatives. Threat hunting is time-consuming and unpredictable work that often prevents IT teams from focusing on more strategic projects. Organizations using MDR report considerable IT efficiency gains, which in turn enables them to better support their organization’s goals.
  • Added expertise without added headcount: Threat hunting is a highly complex operation. Individuals in this space need to possess a specific and niche set of skills, which makes recruiting threat hunting expertise an uphill task for many organizations. MDR services provide that added expertise.
  • Improved ROI: MDR services provide a cost-effective way to secure an organization and stretch cybersecurity budgets further, greatly reducing the risk of experiencing a costly data breach and avoiding the financial pain of dealing with a major incident.”

Title: Hackers Have It Out for Microsoft Email Defenses
Date Published: October 6, 2022

https://www.darkreading.com/remote-workforce/hackers-have-it-out-for-microsoft-email-defenses

Excerpt: “Cybercriminals are focusing more and more on crafting special email attacks that evade Microsoft Defender and Office security. Increasingly, cyberattackers are laser-focused on crafting attacks that are specialized to bypass Microsoft’s default security, researchers say which is going to require a shift in defense posture for organizations going forward. “Many hackers think of email and Microsoft 365 as their initial points of compromise, [so they] will test and verify that they are able to bypass Microsoft’s default security,” according to a new report from Avanan that flags an uptick in its customer telemetry of malicious emails landing in Microsoft-protected email boxes. “This does not mean that Microsoft’s security got worse. It means that the hackers got better, faster, and learned more methods to obfuscate and bypass the default security.” Some of the eye-catching numbers in the report, gleaned from analyzing 3 million corporate emails in the past year, include:

  • About 19% of phishing emails observed by Avanan bypassed Microsoft Exchange Online Protection (EOP) and Defender.
  • Since 2020, Defender’s missed phishing rates among Avanan’s customers have increased by 74%.
  • On average, Defender sends only 7% of phishing messages received by Avanan customers to the Junk folder.
  • In good news: Microsoft flagged and blocked 93% of business email compromise attempts.
  • Microsoft catches 90% of emails booby-trapped with malware-laden attachments.

Again, the numbers speak to the evolution of phishing and the fact that attackers are increasingly using tactics like leveraging legitimate services to avoid including obviously malicious links in emails, using masking techniques like vanity URLs, and avoiding attachments altogether.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...