November 1, 2022

Fortify Security Team

Title: Google ad for GIMP.org served info-stealing malware via lookalike site
Date Published: November 1, 2022

https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/

Excerpt: “Searching for ‘GIMP’ on Google as recently as last week would show visitors an ad for ‘GIMP.org,’ the official website of the well known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it’d state ‘GIMP.org’ as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware. Up until last week, googling for ‘GIMP’ would bring up a Google ad that’d appear to take you to the open source graphics editor’s official website ‘GIMP.org.’ But instead this malvertising campaign drove visitors to a lookalike, phishing page delivering a malicious ‘Setup.exe’ that appeared to be the GIMP utility for Windows. Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon “replaced with an even more malicious one” which employed a fake replica website ‘gilimp.org’ to serve malware. BleepingComputer observed another domain ‘gimp.monster’ related to this campaign. To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, that is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding.”

Title: FTC Takes Enforcement Action Against EdTech Giant Chegg
Date Published: November 1, 2022

https://www.infosecurity-magazine.com/news/ftc-enforcement-action-edtech/

Excerpt: “The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017. The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and mandated enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data. The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said. The regulator alleged in its complaint that Chegg had failed to adequately protect this information, leading to three successful phishing attacks in the past five years. However, perhaps the most damaging breach was when a former contractor used login information the company shared with employees and outside contractors to access a cloud database holding info on 40 million customers, the FTC said. Some of this information was subsequently sold online.”

Title: Samsung Galaxy Store flaw could have allowed installing malicious apps on target devices
Date Published: November 1, 2022

https://securityaffairs.co/wordpress/137922/mobile-2/samsung-galaxy-store-flaw.html

Excerpt: “A security flaw in the Galaxy Store app for Samsung devices could have potentially allowed remote command execution on affected phones. A now-patched vulnerability in the Galaxy Store app for Samsung devices could have potentially triggered remote command execution on affected phones. The flaw is a cross-site scripting (XSS) bug that can be triggered when handling certain deep links. The vulnerability impacts Galaxy Store version 4.5.32.4, it was reported by an independent security researcher through the SSD Secure Disclosure program. “In the Galaxy Store application, there are some deep links handled. Deeplink can be called from another application or from a browser. When receiving suitable deeplinks Galaxy Store will process and display them via webview.” reads the advisory. “Here, by not checking the deep link securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application.” The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS). The Samsung MCS Direct Page website was parsing the parameter from the url and then displaying it on the website, but it did not encode, leading to an XSS error.”

Title: White House Convenes International Ransomware Summit
Date Published: October 31, 2022

https://www.darkreading.com/risk/white-house-convenes-international-ransomware-summit

Excerpt: “Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure. U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure. The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters. In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.”

Title: Researchers: ‘CosMiss’ vulnerability affecting Microsoft Azure Cosmos DB could give attacker RCE privileges
Date Published: November 1, 2022

https://www.scmagazine.com/analysis/cloud-security/researchers-cosmiss-vulnerability-affecting-microsoft-azure-cosmos-db-could-give-attacker-rce-privileges

Excerpt: “Researchers on Tuesday reported what they called a “highly important” vulnerability within Azure Cosmos DB, a Microsoft-owned NoSQL database used for app development, in which authentication checks were missing from Cosmos DB Notebooks. In a blog post, researchers at Orca Security said the vulnerability – called “CosMiss” – would have let an attacker with knowledge of a notebook’s forwardingID – the universally unique identifier of the Notebook Workspace – to have full permissions on the notebook without having to authenticate. This included read and write access, as well as the ability to modify the file system of the container running the notebook. By modifying the container file system the Orca researchers said they were able to obtain a Remote Code Execution (RCE) in the notebook container. Once they found the flaw, Orca reported it to the Microsoft Security Response Center (MSRC), which fixed the critical issue in two days. The researchers said the two-day fix was “impressive” and a “much faster response” than a previous vulnerability, SynLapse, that they discovered in Azure Synapse.”

Title: Second Health Entity Reports Breach Tied to Meta Pixel Use
Date Published: October 31, 2022

https://www.databreachtoday.com/second-health-entity-reports-breach-tied-to-meta-pixel-use-a-20377

Excerpt: “A second healthcare entity is treating its past use of Facebook’s Pixel website tracking code in patient portals as a data breach requiring regulatory notification. North Carolina-based WakeMed Health and Hospitals reported to the Department of Health and Human Services on Oct. 14 an unauthorized access/disclosure breach affecting nearly 500,000 individuals. The entity’s breach notification statement says “select data” – including email addresses, phone numbers, novel coronavirus vaccine status and appointment information – may have been transmitted to Facebook parent Meta through the social media’s deployable tracking code. Affected information did not include Social Security numbers or other financial information unless it was entered into a free text box by the user, the notification says. WakeMed says it began using Pixel in 2018 and discontinued its use this past May.”

Title: Hackers selling access to 576 corporate networks for $4 million
Date Published: October 31, 2022

https://www.bleepingcomputer.com/news/security/hackers-selling-access-to-576-corporate-networks-for-4-million/

Excerpt: “A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings. Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand. Initial access brokers (IABs) are hackers who sell access to corporate networks, usually achieved through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After establishing a foothold on the network, the threat actors sell this corporate access to other hackers who use it to steal valuable data, deploy ransomware, or conduct other malicious activity.”

Title: Hackers Target Australian Defense Communications Platform With Ransomware
Date Published: October 31, 2022

https://www.infosecurity-magazine.com/news/ransomware-australian-defence/

Excerpt: “Threat actors have conducted a ransomware attack against a communications platform used by Australian military personnel and defense staff. Named ForceNet, the company is one of the defense department’s external service providers employed to run one of its websites. At the time of writing, it would appear that no data has been compromised, according to Assistant Minister For Defense Matt Thistlethwaite, who spoke with ABC Radio earlier today, as reported by Reuters. Still, some private information like dates of birth and enlistment details of military personnel may have been stolen, reported the Australian Broadcasting Corp, citing an unnamed source with knowledge of the matter. ForceNet has become the latest company hacked in Australia, following some of the biggest firms in the country suffering data breaches over the last couple of months. These include telecoms giant Optus, owned by Singapore Telecommunications, and the country’s largest health insurer, Medibank.”

Title: VMware warns of the public availability of CVE-2021-39144 exploit code
Date Published: October 31, 2022

https://securityaffairs.co/wordpress/137912/security/vmware-cve-2021-39144-exploit.html

Excerpt: “VMware warned of the availability of a public exploit for a recently addressed critical remote code execution flaw in NSX Data Center for vSphere (NSX-V). VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for vSphere (NSX-V). VMware NSX is a network virtualization solution that is available in VMware vCenter Server. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance.” reads the advisory published by the company. The product team has also released patches for end-of-life products due to the severity of the vulnerability.”

Title: North Korea Disguising Android Malware as Legitimate Apps
Date Published: October 31, 2022

https://www.databreachtoday.com/north-korea-disguising-android-malware-as-legitimate-apps-a-20368

Excerpt: “North Korean hackers may be targeting Android users south of the demilitarized zone with malware including one variant disguised as a Google security plug-in. Seoul-based cybersecurity company S2W says it spotted three Android malware apps, dubbed FastFire, FastSpy and FastViewer, by studying a server domain used by North Korean hackers in the past. FastFire masquerades as the Google security plugin and, as of S2W’s publication of its blog post last week, had yet to be flagged as malicious in a VirusTotal malware test. FastViewer disguises itself as Hancom Office Viewer and FastSpy is a remote access tool based on AndroSpy. The malware comes from state-sponsored group Kimsuky, also known as Thallium, Black Banshee and Velvet Chollima. Kimsuky has been active since 2012 and charged by Pyongyang with intelligence collection on foreign policy and national security issues related to the Korean peninsula. The U.S. government warned in 2020 that Kimsuky has also been active in the United States and Japan.”
