November 10, 2022

Fortify Security Team
Title: New Strelastealer Malware Steals Your Outlook, Thunderbird Accounts

Date Published: November 10, 2022

https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-steals-your-outlook-thunderbird-accounts/

Excerpt: “A new information-stealing malware named ‘StrelaStealer’ is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. This behavior deviates from most info-stealers, which attempt to steal data from various data sources, including browsers, cryptocurrency wallet apps, cloud gaming apps, the clipboard, etc. The previously unknown malware was discovered by analysts at DCSO CyTec, who report that they first saw it in the wild in early November 2022, targeting Spanish-speaking users. StrelaStealer arrives on the victim’s system via email attachments, currently ISO files with varying content.”

Title: InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

Date Published: November 9, 2022

https://www.darkreading.com/vulnerabilities-threats/use-of-interplanetary-file-system-for-phishing-malware-distribution-is-growing

Excerpt: “As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks. Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said. “Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them,” Talos said in a report summarizing the threat.”

Title: A Bug in ABB Totalflow Flow Computers Exposed Oil and Gas Companies to Attack

Date Published: November 10, 2022

https://securityaffairs.co/wordpress/138331/security/abb-totalflow-flaw.html

Excerpt: “A flaw in the ABB Totalflow system used in oil and gas organizations could be exploited by an attacker to inject and execute arbitrary code. Researchers from industrial security firm Claroty disclosed details of a vulnerability affecting ABB Totalflow flow computers and remote controllers. Flow computers are used to calculate volume and flow rates for oil and gas that are critical to electric power manufacturing and distribution. The critical systems are widely used by oil and gas organizations worldwide. The vulnerability, CVE-2022-0902 (CVSS score: 8.1), is a path-traversal issue that can be exploited by an attacker to inject and execute arbitrary code. According to Claroty experts, the vulnerability resides in the implementation of the Totalflow TCP protocol in ABB G5 products. “Team82 found a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB’s TotalFlow Flow Computers and Remote Controllers. Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code.” reads an advisory published by Claroty. The industrial automation giant ABB addressed the flaw with the release of firmware updates on July 14, 2022. The researchers initially discovered an authentication bypass issue, then explored the systems looking at functionalities available to authenticated users such as uploading and downloading configuration files.”

Title: Malware Redirects 15,000 Sites in Malicious SEO Campaign

Date Published: November 10, 2022

https://www.infosecurity-magazine.com/news/malware-redirects-15000-sites/

Excerpt: “Security researchers have spotted an intriguing malware campaign designed to increase the search engine rankings of spam websites under the control of threat actors. Over 15,000 WordPress and other sites have been redirected to the spam Q&A sites, according to Sucuri. The hackers are using modified WordPress PHP files and, in some cases, their own PHP files to achieve the redirects, with targeted sites on average containing 100 infected files each. The destination spam sites, of which Sucuri has so far found 14, have their servers hidden behind a CloudFlare proxy. “The sites seem to be using the same Q&A pattern and are built using the Question2Answer (Q2A) open source Q&A platform. According to their website, this platform is currently powering over 24,500 sites in 40 languages,” the vendor explained. “The attackers’ spam sites are populated with various random questions and answers found to be scraped from other Q&A sites. Many of them have cryptocurrency and financial themes.” Although no malicious activity has been detected on these spam sites as yet, the actors behind this campaign could “arbitrarily add malware” to them or redirect visitors again to malicious third-party sites, Sucuri warned.”

Title: IT Army of Ukraine Targets Russian Banks

Date Published: November 9, 2022

https://www.databreachtoday.com/army-ukraine-targets-russian-banks-a-20443

Excerpt: “Ukraine’s group of hacktivist volunteers claims it stole 27,000 files from the Russian central bank. The IT Army of Ukraine said Thursday that all 2.6 gigabytes of the files are available on Anonfile, with news of the hack touted by the Telegram account of Mykhailo Fedorov, Ukraine’s minister of digital transformation. “We have a lot of interesting information about personnel, specialized automated banking systems, their output files, the principles of their interaction, KPI systems and other materials that circulate in the networks of the Central Bank of the Russian Federation,” the Fedorov Telegram channel states. The data accessed by the Ukrainian hacking group included details of financial transactions of the Russian Ministry of Defense, and data of military personnel such as phone and card numbers. Russian state-owned news agency Tass printed a denial including an assertion from the Bank of Russia that no hack occurred and that the documents in question were already available online.”

Title: 10 More Anesthesia Practices Added to Healthcare Management Breach Tally

Date Published: November 9, 2022

https://www.scmagazine.com/analysis/breach/10-more-anesthesia-practices-added-to-healthcare-management-breach-tally

Excerpt: “The Department of Health and Human Services breach reporting tool shows at least 10 more anesthesia practices have been added to the “data security incident” at a healthcare management company, first reported in October. As previously reported, 13 other anesthesiology care sites primarily in the New York region reported similar security incidents first detected in July that resulted in data compromise for a total of 380,104 patients. With the addition of 55,029 patients tied to multiple Resource Anesthesiology Associates care sites, Somnia Anesthesia Services, Saddlebrook Anesthesia Services, Primary Anesthesia Services, and Mid-Westchester Anesthesia Services, more than 435,000 patients from over 20 anesthesia practices have been affected. It was initially unclear just what management company was behind the incident. The notice from Somnia Anesthesia Services confirms the incident occurred on its network and sheds further light into what appears to be a systems hack. Discovered in July, Somnia launched its incident response protocols and disconnected all systems. An investigation was launched with support from an outside cybersecurity firm, which found “some information stored on Somnia’s systems may have been compromised.” The compromised data impacted both patients and employees and varies by individual, including names, Social Security numbers, dates of birth, driver’s licenses, financial account information, health insurance policy numbers, Medical Record numbers, Medicaid or Medicare IDs, and health information like treatments and diagnosis.”

Title: iPhone iOS 16.1.1 Fixes Two Security Vulnerabilities – Time to Update

Date Published: November 10, 2022

https://www.zdnet.com/article/iphone-ios-16-1-1-fixes-two-security-vulnerabilities-time-to-update/

Excerpt: “Two security flaws could allow attackers to remotely crash apps or run commands on iPhones and iPads. Apple has released an update that protects users against two security vulnerabilities that could affect iPhones and iPads. The iOS 16.1.1 and iPadOS 16.1.1 software update comes two weeks after the release of iOS 16.1 for all iPhone and iPad users. The security update protects users against two vulnerabilities CVE-2022-40303 and CVE-2022-40304. Both vulnerabilities have been found in libxml2, a software library for parsing XML documents and both were disclosed by Google’s Project Zero, Google’s team of cybersecurity researchers. Both CVE-2022-40303 and CVE-2022-40304 could allow a remote user to cause unexpected app termination or arbitrary code execution – potentially enabling attackers to run commands on the device. The vulnerabilities are classified under CVE ratings as having moderate impact, which means flaws that might be more difficult to exploit but that could still lead to compromise.”

Title: New Hacking Group Uses Custom ‘Symatic’ Cobalt Strike Loaders

Date Published: November 9, 2022

https://www.bleepingcomputer.com/news/security/new-hacking-group-uses-custom-symatic-cobalt-strike-loaders/

Excerpt: “A previously unknown Chinese APT (advanced persistent threat) hacking group dubbed ‘Earth Longzhi’ targets organizations in East Asia, Southeast Asia, and Ukraine. The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims’ systems. According to a new Trend Micro report, Earth Longzhi has similar TTP (techniques, tactics, and procedures) as ‘Earth Baku,’ both considered subgroups of the state-backed hacking group tracked as APT41. Trend Micro’s report illustrates two campaigns conducted by Earth Longzhi, with the first occurring between May 2020 and February 2021. During that time, the hackers attacked several infrastructure companies in Taiwan, a bank in China, and a government organization in Taiwan. In this campaign, the hackers used the custom Cobalt Strike loader ‘Symatic,’ which features a sophisticated anti-detection system including the following functions:

  • Remove API hooks from ‘ntdll.dll,’ get raw file content, and replace the in-memory ntdll image with a copy not monitored by security tools.
  • Spawn a new process for process injection and masquerade the parent process to obfuscate the chain.
  • Inject a decrypted payload into the newly created process.

For its primary operations, Earth Longzhi used an all-in-one hacking tool that combined various publicly available tools under a single package.”

Title: APT29 Abused the Windows Credential Roaming in an Attack Against a Diplomatic Entity

Date Published: November 10, 2022

https://securityaffairs.co/wordpress/138322/apt/apt29-windows-credential-roaming.html

Excerpt: “Russia-linked APT29 cyberespionage group exploited a Windows feature called Credential Roaming to target a European diplomatic entity. Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group, Cozy Bear, Nobelium, and The Dukes) successfully phished a European diplomatic entity. The attack stands out for the use of the Windows Credential Roaming feature. Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain. APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.”

Title: High-Risk Vulnerability Found in ABB’s Flow Computers

Date Published: November 9, 2022

https://www.infosecurity-magazine.com/news/high-risk-vulnerability-found-in/

Excerpt: “A path-traversal vulnerability has been discovered in ABB Totalflow flow computers and controllers that could lead to code injection and arbitrary code execution (ACE). The high-risk vulnerability (tracked CVE-2022-0902) has a CVSS v3 of 8.1 and affected several ABB G5 products. It has been discovered by security experts at Team82, Claroty’s research arm. “Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code,” the company wrote in an advisory published on Tuesday. In particular, attackers could try to exploit the vulnerability by creating a specially crafted message and sending it to an affected system node. The procedure would require the attacker to have access to the system network, either directly or through a wrongly configured or breached firewall. They could also install malicious software on a system node or infect the network itself with malicious software. Team82 has said it disclosed the vulnerability to ABB, which promptly released a firmware update that resolves the vulnerability in several product versions. “The update removes the vulnerability by modifying the way that the Totalflow protocol validates messages and verifies input data,” ABB explained. The advisory also recommends network segmentation as a mitigation strategy.”
