November 14, 2022

Fortify Security Team
Nov 14, 2022

Title: Kmsdbot, a New Evasive Bot for Cryptomining Activity and Ddos Attacks
Date Published: November 14, 2022

https://securityaffairs.co/wordpress/138514/malware/kmsdbot-golang-malware.html

Excerpt: “Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials. Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials.The malware was employed in cryptocurrency mining campaigns and to launch denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including Winx86, Arm64, and mips64, x86_64, and does not stay persistent to avoid detection. The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.”

Title: Ukraine Says Russian Hacktivists Use New Somnia Ransomware
Date Published: November 14, 2022

https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hacktivists-use-new-somnia-ransomware/

Excerpt: “Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called ‘Somnia,’ encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to ‘From Russia with Love’ (FRwL), also known as ‘Z-Team,’ whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine.However, until today, Ukraine has not confirmed any successful encryption attacks by the hacking group.”

Title: Mass Email Extortion Campaign Claims Server Hack
Date Published: November 14, 2022

https://www.infosecurity-magazine.com/news/mass-email-extortion-claims-server/

Excerpt: “Security experts have revealed a new extortion campaign threatening to leak sensitive corporate data unless a Bitcoin payment is made. Microsoft regional director and HaveIBeenPwned founder, Troy Hunt, revealed the unsolicited email in a social media post. It claimed that the fraudsters had hacked his site by exploiting some unnamed vulnerabilities and harvesting database credentials before extracting the “complete data” from all computers and servers. “We will systematically go through a series of steps to totally damage your reputation. First, your database will be leaked or sold to the highest bidder to be used for any purpose. Next, emails will be sent to all your customers, suppliers and business partners, stating that all of their information has been sold or leaked and your [web] site was at fault for leaking the information and damaging the reputation of all your customers and providers,” the message said. “Lastly, any links you have indexed in search engines will be de-indexed based on the black hat techniques we used in the past to de-index our targets, not to mention getting your business on every blacklist in the country.” The scammers then posted a Bitcoin address, demanding $2500 within 72 hours or else they will “completely destroy your reputation with your customers, your suppliers, your partners, on Google and the entire country.” It’s unclear how widespread the campaign is, but the ‘Team Montesano’ group behind it are clearly hoping to cash-in on widespread news of data breach extortion groups such as the notorious Lapsus$.”

Title: Texas Hospital Says Ransomware Breach Affected 500,000
Date Published: November 11, 2022

https://www.databreachtoday.com/texas-hospital-says-ransomware-breach-affected-500000-a-20454

Excerpt: “A ransomware attack at a Texas hospital that knocked out phone and email systems for weeks is now even worse following OakBend Medical Center’s admission that hackers downloaded data from the medical records of up to 500,000 individuals. The Texas medical system says it doesn’t believe that cybercriminals were able to remove complete medical records, but hackers did obtain personal and medical information and, in some cases, Social Security numbers and birthdates. In a Thursday breach notification statement, OakBend warned current and former patients they’re at heightened risk of receiving spam messages. The hospital reported the breach to the Department of Health and Human Services on Oct. 28 as an email hacking incident. The early September attack forced OakBend to limit communications with the outside world by yanking its email and phone systems offline for several weeks. Keith Fricke, principal consultant at privacy and security consultancy tw-Security, says the OakBend incident is a prime example of why incident response plans need to identify primary and alternate methods of communicating within an organization and with external parties during an incident.”

Title: Uyghurs Targeted With Spyware, Courtesy of PRC
Date Published: November 11, 2022

https://www.darkreading.com/threat-intelligence/china-using-spyware-to-target-uyghurs

Excerpt: “Chinese government employs spyware to detect so-called “pre-crimes” including using a VPN, religious apps, or WhatsApp, new analysis reveals. As part of its widely documented, brutal suppression of Muslim Uyghur populations, the Chinese government has been deploying spyware to hunt down what it deems to be “religious extremists” and detain them. Researchers at Lookout Threat Labs reported People’s Republic of China-backed threat groups have widely distributed spyware called BadBazaar and Moonshine across Uyghur-language sites and social media. The spyware is trying to catch what Lookout’s report ominously called “pre-crimes,” like using a VPN, Muslim religious apps, or even WhatsApp. Notably, these malicious apps attract Uyghur-speaking people across the globe, not just inside China. One campaign Lookout documented distributed a link from the Twitter handle @MalwareHunterTeam that appeared to be a legitimate English-Uyghur dictionary application, but was instead loaded with malware. The Lookout team was able to trace the malicious app back to the Chinese-backed group APT15.”

Title: Insider Threats Accounted For More Than a Third of Unauthorized Access Incidents in Q3
Date Published: November 14, 2022

https://www.scmagazine.com/news/insider-threat/insider-threats-accounted-for-more-than-a-third-of-unauthorized-access-incidents-in-q3

Excerpt: “The pandemic saw a great number of employees seeking new opportunities as the workforce shifted to remote and hybrid models. The threat of insider risk, however, also increased along with the so-called “Great Resignation” of 2021 and 2022. According to a report by security risk management firm Kroll, insider threats peaked to its highest quarterly level to date in Q3 of 2022, accounting for nearly 35% of all unauthorized access threat incidents. “While always a challenge, the risk of insider threat is particularly high during the employee termination process,” wrote the report’s authors. As noted in the Kroll report, the Organization for Economic Cooperation and Development registered an overall net gain of more than 9 million jobs in June 2022 for OECD countries compared with pre-pandemic levels. Insider threats are among the hardest to detect, said John Bambenek, principal threat hunter at Netenrich. “If employees come and go quickly, that means they can purloin data and secrets before an organization is any wiser for it,” said Bambenek. “Ultimately, new employees should have guardrails into what intellectual property they can access and existing techniques to look for trade secret theft need to be fully deployed.” But as U.S. job growth increased more than expected in October, the pace is slowing and the unemployment rate rose to 3.7%, according to Reuters.”

Title: New Extortion Scam Threatens to Damage Sites’ Reputation, Leak Data
Date Published: November 12, 2022

https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-damage-sites-reputation-leak-data/

Excerpt: “An active extortion scam is targeting website owners and admins worldwide, claiming to have hacked their servers and demanding $2,500 not to leak data. The attackers (self-dubbed Team Montesano) are sending emails with “Your website, databases and emails have been hacked” subjects. The emails appear to be non-targeted, with ransom demand recipients from all verticals, including personal bloggers, government agencies, and large corporations. The scam is so widespread that our own reporter Ax Sharma and Have I Been Breached created Troy Hunt have also received these extortion attempts. The spam messages warn that the hackers will leak stolen data, damage their reputation, and get the site blacklisted for spam if the targets don’t make a payment of $2,500.”

Title: Malicious App in the Play Store Spotted Distributing Xenomorph Banking Trojan
Date Published: November 12, 2022

https://securityaffairs.co/wordpress/138440/malware/xenomorph-banking-malware-play-store.html

Excerpt: “Experts discovered two new malicious dropper apps on the Google Play Store distributing the Xenomorph banking malware. Zscaler ThreatLabz researchers discovered a couple of malicious dropper apps on the Play Store distributing the Xenomorph banking malware. Xenomorph was first spotted by ThreatFabric researchers in February 2022, at the time the malware was employed in attacks against 56 European banks to steal sensitive information from the devices of their customers. Xenomorph shares overlaps with the Alien banking trojan, but it has functionalities radically different from the Alien’s one. Researchers speculate that the two malware could have been developed by the same actor, or at least by someone familiar with the codebase of the Alien banking Trojan. Zscaler discovered a malicious app in the Play Store named “Todo: Day manager” with over 1,000 downloads. The security firm pointed out that in the last 3 months, it has reported over 50+ malicious apps in the Play Store resulting in 500k+ downloads. The apps were used to spread malware families such as Joker, Harly, Coper, and Adfraud.”

Title: CISA Releases SSVC Guide to Help Companies Prioritize Vulnerabilities
Date Published: November 11, 2022

https://www.infosecurity-magazine.com/news/cisa-releases-ssvc-guide-to/

Excerpt: “The Cybersecurity and Infrastructure Security Agency (CISA) has published a new guide on Stakeholder-Specific Vulnerability Categorization (SSVC). This vulnerability management methodology is designed to assess vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts on safety and prevalence of the affected product in a singular system. SSVC was first created by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute (SEI) in 2019. In 2020, CISA then worked with SEI to develop its customized SSVC decision tree to examine vulnerabilities relevant to the United States government (USG), as well as state, local, tribal and territorial (SLTT) governments and critical infrastructure entities. According to the latest iteration of SSVC, its new implementation has allowed CISA to better prioritize its vulnerability response and vulnerability messaging to the public. Writing about the new guide, CISA’s executive assistant director Eric Goldstein said that organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities. “Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts. Smaller organizations struggle with understanding where to start and how to allocate limited resources,” Goldstein wrote in a blog post. “Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management,” the security expert added. Goldstein explained that organizations now can use CISA’s customized SSVC decision tree guide to prioritize a known vulnerability based on assessing five decision points: exploitation status, technical impact, automatability, mission prevalence and public well-being impact.”

Title: Ukrainian Cyber Police Bust Fake Investing Ring
Date Published: November 11, 2022

https://www.databreachtoday.com/ukrainian-cyber-police-bust-fake-investing-ring-a-20455

Excerpt: “Ukrainian cyber police arrested five members of an international cybercrime gang that used a fake cryptocurrency investment platform to fleece millions from victims.Law enforcement on Thursday raided three call centers in Kyiv and Ivano-Frankivsk housing the Ukrainian arm of the operation, which police say is a transnational effort to use a fake online investment platform to dupe victims into purportedly buying cryptocurrency and other securities such as stocks, and bonds. Authorities confiscated more than 500 computers and mobile phones. While the platform purportedly generated profit for victims, conspiracy members prevented the victims from cashing out their money. Ukrainian authorities say the operation established call centers in several European countries, employing more than 2,000 individuals.The arrests were made following a two-year investigation that was launched by Ukrainian authorities alongside law enforcement agencies in Albania, Finland, Georgia, Germany, Latvia and Spain.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...