November 15, 2022

Fortify Security Team

Title: China-Based Campaign Uses 42,000 Phishing Domains
Date Published: November 15, 2022

https://www.infosecurity-magazine.com/news/chinabased-campaign-42000-phishing/

Excerpt: “Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr. The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it’s claimed they can win a prize. In some cases a malware download will be triggered during this process. “Victims are then redirected to a main survey domain. When they click the link, they are sent through a series of advertising sites to one of a set of constantly changing destinations,” Cyjax explained in a blog post. “A click on the ‘Complete registration’ button with an Android user-agent will sometimes result in a download of the Triada malware. As victims are invested in the scam, keen to get their ‘reward,’ and the site tells them to download the app, this has likely resulted in a significant number of infections.” This appears to be a complex and constantly evolving money-making exercise. Its operators have used other lures in the past, including COVID-19 themes, according to Cyjax. The 42,000 domains registered by the group date back to 2019 and “continue to scale.” Infrastructure is protected behind Cloudflare and domain names are changed “regularly and quickly.” On a single day in October, the group used over 300 new unique domains.”

Title: Chinese Hackers Target Government Agencies And Defense Orgs
Date Published: November 15, 2022

https://www.bleepingcomputer.com/news/security/chinese-hackers-target-government-agencies-and-defense-orgs/

Excerpt: “A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting certificate authority, government agencies, and defense organizations in several countries in Asia. The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China. Its operations have been documented by multiple cybersecurity companies over the past six years [1, 2, 3]. Security researchers at Symantec say in a report today that Billbug, who they’ve been tracking since 2018, also targeted a certificate authority company, which would have allowed them to deploy signed malware to make it more difficult to detect or to decrypt HTTPS traffic. Symantec hasn’t determined how Billbug gains initial access to the target networks but they have seen evidence of this happening by exploiting public-facing apps with known vulnerabilities. Like in previous campaigns attributed to Billbug, the actor combines tools that are already present on the target system, publicly available utilities, and custom malware. Among them are:

  • AdFind
  • Winmail
  • WinRAR
  • Ping
  • Tracert
  • Route
  • NBTscan
  • Certutil
  • Port Scanner

These tools help hackers blend with innocuous daily activity, avoid suspicious log traces or raising alarms on security tools, and generally make attribution efforts harder.”

Title: Android Malware: A Million People Downloaded These Malicious Apps Before They Were Finally Removed From Google Play
Date Published: November 15, 2022

https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over-a-million-downloads-from-google-play/

Excerpt: “Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play – but if you’ve not uninstalled the apps, you’re still infected. Google has removed a series of apps downloaded by over a million Android users from the Google Play Store that infected smartphones with malware and bombarded devices with malicious pop-up ads. The malware has been detailed by cybersecurity researchers at Malwarebytes. The apps were still available to download for a number of days after the research was published, but they’ve now been removed. “The apps identified in the report are no longer available on Google Play and the developer has been banned,” a Google spokesperson said in response to ZDNET. However, while the apps are no longer available for download, users who’ve already installed the apps will still be infected with malware unless they’ve manually uninstalled them. The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called ‘Bluetooth Auto Connect’, ‘Bluetooth App Sender’, ‘Mobile transfer: smart switch’, and ‘Driver: Bluetooth, Wi-Fi, USB’. The Bluetooth Auto Connect app alone boasted more than one million downloads and was initially uploaded to Google Play two years ago.”

Title: Researchers Sound Alarm on Dangerous BatLoader Malware Dropper
Date Published: November 14, 2022

https://www.darkreading.com/attacks-breaches/researchers-alarm-batloader-malware-dropper

Excerpt: “BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims. A dangerous new malware loader with features for determining whether it’s on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months. Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor’s tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods. BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black’s managed detection and response (MDR) team said in a report released on Nov. 14. VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.”

Title: ‘Unauthorized Transactions’ Lead to Missing Funds at FTX
Date Published: November 14, 2022

https://www.databreachtoday.com/unauthorized-transactions-lead-to-missing-funds-at-ftx-a-20463

Excerpt: “Bankrupt cryptocurrency exchange platform FTX says unsanctioned actors made off with customers’ digital assets, initiating a scramble to cut off digital wallets from the internet. A Saturday statement attributed by FTX U.S. General Counsel Ryne Miller to newly installed CEO John J. Ray III acknowledged “unauthorized access to certain assets” while pledging to “secure all assets, wherever located.” A message posted Saturday on the FTX Telegram page warned users of malware on the platform. Security firm PeckShield said on Monday the FTX account drainer’s wallet address currently holds about $340 million worth of crypto. On Sunday, the account had a balance of about $390 million, it said. Security firm Elliptic pegged the value of the stolen assets at $477 million. The hacker swapped more than $220 million for other tokens through decentralized exchanges, helping obfuscate the flow of funds on the blockchain and avoid seizure, the company wrote. Following its Chapter 11 filing, the FTX platform on Friday halted transactions, began moving funds on the platform to a cold wallet and initiated a fact review and mitigation exercise, Miller said. The company is coordinating with law enforcement and relevant regulators, he added.”

Title: K-12 Schools Lack Resources, Remaining Top Target For Cyberattacks
Date Published: November 14, 2022

https://www.scmagazine.com/analysis/ransomware/k-12-schools-lack-resources-remaining-top-target-for-cyberattacks

Excerpt: “The K-12 sector remains a top target for cyberattacks despite its security capabilities improving over time, according to a new report published Monday by the Center for Internet Security. The report noted that the education sector’s cyber maturity lags behind other sectors due to limited internal resources for defense against threat actors, with nearly a fifth of K-12 schools spending less than 1% of their IT budget on cybersecurity. It also found that K-12 schools lack cybersecurity strategies, with 81% not fully implementing multi-factor authentication (MFA) and 29% not using MFA at all. “Many K-12 school districts are data-rich and resource-poor, making them attractive targets for financially motivated cyber threat actors, and relatively easy targets for hacktivists, those who break into a computer system for politically- or socially-motivated purposes, determined to grow their reputations and name recognition,” the report read. The report comes two weeks after the Cybersecurity and Infrastructure Security Agency (CISA) hosted a national summit on K-12 school safety and security to address the complex threats facing the education sector.”

Title: Google To Pay A Record $391m Fine For Misleading Users About The Collection Of Location Data
Date Published: November 15, 2022

https://securityaffairs.co/wordpress/138555/reports/google-settlement-personal-location-data.html

Excerpt: “Google is going to pay $391.5 million to settle with 40 states in the U.S. for secretly collecting personal location data. Google has agreed to pay $391.5 million to settle with 40 US states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by DoJ. “Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release. Oregon Attorney General Ellen Rosenblum, who led the settlement along with Nebraska AG Doug Peterson, pointed out that for years Google has prioritized profit over their users’ privacy. The authorities started the investigation into Google collection practice following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.” According to the article, there are two settings responsible for the location data collection, the “Location History” and “Web & App Activity”. The former is “off” by default while the latter is automatically enabled when users set up a Google account, including all Android users. Location data represent the core of the digital advertising business of the IT giant. However, location data can be used to expose a person’s identity and routines, and even infer personal details.”

Title: Whoosh Confirms Data Breach After Hackers Sell 7.2m User Records
Date Published: November 14, 2022

https://www.bleepingcomputer.com/news/security/whoosh-confirms-data-breach-after-hackers-sell-72m-user-records/

Excerpt: “The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Whoosh is Russia’s leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. On Friday, a threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data. The company confirmed the cyberattack via statements on Russian media earlier this month but claimed that its IT experts had managed to thwart it successfully. In a new statement shared with RIA Novosti today, Whoosh admits that there is a data leak and informs its user base they are working with law enforcement authorities to take all measures to stop the distribution of the data. “The leak did not affect sensitive user data, such as account access, transaction information, or travel details,” stated a Whoosh spokesperson. “Our security procedures also exclude the possibility of third parties gaining access to full payment data of users’ bank cards.” On Friday, a user on the ‘Breached’ hacking forums posted a database containing details about 7.2 million Whoosh customers, including email addresses, phone numbers, and first names.”

Title: Australia Considers Ban on Ransomware Payments After Medibank Breach
Date Published: November 14, 2022

https://www.infosecurity-magazine.com/news/australia-considers-ban-ransomware/

Excerpt: “The Australian government announced over the weekend it is considering banning ransomware payments in response to the Medibank data breach. The group behind the hack has been linked by the Australian Federal Police (AFP) to Russian cyber-criminals with connections to the REvil cyber gang, allegedly dismantled by Russia’s Federal Security Service earlier this year. Now, the Australian government is suggesting making ransomware payments illegal to decrease the profitability of data breaches for criminal organizations. Australia’s home affairs minister Clare O’Neil made the announcement on ABC television on Sunday, confirming a new cyber-policing model between the AFP and the Australian Signals Directorate to deliver “new tough policing” on cybercrime. Roughly 100 officers will be part of the new partnership that would act as a joint standing operation against cyber-criminals. However, according to Jordan Schroeder, managing CISO at Barrier Networks, the idea of a task force is insufficient to ensure protection against ransomware attacks in Australia, particularly at a time of sustained cyber-attacks against companies in the country.”

Title: Unpatched Zimbra Platforms Are Probably Compromised, CISA Says
Date Published: November 14, 2022

https://www.darkreading.com/threat-intelligence/unpatched-zimbra-platforms-probably-compromised-cisa-says

Excerpt: “Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says. Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action. That’s according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform. The result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats: ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud. CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided detection details and indicators of compromise (IoCs) to help security teams”
