November 16, 2022

Fortify Security Team

Title: North Korean Hackers Target European Orgs With Updated Malware
Date Published: November 15, 2022

https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/

Excerpt: “North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn’t feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely. As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.”

Title: New RapperBot Campaign targets game servers with DDoS attacks
Date Published: November 16, 2022

https://securityaffairs.co/wordpress/138615/malware/rapperbot-botnet-targets-game-servers.html

Excerpt: “Fortinet researchers discovered new samples of RapperBot used to build a botnet to launch Distributed DDoS attacks against game servers. Fortinet FortiGuard Labs researchers have discovered new samples of the RapperBot malware that are being used to build a DDoS botnet to target game servers. Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August, and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai. Experts also noticed that the most recent samples include the code to maintain persistence, which is rarely implemented in other Mirai variants. Earlier samples of the malware had the brute-forcing credential list hardcoded into the binary, but from July the samples started retrieving the list from the C2 server.”

Title: FBI warning: PC and tech support scams are back. Here’s what to watch out for
Date Published: November 16, 2022

https://www.zdnet.com/article/fbi-warning-pc-and-tech-support-scams-are-back-heres-what-to-watch-out-for/

Excerpt: “Scammers try to convince victims they’re about to lose hundreds of dollars through a service payment – then use remote access software to get into their PCs. The FBI is warning people to be alert to the threat of technical support scams, in which criminals pose as support staff from computer or software companies and try to trick unsuspecting PC users into giving up access to their bank accounts. The public service announcement by the FBI warns that there have been instances across the US recently of scammers posing as service representatives of software company tech support or computer repair services in attempts to trick victims into following instructions. They contact victims by phishing email or by phone, warning that an annual subscription service is about to be renewed within hours at a cost which is commonly in the range of $300 to $500 – and that the victim should get in contact if they want to cancel the payment. According to the FBI, the scammers offer services, “that would be found at major electronic store chains that sell electronics, computers, and other digital devices.” These false alerts can include, among other things, claims that Microsoft Office is going to expire, or a subscription to anti-virus software needs to be renewed.”

Title: State-Backed APT Group Activity Continuing Apace
Date Published: November 16, 2022

https://www.infosecurity-magazine.com/news/state-backed-apt-group-activity/

Excerpt: “High levels of advanced persistent threat (APT) group activity from Russia, China, Iran and North Korea have continued since the Russian invasion of Ukraine, according to the ESET APT Activity Report T2 2022. ESET researchers analyzed cyber activities of many of these groups, which are usually operated by a nation-state or by state-sponsored actors, during the period May to August 2022. Their activities are generally undertaken for the purposes of harvesting sensitive data from governments, high-profile individuals or strategic companies. Jean-Ian Boutin, director of ESET Threat Research, told Infosecurity that while APT groups in the four countries are continuing to be highly active, there have been no signs of coordination between these regions. “We have not seen signs of collaboration between groups that have a different country alignment. They sometimes target the same organizations, but we have no evidence that they are collaborating. We believe that in those cases, they have similar goals and thus, overlapping targets,” he commented. Unsurprisingly, Russia-aligned APT groups were particularly active in targeting Ukraine over the four-month period. One of the most “continuously active” was Gamaredon, which the report noted has been prominent in targeting Ukrainian government entities throughout 2022. This group “constantly modifies its tools to evade detection mechanisms,” said the report, and has recently started to use a third-party service, ip-api.com, for resolving IP addresses of its C&C servers instead of regular DNS.”

Title: Wipermania: Malware Remains a Potent Threat, 10 Years Since ‘Shamoon’
Date Published: November 15, 2022

https://www.darkreading.com/endpoint/wipermania-malware-potent-threat-since-shamoon

Excerpt: “An in-depth analysis of system-destroying malware families presented at Black Hat Middle East & Africa shows a growing nuance in terms of how they’re deployed. Destructive wiper malware has evolved very little since the “Shamoon” virus crippled some 30,000 client and server systems at Saudi Aramco more than 10 years ago. Yet it remains as potent a threat as ever to enterprise organizations, according to a new study. Max Kersten, a malware analyst at Trellix, recently analyzed more than 20 wiper families that threat actors deployed in various attacks since the beginning of this year — i.e., malware that makes files irrecoverable or destroys whole computer systems. He presented a summary of his findings at the Black Hat Middle East & Africa event on Tuesday during a “Wipermania” session. Kersten’s analysis included a comparison of the technical aspects of the different wipers in the study, including the parallels and differences between them. For his analysis, Kersten included wipers that threat actors used extensively against Ukrainian targets, especially just before Russia’s invasion of the country, as well as more generic wipers in the wild.”

Title: Arrest of Ukrainian in Cybercrime Case Shows Patience Pays
Date Published: November 16, 2022

https://www.databreachtoday.com/arrest-ukrainian-in-cybercrime-case-shows-patience-pays-a-20476

Excerpt: “The arrest of a Ukrainian national long wanted on cybercrime charges in the U.S. shows that with much patience, law enforcement can nab suspects. The Ukrainian national, Vyacheslav Igorevich Penchukov, was allegedly deeply entwined in one of the most successful cybercriminal gangs on record. Dubbed Jabberzeus, the operation stole upwards of $70 million, according to U.S. prosecutors. Penchukov was arrested in the last three weeks or so in Geneva, according to computer security writer Brian Krebs, who wrote an in-depth piece on his website. Penchukov, known by the nickname “Tank,” was charged in secret in 2012 for his alleged role using the Zeus malware and botnet to collect login credentials for bank accounts, draining those accounts of money then sending the money outside the U.S. using a network of money mules. Although Penchukov has long been wanted by U.S. authorities, officials have been reluctant to triumph over his apprehension for unclear reasons. FBI officials contacted on Tuesday had no comment, and Swiss officials couldn’t immediately be reached.”

Title: Researchers Release Exploit Details for Backstage Pre-auth RCE Bug
Date Published: November 15, 2022

https://www.bleepingcomputer.com/news/security/researchers-release-exploit-details-for-backstage-pre-auth-rce-bug/

Excerpt: “Older versions of the Spotify Backstage development portal builder are vulnerable to a critical (CVSS score: 9.8) unauthenticated remote code execution flaw allowing attackers to run commands on publicly exposed systems. The problem lies in a vm2 sandbox escape issue that researchers at Oxeye disclosed in a report last month, warning about the extensive deployment of the particular JavaScript sandbox library. As Backstage uses the vm2 library, it, too, was affected by the vulnerability via the supply chain. Oxeye confirmed the impact in Backstage and alerted Spotify on August 18, 2022. The vendor then addressed it via an update (v 1.5.1) released on August 29, 2022, only a day after vm2 was patched with version 3.9.11. The Oxeye team developed a working payload to attack Backstage’s Scaffolder plugin for sandbox escape and code execution, trying it out on a local deployment. The malicious code was injected in a modified function of the rendering engine of the said plugin, run in the context of the virtual machine, and triggered by an error that invokes an undefined function. The payload creates a CallSite object outside the sandbox, allowing the attacker to execute arbitrary commands on the host system.”

Title: Experts revealed details of critical SQLi and access issues in Zendesk Explore
Date Published: November 15, 2022

https://securityaffairs.co/wordpress/138579/hacking/zendesk-explore-critical-flaws.html

Excerpt: “Researchers disclosed technical details of critical SQLi and access vulnerabilities in the Zendesk Explore Service. Cybersecurity researchers at Varonis disclosed technical details of critical SQLi and access vulnerabilities impacting the Zendesk Explore service. Zendesk Explore allows organizations to view and analyze key information about their customers, and their support resources. The flaws would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts having the Explore service enabled. The experts are not aware of attacks in the wild. “To exploit the vulnerability, an attacker would first register for the ticketing service of its victim’s Zendesk account as a new external user. Registration is enabled by default because many Zendesk customers rely on end-users submitting support tickets directly via the web.” reads the advisory published by Varonis. “Zendesk Explore is not enabled by default but is heavily advertised as a requirement for the analytic insights page.” Varonis reported the flaws to Zendesk which started working on a fix the same day they were reported. The company addressed multiple vulnerabilities in less than one workweek.”

Title: Critical Vulnerability in Spotify’s Backstage Discovered, Patched
Date Published: November 15, 2022

https://www.helpnetsecurity.com/2022/11/15/spotify-backstage-vulnerability/

Excerpt: “A critical unauthenticated remote code execution vulnerability in Spotify’s Backstage project has been found and fixed, and developers are advised to take immediate action in their environments. Having more than 19,000 stars on Github, Backstage is one of the most popular open-source platforms for building developer portals and is in widespread use by Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, Palo Alto Networks and many others. It unifies all infrastructure tooling, services, and documentation to create a streamlined development environment. Backstage was accepted to the Cloud Native Computing Foundation (CNCF) on September 8, 2020 and is at the Incubating project maturity level. “By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.” Oxeye researchers reported the vulnerability through Spotify’s bug bounty program, and Spotify rapidly patched the vulnerability and released Backstage version 1.5.1, which fixes the issue.”

Title: Misconfigurations, Vulnerabilities Found in 95% of Applications
Date Published: November 15, 2022

https://www.darkreading.com/application-security/misconfigurations-vulnerabilities-found-in-95-of-applications

Excerpt: “Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests. Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows. Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys’ new Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe. Configuration issues are often put in a less severe bucket, but both configuration and coding issues are equally risky, says Ray Kelly, a fellow with the Software Integrity Group at Synopsys.”
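The three findings named in that excerpt (weak SSL/TLS configuration, a missing Content Security Policy header, and version-leaking server banners) are all checkable from a captured response and a listener's TLS settings. The script below is an added example, not code from the Dark Reading article or from Synopsys; the two HTTP responses and the TLS settings it inspects are constructed for the example, and the list of expected headers and the weak-cipher name fragments are this editor's assumptions rather than the report's scoring criteria.

```python
"""Audit a raw HTTP response and a TLS listener configuration for the
misconfigurations the Synopsys findings call out: missing security headers
(CSP and friends), version-leaking server banners, and weak SSL/TLS settings.
Added example; inputs are constructed, not captured from a real system."""
import re

# Headers a hardened response is expected to carry (assumed baseline, not the report's list).
EXPECTED_HEADERS = {
    "content-security-policy": "no CSP: injected scripts run unrestricted",
    "strict-transport-security": "no HSTS: first request can be downgraded to plain HTTP",
    "x-content-type-options": "no nosniff: MIME sniffing can turn uploads into scripts",
    "x-frame-options": "no framing restriction: clickjacking possible",
}

# Protocol versions and cipher-suite name fragments treated as weak (assumption).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PATTERNS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number in a banner is a leaked version

# Constructed sample responses: one typical default install, one hardened.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=utf-8
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""

# Constructed TLS listener settings, as a server-side config would enumerate them.
WEAK_TLS_PROTOCOLS = ["TLSv1", "TLSv1.2"]
WEAK_TLS_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]


def parse_headers(raw: str) -> dict:
    """Parse a status line plus header lines into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return one finding string per missing security header or leaking banner."""
    headers = parse_headers(raw)
    csp = headers.get("content-security-policy", "")
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors already restricts framing
        if name not in headers:
            findings.append(f"missing {name}: {why}")
    for banner in ("server", "x-powered-by"):
        value = headers.get(banner)
        if value and VERSION_RE.search(value):
            findings.append(f"{banner} banner leaks a version: {value!r}")
    return findings


def audit_tls(protocols, ciphers) -> list:
    """Return one finding per weak protocol version or weak cipher suite enabled."""
    findings = [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    for suite in ciphers:
        if any(pattern in suite for pattern in WEAK_CIPHER_PATTERNS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


if __name__ == "__main__":
    for label, raw in (("default install", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_headers(raw) or ["no header findings"]:
            print("  ", finding)
    print("[tls]")
    for finding in audit_tls(WEAK_TLS_PROTOCOLS, WEAK_TLS_CIPHERS):
        print("  ", finding)
```

Run against a real deployment, the raw header block would come from the response of the application's own endpoints and the protocol and cipher lists from the TLS terminator's configuration or a scanner's output; the point of the check is that every finding it emits is a configuration change, not a code change, which is exactly the class of issue the report says gets under-prioritised.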
