November 17, 2022

Fortify Security Team
Nov 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network
Date Published: November 17, 2022

https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html

Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive Branch organization using a Log4Shell exploit and installed a cryptomining malware. According to a joint advisory published by the FBI and CISA, an Iran-linked APT group compromised a Federal Civilian Executive Branch (FCEB) organization using an exploit for the Log4Shell flaw (CVE-2021-44228) and deployed a cryptomining malware. Log4Shell impacts the products of several major companies that use Log4j, but in many attacks, the vulnerability has been exploited against affected VMware software. In this specific case, the Iranian hackers hacked an unpatched VMware Horizon server to gain remote code execution. “CISA obtained four malicious files for analysis during an on-site incident response engagement at a Federal Civilian Executive Branch (FCEB) organization compromised by Iranian government sponsored advanced persistent threat (APT) actors.” reads the Malware Analysis Report (AR22-320A) published by CISA. These files have been identified as variants of the XMRIG cryptocurrency mining software. The files include a kernel driver, two Windows executables, and a configuration file to control one of the executable’s behavior on the network and infected host.” CISA conducted an incident response engagement in the impacted Federal Civilian Executive Branch (FCEB) organization between mid-June and mid-July 2022.”

Title: Not Patched log4j Yet? Assume Attackers Are in Your Network, Say CISA and FBI
Date Published: November 17, 2022

https://www.zdnet.com/article/cybersecurity-warning-if-youve-not-patched-log4j-yet-assume-attackers-are-in-your-network/

Excerpt: “Almost a year on from Log4j’s disclosure, a joint alert by CISA and the FBI warns organizations that if they haven’t protected their systems against it yet, they really need to now. A joint security alert by CISA and the FBI has warned organizations that haven’t applied much-needed Log4j security patches and mitigations to VMware Horizon server instances to assume their network has been compromised and act accordingly. It comes following an investigation into a cyberattack, against what they describe as a ‘federal civilian executive branch’ organization, found that hackers breached the network by exploiting an unpatched Log4j vulnerability in a VMware Horizon server. The warning comes almost a full year after the Log4j vulnerability was first disclosed and organizations were urged to apply patches or mitigations against a cybersecurity flaw that CISA chief Jen Easterly described as “one of the most serious that I’ve seen in my entire career, if not the most serious”. The vulnerability (CVE-2021-44228) is in the widely used Java logging library Apache Log4j and, if successfully exploited, the flaw allows attackers to remotely execute code and gain access to machines.”

Title: Misconfigured Server Exposed PHI of 600,000 Inmates
Date Published: November 16, 2022

https://www.databreachtoday.com/misconfigured-server-exposed-phi-600000-inmates-a-20482

Excerpt: “A server misconfiguration at a firm that provides medical claims processing for correctional facilities exposed sensitive information of nearly 600,000 inmates who received medical care during the last decade while incarcerated. Kentucky-based CorrectCare Integrated Health Inc. on Oct. 31 reported to the U.S. Department of Health and Human Services at least three “unauthorized access/disclosure” breaches affecting a total of nearly 500,000 individuals involving its server misconfiguration incident. The HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website also shows several breaches reported in recent weeks by CorrectCare’s clients, collectively affecting about another 100,000 individuals. Those clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a firm that provides medical and mental health services to inmates at correctional facilities. In a sample breach notification letter that CorrectCare submitted to the California attorney general’s office on Oct. 31, the company describes itself as a third-party health administrator under contract with Health Net Federal Services and a business associate of the California Department of Corrections and Rehabilitation.”

Title: Chinese Spy Gets 20 Years for Aviation Espionage Plot
Date Published: November 17, 2022

https://www.infosecurity-magazine.com/news/chinese-spy-20-years-aviation/

Excerpt: “A prolific Chinese spy who tried to steal secrets from US aviation companies has been jailed for 20 years, in a first for the Department of Justice (DoJ). Yanjun Xu, 42, rose to become deputy division director at the Ministry of State Security (MSS) intelligence agency. However, he was arrested in Belgium in 2018 after being lured there by an FBI agent posing as a GE Aviation employee that Xu was cultivating to provide Beijing with information. Xu was the first ever Chinese intelligence officer to be extradited to the US, according to the DoJ. The MSS spy reportedly played a key role in a sophisticated, multi-year plot to steal trade secrets from western aerospace firms that helped the country build its C919 commercial airliner, among other things. Xu used aliases, front companies and universities to trick aviation employees and solicit information, sometimes recruiting them to travel to China under the guise of giving a presentation at a university, which they were paid for. He also worked with colleagues to hack the computers of GE Aviation employees in their hotel rooms while other MSS officials took the staffers out to dinner, according to the DoJ. In addition, Xu recruited insiders at a French aircraft engine manufacturer’s plant in China who were willing to spy for Beijing, and planted malware on the laptop of a French executive who frequently traveled to the facility.”

Title: Ukraine’s ‘IT Army’ Stops 1,300 Cyberattacks in 8 Months of War
Date Published: November 15, 2022

https://www.darkreading.com/endpoint/ukraine-it-army-stops-1300-cyberattacks-war

Excerpt: “President Zelensky offers hard-won Ukrainian cybersecurity expertise to other countries that want to protect citizen populations. Ukrainian President Volodymyr Zelensky spoke to the G20 Summit’s “Digital Transformation” panel this week, offering the benefits of his embattled country’s cyber-defense experience to G20-allied countries. Zelensky noted that Ukraine’s “IT army,” made up of talent pooled from companies across the country, has successfully stopped more than 1,300 Russian cyberattacks over the past eight months of the Russian invasion. That experience, he said, offers lessons for protecting civilian populations from the kinds of brutal cyberattacks that have been leveled against his country as part of Russia’s invasion. For instance, after Russia destroyed a major data center in the country, Ukraine switched to the cloud, allowing it to build public registers and make payments to citizens affected by the war, he said. The country’s Diia state site is operating and able to provide 100 contactless public services, including providing digital passports, accepting tax payments, and more, Zelensky said during his speech to the G20.”

Title: U.S. Charges Russian Suspects With Operating Z-Library E-book Site
Date Published: November 17, 2022

https://www.bleepingcomputer.com/news/security/us-charges-russian-suspects-with-operating-z-library-e-book-site/

Excerpt: “Anton Napolsky (33) and Valeriia Ermakova (27), two Russian nationals, were charged with intellectual property crimes linked to Z-Library, a pirate online eBook repository. The defendants were arrested on November 3, 2022, in Argentina by the country’s authorities at the request of U.S. law enforcement. A day later, Z-Library’s clearnet domains (z-lib.orgb-ok.org, and 3lib.net) were seized by the Department of Justice and the FBI, although the fate of the operators was unknown to the public at that time. Z-Library was one of the world’s largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database. Of the two defendants, Napolsky is burdened by evidence, based on records obtained from Google and Amazon, that he was in control of Z-Library. “The defendants are alleged to have operated a website for over a decade whose central purpose was providing stolen intellectual property, in violation of copyright laws,” said FBI Assistant Director-in-Charge Driscoll. Z-Library started as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features. This means that the platform had financial income from its operation, generated at the expense of work authors and publishers.”

Title: Tank, the Leader of the Zeus Cybercrime Gang, Was Arrested by the Swiss Police
Date Published: November 17, 2022

https://securityaffairs.co/wordpress/138648/cyber-crime/zeus-gang-leader-arrested.html

Excerpt: “A suspected leader of the Zeus cybercrime gang, Vyacheslav Igorevich Penchukov (aka Tank), was arrested by Swiss police. Swiss police last month arrested in Geneva Vyacheslav Igorevich Penchukov (40), also known as Tank, who is one of the leaders of the JabberZeus cybercrime group. “Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.” reported the popular investigator Brian Kress. “Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.” The man will be extradited to the United States on November 15, according to a statement from the Federal Office of Justice (FOJ) in Switzerland. Penchukov is on the FBI’s “Most Wanted” list and has been sought for 10 years.”

Title: Persistent Cybersecurity Threats Impede HHS Strategic Plans, Watchdog Warns
Date Published: November 16, 2022

https://www.scmagazine.com/analysis/zero-trust/persistent-cybersecurity-threats-impede-hhs-strategic-plans-watchdog-warns

Excerpt: “As the Department of Health and Human Services moves toward greater interoperability across the healthcare sector, the agency must make greater efforts to modernize its approach to cybersecurity, according to a new report from the Office of the Inspector General. The report, “Top Management and Performance Challenges Facing HHS,” details the complex challenges facing the healthcare regulator, with a section dedicated to cybersecurity concerns. OIG found that HHS has taken strides to improve its posture, particularly after the Biden administration’s May 2021 executive order directing federal agencies to “fundamentally and systemically change their approach to cybersecurity.” HHS is currently in the process of finalizing its strategic plan, but the path forward has been wrought with challenges faced across the government and healthcare sectors: persistent cybersecurity threats. And the report notes that it will “require significant investments in resources as well as cultural and organizational change.” HHS has long struggled to meet the challenges facing its information security program, with yearly reports from both OIG and the Government Accountability Office consistently deeming the program “not effective,” under the Federal Information Security Modernization Act (FISMA) metrics.”

Title: Microsoft Urges Devs to Migrate Away From .Net Core 3.1 ASAP
Date Published: November 17, 2022

https://www.bleepingcomputer.com/news/security/microsoft-urges-devs-to-migrate-away-from-net-core-31-asap/

Excerpt: “Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET Core versions until it reaches the end of support (EOS) next month. The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 “as soon as possible” before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022. As Dominique Whittaker, the Senior Program Manager responsible for .NET Core and .NET Native releases, warned this July, Microsoft will stop providing technical support or servicing updates after EOS.”We recommend moving to .NET 6 as soon as possible. If you are still using .NET Core 3.1 after the end of support date, you’ll need to update your app to .NET 6 or .NET 7 to remain supported and continue to receive .NET updates,” Whittaker said. While .NET Core 3.1 apps will still run after the EOS is reached in less than a month, they will be exposed to attacks targeting any of the security vulnerabilities patched in .NET Core 6 since its initial release in November 2021. Whittaker also shared detailed steps on how software vendors and developers can upgrade to .NET 6 (LTS) and how to update their development environment. “If you’re migrating an app to .NET 6, some breaking changes might affect you. We recommend you to go through the compatibility check,” the Microsoft PM added.”

Title: Thousands of Amazon RDS Snapshots Are Leaking Corporate PII
Date Published: November 16, 2022

https://www.darkreading.com/cloud/thousands-amazon-rds-snapshots-leaking-corporate-pii

Excerpt: “A service that allows organizations to back up data in the cloud can accidentally leak sensitive data to the public Internet, paving the way for abuse by threat actors. Legions of databases are being inadvertently exposed monthly, through a feature of an Amazon cloud-based data-backup service. The situation gives threat actors access to personally identifiable information (PII) that they can use in extortion, ransomware, or other threat activity, researchers have found.Amazon RDS is a popular platform-as-a-service that provides a database based on several optional engines, including MySQL and PostgreSQL. An RDS snapshot, or a storage volume snapshot of a database instance, is an intuitive feature that helps organizations back up their databases, allowing users to share public data or a template database to an application, researchers said. The Mitiga Research Team recently discovered the leaks in the form of numerous Amazon Relationship Database Service (RDS) snapshots that are being shared publicly — whether intentionally or by mistake.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 16, 2022

Title: North Korean Hackers Target European Orgs With Updated Malware Date Published: November 15, 2022 https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/ Excerpt: “North Korean hackers are using a new...