November 2, 2022

Fortify Security Team
Nov 2, 2022

Title: Dropbox discloses unauthorized access to 130 GitHub source code repositories
Date Published: November 2, 2022

Excerpt: “Dropbox disclosed a security breach, threat actors gained unauthorized access to 130 of its source code repositories on GitHub. File hosting service Dropbox announced that threat actors gained unauthorized access to 130 of its source code repositories on GitHub. According to the advisory published by Dropbox, the company was the target of a phishing campaign that resulted in access to the GitHub repositories. The investigation revealed that the code accessed by the attackers contained some credentials, primarily, API keys, used by the development team. The company pointed out that no one’s content, passwords, or payment information were accessed, it also remarked that the issue was quickly resolved. Dropbox uses CircleCI for select internal deployments, and in early October, a phishing campaign targeted multiple Dropboxers using messages impersonating CircleCI. “While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.” reads the advisory published by the company. “This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.” The repositories included internal copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team of the file hosting service.”

Title: Mobile Phishing Attacks on Government Staff Soar
Date Published: November 2, 2022

Excerpt: “Mobile-based credential theft attacks against federal government employees increased by 47% from 2020 to 2021, exposing agencies to a serious risk of breaches, according to Lookout. The security vendor compiled its 2022 Government Threat Report from analysis of more than 200 million devices and more than 175 million apps. It found that around half (46%) of state, local and federal US government employees were the target of mobile-based credential phishing attempts in 2021, up from 30% a year earlier. The report also claimed that one in eight government employees were exposed to phishing threats last year, via “social engineering within any app including social media platforms, messaging apps, games, or even dating apps.” Lookout didn’t mention SMS or email explicitly as phishing vectors, although these are perhaps the most popular. Either way, phishing exposure means threat actors could steal credentials to hijack accounts en route to sensitive government data and systems, or install malware to eavesdrop on conversations and steal logins that way. Part of the threat comes from the large number of unmanaged devices in use across federal, state and local governments. The report revealed a 55% increase in the use of such devices from 2020 to 2021 as BYOD and remote working became the norm across many organizations.”

Title: OpenSSL dodges a security bullet
Date Published: November 1, 2022

Excerpt: “The critical security vulnerability turned out to be two serious vulnerabilities. Still, they need patching ASAP. At first, it looked like the OpenSSL 3.x security bug was going to be truly awful. While it was feared to be a critical error that could lead to remote code execution (RCE), upon a closer examination it turned out to be not so horrid after all. That’s not to say it isn’t bad. Both CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) have a CVE rating of 8.8, which is considered “high.” That means they could still cause you real trouble. If that is, you’re using OpenSSL 3.0.0 to 3.0.6. OpenSSL 1.1.1 and 1.0.2 users don’t have to worry. However, just because your main operating system uses OpenSSL 1.x, don’t think you can ignore these issues. Your applications or containers may use a vulnerable version. In short, before kicking your shoes off and taking a nap, check your code.”

Title: Bed Bath & Beyond Discloses Data Breach to SEC
Date Published: November 1, 2022

Excerpt: “The retailer reported that an employee fell for a phishing scam, allowing malicious actors to access shared drives. Bed Bath & Beyond is registering additional shares of stock, and tucked several paragraphs down in its Security and Exchange Commission (SEC) filing is an “additional disclosure” — confirming that the company was breached in October. The company said that one of its employees was tricked by a phishing scam and handed over access to their own hard drive as well as company shared drives. Besides the fact that the breach happened, the retailer offered few additional details, including how many people might be affected and what information was exposed.”

Title: Patients sue WakeMed, Aurora Advocate over data collection by Meta’s Pixel tool
Date Published: November 1, 2022

Excerpt: “WakeMed Health and Hospitals, and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping by the use of Pixel on its hospital and patient-facing websites. The two separate lawsuits were filed on Oct. 31. As SC Media reported, WakeMed informed 495,000 patients and Advocate Aurora notified 3 million individuals that their data was inadvertently shared with Meta and other third-party vendors due to the use of Pixel on their respective websites. Novant ACE sent a similar notice to 1.3 million patients in June, following two reports alleging the Meta Pixel tool was scraping hospital data. Meta is already facing similar lawsuits filed by patients in the wake of these reports. The company has denied it receives protected health information from its pixel tool. The breach notices explained the tool was installed on these sites to understand how patients and others interact with the websites, for measuring and evaluating trends, as well as the preferences of patients using their sites. The data involved interactions with the websites, especially for users concurrently logged into Google or Facebook accounts.”

Title: Group indicted for breaching CPA, tax preparation firms via stolen credentials
Date Published: November 2, 2022

Excerpt: “United States Attorney Roger B. Handberg announces the partial unsealing of an indictment charging eight individuals with Racketeer Influenced and Corrupt Organizations (RICO) conspiracy. Four have also been charged with wire fraud conspiracy and aggravated identity theft. If convicted, each faces a maximum penalty of 20 years in federal prison for the RICO conspiracy count. They also face a maximum penalty of 20 years in federal prison for the wire fraud conspiracy count and a consecutive 2 years’ imprisonment for the aggravated identity theft count. According to the indictment and information shared in court, from 2015 through 2019, the defendants and numerous other conspirators – including a now-deceased conspirator who is referenced in the indictment as RICH4EVER4430 – banded together to engage in a sophisticated cybercrime and tax fraud scheme. The defendants purchased on the dark web server credentials for the computer servers of Certified Public Accounting (CPA) and tax preparation firms across the country. They used those server credentials to remotely and covertly commit computer intrusions and exfiltrate the tax returns of thousands of taxpayers who were clients of those CPA and tax preparation firms. Those tax returns included the clients’ names, dates of birth, Social Security numbers, and financial information.”

Title: Malicious Android apps with 1M+ installs found on Google Play
Date Published: November 1, 2022

Excerpt: “A set of four malicious applications currently available in Google Play, the official store for the Android system, are directing users to sites that steal sensitive information or generate ‘pay-per-click’ revenue for the operators. Some of these sites offer victims to download fake security tools or updates, to trick users into installing the malicious files manually. At the time of publishing, the apps are still present on Google Play under a developer account called Mobile apps Group, and have a total install count of more than one million. According to a report from Malwarebytes, the same developer was exposed twice in the past for distributing adware on Google Play but it was allowed to continue publishing apps after submitting cleaned versions.

The four malicious apps uncovered this time are:

  • Bluetooth Auto Connect, with over 1,000,000 installs
  • Bluetooth App Sender, with over 50,000 installs
  • Driver: Bluetooth, Wi-Fi, USB, with over 10,000 installs
  • Mobile transfer: smart switch, with over 1,000 installs

The apps don’t have favorable reviews on Google Play and many users left comments about intrusive ads that open automatically in new browser tabs.”

Title: White House Ransomware Confab Ends With Data Sharing Pledge
Date Published: November 1, 2022

Excerpt: “The United States, European Union and three dozen countries vowed a crackdown on ransomware after meeting for two days in the White House. The meeting marked a one year anniversary of the Biden administration-led International Counter Ransomware Initiative, an effort that U.S. officials insist has made progress over the past 12 months even as ransomware continues to wreak havoc, whether by affecting patient care at a one of the America’s largest hospital networks or extortion demands made against Australia’s largest private health insurer. The Department of Treasury tallied on Tuesday actual or attempted ransomware payouts by U.S. financial institutions during 2021 as totatling nearly $1.2 billion. “We’ve seen takedowns,” a senior administration official said in a press call Sunday night, pointing to the arrest and recent sentencing of a Canadian affiliate of a ransomware-as-a-service gang. Still, “we’re seeing the pace and the sophistication of the ransomware attacks increasing faster than our resilience and disruption efforts,” the official acknowledged.In a Tuesday joint declaration, members of the initiative said they will ensure ransomware hackers are not provided with a safe haven. They pledged to target hackers’ ability to profit from extortion by enforcing “know your customer” requirements for cryptocurrency trading platforms.”

Title: Twitter Verified Status Users Flooded with Scams
Date Published: November 2, 2022

Excerpt: “Twitter users with “verified” status have been bombarded by phishing attempts via email and on the platform itself, after Elon Musk’s arrival as owner, according to reports. The self-proclaimed “chief twit,” who sacked the board of the social networking firm to become sole director, wants to charge “blue tick” verified users $8 each per month to retain their status and be enrolled in the site’s premium service, Blue. It’s widely seen as a potential way to make money from the perpetually under-performing platform, while reducing the number of bots and inauthentic accounts. However, the publicity surrounding the move has already attracted cyber-criminals. Some verified users posted screenshots of a phishing email they received from a [email protected] domain, asking them to click through to confirm their identity, or risk losing their status. Doing so would take them to a phishing page where they’re asked to submit various account details, which could be subsequently used to hijack those accounts. Separately, some users posted screenshots of messages they’ve received on the site itself. One masquerades as a ‘removal notice,’ urging them to visit what is presumably a phishing URL in order to prevent permanent removal of their blue badge.”

Title: New SandStrike spyware infects Android devices via malicious VPN app
Date Published: November 1, 2022

Excerpt: “Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users. They focus on Persian-speaking practitioners of the Bahá’í Faith, a religion developed in Iran and parts of the Middle East. The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions. To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN. “To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief,” Kaspersky said. “Most of these social media accounts contain a link to a Telegram channel also created by the attacker.” While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours their devices for sensitive data and exfiltrates it to its operators’ servers. This malware will steal various types of information like call logs and contact lists and will also monitor compromised Android devices to help its creators keep track of the victims’ activity.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 Excerpt: “The Keralty multinational healthcare...