November 21, 2022

Fortify Security Team

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account
Date Published: November 20, 2022

Excerpt: “The new ‘AXLocker’ ransomware family is not only encrypting victims’ files and demanding a ransom payment but also stealing the Discord accounts of infected users. When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks. As Discord has become the community of choice for NFT platforms and cryptocurrency groups, stealing a moderator token or other verified community member could allow threat actors to conduct scams and steal funds.”

Title: Google Provides Rules to Detect Tens of Cracked Versions of Cobalt Strike
Date Published: November 21, 2022

Excerpt: “Researchers at Google Cloud identified 34 different hacked release versions of the Cobalt Strike tool in the wild. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Google Cloud researchers announced to have discovered 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions. Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries.
The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7. The researchers cataloged the stagers, templates, and beacons, including the XOR encodings used by Cobalt Strike since version 1.44. GCTI noticed that the cracked versions of the post-exploitation tool used in the attack in the wild are not the latest versions from the vendor Fortra, but are typically at least one release version behind. For this reason, Google researchers focused on these versions.”

Title: DOJ Charges 10 with BEC Targeting Federal Health Program
Date Published: November 19, 2022

Excerpt: “The U.S. Department of Justice on Friday charged 10 individuals with using business email compromise and money laundering schemes to target public and private insurers. These schemes targeted Medicare, state Medicaid programs, private health insurers and numerous other victims, resulting in more than $11.1 million in total losses. The charges stem from BEC schemes where these alleged individuals posed as business partners to fraudulently divert money from victims’ bank accounts into accounts they or co-conspirators controlled, the DOJ says. The charged individuals allegedly recruited money mules to transfer money and used spoofed email addresses, bank account takeovers and similar fraudulent methods designed to deceive victims into believing that they were making legitimate payments. This is DOJ’s first coordinated action against individuals from multiple states in connection with multiple BEC, money laundering and wire fraud schemes. Total losses tied to business email compromise theft domestically and internationally totaled $43.3 billion from June 2016 through December 2021, according to the most recent FBI Internet Crime Complaint Center annual report. The FBI warned earlier this year that business email compromise scams are on the rise, with real and actual losses increasing by 65% in the 14-month period ending last December. In part, it attributed the increase to the novel coronavirus pandemic and its knock-on effect of shifting more work online.”

Title: Private Equity Exposed by Cyber-Hygiene Shortcomings
Date Published: November 21, 2022

Excerpt: “Private equity firms are failing to adequately manage cyber-risk in their portfolio companies, with a fifth (19%) of such businesses found to feature easily exploitable vulnerabilities, according to BlueVoyant. The security vendor chose a group of private equity firms at random and analyzed the 780 unique portfolio companies they had invested in to compile its report, Private Equity A Look at Portfolio Company Cyber Risk. It revealed that 149 of these companies, or around a fifth of the total, had so-called “zero tolerance findings.” BlueVoyant categorizes these as:

  • Known critical vulnerabilities in software on internet-facing systems, where a patch is available
  • Malicious activity, involving “beaconing” from inside the organization to known malicious infrastructure
  • IT hygiene, specifically open or misconfigured ports exposed to the internet, which can be probed to gain access via credential stuffing and other techniques

The companies impacted had between one and 11 of these findings, with more than half having two or more and almost a quarter having six or more. Some 70% of critical internet-facing findings came in the area of IT hygiene. Here, the most common open or misconfigured ports related to remote desktop protocol (RDP), a major vector for ransomware. This accounted for 27% of findings, versus 18% for Server Message Block (SMB) and 17% for Windows Remote Management (WinRM). Most impacted portfolio companies were located in the US (222) and the UK (133) although proportionately these countries fared better than the average, representing just 13% and 12% of the total respectively.”

Title: Australia’s Hack-Back Plan Against Cyberattackers Raises Familiar Concerns
Date Published: November 18, 2022

Excerpt: “How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage? The Australian government’s defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats. How effective the country’s newly announced “joint standing operation against cybercriminal syndicates” will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities. “As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in,” says Richard Stiennon, chief research analyst at IT-Harvest. “I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much.” Australian prime minister Anthony Albanese’s government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to “investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups.” The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia’s total population of some 26 million people.”

Title: Emotet’s Return Underscores That Some Threat Groups Never Go Away for Good
Date Published: November 18, 2022

Excerpt: “Researchers reported on Thursday that after being disrupted in early 2021, after a few months of so-called “summer vacation” Emotet re-emerged with nearly daily activity since October of last year. In a blog post, Deep Instinct researchers said the current wave of Emotet malspam is delivered via “thread hijacking” emails. The attachments come in both password-protected zips as well as plain attachments. Emotet started as a banking trojan in 2014 and was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. The researchers said Emotet gets propagated mostly via Microsoft Office email attachments containing a macro. If enabled, it downloads a malicious PE file (Emotet) which then gets executed. “Security pros should read this research as confirmation that even if they don’t see a prevalence of infections from a specific group, it does not mean they are not maintaining a presence or monitoring devices that are still infected,” said Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct. “Bad actors don’t just go away. They might go dark when there’s too much attention being placed on them, but in many cases they don’t just disappear.” Fulmer explained that a couple examples are how Emotet countlessly reemerges after “disappearing” for a period of time, or how Darkside went dark after the Colonial Pipeline attack just to reemerge as a newly named group with the same attack methodology and payloads. Fulmer said this also emphasizes the danger infected machines pose and how crucial it is to ensure there’s nothing malicious remaining on the machine. “When Emotet came back to action, the first order was to push out updated malware to currently infected machines which I guarantee environments assumed were clean, but had some level of persistence allowing the group to instantly access them upon return,” Fulmer said. “Security teams need to be more proactive and leverage all items at their disposal.
This means shifting from a stance of detection toward prevention-first offerings and changing the mindset to adopt an assume-breach mentality.” Here’s another example of a group evolving its strategy to avoid detection engines, said Andrew Barratt, vice president at Coalfire. Barratt said Proofpoint also had an interesting post on the return of Emotet earlier this week. Barratt said he suspected the time “off grid” was to avoid the detection fatigue level they were probably getting.”

Title: New Attacks Use Windows Security Bypass Zero-Day to Drop Malware
Date Published: November 19, 2022

Excerpt: “New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. When files are downloaded from an untrusted remote location, such as the Internet or an email attachment, Windows adds a special attribute to the file called the Mark of the Web. This Mark of the Web (MoTW) is an alternate data stream that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL. When a user attempts to open a file with a MoTW attribute, Windows will display a security warning asking if they are sure they wish to open the file. “While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows. Last month, the HP threat intelligence team reported that a phishing attack was distributing the Magniber ransomware using JavaScript files. These JavaScript files are not the same as those used on websites but are standalone files with the ‘.JS’ extension that are executed using the Windows Script Host (wscript.exe). After analyzing the files, Will Dormann, a senior vulnerability analyst at ANALYGENCE, discovered that the threat actors were using a new Windows zero-day vulnerability that prevented Mark of the Web security warnings from being displayed. To exploit this vulnerability, a JS file (or other types of files) could be signed using an embedded base64 encoded signature block, as described in this Microsoft support article.”
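The excerpt above describes the Mark of the Web as an alternate data stream carrying the file's origin zone, referrer and download URL. The following added example (written for this digest, not code from the article or from any of the researchers it cites) parses that Zone.Identifier stream and reports whether Windows would normally prompt for the file, using constructed sample streams and an `example.invalid` host. Reading the stream shows where a file came from; it cannot show whether the prompt was actually displayed, which is what the described bypass suppresses, so treat Internet-zone scripts as downloaded content regardless of whether a warning was seen.

```python
# Added example: parse a Mark-of-the-Web (Zone.Identifier) stream and classify it.
# Zone ids: 0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites.
from dataclasses import dataclass
from typing import Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

def parse_zone_identifier(stream: Optional[str]) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style Zone.Identifier text; None if there is no usable ZoneId."""
    if stream is None:
        return None
    section, fields = None, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("referrerurl"), fields.get("hosturl"))

def prompt_expected(motw: Optional[MarkOfTheWeb]) -> bool:
    """Windows normally warns only for the Internet (3) and Restricted sites (4) zones."""
    return motw is not None and motw.zone_id >= 3

def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS; None when the stream is absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

# Constructed sample streams (not taken from a real incident).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/invoice.js\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, stream in [("invoice.js", SAMPLE_INTERNET), ("share.js", SAMPLE_INTRANET), ("local.js", None)]:
        m = parse_zone_identifier(stream)
        zone = ZONE_NAMES.get(m.zone_id, "unknown") if m else "no MoTW"
        print(f"{name}: zone={zone} prompt_expected={prompt_expected(m)} host={m.host_url if m else None}")
```

On a live Windows host, pass `read_zone_identifier(path)` into `parse_zone_identifier` to triage files in a Downloads folder or an extracted mail attachment.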

Title: PoC Exploit Code for Proxynotshell Microsoft Exchange Bugs Released Online
Date Published: November 18, 2022

Excerpt: “Proof-of-concept exploit code for two actively exploited Microsoft Exchange ProxyNotShell flaws released online. Proof-of-concept exploit code has been released online for two actively exploited vulnerabilities in Microsoft Exchange, known as ProxyNotShell. The two flaws are:

  • CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability

They impact Exchange Server 2013, 2016, and 2019; an authenticated attacker can trigger them to elevate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on vulnerable servers. Cybersecurity firm GreyNoise confirmed that threat actors are attempting to exploit the flaws since late September, Bleeping Computer reported. Microsoft addressed both vulnerabilities with the release of Patch Tuesday updates for November 2022 security updates. This week the popular researcher Will Dormann confirmed that PoC exploit code released by the security researcher Janggggg, which was exploited by threat actors in the wild, works against Exchange Server 2016 and 2019, and even against 2013 with some modifications. The expert demonstrated how to exploit the bug to execute calc.exe as SYSTEM.”

Title: Ransomware-as-a-Service Market Now Highly Specialized
Date Published: November 18, 2022

Excerpt: “The criminal underground market for ransomware services is now specialized to the point where almost every step of the infection and extortion chain can be outsourced to contractors, cybersecurity firm Sophos says in its latest annual assessment of the threat landscape. Just as the cloud and web services industry lets corporate customers pick and choose from a plethora of paid services, ransomware criminals stand ready to offer extortionists service ranging from malware distribution to network scanning. One enterprising criminal entrepreneur even offers OPSEC-as-a-service, the Sophos report says. The seller offers – either as a one-off setup or a monthly subscription – a service designed to hide Cobalt Strike infections and minimize the risk of detection and attribution, Sophos writes. “Ransomware-as-a-Service began last year and by this year, virtually every type of cybercriminal activity is available as a service for a few hundred dollars. This is just an indication of how sophisticated and professionalized the people in the cybercrime industry have become,” says Sean Gallagher, a Sophos principal threat researcher.”

Title: Shoppers Warned Stay Alert this Black Friday as Hackers Renew Efforts
Date Published: November 18, 2022

Excerpt: “Shoppers should stay alert on Black Friday as hackers launch new scams in the lead-up to the event. Check Point Research (CPR) said the team has already observed a sharp increase in shopping-related phishing scams, with threat actors imitating well-known brands. “While consumers are getting ready to bag the best deal, cybercriminals are taking advantage of distracted minds by launching their own shopping ‘specials’ in the form of phishing campaigns and lookalike fake websites,” reads a CPR advisory published on Thursday. At the end of October, Check Point researchers discovered a malicious phishing email spoofed from the webmail address to appear as if it had been forwarded from Louis Vuitton. “The well-known fashion brand was also the subject of several other fake websites. At the beginning of October, four domains with the same format were registered,” CPR wrote. All these websites were reportedly designed to look like the legitimate Louis Vuitton site and spread via email with a subject suggesting discounts were available. “Over the past month, we have seen an increased number of incidents involving these domains, reaching close to 15,000 in the second week of November,” Check Point explained. Further, the security team says cyber-criminals are not only exploiting the busy buying period during the purchase process but also at the delivery stage. “In the first ten days of November, we found that 17% of all malicious files distributed by emails were related to orders/deliveries and shipping,” the CPR reads. One such scam was impersonating delivery company DHL, which aimed to steal the victims’ credentials by claiming they needed to pay €1.99 to complete the delivery.”
