November 22, 2022

Fortify Security Team

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs

Date Published: November 21, 2022

Excerpt: “Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. According to cybersecurity firm SEKOIA, at least seven notable cyber gangs with significant activity have adopted Aurora exclusively, or along with Redline and Raccoon, two other established information-stealing malware families. The reason for this sudden rise in Aurora’s popularity is its low detection rates and general unknown status, making its infections less likely to be detected. Simultaneously, Aurora offers advanced data-stealing features and presumably infrastructural and functional stability. Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features. As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough. However, in late August 2022, SEKOIA noticed that Aurora was advertised as a stealer, so the project abandoned its goal of creating a multi-function tool.”

Title: Two Estonian Citizens Arrested in $575M Cryptocurrency Fraud Scheme

Date Published: November 22, 2022

Excerpt: “Two Estonian citizens were arrested in Tallinn for allegedly running a $575 million cryptocurrency fraud scheme. Two Estonian nationals were arrested in Tallinn, Estonia, after being indicted in the US for running a fraudulent cryptocurrency Ponzi scheme that caused more than $575 million in losses. According to the indictment, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a crypto Ponzi scheme. The duo used shell companies to launder the cash from the fraudulent activity and to buy real estate and luxury cars. “They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank,” reads the press release published by DoJ. “In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies.” The defendants are accused of defrauding the victims between December 2013 and August 2019; they operated with other co-conspirators residing in Estonia, Belarus, and Switzerland. Potapenko and Turõgin tricked the investors into believing that HashFlare was a massive cryptocurrency mining operation; the victims were requested to pay to rent computing power and receive a proportional part of the cryptocurrencies mined. The bad news for the investors is that HashFlare did not have the virtual currency mining equipment it claimed to have. According to the indictment, HashFlare’s equipment performed Bitcoin mining at a rate of less than one percent of the computing power it claimed to have. When investors asked to withdraw their mining proceeds, the defendants either resisted making the payments or, in some cases, paid off the investors using virtual currency that was purchased on the open market.”

Title: Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk

Date Published: November 22, 2022

Excerpt: “Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions like Cobalt Strike and Brute Ratel as a commercially distributed remote access trojan (RAT) designed for legitimate use. However, like the latter two tools, it could soon be co-opted by those with nefarious intent, Proofpoint warned in a new report. The vendor claimed to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020, for example. Other tools like Sliver and Brute Ratel have found their way into malicious campaigns within months of their release, it said. “Historically, threat actors have integrated legitimate tools into their arsenal for various reasons, such as complicating attribution, leveraging specific features such as endpoint detection evasion capabilities or simply due to ease of use, flexibility, and availability,” said Proofpoint. “In the last few years, threat actors from cyber-criminals to advanced persistent threat actors have increasingly turned to red-teaming tools to achieve their goals.” Proofpoint’s analysis revealed an “extensive list of configurable evasion techniques” referred to as “opsec” functions in the product’s code.”

Title: Luna Moth’s Novel, Malware-Free Extortion Campaign Takes Flight

Date Published: November 21, 2022

Excerpt: “Luna Moth is relying solely on call-back phishing, as well as legitimate tools, to steal data and extract ransoms from victims of all stripes in an expanding cyberattack effort. Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware. Instead, the attacker, dubbed Luna Moth (aka the “Silent” ransomware group), has been using an array of legitimate tools and a technique dubbed “call-back phishing.” The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them. Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Networks Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned. “We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium-sized legal organizations,” says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. “Because social engineering targets individuals, the size of the company does not offer much protection.” Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.”

Title: Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat

Date Published: November 21, 2022

Excerpt: “The Department of Health and Human Services Cybersecurity Coordination Center is warning larger, enterprise healthcare organizations of the potential threat posed by the Lorenz ransomware threat group. The human-operated campaign is well-known for its big-game hunting of larger organizations and has claimed victims in both the healthcare and public health sectors. The alert follows a warning of the serious threat posed by Hive ransomware actors to healthcare organizations. Earlier this month, HC3 also issued a brief on the relatively new group known as Venus ransomware, which has claimed at least one U.S. healthcare entity since emerging in August. Venus primarily targets exposed Remote Desktop Services on Windows devices. But while open-source reports show Venus’ ransom demands begin around 1 BTC, or less than $20,000, the Lorenz group operates in a much bigger playing field with demands that range from $500,000 to $700,000. The actors are also known to sell access to the victim’s network. Lorenz has been active for at least two years and operates a data leak site, per the typical extortion group model. However, the group’s tactics are far more nefarious. HC3 warns that “upon becoming frustrated with a victim’s unwillingness to pay, they first make the stolen data available for sale to other threat actors or competitors.” If that fails to garner a payment, Lorenz will then “release password protected RAR archives” of the victim’s data. If those efforts don’t result in monetary gains, the group then releases “the password for the full archives, so they will be publicly available for anyone to access.” The model could result in a serious fallout in a situation like the recent attack, extortion attempt, and subsequent data leak of files tied to MediBank, Australia’s largest health insurer.”

Title: Staying Protected From Cybercriminals This Holiday Season

Date Published: November 22, 2022

Excerpt: “As we approach the holiday season, we wanted to focus this month’s post on you (and your family). Bad guys don’t just wait until the holidays to start causing havoc; they relentlessly target all of us throughout the year. Judging by our perseverance, nothing is going to keep us from a good holiday deal, and attackers love to use this season to their advantage. Therefore, we must all keep a frosty demeanor (pun intended) to protect ourselves. Let us take some time to review these precautions when shopping to ensure you and your family are well protected this holiday season.

  • Credit – never debit – for online shopping. In case of fraud or a data breach, debit cards do not have the same consumer protections as credit cards. Credit cards don’t give a seller direct access to the money in your bank account – debit cards do. If you rely on your debit card, you could be without that money for an extended period in the event of fraud. Not to mention, you can take advantage of credit card points!
  • Review your statements. Your bank and credit card statements should be frequently reviewed for unusual transactions.

TIP: If you have been breached, you are entitled to place a free initial fraud alert with one of the three national credit reporting companies:

Title: Attackers Bypass Coinbase and Metamask 2FA via Teamviewer, Fake Support Chat

Date Published: November 21, 2022

Excerpt: “A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to accounts on Coinbase, MetaMask, and KuCoin and steal cryptocurrency. The threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites and lure victims to them via phishing messages impersonating bogus transaction confirmation requests or suspicious activity detection. For example, one of the phishing emails seen in the attacks pretended to be from Coinbase, which says they locked the account due to suspicious activity. When the targets visit the phishing site, they are presented with a chat window supposedly for ‘customer support,’ controlled by a scammer who directs visitors through a multi-step defrauding process. PIXM has been tracking this campaign since 2021 when the threat group targeted only Coinbase. Recently, PIXM’s analysts noticed an expansion in the campaign’s targeting scope to include MetaMask, and KuCoin.”

Title: Expert Published PoC Exploit Code for macOS Sandbox Escape Flaw

Date Published: November 21, 2022

Excerpt: “A researcher published details and proof-of-concept (PoC) code for a high-severity macOS sandbox escape vulnerability tracked as CVE-2022-26696. Researcher Wojciech Regula (@_r3ggi) of SecuRing published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score of 7.8). In a wrap-up published by Regula, the researcher observed that the problem is caused by a strange behavior he observed in a sandboxed macOS app that may launch any application that won’t inherit the main app’s sandbox profile. According to ZDI, this vulnerability allows remote attackers to escape the sandbox on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. “A sandboxed process may be able to circumvent sandbox restrictions,” reads the advisory published by Apple, which addressed the flaw with improved environment sanitization. According to ZDI, a remote attacker can trigger the flaw to escape the sandbox on vulnerable Apple macOS installs. ZDI pointed out that an attacker can exploit the bug only if he has first obtained the ability to execute low-privileged code on the target system.”

Title: Credential Stuffers Steal $300K from DraftKings Customers

Date Published: November 22, 2022

Excerpt: “Sports betting site DraftKings has promised to reimburse an undisclosed number of customers after they lost $300,000 through a suspected credential stuffing campaign. A statement from the firm’s co-founder, Paul Liberman, late yesterday noted that some customers had experienced “irregular activity” with their accounts. “We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” it continued. “We have seen no evidence to suggest that DraftKings’ systems were breached to obtain this information.” That would seem to indicate classic credential stuffing attacks, where threat actors buy up username/password combos from underground breach sites, feed them into automated tools and try them en masse across the internet, to see where they’ve been reused by individuals. Liberman said he would “make whole” any customer who was impacted, although the firm presumably has no liability in this case. However, the company does appear to have been slow to respond to customer complaints, which in turn may have enabled the threat actors to make off with more customer funds from bank accounts linked to their DraftKings accounts.”

Title: Out of the Blue: Surviving an 18-Hour, 39M-Request DDoS Attack

Date Published: November 22, 2022

Excerpt: “No online business can afford to neglect malicious bot threats. Attackers and fraudsters increasingly leverage bots to automate and coordinate attacks, driving IT teams and ill-equipped security tools to their limits. Only a full-endpoint, 360° bot protection solution that leverages aggregate global detection signals can save you from unexpected threats. Case in point: A large e-commerce website protected by DataDome’s bot and online fraud management solution recently remained blissfully unaffected throughout a high volume, highly-distributed DDoS attack. What’s more, the site implemented the protection to solve a scraping problem. Let’s deep dive into a real-life attack to understand the key traits of a DDoS attack, how the threat landscape is evolving, and the implications when choosing a security solution. Beginning on a Friday and lasting through Saturday, the DDoS attack came in several waves spanning over 18 hours. In total, the site was under active attack for ~4 hours. The attack can be split into two main waves:

1st wave: Friday night between ~18:00 and ~0:00 (CEST).
2nd wave: Saturday morning from ~10:00 to 12:00.

The first part of the attack represented the highest volume of traffic (29.375 million bot requests). During this first wave, the DDoS generated spikes of traffic that reached up to 1.5 million requests per minute. The attack, like most DDoS attacks these days, was heavily distributed. The attacker leveraged a botnet of more than 11,000 distinct IP addresses from 1,500 different autonomous systems, spread over 138 countries. The point: Simple IP rate limiting or geo-blocking would not have been effective. The targeted website has customers all around the world. So, while blocking all requests from certain countries could have helped mitigate the attack, it would have also impacted the user experience for innocent customers based in the blocked countries.”
