November 23, 2022

Fortify Security Team

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for CVE-2022-37966
Date Published: November 23, 2022

Excerpt: “Microsoft released an out-of-band update to fix problems tied to a recent Windows security patch that caused Kerberos authentication issues. Microsoft released an out-of-band update to address issues caused by a recent Windows security patch that causes Kerberos authentication problems. Microsoft Patch Tuesday security updates for November 2022 addressed a privilege escalation vulnerability, tracked as CVE-2022-37966, that impacts Windows Server. An attacker can trigger this flaw to gain administrator privileges on vulnerable systems. “An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.” reads the advisory published by Microsoft. After the release of the Patch Tuesday security updates, users started reporting issues related to the Kerberos authentication. The IT giant investigated the reports and developed an out-of-band update to fix the problems”

Title: Backdoored Chrome Extension Installed by 200,000 Roblox Players
Date Published: November 23, 2022

Excerpt: “Chrome browser extension ‘SearchBlox’ installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform. BleepingComputer has been able to analyze the extension code which indicates the presence of a backdoor, introduced either intentionally by its developer or after a compromise. The ‘SearchBlox’ extensions found on the Chrome Web Store appear to be compromised, BleepingComputer has observed. There are two search results for ‘SearchBlox’ on Chrome. These extensions claim to let you “search Roblox servers for a desired player… blazingly fast” but both contain the backdoor.”

Title: Yanluowang Ransomware’s Russian Links Laid Bare
Date Published: November 23, 2022

Excerpt: “The inner workings of yet another ransomware group have been laid bare after internal messages were leaked online, suggesting the Yanluowang group was actually run by Russian speakers. Threat intelligence firm Trellix analyzed close to 3000 messages shared by Twitter user @yanluowangleaks, revealing some interesting tidbits. The group, which was responsible for breaching big-name organizations over the past year including Walmart and Cisco, converses in Russian, despite its Chinese mythological moniker. In fact, at one point it wanted to post a message in support of Ukraine on its ransom page to increase the chances of payment, but decided not to out of concerns it would blow the Chinese cover story, Trellix said. Like Conti, another group whose chats were doxed, Yanluowang appears to have been well organized operationally. Members include leader and payroll manager “Saint,” lead developer Killanas (aka “coder0”) and pen-testers “Felix” and “Shoker.” A doxed image of Killanas appears to show him wearing a Russian military uniform, which would add weight to the theory that the ransomware actors have close ties to the Kremlin. The Trellix analysis also revealed collaboration between the group and other ransomware actors, most notably HelloKitty.”

Title: Warning: This Scam Starts With a Fake Invoice. It Could End With Crooks Stealing Your Data
Date Published: November 22, 2022

Excerpt: “Social engineering and phony call centers are used to trick victims into installing remote software. Then the gang steals data and threatens to leak it. A cyber-extortion gang is using phishing emails, social engineering and a network of phony call centers to scam victims out of hundreds of thousands of dollars by tricking them into allowing remote access to their PC, then stealing data and threatening to leak it if a ransom isn’t paid. According to analysis of the ‘callback phishing’ attacks by cybersecurity researchers at Palo Alto Networks Unit 42, the social-engineering campaign is worryingly successful, which is leading to a growth in the infrastructure behind attacks, as the cyber criminals try to make as much money as possible. The attacks are similar to previously identified campaigns that used phishing emails containing malicious documents to trick victims into installing BazarLoader backdoor malware. The malware was used to access the network, steal data and blackmail the victim into paying an extortion fee to prevent the data being leaked.”

Title: Black Basta Using QBot Malware to Target US-Based Companies
Date Published: November 23, 2022

Excerpt: “QBot Backdoor Opens Systems to Loading Cobalt Strike, Ransomware and Other Malware. Researchers say Black Basta is dropping QBot malware – also called QakBot – in a widespread ransomware campaign targeting mostly U.S.-based companies. In the group’s latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason. The Black Basta ransomware gang surfaced in April 2022 and was observed using QBot malware to create an initial point of entry and move laterally within the targeted organization’s network. QBot malware is a banking Trojan, primarily designed to steal banking data, including browser information, keystrokes and credentials. Its previous targets include JPMorgan Chase, Citibank, Bank of America, Citizens, Capital One and Wells Fargo. The latest campaign, tracked by Cybereason’s global SOC, uncovered that Black Basta is specifically targeting organizations in the United States, Canada, the United Kingdom, Australia and New Zealand.”

Title: Ducktail Cyberattackers Add WhatsApp to Facebook Business Attack Chain
Date Published: November 22, 2022

Excerpt: “The Vietnam-based financial cybercrime operation’s primary goal is to push out fraudulent ads via compromised business accounts. A financially motivated threat actor targeting individuals and organizations on Facebook’s Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them. The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor’s primary goal is to push out ads fraudulently via Facebook business accounts of which they manage to gain control.”

Title: Russian Cybergangs Stole Over 50 Million Passwords This Year
Date Published: November 23, 2022

Excerpt: “At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records. According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries. In 2022, information-stealing malware distribution reached unprecedented levels, now involving low-skilled hackers aspiring to make a larger profit from their illegal activities. Group-IB says the cybercriminals fueling the growth of info-stealer deployment are low-level scammers who previously worked as “victim callers” in phishing campaigns known as “Classiscam.” “The influx of a huge number of workers into the popular scam Classiscam, […] at its peak, comprised over a thousand criminal groups and hundreds of thousands of fake websites has led to criminals competing for resources and looking for new ways to make profits,” comments Group-IB.”

Title: Exclusive – Quantum Locker Lands in the Cloud
Date Published: November 23, 2022

Excerpt: “The gang behind Quantum Locker used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.

  • Quantum Locker gang demonstrated capabilities to operate ransomware extortion even on cloud environments such as Microsoft Azure.
  • Criminal operators of the Quantum gang demonstrated the ability to hunt and delete secondary backup copies stored in cloud buckets and blobs.
  • Quantum Locker gang targets IT administration staff to gather sensitive network information and credential access.
  • During their intrusions, Quantum operators steal access to enterprise cloud file storage services such as Dropbox, to gather sensitive credentials.
  • Cloud root account takeovers have been observed in Q4 2022 during Quantum gang intrusions in North Europe.

During the latest weeks, the Belgian company Computerland shared insights with the European threat intelligence community about Quantum TTPs adopted in recent attacks. The shared information revealed that the Quantum gang used a particular modus operandi to target large enterprises relying on cloud services in the NACE region. The disclosed technical details about recent intrusions confirm the ability of the Quantum Locker gang to conduct sabotage and ransomware attacks even against companies heavily relying on cloud environments.”

Title: Bahamut Cybermercenary Group Targets Android Users With Fake VPN Apps
Date Published: November 23, 2022

Excerpt: “Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram. ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that provides only Android apps to download. Note that although the malware employed throughout this campaign uses the name SecureVPN, it has no association whatsoever with the legitimate, multiplatform SecureVPN software and service. ESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake SecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were never available for download from Google Play. The malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data.”

Title: LockBit 3.0 Says It’s Holding a Canadian City for Ransom
Date Published: November 22, 2022

Excerpt: “Ransomware Attack Locks Up Westmount Services and Takes Down Email System. The nefarious LockBit 3.0 cybercriminal group is claiming responsibility for the ransomware attack that halted municipal services and shut down employee email accounts in Westmount, Quebec, giving the city a deadline of Dec. 4 to make an undisclosed ransom payment. Westmount, a city with nearly 21,000 residents in southwestern Quebec, on Monday initially reported that the city’s email services were unavailable because of an unidentified computer outage. Later, the city confirmed the outage also affected other municipal services and stemmed from a targeted cyberattack. “Cyberattacks are unfortunately becoming more and more prevalent and sophisticated in our society, and despite all the measures we put in place, public administrations are not completely immune to this sad reality,” Westmount Mayor Christina Smith says in a statement. “I want to reassure all Westmounters that our teams are working seriously and diligently to remedy this situation, and we will keep residents informed.” The city did not comment on the extent of the attack but says it hired a cybersecurity firm to investigate and to restore its systems as soon as possible.”
