November 28, 2022

Fortify Security Team

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia
Date Published: November 28, 2022

https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html

Excerpt: “Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports. Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations. The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in .NET and experts noticed that deployment is similar to previous attacks attributed to the Russia-linked Sandworm APT group. Sandworm (aka BlackEnergy and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage. In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper. The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.”

Title: 5.4 Million Twitter Users’ Stolen Data Leaked Online — More Shared Privately
Date Published: November 27, 2022

https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/

Excerpt: “Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum. Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors. The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public. Last July, a threat actor began selling the private information of over 5.4 million Twitter users on a hacking forum for $30,000. While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. This data was collected in December 2021 using a Twitter API vulnerability disclosed in the HackerOne bug bounty program that allowed people to submit phone numbers and email addresses into the API to retrieve the associated Twitter ID.”

Title: Belgian Police Under Fire After Major Ransomware Leak
Date Published: November 28, 2022

https://www.infosecurity-magazine.com/news/belgian-police-under-fire-major/

Excerpt: “A notorious ransomware group has begun leaking highly sensitive data it stole from Belgian police, in what is being described as one of the biggest breaches of its kind in the country. RagnarLocker has been connected to the incident, which hit the Zwijndrecht police force in the city of Antwerp. “Police Zwijndrecht had to deal with a serious case of hacking earlier this year. The internet criminals were able to gain access to the administrative network,” read a post on the force’s Facebook page (via Google Translate). “The police zone personnel, which is most impacted, has been informed. Due to the secrecy of the investigation, we limit ourselves to this information.” However, while administrative staff are most impacted by the incident, they’re certainly not the only ones. Chief Commissioner of Police Zwijndrecht, Marc Snels, admitted to local news site VRT that “it is indeed also the case that some sensitive information was on that network,” even though it is meant to reside on a separate network. “This is a case of human error, and this is how crime reports and fine notices, but also photographs of child abuse have been leaked,” he continued. “This is of course particularly regrettable.” The report suggested that records dating back to 2006 were accessed by the hackers.”

Title: Multiple Arrests in Coordinated African Cyber Operation
Date Published: November 28, 2022

https://www.databreachtoday.com/multiple-arrests-in-coordinated-african-cyber-operation-a-20560

Excerpt: “A joint Africa-based cyber operation has led to 11 arrests and the seizure of their malicious cyberinfrastructure used for phishing and other scams. The investigation, dubbed Africa Cyber Surge Operation, was aimed at tackling cybercriminals operating across Africa and was launched in the wake of increasing financial thefts targeting business organizations and individuals in the region. The operations were coordinated between 27 law enforcement agencies and led to 11 people from different parts of Africa being arrested for engaging in different cybercrimes such as phishing, romance and cryptocurrency scams, and banking and personal data theft, causing a combined financial loss of $800,000, according to Interpol, which worked in close cooperation with AFRIPOL on the operation. It’s unclear how many citizens are affected by the breach, but they include victims, perpetrators, witnesses and those under surveillance – with potentially far-reaching consequences if their identities are uncovered.”

Title: Operation Elaborate – UK Police Text 70,000 Suspected Victims of iSpoof Bank Fraudsters
Date Published: November 24, 2022

https://www.tripwire.com/state-of-security/operation-elaborate-uk-police-text-70000-suspected-victims-ispoof-bank-fraudsters

Excerpt: “UK police are texting 70,000 people who they believe have fallen victim to a worldwide scam that saw fraudsters steal at least £50 million from bank accounts. 200,000 people in the UK, including the elderly and disabled, are thought to have been targeted by con men who masqueraded as high street banks. Scammers paid a subscription to a service called iSpoof.cc that allowed them to disguise their phone number so they appeared to be calling from major banks including Barclays, NatWest, HSBC, Santander, Lloyds, First Direct, Nationwide, Halifax, and TSB. The site, set up in December 2020, helped fraudsters steal sensitive information (such as one-time passcodes) from unsuspecting banking customers, allowing the criminals to break into accounts and steal funds. Most of the victims were based in the United States (40%) and the UK (35%), but individuals across Europe and even as far afield as Australia were also targeted. iSpoof, which promoted itself as a “state of the art system” that handled “auto-calling with custom hold music and convincing call centre background noise” had its own Telegram channel, where the site’s administrators and users communicated.”

Title: Slippery RansomExx Malware Moves to Rust, Evading VirusTotal
Date Published: November 25, 2022

https://www.darkreading.com/threat-intelligence/slippery-ransomexx-malware-moves-rust-virustotal

Excerpt: “A new, harder-to-peg version of the ransomware has been rewritten in the Rust programming language. The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language — possibly to avoid detection by antivirus software. According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed “was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission” and that “the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.” Besides being harder to detect and reverse-engineer, Rust has the advantage of being platform-agnostic. Thus, while the new version of RansomExx runs on Linux, IBM predicts a Windows version will be on its way soon, if it’s not already loose and undetected. RansomExx is far from the only malware package written in Rust. BlackCat, Hive, and, before that, Buer are prominent examples of malware that was rewritten to avoid detection based on the C/C++ versions.”

Title: Socgholish Finds Success Through Novel Email Techniques
Date Published: November 23, 2022

https://www.scmagazine.com/analysis/threat-intelligence/socgholish-finds-success-through-novel-email-techniques

Excerpt: “Researchers at Proofpoint revealed more technical details about SocGholish, the malware variant they identified earlier this month, highlighting its noteworthy tactics that differ from traditional phishing campaigns. According to a Proofpoint blog post Tuesday, SocGholish deviates from the norm by forgoing all the classic staples of modern phishing, such as instilling a sense of urgency, promises of rewards, and misdirection. Instead, researchers found that SocGholish is leveraged in email campaigns with injections on sites, mainly targeting organizations with extensive marketing campaigns or strong Search Engine Optimization. “[SocGholish] really is sophisticated. I do not like to use the word ‘sophisticated’ when it comes to threats in general, but this actor [along with] its development lifecycle and various techniques really are head and shoulders above other actors,” Andrew Northern, senior threat researcher at Proofpoint, said during a virtual event on Tuesday.”

Title: Google Warns: Android ‘Patch Gap’ Is Leaving These Smartphones Vulnerable to Attack
Date Published: November 25, 2022

https://www.zdnet.com/article/google-warns-android-patch-gap-is-leaving-these-smartphones-vulnerable-to-attack/

Excerpt: “Google says it is working with Android smartphone manufacturers to get them to release patches for multiple critical Arm Mali GPU driver bugs. Many Android smartphones are vulnerable to multiple high-severity security issues that Google Project Zero reported over summer but remain unpatched, despite Arm releasing fixes for them. Android phones equipped with Arm Mali GPUs are affected by the unpatched flaws. As GPZ researcher Ian Beer points out, even Google’s Pixel phones are vulnerable, as are phones from Samsung, Xiaomi, Oppo, and others. Beer is urging all major Android smartphone vendors to do exactly what consumers get told all the time, and patch their devices as soon as possible. Right now, smartphone users themselves can’t apply a patch for an Arm Mali GPU driver, despite Arm releasing fixes for them months ago, because no Android smartphone vendor has applied the fixes to their Android builds.”

Title: Vice Society Ransomware Claims Attack on Cincinnati State College
Date Published: November 25, 2022

https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-cincinnati-state-college/

Excerpt: “The Vice Society ransomware operation has claimed responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. The hackers posted a long list of documents on their Tor data leak site they claim was stolen from the college, indicating that a ransom was never paid. The documents date from several years ago until November 24, 2022, possibly indicating that the threat actors maintain access to the breached systems, but this has not been verified. All documents on the Vice Society site have been made freely accessible to visitors and contain PII (personally identifiable information) in the leaked files. Cincinnati State college informed its 10,000 students and 1,000 staff members that they suffered a cybersecurity incident earlier in the month, warning that online services and restoration to regular operations will take time. The latest update on the cyberattack came on Tuesday this week, announcing the restoration of on-campus networks and email, partial internet access, and classroom computers. However, voicemail, network printing, VPN access, network and intranet shared drives are all unavailable, while a range of online application and registration portals are also offline. The college has posted FAQs for the employees, current and new students, guiding them on how to interact with the administration until systems return to normal operations. However, there aren’t workarounds for all services, so the disruption from the cyberattack remains significant for the college.”

Title: Devices From Dell, HP, and Lenovo Used Outdated OpenSSL Versions
Date Published: November 26, 2022

https://securityaffairs.co/wordpress/138986/security/dell-hp-lenovo-openssl-outdated.html

Excerpt: “Researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library. Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library. The OpenSSL software library allows secure communications over computer networks against eavesdropping or the need to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers. The experts analyzed one of the core frameworks, EDKII, used as a part of any UEFI firmware, which has its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component. EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications. The main EDKII repository is hosted on GitHub and is frequently updated. The experts first analyzed Lenovo ThinkPad enterprise devices and discovered that they used different versions of OpenSSL in the firmware image.”
