November 3, 2022

Fortify Security Team

Title: Hundreds of U.S. news sites push malware in supply-chain attack

Date Published: November 2, 2022

https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/

Excerpt: “Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. “The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets’ websites. This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chrom?.U?dat?.zip, Chrome.Updater.zip, Firefo?.U?dat?.zip, Oper?.Upd?te.zip, Oper.Updte.zip) via fake update alerts. “Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,” Proofpoint’s Threat Insight team revealed today in a Twitter thread.”

Title: Experts link the Black Basta ransomware operation to FIN7 cybercrime gang

Date Published: November 3, 2022

https://securityaffairs.co/wordpress/138037/cyber-crime/black-basta-linked-fin7.html

Excerpt: “Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7. Security researchers at Sentinel Labs shared details about Black Basta’s TTPs and assess it is highly likely the ransomware operation has ties with FIN7. The experts analyzed tools used by the ransomware gang in attacks, some of them are custom tools, including EDR evasion tools. SentinelLabs believes the developer of these EDR evasion tools is, or was, a developer for the FIN7 gang. Further evidence linking the two includes IP addresses and specific TTPs (tactics, techniques, and procedures) used by FIN7 in early 2022 and seen months later in actual Black Basta attacks. Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model. On the other hand, FIN7 is a Russian financially motivated group that has been active since at least 2015. It focused on deploying POS malware and launching targeted spear-phishing attacks against organizations worldwide. The Sentinel Labs’s analysis revealed that Black Basta ransomware operators develop and maintain their own toolkit, they documented only collaboration with a limited and trusted set of affiliates.”

Title: Smooth ‘Opera1er’: French-Speaking Gang Steals $11 Million

Date Published: November 3, 2022

https://www.databreachtoday.com/smooth-opera1er-french-speaking-gang-steals-11-million-a-20400

Excerpt: “A French-speaking gang has been tied to the theft of at least $11 million, mainly from banks in Africa. The criminal syndicate, codenamed “Opera1er,” remains “active and dangerous,” according to a new report from cybersecurity firm Group-IB and the CERT Coordination Center at French multinational telecommunications giant Orange. “Researchers codenamed the gang Opera1er after an email account frequently used by the gang to register their domains,” Group-IB reports, adding that the gang is also known as Desktop-Group and NXSMS, while the Society for Worldwide Interbank Financial Telecommunication – aka SWIFT – in 2020 dubbed it Common Raven. “Between 2018 and 2022, the gang managed to steal at least $11 million, and the actual amount of damage could be as high as $30 million,” Group-IB reports. Victims have included financial services firms and telecommunications companies in Argentina, Bangladesh, Burkina Faso, Cameroon, Gabon, Ivory Coast, Mali, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Togo and Uganda. Researchers say the group prefers to hit victims on weekends or during public holidays. Group-IB and Orange CERT-CC are releasing their findings, including TTPs and indicators of compromise, to help organizations – and especially banks – better spot attacks tied to this group. They say a number of other security researchers have helped track the group, including Polish cyber threat intelligence expert Przemyslaw Skowron, as well as researchers in Belgium, France and Switzerland, and Russian hosting provider Internet Hosting Center.”

Title: Bot Warning for Retailers Ahead of Busy Shopping Season

Date Published: November 3, 2022

https://www.infosecurity-magazine.com/news/bot-warning-retailers-busy/

Excerpt: “Retailers can expect a surge in bot-driven account takeovers (ATOs), DDoS attacks, card fraud and more as they prepare for the busiest shopping period of the year, a new report has warned. Imperva’s State of Security Within eCommerce 2022 report was compiled from data based on the vendor’s engagements with clients in the sector. It found that 40% of traffic on retailers’ websites over the past 12 months came from bots – automated software that’s often malicious in intent. Automated threats caused 62% of security incidents in the period. Bot-related attacks on retail sites surged 10% in October and another 34% in November 2021, suggesting that bot operators will again increase their activity around the peak shopping period this year. This includes ATO attacks, 64% of which were linked to bad bots last year, using techniques such as credential stuffing, where previously breached passwords and usernames are tried against different accounts across the web. Another popular tactic is using bots to buy up in-demand inventory and then selling it on at a profit. DDoS attacks are a perennial threat for retailers, who could lose millions during busy shopping periods if their websites and apps are taken offline. Imperva revealed that the number of attacks greater than 100 Gbps doubled year-on-year in 2021, and attacks larger than 500 Gbps increased by 287%. It added that organizations targeted by an attack are often hit again within 24 hours – 55% of sites targeted by an application-layer DDoS and 80% by a network-layer DDoS were attacked multiple times.”

Title: Snack giant settles with insurer over $100 million claim tied to 2017 NotPetya attacks

Date Published: November 2, 2022

https://www.scmagazine.com/analysis/policy/snack-giant-settles-with-insurer-over-100-million-claim-tied-to-2017-notpetya-attacks

Excerpt: “Mondelez International and Zurich American Insurance settled a multi-year legal battle over the snack giant’s $100 million claim regarding losses from the NotPetya cyberattack in 2017. The closely watched lawsuit has fueled an ongoing discussion over who should pay when businesses are hit by state-sponsored cyberattacks. It could have broader implications for policymakers, highlighting the urgent need for them to devise practical, long-term solutions to address increasing cyber threats blamed on nation-state actors. Mondelez, owner of Oreo cookies, Triscuit crackers, and dozens of other snack food brands, did not respond to SC Media’s request for comment on the settlement. A spokesperson from Zurich American told SC Media that “the parties have mutually resolved the matter.” Mondelez was one of the hundreds of victims hit by NotPetya, one of the largest cyberattacks in history that cost up to $10 billion worldwide and was later attributed to the Russian government. According to court documents filed by Mondelez and obtained by The Register, the malware affected more than 1,700 servers and 24,000 laptops, which led to over $100 million in financial losses. During the time, Mondelez’s insurance contract stated that it covered “all risks of physical loss or damage,” including “physical loss or damage to electronic data, programs, or software” as well as “loss or damage caused by the malicious introduction of machine code or instruction.” But the insurer, Zurich Insurance, initially refused to cover the cost by citing a clause in the contracts — “war exclusion,” a provision that protects insurers from paying costs related to damage from war or warlike actions. The disagreement between the two parties led to a legal fight and eventually a settlement last week.”

Title: Critical Vulnerability in Microsoft Azure Cosmos DB Opens Up Jupyter Notebooks

Date Published: November 2, 2022

https://www.darkreading.com/application-security/critical-vulnerability-found-and-fixed-in-azure-cosmos-db-

Excerpt: “The now-patched RCE flaw in Cosmos DB’s Jupyter Notebook feature highlights some of the weaknesses that can arise from emerging tech in the cloud-native and machine learning worlds. Researchers with the Microsoft Security Response Center (MSRC) and Orca Security drew the covers back this week on a critical vulnerability in Microsoft Azure Cosmos DB that impacts its Cosmos DB Jupyter Notebooks feature. The remote code execution (RCE) bug provides a portrait into how weaknesses in the authentication architecture of cloud-native and machine learning-friendly environments could be used by attackers. Dubbed CosMiss by Orca’s research team, the vulnerability boils down to a misconfiguration in how authorization headers are handled, which let unauthenticated users gain read and write access to Azure Cosmos DB Notebooks, and inject and overwrite code. “In short, if an attacker had knowledge of a Notebook’s ‘forwardingId’, which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook, including read and write access, and the ability to modify the file system of the container running the notebook,” wrote Lidor Ben Shitrit and Roee Sagi of Orca in a technical run-down of the vulnerability. “By modifying the container file system — aka dedicated workspace for temporary notebook hosting — we were able to obtain RCE in the notebook container.” A distributed NoSQL database, Azure Cosmos DB is designed for supporting scalable, high-performance apps with high availability and low latency. Among its uses are for IoT device telemetry and analytics; real-time retail services to run things like product catalogs and AI-driven personalized recommendations; and globally distributed applications such as streaming services, pick-up and delivery services, and the like.”

Title: New clipboard hijacker replaces crypto wallet addresses with lookalikes

Date Published: November 3, 2022

https://www.bleepingcomputer.com/news/security/new-clipboard-hijacker-replaces-crypto-wallet-addresses-with-lookalikes/

Excerpt: “A new clipboard stealer called Laplas Clipper spotted in the wild is using cryptocurrency wallet addresses that look like the address of the victim’s intended recipient. Laplas is different from other malware of the same kind, which are typically just add-ons of info-stealing malware. The new clipper is a feature-rich tool that gives hackers more granular control and better insight into the efficiency of their operations. The tool is provided under a subscription model, the most expensive tier being $549 for a year’s access to the web-based panel that allows operators to monitor and control their attacks. In about a week, the number of Laplas Clipper samples spotted in the wild grew from less than 20 a day to 55 at the end of last month, security researchers at Cyble note in a report. Currently, Laplas is distributed through the Smoke Loader and the Raccoon Stealer 2.0, showing that it has attracted the attention of the cybercrime community.”

Title: Businesses want technologies that allow for passwordless workflows

Date Published: November 3, 2022

https://www.helpnetsecurity.com/2022/11/03/passwordless-technology-benefits/

Excerpt: “Bitwarden announced the results of its 2023 Password Decisions Survey, which polled 800 IT decision makers across a wide range of industries, showing that passwordless technology is here to stay, with businesses enthusiastic about its perceived security benefits and improved user experience (UX). According to the survey, roughly half of respondents deploy or have plans to deploy passwordless technology. Of that percentage, 66% have 1-2 user groups or multiple teams using passwordless technology and 13% have deployed to their entire organization. Businesses are confronting numerous post-pandemic security challenges: increased employee turnover, a hybrid workforce relying on multiple devices in many different locations, and a seemingly unending threat from cyber-criminals. In light of these challenges, 79% of IT decision makers want employees to use the same enterprise-wide password manager. 60% cite security as the most important attribute of a good password manager, followed by the integration of 2FA (56%) and ease-of-use (40%). With hybrid and remote work here to stay for many employees, the lines between security habits at work and at home have blurred. 71% of employees are ‘very likely’ to use a password manager with a complementary family account to give their family added security at home, if this was offered by their company.”

Title: Fortinet fixed 16 vulnerabilities, 6 rated as high severity

Date Published: November 3, 2022

https://securityaffairs.co/wordpress/138021/security/fortinet-nov-2022-flaws.html

Excerpt: “Fortinet addressed 16 vulnerabilities in some of the company’s products, six flaws received a ‘high’ severity rate. One of the high-severity issues is a persistent XSS, tracked as CVE-2022-38374, in Log pages of FortiADC. The root cause of the issue is an improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC. A remote, unauthenticated attacker can trigger the flaw to perform a stored cross-site scripting (XSS) attack via HTTP fields observed in the traffic and event logviews. Another issue addressed by the company is a command injection in CLI command, tracked as CVE-2022-33870, of FortiTester. “An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.” reads the advisory. Another issue, tracked as CVE-2022-26119, impacts FortiSIEM, the issue is described as “Glassfish local credentials stored in plain text.” A local attacker with command-line access can exploit the bug to perform operations on the Glassfish server directly via a hardcoded password.”

Title: More State-Sponsored OT Hacking To Come, Says ENISA

Date Published: November 3, 2022

https://www.databreachtoday.com/more-state-sponsored-ot-hacking-to-come-says-enisa-a-20398

Excerpt: “State-backed hacking groups will turn more attention onto operational technology as geopolitics influences the cyberthreat landscape, the European Union Agency for Cybersecurity says in a Thursday report. “Today’s global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens,” ENISA Executive Director Juhan Lepassaar said. The report analyzes cyber incidents during the second half of 2021 and first half of 2022 and makes some predictions about the near future. Evidence cited by the agency of growing state-sponsored interest in OT hacking includes the April detection of malware dubbed Industroyer2 by cybersecurity firm Eset and used in an attempt to infect high-voltage electrical substations in Ukraine. That month also saw the public exposure of attack tools dubbed Incontroller. Analysis by Mandiant and Schneider Electric determined that Incontroller “is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction” of machine automation devices. By ENISA’s count, Industroyer2 and Incontroller are the fifth and sixth known examples of industrial control system-specific malware.”
