November 30, 2022

Fortify Security Team

Title: China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines
Date Published: November 30, 2022

Excerpt: “An alleged China-linked cyberespionage group, tracked as UNC4191, used USB devices in attacks aimed at Philippines entities. Mandiant researchers spotted an alleged China-linked cyberespionage group, tracked as UNC4191, leveraging USB devices as attack vectors in campaigns aimed at Philippines entities. This campaign’s activity dates as far back as September 2021 and targeted public and private sector entities primarily in Southeast Asia, along with organizations in the U.S., Europe, and APJ. “UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines,” reads the analysis published by Mandiant.”

Title: Trigona Ransomware Spotted in Increasing Attacks Worldwide
Date Published: November 29, 2022

Excerpt: “A previously unnamed ransomware has rebranded under the name ‘Trigona,’ launching a new Tor negotiation site where they accept Monero as ransom payments. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name. As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves ‘Trigona.’ As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume. BleepingComputer is aware of numerous victims of the new ransomware operation, including a real estate company and what appears to be a village in Germany.”

Title: Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw
Date Published: November 29, 2022

Excerpt: “The vulnerability, disclosed in October, gives an unauthenticated attacker a way to take control of an affected product. Fortinet customers that have not yet patched a critical authentication bypass vulnerability that the vendor disclosed in October in multiple versions of its FortiOS, FortiProxy, and FortiSwitch Manager technologies now have an additional reason to do so quickly. At least one threat actor, operating on a Russian Dark Web forum, has begun selling access to multiple networks compromised via the vulnerability (CVE-2022-40684), and more could follow suit soon. Researchers from Cyble who spotted the threat activity described the victim organizations as likely using unpatched and outdated versions of FortiOS. Dhanalakshmi PK, senior director of malware and research intelligence at Cyble, says the company’s available intelligence indicates the threat actor might have access to five major organizations via the vulnerability. Cyble’s analysis showed the attacker attempting to add their own public key to the admin user’s account on the compromised systems.”

Title: Who’s Swimming in South Korean Waters? Meet Scarcruft’s Dolphin
Date Published: November 30, 2022

Excerpt: “ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In line with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C&C communication. During our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade detection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes. In this blogpost, we provide a technical analysis of the Dolphin backdoor and explain its connection to previously documented ScarCruft activity. We will present our findings about this new addition to ScarCruft’s toolset at the AVAR 2022 conference.”

Title: New “Icefall” Bugs Include Critical DoS Flaw
Date Published: November 30, 2022

Excerpt: “Researchers at Forescout have released details of more OT product vulnerabilities that they say stem from an “insecure-by-design” approach to manufacturing. The bugs, which include a critical denial of service (DoS) CVE, are found in products from German vendors Codesys and Festo. CVE-2022-4048 is a logic manipulation bug in the Codesys V3 automation software for engineering control systems. Forescout said Codesys is running on several million devices and around 1000 models from over 500 manufacturers. The vulnerability stems from weak cryptography, namely:

  • Session keys are generated using an insecure pseudo-random number generator (PRNG) working off a small and predictable seed
  • The encryption scheme uses an insecure mode of operation – compromising confidentiality and integrity regardless of session key strength

The second vulnerability, CVE-2022-3079, is a denial-of-service bug which affects Festo CPX-CEC-C1 and CPX-CMXX Codesys V2 controllers. It enables unauthenticated, remote access to critical webpage functions, which may cause DoS. While these first two flaws were given a CVSS rating of 7.7 and 7.5 respectively, the final one, impacting Festo controllers using the FGMC protocol, is rated critical with a CVSS of 9.8. CVE-2022-3270 was categorized by Forescout as stemming from an insecure engineering protocol, potentially leading to DoS. The Festo Generic Multicast (FGMC) protocol allows for the unauthenticated reboot of controllers over the network, meaning attackers can tamper with devices, including controllers, once they’ve gained remote access via the network.”
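The two bullets in the Icefall item name weakness classes, not the Codesys implementation details, which the excerpt does not give. The toy below is an added example (not Forescout’s, Codesys’s, or the quoted article’s code) that shows why each class matters on its own: a session key derived from a PRNG seeded with a small value is recovered by enumerating the seed space, and an unauthenticated stream-style mode lets an attacker change plaintext bits without the key. Everything in it is constructed for illustration: the SHA-256 counter-mode cipher, the 16-bit seed space, and the “CODESYS-CMD” message are assumptions, not Codesys V3’s actual protocol. The fix shown (an OS CSPRNG key plus encrypt-then-MAC) is the generic remedy, not the vendor’s patch.

```python
"""Toy model of two Icefall weakness classes: small-seed PRNG session keys and an
unauthenticated encryption mode. Constructed for illustration; NOT Codesys V3."""
import hashlib
import hmac
import random
import secrets
from typing import Dict, Optional

SEED_BITS = 16   # assumption: the "small and predictable seed" fits in 16 bits
KEY_LEN = 16


def weak_session_key(seed: int) -> bytes:
    # Mersenne Twister seeded with a small integer: only 2**SEED_BITS keys exist.
    return random.Random(seed).getrandbits(KEY_LEN * 8).to_bytes(KEY_LEN, "big")


def strong_session_key() -> bytes:
    # OS CSPRNG: 128 bits of entropy, nothing for an attacker to enumerate.
    return secrets.token_bytes(KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter mode: block_i = SHA-256(key || nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stream XOR: same call encrypts and decrypts; the output carries no integrity check.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def recover_seed(nonce: bytes, ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    # Attacker side: protocol headers are predictable, so try every seed and keep
    # the one whose derived key decrypts the header to the expected bytes.
    for seed in range(1 << SEED_BITS):
        if xor_encrypt(weak_session_key(seed), nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return seed
    return None


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Malleability: XOR-ing (old ^ new) into the ciphertext rewrites the plaintext
    # at that offset without any knowledge of the key.
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so any edit is detected.
    ct = xor_encrypt(key, nonce, data)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # reject before decrypting anything
    return xor_encrypt(key, nonce, ct)


def demo() -> Dict[str, object]:
    # Constructed sample: a controller command with a predictable header.
    nonce = b"\x00" * 8
    message = b"CODESYS-CMD|SET_OUTPUT=0"
    field_offset = len(b"CODESYS-CMD|SET_OUTPUT=")
    seed = 0xBEEF                       # whatever the weak PRNG happened to use
    ct = xor_encrypt(weak_session_key(seed), nonce, message)

    # Weakness 1: the attacker recovers the seed (and thus the key) offline.
    found = recover_seed(nonce, ct, b"CODESYS-CMD|")
    # Weakness 2: even without the key, a bit flip turns SET_OUTPUT=0 into =1.
    forged_plain = xor_encrypt(weak_session_key(seed), nonce, tamper(ct, field_offset, b"0", b"1"))

    # Remedy: CSPRNG key plus an authentication tag; the same tamper is rejected.
    key, mac_key = strong_session_key(), strong_session_key()
    sealed = seal(key, mac_key, nonce, message)
    return {
        "recovered_seed": found,
        "forged_plaintext": forged_plain,
        "sealed_ok": open_sealed(key, mac_key, nonce, sealed) == message,
        "forged_rejected": open_sealed(key, mac_key, nonce, tamper(sealed, field_offset, b"0", b"1")) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The seed search runs in well under a second for a 16-bit space, which is the point: once the seed space is enumerable, the strength of the cipher keyed from it is irrelevant. The malleability part needs no key at all, which is why the second bullet says confidentiality and integrity fall “regardless of session key strength”.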

Title: Server Remains Down; India’s Premier Healthcare Turns to Paper
Date Published: November 29, 2022

Excerpt: “India’s flagship combined public medical university and hospital continues to grapple with the fallout of a cyber incident it underwent last Wednesday. Patient care services remain affected as of Tuesday as physicians and staff use manual processes in place of disabled electronic systems. The New Delhi branch of the All India Institute of Medical Sciences said it successfully restored data held in hospital management information system eHospital. The network is being sanitized before the services can resume, the hospital said in a Tuesday update. “All hospital services, including outpatient, in-patient, laboratories, etc continue to run on manual mode,” the institute said. AIIMS is the national capital’s largest referral hospital, serving 1.5 million outpatients and 80,000 inpatients annually. It has treated the country’s prime minister, president and other national figures. The attack came just weeks before the hospital’s planned transition in January to paper-free processes. Multiple media outlets have reported that an unknown hacker has demanded 2 billion rupees worth of cryptocurrency as ransom. Delhi Police officials say otherwise, stating in a tweet that “No such information brought to notice by AIIMS authorities.” Law enforcement is investigating the incident.”

Title: Crafty Threat Actor Uses ‘Aged’ Domains to Evade Security Platforms
Date Published: November 30, 2022

Excerpt: “A sophisticated threat actor named ‘CashRewindo’ has been using ‘aged’ domains in global malvertising campaigns that lead to investment scam sites. Malvertising involves the injection of malicious JavaScript code in digital ads promoted by legitimate advertising networks, taking website visitors to pages that host phishing forms, drop malware, or operate scams. The CashRewindo malvertising campaigns are spread across Europe, North and South America, Asia, and Africa, using customized language and currency to appear legitimate to the local audience. Analysts at Confiant have been tracking ‘CashRewindo’ since 2018 and report the threat actor stands out for an unusually crafty approach in setting up malicious advertising operations with great attention to detail. Domain aging is when threat actors register domains and wait years to use them, hoping to bypass security platforms. This technique works as old domains that have not been involved in malicious activity for a long time earn trust on the Internet, making them unlikely to be flagged by security tools as suspicious.”

Title: Threat Actors Are Offering Access to Corporate Networks via Unauthorized Fortinet VPN Access
Date Published: November 29, 2022

Excerpt: “Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products. Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products. In early October, Fortinet addressed the critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies. The company explained that an attacker can exploit the vulnerability to log into vulnerable devices. “An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the customer support bulletin issued by the company. The company urged customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.”
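Both Fortinet items above describe the same post-exploitation step: an attacker who bypasses authentication on the administrative interface adds their own SSH public key to an admin account. The check below is an added example, not code from Cyble, Fortinet or the quoted articles: it parses a FortiOS configuration backup and flags admin accounts whose SSH keys are not on an allow-list. It assumes the `config system admin` / `edit "<name>"` / `set ssh-public-key1..3` layout of FortiOS CLI backups; the configuration text and the key material are constructed for the example.

```python
"""Flag SSH public keys on FortiOS admin accounts that are not on an allow-list.
Added example; the sample configuration below is constructed, not from a real device."""
import re
from typing import Dict, Iterable, List

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleApprovedKey0001 ops@jumphost"
        set ssh-public-key2 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleUnknownKey9999 admin@jumphost"
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

# Keys the organisation actually issued (constructed for the example).
APPROVED_KEYS = {
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleApprovedKey0001 ops@jumphost",
}


def parse_admin_ssh_keys(config_text: str) -> Dict[str, List[str]]:
    """Return {admin_name: [ssh public keys]} from the 'config system admin' block."""
    keys: Dict[str, List[str]] = {}
    stack: List[str] = []          # nested 'config ... end' blocks
    current_admin = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            # Only leaving the admin block itself ends the current entry;
            # nested blocks inside an edit must not reset it.
            if stack and stack.pop() == "system admin":
                current_admin = None
        elif stack and stack[-1] == "system admin":
            m = re.match(r'edit "([^"]+)"', line)
            if m:
                current_admin = m.group(1)
                keys.setdefault(current_admin, [])
            elif line == "next":
                current_admin = None
            elif current_admin is not None:
                m = re.match(r'set ssh-public-key[123] "([^"]+)"', line)
                if m:
                    keys[current_admin].append(m.group(1))
    return keys


def key_identity(pubkey: str) -> str:
    # Compare on key type + base64 blob only: the trailing comment is free text,
    # and an attacker can name their key "admin@jumphost" to blend in.
    parts = pubkey.split()
    return " ".join(parts[:2])


def find_unapproved_keys(config_text: str, approved: Iterable[str]) -> Dict[str, List[str]]:
    """Return {admin_name: [unapproved keys]} for accounts carrying unknown keys."""
    approved_ids = {key_identity(k) for k in approved}
    findings: Dict[str, List[str]] = {}
    for admin, keys in parse_admin_ssh_keys(config_text).items():
        bad = [k for k in keys if key_identity(k) not in approved_ids]
        if bad:
            findings[admin] = bad
    return findings


if __name__ == "__main__":
    for admin, bad in find_unapproved_keys(SAMPLE_CONFIG, APPROVED_KEYS).items():
        for k in bad:
            print(f"UNAPPROVED SSH KEY on admin '{admin}': {k}")
```

Run it against a configuration backup taken after patching; an unexpected key on a local admin is a sign the device was already accessed before the upgrade, and patching alone does not remove it. Rotate the admin credentials and remove the key as part of the same change.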

Title: Cybercriminals Look To Exploit Sports Fans With World Cup-Themed Attacks
Date Published: November 29, 2022

Excerpt: “As the sports world’s attention turns its eyes to Qatar for the 2022 FIFA World Cup, threat actors are looking to cash in or draw attention to their cause with attacks aimed at drawing unsuspecting fans who may be more distracted with rooting for their favored teams than cybersecurity. “The cybercriminals are motivated by financial gain, ideology, or geo-political affiliations,” according to a new report by contextual artificial intelligence firm CloudSEK, which looks at the various threats aimed at fans and organizations with World Cup-themed attacks and tactics. As noted in the report, previous sporting events such as the World Cup and the Winter Olympics in 2018 were subject to 25 million and 12 million cyberattacks per day, respectively. Financially motivated cybercriminals have resorted to selling fake Hayya cards (FIFA entry permits), match tickets, and even leveraging stolen credit cards to arrange travel and lodging for the game. The CloudSEK report noted that several Telegram channels offer fake Hayya cards requiring valid identification from buyers and only accept Bitcoin as payment.”

Title: PII May Have Been Stolen in Virginia County Ransomware Attack
Date Published: November 29, 2022

Excerpt: “Southampton County in Virginia, US, recently warned individuals that their personally identifiable information (PII) might have been stolen in a ransomware attack. According to a letter sample published last week, a cyber-criminal accessed a single server at Southampton and encrypted it on September 06, 2022. “Upon discovering the incident, our IT team promptly took the appropriate steps to contain the incident,” said the County. “To ensure the safety of our community’s systems, we also engaged with leading outside security experts to conduct a thorough review of our environment.” The County added that it notified the FBI Cyber Crimes Division, the Virginia State Police and the Virginia Fusion Center and is supporting law enforcement in their efforts to bring the criminals to justice. “We were able to recover from this matter and successfully prevent this incident from impacting any of our critical operations. However, thereafter the cyber criminal claimed that they took sensitive data from the server,” reads the letter. In particular, a W-2 form had been published on a dark web forum with the criminal claiming that they obtained sensitive data from the encrypted Southampton server, including archived County information.”
