November 4, 2022

Fortify Security Team

Title: LockBit Ransomware Gang Claims the Hack of Continental Automotive Group
Date Published: November 3, 2022

https://securityaffairs.co/wordpress/138062/cyber-crime/lockbit-gang-claims-continental-hack.html

Excerpt: “The LockBit ransomware group claimed to have hacked the multinational automotive group Continental and threatened to leak stolen data. LockBit ransomware gang announced to have hacked the German multinational automotive parts manufacturing company Continental. The group added the name of the company to its Tor leak site and is threatening to publish alleged stolen data if the victim does not pay the ransom. The cybercriminals have fixed the deadline on November 4, 2022, at 15:45:36 UTC. At this time the group announced that it will publish all available data, a circumstance that suggests the victim has yet to negotiate with the criminals or it has refused to pay the ransom. At this time, it is not clear if the LockBit 3.0 ransomware group is responsible for the attack that Continental disclosed on August 24, 2022.”

Title: New Crimson Kingsnake Gang Impersonates Law Firms in BEC Attacks
Date Published: November 3, 2022

https://www.bleepingcomputer.com/news/security/new-crimson-kingsnake-gang-impersonates-law-firms-in-bec-attacks/

Excerpt: “A business email compromise (BEC) group named ‘Crimson Kingsnake’ has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments. The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago. This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams. Analysts at Abnormal Security, who first discovered Crimson Kingsnake activity in March 2022, report having identified 92 domains linked to the threat actor, all similar to genuine law firm sites. This typosquatting approach enables the BEC actors to send out emails to victims via an address that appears authentic at first glance. The emails contain the logos and letterheads of the impersonated entities and are crafted professionally, featuring punctual writing.”

Title: Phishers Abuse Microsoft Voicemail Service to Trick Users
Date Published: November 4, 2022

https://www.infosecurity-magazine.com/news/phishers-abuse-microsoft-voicemail/

Excerpt: “Security researchers are warning of a new phishing campaign that abuses Microsoft Dynamics 365 Customer Voice to trick recipients into handing over their credentials. Dynamics 365 Customer Voice is a “feedback management” tool from Microsoft designed to make it easier for companies to collect, analyze and track in real time customers’ perception of their products and services. One feature allows customers to interact and leave feedback via the phone. However, threat actors are spoofing voicemail notifications to link to credential harvesting pages, according to Avanan. Emails arrive in the victim’s inbox sent from the survey feature in Dynamics 365, claiming the user has received a voicemail. “This is a legitimate Customer Voice link from Microsoft. Because the link is legit, scanners will think that this email is legitimate. However, when clicking upon the ‘Play Voicemail’ button, hackers have more tricks up their sleeves,” the security vendor explained. “Once you click on the voicemail link, you are redirected to a look-alike Microsoft login page. This is where the threat actors steal your username and password. The URL is different from a typical Microsoft landing page.” This campaign is the latest in a long line leveraging what Avanan describes as the “static expressway” – the practice of hackers abusing legitimate sites that are on the static allow-lists used by security tools – in order to direct malicious content towards users.”

Title: Australia Sees Rise in Cybercrimes on Back of ‘Destructive’ Ransomware, State Actors
Date Published: November 4, 2022

https://www.zdnet.com/article/australia-sees-rise-in-cybercrimes-on-back-of-destructive-ransomware-state-actors/

Excerpt: “Australia clocked one cybercrime report every 7 minutes in the past year, with ransomware proving to be the “most destructive” threat. State actors also remain a persistent threat for agencies such as the Australian Bureau of Statistics, whose personal information on the local population makes it an attractive target. The country saw an almost 13% increase in the number of reported cybercrime cases to more than 76,000 last year, according to the Annual Cyber Threat Report 2021-2022 released by the Australian Cyber Security Centre (ACSC). This meant there was one reported case every 7 minutes, up from every 8 minutes in the last financial year, the government agency said. Its annual report contains insights from the Australian Federal Police, Australian Criminal Intelligence Commission, Australian Security Intelligence Organisation, Defence Intelligence Organisation, and Department of Home Affairs. ACSC pointed to ransomware, in particular, as the most damaging, with all sectors in the local economy directly impacted by such attacks last year, where 447 ransomware cases were reported. This figure was a 10% drop from the previous year, but the report surmised that ransomware remained significantly underreported, especially amongst victims who opt to pay a ransom.”

Title: DDoS Cyberscore: US Treasury: 1, Killnet: 0
Date Published: November 3, 2022

https://www.darkreading.com/attacks-breaches/us-treasury-1-killnet-0

Excerpt: “US Treasury Department officials revealed for the first time on Tuesday that the agency was able to disrupt a distributed denial of service attack from Russian-sponsored cyberattack group Killnet last month. At a financial services cybersecurity conference, Todd Conklin, cybersecurity counselor to Deputy Secretary Wally Adeyemo, described the attack as “pretty low-level DDoS activity targeting Treasury’s critical infrastructure nodes,” Reuters reported. The newly confirmed cyberattack on Treasury adds to the list of reported Killnet breaches during October including JPMorgan Chase, US state government systems, and several airports. Conklin attributed the department’s success to the effectiveness of its new focus on cybersecurity.”

Title: RomCom RAT Malware Campaign Impersonates KeePass, SolarWinds NPM, Veeam
Date Published: November 3, 2022

https://www.bleepingcomputer.com/news/security/romcom-rat-malware-campaign-impersonates-keepass-solarwinds-npm-veeam/

Excerpt: “The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs. In addition, Unit 42 discovered that the threat actors created a site that impersonates the Veeam Backup and Recovery software. Besides copying the HTML code to reproduce the genuine sites, the hackers also registered typo-squat ‘lookalike’ domains to further add authenticity to the malicious site. BlackBerry previously detected the RomCom malware used in attacks against military institutions in Ukraine.”
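Both the Crimson Kingsnake BEC item above and this RomCom item turn on typosquat "lookalike" domains: labels that read like a known brand once a digit is swapped for a letter, a suffix such as -download is bolted on, or one character is dropped. The following is an added example, not code from BlackBerry, Unit 42, Abnormal Security or the articles, of how a defender can score new domains (from passive DNS, certificate transparency, mail logs) against a brand watch-list. The allow-listed domains ending in .example and every candidate domain are constructed for the example; the real sites of the brands named in the article are not used, and the registrable-label logic is deliberately naive (it takes the second-to-last label, so multi-part public suffixes such as .co.uk need a public-suffix library in production).

```python
import re

# Constructed allow-list of the brands' own registrable domains. In practice
# this is your organisation's list of legitimate vendor/partner domains.
KNOWN_GOOD = {"keepass.example", "solarwinds.example", "veeam.example"}

# Character substitutions attackers use that survive a quick glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def registrable_label(host: str) -> str:
    """Second-level label of a host name (naive: ignores multi-part suffixes)."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold confusable characters and drop hyphens/digits before comparing."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than depend on a package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


BRANDS = {registrable_label(d) for d in KNOWN_GOOD}


def lookalike(domain: str, max_dist: int = 1):
    """Return (brand, reason) if `domain` impersonates a watched brand, else None.

    Checks, in order: allow-list (including subdomains of allow-listed hosts),
    normalized label equal to a brand (digit/confusable swaps, other TLD),
    brand embedded in a longer label (keepass-download), and edit distance.
    """
    host = domain.lower().strip(".")
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return None
    norm = normalize(registrable_label(host))
    for brand in sorted(BRANDS):
        if norm == brand:
            return brand, "normalized-label-match"
        if brand in norm and len(norm) > len(brand):
            return brand, "brand-embedded"
        if levenshtein(norm, brand) <= max_dist:
            return brand, "edit-distance"
    return None


# Constructed candidates, as they might arrive from a CT-log or passive-DNS feed.
CANDIDATES = ["keepass-download.example", "s0larwinds.example", "veearn.example",
              "veem.example", "keepass.example", "downloads.keepass.example",
              "github.example"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:32} -> {lookalike(c)}")
```

The three reasons are ordered from strongest to weakest signal; an edit-distance hit on a short brand label produces more false positives than a confusable swap, so in a pipeline it should go to review rather than straight to a block list.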

Title: World’s Most Expensive Observatory Floored by Cyber-Attack
Date Published: November 4, 2022

https://www.infosecurity-magazine.com/news/worlds-most-expensive-observatory/

Excerpt: “The world-famous Atacama Large Millimeter Array (ALMA) observatory in Chile has become the latest unlikely victim of a cyber-attack, forcing it offline. The facility, which also claims to house the world’s most powerful telescope for observing molecular gas and dust, revealed the incident on Twitter earlier this week. It said the attack on its computer systems came last Saturday, “forcing the suspension of astronomical observations and the public website.” At the time of writing, the official ALMA website was still down. “There are limited email services at the observatory. The threat has been contained, and our specialists are working hard to restore affected systems. The attack did not compromise the ALMA antennas or any scientific data,” it explained. “Given the nature of the episode, it is not yet possible to estimate a date for a return to regular activities. We are thankful for the support across the ALMA partnership and apologize for any inconveniences resulting from the recovery efforts.” Kelvin Murray, senior threat researcher at OpenText Security Solutions, argued that space-related technology is increasingly a focus for threat actors.”

Title: Outmaneuvering Cybercriminals by Recognizing Mobile Phishing Threats’ Telltale Markers
Date Published: November 4, 2022

https://www.helpnetsecurity.com/2022/11/04/smartphones-phishing-attacks/

Excerpt: “Preventative medicine has long been recognized as a vital approach in safeguarding our physical health. We take a variety of tests and assessments so that doctors can uncover key biological markers that may indicate the potential development of certain diseases or illnesses as early as possible. Cybercrime in the digital world has distinguishing features, too, and we can react to cyberattacks by neutralizing the source. As phishing attacks soar in frequency and sophistication and are delivered by an entirely new breed of cybercriminals, it’s time we utilize the latest technology to anticipate threats before they advance. Smartphones have become increasingly targeted by hacking attempts – especially since the pandemic, with total phishing attacks in the second quarter of 2022 rising to over 1 million. This makes sense: Smartphones are our main connection to our digital endpoints – social media, email, apps, SMS, etc. – and the sophistication of today’s phishing criminals means that even the most switched on and savvy users can fall prey to attacks. This has resulted in cybercrime becoming big business and a huge drain on public money. Making even a small dent in this will be a huge win for both businesses and consumers.”

Title: Cisco Addressed Several High-Severity Flaws in Its Products
Date Published: November 4, 2022

https://securityaffairs.co/wordpress/138068/security/cisco-addressed-multiple-flaws.html

Excerpt: “Cisco addressed multiple flaws impacting its products, including high-severity issues in identity, email, and web security solutions. Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products. The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device. “A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.” reads the advisory. “This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the target user.” Cisco also addressed an Insufficient Access Control vulnerability, tracked as CVE-2022-20956 (CVSS score of 7.1), in its ISE product. The flaw is caused by improper access control in the web-based management interface and an attacker can trigger it by sending specially-crafted HTTP requests to affected devices.”
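The advisory text above describes the classic CSRF pattern: a state-changing request to the management interface is accepted because the browser attaches the session cookie automatically, so a crafted link or page the administrator visits can issue that request with the administrator's privileges. The following is an added example, not Cisco's code or anything from the ISE advisory, that models a hypothetical "add user" endpoint in framework-free Python: a vulnerable handler that trusts the cookie alone beside a hardened one that also demands a per-session anti-CSRF token and a same-site Origin/Referer. The Request and Session types, the management host name and the endpoint are all assumed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://ise.example.internal"   # assumed management host


@dataclass
class Session:
    user: str
    # Per-session secret token; pages rendered by the interface embed it in
    # forms, so a page on another site can never read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookie_session: Optional[Session]   # session the browser's cookie resolves to
    form: dict
    headers: dict


def add_user_vulnerable(req: Request) -> str:
    """Insufficient CSRF protection: the session cookie is the only check."""
    if req.method != "POST" or req.cookie_session is None:
        return "401 not authenticated"
    return f"200 created user {req.form['username']} as {req.cookie_session.user}"


def _same_site(headers: dict) -> bool:
    """Exact scheme+host comparison; prefix matching would let
    https://ise.example.internal.evil.test through."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False          # refuse state changes when neither header is present
    got, want = urlsplit(src), urlsplit(ALLOWED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def add_user_hardened(req: Request) -> str:
    """Cookie + same-site origin + constant-time token comparison."""
    if req.method != "POST" or req.cookie_session is None:
        return "401 not authenticated"
    if not _same_site(req.headers):
        return "403 cross-site origin"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.cookie_session.csrf_token):
        return "403 missing or invalid CSRF token"
    return f"200 created user {req.form['username']} as {req.cookie_session.user}"


def forged_request(victim: Session) -> Request:
    """What a page at evil.test can make the victim's browser send: the cookie
    rides along automatically, but the attacker never learns the token."""
    return Request("POST", victim, {"username": "backdoor", "password": "x"},
                   {"Origin": "https://evil.test"})


def legitimate_request(victim: Session) -> Request:
    return Request("POST", victim,
                   {"username": "alice2", "password": "x", "csrf_token": victim.csrf_token},
                   {"Origin": ALLOWED_ORIGIN})


if __name__ == "__main__":
    admin = Session("admin")
    print("vulnerable, forged   :", add_user_vulnerable(forged_request(admin)))
    print("hardened,   forged   :", add_user_hardened(forged_request(admin)))
    print("hardened,   legit    :", add_user_hardened(legitimate_request(admin)))
```

The Origin check alone is not enough (older clients and some proxies strip it, and a missing header must then fail closed, as here), and the token alone is defeated if it is ever leaked through a cross-origin-readable endpoint; using both, plus SameSite=Strict on the session cookie, is the usual layered answer.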

Title: UK NCSC Says Friendly Spooks Scanning British Internet
Date Published: November 3, 2022

https://www.databreachtoday.com/uk-ncsc-says-friendly-spooks-scanning-british-internet-a-20405

Excerpt: “U.K. intelligence officials say a new project that is scanning the British internet for vulnerable systems is part of an effort to boost national levels of cybersecurity. The National Cyber Security Centre – a public-facing component of signals intelligence agency Government Communications Headquarters – disclosed the scanning project in a Tuesday blog post. “We’re not trying to find vulnerabilities in the U.K. for some other, nefarious purpose. We’re beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we’re doing,” wrote Ian Levy, NCSC technical director. The project will scan networked systems throughout the United Kingdom at regular intervals to detect vulnerabilities. The idea is to collect data to quantify risk exposure and respond to shocks such as a widely exploited zero-day vulnerability. The NCSC says it will use cloud-hosted tools that connect to IP addresses assigned to scanner.scanning.service.ncsc.gov.uk. Specifically, 18.171.7.246 and 35.177.10.231. To address the privacy concerns, the NCSC says it will avoid collecting personal information. Data collected from the users will include HTTP response including headers from web servers. For other services, it will hold on to “data that is sent by the server immediately after a connection has been established or a valid protocol handshake.” Network administrators can opt-out by emailing their IP address to the agency, it says. Scanning the internet for vulnerabilities, of course, is hardly an original activity. Hackers and cybersecurity companies have silently been doing so for decades. In 2014, cybersecurity researcher Rob Graham unveiled a tool he dubbed masscan capable of scanning the entire internet within minutes.”
