November 7, 2022

Fortify Security Team

Title: LockBit 3.0 Gang Claims to Have Stolen Data From Kearney & Company

Date Published: November 6, 2022

https://securityaffairs.co/wordpress/138136/cyber-crime/lockbit-ransomware-kearney-company.html

Excerpt: “The ransomware group LockBit claimed to have stolen data from consulting and IT services provider Kearney & Company. Kearney is the premier CPA firm that services across the financial management spectrum to government entities. The company provides audit, consulting and IT services to the United States government. It has helped the Federal Government improve its financial operations’ overall effectiveness and efficiency. Kearney & Company was added to the list of victims of the Lockbit 3.0 group on November 05, the gang is threatening to publish stolen data by November 26, 2022, if the company will not pay the ransom. At this time, the ransomware gang has published a sample of the stolen data that includes financial documents, contracts, audit reports, billing documents and more. The ransomware gang is demanding the payment of $2M to destroy the stolen data and $10K to extend the timer for 24H.”

Title: Phishing-as-a-Service Platform Offers MFA Bypass for $1,500

Date Published: November 5, 2022

https://www.databreachtoday.com/phishing-as-a-service-platform-offers-mfa-bypass-for-1500-a-20421

Excerpt: “Phishing-as-a-Service platform Robin Banks is offering a cookie-stealing feature that cybercriminals can purchase as an add-on to the phishing kit in order to bypass multi-factor authentication in attacks. The complete full-access phishing kit is now available at $1,500 per month, according to researchers from IronNet Cybersecurity. Robin Banks is a popular cybercrime syndicate known for selling phishing kits and charging as little as $50 per month for a simple campaign. It sells ready-made phishing kits to cybercriminals aiming to gain access to the financial information of the customers of well-known banks and online services. The PhaaS provider sells phishing kits to cybercriminals specializing in social engineering scams, offering a “quick and easy” way for threat actors of all skill levels to perform network intrusions, IronNet researchers say. The crime syndicate was disrupted after IronNet’s July report about the group. “Cloudflare disassociated Robin Banks’ phishing infrastructure from its services, causing a multi-day disruption to operations,” IronNet researchers say. Robin Banks administrators then relocated its infrastructure to a notorious Russian provider and updated features of its phishing kits to be more evasive. Once they were blacklisted by Cloudflare, its operators opted for DDoS-Guard, a well-known Russian provider that hosts various phishing sites and content for cybercriminals.”

Title: FBI: Beware of Cyber-Threat from Russian Hacktivists

Date Published: November 7, 2022

https://www.infosecurity-magazine.com/news/fbi-cyberthreat-from-russian/

Excerpt: “The FBI has warned operators of critical national infrastructure (CNI) to ensure they have mitigations in place, as pro-Russia hacktivists continue to target them with DDoS attacks. A new Private Industry Notification published on Friday revealed that the Feds had noticed an uptick in such activity since the start of Russia’s war against Ukraine. However, it added that these attacks have had limited success thus far and that the biggest impact may be psychological. “Hacktivists provide tools and guidance on cyber-attack methodology and techniques to anyone willing to conduct an attack on behalf of their cause. DDoS attacks of public-facing websites, along with web page and social media profile defacement, are a preferred tactic for many operations,” it explained. “These attacks are generally opportunistic in nature and, with DDoS mitigation steps, have minimal operational impact on victims; however, hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service.” The notification added that many hacktivist groups seek to recycle previously leaked information in a bid to build a perception of higher technical ability than they have. However, by posting coverage of their efforts, they can also encourage copycat attacks, it warned.”

Title: Microsoft Sued for Open-Source Piracy Through Github Copilot

Date Published: November 5, 2022

https://www.bleepingcomputer.com/news/security/microsoft-sued-for-open-source-piracy-through-github-copilot/

Excerpt: “Programmer and lawyer Matthew Butterick has sued Microsoft, GitHub, and OpenAI, alleging that GitHub’s Copilot violates the terms of open-source licenses and infringes the rights of programmers. GitHub Copilot, released in June 2022, is an AI-based programming aid that uses OpenAI Codex to generate real-time source code and function recommendations in Visual Studio. The tool was trained with machine learning using billions of lines of code from public repositories and can transform natural language into code snippets across dozens of programming languages. While Copilot can speed up the process of writing code and ease software development, its use of public open-source code has caused experts to worry that it violates licensing attributions and limitations. Open-source licenses, like the GPL, Apache, and MIT licenses, require attribution of the author’s name and defining particular copyrights. However, Copilot is removing this component, and even when the snippets are longer than 150 characters and taken directly from the training set, no attribution is given. Some programmers have gone as far as to call this open-source laundering, and the legal implications of this approach were demonstrated after the launch of the AI tool. “It appears Microsoft is profiting from others’ work by disregarding the conditions of the underlying open-source licenses and other legal requirements,” comments Joseph Saveri, the law firm representing Butterick in the litigation. To make matters worse, people have reported cases of Copilot leaking secrets published on public repositories by mistake and thus included in the training set, like API keys.”

Title: Medibank Won’t Pay the Ransom for Data Stolen in Breach

Date Published: November 7, 2022

https://www.helpnetsecurity.com/2022/11/07/medibank-ransom/

Excerpt: “Australian health insurance provider Medibank has announced it won’t be paying the ransom to the criminal(s) who stole data of 9.7 million of its current and former customers. “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the criminal to directly extort our customers, and there is a strong chance that paying puts more people in harm’s way by making Australia a bigger target,” the company said. The fact that the criminal didn’t succeed in deploying ransomware on the company’s IT systems and encrypting the data after stealing it was surely a factor in Medibank’s decision to withhold the ransom. The attacker was able to access data of current and former Medibank, ahm, and international customers. More specifically:

  • Name, date of birth, address, phone number and email address for around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
  • Medicare numbers (but not expiry dates) for ahm customers
  • Passport numbers (but not expiry dates) and visa details for international student customers
  • Health claims data – service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered – for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers
  • Personal and health claims data of around 5,200 My Home Hospital (MHH) patients, and some contact details of around 2,900 next of kin of these patients
  • Health provider details, including names, provider numbers and addresses

The attacker did not compromise credit card and banking details, identity documents of Medibank and ahm resident customers, and health claims data for extras services.”

Title: Cyberattack at Boeing Disrupts Flight Planning

Date Published: November 4, 2022

https://www.databreachtoday.com/cyberattack-at-boeing-disrupts-flight-planning-a-20419

Excerpt: “A Boeing subsidiary that distributes airspace safety notices to pilots entered its second day of outages caused by a cybersecurity incident. Jeppesen, which provides electronic notice to air mission bulletins and applications for in-flight management tasks, is “currently experiencing technical issues with some of our products, services and communications channels,” as it states in a banner notice on its website. The technical issue is a cyber incident whose nature Boeing won’t disclose. Among the disruption’s impacts is receipt and processing of the notices. “At this time we have no reason to believe that this incident poses a threat to aircraft or flight safety,” a company spokesperson told Information Security Media Group. Boeing is communicating with customers and regulatory authorities and is currently working on restoring full service “as soon as possible.” Alternative sources of notice of air missions include the U.S. Federal Aviation Administration and the International Civil Aviation Organization. The aviation sector sees its share of cyberattacks. In October, the pro-Russian political hacking group claimed responsibility for distributed denial-of-service attacks that knocked offline the public websites of several major U.S. airports.”

Title: W4SP Stealer Stings Python Developers in Supply Chain Attack

Date Published: November 4, 2022

https://www.darkreading.com/threat-intelligence/w4sp-stealer-aims-to-sting-python-developers-in-supply-chain-attack

Excerpt: “Threat actors continue to push malicious Python packages to the popular PyPI service, striking with typosquatting, authentic sounding file names, and hidden imports to fool developers and steal their information. Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers’ systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers’ systems. According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer downloads and loads the malicious packages, the setup script also installs — through a number of obfuscated steps — the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said. While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.”

Title: Japan Joins Key NATO Cyber Agency

Date Published: November 7, 2022

https://www.infosecurity-magazine.com/news/japan-joins-key-nato-cyber-agency/

Excerpt: “Japan has become the latest US ally to join NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), in a move likely to anger Moscow. Former Prime Minister, Shinzo Abe, confirmed on a visit to Estonia four years ago that the East Asia giant would join the center. However, it wasn’t until Friday that the country formally confirmed its place. Defense Minister Seiichi Hamada revealed the news at a press conference, according to the Jiji news agency. Although a Ministry of Defence (MoD) official has apparently been stationed at the CCDCOE since 2019, the latest announcement should signal the start of a more formal arrangement. “JMOD will formally join NATO Cooperative Cyber Defence Centre of Excellence’s activities, following the completion of participation procedures. JMOD will continue to collaborate with international partners to respond to threats in the cyber domain,” noted a brief tweet from the MoD. Japan will join other non-NATO members such as Australia and South Korea as contributing participants. It has already participated in last year’s “Locked Shields” cyber war-gaming exercise. Based in Estonia, the CCDCOE is involved in a range of activities in cyber-defense research, training and exercises that span four focus areas: technology, strategy, operations and law. As such, it plays a key role in shaping NATO responses in the cyber domain, now officially recognized as a legitimate military domain and part of Article 5. This is the “collective defense” section of NATO’s founding treaty which stipulates that an attack on one member is an attack on all. Japan’s newly formalized position with the CCDCOE comes just months after it was agreed that Ukraine should be admitted as a contributing participant.”

Title: Z-Library Ebook Site Domains Seized by U.S. Dept of Justice

Date Published: November 4, 2022

https://www.bleepingcomputer.com/news/technology/z-library-ebook-site-domains-seized-by-us-dept-of-justice/

Excerpt: “Internet domains for the popular Z-Library online eBook repository were seized early this morning by the U.S. Department of Justice, preventing easy access to the service. Z-Library is ranked in the top 10k most visited websites on the Internet, offering over 11 million books and 84 million articles for free via its website. Yesterday, the websites hosted at z-lib.org, b-ok.org, and 3lib.net began displaying a message stating that the service was seized by the US DOJ and the Postal Inspection Service, as shown below. However, the U.S. Postal Inspector’s office told BleepingComputer they were credited in the seizure notice by mistake. Friday afternoon, the seizure notice on 3lib.net was updated to indicate the domains were seized by the FBI and the United States Attorney’s Office for the Eastern District of New York. “This domain has been seized by the Federal Bureau of Investigation in accordance with a warrant issued pursuant to 18 U.S.C. § 981(b) and 21 U.S.C. § 853(f) by the United States District Court for the Eastern District of New York as part of a law enforcement action,” reads the seizure notice.”

Title: Water Sector in the US and Israel Still Unprepared to Defeat Cyber Attacks

Date Published: November 7, 2022

https://securityaffairs.co/wordpress/138185/hacking/water-sector-us-israel-cyberattacks.html

Excerpt: “Expert warns that the US and Israel are still unprepared to defeat a cyber attack against organizations in the water sector. Ariel Stern, a former Israeli Air Force captain, warns that the US and Israel are still unprepared to defeat a cyber attack against the water sector that could be orchestrated by enemy states like Iran. Stern highlighted the dangers for providers of critical infrastructure and issued his warning following the ransomware attack that in August disrupted the IT operations of South Staffordshire Water, a UK company supplying drinking water to 1.6M consumers daily. The intelligence officer pointed out that nations like Russia, Iran, North Korea, and China have the capabilities to hit the water sector with dramatic consequences. “He flagged that the main adversary in this sphere for Israel is Iran, but cautioned that even after past cyber attacks on Israel and America’s water sector in recent years, ‘we don’t have top minds in the water industry,’” reported The Jerusalem Post. “‘Most water sector workers are civil engineers. How can they ignore it [cyber dangers]? They are very sophisticated within their domain relating to pipes, water flows, ground stabilization and chemistry,’ but not with regard to blocking hackers.” One of the main problems for the industry is the lack of proper training for cyber defense. A cyber attack against a water facility or an organization in the water sector could have a widespread impact because many infrastructures serve wide areas including many cities and states, and protecting them is not easy.”
