November 8, 2022

Fortify Security Team

Title: Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time

Date Published: November 7, 2022

https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/

Excerpt: “The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs. Last month, a threat actor began distributing malware called ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files. However, instead of providing contact info to negotiate a ransom, the ransom note told victims to contact security researchers and journalists to frame them as the developers of the ransomware. As there was no contact info, and the listed contacts had no way of helping victims, we assumed that the malware was a data wiper. Last week, Checkpoint security researcher Jirí Vinopal analyzed the Azov Ransomware and confirmed to BleepingComputer that the malware was specially crafted to corrupt data. The malware included a trigger time that would cause it to sit dormant on the victim’s devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.”

Title: Vultur Android Banking Trojan Reaches 100,000+ Downloads on Google Play Store

Date Published: November 7, 2022

https://www.infosecurity-magazine.com/news/vultur-android-banking-trojan/

Excerpt: “The Android banking Trojan Vultur has reached a total of more than 100,000 downloads on the Google Play Store, says a new advisory from cybersecurity experts at Cleafy. The dropper hides behind a fake utility application. Because of its relatively limited permissions and small footprint, it appears as a legitimate app and can elude Google Play security measures. “Although most of the banking trojans are distributed via *ishing campaigns, TAs [threat actors] also use official app stores to deliver their malware using dropper applications, namely an application designed to download malware into the target device,” the Cleafy team explained. According to the advisory, one of the primary reasons behind this choice is reaching more potential victims and securing a greater likelihood of committing fraud. “Furthermore, since these droppers hide behind utility apps and come from a trusted source, they can mislead even ‘experienced’ users,” Cleafy wrote. “This explains why, even though an overview of this dropper was already described in the last article of Threat Fabric, we decided to publish this report and analyze in detail how this application ended up in the Play Store and attempted to commit bank fraud.” From a technical standpoint, after installation, the dropper uses advanced evasion techniques, including steganography, file deletion and code obfuscation, in addition to multiple checks before downloading the malware.”

Title: Password-Hacking Attacks Are on the Rise. Here’s How to Stop Your Accounts From Being Stolen

Date Published: November 8, 2022

https://www.zdnet.com/article/password-hacking-attacks-are-on-the-rise-heres-how-to-stop-your-accounts-from-being-stolen/

Excerpt: “Passwords are a common target for hackers, but many of us still aren’t doing the basics to help protect our accounts. Here’s what to do. Cyber crooks are making almost 1,000 attempts to hack account passwords every single second – and they’re more determined than ever, with the number of attacks on the rise. The figures come from Microsoft’s Digital Defense Report 2022 and are based on analysis of trillions of alerts and signals collected from the company’s worldwide ecosystem of products and services. It warns that cyberattacks are on the rise, with account passwords still very much the main target of hackers – particularly as many accounts are vulnerable because they lack any additional layers of protection beyond the password itself to help keep them secure. According to Microsoft, the volume of password-based attacks has risen to an estimated 921 attacks every second – representing a 74% increase in just one year for what’s the primary method through which accounts are compromised.”

Title: U.S. DOJ Seizes $3.36B Bitcoin From Silk Road Hacker

Date Published: November 8, 2022

https://securityaffairs.co/wordpress/138228/cyber-crime/silk-road-hacker-pleads-guilty.html

Excerpt: “The U.S. Department of Justice condemned James Zhong, a hacker who stole 50,000 bitcoins from the Silk Road darknet marketplace. The US Department of Justice announced that a man from Georgia, James Zhong, has pleaded guilty to wire fraud after stealing more than 50,000 bitcoins from the Silk Road. Zhong pled guilty to money laundering crimes; he exploited a flaw in the Silk Road that allowed him to withdraw more Bitcoin than he deposited on the dark web marketplace. The man funded nine fraudulent accounts with an initial deposit of 200 to 2,000 bitcoin and then triggered 140 withdrawal transactions in rapid succession. “JAMES ZHONG pled guilty to committing wire fraud in September 2012 when he unlawfully obtained over 50,000 Bitcoin from the Silk Road dark web internet marketplace. ZHONG pleaded guilty on Friday, November 4, 2022, before United States District Judge Paul G. Gardephe,” reads the press release published by DoJ. “On November 9, 2021, pursuant to a judicially authorized premises search warrant of ZHONG’s Gainesville, Georgia, house, law enforcement seized approximately 50,676.17851897 Bitcoin, then valued at over $3.36 billion.” The authorities seized the stolen funds in November 2021; at the time it was the biggest-ever seizure of cryptocurrency. The US authorities are seeking to forfeit, collectively, approximately 51,680.32473733 Bitcoin. Law enforcement located 50,491.06251844 Bitcoin of the approximately 53,500 Bitcoin Crime Proceeds. The funds were stored in an underground floor safe and on a single-board computer hidden in Zhong’s house. The police also recovered $661,900 in cash (25 Casascius coins (physical bitcoin)) along with 11.1160005300044 additional Bitcoin, and four one-ounce silver-colored bars, three one-ounce gold-colored bars, four 10-ounce silver-colored bars, and one gold-colored coin.”

Title: National Guard Cyber Forces ‘Surging’ to Help States Protect Midterm Elections

Date Published: November 7, 2022

https://www.darkreading.com/risk/national-guard-cyber-forces-surging-to-help-states-protect-midterm-elections

Excerpt: “Fourteen states, including Arizona, Iowa, and Pennsylvania, have called in the Guard to help with election network risk assessments and threat mitigation. The National Guard has offered its 38 cyber units and 2,200 personnel to state and local election officials in an effort to help shore up cybersecurity during the 2022 US midterm elections. Politico reported that during the midterm elections, the National Guard will have a Joint Cyber Mission Center staffed with personnel from the National Guard, Cybersecurity and Infrastructure Agency (CISA), and Department of Homeland Security to help coordinate detection and response efforts and thwart cyber threats to the election.”

Title: Threat Group Weaponizes Employee Trust With Impersonation of Healthcare Software Solutions

Date Published: November 7, 2022

https://www.scmagazine.com/analysis/security-awareness/threat-group-weaponizes-employee-trust-with-impersonation-of-healthcare-software-solutions

Excerpt: “The Zeon threat group is impersonating software solutions and targeting the healthcare sector, weaponizing the trust that is often inherent to the healthcare workforce and capitalizing on security failures. A recent alert to Health-ISAC members shows the targeted attacks began on Oct. 19 and were sent to 35,000 addresses, with another 480,000 addresses reached on Oct. 20 and 21. On Sept. 26, another member-alert warned the Roy/Zeon threat group was impersonating a Health-ISAC member by using fake invoices to lure victims to a malicious call center. “The bad guys are continuously becoming innovative and creative,” said Errol Weiss, Health-ISAC’s chief security officer, in an exclusive interview with SC Media. This new Zeon campaign is “where it’s really gotten bad, where there are no evil links, no evil attachments; it’s just all text, and they’re able to craft something that scares people and it makes them do things they wouldn’t ordinarily do.” In short, the tactic is “social engineering at its finest; psychological warfare,” he added, declining to name the specific vendors used in the campaigns. “They’re getting people into a mindset where they’re very vulnerable, and then they’re doing dumb things.” Weiss is referring to the latest Zeon Group campaign, which is successfully targeting the healthcare sector in force. The group is one of three to rise from the ashes after the dissolution of Conti. All three created their own versions of the BazarCall spear-phishing attacks, a targeted callback phishing tactic where nefarious actors dupe victims with fake subscription service offers. These calls were actually “used by the operators to silently install malware and exfiltrate data once access is obtained,” according to an August New Jersey Cybersecurity & Communications alert. Once employees call the phone number, they’re being walked through an installation of “legitimate remote access tools, and then the bad guys have access to your computer,” Weiss explained. By June, Zeon was impersonating a range of brands that targeted a range of sectors, including insurance and tech, and others with high annual revenue, but not healthcare specifically. The group soon pivoted again, impersonating “legitimate healthcare organizations delivering software solutions focused on patient data,” according to the Health-ISAC member alert.”

Title: Maple Leaf Foods Suffers Outage Following Weekend Cyberattack

Date Published: November 7, 2022

https://www.bleepingcomputer.com/news/security/maple-leaf-foods-suffers-outage-following-weekend-cyberattack/

Excerpt: “Maple Leaf Foods confirmed on Sunday that it experienced a cybersecurity incident causing a system outage and disruption of operations. Maple Leaf Foods is Canada’s largest prepared meats and poultry food producer, operating 21 manufacturing facilities, employing 14,000 people, and contracting over 700 barns. In 2021, the firm generated $3.3 billion in sales. Hackers often launch cyberattacks during weekends, hoping to find incident responders understaffed, and maximize their chances for success. Despite the timing, the Canadian food packaging giant says its IT team took immediate action to respond to the incident. Currently, the firm’s specialists are working with cybersecurity and recovery experts to resolve the situation as soon as possible. “The company is executing its business continuity plans as it works to restore the impacted systems,” reads the announcement. “However, it expects that full resolution of the outage will take time and result in some operational and service disruptions.” Maple Leaf Foods says it will continue to work with customers and partners to minimize the food supply disruption in the Canadian market.”

Title: ‘Justice Blade’ Hackers are Targeting Saudi Arabia

Date Published: November 8, 2022

https://securityaffairs.co/wordpress/138213/hacking/justice-blade-targets-saudi-arabia.html

Excerpt: “Threat actors calling themselves “Justice Blade” published leaked data from an outsourcing IT vendor. The group of threat actors calling themselves ‘Justice Blade’ published leaked data from SmartLink BPO Solutions, an outsourcing IT vendor working with major enterprises and government agencies in the Kingdom of Saudi Arabia and other countries in the GCC. The bad actors claim to have stolen a significant volume of data, including CRM records, personal information, email communications, contracts, and account credentials. The same day, Justice Blade also set up a Telegram account with a private communications channel. Based on the screenshots and video leaked by the attackers, the incident could have happened as a result of a targeted network intrusion affecting Active Directory and internal applications and services. The bad actors also released screenshots of active RDP sessions and Office 365 communications between various companies from within the region, and several lists of users presumably related to FlyNas (airlines company) and SAMACares (initiative managed by Saudi Arabia Central Bank) containing over 100,000 records.”

Title: Who is Extorting Australian Health Insurer Medibank?

Date Published: November 8, 2022

https://www.databreachtoday.com/blogs/who-extorting-australian-health-insurer-medibank-p-3310

Excerpt: “Who is attempting to extort Australian health insurer Medibank, why did Medibank tell its attackers it wouldn’t pay a ransom and will this deter future cyber extortionists? Here are a few thoughts on the high cybercrime drama playing out. On Monday, Medibank publicly said it wouldn’t pay a ransom to attackers it says took sensitive data on 9.7 million current and former customers. Today, that gambit reaped a reaction: a 24-hour deadline to pay or see sensitive medical claims data released. Medibank’s announcement was the equivalent of flipping the bird to their attackers and one that aligns with the Australian government’s position. Medibank CEO David Koczkar said the amount asked by the extortionists – which he did not reveal – was “irrelevant.” Even if Medibank paid, there’s no guarantee that the data will be deleted, he said. He’s right. What’s remarkable and nearly unheard of is how open and transparent Medibank has been at every turn of this extremely sensitive situation. Publicly stating no ransom would be paid was a strikingly bold move. Rarely do companies say either way if they’ve paid. The extortion group issued their warning to Medibank in a blog post on a .onion site. Some cybercrime researchers have dubbed the group “BlogXX” since it doesn’t have a clear name. BlogXX’s website has links to the infamous REvil ransomware gang, which attacked the software developer Kaseya in July 2021 and JBS Foods in May 2021. Both incidents had big knock-on effects within Australia. The REvil gang is no more, and its decline reads like a cybercrime mafia novel: there’s extortion, there’s loads of cash, there’s betrayal, there are arrests in Russia and the downfall of the group around October 2021.”

Title: SMBs Fear Security Budget Cuts as Inflation Bites

Date Published: November 8, 2022

https://www.infosecurity-magazine.com/news/smbs-fear-security-budget-cuts/

Excerpt: “Most (57%) small and medium-sized businesses (SMBs) are worried about their cybersecurity budgets being reduced amid a surge in ransomware, according to a new report from OpenText Security Solutions. The security vendor polled over 1330 security and IT professionals from SMBs of up to 1000 employees, in the US, UK and Australia, to compile its 2022 Global SMB Ransomware Survey. Despite many SMBs having suffered a serious attack in the past, budgets are already low, the report found. Half (50%) of respondents spend less than $20,000 annually, with only 10% spending more than $50,000 per year. In addition, most (68%) have fewer than five people working on security. However, most SMBs surveyed are concerned that rising inflation will force business leaders to further trim cost from this part of the organization. That’s particularly concerning given the persistent threat from ransomware. Nearly half (46%) of SMBs polled admitted they have suffered an attack in the past, and a similar number (52%) believe they’re more at risk today because of heightened geopolitical tensions.”
