December 1, 2022

Fortify Security Team

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System
Date Published: November 30, 2022

https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/

Excerpt: “The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries. Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the US, and Asia. The group employs 24,000 people and 10,000 medical doctors who provide healthcare to over 6 million patients. The company offers further healthcare services through its subsidiaries, Colsanitas, Sanitas USA, and EPS Sanitas. Over the past few days, Keralty and its subsidiaries, EPS Sanitas and Colsanitas, have suffered disruption to their IT operations, the scheduling of medical appointments, and their websites. The IT outages have impacted Colombia’s healthcare system, with local media reporting that patients have been waiting in line for over twelve hours to receive care and some patients fainting due to a lack of medical attention.”

Title: Medibank Hackers Reportedly Release All Data on Dark Web
Date Published: December 1, 2022

https://www.zdnet.com/article/medibank-hackers-reportedly-release-all-data-on-dark-web/

Excerpt: “Australian insurance group confirms hackers who breached its database have dumped another six zipped files of customer data on the dark web, with claims these contain all of the data they stole. Hackers who breached Medibank’s systems have dumped another batch of data on the dark web, along with claims the files contain all of the data they took in a heist that impacted 9.7 million customers. The Australian insurance group confirms six zipped files of data have been released, while government officials reiterate the overdue need to overhaul the country’s cyber strategy. Medibank on Thursday said it was analyzing the data, which was released overnight on the dark web, but added that the files appeared to comprise customer information compromised in the breach. First announced in October, the security incident affected 9.7 million current and former customers as well as some of their authorized representatives. Amongst those impacted were 1.8 million international customers. Before the latest data dump, hackers involved in the theft had released the files in batches along with demands for ransom. Medibank had said it would not pay any ransom. In its statement Thursday, the insurance company said there was no indication financial or banking details had been compromised and the stolen data alone was insufficient to facilitate identity or financial fraud. It further noted that the raw data, so far, had been determined to be incomplete and difficult to understand.”

Title: Google Links Three Exploitation Frameworks to Spanish Commercial Spyware Vendor Variston
Date Published: November 30, 2022

https://securityaffairs.co/wordpress/139126/malware/spanish-spyware-vendor-variston.html

Excerpt: “Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked to Variston IT, a Spanish firm. Officially, Variston claims to provide custom security solutions and custom patches for embedded systems. The experts reported that the framework includes exploits for n-day vulnerabilities in Chrome, Firefox and Microsoft Defender, and the company also provides a collection of tools to deploy a malicious payload to a target device. The vulnerabilities in Google, Microsoft and Mozilla exploited by the company were fixed in 2021 and early 2022. TAG’s research suggests that the above issues were utilized as zero-days in the wild by the surveillance vendor. TAG discovered the Heliconia framework after receiving an anonymous submission to the Chrome bug reporting program. The submitter reported three different exploitation frameworks, instructions, and an archive that contained source code. Their names in the bug reports are “Heliconia Noise,” “Heliconia Soft” and “Files.” The researchers noticed a script in the source code that includes clues pointing to the possible developer of the exploitation frameworks, Variston IT.”

Title: Researchers Accidentally Crash Cryptomining Botnet
Date Published: December 1, 2022

https://www.infosecurity-magazine.com/news/researchers-accidentally-crash/

Excerpt: “Security researchers analyzing a prolific botnet managed to accidentally kill it due to the coding equivalent of a typing error, according to Akamai. The cloud security firm detected the “KmsdBot” last month. The Golang-based bot is designed to conscript machines via SSH and weak credentials, and has the functionality to launch DDoS and crypto mining campaigns – targeting the gaming, technology and luxury car industries, among others. Akamai decided to test some of the botnet’s command and control (C2) functionality as part of its research, so it set up a controlled environment by modifying a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space. “This allowed us to have a controlled environment to play around in – and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures,” explained Akamai principal security intelligence response engineer, Larry Cashdollar. “Interestingly, after one single improperly formatted command, the bot stopped sending commands.” The command in question was simply missing a space between the target website and the port, but it was enough to bring the entire bot crashing down. That’s because, unfortunately for the bot herders, KmsdBot didn’t have error-checking built into its code to verify that commands are properly formatted. “Because of this, an improperly formatted command will cause the Go binary to crash with a stack trace stating an ‘index out of range’ error. This is because the wrong number of arguments were supplied,” explained Cashdollar. “This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 – essentially, killing the botnet.” Even better for the Akamai team is the fact that the bot also didn’t have any ability to maintain persistence on an infected machine, so the group behind it will effectively now have to start from scratch by reinfecting machines.”
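The failure mode in the KmsdBot story is a general one: a network-facing Go program that splits an incoming line into fields and indexes the result without checking how many fields it got will panic with "index out of range" on the first malformed message, and an unrecovered panic takes the whole process down. The same defect is an availability bug in any service that parses a space-delimited control protocol, not only in malware. The following is an added example written for this digest, not code from Akamai's analysis or from KmsdBot itself. The command format `<verb> <host> <port>`, the function names and the sample messages are constructed for illustration; the example places an unchecked parser (the shape of the defect) next to a checked one that validates field count and port range and returns an error instead of crashing.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a space-delimited control message of the
// shape "<verb> <host> <port>". The format is hypothetical, constructed for
// this example; it is not KmsdBot's protocol.
type Command struct {
	Verb string
	Host string
	Port int
}

// ErrMalformed is returned for any message that fails validation, so callers
// can log and drop the message rather than let the process die.
var ErrMalformed = errors.New("malformed command")

// parseUnchecked has the shape of the defect described in the article: it
// indexes the split fields without checking how many there are. A message
// with fewer than three fields makes Go panic with "index out of range".
func parseUnchecked(line string) Command {
	f := strings.Fields(line)
	port, _ := strconv.Atoi(f[2]) // panics when len(f) < 3
	return Command{Verb: f[0], Host: f[1], Port: port}
}

// parseChecked validates the field count and the port before touching any
// index and reports a typed error instead of crashing the process.
func parseChecked(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Command{}, fmt.Errorf("%w: expected 3 fields, got %d", ErrMalformed, len(f))
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("%w: bad port %q", ErrMalformed, f[2])
	}
	return Command{Verb: f[0], Host: f[1], Port: port}, nil
}

// survivesMalformed runs a parser over one message and reports whether the
// goroutine would have survived: true when the parser returned normally,
// false when it panicked. recover() is used here only to observe the
// failure; the real fix is validating the input, not catching the panic.
func survivesMalformed(parse func(string), line string) (ok bool) {
	defer func() {
		if r := recover(); r != nil {
			ok = false
		}
	}()
	parse(line)
	return true
}

func main() {
	// Constructed sample messages: one well-formed, one missing the space
	// between host and port, as in the incident described above.
	good := "ping example.test 8080"
	bad := "ping example.test8080"

	fmt.Println("unchecked/good survives:", survivesMalformed(func(s string) { parseUnchecked(s) }, good))
	fmt.Println("unchecked/bad survives: ", survivesMalformed(func(s string) { parseUnchecked(s) }, bad))
	fmt.Println("checked/bad survives:   ", survivesMalformed(func(s string) { parseChecked(s) }, bad))
	if _, err := parseChecked(bad); err != nil {
		fmt.Println("checked/bad error:      ", err)
	}
}
```

Running the block shows the unchecked parser surviving the well-formed message and dying on the malformed one, while the checked parser returns a wrapped `ErrMalformed` that a caller can match with `errors.Is`. Validating `len(f)` before indexing is the whole fix; the recover wrapper exists only to make the difference observable without killing the demo process.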

Title: Nvidia GPU Driver Bugs Threaten Device Takeover & More
Date Published: November 30, 2022

https://www.darkreading.com/application-security/nvidia-gpu-driver-bugs-device-takeover

Excerpt: “If unpatched, a host of GPU Display Driver flaws could expose gamers, graphic designers, and others to code execution, denial of service, data tampering, and more. A new update from Nvidia for its GPU Display Driver includes fixes for a full 29 security vulnerabilities, seven with a base score of more than 7. The company’s graphics cards are built to accelerate computing processing to support real-time or data-intensive applications. As such, they’re known for their use by gamers, graphic designers, and other creative producers, and for artificial intelligence and machine learning. Impacted software products for the update specifically include GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla. The most serious of the bugs are two flaws that exist in the user mode layer for Windows versions, both of which could allow an unauthorized user to execute code, escalate privileges, launch denial-of-service attacks, and achieve data compromise and disclosure, according to the chipmaker:

  • CVE-2022-34669 (CVSS score of 8.8): An unprivileged regular user can access or modify system files or other files that are critical to the application.
  • CVE-2022-34671 (CVSS score of 8.7): An unprivileged regular user can cause an out-of-bounds write.

The display driver for Linux also received a number of updates in this latest security update.”

Title: Predatory Loan Mobile Apps Grab Data, Harass Users and Their Contacts
Date Published: December 1, 2022

https://www.helpnetsecurity.com/2022/12/01/predatory-loan-apps-android-ios/

Excerpt: “Lookout researchers have discovered nearly 300 Android and iOS apps that trick victims into unfair loan terms, exfiltrate excessive user data from mobile devices, and then use it to pressure and shame the victims for repayment. Aimed at consumers in developing countries – Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda – the apps and their operators are taking advantage of victims’ inability to qualify for a traditional loan. The apps “purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims’ desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages,” Lookout researchers Ruohan Xiong, Rono Dasgupta, and Alina Mambo explained. “A number of users have reported that their loans come with hidden fees, high interest rates, and repayment terms that are much less favorable than what is posted on the app stores. We also found evidence that the data exfiltrated from devices are sometimes used to pressure for repayment, either by harassing the customers themselves or their contacts.” After downloading one of these apps, the user is first asked to share personal and financial information – name, address, employment history, education, and banking information – then to perform an ID verification with a video selfie (meaning: they also provide an image of their ID card). Then the apps ask the user to access their contacts, photos and media, and to be allowed to make and manage phone calls and send and view SMS messages.”

Title: Hyundai App Bugs Allowed Hackers to Remotely Unlock, Start Cars
Date Published: December 1, 2022

https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/

Excerpt: “Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM “smart vehicle” platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to “remotely unlock, start, locate, flash, and honk” them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads (Hyundai, SiriusXM). The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end.”

Title: Zero-Day Flaw Discovered in Quarkus Java Framework
Date Published: November 30, 2022

https://www.infosecurity-magazine.com/news/zeroday-flaw-in-quarkus-java/

Excerpt: “A high-severity zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation. Tracked as CVE-2022-4116, the flaw has a CVSS v3 base score rating of 9.8 and can be found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution (RCE). According to Joseph Beeton, a senior application security researcher at Contrast Security, exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges. “While preparing a talk for the recent DeepSec Conference about attacking the developer environment through drive-by localhost, I reviewed some popular Java frameworks to see if they were vulnerable,” Beeton wrote in an advisory published on Tuesday. “To be clear, CVE-2022-4116 doesn’t impact services running in production; it only impacts developers building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine.” As part of his testing, Beeton created a payload that opens the system calculator. However, the security expert warned that the silent code could potentially take more damaging actions.”

Title: ENC Security, the Encryption Provider for Sony and Lexar, Leaked Sensitive Data for Over a Year
Date Published: November 30, 2022

https://securityaffairs.co/wordpress/139091/data-breach/enc-security-data-leak-sony-lexar.html

Excerpt: “CyberNews experts discovered that ENC Security, a Netherlands software company, had been leaking critical business data since May 2021. When you buy a Sony, Lexar, or Sandisk USB key or any other storage device, it comes with an encryption solution to keep your data safe. The software is developed by a third-party vendor – ENC Security. The Netherlands-based company with 12 million users worldwide provides “military-grade data protection” solutions with its popular DataVault encryption software. As it turns out, ENC Security had been leaking its configuration and certificate files for more than a year, the Cybernews research team discovered. “The data that was leaking for over a year is nothing less than a goldmine for threat actors,” Cybernews researcher Martynas Vareikis said. The company said a misconfiguration by a third-party supplier caused the issue and fixed it immediately upon notification.”

Title: LastPass, GoTo Announce Security Incident
Date Published: December 1, 2022

https://www.helpnetsecurity.com/2022/12/01/lastpass-goto-breach/

Excerpt: “LastPass and its affiliate GoTo (formerly LogMeIn) have announced that they suffered a security incident and, in LastPass’ case, a possible data breach. “Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service,” GoTo CEO Paddy Srinivasan noted, and explained that the third-party cloud storage service in question is shared by GoTo, a cloud-based SaaS provider of remote work collaboration and IT management tools, and LastPass, the company behind the popular password manager of the same name. Both companies have engaged Mandiant to help their internal teams investigate the issue and have alerted law enforcement. Also, both companies’ products and services “remain fully functional.” While GoTo does not mention any compromised information, LastPass CEO Karim Toubba said that their preliminary investigation has shown that “an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” but that the customers’ passwords “remain safely encrypted due to LastPass’s Zero Knowledge architecture.” The August 2022 incident he referred to resulted in a breach and the exfiltration of portions of source code and some proprietary LastPass technical information. Whether that stolen information has helped attackers perpetrate this latest breach is yet unknown. But, as confirmed by the company a month later, that previous breach did not result in code-poisoning or malicious code injection, nor the theft of customer data.”
