December 5, 2022

Fortify Security Team

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist
Date Published: December 3, 2022

Excerpt: “Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin. The funds were stolen following a January 2018 SIM swap attack that allowed Truglia’s co-conspirators to hijack Terpin’s phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia’s control. According to the indictment, the defendant “agreed to convert the stolen cryptocurrency into Bitcoin, another form of cryptocurrency, and then transfer the Bitcoin to other Scheme Participants, while keeping a portion as payment for his services.” In all, Truglia kept at least approximately $673,000 of the stolen funds to assist the other fraudsters in collecting and dividing the illegally obtained funds among them. The 25-year-old was ordered to pay a total of $20,379,007 to Terpin within the next 60 days, until January 30, 2023. The restitution order says $12.1 million is due to be paid before December 31, and $8,279 million is payable on or before January 30.”

Title: Programming Languages: How Google Is Using Rust to Reduce Memory Safety Vulnerabilities in Android
Date Published: December 5, 2022

Excerpt: “Google’s decision to use Rust for new code in Android in order to reduce memory-related flaws appears to be paying off. Memory safety vulnerabilities in Android have been more than halved – a milestone that coincides with Google’s switch from C and C++ to the memory-safe programming language, Rust. This is the first year that memory safety vulnerabilities are not the biggest category of security flaws, and comes a year after Google made Rust the default for new code in the Android Open Source Project (AOSP). Other memory-safe languages Google has used for Android include Java and Java-compatible Kotlin. C and C++ are still dominant languages in AOSP, but Android 13 is the first version where most of the new code is from memory-safe languages. After Google adopted it for AOSP in April 2021, Rust now accounts for about 21% of new code. The Linux kernel project this year adopted Rust as the new official second language to C.”

Title: French Hospital Halts Operations After Cyber-Attack
Date Published: December 5, 2022

Excerpt: “A hospital in the Parisian suburb of Versailles was forced offline over the weekend, leading to the cancellation of all operations and the transfer of some patients, according to local reports. The André-Mignot hospital in Chesnay-Rocquencourt, Yvelines, was struck by a cyber-attack at 9pm local time on Saturday evening, turning some computer screens black, according to Franceinfo. Six patients have been transferred from the facility’s intensive care and neonatal units to nearby hospitals, as staff struggle to maintain care levels and keep outpatient services running, added an AFP report. Health minister Francois Braun is quoted as saying that the attack has led to a “total reorganization of the hospital,” with extra staff needed in intensive care because several critical machines require monitoring more closely as they are no longer networked. Although not mentioned explicitly in reports so far, the attack on the 700-bed hospital looks to be the work of ransomware actors. If so, it follows a major ransomware attack on another facility near Paris in September this year. The Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes was forced back to pen and paper after being hit with a $10m ransom demand by the LockBit 3.0 group.”

Title: Newsroom Sues NSO Group for Pegasus Spyware Compromise
Date Published: December 2, 2022

Excerpt: “Nearly two dozen journalists and other staffers working for El Faro, a digital newspaper based in El Salvador, are suing NSO Group for unleashing Pegasus spyware — malware they say was used to steal their most sensitive information, putting their safety in danger. Along with NSO Group Technologies, its Israeli parent company, Q Cyber Technologies is also named as a defendant in the lawsuit. The 22 plaintiffs from El Faro are getting assistance from the Knight First Amendment Institute at Columbia University in their litigation. Attorneys for the El Faro group say that because Apple servers in Silicon Valley were compromised by Pegasus to monitor the newsroom, they have filed the lawsuit in the US District Court in Northern California. Pegasus spyware has a long history of being used by authoritarian governments to essentially take full control of devices of those they deem likely to stoke dissent. Once Pegasus is deployed, the complaint explains, the threat actor has control of the entire device, from downloading contacts and text messages to turning on the device microphone to listen to conversations in real time.”

Title: New Zealand Health Insurer Investigates IT Provider Hack
Date Published: December 4, 2022

Excerpt: “A cyber incident at an external IT infrastructure provider for New Zealand private health insurer Accuro may have affected the personal data of the underwriter’s 34,000 customers. The Wellington-based not-for-profit insurer said its investigation into the incident so far hasn’t revealed evidence of a data breach “but we cannot rule out this possibility.” A Thursday statement from CEO Lance Walker said day-to-day operations and customer service have been impacted by the incident, warning of delays in service including claims processing. The company notified the New Zealand Government’s Computer Emergency Response Team and the Office of the Privacy Commissioner and has brought in outside cybersecurity support, the company said. Company Chief Financial Officer Joe Benbow wouldn’t confirm or deny the incident is a ransomware attack, reported the New Zealand Herald. Benbow also declined to identify the third-party infrastructure provider. Ransomware hackers based in Russia attacked private health insurer Medibank in neighboring Australia in October and earlier this month dumped online data they characterized as a full set of stolen customer data.”

Title: Hackers Use New, Fake Crypto App to Breach Networks, Steal Cryptocurrency
Date Published: December 3, 2022

Excerpt: “The North Korean ‘Lazarus’ hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, “BloxHolder,” to install the AppleJeus malware for initial access to networks and steal crypto assets. According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations. A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware’s infection chain and abilities. The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022. In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform. This website distributed a 12.7MB Windows MSI installer that pretended to be the BloxHolder app. However, in reality, it was the AppleJeus malware bundled with the QTBitcoinTrader app. In October 2022, the hacking group evolved their campaign to use Microsoft Office documents instead of the MSI installer to distribute the malware.”

Title: ‘Black Proxies’ Enable Threat Actors to Conduct Malicious Activity
Date Published: December 2, 2022

Excerpt: “Threat actors have been spotted using criminal proxy networks to obfuscate their illegal activities by hiding behind hijacked IP addresses and using the same to create an appearance of legitimacy. The findings come from security researchers at DomainTools, who have said that while these networks were initially used as part of botnets, their lucrative nature has turned them into their own criminal enterprises. Describing the new threat in an advisory published on Thursday, the DomainTools team said it spotted a new and particularly dangerous proxy service called ‘Black Proxies,’ which is being marketed to other cyber-criminals for its reliability, scope and vast number of IP addresses. “Black Proxies market themselves as having over 1,000,000 residential and other proxy IP addresses ‘from all around the world.’ The scope and scale of these new offerings show just how large their claimed pool of IP space is,” DomainTools wrote. “Upon further examination through the service, their pool of IP addresses listed in fall of 2022 ‘online’ comes in at just over 180,000 IPs, which is still a factor larger than the traditional services based on other types of tactics and botnets.” According to the advisory, the Black Proxies’ scale is significant because of not only their focus on both the traditional forms of IP proxying but also their use of compromised websites for their services. “Ultimately, in the cybercrime ecosystem, there are a host of specialized services designed to enable malicious activity,” reads the report. The researchers also added that understanding these newer malicious proxy services and how they facilitate the efforts of other cyber-criminals is critical in order to combat them.”

Title: Exclusive: The Largest Mobile Malware Marketplace Identified by Resecurity in the Dark Web
Date Published: December 5, 2022

Excerpt: “Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. The “In the Box” dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online retailers in 43 countries. Resecurity, the California-based cybersecurity company protecting major Fortune 500 companies, has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. The marketplace is known as “InTheBox” and has been available to cybercriminals in the TOR network from at least the start of May 2020; since then it has transformed from a cybercriminal service operating privately into the largest marketplace known today for its sheer number of unique tools and so-called WEB-injects offered for sale. Such malicious scenarios are purposely developed by fraudsters and used for online-banking theft and financial fraud. Web-injects are integrated into mobile malware to intercept banking credentials, payment systems, social media and email provider credentials, but it doesn’t end there: these malicious tools also collect other sensitive information such as credit card information, address details, phone and other PII. This trend comes from the “Man in The Browser” (MiTB) attacks and WEB-injects designed for traditional PC-based malware such as Zeus, Gozi and SpyEye. Later, cybercriminals successfully applied the same approach to mobile devices, because modern digital payments are extremely interconnected when it comes to mobile applications used by consumers.”

Title: Rackspace Hosted Exchange service outage caused by security incident
Date Published: December 5, 2022

Excerpt: “Cloud computing company Rackspace has suffered a security breach that has resulted in a still ongoing outage of their Hosted Exchange environment. “In order to best protect the environment, this will continue to be an extended outage of Hosted Exchange,” the company said on Sunday. The connectivity issues for Rackspace Hosted Exchange customers – mostly small to medium size businesses – started on Friday (December 2), with users experiencing errors when accessing the Outlook Web App (Webmail) and syncing their email clients. It took 18 hours for Rackspace to realize that the problem would not easily be fixed and to decide to offer another option to disgruntled customers: a free Microsoft Exchange Plan 1 license on Microsoft (i.e., Office) 365. They provided customers with instructions on how to make the switch and said that their support team is available for assistance but, apparently, the self-migration process is not as simple to pull off as they hoped and their customer support got overwhelmed. “Since our last update, we have mobilized roughly 1000 support Rackers to reduce wait times and address ticket queues,” the company said on Sunday, then followed up with the decision to contact every Hosted Exchange customer by phone or email. The company also offered a stopgap solution until the M365 onboarding can be performed. “You can also implement a temporary forwarding that will allow mail destined for a Hosted Exchange user to be routed to an external email address,” they said. Unfortunately, this option also requires the help of the support team and comes with some limitations (e.g., email sent before the rule is put into place will not be forwarded). Despite Rackspace saying that they’ve “successfully restored email services to thousands of customers on Microsoft 365”, Twitter is still full of customer complaints about the wait times and/or inability to get help from the support team. According to the Rackspace system status page, Rackspace’s other offerings – Email, Administrator Tools, and Apps – have been and are operating normally.”

Title: Critical Ping bug potentially allows remote hack of FreeBSD systems
Date Published: December 5, 2022

Excerpt: “A critical stack-based buffer overflow bug, tracked as CVE-2022-23093, in the ping service can allow it to take over FreeBSD systems. The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution. The ping utility allows testing the reachability of a remote host using ICMP messages; it requires elevated privileges to use raw sockets. It is available to unprivileged users with the installation of a setuid bit set. This means that when ping runs, it creates the raw socket, and then revokes its elevated privileges. “ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header,” reads the advisory for this issue. “The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.” A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping.”
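As an added illustration (not code from the FreeBSD advisory or from ping itself), here is how a response parser can honour the IPv4 IHL field so that options in either the outer header or the quoted header can never push a copy past a fixed stack buffer; the ICMP type numbers are the standard RFC 792 error types, and the packet layout assumed is the one the advisory describes (IP header, ICMP header, optional quoted IP header).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HDR_MIN   20
#define IP_HDR_MAX   60   /* IHL is 4 bits: 15 * 4 = 20 fixed + up to 40 bytes of options */
#define ICMP_HDR_LEN 8

/* One parsed ICMP response: outer IPv4 header (options included), ICMP header,
 * and, for ICMP error messages, the quoted IPv4 header that may carry options too.
 * Every destination buffer is sized for the worst case, not the 20-byte minimum. */
struct icmp_view {
    uint8_t ip[IP_HDR_MAX];        size_t ip_len;
    uint8_t icmp[ICMP_HDR_LEN];
    uint8_t quoted_ip[IP_HDR_MAX]; size_t quoted_ip_len;  /* 0 unless an error message */
};

/* Copy one IPv4 header from buf into a 60-byte buffer. Returns the header length
 * taken from IHL, or 0 if the version is wrong, IHL is out of range, or it exceeds len. */
static size_t copy_ip_header(const uint8_t *buf, size_t len, uint8_t out[IP_HDR_MAX])
{
    if (len < IP_HDR_MIN || (buf[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;  /* honour IHL instead of assuming 20 */
    if (ihl < IP_HDR_MIN || ihl > IP_HDR_MAX || ihl > len)
        return 0;
    memcpy(out, buf, ihl);                      /* ihl <= IP_HDR_MAX, so this is bounded */
    return ihl;
}

/* Returns 1 and fills *v on success, 0 if the packet is truncated or malformed. */
int parse_icmp_response(const uint8_t *pkt, size_t len, struct icmp_view *v)
{
    memset(v, 0, sizeof *v);
    v->ip_len = copy_ip_header(pkt, len, v->ip);
    if (v->ip_len == 0) return 0;
    size_t off = v->ip_len;
    if (len - off < ICMP_HDR_LEN) return 0;     /* off <= len, so no underflow */
    memcpy(v->icmp, pkt + off, ICMP_HDR_LEN);
    off += ICMP_HDR_LEN;
    uint8_t type = v->icmp[0];
    /* RFC 792 error types (3 unreachable, 4 source quench, 5 redirect, 11 time
     * exceeded, 12 parameter problem) quote the IP header of the packet that failed. */
    if (type == 3 || type == 4 || type == 5 || type == 11 || type == 12) {
        v->quoted_ip_len = copy_ip_header(pkt + off, len - off, v->quoted_ip);
        if (v->quoted_ip_len == 0) return 0;
    }
    return 1;
}
```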
