December 6, 2022

Fortify Security Team
Dec 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom
Date Published: December 6, 2022

https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/

Excerpt: “Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware isn’t able to decrypt files – it just destroys them instead. Coded in Python, Cryptonite ransomware first appeared in October as part of a free-to-download open-source toolkit – available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery. But analysis of Cryptonite by cybersecurity researchers at Fortinet has found that the ransomware only has “barebones” functionality and doesn’t offer a means of decrypting files at all, even if a ransom payment is made. Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files, leaving no way of retrieving the data.”

Title: Sneaky Hackers Reverse Defense Mitigations When Detected
Date Published: December 5, 2022

https://www.bleepingcomputer.com/news/security/sneaky-hackers-reverse-defense-mitigations-when-detected/

Excerpt: “A financially motivated threat actor is hacking telecommunication service providers and business process outsourcing firms, actively reversing defensive mitigations applied when the breach is detected. The campaign was spotted by Crowdstrike, who says the attacks started in June 2022 and are still ongoing, with the security researchers able to identify five distinct intrusions. The attacks have been attributed with low confidence to hackers tracked as ‘Scattered Spider,’ who demonstrate persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets if thwarted. The campaign’s ultimate goal is to breach telecom network systems, access subscriber information, and conduct operations such as SIM swapping.”

Title: Prolific Chinese Hackers Stole US COVID funds
Date Published: December 6, 2022

https://www.infosecurity-magazine.com/news/prolific-chinese-hackers-stole-us/

Excerpt: “A Chinese state-sponsored APT group has stolen at least $20m from US COVID-relief funds, in what appears to be a first-of-its kind campaign, according to the Secret Service. The service told NBC that it linked the prolific Chengdu-based APT41 to the raids, which targeted Small Business Administration (SBA) loans and unemployment insurance funds in more than 12 states. However, the true scale of the campaign may be much greater. The Secret Service said it has over 1000 investigations currently open into theft and fraud related to public benefits programs. “It would be crazy to think this group didn’t target all 50 states,” said Roy Dotson, national pandemic fraud recovery coordinator for the Secret Service. The campaign began in mid-2020 and impacted 2000 accounts associated with more than 40,000 financial transactions, according to NBC. It’s unclear at this stage whether the group was specifically given orders to steal the funds or if government handlers simply looked the other way. APT41 has certainly done similar in the past – in 2019 FireEye said it detected the same group using ransomware against gaming companies and attacking cryptocurrency providers for personal profit.”

Title: Microsoft Warns of Growing Russian Digital Threats to Europe
Date Published: December 5, 2022

https://www.databreachtoday.com/microsoft-warns-growing-russian-digital-threats-to-europe-a-20631

Excerpt: “An October ransomware attack by a Russian military intelligence threat actor on transportation and related logistics industries in Poland may be an indication of the Kremlin’s intent to pursue its Ukrainian offensive in European cyberspace, computing giant Microsoft warns. Russia already pursues a strategy of digitally enabled disinformation in Europe – it’s particularly effective in Central European countries, including Germany, and that’s likely to intensify in the coming months, the company wrote in a Saturday alert. “The world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter,” wrote Clint Watts, general manager of Microsoft’s Digital Threat Analysis Center. Microsoft earlier this fall attributed a novel ransomware campaign active in Ukraine and Poland to the same Kremlin threat actor responsible for NotPetya malware and for wintertime cyberattacks against Ukrainian electricity providers in 2015 and 2016. Associated with Russia’s GRU military intelligence agency, the threat actor most often is known by the moniker Sandworm, although Microsoft tracks it as Iridium.”

Title: New Magecart Campaign Said to Target at Least 44 E-commerce Sites
Date Published: December 5, 2022

https://www.scmagazine.com/news/cybercrime/new-magecart-campaign-said-to-target-at-least-44-e-commerce-sites

Excerpt: “Researchers on Monday discovered a new Magecart campaign that has impacted at least 44 e-commerce sites. In a blog post, Jscrambler researchers said the incident underscores how risky client-side security can be if the web supply chain is left unchecked. The researchers said in what appears as a new way to acquire victims cheaply and easily, attackers took over a defunct internet domain that previously hosted a JavaScript library decommissioned in December 2014. The researchers said companies running the JavaScript failed to remove it from their website, likely because of a lack of visibility into third-party scripts and/or poor security policies. This attack has been underway since Dec. 20, 2021, and uses a loader script that resembles Google Analytics, a common JavaScript included in many websites. Another version aims to resemble Google Tag Manager, the researchers said, done for deception only, as the real endpoint to contact is encrypted or encoded.”

Title: Google Chrome Zero-Day Exploited in the Wild (CVE-2022-4262)
Date Published: December 6, 2022

https://www.helpnetsecurity.com/2022/12/06/cve-2022-4262/

Excerpt: “Google has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome (and Chromium), which is being exploited by attackers in the wild. No other technical details have been shared about this zero-day flaw, only that it was reported by security engineer Clement Lecigne of Google’s Threat Analysis Group (TAG), whose goal is to protect users from state-sponsored attacks and other advanced persistent threats. With a “High” security rating, CVE-2022-4262 ostensibly allows remote attackers to exploit heap (memory) corruption via a crafted HTML page. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Srinivas Sista, Technical program manager for Google Chrome, explained. The fix – in the form of a browser update – is being rolled out right now. Users will get updated to v108.0.5359.94 (for Mac and Linux) and v108.0.5359.94/.95 (for Windows) if the update is available and they reboot their browser. Users can also trigger the update manually and should consider doing it.”

Title: Machine Learning Models: A Dangerous New Attack Vector
Date Published: December 6, 2022

https://www.darkreading.com/threat-intelligence/machine-learning-models-dangerous-new-attack-vector

Excerpt: “Threat actors have been spotted using criminal proxy networks to obfuscate their illegal activities by hiding behind hijacked IP addresses and using the same to create an appearance of legitimacy. The findings come from security researchers at DomainTools, who have said that while these networks were initially used as part of botnets, their lucrative nature has turned them into their own criminal enterprises. Describing the new threat in an advisory published on Thursday, the DomainTools team said it spotted a new and particularly dangerous proxy service called ‘Black Proxies,’ which is being marketed to other cyber-criminals for its reliability, scope and vast number of IP addresses. “Black Proxies market themselves as having over 1,000,000 residential and other proxy IP addresses ‘from all around the world.’ The scope and scale of these new offerings show just how large their claimed pool of IP space is,” DomainTools wrote. “Upon further examination through the service, their pool of IP addresses listed in fall of 2022 ‘online’ comes in at just over 180,000 IPs, which is still a factor larger than the traditional services based on other types of tactics and botnets.” According to the advisory, the Black Proxies’ scale is significant because of not only their focus on both the traditional forms of IP proxying but also their use of compromised websites for their services.” Ultimately, in the cybercrime ecosystem, there are a host of specialized services designed to enable malicious activity,” reads the report. The researchers also added that understanding these newer malicious proxy services and how they facilitate the efforts of other cyber-criminals is critical in order to combat them.”

Title: Hackers Hijack Linux Devices Using Proot Isolated Filesystems
Date Published: December 5, 2022

https://www.bleepingcomputer.com/news/security/hackers-hijack-linux-devices-using-proot-isolated-filesystems/

Excerpt: “Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. A Bring Your Own Filesystem attack is when threat actors create a malicious file system on their own devices that contain a standard set of tools used to conduct attacks. This file system is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further. “First, threat actors build a malicious filesystem which will be deployed. This malicious file system includes everything that the operation needs to succeed,” explains a new report by Sysdig. “Doing this preparation at this early stage allows all of the tools to be downloaded, configured, or installed on the attacker’s own system far from the prying eyes of detection tools.” Sysdig says the attacks typically lead to cryptocurrency mining, although more harmful scenarios are possible. The researchers also warn about how easy this novel technique could make scaling malicious operations against Linux endpoints of all kinds.”

Title: Russian Hackers Use Western Networks to Attack Ukraine
Date Published: December 6, 2022

https://www.infosecurity-magazine.com/news/russian-hackers-western-networks/

Excerpt: “Russian hackers are using their presence inside the networks of organizations in the UK, US and elsewhere to launch attacks against Ukraine, a new report from Lupovis has revealed. The Scottish security firm set up a series of decoys on the web to lure Russian threat actors so it could study their tactics, techniques and procedures (TTPs). This included fake “honeyfile” documents leaked to cybercrime forums and spoofed to contain what appeared to be critical usernames, passwords and other information. Other decoys included insecurely configured web portals designed to mimic Ukrainian political and governmental sites, and “high interaction and ssh services.” The latter were configured to accept the fake credentials from the web portals. The exercise highlighted just how primed and ready Russian threat actors are to seize on any evidence of Ukrainian targets. Some 50–60 human actors interacted with just five decoys, with many of them reaching the honeypots within just a minute of them going live. The duped hackers attempted to carry out a variety of attacks, ranging from reconnaissance of the lure information to conscripting them into DDoS botnets, and exploitation of SQL injection and other bugs.”

Title: NETGEAR Router Vulnerability Allowed Access to Restricted Services
Date Published: December 6, 2022

https://www.hackread.com/netgear-router-vulnerability/

Excerpt: “According to Tenable research, NETGEAR had to release last-minute patches for their devices that were a part of the Pwn2Own event. A new report from Tenable, a Columbia, Maryland-based cybersecurity firm, outlined an emerging threat related to NETGEAR and TP-Link routers. According to Tenable research, both TP-Link and NETGEAR had to release last-minute patches for their devices that were a part of the Pwn2Own event. For your information, Pwn2Own is a computer hacking competition held yearly at the CanSecWest security conference since 2007. According to researchers, the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400 series) was to be included in the bug-finding contest at Pwn2Own. Just one day before the deadline for registering for the contest, the company identified a flaw that invalidated their submission and had to issue a patch urgently. According to a blog post published by cybersecurity experts at Tenable, network misconfiguration was identified in NETGEAR Nighthawk router versions released before 1.0.9.90. These devices, by default, feature IPv6 for the WAN interface. The problem is that firewall restrictions in place to determine IPv4 traffic’s access restrictions don’t work on the IPv6 WAN interface. That’s why anyone gaining random access to a service running on the device can listen to IPv6 inadvertently.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...

November 30, 2022

Title: China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines Date Published: November 30, 2022 https://securityaffairs.co/wordpress/139097/apt/unc4191-used-usb-devices.html Excerpt: “An alleged China-linked cyberespionage group,...