December 7, 2022

Fortify Security Team

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack
Date Published: December 7, 2022

https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/

Excerpt: “ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for its destructive operations. In February 2022, Agrius began targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in the diamond industry. We believe that Agrius operators conducted a supply-chain attack abusing the Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals. The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did. Instead, it goes right to work wiping data. Victims were observed in South Africa – where reconnaissance began several weeks before Fantasy was deployed – Israel, and Hong Kong.”

Title: Amnesty International Canada Breached by Suspected Chinese Hackers
Date Published: December 6, 2022

https://www.bleepingcomputer.com/news/security/amnesty-international-canada-breached-by-suspected-chinese-hackers/

Excerpt: “Amnesty International’s Canadian branch has disclosed a security breach detected in early October and linked to a threat group likely sponsored by China. The international human rights non-governmental organization (NGO) says it first detected the breach on October 5, when it spotted suspicious activity on its IT infrastructure. After detecting the attack, the NGO hired the services of cybersecurity firm Secureworks to investigate the attack and secure its systems. “The investigation’s preliminary results indicate that a digital security breach was perpetrated using tools and techniques associated with specific advanced persistent threat groups (APTs),” Amnesty International Canada said. “Forensic experts with leading international cyber-security firm Secureworks later established that ‘a threat group sponsored or tasked by the Chinese state’ was likely behind the attack.” The attack was linked to a suspected Chinese threat group based on the attackers’ tactics, techniques, and procedures (TTPs) and the information they targeted, all consistent with Chinese state hackers’ known behavior and tools.”

Title: Android Security Update Fixes More Than 80 Security Vulnerabilities – Including Four Critical
Date Published: December 7, 2022

https://www.zdnet.com/article/android-security-update-fixes-more-than-80-security-vulnerabilities-including-four-critical/

Excerpt: “Google’s Android Security Bulletin for December 2022 protects against a number of vulnerabilities – including one which could allow attackers to exploit Bluetooth. Android’s December security update fixes over 80 security vulnerabilities affecting smartphones – including four flaws classed as critical. According to Google’s Android security bulletin for December 2022, the most severe vulnerability is one in Android’s System component which could allow attackers to remotely execute code over Bluetooth without the need for device permissions. The four critical vulnerabilities affect Android versions 10 to 13. Two of them – CVE-2022-20411 and CVE-2022-20498 – are in the System component of the Android operating system, while the other two – CVE-2022-20472 and CVE-2022-20473 – are in Android’s application framework and could allow attackers to remotely execute code with no additional execution privileges needed.”

Title: Ransomware Attack in New Zealand Has Cascading Effects
Date Published: December 6, 2022

https://www.databreachtoday.com/ransomware-attack-in-new-zealand-has-cascading-effects-a-20636

Excerpt: “A ransomware attack on a New Zealand third party managed IT service provider impacted several government agencies across the country including the Ministry of Justice and the national health authority. The Office of the Privacy Commissioner said “urgent work” is underway to understand the full impact of the incident. The third party provider is Mercury IT, whose LinkedIn page describes it as a small business based in Wellington. It provides a wide range of IT services to customers throughout New Zealand, according to a one-page website on the company domain. News of the incident began filtering to the public after Wellington-based private health insurer Accuro informed customers on Thursday of an incident at a third party provider that may have affected the personal data of its 34,000 customers. A spokesperson for the Office of the Privacy Commissioner told Information Security Media Group that Mercury IT is the constant behind this spate of service outages.”

Title: Russia’s Second-Largest Bank VTB Bank Under DDoS Attack
Date Published: December 6, 2022

https://securityaffairs.co/wordpress/139354/hacking/vtb-bank-ddos-attack.html

Excerpt: “Russia’s second-largest bank VTB Bank reveals it is facing the largest DDoS (distributed denial of service) attack in its history. State-owned VTB Bank, the second-largest financial institution in Russia, says it is facing the largest DDoS (distributed denial of service) attack in its history. The pro-Ukraine collective IT Army of Ukraine has claimed responsibility for the DDoS attacks against the bank. In November the group of hacktivists announced the offensive on its Telegram channel. The attack is causing problems for its customers that are not able to access the website of the bank and its mobile app. The bank added that customers’ data were not compromised as a result of the attack. “The bank’s technological infrastructure is under an unprecedented cyber attack from abroad,” reads a statement issued by the Russian bank. “The largest not only this year, but in the whole time the bank has operated.” The cyber attacks against the infrastructure of government and private Russian entities spiked after the beginning of the invasion of Ukraine.”

Title: For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers
Date Published: December 7, 2022

https://www.darkreading.com/vulnerabilities-threats/cyberattackers-popular-edr-tools-destructive-data-wipers

Excerpt: “Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well. Many trusted endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing virtually any data on installed systems. Or Yair, a security researcher at SafeBreach who discovered the issue, tested 11 EDR tools from different vendors and found six — from a total of four vendors — were vulnerable. The vulnerable products were Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. Three of the vendors have assigned formal CVE numbers for the bugs and issued patches for them prior to Yair disclosing the issue at the Black Hat Europe conference on Wednesday, Dec 7.”

Title: Christmas Warning: Threat Actors Impersonate your Favorite Brands to Attack, Finds CSC
Date Published: December 6, 2022

https://www.infosecurity-magazine.com/news/threat-actors-impersonate-your/

Excerpt: “In the run-up to Christmas, one of the busiest times for online shopping and e-commerce, we are likely to see a spike in fraudulent domain name registrations. Domain provider CSC analyzed threatening domains targeting 10 of the biggest brands in the world in a report published on December 6, 2022. These include Amazon, Walmart, McDonald’s, Tencent, Google, Microsoft, Apple and Facebook. Of 8480 identified unique third-party domain names in their dataset, CSC found that 56% were linked to a live webpage, some of which offered “a range of high-concern content types, including fraud issues like potential phishing sites, and other brand infringements,” according to the report. Also, 66% of the identified third-party domain names used domain privacy services, “indicating an intention by the owner to mask their identity,” and 35% were configured with active mail exchange (MX) records, “indicating their ability to send and receive emails, making them capable of launching phishing attacks,” the report reads. While all of these three methods could hint at nefarious motivations, Ihab Shraim, CSC’s CTO, told Infosecurity that various domain name alteration techniques were “often smart and sometimes tricky to detect.” Aside from the regular typosquatting, the act of changing, withdrawing or adding a character from the original domain name, 3% of the fraudulent third-party domain names used legitimate domains in a fraudulent way to trick users.”

Title: Antwerp’s City Services Down After Hackers Attack Digital Partner
Date Published: December 6, 2022

https://www.bleepingcomputer.com/news/security/antwerps-city-services-down-after-hackers-attack-digital-partner/

Excerpt: “The city of Antwerp, Belgium, is working to restore its digital services that were disrupted last night by a cyberattack on its digital provider. The disruption has affected services used by citizens, schools, daycare centers, and the police, which have been working intermittently today. An investigation is ongoing, but the little information available points to a ransomware attack from a threat actor that has yet to be disclosed. According to Het Laatste Nieuws (HLN), the hackers were able to disrupt Antwerp’s services after breaching the servers of Digipolis, the city’s digital partner that provides administrative software. The publication also notes that almost all Windows applications have been impacted. Phone service for some departments was also unavailable. Alexandra d’Archambeau, a council member for the district of Wilrijk, said earlier today that the city’s email service was down. De Standaard reports that it received confirmation that ransomware was the cause of the disruption from an actor that has yet to be determined. The problems also extend to the city’s reservation system, which has been shut down, leaving people unable to receive their identity cards. Today, only travel cards could be collected.”

Title: Sophos Fixed a Critical Flaw in Its Sophos Firewall Version 19.5
Date Published: December 7, 2022

https://securityaffairs.co/wordpress/139362/security/sophos-firewall-critical-flaw.html

Excerpt: “Sophos addressed several vulnerabilities affecting its Sophos Firewall version 19.5, including arbitrary code execution issues. Sophos has released security patches to address seven vulnerabilities in Sophos Firewall version 19.5, including some arbitrary code execution bugs. The most severe issue addressed by the security vendor is a critical code injection vulnerability tracked as CVE-2022-3236. “A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin,” reads the advisory. In September Sophos warned of this critical code injection security vulnerability (CVE-2022-3236) affecting its Firewall product, which is being exploited in the wild. Sophos confirmed that this vulnerability was being used to target a small set of specific organizations, primarily in the South Asia region. The security vendor also addressed three vulnerabilities rated as ‘high’ severity; below is the list of these issues:

  • CVE-2022-3226 – An OS command injection vulnerability allowing admins to execute code via SSL VPN configuration uploads was discovered by Sophos during internal security testing.
  • CVE-2022-3713 – A code injection vulnerability allowing adjacent attackers to execute code in the Wifi controller was discovered by Sophos during internal security testing. It requires attackers to be connected to an interface with the Wireless Protection service enabled.
  • CVE-2022-3696 – A post-auth code injection vulnerability allowing admins to execute code in Webadmin was discovered and responsibly disclosed to Sophos by an external security researcher. It was reported via the Sophos bug bounty program.

The company also fixed two flaws, rated as medium severity, respectively a stored XSS vulnerability (CVE-2022-3709) and a post-auth read-only SQL injection flaw (CVE-2022-3711).”

Title: FFT and Ransomware Represent Over Half of Cyber Insurance Claims in 2022
Date Published: December 7, 2022

https://www.infosecurity-magazine.com/news/fft-ransomware-cyber-insurance/

Excerpt: “Fraudulent funds transfer (FFT) and ransomware were the biggest drivers of financial loss from cybercrime in 2022, accounting for more than 50% of insurance claims, according to figures from Corvus. The insurance company found that FFT and ransomware “are the two most consistent tactics of choice for threat actors,” with FFT representing 28% of cyber claims and ransomware 23% in its all-time figures. However, the average FFT claim is significantly lower than ransomware – $90,000 versus $256,000, respectively. Additionally, over all time, ransomware claims are three-times higher than that of FFT. This is because “FFT incidents do not typically involve costly data restoration, system recovery, business interruption or breach response efforts” that are required following ransomware attacks. Despite this, Jason Rebholz, CISO at Corvus Insurance told Infosecurity that the cyber insurance industry must avoid “tunnel vision” on ransomware, viewing it as the sole threat to organizations. “While the cost of ransomware claims are three times that of fraudulent funds transfer, the higher frequency of other attack vectors like business email compromise (BEC) and FFT could deliver death by a thousand cuts,” he explained. The prevalence of FFT, in which social engineering techniques are used to trick employees or vendors into transferring funds to the wrong accounts, highlights the growing effectiveness of BEC scams. The report found that FFT represented 70% of all BEC-related claims, and BEC made up 45% of claims in H1 2022.”
