December 8, 2022

Fortify Security Team
Dec 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps
Date Published: December 8, 2022

https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/

Excerpt: “A darknet platform dubbed ‘Zombinder’ allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. This new platform was discovered by cybersecurity firm ThreatFabric, which spotted malicious Windows and Android campaigns distributing multiple malware families. The campaign impersonates Wi-Fi authorization portals, supposedly helping users to access internet points as a lure to push various malware families. The site then prompts a user to download either a Windows or Adware version of the application, which in reality, is malware. ThreatFabric reports that the operation has claimed thousands of victims, with Erbium stealer infections alone having stolen data from 1,300 different computers. An interesting aspect of the campaign is the darknet service, which the researchers dubbed “Zombinder,” which offers malicious APK binding of malware to legitimate Android applications. Zombinder launched in March 2022 as a malware packer on APK files, and according to ThreatFabric, it is now growing popular in the cybercrime community. The APKs used in this campaign vary, with the analysts reporting seeing a fake live football streaming app and a modified version of the Instagram app. These apps work as expected because the functionality of the legitimate software is not removed. Instead, Zombinder appends a malware loader to its code. The loader is obfuscated to evade detection, so when the user launches the app, the loader will display a prompt to install a plugin. If the prompt is accepted, the loader will install a malicious payload and launch it in the background.”

Title: New Go-Based Botnet Zerobot Exploits Dozens of Flaws
Date Published: December 7, 2022

https://securityaffairs.co/wordpress/139392/malware/zerobot-botnet-dozens-flaws.html

Excerpt: “Researchers discovered a new Go-based botnet called Zerobot that exploits two dozen security vulnerabilities IoT devices. Fortinet FortiGuard Labs researchers have discovered a new Go-based botnet called Zerobot that spreads by exploiting two dozen security vulnerabilities in the internet of things (IoT) devices and other applications. “This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation.” reads the advisory published by Fortinet. “It also communicates with its command-and-control server using the WebSocket protocol. Based on some IPS signatures trigger count, this campaign started its distribution of the current version sometime after mid-November. Zerobot targets multiple architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. The bot is saved using the filename “zero.” The malware first appeared in the wild on November 18, 2022 targeting devices running on Linux operating system.”

Title: Cyber Scammers Are Scamming Each Other, and Revealing Dark Web Secrets Along the Way
Date Published: December 8, 2022

https://www.zdnet.com/article/cyber-scammers-are-scamming-each-other-and-revealing-dark-web-secrets-along-the-way/

Excerpt: “Scammers are scamming scammers, and that’s creating an unexpected window into their world. Cyber criminals are losing millions of dollars to other cyber criminals after themselves falling victim to scams on dark web forums. And the way they’re publicly complaining about it could help uncover the secrets of the whole underground economy. Online scammers and fraudsters cost consumers and businesses billions every year, and it appears that even cyber criminals aren’t immune to falling victim to scams. According to analysis of underground marketplaces by cybersecurity researchers at Sophos, cyber criminals have lost at least $2.5 million to other dark web scammers during the last 12 months – and that’s just on three prominent cybercrime forums, so the total figure is likely to be a lot higher. For cyber criminals, scamming other cyber criminals can be an appealing prospect because there’s little risk of the police ever getting involved. While some dark web forum moderators do offer arbitration processes if someone is accused of conducting a scam, the anonymous nature of the cyber criminal underground forums means that for the most part, the worst consequence a scammer is going to face will be a ban from the forum.”

Title: Fraudsters Siphon $360M From Retailers Using 50M Fake Shoppers
Date Published: December 7, 2022

https://www.darkreading.com/threat-intelligence/fraudsters-siphon-360m-fake-shoppers

Excerpt: “Cyberattackers focused on ad fraud and clickjacking stole millions during Black Friday by hijacking shopper accounts and tying up transactions. Online fraudsters posing as consumers likely siphoned off more than $360 million from the marketing budgets of online businesses by generating fake clicks during Black Friday, while 20% of visits to retail sites on Cyber Monday were bots posing as shoppers and not humans, Web security firms said this week. The surge in fraud included techniques such as ad injection, search engine redirects, and affiliate fraud — and shows the trouble that cybercriminal automation such as bots can cause for online commerce providers. The increase in fraud matched the annual upswing of US holiday sales that start the week of Thanksgiving though the following Monday, also known as Cyber Monday. Overall, online retailers saw a nearly 12% increase in sales during November and a 2.3% increase in purchases on Black Friday. The lockstep growth of sales and fraud underscores the opportunistic nature of attackers, says Guy Tytunovich, CEO of Cheq.”

Title: Microsoft Warns Cryptocurrency Firms Against Complex Cyber-Attacks
Date Published: December 7, 2022

https://www.infosecurity-magazine.com/news/cryptocurrency-firms-warned/

Excerpt: “Threat actors have been observed targeting companies operating within the cryptocurrency industry for financial gain. According to a new advisory published by Microsoft on Tuesday, attacks targeting this market have taken several forms over the past few months, including fraud, vulnerability exploitation, fake applications and info stealer deployment. “We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” the tech giant wrote. One of the threat actors observed by Microsoft and operating in this industry is DEV-0139, who used Telegram groups to facilitate communication between VIP clients and cryptocurrency exchange firms and thus identified their target among the members. “The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022, invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms,” Microsoft explained. “The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.” After establishing the first contact with potential victims, DEV-0139 sent a weaponized Excel file that contained tables about fee structures among cryptocurrency exchange companies.”

Title: North Korean Hackers Look to Internet Explorer Zero Days
Date Published: December 7, 2022

https://www.databreachtoday.com/north-korean-hackers-look-to-internet-explorer-zero-days-a-20651

Excerpt: “North Korean state-sponsored hackers exploited a zero-day vulnerability in the JavaScript engine of Microsoft’s Internet Explorer via an Office document sent to users in South Korea. Google’s Threat Analysis Group says it spotted the exploit in October after multiple individuals from South Korea uploaded to VirusTotal a copy of the malicious Word file. The document purported to be an update on the Halloween crowd crush that killed more than 150 in the Itaewon neighborhood of Seoul. APT37, also known as Reaper, primarily targets South Korea, the country with which the totalitarian regime in Pyongyang has maintained a tense seven-decade armistice. Cybersecurity firm Mandiant has written that APT37, which appears to have been active since at least 2012, focuses on targeting the public and private sectors alike for espionage campaigns. Microsoft issued a patch for the zero-day in early November. The vulnerability, CVE-2022-41128, resided within the Internet Explorer JavaScript engine – jscript9.dll – the application Office uses to render HTML content. Google characterizes the flaw as an incorrect just-in-time compilation that leads to variable type confusion. It is similar to another vulnerability, CVE-2021-34480, which Google researchers identified in 2021. This North Korean threat group has exploited Internet Explorer zero-days before, Google says. Exploiting Internet Explorer through the Office channel has its advantages since it doesn’t depend on users selecting the browser as the default. Nor does it require chaining the exploit with another to break free of Internet Explorer’s Enhanced Protected Mode sandbox, writes Google.”

Title: CloudSEK Claims It Was Hacked by Another Cybersecurity Firm
Date Published: December 7, 2022

https://www.bleepingcomputer.com/news/security/cloudsek-claims-it-was-hacked-by-another-cybersecurity-firm/

Excerpt: “Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts. While some internal information, including screenshots of product dashboards and three customers’ names and purchase orders, was exfiltrated from its Confluence wiki, CloudSEK says the attackers didn’t compromise its databases. “We are investigating a targeted cyber attack on CloudSEK. An employee’s Jira password was compromised to get access to our confluence pages,” the company’s CEO and founder, Rahul Sasi, said on Tuesday. Instead, using the stolen Jira credentials, the threat actor could access training and internal documents, Confluence pages, and open-source automation scripts attached to Jira.
A threat actor named ‘sedut’ is now trying to sell what they claim is access to CloudSek’s “networks, Xvigil, codebase, email, JIRA and social media accounts” on multiple hacking forums. They also leaked images containing CloudSEK-related information, including usernames and passwords for accounts used to scrape the Breached and XSS hacking forums, instructions on how to use various website crawlers, as well as screenshots showing CloudSEK’s database schema, CloudSEK’s dashboard, and purchase orders. The threat actor is now trying to sell CloudSEK’s alleged database for $10,000 and the codebase and employee/engineering product docs for $8,000 each.”

Title: Investment Fraud Gang May Have Made $500m
Date Published: December 8, 2022

https://www.infosecurity-magazine.com/news/investment-fraud-gang-may-have/

Excerpt: “Security researchers have uncovered a prolific investment fraud group that may have made half a billion dollars in profits over the past four years. Named “CryptosLabs” after a scam website template it used, the group’s fake investment scheme is built on a highly organized group of “kingpins,” sales agents, developers and call-center operators, according to Group-IB. Victims are lured by messages left on investment forums or advertising on social media and search engines. The gang spoofed at least 40 popular European brands from the banking, fintech, crypto and asset management industries to add legitimacy to their offerings, Group-IB claimed. If victims clicked on an ad they would be taken to one of 300 spoofed domains hosted on 70 servers, which usually impersonate well-known financial and asset management companies. After leaving their details on the phishing sites, the victims would be contacted by phone by a call-center scammer pretending to be a personal manager from the investment division of the relevant spoofed company. They would be provided with credentials to log-in to the trading portal and asked to pay a €200–300 ($210–315) deposit to start investing in stocks, crypto and NFTs. Victims would be shown fake growth curves and stats to keep them investing, with all the money heading to the scammers, Group-IB said. If a victim wanted to leave, they’d be required to pay a fee to receive their non-existent funds, which also goes to the fraudsters. All the victims of CryptosLabs are from French-speaking parts of Europe: France, Luxembourg and Belgium. Group-IB said it identified 20 in its research, who lost around €280,000 between them. It reckons the group may have made as much as €480m ($505m) over the past four years.”

Title: Rackspace Incident Highlights How Disruptive Attacks on Cloud Providers Can Be
Date Published: December 7, 2022

https://www.darkreading.com/cloud/rackspace-incident-highlights-disruptive-attacks-on-cloud-providers

Excerpt: “A ransomware attack on the company’s Hosted Exchange environment disrupted email for thousands of mostly small and midsize businesses. A Dec. 2 ransomware attack at Rackspace Technology — which the managed cloud hosting company took several days to confirm — is quickly becoming a case study on the havoc that can result from a single well-placed attack on a cloud service provider. The attack has disrupted email services for thousands of mostly small and midsize organizations. The forced migration to a competitor’s platform left some Rackspace customers frustrated and desperate for support from the company. It has also already prompted at least one class-action lawsuit and pushed the publicly traded Rackspace’s share price down nearly 21% over the past five days. While it’s possible the root cause was a missed patch or misconfiguration, there’s not enough information publicly available to say what technique the attackers used to breach the Rackspace environment,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “The larger issue is that the breach affected multiple Rackspace customers here, which points out one of the potential challenges with relying on cloud infrastructure.” The attack shows how if threat actors can compromise or cripple large service providers, they can affect multiple tenants at once. Rackspace first disclosed something was amiss at 2:20 a.m. EST on Dec. 2 with an announcement it was looking into “an issue” affecting the company’s Hosted Exchange environment. Over the next several hours, the company kept providing updates about customers reporting email connectivity and login issues, but it wasn’t until nearly a full day later that Rackspace even identified the issue as a “security incident.” By that time, Rackspace had already shut down its Hosted Exchange environment citing “significant failure” and said it did not have an estimate for when the company would be able to restore the service. Rackspace warned customers that restoration efforts could take several days and advised those looking for immediate access to email services to use Microsoft 365 instead. “At no cost to you, we will be providing access to Microsoft Exchange Plan 1 licenses on Microsoft 365 until further notice,” Rackspace said in a Dec. 3 update.”

Title: Online Retailer Giant Exposed User Data and Over 1B Records
Date Published: December 8, 2022

https://www.hackread.com/online-retailer-exposed-user-data/

Excerpt: “The cyber security researchers at Website Planet published a report on discovering an unprotected database containing a trove of data. The exposed server, which belonged to a global online retailer, was identified twice between April to July 2022. According to Website Planet and security researcher Jeremiah Fowler, the first time the server was found was in April 2022. What’s worse, even after several responsible disclosure attempts, they didn’t receive any response from the company, and the unprotected database remained open to public access for several days post-discovery. In July 2022, they discovered the same database hosted on a different IP address. Again, they didn’t receive any response from the owner, but the exposed AWS server was secured quickly. However, a probe revealed the database was exposed due to a misconfiguration caused by the server’s owner or the company responsible for managing IT infrastructure, not Amazon Web Services’ fault. During the first exposure in April, the database contained 706,206,770 documents (406.79GB size), and the second time in July, it contained 1,166,293,742 documents (601.84GB). According to Fowler, the database had several references to Vevor, an online retailer based in California. However, Crunchbase claims that although the company is registered in the US, its website suggests it is based in China, boasting more than ten million customers across 200 countries/regions. The brand deals in tools and equipment and offers DIYers and professionals advanced tools and equipment at low rates.”

Recent Posts

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...

December 2, 2022

Title: New Go-Based Redigo Malware Targets Redis Servers Date Published: December 1, 2022 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html Excerpt: “Redigo is a new Go-based malware employed in attacks against Redis servers...

December 1, 2022

Title: Keralty Ransomware Attack Impacts Colombia’s Health Care System Date Published: November 30, 2022 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/ Excerpt: “The Keralty multinational healthcare...

November 30, 2022

Title: China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines Date Published: November 30, 2022 https://securityaffairs.co/wordpress/139097/apt/unc4191-used-usb-devices.html Excerpt: “An alleged China-linked cyberespionage group,...