December 9, 2022

Fortify Security Team

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare
Date Published: December 8, 2022

https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/

Excerpt: “The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country’s healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang. The Health Sector Cybersecurity Coordination Center (HC3) —HHS’ security team— revealed in a new analyst note published Wednesday that the ransomware group has been behind multiple attacks against U.S. healthcare orgs. “Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector,” the advisory says. “Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.” This ransomware group is focused on targeting U.S. healthcare organizations based on past successful attacks. Until now, Royal also claimed following each healthcare compromise that they leaked all data allegedly stolen from the victims’ networks online.”

Title: Experts Devised a Technique to Bypass Web Application Firewalls (WAF) Of Several Vendors
Date Published: December 9, 2022

https://securityaffairs.co/wordpress/139445/hacking/web-application-firewalls-waf-bypass.html

Excerpt: “Claroty researchers devised a technique for bypassing the web application firewalls (WAF) of several vendors. Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing the web application firewalls (WAF) of several industry-leading vendors. The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform. The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes. The experts pointed out that they were able to exploit the SQL injection vulnerability against the on-premises version, while hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF. Then the experts started investigating how to bypass the AWS WAF. The researchers discovered that appending JSON syntax to SQL injection payloads allows bypassing the WAF because it is unable to parse it.”
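
The excerpt's lesson for defenders is that a WAF is a compensating control in front of a vulnerability that still exists in the application; the fix that holds regardless of what the WAF can parse is at the query layer. The following is an added example, not Claroty's research or Cambium's code: it uses an in-memory SQLite table with constructed rows to show a string-built query beside its parameterized replacement.

```python
"""String-built SQL versus a parameterized query, side by side.

Added example (not from the article or from Claroty/Cambium). The table,
rows and the test input are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Build a small in-memory table of constructed user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, session_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, session_token) VALUES (?, ?)",
        [("alice", "tok-alice-1"), ("bob", "tok-bob-2"), ("carol", "tok-carol-3")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately insecure: the input is spliced into the SQL text, so it can
    change the statement's structure. A WAF is the only thing standing in
    front of this, and the article shows WAF parsing has blind spots."""
    sql = f"SELECT username, session_token FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the driver binds the value; it is data, never SQL, so the
    result does not depend on any upstream filtering."""
    sql = "SELECT username, session_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed textbook tautology, used only to contrast the two functions.
HOSTILE_INPUT = "' OR '1'='1"


def demo():
    """Return what each lookup yields for a legitimate and a hostile input."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_safe": lookup_safe(conn, "alice"),
        "hostile_vulnerable": lookup_vulnerable(conn, HOSTILE_INPUT),
        "hostile_safe": lookup_safe(conn, HOSTILE_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

For the legitimate username both functions return the same single row; for the hostile input the string-built query returns every row (including every session token), while the parameterized query returns nothing, because the bound value is compared literally.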

Title: Hive Ransomware Group Leaks Data From European Retailer
Date Published: December 8, 2022

https://www.databreachtoday.com/hive-ransomware-group-leaks-data-from-european-retailer-a-20667

Excerpt: “The Hive ransomware-as-a-service group says it posted customer data obtained during a November attack against French sports retailer Intersport. The notorious ransomware-as-a-service group posted a tranche of Intersport data to its dark web leak site on Monday and threatened to leak more unless the retailer pays extortion money. The hack allegedly included passport details of Intersport staff from stores in northern France, their pay slips, a list of former and current employees from other stores, as well as Social Security numbers, French publication Le Monde reported. La Voix du Nord reported the hack occurred during the Black Friday sales and prevented staff from accessing the cash registers. The incident also forced the stores to do manual restocking. The Swiss company has 5,800 outlets across the world, 780 of which are located in France. The company did not immediately respond to a request for comment. Hive has hit more than 1,300 companies worldwide, collecting about $100 million in ransom payments, the U.S. federal government said in late November.”

Title: Security Concerns Scupper Deals for Two-Thirds of Firms
Date Published: December 9, 2022

https://www.infosecurity-magazine.com/news/security-concerns-scupper-deals/

Excerpt: “Two-thirds (67%) of global organizations have admitted to losing out on acquiring potential customers due to concerns about their security posture, according to LogRhythm. The security vendor polled 1175 security professionals and executives across five continents to compile its latest report, The State of the Security Team 2022. It found that security due diligence among customers and partners is increasingly rigorous. Some 91% of respondents said that their security strategy must now align with customers’ security policies and standards, while 85% claimed their company must provide proof that they meet partners’ security requirements. There was more worrying news from the report: 70% of respondents reported an increase in workplace stress for security teams, with nearly a third (30%) citing a “significant” increase. Among the key stress factors highlighted in the study were growing attack sophistication, greater responsibilities and increasing attack frequency. Two-fifths (41%) claimed that better integrated solutions would help to relieve these pressures, while a similar number (42%) pointed to the need for more experienced security professionals. The latter would seem unlikely, given the coming recession’s likely impact on budgets, and persistent industry skills shortages.”

Title: Report: Air-Gapped Networks Vulnerable to DNS Attacks
Date Published: December 8, 2022

https://www.darkreading.com/attacks-breaches/report-air-gapped-networks-vulnerable-dns-attacks

Excerpt: “Common mistakes in network configuration can jeopardize the security of highly protected assets and allow attackers to steal critical data from the enterprise. Common misconfigurations in how Domain Name System (DNS) is implemented in an enterprise environment can put air-gapped networks and the high-value assets they are aimed at protecting at risk from external attackers, researchers have found. Organizations using air-gapped networks that connect to DNS servers can inadvertently expose the assets to threat actors, resulting in high-impact data breaches, researchers from security firm Pentera revealed in a blog post published Dec. 8. Attackers can use DNS as a command-and-control (C2) channel to communicate with these networks through DNS servers connected to the Internet, and thus breach them even when an organization believes the network is successfully isolated, the researchers revealed.”
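
Since the channel described above rides on ordinary DNS queries, the detection opportunity is in the resolver's query log. The following is an added example and not Pentera's tooling: it scores a constructed, simplified BIND-style query log per registrable domain and flags domains whose queries are mostly unique, high-entropy subdomains. The log format, the two-label approximation of a registrable domain and every threshold are assumptions chosen for illustration.

```python
"""Flag DNS query patterns that resemble a covert channel in resolver logs.

Added example (not from the article or from Pentera). The log lines,
the log format, the registrable-domain approximation and the thresholds
are all constructed/assumed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample: "<timestamp> client <ip> query: <qname> IN <qtype>".
# 10.50.1.21 and 10.50.1.7 behave normally; 10.50.1.33 queries five long,
# never-repeated, high-entropy subdomains of one domain, all as TXT.
SAMPLE_LOG = """\
2022-12-08T10:00:01 client 10.50.1.21 query: www.example.com IN A
2022-12-08T10:00:02 client 10.50.1.21 query: updates.example.com IN A
2022-12-08T10:00:03 client 10.50.1.7 query: mail.example.org IN MX
2022-12-08T10:00:04 client 10.50.1.33 query: kq7ryb3mz2xfa5ncj4wv6gd8ht9se0pu.tun.badsite.test IN TXT
2022-12-08T10:00:04 client 10.50.1.33 query: 3xw9ahq2tcmb7fsr0ngd5kpu4yvj6ez1.tun.badsite.test IN TXT
2022-12-08T10:00:05 client 10.50.1.33 query: p8ce4vum1dsk0yqx7bwn2gzh6rtj5fa3.tun.badsite.test IN TXT
2022-12-08T10:00:05 client 10.50.1.33 query: v2qm6ydb9csh1rz0fue5tkx8wgn4pja7.tun.badsite.test IN TXT
2022-12-08T10:00:06 client 10.50.1.33 query: h5ns8pwf2aq7cvy1mrk0jet6bxz4dg9u.tun.badsite.test IN TXT
2022-12-08T10:00:07 client 10.50.1.21 query: www.example.com IN A
2022-12-08T10:00:08 client 10.50.1.21 query: cdn.example.com IN A
"""

LOG_RE = re.compile(r"client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list; adequate for the constructed sample)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, qtype) for every line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip("."), m.group("qtype")


def score_domains(text, min_queries=4, entropy_threshold=3.5, unique_ratio=0.8):
    """Aggregate per registrable domain and return the ones whose pattern looks
    like tunnelling: mostly unique subdomains whose leftmost label has high
    entropy. Thresholds are illustrative assumptions, not tuned values."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropies": [], "txt": 0, "clients": set()})
    for client, qname, qtype in parse_log(text):
        domain = registered_domain(qname)
        st = stats[domain]
        st["queries"] += 1
        st["clients"].add(client)
        if qname != domain:
            sub = qname[: -(len(domain) + 1)]
            st["subdomains"].add(sub)
            st["entropies"].append(shannon_entropy(sub.split(".")[0]))
        if qtype in ("TXT", "NULL"):  # record types that carry arbitrary data
            st["txt"] += 1
    flagged = {}
    for domain, st in stats.items():
        if st["queries"] < min_queries:
            continue
        avg_entropy = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        uniq = len(st["subdomains"]) / st["queries"]
        if avg_entropy >= entropy_threshold and uniq >= unique_ratio:
            flagged[domain] = {"queries": st["queries"],
                               "unique_subdomains": len(st["subdomains"]),
                               "avg_entropy": avg_entropy,
                               "txt_ratio": st["txt"] / st["queries"],
                               "clients": sorted(st["clients"])}
    return flagged


if __name__ == "__main__":
    for domain, info in score_domains(SAMPLE_LOG).items():
        print(f"suspicious: {domain} {info}")
```

On the sample, only badsite.test is flagged, with a single querying client; the ordinary example.com traffic (repeated short names) stays below both thresholds. The complementary control the excerpt points at is architectural: hosts on a segment meant to be isolated should resolve only against a resolver that has no forwarding path to the Internet, so that a hit like this one is a configuration finding rather than an active channel.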

Title: Business Email Compromise Attacks Going Mobile via SMS and Social Media Apps
Date Published: December 8, 2022

https://www.scmagazine.com/news/email-security/business-email-compromise-attacks-going-mobile-via-sms-and-social-media-apps

Excerpt: “Researchers reported that while phishing scams are prevalent in the SMS threat landscape, business email compromise (BEC) attacks are now going mobile. In a Dec. 8 blog post, researchers at Trustwave’s SpiderLabs said the flow and nature of a BEC attack in short messaging services (SMS) is similar to email in which attackers impersonate company executives. The researchers said attackers make a legitimate request, such as asking for a wire transfer, sending a copy of an aging report, or changing a payroll account. The Anti-Phishing Working Group reports that among these requests, gift card fraud was the most common scheme in the second quarter of 2022. BECs remain one of the biggest cybersecurity threats today. The FBI has reported that losses from BECs have surpassed $43 billion globally and as time goes by, scammers are becoming more cunning with their lures. “We are certainly seeing an increase in attackers leveraging mobile platforms, including SMS messages, Signal, WhatsApp, and social media apps to carry out BEC attacks,” said Hank Schless, senior manager of security solutions at Lookout. What’s worse, Schless said, is that one successful phishing attack on an employee’s mobile device can quickly spread laterally and have a major impact on an organization.”

Title: Hacked Corporate Email Accounts Used to Send MSP Remote Access Tool
Date Published: December 7, 2022

https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/

Excerpt: “MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. The group adopted the new tactic in a campaign that might have started in September but wasn’t observed until October and combined the use of a legitimate remote administration tool. MuddyWater has used legitimate remote administration tools for its hacking activities in the past. Researchers discovered campaigns from this group in 2020 and 2021 that relied on RemoteUtilities and ScreenConnect. In another campaign in July, the hackers continued with this tactic but switched to Atera, as highlighted by Simon Kenin, a security researcher at Deep Instinct. Deep Instinct researchers caught a new MuddyWater campaign in October that used Syncro, a remote administration tool designed for managed service providers (MSPs).”

Title: Cisco Discloses High-severity Flaw Impacting IP Phone 7800 and 8800 Series
Date Published: December 9, 2022

https://securityaffairs.co/wordpress/139453/security/cisco-ip-phones-flaw.html

Excerpt: “Cisco disclosed a high-severity flaw in its IP phones that can be exploited to gain remote code execution and conduct DoS attacks. Cisco disclosed a high-severity vulnerability, tracked as CVE-2022-20968, impacting its IP Phone 7800 and 8800 Series (except Cisco Wireless IP Phone 8821). An unauthenticated, adjacent attacker can trigger the flaw to cause a stack overflow on an affected device leading to remote code execution and denial of service (DoS) attacks. The vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this flaw by sending specially crafted Cisco Discovery Protocol packets to an affected device. “A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device.” reads the advisory published by the company. “This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.” Cisco Product Security Incident Response Team (PSIRT) is aware of the availability of a proof-of-concept exploit code for this vulnerability.”
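
The root cause named in the advisory is a length-handling failure in a packet parser. The following is an added example, not Cisco's firmware code and not the advisory's details: it parses an assumed CDP-like layout (1-byte version, 1-byte TTL, 2-byte checksum, then TLVs whose 2-byte length counts their own 4-byte header) and shows the three length checks that stop a crafted packet from driving an under- or over-sized copy. The packets and the fixed buffer size are constructed.

```python
"""Bounds-checked parser for a CDP-like TLV packet.

Added example (not Cisco code, not from the advisory). The packet layout is
an assumed CDP-like one and every sample packet is constructed.
"""
import struct

HEADER_LEN = 4        # version (1) + ttl (1) + checksum (2)
TLV_HEADER_LEN = 4    # type (2) + length (2); length includes this header
MAX_VALUE_LEN = 255   # assumed size of the fixed buffer a value is copied into


class MalformedPacket(ValueError):
    """Raised instead of trusting a length field that cannot be honoured."""


def parse_tlvs(packet: bytes):
    """Return the header fields and a list of (type, value) TLVs, rejecting
    any length field that would read past the packet or overflow the buffer."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("packet shorter than fixed header")
    version, ttl, checksum = struct.unpack("!BBH", packet[:HEADER_LEN])
    offset = HEADER_LEN
    tlvs = []
    while offset < len(packet):
        if len(packet) - offset < TLV_HEADER_LEN:
            raise MalformedPacket(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", packet[offset:offset + TLV_HEADER_LEN])
        if tlv_len < TLV_HEADER_LEN:
            # A length smaller than its own header would make the value
            # length negative (an unsigned underflow in C).
            raise MalformedPacket(f"TLV length {tlv_len} smaller than header")
        if offset + tlv_len > len(packet):
            # Claims more bytes than were received: an over-read.
            raise MalformedPacket(f"TLV length {tlv_len} exceeds packet at {offset}")
        value_len = tlv_len - TLV_HEADER_LEN
        if value_len > MAX_VALUE_LEN:
            # Would overflow the fixed-size destination buffer.
            raise MalformedPacket(f"TLV value {value_len} bytes exceeds buffer")
        tlvs.append((tlv_type, packet[offset + TLV_HEADER_LEN: offset + tlv_len]))
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def build_packet(tlvs, version=2, ttl=180):
    """Encode constructed TLVs in the assumed layout (checksum left as zero)."""
    body = b"".join(struct.pack("!HH", t, TLV_HEADER_LEN + len(v)) + v for t, v in tlvs)
    return struct.pack("!BBH", version, ttl, 0) + body


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_tlvs(packet)
        return True
    except MalformedPacket:
        return False


# Constructed sample packets (type values are arbitrary for the demo).
GOOD_PACKET = build_packet([(0x0001, b"swname01"), (0x0005, b"platform-x")])
TRUNCATED = GOOD_PACKET[:-3]            # last TLV claims bytes that are not there
UNDERFLOW = (struct.pack("!BBH", 2, 180, 0)
             + struct.pack("!HH", 0x0001, 2))   # length field below header size
OVERSIZED = (struct.pack("!BBH", 2, 180, 0)
             + struct.pack("!HH", 0x0001, TLV_HEADER_LEN + 300) + b"A" * 300)

if __name__ == "__main__":
    print(parse_tlvs(GOOD_PACKET))
    for name, pkt in (("truncated", TRUNCATED), ("underflow", UNDERFLOW), ("oversized", OVERSIZED)):
        print(name, "accepted" if is_well_formed(pkt) else "rejected")
```

Each rejected packet fails on a different check, which is the point: a parser that validates only one of the three (typically the over-read) still lets the other two reach the copy.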

Title: Report: Outsourced HR Firm Sequoia One Undergoes Data Breach
Date Published: December 8, 2022

https://www.databreachtoday.com/report-outsourced-hr-firm-sequoia-one-undergoes-data-breach-a-20666

Excerpt: “Outsourced human resources provider Sequoia One is disclosing to customers that an array of sensitive employee data was affected by unauthorized access to its cloud computing storage account, reports Wired. Data that the unauthorized party accessed includes “names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system,” Wired reported. San Francisco-based Sequoia One says it serves more than 500 venture-capital backed firms. The firm has yet to address the data breach outside of notification letters that Wired says the company sent to affected individuals and to corporate clients. State law requires businesses to notify the state attorney general in the event that a breach affects more than 500 California residents. Press representatives of California Attorney General Rob Bonta did not return multiple attempts to contact them. No sample breach notification from Sequoia at the time of publication appears on the attorney general’s public tracking of reportable breaches.”

Title: Apple Introduces New Data Protections to Increase Cloud Security
Date Published: December 8, 2022

https://www.infosecurity-magazine.com/news/apple-new-feature-increase-cloud/

Excerpt: “Apple has introduced three new security features focused on protecting users against data theft in the cloud. According to a blog post published on Wednesday, the first of the new capabilities is iMessage Contact Key Verification, which enables users to verify the identities of the person they are communicating with. Apple said users with iMessage Contact Key Verification enabled would receive automatic alerts if threat actors managed to breach cloud servers and insert their devices in their communications. Users can also compare a Contact Verification Code in person, via FaceTime or through another secure call. “While iMessages sent between Apple devices were [already] end-to-end encrypted […], not all information backed up to iCloud, Apple’s cloud server, had the same level of encryption,” explained Erfan Shadabi, a cybersecurity expert at comforte AG. “So these new updates seem to address such issues, but we have to wait and analyze the details and implications as they become available.” The second feature, called Security Keys for Apple ID, introduces support for using hardware security keys to sign in to Apple ID accounts as a two-factor authentication option. “Apple’s new data protections – especially the integration of security keys – are a welcome addition to the platform for security-conscious users,” said Keeper Security CTO Craig Lurey. “[This is particularly true for] those who already use a YubiKey device to encrypt their data on iOS devices or want to use a security key but need more incentive to make the investment. Hardware security keys provide one of the highest levels of security for MFA [multi-factor authentication] setups.” Finally, Advanced Data Protection for iCloud brings end-to-end encryption to cloud security. This feature can be turned on for individual elements within the iOS ecosystem, including iCloud Backup, Photos, Notes and more.”
