Smishing warning. Initial access trends: brokers advertise; gangs look for rogue


Attacks, Threats, and Vulnerabilities

Iran-Linked Hackers Expand Arsenal With New Android Backdoor (SecurityWeek) The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM’s X-Force threat intelligence team.

China-Linked Cyberespionage Operation Suggests Interest in SCADA Systems (SecurityWeek) A threat group possibly based in China has been seen targeting critical infrastructure organizations in Southeast Asia, and they may be interested in SCADA systems.

Report Draws Attention to Vulnerabilities in Commercial-Off-the-Shelf Products  ( Commercial products bought without modification are largely exempt from government acquisition regulations, including the Defense Department’s emerging certification program.

GrammaTech | Osterman Research Report Download (GrammaTech) Osterman Research | Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software

Threat Thursday: Don’t Let njRAT Take Your Cheddar (BlackBerry) njRAT, also known as Bladabindi, is a remote access Trojan (RAT) used in attacks targeting organizations in Middle Eastern countries. The malware’s capabilities include logging keystrokes, capturing screenshots, password stealing, exfiltrating data, accessing web cameras and microphones, and downloading files.

Phishing scheme targets unemployment insurance benefits and PII (Consumer Information) Have you gotten an alarming text message about your unemployment insurance benefits from what seems to be your state workforce agency?

Protect Against BlackMatter Ransomware Before It’s Offered (Recorded Future) BlackMatter encrypts victim’s files and appears to have been developed by a relatively sophisticated group.

LockBit ransomware recruiting insiders to breach corporate networks (BleepingComputer) The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts.

Ransomware poses threat to vulnerable local governments (Washington Post) Ransomware is the invisible threat that’s sweeping the nation.

Disgruntled ransomware affiliate leaks the Conti gang’s technical manuals (The Record by Recorded Future) A disgruntled member of the Conti ransomware program has leaked today the manuals and technical guides used by the Conti gang to train affiliate members on how to access, move laterally, and escalate access inside a hacked company and then exfiltrate its data before encrypting files.

Initial access brokers unaffected by ransomware content bans ( Banning ransomware content from cyber crime forums has done little to prevent initial access brokers from advertising their services, with the number of access listings increasing in the second quarter of 2021.

The heist: nobody is safe from Russia’s digital pirates (Spectator) In April, the Harris network of London schools was held to ransom by hackers. ‘The first thing I did was panic,’ said Sir Dan Moynihan, the chief executive. It wasn’t simply that their computers didn’t work; many of the 50 schools couldn’t function. Some couldn’t open because their internet-controlled doors were jammed shut.

Ransomware Gangs and the Name Game Distraction (KrebsOnSecurity) It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much…

Researchers turn the spotlight on the hidden workers of the cybercrime world (ZDNet) Phishing schemes, malware campaigns and other operations involve an array of workers beyond the criminal masterminds. Could giving them better opportunities for legitimate work help cut crime?

Red Canary Intel: When Dridex and Cobalt Strike give you Grief (Red Canary) Many conspicuous, detectable behaviors manifest in the leadup to a Grief ransomware infection. Here’s what you need to look out for.

Critical Cobalt Strike bug leaves botnet servers vulnerable to takedown (Ars Technica) New exploit available for download lets hackers crash Cobalt Strike team servers.

“Cobalt Strike” network attack tool patches crashtastic server bug (Naked Security) Ahhhh, the irony! Red-team network attack tool has its very own bug for Blue Teams to counterexploit.

Messaging Apps Have an Eavesdropping Problem (Wired) Vulnerabilities in Signal, Facebook Messenger, Google Duo, and more all point to a pervasive privacy issue.

Amazon Kindle Vulnerabilities could have led Threat Actors to Device Control and Information Theft (Check Point Software) Check Point Research (CPR) found security flaws in Amazon Kindle, the world’s most popular e-reader. By tricking victims into opening a malicious e-book,

EU officials investigating breach of Cybersecurity Atlas project (The Record by Recorded Future) The European Commission is investigating a breach of its Cybersecurity Atlas project after a copy of the site’s backend database was put up for sale on an underground cybercrime forum on Monday.

Major Tea Party Group Was Backed by Salsa Billionaire and Other Wealthy Donors, Hacked Documents Reveal (The Intercept) Tea Party Patriots’ web database contained only a small fraction of the “3 million patriots” it heralds on its site.

Ransomware Attack Forces Indiana Hospital to Turn Ambulances Away (The Daily Beast) Hackers are targeting U.S. hospitals just as COVID-19 cases surge again.

Ransomware attack forces Indiana hospital to divert patients (Becker’s Hospital Review) Indianapolis-based Eskenazi Health shut down its IT network and went on diversion early Aug. 4 in response to an attempted ransomware attack, the hospital confirmed to Becker’s Hospital Review.

Eskenazi Health diverting ambulances as cyber-attack investigation continues (Fox 59) Companywide email and online medical record keeping are all a part of the self-imposed network shutdown at Eskenazi Health. Eskenazi Spokesperson Tom Surber said they decided to shut…

Passwordstate customers complain of silence and secrecy after cyberattack (TechCrunch) The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.

StarHub suffers data breach, but says no system was compromised (ZDNet) Personal data including mobile numbers and email addresses of 57,191 customers have been found on a third-party data dump website, the Singapore telco says, adding that the leaked information appears to date back to 2007.

Birth, death, marriage certificates are back online as state Vital Statistics returns after massive cyberattack took it down (Must Read Alaska) The Alaska Department of Health and Social Services completed the first of a three-step process to recover from the attack on its information technology infrastructure.

Security Patches, Mitigations, and Software Updates

HCC Embedded InterNiche TCP/IP stack, NicheLite (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: HCC Embedded
Equipment: InterNiche stack (NicheStack), NicheLite
Vulnerabilities: Return of Pointer Value Outside of Expected Range, Improper Handling of Length Parameter Inconsistency, Use of Insufficiently Random Values, Improper Input Validation, Uncaught Exception, Numeric Range Comparison Without Minimum Check, Generation of Predictable Numbers or Identifiers, Improper Check or Handling of Exceptional Conditions, Improper Null Termination

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: FATEK Automation
Equipment: FvDesigner
Vulnerabilities: Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-bounds Write
Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

CVSS v3 8.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: mySCADA
Equipment: myPRO
Vulnerabilities: Improper Access Control, Unrestricted Upload of File with Dangerous Type, Path Traversal, Exposure of Information Through Directory Listing
