Document converter warning, Resurge exploits Ivanti, Blacklock hackers exposed
In today’s cybersecurity news…
FBI warns of increase in free online document converter scams
The agency’s Denver Field Office says it is seeing an increase in scams involving free online document converter tools, which ultimately either deliver malware including ransomware to users’ computers or facilitate identity theft. They explain that these fake file converters and download tools may indeed do the job as advertised, such as converting a Word document to a PDF, but at quite a cost. The agency warns consumers to be cautious with downloads and to report suspected incidents to IC3.gov.
Resurge malware exploits Ivanti flaw
CISA is warning of a new malware called Resurge that is targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. Seemingly derived from the Spawnchimera malware variant, the file is capable of surviving reboots, and “contains capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.” The vulnerability that it exploits is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution. It was patched by Ivanti in January of this year.
BlackLock hackers exposed through leak site vulnerability
The ransomware group once known as Eldorado has been infiltrated by threat hunters from Resecurity who have uncovered crucial information about how the group operates. The threat hunters said they found a security vulnerability in the group’s data leak site which “made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.” This misconfiguration led to the exposure of “clearnet IP addresses related to their network infrastructure behind TOR hidden services.” It is being described as “one of the biggest operational security failures of BlackLock ransomware.”
Oracle Health breach compromises patient data at U.S. hospitals
This breach is apparently unrelated to the Oracle Cloud federated SSO login breach that we have been covering in recent days. This one, at Oracle Health, impacts multiple U.S. healthcare organizations and hospitals and involves a threat actor who “stole patient data from legacy servers.” According to BleepingComputer, “Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack.” Oracle Health, formerly known as Cerner, is “a healthcare software-as-a-service (SaaS) company offering Electronic Health Records (EHR) and business operations systems to hospitals and healthcare organizations. After being acquired by Oracle in 2022, Cerner was merged into Oracle Health, with its systems migrated to Oracle Cloud.”
Huge thanks to our sponsor, Qualys
Hackers target Taiwan with malware-laden fake messaging apps
The malware, named PJobRAT, was being delivered through malicious instant messaging apps, named SangaalLite and Cchat, which had been designed to resemble legitimate platforms. This is according to a report published Thursday by cybersecurity firm Sophos. “The apps were available for download on multiple WordPress sites, which have since been taken offline.” PJobRAT is an Android remote access trojan that “gives attackers greater control over infected devices, allowing them to steal data from various applications, and even includes disabling battery optimization to ensure they run continuously in the background.” The campaign seems to have come to an end since “no recent activity has been observed.”
Microsoft removes Windows 11 account bypass
According to BleepingComputer, Microsoft has “removed the BypassNRO.cmd script from Windows 11 preview builds, which allowed users to bypass the requirement to use a Microsoft Account when installing the operating system.” Having been introduced in the latest Windows 11 Insider Dev preview build, the change will likely be coming to production builds. It effectively forces all users to have a Microsoft Account, whether they want one or not.
Sam’s Club investigates alleged Cl0p ransomware attack
The Walmart-owned membership warehouse club chain has been listed as one of the victims of a software exploit and breach that occurred in December. The Cl0p ransomware gang has not leaked any data allegedly stolen from the club but has accused it of ignoring security. The ransomware group leaked files from Rackspace Technology and listed around 170 companies that were “allegedly hacked via zero-day vulnerabilities in the Cleo file-transfer software.”
Morphing Meerkat pops up with easy email spoofing
Morphing Meerkat is the name of a newly discovered phishing-as-a-service (PhaaS) operation that uses the DNS over HTTPS (DoH) protocol to evade detection. It also “leverages DNS email exchange (MX) records to identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands.” As a PhaaS platform, it provides “a complete toolkit for launching effective, scalable, and evasive phishing attacks that require minimal technical knowledge.” It can impersonate more than 114 email and service providers, including Gmail, Outlook, and Yahoo, in multiple languages, including English, Spanish, Russian, and even Chinese, and can also spoof sender names and addresses.