Watch the full episode on Youtube: https://youtu.be/Tl3pVMaCN60
Security Weekly, September 28 - October 4, 2021
We review the Cyber Security news events that happened from September 28 - October 4, 2021.
3. Flubot Malware Targets Androids With Fake Security Updates
The Flubot banking trojan is using a fake security warning to trick
Android users into thinking they’ve already been infected … with Flubot.
It’s a lie, but it will become a reality if recipients of the text
message fall for it and click on the “install security update” button.
Flubot works in a Malware-as-a-Service (MaaS) model, being sold in underground forums by its operators to criminal groups. The actors behind the Flubot botnet send smishing (SMS phishing) messages with fake notices of upcoming package deliveries and urge the victim to follow a link to track the shipment.
The landing page then presents a download button supposedly
required to track the package. After a victim falls for this social
engineering trick, Flubot is downloaded to the mobile device
and requests various permissions, including access to the contact
list, sending SMS messages, and overlaying other applications.
Flubot, also called Cabassous, is an Android banking trojan that is pushed by cybercriminals in large-scale campaigns, targeting consumers across Europe this spring.
4. Flubot Malware Targets Androids With Fake Security Updates
Users who clicked on the link but didn’t download anything likely didn’t trigger a Flubot infection. However, it is “strongly recommended” that such users change all their online account passwords and contact their banks just to be safe.
The same goes for users who entered personal information into a
form – particularly payment card details: change passwords and
contact your bank to check for unusual activity.
These types of SMS phishing scams are known as smishing attacks, and they’re far from new. In February, attackers were harvesting personal data of users in the U.K. with fake messages promising tax refunds for overpayment. Mobile phishing has been a booming business since the start of the COVID-19 pandemic, experts say, and is expected to keep growing.
5. Flubot Malware Targets Androids With Fake Security Updates
If your device is infected, you’re going to have to do a full factory reset as soon as possible, deleting all your phone’s data. Restoring from backups is, unfortunately, off the table, it said: “Do not restore from backups created after installing the app. Seek the services of a qualified IT professional if you require assistance.”
Also change all online account passwords, particularly to online
bank accounts and, again, contact your bank if you see suspicious
activity.
6. JSC GREC Makeyev and other Russian entities under attack
Security researchers from Malwarebytes uncovered multiple attacks
targeting many Russian organizations, including JSC GREC Makeyev,
a company that develops liquid and solid fuel for Russia’s ballistic
missiles and space rocket program.
Threat actors behind the cyberespionage campaign orchestrated spear-phishing attacks; the messages sent to the target organizations used weaponized Office documents.
The documents were crafted to exploit the CVE-2021-40444 Internet Explorer flaw and posed as being sent by the company’s HR department.
Recently Microsoft has warned of multiple threat actors, including ransomware operators, that are exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations.
7. Credential Spear-Phishing Uses Spoofed Zix Encrypted Email
Armorblox researchers have spotted an ongoing credential-phishing attack that spoofs an encrypted Zix email – one coming, weirdly enough, from what looks like a legitimate domain associated with the Baptist religion.
At least, the threat actor is sending the phishing attack from
“thefullgospelbaptist[.]com”: a domain that might be a deprecated
or old version of a legitimate Baptist domain,
fullgospelbaptist[.]org, which is a religious organization established
in 1994.
In a Tuesday post, researchers said that, to date, the fake-Zix
encrypted email has targeted close to 75,000 inboxes and has
slipped past embedded spam and security controls across Office
365, Google Workspace, Exchange, Cisco ESA and others.
The attack is targeting a range of companies across sectors
including state and local government, education, financial services,
healthcare, and energy, selectively going after a mix of senior
executives and cross-departmental employees.
8. Credential Spear-Phishing Uses Spoofed Zix Encrypted Email
Zix is a key player in the email encryption market, right up there
with Cisco Systems, Trend Micro, Proofpoint, Sophos and Norton
LifeLock, et al.
Building on the name recognition alone helps the email to pass a
sniff test it should rightfully flunk. But beyond the brand name
alone, the email attack also uses a “gamut” of additional
techniques to evade traditional security filters and to “pass the eye
tests of unsuspecting end users,” Armorblox explained, including
social engineering, exploiting a legitimate-looking Baptist domain
and replication of existing workflows.
The subject header is “Secure Zix message.” The email body’s
header reiterates that title and tells the intended victim that
they’ve received a secure Zix message. Click on the “Message”
button to check it out, the email instructs.
Clicking on the “Message” link in the email will trigger an
attempted drive-by download of an HTML file named
“securemessage.” Armorblox researchers couldn’t open that file in
their virtual machine (VM) instance, since that’s not where the
redirect appeared.
10. Google fixes 2 new actively exploited zero-day flaws in Chrome
Google this week rolled out urgent security updates for the
Chrome browser to address four security flaws, including two new
zero-day vulnerabilities that are being exploited in the wild.
Google has addressed a total of five zero-day flaws this month,
while the total number of zero-days fixed since the start of the year
is 14.
The two zero-day vulnerabilities fixed in the latest release are tracked as CVE-2021-37975 and CVE-2021-37976.
The CVE-2021-37975 flaw is a use-after-free that resides in the V8 JavaScript engine; it was reported by an anonymous researcher. CVE-2021-37976 is an information leak that resides in the core; it was reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero, on 2021-09-21.
11. Google fixes 2 new actively exploited zero-day flaws in Chrome
The Google Threat Analysis Group (TAG) focuses on investigations into government-backed attacks; it is likely that CVE-2021-37976 was discovered while the experts were investigating a campaign carried out by a nation-state actor.
Google has addressed a total of 14 zero-day vulnerabilities in
Google Chrome since the start of the year.
12. Trend Micro fixes a critical flaw in ServerProtect Solution, patch it now!
Trend Micro has released security patches to address a critical
authentication bypass vulnerability, tracked as CVE-2021-36745,
that affects the Trend Micro ServerProtect product.
Trend Micro ServerProtect offers comprehensive real-time protection for enterprise infrastructure, shielding it from viruses, spyware, and other web threats.
A remote attacker can exploit the vulnerability to bypass authentication on vulnerable installs; the issue received a CVSS score of 9.8.
The vulnerability was reported by Yuto Maeda from Cyber Defense Institute through Trend Micro’s Zero Day Initiative; it is due to the lack of proper validation prior to authentication.
The vulnerability affects ServerProtect for Storage (SPFS) 6.0
for Windows, ServerProtect for EMC Celerra (SPEMC) 5.8,
ServerProtect for Network Appliance Filers (SPNAF) 5.8, and
Server Protect for Microsoft Windows / Novell Netware
(SPNT) 5.8.
13. QNAP Patches Critical Vulnerabilities in QVR Software
QNAP, the Taiwan-based maker of network-attached storage
(NAS) appliances, this week announced the availability of patches
for a couple of critical vulnerabilities in its QVR video
management solution.
Tracked as CVE-2021-34348 and CVE-2021-34351 and featuring a
CVSS score of 9.8, the vulnerabilities could be abused remotely to
run arbitrary commands on affected systems.
Additionally, the manufacturer patched CVE-2021-34349
(CVSS score of 7.2), a high-severity issue that leads to
arbitrary command execution as well.
Although all three security issues can be exploited remotely, CVE-2021-34349 requires the attacker to have high privileges on the vulnerable system for successful exploitation. The critical-severity flaws require no privileges.
The vulnerabilities, QNAP notes in its advisory, only affect
certain devices that have already reached their end-of-life
(EOL) status and are no longer available for sale.
15. Threat actors exploit a flaw in Coinbase 2FA to steal user funds
Threat actors have exploited a vulnerability in the SMS-based two-
factor authentication (2FA) system implemented by the crypto
exchange Coinbase to steal funds from more than 6,000 users.
According to a data breach notification letter filed with US state attorney general offices, attackers who knew the username, password and phone number associated with an account were able to bypass the SMS-based authentication and steal funds.
“Unfortunately, between March and May 20, 2021, you were a
victim of a third-party campaign to gain unauthorized access
to the accounts of Coinbase customers and move customer
funds off the Coinbase platform. At least 6,000 Coinbase
customers had funds removed from their accounts, including
you.” reads the data breach notification letter.
“In order to access your Coinbase account, these third parties
first needed prior knowledge of the email address, password,
and phone number associated with your Coinbase account, as
well as access to your personal email inbox.”
16. Threat actors exploit a flaw in Coinbase 2FA to steal user funds
Attackers exploited a flaw in Coinbase’s SMS Account Recovery process to receive an SMS two-factor authentication token. Once the campaign was discovered, the company updated its SMS Account Recovery protocols.
The company has yet to determine how the attackers obtained the above information; they likely gained access to the data through phishing attacks. In any case, it excluded that they obtained the data from the company itself.
“We have not found any evidence that these third parties
obtained this information from Coinbase itself,” the company
continues.
The cryptocurrency exchange announced it will reimburse all
impacted users and already started to send them the refunds.
17. Experts show how to make fraudulent payments using Apple Pay with VISA on
locked iPhones
Boffins from the University of Birmingham and the University of
Surrey exploited a series of vulnerabilities in an attack against
iPhone owners using Apple Pay and Visa payment cards.
The researchers explained that the attack could allow an
unauthenticated attacker to steal money from the targeted iPhone
when it is configured to use Apple Pay and a Visa card in “transit mode.”
Experts pointed out that the attack also works against locked
iPhones. Before going deep into the attack, let me introduce the
“Express Transit” / “Express Travel” feature implemented in Apple
Pay, which allows users to make a payment without having
authorized the payment with Face ID or Touch ID.
This feature could be very useful while paying for public
transportation.
The researchers attempted to simulate a similar scenario and
emulated a ticket-barrier transaction by using a Proxmark device
acting as a card reader communicating with the target iPhone and
an Android phone with an NFC chip (acting as a card emulator)
that communicated with a payment terminal.
18. Experts show how to make fraudulent payments using Apple Pay with VISA on
locked iPhones
In the attack scenario, hackers hold the reader emulator close to
the targeted iPhone.
The attack devised by the researchers is an active man-in-the-middle replay and relay attack: the Proxmark replays the “magic bytes” to the iPhone to trick it into believing that it’s a ticket-gate transaction that doesn’t require any user action to authorize the payment.
In order to carry out the attack, the experts enabled offline data
authentication for online transactions through specific settings, this
step was necessary because some readers may have intermittent
connectivity (e.g. transit system entries
The researchers were also able to steal an amount of money over the limit for contactless card transactions; they published a video PoC that demonstrates that it was possible to steal £1,000 ($1,300) from a locked phone.
The attack does not work if Apple Pay is used with Mastercard cards.
19. Tim’s RED Team Research reports 3 new CVEs, two of which in 4G/5G
Telecom Italia Red Team Research (RTR) laboratory, led by Massimiliano Brolli, reported three new vulnerabilities affecting Oracle GlassFish and Nokia NetAct, as reported on the online project’s page.
Two vulnerabilities affect Nokia NetAct, a mobile network management system offering a centralized view of multi-technology networks, such as 5G, 4G, 3G and 2G. The system offers built-in management of daily operations without interruptions, including configuration management, monitoring, and software management. NetAct supports network elements in both radio mobile and core network, Wi-Fi, IoT, public security and telco cloud.
The last vulnerability has been found in GlassFish, an Oracle product that offers full support for the Java EE 8 specifications (it is the reference implementation) with the latest API versions for technologies such as Java Servlet 4, JavaServer Pages (JSP 2.3), Enterprise JavaBeans (EJB 3.2) and Java Persistence API (JPA 2.1).
20. Tim’s RED Team Research reports 3 new CVEs, two of which in 4G/5G
The vulnerabilities have been discovered by Red Team Research’s
researchers and promptly reported to the respective vendors
where the relevant CVEs were subsequently issued, then,
published in the National Vulnerability Database of the United
States of America and finally, listed by NIST.
CVE-2021-26597 – NOKIA NetAct
• Vulnerability Description: Unrestricted Upload of File with
Dangerous Type – CWE-434
• Software Version: NOKIA NetAct 18A
CVE-2021-26596 – NOKIA NetAct
• Vulnerability Description: Improper Neutralization of Input
During Web Page Generation (Stored Cross-Site Scripting) –
CWE-79
• Software Version: NOKIA NetAct 18A
CVE-2021-3314 – Oracle GlassFish Server
• Vulnerability Description: Improper Neutralization of Input
During Web Page Generation (Cross-Site Scripting) – CWE-79
• Software Version: <= 3.1.2.18
21. Tim’s RED Team Research reports 3 new CVEs, two of which in 4G/5G
** UNSUPPORTED WHEN ASSIGNED ** Oracle GlassFish Server
3.1.2.18 and below allows /common/logViewer/logViewer.jsf XSS.
A malicious user can cause an administrator user to supply
dangerous content to the vulnerable page, which is then reflected
back to the user and executed by the web browser. The most
common mechanism for delivering malicious content is to include
it as a parameter in a URL that is publicly posted or sent via email
to victims. NOTE: This vulnerability only affects products that are
no longer supported by the maintainer.
22. Hydra Android trojan campaign targets customers of European banks
Experts warn of a malware campaign targeting European e-
banking platform users with the Hydra banking trojan. According
to malware researchers from the MalwareHunterTeam and Cyble,
the new campaign mainly impacted the customers of
Commerzbank, Germany’s second-largest bank. Hydra is an
Android Banking Bot that has been active at least since early 2019.
Threat actors set up a page posing as the official CommerzBank
page and registered multiple domains on the same IP
(91.214.124[.]225). Crooks used the fake website to spread the
tainted CommerzBank apps.
According to Cyble researchers, Hydra continues to evolve: the variants employed in the recent campaign incorporate TeamViewer functionality, similar to the S.O.V.A. Android banking Trojan, and leverage different encryption techniques to evade detection, along with the use of Tor for communication. The new version is also able to disable the Play Protect Android security feature.
23. Hydra Android trojan campaign targets customers of European banks
The experts warn that the malware requests two extremely dangerous permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN.
The Accessibility Service is a background service that aids users
with disabilities, while BIND_ACCESSIBILITY_SERVICE permission
allows the app to access the Accessibility Service.
The malware asks for other permissions to carry out malicious
activities such as access SMS content, send SMSs, perform calls,
modify device settings, spy on user activities, send bulk SMSs to
victim’s contacts and more.
The analysis of the code revealed that various classes are missing
in the APK file. The malicious code uses a custom packer to evade
signature-based detection.
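As an added illustration of the permission profile described above (this is not code from the Cyble or MalwareHunterTeam analysis), the following Python script scans an Android manifest for SMS and call permissions requested via uses-permission, together with any service or receiver bound with BIND_ACCESSIBILITY_SERVICE or BIND_DEVICE_ADMIN. The manifest is constructed for this example, and the package and component names are invented.

```python
"""Flag the permission profile of an Android banking bot in a manifest.
Added example; the manifest below is constructed, not taken from a real
Hydra sample, and the package/component names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions that enable SMS/call abuse and contact harvesting.
RISKY_USES_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_SETTINGS",
}

# Signature permissions declared on a component's android:permission
# attribute: they identify an accessibility service or device-admin receiver.
RISKY_BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed sample manifest with the profile described in the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Bank">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def scan_manifest(xml_text):
    """Return the risky uses-permissions (in document order) and the
    components bound with an accessibility/device-admin permission."""
    root = ET.fromstring(xml_text)
    uses = [
        node.get(ANDROID_NS + "name", "")
        for node in root.iter("uses-permission")
        if node.get(ANDROID_NS + "name", "") in RISKY_USES_PERMISSIONS
    ]
    bound = []
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = node.get(ANDROID_NS + "permission", "")
            if perm in RISKY_BIND_PERMISSIONS:
                bound.append((tag, node.get(ANDROID_NS + "name", ""), perm))
    return {"uses_permission": uses, "bind_permission": bound}


def matches_banking_bot_profile(findings):
    """True when the app combines an accessibility service, a device-admin
    receiver and at least one SMS permission: the pattern described above."""
    bound_perms = {perm for _, _, perm in findings["bind_permission"]}
    has_sms = any(p.endswith("_SMS") for p in findings["uses_permission"])
    return RISKY_BIND_PERMISSIONS <= bound_perms and has_sms


if __name__ == "__main__":
    result = scan_manifest(SAMPLE_MANIFEST)
    for name in result["uses_permission"]:
        print("risky uses-permission:", name)
    for tag, name, perm in result["bind_permission"]:
        print(f"{tag} {name} bound with {perm}")
    print("banking-bot profile:", matches_banking_bot_profile(result))
```

The check runs on a decoded manifest (the binary AndroidManifest.xml inside an APK has to be decoded first); a match is a triage signal, not proof of malice, since legitimate accessibility and MDM apps also declare these bindings.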
24. Neiman Marcus discloses data breach, payment card data exposed
The attack against Neiman Marcus Group took place in May 2020; as a result of the attack, threat actors had access to customers’ information, including payment card data.
Exposed personal information includes names and contact
information, usernames, passwords, and answers to security
questions associated with online accounts.
The security breach impacted 4.6 million online customers, 3.1
million payment and virtual gift cards were compromised, 85% of
which were either expired or invalid.
The attackers had access to payment card numbers and expiration dates, while CVV numbers were not compromised. The company also added that the PINs of virtual gift cards were not compromised either.
In response to the security breach, NMG is requiring an online
account password reset for affected customers who had not
changed their password since May 2020.
25. Weaponizing Apple AirTag to lure users to malicious sites
Security researcher Bobby Rauch discovered a stored cross-site
scripting (XSS) vulnerability in the Apple AirTag product that can
be exploited by attackers to lure users to malicious websites.
Apple AirTag is a tracking device designed to act as a key finder, it
allows users to find personal objects (e.g. keys, bags, apparel, small
electronic devices, vehicles).
Rauch, like other researchers recently, decided to disclose the
vulnerability because Apple did not address it.
Apple AirTag Lost Mode allows a user to mark their device as missing if they have misplaced it. This generates a unique https://found.apple.com page containing the AirTag info (i.e. serial number, the phone number and message from the owner). If an individual with an iPhone or Android device finds the missing AirTag, they can scan it using NFC, which opens the AirTag’s unique https://found.apple.com page on their device.
26. Weaponizing Apple AirTag to lure users to malicious sites
In the attack scenario described by the expert, an attacker enables “lost mode” for an AirTag and injects the malicious payload into the phone number field. When the victim finds the device and scans it, the malicious payload is triggered immediately.
Rauch demonstrated the attack using a payload to redirect the victim to a fake iCloud login page.
The process to exploit the issue, as described by the expert in a post published on Medium, includes:
1. An attacker sets their Airtag into lost mode.
2. An attacker intercepts this request, and injects a malicious payload into the phone number field.
3. A victim then discovers the lost Airtag. They open up their Find
My app, and scan the Airtag.
4. This opens up the generated https://found.apple.com page.
The victim is immediately redirected to the malicious attacker
page, which is a direct clone of one of the iCloud.com login
pages.
5. The victim enters their iCloud credentials, which are
immediately exfiltrated to the attacker’s server.
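Both the GlassFish logViewer.jsf reflected XSS on slide 21 and the AirTag Lost Mode stored XSS above come down to the same defect: untrusted text (a URL parameter, an owner-supplied phone number) reaching an HTML page unencoded. The following Python is an added example, not code from Rauch’s post or from GlassFish. It shows the vulnerable rendering beside a hardened one that allowlists the phone-number field and HTML-encodes every field at output. The page templates, the query-parameter name logFile and the test payload are constructed for illustration.

```python
"""Neutralise untrusted input before it reaches an HTML page.
Added example, not code from Rauch's post or from GlassFish; the page
templates, the parameter name logFile and the payload are constructed."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow only what a phone number legitimately contains: optional leading
# '+', then digits with common separators. Anything else is rejected.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{4,19}$")

# Constructed test string of the kind an XSS regression test uses.
PAYLOAD = "<script>alert(1)</script>"


def is_valid_phone(value):
    return PHONE_RE.fullmatch(value) is not None


def render_found_page_vulnerable(phone, message):
    """The defect class: owner-supplied fields dropped straight into markup."""
    return f"<p>Owner phone: {phone}</p><p>{message}</p>"


def render_found_page_hardened(phone, message):
    """Validate the structured field, then encode every field at output."""
    if not is_valid_phone(phone):
        raise ValueError("phone number rejected by allowlist")
    return (f"<p>Owner phone: {html.escape(phone)}</p>"
            f"<p>{html.escape(message)}</p>")


def render_log_viewer_vulnerable(url):
    """Reflected variant: a query parameter (hypothetical name logFile)
    echoed back unencoded, the shape of the logViewer.jsf issue above."""
    params = parse_qs(urlsplit(url).query)
    log_name = params.get("logFile", [""])[0]
    return f"<h1>Viewing {log_name}</h1>"


def render_log_viewer_hardened(url):
    """Same page with the parameter HTML-encoded before it is reflected."""
    params = parse_qs(urlsplit(url).query)
    log_name = params.get("logFile", [""])[0]
    return f"<h1>Viewing {html.escape(log_name)}</h1>"


if __name__ == "__main__":
    print(render_found_page_vulnerable(PAYLOAD, "please call me"))
    try:
        render_found_page_hardened(PAYLOAD, "please call me")
    except ValueError as err:
        print("hardened:", err)
    print(render_found_page_hardened("+44 20 7946 0958", PAYLOAD))
    url = "https://example.test/common/logViewer/logViewer.jsf?logFile=" + PAYLOAD
    print(render_log_viewer_vulnerable(url))
    print(render_log_viewer_hardened(url))
```

Output encoding is the control that matters in both cases: the allowlist on the phone field is a defence in depth, but the free-text message (and the log-file parameter) can only be made safe by encoding at the point where they are written into HTML.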
27. A wolf in sheep's clothing: Actors spread malware by leveraging trust in Amnesty
International and fear of Pegasus
Threat actors are impersonating the group Amnesty International and promising to protect against the Pegasus spyware as part of a scheme to deliver malware.
Amnesty International recently made international headlines when
it released a groundbreaking report on the widespread use of
Pegasus to target international journalists and activists.
Adversaries have set up a phony website that looks like Amnesty
International's — a human rights-focused non-governmental
organization — and points to a promised anti-virus tool to protect
against the NSO Group's Pegasus tool. However, the download
actually installs the little-known Sarwent malware.
Sarwent contains the usual abilities of a remote access tool (RAT)
— mainly serving as a backdoor on the victim machine — and can
also activate the remote desktop protocol on the victim machine,
potentially allowing the adversary to access the desktop directly.
28. Popular Android apps with 142.5 million collective installs leak user data
• 14 top Android apps with 142.5 million installs are
misconfigured, leaving their data exposed to unauthorized
parties.
• Nine out of 14 popular Android apps are still potentially leaking
the data of more than 30.5 million users.
• Firebase is a cross-platform tool, which suggests that Firebase
misconfigurations affect their iOS versions as well.
If you have an Android app installed on your smartphone, there’s a
high chance it is using Firebase. With an active monthly base
of more than 2.5 million apps, Firebase is a mobile application
development platform that offers a multitude of useful features,
including analytics, hosting, and real-time cloud storage.
CyberNews decided to analyze over a thousand top apps on
Google Play and see how many were storing their data on Firebase
real-time databases insecurely.
29. Popular Android apps with 142.5 million collective installs leak user data
What their Investigations team discovered was eye-opening: 14
top Android apps with 142.5 million installs were suffering from
Firebase misconfigurations, which enabled them – and anyone
else who knows the right URL – to access their real-time databases
and all the user information stored without any kind of
authentication.
Although they only looked at top Android apps on the Google Play
store, Firebase is platform-agnostic. This means that iOS apps that
use Firebase might be affected by these misconfigurations as well.
On September 14, CyberNews researchers reported their findings to Google and asked them to help the developers of the exposed apps secure their real-time databases. Google has as of yet ignored the queries.
As a result, nine out of 14 popular Android apps, which have not responded to CyberNews’ requests and could only be secured with assistance from Google, are still leaking the data of more than 30.5 million users.
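The misconfiguration CyberNews describes is a Realtime Database whose security rules grant read (and often write) access without authentication. The following Python check is added here as an example, not CyberNews’ tooling: it walks an exported rules document and reports every path where .read or .write is unconditionally true. The three rule documents are constructed to show the open “test mode” shape beside a per-user rule and a mixed case.

```python
"""Audit Firebase Realtime Database security rules for open access.
Added example, not CyberNews tooling; the rule documents below are
constructed for illustration."""
import json

# The permissive "test mode" shape: anyone who knows the database URL can
# read and write the whole tree without signing in.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Per-user rules: a signed-in user may only touch their own subtree, and
# nothing is granted at the root, so there is no unauthenticated path.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})

# A mixed document: one subtree deliberately public, plus a subtree that was
# left writable by mistake (the string 'true' is also unconditional).
MIXED_RULES = json.dumps({
    "rules": {
        "public_config": {".read": True},
        "orders": {".read": "auth != null", ".write": "true"},
    }
})


def unconditional(value):
    """A rule is open when it is the literal true or the string 'true'."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def find_open_paths(rules_json):
    """Return (path, operation) pairs granted unconditionally.
    Rules cascade downward in the Realtime Database, so an open .read at
    '/' exposes every child path as well."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if unconditional(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def exposes_unauthenticated_write(rules_json):
    """Unauthenticated writes let anyone tamper with or wipe the data."""
    return any(op == ".write" for _, op in find_open_paths(rules_json))


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES),
                         ("mixed", MIXED_RULES)):
        print(label, find_open_paths(rules))
```

Two caveats when reading the results: a rule of `auth != null` only requires some signed-in identity, which includes anonymous sign-in if that provider is enabled, so scoping by `auth.uid` is what actually isolates user data; and a public subtree that is open on purpose still needs a review of what is stored under it.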
30. Threat actors use recently discovered CVE-2021-26084 Atlassian Confluence
Trend Micro researchers have spotted crypto-mining campaigns
that are actively exploiting a recently disclosed critical remote
code execution vulnerability in Atlassian Confluence deployments
across Windows and Linux.
At the end of August, Atlassian released security patches to
address the critical CVE-2021-26084 flaw that affects the
Confluence enterprise collaboration product.
The flaw is an OGNL injection issue that can be exploited by an
authenticated attacker to execute arbitrary code on affected
Confluence Server and Data Center instances.
“An OGNL injection vulnerability exists that would allow an
authenticated user, and in some instances unauthenticated user, to
execute arbitrary code on a Confluence Server or Data Center
instance. ” reads the advisory published by the company.
The issue was discovered by Benny Jacob (SnowyOwl) through the Atlassian public bug bounty program; the vulnerability received a CVSS score of 9.8.
31. Expert discloses new iPhone lock screen vulnerability in iOS 15
The security researcher Jose Rodriguez (@VBarraquito) discovered
a new lock screen vulnerability for iOS 15 (& iOS 14.8) that has yet
to be addressed by Apple. A threat actor with physical access to a
vulnerable device can access Notes via Siri/Voice Over.
Rodriguez explained that in real incidents, unattended or stolen
devices with a lock screen bypass vulnerability are exposed to
attacks that could leverage a lock screen vulnerability to access
sensitive information.
This specific type of vulnerability represents a serious threat to individuals
and organizations, for this reason, the expert suggests including their
research when conducting a mobile pen-testing assessment.
The expert disclosed details about the lock screen bypass vulnerability after Apple downplayed similar flaws, tracked as CVE-2021-1835 and CVE-2021-30699, reported by the researcher earlier this year.
The flaws allowed an attacker to access instant messaging apps like
WhatsApp or Telegram even while the mobile device was locked.
32. SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
The threat actors behind the notorious SolarWinds supply-chain attacks
have dispatched new malware to steal data and maintain persistence
on victims’ networks, researchers have found.
Researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT that Microsoft calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb to attack Active Directory Federation Services (AD FS) servers. AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment by sharing digital identity and entitlement rights.
The attacks started as far back as April, Ramin Nafisi from
MSTIC wrote in a blog post published Monday.
Nobelium is employing “multiple tactics to pursue credential
theft” to gain admin privileges to AD FS servers, Nafisi wrote.
Then, once a server is compromised, the threat group deploys
FoggyWeb “to remotely exfiltrate the configuration database of
compromised AD FS servers, decrypted token-signing
certificates and token-decryption certificates,” he said, which
can be used to penetrate into users’ cloud accounts.
33. SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
In addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them, Nafisi added.
In the post, Nafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS.
“The backdoor configures HTTP listeners for actor-defined URIs
that mimic the structure of the legitimate URIs used by the
target’s AD FS deployment,” Nafisi wrote. “The custom listeners
passively monitor all incoming HTTP GET and POST requests
sent to the AD FS server from the intranet/internet and intercept
HTTP requests that match the custom URI patterns defined by
the actor.”
34. GriftHorse malware infected more than 10 million Android phones from 70
countries
Security researchers from Zimperium have uncovered a piece of
malware, dubbed GriftHorse, that has infected more than 10
million Android smartphones across more than 70 countries.
According to the experts, the malware campaign has been active since at least November 2020; threat actors are spreading it via apparently harmless apps that were uploaded to the official Google Play Store and third-party Android app stores.
Operators behind the campaign are carrying out a global premium
services Trojan campaign, the malicious code subscribes the owners of
infected devices to paid services, charging a premium amounting to
around 36 Euros per month.
The users are bombarded with alerts on the screen that inform
them that they have won a prize and ask them to accept the
invitation to receive it. The victims are bombarded with pop-ups
that reappear no less than five times per hour.
Zimperium researchers pointed out that GriftHorse coders invested significant effort in developing high-quality code; they also used a wide spectrum of websites and over 200 Trojan applications to infect as many users as possible while remaining under the radar.
35. Experts observed for the first time FinFisher infections involving usage of a UEFI
bootkit
Malware researchers at Kaspersky have spotted a new improvement of the infamous commercial FinSpy surveillance spyware (also known as Wingbird): it can now hijack and replace the Windows UEFI (Unified Extensible Firmware Interface) bootloader to infect the target machines.
Replacing the UEFI bootloader allows the attackers to install a bootkit that cannot be detected by security solutions running on the machine and lets the malware gain persistence on the infected systems.
Kaspersky experts shared the results of an eight-month investigation into FinSpy spyware at the Security Analyst Summit (SAS) 2021. The researchers uncovered four-layer obfuscation and advanced anti-analysis measures employed by the authors that currently make FinFisher one of the hardest-to-detect spyware to date.
Kaspersky experts pointed out that the FinFisher variant they detected did not infect the UEFI firmware itself; the attackers replaced the Windows Boot Manager (bootmgfw.efi) with a malicious one to infect the machine.
36. A complete PoC exploit for CVE-2021-22005 in VMware vCenter is available online
A working exploit for the CVE-2021-22005 vulnerability in
VMware vCenter is publicly available, and attackers are already
attempting to use it in the wild.
VMware recently addressed the critical arbitrary file upload vulnerability CVE-2021-22005; it impacts appliances running default vCenter Server 6.7 and 7.0 deployments.
vCenter Server is the centralized management utility for VMware,
and is used to manage virtual machines, multiple ESXi hosts, and
all dependent components from a single centralized location.
The vulnerability is due to the way it handles session tokens.
While the company urges its customers to immediately apply the
security patch to fix the vulnerability, threat actors
started scanning the internet for vulnerable systems.
The threat intelligence firm Bad Packets reported that scanning
activity for this vulnerability started immediately after the
virtualization giant addressed the flaw.
37. ERMAC, a new banking Trojan that borrows the code from Cerberus malware
Researchers from Threatfabric found in July a new Android
banking trojan dubbed ERMAC that is almost fully based on the
popular banking trojan Cerberus. The source code of
Cerberus was released in September 2020 on underground
hacking forums after its operators failed an auction.
According to the experts, ERMAC is operated by threat actors behind
the BlackRock mobile malware.
On August 17, two forum members named “ermac” and
“DukeEugene” started advertising the malware. “DukeEugene”,
posted the following message in his account:
“Android botnet ERMAC. I will rent a new android botnet with wide
functionality to a narrow circle of people (10 people). 3k$ per
month. Details in
DukeEugene is a threat actor known to be behind the BlackRock banking Trojan.
ERMAC differs from Cerberus in its use of different obfuscation techniques and the Blowfish encryption algorithm.
38. New BloodyStealer malware is targeting the gaming sector
Researchers from Kaspersky have spotted a new malware dubbed
BloodyStealer that is being used by threat actors to steal accounts
for multiple gaming platforms, including Steam, Epic Games Store,
GOG Galaxy, EA Origin, and more.
The infostealer is available for sale on dark web forums. The
researchers explained that the malware allows operators to harvest a
broad range of information, including cookies, passwords, bank cards,
and sessions from various applications.
Stolen data are later sold by the operators in underground
marketplaces; gaming accounts are in demand in the cybercrime
ecosystem.
Gaming login credentials to popular platforms such as Steam,
Origin, Ubisoft or EpicGames can be bought for 14.2 USD per
thousand accounts when sold in bulk, and for 1-30% of an
account’s value when sold individually.
BloodyStealer is offered through a malware-as-a-service model: it is
offered for less than 10 USD for a 1-month subscription or 40 USD
for a lifetime subscription.
39. New BloodyStealer malware is targeting the gaming sector
The researchers explained that the malware implements several
anti-analysis methods, including the use of packers and anti-
debugging techniques.
Below is the list of capabilities advertised by the developer of the
malware (translated from Russian as is):
• Grabber for cookies, passwords, forms, bank cards from browsers
• Stealer for all information about the PC and screenshots
• Steals sessions from the following clients: Bethesda, Epic Games,
GOG, Origin, Steam, Telegram, VimeWorld
• Steals files from the desktop (.txt) and the uTorrent client
• Collects logs from the memory
• Duplicate logging protection
• Reverse engineering protection
• Not functional in the CIS
40. Expert found RCE flaw in Visual Studio Code Remote Development Extension
Visual Studio Code Remote Development allows users to adopt a
container, remote machine, or the Windows Subsystem for
Linux (WSL) as a full-featured development environment.
Users can:
• Develop on the same operating system you deploy to or use
larger or more specialized hardware.
• Separate your development environment to avoid impacting
your local machine configuration.
• Make it easy for new contributors to get started and keep
everyone on a consistent environment.
• Use tools or runtimes not available on your local OS or manage
multiple versions of them.
• Develop your Linux-deployed applications using the Windows
Subsystem for Linux.
• Access an existing development environment from multiple
machines or locations.
• Debug an application running somewhere else such as a
customer site or in the cloud.
41. Expert found RCE flaw in Visual Studio Code Remote Development Extension
Security experts from cybersecurity firm Shielder discovered that
Visual Studio Code Remote Development Extension, version 1.50,
fails to sanitize the host field passed as an argument of
the ssh command. A threat actor could exploit this issue, tracked
as CVE-2020-17148, to inject a ProxyCommand option that could
result in the execution of arbitrary commands.
The security advisory published by Microsoft states that an
attacker would have to convince a user with the Visual Studio Code
Remote Development Extension installed to click on a specially
crafted link.
According to the security expert Abdel Adim `smaury` Oisfi, the
argument injection resides in the “Remote – SSH” extension, which
is used and installed by the “Remote Development” one.
42. TangleBot Malware Reaches Deep into Android Device Functions
A malware campaign targeting Android devices in the United States
and Canada with convincing text messages and links that lead to a
downloader has highlighted the danger from SMS spam and phishing,
security experts report.
The campaign, dubbed TangleBot, uses coronavirus-themed
messages to convince users to click a link, which leads to websites
that attempt to collect sensitive information from the victim,
according to researchers from email and messaging security firm
Cloudmark in a September 23 analysis. The campaign follows
attempts by attackers to use SMS phishing, also known as smishing,
to perpetrate unemployment insurance fraud in the US.
Remote work has made SMS attacks easier for fraudsters in
many ways, says Jacinta Tobin, vice president of global sales and
operations at the Cloudmark division of Proofpoint.
43. TangleBot Malware Reaches Deep into Android Device Functions
In the TangleBot case, once the malware compromises a machine, the
attacker can monitor many user activities — such as websites they have
visited and passwords they have entered — as well as record audio from
the microphone and video from the camera. TangleBot also uses many
levels of obfuscation to make analysis difficult, such as placing code in
hidden files, bulking up files with unused code, and removing the spaces
from the code — a technique known as minification.
"The capabilities also enable the theft of considerable personal
information directly from the device and through the camera and
microphone, spying on the victim," Cloudmark's analysis stated.
"Harvesting of personal information and credentials in this manner
is extremely troublesome for mobile users because there is a
growing market on the dark web for detailed personal and account
data."
44. TangleBot Malware Reaches Deep into Android Device Functions
TangleBot does not exploit flaws in the Android system, but it socially
engineers users to click through multiple dialogue boxes. Depending on
how the Android device is configured, as many as nine different dialogue
boxes and security alerts would have to be clicked to complete the
installation of the software. While on its face such a chain of notifications
would appear sufficient, experience has shown users have become
accustomed to clicking through warnings.
"Based on what we've seen with similar mobile malware attacks
recently, such as FluBot attacks that have been active in the UK and
Europe, users tend to disregard the multiple warning and
permissions and still download and install software from untrusted
sources," Proofpoint's Tobin says.
Not all attacks on messaging apps require so many steps. Other
attackers have found ways to use vulnerabilities in messaging apps,
on both Apple and Android phones, to conduct zero-click or one-
click attacks, in which just receiving a malicious message or clicking
a link in a message is enough to compromise the device.
45. Jupyter infostealer continues to evolve and is distributed via MSI installers
Cybersecurity researchers from Morphisec have spotted a new
version of the Jupyter infostealer that continues to be highly
evasive.
In November 2020, researchers at Morphisec spotted
Russian-speaking threat actors using a .NET infostealer,
tracked as Jupyter, to steal information from their
victims.
The Jupyter malware is able to collect data from multiple
applications, including major Browsers (Chromium-based browsers,
Firefox, and Chrome) and is also able to establish a backdoor on
the infected system.
“Jupyter is an infostealer that primarily targets Chromium, Firefox,
and Chrome browser data. However, its attack chain, delivery, and
loader demonstrate additional capabilities for full backdoor
functionality.” reads the analysis published by Morphisec. “These
include:
46. Jupyter infostealer continues to evolve and is distributed via MSI installers
The experts spotted the infostealer during a routine incident
response process in October, but according to forensic data earlier
versions of the info-stealer had been in development since May.
The malware was continuously updated to evade detection and
include new information-stealing capabilities; the most recent
version was created in early November.
On 8 September 2021, the researchers observed a new delivery
chain that was able to avoid detection by using an MSI payload
that executes a legitimate installation binary of Nitro Pro 13.
Two of the variants analyzed by the researchers are signed with a
valid certificate issued to a Polish business named ‘TACHOPARTS
SP Z O O’. Another variant analyzed by the experts was signed with
a revoked certificate named ‘OOO Sistema.’
47. Port of Houston was hit by an alleged state-sponsored attack
One of the major US ports, the Port of Houston, revealed that it was
hit by a cyber attack in August that had no impact on its systems.
Cybersecurity and Infrastructure Security Agency Director Jen
Easterly disclosed the attack at a Senate committee hearing
Thursday morning. She believed the attack was conducted by a
“nation-state actor” that exploited a zero-day flaw in a Zoho user
authentication device.
Sen. Rob Portman, R-Ohio, expressed concerns about attacks
against critical infrastructure and urged US authorities to “push
back against these nation-state actors who continue to probe and
to commit these crimes against our public and private sector
entities.”
In mid-September, the FBI, CISA, and the Coast Guard Cyber
Command (CGCYBER) issued a joint advisory to warn that nation-
state APT groups are actively exploiting a critical vulnerability,
tracked as CVE-2021-40539, in the Zoho ManageEngine
ADSelfService Plus software.
48. Google TAG spotted actors using new code signing tricks to evade detection
Researchers from Google’s Threat Analysis Group reported that
financially motivated actors are using new code signing tricks to
evade detection.
By code signing executables, it is possible to verify their integrity
and provide information about the identity of the signer.
The experts noticed that the technique was employed by operators
behind OpenSUpdater, which is a known family of unwanted
software.
The threat actors aimed at infecting as many users as possible;
most of their targets appear to be US users interested in
downloading game cracks and grey-area software.
The researchers noticed that OpenSUpdater samples were often
signed with the same code-signing certificate, but since mid-
August, they noticed that the executables had an invalid signature.
Further investigation revealed that the invalid signature was used
in the attempt to evade detection.
49. Hackers Targeting Brazil's PIX Payment System to Drain Users' Bank Accounts
Two newly discovered malicious Android applications on Google
Play Store have been used to target users of Brazil's instant
payment ecosystem in a likely attempt to lure victims into
fraudulently transferring their entire account balances into another
bank account under cybercriminals' control.
"The attackers distributed two different variants of banking
malware, named PixStealer and MalRhino, through two separate
malicious applications […] to carry out their attacks," Check
Point Research said in an analysis shared with The Hacker News.
"Both malicious applications were designed to steal money of
victims through user interaction and the original PIX application."
The two apps in question, which were uncovered in April 2021,
have since been removed from the app store.
PixStealer, which was found distributed on Google Play as a fake
PagBank Cashback service app, is designed to empty a victim's
funds to an actor-controlled account, while MalRhino —
masquerading as a mobile token app for Brazil's Inter bank —
comes with advanced features necessary to collect the list of
installed apps and retrieve PIN for specific banks.
51. CISA releases Insider Risk Mitigation Self-Assessment Tool
The US Cybersecurity and Infrastructure Security Agency (CISA)
has released the Insider Risk Mitigation Self-Assessment Tool, a
new tool that allows organizations to assess their level of exposure
to insider threats.
Insider threats pose a severe risk to organizations: the attacks are
carried out by current or former employees, contractors, or others
with inside knowledge, and for this reason they are not easy to detect.
An attack from insiders could compromise sensitive information,
cause economic losses, damage the reputation of the
organization, lead to theft of intellectual property and loss of market
share, and even cause physical harm to people.
The tool evaluates an organization's answers to a survey about its
implementation of an insider threat risk management program.
The tool allows organizations to create their own programs to
prevent and mitigate insider threats.
CISA provides further info and tools to mitigate insider threat risks
that are available on its website.
52. NSA, CISA share VPN security tips to defend against hackers
Virtual Private Networks (VPNs) allow users to remotely connect to a
corporate network via a secure tunnel. Through this tunnel, users can
take advantage of the internal services and protections normally
offered to on-site users, such as email/collaboration tools, sensitive
document repositories, and perimeter firewalls and gateways. Because
remote access VPN servers are entry points into protected networks,
they are targets for adversaries.
The National Security Agency (NSA) and CISA have released the
cybersecurity information sheet Selecting and Hardening
Standards-based Remote Access VPN Solutions to address the
potential security risks associated with using Virtual Private
Networks (VPNs). Because remote-access VPN servers allow off-
site users to tunnel into protected networks, these entry
points are attractive targets for malicious cyber actors.
53. NSA, CISA share VPN security tips to defend against hackers
Exploitation of these devices can enable:
• Credential harvesting
• Remote code execution on the VPN device
• Cryptographic weakening of encrypted traffic sessions
• Hijacking of encrypted traffic sessions
• Arbitrary reads of sensitive data (e.g., configurations, credentials,
keys) from the device
The two agencies created the document to help organizations
improve their defenses particularly against attacks from nation-
state adversaries, who in the past have exploited bugs in VPN
systems to “steal credentials, remotely execute code, weaken
encrypted traffic’s cryptography, hijack encrypted traffic
sessions, and read sensitive data from the device.”
The document provides direction for selecting VPN solutions
that follow the industry standards and the best practices for
using strong authentication credentials.
54. German Federal Office for Information Security (BSI) investigates Chinese mobile phones
The German Federal Office for Information Security (BSI) is launching an
investigation into the cybersecurity of mobile phones of certain
Chinese manufacturers.
The investigation was requested by both the SPD politician Jens
Zimmermann and the CDU digital politician Tankred Schipanski.
The decision of the BSI comes after the Lithuanian cyber
defense published a report claiming that some mobile phones
commercialized by Xiaomi and Huawei showed
undocumented behavior that could be triggered remotely
by the Chinese vendors.
Lithuanian government experts have analyzed three specific
smartphone models, the Huawei P40 5G, the Xiaomi Mi 10T 5G
and the OnePlus 8T 5G. According to the report, Xiaomi phones
could be instructed to censor terms such as “Long live Taiwan
independence” or “Free Tibet.”
Welcome to this week's Cyber Security weekly where we review the security events that happened in the last week. Last week was the week of the banking trojans, as you will see by the recurring theme in many of these news articles.
In case you have not seen my episode on Phishing, the link is above, pinned in the comment section below and will be in the credits at the end of this video. I highly recommend you watch that video. I discuss the most prevalent types of Phishing campaigns and how to spot them so check it out. AFTER, of course, you finish watching this episode.
The IT giant says that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability; the threat actors used weaponized Office documents. The campaigns observed in August 2021 likely employed emails impersonating contracts and legal agreements, and the messages used documents that were hosted on file-sharing sites.
Now Malwarebytes observed multiple attacks exploiting the same MSHTML vulnerability aimed at Russian entities.
I did an episode on this vulnerability as well. Check it out if you have not already. The link is above and in the comments section below.
Techniques used in the campaign include:
Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims
Brand impersonation: The email has HTML stylings and content disclaimers similar to real emails from Zix.
Exploiting legitimate domain: The parent domain of the email sender was a deprecated or old version of a legitimate domain – ‘thefullgospelbaptist[.]com’.
“This vulnerability allows remote attackers to bypass authentication on affected installations of Trend Micro ServerProtect. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the ServerProtect console. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system.”
The experts shared their findings with both Visa and Apple and also provided recommendations on how to mitigate the attack. Both companies have yet to fix the vulnerabilities exploited by the experts because they believe that the attack method proposed by the researchers is impractical in the real world.
In early 2014, Neiman Marcus disclosed another data breach, at the time attackers had access to its customers’ data, including payment information of those who visited its stores.
The same vulnerability could be exploited in multiple ways, for example, redirecting the users to a website designed to serve malware.
“Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all. The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag. Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support “Lost Mode” as part of Apple’s Find My network.” concludes the expert.
The malicious software being deployed is not a standard information stealer that, once executed, steals credentials and exfiltrates them immediately. In this case, Sarwent has a look and feel that could easily be recognized as a regular anti-virus program. It provides the attacker with the means to upload and execute any other malicious tools. Likewise, it can exfiltrate any kind of data from the victim's computer.
The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access.
Apps investigated include:
• Universal Remote Control (over 100 million downloads)
• Remote for Roku: Codematics (more than a million installs)
• Hybrid Warrior: Dungeon of the Overlord (over 1 million installs)
• Find my Kids: Child Cell phone Location tracking (they turned off their Firebase DB)
An attacker could trigger the issue by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.
Researchers from Threat intelligence firm Bad Packets also detected mass scanning and exploit activity targeting Atlassian Confluence servers vulnerable to the above RCE.
Now Trend Micro researchers shared technical details of the vulnerability and published a report for a crypto-currency mining campaign distributing z0Miner.
Rodriguez explained that Apple partially fixed the issue and did not involve him in the test of the released patch.
Then the expert proposed a variant of the same bypass issue that leverages Apple Siri and VoiceOver services to access the Notes app.
The attackers are spreading their apps across multiple categories in order to extend the range of potential victims.
The researchers also estimated the potential profits of this malware campaign, the GriftHorse operators are currently making between €1.2 million and €3.5 million per month from the criminal activity.
Unlike previous FinSpy versions, the new samples leverage two components to prevent malware analysis, a non-persistent pre-validator and a post-validator. The former ensures that the victim machine is not used for malware analysis, the latter is a persistent implant used to ensure that the victim is the intended one.
The experts also observed that when the spyware targets machines that do not support UEFI, the infections involve the use of the MBR (Master Boot Record).
Researchers from BleepingComputer also reported that threat actors have started to exploit CVE-2021-22005 using code released by security researcher Jang.
If you have not yet watched that episode and you use VMware VCenter then here is the link and it is pinned in the comments section below.
The new banking Trojan supports the same latest Cerberus commands, except for a couple of commands that allow clearing the content of the cache of the specified application and stealing device accounts.
At the time of writing, ThreatFabric researchers, with the help of @malwrhunterteam, determined that ERMAC is only targeting Poland, where it is being distributed under the guise of delivery service and government applications.
The new banking trojan can target over three hundred banking and mobile apps.
According to Kaspersky, various threat actors rented the malware and used it as part of other malware attack chains. The researchers observed attackers using the malware in attacks aimed at delivering KeyBase or Agent Tesla; in some cases crooks combined the stealer component with other malware families and protected it with other packers, such as Themida.
Once the data has been collected, BloodyStealer sends it to a C&C server; cybercriminals can then access the stolen info by using Telegram or via a web panel.
BloodyStealer is being used in attacks targeting victims from Europe, Latin America, and the Asia-Pacific region.
The attack works also on Linux and MacOS by editing the ProxyCommand.
Microsoft addressed the flaw with the release of Visual Studio Code Remote Development Extension version 1.51 or higher.
If you have not seen my episode on Phishing, the link is above, pinned in the comment section below and will be in the credits at the end of this video. I highly recommend you watch that video. I discuss the most prevalent types of Phishing campaigns and how to spot them so check it out. AFTER, of course, you finish watching this episode.
• a C2 client
• download and execute malware
• execution of PowerShell scripts and commands
• hollowing shellcode into legitimate windows configuration applications.”
“The evolution of the Jupyter infostealer/backdoor from when we first identified it in 2020 proves the truth of the statement that threat actors are always innovating. That this attack continues to have low or no detections on VirusTotal further indicates the facility with which threat actors evade detection-based solutions,” conclude the experts. “It’s clear that a new approach is required to threat prevention, as it’s likely these evasive attacks will continue.”
ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution.
If you remember, I did an episode on this issue. IF you’d like to watch that, the link is above and pinned in the comments below.
The researchers explained that security products using OpenSSL to extract signature information will consider this encoding invalid. However, some parsers treat these encodings as valid and go on to validate the digital signature of the executables; this is what happens in the Windows operating system.
Experts explained that this is the first time they have spotted attackers using this technique to evade detection.
OpenSUpdater’s authors have employed different variations on invalid encodings over time to evade detection.
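To make the parser differential described in item 48 and in the notes above concrete, here is an added example (not Google TAG's code, and the sample bytes are constructed here rather than taken from OpenSUpdater): a strict DER walker that enforces the encoding rules is run side by side with a lenient one that skips stray bytes. A signature blob that only the lenient parser accepts is exactly the situation where one verifier reports "valid" while an OpenSSL-based tool reports "invalid encoding". The `walk`, `parse_algorithm_identifier` and `verifier_agrees` helpers and the particular malformation (two stray zero bytes inside a definite-length SEQUENCE) are assumptions made for this illustration.

```python
"""Strict vs lenient DER parsing: a constructed parser-differential demo.

Added example; not code from Google TAG or from any verifier.
"""
from typing import List, Tuple


class DerError(ValueError):
    """Raised when the input violates the rules the parser enforces."""


def _read_length(buf: bytes, pos: int, strict: bool) -> Tuple[int, int]:
    """Return (length, next_pos). Strict mode enforces DER: definite, minimal."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    if first == 0x80:                     # indefinite form is BER only
        raise DerError("indefinite length is not DER")
    n = first & 0x7F
    if n > 4 or pos + n > len(buf):
        raise DerError("length too large or truncated")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER requires the shortest possible length encoding.
    if strict and (length < 0x80 or buf[pos] == 0):
        raise DerError("non-minimal length encoding")
    return length, pos + n


def walk(buf: bytes, strict: bool) -> List[Tuple[int, bytes]]:
    """Parse consecutive TLVs in buf and return (tag, value) pairs.

    Lenient mode imitates a forgiving verifier: stray zero bytes (which look
    like BER end-of-contents markers) are skipped. Strict mode rejects them.
    """
    out: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        if tag == 0x00:
            if strict:
                raise DerError(f"unexpected zero/EOC byte at offset {pos}")
            pos += 1
            continue
        if pos + 1 >= len(buf):
            raise DerError("truncated TLV header")
        length, pos = _read_length(buf, pos + 1, strict)
        if pos + length > len(buf):
            raise DerError("value runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def parse_algorithm_identifier(buf: bytes, strict: bool):
    """Parse SEQUENCE { OID, parameters OPTIONAL }; return (oid_bytes, params)."""
    top = walk(buf, strict)
    if len(top) != 1 or top[0][0] != 0x30:
        raise DerError("expected exactly one SEQUENCE")
    inner = walk(top[0][1], strict)
    if not inner or inner[0][0] != 0x06:
        raise DerError("expected an OID first")
    return inner[0][1], inner[1:]


# Constructed sample: AlgorithmIdentifier for sha256WithRSAEncryption, NULL params.
VALID = bytes.fromhex("300d06092a864886f70d01010b0500")
# Same content plus two stray 00 bytes inside the SEQUENCE (outer length bumped
# from 0d to 0f). Not valid DER, but a lenient parser reads it fine.
MALFORMED = bytes.fromhex("300f06092a864886f70d01010b05000000")


def verifier_agrees(buf: bytes) -> bool:
    """True when the strict and lenient parsers both accept or both reject buf."""
    verdicts = []
    for strict in (True, False):
        try:
            parse_algorithm_identifier(buf, strict)
            verdicts.append(True)
        except DerError:
            verdicts.append(False)
    return verdicts[0] == verdicts[1]


if __name__ == "__main__":
    print("valid sample, parsers agree:", verifier_agrees(VALID))
    print("malformed sample, parsers agree:", verifier_agrees(MALFORMED))
```

The defensive takeaway is the one the notes state: run signature extraction through a strict parser (or cross-check two parsers) and treat any disagreement as suspicious rather than trusting the most forgiving verifier on the host.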
"When a user opens their PIX bank application, Pixstealer shows the victim an overlay window, where the user can't see the attacker's moves," the researchers said. "Behind the overlay window, the attacker retrieves the available amount of money and transfers the money, often the entire account balance, to another account."
I highly recommend watching the full episode I created to get more indepth details. The link is above and will be pinned in the comments section below.
A BSI spokesman told Tagesschau that Chinese manufacturers are already excluded from a list of smartphone vendors that can be officially ordered as service phones by the federal authorities.
Experts fear that Chinese manufacturers could also have introduced hidden features into their devices that could give them deep access to any communications through the mobile phones before they were encrypted.