
UBEL is the Android Malware Successor to Oscorp


As part of a fresh campaign that began in May 2021, an Android malware previously seen abusing the device's accessibility features to steal user credentials from European banking applications has morphed into an altogether new botnet. Oscorp, a mobile malware built to attack several financial targets with the purpose of stealing funds from unsuspecting users, was first disclosed by Italy's CERT-AGID in late January.

The Oscorp malware, like other Android malware, convinces users to grant it access to the Android Accessibility Service, which allows it to read text on the phone screen, detect an app installation prompt, traverse the permission list, and install apps on the user's behalf. "Not being able to access the private files of other applications, the actions of these malicious apps are "limited" to the theft of credentials through phishing pages, to blocking the device and possibly to the capture of audio and video," read the advisory published by Italy's CERT-AGID.

Malicious SMS messages were used to spread the malware, with attackers posing as bank operators to deceive targets over the phone and secretly gain access to the infected device using the WebRTC protocol, allowing them to execute unauthorized bank transfers. While no fresh activity had been detected since then, it now appears that Oscorp has returned after a brief hiatus in the shape of the UBEL Android botnet.

"By analysing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source-code appears to be shared between multiple [threat actors]," Italian cybersecurity company Cleafy said on Tuesday, charting the malware's evolution. 

UBEL, like its predecessor, is marketed on underground forums for $980 and asks for invasive permissions that allow it to read and send SMS messages, record audio, install and delete apps, launch itself automatically after system boot, and abuse Android accessibility services to collect confidential data such as login credentials and two-factor authentication codes, all of which is exfiltrated to a remote server.

Once installed on the device, the malware tries to disguise itself as a service and hide its presence from the victim, allowing for long-term persistence. Notably, using WebRTC to interact with the hijacked Android phone in real time removes the need to enroll a new device and take over the account in order to commit fraud.

"The main goal for this [threat actor] by using this feature, is to avoid a 'new device enrolment', thus drastically reducing the possibility of being flagged 'as suspicious' since device's fingerprinting indicators are well-known from the bank's perspective," the researchers said.

The Russian Federation submitted to the United Nations the world's first draft convention against cybercrime

The Prosecutor General's Office of the Russian Federation reported that Russia has submitted to the UN the world's first draft convention on countering cybercrime and the criminal use of cryptocurrency.

Recall that last year an interdepartmental working group on combating information crime was established, one of the main tasks of which was to develop a draft of a universal comprehensive international convention on combating the use of information and communication technologies for criminal purposes.

The draft has a number of advantages. It takes into account modern challenges and threats in the field of international information security, including the criminal use of cryptocurrency, and introduces new categories of crimes committed using information and communication technologies.

It is stressed that Russia was the first country to develop and submit to the special committee a draft convention on combating information crimes.

"Today cyber attacks are as much a weapon of mass destruction as a tactical nuclear weapon. Infrastructure, from the fuel supply to the water supply, can be stopped in an entire city. The settlement will be paralyzed with zero casualties. Thus, I would call cyberattacks bloodless killers, they do not set themselves the goal of destroying the population but simply teleport this population, in fact, to the Stone Age," State Duma deputy Ruslan Balbek commented on the news.

According to him, the Russian draft convention is timely and relevant.

In March, the President of Russia, Vladimir Putin, announced an increase in the number of crimes in the IT sphere. He pointed out that over the past six years the number of such crimes has increased tenfold.

Earlier, E Hacking News reported that the Russia-US summit was held in Geneva on June 16. Summing up the negotiations, Vladimir Putin said that the sides would start consultations on cybersecurity.

BlackMatter & Haron Targeting Firms with Revenue of $100 Million and More


Cybersecurity researchers from South Korean security firm S2W Labs have unearthed two new ransomware groups. A sample from the first group, which identifies itself as 'Haron', was first submitted to VirusTotal on July 19.

According to S2W Lab, the layout, organization, and tactics used by Haron are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

Both groups target high-profile organizations in order to maximize their profits. Haron also runs a "leak site" where it threatens to publish data stolen from companies that refuse to pay for decrypting their files. According to S2W Lab, the engine driving Haron ransomware is Thanos, a separate piece of ransomware that has been around since at least 2019.

Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, on the other hand, was written in C++. Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he had spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing, and that he would know more soon.

The second ransomware newcomer goes by the name 'BlackMatter'. According to Flashpoint, BlackMatter threat actors registered an account on the Russian-language forums XSS and Exploit on July 19 and immediately followed up with a post seeking to buy access to infected corporate networks of 500 to 15,000 hosts. The stated interest in companies with annual revenues of over $100 million in the United States, Canada, Australia, and the United Kingdom may indicate a large-scale ransomware operation.

"Actors have deposited 4 BTC (about US $ 150,000) into their escrow accounts, which shows the seriousness of threat actors when they deposit large amounts in forums. Black Matter does not openly state that they are ransomware collective operators. The language and goals of their posts clearly indicate that they are ransomware collective operators. But technically it doesn't violate the rules of the forum," FlashPoint researchers said in the report.

The emergence of BlackMatter coincides with the disappearance of DarkSide and REvil in the wake of highly publicized incidents of Colonial Pipeline, JBS, and Kaseya — raising speculations that the groups may eventually rebrand and resurface under a new identity.

Raven Hengelsport Data Breach Exposes 18GB of Customer Data


Cybersecurity researchers from SafetyDetectives uncovered an insecure Microsoft Azure Blob storage server linked to the retailer Raven Hengelsport (also known as Raven Fishing B.V.), exposing the PII of hundreds of thousands of consumers to potential access by malicious hackers.

Raven Hengelsport, headquartered in Dronten, Netherlands, sells fishing gear and equipment. Besides its online store Raven.nl, which offers a wide choice of products, the company operates several large shops in the Netherlands and across Europe.

In early March, the cybersecurity research team of antivirus review site SafetyDetectives found the unsecured Azure Blob Storage server holding 18 GB of company data covering at least 246,000 users in over 450,000 entries. Raven provides its clients across the Netherlands and Europe with a large variety of retail products. The Raven.nl website works as a fishing supermarket, offering everything from conventional goods such as rods, reels, and tackle boxes to larger merchandise such as tents, boats, and clothing.

"These files contained records that consisted of two different data sets, order details, and logs of PII, both of which expose the sensitive personal information of Raven's customers," the company's write-up this week explained. 

Raven.nl order details include customer identifiers, delivery information, rebates, shipping charges, transactions, and shipment tracking numbers. Customer PII (Personally Identifiable Information), including first names, surnames, residential addresses, phone numbers, e-mail addresses, and even the names of certain corporate clients, was also exposed.

Most of the information leaked on the server is customer information, totalling 425,000 records. Consumer PII appeared across several data rows, some even listing the names of key customer companies.

Nevertheless, reaching Raven, popularly known as Raven Fishing, proved extremely difficult.

"We immediately tried to get in touch with Raven once we discovered the open database, but did not receive a response from Raven regarding the breach," SafetyDetectives' researchers noted. "We later attempted to contact Raven through the live chat feature on their website."

The team sought to contact Raven as soon as the open database was detected, but received no reply from Raven about the breach.

Afterward, they tried to get in touch with Raven via the live chat on its website. When the team first tried reaching Raven, the customer care agent ended the live chat without responding to their message.

On the second attempt, the team was connected to the same employee, who said they could not provide additional contact information. They were told that their request would be forwarded to the relevant parties and that, if Raven found it appropriate, they would be contacted.

SafetyDetectives also notified Microsoft of the issue, but the Microsoft Security Response Center (MSRC) declined to take any measures concerning the still-exposed server. Microsoft's general customer support was also described as "not helpful," as it did not help the researchers reach someone technical at Raven who could get the data secured.

A data breach of this kind has harmful consequences for both Raven and its innocent customers, whose personal information has been exposed.

Raven is likely subject to EU data protection law (GDPR), under which it could be fined up to €20 million or 4% of its annual turnover (whichever is greater). However, that is the ceiling; if regulators decide to impose sanctions, small and medium-sized enterprises are more likely to receive a milder punishment.