Search This Blog

Showing posts with label Malicious Campaign. Show all posts

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Cisco “critical security advisory” part of a phishing campaign ?


Amidst the coronavirus pandemic, there is an influx of telecommuters who, have come to heavily depend on online conferencing tools like Webex, Zoom and a few others.

With this rise in online meetings and ongoing phishing campaign is affecting more and more users with a recycled Cisco security advisory that cautions of a critical vulnerability and further urges the victims to "update," with the sole aim to steal their credentials for Cisco's Webex web conferencing platform.

Ashley Tran in a recent analysis said with Cofense's phishing defense center stated, “Targeting users of teleconferencing brands is nothing new, but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

Researchers are of the view that phishing emails are being sent with various 'attention-grabbing subject lines', for example, "Critical Update" or "Alert!" and originate from the spoofed email address, "meetings@webex[.]Com".

They said to Threatpost, this was a mass "spray and pray" phishing campaign with "numerous end-users" accepting and reporting the email from a few several industries, including the healthcare and financial ones. The body of the email installs content from a real Cisco Security Advisory from December 2016, alongside Cisco Webex branding.

The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco's management tool for applications in numerous data-center, private-cloud and open cloud environments.

This critical flaw permitted unauthenticated, remote attackers to install Docker containers with high benefits on the influenced system; at the hour of disclosure in 2016, it was being exploited extensively. Notwithstanding, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch discharge (likewise in 2016).
 


The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and directs them to a "Join" button to become familiar with the "update."

The attackers behind this campaign focus explicitly on the details, right down to the URL linked to the "Join" button. On the off chance that cautious email beneficiaries hover over the button to check the URL, they'll discover the URL [hxxps://globalpagee-goad webex[.]com/signin] to be strikingly like the authentic Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].

Victims who click on the "Join" button are then diverted onto the phishing landing page, which is identical to the real Cisco WebEx login page.

Researchers said that there is one tiny difference is that when email addresses are typed into the authentic Webex page, entries are checked to confirm if there are associated accounts. On the phishing page, in the meantime, any email format entry takes the beneficiary straightforwardly to the following page to request a password.

Researchers, therefore, caution users to remain on the watch for bad actors 'spoofing' web conferencing and virtual collaboration applications on the grounds that in general.

The attackers are exploiting the frenzy around the coronavirus with phishing messages and emails around financial relied, guarantees of a cure and symptom data subtleties thus the users are advised to be on the lookout.

New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A new malicious campaign called "Sea Turtle," as of late discovered by researchers allegedly, is said to have been attacking public and private elements in different nations utilizing DNS hijacking as a mechanism.

Moreover the campaign is known to have compromised no less than 40 different organizations across over 13 different nations amid this vindictive campaign in the first quarter of 2019.

Since DNS hijacking is a sort of malevolent attack that redirects the users to the noxious site by altering the DNS name records when they visit the site by means of compromised routers or attackers affecting a server's settings.

The attackers helped out their work through very industrious strategies and propelled apparatuses in order to gain access to the sensitive systems and frameworks as smoothly as possible.

By focusing on two distinct groups of victims they are focusing on a third party that is known to provide services to the primary targets to effectively play out the DNS seizing. The main aim of the attackers behind "Sea Turtle" is to ultimately aim to steal the credentials so as to access the systems and frameworks in the following manner:
  1.        Via establishing a means to control the DNS records of the target.
  2.        To modifying DNS records in order to point legitimate users of the target to actor-controlled servers.
  3.        To capturing legitimate user credentials when users interacted with these actor-controlled servers.
Researchers said that they "assess” with probably high certainty that these hijacking attacks are being propelled by an advanced, state-sponsored actor hoping to get to the sensitive systems and frameworks.

To ensure against these DNS hijacking attacks, the organizations are currently attempting to execute a registry lock service, multifaceted verification (to access the DNS records), and obviously keeping up to date on the patches, particularly on the internet facing machines.