Search This Blog

Showing posts with label Malicious Campaign. Show all posts

Criminals sending malicious emails claiming to be from the rector of Moscow State University

A malicious program that steals passwords was sent out in mid-September by scammers in letters claiming to be from the rector of Moscow State University. The recipients were financial, industrial, and government organizations in Russia.

The mailing, as noted in the company Group-IB, was held in the period from 9 to 16 September.

"In the letter, the attackers, on behalf of rector Viktor Sadovnichy, ask recipients to read the attached document “ A description of the budget for 2020” and promptly send their commercial offer,” reported the company's press service.

The texts of the letters are illiterate and contain stylistic errors. In addition, the order of words and sentences indicates that fraudsters use an automatic translation program. The authors of the letter were too lazy to change or check all the links in the template before sending them out. Probably, similar attacks have already been carried out on behalf of other universities, most likely foreign ones.

The addresses of Moscow State University were indicated as the sender in the letters. In fact, the correspondence was sent from the hacked mail server of the Hotel Alfonso V in the Portuguese city of Aveiro. The hotel has already been notified of the break-in.

All the scammers’ emails contained an archive called "Request for a commercial offer" with an executable .exe file inside. After it was launched, a malicious program was installed on the user's device that could steal usernames and passwords.

"In the future, hackers can use them to gain access to email accounts or crypto wallets, for financial fraud, espionage, or sell stolen data on hacker forums,” said Group — IB.

According to Vasily Kuzmin, Deputy head of the information technology department of Moscow State University, neither the rector nor the University administration ever send letters with such content.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Cisco “critical security advisory” part of a phishing campaign ?


Amidst the coronavirus pandemic, there is an influx of telecommuters who, have come to heavily depend on online conferencing tools like Webex, Zoom and a few others.

With this rise in online meetings and ongoing phishing campaign is affecting more and more users with a recycled Cisco security advisory that cautions of a critical vulnerability and further urges the victims to "update," with the sole aim to steal their credentials for Cisco's Webex web conferencing platform.

Ashley Tran in a recent analysis said with Cofense's phishing defense center stated, “Targeting users of teleconferencing brands is nothing new, but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

Researchers are of the view that phishing emails are being sent with various 'attention-grabbing subject lines', for example, "Critical Update" or "Alert!" and originate from the spoofed email address, "meetings@webex[.]Com".

They said to Threatpost, this was a mass "spray and pray" phishing campaign with "numerous end-users" accepting and reporting the email from a few several industries, including the healthcare and financial ones. The body of the email installs content from a real Cisco Security Advisory from December 2016, alongside Cisco Webex branding.

The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco's management tool for applications in numerous data-center, private-cloud and open cloud environments.

This critical flaw permitted unauthenticated, remote attackers to install Docker containers with high benefits on the influenced system; at the hour of disclosure in 2016, it was being exploited extensively. Notwithstanding, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch discharge (likewise in 2016).
 


The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and directs them to a "Join" button to become familiar with the "update."

The attackers behind this campaign focus explicitly on the details, right down to the URL linked to the "Join" button. On the off chance that cautious email beneficiaries hover over the button to check the URL, they'll discover the URL [hxxps://globalpagee-goad webex[.]com/signin] to be strikingly like the authentic Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].

Victims who click on the "Join" button are then diverted onto the phishing landing page, which is identical to the real Cisco WebEx login page.

Researchers said that there is one tiny difference is that when email addresses are typed into the authentic Webex page, entries are checked to confirm if there are associated accounts. On the phishing page, in the meantime, any email format entry takes the beneficiary straightforwardly to the following page to request a password.

Researchers, therefore, caution users to remain on the watch for bad actors 'spoofing' web conferencing and virtual collaboration applications on the grounds that in general.

The attackers are exploiting the frenzy around the coronavirus with phishing messages and emails around financial relied, guarantees of a cure and symptom data subtleties thus the users are advised to be on the lookout.

New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A new malicious campaign called "Sea Turtle," as of late discovered by researchers allegedly, is said to have been attacking public and private elements in different nations utilizing DNS hijacking as a mechanism.

Moreover the campaign is known to have compromised no less than 40 different organizations across over 13 different nations amid this vindictive campaign in the first quarter of 2019.

Since DNS hijacking is a sort of malevolent attack that redirects the users to the noxious site by altering the DNS name records when they visit the site by means of compromised routers or attackers affecting a server's settings.

The attackers helped out their work through very industrious strategies and propelled apparatuses in order to gain access to the sensitive systems and frameworks as smoothly as possible.

By focusing on two distinct groups of victims they are focusing on a third party that is known to provide services to the primary targets to effectively play out the DNS seizing. The main aim of the attackers behind "Sea Turtle" is to ultimately aim to steal the credentials so as to access the systems and frameworks in the following manner:
  1.        Via establishing a means to control the DNS records of the target.
  2.        To modifying DNS records in order to point legitimate users of the target to actor-controlled servers.
  3.        To capturing legitimate user credentials when users interacted with these actor-controlled servers.
Researchers said that they "assess” with probably high certainty that these hijacking attacks are being propelled by an advanced, state-sponsored actor hoping to get to the sensitive systems and frameworks.

To ensure against these DNS hijacking attacks, the organizations are currently attempting to execute a registry lock service, multifaceted verification (to access the DNS records), and obviously keeping up to date on the patches, particularly on the internet facing machines.