Search This Blog

Attackers Denied of Full Control Over 'Wire' Users' Accounts

 

The developers of the Wire secure messaging app have patched the software against two critical security flaws, one of which could allow an attacker to takeover target users’ accounts. Specifically, the first of the two includes a cross-site scripting (XSS) vulnerability that allowed an attacker to fully control user accounts. The flaw tracked as, CVE-2021-32683, typically impacted the web app version 2021-05-10 and earlier.

According to security experts, threat actors often execute an XSS attack by sending a malicious link to a user and prompting the user to click it. If the app or website lacks proper security protocols, the malicious link executes the attacker’s chosen code on the user’s device. As a result, the attacker can steal the user’s active session cookie. 

Kane Gamble, an independent security researcher discovered two security issues in Wire Messenger versions for web and iOS. Headquartered in Germany with branches in the US, Sweden, and Switzerland, Wire is a popular messaging platform featuring audio, video, and text communications secured via end-to-end encryption with more than 500,000 users. 

The second flaw discovered by the researcher was a less critical denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire.

“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character. This will in turn trigger an assertion which crashes the app,” the security researcher explained. 

Both flaws were subject to a coordinated disclosure process between Gamble and the Wire security team. “The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1]. No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically,” Gamble further added.

A Wire spokesperson showed that there is no evidence of active exploitation of any of these bugs in the wild.

“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible. We also proactively published the vulnerabilities as CVEs for full transparency,” the spokesperson said.

Security Bug Detected in Google’s Android App

 

A vulnerability had existed in Google's eponymous Android app with over five billion downloads to date that might have enabled an attacker to stealthily steal the personal information of a victim's device. 

In a blog post-Sergey Toshin, the founder of Oversecured Mobile App Security Group, noted that it's about the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google application, decrease download size and storage space by depending on code libraries installed on Android smartphones. 

However, the shortcoming in Google's code allowed the malicious application to inherit the permissions of the Google app and permit it to almost completely access data from a user. 

The malicious application could also pull the code library from a malicious app on the very same device rather than its legitimate code library. This access includes access to Google user accounts, search histories, e-mails, text messages, contacts, and call history, as well as microphone/camera triggering and user location. 

Toshin added that the malicious application will be activated once for the attack to start, but it is carried out without the knowledge or cooperation of the user. He added that removing the malicious program will not remove malicious components from the Google app. 

A Google spokesman told that last month it addressed the issue and there was no proof that the attackers would be using the flaw. The built-in malware scanner of Android, Google Protect Play, will stop the installation of harmful apps. However, there is no absolute safety feature, and malicious apps are already on the internet. 

Toshin stated that the vulnerability in Google's app is almost like a bug identified in TikTok earlier in this year that would allow an attacker to hijack a TikTok user's session tokens which are exploited to gain control of their account. 

Oversecured identified several other identical vulnerabilities, including the Google Play app for Android and more recent pre-installed apps on Samsung phones.

NATO's Cloud Platform Hacked

 

The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities". 

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks. 

Six Major Flaws Identified in Schneider PowerLogic Devices

 

Earlier this month, Schneider Electric, a global supplier of energy and automation digital solutions published a security advisory for its customers stating the discovery of six major flaws in PowerLogic EGX100 and EGX300 communication gateways. Threat actors can exploit these security holes to access devices, launch denial-of-service (DoS) attacks, and for remote code execution. 

Security researchers have rated five of the security holes in the high severity category. They can be exploited for DoS attacks or remote code execution using specially designed HTTP products. The sixth flaw is related to the password recovery mechanism and it can be exploited to gain administrator-level access to a device. 

Jake Baines, a principal industrial control vulnerability analyst at industrial cybersecurity firm Dragos, assigned the flaws from CVE-2021-22763 to CVE-2021-22768. The flaws were identified in EGX devices, but Schneider has determined that two of the flaws also affect PowerLogic PM55xx power metering devices due to their sharing web server code. The affected devices are part of the company’s power monitoring and control offering, but they have reached the end of life.

“For example, CVE-2021-22763 is a backdoor account that gives full admin access to the device's web server. As long as the attacker can reach the server, and knows the device's ethernet address, they have full administration rights to the device. Although, this is largely only useful to an attacker to block access to the connected serial devices, so the true impact of the attack is dependent on the connected devices.CVE-2021-22764 is a similar situation. A remote and unauthenticated adversary can send HTTP requests that will cause the device to block access to the connected serial devices,” Baines said while explaining a few theoretical attack scenarios that attackers could use to exploit vulnerabilities.

“The more interesting, but more complicated are the vulnerabilities scored 9.8. These all allow an unauthenticated and remote attacker to run arbitrary code on the device. The vulnerabilities are stack-based buffer overflows, so writing a full exploit would take effort. While it's possible that could happen, it's unlikely that it actually has or ever will. However, the ability to run code on the device is interesting because it would allow the adversary to alter communication between the connected serial device and the monitoring/control systems,” he further described.

PowerLogic EGX100 and EGX300 devices have reached the end of life and are no longer useful. Users can either replace the products or execute mitigations recommended by the firm to minimize the risk of exploitation.

Latest Campaign by Molerats Hackers Target Middle Eastern Governments

 

After two months of break, a Middle Eastern advanced persistent-threat (APT) organization has resurfaced and is targeting government institutions in the Middle East -- global government bodies affiliated with geopolitics as a part of its recent malicious activities. 

Proofpoint, a company headquartered in Sunnyvale, ascribed this action to a politically motivated threat actor tracked as TA402, colloquially known as Molerats or GazaHackerTeam. 

TA402 is supposed to work for objectives that are consistent with military or Palestinian state goals. The threat actor has been operating for a decade with a history of compromising associations mainly in Israel and Palestine. The attacks covered verticals such as technology, telecoms, finance, the academy, the army, the media, and governments. 

The two months' break in the operation is not apparent, but the Proofpoint researchers have suggested that it could have played a part either in the holy month of Ramadan or in the recent incidents in the region as well as in the violence which followed in May. 

The current wave of attacks started with spear-phishing Arabic-listed emails carrying PDF files embedded in a geofenced malicious URL that can only selectively route victims to the password-protected file if the source IP address of these files is in the targeted Middle East nations. 

The beneficiaries outside of the target Group are relocated to benign websites like Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net), generally Arabic language news websites. 

The last step on the infection chain entailed an extraction of the archive to drop a customized implant named LastConn, which is a new version or upgrade of a backdoor called SharpStages that was revealed in December 2020 by Cybereason researcher, as Molerats espionage campaign targeting the Middle East. 

The LastConn is executed with a Decoy document, the malware relies largely on Dropbox API for downloading and executing cloud-hosted files in addition to arbitrary instructions and screenshots that are then returned to Dropbox. 

The continually expanding toolkit of TA402 emphasizes that the Group continues to develop and adapt tailored malware implants to sneak up past defenses and detect thwarts. 

"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."

Audi And Volkswagen's Data Breach Affected 3.3 Million Customers

 

Volkswagen announced that a massive data breach exposed the personal information of over 3.3 million customers after one of its vendors left a cache of customer data unencrypted on the internet. In a letter to customers, Volkswagen said that the vendor utilized by Volkswagen, its subsidiary Audi, and authorized dealers in the United States and Canada had left customer data from 2014 to 2019 unsecured for two years between August 2019 and May 2021. 

Personal information about clients and potential buyers were included in the data, which was collected for sales and marketing purposes. Volkswagen Group of America, Inc. (VWGoA) is the German Volkswagen Group's North American subsidiary, responsible for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc. operations in the United States and Canada. 

Between August 2019 and May 2021, a vendor left insecure data accessible on the Internet, according to data breach notices submitted with the California and Maine Attorney General's offices. This specific vendor informed the VWGoA in March that an unauthorized person had gained access to the data and may have accessed customer information for Audi, Volkswagen, and some authorized dealers. 

According to VWGoA authorities, the hack affected 3.3 million customers, with almost 97% of those affected being Audi customers or potential buyers. The data breach appears to have exposed information ranging from contact information to more sensitive data including social security numbers and loan numbers. 

"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages," disclosed VWGoA in a data breach notification. 

"The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers." 

The hackers are demanding between $4,000 and $5,000 for all of the records, claiming that the database contains no social security numbers. The threat actors earlier stated that the database for a VPN service provider with various Android apps on the Google Play Store was on sale for $1,000. 

Volkswagen is offering free credit protection and monitoring services to the 90,000 customers whose personal information was exposed, as well as $1 million in identity theft insurance.

Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem

 

In the recent analysis, experts discovered that the digital credit card skimming ecosystem evolves as experts identify new players, tooling, services, and economies that make it up in much of the recent threat infrastructure studies. Experts also noticed that significant patterns emerge in the infrastructure that these groups utilize and share. 

Many domains used for digital skimming and other criminal activities have been hosted on Alibaba IP space in recent years. Because bulletproof hosting companies host a large percentage of skimming campaigns, Alibaba IP space's popularity could be due to one of these bulletproof services exploiting Alibaba hosting services. Some of these domains have recently been accused of abusing Google's user content hosting service. 

While looking into the MobileInter skimmer's infrastructure, the analysts discovered that one of its skimmer domains was temporarily hosted by a Google IP address. This IP then hosted a domain that offered card skimmers a useful service that allowed them to validate stolen payment data for a fee. The experts were able to discover multiple associated websites, services, and social media accounts connected to this authentication activity known as bit2check using RiskIQ's Internet Intelligence Graph. Some bit2check names have been spotted abusing Alibaba and Google hosting services in the same way as that of Magecart domains.

Following additional investigation, the analysts discovered that the person behind bit2check is a Kurdish actor who goes by the name Hama. There was no apparent relationship between an individual and the bulletproof hosting operation seen on Alibaba. On the other hand, this connection could lead to more information about who is providing these malicious hosting services. 

The bit2check website advertises a bit2check Telegram group and promotes itself as the "greatest CVV/cc checker in town." Many Kurdish language telegram channels also link to the bit2check site and others, including bin-checker[.]net, which is a free version of bit2check. These card-skimming services promote each other through links on their websites and Telegram channels. 

The domains and accounts linked to Hama are also associated with the activities of other players in the carding sector. Code produced by another actor known as namso can be seen on some of Hama's websites. A directory called namso_files can be found in Hama's Github source. 

Since RiskIQ first reported on Magecart in 2016 and its historic attack against British Airways in 2018, they have been investigating browser-based card skimming. 

Bit2check is another part of this vast ecosystem that caters to skimmers looking to validate their loot or buy more stolen information. Many of the companies in this ecosystem network, both the skimmers and the services that cater to them, are using the same strategies and infrastructure, according to RiskIQ.

Every fifth child faced with malware and adult content

Experts analyzed how often children encounter cyber incidents in the online space. It turned out that every fifth child has at least once encountered malware and viruses. Also (in 19% of cases), children come across unwanted content "for adults". In 18% of cases, children's social media accounts were hacked or attempted, and 15% of parents also reported that suspicious strangers wrote to their child.

Parents also noted that children make unconscious or uncoordinated spending on the Internet: they subscribe to paid services or buy access to online games. Parents whose children bought something on the Internet said that in most cases (81%) the purchase amount was up to 1 thousand rubles ($14).

“Parents need to abandon online wallets and cash and make a separate bank card for the child in order to protect the family from unwanted spending. This can be a virtual account or an additional card to your own. The fact is that openly criminal websites and services on the Internet do not accept bank cards for payment. In addition, adults have access to the limits and settings of the children's card, and they can always challenge unwanted spending in the bank and save the family budget," said Alexey Govyadov, head of analytics and automation at ESET in Russia.

Cyber threats that children most often face online: malware (viruses, etc.); unwanted content 18+; hacking or attempted hacking of a page in social networks; suspicious strangers wrote to the child; unconscious or uncoordinated spending; the child was in suspicious groups or communities.

Speaking about child safety on the Internet, half of the parents surveyed say that their child knows that in the event of a cyber incident, they should immediately contact adults. More than a third of the respondents also noted that their child knows safe sites and applications, and also makes online payments only on trusted resources.

Chinese Military Unit Linked to Cyber Espionage Campaign Targeting India

 

Recorded Future, a US security firm, revealed a cyber espionage campaign linked to a suspected Chinese state-sponsored threat activity group, named RedFoxtrot. Recorded Future's threat research arm Insikt Group, discovered evidence dating back to 2014 that interconnects RedFoxtrot and Chinese military-intelligence apparatus, the People's Liberation Army (PLA) Unit 69010. 

Before restructuring in 2015, PLA’s cyber-attack unit 69010 was known as the Lanzhou Military Region’s Second Technical Reconnaissance Bureau, and now it has been incorporated into the Network Systems Department of the PLA’s Strategic Support Force (SSF). According to a report published by Recorded Future’s Insikt Group, cybersecurity experts have detected intrusions targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region. Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC,” analysts explained.

According to the research team, for its attacks, the RedFoxtrot group employs both bespoke and publicly available malware families, including IceFog, ShadowPad, Royal Road, PCShare, PlugX, and web server infrastructure to host and deliver payloads and to collect stolen information. Some of the group’s past campaigns have been previously documented by other security firms under different names in something that has become a common sight in modern-day threat hunting.

“The recent activity of the People's Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government's security posture", Christopher Ahlberg, CEO, and Co-Founder of Recorded Future, stated.

Recorded Future researchers were successful in making connections inside this nebula of Chinese state-sponsored hacking activity to RedFoxtrot (and subsequently to PLA Unit 69010) due to lax operational security (OpSec) measures of one of its members. 

“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy located in Wuhan,” the researchers further stated.

The Russian government plans to create a unified video surveillance system

The Russian government wants to create a single video surveillance system that will unite smart cameras in Russian cities. The devices will be able to recognize faces and license plates. The project will help to quickly respond to crimes, and in some cases, prevent them. The personal data of ordinary people is promised to be reliably protected.

The development of the project and the installation of cameras is estimated at 250 billion rubles ($3,500,000), and the implementation may take five years. Previously, the project was estimated at 97 billion rubles ($1,350,000).

Now the cameras in Moscow send video to the Data Processing Center, and in the new system, they will recognize suspicious situations themselves and only then send the video to the Data Processing Center.

It is expected that different cameras will be installed in the cities, depending on the tasks. A face recognition system will be needed somewhere and there will be cameras with powerful computing modules. In other places, there will be enough cameras with motion sensors.

According to the expert, the system will make it possible to better detect violations, respond promptly to them, and in some cases even predict them.

The emergence of a unified video surveillance system may raise fears that personal data will be sent to smart cameras. The CEO of Lab.Ag and the developer of many government sites, Artem Geller, explained that such an outcome is inevitable because the cameras are aimed at fixing the physical data of people.

"Of course, they will process the physiological aspects such as face, gait, clothing, license plate. But don't forget that cameras are already doing this,” Geller added.

Cybersecurity specialist Sergey Vakulin recalled the experience of video surveillance systems in China, where there is also a face recognition function, but each person is assigned his own identification number. And only then this data is encrypted, but even with such a process, there are vulnerabilities.

"The biggest problem is that a lot of data is stored and transmitted using a global network. And devices connected to the global network are more vulnerable," Vakulin added.

According to Vakulin, it is too early to worry about possible hacking and data leaks. He explained that each system has cybersecurity specialists, testers who detect bugs.

Cisco Smart Switches Detected with Vulnerabilities

 

In Cisco's Small Business 220 Series smart switches a researcher has uncovered various vulnerabilities, especially those with high severity assessments. This Monday, the networking giant advised its consumers that patches for these vulnerabilities are available. 

The impact switch runs firmware versions earlier than 1.2.0.6 and has the web-based management interface enabled. 

Cisco Systems, Inc. is a US conglomerate based in San Jose, California, in the Silicon Valley center. Cisco designs manufacture and distribute high-tech services and products for networking hardware, software, telecommunications equipment, and others. 

Security researcher Jasper Lievisse Adriaanse has identified the vulnerabilities. He discovered four kinds of safety holes on the small enterprise switch as published in a notice by Cisco. 

One can be used by a remote, unverified attacker, tracked as CVE-2021-1542, which is rated as high severity to take over the user session and obtain access to the web portal of a switch. The attacker could acquire managerial access to the management interface, based on the rights of the potential customer. 

Another high-severity problem is CVE-2021-1541, which enables a remote device attacker with admin access to perform arbitrary root-privileged commands on the operating system underneath it. 

The two other weaknesses identified by the investigator, both of which were Cisco's medium severity, might allow a remote attacker to initiate XSS (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571). 

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Adriaanse explained. 

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged-in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.” 

The XSS defect is due to inspections by the web-based management interface of the device being submitted by the user. An attacker could use this error by deceiving the victims into clicking a malicious link and accessing a certain page. The attacker may induce weakness in running arbitrary script code in connection with the affected interface or access sensitive, browser-based information. 

The HTML Injection Vulnerability is caused by faulty parameter checks on affected pages. In order to address certain vulnerabilities, Cisco has published software updates. 

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.

Phishing Campaign that Imitates Legitimate WeTransfer Applications

 

The Cofense Phishing Defense Center (PDC) has discovered a current phishing attempt that uses bogus websites to impersonate official WeTransfer applications. Threat actors can use this to get around email security gateways (SEG) and trick users into providing their credentials. 

WeTransfer is a file-sharing website that makes it simple for users to share files. Because of the service's popularity, it's possible that consumers may disregard the email's threat level. Threat actors have reimagined this site in order to attract unwary recipients to click on a malicious link that takes them to a phishing website, where they will be asked to pass up their credentials. 

The threat actor instructs the victim to respond to an email that says, "Pending files will be deleted shortly." The timestamps convey a sense of urgency. The malicious URL link that connects to the WeTransfer phishing landing page is hidden below the "Get your files" button. Threat actors provide a list of typical document names to make this appear more authentic. 

Another intriguing aspect is the email address's legitimacy. The threat actors have gone to great lengths to spoof the email address in order to convince recipients that the email came from the correct WeTransfer top-level domain: "@wetransfer.com." The most prevalent tactic used in phishing campaigns to acquire user trust is spoofing the email address. The top-level domain is specified by the Message-ID: @boretvstar[.]com – has nothing to do with WeTransfer. Furthermore, analysts discovered that @boretvstar[.]com is for sale and links to an error page that reads, “This site can't be reached.”

It's evident that the threat actors went to great lengths to resemble the official "WeTransfer" page as closely as possible. However, upon closer examination, the researchers found that Apple and Google logos are missing from the login buttons, and the URL does not match the actual URL. 

When the user clicks the button in the last stage of the attack, they are sent to a false WeTransfer page. To download the shared file, the user must first provide their credentials. The login area on the phishing landing page is prepopulated with the user's email address. The user is displayed a failed login attempt after entering the password, which is a frequent approach used by threat actors. 

In recent weeks, the PDC has seen over 40 identical campaigns reported by well-conditioned users to spot suspicious emails across all of our customers' settings. This phishing campaign is aimed to get around SEGs by impersonating a legitimate file-sharing platform.

'Vigilante Malware' Blocks Users From Downloading Pirated Software

 

Scientists have unearthed one of the most abnormal findings in the malware chronicles. It is a booby trap file that attempts to make the downloader a mouse and try to prevent future unauthorized downloads. 

Andrew Brandt, Sophos Labs Principal Investigator named the malware ‘Vigilante’. When the victim downloads and runs what appears to be pirated software or games, it gets installed. Behind the scenes, the malware reports the filename that was executed to an attacker-controlled server, along with the IP address of the victims’ computers. Lastly, Vigilante attempts to modify the victim’s computer to make piratebay.com and 1,000 other pirate sites inaccessible.

As web servers normally log a visitor's IP address, the hacker now has the access to both the pirate's IP address and the name of the software or movie that the victim attempted to use. While it is unknown what this information is used for, the attackers could share it with ISPs, copyright agencies, or even law enforcement agencies. 

“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff. Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals,” Brandt explained. 

Vigilante updates files on infected computers and hijacks them from connecting to The Pirate Bay and other Internet destinations known to be used by people who trade pirated software. Brandt has discovered some of the Trojans lurking in software packages available for Discord-hosted chat services. He found others disguised as popular games, productivity tools, and security products available through BitTorrent. 

“Pading an archive with a purposeless file of random length is an easy way to change the hash value of the archive. Filling it with a racist slur taught me everything I needed to know about its creator,” Brandt wrote on Twitter. 

Since Vigilante does not have a persistence technique, it means it has no solution to stay put in. Users who have been infected only want to edit their Hosts files to be disinfected. There are other strange things – Many Trojanized executable files are digitally signed using fake code signing tools. The signature contains a randomly generated 18-character uppercase and lowercase.

Carnival Cruise Line Unveiled a New Data Breach

 

Carnival Corporation one of the biggest cruise ship operators in the world, and another major firm that reveals it is affected by data breaches. 

Carnival Corp. encountered an illegal entry to its computer networks on 19 March. According to the company, authorities have been contacted and a cybersecurity company has been employed. 

The research discovered that third parties, using a "limited number of e-mail accounts" could access personal information of clients, staff, and crew on their Carnival, Holland America, and Princess cruise lines.

The data obtained included names, addresses, telephone numbers, passport numbers, birth dates, health information, and in some cases additional information, like national identity numbers or social security. 

According to Carnival, the impacted information includes “data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or another safety testing.” The Carnival letter stated that data was exploited with "low likelihood." 

It is worth noting that ever since 2019 Carnival has been attacked by numerous cyber threat actors, including last summer's ransomware attack. Just as cruise lines start booking trips following an extended COVID-19 halt, Carnival faces yet another question mark on cyber safety, said Erich Kron, the KnowBe4 security adviser. 

Kron said that this is no surprise that they have been attacked, given the type of data and the volume it gathers, and that Carnival records some highly important information to attackers. 

The majority of large cruises prefer to visit ports abroad in their very nature so that they acquire sensitive data that is necessary for the processing of customs as well as other travel-related objectives. Such types of attacks are generally initiated by e-mail phishing and firms seeking to avoid problems like Carnival would be advised to invest in high-quality e-mail filters and a training program for employees focusing on recognizing e-mail phishing attacks and proper password hygiene. 

Cohn Bambenek, Threat Intelligence Advisor at Netenrich, stressed the necessity for the organization to ask some important questions about what it is doing to secure the sensitive information since it has been hit three times in the past few months. 

“At a certain point, they are advertising to the world that they are an easy target and can look forward to more frequent and serious attacks,” Bambenek added.

Carnival Cruise Line is a multinational cruise line with its headquarters in Doral, Florida. It is a division of Carnival Corporation & plc. The corporation operates several of the largest cruise lines, including the Princess Cruises and Carnival Cruise Line. 

Operations of the LockBit Ransomware Group: A Quick Look

 

Researchers have investigated on how LockBit, one of the more recent ransomware organisations, operates. 

As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection. 

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches. 

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also utilised to attack vulnerable systems, including Fortinet VPN vulnerabilities on victim machine that have not been fixed. As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform. 

After that, a LockBit sample is manually installed, and files are encrypted using an AES key that is generated. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a.onion website address where decryption software can be purchased. The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded. 

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing. 

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim." 

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.

Extortion Emails by Bogus DarkSide Gang Targets Energy and Food Industry

 

In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide Ransomware campaign. The Darkside ransomware attack first hit business networks in August 2020, asking millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data. 

Following the ransomware gang's attack on the Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law officials, DarkSide abruptly shut down its operations in May for fear of being arrested. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has been targeting a few targets every day since then. Threatening emails were sent to the generic email accounts of a few firms. For each target, the Bitcoin wallet at the bottom of the email is the same. None of the aforementioned wallets have received or sent any Bitcoin payments. There has been no actual attack linked to the emails, and no new targets have been discovered. 

The researchers discovered that the same attacker had filled contact forms on many companies' websites in addition to sending targeted emails to them. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.

The Polish Prime Minister asked the Sejm to hold a closed meeting on cyber attacks

 The lower house of the bicameral parliament of Poland (Sejm) will hold a closed session on hacking attacks against representatives of the country's authorities on Wednesday. This was announced on Tuesday at a briefing by the official representative of the Government of the republic, Peter Muller.

"The Prime Minister [Mateusz Morawiecki] asked the Speaker of the Sejm, Elzbieta Witek, to organize a meeting of the chamber in closed mode, so that the government could inform about the cyber attacks that were aimed at Poland," he informed, stressing that during the meeting, the deputies will be acquainted with the classified data.

"Recently, we have been the target of an unprecedented cyber attack aimed at Poland, at Polish institutions, at individual email users," said Muller.

Witek has already confirmed that a closed meeting on the topic of cyber attacks will be held on Wednesday. "We will listen to the Prime Minister's explanations and information," she informed journalists.

On June 9, the head of the office of the head of the Polish government, responsible for the implementation of the National Vaccination Program, Michal Dvorczyk, said that he was attacked by hackers. E-mail and social media pages belonging to him and his wife were hacked. In a statement, the politician suggested that Russian-speaking hackers were involved in the attack, as the information was published in the Russian social network Telegram. The incident is being investigated by the Polish special services and the prosecutor's office.

On Tuesday, Radoslaw Vogel, deputy press secretary of the Poland's ruling conservative Law and Justice (PiS), said that"today someone made an attempt to get data from parliamentary emails." "Anyone can be under threat, there is a constant arms race in matters of online security," he wrote on Twitter.

In addition, on June 11, the UK accused Russia of aiding cyberattacks and called on the G7 to unanimously oppose such acts.

Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks

 

On Thursday, researchers at email and collaboration security firm Avanan revealed that attackers are using standard tools within Google Docs/Drive that delivers malicious links aimed at stealing victims’ credentials. 

In a blog post, Avanan said attackers are bypassing link scanners and are dodging common security protections that aim to verify the links sent via email. Jeremy Fuchs, marketing content manager at Avanan, said this is the first time they have seen hackers employing these types of attacks through a Google-hosted document service. Usually, attackers lure their victims to a legitimate website before exploiting a particular website. 

According to the report published by Trend Micro, phishing remains the top threat vector in today's cybercrime scene. Of the 62.6 billion cyber-threats analyzed by Trend Micro last year, over 91% were sent via email. Previously, attackers have used the attack vector in smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan. 

According to researchers, once the hacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The hackers then use the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the “View Document” button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a “Log in” button.

 “Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials. Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform, they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate,” said Hank Schless, senior manager, security solutions at Lookout.