2 December 2022

Cyber Security week in review: December 2, 2022

Samsung, LG, Mediatek certs used to sign Android malware

A number of Android OEM device vendors either were tricked into signing malware or had at least one of the platform keys used to sign their devices' core ROM images, which contain the Android OS and associated apps, compromised. Łukasz Siewierski, a Reverse Engineer on Google's Android Security team, has shared the SHA256 hashes of the malware samples and the signing certificates he discovered.

New DuckLogs malware service provides sophisticated features to threat actors

Security researchers have spotted a new Malware-as-a-Service called “DuckLogs” that offers low-skilled cyber criminals easy access to multiple modules for stealing users’ sensitive information, such as passwords, cookies, login data, browsing histories, crypto wallet details, etc. DuckLogs provides a sophisticated web panel that allows threat actors to perform several operations, such as building the malware binary, monitoring infections, and downloading victims’ stolen logs. According to the service’s web panel, over 2,000 threat actors are using the malicious platform and the current victim count is above 6,000.

New Schoolyard Bully Android trojan steals Facebook credentials

Mobile security firm Zimperium released a technical report on a new Android trojan dubbed “Schoolyard Bully,” which appears to be focused on stealing the credentials of Facebook users. Active since 2018, the malware is being spread via malicious applications disguised as legitimate educational apps. The apps, which were available for download from the official Google Play Store, have now been taken down, but are still available on third-party app stores. To date, the malicious campaign has affected more than 300,000 users across 71 countries.

Threat actors are selling access to networks breached via recently patched Fortinet vulnerability

At least one threat actor, operating on a Russian dark web forum, has begun selling access to multiple networks compromised via the Fortinet authentication bypass vulnerability (CVE-2022-40684) that impacts Fortinet FortiOS, FortiProxy, and FortiSwitchManager products. In October, proof-of-concept (PoC) exploit code was released for this bug. According to cybersecurity firm Cyble, there are over 100,000 FortiGate firewalls exposed to the internet.

Cuba ransomware gang stole $60M from at least 100 orgs across the globe

Operators behind the Cuba ransomware have extorted more than $60 million from over 100 entities worldwide between December 2021 and August 2022, according to a new joint security advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The two agencies said that their findings point to a possible link between the Cuba ransomware group, RomCom Remote Access Trojan (RAT) operators, and Industrial Spy ransomware actors.

The advisory also provides network defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.

Security researchers unintentionally crash the KmsdBot botnet

Akamai security researchers accidentally took down the KmsdBot cryptomining botnet while analyzing its capabilities. The researchers modified a recent sample of KmsdBot in order to test various scenarios related to its C&C functionality, and discovered that the malware lacks an error-checking mechanism to verify that received commands are properly formatted; a single malformed command was enough to deactivate the malware.

New Heliconia framework exploits n-day flaws in Chrome, Firefox and Microsoft Defender

Google’s Threat Analysis Group (TAG) has published details on a new exploit framework, which it believes was developed by Variston IT, a Barcelona-based company that claims to be a provider of custom security solutions.

Called “Heliconia,” the framework exploits n-day vulnerabilities in the Chrome and Firefox browsers, as well as in Microsoft Defender, that were fixed by Google, Mozilla and Microsoft in 2021 and 2022. The TAG team says that these bugs were likely used as zero-day vulnerabilities before they were fixed, although the researchers admitted that they did not find evidence to support this claim.

Chinese cyber spies are using USB devices to breach targets in Southeast Asia

A new cyber-espionage group focused on the Southeast Asian region is using novel self-replicating malware that is currently being spread via infected USB devices and could potentially collect information from air-gapped systems.

Tracked under the temporary moniker UNC4191, the group, believed to be operating out of China, has been observed targeting public and private sector entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. According to Google-owned Mandiant, the discovered artifacts suggest that the campaign has been ongoing since September 2021.

Spanish police dismantle cybercrime gang that stole €12M via fake banking sites

The Spanish National Police arrested six individuals in Madrid and Barcelona believed to be members of a cybercrime group that has defrauded over €12 million from more than 300 victims across Europe.

The malicious operation involved several fraudulent websites disguised as legitimate bank and cryptocurrency investment portals used to trick victims into making deposits, which were sent to the criminals’ bank accounts.

US Cyber Command shares details on its hunt forward operations in Ukraine

US Cyber Command has shared some details on the “hunt forward” missions it conducted in Ukraine before and after Russian troops crossed the country’s borders on February 24.

The Ukrainian mission, which lasted from December 2021 to March 2022 and which CYBERCOM described as the “largest hunt forward team” it deployed to date, consisted of US Navy and US Marine Corps operators who worked together with Ukrainian teams to hunt and detect potential threats on Ukrainian networks.

Bleed You campaign exploits Windows IKE RCE to deploy ransomware

Suspected Chinese hackers are trying to take advantage of a known remote code execution vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to deploy malware or carry out ransomware attacks.

The new campaign, dubbed “Bleed You” by Cyfirma researchers, is aimed at organizations in the retail, industrial conglomerate, government, financial services, IT services, and e-commerce sectors in the US, the UK, Australia, Canada, France, Germany, Turkey, Japan, India, the UAE, and Israel. Since September 2022, the threat actors have been targeting weak or vulnerable Windows OS and Windows Server installations, Windows protocols, and services.

Popular TikTok “Invisible Body” challenge used to spread malware

Hackers are using a trending TikTok challenge that has amassed millions of views to trick unsuspecting people into downloading malware onto their devices. The threat actors posted their own TikTok videos with links to fake software hosted on a Discord server. The software, called “unfilter,” claims to be able to remove the TikTok filter and expose people’s naked bodies, but actually installs the WASP stealer malware, which steals passwords, accounts and cryptocurrency.

Meta fined €265M over a massive 2021 Facebook data leak

Meta, the parent company of Facebook and Instagram, has been fined nearly €265 million by Ireland’s data privacy regulator for failing to prevent the massive 2021 Facebook data breach.

The Irish Data Protection Commission (DPC) launched its investigation into whether Facebook complied with Europe’s General Data Protection Regulation (GDPR) in April 2021, after the phone numbers and personal data of 533 million Facebook users were leaked on a hacker forum for free. At the time, Meta said the cyber thieves had obtained the information using a vulnerability that the company fixed in 2019, and that this was the same information involved in a prior leak reported in January 2021.

Ragnar Locker gang leaks data stolen from Belgium police

Threat actors behind the Ragnar Locker ransomware operation have published what they thought was data stolen from the municipality of Zwijndrecht, but the data actually belonged to Zwijndrecht police, a police department in Antwerp, Belgium.

The leaked data reportedly contained thousands of car number plates, fines, crime report files, personnel details, investigation reports, and other information. According to local media that call the leak one of the biggest in the country’s public service history, the incident exposed all data kept by Zwijndrecht police from 2006 until September 2022.

Dell, HP, Lenovo devices are still using outdated OpenSSL versions

Devices made by Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library, potentially introducing risks to the UEFI firmware supply chain ecosystem. While analyzing Lenovo ThinkPad enterprise devices, the researchers found that they used different versions of OpenSSL within the same firmware image (0.9.8zb, 1.0.0a, and 1.0.2j), with the most recent OpenSSL version dating back to 2018. Moreover, one of the firmware modules, named InfineonTpmUpdateDxe, relied on OpenSSL version 0.9.8zb, which was released on August 4, 2014.

Furthermore, some of the firmware packages from Lenovo and Dell used an even older version (0.9.8l) released on November 5, 2009. HP's firmware code used a 10-year-old version of the library (0.9.8w).
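As an added example (not from the article or the research it summarizes), a Python scanner that pulls OpenSSL version banners out of a firmware blob and flags copies older than a chosen release. The sample blob is constructed; the banner format it assumes is the "OpenSSL x.y.z[suffix] d Mon yyyy" string the library compiles into its binaries.

```python
import re

# OpenSSL compiles a banner such as "OpenSSL 0.9.8zb 4 Aug 2014" into its
# binaries, so a firmware image that statically links the library carries one
# banner per embedded copy. The date group is optional so undated banners parse.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:\s+(\d{1,2} \w{3} \d{4}))?"
)

# Constructed sample blob: padding around a module name and three banners. The
# two dates are the ones the article quotes; 1.0.2j is left undated on purpose.
SAMPLE_FIRMWARE = (
    b"\x00" * 16
    + b"InfineonTpmUpdateDxe\x00"
    + b"OpenSSL 0.9.8zb 4 Aug 2014\x00"
    + b"\xff" * 32
    + b"OpenSSL 1.0.2j\x00"
    + b"\x00" * 8
    + b"OpenSSL 0.9.8l 5 Nov 2009\x00"
)

def version_key(major, minor, patch, suffix):
    # 0.9.8za..0.9.8zh were released after 0.9.8y, so suffix length sorts first.
    return (major, minor, patch, len(suffix), suffix)

def parse_version(text):
    # Turn a version string such as "1.0.2j" into a comparable key.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    return version_key(int(m[1]), int(m[2]), int(m[3]), m[4])

def find_openssl_versions(blob):
    # Every banner in blob, in file order, with its offset for later triage.
    found = []
    for m in BANNER_RE.finditer(blob):
        major, minor, patch = (int(x) for x in m.group(1, 2, 3))
        suffix = m.group(4).decode()
        found.append({
            "offset": m.start(),
            "version": f"{major}.{minor}.{patch}{suffix}",
            "key": version_key(major, minor, patch, suffix),
            "date": m.group(5).decode() if m.group(5) else None,
        })
    return found

def outdated_versions(blob, minimum):
    # Versions found in blob that sort below the minimum acceptable release.
    floor = parse_version(minimum)
    return [v["version"] for v in find_openssl_versions(blob) if v["key"] < floor]
```

Run `outdated_versions(open(path, "rb").read(), "1.1.1")` on a dumped firmware image to list embedded copies below the chosen floor; the offsets from `find_openssl_versions` help map each copy back to the module that carries it.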

Sandworm hackers target Ukraine with new RansomBoggs ransomware

Multiple organizations in Ukraine have been hit with a wave of attacks deploying a new ransomware strain called “RansomBoggs.” Researchers with cybersecurity firm ESET, who first detected the attacks, linked this new campaign to Sandworm, a Russia-based state-backed threat actor that has been increasingly targeting Ukrainian entities since the start of Russia’s invasion of the country.

First spotted on November 21, the RansomBoggs malware is written in .NET, and its “deployment is similar to previous attacks attributed to Sandworm.”

US, UK ban Chinese surveillance equipment over national security fears

The British government has forbidden the use of networking and surveillance equipment manufactured by Chinese companies on sensitive government sites due to potential information security issues.

In a similar move, the US authorities announced a ban on the import or sale of communications equipment deemed “an unacceptable risk to national security,” including devices from Chinese telecoms giants Huawei Technologies and ZTE.

5.4 million Twitter users' stolen data offered for free on hacker forum

More than 5.4 million Twitter user records containing data stolen via an API vulnerability fixed in January have been leaked for free on a cybercriminal forum. Furthermore, it appears that there may be another, even larger data dump, containing about 17 million Twitter users’ records obtained via the same vulnerability. The new dump allegedly contains information on tens of millions of Twitter users in the US and EU, including personal phone numbers as well as public information.
