A new Android banking malware named MaliBot has been discovered by cybersecurity researchers. The malware poses as a cryptocurrency mining app or the Chrome web browser to target users in Spain and Italy.

MaliBot focuses on stealing financial information, like e-banking credentials, crypto wallet passwords, and sensitive personal details. It is also capable of snatching two-factor authentication codes from notifications.

The malware was discovered by analysts at F5 Labs, who wrote a report with their findings. The report noted that the new malware is currently using multiple distribution channels, likely aiming to cover the gap in the market created by the shutdown of the FluBot operation.

MaliBot’s command and control server is based in Russia. Its IP has been associated with several malware distribution campaigns since June 2020.

The distribution of the malware takes place via websites that promote cryptocurrency applications in the form of APKs that victims download and install manually.

The sites pushing these files are clones of real projects like TheCryptoApp, which already has over a million downloads on the Google Play Store.

In another campaign, the malware is published as an app called Mining X. In this campaign victims are tricked into scanning a QR code to download the malicious APK file.

MaliBot operators also use SMS phishing (smishing) messages to distribute their payloads to a list of telephone numbers determined by the C2. These messages are sent from a compromised device abusing the “send SMS” permission.

The malware is a powerful trojan that secures accessibility and launcher permissions upon installation and then grants itself additional rights on the device.

MaliBot can intercept notifications, calls, SMS, capture screenshots, register boot activities, and give its operators remote control capabilities via a VNC system.

VNC allows the operators to navigate between screens, scroll, take screenshots, copy content, perform long presses, and so on.

To evade MFA protections, it abuses the Accessibility API to click on confirmation prompts regarding suspicious login attempts, sends the OTP to the C2, and fills it out automatically.

Additionally, the malware can steal MFA codes from Google Authenticator and perform this action on-demand.

MaliBot retrieves a list of installed apps to determine which banks are used by the victim to fetch the matching overlays/injections from the C2.

The analysts have seen unimplemented features in the code of MaliBot, like the detection of emulated environments that could be used to evade analysis.

This shows that development is active, and new versions of MaliBot are expected to enter circulation soon.

At present, MaliBot loads overlays that target Italian and Spanish banks. There are fears that it could expand by adding more injections.

The post New MaliBot Android Banking Malware Poses as Cryptocurrency Mining App appeared first on IT Security Guru.

Cybersecurity researchers from Dr. Web claim to have spotted numerous apps on the Google Play Store in May with adware and information-stealing malware built in.

According to the report, the most dangerous of these apps features spyware tools capable of stealing information from other apps’ notifications, mainly to capture one-time passwords (OTPs) used for two-factor authentication (2FA) and take over accounts.

Three of these apps remain online; the rest of the apps allegedly containing malicious code have been removed from the Play Store.

One of the remaining apps is PIP Pic Camera Photo Editor. This is a malicious app with over a million downloads that reportedly steals people’s Facebook credentials.

Dr. Web also lists Wild & Exotic Animal Wallpaper, an adware app that currently has 500,000 downloads and which changed its name to SIM Tool Kit after installation. Another is Magnifier Flashlight.

Looking back over the month of May, Dr. Web researchers said that while apps stealing other apps’ notifications content had decreased, the activity of advertising trojans had increased throughout the month.

The report states, “in May, Android.Spy.4498, which steals information from other apps’ notifications, was again the most common mobile threat.”

“That said, its activity continued to decrease. Advertisement trojans from the Android.HiddenAds family also remained among the most widespread Android threats. Their activity, on the contrary, increased slightly compared to April.”

The report also brought attention to the presence of new malicious applications emerging on Google Play.

“Among them are fraudulent apps from the Android.FakeApp family and Android.Subscription trojans that subscribe users to paid services. Above that, new variants of trojans from Android.PWS.Facebook family were revealed.”

The report comes within days of Google publishing its monthly Android security bulletin, which outlined fixes for a large number of critical vulnerabilities.

The post Several Data-Stealing Apps Remain on Google Play Store According to Cybersecurity Researchers appeared first on IT Security Guru.

‘Blue Mockingbird’, a threat actor, targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.

The attacker leverages CVE-2019-18935, a critical-severity (CVSS v3.1: 9.8) deserialisation flaw that leads to remote code execution in the Telerik UI library for ASP.NET AJAX.

In May 2020, the same threat actor was observed targeting vulnerable Microsoft IIS Servers that used Telerik UI.

Sophos researchers reported this week that, according to their detection data, Blue Mockingbird is still using the same flaw to launch cyberattacks.

To exploit CVE-2019-18935, the attackers require the encryption keys that protect Telerik UI’s serialisation on the target. This information can be obtained by using CVE-2017-11317 and CVE-2017-11357 or by exploiting another vulnerability in the target web app.

Many web apps were projects that embedded whichever Telerik UI framework version was available at the time of development and were then forgotten about or discontinued. This means that there are still valid targets available for exploitation.

Once the keys are acquired, the attackers can compile a malicious DLL containing the code to be executed during deserialisation and run it within the context of the ‘w3wp.exe’ process.

Sophos spotted that Blue Mockingbird employs a readily available proof-of-concept (PoC) exploit, which automates the DLL compilation and handles the encryption logic.

The payload used in the recent attacks is a Cobalt Strike beacon, a legitimate penetration testing tool Blue Mockingbird abuses for executing encoded PowerShell commands.

Persistence is established via Active Directory Group Policy Objects (GPOs), which create scheduled tasks written in a new registry key containing base64-encoded PowerShell.

To evade Windows Defender detection while downloading and loading a Cobalt Strike DLL into memory, the script uses common AMSI-bypassing techniques.
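The persistence described above leaves a reviewable artefact: a scheduled task or registry value whose command line carries base64-encoded PowerShell. The following is an added example written for this page (not Sophos's tooling or anything from their report) of the check a defender would run over such records: find the encoded argument, decode it the way PowerShell does (base64 of UTF-16LE text) and flag keywords worth a closer look. The registry paths, the sample records and the keyword list are constructed assumptions; the `-EncodedCommand` flag and its UTF-16LE encoding are standard PowerShell behaviour.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc or -EncodedCommand followed by base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Keywords a reviewer would want highlighted in a decoded command (assumed list; extend as needed).
REVIEW_KEYWORDS = ("amsi", "downloadstring", "frombase64string", "-w hidden", "bypass")

# Constructed sample payload: a harmless Write-Host, encoded exactly as PowerShell expects.
SAMPLE_PLAINTEXT = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample registry/task records; the paths and values are hypothetical, not IoCs from the page.
SAMPLE_RECORDS = [
    r"HKLM\SOFTWARE\ExampleVendor\Updater  Command=C:\Windows\System32\cmd.exe /c echo ok",
    r"HKLM\SOFTWARE\ExampleVendor\Task1  Command=powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_B64,
    r"HKLM\SOFTWARE\ExampleVendor\Task2  Command=powershell.exe -enc " + "A" * 17,  # malformed base64
]


def decode_encoded_powershell(record: str):
    """Return the decoded script if the record carries an encoded PowerShell argument, else None."""
    match = ENCODED_FLAG.search(record)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / not valid UTF-16LE: treat as "nothing decodable" rather than crash.
        return None


def scan_records(records):
    """Decode every encoded PowerShell command found and note which review keywords appear
    in either the raw command line or the decoded script."""
    findings = []
    for index, record in enumerate(records):
        decoded = decode_encoded_powershell(record)
        if decoded is None:
            continue
        lowered = (record + " " + decoded).lower()
        hits = [kw for kw in REVIEW_KEYWORDS if kw in lowered]
        findings.append({"index": index, "decoded": decoded, "keywords": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Running the block decodes only the second record; the first has no encoded argument and the third carries a value that is not valid base64. The decoded text is what should be reviewed, since the base64 itself tells a reviewer nothing.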

The second-stage executable (‘crby26td.exe’) is an XMRig Miner, a standard open-source cryptocurrency miner used for mining Monero. Monero is one of the least traceable crypto coins.

This was the threat actor’s main goal in their 2020 campaign.

The deployment of Cobalt Strike opens the way to easy lateral movement within the compromised network, account takeover, data exfiltration, and deployment of more potent payloads.

The post Hackers Exploit Old Telerik Flaws to Deploy Cobalt Strike appeared first on IT Security Guru.

Microsoft issued its latest regular patch update round this week, fixing over 50 CVEs, including the zero-day bug “Follina.”

Officially named CVE-2022-30190, Follina, as reported last week, is being exploited in the wild by state-backed actors and the operators behind Qakbot, which has links to ransomware groups. It’s a remote code execution (RCE) bug affecting the popular utility Windows Support Diagnostic Tool (MSDT).

As well as patching Follina, Microsoft patched three other critical vulnerabilities this month.

CVE-2022-30126 is an RCE vulnerability in the Windows Network File System (NFS), impacting Windows Server 2012-2019.

CVE-2022-30139 is an RCE bug in Microsoft’s Lightweight Directory Access Protocol (LDAP) affecting Windows 10 and 11 and Windows Server 2016-2022.

The final patch was for CVE-2022-30163, an RCE bug in Windows Hyper-V.

Allan Liska, Recorded Future senior security architect, says: “According to Microsoft this is a complex vulnerability to exploit; however, successful exploitation would allow an attacker with access to a low-privileged guest Hyper-V instance to gain access to a Hyper-V host, giving them full access to the system.”

“This vulnerability impacts Windows 7 through 11 and Windows Server 2008 through 2016.”

The CEO of HighGround, Mark Lamb, said that firms have historically been slow to apply the fixes listed in Patch Tuesday unless the vulnerabilities listed receive a lot of publicity.

Many organisations have a problem with prioritising the vast number of CVEs according to business risk.

Lamb said, “companies should be diligent in approving and deploying patches on a weekly basis, if possible, because you don’t know what the next vulnerability is going to be and whether it could have been mitigated by consistent and diligent patching.”

“It’s also something that IT teams need to get stricter on with their users – there is always friction with users not wanting to be interrupted during the day, but in my opinion, this is something IT teams should be unwilling to compromise on.”

This July, Microsoft are switching to Windows Autopatch, a new managed service that aims to streamline the product update process for Windows 10/11 Enterprise E3 users with automated patching.

The post Microsoft Patch Fixes Follina Bug appeared first on IT Security Guru.

Technical details have emerged about a vulnerability affecting certain versions of the Zimbra email solution that hackers could exploit to steal logins without user interaction or authentication.

The security issue is currently being tracked as CVE-2022-27924 and impacts Zimbra releases 8.8.x and 9.x for both the open-source and commercial versions of the platform.

Since the 10th May, a fix has been published and made available in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is frequently used by organisations around the world that handle sensitive data, including those in government, educational, and financial sectors.

Researchers at SonarSource have written a report describing the flaw, which they summarised as “Memcached poisoning with an unauthenticated request.” Exploitation is possible via a CRLF injection into the username of Memcached lookups.

Memcached is an internal-service instance that stores key/value pairs for email accounts to improve Zimbra’s performance by reducing the number of HTTP requests to the Lookup Service. The service sets up and retrieves those pairs using a simple text-based protocol.

According to the researchers, a malicious actor could overwrite the IMAP route entries for a known username via a specially crafted HTTP request to the vulnerable Zimbra instance. When the real user logs in, the Nginx Proxy in Zimbra would forward all IMAP traffic to the attacker. This information would include credentials.

The report says: “usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk.”

“When the Mail client restarts or needs to re-connect, which can happen periodically, it will re-authenticate itself to the targeted Zimbra instance.”

Whilst there are ways to exploit the vulnerability without it, knowing the victims’ email addresses and which IMAP clients they use makes exploitation considerably easier.

Another exploitation technique allows bypassing the above step to steal credentials for any user with no interaction and without any knowledge about the Zimbra instance.

This is achieved through “response smuggling,” which leverages the use of a web-based client for Zimbra.

This way, an attacker could hijack the proxy connection of random users whose email addresses are unknown, generating no alert or requiring any interaction from the victim.

The findings were disclosed to Zimbra by SonarSource on 11th March 2022. A first patch was released on March 31st, although it was insufficient to fix the issue.

On 10th May, SonarSource addressed the issues via ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1, which create a SHA-256 hash of every Memcached key before it is sent to the server.

Because a SHA-256 hash cannot contain whitespace, no new lines can be created via CRLF injection, and so no poisoning attacks are possible on the patched versions.
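To make the fix concrete, here is an added example (written for this page, not Zimbra's or SonarSource's code) of the two key-building patterns side by side: one that embeds the user-controlled name directly in the memcached key, and one that hashes the key with SHA-256 first, as the patch does. A validity check for memcached text-protocol keys and a line counter show why the hashed form cannot be split into extra protocol lines. The `route:` prefix and the sample usernames are constructed assumptions, not Zimbra's real key layout; the 250-byte, no-whitespace key rule is memcached's own.

```python
import hashlib

MEMCACHED_MAX_KEY_LEN = 250  # limit imposed by the memcached text protocol

# Constructed inputs: a normal username and one carrying a CRLF sequence of the kind the
# SonarSource report describes (the injected text here is just a harmless marker line).
BENIGN_USER = "alice@example.com"
CRLF_USER = "alice@example.com\r\ninjected line\r\n"


def route_key_unsafe(username: str) -> str:
    """Vulnerable pattern: user-controlled text is embedded directly in the cache key.
    The 'route:' prefix is an assumed naming scheme, not Zimbra's real key layout."""
    return "route:" + username


def route_key_hashed(username: str) -> str:
    """Hardened pattern (the approach the patch takes): hash the key with SHA-256 so the
    string sent to memcached is always 64 hex characters, whatever the username contains."""
    return hashlib.sha256(("route:" + username).encode("utf-8")).hexdigest()


def is_valid_memcached_key(key: str) -> bool:
    """A memcached text-protocol key must be 1..250 bytes with no whitespace or control characters."""
    raw = key.encode("utf-8")
    if not 0 < len(raw) <= MEMCACHED_MAX_KEY_LEN:
        return False
    return not any(b <= 0x20 or b == 0x7F for b in raw)


def build_get_command(key: str) -> bytes:
    """The 'get' line as it would go onto the wire in the memcached text protocol."""
    return f"get {key}\r\n".encode("utf-8")


def protocol_line_count(payload: bytes) -> int:
    """How many non-empty lines the server would parse from the payload; one command should yield 1."""
    return sum(1 for line in payload.split(b"\r\n") if line)


if __name__ == "__main__":
    for label, builder in (("unsafe", route_key_unsafe), ("hashed", route_key_hashed)):
        key = builder(CRLF_USER)
        print(label, "valid key:", is_valid_memcached_key(key),
              "lines on the wire:", protocol_line_count(build_get_command(key)))
```

With the CRLF-bearing username, the unsafe builder produces a key that fails the validity check and turns one `get` into two protocol lines; the hashed builder yields a 64-character hex key that passes the check and always produces exactly one line, which is the property the patch relies on.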

Zimbra released ZCS 9.0.0 Patch 25 and ZCS 8.8.15 Patch 31 updates earlier this week with an update to OpenSSL 1.1.1n. Tracked as CVE-2022-0778, this addresses an infinite loop vulnerability causing a denial of service.

The post New Zimbra Bug Allows Data Stealing With No User Interaction appeared first on IT Security Guru.

A major new state-backed spear-phishing operation targeting multiple high-ranking Israeli and US officials has been uncovered by security researchers.

The campaign has been traced to the Iranian Phosphorus APT group, according to Check Point.

It has targeted former Israeli foreign minister and deputy Prime Minister Tzipi Livni, a former US ambassador to Israel, and a former major general in the Israeli Defence Forces (IDF). The attacks have been dated back to at least December 2021.

The attacker compromises the inbox of a frequent contact of the target and then hijacks an existing conversation between the two. They then open a new spoofed email address impersonating the same contact.

The attacker then attempts to continue the conversation, across multiple messages, using this spoofed address. Check Point noted that real documents are sometimes added to create a legitimate appearance.

In one case, Livni was contacted by the ‘retired IDF major general’ via his real email address and asked multiple times to click on a link and use her password to open the document. When she met him later on, he confirmed that he had never sent the email.

Check Point threat intelligence group manager Sergey Shykevich said: “We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal to steal their personal information, passport scans, and steal access to their mail accounts.”

“The most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations of well-known contacts of the targets and specific lures for each target. The operation implements a highly targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in the nation state cyber-attacks.”

In 2019, Microsoft claimed to have disrupted the Phosphorus group (also known as APT35 and Charming Kitten) after a court order allowed it to take control of 99 phishing domains used by the group.

The post New Iranian Spear-Phishing Campaign Hijacks Email Conversations appeared first on IT Security Guru.

The New York City Fire Department (FDNY) said it’s aiming to build a digital firewall to protect the city’s emergency workers from cyber-attacks.

The request was published in the City Record and called for consultant services “for the development and implementation of protective strategies to address the cyber-threat of doxxing and to provide resiliency for the security of personal information.”

These include the development of a training programme for agents who regularly interact with the public, as well as anti-hack software.

The request says: “The service should provide real time threat mitigation and recovery capabilities in the event of access to and misappropriation of personally identifiable data during the course of official duties as a member of the FDNY.”

According to the New York Post, which spoke with FDNY spokesman Frank Dwyer, the move was preventative and not motivated by a particular attack.

The FDNY department database currently includes the personal information of over 15,000 emergency responders, as well as patient data and the details of retirees.

Those records are usually kept to be shared with hospitals, health insurers and the federal Medicare system to allow the FDNY to submit reimbursement claims for a range of patient transport expenses and medical supplies.

The creation of a reliable cybersecurity infrastructure could substantially aid efforts against malicious actors, given that data-in-transit is also usually more vulnerable than data-at-rest.

The post FDNY Building Digital Firewall to Protect Emergency Workers From Cyber Attacks appeared first on IT Security Guru.

BlackCat, the ALPHV ransomware gang, has created a website that allows customers and employees of their victims to check if their data was stolen in an attack.

Ransomware gangs typically quietly steal corporate data and harvest everything of value. After they’ve done this, the threat actor starts to encrypt devices.

The hackers then, in a double-extortion scheme, demand a ransom payment to deliver a decryptor and prevent public release of corporate data.

Ransomware gangs create data leak sites to pressure victims into paying.

These extortion techniques do not always work though. Some companies simply decide not to pay, despite risk of corporate, customer, and employee data being released.

Due to this, ransomware gangs evolve their tactics to apply additional pressure on their victims.

Yesterday, the AlphV/BlackCat ransomware operation began releasing allegedly stolen data that they claim was stolen from a hotel and spa in Oregon.

The ransomware gang claims to have stolen 112GB of data, including information about 1,500 employees, in this attack.

The ransomware gang has created a dedicated website that allows customers and employees to check if their data was stolen during the attack. On this site anyone can see information about hotel guests, employees, and other sensitive data. Traditionally, data is leaked via Tor sites.

While the guest data only contains names, stay costs, and arrival date, the employee data is much more sensitive and includes things such as Social Security Numbers, date of birth, phone numbers, and email addresses.

The threat actors have also created “data packs” for each employee that contain files all about that person’s employment at the hotel.

The site is hosted on the clear web (publicly) and is indexable by search engines. This means that the exposed data will likely be added to search results, which could be even more harmful for victims.

The goal of the site is to get the resort to pay a ransom.

Brett Callow, security analyst at Emsisoft, discovered this new extortion strategy.

He said, to BleepingComputer, “Alphv is no doubt hoping that this tactic will increase the probability of them monetizing attacks. If companies know that information relating to their customers and employees will be made public in this manner, they may be more inclined to pay the demand to prevent it from happening – and to avoid potentially being hit with class action lawsuits.”

It is too early to tell whether or not it has been successful.

AlphV is believed to be a rebrand of the DarkSide/BlackMatter gang responsible for the attack on Colonial Pipeline, which brought these hacking groups to the media’s attention.

The ransomware gang has always been considered one of the top-tier ransomware operations. On the other hand, they’re also known for their crazy ideas that land them in trouble.

The post Ransomware Gang Develops New Website That Allows Victims To Search For Their Data appeared first on IT Security Guru.

UK law enforcement have shut down one of the country’s largest-ever drugs laboratories, thanks to the takedown of a popular encrypted comms service in 2020.

Before police cracked it two years ago, EncroChat was used by tens of thousands of criminals globally. Hundreds of arrests and several convictions have been made as a result.

The latest convictions were handed to Andrew Gurney, 51, of Quinton, Birmingham, and Keith Davis, 62, of Chalfont St Giles. Gurney received a six year and three month sentence and Davis was handed a five year and three month sentence at Kingston Crown Court on Friday.

Both helped run a massive drugs lab near Redditch, capable of producing 400kg of amphetamine per month. According to the National Crime Agency (NCA), this could be worth up to £10 million.

The NCA said that work started on converting a double garage into the drugs lab in March 2020, and it began producing drugs two months later. Gurney used his knowledge of plumbing and electrical installation to help with this part of the project. Davis was given training in chemistry in order to operate the site.

Initially, the gang bought the amphetamine precursor chemical benzyl methyl ketone (BMK) but then switched to making it themselves to increase profits.

NCA officers raided the site in Ullenhall Lane, Henley-in-Arden, Warwickshire, in April 2021, although they were forced to wait several hours before entering due to the hazardous chemicals inside.

The alleged ringleader John Keet, 41, of Chalfont St Giles, is due to be sentenced in August. Elliott Walker, 49, of Kidbrooke, purchased specialist equipment for the lab and was sentenced to six years in jail last December.

These convictions are the latest to come from the NCA’s Operation Venetic, which is based on intel gathered from messages on EncroChat.

The post Two Convicted in Major Drugs Bust Discovered by Police on EncroChat appeared first on IT Security Guru.

Emotet malware has deployed a new module that is designed to steal credit card information stored in the Chrome web browser.

Exclusively targeting Chrome, the module has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to Proofpoint. The enterprise security company discovered the component on the 6th June.

Emotet activity has seen a spike following a 10-month-long absence after its infrastructure was attacked by law enforcement in January 2021.

This malware is an advanced, self-propagating and modular trojan delivered via email campaigns. It’s linked to a threat actor known as TA542 (Mummy Spider or Gold Crestwood). Earlier this year, it was found to be the most popular malware. The growth is driven by phishing emails and mass-scale spam campaigns.

ESET said that detections jumped 100-fold (a growth of 11,000%) during the first four months of the year compared to September to December 2021. The biggest wave was recorded on 16th March 2022.

Dušan Lacika, senior detection engineer at ESET, said: “the size of Emotet’s latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March.”

“This suggests that the operators are only using a fraction of the botnet’s potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros.”

Researchers from CyberArk also showed a new technique to extract plaintext credentials from memory in Chromium-based web browsers.

Zeev Ben Porat from CyberArk said, “credential data is stored in Chrome’s memory in cleartext format… In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager.”

The post New Emotet Malware Targets Chrome Users Card Information appeared first on IT Security Guru.