Here is a rundown of news and events that happened over the week.
Chinese App Uses Android Flaw To Spy On Users, CISA Warns
The US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until May 4 to patch an Android zero-day vulnerability that malicious versions of an e-commerce app exploited to spy on users. CVE-2023-20963 was added to CISA’s Known Exploited Vulnerabilities catalog late last week. Google patched the high-severity issue last month after “limited, focused exploitation.” Malicious Android apps of this kind have reportedly been offered on darknet markets for more than $20,000. CISA said the flaw, in the Android Framework, lets attackers escalate privileges on vulnerable devices without any user interaction.
Last month, Lookout found rogue Pinduoduo Android apps exploiting the flaw (CVSS 7.8). The apps were two versions of the popular Chinese e-commerce app distributed through third-party app stores. Researchers warned that the apps could give threat actors remote control of millions of devices, steal data, and install further malware. Over 750 million people shop on Pinduoduo each month. The company denies the software is harmful, even though researchers found the two apps were signed with an official key. Google has temporarily suspended Pinduoduo from the Play Store. Read more
Google Uncovers “APT41” Tools Targeting Media And Job Sites
Google’s Threat Analysis Group (TAG) has observed a Chinese state-backed actor using Google Command and Control (GC2), an open-source red-teaming tool, against an obscure Taiwanese media company. TAG attributes the activity to HOODOO, also tracked as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. Phishing emails lead victims to password-protected files hosted on Google Drive; those files contain the GC2 tool, which reads its commands from Google Sheets and exfiltrates data to Google Drive.
Google says the same tool was used against an Italian job search website in July 2022. Google highlights two trends. First, Chinese threat groups increasingly use publicly available tools such as Cobalt Strike and GC2 to complicate attribution. Second, malware and tools written in Go are gaining popularity because of their modularity and cross-platform support. Google cautioned that both cybercriminals and government-backed actors target cloud services, “either as hosts for malware or supplying the infrastructure for command-and-control (C2),” because of their “undeniable value.” Google also observed Ursnif (Gozi) and DICELOADER (Lizard or Tirion) delivered as ZIP archives hosted on Google Drive in phishing attacks. Read more
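One way to hunt for the GC2 pattern described above (commands pulled from Google Sheets, data pushed to Google Drive) in web-proxy logs. This is an added example, not code from Google TAG or the GC2 project. It flags internal hosts that call the Sheets and Drive APIs with a non-browser User-Agent; GC2 is written in Go, and Go’s net/http client sends “Go-http-client/1.1” unless the program overrides it, so the example assumes the operator’s build kept that default (an assumption for illustration, not a fact from the report). The log lines are constructed, not real traffic.

```python
"""
Hunting for GC2-style command-and-control over Google Workspace APIs.

Added example, not code from Google TAG or from the GC2 project. It scans
web-proxy records for internal hosts that call the Google Sheets and Drive
APIs with a non-browser User-Agent. Assumption: the GC2 build left Go's
default "Go-http-client/1.1" User-Agent in place. The proxy log lines
below are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed proxy records:
#   <timestamp> <client_ip> <method> <host><path> <status> "<user-agent>"
SAMPLE_LOG = """\
2023-04-14T09:01:02Z 10.1.4.22 GET sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200 "Go-http-client/1.1"
2023-04-14T09:01:09Z 10.1.4.22 POST www.googleapis.com/upload/drive/v3/files?uploadType=multipart 200 "Go-http-client/1.1"
2023-04-14T09:01:15Z 10.1.4.22 GET sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:B20 200 "Go-http-client/1.1"
2023-04-14T09:02:30Z 10.1.7.31 GET docs.google.com/spreadsheets/d/1XyZ/edit 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0.0.0 Safari/537.36"
2023-04-14T09:03:11Z 10.1.7.31 GET sheets.googleapis.com/v4/spreadsheets/1XyZ/values/A1 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0.0.0 Safari/537.36"
2023-04-14T09:05:00Z 10.1.9.8 GET www.googleapis.com/drive/v3/files 200 "python-requests/2.28.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

SHEETS_HOST = "sheets.googleapis.com"
DRIVE_PREFIXES = ("/drive/", "/upload/drive/")


def is_browser(user_agent: str) -> bool:
    """Mainstream browser UAs start with 'Mozilla/'; anything else is a script or tool."""
    return user_agent.startswith("Mozilla/")


def classify(host: str, path: str) -> Optional[str]:
    """Return 'sheets', 'drive', or None for a request to a Google API endpoint."""
    if host == SHEETS_HOST:
        return "sheets"
    if host == "www.googleapis.com" and path.startswith(DRIVE_PREFIXES):
        return "drive"
    return None


def hunt(log_text: str) -> List[Dict]:
    """One finding per client that uses the Sheets/Drive APIs from a non-browser agent.

    'high' = the host both read Sheets (command channel) and touched Drive
    (staging/exfiltration), the combination TAG described for GC2;
    'low'  = only one of the two was seen.
    """
    per_client = defaultdict(lambda: {"sheets": 0, "drive": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort the hunt
        _ts, client, _method, url, _status, ua = m.groups()
        host, _, path = url.partition("/")
        kind = classify(host, "/" + path)
        if kind is None or is_browser(ua):
            continue
        per_client[client][kind] += 1
        per_client[client]["agents"].add(ua)

    findings = []
    for client, c in per_client.items():
        severity = "high" if c["sheets"] and c["drive"] else "low"
        findings.append({
            "client": client,
            "severity": severity,
            "sheets_reads": c["sheets"],
            "drive_ops": c["drive"],
            "agents": sorted(c["agents"]),
        })
    # Highest severity first, then by volume of API calls
    findings.sort(key=lambda f: (f["severity"] != "high",
                                 -(f["sheets_reads"] + f["drive_ops"])))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['client']:<12} sheets={f['sheets_reads']} "
              f"drive={f['drive_ops']} agents={f['agents']}")
```

The User-Agent test is a heuristic: a build that spoofs a browser agent will slip past it, so in practice pair it with volume and periodicity of Sheets reads from a single host, which is what turns a polling command channel into a signal.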
NCR Datacenter Affected By Massive Ransomware Attack
In an April 12 status report, NCR said a datacenter outage had disrupted a small number of ancillary Aloha applications used by its hospitality customers. Aloha Point of Sale (POS) handles payments for restaurants. On April 13 the company attributed the disruption to malware. “After learning of this development, we contacted customers, recruited cybersecurity specialists, and began an investigation,” NCR said. “Law enforcement was informed,” it added.
The BlackCat ransomware gang claimed responsibility on its Tor-based data leak site, but the entry was later deleted. “We’re working hard to restore full service to our clients. As we work toward full restoration, we provide dedicated support and solutions to keep our clients operational,” the company said. Affected restaurants could still serve customers, though some functionality was limited. The company said on-premises infrastructure and payment applications were unaffected. Read more
Apple MacOS Devices Now Subject Of LockBit Ransomware
Newly discovered LockBit ransomware artifacts can encrypt files on macOS. MalwareHunterTeam reported the discovery over the weekend; it appears to be the first macOS payload from a major ransomware gang. Samples shared by vx-underground indicate the macOS variant has been available since November 11, 2022, and anti-malware engines have yet to detect it.
LockBit, a notorious cybercrime gang with Russian ties, has been active since 2019. The threat actors released two major locker upgrades between 2021 and 2022. Last week, Malwarebytes reported that LockBit displaced Cl0p as the second most common ransomware in March 2023, with 93 successful attacks. An examination of the macOS build (“locker_Apple_M1_64”) indicates it is still in development and is signed with an invalid signature, so Apple’s Gatekeeper protections will block it from running even if it is downloaded and launched. Read more
Phishing Operations Escalating As Threat Actors Utilize AI Tools
Zscaler’s ThreatLabz research team found that fraudsters are launching more sophisticated phishing attacks with the help of generative AI tools such as OpenAI’s ChatGPT. After analyzing 280 billion daily transactions and 8 billion blocked attacks in 2022, the team found a nearly 50% increase in phishing attacks compared with 2021. The most targeted industries in 2022 were government, banking, insurance, and education, and the US, UK, Netherlands, Russia, and Canada were the top five targeted countries. Microsoft, Binance, Netflix, Facebook, and Adobe were the most frequently imitated brands, according to the report.
Because AI-generated lures are harder to detect and block, these campaigns are more likely to fool victims. The report also notes an increase in vishing and in recruitment scams targeting job seekers. Zscaler expects threat actors to use AI more often to identify new phishing targets, and predicts more sophisticated web, SMS, and email scams as criminals use AI to orchestrate attacks against larger populations. Read more
Goldoson Malware Hits 100 Million Downloads On Google Play Store
A new Android malware outbreak, Goldoson, has been found in over 60 legitimate Google Play Store apps with a combined 100 million downloads; ONE store, a major South Korean third-party app marketplace, accounts for a further eight million installations. The malicious component is part of a third-party library used by the apps and can collect lists of installed apps, Wi-Fi and Bluetooth device information, and GPS locations.
Separately, Cyble disclosed Chameleon, an Android banking trojan that has targeted users in Australia and Poland since January 2023. Like earlier banking malware, it abuses Android’s accessibility services to steal passwords and cookies, log keystrokes, prevent its own uninstallation, and more. It also intercepts SMS messages, displays rogue overlays on top of a list of targeted apps, and contains an as-yet-unused function to download and execute a further payload. Read more
Google Chrome Hit By Second Zero-Day Attack, Urgent Patch Update Released
On Tuesday, Google released emergency fixes for another actively exploited, high-severity Chrome zero-day. CVE-2023-2136 is an integer overflow in Skia, Chrome’s 2D graphics library. Clément Lecigne of Google’s Threat Analysis Group (TAG) reported the issue on April 12, 2023.
The update, which also fixes seven other security flaws, comes with Google’s standard statement that it is aware of in-the-wild exploitation but without technical details, to limit further abuse. It is the second Chrome zero-day exploited in a week, after Google patched CVE-2023-2033 last week; the two may have been chained in the same attacks. Users should upgrade to version 112.0.5615.137 to stay protected. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes as they become available. Read more
Warning From UK Cyber Agency For A New ‘Class’ Of Russian Hackers
On Wednesday, the UK government’s cyber defence agency warned of a growing threat to Western critical national infrastructure from hackers sympathetic to Russia and its war on Ukraine. Russia-aligned “hacktivists” have defaced or taken down a number of high-profile public websites. The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, warned that some of those groups are actively preparing to cause further, physical damage, and that some want to disrupt Western critical national infrastructure, particularly in the UK.
The alert, issued during a two-day NCSC-GCHQ conference in Belfast, noted that “we expect these organizations to hunt for ways to create such an impact, especially if systems are not well protected.” Although ideologically motivated and aligned with Russian state aims, these groups are “not subject to formal official oversight,” the report noted. An attack on critical infrastructure such as the energy grid or water supply could be devastating. The NCSC warned that hacktivist groups “may become more effective over time,” while judging such attacks “unlikely” without outside help. Read more
Raspberry Robin Adopts New Evasion Techniques
As malware like Raspberry Robin keeps adding new evasion techniques, organizations must stay vigilant in the face of evolving cyber threats. That means prioritizing security by investing in up-to-date security tooling, staff training, and regular security assessments.
Organizations should also share threat intelligence and develop new defenses with the wider security community to keep pace with a constantly changing threat landscape. By working together and acting proactively, organizations can defend their systems and data against threats like Raspberry Robin. Read more
Daggerfly Cyberattack Campaign Strikes African Telecom Providers
The Daggerfly cyberattack campaign against African telecommunications providers has drawn the attention of the security community. Discovered by security researchers in early April 2023, the campaign is considered one of the more dangerous recent operations because of the damage it has caused to several organizations.
The attackers used advanced tactics to break into several companies’ networks, stealing sensitive data and causing significant harm. The campaign relies on spear-phishing, social engineering, and zero-day vulnerabilities to compromise its targets; once inside, the attackers deploy malware and other tools to steal data and launch further attacks. Targets may include critical infrastructure and intellectual property, and espionage appears to be a likely motive. Read more
New Ransomware Attack Hits Health Insurer Point32Health
A ransomware attack this week forced Point32Health, a nonprofit health insurer, to take its systems offline. Formed by the 2021 merger of Harvard Pilgrim Health Care and Tufts Health Plan, Point32Health is Massachusetts’ second-largest health insurer, covering over 2 million people. The company said it was hit by ransomware on April 17 and had to shut down the affected systems. Point32Health said the attack affected the systems it uses “to service members, accounts, brokers, and providers,” most of which relate to Harvard Pilgrim Health Care.
Harvard Pilgrim Health Care announced on Facebook this week that its website and communications are down. “Our website and phone lines are having issues,” the post said, and the group apologized to members. The company says it is investigating whether the attack exposed personal data. Point32Health says Harvard Pilgrim Health Care serves 1.1 million people, but it has not said how many people were affected by the incident. Read more.
Cisco and VMware Issues Security Updates For Critical Flaws
Cisco Systems has released patches for several vulnerabilities in its products that attackers could exploit. The most severe, CVE-2023-20036, is a critical command injection bug in the web UI component of Cisco Industrial Network Director, caused by insufficient input validation when uploading a Device Pack. Cisco also fixed CVE-2023-20039, a medium-severity vulnerability in the same product that could let a local attacker view sensitive data.
Cisco Credits External Researcher For Reporting Two Issues
Both Cisco Industrial Network Director vulnerabilities were reported by an anonymous external researcher, who found them during a security audit. Attackers could exploit the flaws to run arbitrary code on affected systems. Read more
GhostToken GCP Bug Gives Entry To Attackers Into Google Accounts
A Google Cloud Platform (GCP) vulnerability could have let attackers turn a malicious OAuth application into a hidden, unremovable backdoor to any Google account. Dubbed GhostToken, it allowed an attacker to conceal the malicious application from the victim’s Google account while still using its tokens to access the victim’s data. Astrix, an app-to-app security company, discovered the issue last June while examining what happens to OAuth clients, which belong to GCP projects, when their project is deleted. A deleted GCP project enters a “pending deletion” state for 30 days, during which its owner can restore it.
While a project is pending deletion, its OAuth application disappears from the Google account’s application management page, so the user can neither see nor revoke it, even though the application’s authorization still exists. Token requests during that time fail with an error saying the client was deleted, but Astrix found that restoring a project from “pending deletion” reactivates the refresh token created when the user originally authorized the application. An attacker could therefore have a victim authorize a malicious OAuth app, delete the project to hide it, restore the project whenever they wanted to exchange the refresh token for a fresh access token, and delete it again afterwards so the victim could never uninstall it. Read more.
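The failure mode described above, modeled as an added example in a small in-memory OAuth authorization server. This is not Google’s or Astrix’s code; the classes, names and token formats are hypothetical. Run with `revoke_on_delete=False` the model reproduces GhostToken (the grant vanishes from the user’s app list but its refresh token only sleeps until the project is restored); run with `revoke_on_delete=True` it shows the property a fix must have, that soft-deleting a project permanently revokes the grants its clients hold.

```python
"""
Model of the GhostToken failure mode in a toy OAuth authorization server.

Added example; not Google's or Astrix's code, and every name here is
hypothetical. Clients belong to projects; projects can be soft-deleted
("pending deletion") and restored. revoke_on_delete=False reproduces the
bug, revoke_on_delete=True shows the fix.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Project:
    project_id: str
    pending_deletion: bool = False


@dataclass
class Grant:
    user: str
    project_id: str
    refresh_token: str
    revoked: bool = False


class AuthServer:
    def __init__(self, revoke_on_delete: bool) -> None:
        self.revoke_on_delete = revoke_on_delete
        self.projects: Dict[str, Project] = {}
        self.grants: List[Grant] = []

    # --- developer-side (cloud console) operations ---------------------
    def register_project(self, project_id: str) -> None:
        self.projects[project_id] = Project(project_id)

    def delete_project(self, project_id: str) -> None:
        """Soft delete: the project sits in 'pending deletion' and can be restored."""
        self.projects[project_id].pending_deletion = True
        if self.revoke_on_delete:
            for g in self.grants:
                if g.project_id == project_id:
                    g.revoked = True  # fix: deletion kills the grant for good

    def restore_project(self, project_id: str) -> None:
        self.projects[project_id].pending_deletion = False

    # --- user-side operations ------------------------------------------
    def authorize(self, user: str, project_id: str) -> str:
        """User consents to the client; a long-lived refresh token is issued."""
        grant = Grant(user, project_id, secrets.token_urlsafe(16))
        self.grants.append(grant)
        return grant.refresh_token

    def list_user_apps(self, user: str) -> List[str]:
        """The 'apps with access to your account' page.

        Pending-deletion clients are filtered out; with the buggy setting
        that is exactly what hides the backdoor from the victim.
        """
        return sorted(
            g.project_id for g in self.grants
            if g.user == user and not g.revoked
            and not self.projects[g.project_id].pending_deletion
        )

    def revoke_user_app(self, user: str, project_id: str) -> bool:
        """User removes an app; only possible for apps the page actually lists."""
        if project_id not in self.list_user_apps(user):
            return False
        for g in self.grants:
            if g.user == user and g.project_id == project_id:
                g.revoked = True
        return True

    # --- token endpoint ------------------------------------------------
    def exchange_refresh_token(self, refresh_token: str) -> Optional[str]:
        """Return a fresh access token, or None (the 'client deleted' error)."""
        for g in self.grants:
            if g.refresh_token == refresh_token:
                if g.revoked or self.projects[g.project_id].pending_deletion:
                    return None
                return "ya29." + secrets.token_hex(8)  # fake access token
        return None


def ghosttoken_scenario(server: AuthServer) -> Dict[str, bool]:
    """Attacker loop: hide the app, restore it to use the token, hide it again."""
    victim = "victim@example.com"
    server.register_project("attacker-app")
    rt = server.authorize(victim, "attacker-app")  # victim consents once

    server.delete_project("attacker-app")  # app vanishes from victim's page
    hidden = "attacker-app" not in server.list_user_apps(victim)
    victim_can_revoke = server.revoke_user_app(victim, "attacker-app")
    while_hidden = server.exchange_refresh_token(rt)  # fails: "client deleted"

    server.restore_project("attacker-app")  # wake the token up
    access = server.exchange_refresh_token(rt)
    server.delete_project("attacker-app")  # hide again

    return {
        "hidden_while_deleted": hidden,
        "victim_can_revoke": victim_can_revoke,
        "token_works_while_hidden": while_hidden is not None,
        "token_works_after_restore": access is not None,
    }


if __name__ == "__main__":
    print("buggy:", ghosttoken_scenario(AuthServer(revoke_on_delete=False)))
    print("fixed:", ghosttoken_scenario(AuthServer(revoke_on_delete=True)))
```

The model makes the design point explicit: a grant that is invisible to the user but still revivable is the bug, and the fix is to treat client or project deletion as a revocation event rather than a display filter. The real issue was in Google’s infrastructure, not in anything a Workspace user could configure.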
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.