Weekly cyber-facts in review 18/04/21

Weekly cyber-facts in review - Aiuken




Vulnerabilities In Review


Microsoft

This week Microsoft released its bundle of patches for its products. The batch fixes more than 100 vulnerabilities, 5 of which were made public before being patched. The releases also include fixes for 4 vulnerabilities under exploitation by advanced threat actors against Exchange servers.

Chromium

During Pwn2Own, a hacking event which took place last week in Texas (US), a critical vulnerability was found in Chromium-based browsers. The vulnerability allows remote code execution thanks to an issue in JavaScript libraries. The vulnerability is partly mitigated by the built-in sandbox. Even with that in place, security researchers managed to trigger XSS (Cross Site Scripting) attacks. So far, two exploits have been discovered.

Patches of the month

Along with Microsoft, SAP (Business Client, Commerce and NetWeaver) and Adobe (Photoshop, Bridge, Digital Editions and RoboHelp) released patches for multiple products. The patches tackle vulnerabilities which could allow an attacker to take control of the affected systems.

Vulnerabilities in NAS

9 vulnerabilities were made public and patched in Synology NAS devices. The vulnerabilities could allow an attacker to trigger remote code execution. At the same time, an authentication bypass vulnerability was found in QNAP Surveillance Station (software used by CCTV systems to store their recordings). The vulnerability allows an attacker to execute code.


Issues to keep in mind


The VPN siege

According to US agencies, the Russian Foreign Intelligence Service (SVR) is currently exploiting vulnerabilities in VPN devices as part of a cyber-espionage campaign.

The attack campaign consists of two phases: scanning and exploiting the following assets:

• Fortigate VPN

• Synacor Zimbra Collaboration Suite

• Pulse Connect Secure VPN

• Citrix Application Delivery Controller & Gateway

• VMware Workspace ONE Access

The scanning and exploitation of vulnerabilities in VPN devices can be the first phase of a cyberattack against any entity. With this action, the attacker seeks to establish an entry point into the victim's network. The objective is to get into the internal network or to obtain credentials that also grant access from other points, such as email or cloud infrastructure.

NAME:WRECK

Details of 9 vulnerabilities in the implementation of the DNS protocol in at least 4 TCP/IP stacks have been published.

The vulnerabilities allow remote code execution (RCE), denial of service (DoS) conditions, and name-to-IP table poisoning (DNS poisoning). All the vulnerabilities are found in the compression algorithms of DNS (Domain Name Service) requests carried over TCP/IP. These compression algorithms have errors in memory allocation, input validation or parsing of incoming packets. The four stacks identified as vulnerable are FreeBSD (v12.1), IPnet (VxWorks 6.6), NetX (v6.0.1) and Nucleus NET (v4.3). The highest-scoring vulnerability allows a stack overflow, which in turn allows code to be executed remotely.

An attacker could exploit these vulnerabilities to take control of systems, make network users access malicious sites, or prevent them from reaching resources on the internet by domain name.
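The bugs described above live in the code that expands DNS name compression. As an added illustration (not code from the newsletter or from any of the affected stacks), the Python parser below decodes a compressed name while enforcing the checks such code needs: every label must fit inside the message, every compression pointer must point strictly backwards, the expanded name must stay within 255 wire bytes, and pointer chasing is capped. The packets it runs on are constructed for the example.

```python
"""Bounded DNS name decompression (added example, not the newsletter's code).

Implements the name encoding of RFC 1035 section 4.1.4 with the bounds and
loop checks that the NAME:WRECK class of bugs is missing.  All sample
packets at the bottom are constructed for this example.
"""

MAX_NAME_LEN = 255       # RFC 1035 limit on the wire-format name, terminator included
MAX_POINTER_HOPS = 16    # belt-and-braces cap; the backwards rule already prevents loops


class DnsParseError(ValueError):
    """Raised for any malformed name instead of reading out of bounds."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the domain name at `offset` in DNS message `msg`.

    Returns (name, next_offset), where next_offset is the position just after
    the name in the original byte stream (after the first pointer, if any).
    """
    labels = []
    pos = offset
    next_offset = None      # fixed once we pass the first pointer or the terminator
    lowest_start = offset   # every pointer must jump strictly before this
    wire_len = 0            # bytes of the fully expanded name, for the 255 limit
    hops = 0

    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]

        if length == 0:                             # root label ends the name
            if next_offset is None:
                next_offset = pos + 1
            wire_len += 1
            if wire_len > MAX_NAME_LEN:
                raise DnsParseError("name longer than 255 bytes")
            return ".".join(labels), next_offset

        kind = length & 0xC0
        if kind == 0xC0:                            # 2-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if next_offset is None:
                next_offset = pos + 2
            # A valid pointer always refers to a name written earlier in the
            # message, so each hop must land before the previous segment start.
            # Self-pointers, forward pointers and A->B->A loops all fail here.
            if target >= lowest_start:
                raise DnsParseError("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsParseError("too many compression pointers")
            lowest_start = target
            pos = target
            continue

        if kind != 0x00:                            # 0x40 / 0x80 are reserved
            raise DnsParseError("reserved label type")

        # Ordinary label: length byte is 1..63, its data must fit in the message.
        if pos + 1 + length > len(msg):
            raise DnsParseError("label runs past end of message")
        wire_len += 1 + length
        if wire_len > MAX_NAME_LEN:
            raise DnsParseError("name longer than 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length


def classify(msg: bytes, offset: int = 0) -> str:
    """Return 'ok:<name>' or 'error:<reason>' for the name at `offset`."""
    try:
        name, _ = read_name(msg, offset)
        return f"ok:{name}"
    except DnsParseError as exc:
        return f"error:{exc}"


# Constructed samples.  SAMPLE_OK holds "example.com" at offset 0 and the
# compressed "www" + pointer-to-0 form of "www.example.com" at offset 13.
SAMPLE_OK = b"\x07example\x03com\x00" + b"\x03www\xc0\x00"
SAMPLE_SELF_POINTER = b"\xc0\x00"                       # pointer to itself
SAMPLE_LOOP = b"\x03abc\xc0\x00"                        # label, then pointer back to its own start
SAMPLE_TRUNCATED_LABEL = b"\x07exam"                    # claims 7 bytes, only 4 present
SAMPLE_TRUNCATED_POINTER = b"\x03www\xc0"               # pointer missing its second byte
SAMPLE_TOO_LONG = (b"\x3f" + b"a" * 63) * 4 + b"\x00"   # 4 x 64 = 256 bytes of labels

if __name__ == "__main__":
    for tag, pkt, off in [("ok", SAMPLE_OK, 13), ("self", SAMPLE_SELF_POINTER, 0),
                          ("loop", SAMPLE_LOOP, 0), ("label", SAMPLE_TRUNCATED_LABEL, 0),
                          ("pointer", SAMPLE_TRUNCATED_POINTER, 0), ("long", SAMPLE_TOO_LONG, 0)]:
        print(f"{tag:8s} {classify(pkt, off)}")
```

The "strictly backwards" rule is what makes the loop check cheap: a compliant encoder can only point at a name it has already written, so the chain of pointer targets must decrease monotonically, and any packet that breaks that rule is rejected before a single byte of it is copied.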


Phishing Campaigns in Review


International Phishing Campaigns

A recent phishing campaign attacking MS Office 365 is using a clever trick to evade detection

A new phishing campaign targeting MS Office 365 credentials has been identified using a trick to evade detection. It builds the fraudulent web page from chunks of HTML code stored locally and remotely. Inside, it hides JavaScript files that fetch the fake login interface and prompt the potential victim to type in the sensitive information.

A new phishing campaign impersonating Celsius has been identified attempting to steal cryptocurrency

Celsius Network is a cryptocurrency rewards platform. Celsius suffered a data breach via the compromise of a third-party marketing server. This data breach gave the attackers access to the customer list. These customers were then targeted by a phishing campaign impersonating Celsius, with which the attackers were trying to steal cryptocurrency.

Phishing campaign impersonating NFT marketplace is installing adware and cryptominers

Threat actors are trying to capitalize on NFT sales. To do so, attackers are typosquatting domain names impersonating the popular NFT site Rarible[.]com to lead victims to scams, malware and other unwanted content, such as cryptominers.

New phishing campaign luring victims with fake antivirus billing emails

Impersonating Microsoft, McAfee and Norton, cybercriminals are luring victims with fake antivirus billing renewals in a large-scale email campaign.


National Phishing Campaigns

A phishing campaign pretending to be an online burofax is distributing droppers

With a potential nationwide impact, a new phishing campaign pretending to be a "Burofax Online" is targeting different victims with fake bills to trick them into downloading spyware.

Phishing campaign impersonating National Department of Traffic

It is not the first time that the Spanish National Department of Traffic (DGT) has been impersonated in phishing campaigns to trick victims into downloading malware. The most common technique used to trick users is to deliver a fake traffic ticket. Now, cybercriminals are renewing their tactics and are delivering messages falsely advising victims that their driver's license is about to expire.


Malware in Review (1/2)


Slack and Discord have been infiltrated by threat actors

Threat actors are using Slack's and Discord's content distribution networks to store malicious files loaded with Trojans, specifically Agent Tesla, which are distributed through communication channels. The actors post malicious links that download the files. They are using this technique to evade security controls and distribute malware.

The Joker trojan has infected more than 500,000 mobile devices

The Joker Trojan, also known as Bread, has infected more than 500,000 Huawei Android devices through the download of an infected application from the App Gallery store. This trojan was first discovered in 2017, focusing on SMS fraud. It is known for subscribing users to premium services by requesting access to background apps to obtain the confirmation codes sent by SMS for the subscription.

New backdoor used by Lazarus group

During the analysis of an attack by the Lazarus group on a South African transport company, a new backdoor, called Vyveva, was detected. This group, also known as Hidden Cobra, is supported by the Korean government and has a global impact. The backdoor was first identified in December 2018.


Malware in Review (2/2)


Google websites used to distribute the Jupyter trojan

Attackers are using Google SEO tactics to redirect users to more than 100 thousand web pages under their control that offer free corporate forms which, when downloaded, install the Jupyter Trojan, also known as SolarMarker. Google and Microsoft have warned about this campaign.

Brata trojan

Numerous variants of malware very similar to FluBot have been identified targeting Android devices. Among these, BRATA stands out: a trojan that originated in Brazil, was identified in late 2018 and is being distributed through the Google Play Store against users in the area. In addition, it uses phishing as an entry vector, with websites that impersonate financial institutions from various countries including Brazil, the USA and Spain.

New malware hidden in an NPM Browserify package

A new malicious package has been identified in the NPM repository, posing as Browserify and targeting Node.js developers who use Linux and Apple macOS. It contained the malware tracked as "web-browserify".


Is IcedID the new EMOTET?


IcedID, the new EMOTET?

After the recent disruption that EMOTET suffered, researchers have found the trojan IcedID appearing to fill the void left by EMOTET. IcedID (aka BokBot) was discovered in 2017 as a banking trojan; it has now been updated to also deploy second-stage malware payloads, such as Trickbot, Qakbot and Ryuk ransomware. So it could be used to download additional modules after infecting a device, steal credentials and information, and move laterally across the victims' networks. It is using two different entry vectors: a widespread email campaign using malicious Microsoft Excel attachments, and a phishing campaign using legitimate corporate contact forms to threaten enterprise targets with lawsuits.


Other cases


New fake profiles and a website used in a campaign targeting cybersecurity researchers

It has been observed that the attackers behind a campaign identified and reported in January have added new fake social media profiles and a fraudulent website to lure more cybersecurity researchers. The campaign was attributed to a government-backed North Korean group.

CISA published additional details about malware found in MS Exchange servers

CISA has published additional details about the malware used in the MS Exchange servers that were hacked by exploiting the ProxyLogon vulnerabilities. It has revealed additional data about the China Chopper web shells and the DearCry ransomware, and has also included a malware analysis report.

Codecov suffers a supply chain attack

A supply chain attack has compromised Codecov's tool (Codecov Bash Uploader), exposing confidential information from organizations around the globe since January. Codecov is a tool that measures the test coverage of code.
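The newsletter only states that the Bash Uploader was compromised. As an added example (not Codecov's code or the newsletter's), the Python snippet below shows two defensive checks a team can put in front of any vendor script fetched at build time: a small linter that flags CI steps which pipe a download straight into a shell, and a verifier that only accepts a script whose SHA-256 matches a hash pinned in the repository. The CI configuration, script bodies, hostnames and pinned hash are all constructed.

```python
"""Checks for vendor scripts pulled into CI at build time.

Added example, not code from the newsletter or from Codecov.  Hostnames,
script contents, the CI snippet and the pinned hash are all constructed.
"""
import hashlib
import hmac
import re

# Shapes of "download something and execute it without looking at it".
UNVERIFIED_EXEC = [
    re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b"),   # curl ... | bash
    re.compile(r"\b(ba)?sh\s+<\(\s*(curl|wget)\b"),                 # bash <(curl ...)
]


def find_unverified_exec(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every CI step that pipes a download into a shell."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if any(pattern.search(line) for pattern in UNVERIFIED_EXEC):
            hits.append((lineno, line.strip()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_script(script: bytes, pinned_sha256: str) -> bool:
    """Accept the downloaded script only if it matches the hash committed to the repo.

    compare_digest keeps the comparison constant-time regardless of where the
    two digests first differ.
    """
    return hmac.compare_digest(sha256_hex(script), pinned_sha256.lower())


# Constructed CI snippet: two unsafe steps (lines 3 and 4) and a safe pair
# that downloads to a file and checks its hash before running it (lines 5-6).
SAMPLE_CI = """\
steps:
  - run: pip install -r requirements.txt
  - run: bash <(curl -s https://uploader.example/upload)
  - run: curl -fsSL https://uploader.example/upload | bash
  - run: curl -fsSL https://uploader.example/upload -o upload.sh
  - run: sha256sum -c upload.sh.sha256 && bash upload.sh
"""

# Constructed "vendor" script and the hash a team would commit next to the pipeline.
GOOD_SCRIPT = b"#!/bin/bash\n# upload coverage report\necho uploading\n"
PINNED_SHA256 = sha256_hex(GOOD_SCRIPT)
# The same script with one extra line, standing in for a tampered download.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"echo one more line\n"


def audit() -> dict:
    """Run both checks over the constructed inputs and return the findings."""
    return {
        "unverified_steps": [n for n, _ in find_unverified_exec(SAMPLE_CI)],
        "good_script_accepted": verify_pinned_script(GOOD_SCRIPT, PINNED_SHA256),
        "tampered_script_accepted": verify_pinned_script(TAMPERED_SCRIPT, PINNED_SHA256),
    }


if __name__ == "__main__":
    for lineno, line in find_unverified_exec(SAMPLE_CI):
        print(f"line {lineno}: unverified remote script execution: {line}")
    print(audit())
```

The pinned hash has to be updated deliberately whenever the vendor ships a new version of the script, which is exactly the point: a change to the downloaded bytes that nobody on the team reviewed fails the build instead of running.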

Hackers increasingly using web shells to steal credit cards

VISA warns that threat actors are increasingly deploying web shells on compromised servers to exfiltrate customers' credit card information. They plant credit card skimmers on hacked online stores in web skimming attacks. This allows them to steal payment and personal information and send it to servers under their control.


Doom and Gloom


This week Aiuken Cybersecurity had access to a report which indicates that around 80% of utility operators in the USA do not sign their domain names on the Internet (DNSSEC). DNSSEC is a security control that ensures that the company's name on the Internet points to the specific server the company wants to send "you" to. If it is not enabled, miscreants could launch attacks to try, for example, to redirect website visitors to malicious sites. The web is far from the only service that relies on DNS: there are plenty of industrial and automation components and software out there that rely on this system to gather telemetry, send orders to components... If an attacker manages to redirect a user to a malicious site, we are facing a nefarious action with limited scope and damage. But when a criminal manages to redirect the control systems that operate a nuclear plant, the consequences automatically go "nuclear".

Since the SolarWinds attacks, cyberwarfare has reached a whole new level. Threat actors seem not to cover their tracks as well as before, and direct attribution of offences is made more often. A missing BASIC control such as DNSSEC, in an era in which cyberattacks are part of the default "communication" method with one's "not so friends", represents a high risk not only for any given company that belongs to the group of strategic enterprises in its country, but also for the whole country that hosts that company. This lack also reveals a lack of concern among such companies.

Traditionally the USA has been seen as one of the references in cybersecurity worldwide. If we accept that as true, we should expect other NATO countries to be in a worse position to respond to cyberattacks than the USA, and that also applies to security controls in DNS... In Europe, France is the country with the most nuclear plants in the whole of Europe, Italian machinery moves the backbones of half the world, Spain provides warships and cars to the majority of NATO countries...

In the upcoming years, if these trends remain the same, the whole of society is going to witness an escalation of violence without precedent. The companies that want to escape future calamities in cyberspace and the real world will be forced to change their mindsets to avoid such "doom and gloom".


Calle Francisco Tomás y Valiente nº 2

Boadilla del Monte · 28660 Madrid (Spain)

Telephone: +34 912 909 805

aiuken.com