Malicious Android apps disguised as TikTok and offers for free Lenovo laptops are being used in ad-stuffing attacks underway against devices on the Jio telecom network in India, security researchers warn. Researchers from Zscaler report that this threat actor has been operating various phishing scams since March 2020, all using recent headlines as lures. Their most recent socially engineered messages try to convince users to download a fake version of TikTok by claiming the app, which is banned in India, is now available, the report found. Another scam misleads victims into thinking they’re eligible for a free Lenovo laptop courtesy of the Indian government.

The Jio User Attack

“The malware involved has features that are also commonly found in other families as well, e.g. it follows common methods of persistence, and propagation using victim’s contact information,” Deepen Desai, Zscaler CISO, told Threatpost. “The attack campaign is fairly targeted and leverages trusted resources like Weebly and GitHub for distributing the malicious content to the victims.” Targeted but widespread: Jio telecom serves more than half of India’s internet subscribers, who, according to a March 2020 report from the Indian Telecom Regulatory Authority, topped 743 million people. He added that the Zscaler team observed more than 200 malicious Android apps using “themes related to current affairs in India.” Victims are told to share the fake TikTok app via WhatsApp – once it’s shared 10 times, the…

Cisco Systems said it will not fix a critical vulnerability found in three of its SOHO router models. The bug, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment and gain elevated privileges within affected systems. The three Cisco router models (RV110W, RV130, and RV215W) and one VPN firewall device (RV130W) are of varying age, have reached “end of life” and will not be patched, according to Cisco. The company is advising customers to replace the equipment. “Cisco has not released and will not release software updates to address the vulnerability described in this advisory. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process,” the company wrote. The company added that no workaround is available either.

Buffer Overflow Bug

In the Cisco Systems Security Advisory posted Wednesday, the networking giant said the flaw is due to improper validation of user-supplied input in the web-based management interface. “An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco wrote. Workaround mitigation options, such as disabling the web-based management interface, are not available. “The web-based management interface of these devices is available through a local LAN connection, which cannot…

The banking trojan known as IcedID appears to be taking the place of the recently disrupted Emotet trojan, according to researchers. IcedID (a.k.a. BokBot) bears similarities to Emotet in that it’s a modular malware that started life as a banking trojan used to steal financial information. Increasingly, though, it’s being used as a dropper for other malware, researchers noted – also just like Emotet. The malware has been circulating at increasing rates, thanks to a spate of email campaigns using Microsoft Excel spreadsheet file attachments, according to Ashwin Vamshi and Abhijit Mohanta, researchers with Uptycs. In fact, in the first three months of the year, Uptycs’ telemetry flagged more than 15,000 HTTP requests from more than 4,000 malicious documents, the majority of which (93 percent) were Microsoft Excel spreadsheets using the extensions .XLS or .XLSM. When a document is opened, the target is asked to “enable content” to view the message. Enabling the content allows embedded Excel 4 macro formulas to execute. “.XLSM supports the embedding of Excel 4.0 macro formulas used in Excel spreadsheet cells,” according to an analysis published on Wednesday. “Attackers leverage this functionality to embed arbitrary commands, which usually download a malicious payload from the URL using the formulas in the document.” The URLs generally belong to legitimate but compromised websites, they added. Looking deeper into the activity, they were able to see similarities between all of the attacks,…

A privilege-escalation vulnerability in Microsoft’s Azure Functions cloud container feature could allow a user to escape the container, according to researchers. Intezer researchers dubbed the bug “Royal Flush” after a flush-to-disk limitation that an exploit would need to evade. Flushing to disk means that data is handed off to the kernel, where it’s visible to other processes but may not survive a reboot. The firm found that Azure Functions containers run with the --privileged Docker flag, which means that device files in the /dev directory can be shared between the Docker host and the container guest. The vulnerability stems from the fact that these device files have read-write permissions for “others.” “The lax permissions on the device files are not standard behavior,” according to the analysis, released on Thursday. The issue becomes a problem given that the Azure Functions environment contains 52 different partitions with file systems, which can be visible across users, according to Intezer. “We suspected that these partitions belonged to other Azure Functions clients, but further assessment showed that these partitions were just ordinary file systems used by the same operating system, including pmem0, which is the Docker host’s file system,” researchers explained. “If a user is able to escalate to root, they would be able to escape to the Docker host using various Docker escape techniques.”

Royal Flush Cloud-Container Exploit

To probe for attack paths that could arise…

Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe. Researchers say the attackers are exploiting an unpatched path-traversal flaw, tracked as CVE-2018-13379, in Fortinet’s FortiOS. The goal is to gain access to victims’ enterprise networks and ultimately deliver ransomware, according to a report by Kaspersky researchers published this week. “In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. Cring is relatively new to the ransomware threat landscape, which already includes the dominant strains REvil, Ryuk, Maze and Conti. Cring was first observed and reported by the researcher who goes by Amigo_A and Swisscom’s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom. Last week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company’s SSL VPN products. One of those bugs,…

Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who are abusing their legitimate functions to evade security and deliver info-stealers, remote-access trojans (RATs) and other malware. The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level of cybercriminal expertise in attacking them. Cisco’s Talos cybersecurity team said in a report on collaboration app abuse this week that during the past year threat actors have increasingly used apps like Discord and Slack to trick users into opening malicious attachments and deploy various RATs and stealers, including Agent Tesla, AsyncRAT, Formbook and others. “One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked,” Talos researchers explained in their report. “By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increasing the likelihood that the attachment reaches the end user.”

Content Delivery Network Abuse

The researchers explained that Slack, Discord and other collaboration app platforms use content delivery networks (CDNs) to store the files shared back and forth within channels. As an example, Talos uses the Discord CDN, which is accessible by a hardcoded CDN URL from anywhere, by anyone on the internet. “This functionality is not…

The Cold War concept isn’t outdated. In the decades since the fall of the Soviet Union, the battleground has simply shifted from conflicts between ideological proxy governments to cyberspace. And the opponents have grown from a few primary nations into a broad range of sovereign threat actors. The question is, when does a cyberattack cross the line between a criminal action or mere prank and an act of war? Is it the nature of the victim? The nature of the attacker? The nature of the damage? Or a combination of them all? To be sure, this is not a determination for cybersecurity professionals to make. Our role is to defend IT assets for our organizations by reducing risk, mitigating threats, remediating the situation after an attack, and generally trying to keep everything running safely and smoothly. It doesn’t matter whether we are facing a script kiddie trying to deface a website, a political hacktivist trying to make a statement, a cybercriminal trying to steal or ransom our data, or a state actor trying to steal confidential information. Our goal is to keep them out, and to minimize the damage when they do manage to get in. The only thing that changes is how well-resourced and tenacious our opponents are.

Defining an Act of War

Oxford’s Reference Dictionary defines an act of war as: “An act by one nation intended to initiate or provoke a war with another nation; an act considered sufficient cause for war.” That’s a good definition, but it leaves some ambiguity when applied…

Malware disguised as a Netflix app, lurking on the Google Play store, spread through WhatsApp messages, researchers have discovered. According to a Check Point Research analysis released on Wednesday, the malware masqueraded as an app called “FlixOnline,” which was advertised via WhatsApp messages promising “2 Months of Netflix Premium Free Anywhere in the World for 60 days.” But once installed, the malware sets about stealing data and credentials. The malware was designed to listen for incoming WhatsApp messages and automatically respond to any that the victims receive, with the content of the response crafted by the adversaries. The responses attempted to lure others with the offer of a free Netflix service, and contained links to a fake Netflix site that phished for credentials and credit card information, researchers said. “The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”

The fake app in Google Play, featuring the Netflix logo. Source: Check Point.

The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts and groups with links to the fake app. To that end, the automated…

The personal data of more than 533 million Facebook users that leaked online was scraped from their profiles by malicious actors because of a security flaw in the company’s platform prior to September 2019, the social media giant said Tuesday. Threat actors posted that data to a public hacker forum over the weekend, once again raising privacy concerns and putting Facebook in the middle of controversy over its protection, or lack thereof, of user data. At the time, it was suspected the data had been scraped due to a bug in the Add Friend feature that was discovered in 2019. In an attempt to set the record straight, the company confirmed in a blog post Tuesday that the leak was in fact due to a flaw in its “contact importer” that had previously been reported and has already been fixed by the company. “We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” according to the post by Mike Clark, a Facebook product management director. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists.” In his post, Clark called the leak “another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services” and said the company is confident that the issue that allowed for the data scraping “no longer exists.”

Possible Regulatory Action

No matter,…

A critical security vulnerability in the VMware Carbon Black Cloud Workload appliance would allow privilege escalation and the ability to take over the administrative rights for the solution. The bug (CVE-2021-21982) ranks 9.1 out of 10 on the CVSS vulnerability-severity scale. The VMware Carbon Black Cloud Workload platform is designed to provide cybersecurity defense for virtual servers and workloads that are hosted on VMware’s vSphere platform. vSphere is VMware’s cloud-computing virtualization platform. The issue in the appliance stems from incorrect URL handling, according to VMware’s advisory issued last week. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” That in turn would allow the attacker to access the administration API of the appliance. Once signed in as an admin, the attacker could then view and alter administrative configuration settings. Depending on what tools an organization has deployed within the environment, an adversary could carry out a range of attacks, including code execution, disabling security monitoring, enumerating virtual instances within a private cloud and more. “A remote attacker could exploit this vulnerability to take control of an affected system,” said the Cybersecurity and…