November 29, 2022

Fortify Security Team

Title: Malicious Android App Found Powering Account Creation Service

Date Published: November 28, 2022

https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/

Excerpt: “A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook. A researcher says the infected devices are then rented out as “virtual numbers” for relaying a one-time passcode used to verify a user while creating new accounts. While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation. “Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login,” reads one of the reviews. Symoo was discovered by Evina’s security researcher Maxime Ingrao, who reported it to Google but has yet to hear back from the Android team. At the time of writing, the app remains available on Google Play. BleepingComputer has also contacted Google about Symoo, and we will update this story as soon as we receive a response.”

Title: A Flaw in Some Acer Laptops Can Be Used to Bypass Security Features

Date Published: November 28, 2022

https://securityaffairs.co/wordpress/139055/hacking/acer-flaw-uefi-secure-boot.html

Excerpt: “ESET announced the discovery of a vulnerability impacting Acer laptops that can allow an attacker to deactivate UEFI Secure Boot. ESET researchers announced in a series of tweets the discovery of a vulnerability impacting Acer laptops; the issue can allow an attacker to deactivate UEFI Secure Boot. The experts explained that the flaw, tracked as CVE-2022-4020, is similar to the Lenovo vulnerabilities the company disclosed earlier this month. Same as in Lenovo’s case, an attacker can trigger the issue to deactivate the UEFI Secure Boot by creating an NVRAM variable directly from the OS. The Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.” An attacker that is able to bypass the Secure Boot could bypass any security measure running on the machine and achieve persistence even in case the OS is reinstalled.”

Title: Experts Find 16,000+ Scam FIFA World Cup Domains

Date Published: November 29, 2022

https://www.infosecurity-magazine.com/news/experts-16000-scam-fifa-world-cup/

Excerpt: “Security researchers have warned of a deluge of phishing scams, fake apps and malicious merchandising sites spoofing the branding of the FIFA World Cup in Qatar to target football fans. Group-IB said it tracked over 16,000 scam domains and 40 malicious apps in the Google Play store that were using FIFA World Cup 2022 branding to lure users. Scammers are using a range of tactics to part football fans from their money, personal information and credentials. They’ve launched fake merchandising sites and spoofed ticketing sites designed to harvest money and/or bank details from victims. In both cases, social media marketplace ads and malicious social media accounts help to direct traffic to the fake sites, Group-IB said. The fake apps are set up to do a similar job – stealing banking and account credentials by promising access to purchase tickets. In other cases, scam job sites have been set up using the World Cup as a lure to steal victims’ personal data. Group-IB said it spotted at least five of these, using keywords such as “job” and “Qatar,” and driving traffic to the sites from over 30 specially designed social media pages. Another tactic is to create fake surveys impersonating major brands, as well as the World Cup itself. These promise a gift for filling out the form with personal information and phone numbers. Victims are also often asked to share a link to the scam on WhatsApp, the report claimed. Group-IB identified more than 16,000 of these fake surveys. The security company also revealed that over 90 users of the official fan ID app, Hayya, had their accounts hijacked after passwords were lifted via commodity info-stealing malware such as RedLine and Erbium.”

Title: Meta Fined by Irish Privacy Regulator for GDPR Violations

Date Published: November 28, 2022

https://www.databreachtoday.com/meta-fined-by-irish-privacy-regulator-for-gdpr-violations-a-20571

Excerpt: “The Irish data privacy watchdog levied a 265 million euro fine against Facebook parent company Meta after a data set containing details of more than half a billion social media users appeared online last year. The Irish Data Protection Commission initiated an investigation shortly after Facebook acknowledged the data came from its site. Bad actors, it said, had scraped the data, exploiting a technique the social media giant remedied in 2019. The exposed data of 533 million users included names, phone numbers and birthdates from consumers in 106 countries who used the platform between 2018 and 2019. The Irish investigation, which assessed the internal workings of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer, revealed Meta had violated the “data protection by design and default” requirement mandated by the General Data Protection Regulation. In addition to the fine, the Irish regulator directed Facebook to ensure against a repeat occurrence. Facebook, like many U.S. tech companies, houses its international headquarters in Dublin, giving the Irish privacy watchdog outsized oversight influence over Silicon Valley. The company did not immediately respond to a press inquiry.”

Title: Cyber-Threat Group Targets Critical RCE Vulnerability in ‘Bleed You’ Campaign

Date Published: November 28, 2022

https://www.darkreading.com/threat-intelligence/cyber-threat-weak-windows-servers-bleed-you-campaign

Excerpt: “The “Bleed You” campaign is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and more than 1,000 systems are unpatched and vulnerable to compromise. The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report from Cyfirma warns, affecting vulnerable Windows OS, Windows Servers, along with Windows protocol and services. Once they achieve compromise, the threat actors move laterally to deploy ransomware and other malware, the team observed. The threat actors speak Mandarin but also have ties to the Russian cybercriminals, according to Cyfirma, which adds that the attacks aren’t limited to a specific sector with targets across retail, government, IT services, and more. Victims likewise were spread across a number of mostly Western countries, including Canada, the UK, and the US.”

Title: Trio of New Vulnerabilities Allow Code Manipulation, Denial of Service (And Worse) For Industrial Controllers

Date Published: November 29, 2022

https://www.scmagazine.com/analysis/critical-infrastructure/trio-of-new-vulnerabilities-allow-code-manipulation-denial-of-service-and-worse-for-industrial-controllers

Excerpt: “Researchers at Vedere Labs disclosed a trio of new security vulnerabilities that can be used to attack automated industrial controllers and a popular piece of software used to program millions of smart devices in critical infrastructure. The bugs (tracked under CVE-2022-4048, CVE-2022-3079 and CVE-2022-3270) allow for logic manipulation and denial of service, primarily impacting products from two major German vendors: Festo automated controllers and CODESYS runtime, an application that allows developers to program smart devices and is, according to Vedere Labs, “used by hundreds of device manufacturers in different industrial sectors.” The flaws are part of OT Icefall, a broader research project undertaken by Vedere Labs to raise the visibility of security vulnerabilities in operational technology responsible for controlling the machinery powering much of our critical infrastructure, from manufacturing plants and telecommunications to clean water and electricity. The company disclosed nearly 60 such vulnerabilities earlier this year affecting more than a dozen major industrial products and equipment. Daniel Dos Santos, head of security research at Vedere Labs, told SC Media that the weaknesses the three vulnerabilities exploit — poor cryptography, lack of authentication and insecure engineering — are among the most common ones discovered through the project and illustrate long standing core security and supply chain challenges throughout many industrial sectors.”

Title: Pre-auth RCE in Oracle Fusion Middleware Exploited in the Wild (CVE-2021-35587)

Date Published: November 29, 2022

https://www.helpnetsecurity.com/2022/11/29/cve-2021-35587-exploited/

Excerpt: “A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that was fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2021-35587 was discovered by security researchers “Jang” (Nguyen Jang) and “Peterjson” in late 2021 by accident, while “building PoC for another mega-0day.” The vulnerability is in the OpenSSO Agent component of the Oracle Access Manager product, which is widely used by corporations for single sign-on (SSO) as part of the Oracle Fusion Middleware suite. It may allow an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager and use it to create users with any privileges or to execute arbitrary code on the victim’s server, Jang explained earlier this year. The vulnerability affected v11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0 of Oracle Access Manager and has been patched in those supported versions, but according to Jang, it also affects Oracle WebLogic Server 11g (10.3.6.0) and OAM 11g (11.1.2.0.0), which stopped being supported on January 1, 2022, and therefore don’t have a patch available for this RCE.”

Title: TikTok ‘Invisible Body’ Challenge Exploited to Push Malware

Date Published: November 28, 2022

https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/

Excerpt: “Hackers are capitalizing on a trending TikTok challenge named ‘Invisible Challenge’ to install malware on thousands of devices and steal their passwords, Discord accounts, and, potentially, cryptocurrency wallets. A new and trending TikTok challenge requires you to film yourself naked while using TikTok’s “Invisible Body” filter, which removes the body from the video and replaces it with a blurry background. This challenge has led to people posting videos of them allegedly naked but obscured by the filter. To capitalize on this, threat actors are creating TikTok videos that claim to offer a special “unfiltering” filter to remove TikTok’s body masking effect and expose the TikTokers’ nude bodies. However, this software is fake and installs the “WASP Stealer (Discord Token Grabber)” malware, capable of stealing Discord accounts, passwords and credit cards stored on browsers, cryptocurrency wallets, and even files from a victim’s computer. These videos received over a million views shortly after being posted, with one of the threat actor’s Discord servers amassing over 30,000 members.”

Title: Phishing Campaign Impersonating UAE Ministry of Human Resources Grows

Date Published: November 28, 2022

https://www.infosecurity-magazine.com/news/phishing-impersonating-uae/

Excerpt: “A phishing campaign discovered in July that saw threat actors impersonating the Ministry of Human Resources of the UAE government may be more significant in scale than previously believed. The findings come from security researchers at CloudSEK, who published a new advisory about the threat earlier today. The technical write-up says the company has discovered an additional cluster of phishing domains registered using similar naming schemes to the July ones to target contractors in the UAE with vendor registration, contract bidding and other types of lures. “The threat actors behind this campaign are strategically buying/registering domains with keywords similar to the victim domains and are targeting multiple industries, such as travel and tourism, oil & gas, real estate, and investment across the Middle East,” the advisory reads. The company also warned that it spotted several scams being used to lure users. “Apart from vendor registration and contract bidding, they also use fake job offers and investment opportunities to hoodwink victims.” Of all the domains unearthed by CloudSEK, some only had an email server enabled, while others had set up websites to trick the users into thinking they were legitimate businesses. “Some scam domains redirect to legitimate domains to trick victims into trusting the phishing emails,” CloudSEK explained. “The campaign is resilient to takedowns or hosting bans as it uses pre-stored static web pages with similar templates. These are uploaded from one domain to another in case of a ban.” The company said it analyzed 35 phishing domains, of which 90% were targeting Abu Dhabi National Oil Company (ADNOC), Sharjah National Oil Corporation (SNOC) and Emirates National Oil Company (ENOC) and are hosted in North America.”

Title: Indiana Health Entity Reports Breach Involving Tracking Code

Date Published: November 28, 2022

https://www.databreachtoday.com/indiana-health-entity-reports-breach-involving-tracking-code-a-20569

Excerpt: “An Indiana healthcare network is the latest medical entity to classify its use of online tracking code as a data breach reportable to federal regulators. Community Health Network on Nov. 18 reported to the U.S. Department of Health and Human Services an unauthorized access/disclosure breach affecting 1.5 million individuals involving the use of website tracking code. The nonprofit health system, which has more than 200 sites and affiliates throughout Central Indiana, says in a breach notification statement that it recently learned some of the third-party tracking technologies installed on its websites – including from Facebook and Google – transmitted certain patient information to the tracking technology vendors. From August to November, Community Health Network disabled and/or removed the “problematic technologies” from its website platforms and began an investigation to better understand the nature and extent of patient information that was transmitted, the statement says. Its breach report comes on the heels of at least two other healthcare entities making reports of similar incidents in October to HHS’ Office for Civil Rights.”
