10-Jul-23: In Security News Today

Android device-fingerprint spoofing tools make it difficult for anti-fraud teams to detect fraudsters using stolen sessions
Fraud prevention controls implemented by anti-fraud teams form the last line of defense against attacks that exploit compromised credentials or exfiltrated session cookies. Researchers from Resecurity's HUNTER threat intelligence unit have uncovered cybercriminal groups using Android-focused antidetect toolkits that allow fraudsters to spoof device fingerprints to match those of the victims' devices, rendering fingerprint-based anti-fraud controls ineffective.

Financial institutions in Latin America are the target of a sophisticated new ToiToin malware that steals critical system information and data
Researchers from Zscaler have identified a sophisticated six-stage campaign, beginning with a phishing email and ending in a trojan, that is targeting businesses in Latin America. The trojan specifically checks for the presence of the Topaz OFD Protection Module on target systems; Topaz OFD Protection is a device authentication measure used by banks in Latin America.

Recent Firefox update blocks browser add-ons with broad permissions from running on certain sites
Firefox has introduced the concept of Quarantined Domains in its most recent release, v115. The feature blocks extensions from executing on certain high-profile sites such as YouTube when Mozilla has "reason to believe" that an add-on is being abused to perform malicious actions. Mozilla has not been clear about the criteria behind that "reason to believe". Users who need an affected extension on a quarantined site can turn the feature off in about:config via the extensions.quarantinedDomains.enabled preference.

First in-the-wild deepfake scam featuring a popular consumer finance expert sends shockwaves through the AI and cyber security community
A deepfake advert showing consumer finance expert Martin Lewis alongside a picture of Elon Musk was being widely circulated on Facebook, promoting investment in a supposedly Elon Musk-backed project. Martin Lewis, in an interview with the BBC, said that he is no stranger to his identity being used in fake adverts on social media, but this was the first time a sophisticated deepfake had been used. Cyber fraudsters are surely watching developments in deepfakes as closely as cyber security experts are, and proactive steps are needed to blunt the menace before it is unleashed at scale.

Iran-linked threat actor APT35 launched a spear-phishing campaign delivering advanced Mac malware to a New York-based nuclear security journalist
As Tehran becomes increasingly isolated within its sphere of influence, it is believed to be orchestrating these attacks against individuals who directly influence decisions affecting its position. The attack started with a lure offering to share a draft paper titled "Iran in the Global Security Context". What followed was a chain of malware downloaders and injectors designed to install a PowerShell backdoor, "GorjolEcho", on the victim's system. On encountering a Mac, the attackers ported the infection chain to macOS; Proofpoint has dubbed the Mac variant NokNok.

Ex-Microsoft developer who drove the fix for the infamous AutoRun vulnerability in Windows says Microsoft can fix ransomware tomorrow
Adam Shostack, an ex-Microsoft engineer who was responsible for driving the fix for the dreaded AutoRun vulnerability, says that Microsoft can fix ransomware using a novel approach. In his opinion piece on Dark Reading, Shostack argues that rate-limiting a process's calls to the CreateFile() API would slow file encryption enough to render ransomware ineffective. This is easier said than done, as he acknowledges: picking the right rate and creating bypasses for legitimate programs such as compilers would be challenging.
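To make the rate-limiting argument concrete, here is an added simulation (not Shostack's text and not any Microsoft implementation): a per-process token bucket gating "create file" calls on a simulated clock, with an allow-list bypass standing in for the exemptions he says legitimate programs would need. The process names, rates, burst size and file counts are hypothetical.

```python
"""Added illustration of per-process rate limiting of file creates.
Not Adam Shostack's code and not a Microsoft implementation; a real control
would sit in a kernel filter driver, this only models the throughput effect.
All names and numbers below are hypothetical."""

# Hypothetical allow-list of programs exempt from the limit (build tools),
# the "bypasses for legitimate programs" the op-ed calls challenging.
ALLOWLIST = {"cl.exe", "link.exe", "msbuild.exe"}


class TokenBucket:
    """Classic token bucket driven by a simulated clock (seconds)."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate            # tokens added per second (sustained creates/s)
        self.burst = burst          # bucket capacity (creates allowed instantly)
        self.tokens = float(burst)  # start full
        self.last = 0.0             # simulated time of the last refill

    def acquire(self, now: float) -> float:
        """Consume one token at time `now`. Return the simulated delay the
        caller must sleep before the call proceeds (0.0 if a token was ready)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        delay = (1.0 - self.tokens) / self.rate  # time until one token exists
        self.tokens = 0.0                         # that token is spent on arrival
        self.last = now + delay
        return delay


def simulate_creates(process: str, n_files: int, rate: float = 10.0,
                     burst: int = 50, per_file_cost: float = 0.0) -> float:
    """Simulate `process` creating `n_files` files back to back and return the
    simulated seconds elapsed. Allow-listed processes bypass the bucket;
    `per_file_cost` models the time the create/write itself takes."""
    bucket = None if process.lower() in ALLOWLIST else TokenBucket(rate, burst)
    now = 0.0
    for _ in range(n_files):
        if bucket is not None:
            now += bucket.acquire(now)  # throttled: sleep until a token is free
        now += per_file_cost            # the create/write itself
    return now


if __name__ == "__main__":
    n = 10_000
    # Hypothetical encryptor touching 10k files at 1 ms each, with and without
    # a 10 creates/s limit (burst of 50); a compiler on the allow-list is exempt.
    limited = simulate_creates("ransom.exe", n, per_file_cost=0.001)
    exempt = simulate_creates("cl.exe", n, per_file_cost=0.001)
    print(f"ransom.exe under limit: {limited:8.1f} s for {n} files")
    print(f"cl.exe (allow-listed):  {exempt:8.1f} s for {n} files")
```

The model shows the trade-off in the op-ed: once the burst is spent, a throttled process is held to `rate` creates per second no matter how fast its own I/O is, so 10,000 files at 10 per second take well over fifteen minutes instead of ten seconds, which is exactly the window detection and response need. The same bucket would stall any unlisted bulk-writing tool (backup agents, installers, package managers), which is why choosing the rate and maintaining the exemption list is the hard part.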

Cybercrime groups exploiting a Netwrix Auditor RCE vulnerability to deliver Truebot malware inside US and Canadian organizations
Federal agencies in the US and Canada have warned of increased activity aimed at delivering the Truebot malware. Earlier variants were primarily delivered via phishing; recent findings indicate that threat actors are now also exploiting CVE-2022-31199 (a remote code execution vulnerability in the Netwrix Auditor application), which allows the malware to be delivered at scale.

The Internet is done with MOVEit
Security researchers have uncovered multiple SQL injection vulnerabilities and a DoS vulnerability affecting MOVEit products. Only days earlier, MOVEit was in the news as the point of entry for sophisticated attacks that have cost millions in damages to well-known organizations including Shell and PwC. MOVEit's developers were in for a rude shock when white-hat researchers decided to poke their products for further security vulnerabilities. Patches for the newly identified vulnerabilities have been released.

StackRot Linux kernel bug has exploit code on the way
Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to the kernel maintainers in mid-June. The bug, which the researcher named StackRot (CVE-2023-3269), affects Linux kernel versions 6.1 through 6.4 and gives a local attacker a way to escalate privileges on affected systems. A response team led by Linux creator Linus Torvalds spent about two weeks developing a set of patches to address the vulnerability. The git commit that landed the fix gives a detailed explanation of the bug's root cause and of the fix.

Google searches for 'USPS package tracking' lead to banking theft
Threat actors are impersonating the United States Postal Service (USPS) in a legitimate-looking malvertising campaign that diverts victims to a phishing site to steal payment-card and banking credentials, Malwarebytes researchers have found. The malicious Google advert is hard to discern even for trained eyes.