29-Aug-23: In Security News Today

New Android Trojan MMRat Allows Attackers to Control Devices and Perform Bank Fraud

A newly identified Android trojan called MMRat has been targeting users in Southeast Asia, allowing attackers to remotely control devices and perform bank fraud. The malware is distributed through websites posing as official application stores and has been tailored in different languages to target victims in Vietnam and Thailand. MMRat can capture user input, take screenshots, and execute various actions on the infected device, including sending text messages, capturing screen or camera video, and enabling the microphone.

Food Delivery Company PurFoods Admits to Cyberintrusion Exposing Personal and Medical Data of Over 1 Million Individuals

PurFoods, a US food delivery company, has disclosed a cyberintrusion that occurred between January 16 and February 22, 2023. The attack involved the encryption of certain files and the potential exfiltration of data. The personal and medical information of over 1.2 million individuals, including clients, employees, and contractors, was compromised, including Social Security numbers, financial account information, and health records. Affected individuals are advised to replace payment cards, monitor financial statements, and consider implementing a credit freeze. Companies are urged to act immediately when anomalies are detected, consider using Managed Detection and Response services, and be transparent in data breach notifications.

Kroll’s Crypto Breach Highlights SIM-Swapping Risk

A recent supply chain breach at Kroll exposed personal information on hundreds of claimants in bankruptcy proceedings related to crypto trading firms FTX, BlockFi, and Genesis. The breach occurred through a SIM-swapping attack, in which an attacker gained unauthorized control of an employee’s phone number and used it to access sensitive information. This incident highlights the ongoing danger of SIM-swapping attacks and the need for organizations to move away from SMS-based two-factor authentication.

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom

A Chinese-nexus hacking group known as UNC4841 has been exploiting a zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense, aerospace, high-tech, and telecom sectors. The group is highly responsive to defensive efforts and has been deploying new and novel malware to maintain access to compromised targets. The attacks involve the exploitation of CVE-2023-2868 and have led to the deployment of additional malware, such as SUBMARINE, SKIPJACK, DEPTHCHARGE, and FOXTROT, to maintain persistence and conduct post-exploitation activities.

Cybercriminals Utilize Leaked LockBit Builder for Ransomware Attacks

Cybercriminals are leveraging the leaked builder of LockBit v3, a prominent ransomware-as-a-service (RaaS) operation, to carry out their own ransomware attacks. The leaked builder has allowed unaffiliated actors to adopt LockBit as their malware-making tool. These actors have made only minor customizations to the malware, indicating that they may be lazy or seeking quick gains.

New DarkGate Malware Campaign Utilizes Phishing Emails to Deliver Malware

A recent “malspam” campaign has been observed deploying DarkGate, an off-the-shelf malware. The campaign leverages hijacked email threads to trick recipients into downloading the malware. DarkGate, sold mainly on underground forums, has capabilities to evade detection, set up persistence, escalate privileges, steal data, and establish contact with a command-and-control server.

UN Warns of Cybercrime Scams in Southeast Asia

A new report from the UN Human Rights Office highlights the issue of cybercrime scams in Southeast Asia, with hundreds of thousands of people being forced to participate in unlawful online scams. The report reveals that at least 120,000 people in Myanmar and 100,000 in Cambodia are being held in situations where they are forced to carry out online scams. The scams are believed to generate billions of dollars in revenue every year, with a correspondingly large human toll.

Chinese Cyberespionage Group Exploits Barracuda Email Security Gateway Appliances

A Chinese cyberespionage group known as UNC4841 has been exploiting a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since at least October 2022. Despite patches being released in May 2023, the group has maintained access to compromised systems through the deployment of persistent backdoors. The group mainly targeted governmental organizations, information technology and high-tech firms, telecommunication providers, manufacturers, and educational entities, with a significant number of North American government offices being affected.

Meta Purges Thousands of Chinese Spam Accounts Boosting China and Criticizing the West

Meta, the parent company of Facebook, has removed thousands of accounts that were part of a Chinese spam operation aimed at covertly promoting China and criticizing the West. The operation, known as ‘Spamouflage,’ was active on various platforms including Facebook, Instagram, TikTok, YouTube, and Twitter. Meta has described it as the largest and most prolific covert influence operation known today, with links to individuals associated with Chinese law enforcement. Meta’s threat report also analyzed a Russian influence campaign called ‘Doppelganger,’ which involved mimicking websites of mainstream news outlets to spread bogus stories about Russia’s war on Ukraine.

Android Malware Apps Evade Detection with Stealthy APK Compression

Hackers are employing unconventional compression techniques within Android Package (APK) files to avoid detection during malware analysis. Security firm Zimperium found over 3,300 such artifacts, 71 of which load cleanly on the operating system. These APK files are distributed through untrusted app stores or social engineering rather than the Google Play Store. They use compression methods that standard decompilation tools do not support, which hinders analysis, while the apps still run on Android versions above Android 9 Pie.
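An APK is a ZIP archive, and the trick described above lives in the compression method field of each ZIP entry. The following is an added triage example, not code from the article or from Zimperium: it builds a small constructed archive in memory, patches the central directory of one entry to a bogus method value (0x7777, chosen here purely as a placeholder), and then shows that a stock parser can no longer read the entry while a header-level scanner still flags the anomaly. The entry names, the bogus method value and the "only STORED and DEFLATED are expected" rule are assumptions for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
KNOWN_METHODS = {0, 8}  # STORED and DEFLATED: what ordinary APK tooling expects (assumed policy)


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: two deflated entries in an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def parse_central_directory(data: bytes) -> list:
    """Walk the ZIP central directory by hand and pair every entry with its local header."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_offset, _clen) = struct.unpack(
        "<IHHHHIIH", data[eocd_pos:eocd_pos + 22])
    entries, pos = [], cd_offset
    for _ in range(n_total):
        f = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        cd_method, name_len, extra_len, comment_len, lfh_off = f[4], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        # Local file header: signature, version, flags, method
        _lsig, _lver, _lflags, lfh_method = struct.unpack("<IHHH", data[lfh_off:lfh_off + 10])
        entries.append({"name": name, "cd_pos": pos, "lfh_off": lfh_off,
                        "cd_method": cd_method, "lfh_method": lfh_method})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def tamper_method(data: bytes, target: str, new_method: int, patch_local: bool) -> bytes:
    """Rewrite the compression method of one entry (test fixture generator, not a packer)."""
    out = bytearray(data)
    for e in parse_central_directory(data):
        if e["name"] == target:
            struct.pack_into("<H", out, e["cd_pos"] + 10, new_method)   # central directory field
            if patch_local:
                struct.pack_into("<H", out, e["lfh_off"] + 8, new_method)  # local header field
    return bytes(out)


def scan_apk(data: bytes) -> list:
    """Return (entry, reason) findings for methods outside KNOWN_METHODS and header mismatches."""
    findings = []
    for e in parse_central_directory(data):
        if e["cd_method"] not in KNOWN_METHODS:
            findings.append((e["name"], f"unsupported compression method {e['cd_method']:#06x}"))
        if e["cd_method"] != e["lfh_method"]:
            findings.append((e["name"], "central directory and local header disagree on method"))
    return findings


def stock_tool_can_read(data: bytes, name: str) -> bool:
    """Does Python's zipfile (a stand-in for ordinary decompilation tooling) read the entry?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = tamper_method(clean, "classes.dex", 0x7777, patch_local=False)
    print("clean:", scan_apk(clean), "readable:", stock_tool_can_read(clean, "classes.dex"))
    print("tampered:", scan_apk(bad), "readable:", stock_tool_can_read(bad, "classes.dex"))
```

The scanner deliberately reads both the central directory and each local file header, because the two copies of the method field are the usual place for an archive to say one thing to the loader and another to the analyst; a mismatch between them is worth a finding on its own even when both values look benign.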

Ransomware Hackers Exploit Critical Vulnerability in Citrix NetScaler

Unknown threat actors are targeting unpatched Citrix NetScaler systems in a suspected ransomware attack. The attack involves the exploitation of a critical code injection vulnerability, allowing for unauthenticated remote code execution. The attackers are using obfuscated PowerShell scripts, PHP web shells, and an Estonian service called BlueVPS for malware staging.

Microsoft Warns of Increasing AiTM Phishing Attacks in PhaaS Model

Microsoft has issued a warning about the rise of adversary-in-the-middle (AiTM) phishing techniques within the phishing-as-a-service (PhaaS) cybercrime model. The tech giant has observed an increase in AiTM-capable PhaaS platforms, including existing services like PerSwaysion. These platforms enable attackers to conduct large-scale phishing campaigns that attempt to bypass multi-factor authentication (MFA) protections. Phishing kits with AiTM capabilities use reverse proxy servers and synchronous relay servers to capture user credentials, two-factor authentication codes, and session cookies. The objective of these attacks is to gain access to privileged systems without reauthentication, necessitating the revocation of stolen session cookies.
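The remedy the summary ends on, revoking stolen session cookies, only works if the server can invalidate a cookie it has already issued. The block below is an added example written for this digest, not Microsoft's or any vendor's code: it implements a per-user "session epoch" so that a relayed cookie, which passed MFA and is otherwise perfectly valid, is rejected the moment the user's sessions are revoked, while a fresh login after revocation works again. The token layout, the HMAC key and the eight-hour lifetime are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment keeps this outside the code (KMS/HSM).
SERVER_KEY = secrets.token_bytes(32)


class SessionIssuer:
    """Stateless signed session cookies with O(1) revoke-all per user.

    Every cookie carries the user's session epoch at issue time. Bumping the epoch
    invalidates every cookie minted before the bump, including ones captured by an
    adversary-in-the-middle proxy that relayed the real MFA exchange.
    """

    def __init__(self, key: bytes = SERVER_KEY, max_age: int = 8 * 3600):
        self.key = key
        self.max_age = max_age
        self.epoch = {}  # user -> current epoch; absent means 0

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, user: str, now: int) -> str:
        claims = {"u": user, "e": self.epoch.get(user, 0), "iat": now}
        body = json.dumps(claims, separators=(",", ":")).encode()
        b64 = base64.urlsafe_b64encode(body).decode().rstrip("=")
        return f"{b64}.{self._sign(b64.encode())}"

    def validate(self, cookie: str, now: int):
        """Return the user for a valid cookie, else None (bad signature, expired, or revoked)."""
        try:
            b64, sig = cookie.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(b64.encode())):
            return None
        padded = b64 + "=" * (-len(b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if now - claims["iat"] > self.max_age:
            return None
        if claims["e"] != self.epoch.get(claims["u"], 0):
            return None  # issued under an older epoch: revoked
        return claims["u"]

    def revoke_all(self, user: str) -> int:
        """Invalidate every outstanding cookie for the user; returns the new epoch."""
        self.epoch[user] = self.epoch.get(user, 0) + 1
        return self.epoch[user]


if __name__ == "__main__":
    issuer = SessionIssuer()
    relayed = issuer.issue("alice", now=1_000)        # cookie a proxy could have captured
    print("before revocation:", issuer.validate(relayed, now=1_100))
    issuer.revoke_all("alice")                         # incident response step
    print("after revocation:", issuer.validate(relayed, now=1_100))
    print("fresh login:", issuer.validate(issuer.issue("alice", now=2_000), now=2_000))
```

Tie the epoch bump to the actions a responder already takes (password reset, MFA re-enrollment, "sign out everywhere") rather than leaving it as a separate manual step; a password change that does not touch the epoch leaves the relayed cookie working, which is exactly the gap the AiTM kits rely on.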

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.