Threat Pulse – October 2023
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls
Typically spread via SMS phishing, the spyware tricks users into installing the app by clicking on an embedded link. The app hides its presence from the Android home screen and can be triggered remotely.
It requests accessibility permissions and then leverages them to grant itself additional permissions to record audio and phone calls, log keystrokes and capture screenshots of the phone.
QR Code Phishing
“Quishing” is where an attacker creates a QR code with malicious intent: it contains a link that can automatically download infected files or steal credentials via fake login pages.
These QR codes can be found physically in public places or sent via email. QR-based phishing is being used in place of the traditional URLs in emails. This is a new tactic to bypass security solutions and to exploit users who see QR codes everywhere in daily life and trust them automatically. We have seen threat actors send one email, very similar to previous phishing URL exercises, that tries to direct a user to a fake page, often the corporate Office 365 login, in order to get the user to enter their details.
The user will then receive a second email, similar to the first, asking them to confirm their 2FA/MFA. The threat actor is trying to capture the user’s MFA authentication token using an adversary-in-the-middle (AitM) attack.
Once the threat actor has this token, they can reuse it until it expires; often this is set to 30 days. We are seeing that threat actors will then typically sit in the user’s mailbox as part of reconnaissance, often for around two weeks or so, and will sometimes try to gather information that can be used to make an internal email look more convincing (invoice templates, email signatures).
The threat actor will identify a likely email thread to target and will then put an inbox rule in place to delete all email replies to the compromised user for that thread. They then inject themselves into the email conversation and use the information gathered to send a convincing email chasing payment of an invoice, noting that the company’s bank account details have changed.
As with other phishing attacks, make sure to check the sender, subject and grammar of the email, and think about whether or not your organisation would send you such emails; in many cases it wouldn’t.
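The inbox rule described above is one of the few durable artefacts of this attack, so auditing rules is a practical detection. The following is an added example for this bulletin, not DigitalXRAID tooling: it scores exported inbox rules for thread-suppression behaviour. The rule records and their field names are constructed assumptions, not a vendor schema.

```python
"""Flag inbox rules that hide replies in a thread (the invoice-hijack pattern above).
Added example for this bulletin, not DigitalXRAID tooling. Rule records are
constructed to resemble exported Exchange inbox rules; the field names are
assumptions, not a vendor schema."""

HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}  # folders that hide mail
FINANCE_TERMS = ("invoice", "payment", "bank", "remittance", "wire")   # payment-diversion subjects

def audit_rule(rule: dict) -> list[str]:
    """Return reasons a single rule looks like thread suppression (empty if none)."""
    reasons = []
    actions = set(rule.get("actions", []))
    folder = (rule.get("move_to_folder") or "").lower()
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    if "DeleteMessage" in actions:
        reasons.append("deletes matching mail")
    if "MoveToFolder" in actions and folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{folder}'")
    if not reasons:                       # rule does not hide anything: treat as benign
        return reasons
    if any(ft in t for t in terms for ft in FINANCE_TERMS):
        reasons.append("matches finance-related subject terms")
    if "MarkAsRead" in actions:           # hidden mail also marked read: no unread badge
        reasons.append("marks hidden mail as read")
    if rule.get("name", "").strip(". ,") == "":
        reasons.append("rule name is blank or punctuation only")
    return reasons

def suspicious_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Audit every enabled rule and return (rule name, reasons) for each hit."""
    hits = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = audit_rule(rule)
        if reasons:
            hits.append((rule.get("name", ""), reasons))
    return hits

SAMPLE_RULES = [  # constructed sample data, not taken from any real mailbox
    {"name": "Newsletters", "enabled": True, "actions": ["MoveToFolder"],
     "move_to_folder": "Newsletters", "from_contains": ["news@"]},
    {"name": ".", "enabled": True, "actions": ["DeleteMessage", "MarkAsRead"],
     "subject_contains": ["RE: Invoice 4471", "bank details"]},
    {"name": "Old tickets", "enabled": True, "actions": ["MoveToFolder"],
     "move_to_folder": "Deleted Items", "subject_contains": ["[Ticket closed]"]},
]
```

A rule that merely files mail into Deleted Items is still reported, so analysts triage the reasons rather than treating every hit as a compromise.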
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
Attackers have exploited a recently disclosed critical zero-day bug (CVE-2023-20198) to compromise and infect Cisco IOS XE devices with malicious implants. The vulnerability affects both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled.
Successful exploitation allows an attacker to create an account on the affected device with privilege level 15 access which grants them full control of the device and hence allows them to deploy malicious implants.
Cisco recommends disabling the HTTP server feature on internet-facing systems until a patch is released, and checking for newly created or suspicious accounts, which could indicate compromise. Free software updates have been made available for the affected systems.
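Both of Cisco's recommendations above can be checked from a saved running-config. The following is an added example for this bulletin, not Cisco tooling: it reports whether the HTTP/HTTPS server feature is enabled and which privilege-15 accounts fall outside an expected baseline. The config text is a constructed sample and the admin baseline is an assumption.

```python
"""Audit an IOS XE running-config excerpt for what Cisco asked operators to check
for CVE-2023-20198: is the HTTP/HTTPS server feature enabled, and are there
privilege-15 accounts outside the expected baseline?
Added example for this bulletin, not Cisco tooling. The config text is a
constructed sample and the admin baseline is an assumption."""
import re

PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b")
HTTP_CMDS = {"ip http server": "http", "ip http secure-server": "https"}

def parse_config(text: str) -> dict:
    """Return {'http': bool, 'https': bool, 'priv15': {user: config line}}."""
    state = {"http": False, "https": False, "priv15": {}}
    for raw in text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")          # 'no ip http server' disables the feature
        cmd = line[3:] if negated else line
        if cmd in HTTP_CMDS:
            state[HTTP_CMDS[cmd]] = not negated
        elif line.startswith("username "):
            user = line.split()[1]
            m = PRIV_RE.search(line)
            if m and m.group(1) == "15":          # level 15 = full control of the device
                state["priv15"][user] = line
    return state

def findings(text: str, expected_admins: set[str]) -> list[str]:
    """Human-readable findings; an empty list means nothing to investigate."""
    st = parse_config(text)
    out = []
    enabled = [k for k in ("http", "https") if st[k]]
    if enabled:
        out.append("web UI enabled: " + ", ".join(enabled))
    for user in sorted(st["priv15"]):
        if user not in expected_admins:
            out.append(f"unexpected privilege-15 account: {user}")
    return out

SAMPLE_CONFIG = """\
! constructed sample, not from a real device
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$EXAMPLEHASH
username svc-backup privilege 1 secret 9 $9$EXAMPLEHASH
username svc-maint privilege 15 secret 9 $9$EXAMPLEHASH
ip http server
no ip http secure-server
"""
```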
BlackSuit Ransomware Strikes Windows and Linux Users
A new report on the growing threat posed by ransomware groups has been released, including BlackSuit ransomware, which is targeting Windows and Linux users.
New SprySOCKS Linux malware used in cyber espionage attacks
Analysis of the novel backdoor showed that it originates from the Trochilus open-source Windows malware, with many of its functions ported to work on Linux systems. However, the malware appears to be a mixture of multiple malware families, as the SprySOCKS command and control (C2) communication protocol is similar to that of RedLeaves, a Windows backdoor.
In contrast, the implementation of the interactive shell appears to have been derived from Derusbi, a Linux malware.
Citrix NetScaler Critical Vulnerability
Citrix NetScaler is an Application Delivery Controller (ADC) designed to optimise, manage and secure network traffic. Within the last month, Citrix has disclosed that its NetScaler ADC and NetScaler Gateway are exploitable via CVE-2023-4966.
This is a critical information exposure bug, and there have already been credible reports of session hijacking and targeted attacks from hackers.
In response to this security threat, Citrix urges all users to take immediate action and apply a recently released patch. The security vulnerability poses a significant risk to Citrix users and their systems.
Failing to apply the patch could expose systems to exploitation, making it imperative for admins to take action quickly.
Sticky Werewolf spies attack government organisations in Russia and Belarus
A new group that uses presumably legitimate software to interfere with government organisations has been discovered.
A characteristic feature of this criminal community, dubbed Sticky Werewolf, is the use of popular Malware as a Service tools that are easy to detect and block.
Nevertheless, this has not stopped Sticky Werewolf from succeeding. The group’s activity can be traced back to April 2023 with at least 30 attacks to date.
When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief
PAM is a widely used framework for authentication and authorisation on Linux systems. Many popular applications and services on Linux rely on PAM and use its APIs for authentication, including the SSH service, GNOME Display Manager (GDM) and system services such as sudo.
The flexible and modular design of PAM makes it an attractive target for attackers, who seek to leverage PAM APIs in malware as a way to intercept or manipulate the authentication process.
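Because PAM loads whatever modules its service files name, a rogue module in the stack is one of the first things to look for. The following is an added example for this bulletin, not a vendor tool: it parses /etc/pam.d-style text and flags modules outside an allowlist, modules loaded from non-standard directories, and an unconditional "auth sufficient pam_permit.so". The allowlist, directory list and sample service file are constructed assumptions to be tailored to a real distribution baseline.

```python
"""Audit a PAM service file for modules that could tamper with authentication.
Added example for this bulletin, not a vendor tool: it parses /etc/pam.d-style
text and flags modules outside an allowlist, modules loaded from non-standard
directories, and 'auth sufficient pam_permit.so'. The allowlist, directory list
and sample file are constructed assumptions, to be tailored per distribution."""
import os

EXPECTED_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so"}
STANDARD_DIRS = ("/lib/security/", "/usr/lib/security/", "/lib/x86_64-linux-gnu/security/")

def parse_pam(text: str) -> list[dict]:
    """Return one dict per module line: type, control, module, args."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":       # skip comments and @include directives
            continue
        mtype, rest = (line.split(None, 1) + ["", ""])[:2]
        if rest.startswith("["):              # bracketed control: [success=1 default=ignore]
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = (rest.split(None, 1) + ["", ""])[:2]
        module, args = (rest.split(None, 1) + ["", ""])[:2]
        if module:                            # ignore malformed lines with no module path
            entries.append({"type": mtype.lstrip("-"), "control": control,
                            "module": module, "args": args.strip()})
    return entries

def audit_pam(text: str) -> list[str]:
    """Human-readable findings for one PAM service file."""
    out = []
    for e in parse_pam(text):
        name = os.path.basename(e["module"])
        if e["module"].startswith("/") and not e["module"].startswith(STANDARD_DIRS):
            out.append(f"{name}: loaded from non-standard path {e['module']}")
        if name not in EXPECTED_MODULES:
            out.append(f"{name}: not in module allowlist")
        if e["type"] == "auth" and e["control"] == "sufficient" and name == "pam_permit.so":
            out.append("pam_permit.so: unconditional success in auth stack")
    return out

SAMPLE_PAM = """\
# constructed sample service file, not copied from any system
auth     required   pam_env.so
auth     [success=1 default=ignore] pam_unix.so nullok
auth     requisite  pam_deny.so
auth     optional   /tmp/.cache/pam_helper.so
account  required   pam_unix.so
"""
```

Pair this with package-manager verification of the module files themselves, since a trojaned pam_unix.so keeps its expected name and path.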
F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution
F5 has issued a warning to its customers regarding a critical security vulnerability in the BIG-IP system. This vulnerability, associated with the configuration utility component, has been labelled as CVE-2023-46747 and has a high CVSS score of 9.8 out of 10. It could potentially lead to unauthorised remote code execution.
The vulnerability allows an unauthenticated attacker with network access to the BIG-IP system via the management port or self IP addresses to execute arbitrary system commands. Notably, it impacts the control plane and does not expose the data plane to risk.
F5 has provided a shell script as a mitigation measure for users of BIG-IP versions 14.1.0 and later. However, they caution against using this script on versions prior to 14.1.0, as it could prevent the Configuration utility from functioning.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.