16 May 2021
The Roaming Mantis smishing campaign, known to target Asian Android users, is now leveraging new malware called SmsSpy to target Japanese users. Researchers highlight how the operators lure victims with a smishing attack that uses fake domains resembling a logistics company and impersonates bitcoin operators. The new malware has two variants and infects the device according to the Android OS version in use: on Android 10 or earlier, a fake Google Play app is downloaded; on Android 9 or earlier, a fake Chrome app is downloaded. Apart from stealing phone numbers and SMS messages from the infected device, the malware sends the Android OS version, phone number, device model, internet connection type, and unique device ID as part of the handshake with the command & control (C2) server.
The threat actors have reportedly used different mobile malware such as MoqHao, SpyAgent, and FakeSpy to target Android users in Asian countries in the past.
The threat actor, which started with a simple DNS hijacking technique for distribution, has since improved its attack methods and is known to use enhanced anti-researcher tactics to avoid tracking. The group, while largely focused on Asian countries, is also reported to have expanded its operations into Europe. The newly identified malware in the current campaign is observed to use modified infrastructure and payloads.
The analysis paper released by US law enforcement agencies highlights three threat vectors that could pose major cybersecurity risks for 5G networks, potentially making them a lucrative target for cybercriminals and nation-state adversaries seeking valuable intelligence.
While the transition to 5G presents a wealth of opportunities and capabilities, it also introduces new vulnerabilities and threats. The following threat vectors identified represent an initial list of threats across the various 5G domains:
5G is projected to use more components than the previous generation of wireless networks, giving malicious threat actors an increased attack surface. As an important technological advancement, 5G is expected to drive a digital and business revolution, and with it new threat vectors. The exposure of newly connected devices, industries and services, and sensitive assets is likely to attract new cybercriminals.
The industry has welcomed this Executive Order (EO) as a step in the right direction to curb cyber threats. The key pillars of the EO rest on information sharing between the public and private sectors, the need to develop a zero-trust framework, and strengthening the software and cloud products that are increasingly adopted by government and businesses alike. The wide-ranging order includes the following:
Researchers have disclosed a new Android trojan that hijacks users’ credentials and SMS messages to facilitate fraudulent activities against banks across Europe. Once successfully installed, the trojan allows threat actors to obtain a live stream of the device screen and interact with it via its Accessibility Services. According to researchers, when the malicious app ‘TeaTV’ is downloaded onto the device, the malware, dubbed “Teabot”, is installed as an Android Service, an application component that can perform long-running operations in the background. After installation it requests Android permissions to observe users’ actions, retrieve window content, and perform arbitrary gestures. According to researchers, Teabot represents a shift in mobile malware, from a sideline issue to a mainstream problem, just as malware is on traditional endpoints.
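Because Teabot's screen streaming and gesture injection depend on an enabled accessibility service, one cheap defensive check is to compare the device's enabled accessibility services against an explicit allowlist. The script below is an added example, not code from the original article or from the researchers cited; it assumes the input is the value printed by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/Service` entries), and the allowlist, the sample value and the `com.example.teatv` package name are all constructed for illustration.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services that are not
# on an explicit allowlist. Not part of the original article.
# Assumption: VALUE has the format printed by
#   adb shell settings get secure enabled_accessibility_services
# i.e. "pkg/Service:pkg2/Service2" (or "null" when nothing is enabled).

# Constructed allowlist: only the stock screen reader is expected.
ALLOWLIST="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_services VALUE
# Prints every enabled service entry that is not in ALLOWLIST, one per line.
flag_unknown_services() {
    value="$1"
    # "null" or an empty string means no accessibility service is enabled.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    echo "$value" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            continue
        fi
        # Exact match against the colon-delimited allowlist.
        case ":$ALLOWLIST:" in
            *":$entry:"*) ;;            # known service, ignore
            *) echo "$entry" ;;         # unknown service, report it
        esac
    done
    return 0
}

# Constructed sample: the stock screen reader plus an unexpected service
# registered by a hypothetical sideloaded app.
SAMPLE="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.teatv/.AccService"

# Live use against a connected device (requires adb; tr strips the CR that
# older adb versions append to shell output):
#   flag_unknown_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
```

Running `flag_unknown_services "$SAMPLE"` prints only the `com.example.teatv/.AccService` entry. On a fleet, the same comparison can be driven from an MDM inventory export instead of adb; the point is that any accessibility service outside a known set deserves a look, since that permission is what lets a trojan read window content and inject gestures.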
Researchers highlight that since 2019, ransomware operators, comprising 34 different ransomware gangs, have leaked stolen data of approximately 2103 organizations. The top five active operators in terms of the number of leaks include:
Two notable operators that have more leaks than some of those in the top five are Maze (266 leaks) and Egregor (206 leaks). Some of the ransomware gangs listed below are no longer in operation, such as NetWalker, Sekhmet, Egregor, Maze, and Team Snatch, or have rebranded under a new name, such as NEMTY and AKO.
The complete list of tracked 34 ransomware operators includes Team Snatch, MAZE, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, DarkSide, CL0P, Avaddon, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, RansomEXX, Everest, Ragnarok, BABUK LOCKER, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and XING LOCKER.
Ransomware is designed for direct revenue generation. Since the inception of modern ransomware attacks, operators' tactics have evolved many times over from the simple approach of encrypting as many victims as possible before demanding a ransom. Ransomware operators have used cold-calling, threats to the C-level executive in charge of approving the ransom, threats to notify business partners and journalists about the breach, threats to notify regulatory bodies, threats to launch DDoS attacks, leveraging the victim’s clients to apply pressure, and threats to leak the data.
Most recently, the DarkSide ransomware gang added a new tactic: leveraging the negative effect of a publicly disclosed cyber-attack on the stock market to extort ransom from victims.
A team of security researchers has identified a critical authentication bypass vulnerability in the Pega Infinity enterprise software platform, versions 8.2.1 to 8.5.2. The vulnerability was identified in Pega Infinity’s password reset system via a bug bounty program. An attacker could leverage the vulnerability to fully compromise a Pega instance through administrator-only remote code execution, which could include modifying dynamic pages or templating. Pega instances are largely public-facing, and at the time the vulnerability was reported, customers included the FBI, US Air Force, Apple, American Express, and others. A hotfix has been released and users were advised to update their installations.
This incident highlights the importance of running a responsible disclosure program (loosely referred to as a bug bounty) for an organization. Independent security researchers can help businesses identify potentially critical weaknesses in enterprise applications and infrastructure. Such programs are an alternative way to detect software and configuration errors that may have been overlooked by the development and security teams.
To take full advantage of a responsible disclosure program, organizations must ensure an active response to researchers and take timely steps to address the issues they highlight.