Weekly Intelligence Trends and Advisory – 15 Aug 2021

Threat Actor in Focus

Kimsuky is Attacking Using PDF Documents

Suspected Threat Actors: Kimsuky (suspected)

  • Attack Type: Vulnerabilities & Exploits
  • Objective: Unauthorized Access, Malware Implant
  • Target Geography: Korea
  • Target Technology: PDF Documents
  • Business Impact: Data Loss, Financial Loss

A targeted attack using PDF documents is presumed to have been carried out by a North Korea-linked group. Researchers suspect the activity is the work of Kimsuky, although other threat actor groups could be imitating it. The threat actors used PDF document files as lures. Through an Adobe Acrobat vulnerability, malicious JavaScript embedded in the PDF is executed, which in turn executes a malicious EXE in system memory. The use-after-free vulnerability CVE-2020-9715 is believed to have been leveraged; it has since been patched with security updates.

The document is estimated to contain matters related to inter-Korean relations and may be used to target specific individuals or organizations. Attacks using PDF document files have not been common among recent exploitation activity, so this could be an emerging attack method.
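One triage check a defender can run on inbound PDF lures of this kind is to look for embedded JavaScript wired to an auto-trigger such as /OpenAction. The following Python is an added example, not code from the advisory or from any CYFIRMA tooling; the sample PDFs are constructed, and the list of keys worth flagging is my own assumption.

```python
import re

# Constructed sample PDFs (not real Kimsuky samples): a benign catalog, one whose
# OpenAction runs JavaScript, and one hiding the same keys behind PDF name escapes
# (/J#61vaScript), which defeats a naive substring search.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
OBFUSCATED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n"
                  b"2 0 obj << /S /J#61vaScript /J#53 (app.alert(1)) >> endobj\n%%EOF")

# Assumed key list: names whose presence in a document lure warrants closer inspection.
SUSPICIOUS_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes used inside PDF name tokens (ISO 32000-1, 7.3.5)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return a count of each suspicious key found after de-obfuscating names."""
    text = normalize_names(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # A name token ends at whitespace or a delimiter, so "/JS" must not match "/JSON".
        pattern = re.escape(key.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        count = len(re.findall(pattern, text))
        if count:
            hits[key] = count
    return hits

def is_suspicious(data: bytes) -> bool:
    """Flag JavaScript paired with an auto-trigger (OpenAction/AA), or any Launch action."""
    hits = scan_pdf(data)
    has_js = "/JavaScript" in hits or "/JS" in hits
    auto_trigger = "/OpenAction" in hits or "/AA" in hits
    return (has_js and auto_trigger) or "/Launch" in hits
```

The raw-byte approach deliberately ignores object streams and compressed content, so a hit is a reason to detonate the file in a sandbox, and a miss is not proof of safety.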


Latest Cyber-Attacks, Incidents, and Breaches

FlyTrap, a New Android Malware, Compromises Thousands of Facebook Accounts

  • Attack Type: Malware Implant, Data Theft, Social Engineering, Session Hijacking, Rogue Mobile App
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Facebook Accounts, Android
  • Business Impact: Operational Disruption, Data Loss, Financial Loss

Researchers have recently observed a new Android trojan used by attackers to compromise Facebook accounts. Dubbed FlyTrap, the malware has impacted approximately 10,000 users in at least 144 countries since March 2021. It is distributed via fraudulent apps on the Google Play Store and third-party app marketplaces and employs social engineering to compromise Facebook accounts. FlyTrap is suspected to be operated out of Vietnam as a session hijacking campaign. After infecting the victim's device, the malware collects the Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account. The attackers used several appealing themes as lures, such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football team or player. The fraudulent applications trick users into installing them through high-quality designs and social engineering. While the nine offending applications listed below have been removed from Google Play, they remain available in third-party app stores.

  • GG Voucher (com.luxcarad.cardid)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (com.free.voucher)
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (com.free_coupon.net_coupon)
  • Net Coupon (com.movie.net_coupon)
  • EURO 2021 Official (com.euro2021)

The threat actors take advantage of the common user misconception that logging into the correct domain keeps them protected regardless of the application used to log in. Further, high-quality graphics and official-looking login screens are common tactics for luring users into actions that expose their sensitive information.

Rogue mobile apps, counterfeit apps designed to impersonate trusted brands, are a constant problem for businesses as well as for app stores trying to protect users from them. With increased digitization and the wider reach of social media, attackers have increasingly used rogue mobile apps as an attack vector. Earlier this year, while tracking the threat actors Triangulum and HeXaGon Dev (known to have distributed multiple Android malware families, including crypto miners, keyloggers, and sophisticated P2P (phone-to-phone) mobile RATs), researchers observed advertisements for a "Rogue" mobile RAT for sale on one of the dark web forums.


Vulnerabilities and Exploits

Freshly Disclosed Vulnerability Being Exploited in The Wild

  • Attack Type: Vulnerabilities & Exploits
  • Target Geography: Global
  • Target Technology: Arcadyan Firmware
  • Vulnerabilities: CVE-2021-20090 (CVSS Score 9.8)
  • Vulnerability Type: Path Traversal Vulnerability, Authentication Bypass, Remote Code Execution (RCE), Distributed-Denial-of-Service (DDoS)
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

CVE-2021-20090 is a path traversal vulnerability that was publicly disclosed by researchers on August 3, 2021. It potentially affects millions of devices, including home routers and IoT devices that share the same vulnerable code base, and allows unauthenticated remote attackers to bypass authentication. In a separate report on August 5, 2021, researchers observed attackers attempting to exploit this vulnerability against home routers and infect them with a variant of the Mirai botnet, likely for DDoS attacks. The attackers deployed the Mirai variant on the affected routers using scripts similar to those reported in March activity targeting vulnerable network security devices from several vendors.

Researchers also observed other vulnerabilities and exploits being exercised alongside CVE-2021-20090, namely:

  • CVE-2020-29557 (DLink routers)
  • CVE-2021-1497 and CVE-2021-1498 (Cisco HyperFlex)
  • CVE-2021-31755 (Tenda AC11)
  • CVE-2021-22502 (MicroFocus OBR)
  • CVE-2021-22506 (MicroFocus AM)
  • Other exploits from exploit-db with associated CVEs.

Apart from the current activity, researchers observed a similar campaign around February this year. The similarity between the two activities suggests the same threat actor is behind the new attack.

This also demonstrates that threat actors keep a close eye on all disclosed vulnerabilities and are quick to take advantage of them. Whenever there is an exploit PoC published, threat actors often take very little time to integrate it into their attack routine.

CYFIRMA researchers also observed an unknown threat actor selling an Arcadyan firmware RCE exploit referencing CVE-2021-20090 on one of the underground forums.


Source: Underground Forums