All Things Newz
Law \ Legal

Ankura CTIX FLASH Update – August 19, 2022 – Security


Ransomware/Malware Activity

“DarkTortilla” Crypter Malware Used to Drop
Information Stealers, RATs, Ransomware

Researchers from Secureworks Counter Threat Unit (CTU) released
a report detailing a malware they have been tracking since January
2021. Dubbed “DarkTortilla”, the malware is a
“complex and configurable .NET-based crypter” that has
been active since at least August 2015. Crypters are malware that
use encryption, obfuscation, and code manipulation to evade
detection software and drop other malware. DarkTortilla delivers
popular information stealers and remote access trojan malware such
as “AgentTesla”, “AsyncRat”,
“NanoCore”, and “RedLine Stealer” and has been
known to drop ransomware in some cases. DarkTortilla has been
observed being deployed using malicious spam campaigns. The
phishing emails typically use a logistics lure and includes the
malicious payload in a malicious document or an archived attachment
with the file types .iso, .zip, .img, .dmg, and .tar. The CTU
researchers discovered emails written in multiple languages
including English, German, Romanian, Spanish, Italian, and
Bulgarian. When a victim executes the initial payload, DarkTortilla
grabs the “core processor” from a public paste site. This
core processor provides the main functionality for the malware such
as establishing persistence and injecting the dropped malware into
memory. CTU researchers identified ninety-three (93) unique
DarkTortilla samples out of the 10,000 total samples; only nine (9)
of the samples were used to drop ransomware. The researchers were
unable to determine where or how DarkTortilla is being sold. CTIX
analysts are continuing to monitor this malware and will provide
updates for new developments.

Thirty-Five Malicious Android Apps Serving Adware Discovered in
Google Play Store

Cybersecurity technology company Bitfinder identified a new
malware campaign that involves thirty-five (35) malicious Android
applications uploaded to the Google Play Store. Researchers
employed a real-time behavior-based analysis method that identified
the campaign and discovered that the applications have been
installed over 2 million times on victims’ mobile devices. The
mobile applications lure users by offering fraudulent
“specialized functionality” but once installed,
immediately change their names and icons in order to conceal their
presence and make the uninstall process more difficult. The app
developers also push updates to the apps to advance their
persistence abilities. The apps then serve the victims various
intrusive advertisements by abusing “WebView”, which
generates “fraudulent impressions and ad revenue for their
operators.” The apps offer advertisements to their users via
their own frameworks which also allow malware to be served.
Researchers noted one example of a “GPS Location Maps”
app that, once installed, changes its name to “Settings”,
declared an alias launcher, and immediately shows additional
websites in WebViews as well as an advertisement. Once the icon is
clicked, the alias launcher renders this activity with “a
“0” size in a corner, then launches the settings page for
the phone, tricking the user into thinking that the real settings
button was pressed.” This app has zero (0) reviews and over
100,000 downloads. Other applications disguise themselves as
Motorola, Oppo, and Samsung system apps. Various functionalities,
such as heavy code obfuscation, encryption, and excluding the app
from the devices’ “Recent apps” list, are present to
bypass detection and complicate reverse engineering efforts. As of
August 18, 2022, three (3) of the thirty-five (35) applications are
still available in Google Play Store: “Walls light -
Wallpapers Pack”, “Animated Sticker Master”, and
“GPS Location Finder”. A full list of malicious
applications as well as a deeper dive into the technical aspects of
this campaign can be viewed in Bitdefender’s report linked
below.

Threat Actor Activity

Threat Profile: TA558

In a recent reporting from Proofpoint, a small threat group
tracked as TA558 has been targeting several corporations throughout
the hospitality, travel, and hotel industries over the past four
(4) years. TA558 has launched several campaigns and deployed
several malicious payloads with the overall goal of significant
financial gain for the threat group. Throughout 2022, TA558 has
conducted roughly fifty (50) social engineering campaigns
attempting to deliver malicious payloads through various methods:
twenty (20) via file attachments, twenty-six (26) via infected URL
hyperlinks, and some phishing emails combining both malicious
URL’s and file attachments. Much like other recent campaigns,
TA558 has shifted from utilizing macro-infected malware to infected
ISO images and ZIP archives which contain payloads to be deployed
on the compromised device. Other malicious tools and payloads that
TA558 has utilized previously include the Revenge RAT, Loda,
Vjw0rm, and the Async RAT. Research shows that TA558 threat actors
favor the use of Spanish and Portuguese language in their
campaigns, with very little social engineering emails scribed in
English. With the extensive number of campaigns from TA558 threat
actors and a clear financial motive, CTIX believes that this
activity will continue to persist and evolve in the weeks to
come.

APT41 Compromises Thirteen Organizations in the Past Year

Threat actors from the widely known APT41 threat group have
compromised thirteen (13) organizations worldwide over the past
year, including breaching six (6) government infrastructures in six
(6) US states. APT41, also tracked as Wicked Panda and Winniti, is
one of the oldest known Chinese-backed espionage organizations
which focuses heavily on financially-motivated operations.
Historically, APT41 has targeted corporations within the
technology, gaming, telecommunications, and healthcare industries
across over a dozen countries. In recent campaigns by APT41, threat
actors initialize their reconnaissance phase by scanning the target
with port scanners, network mappers, and vulnerability scripts such
as Nmap, Sublist3r, and Acunetix, followed by exploiting web
applications susceptible to SQL injection attacks. Once breached,
APT41 actors have the ability to execute arbitrary code via the
server command shell and begin communications between target and
command-and-control (C2) servers. Furthermore, threat actors
continue to execute payloads on the compromised systems
establishing persistence, escalating privilege rights, masking
communications to avoid detection, and deploying espionage scripts
to gather data across the enterprise and exfiltrating data to APT41
C2 servers. APT41 has been a significant player in the threat
landscape since 2007 and is predicted to continue to be so in the
near future. CTIX continues to monitor threat actor activity
worldwide and will provide additional updates accordingly.

Vulnerabilities

Amazon Patches Vulnerability Exposing Ring Smart Doorbell
Cameras

In May, Amazon patched a high-severity vulnerability in their
Android application for Ring smart doorbell cameras which if
exploited, could expose sensitive user data. The exposed data would
include the full name of the user, their email and phone number,
geolocation data and street address, as well as the camera video
recordings. Researchers from the application security firm
Checkmarx first reported this to Amazon via their Vulnerability
Research Program. On May 27, 2022, Amazon released a fix for both
the Android and iOS Ring applications. The flaw was identified
after Checkmarx researchers investigated the Android Ring APK
manifest and found an exposed program component known as an
“activity” which could be launched by any application
installed on the device. To successfully exploit this
vulnerability, attackers could install a malicious application that
launches the exposed activity and redirects it to an
actor-controlled command-and-control (C2) web server. A researcher
from Checkmarx stated that by exploiting this vulnerability, it was
possible to use Ring’s APIs to extract the customer’s
personal and device data. Once they had extracted the video data,
the researchers were able to use Amazon’s own machine learning
image and video analysis service, known as Amazon Rekognition, to
parse through hours of recordings until finding the data that would
be considered valuable. At this point, an attacker could use the
data to access other parts of the victim network, extort the
victim, and spy on their day-to-day activity. At this time there is
no evidence that Ring customers were exploited in-the-wild. Amazon
was very quick to patch this vulnerability and did not publicly
disclose it until a working patch and full report was available.
There are over 10 million downloads of the Ring application, and
smart doorbells are just one of millions of new IoT devices that
represent fresh attack-vectors for threat actors. The Checkmarx
report will be published in the coming weeks, and CTIX analysts
recommend any Ring customers verify that the software version of
their device is up to date to prevent any exploitation
attempts.

Google Patches Zero-Day Allowing for the Execution of Arbitrary
Code

Google has released a patch for a critical zero-day
vulnerability in their Chrome browser that has been actively
exploited in-the-wild. The flaw, tracked as CVE-2022-2856, is an
insufficient validation of untrusted input in Intents
vulnerability. If exploited, the vulnerability could allow
attackers to perform arbitrary code execution. Input validation is
a technique for verifying if inputs are potentially dangerous to
process or not; an attacker could exploit a flaw in input
validation by maliciously crafting inputs that aren’t expected
by the application, altering the order in which a computer executes
statements in a script. This could allow for the attacker to take
complete control of resources to conduct follow-on actions or
execute arbitrary code. This flaw was identified in July 2022 by
Google’s own Threat Analysis Group (TAG) and at this time, the
specifics of the exploit are being withheld from the public to
allow as many Chrome users as possible to update their vulnerable
browsers. This patch addresses ten (10) other vulnerabilities, and
the specific information can be found in the linked Google
advisory. CTIX analysts recommend all Chrome users ensure they have
installed the patch. If noteworthy exploit information is disclosed
about this flaw in the near future, CTIX will publish an update to
this piece.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Source link

Related posts

Short-term Lets Licensing Scheme In Scotland: Staying Compliant – What Are The Consequences Of Getting It Wrong? – Real Estate

Work Beyond Pay Grade Can Be Grounds For Constructive Termination, Court Rules – Unfair/ Wrongful Dismissal

TGIF – Inquiry into Australian corporate insolvency regime commences – Insolvency/Bankruptcy