CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Subscribe

Episode 31: October 24 2022

October 24, 2022 Jim Guckin CyberSecurity News Byte 24:13 Comments Off on Episode 31: October 24 2022

Links 

https://thehackernews.com/2022/10/emotet-botnet-distributing-self.html

https://cyware.com/news/spikes-in-cyberattacks-against-open-source-repositories-e7337780

https://thehackernews.com/2022/10/hackers-started-exploiting-critical.html?&web_view=true

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

https://nvd.nist.gov/vuln/detail/CVE-2022-33980

https://thehackernews.com/2022/10/these-16-clicker-malware-infected.html?&web_view=true

  • Trustwave SpiderLabs researchers 
  • New wave of malspam  
  • Does not require the target into opening the dummy document 
  • Batch script will run when the archive decompresses 
  • Uses a batch file to automatically supply the password to unlock. 
  • Utilizes PDF or Excel icon to make it appear legitimate 
  • Uses an invoice themed scheme 
  • Using a password protected archive file 
  • Nested self-extracting archive 
  • Drops CoinMiner or Quasar RAT 
  • 3 components 
  • Password Protected Self Extracting RAR (RARsfx) 
  • Batch Script 
  • Decoy file 
  • Excel, Image, or PDF 
  • Password Protected Zip 
  • 96% are emotet based 
  • Increase in current usage 
  • CoinMiner 
  • Crypto miner 
  • Can double as credential harvester 
  • Quasar 
  • Open source, .NET based, RAT (Remote Access Trojan) 

Are Open-Source Repositories Safe? 

  • If you know what you are downloading and check it 
  • Safe 
  • For everyone else? 
  • Maybe 
  • SonaType Report 
  • 633% rise in attacks against open-source repos year over year 
  • since 2019, there has been an annual, overall increase of 742% in such attacks 
  • Rise in the adoption of open-source repos by enterprises 
  • top downloaded open-source ecosystems 
  • Java 
  • JavaScript 
  • Python 
  • Scary 
  • 1.2 downloads of code with vulnerable Java dependencies a month 
  • 6 out of 7 vulnerabilities in projects other project dependencies 
  •  96% of known vulnerable open-source downloads are avoidable 
  • exploitations of the open-source ecosystem, from Log4j to crypto heists tied to open-source repositories 
  • What you can do 
  • Where possible avoid the open-source repositories 
  • Make sure your security program’s software development process includes the potential risk of using outdated and vulnerable systems 
  • employ a rigorous evaluation and testing process 

Text4Shell Concern 

  • WordFence 
  • WordPress security company 
  • Detected exploitations of the new Apache Commons Text 
  • October 18th 
  • Known as Text4Shell 
  • That the likelihood of successful exploitation is significantly limited in scope when compared to Log4j 
  • most detected payloads so far designed to scan for vulnerable installations. 
  • CVE-2022-42889 (CVSS 9.8) 
  • Originally reported March 2022 
  • Updated on 9/24 (1.10.0) 
  • Advisory on 10/13 
  • Apache Commons Text versions 1.5 to 1.9 
  • Like Log4Shell 
  • Rooted in the manner string substitutions during DNS, Script and URL lookups 
  • Exploitation leads to execution of code from untrusted input. 
  • English: is that a malicious attacker can send a specifically crafted payload externally using ‘script,’ ‘dns,’ and ‘url’ lookups which makes the server get and run code 
  • Biggest fear here, is reverse shell 
  • Unlike Log4Shell 
  • Not as large of a footprint 
  • Need to expose the attack service and then utilize vulnerability 
  • To our last news story 
  • another indication of the potential security risks posed by third-party open source dependencies 
  • Previously on Apache Commons 
  • July 2022 
  • CVE-2022-33980, (CVSS 9.8),  
  • results in arbitrary code execution through the variable interpolation functionality. 

16 Apps Pulled Due to Malware 

  • Google Play 
  • Removed 16 apps after finding Clicker Malware 
  • Combined 20 million downloads 
  • Pretended to be normal apps 
  • cameras, currency converters, QR code readers, note-taking apps, and dictionaries 
  • All to trick users into downloading them 
  • Attack 
  • covertly visit bogus websites and simulate ad clicks 
  • Doesn’t kick in for the first hour 
  • Helps hide the source 
  • Cause heavy network traffic 
  • Consume device power faster than normal 
  • Payout 
  • generates profit for the threat actor 
  • The list of offending apps is as follows – 
  • High-Speed Camera (com.hantor.CozyCamera) – 10,000,000+ downloads 
  • Smart Task Manager (com.james.SmartTaskManager) – 5,000,000+ downloads 
  • Flashlight+ (kr.caramel.flash_plus) – 1,000,000+ downloads 
  • 달력메모장 (com.smh.memocalendar) – 1,000,000+ downloads 
  • Korean for calendar notepad 
  • K-Dictionary (com.joysoft.wordBook) – 1,000,000+ downloads 
  • BusanBus (com.kmshack.BusanBus) – 1,000,000+ downloads 
  • Flashlight+ (com.candlencom.candleprotest) – 500,000+ downloads 
  • Quick Note (com.movinapp.quicknote) – 500,000+ downloads 
  • Currency Converter (com.smartwho.SmartCurrencyConverter) – 500,000+ downloads 
  • Joycode (com.joysoft.barcode) – 100,000+ downloads 
  • EzDica (com.joysoft.ezdica) – 100,000+ downloads 
  • Instagram Profile Downloader (com.schedulezero.instapp) – 100,000+ downloads 
  • Ez Notes (com.meek.tingboard) – 100,000+ downloads 
  • 손전등 (com.candlencom.flashlite) – 1,000+ downloads 
  • Korean for Flashlight 
  • 계산기 (com.doubleline.calcul) – 100+ downloads 
  • Korean for Calculator 
  • Flashlight+ (com.dev.imagevault) – 100+ downloads