CyberSecurity News Byte – Weekly

Hosted ByJim Guckin

A new podcast has taken possession of my entire soul, like these sweet mornings of spring which I enjoy with my whole heart with souls like mine.

Episode 21: June 06 2022

Bullet points of key topics + chapter markers
[00:36] State-Backed Hackers Exploit ‘Follina’ to Target Entities in Europe and U.S
[06:06] Global Law Enforcement Operation Shuts Down FluBot
[11:16] SideWinder APT Launched More than 1,000 Attacks in Two Years
[17:50] Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

Links

https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html
https://cyware.com/news/global-law-enforcement-operation-shuts-down-flubot-6dedb412
https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-Shabab-SideWinderUncoilsToStrike.pdf
https://cyware.com/news/sidewinder-launched-more-than-1000-attacks-in-two-years-1244cd6e
https://thehackernews.com/2022/06/flubot-android-spyware-taken-down-by.html
https://thehackernews.com/2022/06/critical-unisoc-chip-vulnerability.html
https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/

State-Backed Hackers Exploit ‘Follina’ to Target Entities in Europe and U.S

  • Talked about this on May 31, 2022, Show
    • “Follina”
      • Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code
    • CVE-2022-30190
      • CVSS score: 7.8)
  • a suspected state-aligned threat actor
    • target government entities in Europe and the U.S
    • New Phishing campaign not linked to previous ATP actors
      • Nation-State thought because of the sophisticated recon capabilities
      • Proofpoint said
        • “The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target’s computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state-aligned nexus”
  • Proofpoint
    • blocked attempts at exploiting the remote code execution flaw
    • No less than 1,000 phishing messages containing a lure document were sent to the targets
  • Attack
    • masqueraded as a salary increase
    • RTF Document
    • payload downloaded from 45[.]76[.]53[.]253
      • Runs a PowerShell that downloads 2nd PowerShell
        • seller-notification[.]live
      • checks for virtualization
      • steals information from local browsers, mail clients, and file services
      • conducts machine recon
      • zips it for exfil
        • 45[.]77[.]156[.]179
  • No Fix Yet
    • 0patch has released an unofficial fix
      • Link in show notes
      • “It doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors,” 0patch said

Global Law Enforcement Operation Shuts Down FluBot

  • Europol
    • Takedown of FluBot
      • the fastest growing Android malware operation
        • Due to using a contact list of compromised devices to send SMS
      • infamous for stealing banking and cryptocurrency account credentials
    • law enforcement operations across 11 countries
      • Sweden, Australia, the Netherlands, Belgium, Hungary, Ireland, Spain, Switzerland, Finland, and the U.S
      • Dutch Police claimed to have disconnected 10,000 victims from the FluBot network and stopped over 6.5 million spam SMS from reaching potential victims.
      • pinpointing the bot’s most critical infrastructure
      • Spanish police arrested four suspects who were then considered the main members of the FluBot operation
    • its infrastructure is under the control of law enforcement
      • Making a comeback unlikely

SideWinder APT Launched More than 1,000 Attacks in Two Years

  • Aggressive APT group
    • launched more than 1,000 attacks
      • Since April 2020
  • targeted multiple industries
    • scientific and defense organizations
    • departments of foreign affairs
    • IT industry
    • legal firms
    • aviation.
  • large C2 infrastructure comprising more than 400 domains and subdomains
    • host malicious payloads and manage them
    • The first stage domains are used to host the first stage malware that spread via spear-phishing.
      • They further receive information gathered by first-stage malware domains and host second-stage payloads.
    • To evade detection, the group uses obfuscation routines, multi-layer malware, encryption with unique keys for each malicious file, splitting infrastructure strings into different malware components, and memory-resident malware.
    • C2 domains used in the final stage of the attacks and URLs used for C2 communications are split into two parts:
      • The Installer module includes the first part of the URL, which is a C2 server domain name in encrypted form.
      • The second half of the URL is encrypted inside the second stage HTA module.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

  • A critical security flaw has been uncovered in UNISOC’s smartphone chipset
    • potentially weaponized to disrupt a smartphone’s radio communications
      • through a malformed packet.
  • Check Point
    • The vulnerability is in the modem firmware, not in the Android OS itself.
  • UNISOC
    • semiconductor company based in Shanghai
    • 4th largest mobile processor manufacturer
    • 10% of all shipments in 2021
  • CVE 2022-20210 (CVSS 9.4/10)
    • Patch Available
    • a case of buffer overflow
      • the component that handles Non-Access Stratum (NAS) messages
      • in the modem firmware
      • causes a Denial of Service
    • Mitigation
      • recommended that users update their Android devices to Security update for June 2022.
  • Not the First Time
    • CVE-2022-27250, CVSS score: 9.8
    • malicious actors to take control over user data and device functionality

Leave a Reply

Your email address will not be published.