Bullet points of key topics + chapter markers
[00:36] State-Backed Hackers Exploit ‘Follina’ to Target Entities in Europe and U.S
[06:06] Global Law Enforcement Operation Shuts Down FluBot
[11:16] SideWinder APT Launched More than 1,000 Attacks in Two Years
[17:50] Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

Links

https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html
https://cyware.com/news/global-law-enforcement-operation-shuts-down-flubot-6dedb412
https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-Shabab-SideWinderUncoilsToStrike.pdf
https://cyware.com/news/sidewinder-launched-more-than-1000-attacks-in-two-years-1244cd6e
https://thehackernews.com/2022/06/flubot-android-spyware-taken-down-by.html
https://thehackernews.com/2022/06/critical-unisoc-chip-vulnerability.html
https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/

State-Backed Hackers Exploit ‘Follina’ to Target Entities in Europe and U.S

• Talked about this on May 31, 2022, Show
  • “Follina”
    • Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code
  • CVE-2022-30190
    • CVSS score: 7.8)
• a suspected state-aligned threat actor
  • target government entities in Europe and the U.S
  • New Phishing campaign not linked to previous ATP actors
    • Nation-State thought because of the sophisticated recon capabilities
    • Proofpoint said
      • “The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target’s computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state-aligned nexus”
• Proofpoint
  • blocked attempts at exploiting the remote code execution flaw
  • No less than 1,000 phishing messages containing a lure document were sent to the targets
• Attack
  • masqueraded as a salary increase
  • RTF Document
  • payload downloaded from 45[.]76[.]53[.]253
    • Runs a PowerShell that downloads 2^nd PowerShell
      • seller-notification[.]live
    • checks for virtualization
    • steals information from local browsers, mail clients, and file services
    • conducts machine recon
    • zips it for exfil
      • 45[.]77[.]156[.]179
• No Fix Yet
  • 0patch has released an unofficial fix
    • Link in show notes
    • “It doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors,” 0patch said

Global Law Enforcement Operation Shuts Down FluBot

• Europol
  • Takedown of FluBot
    • the fastest growing Android malware operation
      • Due to using a contact list of compromised devices to send SMS
    • infamous for stealing banking and cryptocurrency account credentials
  • law enforcement operations across 11 countries
    • Sweden, Australia, the Netherlands, Belgium, Hungary, Ireland, Spain, Switzerland, Finland, and the U.S
    • Dutch Police claimed to have disconnected 10,000 victims from the FluBot network and stopped over 6.5 million spam SMS from reaching potential victims.
    • pinpointing the bot’s most critical infrastructure
    • Spanish police arrested four suspects who were then considered the main members of the FluBot operation
  • its infrastructure is under the control of law enforcement
    • Making a comeback unlikely

SideWinder APT Launched More than 1,000 Attacks in Two Years

• Aggressive APT group
  • launched more than 1,000 attacks
    • Since April 2020
• targeted multiple industries
  • scientific and defense organizations
  • departments of foreign affairs
  • IT industry
  • legal firms
  • aviation.
• large C2 infrastructure comprising more than 400 domains and subdomains
  • host malicious payloads and manage them
  • The first stage domains are used to host the first stage malware that spread via spear-phishing.
    • They further receive information gathered by first-stage malware domains and host second-stage payloads.
  • To evade detection, the group uses obfuscation routines, multi-layer malware, encryption with unique keys for each malicious file, splitting infrastructure strings into different malware components, and memory-resident malware.
  • C2 domains used in the final stage of the attacks and URLs used for C2 communications are split into two parts:
    • The Installer module includes the first part of the URL, which is a C2 server domain name in encrypted form.
    • The second half of the URL is encrypted inside the second stage HTA module.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

• A critical security flaw has been uncovered in UNISOC’s smartphone chipset
  • potentially weaponized to disrupt a smartphone’s radio communications
    • through a malformed packet.
• Check Point
  • The vulnerability is in the modem firmware, not in the Android OS itself.
• UNISOC
  • semiconductor company based in Shanghai
  • 4^th largest mobile processor manufacturer
  • 10% of all shipments in 2021
• CVE 2022-20210 (CVSS 9.4/10)
  • Patch Available
  • a case of buffer overflow
    • the component that handles Non-Access Stratum (NAS) messages
    • in the modem firmware
    • causes a Denial of Service
  • Mitigation
    • recommended that users update their Android devices to Security update for June 2022.
• Not the First Time
  • CVE-2022-27250, CVSS score: 9.8
  • malicious actors to take control over user data and device functionality