Episode 32: October 31 2022
Links
https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html
https://cyware.com/news/new-linkedin-phishing-campaign-bypasses-google-protection-de6f6752
https://thehackernews.com/2022/10/researchers-uncover-stealthy-techniques.html?&web_view=true
Data Wiper Frames Security Researchers
- Azov Ransomware
- New data wiper
- Distributed through the following application types:
- Pirated software
- Key Generators
- Adware Bundles
- Named for
- The Ukrainian Azov Regiment
- A controversial military unit that has been alleged to have past ties to neo-Nazi ideology
- Its goal is to frame security researchers
- Falsely claims to have been created by:
- hasherezade
- Lawrence Abrams
- Bleeping Computer
- MalwareHunter Team
- Michael Gillespie
- Vitali Kremez
- Links to their Twitter accounts
- No way to contact the actors
- No recovery of files
- RESTORE_FILES.txt (the ransom note)
- Claims the device was encrypted in protest of the seizure of Crimea
- Even though Ukrainian organizations have been hit by this wiper
- Claims Western countries aren't helping Ukraine enough
- Calls on US citizens to revolt against the Biden administration
- Calls on Germans to do the same
- Ends with the hashtag #TaiwanIsChina
- Smokeloader
- Malware botnet
- Threat actors can buy installs of their malware through it
- Azov was recently seen being distributed through this service
- Sometimes paired with STOP ransomware
- Which double encrypts the data
- IOCs
- Randomly named file in %Temp%
- Wiper copies C:\Windows\System32\msiexec.exe to C:\ProgramData\rdpclient.exe
- It then patches that copy with the Azov code
- Can also be configured to start with the following Run key
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
- "Bandera" = "C:\ProgramData\rdpclient.exe"
- Scans the computer and encrypts all files except those with these extensions
- .ini
- .dll
- .exe
- Appends the .azov extension to encrypted files
- Drops RESTORE_FILES.txt in every folder it touches
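The IOCs above are the kind of thing a responder wants to sweep a fleet for. The block below is an added example, not code from the episode or from any vendor tool: it evaluates a host "snapshot" (a flat list of file paths plus an export of Run values) against the indicators listed in the notes. The snapshot format, the two sample snapshots and the "staged"/"suspicious" verdict labels are this example's own assumptions; on a real host the file list would come from a disk walk or EDR export and the Run values from `reg export` or winreg.

```python
"""Offline check of a host snapshot against the Azov indicators listed above.
Added example; snapshots at the bottom are constructed.
"""

DROPPED_BINARY = r"c:\programdata\rdpclient.exe"   # patched copy of msiexec.exe
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "bandera"
ENCRYPTED_EXT = ".azov"
NOTE_NAME = "restore_files.txt"
SKIPPED_EXTS = {".ini", ".dll", ".exe"}             # Azov leaves these untouched

STRONG = {"dropped_binary", "run_value_name", "run_value_target"}
IMPACT = {"encrypted_files", "ransom_note"}


def _norm(path):
    # Case-fold, drop quotes, use backslashes: comparisons must not depend on the export tool.
    return path.strip().strip('"').lower().replace("/", "\\")


def _prior_ext(path):
    # Extension a file had before '.azov' was appended ('' if none).
    stem = _norm(path)[: -len(ENCRYPTED_EXT)].rsplit("\\", 1)[-1]
    return "." + stem.rsplit(".", 1)[-1] if "." in stem else ""


def check_files(paths):
    """Findings from a flat list of file paths on the host."""
    findings, encrypted, notes = [], [], []
    for raw in paths:
        p = _norm(raw)
        if p == DROPPED_BINARY:
            findings.append(("dropped_binary", raw))
        elif p.endswith(ENCRYPTED_EXT):
            encrypted.append(raw)
        elif p.rsplit("\\", 1)[-1] == NOTE_NAME:
            notes.append(p)
    if encrypted:
        findings.append(("encrypted_files", f"{len(encrypted)} file(s) ending in {ENCRYPTED_EXT}"))
        # Azov skips .ini/.dll/.exe, so 'x.dll.azov' did not come from this wiper.
        odd = [f for f in encrypted if _prior_ext(f) in SKIPPED_EXTS]
        if odd:
            findings.append(("inconsistent_rename", f"{len(odd)} renamed file(s) had a skipped extension"))
    for folder in sorted({n.rsplit("\\", 1)[0] for n in notes}):
        findings.append(("ransom_note", folder))
    return findings


def check_run_keys(run_values):
    """run_values: {key_path: {value_name: value_data}} as exported from the registry."""
    findings = []
    for key, values in run_values.items():
        if _norm(key).rstrip("\\") != RUN_KEY:
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME:
                findings.append(("run_value_name", f"{name} = {data}"))
            elif _norm(data).startswith(DROPPED_BINARY):
                findings.append(("run_value_target", f"{name} = {data}"))
    return findings


def verdict(findings):
    kinds = {k for k, _ in findings}
    if kinds & STRONG and kinds & IMPACT:
        return "azov_likely"
    if kinds & STRONG:
        return "staged"        # binary or persistence present, wiper not run yet
    return "suspicious" if kinds else "clean"


def scan_host(snapshot):
    findings = check_files(snapshot.get("files", [])) + check_run_keys(snapshot.get("run_values", {}))
    return {"findings": findings, "verdict": verdict(findings)}


# Constructed snapshots.
INFECTED_SNAPSHOT = {
    "files": [
        r"C:\ProgramData\rdpclient.exe",
        r"C:\Users\alice\Documents\budget.xlsx.azov",
        r"C:\Users\alice\Documents\notes.txt.azov",
        r"C:\Users\alice\Documents\RESTORE_FILES.txt",
        r"C:\Windows\System32\msiexec.exe",
        r"C:\Program Files\App\app.dll",
    ],
    "run_values": {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Bandera": r"C:\ProgramData\rdpclient.exe",
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}},
}
CLEAN_SNAPSHOT = {
    "files": [r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\App\app.dll"],
    "run_values": {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}},
}
```

Path and value-name matching is deliberately used instead of a file hash: rdpclient.exe is a patched msiexec.exe, so neither the clean msiexec hash nor a single Azov hash is a dependable indicator, while the drop location and the "Bandera" Run value are.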
Chrome Urgent Update
- Thursday
- Emergency fix
- Actively exploited zero-day
- Update to version
- 107.0.5304.87 (Mac and Linux)
- 107.0.5304.87/88 (Windows)
- CVE-2022-3723
- Originally reported October 25, 2022
- Type confusion flaw
- V8 JavaScript engine
- Found by Avast
- Jan Vojtěšek, Milánek
- Przemek Gmerek
- Third type confusion vulnerability in V8 this year
- CVE-2022-1096
- CVE-2022-1364
- 7th zero-day fixed in Chrome this year
- CVE-2022-0609 – Use-after-free in Animation
- CVE-2022-1096 – Type confusion in V8
- CVE-2022-1364 – Type confusion in V8
- CVE-2022-2294 – Heap buffer overflow in WebRTC
- CVE-2022-2856 – Insufficient validation of untrusted input in Intents
- CVE-2022-3075 – Insufficient data validation in Mojo
- Chromium Browsers
- Edge
- Brave
- Opera
- Vivaldi
- Patch as soon as a fix is available.
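"Patch as soon as a fix is available" in practice means knowing which hosts are still below the fixed build. The block below is an added example, not Google's tooling or anything from the episode: it compares Chrome version strings (as printed by `google-chrome --version` or `chrome.exe --version`) against the fixed builds named above, and routes Chromium derivatives to their vendor's advisory because Edge, Brave, Opera and Vivaldi carry their own version numbers. The inventory is constructed and its host names and Edge version are made up.

```python
"""Fleet check for the CVE-2022-3723 Chrome fix. Added example; inventory is constructed."""
import re

CVE = "CVE-2022-3723"

# First fixed builds from the advisory. Windows also shipped 107.0.5304.88;
# it is covered because any build >= .87 counts as patched.
FIXED_CHROME = {
    "windows": (107, 0, 5304, 87),
    "mac": (107, 0, 5304, 87),
    "linux": (107, 0, 5304, 87),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Four-part Chrome build from 'Google Chrome 107.0.5304.87' or a bare '107.0.5304.62'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(x) for x in m.groups())


def chrome_status(version_text, platform):
    plat = platform.lower()
    if plat not in FIXED_CHROME:
        raise ValueError(f"unknown platform {platform!r}")
    return "patched" if parse_version(version_text) >= FIXED_CHROME[plat] else "vulnerable"


def audit(inventory):
    """inventory: iterable of {host, product, platform, version} -> {host: status}.

    Chromium-based browsers are not compared against Google's build number;
    they get 'check_vendor_advisory' so nobody marks them safe by mistake.
    """
    report = {}
    for row in inventory:
        host = row["host"]
        if row["product"].lower() != "chrome":
            report[host] = "check_vendor_advisory"
            continue
        try:
            report[host] = chrome_status(row["version"], row["platform"])
        except ValueError as exc:
            report[host] = f"error: {exc}"     # unparsable inventory rows must surface, not vanish
    return report


def unpatched(report):
    return sorted(h for h, s in report.items() if s == "vulnerable")


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    {"host": "ws-001", "product": "Chrome", "platform": "windows", "version": "107.0.5304.88"},
    {"host": "ws-002", "product": "Chrome", "platform": "windows", "version": "107.0.5304.62"},
    {"host": "mac-007", "product": "Chrome", "platform": "mac", "version": "Google Chrome 106.0.5249.119"},
    {"host": "lnx-010", "product": "Chrome", "platform": "linux", "version": "Google Chrome 107.0.5304.87"},
    {"host": "ws-003", "product": "Edge", "platform": "windows", "version": "107.0.1418.24"},
    {"host": "ws-004", "product": "Chrome", "platform": "windows", "version": "unknown"},
]

if __name__ == "__main__":
    rep = audit(SAMPLE_INVENTORY)
    for host, status in rep.items():
        print(f"{host:8} {status}")
    print("needs update for", CVE, ":", unpatched(rep))
```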
LinkedIn Phishing Campaign Bypasses Protections
- Armorblox
- Spotted a credential phishing campaign
- Targeted 500 mailboxes at a travel organization
- LinkedIn is the 3rd most impersonated brand
- Preceded by DHL and Microsoft
- In September a separate campaign abused LinkedIn Smart Links to redirect victims to a fake Slovak Postal Service page
- Evaded security controls
- Phishing message
- Titled "We noticed some unusual activity"
- Pretended to be from LinkedIn
- LinkedIn was misspelled in the message
- Sending domain created on March 6
- Bypassed security
- Passed DMARC and SPF
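A passing SPF/DMARC result is exactly what you expect from an attacker who registered their own domain: the checks prove the mail was authorised by the domain in the From header, not that the domain belongs to LinkedIn. The block below is an added example, not Armorblox's detection or anything from the episode: it reads the Authentication-Results header, then checks whether the display name claims a known brand (tolerating the one-letter misspelling the notes mention), whether the From domain actually belongs to that brand, and how old the sending domain is. Both messages, the brand list, the domain creation dates and the 365-day age threshold are this example's own constructions.

```python
"""Header triage for brand-impersonation mail that passes SPF and DMARC.
Added example; messages and domain dates are constructed.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Brands named in the episode and the domains that legitimately send as them.
BRAND_DOMAINS = {"linkedin": ("linkedin.com",), "dhl": ("dhl.com",), "microsoft": ("microsoft.com",)}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def auth_results(msg):
    """{'spf': 'pass', ...} parsed from the Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RE.finditer(msg.get("Authentication-Results", ""))}


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def claimed_brand(display_name):
    """(brand, misspelled) when a word in the display name looks like a brand.
    One edit is tolerated for 6+ letter names ('Linkedln'); DHL must match exactly."""
    for token in re.findall(r"[a-z]+", display_name.lower()):
        for brand in BRAND_DOMAINS:
            if edit_distance(token, brand) <= (1 if len(brand) >= 6 else 0):
                return brand, token != brand
    return None, False


def domain_belongs_to(sender_domain, brand):
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def assess(raw_message, received_on, domain_created=None, max_age_days=365):
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    flags = []
    brand, misspelled = claimed_brand(name)
    if brand and not domain_belongs_to(sender_domain, brand):
        flags.append(f"brand mismatch: display name claims {brand}, From domain is {sender_domain}")
    if misspelled:
        flags.append(f"brand misspelled in display name: {name!r}")
    age = (received_on - domain_created).days if domain_created else None
    if age is not None and age < max_age_days:      # threshold is this example's choice
        flags.append(f"From domain registered only {age} days before delivery")
    # Authentication passing does not lower the verdict: it is expected for attacker-owned domains.
    verdict = "phish_likely" if any(f.startswith("brand") for f in flags) else "review" if flags else "ok"
    return {"sender_domain": sender_domain, "auth": auth_results(msg),
            "domain_age_days": age, "flags": flags, "verdict": verdict}


# Constructed messages. The phish mirrors the campaign above: LinkedIn-style
# subject, misspelled brand, lookalike domain, SPF and DMARC both pass.
PHISH_MESSAGE = """\
From: "Linkedln Security" <security@linkedin-support-alerts.example>
To: alice@travelco.example
Subject: We noticed some unusual activity
Authentication-Results: mx.travelco.example; spf=pass smtp.mailfrom=linkedin-support-alerts.example; dmarc=pass header.from=linkedin-support-alerts.example

Please verify your account: https://linkedin-support-alerts.example/verify
"""
LEGIT_MESSAGE = """\
From: LinkedIn <security-noreply@linkedin.com>
To: alice@travelco.example
Subject: New sign-in to your account
Authentication-Results: mx.travelco.example; spf=pass smtp.mailfrom=linkedin.com; dkim=pass header.d=linkedin.com; dmarc=pass header.from=linkedin.com

A new device signed in.
"""
RECEIVED_ON = date(2022, 10, 25)
PHISH_DOMAIN_CREATED = date(2022, 3, 6)      # date from the notes; the year is assumed
LEGIT_DOMAIN_CREATED = date(2010, 1, 1)      # constructed, not linkedin.com's real registration date


def demo():
    return (assess(PHISH_MESSAGE, RECEIVED_ON, PHISH_DOMAIN_CREATED),
            assess(LEGIT_MESSAGE, RECEIVED_ON, LEGIT_DOMAIN_CREATED))
```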
Cranefly’s Stealthy Techniques
- Cranefly (Symantec's name for the group)
- AKA UNC3524 (Mandiant's name)
- First documented by Mandiant in May 2022
- Focus on bulk email collection
- Targets companies that deal with mergers and acquisitions
- Possibly for intelligence gathering
- Undocumented malware
- New backdoor, Danfuan
- Dropped via Geppei (a dropper)
- Used to install the backdoor and other tools
- Reads its commands from the IIS logs; the commands arrive as web requests that look like harmless web access to the compromised server
- Drops malicious encoded .ashx files
- Into an arbitrary folder determined by a command parameter; they run as backdoors
- Can be used alongside or instead of reGeorg
- QUIETEXIT
- The group's key malware
- Backdoor for network appliances
- Appliances typically run no antivirus or endpoint detection
- Lets them operate undetected for a long time
- Still unclear
- Symantec reports the attackers spent at least 18 months on victim networks
- No data exfiltration observed so far
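The IIS-log trick is worth a hunt of your own logs: the attacker only needs a request to be written to the log, so the resource does not have to exist and a 404 is fine. The block below is an added example, not Symantec's detection or anything from the episode. It parses IIS W3C logs by the #Fields header, then flags lines on two independent signals: a marker string in the path or a parameter name, and a base64 parameter value that decodes to something naming an .ashx file or a command. The three strings in GEPPEI_MARKERS are an assumption taken from my reading of the Symantec write-up linked above (the notes do not list them); treat the tuple as configuration and verify it against the report before relying on it. The log excerpt, IPs and payloads are constructed.

```python
"""Hunt IIS W3C logs for Geppei-style command lines.
Added example; log excerpt is constructed, GEPPEI_MARKERS is an assumption.
"""
import base64
import re
from collections import Counter

GEPPEI_MARKERS = ("Wrde", "Exco", "Cllo")        # assumed, see lead-in; verify against the report
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PAYLOAD_HINTS = (b".ashx", b"cmd", b"powershell", b"certutil")


def parse_iis_w3c(text):
    """One dict per data line, keyed by the names in the #Fields header.
    '-' (IIS for empty) becomes None; lines with the wrong field count are
    skipped rather than mis-aligned."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append({f: (None if v == "-" else v) for f, v in zip(fields, parts)})
    return rows


def query_params(query):
    """Split cs-uri-query on '&' and the first '=' only, keeping values raw so
    base64 padding and '+' survive (urllib would turn '+' into a space)."""
    return [part.partition("=")[::2] for part in (query or "").split("&") if part]


def decoded_blobs(value):
    for blob in B64_RE.findall(value):
        try:
            yield base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:          # binascii.Error is a ValueError
            continue


def inspect_row(row):
    """Reasons a log line looks like a Geppei command; [] if it looks normal."""
    reasons = []
    params = query_params(row.get("cs-uri-query"))
    names = [row.get("cs-uri-stem") or ""] + [k for k, _ in params]
    for marker in GEPPEI_MARKERS:                  # marker in path or parameter name only
        if any(marker in n for n in names):
            reasons.append(f"marker:{marker}")
    for _, value in params:                        # base64 value that decodes to a file or command
        if any(h in blob.lower() for blob in decoded_blobs(value) for h in PAYLOAD_HINTS):
            reasons.append("encoded_payload")
            break
    return reasons


def hunt(log_text):
    hits = []
    for row in parse_iis_w3c(log_text):
        reasons = inspect_row(row)
        if reasons:
            hits.append({"when": f"{row['date']} {row['time']}", "c-ip": row["c-ip"],
                         "stem": row["cs-uri-stem"], "status": row["sc-status"], "reasons": reasons})
    return hits


def by_client(hits):
    """Suspicious lines per client IP; this traffic tends to cluster on a few sources."""
    return Counter(h["c-ip"] for h in hits)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed excerpt. The two attacker lines return 404: the resource need not
# exist for the request to land in the log, which is all the dropper needs.
SESSION_B64 = _b64('{"user":"alice","role":"viewer"}')
WRDE_B64 = _b64(r"C:\inetpub\wwwroot\img\logo.ashx|<encoded ashx body>")
EXCO_B64 = _b64("cmd /c whoami > C:\\inetpub\\wwwroot\\img\\out.txt")
SAMPLE_IIS_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-20 10:15:01 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) https://intranet.example/ 200 0 0 12
2022-10-20 10:15:09 10.0.0.5 GET /api/session token={SESSION_B64} 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 5
2022-10-20 10:16:44 10.0.0.5 GET /images/pic.gif Wrde={WRDE_B64} 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 3
2022-10-20 10:17:02 10.0.0.5 GET /images/pic.gif Exco={EXCO_B64} 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 2
"""
```

The benign session line carries a long base64 value too, which is why the payload heuristic looks at what the value decodes to rather than at its length alone; the marker check is restricted to the path and parameter names so that a base64 blob which happens to contain one of the strings does not trip it.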