CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 32: October 31, 2022

Links 

https://www.bleepingcomputer.com/news/security/new-azov-data-wiper-tries-to-frame-researchers-and-bleepingcomputer

https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html

https://cyware.com/news/new-linkedin-phishing-campaign-bypasses-google-protection-de6f6752

https://thehackernews.com/2022/10/researchers-uncover-stealthy-techniques.html?&web_view=true 

Data Wiper Frames Security Researchers

  • Azov Ransomware
    • A new data wiper
    • Distributed through the following application types:
      • Pirated software
      • Key generators
      • Adware bundles
    • Named for the Ukrainian Azov Regiment
      • A controversial military force allegedly associated with neo-Nazi ideology in the past
    • Its goal is to frame security researchers
      • Falsely claims to have been created by:
        • Hasherezade
        • Lawrence Abrams
        • Bleeping Computer
        • MalwareHunterTeam
        • Michael Gillespie
        • Vitali Kremez
      • Points to their Twitter accounts
    • No way to contact the actors
    • No recovery of files
  • RESTORE_FILES.txt
    • Claims the device is encrypted in protest of the seizure of Crimea
      • Ukrainian organizations were nevertheless hit by this wiper
    • Claims Western countries aren't helping Ukraine enough
    • Wants US citizens to revolt against the Biden administration
    • Wants Germany to do the same
    • Ends with the hashtag #TaiwanIsChina
  • Smokeloader
    • Malware botnet
    • Threat actors can buy installs of their malware
    • Azov recently seen utilizing this service
    • Sometimes paired with STOP ransomware
      • Which double-encrypts the data
  • IOCs
    • Randomly named file in %Temp%
    • Wiper copies C:\Windows\System32\msiexec.exe to C:\ProgramData\rdpclient.exe
      • It then patches the file with Azov
    • Can also be configured to start via the following Run key:
      [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Bandera" = "C:\ProgramData\rdpclient.exe"
    • Scans the computer and encrypts all files except those with the following extensions:
      • .ini
      • .dll
      • .exe
    • Appends .azov to encrypted files
    • Places RESTORE_FILES.txt in every folder
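A small triage helper for the Azov indicators listed above, added here as an example (not code from the episode or from BleepingComputer): it checks exported Run-key entries for the "Bandera" value or a command pointing at the dropped rdpclient.exe, and walks a path listing for the dropped binary, .azov files and RESTORE_FILES.txt notes. The registry export and file listing are constructed sample inputs, not real data.

```python
from pathlib import PureWindowsPath

# Indicators as given in the episode notes for the Azov wiper.
RUN_VALUE_NAME = "Bandera"
DROP_PATH = PureWindowsPath(r"C:\ProgramData\rdpclient.exe")
ENCRYPTED_EXT = ".azov"
NOTE_NAME = "RESTORE_FILES.txt"
SKIPPED_EXTS = {".ini", ".dll", ".exe"}  # the wiper leaves these untouched

def check_run_entries(run_entries):
    """run_entries: {value name: command} exported from the HKLM ...\\Run key.
    Either the 'Bandera' name or a command pointing at rdpclient.exe flags it.
    PureWindowsPath compares case-insensitively, as Windows does."""
    findings = []
    for name, command in run_entries.items():
        target = PureWindowsPath(command.strip().strip('"'))
        if name == RUN_VALUE_NAME or target == DROP_PATH:
            findings.append(f"persistence: Run\\{name} = {command}")
    return findings

def check_file_listing(paths):
    """paths: Windows path strings from a directory walk."""
    hits = {"dropped_binary": False, "encrypted": [], "notes": [], "skipped": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        if p == DROP_PATH:
            hits["dropped_binary"] = True
        elif p.suffix.lower() == ENCRYPTED_EXT:
            hits["encrypted"].append(str(p))
        elif p.name.lower() == NOTE_NAME.lower():
            hits["notes"].append(str(p))
        elif p.suffix.lower() in SKIPPED_EXTS:
            hits["skipped"].append(str(p))  # survivors sitting next to .azov files
    return hits

def triage(run_entries, paths):
    """Combine both checks into one list of human-readable findings."""
    findings = check_run_entries(run_entries)
    files = check_file_listing(paths)
    if files["dropped_binary"]:
        findings.append(f"dropped binary present: {DROP_PATH}")
    if files["encrypted"]:
        findings.append(f"{len(files['encrypted'])} file(s) with {ENCRYPTED_EXT} extension")
    if files["notes"]:
        findings.append(f"{len(files['notes'])} {NOTE_NAME} note(s)")
    return findings

# Constructed sample input (not a real registry export or disk listing).
SAMPLE_RUN = {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
              "Bandera": r"C:\ProgramData\rdpclient.exe"}
SAMPLE_FILES = [r"C:\ProgramData\rdpclient.exe",
                r"C:\Users\alice\Documents\report.docx.azov",
                r"C:\Users\alice\Documents\RESTORE_FILES.txt",
                r"C:\Users\alice\Documents\tool.exe"]
```

Run `triage(SAMPLE_RUN, SAMPLE_FILES)` to get the four findings for the sample; on a live host, feed it a Run-key export and a directory walk of user folders.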

Chrome Urgent Update

  • Thursday: emergency fix for an actively exploited zero-day
  • Update to version
    • 107.0.5304.87 (Mac and Linux)
    • 107.0.5304.87/88 (Windows)
  • CVE-2022-3723
    • Originally reported October 25, 2022
    • Type confusion flaw in the V8 JavaScript engine
    • Found by Avast
      • Jan Vojtěšek, Milánek and Przemek Gmerek
    • Third type confusion vulnerability in V8 this year
      • CVE-2022-1096
      • CVE-2022-1364
  • 7th zero-day fix for Chrome this year
    • CVE-2022-0609 – Use-after-free in Animation
    • CVE-2022-1096 – Type confusion in V8
    • CVE-2022-1364 – Type confusion in V8
    • CVE-2022-2294 – Heap buffer overflow in WebRTC
    • CVE-2022-2856 – Insufficient validation of untrusted input in Intents
    • CVE-2022-3075 – Insufficient data validation in Mojo
  • Chromium-based browsers are affected too
    • Edge
    • Brave
    • Opera
    • Vivaldi
    • Patch as soon as a fix is available.

LinkedIn Phishing Campaign Bypasses Protections

  • Armorblox
    • Spotted a credential phishing campaign
    • Targeted 500 mailboxes at a travel organization
  • LinkedIn
    • 3rd most impersonated brand
      • Preceded by DHL and Microsoft
    • In September, LinkedIn Smart Links were used as redirectors to a Slovakia Postal Service lure
      • Evaded security controls
  • Phishing message
    • Titled "We noticed some unusual activity"
    • Pretended to be from LinkedIn
      • Misspelled LinkedIn's name
    • Domain created on March 6
  • Bypassed security
    • Passes DMARC and SPF checks

Cranefly's Stealthy Techniques

  • Cranefly
    • AKA UNC3524
    • May 2022
    • Focus on bulk email collection
      • Companies that deal with mergers and acquisitions
      • Possibly for intel
  • Undocumented malware
    • New backdoor program Danfuan
      • Dropped via Geppei (dropper application)
        • Used to install the backdoor and other tools
        • Reads its commands from the IIS logs; the commands mimic harmless web access requests to a compromised server
        • Drops malicious encoded .ashx files into an arbitrary folder determined by the command parameter; they run as backdoors
      • Can be used with or instead of reGeorg
    • QUIETEXIT
      • The group's key malware
      • Backdoor application for network appliances
        • No antivirus or endpoint detection on those devices
        • Lets them operate undetected for a long time
  • Unsure
    • Symantec has been watching infected machines for 18 months
    • No current exfiltration of data.