OpenOffice and LibreOffice Digital Signature Spoofing Vulnerabilities
  • Advisory

OpenOffice, is a discontinued open-source office suite. LibreOffice is a free and open-source office productivity software suite. It was forked in 2010 from OpenOffice.org, which was an open-sourced version of the earlier StarOffice. In two out of the three attack scenarios, LibreOffice incorrectly displays a validly signed indicator that suggests that the document has not been tampered with since it was signed. A trusted party that presents the signature of an unknown algorithm as a legitimate signature issued

Google Warn Users of Government-Sponsored Attacks
  • Advisory

Google discovered activities used by government-backed attackers to steal a password or other personal information. Such activity includes receiving an email with a malicious attachment, links to malicious software downloads, or links to fake websites designed to steal passwords.

Additionally, Google has also revealed that it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorous, or Newscaster), including a sophisticated social engineering attack dubbed "Operation SpoofedScholars" aimed at think tanks, journalists, and professors with the goal of soliciting sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS).

Other past attacks involved the use of a spyware-infested VPN app uploaded to the Google Play Store that, when installed, could be leveraged to siphon sensitive information such as call logs, text messages, contacts, and location data from the infected devices.

Furthermore, an unusual tactic adopted by APT35 concerned the use of Telegram to notify the attackers when phishing sites under their control have been visited in real-time via malicious JavaScript embedded into the pages.

Flubot Malware Targets Androids With Fake Security Updates and App Installations
  • Advisory

FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence on the device. It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center. Which the malware operators easily exploit. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device. Thus, it receives access keys sent via SMS. Furthermore, it sends similar SMSes to other contacts, on the target device, to lure them into downloading the fake app.

New Android Rooting Malware
  • Advisory

A total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps as been reported to contain the rooting functionality of the malware. The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure. The apps includes, All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, Phone Plus, etc.  

Rooting malware although rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances.

Iranian Hacking Group targets Telecos, ISPs and Ministry of foreign Affairs (MFA) with Upgraded Malware
  • Advisory

Lyceum's initial attack vectors include credential stuffing attacks and brute-force attacks. So, once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In this attack, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors; Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan - a 32-bit Remote Access Trojan (RAT) retrieves data. Both are able to communicate with the groups' command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group's backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.

Rootkits Malware Attacks
  • Advisory

Most rootkits open a backdoor on victims' systems to introduce malicious software including viruses, ransomware, keylogger programs or other types of malware or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by deactivating endpoint anti malware and antivirus software. Rootkits are a type of malware that is designed to remain undetected on your computer. But, even if you don't notice them, they're there to allow Cybercriminals to remotely control your computer. Rootkits can include a variety of tools, from programs that allow hackers to steal your passwords to modules that make it simple for them to steal your credit card or online banking information. Rootkits can also enable hackers to circumvent or disable security software and track the keys you press on your keyboard, making it easier for criminals to steal your personally identifiable information (PII). 
Rootkits are installed through the same common vectors as any malicious software, including by email phishing campaigns, executable malicious files, crafted malicious PDF files or Microsoft Word documents, connecting to shared drives that have been compromised or downloading software infected with the rootkit from unsafe websites. You may open an email and download a file that appears to be safe but is in fact a virus. You could also unintentionally download a rootkit via an infected mobile app.

Latest Articles