New Windows Installer Zero-Day Vulnerability
  • Advisory

This type of vulnerability involves gaining unauthorized access to elevated rights or privileges that the user is not entitled to. The "InstallerFileTakeOver" proof-of-concept (PoC) exploit replaces any executable file on the system with an MSI installer file by overwriting the discretionary access control list (DACL) for the Microsoft Edge Elevation Service, allowing an attacker to run code with SYSTEM privileges. An attacker with administrative privileges could then exploit the vulnerability to gain complete control of the compromised system. SYSTEM privileges are the highest user rights available on Windows and make it possible to perform any operating system command.

Apache Log4j Remote Code Execution Vulnerability
  • Advisory

Log4j is a widely used open-source logging library for Java applications. Log4j provides additional logging capabilities, such as log levels (fatal, error, warn, etc.), mechanisms to write to different log files, log rolling patterns, and more. The critical remote code execution (RCE) vulnerability discovered in Log4j affects versions 2.0-beta9 through 2.14.1. The vulnerability allows a remote, unauthenticated actor to execute arbitrary code on an affected device. Because the Log4j library is widely used in popular frameworks, many third-party apps may also be vulnerable to exploitation. In addition, Log4j is often used in enterprise Java software and is also included in several Apache frameworks, including but not limited to Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other Java frameworks also include it in their libraries, including but not limited to Netty, MyBatis and the Spring Framework.

Ransomware Attack Warning
  • Advisory

The USB drives contain so-called 'BadUSB' attacks. BadUSB exploits the USB standard's versatility and allows an attacker to reprogram a USB drive to emulate a keyboard and inject keystrokes and commands on a computer, install malware before the operating system boots, or spoof a network card and redirect traffic. Numerous attack tools are installed in the process that allow for exploitation of PCs, lateral movement across a network, and installation of additional malware. The tools were used to deploy multiple ransomware strains, including BlackMatter and REvil. This attack has been seen in the US, where the USB drives were sent in the mail through the Postal Service and Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.

SMS-Based Malware Infecting Mobile Devices
  • Advisory

TangleBot Android malware is installed when an unsuspecting user clicks on a malicious link in an SMS message disguised as information about COVID-19 vaccination appointments or about fake local power outages that are due to occur. The aim behind both messages remains the same: to encourage potential victims to follow a link that supposedly offers detailed information. Once at the page, users are asked to update applications such as Adobe Flash Player to view the page's content by going through nine (9) dialogue boxes that grant different permissions, which allow the malware operators to initiate the malware configuration process.

Wordpress Themes and Plugins Vulnerabilities
  • Advisory

The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites. When downloaded or installed directly from the WordPress[.]org directory, the same extensions worked fine. Some of the infected websites discovered using this backdoor had spam payloads dating back nearly three years, indicating that the actors behind the operation were selling access to the sites to operators of other spam campaigns. Cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving an implant called GootLoader to unsuspecting users searching for postnuptial or intellectual property agreements on search engines like Google. A total of 10,359 WordPress plugin vulnerabilities have been discovered to date. Among the plugins affected are Login/Signup Popup (Inline Form + Woocommerce), Side Cart Woocommerce (Ajax), and Waitlist Woocommerce (Back in stock notifier). The vulnerability stems from a lack of validation when processing AJAX requests, allowing an attacker to set the "users can register" option (i.e., anyone can register) on a site to true and the "default role" setting (i.e., the default role of users who register at the blog) to administrator, granting complete control.
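The bug class the advisory describes, as an added illustration that is not the code of any plugin named above: a WordPress AJAX handler that writes site options with no nonce, no capability check and no restriction on which option may be written, followed by a hardened form. The `demo_*` action and option names are assumptions; `users_can_register` and `default_role` are the real WordPress core option keys behind the two settings the advisory mentions.

```php
<?php
// Added illustration of the advisory's bug class, not any plugin's actual code.

// --- Vulnerable shape: reachable by unauthenticated callers (the _nopriv hook),
// --- no nonce, no capability check, and the caller picks the option key.
// --- This is exactly what lets core options such as users_can_register and
// --- default_role be rewritten by anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_insecure' );
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_insecure' );
function demo_save_setting_insecure() {
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// --- Hardened form: logged-in hook only, nonce, capability and an allow-list.
add_action( 'wp_ajax_demo_save_setting_v2', 'demo_save_setting_secure' );
function demo_save_setting_secure() {
    // Reject requests that do not carry a valid nonce bound to this action.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // Changing site options requires the manage_options capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only the options this feature legitimately owns; never core settings.
    $allowed = array( 'demo_popup_enabled', 'demo_popup_title' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $option, $value );
    wp_send_json_success();
}
```

When auditing a plugin, the three things to look for are the `wp_ajax_nopriv_` registration, a missing `check_ajax_referer`/`current_user_can` pair, and an `update_option` whose key comes from the request.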

New Variant of BRATA Banking Trojan Infecting Android Devices
  • Advisory

This malware initially targeted Brazilian users and was therefore named Brazilian Remote Access Tool Android (BRATA). Recently, the malware has been reported to be targeting banks and financial institutions in Italy, Latin America, Poland and the United Kingdom, with the potential of spreading to more countries across the globe. The malware has received many upgrades and changes, is capable of remaining undetected by virtually all malware scanning engines, and is used to download and run the real malicious software. After a victim unknowingly installs the downloader app, they only need to accept one permission to download and install a malicious application from an untrusted source. When the victim clicks the install button, the downloader app sends a GET request to the C2 server to download the malicious .APK. In some cases, the link redirects the victim to a phishing page that looks like the bank's, which is used to steal credentials and other relevant information (e.g. PIN code, password and security questions). Once the malicious app is installed, the fraud operators can take control of the victim's infected device to perform the following:

  • Through the Accessibility Service, the malware clicks the "start now" button of the screen-recording/casting popup automatically, so the victim is unable to deny the recording or casting of their device.
  • Remove itself from the compromised device to reduce detection.
  • Uninstall specific applications (e.g., antivirus).
  • Hide its own app icon so that it is less traceable by less experienced users.
  • Disable Google Play Protect to avoid being flagged by Google as a suspicious app.
  • Modify the device settings to obtain more privileges.
  • Unlock the device if it is locked with a secret PIN or pattern.
  • Show a phishing page.
  • Abuse the Accessibility Service to read everything shown on the screen of the infected device or to simulate clicks on the screen. This information is then sent to the attackers' C2 server.
