| title | date | draft | logo |
|---|---|---|---|
| Jan 08, 2023 | 2023-01-08 00:00:00 +0545 | false | images/infosec/default.png |
The Android malware family known as SpyNote (or SpyMax) saw a rise in detections in the fourth quarter of 2022, which has been attributed to a source code leak of one of its most recent variants, known as 'CypherRat'. CypherRat combined SpyNote's spying capabilities, such as remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials. From August 2021 to October 2022, CypherRat was sold through private Telegram channels before its author decided to publish its source code on GitHub. Threat actors quickly picked up the malware's source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks. Other actors chose to disguise their versions of CypherRat as Google Play, WhatsApp, and Facebook to reach a larger audience. While it has not been disclosed how these malicious apps are distributed, they are most likely spread via phishing sites, third-party Android app sites, and social media.
Affected platform: Android
Mitigation:
- Do not download third-party apps.
- Reject requests from third-party apps to be granted access to the Accessibility Service.
A new Linux malware has been discovered that deploys a cryptocurrency miner on compromised systems. The malware is built with the shell script compiler (shc), a tool that converts shell scripts into binaries to protect the source code against unauthorized modification, much like the BAT2EXE utility on Windows, which converts batch files into executables. Because the resulting executables are encoded with the RC4 algorithm, the malware can evade detection by security software. After successfully compromising an SSH server, the attacker installs a shc downloader and a Perl-based DDoS IRC bot. The shc downloader then fetches the XMRig miner software to mine cryptocurrency, while the IRC bot connects to a remote server to receive commands for DDoS attacks. The campaign appears to primarily target poorly secured Linux SSH servers in South Korea. Users are advised to practice good password hygiene and keep their operating systems up to date to prevent such attacks.
Affected platform: Linux SSH servers
Source: https://thehackernews.com/2023/01/new-shc-based-linux-malware-targeting.html
Mitigation: To secure your system, practice good password hygiene and keep your operating system up to date.
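The mitigation above comes down to keeping password guessing off the SSH listener. The script below is an added example, not code from the reporting or from any vendor: it parses an OpenSSH sshd_config the way sshd reads it (first occurrence of a keyword wins, everything after a Match line is conditional) and flags the settings that leave a server open to the brute-forcing this campaign relies on. Keyword names and defaults follow sshd_config(5); the recommended values, the MaxAuthTries limit, and the two sample configs are assumptions constructed for the demo.

```python
"""Audit an OpenSSH sshd_config for settings that expose a server to password
guessing. Added example for the shc miner item; not code from the reporting
or from any vendor. Keyword names and defaults follow sshd_config(5); the
recommended values and the sample configs below are assumptions."""
from __future__ import annotations

# OpenSSH defaults applied when the keyword is absent (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES_LIMIT = 3  # assumed policy: at most three guesses per connection


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings. sshd honours the first occurrence
    of a keyword, skips comments and blank lines, and treats everything after
    a Match line as conditional, so the audit stops reading there."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # the rest of the file belongs to Match blocks
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means clean."""
    cfg = parse_sshd_config(text)

    def setting(key: str) -> str:
        return cfg.get(key, DEFAULTS[key]).lower()

    findings: list[str] = []
    if setting("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled; brute-force campaigns "
                        "guess passwords, so use keys and set it to 'no'")
    if setting("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{setting('permitrootlogin')}'; "
                        "set it to 'no' and log in as an unprivileged user")
    if setting("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords is 'yes'; accounts without a "
                        "password would be reachable remotely")
    try:
        tries = int(setting("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"MaxAuthTries is {tries}; lower it to "
                        f"{MAX_AUTH_TRIES_LIMIT} to slow guessing per connection")
    return findings


# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """\
# typical install that still accepts passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Note that the second `PasswordAuthentication no` line in the weak sample changes nothing, because sshd keeps the first value it sees; that is a common reason a "hardened" file is still accepting passwords. Run the audit against the output of `sshd -T` rather than the raw file if you want the fully resolved configuration.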
Fortinet has identified a high-severity flaw in multiple versions of its FortiADC application delivery controller that could allow an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests. The vulnerability, tracked as CVE-2022-39947 and discovered internally by Fortinet's product security team, impacts versions 5.4.0 through 5.4.5, 6.0.0 through 6.0.4, 6.1.0 through 6.1.6, 6.2.0 through 6.2.3, and 7.0.0 through 7.0.2. Users are advised to upgrade to versions 6.2.4 and 7.0.2 when they become available. The January 2023 patches also address several command injection vulnerabilities in FortiTester (CVE-2022-35845) that could allow an authenticated attacker to execute arbitrary commands. Meanwhile, enterprise software provider Zoho is urging customers to upgrade to the latest versions of Access Manager Plus, PAM360, and Password Manager Pro following the discovery of a severe SQL injection vulnerability (CVE-2022-47523).
Affected products: Fortinet FortiADC; Zoho Access Manager Plus, PAM360, and Password Manager Pro
Source: https://thehackernews.com/2023/01/fortinet-and-zoho-urge-customers-to.html
Mitigation: Upgrade Fortinet's FortiADC application delivery controller to the latest available version to protect against the identified vulnerability. Upgrade Zoho Password Manager Pro to the latest available version to protect against the identified SQL injection vulnerability.
CVEs:
- CVE-2022-39947
- CVE-2022-47523
- CVE-2022-35845
The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories describing a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole. One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution. The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”.
Affected products: Rockwell Automation controllers
Mitigation:
- Update to the latest version of the system.
- See the vendor's guidance to mitigate other risks.
CVEs:
- CVE-2022-3156
- CVE-2022-3157
- CVE-2022-46670
- CVE-2022-3166
Dridex is malware that steals sensitive information and executes malicious modules on targeted machines. Initially, the malware used phishing emails containing macro-enabled Microsoft Excel documents as its entry point into the user’s system. However, the Dridex samples analyzed by Trend Micro contained a Mach-O executable file that runs an Auto-Open macro when a Word document is opened. Furthermore, although the macro feature in Microsoft Word is disabled by default, the executable searches for all “.doc” files in the current user's directory, clean files included, and overwrites them with malicious macro code that then contacts a remote server to retrieve additional files. While the payload is a .EXE file, which minimizes the impact on macOS because it cannot run in that environment, the documents can still be overwritten and now carry Dridex’s malicious macros.
Affected platform: macOS
Source: https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html
Mitigation: Refrain from clicking links or opening attachments and embedded documents in emails.
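The behaviour described above, a process rewriting every .doc under the user's home directory, is something a file-integrity check can catch even when the macro code itself is not recognised by an AV signature. The script below is an added example, not Trend Micro's tooling and not any Dridex sample: it baselines the SHA-256 of each .doc under a directory, reports which files were modified afterwards, and applies a string heuristic (an OLE compound-file header plus the UTF-16LE `_VBA_PROJECT` stream name that Word stores in the file's directory) to flag modified documents that now carry a VBA project. The directory layout, the 50% mass-overwrite threshold and the sample bytes are constructed for the demo and are assumptions.

```python
"""Baseline-and-diff check for mass overwriting of .doc files with
macro-bearing content. Added example for the Dridex macOS item; not code
from Trend Micro or from the malware. Thresholds, paths and sample bytes
are constructed assumptions."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # compound file (legacy .doc) header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")      # stream name as stored in the OLE directory


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes: tuple[str, ...] = (".doc",)) -> dict[str, str]:
    """Map each document under root (path relative to root) to its SHA-256."""
    return {
        str(path.relative_to(root)): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in suffixes
    }


def looks_like_macro_doc(data: bytes) -> bool:
    """Heuristic: an OLE file whose directory names a _VBA_PROJECT stream,
    i.e. a legacy Word document carrying a VBA project. This is a plain
    string match, so treat a hit as a lead for proper OLE parsing, not proof."""
    return data.startswith(OLE_MAGIC) and VBA_STREAM in data


def check_documents(root: Path, baseline: dict[str, str], ratio: float = 0.5) -> dict:
    """Compare the directory against a baseline; alert when at least `ratio`
    of the baselined documents changed and the changed ones now hold VBA."""
    current = build_baseline(root)
    modified = [rel for rel, digest in current.items()
                if rel in baseline and baseline[rel] != digest]
    newly_macro = [rel for rel in modified
                   if looks_like_macro_doc((root / rel).read_bytes())]
    share = len(modified) / len(baseline) if baseline else 0.0
    return {
        "modified": modified,
        "newly_macro": newly_macro,
        "mass_overwrite": len(baseline) >= 2 and share >= ratio,
        "alert": bool(newly_macro) and share >= ratio,
    }


def demo() -> dict:
    """Constructed scenario: four clean .doc files are baselined, then three
    are replaced with macro-bearing OLE bytes, mirroring the reported behaviour."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = OLE_MAGIC + b"\x00" * 64 + b"clean document body"
        for i in range(4):
            (root / f"report{i}.doc").write_bytes(clean)
        (root / "notes.txt").write_text("not a document, never baselined")
        baseline = build_baseline(root)

        # Constructed "infected" bytes: OLE header plus the UTF-16LE names
        # "Macros" and "_VBA_PROJECT" that a real VBA-bearing .doc contains.
        infected = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + VBA_STREAM
        for i in range(3):
            (root / f"report{i}.doc").write_bytes(infected)
        return check_documents(root, baseline)


if __name__ == "__main__":
    report = demo()
    print(f"modified: {report['modified']}")
    print(f"now carrying VBA: {report['newly_macro']}")
    print(f"alert: {report['alert']}")
```

In practice the baseline would be written to disk (or a remote store) after a known-good state and re-checked on a schedule; a sudden change to most of a user's documents within one interval, with the changed files all gaining a VBA project, is the signal this item describes, and the string heuristic keeps the check dependency-free at the cost of some false positives.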