Apr 08, 2024NewsroomCybersecurity / Malvertising

A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.

“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.

The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.

The HTML file points containing a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.

This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.

It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”

Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.

“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.

“Using newly created domains and making them accessible only in specific countries is another evasion technique. especially if the domain behaves differently depending on their target country.”

The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).

“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”

It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.

The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”

Jan 20, 2024NewsroomCyber Espionage / Emails Security

Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023.

“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

Redmond said the nature of the targeting indicates the threat actors were looking to access information related to themselves. It also emphasized that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.

The computing giant, however, did not disclose how many email accounts were infiltrated, and what information was accessed, but said it was the process of notifying employees who were impacted as a result of the incident.

The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.

“This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.

Dec 28, 2023NewsroomSpyware / Hardware Security

The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.

Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the “most sophisticated attack chain” it has ever observed to date. The campaign is believed to have been active since 2019.

The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.

The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities –

• CVE-2023-41990 – A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is sent via iMessage. (Addressed in iOS 15.7.8 and iOS 16.3)
• CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
• CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
• CVE-2023-38606 – An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)

It’s worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.

This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.

Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.

The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It’s currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it’s a third-party component like ARM CoreSight.

To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that’s closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.

“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake,” security researcher Boris Larin said. “Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.”

“Hardware security very often relies on ‘security through obscurity,’ and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on “security through obscurity” can never be truly secure.”

The development comes as the Washington Post reported that Apple’s warnings in late October about Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of “algorithmic malfunction” within the tech giant’s systems.

In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group’s Pegasus.

Citing people with knowledge of the matter, the Washington Post noted that “Indian officials asked Apple to withdraw the warnings and say it had made a mistake,” and that “Apple India’s corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple’s warnings could be false alarms” to shift the spotlight away from the government.