Select Page
Attention! FluBot Android Banking Malware Spreads Quickly Across Europe

Attention! FluBot Android Banking Malware Spreads Quickly Across Europe

Attention, Android users! A banking malware capable of stealing sensitive information is “spreading rapidly” across Europe, with the U.S. likely to be the next target.

According to a new analysis by Proofpoint, the threat actors behind FluBot (aka Cabassous) have branched out beyond Spain to target the U.K., Germany, Hungary, Italy, and Poland. The English-language campaign alone has been observed to make use of more than 700 unique domains, infecting about 7,000 devices in the U.K.

In addition, German and English-language SMS messages were found being sent to U.S. users from Europe, which Proofpoint suspects could be the result of malware propagating via contact lists stored on compromised phones. A concerted campaign aimed at the U.S. is yet to be detected.

FluBot, a nascent entry in the banking trojan landscape, began its operations late last year, with campaigns leveraging the malware infecting more than 60,000 users in Spain, according to an analysis published by Proactive Defence Against Future Threats (PRODAFT) in March 2021. It’s said to have amassed more than 11 million phone numbers from the devices, representing 25% of the total population in Spain.

Primarily distributed via SMS phishing (aka smishing), the messages masquerade as a delivery service such as FedEx, DHL, and Correos, seemingly notifying users of their package or shipment delivery status along with a link to track the order, which, when clicked, downloads malicious apps that have the encrypted FluBot module embedded within them.

images from Hacker News

Hackers Threaten to Leak D.C. Police Informants’ Info If Ransom Is Not Paid

Hackers Threaten to Leak D.C. Police Informants’ Info If Ransom Is Not Paid

The Metropolitan Police Department (MPD) of the District of Columbia has become the latest high-profile government agency to fall victim to a ransomware attack.

The Babuk Locker gang claimed in a post on the dark web that they had compromised the DC Police’s networks and stolen 250 GB of unencrypted files. Screenshots shared by the group, and seen by The Hacker News, include various folders containing what appears to be investigation reports, arrests, disciplinary actions, and other intelligence briefings.

Also called the DC Police, the MPD is the primary law enforcement agency for the District of Columbia in the U.S.

The ransomware gang has given the department three days to heed to their ransom demand or risk leaking sensitive files that could expose police informants to criminal gangs.

“Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as possible, to prevent leakage, if no response is received within 3 days, we will start to contact gangs in order to drain the informants, we will continue to attack the state sector of the usa, fbi csa, we find 0 day before you, even larger attacks await you soon,” the ransomware group said on their data leak site.

 

images from Hacker News

Cybersecurity Webinar: Understanding the 2020 MITRE ATT&CK Results

Cybersecurity Webinar: Understanding the 2020 MITRE ATT&CK Results

The release of MITRE Engenuity’s Carbanak+Fin7 ATT&CK evaluations every year is a benchmark for the cybersecurity industry.

The organization’s tests measure how well security vendors can detect and respond to threats and offers an independent metric for customers and security leaders to understand how well vendors perform on a variety of tasks.

However, for the uninitiated, the results can be hard to decipher and contextualize properly. Unlike many benchmarks that compare participants in a competitive manner, MITRE’s framework evaluates companies exclusively on how they respond to the tests.

This means that customers must really know what they’re looking for. A new webinar (register here) aims to provide some clarity on what to look for and how to interpret the results.

Cynet’s new live webinar will dig a little deeper into the MITRE ATT&CK evaluation. The company’s research team will break down how the evaluations work, what the results mean, and how they should be interpreted (and not interpreted).

images from Hacker News

Hackers Exploit 0-Day Gatekeeper Flaw to Attack macOS Computers

Hackers Exploit 0-Day Gatekeeper Flaw to Attack macOS Computers

Security is only as strong as the weakest link. As further proof of this, Apple released an update to macOS operating systems to address an actively exploited zero-day vulnerability that could circumvent all security protections, thus permitting unapproved software to run on Macs.

The macOS flaw, identified as CVE-2021-30657, was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.

“An unsigned, unnotarized, script-based proof of concept application […] could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system,” security researcher Patrick Wardle explained in a write-up. “Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users.”

Apple’s macOS comes with a feature called Gatekeeper, which allows only trusted apps to be run by ensuring that the software has been signed by the App Store or by a registered developer and has cleared an automated process called “app notarization” that scans the software for malicious content.

But the new flaw uncovered by Owens could enable an adversary to craft a rogue application in a manner that would deceive the Gatekeeper service and get executed without triggering any security warning. The trickery involves packaging a malicious shell script as a “double-clickable app” so that the malware could be double-clicked and run like an app.

images from Hacker News

FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers

FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.

By employing “stealthy intrusion tradecraft within compromised networks,” the intelligence agencies said, “the SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.”

The cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and formally pinned the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.

APT29, since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.

images from Hacker News