Select Page
Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers’ DNS Settings

Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers’ DNS Settings

Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking.

Kaspersky, which carried out an analysis of the malicious artefact, said the feature is designed to target specific Wi-Fi routers located in South Korea.

Roaming Mantis, also known as Shaoye, is a long-running financially motivated operation that singles out Android smartphone users with malware capable of stealing bank account credentials as well as harvesting other kinds of sensitive information.

Although primarily targeting the Asian region since 2018, the hacking crew was detected expanding its victim range to include France and Germany for the first time in early 2022 by camouflaging the malware as the Google Chrome web browser application.

The attacks leverage smishing messages as the initial intrusion vector of choice to deliver a booby-trapped URL that either offers a malicious APK or redirects the victim to phishing pages based on the operating system installed in the mobile devices.

images from Hacker News

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram

The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country.

“The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload,” the BlackBerry Research and Intelligence Team said in a report shared with The Hacker News. “This kind of technique to infect target systems is new.”

Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults aimed at Ukrainian entities since at least 2013.

Last month, Palo Alto Networks Unit 42 disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company within a NATO member state amid the Russo-Ukrainian war.

Attack chains mounted by the threat actor have employed legitimate Microsoft Office documents originating from Ukrainian government organizations as lures in spear-phishing emails to deliver malware capable of harvesting sensitive information.

images from Hacker News

WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws

WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws

The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta’s WhatsApp for violating data protection laws when processing users’ personal information.

At the heart of the ruling is an update to the messaging platform’s Terms of Service that was imposed in the days leading to the enforcement of the General Data Protection Regulation (GDPR) in May 2018, requiring that users agree to the revised terms in order to continue using the service or risk losing access.

The complaint, filed by privacy non-profit NOYB, alleged that WhatsApp breached the regulation by compelling its users to “consent to the processing of their personal data for service improvement and security” by “making the accessibility of its services conditional on users accepting the updated Terms of Service.”

“WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security,” the DPC said in a statement, adding the data collected so far amounts to a contravention of GDPR.

Aside from the fine, the messaging application has also been ordered to bring its operations into compliance within a period of six months. It’s worth noting that Meta has its European headquarters in Dublin.

images from Hacker News

Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware

Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.

Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were released.

“This incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\IDS appliances etc.),” Mandiant researchers said in a technical report.

The attacks entailed the use of a sophisticated backdoor dubbed BOLDMOVE, a Linux variant of which is specifically designed to run on Fortinet’s FortiGate firewalls.

The intrusion vector in question relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically crafted requests.

images from Hacker News

New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application.

“The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu,” Ermetic researcher Liv Matan said in a report shared with The Hacker News. “By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application.”

The Israeli cloud infrastructure security firm, which dubbed the shortcoming EmojiDeploy, said it could further enable the theft of sensitive data and lateral movement to other Azure services.

Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000.

The Windows maker describes Kudu as the “engine behind a number of features in Azure App Service related to source control based deployment, and other deployment methods like Dropbox and OneDrive sync.”

images from Hacker News