StrandHogg 2.0, ComRAT and PonyFinal – three biggest cyberthreats of the week

Welcome to the next episode of the Xopero Security Center! Three new biggest cyberthreats show that the attackers can be really adaptive. Gmail web interface used to command and control? Check. Human-operated ransomware attacks. Check. But let’s start with the newly discovered Android flaw which allows to carry on a large-scale StrandHogg 2.0 attack.

StrandHogg 2.0 – this new critical Android flaw affects over 1B devices

A newly discovered flaw, tracked as CVE-2020-0096, affects Android OS and allows attackers to carry out a sophisticated version of the Strandhogg 2.0 attack.

What is exactly the StrandHogg attack? The vulnerability resides in the Android’s multitasking system that could be exploited by a rogue application installed on the device to pose as a legitimate application in the attempt to trick the user into granting it the permissions to control the devices. This way the app is able to spy on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations

Next-gen? The StrandHogg 2.0 flaw is an elevation of privilege flaw that allows hackers to gain access to almost all apps installed on the devices. StrandHogg 1.0 could be used to attack apps one at a time, StrandHogg 2.0 allows attackers to attack nearly any app on a device simultaneously.

The Strandhogg 2.0 is an elevation of privilege flaw that allows hackers to gain access to almost all apps installed on the devices.
Source: Promon

The attack begins when a victim clicks the icon of a legitimate app. But instead of loading the legitimate app, the malware is displayed and can request permissions under the disguise of other software. After the victim unknowingly grants permission to the attacker, he or she is redirected to the legitimate app next. And with such level of access, an attacker can proceed to upload data from a victim’s device.

Is there a security patch available? Researchers have not seen any malware using StrandHogg 2.0 in the wild. But Google released in April a security patch to manufacturing companies, that are going to release security updates to their devices with OS ver. 8.0, 8.1, and 9.0.

Read more

ComRAT uses Gmail Web Interface for Command and Control

ComRAT is a backdoor that has long been associated with Turla – Russia-based advanced persistent threat actor. The newest version gained some alarming new features. One of them allows the malware to receive commands and exfiltrate data via the Gmail Web user interface. It’s worth to mention that the malware doesn’t make HTTP, DNS, or other relatively easily observable requests to a suspicious domain. From a network point of view, only traffic to and from mail.google.com can be seen.

It brings to the light another alarming thing. If there is no suspicious request made, it is much harder to detect and block such attack. Especially if the targeted organization is using Gmail for legitimate purposes. How exactly ComRAT is able to connect to Gmail? This version of the backdoor is using cookies stored in its configuration to connect to Gmail’s Web interface in order to check the inbox and to download email attachments containing encrypted commands.

According to Matthieu Faou from ESET “ComRAT is a good example of a complex malware that is deployed once the victim is breached, in order to stay persistent and spy for a long time.”.

Read more

Microsoft warns about attacks with the PonyFinal ransomware

Microsoft has been warning organizations around the globe to deploy protections against a new ransomware that has been in the wild over the past two months. “PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks” – says company in a series of tweets. In such attacks, hackers breach corporate networks and deploy the ransomware on their own.

How it works…The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords.

Once inside,the gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal data. Attackers also deploy “a remote manipulator system to bypass event logging.” Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware.

In most cases, attackers target workstations where the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java. But Microsoft says it also has seen instances where the gang installed JRE on systems before running the ransomware.

PonyFinal - organizations should focus less on this payload and more on how it’s delivered.
Source: Microsoft

At last, PonyFinal encrypts files, changes their filenames (by appending the “.enc” extension) and generates a ransom note “README_files.txt” in every folder that contains encrypted files. The demanded ransom is…300BTC which equals $2,8M! 

There is no known way or free decrypter that can recover encrypted files – at least, at the time of writing.

Unfortunately, PonyFinal is one of the several human-operated ransomware that were employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Read more

It’s not every day the NSA publicly warns of attacks by Kremlin hackers – take it seriously

According to The National Security Agency (NSA), the Kremlin’s military intelligence hackers are actively targeting some systems vulnerable to a remote-code execution flaw (CVE-2019-10149) in the widely used Exim mail transfer agent (MTA). The patch exists from…last June. So you have already patched it months ago, right?

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA said.

In this case, miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient’s address in Exim’s deliver_message() function in /src/deliver.c to inject and execute a shell command, which downloads and runs another script to commandeer the server. 

Because Exim is widely used on millions of Linux and Unix servers for mail, bugs in the MTA are by nature public-facing and pose an attractive target for hackers of all nations.

The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. 

Updating Exim to version 4.93 or later will close off the vulnerability. While admins can download the update, using your Linux distro’s package manager will be the easiest way to get the fix, if for some reason you don’t already have it.

Admins are also advised to keep a close eye on their servers to check for suspicious activity, such as new accounts being added or security settings being changed.

Read more

500 million Facebook user data for sale 

A hacker is claiming to have access to a database with 500 million Facebook user data from 82 countries that has been stolen between November 2019 to May 2020. What’s worse is that the data is currently being sold on an infamous hacking forum…

As seen on the forum, the hacker has been offering the treasure trove of data since May 15th, 2020 and includes personal information such as names, surnames, gender, location, city name, job, marital status, mobile numbers, email addresses, Facebook profile links. 

Furthermore, the hacker has divided the price of the data into three parts. The entire database costs $30,000. But you can buy only 100 000 of data for only $450. 

The listing also states that the information in the database was stolen between November 2019 to May 2020.

The sample data seen by Hackread.com suggests that the database has been stolen from a misconfigured database or bought from a third-party marketing firm (gained by f.ex. data scrapping).

Nevertheless, the victims of the breach are yet again unsuspecting Facebook users who are now open to phishing scams, smishing attacks (SMS phishing), and identity theft using publicly available photos on their profiles, etc. If you are on Facebook – please pay attention to any suspicious email or message. 

Read more

Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. GitHub warns Java developers of new malware poisoning NetBeans projects (ZDNet)
2. eBay port scans visitors’ computers for remote access programs (Bleeping Computer)
3. RangeAmp attacks can take down websites and CDN servers (ZDNet)
4. Docker Desktop danger discovered, patch now (Naked Security)
5. Hacking group builds new Ketrum malware from recycled backdoors (Bleeping Computer)
6. DoubleGun Group Builds Massive Botnet Using Cloud Services (ThreatPost)
7. Google finds Indian hack-for-hire firms exploiting coronavirus fears via spearphishing schemes (CyberScoop)
8 ‘Valak’ gives crooks flexibility in multi-stage malware attacks (CyberScoop)
9. PrintDeamon vulnerability explained: its risk and how to mitigate (CSO)
10. Michigan State University hit by ransomware gang (ZDNet)