Welcome to the next episode of the Xopero Security Center. This week we are taking a break from MS Exchange and ProxyLogon vulnerabilities. Maybe except this small update: according to Microsoft, 92% of vulnerable Exchange servers are now patched or mitigated. But Microsoft’s ecosystems are profitable targets and attackers take advantage of newer vulnerabilities to infect systems over and over again. Thus, this time we are taking a closer look into an upgraded variant of Purple Fox malware with worm capabilities that targets Microsoft Windows machines. Which one exactly? To find out more, read the full post.
Purple Fox malware with new worm capabilities targets exposed Windows systems
Purple Fox is malware previously distributed via exploit kits and phishing emails. Now it gained a worm module that allows it to scan for and infect Windows systems reachable over the Internet in ongoing attacks.
The malware has been first spotted in 2018. But starting with May 2020, Purple Fox attacks have significantly intensified, reaching a total of 90,000 attacks and 600% more infections. Check yourself:
Infected systems exhibit worm-like behaviour
After discovering an exposed Windows system while scanning for devices reachable over the Internet, Purple Fox’s newly added worm module uses SMB password brute force to infect it.
So far, Purple Fox has deployed its malware droppers and additional modules on an extensive network of bots, an army of almost 2,000 compromised servers. Devices ensnared in this botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.
Purple Fox is also using phishing campaigns and web browser vulnerabilities to deploy its payloads. It also installs a rootkit module that uses the hidden open-source rootkit to hide dropped files and folders or Windows registry entries created on the infected systems. After deploying the rootkit and rebooting the device, the malware will rename its DLL payload to match a Windows system DLL and will configure it to be launched on system start.
Once the malware is executed on system launch, each of the infected systems will exhibit the same worm-like behaviour, continuously scanning the Internet for other targets and attempting to compromise them and add them to the botnet.
Fleeceware scam earns cybercriminals $400M in revenue so far – it could cost you 3,400 USD per year, every year…
About 204 different fleeceware applications with combined billion+ downloads have raked in more than $400 million in revenue so far, via the Apple App Store and Google Play.
What is a Fleeceware app?
Fleeceware apps generally offer users a free trial to “test” the app, before commencing automatic payments that can be exorbitant. In an analysis from Avast released on Wednesday, some of those subscriptions can reach $3,400 or more per year. And often, users are charged even after they’ve deleted the offending application.
The study
Avast analysed over 200 mobile applications – and then flagged to Apple and Google – and found that most of the offending apps are musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and something called “slime simulators”. Clearly, many of these apps are marketed towards children. Scammers target children mostly through and catchy advertisements on popular social media platforms such as Facebook, Instagram, Snapchat and TikTok – promising ‘free installation’ or ‘free download’.
Most of the apps that Avast discovered are offering a free three-day trial, according to the research. After that, the models vary. Most of the apps charge between $4 to $12 per week, which equates to $208 to $624 per year; but others charge as much as $66 per week, totalling $3,432 per year.
Uninstalling is an option but it doesn’t help
Fleeceware apps are not malware but in this case, users deal with the quasi-permanent state of the “infection”. Both Google and Apple aren’t responsible for subscription refunds after a certain time period, leaving victims with the app developers themselves as their main recourse. And scammers usually don’t cooperate with victims – that’s the unwritten low. So it appears there is very little that victims can do other than contacting their bank and requesting a chargeback.
Fleeceware apps will stay for some time, so be aware
In January, Sophos research uncovered that these type of apps have been installed nearly 600 million times on 100 million-plus devices, just from Google Play alone. This business model is attracting more and more developers – there is big money guaranteed even if only a small percentage of users fall victim to fleeceware.
Critical F5 BIG-IP flaw under active attack. Patch ASAP!
Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated.
The unauthenticated remote command execution flaw (CVE-2021-22986) exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure and could allow attackers to take full control over a vulnerable system. And it’s worth noting that the F5 BIG-IP is a very juicy target due to the fact that it can handle highly sensitive data.
Earlier in March, F5 issued a patch for the flaw, which has a CVSS rating of 9.8 and exists in the iControl REST interface. After the patch was issued, several researchers posted proof-of-concept (PoC) exploit code after reverse engineering the Java software patch in BIG-IP.
Fast forward to last week, researchers reported mass scanning for – and in-the-wild exploitation of – the flaw.
The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged companies to fix the critical F5 flaw, along with another bug being tracked as CVE-2021-22987 (rating 9.9) which affects the infrastructure’s Traffic Management User Interface (TMUI).
The scenario is particularly urgent as F5 provides enterprise networking to some of the largest tech companies in the world, including Facebook, Microsoft and Oracle, as well as to a trove of Fortune 500 companies.
WARNING: A new Android zero-day vulnerability is under active attack
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks.
Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an “improper input validation” issue in Qualcomm’s Graphics component. It could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device’s memory.
The flaw was discovered and reported by Google’s Android Security team in July 2020, and Qualcomm fixed it in January 2021.
It’s worth noting that to launch a successful attack, the bad actor must either have physical access to the vulnerable smartphone or use other means – e.g., a watering hole – to deliver malicious code and set off the attack chain.
Specifics about the attacks, the identity of the attacker, and the targeted victims have not been undisclosed. Better install the update now to not get listed.
Do you have thirst for knowledge? There are ten more cybersecurity stories below
1. Cisco Jabber for Windows, macOS, Android and iOS is affected by a critical issue (Security Affairs)
2. Microsoft: 92% of vulnerable Exchange servers are now patched, mitigated (ZDNet)
3. Critical code execution vulnerability fixed in Adobe ColdFusion (Bleeping Computer)
4. Energy Giant Shell Is Latest Victim of Accellion Attacks (Threat Post)
5. Cybercriminals exchange tips on avoiding arrest, jail in underground forums (ZDNet)
6. Ransomwared Bank Tells Customers It Lost Their SSNs (Vice)
7. Ransomware attack shuts down Sierra Wireless IoT maker (Bleeping Computer)
8. Forex Broker Leaks Billions of Customer Records Online (Infosecurity Magazine)
9. Microsoft fixes Windows PSExec privilege elevation vulnerability (Bleeping Computer)
10. Perkiler malware turns to SMB brute force to spread (Malwarebytes Labs)