Advisory ID: NCC-CSIRT-140723-026

Summary: The Uptycs threat research team has discovered a new malware called "Meduza Stealer" that targets Windows users. This sophisticated malware aims to steal various types of sensitive data, focusing on Windows browsers and vulnerable extensions like crypto wallets and password managers. Additionally, it can collect system-related information from compromised devices, including hardware specifications, IP address, and usernames. These findings underscore the importance of implementing strong security measures to safeguard against the Meduza Stealer malware and similar threats. 

Vulnerable Platform(s): Windows Operating Systems

Threat Type: Malware

Impact/Probability: CRITCIAL/MEDIUM

Product : Google Chrome, Microsoft\Edge, Opera, Thunderbird, and other prominent Browers. 

Version:  All Version

Description: The research team made a significant discovery by identifying the new Meduza Stealer Malware. Through monitoring dark web forums and Telegram channels, they observed the malware being promoted and distributed to potential cyber-criminals. Unlike typical ransomware, this malware solely focuses on stealing data and continuously evolves with the incorporation of new features. Its primary targets are Windows users and organizations, with the exception of ten specific countries that include Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Usbekistan, Armenia, Kyrgystan, Moldova, and Tajikistan. 

Once the malware infiltrates a machine, it initiates its operations. It first checks the geolocation of the victim. If the location is within the list of excluded countries, the malware immediately aborts its activities. Similarly, if the attacker's server is inaccessible, the malware terminates its operations. However, if both conditions are favorable, the malware proceeds to collect extensive data. This data is then packaged, uploaded, and sent to the attacker's server, completing the data theft operation on the infected machine. 

Consquences:  Meduza Stealer can lead to severe consequences, such as financial losses and potential large-scale data breaches for affected individuals and organizations. 

Solution: 

• Avoid storing your bank login information in web browsers. 
• Encrypt confidential documents before sending them through compromised web browsers. 
• Regularly install updates for your operating systems and browsers. 
• Only install browser extensions from trusted sources. 
• Employ strong and unique passwords for all your accounts. 
• Install security applications to patch vulnerabilities that malware can exploit. 
• Always scan files using security software before opening them. 

References: 

https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work#exclusionlist 

https://www.infosecurity-magazine.com/news/meduza-stealer-targets-windows/ 

Advisory ID: NCC-CSIRT-120723-025

Summary: A tool named TeamsPhisher has been uncovered by a researcher from the U.S. Navy's red team. This tool exploits a security vulnerability in Microsoft Teams, enabling attackers to bypass file-sending restrictions and deliver malware from an external account. If successfully exploited, this vulnerability allows attackers to bypass restrictions on incoming files from users outside of a targeted organization, known as external tenants. 

Vulnerable Platform(s): Microsoft Teams

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product : Microsoft Teams

Version: All Version

Description: The researcher explains that the Microsoft Teams application has client-side protections that can be deceived, treating an external user as an internal one simply by altering the ID in the POST request of a message. To carry out this attack, a Python-based tool called "TeamsPhisher" has been developed, offering a fully automated approach.
TeamsPhisher performs several steps to execute the attack successfully. It first verifies the target user's existence and their ability to receive external messages, which is a crucial requirement for the attack to proceed. It then creates a new thread with the target user and sends them a message containing a Sharepoint attachment link. This thread becomes visible in the sender's Teams interface, potentially allowing for manual interaction.
Initially, TeamsPhisher requires users to have a Microsoft Business account, including a valid Teams and Sharepoint license, which is commonly found in many large companies. The tool also offers a "preview mode" to help users verify the target lists and ensure the appearance of messages from the recipient's perspective. Additionally, TeamsPhisher provides other features such as sending secure file links that can only be accessed by the intended recipient, specifying delays between message transmissions to bypass rate limiting, and generating log files to record outputs.

Consquences: TeamsPhisher tool can allow sending a malicious payload directly to a target Microsoft Teams' inbox. 

Solution: At present, there is no specific solution as Microsoft has not made a decision regarding corrective actions for this vulnerability. However, the following measures are recommended: 

• Microsoft Teams users should adopt safe online computing practices, such as being cautious when clicking on web page links, opening unfamiliar files, or accepting file transfers. 
• Organizations are strongly advised to disable external tenant communications if not required.
• Organizations should establish an allow-list comprising trusted domains to minimize the risk of exploitation. 

References: 

https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/ 

https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/ 

https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=06&month%5B%5D=07 

Advisory ID: NCC-CSIRT-090523-022

Summary: Malware analysis engineers from Meta discovered a new malware called NodeStealer that targets saved usernames and passwords in browsers, with the aim of compromising businesses' Gmail, Outlook and Facebook accounts.  

Vulnerable Platform(s): Browsers

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product : Gmail, Outlook and Facebook Applications

Version: All Version

Description: According to the analysts, hackers are distributing the NodeStealer malware through Windows executables that look like PDF files and have filenames related to marketing, social media planning, and monthly budgets. The malware is being executed using the Node.js open source Javascript runtime environment, typically used to develop web applications. After execution, the malware steals the stored credentials and cookie session data from various browsers (Chrome, Opera, Edge and Brave) on victim computers, by referencing the file paths to access files storing cookies and credentials for various sites and decrypting this data.

Consquences: The malware specifically steals user credentials for Facebook, Gmail, and Outlook accounts.

Solution : 

• To avoid NodeStealer Malware, you should practice safe computing habits, such as avoiding suspicious emails and downloads, keeping antivirus software up to date, and regularly backing up important data.
• If you suspect that your system has been infected with NodeStealer, disconnect from the internet and seek the assistance of a reputable cybersecurity professional or use a trusted anti-malware application to remove the threat automatically.

References: 

https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/

https://www.securityweek.com/meta-swiftly-neutralizes-new-nodestealer-malware/

https://duo.com/decipher/nodestealer-malware-targets-gmail-outlook-facebook-credentials

https://www.cyclonis.com/remove-nodestealer-malware/

https://www.pcrisk.com/removal-guides/26669-nodestealer-malware

Advisory ID: NCC-CSIRT- 080523-021

Summary: Cybersecurity researchers from Elastic Security Labs discovered a new 'LOBSHOT' Malware distributed using Google ads in search results. The malware allows threat actors to stealthily take over infected Windows devices.  

Vulnerable Platform(s):  Google ads

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product : Windows Devices

Version: All Versions

Description: According to the researchers, threat actors distributed the LOBSHOT malware strains using an elaborate scheme of fake websites through Google Ads. Users download what they believe to be legitimate installers for genuine software applications. Once the installer is initiated the compromised system is backdoored (a feature or defect of a computer system that allows secret unauthorized access to data), and malware is installed without the victim’s knowledge.
The malware remains hidden on the compromised Windows devices, while still being capable of stealing sensitive information from the victim by using a Hidden Virtual Network Computing (hVNC).

Consquences: Full remote control of the compromised Windows devices.

Solution :

• Users should be careful of promoted Google ads.
• When online, always check on the website promoted by Google ads versus the legitimate website distributing genuine software.

References:

https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
https://www.helpnetsecurity.com/2023/05/02/infostealer-hvnc/
https://www.pcrisk.com/internet-threat-news/26662-new-malware-granting-threat-actors-hidden-vnc-access
https://cybersecurityworldconference.com/2023/05/02/new-lobshot-hvnc-malware-spreads-via-google-ads/