Advisory ID: NCC-CSIRT-260424-008
Summary:
Recent reports indicate that Brokewell, a newly identified Android malware family, poses a significant threat to Android devices: it compromises device security and exfiltrates sensitive information. It operates covertly, giving attackers full control over infected devices and enabling the theft of personal data, financial information and credentials.
Threat Type(s): Malware, Remote Access Trojan (RAT)
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android OS
Platform(s): Android Devices
Version(s): All Versions
Description:
Brokewell reaches Android devices through phishing, malicious app installations (reports describe fake Google Chrome update pages) and exploitation of software vulnerabilities. Once installed, it runs stealthily in the background, evades detection by security software, and relies on social engineering to get users to download and install further malicious content. It allows attackers to:
- Execute arbitrary commands.
- Steal sensitive data, including personal and financial information.
- Intercept and monitor user activity and communications.
- Record audio and capture screenshots.
Consequences:
The consequences of a Brokewell infection include, but are not limited to:
- Theft of personal and financial information.
- Financial losses.
- Compromise of sensitive credentials, including usernames and passwords.
- Unauthorized access to device functions and data.
- Potential for further malware distribution or exploitation of compromised devices in botnet operations.
- Loss of privacy and confidentiality.
Solution:
To mitigate the risk posed by this malware, users are strongly advised to take the following steps.
- Keep Software Updated: Ensure that the Android operating system, apps, and security patches are regularly updated to address known vulnerabilities and security flaws.
- Exercise Caution: Avoid downloading apps or clicking on links from unknown or untrusted sources. Stick to official app stores like Google Play and carefully review app permissions before installation.
- Enable Security Features: Keep Google Play Protect turned on so that installed apps, including sideloaded ones, are scanned for potentially harmful behaviour.
- Inform Users: Educate users about the risks of downloading and installing apps from unreliable sources and advise them to exercise caution when clicking on links or downloading attachments from unknown senders.
- Backup Data: Regularly back up important data stored on your Android device to an external drive or to cloud storage. In the event of a malware infection or data breach, backups ensure that critical information can be restored without
References:
- https://www.tomsguide.com/computing/malware-adware/new-brokewell-malware-targets-android-users-with-fake-google-chrome-updates
- https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data
- https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html
- https://www.securityweek.com/powerful-brokewell-android-trojan-allows-attackers-to-takeover-devices/
- https://cyware.com/news/new-brokewell-malware-takes-over-android-devices-steals-data-35448cbe/
Advisory ID: ngCERT-2024-0011
Summary:
A new version of the Vultur banking trojan has been discovered posing as security, authenticator or productivity apps in order to steal sensitive data and gain total control over compromised Android devices. The malware has been embedded in over 800 apps on the Google Play Store and many Android devices have been compromised. This latest version includes more advanced remote-control capabilities and an improved evasion mechanism, enabling its operators to remotely interact with a mobile device and harvest sensitive data. The attack relies on "smishing" (SMS phishing) and phone calls to trick targets into installing the malware. It is also distributed via trojanized dropper apps built with the Brunhilda dropper framework.
Damage/Probability: HIGH/HIGH
Platform(s): Android
Description:
The infection chain begins with the victim receiving an SMS message alerting them of an unauthorised transaction and instructing them to call a provided number for guidance. As the victim follows the instructions, the call is answered by a fraudster who then persuades the victim to open the link which arrives with a second SMS. Clicking on this link then directs the victims to a site that offers a fake version of a security app such as McAfee app or other apps such as, My Finances Tracker, RecoverFiles, Zetter Authenticator, etc. Once the app is installed, the fake app decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that can obtain access to the Accessibility Services, initialise the remote-control systems and establish a connection with its command and control (C2) server. In a second infection chain, the malware has been observed to be distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. The dropper-framework called Brunhilda is used to deploy Vultur via three payloads, the last two designed to invoke each other’s functionality.
Consequences:
Successful installation of this malware on an Android device allows the attacker to:
- Remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's Accessibility Services, as well as download, upload, delete, install, and find files on the device.
- Steal sensitive financial information and carry out transactions from the victim's device.
- Abuse Accessibility Services to prevent victims from deleting the malicious app through the normal settings UI: whenever the user opens the app details screen in Android settings, Vultur automatically presses the back button, so the user never reaches the uninstall button.
- Prevent the user from interacting with legitimate applications on the device, which are defined in a list provided by the attacker.
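Both infection chains described above end with a package that holds accessibility access, and the self-protection trick blocks removal from the on-device Settings screen. The following is an added example (not code from the advisory, from Vultur analysts, or from any vendor) of an offline triage script that an incident responder can run against a suspect device over USB: it consumes the raw output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and reports every package holding an enabled accessibility service that is not on an allow-list, rating sideloaded packages (no store installer) as high and store-installed ones as medium. The allow-lists and the sample device output are assumptions constructed for illustration.

```python
"""Offline triage of an Android device for apps holding accessibility access.

Added example, not code from the advisory or from any vendor. Input is the raw
text of two adb commands, collected over USB so that the malware's blocking of
the on-device Settings screen does not interfere:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: Google Play is the only trusted installer in this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: packages legitimately allowed to hold accessibility access.
TRUSTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample output (not from a real device; package names are made up).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeauth/com.example.fakeauth.AccessService:"
    "com.example.playtracker/com.example.playtracker.SvcA"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeauth  installer=null
package:com.example.playtracker  installer=com.android.vending
package:com.android.settings  installer=null
"""


@dataclass
class Finding:
    package: str
    service: str
    installer: Optional[str]
    severity: str  # "high": sideloaded; "medium": store-installed but not allow-listed


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse 'pkg/Service:pkg2/Service2'; 'null' or '' means nothing enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Parse 'package:<pkg>  installer=<pkg|null>' lines from pm list packages -i."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def triage(services_raw: str, installers_raw: str) -> List[Finding]:
    """Report every non-allow-listed package with an enabled accessibility service."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw):
        if pkg in TRUSTED_A11Y_PACKAGES:
            continue
        inst = installers.get(pkg)
        severity = "high" if inst not in TRUSTED_INSTALLERS else "medium"
        findings.append(Finding(pkg, svc, inst, severity))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"[{f.severity}] {f.package} ({f.service}) installer={f.installer}")
```

A package flagged as high here can be removed from the same USB session with `adb shell pm uninstall --user 0 <package>`, which does not go through the settings screen the malware blocks. The medium tier exists because the second chain delivers Vultur through store-installed Brunhilda droppers, so a Play installer alone is not evidence of legitimacy.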
Solution:
It is therefore recommended that android users should:
- Avoid calling numbers provided in unsolicited messages or emails.
- Be cautious of links in messages or emails, especially those related to financial transactions.
- Install apps only from trusted sources like the Google Play Store.
- Keep Android device and apps updated to the latest versions.
- Use antivirus software and keep it updated to detect and remove malware.
- Regularly review financial transactions for any unauthorized activity and report it.
References:
Advisory ID: NCC-CSIRT-150424-007
Summary:
Recent reports indicate that a sophisticated mercenary spyware has attacked iPhone users. This attack, distributed through deceptive links and vulnerabilities in software, has capabilities for extensive surveillance, including accessing messages, call logs, emails, and even activating cameras and microphones without user consent.
Threat Type(s): Spyware
Impact/Vulnerability: CRITICAL/HIGH
Product(s): iPhones
Platform(s): iOS Devices
Version(s): All Versions
Description:
The spyware, referred to as "Pegasus," exploits several vulnerabilities in the iOS ecosystem, making it possible to install it without the victim's knowledge; installation can follow a tap on a deceptive link or, in so-called zero-click cases, require no interaction from the victim at all. Once installed, it provides the attacker with extensive access to personal data, allowing real-time and historical tracking of the victim's activities. The software evades typical security measures and can delete itself to avoid detection, making it extremely dangerous and stealthy.
Consequences:
The consequences of a successful spyware infection include, but are not limited to:
- Unauthorized access to personal data, including messages, photos, and contacts.
- Monitoring of communications and activities, jeopardizing privacy and confidentiality.
- Potential for financial loss, identity theft, or blackmail.
- Compromised device security, leading to broader system vulnerabilities.
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps.
- Update Devices: Users should immediately update their iOS devices to the latest version to patch any known vulnerabilities.
- Enhanced Security Practices: Enable Lockdown Mode (Settings > Privacy & Security > Lockdown Mode), which Apple recommends for users who may be targeted by mercenary spyware. VPNs and end-to-end encrypted messaging apps protect data in transit but do not prevent exploitation of the device itself.
- Awareness and Education: Users should be educated on the signs of potential spyware infection and the importance of avoiding suspicious links and downloads.
- Report Suspicious Activity: Promptly report any unusual behavior or unauthorized access to IT security professionals.
- Exercise Caution: Avoid clicking on suspicious links or downloading apps from untrusted sources.
References:
- https://support.apple.com/en-in/102174
- https://www.bleepingcomputer.com/news/security/apple-mercenary-spyware-attacks-target-iphone-users-in-92-countries/
- https://www.gsmarena.com/apple_warns_users_in_over_90_countries_on_mercenary_spyware_attacks-news-62396.php
- https://www.techrepublic.com/article/apple-threat-notifications-mercenary-spyware/
Advisory ID: ngCERT-2024-0010
Summary:
A security researcher uncovered an arbitrary command injection vulnerability and a backdoor account in four end-of-life D-Link NAS models that can be exploited to compromise internet-facing devices. Reports indicate that over 92,000 such devices are exposed on the internet. Attackers can exploit these flaws for arbitrary command execution, alteration of system configuration or denial of service (DoS), and to access sensitive information on the affected system.
Damage/Probability: CRITICAL/HIGH
Platform(s): D-Link DNS-series NAS devices (CVE-2024-3273)
Description:
The vulnerability, tracked as CVE-2024-3273, combines two flaws in the nas_sharing.cgi (Common Gateway Interface) script: a hardcoded account (username "messagebus", empty password) that acts as a backdoor, and a command injection through the "system" request parameter. Chained together, they let any remote attacker execute commands on the device. An attacker sends a crafted HTTP request to nas_sharing.cgi carrying the backdoor credentials (user=messagebus and an empty passwd=), which the script accepts without any further authentication. The value of the system parameter is decoded by the script and passed to a system command, so the attacker can run arbitrary commands to alter the system configuration, read sensitive data or cause a denial of service. Device models impacted by CVE-2024-3273 include:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
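Because no patch exists, detection matters: a device that must stay on the network should at least be watched for the request shape described above. The following is an added example (not code from D-Link or from the advisory) of a log scanner that flags requests to nas_sharing.cgi presenting the hardcoded messagebus account with an empty password and/or a system parameter, and decodes that parameter for the analyst. It assumes Apache/nginx combined log format and, as in public reports on this flaw, that the system parameter is base64-encoded; the sample log lines are constructed and use documentation IP ranges.

```python
"""Scan web-server access logs for requests shaped like CVE-2024-3273 abuse.

Added example, not code from D-Link or the advisory. Assumptions: combined
log format, and a base64-encoded "system" parameter as in public reports.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2024:10:15:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=dW5hbWUgLWE%3D HTTP/1.1" 200 512
192.0.2.10 - - [06/Apr/2024:10:15:05 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 200 1024
203.0.113.7 - - [06/Apr/2024:10:15:09 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd= HTTP/1.1" 200 320
198.51.100.4 - - [06/Apr/2024:10:16:00 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=secret&system=aWQ%3D HTTP/1.1" 200 300
192.0.2.10 - - [06/Apr/2024:10:16:30 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice&passwd=x HTTP/1.1" 200 300
"""


def decode_system_param(value: str) -> Optional[str]:
    """Base64-decode the system parameter; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_line(line: str) -> Optional[Dict]:
    """Return a hit record for a suspicious nas_sharing.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/nas_sharing.cgi"):
        return None
    # keep_blank_values so that an empty passwd= is seen, not dropped.
    q = parse_qs(parts.query, keep_blank_values=True)
    user = q.get("user", [""])[0]
    passwd = q.get("passwd", [""])[0]
    system = q.get("system", [""])[0]
    indicators = []
    if user == "messagebus" and passwd == "":
        indicators.append("hardcoded-account")
    if system:
        indicators.append("system-param")
    if not indicators:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "indicators": indicators,
        "system_decoded": decode_system_param(system) if system else None,
    }


def scan(log_text: str) -> List[Dict]:
    """Scan a whole log and return every hit in order of appearance."""
    return [hit for hit in (analyse_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["src"], h["status"], ",".join(h["indicators"]), repr(h["system_decoded"]))
```

Any use of the messagebus account on a NAS is an indicator by itself, since no legitimate client should log in with it; a 200 response to such a request on an internet-facing device should be treated as a probable compromise and the device isolated.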
Consequences:
Successful exploitation of this vulnerability could lead to the following:
- Unauthorized access to sensitive information.
- Data exfiltration.
- Modification of system configurations.
- Denial of Service (DoS).
Solution:
No patches will be released for this flaw. It affects legacy D-Link products, across all hardware revisions, that have reached their End of Life ("EOL") / End of Service Life ("EOS") life cycle. Products that have reached EOL/EOS no longer receive device software updates or security patches and are no longer supported by D-Link. It is therefore recommended that:
- D-Link devices that have reached EOL/EOS be retired and replaced.
- If consumers continue to use these devices against D-Link's recommendation, please make sure the device has the last known firmware which can be located on the Legacy Website link (https://legacy.us.dlink.com/).
- Keep a unique, strong password on the device's web configuration interface and always have WiFi encryption enabled with a unique passphrase. Note that changing the administrator password does not remove the hardcoded messagebus account, so this is not a mitigation for CVE-2024-3273 on its own.
- Users are also advised not to expose management interfaces to the internet.
- Users should disable UPnP (Universal Plug and Play) and connections from remote Internet addresses unless they’re absolutely necessary and configured correctly.
References:
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
- https://cybersecuritynews.com/d-link-nas-command-injection-impact/
- https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/
Advisory ID: NCC-CSIRT-030424-006
Summary:
Several vulnerabilities have been identified in Google Chrome that could be exploited by attackers to compromise systems and data. These vulnerabilities pose a serious risk to users and organizations worldwide, with impacts ranging from remote code execution to information disclosure.
Threat Type(s): Denial of Service (DoS), User Interface (UI) Spoofing, Remote Code Execution (RCE)
Impact/Vulnerability: HIGH/HIGH
Product(s): Google Chrome
Platform(s): Google Chrome for Windows, MacOS and Linux, Google Chrome for Android and iOS
Version(s): All Versions.
Description:
The vulnerabilities affect various components of Google Chrome including:
- Type Confusion Vulnerabilities: Type confusion flaws can cause memory corruption and, in some Chrome components, give an attacker an opportunity for code execution.
- Use-After-Free Vulnerabilities: These flaws in Chrome's memory management could be used to execute arbitrary code or cause a denial of service.
- Same-Origin Policy Bypass: Attackers who get around controls in Chrome's security model may be able to obtain sensitive data across origins.
- UI Spoofing: Manipulating Chrome's user interface can trick users into interacting with malicious content, leading to unwanted actions or the disclosure of confidential information.
Consequences:
The identified vulnerabilities in Google Chrome pose risks to users and organizations, potentially leading to:
- Execution of arbitrary code
- Access to sensitive information
- Denial of Service (DoS)
- UI manipulation to deceive users.
- Compromise of user privacy
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps.
- Update Google Chrome: Ensure that Google Chrome is updated to the latest version available. Google frequently releases security patches and updates to address known vulnerabilities. Users can manually check for updates from Chrome's menu under Help > About Google Chrome (chrome://settings/help); the update takes effect after Chrome is relaunched.
- Proceed with Caution: Avoid clicking on suspicious links or downloading files from untrusted sources while browsing the web. Be cautious when connecting with content or websites you are not familiar with.
- Utilize Security Features: Turn on built-in security measures like Safe Browsing to guard against malware, phishing scams, and other dangerous websites.
- Report Security Issues: If you discover any suspicious activity or believe you have encountered a security vulnerability in Google Chrome, report it to Google immediately through their Vulnerability Reward Program or security reporting mechanisms.