Advisory ID: NCC-CSIRT-260124-002
Summary:
A widespread phishing campaign is currently circulating on Facebook with a message that reads, "I can't believe he is gone. I'm gonna miss him so much." This campaign is extensively propagated through the accounts of friends of the victims. Scammers exploit the Facebook accounts of targeted victims to disseminate harmful links masquerading as Facebook posts or news articles related to a person's demise. The perpetrators behind this scam aim to gather a large pool of hijacked accounts, intending to utilize them in subsequent attacks on the social media platform. The fraudulent links redirect compromised users to a website designed to steal their Facebook credentials.
Threat Type(s): Phishing
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Mobile Devices and Desktop Computers
Platform(s): Facebook
Version(s): All Versions
Description:
The Facebook phishing posts come in two forms. One simply states, "I can't believe he is gone. I'm gonna miss him so much," and contains a Facebook redirect link. The other uses the same text but shows what appears to be a BBC News video of a car accident or other crime scene. According to BleepingComputer, the two links in the phishing posts brought victims to different sites depending on the type of device used. Clicking the link from the Facebook app on a mobile device brings victims to a fake news site called 'NewsAmericaVideos' that prompts them to enter their Facebook credentials to confirm their identity and watch the video. To convince victims to enter their password, the site shows what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord. If victims enter their Facebook credentials, the threat actors steal them and the site redirects the victims to Google. The threat actors likely use the stolen credentials to promote the same phishing posts further through the hacked accounts. Visiting the phishing pages from a desktop computer causes a different behavior: the phishing sites redirect victims to Google or to other scams promoting VPN apps, browser extensions, or affiliate sites.
Consequences:
The phishing posts look more convincing and trustworthy because they come from friends' accounts, leading many to fall for the scam.
Solution:
- Do not click on links and URLs that appear suspicious or unfamiliar to you.
- Since the phishing attack does not aim to steal two-factor authentication (2FA) tokens, it is highly recommended that Facebook users activate 2FA to safeguard their accounts in the event of falling victim to a phishing scam. With 2FA enabled, only the user possesses access to the 2FA codes, ensuring that even if their credentials are compromised, unauthorized logins are prevented.
- While configuring two-factor authentication on Facebook, opt for an authentication app instead of relying on SMS texts, as phone numbers are susceptible to theft in SIM swapping attacks.
References:
- https://www.bleepingcomputer.com/news/security/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts/
- https://www.verifythis.com/article/news/verify/scams-verify/rip-dead-facebook-post-message-scam/536-efb6c9b7-5995-4b3a-a9b3-c797f99f3e05
- https://www.news9live.com/technology/tech-news/cant-believe-gone-facebook-scam-cybersecurity-hacking-hackernews-explained-2414635
- https://www.blackhatethicalhacking.com/news/widespread-i-cant-believe-he-is-gone-facebook-phishing-scam-targets-users-through-hacked-accounts/
Advisory ID: NCC-CSIRT-220124-001
Summary: Warnings have been issued by U.S. federal agencies, such as the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), regarding the emergence of a significant botnet set up by threat actors using the Androxgh0st malware. This botnet is employed to distribute malicious payloads after the compromise of cloud credentials. Observations indicate that threat actors using the botnet systematically check compromised accounts for email-sending limitations, facilitating their spamming activities. Additionally, these malicious actors have been detected creating deceptive pages on compromised websites, establishing a covert entry point to databases containing sensitive data. This access allows them to deploy additional malicious tools crucial to their operations.
Threat Type(s): Malware, Botnet, Vulnerability, and Spam
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Amazon Web Services (AWS), Twilio, Microsoft Office 365, Microsoft Azure, and SendGrid
Platform(s): Cloud Platform
Version(s): All Versions
Description: The Androxgh0st malware is a Python script that primarily targets '.env' files containing sensitive information for prominent cloud applications, such as Amazon Web Services (AWS), Microsoft Office 365, Microsoft Azure, SendGrid, and Twilio, commonly associated with the Laravel web application framework. The malware uses the Simple Mail Transfer Protocol (SMTP) to deploy web shells (a web shell is a malicious program used to access a web server remotely during cyberattacks) and takes advantage of leaked credentials. It systematically scans servers and websites for specific remote code execution vulnerabilities, including those in the Apache HTTP Server, the PHPUnit testing framework, and the Laravel PHP web framework. Once it has identified and compromised cloud credentials on a vulnerable website, it has in some instances attempted to create new users and user policies.
Consequences:
- Androxgh0st malware is capable of scanning for and exploiting exposed credentials and application programming interfaces (APIs), and of deploying web shells.
- Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
- Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
Solution: Organizations' network defenders should implement the following mitigation measures:
- Keep all operating systems, software, and firmware updated. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is set to deny all requests unless there is a specific need for accessibility.
- Ensure that any active Laravel applications are not in "debug" or testing mode. Remove all cloud credentials from .env files and promptly revoke them.
- Conduct a one-time review for previously stored cloud credentials and perform ongoing assessments for other credential types that cannot be removed. Check platforms or services listed in the .env file for any signs of unauthorized access or use.
- Scan the server's file system for any unfamiliar PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Monitor outgoing GET requests (via cURL command) to file hosting sites such as GitHub or Pastebin, especially when the request involves accessing a ‘.php’ file.
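The mitigation list above can be turned into repeatable host-side checks. The following is an added example, not code from the advisory, CISA or the Laravel project: it audits a Laravel .env file for debug/testing mode and for cloud credentials left in the file, checks a Server header against the two Apache releases named above, lists PHP files in the PHPUnit Util/PHP directory that a clean install does not contain, and flags egress log lines showing a GET of a .php file from a file-hosting site. The sample .env, file list, PHPUnit baseline and log lines are constructed, and the credential key names and file-hosting domains are this example's assumptions.

```python
"""Host-side checks for the Androxgh0st mitigations listed in the advisory.

Added example, not from the advisory, CISA or Laravel. Sample inputs are
constructed; credential key names and file-hosting domains are assumptions.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import urlparse

# .env keys that commonly hold cloud/mail credentials in Laravel apps (assumed).
CREDENTIAL_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "MAIL_PASSWORD",
                   "SENDGRID_API_KEY", "TWILIO_AUTH_TOKEN", "AZURE_CLIENT_SECRET"}
# Apache httpd releases the advisory says must not be running.
VULNERABLE_APACHE = {"2.4.49", "2.4.50"}
# Directory the advisory names as a place to look for unfamiliar PHP files.
PHPUNIT_UTIL_DIR = "vendor/phpunit/phpunit/src/Util/PHP"
# File-hosting sites named in the advisory, plus GitHub's raw-content host (assumed).
FILE_HOSTS = ("github.com", "raw.githubusercontent.com", "pastebin.com")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines of a .env file; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(env: dict) -> list:
    """Findings for debug/testing mode and for credentials still kept in .env."""
    findings = []
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append("APP_DEBUG=true: application is running in debug mode")
    if env.get("APP_ENV", "").lower() == "testing":
        findings.append("APP_ENV=testing: application is running in testing mode")
    for key in sorted(CREDENTIAL_KEYS & env.keys()):
        if env[key]:  # an empty value means the credential was already removed
            findings.append(f"{key} is set in .env: revoke it and move it out of the file")
    return findings


def apache_version_is_vulnerable(server_header: str) -> bool:
    """True if a Server header reports one of the releases named in the advisory."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_header)
    return bool(m) and m.group(1) in VULNERABLE_APACHE


def unexpected_phpunit_files(paths, baseline) -> list:
    """PHP files in PHPUnit's Util/PHP directory whose names are not in the baseline.

    baseline: file names taken from a clean install of the same PHPUnit version.
    """
    hits = []
    for p in paths:
        path = PurePosixPath(p)
        if path.suffix == ".php" and path.parent.as_posix().endswith(PHPUNIT_UTIL_DIR):
            if path.name not in baseline:
                hits.append(p)
    return hits


def suspicious_outbound_fetch(log_line: str) -> bool:
    """Flag a GET of a .php file from a file-hosting site in an egress log line.

    Constructed log format: '<timestamp> <src_ip> <method> <url> <user_agent>'.
    """
    parts = log_line.split(maxsplit=4)
    if len(parts) < 4 or parts[2] != "GET":
        return False
    url = urlparse(parts[3])
    host = (url.hostname or "").lower()
    on_file_host = host in FILE_HOSTS or host.endswith(tuple("." + h for h in FILE_HOSTS))
    return on_file_host and url.path.lower().endswith(".php")


# Constructed sample inputs (placeholder values, not real credentials or telemetry).
SAMPLE_ENV = """
APP_NAME=Demo
APP_ENV=production
APP_DEBUG=true
AWS_ACCESS_KEY_ID="AKIA-PLACEHOLDER-NOT-REAL"
AWS_SECRET_ACCESS_KEY=
MAIL_PASSWORD='placeholder-not-real'
"""
SAMPLE_FILES = [
    "/var/www/app/public/index.php",
    "/var/www/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/var/www/app/vendor/phpunit/phpunit/src/Util/PHP/cache.php",
]
PHPUNIT_BASELINE = {"DefaultPhpProcess.php", "eval-stdin.php"}  # assumed clean-install names
SAMPLE_LOG = [
    "2024-01-16T09:12:03Z 10.0.0.5 GET https://raw.githubusercontent.com/x/y/main/shell.php curl/7.88.1",
    "2024-01-16T09:12:09Z 10.0.0.5 GET https://github.com/x/y/releases curl/7.88.1",
]

if __name__ == "__main__":
    print("env findings:", audit_env(parse_env(SAMPLE_ENV)))
    print("apache 2.4.49 vulnerable:", apache_version_is_vulnerable("Apache/2.4.49 (Unix)"))
    print("unexpected phpunit files:", unexpected_phpunit_files(SAMPLE_FILES, PHPUNIT_BASELINE))
    print("suspicious fetches:", [l for l in SAMPLE_LOG if suspicious_outbound_fetch(l)])
```

The baseline for the PHPUnit directory must be generated from a clean install of the same PHPUnit version, since the legitimate file names differ between releases; a name match alone does not prove a file is unmodified, so pair the check with hashes from the same clean install where possible.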
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
- https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/
- https://www.spiceworks.com/it-security/security-general/news/federal-agencies-warning-androxgh0st-malware-botnet/
- https://www.techrepublic.com/article/androxgh0st-malware-botnet/
Advisory ID: ngCERT-2024-0001
Summary: Security researchers uncovered a new technique used by cyber criminals to hack into people's Google accounts without requiring their passwords. Google accounts are potentially exposed due to authentication cookies that bypass two-factor authentication. In this hack, criminals employ malware to gain access to Google accounts without requiring any passwords. According to the findings, the malware uses third-party cookies to gain access to private information from affected accounts. Furthermore, the new weakness allows hackers to access Google services even after a user's password has been reset. However, Chrome is currently cracking down on third-party cookies.
Damage/Probability: CRITICAL/HIGH
Description: This attack exploits a major weakness in the cookie generating process. During an attack, hackers use session persistence techniques to keep their sessions valid despite changes in credentials. This is due to a weakness in cookies, which are used by websites and browsers to track users and improve their efficiency and functionality. Google authentication cookies enable users to access their accounts without repeatedly inputting their login information. However, hackers identified a technique to extract these cookies and bypass two-factor authentication. This exploit allows continued access to Google services even when a user's password is reset. The vulnerability was first incorporated into the Lumma Infostealer malware and was thereafter adopted by the Rhadamanthys, Risepro, Meduza, Stealc Stealer, WhiteSnake and Eternity stealer malware.
The infostealers target the token_service table in Chrome's WebData database to collect tokens and account IDs from logged-in Chrome profiles. The encrypted tokens are decrypted using an encryption key saved in Chrome's Local State file within the UserData directory, in the same way as saved passwords. The attack strategy is based on a subtle alteration of the token:GAIA ID pair, a vital component in Google's authentication process. This pair, when used with the MultiLogin endpoint, allows Google service cookies to be regenerated. The strategic innovation is that the token:GAIA ID pair is encrypted with the operators' own private keys; by doing so, they essentially 'blackbox' the exploitation process, keeping the core mechanics of the hack hidden.
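Because the stealers described above must read two specific files in the Chrome profile (the "Web Data" database holding the token_service table and the "Local State" file holding the key that protects it), a file-access rule is a practical detection. The following is an added example, not code from the advisory or from any of the sources it cites: it runs such a rule over constructed file-access events, flagging any process other than the browser that reads those files. The event line format, the process allowlist and the sample events are this example's assumptions; map your EDR or Sysmon fields onto the parser.

```python
"""Detect non-browser processes reading Chrome's token and key stores.

Added example, not part of the advisory. Event format, allowlist and
sample events are constructed for this example.
"""
import re

# On-disk names under ...\Google\Chrome\User Data\ that hold the material the
# stealers go after. "Login Data" is included because the same Local State
# key protects saved passwords.
SENSITIVE_CHROME_FILES = {"local state", "web data", "login data"}
# Process images expected to touch these files (assumed allowlist; a production
# rule should also check the signer and install path, since names can be spoofed).
ALLOWED_IMAGES = {"chrome.exe"}

# key=value pairs; values containing spaces are double-quoted.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one constructed-format event line into a field dictionary."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _FIELD_RE.finditer(line)}


def _basename(path: str) -> str:
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def targets_chrome_secret(path: str) -> bool:
    """True if path points at a sensitive file inside a Chrome profile directory."""
    p = path.replace("/", "\\").lower()
    return "\\google\\chrome\\user data\\" in p and _basename(p) in SENSITIVE_CHROME_FILES


def is_suspicious(event: dict) -> bool:
    """A read of a Chrome secret store by a process image not on the allowlist."""
    if event.get("op") != "read":
        return False
    image = _basename(event.get("image", "")).lower()
    return targets_chrome_secret(event.get("path", "")) and image not in ALLOWED_IMAGES


def flag_events(lines) -> list:
    """Return (pid, image basename, file name) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev.get("pid"), _basename(ev["image"]), _basename(ev["path"])))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'ts=2024-01-05T10:00:01Z pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"',
    r'ts=2024-01-05T10:00:07Z pid=5312 image="C:\Users\u\AppData\Local\Temp\update.exe" op=read path="C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"',
    r'ts=2024-01-05T10:00:07Z pid=5312 image="C:\Users\u\AppData\Local\Temp\update.exe" op=read path="C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Web Data"',
    r'ts=2024-01-05T10:00:09Z pid=6001 image="C:\Windows\System32\notepad.exe" op=read path="C:\Users\u\Documents\notes.txt"',
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious read:", hit)
```

Legitimate software such as backup agents will also read these files, so the allowlist needs tuning per environment; the high-value signal is a read of "Local State" followed shortly by a read of "Web Data" or "Login Data" from the same unexpected process, which is the order the decryption described above requires.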
Consequences: Successful exploitation will result in the following:
- Attackers can gain session persistence even when the account password is changed by bypassing typical security measures.
- Attacker's ability to maintain unauthorized access can be enhanced with the capability to generate valid cookies in the event of a session disruption.
- The criminals can also steal and exfiltrate sensitive data from a compromised account.
- The criminals can steal the user's identity to conduct other nefarious activities.
Solution: It is therefore recommended that:
- Users should continually take steps to protect their computers and remove any malware using reliable anti-malware software.
- Users should turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
- Users should avoid accepting third-party cookies from untrusted websites.
- If a user suspects that their account may have been compromised, or as a general precaution, they should sign out of all browser profiles to invalidate the current session tokens, then reset their password and sign back in to generate new tokens. Resetting the password disrupts unauthorized access by invalidating the old tokens that the infostealers rely on, providing a crucial barrier to the continuation of the exploit.
- Users should always update their web browsers as soon as an update notification appears.
References:
- https://www.independent.co.uk/tech/google-account-password-security-hackers-b2474195.html/
- https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
- https://ciso.economictimes.indiatimes.com/news/cybercrime-fraud/cybercriminals-find-new-way-to-access-google-accounts-without-password-report/106628035/
Advisory ID: NCC-CSIRT-151223-046
Summary: The vulnerabilities in Android/Samsung Galaxy smartphones warned about by the Indian government are significant and affect Android versions 11, 12, 13, and 14. These vulnerabilities can lead to a range of serious security issues. They allow attackers to potentially bypass security measures, access sensitive information, and execute arbitrary code on the devices. This means hackers could gain unauthorized access to personal data, control phone functions, or even introduce harmful software without the user's knowledge. Installing the update is crucial in mitigating the risk and safeguarding personal and sensitive information stored on the phones.
Threat Type(s): Malware, Phishing.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android versions 11, 12, 13, and 14, Samsung Galaxy Smartphones.
Platform(s): Android Operating Systems.
Version(s): Versions 11, 12, 13, and 14.
Description: The vulnerabilities identified in Samsung Galaxy smartphones, specifically affecting Android versions 11, 12, 13, and 14, present serious security concerns. They open doors for unauthorized access, allowing hackers to bypass existing security protocols. Once inside the system, attackers can access sensitive personal and financial information, posing a significant risk of data theft and privacy invasion. The severity of these vulnerabilities lies in their potential to let attackers execute arbitrary code on the devices, potentially leading to complete control over the phone's functions. This scenario could result in malicious software installations, surveillance, data manipulation, or even financial fraud if payment apps are compromised. The vulnerabilities underscore the critical need for regular software updates and robust digital security practices.
Consequences: The vulnerabilities in Samsung Galaxy smartphones pose several risks. Hackers could gain unauthorized access to devices, leading to personal data exposure, including contacts, messages, and financial information. This access could also allow them to control phone functions or install harmful software, potentially leading to privacy breaches.
Solution:
- Immediate Software Update
- Regular Security Checks
- Enhanced User Awareness
References:
- https://www.timesnownews.com/technology-science/using-samsung-smartphone-indian-govt-has-a-warning-for-you-article-105991466
Advisory ID: ngCERT-2023-0041
Summary: According to recent research, the year 2023 has witnessed an alarming increase in the activities of deceptive Android loan apps, which promote themselves as reputable personal loan services promising quick and easy access to funds. These apps allegedly defraud users by presenting them with enticing loan offers backed by false claims, while exfiltrating their victims' financial and personal data, which is then used to blackmail them and steal their funds. Consequently, Android app users are advised to take necessary precautions against the activities of these loan shark apps.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: These malicious SpyLoan apps impersonate reputable loan providers and financial services and are promoted through SMS messages and popular social media channels as a means to lure victims who are in need of financial assistance. It is important to note that these apps are available to download from dedicated scam websites and third-party app stores, and sometimes from Google Play. Once a user installs the app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device, such as lists of accounts, call logs, calendar events, device information, lists of installed apps, local Wi-Fi network information, contact lists, location data, and SMS messages.
Subsequently, the app requests user registration, which is typically accomplished through SMS one-time password verification to validate the victim's phone number. The users are then compelled to complete the loan application process by providing extensive personal information, including address details, contact information, proof of income, bank account details, Bank Verification Number (BVN), photos of identification cards, National Identification Number (NIN), and selfies. The exfiltrated data are forwarded to the attackers' servers and are used to harass or blackmail users, even if a loan was never provided. The data can also be sold or used to conduct other malicious activities against the victims.
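A quick way to vet a loan app before installing it is to compare the permissions it declares against what a lending product actually needs. The following is an added example, not code from the advisory or from any research it draws on: given an AndroidManifest.xml (the sample below is constructed), it lists the declared <uses-permission> entries and maps those reaching the data categories named above (accounts, call logs, calendar, contacts, location, SMS) back to that category. The permission names are the real Android permission constants; the mapping to categories and the sample manifest are this example's assumptions.

```python
"""Vet the permissions an Android loan app declares against the data the
SpyLoan apps harvest. Added example, not from the advisory; the mapping
and the sample manifest are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Android permission -> category of harvested data named in the advisory.
OVERREACHING = {
    "android.permission.GET_ACCOUNTS": "list of accounts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.ACCESS_FINE_LOCATION": "location data",
    "android.permission.ACCESS_COARSE_LOCATION": "location data",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every declared permission, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter()
            if el.tag in PERMISSION_TAGS and el.get(NAME_ATTR)]


def overreaching_permissions(manifest_xml: str) -> dict:
    """Map each declared permission that reaches harvested data to its category."""
    return {p: OVERREACHING[p] for p in declared_permissions(manifest_xml) if p in OVERREACHING}


def harvested_categories(manifest_xml: str) -> list:
    """Sorted, de-duplicated categories of device data the app could exfiltrate."""
    return sorted(set(overreaching_permissions(manifest_xml).values()))


# Constructed sample manifest for a hypothetical loan app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="QuickLoan"/>
</manifest>
"""

if __name__ == "__main__":
    print("declared:", declared_permissions(SAMPLE_MANIFEST))
    for perm, category in overreaching_permissions(SAMPLE_MANIFEST).items():
        print(f"overreaching: {perm} -> {category}")
```

The declared permission list of a packaged app can be obtained with `aapt dump permissions app.apk` from the Android SDK build tools; declared permissions are an upper bound on what the app can request at runtime, so a loan app declaring READ_CALL_LOG or READ_SMS is a warning sign regardless of when it actually prompts for them.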
Consequences: Subscribing to the services of loan shark Android apps can result in the following:
- Data exfiltration.
- Damage to reputation.
- Financial losses.
- Identity theft.
- Impersonation of victims.
- Hacking of mobile devices.
- Possible installation of malicious software.
Solution: The following are recommended:
- Avoid the installation of loan apps from unofficial sources and third-party app stores.
- Validate the authenticity of financial apps before patronizing them.
- Seek the services of legitimate financial service providers.
- Report identified or known incidents involving loan sharks.
References: