Advisory ID: ngCERT-2024-0033
Summary:
ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software, recently exploited by ransomware groups. The flaw is designated CVE-2023-27532, affecting VBR versions 12 and below. Threat actors exploit this weakness by obtaining encrypted and plaintext credentials stored in the configuration database, which are then used to elevate privileges and execute arbitrary code on affected systems. Successful exploitation of the vulnerability may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that the Phobos ransomware group recently exploited this flaw in a ransomware attack on a cloud infrastructure within the Nigerian cyberspace. Accordingly, users are strongly advised to implement the latest security patches from Veeam for VBR, and the other mitigation steps recommended herein.
Threat Type(s): Ransomware
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Microsoft Exchange server, SQL Server, Windows Server, Linux Server, Oracle, Azure, AWS, VMware, Hyper-V
Platform(s): Windows and Linux Operating Systems
Version(s): All Versions
Description:
CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software, which allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam Backup Service (C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on TCP port 9401, where they can issue requests to extract confidential data from the backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass the authentication mechanism by sending crafted requests directly to the service, allowing them to obtain critical information such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as backup servers often store highly sensitive and valuable information.
Solution:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Block the malicious external IP addresses and other malicious IP addresses on your network.
- Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
- Activate built-in security features on endpoint devices which scan applications for malware.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution including anti-malware software.
- Enforce a strong password policy, implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
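The advisory names TCP port 9401 as the service attackers connect to, so the last mitigation (close ports that are not essential) can be verified rather than assumed. The script below is an added example, not ngCERT's or Veeam's code: it attempts a plain TCP handshake to each backup server in an inventory and reports any that accept a connection on 9401 from the vantage point it runs on, which should be outside the backup management network. The host names in the inventory are placeholders, and demo() stands up a throwaway loopback listener as a constructed stand-in for an exposed service so the check can be exercised offline.

```python
"""Verify that the Veeam Backup Service port (TCP 9401) is not reachable from
where it should not be.  Added example, not ngCERT's or Veeam's code."""
import socket
from typing import Dict, List, Tuple

VEEAM_BACKUP_SERVICE_PORT = 9401  # port named in the advisory


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the service (or something in front of it)
    accepts connections from this vantage point, which is exactly what a
    filter on TCP 9401 should prevent outside the backup management network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def exposure_report(hosts: List[str], port: int = VEEAM_BACKUP_SERVICE_PORT,
                    timeout: float = 3.0) -> Dict[str, bool]:
    """Check every host in an inventory and return {host: reachable}."""
    return {h: tcp_reachable(h, port, timeout) for h in hosts}


def demo() -> Tuple[bool, bool]:
    """Self-contained demonstration on the loopback interface.

    A listening socket is a constructed stand-in for an exposed service
    (nothing here talks to a real VBR install).  It is checked while
    listening, closed, and checked again.
    Returns (reachable_while_listening, reachable_after_close).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    before = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return before, after


if __name__ == "__main__":
    # Placeholder inventory: replace with the public-facing addresses of your
    # backup servers and run from OUTSIDE the management network.
    inventory = ["backup01.example.internal", "backup02.example.internal"]
    for host, reachable in exposure_report(inventory, timeout=2.0).items():
        status = "EXPOSED - restrict or patch" if reachable else "not reachable"
        print(f"{host}:{VEEAM_BACKUP_SERVICE_PORT} {status}")
    print("loopback demo (expect (True, False)):", demo())
```

A reachable result from the internet side means the filter is missing; a reachable result from the management network is expected and says nothing about the patch level, which still has to be confirmed on the server itself.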
References:
- https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
- https://cisometric.com/articles/ransomware-alert-estateransomware-exploits-veeam-backup-software
- https://cirt.gy/article/al2024_15-veeam-backup-replication-software-security-flaw-exploited-by-new-ransomware-group-estateransomware-15th-july-2024/
Advisory ID: NCC-CSIRT-170924-009
Summary:
Researchers from Trend Micro's Zero Day Initiative have discovered a newly identified Windows vulnerability, exploited as a zero-day to execute code via the disabled Internet Explorer browser. This vulnerability, tracked as CVE-2024-43461, is classified as a high-severity issue. It was addressed in a patch released on Tuesday, September 10, 2024, over two months after it had already been exploited in the wild.
Threat Type(s): Vulnerability, Zero-Day Attack
Impact/Vulnerability: CRITICAL/HIGH
Product(s): MS Windows
Platform(s): Internet Explorer browser
Version(s): All Versions
Description:
The research revealed that the security flaw is a spoofing vulnerability in a component of Internet Explorer’s Web Archive file format. This format combines HTML code and its related resources (such as images) into a single file, even when these resources are linked externally in the webpage's HTML. Despite Internet Explorer being disabled, the platform remains in Windows and is still utilized by certain applications in specific scenarios.
The vulnerability arises from how Internet Explorer handles the user prompt shown after a file download. A maliciously crafted file name can conceal the file's true extension, tricking the user into believing the file is safe to open. By exploiting this flaw, an attacker can execute code with the privileges of the current user.
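Because the weakness is a file name that hides its real extension, a download gateway or mail filter can flag such names before a user ever sees the prompt. The checker below is an added example and not Microsoft's, ZDI's or NCC-CSIRT's code. It assumes the general shape of the trick (a benign-looking decoy extension, a run of characters that render as blank, then the executable extension that Windows actually acts on) and, as a second case, the older bidi-override trick that makes a name display reversed; public analyses of this exploit chain described a decoy .pdf name padded with Braille blank characters (U+2800) ahead of a .hta extension, and the sample names here are constructed on that pattern. The padding threshold of 8 is an arbitrary assumption.

```python
"""Flag download file names that disguise their real extension.
Added example, not Microsoft's, ZDI's or NCC-CSIRT's code."""
import unicodedata
from typing import List, Tuple

# Extensions Windows runs directly or hands to a script host when opened.
EXECUTABLE_EXTENSIONS = {"exe", "hta", "js", "jse", "vbs", "vbe", "wsf", "wsh",
                         "scr", "pif", "com", "bat", "cmd", "ps1", "msi", "lnk", "url"}

# Bidi controls make a name display in reversed order ("fdp.exe" shown as "exe.pdf").
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

PADDING_THRESHOLD = 8  # assumption: more blank-looking characters than any honest name needs


def _is_blank_looking(ch: str) -> bool:
    """True for characters that take up space but draw nothing visible.

    Covers ordinary whitespace, Unicode space/format categories, and U+2800
    BRAILLE PATTERN BLANK, which is not a space by category but renders as one.
    """
    if ch == "\u2800":
        return True
    return ch.isspace() or unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cf")


def _visible(s: str) -> str:
    """Drop every blank-looking character."""
    return "".join(ch for ch in s if not _is_blank_looking(ch))


def analyse_filename(name: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for a file name exactly as it was supplied."""
    reasons: List[str] = []

    # The extension the OS acts on is whatever follows the final dot.
    stem, _, tail = name.rpartition(".")
    real_ext = _visible(tail).lower() if "." in name else ""
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension .{real_ext} is executable")

    # A bidi control has no legitimate use inside a file name.
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("contains bidi override/isolate control characters")

    # Blank-looking padding between a decoy extension and the real one pushes
    # the real extension out of view in a narrow download prompt.
    padding = sum(1 for ch in stem if _is_blank_looking(ch))
    if padding >= PADDING_THRESHOLD:
        reasons.append(f"{padding} blank-looking characters before the real extension")

    # A benign-looking extension inside the stem followed by an executable one.
    parts = [p for p in (_visible(p) for p in stem.split(".")) if p]
    if (len(parts) >= 2 and parts[-1].lower() not in EXECUTABLE_EXTENSIONS
            and real_ext in EXECUTABLE_EXTENSIONS):
        reasons.append(f"decoy extension .{parts[-1].lower()} hides .{real_ext}")

    return bool(reasons), reasons


# Constructed samples: an honest name, a padded decoy, and a bidi-reversed name.
SAMPLE_NAMES = [
    "invoice.pdf",
    "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
    "report\u202efdp.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        suspicious, why = analyse_filename(n)
        print(repr(n), "->", "SUSPICIOUS" if suspicious else "ok", why)
```

The check looks at the raw name, not the rendered one, which is the point: whatever the prompt shows, the operating system dispatches on the characters after the last dot.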
Solution:
The vulnerability identified as CVE-2024-43461 was exploited as part of an attack chain involving the CVE-2024-38112 flaw prior to July 2024. To ensure complete protection against this threat, users are advised to install both the Windows July 2024 security updates, which addressed CVE-2024-38112, as well as the Windows September 2024 updates. Links to the relevant security updates are provided below:
- https://www.securityweek.com/microsoft-says-recent-windows-vulnerability-exploited-as-zero-day/
- https://www.securityweek.com/apt-exploits-windows-zero-day-to-execute-code-via-disabled-internet-explorer/
- https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461
Advisory ID: NCC-CSIRT-110924-008
Summary:
Researchers from anti-malware vendor ESET have identified a sophisticated phishing technique targeting iOS and Android users. The tactic involves using web applications that imitate legitimate banking software, enabling cybercriminals to bypass security measures and steal users' login credentials.
These fraudulent web apps closely replicate the interfaces of well-known financial institutions, making it difficult for users to detect the deception. Once victims enter their credentials, the information is transmitted to attackers, granting them unauthorized access to sensitive banking accounts.
Threat Type(s): Phishing, and Malvertising
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Apple and Android-based mobile devices
Platform(s): iOS and Android OS
Version(s): All Versions
Description:
According to the researchers, attackers leveraged Progressive Web Applications (PWAs) on Apple devices—websites packaged to resemble standalone apps. These PWAs, built using web technologies, are platform-agnostic and do not require users to enable third-party app installations. On Android devices, the attackers utilized WebAPKs, a technology that allows web apps to be installed as native applications, appearing as if they were downloaded from Google Play.
In the observed attacks, iOS users were instructed to add the PWA to their home screens, while Android users were prompted to approve custom pop-ups before installing the WebAPK. WebAPKs, considered enhanced versions of PWAs, mimic native apps and do not trigger warnings on Android devices, even when installation from third-party sources is disabled. Moreover, the apps’ information pages falsely indicated that they were downloaded from Google Play.
When users opened the phishing link, they were redirected to a webpage mimicking the official Google Play or Apple Store, or the targeted bank’s website. They were then prompted to install an updated version of the banking app, which led to the installation of the malicious software without triggering any security alerts. Once installed, the PWA or WebAPK placed an icon on the home screen, and opening it led directly to a phishing login page designed to steal users' credentials.
Solution:
- Users should avoid installing apps that are not available on official platforms like the Play Store or Apple App Store.
- Always verify any messages received via SMS, email, or social media before taking action.
- If prompted to update an app via text message, visit the official website or app store to confirm the update before proceeding.
- Be cautious when dealing with Progressive Web Applications (PWAs) and avoid installing them from untrusted or suspicious websites.
- Utilize a reliable security solution that can detect and block websites using PWAs and WebAPKs for phishing attacks.
- Multi-factor authentication and user education on phishing threats are essential to enhance security.
Advisory ID: NCC-CSIRT-260824-007
Summary:
ESET malware researcher Lukas Stefanko has identified a new Android malware called NGate. This malware is capable of stealing funds from payment cards by transmitting data collected by the near-field communication (NFC) chip to an attacker’s device. With NGate, attackers can emulate the victims' cards, allowing them to make unauthorized payments or withdraw cash from ATMs.
Threat Type(s): Malware, and Phishing
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android Devices
Platform(s): Android OS
Version(s): All Versions
Description:
The attack begins with malicious texts, automated calls with pre-recorded messages, or malvertising, which trick victims into installing a malicious progressive web app (PWA) on their devices. These PWAs, disguised as urgent security updates, mimic the official icon and login interface of the targeted bank to steal client credentials. The apps require no special permissions upon installation, instead exploiting the web browser's API to gain access to the device's hardware components.
After the phishing stage, the victim is further deceived into installing NGate during the second phase of the attack. Once installed, NGate activates an open-source tool called 'NFCGate,' which enables on-device capturing, relaying, replaying, and cloning of NFC data. This tool can function without the device being rooted. NGate captures NFC data from payment cards near the infected device and transmits it to the attacker, either directly or via a server. The attacker can then save this data as a virtual card and use it to withdraw cash from ATMs or make payments at point-of-sale (PoS) systems.
Solution:
- If you are not actively using NFC, you can mitigate the risk by disabling your device's NFC chip. On Android, go to Settings > Connected devices > Connection preferences > NFC and turn the toggle to the off position.
- Only install bank apps from the bank's official webpage or Google Play.
- Ensure the bank app you are using is not a WebAPK.
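Both this advisory and the preceding one (NCC-CSIRT-110924-008) turn on the same tell: a WebAPK carries the bank's icon and label but is not the bank's native package. The script below is an added example and not ESET's, Google's or NCC-CSIRT's code. It parses the output of `adb shell pm list packages -f` from a device with USB debugging enabled and lists the packages that are WebAPK shells. It assumes that WebAPKs minted through Chrome's minting service are installed under the package prefix `org.chromium.webapk.` (the remainder of the name is a hash); the sample output, the package `com.example.bank` and the hash are constructed.

```python
"""Spot WebAPK-installed 'apps' among an Android device's packages.
Added example, not ESET's, Google's or NCC-CSIRT's code."""
import re
import subprocess
from typing import Dict, List

# Assumption stated in the lead-in: WebAPK shells live under this package prefix.
WEBAPK_PREFIX = "org.chromium.webapk."

# One line of `pm list packages -f` looks like: package:<apk path>=<package name>
_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_package_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    The APK path itself may contain '=' (Android's random install directories
    are base64), so the regex anchors on the package name at end of line.
    """
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def find_webapks(packages: Dict[str, str]) -> List[str]:
    """Return the package names that are WebAPK shells rather than native apps."""
    return sorted(p for p in packages if p.startswith(WEBAPK_PREFIX))


def list_device_packages() -> str:
    """Ask an attached, USB-debugging-enabled device for its package list via adb."""
    return subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output standing in for a real device: Chrome, a genuine
# native banking app, and a WebAPK shell that would show a bank's icon and name.
SAMPLE_OUTPUT = """\
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~abc==/com.example.bank-1/base.apk=com.example.bank
package:/data/app/~~def==/org.chromium.webapk.a1b2c3d4e5f6a7b8-1/base.apk=org.chromium.webapk.a1b2c3d4e5f6a7b8
"""

if __name__ == "__main__":
    pkgs = parse_package_list(SAMPLE_OUTPUT)   # swap in list_device_packages() for a real device
    for p in find_webapks(pkgs):
        print(f"WebAPK shell installed: {p} -> {pkgs[p]}")
```

A WebAPK is not malicious in itself; the finding is that an "app" the user believes came from Google Play is a packaged web page, and any banking app in that list should be removed and reinstalled from the bank's official listing.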
Advisory ID: ngCERT-2024-0025
Summary:
ngCERT has detected an increase in ransomware attacks by the Phobos ransomware group, specifically targeting critical cloud service providers within our national cyberspace. We are actively collaborating with vulnerable and affected organizations to swiftly resolve these incidents and prevent further escalation. The most at-risk entities include providers of information technology and telecommunication services, such as managed cloud services, whose clients include critical government agencies, financial institutions, telecommunications, education, healthcare, service providers, and NGOs in Nigeria. It is essential for organizations to proactively implement the mitigation strategies outlined in this document to help prevent the spread of the malware.
Threat Type: Ransomware (Email: )
Extension: (.xshell)
File Format: filename.id[xxxxxx-xxxx].email.xshell
Damage/Probability: CRITICAL/HIGH
Description:
Phobos attackers commonly gain entry into vulnerable networks through phishing campaigns that deliver hidden payloads, or by employing IP scanning tools such as Angry IP Scanner to identify exposed Remote Desktop Protocol (RDP) ports. They also leverage RDP in Microsoft Windows environments. Upon discovering an exposed RDP service, they utilize open-source brute-force tools to gain access. Alternatively, they deploy spoofed email attachments containing hidden payloads such as SmokeLoader to initiate infection. To execute and escalate privileges, Phobos actors run executables such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges. They leverage Windows command shell capabilities for system control and utilize SmokeLoader in a three-phase process for payload decryption and deployment, ensuring evasive actions against network defenses. Furthermore, to evade detection, Phobos ransomware modifies firewall configurations, utilizes evasion tools such as Universal Virus Sniffer and Process Hacker, and employs techniques such as token theft and privilege escalation through Windows API functions.
Phobos actors use tools like Bloodhound and Sharphound for active directory enumeration, Mimikatz for credential extraction, and WinSCP/Mega.io for file exfiltration. They target various data types for exfiltration, including legal, financial, technical, and database files, which are archived and later exported. After exfiltrating data, Phobos ransomware targets backups by deleting volume shadow copies and encrypts connected drives on the target system. It delivers unique ransom notes and communicates with victims via email, voice calls, and instant messaging platforms, often utilizing onion sites for data hosting and communication.
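Two of the behaviours described above leave host-side evidence that is cheap to look for: the encrypted-file naming scheme given in the header (filename.id[xxxxxx-xxxx].email.xshell) and the shadow-copy deletion and firewall changes that precede encryption. The script below is an added example, not ngCERT's code. It assumes that the victim identifier in the bracket is hexadecimal, that the second field is a four-digit campaign number, and that the email may or may not be enclosed in its own brackets; the log-line format (timestamp, host=, user=, cmd=) is constructed for the example, so the event parser would be adapted to whatever process-creation source (Windows 4688 events, Sysmon, an EDR export) is actually in use. The sample file names and events are constructed.

```python
"""Host-side indicators for the Phobos activity described in the advisory.
Added example, not ngCERT's code."""
import re
from typing import Dict, List, Optional, Tuple

# Encrypted-file name from the advisory header:
#   filename.id[<victim id>-<campaign>].<email>.xshell
# Assumptions: victim id is 6-8 hex digits, campaign is 4 decimal digits,
# the email may be wrapped in its own square brackets.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{6,8})-(?P<campaign>\d{4})\]"
    r"\.\[?(?P<email>[^\]\s]+@[^\]\s]+?)\]?\.xshell$"
)

# Command lines used to destroy recovery points and loosen the host firewall
# before encryption.  Case-insensitive; ".exe" may or may not be present.
DESTRUCTIVE_COMMANDS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion (vssadmin)"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion (wmic)"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "Windows recovery disabled"),
    (re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I), "firewall profile disabled"),
]

# Constructed process-creation line: <timestamp> host=<host> user=<user> cmd="<command line>"
_EVENT = re.compile(r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"\s*$')


def parse_phobos_name(filename: str) -> Optional[Dict[str, str]]:
    """Return the fields of a Phobos-encrypted file name, or None if it is not one."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


def scan_filenames(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (filename, victim id, contact email) for every encrypted file found."""
    hits = []
    for n in names:
        info = parse_phobos_name(n)
        if info:
            hits.append((n, info["victim"], info["email"]))
    return hits


def scan_process_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, user, description) for every destructive command in the log."""
    hits = []
    for line in lines:
        m = _EVENT.search(line)
        if not m:
            continue
        for pattern, description in DESTRUCTIVE_COMMANDS:
            if pattern.search(m.group("cmd")):
                hits.append((m.group("host"), m.group("user"), description))
                break
    return hits


# Constructed samples.
SAMPLE_FILES = [
    "Q3-budget.xlsx.id[A1B2C3D4-3301].[rescue@example.test].xshell",
    "contract.docx.id[A1B2C3D4-3301].rescue@example.test.xshell",
    "notes.txt",
]
SAMPLE_EVENTS = [
    '2024-08-20T03:14:07Z host=FS01 user=CORP\\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-08-20T03:14:09Z host=FS01 user=CORP\\svc_backup cmd="netsh advfirewall set currentprofile state off"',
    '2024-08-20T03:15:00Z host=WS07 user=CORP\\alice cmd="notepad.exe C:\\Users\\alice\\notes.txt"',
    '2024-08-20T03:16:22Z host=FS01 user=CORP\\svc_backup cmd="bcdedit /set {default} recoveryenabled no"',
]

if __name__ == "__main__":
    for name, victim, email in scan_filenames(SAMPLE_FILES):
        print(f"encrypted file: {name} (victim id {victim}, contact {email})")
    for host, user, what in scan_process_events(SAMPLE_EVENTS):
        print(f"{host} {user}: {what}")
```

The shadow-copy and firewall commands are worth alerting on in their own right: an account that is not a backup or platform administrator running any of them is a strong signal even before an .xshell file appears, and the victim identifier recovered from file names lets responders group hosts hit by the same campaign.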
Consequences:
A successful attack could result in the following:
- System Compromise.
- Ransom payment.
- Data encryption or system lockout.
- Data loss and exfiltration.
- Financial losses.
- Denial of Service (DoS).
- Fraudulent activity using compromised systems.
Solution:
It is therefore recommended that relevant organizations:
- Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools.
- Prioritize remediating known exploited vulnerabilities.
- Implement EDR solutions to disrupt threat actor memory allocation techniques.
- Disable command-line and scripting activities and permissions.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Implement time-based access for accounts at the admin level and higher.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
- Install, regularly update, and enable real time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices.
References: