Advisory ID: ngCERT-2024-0003
Summary:
Chameleon, a rapidly evolving Android banking Trojan, has been observed targeting Android users globally. The new variant can force a device to fall back from biometric unlock to PIN or password authentication, steal sensitive information such as login credentials and credit card details, and conduct fraudulent transactions through banking applications. Its ability to disable biometric protections such as fingerprint and face unlock makes it particularly dangerous for Android banking users. Android device owners should therefore take the precautions listed below to mitigate the threat.
Damage/Probability: CRITICAL/HIGH
Description:
The Chameleon trojan enables attackers to carry out Account Takeover (ATO) and Device Takeover (DTO) attacks, mostly against banking and cryptocurrency apps. The malware is distributed through phishing pages, disguised as legitimate applications and delivered via a legitimate content distribution network (CDN). The new variant is distributed using Zombinder, a dropper-as-a-service (DaaS) used in attacks against Android users. The trojan performs device-specific checks that are activated when a command is received from its command-and-control (C&C) server, notably for the 'Restricted Settings' protection added in Android 13, which stops sideloaded apps from being granted the Accessibility service directly. Upon receiving the command, the trojan presents an HTML page that walks the user through enabling the Accessibility service for the malware; that permission is what gives it DTO capability. After receiving further commands, the malware checks the device's screen and keyguard status and then uses Accessibility events to interrupt biometric prompts and force a fallback to PIN authentication. Because the PIN, password or unlock pattern is then typed, the trojan captures it with its keylogging functionality. The revised variant also schedules its tasks with the AlarmManager API, a technique seen in other banking trojans but implemented differently here. If the Accessibility service is not enabled, the trojan can instead gather information about the installed applications to identify the foreground app and display overlays via its 'Injection' activity.
Consequences:
Successful execution of the Chameleon banking trojan could result in the following:
- Financial losses from unauthorized transactions.
- Data exfiltration.
- Damage to reputation.
- Privacy breaches.
- Disruption of critical financial operations.
- Privilege escalation on devices.
Solution:
It is therefore recommended that Android phone users:
- Avoid clicking links on emails or text messages, even from seemingly legitimate sources.
- Ensure that their Android devices and apps are up to date with the latest security patches.
- Only download apps from the official Google Play Store.
- Avoid using public Wi-Fi networks for sensitive banking activities.
- Report suspicious activities to their bank immediately.
- Be mindful of social engineering and phishing tactics deployed by cybercriminals.
- Implement mobile device management (MDM) solutions to enforce security policies and remotely manage devices.
- Ensure that Play Protect is enabled at all times.
- Run regular scans to ensure that devices are free of malware and adware.
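The Accessibility service grant is the pivot point of the Chameleon chain described above, and it is also something an MDM or SOC team (see the MDM recommendation) can audit across a fleet. The following is an added example, not ngCERT or Chameleon code: it parses the raw output of `adb shell settings get secure enabled_accessibility_services` and reports any enabled service whose package is not on an operator-maintained allowlist. The allowlist, package names and sample outputs are constructed for illustration.

```python
"""Triage check for Accessibility-service abuse on enrolled Android devices.

Added example (not ngCERT or Chameleon code). Parses the value of the secure
setting enabled_accessibility_services and flags services whose package is
not allowlisted. Allowlist and sample outputs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: packages the organisation knowingly permits to hold the
# Accessibility permission (screen readers etc.). Adjust to your fleet.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str


def parse_enabled_services(raw: str) -> List[AccessibilityService]:
    """Parse the colon-separated value of enabled_accessibility_services.

    Android prints the literal string "null" when the setting is unset.
    Each entry is "package/fully.qualified.Service" or "package/.ShortName"
    (a leading dot means the class name is relative to the package).
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # malformed fragment: skip rather than crash the sweep
        package, component = entry.split("/", 1)
        if component.startswith("."):
            component = package + component
        services.append(AccessibilityService(package, component))
    return services


def find_unexpected_services(
    raw: str, allowlist: Iterable[str] = ALLOWED_ACCESSIBILITY_PACKAGES
) -> List[AccessibilityService]:
    """Enabled accessibility services whose package is not allowlisted."""
    allowed = set(allowlist)
    return [s for s in parse_enabled_services(raw) if s.package not in allowed]


# Constructed sample outputs (not captured from a real device).
SAMPLE_CLEAN = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_SUSPECT = SAMPLE_CLEAN + ":" + "com.bankupdate.secure/.AccService"
SAMPLE_UNSET = "null"

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT), ("unset", SAMPLE_UNSET)):
        hits = find_unexpected_services(raw)
        print(f"{label}: {[s.component for s in hits] or 'no unexpected services'}")
```

On a real device the input comes from `adb shell settings get secure enabled_accessibility_services`; a hit on a package that was sideloaded (not installed from Play) is the combination the advisory describes and should be treated as a probable Device Takeover.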
References:
Advisory ID: ngCERT-2024-0002
Summary: A critical vulnerability (CVE-2023-49647) has been identified in Zoom products, exposing affected systems to privilege escalation and, together with other flaws fixed in the same release, to denial of service and unauthorized disclosure of sensitive information. This jeopardizes the confidentiality and integrity of Zoom sessions and user data, so the fixed versions should be deployed without delay.
Damage/Probability: CRITICAL/HIGH
Description: The vulnerabilities identified in Zoom products stem from improper authentication, path traversal, improper access control and cryptographic weaknesses. Specifically, CVE-2023-49647 is an improper access control vulnerability in the Zoom Desktop Client, Zoom VDI Client and Zoom SDKs for Windows. It allows an unauthenticated user with local access to escalate privileges, potentially leading to unauthorized actions such as modifying system settings, installing malware or accessing sensitive data. Affected products include:
- Zoom Desktop Client for Windows before version 5.16.10
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Video SDK for Windows before version 5.16.10
- Zoom Meeting SDK for Windows before version 5.16.10
Consequences: Successful exploitation of this vulnerability could result in the following:
- Data Exfiltration
- Execution of malware on systems
- Launch of DoS or DDoS
- Further compromise of individual or organizations
Solution: Users should upgrade to version 5.16.10, which eliminates this vulnerability, or download the latest Zoom software with all current security updates from https://zoom.us/download.
References:
Advisory ID: NCC-CSIRT-260124-002
Summary:
A widespread phishing campaign is currently circulating on Facebook with a message that reads, "I can't believe he is gone. I'm gonna miss him so much." This campaign is extensively propagated through the accounts of friends of the victims. Scammers exploit the Facebook accounts of targeted victims to disseminate harmful links masquerading as Facebook posts or news articles related to a person's demise. The perpetrators behind this scam aim to gather a large pool of hijacked accounts, intending to utilize them in subsequent attacks on the social media platform. The fraudulent links redirect compromised users to a website designed to steal their Facebook credentials.
Threat Type(s): Phishing
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Mobile Devices and Desktop Computers
Platform(s): Facebook
Version(s): All Versions
Description:
The Facebook phishing posts come in two forms. One simply states "I can't believe he is gone. I'm gonna miss him so much" and contains a Facebook redirect link. The other uses the same text but shows what appears to be a BBC News video of a car accident or other crime scene. According to BleepingComputer, the links in the phishing posts bring victims to different sites depending on the type of device used. Clicking the link from the Facebook app on a mobile device takes victims to a fake news site called 'NewsAmericaVideos' that prompts them to enter their Facebook credentials to "confirm their identity" and watch the video. To persuade victims to enter their password, the page shows what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord. If the victim enters Facebook credentials, the threat actors capture them and the site redirects to Google. The threat actors then likely use the stolen credentials to promote the same phishing posts from the hijacked accounts. Visiting the phishing pages from a desktop computer produces different behaviour: the phishing sites redirect victims to Google or to other scams promoting VPN apps, browser extensions or affiliate sites.
Consequences:
The phishing posts look more convincing and trustworthy because they come from friends' accounts, leading many to fall for the scam.
Solution:
- Do not click on links and URLs that appear suspicious or unfamiliar to you.
- Since the phishing attack does not attempt to steal two-factor authentication (2FA) codes, Facebook users are strongly advised to enable 2FA to safeguard their accounts in case they fall victim to the phishing page. With 2FA enabled, a phished password alone is not enough to log in, so the stolen credentials cannot be used to hijack the account.
- While configuring two-factor authentication on Facebook, opt for an authentication app instead of relying on SMS texts, as phone numbers are susceptible to theft in SIM swapping attacks.
References:
- https://www.bleepingcomputer.com/news/security/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts/
- https://www.verifythis.com/article/news/verify/scams-verify/rip-dead-facebook-post-message-scam/536-efb6c9b7-5995-4b3a-a9b3-c797f99f3e05
- https://www.news9live.com/technology/tech-news/cant-believe-gone-facebook-scam-cybersecurity-hacking-hackernews-explained-2414635
- https://www.blackhatethicalhacking.com/news/widespread-i-cant-believe-he-is-gone-facebook-phishing-scam-targets-users-through-hacked-accounts/
Advisory ID: NCC-CSIRT-220124-001
Summary: U.S. federal agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), have warned of a significant botnet set up by threat actors using the Androxgh0st malware. The botnet is used to distribute malicious payloads after cloud credentials have been compromised. Threat actors operating the botnet have been observed checking compromised accounts' email sending limits to support their spamming activities. They have also been seen creating fake pages on compromised websites as a backdoor into databases containing sensitive data, from which they deploy additional malicious tools needed for their operations.
Threat Type(s): Malware, Botnet, Vulnerability, and Spam
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Amazon Web Services (AWS), Twilio, Microsoft Office 365, Microsoft Azure, and SendGrid
Platform(s): Cloud Platform
Version(s): All Versions
Description: The Androxgh0st malware is a Python script primarily designed to target '.env' files, which hold sensitive configuration for prominent cloud services such as Amazon Web Services (AWS), Microsoft Office 365, Microsoft Azure, SendGrid and Twilio and are commonly associated with the Laravel web application framework. The malware supports numerous functions that abuse the Simple Mail Transfer Protocol (SMTP), including scanning for and exploiting exposed credentials and application programming interfaces (APIs), and it deploys web shells (a web shell is a malicious program used to access a web server remotely during a cyberattack). It systematically scans servers and websites for specific remote code execution vulnerabilities, including CVE-2021-41773 in the Apache HTTP Server, CVE-2017-9841 in the PHPUnit testing framework and CVE-2018-15133 in the Laravel PHP web framework. Once it has identified and compromised cloud credentials on a vulnerable website, it has been observed attempting to create new users and user policies.
Consequences:
- Androxgh0st malware is capable of scanning for and exploiting exposed credentials and application programming interfaces (APIs), and of deploying web shells.
- Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
- Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
Solution: Organizations' network defenders should implement the following mitigation measures:
- Keep all operating systems, software, and firmware updated. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is set to deny all requests unless there is a specific need for accessibility.
- Ensure that any active Laravel applications are not in "debug" or testing mode. Remove all cloud credentials from .env files and promptly revoke them.
- Conduct a one-time review for previously stored cloud credentials and perform ongoing assessments for other credential types that cannot be removed. Check platforms or services listed in the .env file for any signs of unauthorized access or use.
- Scan the server's file system for any unfamiliar PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Monitor outgoing GET requests (via cURL command) to file hosting sites such as GitHub or Pastebin, especially when the request involves accessing a ‘.php’ file.
References:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
- https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/
- https://www.spiceworks.com/it-security/security-general/news/federal-agencies-warning-androxgh0st-malware-botnet/
- https://www.techrepublic.com/article/androxgh0st-malware-botnet/
Advisory ID: ngCERT-2024-0001
Summary: Security researchers uncovered a new technique used by cybercriminals to access Google accounts without the account password. The technique abuses Google's own authentication cookies, which can be regenerated from stolen browser tokens and therefore bypass two-factor authentication. Criminals deploy infostealer malware to harvest these tokens and use them to access Google services even after the user's password has been reset. Note that these are Google's first-party session cookies; Chrome's ongoing phase-out of third-party cookies does not address this issue.
Damage/Probability: CRITICAL/HIGH
Description: This attack exploits a weakness in how Google session cookies are regenerated. Attackers use session persistence techniques to keep their sessions valid despite changes to the victim's credentials. Cookies are used by websites and browsers to track users and to avoid repeated logins; Google authentication cookies in particular let users reach their accounts without re-entering their credentials. Attackers found a way to extract the underlying tokens and regenerate such cookies, bypassing two-factor authentication and retaining access to Google services even when the user's password is reset. The technique was first integrated into the Lumma infostealer and was subsequently adopted by the Rhadamanthys, RisePro, Meduza, Stealc, WhiteSnake and Eternity stealer malware.
The stealers target the token_service table in Chrome's 'Web Data' SQLite database to collect refresh tokens and account IDs from logged-in Chrome profiles. The encrypted tokens are decrypted with the key stored in Chrome's 'Local State' file in the User Data directory, the same key that protects saved passwords. The attack then hinges on the token:GAIA ID pair, a vital component of Google's authentication process: submitted to Google's undocumented MultiLogin endpoint, this pair regenerates valid Google service cookies. The stealer operators encrypt the token:GAIA ID pair with their own private keys before passing it to their cookie-regeneration service, effectively 'black-boxing' the exploitation process and keeping the core mechanics of the attack hidden.
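The table named above is also the first thing an incident responder wants to inventory on a suspected infostealer victim, because every account with a persisted token is one that must be signed out and re-authenticated. The following is an added example, not code from the researchers, Google or any stealer. It assumes Chrome's token_service table has the columns service and encrypted_token and that account rows are keyed as "AccountId-<GAIA id>"; the database is constructed in memory rather than read from a real profile, and the encrypted_token blobs are deliberately not decrypted.

```python
"""IR triage: which Google accounts have refresh tokens persisted in a Chrome
profile, so each can be signed out and re-authenticated.

Added example; not code from the researchers, Google or any stealer. The
token_service schema (service TEXT, encrypted_token BLOB) and the
"AccountId-<GAIA id>" key format are assumptions about Chrome's 'Web Data'
file; rows are constructed in an in-memory database. Blobs stay encrypted:
the goal is to inventory exposure, not to reproduce the stealer.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Assumption: account rows are keyed "AccountId-<GAIA id>"; the GAIA id is the
# numeric account identifier that, paired with the token, feeds MultiLogin.
ACCOUNT_RE = re.compile(r"^AccountId-(?P<gaia>\d+)$")


def list_token_holders(conn: sqlite3.Connection) -> List[Tuple[str, Optional[str], int]]:
    """Return (service, gaia_id_or_None, encrypted_token_length) per row."""
    rows = conn.execute("SELECT service, encrypted_token FROM token_service").fetchall()
    out = []
    for service, blob in rows:
        m = ACCOUNT_RE.match(service or "")
        out.append((service, m["gaia"] if m else None, len(blob) if blob else 0))
    return out


def accounts_needing_signout(conn: sqlite3.Connection) -> List[str]:
    """GAIA ids that still have a non-empty persisted token (the at-risk set)."""
    return sorted({gaia for _, gaia, n in list_token_holders(conn) if gaia and n > 0})


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a copied 'Web Data' file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE token_service ("
        "service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
    )
    # Chrome prefixes OS-crypt ciphertext with 'v10'; the rest here is dummy bytes.
    dummy = b"v10" + bytes(range(64))
    conn.executemany(
        "INSERT INTO token_service VALUES (?, ?)",
        [
            ("AccountId-100000000000000000001", dummy),
            ("AccountId-100000000000000000002", dummy),
            ("AccountId-100000000000000000003", b""),   # token already revoked
            ("legacy-entry", dummy),                      # not an account row
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_token_holders(db):
        print(row)
    print("sign out and re-authenticate:", accounts_needing_signout(db))
```

On a real host, copy the 'Web Data' file out of the profile directory (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data) while Chrome is closed, open the copy with sqlite3.connect and pass that connection in; any GAIA id returned by accounts_needing_signout is an account to sign out of all sessions before the password reset described in the solution steps.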
Consequences: Successful exploitation will result in the following:
- Attackers can gain session persistence even when the account password is changed by bypassing typical security measures.
- Attacker's ability to maintain unauthorized access can be enhanced with the capability to generate valid cookies in the event of a session disruption.
- The criminals can also steal and exfiltrate sensitive data from a compromised account.
- The criminals can steal the user's identity to conduct other nefarious activities.
Solution: It is therefore recommended that:
- Users should detect and remove any malware from their computers using reliable anti-malware software and keep it running.
- Users should turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
- Users should avoid accepting third-party cookies from untrusted websites.
- If a user suspects that their account may have been compromised, or as a general precaution, they should sign out of all browser profiles (or revoke sessions from their Google account's devices page) to invalidate the current session tokens, then reset their password and sign back in to generate new tokens. Signing out invalidates the old tokens the infostealers rely on; a password reset alone is not sufficient, which is why both steps are needed.
- Users should update their web browsers as soon as an update is available.
References:
- https://www.independent.co.uk/tech/google-account-password-security-hackers-b2474195.html/
- https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
- https://ciso.economictimes.indiatimes.com/news/cybercrime-fraud/cybercriminals-find-new-way-to-access-google-accounts-without-password-report/106628035/