Advisory ID: NCC-CSIRT-090523-022
Summary: Malware analysis engineers from Meta discovered a new malware called NodeStealer that targets saved usernames and passwords in browsers, with the aim of compromising businesses' Gmail, Outlook and Facebook accounts.
Vulnerable Platform(s): Browsers
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Gmail, Outlook and Facebook Applications
Version: All Versions
Description: According to the analysts, hackers are distributing the NodeStealer malware through Windows executables that look like PDF files and carry filenames related to marketing, social media planning, and monthly budgets. The malware runs under Node.js, the open source JavaScript runtime environment typically used to develop web applications. After execution, the malware steals stored credentials and session cookies from several browsers (Chrome, Opera, Edge and Brave) on the victim's computer by locating the browser profile files that store cookies and saved credentials for various sites and decrypting their contents.
Consequences: The malware specifically steals user credentials for Facebook, Gmail, and Outlook accounts.
Solution:
- To avoid NodeStealer Malware, you should practice safe computing habits, such as avoiding suspicious emails and downloads, keeping antivirus software up to date, and regularly backing up important data.
- If you suspect that your system has been infected with NodeStealer, disconnect from the internet and seek the assistance of a reputable cybersecurity professional or use a trusted anti-malware application to remove the threat automatically.
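The lure in this advisory is a Windows executable disguised as a PDF. The following is an added example, not code from Meta or from the advisory: a small Python check that flags a file when its name or its final extension says "document" but its content or suffix chain says "executable". The byte strings used as sample input are constructed, not real malware.

```python
"""Added example: flag files whose name or extension says "document" but whose
content or final extension says "Windows executable", the lure described in the
NodeStealer advisory. Illustrative code, not Meta's detection logic; the byte
strings at the bottom are constructed samples, not real malware."""
import re

PE_MAGIC = b"MZ"        # first two bytes of every DOS/PE executable
PDF_MAGIC = b"%PDF-"    # first bytes of a genuine PDF

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}


def split_extensions(filename: str) -> list:
    """All dotted suffixes in order, e.g. 'budget.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def inspect_file(filename: str, head: bytes) -> tuple:
    """Return (suspicious, reasons) for a file name and its leading bytes.

    Three independent checks, any of which is enough to flag the file:
      1. double extension: a document suffix followed by an executable suffix
      2. whitespace padding used to push the real extension out of view
      3. content/extension mismatch: PE header under a document extension
    """
    reasons = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""

    if final in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension ends in an executable suffix")
    if final in EXECUTABLE_EXTENSIONS and re.search(r"\s{3,}", filename):
        reasons.append("whitespace padding before the executable suffix")
    if head.startswith(PE_MAGIC) and final in DOCUMENT_EXTENSIONS:
        reasons.append("PE executable header under a document extension")
    return (bool(reasons), reasons)


def inspect_path(path: str) -> tuple:
    """Wrapper for real files: read the first 8 bytes and inspect the base name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    base = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return inspect_file(base, head)


if __name__ == "__main__":
    # Constructed samples: a fake PE header and a fake PDF header.
    samples = [
        ("Monthly_Budget.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("Social_Media_Plan.pdf            .exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("Marketing_Report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("Marketing_Report.pdf", b"%PDF-1.7\n"),
        ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ]
    for name, head in samples:
        flagged, why = inspect_file(name, head)
        print(f"{'SUSPICIOUS' if flagged else 'ok        '} {name!r} {why}")
```

The content check matters because Windows hides known extensions by default, so a user sees only the icon and the "document" part of the name; reading the magic bytes does not depend on how Explorer displays the file.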
References:
https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/
https://www.securityweek.com/meta-swiftly-neutralizes-new-nodestealer-malware/
https://duo.com/decipher/nodestealer-malware-targets-gmail-outlook-facebook-credentials
https://www.cyclonis.com/remove-nodestealer-malware/
https://www.pcrisk.com/removal-guides/26669-nodestealer-malware
Advisory ID: NCC-CSIRT-080523-021
Summary: Cybersecurity researchers from Elastic Security Labs discovered a new 'LOBSHOT' Malware distributed using Google ads in search results. The malware allows threat actors to stealthily take over infected Windows devices.
Vulnerable Platform(s): Google ads
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Windows Devices
Version: All Versions
Description: According to the researchers, threat actors distributed the LOBSHOT malware using an elaborate scheme of fake websites promoted through Google Ads. Users download what they believe to be legitimate installers for genuine software. Once the installer runs, the system is backdoored (a feature or defect of a computer system that allows secret unauthorized access to data) and the malware is installed without the victim's knowledge.
The malware remains hidden on the compromised Windows device while stealing sensitive information from the victim through a hidden virtual network computing (hVNC) module.
Consequences: Full remote control of the compromised Windows devices.
Solution:
- Users should be wary of promoted Google ads.
- When online, always compare the website promoted by a Google ad with the legitimate website of the vendor distributing the genuine software.
References:
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
https://www.helpnetsecurity.com/2023/05/02/infostealer-hvnc/
https://www.pcrisk.com/internet-threat-news/26662-new-malware-granting-threat-actors-hidden-vnc-access
https://cybersecurityworldconference.com/2023/05/02/new-lobshot-hvnc-malware-spreads-via-google-ads/
Advisory ID: NCC-CSIRT-040523-020
Summary: A command injection vulnerability was identified in TP-Link Archer AX21 routers. A remote attacker could send a specially crafted request to the router to exploit the vulnerability and trigger remote code execution on the targeted system.
Vulnerable Platform(s): Firmware of TP-Link Router
Threat Type: Vulnerability
Product: TP-Link Archer AX21 Routers
Version: TP-Link Archer AX21 prior to 1.1.4 Build 20230219
Description: TP-Link Archer AX21 firmware versions before 1.1.4 Build 20230219 contain a command injection vulnerability in a parameter of the web management interface. The parameter is not sanitized before use, which allows an unauthenticated attacker to inject commands.
Consequences: Remote code execution on the targeted routers
Impact/Probability: HIGH/HIGH
Solution:
• Users of the affected TP-Link Archer AX21 should update the firmware to the latest version.
• Download the firmware upgrade from the official TP-Link website for the region where the device was purchased.
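The root cause named above is a web-interface parameter reaching a shell without sanitization. The following added example is a constructed Python stand-in for that pattern, not TP-Link's firmware code: a hypothetical "ping this host" handler shown in its flawed form (string concatenation into a shell command line) beside the hardened form (allow-list validation plus an argv list with no shell). The parameter name `host` and the `ping` action are assumptions for illustration.

```python
"""Added example: the command-injection pattern the TP-Link advisory describes,
as a constructed Python stand-in (not TP-Link's firmware) beside the hardened
form. The request parameter 'host' and the 'ping' action are hypothetical."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, total length <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)
SHELL_METACHARACTERS = set(";|&`$<>()\n")


def build_command_vulnerable(host: str) -> str:
    """The flawed pattern: the raw parameter is spliced into a shell command line.

    Returned as a string (never executed here) so the effect is visible: any
    character the shell treats as a separator turns one intended command into
    several, all running with the web server's privileges.
    """
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Allow-list validation: the value must be an IP address or a syntactic hostname."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_command_hardened(host: str) -> list:
    """Validated value passed as one argv element; no shell ever parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def host_accepted(host: str) -> bool:
    """True if the hardened path would accept this parameter value."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def shell_would_split(command_line: str) -> bool:
    """True if a shell would see metacharacters in the concatenated command line."""
    return any(c in SHELL_METACHARACTERS for c in command_line)


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form: argv list, shell=False, bounded runtime."""
    return subprocess.run(build_command_hardened(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for value in ["192.0.2.10", "router.example", "192.0.2.10; echo injected"]:
        line = build_command_vulnerable(value)
        print(f"{value!r}: vulnerable line {line!r}, shell splits: "
              f"{shell_would_split(line)}, hardened accepts: {host_accepted(value)}")
```

Two layers are doing the work: validation rejects anything that is not a host, and the argv list means that even a value that slipped past validation would be handed to `ping` as a single argument rather than interpreted by a shell. Either layer alone is weaker than both together.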
References:
https://www.govcert.gov.hk/en/alerts_detail.php?id=1018
https://www.hkcert.org/security-bulletin/tp-link-router-remote-code-execution-vulnerability_20230426
https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware
Advisory ID: NCC-CSIRT-180423-019
Summary: A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The Android malware, discovered by McAfee's research team, is capable of collecting a range of sensitive data, including information on the user's installed apps, WiFi and Bluetooth-connected devices, and GPS locations. Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.
Vulnerable Platform(s): Android Operating Systems
Threat Type: Malware
Product: Google Play Store Applications
Version: All Versions
Description:
The malicious component is part of a third-party library that the developers of all sixty apps unknowingly added to their apps. When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an obfuscated remote server. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often. The data collection mechanism is commonly set to activate every two days, transmitting a list of installed apps, geographical position history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation as well as the Android version.
Some of the impacted apps are:
- L.POINT with L.PAY - 10 million downloads
- Swipe Brick Breaker - 10 million downloads
- Money Manager Expense & Budget - 10 million downloads
- GOM Player - 5 million downloads
- LIVE Score, Real-Time Score - 5 million downloads
- Pikicast - 5 million downloads
- Compass 9: Smart Compass - 1 million downloads
- GOM Audio - Music, Sync lyrics - 1 million downloads
- LOTTE WORLD Magicpass - 1 million downloads
- Bounce Brick Breaker - 1 million downloads
- Infinite Slice - 1 million downloads
- SomNote - Beautiful note app - 1 million downloads
- Korea Subway Info: Metroid - 1 million downloads
Consequences: Theft of sensitive data and ad fraud performed by clicking ads in the background without the user's consent
Impact/Probability: HIGH/HIGH
Solution:
- Users should update their applications with the latest security patches.
- Users should install anti-malware software to routinely scan their devices for malware.
- Users should always download applications from official sites and application stores. (Avoid downloading Apps from third-party Android App store).
References:
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
https://malwaretips.com/threads/android-malware-infiltrates-60-google-play-apps-with-100m-installs.122573/
https://www.business-standard.com/amp/companies/news/android-malware-infects-60-google-play-apps-with-100-million-downloads-123041700123_1.html
Advisory ID: ngCERT-2023-0008
Summary: Phishing is a type of cyberattack that employs social engineering techniques to persuade potential victims to reveal sensitive information via deceptive emails, text messages, phone calls, and/or social media. The attacker may be looking for personally identifiable information (PII), banking details, and account credentials. The goal could also be to trick the victim into downloading malware.
Description: Such an attack usually starts with a phishing email, text message (also known as smishing), or even a direct message (DM) on a social media app that appears urgent and requires you to either click on a link that takes you to an external website or download a file attachment. This website is fraudulent and is intended to collect sensitive, potentially damaging information from the potential victim. Another technique involves using a phone call, or vishing, to trick victims into disclosing sensitive information. In order to collect their information and compromise their accounts, the attacker would either call the victim or use an automated system to pretend to be calling from their bank.
Consequences: Phishing attacks can lead to identity theft, data theft, and massive financial losses for the victims.
Damage/Probability: CRITICAL/HIGH
Solution: Some countermeasures against phishing are:
i. Enable multifactor authentication (MFA) – if possible, use more than a two-step process.
ii. Change passwords regularly.
iii. Use spam filters.
iv. Change web browser settings to prevent fraudulent websites from opening (i.e. web filters).
v. Always use “https” when browsing the web (there are settings in most web browsers that allow for strict usage of “https”).
vi. Use anti-malware to detect malware in phishing emails.
vii. Usage of comprehensive solutions by organisations such as security information and event management (SIEM) and endpoint detection and response (EDR) can help filter phishing emails before they get to the users.
viii. Cybersecurity awareness training for staff to spot characteristic features of phishing scams, such as:
a. Poor spelling or grammar
b. Requests to transfer money or for personal and payment information
c. Suspect file attachments
d. Discrepancies in the sender address
e. A sense of urgency e.g. ‘You will lose access to this service in 24 hours…’
f. Usage of a link-shortening service
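Several of the characteristic features listed under viii can be checked mechanically before a message reaches a user. The following is an added example, not ngCERT's tooling: a Python routine using only the standard library's `email` parser that reports indicators b (requests for money or credentials), c (suspect attachments), d (sender address discrepancies), e (urgency wording) and f (link shorteners). The spelling check in a is omitted. Both messages at the bottom are constructed samples and every domain in them is fictitious.

```python
"""Added example: heuristic checks for the phishing indicators b, c, d, e and f
listed in the advisory (the spelling check in a is omitted). Illustrative code,
not ngCERT's tooling; the two messages below are constructed samples."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
URGENCY_PHRASES = ("within 24 hours", "immediately", "will be suspended", "lose access", "verify now")
MONEY_OR_CREDENTIAL_PHRASES = ("wire transfer", "gift card", "bank details", "payment details",
                               "password", "card number")
RISKY_ATTACHMENT_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk", ".htm", ".html", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: str) -> list:
    """Return a list of (indicator, detail) pairs; an empty list means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # (d) sender address discrepancies: an address-looking display name whose
    # domain differs from the real address, or a Reply-To pointing elsewhere
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    shown = re.search(r"@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(("d", f"display name shows @{shown.group(1)} but address is {addr}"))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(("d", f"Reply-To domain {_domain(reply_to)} differs from {from_domain}"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()

    # (e) urgency wording and (b) requests for money or credentials
    urgent = [p for p in URGENCY_PHRASES if p in lowered]
    if urgent:
        findings.append(("e", "urgency wording: " + ", ".join(urgent)))
    asks = [p for p in MONEY_OR_CREDENTIAL_PHRASES if p in lowered]
    if asks:
        findings.append(("b", "asks for: " + ", ".join(asks)))

    # (f) link-shortening services hide the real destination from the reader
    for url in URL_RE.findall(text):
        if (urlparse(url).hostname or "").lower() in SHORTENER_DOMAINS:
            findings.append(("f", f"shortened link: {url}"))

    # (c) suspect attachments, including double extensions such as .pdf.exe
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_ATTACHMENT_SUFFIXES):
            findings.append(("c", f"risky attachment: {name}"))
    return findings


# Constructed sample 1: a credential-phishing message with most indicators present.
SAMPLE_PHISH = """\
From: "security@bank.example" <alerts@mail-verify.example.net>
Reply-To: helpdesk@verify-now.example.org
To: user@company.example
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dear customer,
Your account will be suspended within 24 hours unless you confirm your password
and card number at http://bit.ly/x1y2z3

--sep
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sep--
"""

# Constructed sample 2: an ordinary internal message that should not fire.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@company.example>
To: user@company.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Hi, are you free for lunch on Thursday? Menu: https://cafe.example/menu
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_message(raw))
```

Phrase lists like these are a starting point, not a filter on their own: the point is that each finding maps back to one of the features staff are trained to spot, so a flagged message can be shown to the recipient with the reason attached rather than silently dropped.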
Hyperlink:
- Two-Factor Authentication (2FA) For WhatsApp
- Nexus Android Trojan Targeting Financial Applications
- Sophisticated Fake AI Chatbot Browser Extension Compromises Thousands of Facebook Accounts
- Xenomorph (Xenomorph 3rd generation) Android Banking Trojan That performs Financial Fraud in a seamless manner