Advisory ID: ngCERT-2023-0038

Summary: Cloud storage misconfigurations have emerged as one of the most serious threats to data security in cloud storage systems. In a recent instance, 25,000 participants in PricewaterhouseCoopers' (PwC) Nigeria Tech Talent Bootcamp were at risk of identity theft after confidential data was stolen through a misconfigured Amazon Web Services account. In another development, the World Baseball Softball Confederation (WBSC) left a data repository open, exposing approximately 50,000 files, some of which were highly sensitive. Furthermore, a misconfiguration in the San Francisco Metropolitan Transportation Commission (MTC) systems resulted in the release of over 26,000 files, exposing clients' home addresses and vehicle plate numbers. It is important to know that threat actors are always looking for vulnerabilities such as misconfigured AWS, Azure, or Google Cloud resources in order to exploit them. Given the foregoing, cloud-based digital end-users must ensure correct configuration of their data buckets to avoid data breaches.   

Threat Type(s): Vulnerability

Damage/Probability: HIGH/HIGH

Description: Cloud misconfiguration is an improper configuration of a cloud system and may occur when a user or administrator fails to implement the correct security settings in a cloud application. Although there may be shared responsibilities between the cloud providers and end users, it often the obligation of the end users to ensure the proper configuration of cloud services acquired. Some common cloud misconfigurations include inadequate monitoring and logging of activities to track changes, using default credentials provided by the cloud service provider, using third-party resources, storage access misconfigurations, non-validation of cloud security controls, excessive permissions and unrestricted ports. Such vulnerabilities could be exploited by threat actors to gain access to an organisation’s storage, resulting in the theft of sensitive information such as sensitive credentials and API keys.

Consequences: Misconfigured cloud assets can be a doorway to the theft of location data, passwords, financial information, phone numbers, health records and other exploitable personal data. Threat actors may then leverage this data for phishing and other social engineering attacks.

Solution: Cloud storage end-users should:

1. Ensure strict monitoring and logging of activities to keep track of changes or suspicious behaviour.
2. Avoid using default credentials in the production environment.
3. Conduct extensive research on the security vulnerabilities of third-party resources before opting for their services.
4. Ensure that storage access is restricted to individuals within the organisation and enable robust encryption for critical data stored in the buckets.
5. Apply the principle of least privilege for both machines and humans for access to all systems. 

References:

• https://cybernews.com/security/san-francisco-mtc-bart-data-leak/ 
• https://cybernews.com/security/wbsc-data-leak-passports/
• https://cybernews.com/security/pwc-nigeria-tech-bootcamp-ids-exposed/
• https://securityintelligence.com/articles/why-cloud-misconfigurations-major-issue/

Advisory ID: NCC-CSIRT-161023-038

Summary: Trend Micro security researchers discovered DarkGate, a piece of malware that is being spread via instant messaging platforms such as Microsoft Teams and Skype. On successful compromise, the malware has a wide range of features that allow its operators to remotely control the infected devices while also collecting sensitive data from web browsers and mining cryptocurrencies. Additionally, access to the victim's Skype and Microsoft Teams accounts allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history.

Threat Type(s): Malware, and Phishing

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.

Platform(s): Android and iOS Operating Systems

Version(s): All Versions

Description: According to the researchers, the attackers leveraged compromised Skype accounts to infect targets via a Visual Basic for Applications (VBA) loader script disguised as a PDF attachment. When read, the VBA causes the download and execution of an AutoIt script meant to start the DarkGate malware.

Moreover, malicious actors targeted Microsoft Teams users via compromised Office 365 accounts outside their organizations and a publicly available tool named TeamsPhisher. This tool enables attackers to bypass restrictions for incoming files from external tenants and send phishing attachments to Teams users.

Although, the researchers declared that it is yet unclear how the originating accounts of the messaging apps were compromised, it is hypothesized to be either through leaked credentials or a previous compromise of the parent organization.

Consequences: The malware offers a wide range feature, including concealing a Virtual Network Computing (VNC) graphical desktop-sharing system, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer..

Solution: 

• Organizations should enforce rules regarding instant messaging applications.
• Install and scan your system with strong and reliable anti-malware solution.
• Be wary of emails and SMS containing malicious attachments
• Utilize multifactor authentication on your system to prevent the misuse of credentials.
• Apply safe configurations and disabling external access to your Microsoft Team if not necessary.

References:

https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/

https://heimdalsecurity.com/blog/darkgate-malware-spreaded-via-pdf-files-through-microsoft-teams-and-skype/

https://www.redpacketsecurity.com/darkgate-malware-spreads-through-compromised-skype-accounts/

https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html

https://nquiringminds.com/cybernews/darkgate-malware-distributed-through-compromised-skype-and-microsoft-teams-accounts/

https://cybersecuritynews.com/hackers-abusing-skype/

https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/

https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html

Advisory ID: NCC-CSIRT-101023-037

Summary: The PEACHPIT Ad Fraud Botnet is part of a larger operation called BADBOX, which involves the sale of off-brand mobile and connected TV (CTV) devices on popular online marketplaces and resale sites. These devices are tainted with Android malware called Triada.

The threat also allows hackers to create messaging accounts on platforms like WhatsApp by pilfering one-time passwords from the compromised devices. Additionally, it enables them to create Gmail accounts that appear legitimate and evade bot detection.

Threat Type(s): Malware

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.

Platform(s): Android and iOS Operating Systems

Version(s): All Versions

Description: The PEACHPIT botnet’s network of associated apps was discovered in 227 countries and territories, reaching a peak of 121,000 Android devices and 159,000 iOS devices daily. Infections occurred through 39 apps that were downloaded more than 15 million times. 

The attribute of this Ad fraud is the use of counterfeit apps available on significant app marketplaces like the Apple App Store and Google Play Store, as well as apps automatically downloaded onto compromised BADBOX devices. These apps contain a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps.

Consequences: The malware-infected devices enabled the operators to steal sensitive data, establish residential proxy exit peers, and carry out ad fraud through fraudulent apps.

Solution: 

• Do not click on ads, especially those that include typos, unfamiliar brand names, or offer services that sound too good to be true.
• If you cannot find any information on the company of a device you are buying, avoid it.
• When buying devices online, you will find a never-ending stream of good deals. When you come across one of those deals that appeals to you, the first thing you should do is research the brand device name.
• If you find information from a reliable source that indicates the brand is both legit and trustworthy, you can continue considering the purchase. Otherwise, do not even bother putting that item in your shopping cart.

References:

https://thehackernews.com/2023/10/peachpit-massive-ad-fraud-botnet.html
https://www.purevpn.com/blog/news/beware-of-devices-with-an-ad-fraud-botnet-named-peachpit/
https://www.zdnet.com/article/newly-discovered-android-malware-has-infected-thousands-of-devices/

Advisory ID: ngCERT-2023-0037

Summary: A Pakistani-linked threat actor known as Transparent Tribe is discovered to be deploying malicious apps masquerading as YouTube to distribute CapraRAT mobile remote access trojan (RAT) to Android devices. This underscores the need for individuals particularly in sensitive positions and organisations to take proactive steps to forestall such malicious activities.

Threat Type(s): Malware

Damage/Probability: CRITICAL/HIGH

Description: The malicious apps utilized in these infiltrations are distributed outside of Google Play, the official Android app store, suggesting that victims are likely tricked into downloading and installing them. Two of these apps have been identified to pose as ‘YouTube’,  one of which reaches out to a YouTube channel belonging to "Piya Sharma", indicating that the adversary uses romance-based phishing techniques to entice targets into installing the applications.

During installation, these malware apps request for permissions that might initially appear harmless for a media streaming app like YouTube. However, the interface of the apps lacks certain features as the genuine YouTube app but rather functions more like a web browser due to the use of WebView within the trojanized app. Once these permissions have been granted, CapraRAT becomes active on the device, and could serve as a functioning spyware tool. Subsequently, it performs actions such as recording through the microphone and cameras, collecting SMS and call logs, sending SMS messages, taking screen shots, modifying system settings, including accessing and modifying files on the device’s filesystem.

Consequences: A successful download and execution of the CapraRAT Malware on an Android device could have negative consequences. When the apps are installed on a victim’s device, they can collect data, record audio and video, initiate phone calls, as well as gain access to sensitive communication information.

Solution: The following precaution should be heeded to:

1. Android users should never install Android applications distributed outside of the Google Play store itself.
2. Avoid downloading new social media applications advertised within social media communities.
3. Evaluate the permissions requested by an application that you download, particularly for new or previously unfamiliar apps, to ensure you are not being exposed to risk.
4. Never install a third-party version of an application that's already present on their device.

References:

• https://www.hackread.com/fake-youtube-android-apps-caprarat/
• https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/
• https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html