Advisory ID: NCC-CSIRT-090523-022

Summary: Malware analysis engineers from Meta discovered a new malware called NodeStealer that targets saved usernames and passwords in browsers, with the aim of compromising businesses' Gmail, Outlook and Facebook accounts.  

Vulnerable Platform(s): Browsers

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product : Gmail, Outlook and Facebook Applications

Version: All Version

Description: According to the analysts, hackers are distributing the NodeStealer malware through Windows executables that look like PDF files and have filenames related to marketing, social media planning, and monthly budgets. The malware is being executed using the Node.js open source Javascript runtime environment, typically used to develop web applications. After execution, the malware steals the stored credentials and cookie session data from various browsers (Chrome, Opera, Edge and Brave) on victim computers, by referencing the file paths to access files storing cookies and credentials for various sites and decrypting this data.

Consquences: The malware specifically steals user credentials for Facebook, Gmail, and Outlook accounts.

Solution : 

• To avoid NodeStealer Malware, you should practice safe computing habits, such as avoiding suspicious emails and downloads, keeping antivirus software up to date, and regularly backing up important data.
• If you suspect that your system has been infected with NodeStealer, disconnect from the internet and seek the assistance of a reputable cybersecurity professional or use a trusted anti-malware application to remove the threat automatically.

References: 

https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/

https://www.securityweek.com/meta-swiftly-neutralizes-new-nodestealer-malware/

https://duo.com/decipher/nodestealer-malware-targets-gmail-outlook-facebook-credentials

https://www.cyclonis.com/remove-nodestealer-malware/

https://www.pcrisk.com/removal-guides/26669-nodestealer-malware

Advisory ID: NCC-CSIRT- 080523-021

Summary: Cybersecurity researchers from Elastic Security Labs discovered a new 'LOBSHOT' Malware distributed using Google ads in search results. The malware allows threat actors to stealthily take over infected Windows devices.  

Vulnerable Platform(s):  Google ads

Threat Type: Malware

Impact/Probability: CRITICAL/HIGH

Product : Windows Devices

Version: All Versions

Description: According to the researchers, threat actors distributed the LOBSHOT malware strains using an elaborate scheme of fake websites through Google Ads. Users download what they believe to be legitimate installers for genuine software applications. Once the installer is initiated the compromised system is backdoored (a feature or defect of a computer system that allows secret unauthorized access to data), and malware is installed without the victim’s knowledge.
The malware remains hidden on the compromised Windows devices, while still being capable of stealing sensitive information from the victim by using a Hidden Virtual Network Computing (hVNC).

Consquences: Full remote control of the compromised Windows devices.

Solution :

• Users should be careful of promoted Google ads.
• When online, always check on the website promoted by Google ads versus the legitimate website distributing genuine software.

References:

https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
https://www.helpnetsecurity.com/2023/05/02/infostealer-hvnc/
https://www.pcrisk.com/internet-threat-news/26662-new-malware-granting-threat-actors-hidden-vnc-access
https://cybersecurityworldconference.com/2023/05/02/new-lobshot-hvnc-malware-spreads-via-google-ads/

Advisory ID: NCC-CSIRT-040523-020

Summary:  A command injection vulnerability was identified in a TP-Link Archer AX21 routers. Remote attacker could send a specially crafted request to the router to exploit the vulnerability, which consequently trigger remote code execution on the targeted system.

Vulnerable Platform(s):  Firmware of TP-Link Router

Threat Type:  Vulnerability

Product :  TP- Link Archer AX21 Routers 

Version:   TP-Link Archer AX21 prior to 1.1.4 20230219

Description:  TP-Link Archer AX21 firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability on a parameter of the web management interface. If the parameter is not sanitized prior to usage, it enables an unauthenticated attacker to insert commands.

Consquences:   Remote code execution on the targeted routers

Impact/Probability: HIGH/HIGH

Solution :  

• Users of the affected TP-Link Archer AX21 should update the firmware to the later version.
• Upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link devices.

References:

https://www.govcert.gov.hk/en/alerts_detail.php?id=1018

https://www.hkcert.org/security-bulletin/tp-link-router-remote-code-execution-vulnerability_20230426

https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware 

Advisory ID: NCC-CSIRT-180423-019

Summary:  A New Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The Android malware, discovered by McAfee's research team, is capable of collecting a range of sensitive data, including information on the user's installed apps, WiFi and Bluetooth-connected devices, and GPS locations Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.

Vulnerable Platform(s): Android Operating Systems  

Threat Type:  Malware

Product :  Google Play Store Applications

Version:  All Versions

Description:  

The malicious malware component is part of a third-party library used by all sixty apps that the developers unknowingly added to their apps. When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an obfuscated remote server. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.The data collection mechanism is commonly set to activate every two days, transmitting a list of installed apps, geographical position history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation as well as the Android version. 

Some of the impacted apps are: 

• L.POINT with L.PAY - 10 million downloads 
• Swipe Brick Breaker - 10 million downloads 
• Money Manager Expense & Budget - 10 million downloads 
• GOM Player - 5 million downloads 
• LIVE Score, Real-Time Score - 5 million downloads 
• Pikicast - 5 million downloads 
• Compass 9: Smart Compass - 1 million downloads 
• GOM Audio - Music, Sync lyrics - 1 million downloads 
• LOTTE WORLD Magicpass - 1 million downloads 
• Bounce Brick Breaker - 1 million downloads 
• Infinite Slice - 1 million downloads 
• SomNote - Beautiful note app - 1 million downloads 
• Korea Subway Info: Metroid - 1 million downloads 

Consquences:  Stealing of Sensitive Data and Performing Ad fraud by clicking ads in the background without the user's consent

Impact/Probability: HIGH/HIGH

Solution : 

• Users are to update their applications with latest Security Patches.
• Users should install anti-malware software to routinely scan their devices for malware.
• Users should always download applications from official sites and application stores. (Avoid downloading Apps from third-party Android App store).

References: 

https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/ 

https://malwaretips.com/threads/android-malware-infiltrates-60-google-play-apps-with-100m-installs.122573/ 

https://www.business-standard.com/amp/companies/news/android-malware-infects-60-google-play-apps-with-100-million-downloads-123041700123_1.html