SISA Weekly Threat Watch – January 02nd, 2023

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.

From Android trojans and fake malware to ransomware and DDoS attacks, threat actors exploited new and existing software vulnerabilities to launch evolved cyber-attacks against businesses this week. While some critical vulnerabilities required immediate patches and updates to software solutions, others prompted security teams to leverage fraud detection and prevention systems to keep such threats at bay.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cybercriminals launch new BrasDex Android trojan targeting Brazilian banking users

Several Brazilian apps were targeted by the Android malware known as BrasDex, together with a powerful Automated Transfer System (ATS) engine, as part of an ongoing multi-platform operation. The Android trojan pretends to be a financial app for Banco Santander BR. In addition to logging credentials, the malware may also record account balances for use in device takeover.

The infection chain is scalable and versatile due to its ATS features, which let it leverage stolen data to start automatic fraudulent transactions. The most recent incident involved threat actors attaching malicious payloads to trustworthy Android apps using the Zombinder darknet platform. Ermac, Sova, Xenomorph, Aurora, Laplas clipper, and Erbium stealer are a few examples of Android malware that have been spread in this manner. The growth of BrasDex and the new malware capabilities for Android devices emphasize the need for fraud detection and prevention systems in organizations.

2. Raspberry Robin worm drops fake malware to confuse researchers

A new Raspberry Robin campaign, which has primarily targeted government offices and telecommunications systems since September 2022, was recently reported by researchers. A wide range of threat groups have increasingly used the malware as a loader to distribute payloads, including ransomware such as LockBit and Clop. According to Trend Micro researchers, the malware spreads to the targeted systems using an infected USB drive.

The fake payload, an adware system called BrowserAssistant, tries to read the Windows registry to look for infection flags and then goes on to collect rudimentary system data. The real payload places a copy of itself in a system folder and employs privilege escalation strategies to get administrator rights. When completed, the malware tries to establish a link with the hard-coded Tor addresses to communicate with its operators. Organizations can defend against this threat by monitoring or restricting the use of USB drives. It is also recommended to spread awareness to prevent users from accepting unsolicited USB drives or drives from unverified sources.

3. Zerobot botnet emerges as a growing threat with new exploits and capabilities

The Zerobot botnet has been upgraded to spread to new machines by utilizing security vulnerabilities affecting Apache servers that are exposed to the Internet and are not patched. It attacks unsecured devices via brute force attacks and leverages web application and IoT device vulnerabilities. Once it has successfully infected a system, it downloads a script that will let it spread to further vulnerable devices that are available on the internet.

After establishing persistence on infected devices, it either acquires initial access to the networks of its victims or starts DDoS attacks. Microsoft researchers revealed that the malware can now target seven additional categories of hardware and software thanks to the newly added flaws. Zerobot is promoted as a DDoS-for-hire service that other criminal actors can buy to employ against anybody they wish to target. It is recommended to ensure that all devices on a network are up to date with their patches, particularly any Internet-facing devices. It is also advised to expose remote interaction protocols, like SSH and Telnet, to the Internet only where it is necessary.
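Zerobot's initial foothold on exposed devices is gained by brute-forcing remote login services, so a practical complement to the patching and exposure advice above is to watch the authentication logs of whatever SSH services must remain reachable. The following is an added example written for this advisory, not code from SISA or from any of the vendors cited: it parses OpenSSH `sshd` syslog lines, counts failed logins per source address inside a sliding time window, and flags sources that cross a threshold. The log lines, host name, year and IP addresses (RFC 5737 documentation ranges) are constructed sample data; the threshold and window are assumptions to tune for your own environment.

```python
"""Flag SSH brute-force sources from sshd auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as written via syslog. The syslog
# timestamp carries no year, so the caller supplies one (assumption: all
# lines in the sample come from the same year and are in chronological order).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: one source spraying common usernames within a few
# seconds (the brute-force pattern) and one legitimate operator with two
# widely spaced typos.
SAMPLE_LOG = """\
Dec 28 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Dec 28 10:00:02 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Dec 28 10:00:02 gw sshd[1202]: Failed password for root from 203.0.113.5 port 50124 ssh2
Dec 28 10:00:03 gw sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 50125 ssh2
Dec 28 10:00:04 gw sshd[1204]: Failed password for invalid user user from 203.0.113.5 port 50126 ssh2
Dec 28 10:00:09 gw sshd[1205]: Accepted publickey for ops from 198.51.100.7 port 41000 ssh2
Dec 28 10:03:00 gw sshd[1206]: Failed password for ops from 198.51.100.7 port 41001 ssh2
Dec 28 10:15:00 gw sshd[1207]: Failed password for ops from 198.51.100.7 port 41002 ssh2
"""


def parse_failed_login(line, year=2022):
    """Return (timestamp, source_ip, username) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": n, "usernames": [...], "last_seen": datetime}}.
    Successful logins and unrelated lines are ignored; a source is flagged
    only when its failures cluster in time, so occasional typos from a real
    operator do not trip the detector.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        events = recent[ip]
        events.append((ts, user))
        # Drop events that fell out of the window relative to this event.
        while events and ts - events[0][0] > window:
            events.popleft()
        if len(events) >= threshold:
            flagged[ip] = {
                "failures": len(events),
                "usernames": sorted({u for _, u in events}),
                "last_seen": ts,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['usernames']}")
```

The username list is useful triage context: a spray across generic accounts (`admin`, `root`, `pi`) looks very different from repeated failures against a single real account, and the same per-source windowing applies unchanged to Telnet daemons that log in a comparable format once the regular expression is adjusted.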

4. BlueNoroff introduces new methods bypassing MoTW

The notorious Lazarus Group subcluster BlueNoroff has been seen incorporating fresh strategies into its playbook to get around the Windows Mark of the Web (MotW) security measure. The new approach aims to bypass the Windows MotW warning message that appears when a user tries to open a file downloaded from the internet. BlueNoroff also created numerous fake domains imitating banks and venture capital firms.

Through the installed backdoor, the attackers try to fingerprint the victim and install additional malware with high privileges. Once a machine was infected, the operator ran various Windows commands to acquire basic system information, and used Living Off the Land Binaries (LOLBins) to avoid detection. It is recommended to install software updates to prevent attackers from exploiting known issues or vulnerabilities. To stay protected from such attacks, avoid opening unsolicited or suspicious email attachments, as attackers continually release new malware.

5. Thousands of Citrix servers still unpatched for critical vulnerabilities

Thousands of Citrix ADC and Gateway deployments exposed on the Internet were determined to still be vulnerable to two critical-severity vulnerabilities that have recently been patched. CVE-2022-27510, the initial vulnerability, was resolved on November 8. An attacker might use an authentication bypass to circumvent the login brute force security, perform remote desktop takeover, or obtain unauthorized access to the laptop.

The second vulnerability, designated CVE-2022-27518, was identified on December 13 and patched. It enables remote command execution on vulnerable devices and remote device control by unauthenticated attackers. Thousands of Citrix servers that are connected to the internet remain unpatched, making them a potential target for attackers. It is highly recommended to patch any Citrix devices in an organization’s environment as soon as possible if they are vulnerable to either of these vulnerabilities.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
