Cyber Security Weekly Briefing 12-18 March

ElevenPaths    18 March, 2022

Vishing by impersonating Microsoft

The Office of Internet Security (OSI) has issued a security advisory to report an increase, in recent weeks, of fraudulent calls in which a supposed Microsoft employee indicates that the user’s device is infected. In this type of fraud, known as vishing, the attacker urges the victim to install a remote access application, which will supposedly disinfect the device. Once the cybercriminal has gained access to the user’s computer, they can steal all kinds of files stored on the device, get hold of the passwords stored in the browser, and even install malware that locks the computer and then asks for payment to unlock it. If the user has answered the call and installed the programme mentioned by the cybercriminal, the OSI recommends disconnecting the device from the network, uninstalling the installed programme and using an antivirus.

More info:

Linux kernel Netfilter vulnerability

Security researcher Nick Gregory has discovered a new vulnerability in the Linux kernel. This flaw, identified as CVE-2022-25636 and with a CVSSv3 of 7.8, involves an out-of-bounds write vulnerability in Netfilter, a Linux kernel framework that allows various network operations like packet filtering, address and port translation (NATP), connection tracing and other packet manipulation operations. A local attacker could exploit this vulnerability to escalate privileges and execute arbitrary code on the vulnerable system. It should be noted that the flaw affects Linux kernel versions 5.4 to 5.6.10, so it is recommended to upgrade to the new version as soon as possible, since there is a PoC available.

More info:

Brazilian trojan variant Maxtrilha targets Portuguese users

Researcher Pedro Tavares of Segurança Informática has detected a possible new variant of the Brazilian Trojan known as Maxtrilha. This variant has been detected being distributed via phishing templates impersonating the Portuguese tax services (Autoridade Tributária e Aduaneira), targeting banking users in Portugal. Researchers consider this malware to be a new variant of the Brazilian trojan Maxtrilha due to the similarity of the samples, and the fact that it uses the same templates to attack users. In the distributed malicious emails, there is a URL that downloads an HTML file called “Dividas 2021.html” or “Financas.htm”, which then downloads a ZIP file, ultimately downloading the malware. This new variant can install or modify trusted Windows certificates, perform a banking window overlay with the aim of stealing credentials, and can deploy additional payloads executed via the DLL injection technique.

More info:

Apple fixes 87 vulnerabilities

Apple has published 10 security bulletins that fix a total of 87 vulnerabilities in its different products and platforms: iOS 15.4 y iPadOS 15.4watchOS 8.5tvOS 15.4macOS Monterey 12.3macOS Big Sur 11.6.5Actualización de seguridad 2022-003 CatalinaXcode 13.3Logic Pro X 10.7.3GarageBand 10.4.6 e iTunes 12.12.3 para Windows. The vulnerabilities detected include flaws in WebKit (web browser engine used by Safari, Mail or App Store) that could lead to remote code execution (CVE-2022-22610, CVE-2022-22624, CVE-2022-22628 and CVE-2022-22629). There are also four other vulnerabilities in document, audio and video viewing components on iPhone and iPad that could allow malware deployment or privilege escalation (CVE-2022-22633, CVE-2022-22634, CVE-2022-22635 and CVE-2022-22636). Finally, it is worth noting that macOS includes updates for both the current version and the two previous versions, but only the most current versions of iOS, watchOS, iPadOS, and tvOS support these updates.

LokiLocker: new RaaS with wiper functionality

BlackBerry’s research team has identified a new Ransomware as a Service (RaaS) targeting computers running the Windows operating system. According to experts, this malware was first discovered in mid-August 2021, and would have affected victims worldwide, although most of these would be located in Europe and Asia. Among the most notable features of LokiLocker is that it is written in .NET and protected with NETGuard, and it also uses KoiVM, a virtualisation plugin that makes it difficult to analyse malware and is not commonly used. In addition, LokiLocker sets a time limit for paying the ransom if the victim does not agree to the ransomware’s blackmail, uses a file-wiping function on the computer, except for system files, and overwrites the master boot record (MBR) of the system drive to render it unusable.

More info:

Leave a Reply

Your email address will not be published. Required fields are marked *