Global cyber-espionage investigation published
A joint consortium of organizations and media outlets has published an investigation revealing the indiscriminate marketing and use of Pegasus spyware. According to the investigators, a data leak has identified at least 10 governments as potential customers of the Israeli company NSO Group, which owns Pegasus. The leak contains a list of more than 50,000 phone numbers of “persons of interest” dating from 2016. Identified victims reportedly include corporate executives, religious figures, academics, NGO employees, trade union leaders and members of several governments. Pegasus can compromise iOS and Android devices in order to exfiltrate messages, emails and photos, record calls and activate the microphone. Both the company and some of the states involved have denied its use for such purposes. It is worth noting that this spyware was allegedly used last year to infect Jeff Bezos’ device.
Since the publication, news and reactions have continued to emerge. On the one hand, Amazon Web Services has reported the closing of infrastructure and accounts linked to the company NSO Group, owner of Pegasus, after it became public that the company had used AWS infrastructure to carry out espionage tasks. In addition, Apple’s share price fell yesterday following news of the active exploitation of multiple 0-days on an iPhone 12 upgraded to the latest iOS 14.6 operating system. It is also worth noting that the United Nations Office in Geneva has tweeted a reminder to countries that all surveillance measures must be carried out under justified and narrowly defined circumstances, with a legitimate aim, and be proportional to that aim.
Malware distribution campaign targeting Spanish-speaking corporate users
Proofpoint’s team has identified a new threat group, named TA2721, that is distributing malware via emails in Spanish. This group is targeting users with Spanish surnames who belong to global organizations in different industries. As these are specific targets, researchers raise the possibility that the group performs some kind of reconnaissance of the targeted entities before sending the fraudulent emails. The TA2721 infection chain is characterized by the use of PDF documents attached to the emails, which contain a URL that redirects to the download of an encrypted and compressed .RAR file that eventually installs the Bandook malware on the victim’s computer, an old RAT-type malware that is not very common. Researchers have found that this threat actor tends to use the same C2 infrastructure for several weeks or months; in fact, in six months, Proofpoint has identified only three domains that would act as C2.
SeriousSAM: Privilege escalation vulnerability in Windows 10
Security researcher Jonas Lyk, along with other experts, has discovered a vulnerability in Windows 10 that would allow threat actors to escalate privileges and gain access to hashed user account passwords and sensitive system configuration details. The flaw, named SeriousSAM (CVE-2021-36934), lies in the way Windows 10 controls access to directories such as SAM, SECURITY and SYSTEM (within C:\Windows\System32) since Windows 10 v1809. In these versions, Microsoft fails to restrict access to these configuration files in the backups generated by the Windows Volume Shadow Copy functionality. Microsoft has not yet released security patches or mitigations for this vulnerability. However, it has shared a workaround while it continues to investigate this security flaw. Meanwhile, some tips for system administrators and security providers on how to log and monitor access to SAM data have been posted on Reddit. In addition, Kevin Beaumont has published a proof of concept that would allow system administrators to test which of their systems are vulnerable to these attacks. Finally, US-CERT has also published a briefing note on the flaw.
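The exposure described above comes down to two conditions on a host: the SAM, SECURITY and SYSTEM hive files under C:\Windows\System32\config carry an ACL that lets BUILTIN\Users read them, and at least one volume shadow copy exists from which an unprivileged account could read those files. The script below is an added example for administrators who want to audit their fleet; it is not Kevin Beaumont's proof of concept and not Microsoft's tooling. It reports both conditions and warns when they coincide. The function and variable names are this example's own; the commented remediation at the end reflects the ACL-inheritance step in Microsoft's published workaround and assumes you have decided whether existing shadow copies can be discarded.

```powershell
# Added example (not the PoC referenced above): audit a host for the two
# conditions behind CVE-2021-36934. Run from an elevated PowerShell session.

# Registry hive files whose ACL should not grant read access to ordinary users.
$hiveFiles = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveExposure {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $acl = Get-Acl -Path $path
        # Any Allow entry for BUILTIN\Users that includes ReadData is the
        # over-permissive ACL the vulnerability depends on.
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        [pscustomobject]@{
            Path         = $path
            UsersCanRead = [bool]$usersRead
        }
    }
}

$aclResults = Test-HiveExposure -Paths $hiveFiles
$aclResults | Format-Table -AutoSize

# Shadow copies are where an attacker would read the exposed hives, since the
# live files are locked by the kernel; count them to complete the picture.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($shadows.Count)"

$aclExposed = $aclResults.UsersCanRead -contains $true
if ($aclExposed -and $shadows.Count -gt 0) {
    Write-Warning "Hive files readable by BUILTIN\Users and shadow copies exist: host matches the CVE-2021-36934 condition."
} elseif ($aclExposed) {
    Write-Warning "Hive ACLs are over-permissive; a future shadow copy would expose them."
} else {
    "Hive ACLs do not grant BUILTIN\Users read access."
}

# Remediation (commented out on purpose; apply only after reviewing backup needs):
# restore ACL inheritance on the hive files, as in Microsoft's published workaround,
# then remove existing shadow copies so no stale readable copy of the hives remains.
# icacls "$env:windir\System32\config\*.*" /inheritance:e
# vssadmin delete shadows /all /quiet
```

Run it through your endpoint management tool and collect the warning lines; hosts that report both conditions are the ones to prioritise, and hosts that report only the ACL condition will become exposed the next time a restore point or backup creates a shadow copy.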
XLoader: Formbook variant for Windows and macOS
Researchers at CheckPoint have published a report on the XLoader malware, a variant of the Formbook malware. According to the research, a new malware called XLoader, which advertises itself as a cross-platform botnet and is capable of stealing information on Windows and macOS systems, has recently been detected in underground forums. This new variant is known to have emerged in February 2021 and is an evolution of the well-known Formbook, a stealer that targets Windows machines and is still prevalent five years after it first appeared. XLoader is a much more sophisticated malware than Formbook, with the ability to collect credentials from web browsers and some email clients, take screenshots, log keystrokes and execute other types of malware. It is sold as Malware-as-a-Service: customers can rent the macOS version, and the vendor provides them with access to a server through which they manage the compromised devices. In this way, the attackers also retain control over how their customers use the tool. Finally, it is worth noting that most of XLoader’s victims are located in the US.