Cyber Security Weekly Briefing 28 February – 4 March

Telefónica Tech    4 March, 2022

Daxin: highly sophisticated backdoor

Researchers at Symantec have published a paper reporting a new backdoor they have called Daxin, which they attribute to actors linked to China. According to Symantec, it is the most advanced malware they have seen from Chinese threat actors. Daxin can read and write files and start processes, but it is particularly notable for its stealth and for the way it communicates with its Command & Control. The malware is able to hijack legitimate TCP/IP connections in order to carry out a key exchange with its remote peer, thereby opening an encrypted communication channel through which it receives commands and sends responses while hiding among legitimate traffic and evading security solutions. Another notable capability is the creation of a communication channel across multiple infected computers on the same network with a single command for a set of nodes, which allows it to quickly re-establish connections and encrypted channels. Symantec has identified Daxin in government organisations, as well as in entities in the telecommunications, transportation and industrial sectors that are of strategic interest to China. The attacks observed date back to November 2021, although the oldest sample identified dates back to 2013.

More info: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Critical vulnerability in GitLab

GitLab has released a security update that fixes a total of 7 vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE). Among the security flaws, the most notable is the one identified as CVE-2022-0735, which has a CVSS score of 9.6. Exploitation of this vulnerability could allow an unauthenticated attacker to obtain a registration token from a runner, enabling remote code execution. Although the technical details of the vulnerability have not been published, exploitation is reported to be of low complexity and to require neither privileges nor user interaction. This vulnerability affects all versions from 12.10 to 14.6.4, from 14.7 to 14.7.3, and from 14.8 to 14.8.1. As a result, GitLab has recommended upgrading to versions 14.8.2, 14.7.4 and 14.6.5 of GitLab Community Edition (CE) and Enterprise Edition (EE).

All the details: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
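As an added example (not code from the briefing or from GitLab's advisory), a small check that maps a reported GitLab version onto the affected ranges and patched releases listed above, which is useful when sweeping an inventory of self-managed instances. Dropping the -ce/-ee edition suffix and recommending 14.6.5 for branches older than 14.6 are assumptions of this example, not statements from the briefing.

```python
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and the patched release for each branch, as
# stated in the briefing. A version older than 14.6 has no patched release
# on its own branch, so the lowest patched release, 14.6.5, is recommended
# (an assumption of this example).
CVE_2022_0735_RANGES = [
    ((12, 10, 0), (14, 6, 4), "14.6.5"),
    ((14, 7, 0), (14, 7, 3), "14.7.4"),
    ((14, 8, 0), (14, 8, 1), "14.8.2"),
]


class Assessment(NamedTuple):
    version: str
    affected: bool
    upgrade_to: Optional[str]


def parse_version(text: str) -> Version:
    """Turn '14.7.2-ee' or '14.7' into a comparable (major, minor, patch) tuple.

    GitLab reports its version with an edition suffix (-ce/-ee); the suffix is
    dropped because the advisory covers both editions. A missing patch number
    is read as 0, matching how the briefing writes '14.7 to 14.7.3'.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(text: str) -> Assessment:
    """Report whether a version falls in a CVE-2022-0735 affected range and
    which patched release on the same branch closes it."""
    v = parse_version(text)
    for low, high, fixed in CVE_2022_0735_RANGES:
        if low <= v <= high:
            return Assessment(text, True, fixed)
    return Assessment(text, False, None)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("14.7.2-ee", "14.8.2", "13.12.1", "12.9.0"):
        print(assess(sample))
```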

Distribution of TeaBot via the Google Play store

Researchers at Cleafy have published a new article on the TeaBot banking trojan, also known as Anatsa, which has reportedly started to be distributed via rogue apps hosted on the Google Play store. This banking trojan emerged in early 2021 and was primarily distributed via smishing campaigns. The new samples, however, have switched to using Google Play as a means of distribution, with a TeaBot dropper hiding behind a QR code scanner app (QR Code & Barcode – Scanner). After the app is installed, the dropper prompts the user through a pop-up message to update it. This supposed update is not an update at all: a second application (‘QR Code Scanner: Add-On’) is downloaded from an untrusted source. This second application is the one already identified as TeaBot, and it requests accessibility service permissions, which give it the ability to view and control the screen and to observe and perform actions on the device. Recent TeaBot campaigns have added support for languages such as Russian, Slovak and Mandarin Chinese, so the malware could be expanding its targets geographically.

More: https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe
