Cyber Security Weekly Briefing 30 October-5 November

Telefónica Tech, 5 November 2021

Trojan Source: vulnerability in source code compilers

Researchers at the University of Cambridge have published a paper detailing a new attack method called “Trojan Source” that affects most existing source code compilers, interpreters and software development environments. The method abuses Unicode bidirectional (Bidi) control characters and visually confusable characters so that the code a human reviewer sees rendered on screen differs from the code the compiler actually parses. Because the deceptive characters sit inside comments or string literals, the result is syntactically valid, and the technique has been demonstrated in major programming languages such as C, C++, C#, JavaScript, Java, Rust, Go and Python.

Such an attack is therefore a software supply chain compromise. The research also warns that the control characters survive the copy-and-paste functions of most modern browsers, editors and operating systems, so a developer who copies code from an untrusted source into a protected code base could unknowingly introduce “invisible” vulnerabilities. The researchers disclosed the findings to 19 affected organisations, many of which are already preparing updates for their compilers, interpreters, code editors and repositories (Rust, for example, tracks the issue as CVE-2021-42574). Several proof-of-concept attacks in the languages listed above are also available.

All information: https://trojansource.codes/trojan-source.pdf
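As an added illustration of the technique described above (constructed here, not the researchers' own proof-of-concept), the block below builds a Python function whose docstring ends with a Right-to-Left Isolate (U+2067). The interpreter treats that character as ordinary string content, so the `;return` that follows on the same line is live code and the function returns before touching the balance, while a Bidi-aware renderer may display the line reordered so the `return` looks like part of the docstring. The same block includes two stand-ins for the checks that compilers and editors have been adding: a scanner that reports every Bidi control character with its line and column, and, going a step beyond the Bidi case, a tokenizer-based check for non-ASCII identifiers that catches the paper's homoglyph variant. All sample sources are constructed for this example.

```python
"""Trojan Source: a constructed early-return sample plus scanners for the
Unicode bidirectional control characters and homoglyph identifiers it relies on.

Added example; the samples are constructed here, not the researchers' PoCs,
and the scanners are stand-ins for the checks compilers and editors added.
"""
import io
import tokenize

# The Bidi control code points the attack abuses: embeddings, overrides, isolates.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Constructed sample. The RLI (U+2067) sits inside the docstring, so the
# interpreter sees plain string content, but a Bidi-aware renderer may show
# the rest of the line reordered so that `;return` looks like docstring text.
TROJAN_SAMPLE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
)

# The same logic written honestly: no control character, no trailing statement.
CLEAN_SAMPLE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account. '''\n"
    "    bank[account] -= amount\n"
)

# Constructed homoglyph sample: the second name uses Cyrillic 'е' (U+0435).
HOMOGLYPH_SAMPLE = (
    "def check_access(user):\n"
    "    return False\n"
    "def check_acc\u0435ss(user):\n"
    "    return True\n"
)


def run_sample(src):
    """Execute a sample and return alice's balance after a 50-unit withdrawal."""
    ns = {}
    exec(src, ns)
    ns["subtract_funds"]("alice", 50)
    return ns["bank"]["alice"]


def scan_bidi(src):
    """Report every Bidi control character as (line, column, name, code point)."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch], f"U+{ord(ch):04X}"))
    return findings


def non_ascii_identifiers(src):
    """Report identifiers containing non-ASCII characters as (line, name)."""
    found = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            found.append((tok.start[0], tok.string))
    return found


if __name__ == "__main__":
    print("trojan sample balance:", run_sample(TROJAN_SAMPLE))
    print("clean sample balance:", run_sample(CLEAN_SAMPLE))
    print("bidi controls:", scan_bidi(TROJAN_SAMPLE))
    print("non-ascii identifiers:", non_ascii_identifiers(HOMOGLYPH_SAMPLE))
```

A pre-commit hook or CI step built on `scan_bidi` should fail the build on any hit rather than warn, since there is almost no legitimate reason for Bidi controls in source code; if a project genuinely needs them (for example in test data for right-to-left text), allow-list those files explicitly.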

BlackMatter announces operational shutdown under pressure from authorities

Threat actors linked to the BlackMatter ransomware have announced the shutdown of their operations, citing pressure from local authorities. Researchers from the VX-Underground platform have released a screenshot of the statement, posted on the private RaaS (Ransomware-as-a-Service) portal where the operators communicate with and recruit affiliates. Originally written in Russian, the translated message states that BlackMatter’s infrastructure will be shut down within 48 hours, although the operators leave open the possibility of continuing to supply affiliates with the decryptors they need to finish ongoing extortions. Some media reports attribute the group’s decision to the recent publication of reports by Microsoft and Gemini Advisory linking the FIN7 group (believed to be the creators of BlackMatter) to the front company Bastion Secure, as well as to the rising number of arrests of members of other ransomware groups.

More: https://twitter.com/vxunderground/status/1455750066560544769

Mekotio banking trojan is back with an improved campaign

Check Point researchers have detected a new Mekotio banking trojan campaign with more than a hundred attacks in recent weeks, delivered via phishing emails containing malicious links or zip attachments. According to the researchers, this new wave began after the operation carried out by the Spanish Guardia Civil last July, which led to the arrest of 16 people involved in distributing the malware. Current indications, however, point to Brazil as the operational centre of Mekotio’s operators, with some collaborators still active in Spain.

Mekotio’s main objective is stealing banking credentials from Spanish-speaking users, and the current version brings notable changes to its attack flow aimed at stealth and evasion. Beyond additional layers of obfuscation, the zip attached to the phishing emails contains a script that geolocates the victim and inspects the execution environment, so the chain can filter victims by country and abort when it detects that it is running inside a virtual machine. Analysis sandboxes therefore never see the final payload, and the malware is deployed only on the intended targets.

All details: https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/

Threat actor Tortilla campaign distributing Babuk ransomware

Cisco Talos researchers have identified an active campaign deploying Babuk ransomware by exploiting Microsoft Exchange servers vulnerable to ProxyShell and abusing PetitPotam, an NTLM relay technique. The campaign is attributed to a threat actor tracked as Tortilla, active since July 2021, which primarily targets organisations in the United States and, to a lesser extent, the United Kingdom, Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The infection chain usually starts with a downloader in DLL or EXE form that runs an obfuscated PowerShell command, which in turn downloads the final Babuk payload and injects it into a newly spawned instance of AddInProcess32.exe, a legitimate .NET Framework binary. The researchers also observed the China Chopper web shell on multiple infected systems, as well as attempted exploitation of other vulnerabilities in Atlassian, Apache Struts, Oracle WebLogic and WordPress.

More details: https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
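The chain described above leaves a recognisable process tree: the IIS worker process (w3wp.exe) spawning a shell on behalf of a web shell, hidden and encoded PowerShell from the downloader stage, and a shell as the parent of AddInProcess32.exe, which a .NET add-in host would normally launch. The block below is an added example, not Cisco Talos's detection content, that encodes those three heuristics and runs them over constructed Sysmon-style process-creation records; the field names, paths and sample values are assumptions made for illustration, and the `-enc` blob is just UTF-16LE "IEX" in base64 so the decoder has something to show.

```python
"""Process-tree heuristics for the Tortilla / Babuk chain described above.

Added example, not Cisco Talos's detection content. It runs over constructed,
Sysmon-style process-creation records; the field names and sample values are
assumptions made for illustration.
"""
import base64
import re

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon Event ID 1 fields. The -enc blob is UTF-16LE "IEX" in base64.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"pid": 5512, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'cmd.exe /c "cd /d C:\\inetpub\\wwwroot & whoami"'},
    {"pid": 5610, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\update.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 5700, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "AddInProcess32.exe"},
    {"pid": 6000, "image": r"C:\Windows\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def evaluate(event):
    """Return the names of the heuristics a single event trips."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"]
    hits = []
    # IIS worker process spawning a shell: the China Chopper web shell pattern.
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("shell_spawned_by_w3wp")
    # Hidden, encoded PowerShell as used by the downloader stage.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    # AddInProcess32.exe is a .NET add-in host; a shell as its parent matches
    # the injection target reported for the Babuk payload.
    if image == "addinprocess32.exe" and parent in SHELLS:
        hits.append("addinprocess32_spawned_by_shell")
    return hits


def triage(events):
    """Map pid -> tripped heuristics for every event that trips at least one."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
    print("decoded:", decode_encoded_command(EVENTS[2]["cmdline"]))
```

On a real Exchange host the first heuristic is the high-value one: w3wp.exe launching cmd.exe or powershell.exe is rare enough in normal operation that it can be alerted on directly, whereas encoded PowerShell needs tuning against legitimate administration scripts before it is used as more than an enrichment signal.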
