Cyber Security Weekly Briefing, 5 – 11 November

Telefónica Tech    14 November, 2022

Robin Banks Phishing Platform Reactivated

Researchers at IronNet have published the second part of their investigation into the Robin Banks phishing-as-a-service platform. The platform was discovered in June this year following the detection of a massive phishing campaign against US financial institutions, after which it was blocked by Cloudflare and its operations were halted.

The platform is now reportedly back in business, hosted through the Russian ISP DDoS-Guard, and incorporates new features such as multi-factor authentication and Adspect redirectors, which help it evade detection by redirecting suspicious traffic to legitimate-looking websites.

In addition, Robin Banks also makes use of Evilginx2, a proxy that captures victims’ session cookies and helps attackers evade protection measures such as two-factor authentication.


* * *

Cybersecurity incident at an Orange provider

Orange has revealed that one of its suppliers has suffered a cybersecurity incident that resulted in the compromise of personal information belonging to the telecommunications company’s customers.

According to the company’s statement, the incident at the provider occurred several days ago and involved unauthorised access to systems. As a result, the data of a limited number of customers, who have already been notified by Orange via SMS or email, have been compromised.

The exposed data may include the customers’ name, postal address, email address, telephone number, ID number, date of birth, or bank IBAN code, although not all of these fields were exposed in every affected case. It should be noted that no passwords or credit card details were compromised.

The company cut off access to the affected systems as soon as it became aware of the attack, and notified the Spanish Data Protection Agency and the Central Technological Investigation Brigade (BCIT) of the National Police.


* * *

Microsoft fixes 68 vulnerabilities including six 0-day vulnerabilities

In its latest security update, Microsoft has fixed a total of 68 vulnerabilities, six of which are actively exploited 0-day flaws:

  • CVE-2022-41128, a remote code execution vulnerability with a CVSS score of 8.8.
  • CVE-2022-41091, which would allow an attacker to evade Mark-of-the-Web (MOTW) security defences with a CVSS score of 5.4.
  • CVE-2022-41073 and CVE-2022-41125, which would allow a malicious actor to gain system privileges and have a CVSS score of 7.8.
  • CVE-2022-41040 and CVE-2022-41082, privilege escalation and remote code execution vulnerabilities in Microsoft Exchange with a CVSS score of 8.8.

These last two would be the vulnerabilities identified last September as ProxyNotShell. Other vulnerabilities categorised by Microsoft as critical and fixed in this latest update are CVE-2022-37966 and CVE-2022-37967 in Windows Kerberos, CVE-2022-41080 in Microsoft Exchange Server and CVE-2022-38015 in Windows Hyper-V.


* * *

Critical vulnerabilities in Citrix Gateway and Citrix ADC

In its security bulletin released on Tuesday, Citrix announced three vulnerabilities affecting its Citrix Gateway and Citrix ADC software that users urgently need to patch.

Of these vulnerabilities, CVE-2022-27510 (CVSS 9.8) stands out as a critical flaw that allows bypassing the authentication process by using alternative channels or routes when the application is configured as a VPN. The other two vulnerabilities are also considered critical by NIST, although Citrix has downgraded their criticality to high and medium respectively.

These are CVE-2022-27513 (CVSS 9.6 according to NIST, 8.3 according to Citrix), which allows attackers to take control of the remote desktop via phishing because the authenticity of the data is not correctly verified when the RDP proxy is configured in VPN mode; and CVE-2022-27516 (CVSS 9.8 according to NIST, 5.6 according to Citrix), a vulnerability that allows the protection mechanism against brute-force login attempts to be circumvented.

This last vulnerability can be exploited in VPN mode or if configured as an AAA virtual server with a maximum number of login attempts. The company has already patched these flaws for customers of its cloud services, but users who directly manage this software will have to patch individually.


* * *

StrelaStealer: new malware to steal email credentials

Researchers at DCSO CyTec have identified a new malware, named StrelaStealer, that steals email credentials from Outlook and Thunderbird.

The malware is distributed via ISO files attached to emails with varying content. In one of the variants observed, the attachment was a polyglot file, i.e. a file that can be interpreted as different formats depending on the application that opens it.

In the case analysed, this file could either download StrelaStealer or display a decoy document in the default browser. The campaign was reportedly first observed in November 2022 and targets Spanish-speaking users.
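As an added illustration of the polyglot technique described above (example code, not from the briefing or from DCSO CyTec), a small Python triage check that flags a file matching more than one format signature; the sample input is constructed and assumes an ISO 9660 image whose unused 32 KiB system area carries HTML, which is why the same bytes satisfy both an ISO mounter and a browser.

```python
# Added example: flag files that match more than one format signature.
# Signature offsets are the standard documented ones; the ISO 9660 volume
# descriptor starts at sector 16 (offset 0x8000) with "CD001" at offset 0x8001.
from typing import List

# (name, offset, magic bytes)
SIGNATURES = [
    ("iso9660", 0x8001, b"CD001"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("pe_mz", 0, b"MZ"),
]
# HTML has no fixed magic, so it is matched case-insensitively in the head
HTML_MARKERS = [b"<html", b"<!doctype html", b"<script"]


def detect_formats(data: bytes) -> List[str]:
    """Return every format whose signature is present at its expected offset."""
    found = [name for name, off, magic in SIGNATURES
             if data[off:off + len(magic)] == magic]
    head = data[:1024].lower()
    if any(marker in head for marker in HTML_MARKERS):
        found.append("html")
    return found


def is_polyglot(data: bytes) -> bool:
    """A file that parses as two or more formats deserves a closer look."""
    return len(detect_formats(data)) > 1


def build_sample_iso_html_polyglot() -> bytes:
    """Constructed test input (hypothetical, not a real sample): HTML placed in
    the 32 KiB system area that ISO 9660 leaves unused, followed by a minimal
    primary volume descriptor so an ISO mounter also accepts the file."""
    system_area = b"<html><script>/* decoy */</script></html>".ljust(0x8000, b"\x00")
    volume_descriptor = b"\x01CD001\x01\x00".ljust(2048, b"\x00")
    return system_area + volume_descriptor


if __name__ == "__main__":
    sample = build_sample_iso_html_polyglot()
    print(detect_formats(sample), is_polyglot(sample))
```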
