FluBot botnet behind messaging company impersonation campaign
Last Friday, researchers at ThreatFabric named the threat behind the campaign impersonating SMS messaging companies. Specifically, they refer to the Cabassous malware, a banking trojan discovered in December 2020 and largely focused on Spain. ESET malware researcher Lukas Stefanko also confirmed the link between the fraudulent SMS campaigns in Spain and Poland that impersonate messaging companies and the FluBot malware (aka Cabassous). He also provided a link to a report by Prodaft (Proactive Defense Against Future Threats) analysing the activity linked to the FluBot botnet. The report includes statistics on the botnet: more than 60,000 infected devices, 97% of the victims located in Spain, and a total number of collected phone numbers that could exceed 11 million (at the time of the report).

The objective of the trojan is the collection of users' banking credentials. However, in addition to this main goal, and unlike other banking trojans, FluBot is able to steal its victims' address books and send fraudulent SMS messages from compromised devices. It is this ability that has fuelled its rapid and effective spread.

That same day, the Mossos d'Esquadra reported the dismantling of a criminal group specialized in smishing campaigns. The Mossos' announcement did not state that the detainees were the operators of the FluBot botnet, whose activity had become known that same morning through the detailed Prodaft report. However, one of the Prodaft investigators confirmed, linking to the Mossos announcement, that those arrested were FluBot operators and that the C&C had been down since early that morning. One of the press articles echoing the dismantling, in El Periódico, indicates that the investigation, which would still be open, began in October 2020 as a result of a user's complaint about receiving a fraudulent SMS.
This news might suggest that the aggressive smishing campaign seen in recent weeks is over. However, the receipt of fraudulent SMS messages continued to be reported on social networks after the dismantling, so it cannot be ruled out that only part of the infrastructure was taken down.
Airline data leak due to cyber-attack on IT supplier SITA
On February 24, SITA, an international telecommunications company that provides technology services to companies in the aeronautical industry, was the victim of a security incident that affected certain passenger data stored on the SITA Passenger Service System (SITA PSS) servers. This platform manages ticketing, boarding and other user transactions for major airlines. As confirmed by a SITA representative to online media, the affected entities include Lufthansa, Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair. In total, it is estimated that more than two million end users could have been affected by this incident. In its own statement, SITA indicates that it is taking steps to contact all affected SITA PSS customers, in addition to initiating other specific containment measures. The investigation into the origin of the incident is still ongoing.
Microsoft security newsletter
Microsoft has published its monthly security newsletter for March, in which it has fixed 84 vulnerabilities, including two 0-day vulnerabilities and ten other vulnerabilities of high criticality. The 0-day fixes are CVE-2021-27077, a privilege escalation in Windows Win32k, and CVE-2021-26411, a memory corruption vulnerability in Internet Explorer. The latter, rated high criticality, is known to have been exploited by the North Korean group Lazarus last January. Finally, Microsoft has released security updates for currently unsupported Microsoft Exchange servers that are vulnerable to ProxyLogon attacks (CVE-2021-26855), since these servers are not compatible with the patches released in early March.
Fire in several OVH data centers
Octave Klaba, OVH's founder, announced at 3:42 a.m. via Twitter that a fire had been detected in one of its data centers in Strasbourg. The fire started in SBG2 and shortly afterwards affected part of SBG1, while firefighters struggled to isolate SBG3 and SBG4 effectively. Earlier in the morning, Klaba had announced that the fire was under control but that there was no access to any of the four sites. A further update at 10:00 a.m. indicated the intention to restore at least the service provided from SBG3 and SBG4, and perhaps SBG1, during the course of the day. In its initial announcement of the incident, Klaba recommended that customers activate the firm's disaster recovery plan, which was set up to avoid major problems when the service fails. As a result of the fire, a large number of OVH-hosted websites are currently severely disrupted.
All the details: https://twitter.com/olesovhcom/status/1369478732247932929
News about ProxyLogon, vulnerabilities in Exchange
Since the active exploitation of four Microsoft Exchange 0-day vulnerabilities by the Chinese actor Hafnium came to light last week, reports have been published indicating that the victims of these attacks include the European Banking Authority (EBA). In addition, ESET researchers have learned of the exploitation of these vulnerabilities by other cybercriminal organizations, including the DearCry ransomware operators. Microsoft has also published updates to correct these vulnerabilities, warning that the installation instructions must be followed exactly, since otherwise the updates can install without actually fixing the vulnerabilities; it has also released security updates for unsupported servers that are vulnerable. In addition, Microsoft has released a script to search systems for IoCs associated with these vulnerabilities, and has updated its Microsoft Safety Scanner tool, which detects and removes webshells. Additionally, the Latvian CERT has developed a script that detects webshells but does not remove infected files.
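The paragraph above mentions scripts that locate webshells on Exchange servers without removing them. As an added illustration of what such a read-only detection pass looks like, and not the code of Microsoft, the Latvian CERT or this page's author, the following Python scanner walks a web directory, computes SHA-256 digests for comparison against a known-bad list supplied by the operator, and applies a small set of illustrative heuristics to ASPX-style files. The heuristic patterns, the file extensions, the demo directory and the sample files are all constructed assumptions for this example; a real deployment would take its hash list and indicators from the vendor advisories rather than from this block.

```python
"""Read-only heuristic scan for webshell-like ASPX files (constructed example)."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Illustrative heuristics only: constructs commonly seen in server-side script
# shells (attacker-controlled input feeding dynamic evaluation or process
# execution). These are assumptions for the example, not vendor-supplied IoCs.
SUSPICIOUS_PATTERNS = {
    "request_param": re.compile(r"Request(\.Item)?\s*\[", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "process_start": re.compile(r"Process\.Start\s*\(", re.I),
    "diagnostics_ns": re.compile(r"System\.Diagnostics", re.I),
    "cmd_exe": re.compile(r"cmd\.exe", re.I),
}

SCANNED_EXTENSIONS = (".aspx", ".ashx", ".asmx")  # assumed set for the example


def sha256_of(path):
    """Hash the file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path, known_hashes=frozenset(), min_score=2):
    """Return a finding dict if the file matches a known hash or enough
    heuristics, otherwise None. The file is never modified or deleted."""
    digest = sha256_of(path)
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
    known = digest in known_hashes
    if not known and len(hits) < min_score:
        return None
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return {
        "path": path,
        "sha256": digest,
        "known_hash": known,
        "heuristics": hits,
        "modified_utc": mtime.isoformat(),
    }


def scan_tree(root, known_hashes=frozenset(), min_score=2):
    """Walk `root` and collect findings for files with a scanned extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCANNED_EXTENSIONS):
                finding = scan_file(os.path.join(dirpath, name), known_hashes, min_score)
                if finding:
                    findings.append(finding)
    return findings


def build_demo_tree():
    """Create a temporary directory with two constructed sample files:
    a benign page (one heuristic hit) and a shell-shaped stub (two hits).
    The stub is deliberately non-functional; it only has the textual shape."""
    root = tempfile.mkdtemp(prefix="owa_demo_")
    benign = os.path.join(root, "benign.aspx")
    suspicious = os.path.join(root, "suspicious.aspx")
    with open(benign, "w", encoding="utf-8") as handle:
        handle.write('<%@ Page Language="C#" %>\n'
                     '<% string user = Request["user"]; Response.Write("hello"); %>\n')
    with open(suspicious, "w", encoding="utf-8") as handle:
        handle.write('<%@ Page Language="Jscript" %>\n'
                     '<% /* constructed sample, body omitted */\n'
                     'var p = Request["PLACEHOLDER"]; eval(/* omitted */); %>\n')
    return {"root": root, "benign": benign, "suspicious": suspicious}


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in scan_tree(demo["root"]):
        print(finding["path"], finding["heuristics"], finding["known_hash"])
```

The scanner reports findings and leaves the files in place, matching the behaviour attributed to the Latvian CERT script above; triage of each hit, preservation of the file for forensics and any cleanup remain manual steps. Raising `min_score` reduces false positives from legitimate pages that read request parameters, while a populated `known_hashes` set catches files regardless of their content.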