Cybersecurity Weekly Briefing November 14-20

Malware distribution campaign supplants the identity of Spanish ministries

ESET researchers warn of a malware distribution campaign that is impersonating Spanish ministries to distribute a malicious Android application through links sent by WhatsApp. The link provided in the messaging application would take users to a recently created domain gobiernoeconomica[.]com, where they offer information about alleged financial aid. Meanwhile, when accessing the website, an alleged PDF file is automatically downloaded, which is in fact a malicious application for Android.

More info: https://blogs.protegerse.com/2020/11/18/web-fraudulenta-con-supuestas-ayudas-economicas-del-gobierno-espanol-descarga-troyano-bancario-para-android/

Campaign against organizations in Japan

Symantec researchers have discovered a campaign against Japanese companies in different sectors and located in 17 different countries. This campaign would have been active for one year, from October 2019 to October 2020 and, according to the researchers, could be attributed to the APT Cicada, also known as APT10, Stone Panda, Cloud Hopper, being espionage its final purpose. Among the techniques used by Cicada are the use of DLLs and the exploitation of the ZeroLogon vulnerability (CVE-2020-1472). It is worth highlighting that the APT would have been within the network of some of the victims for almost a year, which shows the wide range of resources and skills available to them.

All the details: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

Vulnerabilities in industrial control systems

Real Time Automation (RTA) and Paradox industrial control system providers have recently warned of critical vulnerabilities that expose their systems to remote attacks by threat agents. Likewise, Schneider Electric supplier has addressed nine highly critical flaws in its SCADA systems. According to Claroty researchers, the RTA flaw assigned with CVE-2020-25159 is located in the ENIP stack (versions prior to 2.28) which is used in up to 11 devices from six different suppliers. On the other hand, the vulnerability in Paradox assigned with CVE-2020-25189 is due to a buffer overflow that affects its internet module IP150. This same system is also affected by a second high-importance vulnerability assigned as CVE-2020-25185. Finally, Schneider’s vulnerabilities affect its Interactive Graphical SCADA system and include read and write errors, as well as an incorrect restriction of operations within the memory buffer limits. CISA has also issued alerts on critical vulnerabilities as they could allow remote code execution.

More: https://threatpost.com/ics-vendors-warn-critical-bugs/161333/

New Cyberpionage campaign called CostaRicto

For the past six months, the Blackberry Intelligence team has been monitoring a cyberspionage campaign targeting a number of victims around the world. The campaign, called CostaRicto, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who use tailored malware and complex VPN proxy and SSH tunnelling capabilities. This type of cybercriminals offering their service on demand is becoming popular in sophisticated state-funded campaigns, although on this occasion the diversity of objectives makes it impossible to identify the interests of a single group. This campaign has been directed against entities from various sectors, particularly financial institutions, located in Europe, America, Asia, Australia, Africa and, especially, Southeast Asia. Among the set of tools used in the CostaRicto campaign, a custom-designed malware was identified that first appeared in October 2019 and had hardly been used, so it could be exclusive to this operator.

All the details: https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced