New banking trojan called Vizom
IBM Security Trusteer's research team has published a report analysing Vizom, a new banking trojan of the "Brazilian family". The malware uses techniques seen in other banking trojans: overlaying a fake screen when the victim logs in and carries out banking transactions so that the entered data can be exfiltrated, keylogging, and screenshot capture. Where Vizom stands out is in how it infects and installs itself on victims' devices: it is disguised as legitimate video-conferencing software so that the operating system loads its malicious DLLs, which lets it slip into legitimate directories on Windows devices. The entry vector is malicious email carrying a malicious attachment. Another notable aspect is its persistence mechanism. Vizom modifies the browser shortcuts so that, whichever browser the user opens, the legitimate Vivaldi browser is launched in the background, and that process is in fact malicious. Through it, the stolen information is exfiltrated to the Command & Control server.
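The shortcut retargeting described above is easy to audit from the defender's side. The following script is an added example, not code from the IBM Trusteer report or from the Vizom analysis: it resolves every browser-looking .lnk in the usual shortcut folders and reports those whose target executable does not match the browser the shortcut is named after, that carry command-line arguments, or that point outside the normal install roots. The folder list and the name-to-executable map are illustrative assumptions; extend them for your environment.

```powershell
# Added example (not code from the IBM Trusteer report): audit browser
# shortcuts for retargeting, the persistence technique described above.
# Assumptions: the shortcut folders and the name-to-executable map below are
# illustrative defaults, not values taken from the report.

function Get-SuspiciousBrowserShortcut {
    param(
        [string[]] $ShortcutDirs = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonStartMenu'),
            "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
        )
    )

    # Executable each browser shortcut is expected to launch, keyed by a
    # fragment of the shortcut's own file name.
    $expected = @{
        chrome  = 'chrome.exe'
        firefox = 'firefox.exe'
        edge    = 'msedge.exe'
        opera   = 'opera.exe'
        vivaldi = 'vivaldi.exe'
    }

    # Install roots a browser target is normally expected to live under.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
             Where-Object { $_ }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $ShortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $name = $file.BaseName.ToLowerInvariant()
            $key  = $expected.Keys | Where-Object { $name -like "*$_*" } | Select-Object -First 1
            if (-not $key) { return }   # not a browser shortcut, skip it

            $lnk       = $shell.CreateShortcut($file.FullName)
            $target    = [string]$lnk.TargetPath
            $targetExe = ([IO.Path]::GetFileName($target)).ToLowerInvariant()
            $reasons   = @()

            # The launched binary is not the one the shortcut's name promises
            # (for instance a "Chrome" shortcut that quietly starts vivaldi.exe).
            if ($targetExe -ne $expected[$key]) { $reasons += "target is '$targetExe'" }

            # Browser shortcuts normally carry no arguments; a DLL path, script
            # or extra switch handed to the target deserves a look.
            if ($lnk.Arguments) { $reasons += "arguments: $($lnk.Arguments)" }

            # Target outside the usual install roots. Treat this as a lead,
            # not proof: unusual but legitimate install locations exist.
            if (-not ($roots | Where-Object { $target -like "$_\*" })) {
                $reasons += "target outside install roots: '$target'"
            }

            if ($reasons) {
                [pscustomobject]@{
                    Shortcut = $file.FullName
                    Target   = $target
                    Reason   = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousBrowserShortcut | Format-Table -AutoSize
```

Run it in the context of the user whose shortcuts you want to check (per-user folders such as the Desktop and Quick Launch are resolved for the current account). A clean machine should return nothing; any hit is worth correlating with the target's signature and the process tree of the browser that actually starts.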
Google corrects 0-day vulnerability
Google has released a security update that fixes five bugs in the Google Chrome browser, including a 0-day vulnerability that is being actively exploited. The latest vulnerability (CVE-2020-15999) is a memory corruption bug in the FreeType font rendering library, which Chrome bundles by default. According to Ben Hawkes, leader of Google's Project Zero team, threat actors are reportedly exploiting this flaw in the library to attack Chrome users. Updating Google Chrome to version 86.0.4240.111 is recommended. The bug has also been fixed in FreeType version 2.10.4.
Ransomware incident in Sopra Steria
Early yesterday afternoon, the outlet Le Mag IT reported a ransomware incident at Sopra Steria that reportedly affected the company's Active Directory and encrypted part of the consultancy's information systems. The company confirmed in an official statement that the attack was detected on the night of October 20th and that measures were taken to limit the risk of it spreading. Sopra Steria also said that it is in close contact with its clients and partners, as well as with the competent authorities. There is still no official confirmation of the ransomware family behind the incident. The journalist Tristan Brossat stated in the early afternoon that it was Erica ransomware, while Le Mag IT, which broke the news, has updated its coverage to say the attack is related to Ryuk ransomware. More information on the extent of the incident and its possible causes is expected in the coming hours.
Privilege escalation vulnerabilities in Citrix Gateway Plug-in
Citrix has updated its security newsletter with two new vulnerabilities (CVE-2020-8257 and CVE-2020-8258) in the Citrix Gateway Plug-in for Windows. Security researchers at Cymptom have analysed them and published proofs of concept. If exploited, they allow a local user to escalate privileges to SYSTEM. The Citrix Gateway client installs a service running as SYSTEM that executes a PowerShell script every 5 minutes. The flaw is that PowerShell is invoked without its full path, allowing an attacker to plant a malicious powershell.exe. Both vulnerabilities can be mitigated with access control lists (ACLs) by setting more restrictive permissions on the local Citrix folders. Citrix recommends updating the Citrix Gateway Plug-in to a fixed version as soon as possible.
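The weakness above depends on two conditions that an administrator can check directly: a powershell.exe that is not one of the two Windows-supplied binaries sitting in a directory a SYSTEM service might search, and such a directory being writable by low-privileged users. The script below is an added example, not code from Citrix or from the Cymptom write-up. It walks the machine-wide PATH plus any extra folders you pass in, reports directories where Everyone, Authenticated Users or BUILTIN\Users hold write rights, and flags any powershell.exe found outside its expected locations together with its Authenticode status. The Citrix folder names in $ExtraDirs are placeholders, not paths taken from the advisory.

```powershell
# Added example (not code from Citrix or Cymptom): look for the two conditions
# the unqualified "powershell" call described above depends on:
#   1. a powershell.exe that is not a Windows-supplied binary, in a directory
#      a SYSTEM service might search, and
#   2. such a directory being writable by low-privileged users.
# Assumption: the Citrix folders in $ExtraDirs are placeholders; substitute the
# install folders actually used in your environment.

function Find-PowerShellHijackRisk {
    param(
        [string[]] $ExtraDirs = @("$env:ProgramFiles\Citrix", "${env:ProgramFiles(x86)}\Citrix")
    )

    # The only two places a powershell.exe should exist on a standard system.
    $trusted = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    ) | ForEach-Object { $_.ToLowerInvariant() }

    # Directories an unqualified call from a SYSTEM service could resolve in:
    # the machine-wide PATH, plus the caller-supplied folders.
    $dirs = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') + $ExtraDirs |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
            Select-Object -Unique

    # Principals that must never hold write rights on a directory SYSTEM searches:
    # Everyone, Authenticated Users, BUILTIN\Users.
    $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    # Any right that allows creating or replacing files: the specific Write bits
    # plus the GENERIC_WRITE and GENERIC_ALL flags some ACEs still carry.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

    foreach ($dir in $dirs) {
        # Condition 2: a weak ACL lets a low-privileged user drop a file here.
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if ($acl) {
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if (($lowPriv -contains $sid) -and (([int]$rule.FileSystemRights -band $writeBits) -ne 0)) {
                    [pscustomobject]@{ Path = $dir; Issue = "writable by $($rule.IdentityReference)" }
                }
            }
        }

        # Condition 1: a powershell.exe that is not the Windows-supplied binary.
        Get-ChildItem -LiteralPath $dir -Filter powershell.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($trusted -notcontains $_.FullName.ToLowerInvariant()) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path  = $_.FullName
                    Issue = "unexpected powershell.exe (signature: $($sig.Status))"
                }
            }
        }
    }
}

Find-PowerShellHijackRisk | Format-Table -AutoSize
```

Run it from an elevated prompt so that every directory's ACL can be read. The "writable by" findings are the ones the ACL mitigation in the advisory addresses: tightening those permissions removes the precondition even before the plug-in is updated, while an "unexpected powershell.exe" finding is an indicator that the precondition has already been used.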