AppSec News Bulletin
AppSealing
Protect Android, iOS and Hybrid applications with AppSealing Service in Real Time without writing a single line of code.
News Date - 1st to 7th December 23
New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand
A new Linux remote access trojan called Krasue, named after a nocturnal female spirit, has been targeting telecom companies in Thailand since at least 2021. This malware conceals itself during initialization and may enter systems via various methods, potentially exploiting vulnerabilities or using fake software. Krasue operates through a rootkit disguised as an unsigned VMware driver, ensuring persistence without drawing attention. It shares code with the XorDdos malware, hinting at a common origin or shared code access. Using RTSP messages as 'alive pings,' it communicates with its command-and-control server, enabling control and self-termination. Group-IB, investigating multiple potential incidents, emphasizes the need for heightened cybersecurity measures due to the challenges posed by such stealthy malware.
Source - The Hacker News
Nissan is investigating cyberattack and potential data breach
Nissan, the Japanese car manufacturer, is investigating a cyberattack that targeted its systems in Australia and New Zealand, potentially allowing hackers to access personal information. While specific details of the attack haven't been disclosed, Nissan's Oceania division, responsible for distribution, marketing, sales, and services in the region, informed customers about a possible data breach. The company's Australian and New Zealand websites displayed a notice acknowledging a cyber incident affecting their systems, prompting Nissan to deploy its global incident response team to assess the impact. Nissan is actively collaborating with stakeholders to ascertain if any personal information was accessed and is cautioning customers about potential scams and account hijacking risks. Although website functionality seems unaffected, Nissan is working to restore affected systems and urges customer patience. Importantly, Nissan reassures that its dealers' network remains unaffected, ensuring no disruptions in vehicle and service queries. Authorities in Australia and New Zealand have been notified, emphasizing the significance of cyber vigilance amid ongoing investigations.
Source - BleepingComputer
Meta Launches Default End-to-End Encryption for Chats and Calls on Messenger
Meta has begun rolling out end-to-end encryption (E2EE) in Messenger, describing it as a significant milestone. E2EE is now on by default for personal calls and one-to-one messages. According to Loredana Crisan, VP of Messenger at Meta, the change required a comprehensive rebuild of the app, carried out in consultation with privacy and safety experts. CEO Mark Zuckerberg framed the move as part of a long-term, privacy-focused vision that followed years of redesign work. E2EE for group messaging is still in testing, but encrypted one-to-one chats, previously available as opt-in "secret conversations" in Messenger since 2016, are now the default. Instagram also supports E2EE, but its availability there remains limited. E2EE protects the content of messages and calls from the sender's device to the recipient's device, so the server that relays them cannot read it. As part of the re-architecture, Meta upgraded numerous features and introduced a new encrypted storage system named Labyrinth to manage message history across devices, including a PIN for message recovery. Labyrinth is intended to preserve message privacy while still allowing messages to be stored server-side. The update is likely to renew debate over privacy and law enforcement's access to evidence, echoing a U.K. government campaign that raised concerns about potential misuse by criminals.
Source - The Hacker News
Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers
CISA warned of active exploitation of a critical Adobe ColdFusion vulnerability (CVE-2023-26360) allowing access to government servers. The flaw affects older ColdFusion versions, patched in updates released in March 2023. The vulnerability enables arbitrary code execution and was added to CISA's Known Exploited Vulnerabilities catalog. Threat actors compromised public-facing servers via this flaw, dropping malware and attempting reconnaissance. No lateral movement or data theft occurred, but malicious actions included uploading malware capable of decrypting ColdFusion passwords and deploying a modified remote access trojan, ByPassGodzilla. Efforts to exfiltrate files and view sensitive data were also noted, emphasizing the severity and sophistication of the attack.
Source - The Hacker News
Centre bans 100 websites involved in organised investment crimes, task-based job frauds
The Ministry of Home Affairs has disclosed that over 100 websites involved in organized investment and part-time job frauds have been banned. Overseas actors were reportedly behind these websites, utilizing digital ads, chat messengers, and rented accounts. They facilitated illegal economic crimes and laundered proceeds using various means such as card networks, cryptocurrency, and international fintech companies. The Indian Cyber Crime Coordination Centre identified and recommended these websites for blocking by the Ministry of Electronics and Information Technology. Citizens are cautioned against transactions with unknown accounts to avoid potential involvement in money laundering or terror financing, leading to account blocks and legal actions.
Source - The Indian Express
Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack
A new "post-exploitation tampering technique" uncovered by Jamf Threat Labs can deceive iPhone users into believing their device is in Lockdown Mode, while it's actually compromised by hackers. Lockdown Mode, designed to enhance security, can be manipulated by malware to create a fake perception of security even after its activation. By manipulating Lockdown Mode functions, attackers can bypass it, simulate a reboot, and persistently spy on users without being detected. This exploit undermines the user's trust in security features, allowing malicious activities to operate in the background. Although Apple has elevated Lockdown Mode's security in iOS 17, this technique highlights the challenge of maintaining secure user interfaces amidst evolving cyber threats. Jamf's research underscores the potential for such manipulations in the future, indicating an evolution in social engineering tactics and the need for heightened cybersecurity awareness.
Source - The Hacker News