SISA Weekly Threat Watch
Researchers have observed a rapid increase in threat actors executing successful cyber attacks thanks to the availability of free malware builders and panels. As a result, malicious groups keep posing new challenges for users and the cybersecurity community with evolved malware versions. This past week also saw various APT and hacking groups exploit new and unknown vulnerabilities, spread ransomware and malicious apps, and deploy upgraded malware.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that pose a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.
Security researchers have disclosed a major security flaw in the desktop version of Microsoft Teams that gives threat actors access to authentication tokens, including those of accounts with multi-factor authentication (MFA) enabled. An attacker with local access to a computer on which Microsoft Teams is installed could steal the tokens and use them to sign in to the victim’s account.
Vectra examined Microsoft Teams further and found an ldb (LevelDB) folder containing access tokens in clear text. The analysts also found that the “Cookies” folder contained account information, session data, marketing tags, valid login tokens, and more. Information-stealing malware, now one of the payloads most frequently delivered in phishing campaigns, can take full advantage of this flaw. Until Microsoft effectively fixes the issue, we recommend using the web-based Teams client in Microsoft Edge, which has several OS-level safeguards against token leaks.
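The advisory above describes tokens sitting in clear text under the Teams client's local cache folders. The script below is an added example written for this newsletter, not Vectra's or Microsoft's code: it hunts a cache directory for cleartext JWTs and reports only a fingerprint, algorithm, audience, user and expiry for each, so an administrator can confirm exposure without copying the tokens anywhere. The Windows paths in ASSUMED_TEAMS_DIRS are assumptions, and the sample blob, its audience and its user name are constructed for the demonstration.

```python
"""Added example: hunt for cleartext JWT access tokens in a local application
cache such as the Teams desktop client's LevelDB ("ldb") and Cookies folders.
Tokens are fingerprinted and summarised, never printed or written out."""
import base64
import hashlib
import json
import os
import re
import time
from typing import List, Optional

# Assumed (hypothetical) Windows cache locations; adjust for your install.
ASSUMED_TEAMS_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Teams\Local Storage\leveldb"),
    os.path.expandvars(r"%APPDATA%\Microsoft\Teams\Cookies"),
]

# A JWT is three base64url segments; a JSON header/payload starts with '{"',
# which base64-encodes to "eyJ".
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def describe_token(token: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return a redacted summary of a JWT, or None if the match is not a JWT.
    ValueError covers binascii.Error, UnicodeDecodeError and JSONDecodeError."""
    try:
        header_b, payload_b, _sig = token.split(b".")
        header = json.loads(_b64url_decode(header_b))
        payload = json.loads(_b64url_decode(payload_b))
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    now = time.time() if now is None else now
    exp = payload.get("exp")
    return {
        "fingerprint": hashlib.sha256(token).hexdigest()[:16],  # instead of the token
        "alg": header.get("alg"),
        "aud": payload.get("aud"),
        "upn": payload.get("upn"),
        "exp": exp,
        "expired": exp is not None and exp < now,
    }


def find_tokens(blob: bytes, now: Optional[float] = None) -> List[dict]:
    """Extract every distinct parseable JWT from a raw byte blob (e.g. one .ldb file)."""
    hits, seen = [], set()
    for m in JWT_RE.finditer(blob):
        info = describe_token(m.group(0), now)
        if info and info["fingerprint"] not in seen:
            seen.add(info["fingerprint"])
            hits.append(info)
    return hits


def scan_directory(path: str, now: Optional[float] = None) -> List[dict]:
    """Walk a cache directory and collect token summaries from every file in it."""
    results = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    results.extend(dict(info, file=full) for info in find_tokens(fh.read(), now))
            except OSError:
                continue
    return results


def build_sample_blob() -> bytes:
    """Constructed LevelDB-like record embedding one unsigned test token
    (hypothetical audience and user; not a real Teams token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=")
    header = seg({"alg": "RS256", "typ": "JWT"})
    payload = seg({"aud": "https://example.test/api", "upn": "user@example.test", "exp": 4102444800})
    token = header + b"." + payload + b".c2lnbmF0dXJlLWJ5dGVz"
    return b"\x00\x01authtoken\x00" + token + b"\x00\xff\x00junk\x0f"


if __name__ == "__main__":
    for d in ASSUMED_TEAMS_DIRS:
        if os.path.isdir(d):
            for hit in scan_directory(d):
                print(hit)
    print(find_tokens(build_sample_blob()))
```

Run it as the logged-in user on a machine with the desktop client installed; any hit whose "expired" field is False is a live credential that an infostealer running in the same user context could lift. The same scanner works on any Electron or Chromium profile directory, which is why the paths are parameters rather than hard-coded.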
Vice Society, an intrusion, exfiltration and extortion hacking group that first surfaced in the summer of 2021, has spread variants of the ransomware known as Hello Kitty/Five Hands and Zeppelin. The actors explore the network, look for ways to gain further access, and steal data in preparation for double extortion, a strategy in which the actors threaten to publish sensitive information unless the victim pays a ransom.
Vice Society actors have been observed escalating privileges, gaining access to domain administrator accounts, and then running scripts to change the passwords of the victim’s network accounts so the victim cannot remediate. To defend against ransomware attacks, maintain offline data backups, monitor and log remote connections from external sources, and mandate phishing-resistant MFA for all services.
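The scripted mass password reset described above leaves a trail in the Windows Security log as a burst of event 4724 ("An attempt was made to reset an account's password") records from a single subject account. The detection below is an added example written for this advisory, not a vendor or CISA rule: the log lines are constructed in a simplified key=value export format, and the account names, threshold and window are assumptions to tune for your environment.

```python
"""Added example: flag bursts of password resets (Windows Security event 4724)
performed by one subject account within a sliding window, the pattern left by a
script that resets every user's password ahead of ransomware deployment."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import List

# Constructed, simplified export of Security log lines (hypothetical accounts).
# 4624 = logon, 4724 = password reset attempt, 4738 = user account changed.
SAMPLE_LOG_LINES = [
    "2022-09-20T02:14:05Z EventID=4624 Subject=svc-backup Target=svc-backup",
    "2022-09-20T02:14:10Z EventID=4724 Subject=svc-backup Target=alice",
    "2022-09-20T02:14:12Z EventID=4724 Subject=svc-backup Target=bob",
    "2022-09-20T02:14:15Z EventID=4724 Subject=svc-backup Target=carol",
    "2022-09-20T02:14:21Z EventID=4724 Subject=svc-backup Target=dave",
    "2022-09-20T02:14:33Z EventID=4724 Subject=svc-backup Target=erin",
    "2022-09-20T02:14:50Z EventID=4724 Subject=svc-backup Target=frank",
    "2022-09-20T09:02:11Z EventID=4724 Subject=helpdesk01 Target=grace",
    "2022-09-20T11:45:40Z EventID=4724 Subject=helpdesk01 Target=heidi",
    "2022-09-20T11:45:44Z EventID=4738 Subject=helpdesk01 Target=heidi",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) Target=(?P<target>\S+)$"
)


def parse_line(line: str):
    """Parse one export line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "eid": int(m["eid"]),
            "subject": m["subject"], "target": m["target"]}


def detect_mass_resets(lines, threshold: int = 5, window_seconds: int = 300) -> List[dict]:
    """Return one alert per subject that reset at least `threshold` distinct
    accounts within any `window_seconds`-long sliding window. Self-resets
    (subject == target) are ignored as routine."""
    resets = defaultdict(list)  # subject -> [(timestamp, target)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["eid"] == 4724 and ev["subject"] != ev["target"]:
            resets[ev["subject"]].append((ev["ts"], ev["target"]))

    alerts = []
    for subject, events in resets.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > best["count"]):
                best = {"subject": subject, "count": len(targets),
                        "first": events[start][0], "last": events[end][0],
                        "targets": sorted(targets)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_mass_resets(SAMPLE_LOG_LINES):
        span = a["last"] - a["first"]
        print(f"ALERT {a['subject']} reset {a['count']} accounts in {span:.0f}s: {a['targets']}")
```

On the sample data the service account trips the rule (six distinct accounts in 40 seconds) while the help-desk account's two resets hours apart do not. In production, feed the rule from the domain controllers' Security logs and pair the alert with an automatic review of the subject's recent group membership changes, since the page notes the actors reach domain administrator first.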
Two malicious apps on the Google Play Store, downloaded more than 60,000 times by users worldwide, were found spreading an upgraded version of the SharkBot malware, which targets Android users’ banking logins. The apps act as droppers: the malware is activated only after the user installs and runs the dropper app, which then delivers SharkBot disguised as an update.
Researchers from Cyble discovered a tweet mentioning Zanubis, another Android banking trojan, which masquerades as a PDF application. Following the recent discovery of other banking trojans, threat actors now have both SharkBot and Zanubis in their Android toolkit. To reduce the risk of data compromise, ensure that Google Play Protect is enabled on Android devices, enforce MFA and strong passwords, and educate employees on how to avoid such threats.
APT42, a nation-state cyber-espionage group, targets individuals and organizations of strategic interest to Iran with highly focused spear-phishing and surveillance operations. According to Mandiant, the group has used compromised credentials to try to access the networks, devices and accounts of targets’ employers, co-workers and family, and has used credential harvesting to capture MFA codes and bypass authentication mechanisms.
APT42 also has a range of lightweight tools and custom backdoors. It uses credential-harvesting forms to get around MFA, intercepts SMS-based one-time passwords, and delivers Android malware via SMS messages. The group frequently tries to reach the victim’s corporate accounts through the victim’s compromised personal email account. Users are advised to follow secure computing practices, avoid installing software from unverified sources, and keep anti-virus and other security solutions up to date.
According to Cyble security analysts, threat actors on a cybercrime forum were giving away the builder and panel for MiniStealer. The leaked ZIP archive consists of two folders: Builder (containing MiniStealerBuilder.exe and the Stub) and Panel (containing the web panel source code). Such builders let less skilled attackers create malicious payloads, in this case a stealer targeting Chromium-based browsers and FTP applications.
The web panel’s source code, which the actor also published, can be used to receive data stolen from a target network. MiniStealer itself is a 64-bit .NET binary that uses timestamping and a number of anti-analysis checks to hinder debugging of the sample. It steals data from the configuration files of FTP applications and, for browsers, copies specific files from the AppDataBrowser directory. It is recommended to avoid downloading pirated software from warez/torrent sites, deploy a Data Loss Prevention (DLP) solution on endpoints, and enable automatic software updates on devices.
See you next week with more interesting bites!!