InfoSec Weekly

July 31, 2023

Table Of Contents

New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data

Description

A new Android malware named CherryBlos has been identified, using optical character recognition (OCR) to extract sensitive data from pictures. Distributed through fake social media posts, it steals cryptocurrency credentials, acts as a clipper to replace wallet addresses on the clipboard, and displays fake overlays on legitimate crypto wallet apps. CherryBlos uses OCR to recognize mnemonic phrases from images on devices, targeting users who take screenshots of wallet recovery phrases. The threat actors behind CherryBlos are also connected to a scam app campaign called FakeTrade. Another malware, SpyNote, was discovered in a SMS phishing campaign against Japanese Android users. Users are advised to be cautious when downloading apps from unverified sources, and Google plans to require valid D-U-N-S numbers for new developer accounts from August 31, 2023.

Infected Technology

Android devices

Source

https://thehackernews.com/2023/07/new-android-malware-cherryblos.html

Recommendation

• Download apps from trusted sources.

• Be cautious with social media links and downloads.

• Keep software and apps updated.

• Enable two-factor authentication (2FA) for critical accounts.

• Stay informed about the latest threats and security practices.


Hackers Exploiting Windows Search Feature: A Growing Cybersecurity Concern

Description

Hackers are capitalizing on weaknesses in the Windows Search Feature to execute various attacks. By crafting malicious files or payloads, they can bypass security measures and inject harmful code directly into the search results. Unsuspecting users who initiate a seemingly innocent search may inadvertently trigger the execution of malicious code, leading to the compromise of their systems. The exploitation of this widely-used feature presents a significant challenge to cybersecurity professionals and poses a severe threat to data integrity and confidentiality. The potential consequences of these attacks are far-reaching. Cybercriminals could gain unauthorized access to sensitive information, leading to data breaches and exposing private data to unauthorized parties. Furthermore, the malware propagated through the Windows Search Feature could disrupt critical system processes, leading to system instability, downtime, and potential financial losses for businesses. Additionally, the exploitation of this feature might provide a foothold for advanced persistent threats (APTs) to persist within compromised networks, evading detection and enabling long-term espionage.

Infected Technology

Windows Operating System

Source

https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html

Recommendation

• Limit user privileges to the minimum required for their roles. Restrict administrative access to authorized personnel only to minimize the impact of successful attacks.


CISA: New Submarine malware found on hacked Barracuda ESG appliances

Description

CISA says new malware known as Submarine was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies’ networks by exploiting a now-patched zero-day bug.A suspected pro-China hacker group (UNC4841) deployed the backdoor in a series of data-theft attacksdetected in May but active since at least October 2022. Barracuda revealed that the attackers exploited the CVE-2023-2868 remote command injection zero- day todrop previously unknown malware dubbed Saltwater and SeaSpy and a malicious tool called SeaSide to establish reverse shells for easy remote access.

Infected Technology

Email Security Gateway

Source

https://www.bleepingcomputer.com/news/security/cisa-new-submarine-malware-found-on-hacked-barracuda-esg-appliances/

Recommendation

• ESG appliances needed immediate replacement.

CVE ID

CVE-2023-2868 (CVSS score:9.8)


Severe Vulnerability in MikroTik RouterOS Unveiled

Description

A severe vulnerability has been discovered in MikroTik RouterOS, allowing remote threat actors to exploit it for executing arbitrary code and gaining full control over vulnerable devices. This vulnerability is identified as CVE-2023-30799 with a high CVSS score of 9.1. It puts approximately 500,000 to 900,000 RouterOS systems at risk if their web and or Winbox interfaces are accessible from the internet. However, it’s important to note that exploiting CVE-2023-30799 requires authentication. Essentially, unauthorized users can elevate their privileges from admin to ‘super-admin,’ providing them access to perform any arbitrary function. Exploiting vulnerabilities in Mikrotik routers could allowed attackers to gather and bring these routers together into a distributed denial-of-service botnet like Mēris and utilize them as proxies for command-and-control operations.

Infected Technology

MikroTik RouterOS

Source

https://thehackernews.com/2023/07/critical-mikrotik-routeros.html

Recommendation

• Update MikroTik RouterOS to the latest patch version.

• Disable Winbox and the web interfaces.

• Configure SSH to use public and private keys.

• Remove MikroTIk administrative interfaces from the internet

CVE ID

CVE-2023-30799

Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users

Description

Cybersecurity researchers at Wiz have discovered two critical security flaws in the Ubuntu kernel, known as GameOver(lay), which could lead to local privilege escalation attacks. These vulnerabilities affect the OverlayFS module, allowing an attacker to gain elevated privileges and potentially impact around 40% of Ubuntu users.The first flaw, CVE-2023-2640, enables unprivileged users to set privileged extended attributes on mounted files without undergoing proper security checks. The second flaw, CVE-2023-32629, leads to a local privilege escalation vulnerability in the overlayfs ovl_copy_up_meta_inode_data, bypassing permission checks when calling ovl_do_setxattr.These issues are particularly significant as Ubuntu is widely used in cloud environments by default, making cloud instances vulnerable to exploitation. An attacker could craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into granting root-like privileges when executed.

Ubuntu has since addressed the vulnerabilities in response to responsible disclosure, releasing fixes on July 24, 2023. The incident underscores the importance of thorough security testing and prompt mitigation of potential risks introduced by changes to critical components in the Linux kernel. By comparing these flaws to known vulnerabilities, the researchers highlight the severity of the GameOver(lay) vulnerabilities. Timely action from Ubuntu has mitigated the risks, but the incident serves as a reminder of the continuous vigilance required to maintain the security and integrity of widely-used operating systems and cloud environments.

Infected Technology

• Ubuntu

Source

https://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html

Recommendation

• Keep the Ubuntu system upto date

CVE ID

CVE-2023-2640, CVE-2023-32629


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us