A sophisticated social engineering cybercrime campaign bent on financial gain was observed being run from Tencent servers in Singapore.

Source: Rastislav Sedlak via Alamy Stock Photo

The Dubai Police are the latest victims of impersonation by fraudsters in the United Arab Emirates (UAE), who are sending thousands of text messages out to unwitting mobile users while purporting to represent the law enforcement agency.

Researchers at BforeAI observed a recent surge in phishing attacks leveraging alleged police communications, which encourage text recipients to click on a malicious URL to respond to supposed legal trouble or to register with an "official" online portal. The included links redirect victims to fake websites designed to harvest sensitive information, including bank details or personal identification details.

The campaign uses well-crafted lures with official branding, suggesting a moderate level of sophistication, according to BforeAI. But while the lures are tailored to UAE citizens, the phishing methodology resembles a 'spray-and-pray' model in its broad reach.

"The campaign targets individuals likely to respond to law enforcement-related communications, of which legitimate comms of this nature are not uncommon in the UAE — targeting particularly those with a limited understanding of digital threats," Abu Qureshi, lead for threat intelligence and mitigation at BforeAI, tells Dark Reading.

"The most striking aspect of this campaign is the calculated misuse of Dubai Police branding to establish credibility and deceive victims," he adds. "This demonstrates a sophisticated understanding of social engineering techniques and reliance on psychological manipulation, exploiting fear and trust in law enforcement — which for citizens of the UAE is of utmost importance."

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**Cybercriminals Increasingly Target UAE, Middle East**

Cybercrime campaigns targeting organizations and individuals in Dubai and other parts of the UAE are noticeably on the rise. According to research from Kaspersky earlier this year, 87% of companies in UAE have faced some form of cyber incident in the past two years.

"The UAE is a high-value target due to its affluent population, high Internet penetration, and reliance on digital services," Qureshi says. "Cybercriminals exploit these factors alongside vulnerabilities in newly adopted technologies."

The cybercrime spree is part of a larger trend in the targeting of individuals and organizations in some areas of the Middle East in general, he notes.

"There's a focus on wealthy regions and individuals to maximize financial gain," he says. "There are also regional geopolitical interests and an increased focus on Middle Eastern entities due to economic and political dynamics."

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

To boot, because the area has embraced digital transformation and IT modernization with gusto, cybercriminals are targeting digital adoption vulnerabilities that come from the rapid implementation of advanced technologies without adequate protections, according to Qureshi.

**Anchoring a UAE Cybercrime Campaign in Singapore**

The cyberattackers behind the Dubai Police offensive appear to have used an automated domain generation algorithm (DGA) or bulk registration to quickly cycle through different domains to host malicious Web pages bent on financial fraud. Each domain is short-lived, in order to better avoid detection.

Most of those domains originated from Tencent servers based in Singapore, according to BforeAI researchers, who noted the company's servers have hosted malicious activity before, including spam, phishing, and botnets.

"Tencent, a Chinese-based technology giant, maintains a significant hub in Singapore, leveraging the city-state's strategic location and robust digital infrastructure," says Qureshi. "Despite Singapore's strong cyber-resilience and rigorous policies to address malicious activity, its status as a global tech hub makes it a prime location for abuse of legitimate platforms by cybercriminals."

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Qureshi adds that the presence of malicious activity on Tencent servers could be due to the exploitation of legitimate services.

"High-traffic servers can be abused to host or relay malicious content without the company's direct knowledge," he explains, adding that jurisdictional complexity could also be at play: "Singapore's law enforcement may face challenges in coordinating with foreign entities and differentiating criminal use from legitimate operations. While Tencent is based in Singapore — they are a Chinese firm."

Two of the registrants were found to be from India and Dubai itself, with suspicious names suggesting that they originate from a legitimate company, according to the research. For the most part though, the cyberattackers have managed to keep their identity anonymous.

Tencent did not immediately return a request for comment.

**How Organizations in the Middle East Can Protect Against Cyber Fraud**

For organizations in the region, campaigns like this should prompt changes in risk management, Qureshi advises. Although the phishing messages are broad-based, in the age of the mobile office, even campaigns designed to hit individuals can end up affecting companies.

Common-sense security hygiene includes the basics, like double-checking the official domain of the Dubai government and the payment portal before proceeding with any payment, as well as looking for red flags like missing HTTPs protocol, broken links, out-of-place Web designs, or suspicious phrasing or grammar.

Qureshi advises organizations to take several additional steps to mitigate their risk, including:

*   Enhanced monitoring: Implement robust predictive phishing detection systems and actively monitor for misuse of branding;
    
*   Awareness programs: Train employees on phishing recognition and reporting;
    
*   Collaboration: Work with CERTs and law enforcement to address identified threats;
    
*   Incident response: Develop and test response plans to address phishing-related breaches;
    
*   Reporting: Alert phishing reporting websites such as Etisalat and DU when employees receive phishing messages;
    
*   And continuous vigilance: Adopt a proactive cybersecurity stance to protect brand reputation and customer trust.
    

And finally, "this Dubai Police campaign highlights the globalized nature of cybercrime, where local targets are exploited using international infrastructure," Qureshi warns. "The importance of cross-border cooperation and leveraging threat intelligence to stay ahead of evolving tactics cannot be overstated."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.

Source: Hilke Maunder via Alamy Stock Photo

Internet of Things (IoT) vendor Ruijie Networks has shored up its Reyee cloud management platform against 10 newly discovered vulnerabilities that could have given adversaries control of thousands of connected devices in a single cyberattack.

The Fuzhou, China-based infrastructure maker's Ruijie Networks devices, are commonly used to provide free Wi-Fi in public settings like airports, schools, shopping malls, and governments across more than 90 countries.

A pair of researchers from Claroty Team82 have developed an attack they named "Open Sesame" that they used to successfully take control of Rujie Networks devices through its cloud-based Web management portal for remote monitoring and configuration.

"The Ruijie Reyee cloud platform lets admins remotely manage their access points and routers," researchers Noam Moshe and Tomer Goldschmidt explained in a statement. "By exploiting these vulnerabilities, attackers could access these devices and the internal networks to which they connect. Our research found tens of thousands of potentially affected devices worldwide."

Moshe and Goldschmidt presented their findings in a presentation titled "The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices" at Black Hat Europe 2024 this week.

Of the 10 CVEs outlined by a new Claroty Team82 report, all of which have been patched by Ruijee, three received CVSS scores of 9 or higher: CVE-2024-47547, a weak password recovery bug with a CVSS score of 9.4; CVE-2024-48874, a server-side request forgery vulnerability with a CVSS score of 9.8; and CVE-2024-52324, flagged as a "use of inherently dangerous function," also with a 9.8 CVSS score.

"The most serious vulnerability we discovered was the vulnerability allowing devices to impersonate the Ruijie cloud platform, sending commands to other devices," the Clarity researchers said.

The collection of bugs allowed remote code execution (RCE) on devices connected to the Ruijie cloud platform, they explained.

"An attacker would be able to exploit weak authentication mechanisms to generate valid device credentials," the research team commented. "After authenticating as a device, we discovered that the attacker could impersonate the Ruijie cloud platform and send malicious payloads to other devices in its stead, gaining full control through legitimate cloud functionality."

**Open Sesame Attack**

As spectacular as taking over 50,000-plus IoT devices at one time would be, the Claroty researchers suspect that not many adversaries want that kind of attention. Instead, they predicted, threat actors armed with these bugs would take a more low-profile approach, taking over specific devices in distinct locations.

"Exploiting this vulnerability at scale could alert the vendor, who would issue a fix to the vulnerabilities needed for this exploit," according to a blog post detailing Claroty's findings. "In addition, many attackers would simply not gain anything by mass-exploiting tens of thousands of devices; this is only relevant in the case of an attacker attempting to build a botnet. Instead, most attackers would take a more targeted, stealthy approach."

With this in mind, the Claroty team built the Open Sesame attack scenario, allowing them to execute code on a vulnerable Ruijie device with nothing more than a serial number.

To make it work, an attacker needs close proximity to a Wi-Fi network using Ruijie access points to sniff out the raw beacons sent out by the Wi-Fi network for users to find and connect. That beacon also contains the device's serial number.

"Then, using the vulnerabilities in Ruijie's MQTT communication, an attacker could impersonate the cloud and send a message to the target device (identified by its SN the attacker leaked)," the blog post added. "This will result in the attacker supplying a malicious OS command for the device to execute, resulting in a reverse shell on the attacked Ruijie access point, giving the attacker access to the device internal network."

The researchers went on to explain that they hope this work highlights how the porousness of clouds can become a big vulnerability for IoT networks.

"Team82's research on Ruijie's infrastructure further exposes how vulnerable devices that are insecurely connected to, and managed through, the cloud can be," the report said.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

BforeAI has discovered a surge in phishing attacks targeting the Dubai Police, a government-run entity. Learn how cybercriminals are exploiting the Dubai Police name to steal personal information and money.

****SUMMARY:****

*   **Researchers found a rise in phishing attacks in the UAE impersonating Dubai Police via SMS.**

*   **Attackers use fake domains with typosquatting and suspicious extensions like “.xyz” and “.top.”**

*   **Many domains originate from Singapore servers linked to prior malicious activity.**

*   **The scams aim to steal financial data and exploit fear using emergency numbers like 999.**

*   **Residents should verify websites, avoid unknown contacts, and check for “HTTPS” to stay safe.**

Cybersecurity researchers at BforeAI have identified a rise in phishing attacks targeting residents of the United Arab Emirates (**UAE**) by impersonating the Dubai Police. The attacks are primarily relayed via SMS texts and redirect users to malicious domains.

The researchers analyzed 268 domains from September 17 to November 22 to identify patterns and trends. Most domains originated from Singapore servers and have a history of malicious activity, including spam, phishing, and botnets. Around 50% of these domains were registered by Gname, and the rest by NameSilo, and Dominet.

One such SMS with a malicious link (Via BforeAI)

Further probing revealed that over two dozen domains have expired, with some registered as recently as November. Two registrants, from India and Dubai, have suspicious names suggesting legitimate company origins. Threat actors, however, have managed to keep their identities anonymous, revealed BeforeAI’s **advisory** shared exclusively with Hackread.com ahead of its publishing.

This update follows **last month’s revelations** that 99% of UAE’s .ae domains are vulnerable to phishing and spoofing attacks due to insufficient DMARC implementation.

****What’s going on****

The attackers are deploying a multi-sided approach to deceive victims. This includes registering numerous domains in fast succession, often with sequential numbering, hinting at the use of automated tools, and using **Typosquatting**. This means they are creating misspelled variations of “Dubai Police” (e.g., “dubaiploce”) to trick unsuspecting recipients into clicking on illegitimate links.

Furthermore, attackers are adding terms like “police,” “gov,” “portal,” and “online” to the domain names to appear official and trustworthy.

Beyond the “.com” domain, the attackers are heavily utilizing less-regulated extensions like “.top,” “.xyz,” and “.click,” which provide them with more anonymity. Interestingly, a significant portion of the domains were registered using Tencent servers in Singapore, previously linked to malicious activities.

****Who are the Targets?****

These fraudulent campaigns seem to have two main targets- stealing financial information from individuals who believe they’re interacting with a legitimate government entity and exploiting fear by incorporating emergency numbers like 999 (UAE emergency services) to target those worried about supposed fines or seeking genuine assistance from Dubai Police.

Researchers observed a quick turnaround time for these phishing campaigns.  Many domains expire within weeks, suggesting the attackers launch frequent, short-lived operations to evade detection.

To avoid falling victim to such scams, UAE residents should verify official websites, be cautious of unfamiliar contacts, and be wary of websites lacking the “HTTPS” protocol, broken links, or unprofessional design.

1.  **Stolen UAE InvestBank Data Sold on Dark Web**
2.  **Anonymous Sudan Hits UAE’s Flydubai with DDoS Attack**
3.  **US Gov Agencies Impersonated in DocuSign Phishing Scams**
4.  **In UAE Supporting Qatar on the Internet is Now a Cybercrime**
5.  **Google takes on sites with ties to hack-for-hire groups in UAE**

Scammers Exploit Fake Domains in Dubai Police Phishing Scams

Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse.

Thursday, December 12, 2024 06:00

As long as we've had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

**Proxy Chain Services**

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

*   **VPN and TOR:** These services provide the user anonymity, but the defender can, for the most part, determine that it's receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
*   **Commercial residential services:** These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
*   **Malicious proxy services:** Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

**History**

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn't the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

**State of the Art**

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we've seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

**Network Resiliency Coalition**

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks' reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

**Impact on Defenders**

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

*   Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
*   Are they logging on during their typical hours? (e.g., 9-5 M-F)
*   Are there other managed devices in proximity?
*   Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it's expensive, and for many organizations not practical, but for those with the budgets and the concern, it's a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it's assumed you've already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

The evolution and abuse of proxy networks

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

****SUMMARY****

*   **Dubbed AuthQuake; the flaw in Microsoft MFA allowed attackers to bypass security measures and access accounts.**

*   **Vulnerability impacted Azure, Office 365, and other Microsoft services with over 400 million users at risk.**

*   **Exploit leveraged the lack of rate limiting and extended validity of TOTP codes for login sessions.**

*   **Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.**

*   **Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.**

Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts. 

With over 400 million paid Office 365 subscriptions, the vulnerability could be a highly lucrative opportunity for cyber criminals to steal sensitive information such as emails, files, and communications across Microsoft’s platforms like Outlook, OneDrive, Teams, Azure, etc.

****Exploiting Rate Limit and Time-Based One-Time Password (TOTP)****

The exploit takes advantage of two key weaknesses in the MFA setup: Lack of Rate Limiting and Extended Timeframe for TOTP Codes. When users log in, they’re assigned a session ID and asked to verify their identity using a Time-Based One-Time Password (TOTP) from an authenticator app. The problem is that the system permits up to 10 failed login attempts per session without notifying the user or triggering any alerts.

The lack of rate limiting allows attackers to quickly create new login sessions and trial multiple TOTP codes, which are essentially six-digit numbers. Given that there are a million possible combinations for these codes, an attacker could theoretically exhaust all options without encountering any security measures.

On the other hand, TOTP codes are typically valid for only 30 seconds, the testing conducted by Oasis revealed that the system allowed codes to remain valid for up to 3 minutes. This extended time frame significantly increases the chances of success for an attacker attempting to guess the correct code.

****Result?****

According to Oasis Security’s **blog post** shared with Hackread.com ahead of its publishing on Wednesday, December 11, researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. Here’s a demonstration the researchers created while testing the exploit themselves:

****Microsoft’s Response****

Oasis Security reported the incident to **Microsoft**. The tech giant was quick to respond and implemented a permanent fix on October 9, 2024, after a temporary fix was deployed on July 4, 2024. The fix involved introducing stricter rate limits that activate after a number of failed attempts, lasting for about half a day.

**Jason Soroko**, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery stating, _“_AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures._“_

****Lesson for Users and Companies****

While the specific flaw has been patched, organizations should inform employees about the importance of cybersecurity and encourage them to report any suspicious login attempts. Moreover, despite the recent issues, MFA remains a critical security measure therefore, use authenticator apps or explore stronger **passwordless methods** for added protection.

1.  **Microsoft Bookings Flaw Enables Account Hijacking**
2.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
3.  **Hackers Use Excel Files to Deliver Remcos RAT Variant**
4.  **Azure AI Flaws Lets Attacks Bypass Moderation Safeguards**
5.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**

AuthQuake Flaw Allowed MFA Bypass Across Azure, Office 365 Accounts

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

New DCOM Attack Exploits Windows Installer for Backdoor Access

A malicious botnet called Socks5Systemz is powering a proxy service called PROXY.AM, according to new findings from Bitsight.
"Proxy malware and services enable other types of criminal activity adding uncontrolled layers of anonymity to the threat actors, so they can perform all kinds of malicious activity using chains of victim systems," the company's security research team said in an analysis

Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

DroidBot, a sophisticated Android RAT, is targeting individuals and financial institutions across Europe.

****KEY POINTS****

*   **DroidBot Discovery**: A new Android spyware, DroidBot, was identified in mid-2024, operating as Malware-as-a-Service (MaaS).

*   **Targets and Tactics**: It targets financial institutions and users by disguising itself as security or banking apps and exploiting Android Accessibility Services.

*   **Capabilities**: DroidBot can intercept messages, log keystrokes, capture screenshots, and remotely control devices.

*   **Affiliate Network**: Used by 17 affiliate groups, it has attacked 77 targets across Europe, with expansion likely.

*   **Prevention Tips**: Avoid unknown apps, update devices, and use reliable antivirus tools.

A recent discovery by Cleafy Labs has shed light on a new Android spyware threat dubbed DroidBot, identified in mid-2024 and operates on the MaaS (Malware-as-a-Service) operation model.

Similar to the legitimate Software-as-a-Service (SaaS) model, malware developers rent access to the malware in the MaaS model, making it easier for cybercriminals to launch attacks without requiring advanced technical expertise.

Spyware advert on a Russian forum (Credit: Cleafy Labs)

According to Cleafy Labs’ investigation, DroidBot is a sophisticated Android Remote Access Trojan (RAT) targeting financial institutions and individuals across Europe. This spyware is believed to have been developed by a Turkish-speaking group and leverages advanced techniques to steal sensitive information and control infected devices.

Research revealed that DroidBot is designed to target a wide range of victims, including banking customers, cryptocurrency exchange users, and government employees. It employs various tactics to compromise devices, such as disguising itself “as generic security applications, Google services, or popular banking apps,” and exploiting the Android Accessibility Services for its malicious activities.

After infecting your device, DroidBot can intercept SMS messages, log keystrokes, and capture screenshots of the device’s screen. It can also remotely control the device, allowing attackers to make calls, send messages, and access sensitive data.

This spyware offers a combination of hidden VNC and overlay capabilities with spyware-like features. It includes a keylogger and monitoring routines, enabling user interception, making it a potent tool for surveillance and credential theft.

Additionally, DroidBot’s dual-channel communication mechanism allows for outbound data transmission using the MQTT protocol, which was also used by Copybara and BRATA/AmexTroll banking trojans, and inbound commands over HTTPS, enhancing its operational flexibility and resilience.

The most concerning aspect of DroidBot is that it operates on the MaaS model with 17 distinct affiliate groups identified each using a unique identifier. This allows cybercriminals to rent access to the malware, making it easier for them to launch attacks without requiring advanced technical expertise.

“At the time of analysis, 77 distinct targets have been identified, including banking institutions, cryptocurrency exchanges, and national organisations, underscoring its potential for widespread impact,” researchers noted in the blog post.

DroidBot is currently in active development, with some functions like root checks being placeholders and features varying between samples. Despite these inconsistencies, the malware has demonstrated potential, targeting users in the UK, Italy, France, Spain, Turkey, and Portugal, and a probable expansion into Latin American regions.

“Within the code, we can see that this information is customised for 4 main languages: **English**, **Italian**, **Spanish**, and **Turkish**,” Cleafy Labs revealed.

To protect yourself from DroidBot and similar threats, be cautious when downloading apps from unknown sources, keep your devices updated with the latest security patches and use reliable antivirus software.

1.  **First Mobile Crypto Drainer on Google Play Steals $70K**
2.  **Spyware Found in Google Play Store Apps, 2m Downloads**
3.  **Google Removes Swing VPN App Exposed as DDoS Botnet**
4.  **Malware infected Minecraft modpacks hit Google Play Store**
5.  **These 8 Apps on Play Store Contain Android/FakeApp Trojan**
6.  **35 malicious apps found on Google Play, installed by 2m users**

New DroidBot Android Spyware Targeting Banking and Crypto Users

The vulnerability was first identified in 2014.

****SUMMARY:****

*   **Critical Patch Alert:** Cisco ASA users must urgently address a 10-year-old WebVPN vulnerability (CVE-2014-2120) that attackers are now actively exploiting.

*   **XSS Risk Identified:** The flaw allows unauthenticated attackers to perform cross-site scripting (XSS) attacks via malicious links, potentially compromising sensitive data and injecting malware.

*   **Active Exploitation:** Recent reports highlight that malware like AndroxGh0st is leveraging CVE-2014-2120, prompting Cisco to update its advisory in November 2024.

*   **Government Action Required:** CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, mandating federal agencies to patch it by December 3, 2024.

*   **No Workaround Available:** Upgrading the Cisco ASA software to a patched version is the only solution—reach out to Cisco support or service providers to secure your network.

If you are using a Cisco Adaptive Security Appliance (ASA) for your network security, it is time to patch a critical vulnerability that’s been around, surprisingly, for ten years.

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA.

This vulnerability, tracked as CVE-2014-2120, is a medium-severity vulnerability caused due to insufficient input validation of a parameter, which could be exploited by convincing a user to access a malicious link. Clicking this link can force them into giving away sensitive information, hijacking browsing sessions, or even injecting malware. 

The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. 

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) identified this emerging pattern of new exploitation attempts. This coincides with a report from security firm CloudSEK, which revealed that malware called AndroxGh0st is using CVE-2014-2120 (among others) to spread.

It is worth noting that CISA added CVE-2014-2120 to its KEV (Known Exploited Vulnerabilities) catalogue on November 12, requiring government agencies to address it by December 3, 2024.

The re-exploitation of this flaw shows the need for timely software updates and security patches. Unfortunately, there’s no quick fix or workaround for this vulnerability. Your only protection is to upgrade your Cisco ASA software to a version that includes a patch. Don’t wait – contact your Cisco support channel and get the update process rolling. Upgrading is crucial to ensure your network remains secure. 

Customers with Cisco products that are provided or maintained through agreements with third-party support organizations like Cisco Partner/resellers/service providers should consult their service providers to identify the best workaround or fix for their networks before deployment.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed in on the situation stating, _“_These attacks highlight how technical debt and low cybersecurity maturity can compound risk. Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats._“_

_“_If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative, however, it demands investments that many organizations lack the resources to make,_”_ Jason explained.

1.  **Decade Old Software Bug Sets 3000 US Prisoners Free**
2.  **Goldoon Botnet Exploits 9-Year-Old Flaw on D-Link Devices**
3.  **7-Year-Old Pre-Installed Google Pixel App Flaw Risks Millions**
4.  **Intel Broker Cisco Breach: Selling Stolen Data from Major Firms**
5.  **Cisco Web UI Flaw Exploited Massly, Impacting Over 40K Devices  
    **

Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

Mikhail Pavlovich Matveev (aka Wazawaka) has been wanted by the FBI since 2023.

****SUMMARY****

*   **FBI-Wanted Hacker Arrested**: Russian authorities have reportedly detained Mikhail Pavlovich Matveev, known by aliases like Wazawaka and Boriselcin.

*   **Cybercrime Connections**: Matveev is linked to major ransomware groups such as Hive, LockBit, and Babuk, responsible for high-profile attacks on critical infrastructure and government agencies.

*   **Significant Ransom Demand**: The Department of Justice alleges Matveev extorted at least $75 million in ransom payments from global victims.

*   **Notable Attacks**: He is suspected of involvement in the 2021 Babuk attack on Washington D.C.’s police and a 2022 Hive attack on a New Jersey healthcare NGO.

*   **Potential Global Impact**: His arrest could disrupt several ransomware groups, but extradition to the U.S. remains uncertain due to geopolitical tensions.

Mikhail Pavlovich Matveev, known by his online aliases Wazawaka, Uhodiransomwar, m1x, and Boriselcin, is believed to have been arrested in Russia, which could be a potential turning point in the fight against cybercrime since the hacker is wanted by the FBI (Federal Bureau of Investigation).

Matveev is a big deal in the dark web underworld. He’s been linked to some of the most damaging ransomware attacks in recent years that have targeted critical infrastructure, government agencies, and businesses worldwide. His alleged involvement with groups like Hive, LockBit, and Babuk has made him a powerful cybersecurity threat worldwide.

Reports suggest that he was involved in a lockout attack on the Washington D.C. Metropolitan Police Department from Babuk in April 2021 and a ransomware attack from Hive, targeting a healthcare NGO in New Jersey in 2022.

It is worth noting that in early 2023, the Hive ransomware gang was disrupted by the FBI, Europol, German, and Dutch agencies, seizing their dark web website, The Hive Leak site, preventing the gang from attacking and extorting victims

Also, in 2022, LockBit infected the computer systems of 1,400 victims, including a Holiday Inn hotel in Turkey, likely involving Matveev. The Department of Justice (DoJ) suspects he extracted at least $75 million in ransom payments.

Investigators allege that in January, the accused developed specialized malicious software to encrypt files and data without user consent, intending to use it to encrypt data of commercial organizations and receive ransoms for decryption.

The US government has been on the hunt for Matveev, offering a $10 million reward for information leading to his arrest. The DoJ had previously filed criminal charges against him, accusing him of launching attacks on US law enforcement and healthcare organizations.

While Russian authorities have not officially confirmed the arrest, Russian state news agency PИA Hoвocти reported that the Kaliningrad Interior Ministry and Russian prosecutors have sent a case against “a programmer accused of creating a malicious program to court,” with an anonymous source confirming Matveev as the detained programmer. The charges against him include creating malicious software designed to encrypt files and data, with the intent of extorting ransom payments from victims.

The arrest of Matveev, if confirmed, could have significant implications. It could potentially disrupt the activities of several ransomware groups and deter future attacks. However, the question of whether the US will be able to extradite him remains uncertain, given the complex geopolitical tensions between the two countries.

1.  Russia ”neutralizes” REvil ransomware gang, arrests 14
2.  Infraud Organization Group Members Arrested by Russian
3.  50 hackers Who Stole $25M Arrested by Russian Authorities
4.  Russian Authorities Arrest Nine for Stealing $17M from Banks
5.  FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain

Tag

#botnet