By Deeba Ahmed
The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.…
This is a post from HackRead.com Read the original post: Authorities Take Down SMS-based FluBot Android Spyware

The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.

The European Cybercrime Center/EC3 of Europol and law enforcement agencies from eleven countries launched a joint operation to take down FluBot spyware. The investigation involved Australia, Finland, Belgium, Spain, Ireland, Hungary, Sweden, the Netherlands, Switzerland, and the USA law enforcement authorities while EC3 coordinated the operation.

Ireland’s Garda National Cyber Crime Bureau (GNCCB) was part of the investigation team. GNCCB Detective Superintendent Pat Ryan stated that “the investigation is ongoing to identify the individuals behind this global malware campaign.”

**Details of the Operation**

In a blog post, Europol explained that the FluBot Android malware was distributed through SMS and was capable of stealing online banking credentials, passwords, and other sensitive data. Hence, an extensive investigation was launched since FluBot spyware targeted Android smartphones across Australia, Europe, and other parts of the world.

Authorities noted that its distribution scope was widening quickly. Now the spyware is under the control of Dutch Police/Politie, which carried out the operation in May, rendering the malware strain inactive.

A Flubot alert received by one of the victims as a text message

**About FluBot**

FluBot malware is distributed as an application, making it difficult to detect it. The malware gets installed on the Android smartphone through text messages. The user is asked to click on a link and install an app for tracking a package delivery or access a fake voice mail message.

After the app is installed, it asks for accessibility permissions. The malware operators use the access to steal sensitive data from the smartphone, including banking app login details and cryptocurrency wallet credentials. It can also effectively disable the mobile phone’s built-in security mechanisms.

Furthermore, it doesn’t open when the user taps on the app icon, and an error message appears when the user tries to uninstall it. The notorious malware was detected in 2021 when it infected many devices in Spain and Finland.

According to Interpol, FluBot was excessively virulent. It could be multiplicated automatically by forwarding the SMS message to the infected smartphone’s contact list. To avoid infection, smartphone users should immediately reset their phones on factory settings if they believe a malicious app was downloaded on the device.

1.  Microsoft takes down largest botnet network “Necurs”
2.  World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
3.  Authorities take down scam campaign impersonating the WHO
4.  Dutch Police takes down 15 DDoS-for-hire services in one week
5.  Europol takes down VPN service VPNLab used by ransomware operators

Authorities Take Down SMS-based FluBot Android Spyware

The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

Deja-Vu data from this year's DBIR report feels like  we are stuck in the movie 'Groundhog Day.'

Deja-Vu data from this year’s DBIR report feels like we are stuck in the movie ‘Groundhog Day.’

Ransomware and social engineering continue to dominate challenges facing cybersecurity professionals, according to Verizon’s 15th annual Data Breach Investigations Report (DBIR).

In general, the results of DBIR merely confirm well-established trends, such as the growing threats of ransomware – up 13% this year – and the inescapability of the “human element”, which was tied to 82% of all breaches.

DBIR data is based on 23,896 reported security incidents, including 5,212 verified breaches.

**Ransomware is Still Rising**

The number of ransomware incidents increased this year by nearly 13%, which the analysts noted is “an increase as large as the last five years combined.” Ransomware now plays a role in one out of every four breaches.

Though the prevalence of ransomware has been rising, the nature of these attacks have remained surprisingly consistent. Verizon first wrote about ransomware in their 2013 report, where they explained how:

_When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s Remote Desktop Protocol (RDP) either via unpatched vulnerabilities or weak passwords._ – DBIR 2013.

Nine years later, the most common vector for ransomware attackers is still desktop sharing software – used in around 40% of attacks. The overwhelming majority of those instances involve stolen credentials.

“Had we known that what was true nine years ago would still be true today,” the researchers concluded, “we could have saved some time by just copying and pasting some text.”

**Hackers are Targeting Us**

There are all kinds of technical mechanisms by which attackers can obtain initial access into a target organization. But they usually don’t need to try all that. The much simpler solution, usually, is to just trick people.

According to Verizon, 82% of this year’s data breaches involved the “human element” – “the Use of stolen credentials, Phishing, Misuse, or simply an Error.”

Phishing, as expected, is still the hackers’ go-to. Well over 60% of this year’s breaches began that way. Phishers are still using all the same tricks, like pretexting – inventing a story to convince targets to divulge sensitive information – leading to business email compromise (27% of all attacks).

That doesn’t necessarily mean that targets are still so unaware, so naive as to click on any wayward link or smooth-talking email. “Only 2.9% of employees may actually click on phishing emails,” the researchers noted. It’s just that 2.9% is “more than enough for criminals to continue to use it” as a method for intrusion.

**It’s the Same Old Story**

Whenever human error arises in cybersecurity discourse, someone’s bound to mention training. But, as the authors of DBIR noted, “Most training takes twice as long to complete than was expected, with 10% taking three times as long.” Additionally, “while getting training is easy, proving it’s working is a bit harder.”

It may just be that the cyber threat landscape is in a holding pattern, as it has been for some time now. Every year, it seems, we’re facing the same kinds of attacks, and offering variations of the same solutions that haven’t entirely worked before. John Gunn, CEO of Token, summed it up best in an email to Threatpost:

“The most important research by and for the cybersecurity industry is out, and it feels like the movie Groundhog Day. We are waking up to the same results year after year since the first report in 2008,” Gunn wrote.

Old Hacks Die Hard: Ransomware, Social Engineering Top Verizon DBIR Threats – Again

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.

In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created and that it notified affected organizations.

"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "moderate confidence."

The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.

Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.

In a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.

Attack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 using malicious tools dubbed CreepyDrive and CreepyBox with its victims.

"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.

This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.

Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a "subordinate element" within MOIS.

The victim overlaps lend credence to earlier reports that MuddyWater is a "conglomerate" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).

To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Real Player 'external::Import()' Arbitrary file download, Directory Traversal Vulnerabilities leads to Remote Code Execution

video demo: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:

The 'external' object and it exposes several custom methods and properties.

The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait until reboot (true when file is planted in 'startup' folder).

The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share. The directory 'appdata' must be placed in the share´s root.

Also a DOS condition in 'external.PreloadURL()' helps so that the files are not deleted by Real Player

The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)

tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309

CVE-2022-32270: GitHub - Edubr2020/RP_Import_RCE

A pair of phishing campaigns against users of WhatsApp and Telegram's Telegraph expose them to extortion, credential harvesting, and even account takeover.

Within just a few days of each other, researchers sounded the alarm about phishing campaigns against two popular, global messaging platforms, Telegraph and WhatsApp.

Lat week, Rahul Sasi, founder and CEO of CloudSEK, posted a warning on LinkedIn that WhatsApp accounts were being targeted by phishing attacks trying to trick users into placing a call to the number "\*\*67\*< 10 digit number > or \*405\* <10 digit number >". Just a few minutes later, the device would log out of WhatsApp and the attacker would have full control of the account, Sasi added.

Turns out, dialing those digits forwards a victim's calls to a number controlled by the threat actors.

"Now in the backend, the attacker triggers the WhatsApp registration process for your number and chooses the option to send OTP via phone call," Sasi wrote. "Since your phone is engaged — the OTP will go to the attacker's phone, and it's game over for you."

**Telegraph Phishing Attacks**

Likewise, recent phishing attacks on users of Telegram's privacy-focused blogging platform, Telegraph, have spiked recently. Cyberattackers are looking to harvest Microsoft 365 credentials and run cryptocurrency scams, according to analysis from Inky.

Telegraph allows users to set up webpages without registration, and Telegram deletes sent messages after they are read, helping attackers to carry out their scams anonymously. As such, the researchers said Telegram is quickly replacing the underground web as the platform of choice for cybercriminals.

"Although many such sites are available, Telegraph is more attractive than most because of its unusually libertarian heritage; its founders openly propound a 'live and let die' philosophy, catnip to phishers," Inky researcher Roger Kay wrote about the Telegraph phishing scam findings.

Phishers Having a Field Day on WhatsApp, Telegraph

Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

COOKEVILLE, TENN. (PRWEB) JUNE 02, 2022

As cyberthreats continue to expand and progress worldwide, the need for qualified cybersecurity professionals is increasing with experts predicting there will be 3.5 million cybersecurity jobs open by 2025, a 350% increase over eight years. Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

The expansion will include: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom.

The countries were chosen because of an elevated cyberthreat risk, gap in the workforce and lack of diversity. One of the traditionally excluded populations Microsoft wants to provide opportunities for are women, who are significantly underrepresented. In the countries where Microsoft expanded its cybersecurity skilling campaign, only 17% of the cybersecurity workforce are female. Microsoft is working to understand the skills gap, offering free training, helping train more teachers, and providing more support to diverse and underserved job seekers, which is where WiCyS will help.

WiCyS is working to expand its student chapters in the 23 countries by promoting the retention and advancement of women in cybersecurity. WiCyS has over 5,700 members worldwide, including several in those countries Microsoft is trying to engage. WiCyS also has over 160 student chapters, largely in the U.S.

WiCyS student chapters receive funding, access to resources and conferences as well as networking opportunities for both students and faculty advisors. The group of women, men, allies, and advocates meets monthly to participate in CTFs, hackathons, engage in cyber trivia, and learn new technical skillsets. Other events include hosting resume workshops, mock interviews, career development panels, speed networking events and more.

“Thanks to this collaboration, WiCyS seeks to expand our global cyber sisterhood far and wide,” said Lynn Dohm, WiCyS executive director. “While WiCyS works to ensure equity in the gender imbalanced cybersecurity workforce, the student chapter initiative creates a community on campuses so that women are retained in their field of study, grow their network, and have a reliable gateway for future advancement opportunities.”

For more information on the Microsoft Philanthropies Global Student Chapter Initiative, visit http://www.wicys.org/initiatives/wicys-global-student-chapter-initiative-made-possible-by-microsoft-philanthropies/

**About WiCyS:**  
Women in CyberSecurity (WiCyS) is a nonprofit organization with international reach dedicated to the recruitment, retention and advancement of women in cybersecurity. Founded by Dr. Ambareen Siraj from Tennessee Tech University through a National Science Foundation grant in 2013, WiCyS offers opportunities, trainings, events, and resources for its members. Strategic partners include Tier 1: Amazon Web Services, Bloomberg, Carnegie Mellon University – Software Engineering Institute, Cisco, Fortinet, Google, Intel, Lockheed Martin, Meta, Microsoft, Optum, Sandia National Laboratories, SentinelOne. Tier 2: Abbvie, JPMorgan Chase & Co., Linkedin, McKesson, Navy Federal Credit Union, Nike, Wayfair, Workday. To partner, visit https://www.wicys.org/support/strategic-partnerships/.

Microsoft Philanthropies Collaborates With WiCyS to Help Close the Cybersecurity Skills Gap

Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.

Date

April 26, 2022

Percona XtraBackup for MySQL Databases enables MySQL backups without blocking user queries. Percona XtraBackup is ideal for companies with large data sets and mission-critical applications that cannot tolerate long periods of downtime. Offered free as an open source solution, Percona XtraBackup drives down backup costs while providing unique features for MySQL backups.

Percona XtraBackup 2.4 does not support making backups of databases created in _MySQL 8.0_, _Percona Server for MySQL 8.0_, or _Percona XtraDB Cluster 8.0_. Use Percona XtraBackup 8.0 to make backups for these versions.

*   Release Highlights
    
*   New Features
    
*   Bugs Fixed
    
*   Useful Links
    

**Release Highlights¶**

The xbcloud binary adds support for the Microsoft Azure Cloud Storage using the REST API.

**New Features¶**

*   PXB-1883: Implements support for Microsoft Azure Cloud Storage in the xbcloud binary. (Thanks to Ivan Groenewold for reporting this issue)
    

**Bugs Fixed¶**

*   PXB-2608: Upgraded the Vault API to V2 (Thanks to Benedito Marques Magalhaes for reporting this issue)
    
*   PXB-2649: Fix for compilation issues on GCC-10.
    
*   PXB-2648: CURL prior to 7.38.0 version doesn’t use CURLE\_HTTP2 and throws an error 'CURLE_HTTP2' is not a member of 'CURLcode'. Added CURLE\_OBSOLETE16 as a connectivity error code. In CURL versions after 7.38.0, CURLE\_OBSOLETE16 is translated to CURLE\_HTTP2.
    
*   PXB-2711: Fix for libgcrypt initialization warnings in xtrabackup.
    
*   PXB-2722: Fix for when via command line, a password, passed using the -p option, was written into the backup tool\_command in xtrabackup\_info.
    

**Useful Links¶**

*   The Percona XtraBackup installation instructions
    
*   The Percona XtraBackup downloads
    
*   The Percona XtraBackup GitHub location
    
*   To contribute to the documentation, review the Documentation Contribution Guide

CVE-2022-26944: Percona XtraBackup 2.4.25 — Percona XtraBackup 2.4 Documentation

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

Tag

#microsoft