Daily Brief

Articles are listed below; the summary under each title is machine-generated.

2024-04-01 06:09:47 thehackernews MALWARE Vultur Banking Trojan Resurfaces with Enhanced Remote Control Features
The Vultur Android banking trojan has returned with new capabilities, including expanded remote-control functions and better evasion. Researchers at NCC Group's Fox-IT report that Vultur now encrypts its command-and-control (C2) traffic and masquerades as legitimate apps to avoid detection. First documented in early 2021, Vultur abuses Android's accessibility services to carry out its fraud; historically it spread through dropper apps on Google Play, and it now also arrives via SMS and phone calls. The current campaign combines the Brunhilda dropper-as-a-service operation with telephone-oriented attack delivery (TOAD), in which the victim is lured by SMS into phoning a number and is then talked into installing an updated Vultur build disguised as the McAfee Security app. The infection unfolds in three payloads: the first obtains accessibility permissions, the second sets up remote access via AlphaVNC and ngrok, and the third executes commands from the C2 server for broad device control. New features let the operators perform clicks, scrolls and swipe gestures, manage files, prevent chosen apps from running, display custom notifications, and disable lock-screen security. Separately, the Octo (Coper) Android banking trojan has been turned into a malware-as-a-service offering with keylogging, message interception and remote device control, and has infected around 45,000 devices worldwide; malicious APKs posing as online services are also being distributed in India as part of a malware-as-a-service operation targeting banking and personal data.
2024-03-31 16:37:08 theregister MISCELLANEOUS Google Finds Rust Language Boosts Developer Productivity
Google reports significant productivity gains from Rust compared with C++ and Go, particularly when rewriting existing code. Lars Bergstrom of Google framed the move to Rust as a memory-safety decision, in line with recent government concern about memory-unsafe software in critical infrastructure. Despite scepticism about Rust's safety guarantees and practicality, the language is gaining traction because it removes most of the memory-related vulnerability classes that affect C and C++ code. Other large vendors, Microsoft among them, are likewise steering away from C++ and other non-memory-safe languages to improve software security. Critics such as C++ creator Bjarne Stroustrup argue that, with the right tooling, C++ can reach comparable memory safety at lower cost, and the Carnegie Mellon Software Engineering Institute has noted that memory safety is one factor among many in software security and that language choice should follow fitness for purpose. Internally, Google's developer surveys find Rust code easier to review and report high confidence in its correctness, giving the transition strong support from engineers.
2024-03-31 14:40:04 bleepingcomputer NATION STATE ACTIVITY DinodasRAT: Espionage Malware Infects Linux Servers Globally
DinodasRAT, a Linux backdoor aimed mainly at Red Hat-based and Ubuntu servers, has been used in an espionage campaign that may date back to 2022. ESET had previously documented its Windows variant in Operation Jacana, which targeted government bodies. Kaspersky's analysis shows that the Linux build creates a hidden file that serves as a mutex, establishes persistence, and encrypts its C2 traffic with the Tiny Encryption Algorithm (TEA) in CBC mode. Its functions cover monitoring, control and data exfiltration, giving the operators full control over a compromised server. The initial access vector is still unknown; Kaspersky has observed victims in China, Taiwan, Turkey and Uzbekistan since October 2023. Trend Micro attributes the malware to the China-linked APT group Earth Krahang, which has compromised both Windows and Linux systems at government targets worldwide.
2024-03-30 16:54:25 bleepingcomputer DATA BREACH AT&T Admits Data of 73 Million Customers Leaked Online
AT&T has acknowledged a data breach affecting about 73 million current and former customers, involving records from 2019 or earlier. The leaked data set contains names, addresses, phone numbers and, for many, Social Security numbers and dates of birth; it does not include financial information or call history. The ShinyHunters group first offered the data for sale in 2021, when AT&T denied it had been breached. Analysis of the leak and confirmation by customers have since established that the data is genuine: the records include email addresses unique to AT&T accounts. DirecTV referred questions to AT&T because the data predates its spin-off. AT&T has reset the account passcodes that were exposed and is contacting affected customers with guidance on protecting their information; customers can check whether their details are in the leak through the Have I Been Pwned service.
2024-03-30 15:57:57 bleepingcomputer MALWARE Advanced Vultur Banking Malware Mimics McAfee App on Android
A new version of the Vultur banking trojan targets Android devices while posing as the McAfee Security app. Fox-IT (part of NCC Group), which analysed the new variant, and ThreatFabric, which first documented Vultur in 2021, describe stronger evasion and remote-control capabilities. The campaign is hybrid: smishing texts and follow-up phone calls push victims into installing the malicious app. Once installed, a chain of payloads obtains control of Accessibility Services, enabling real-time monitoring of and interference with the device. This iteration encrypts its C2 traffic, delivers the malware in several layered payloads, and decrypts payloads in native code, which complicates detection and reverse engineering. The authors also added remote-control gestures and the ability to block apps for stealthier manipulation of the device. Advice for Android users is to install apps only from trusted sources such as Google Play and to scrutinise the permissions an app requests, accessibility access in particular.
2024-03-30 07:21:43 thehackernews MALWARE Malicious Ads Target macOS Users with Stealer Malware
Jamf Threat Labs has identified an ongoing campaign that uses malicious search ads and fake websites to deliver two kinds of stealer malware to macOS users. People searching for the Arc browser are served a bogus ad leading to a look-alike site that cannot be reached by typing its address directly, a trick that keeps the site away from scanners and researchers. The downloaded disk image prompts the user for the system password, which the malware then uses to steal sensitive data. The second stealer is served from meethub[.]gg, a fake site for free group-meeting scheduling software, and harvests credentials from keychains, browsers and cryptocurrency wallets; its operators approach targets in the cryptocurrency industry with job or podcast-interview offers and ask them to install an app for a video call. Related activity includes malicious DMG files carrying obfuscated AppleScript that fetches payloads from a Russian IP address and is built to sidestep Gatekeeper. MacPaw's Moonlock Lab separately warns of stealers using anti-virtualisation checks and self-destruct routines to evade analysis. Together the reports show that macOS users are an increasingly attractive target and that a password prompt from a freshly downloaded disk image deserves suspicion.
2024-03-30 05:24:11 thehackernews MALWARE Backdoor Discovered in XZ Utils Compromises Linux Systems
A backdoor has been found in the XZ Utils compression library, and it reached several major Linux distributions. Red Hat issued an urgent alert for the supply-chain compromise in XZ Utils 5.6.0 and 5.6.1, tracked as CVE-2024-3094 with a CVSS score of 10.0. The malicious code, injected into liblzma, hooks the library's functions and, where sshd loads liblzma indirectly through libsystemd, can interfere with SSH authentication and allow unauthorised remote access. Andres Freund, a Microsoft software engineer and PostgreSQL developer, noticed the problem while investigating sshd performance and traced the heavily obfuscated code. GitHub has disabled the XZ Utils repository after a series of suspicious commits from the maintainer account JiaT75. There is no evidence of active exploitation so far, but Fedora Linux 40 users are advised to downgrade XZ Utils. CISA's alert likewise recommends downgrading to an unaffected version; the compromised releases reached Fedora 40, Fedora 41 and Fedora Rawhide, while Red Hat Enterprise Linux (RHEL), Debian Stable, Amazon Linux, SUSE Linux Enterprise and openSUSE Leap are not affected.
2024-03-29 22:00:15 theregister CYBERCRIME Critical Backdoor Identified in Linux xz Compression Library
Red Hat has warned of a backdoor in the xz compression library that affects Fedora Linux and the Fedora Rawhide development distribution. The flaw, rated 10/10 in severity and assigned CVE-2024-3094, could allow unauthorised remote access. The malicious code is present in xz 5.6.0 and 5.6.1, which shipped in Fedora Linux 40 and may also affect Fedora Linux 41 and Fedora Rawhide; users are urged to stop using Fedora Rawhide instances until they have been reverted to xz 5.4.x. Red Hat confirms that Red Hat Enterprise Linux (RHEL) is not affected. The backdoor, which was carefully obfuscated, interferes with SSH authentication and could give an attacker remote access to a system. The history of the commits that introduced the code points to a sophisticated, possibly nation-state-affiliated, attacker. The US Cybersecurity and Infrastructure Security Agency (CISA) has been notified.
2024-03-29 21:49:52 theregister MALWARE Critical Privilege Escalation Exploit Hits Linux Kernels: Patch Urged
A public exploit for CVE-2024-1086, a double-free bug in the kernel's netfilter nf_tables subsystem, gives an unprivileged local user a root shell; the exploit covers kernels from 5.14 up to 6.6.14 and claims a 99.4% success rate on kernel 6.4.16. Major distributions including Debian, Ubuntu, Red Hat and Fedora shipped affected kernels. The bug was fixed at the end of January and updates have been rolling out since. Researcher Notselwyn published the exploit together with a new technique, dubbed Dirty Pagedirectory, that gains control over page-table entries and with them read/write access to the system's memory. The exploit needs unprivileged user namespaces, enabled by default on most distributions, to reach nf_tables. The chain triggers the double-free, recovers the kernel base address to defeat KASLR, and obtains read/write access to the modprobe_path variable, from which a root shell follows. Administrators should apply the latest kernel updates; where that is delayed, disabling unprivileged user namespaces removes the exploit's entry point, at the cost of breaking rootless containers and similar sandboxes that depend on them.
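The triage script below is an added example, not code from The Register's article or from the exploit author. It checks whether a host's kernel falls inside the window the public exploit targets and whether unprivileged user namespaces, which the exploit relies on, are enabled. The two sysctl knobs it reads (kernel.unprivileged_userns_clone on Debian/Ubuntu kernels, user.max_user_namespaces elsewhere) and the probe paths are assumptions, and the version window is a heuristic only, since distributions backport the fix without changing the upstream version number.

```shell
#!/bin/sh
# Added example, not from the article: screen a host for exposure to the public
# CVE-2024-1086 exploit. Two questions matter: is the running kernel inside the
# 5.14 .. 6.6.14 window the exploit targets, and can an unprivileged user create
# user namespaces (the exploit needs them to reach nf_tables)? The version
# window is triage only: distributions backport the fix without bumping the
# upstream version, so confirm against your distribution's advisory.

# Turn "major.minor[.patch][-anything]" into one integer for comparison.
ver_key() {
    v=${1%%-*}                      # drop "-generic", "-200.fc39.x86_64", ...
    maj=${v%%.*}
    case "$v" in *.*) rest=${v#*.} ;; *) rest=0 ;; esac
    min=${rest%%.*}
    case "$rest" in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
    pat=${pat%%[!0-9]*}             # "0rc1" -> "0"
    [ -n "$pat" ] || pat=0
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# 0 (true) when $1 lies within 5.14 .. 6.6.14 inclusive.
kernel_in_exploit_range() {
    k=$(ver_key "$1")
    if [ "$k" -ge "$(ver_key 5.14)" ] && [ "$k" -le "$(ver_key 6.6.14)" ]; then
        return 0
    fi
    return 1
}

# Prints "enabled", "disabled" or "unknown": can unprivileged users create
# user namespaces? Reads Debian/Ubuntu's kernel.unprivileged_userns_clone
# first, then the generic user.max_user_namespaces (0 forbids creation for
# everyone). Other policy layers (LSM rules, seccomp) may still block them.
userns_status() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]; then
            echo enabled
        else
            echo disabled
        fi
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        n=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
        if [ "${n:-0}" -gt 0 ]; then echo enabled; else echo disabled; fi
    else
        echo unknown
    fi
}

running=$(uname -r)
if kernel_in_exploit_range "$running"; then
    echo "kernel $running: inside the public exploit's target window (verify patch status)"
else
    echo "kernel $running: outside the public exploit's target window"
fi
echo "unprivileged user namespaces: $(userns_status)"
# To close the entry point until the kernel is patched (Debian/Ubuntu kernels):
#   sysctl -w kernel.unprivileged_userns_clone=0
# elsewhere:
#   sysctl -w user.max_user_namespaces=0
# Both break rootless containers and some browser sandboxes; test first.
```

Run it as any user; reading the sysctl files needs no privilege. A kernel inside the window whose distribution advisory says the fix is backported is not vulnerable, which is why the script only reports and never asserts exploitability.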
2024-03-29 20:28:28 bleepingcomputer MALWARE Malware Campaign Targets Millions of Gamers’ Accounts
An infostealer campaign has harvested millions of gaming-related account logins. The database was found by the developer of the Phantom Overlay cheat, who describes it as the largest campaign yet aimed at gamers and cheat users. Discord is the most affected domain, with 14 million entries. Some of the stolen credentials, including those from a gaming forum, have been confirmed valid and do not appear in other leaked databases, though how many of the records are valid or duplicated overall is still unknown. Activision Blizzard, stressing that its own servers were not breached, advises players to protect their accounts with two-factor authentication (2FA); security researchers likewise urge affected users to change their passwords and enable 2FA.
2024-03-29 17:55:38 bleepingcomputer MALWARE Backdoor Discovered in Popular Linux XZ Compression Tools
Red Hat has issued an urgent warning to stop using Fedora development builds because of a backdoor in XZ Utils, tracked as CVE-2024-3094. The compromised releases are XZ 5.6.0 and 5.6.1; Debian unstable received them, but no stable Debian release is affected. The malicious code can interfere with sshd authentication and potentially grant unauthorised remote access. Andres Freund discovered it while investigating an sshd performance anomaly and noted that the code's full purpose was not yet understood. Red Hat has reverted Fedora to the safe 5.4.x versions. CISA's advisory tells developers and users to downgrade to an uncompromised version of XZ Utils and to hunt for signs of compromise.
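Across the three XZ Utils entries above, the practical question for an administrator is whether a host carries one of the two backdoored releases and whether its sshd even loads liblzma. The script below is an added example, not from any of the articles or from the XZ project; the sshd binary paths it probes and the use of ldd for the dependency check are assumptions, and a matching version string is grounds for a closer look rather than proof of a backdoored binary, since some distributions shipped patched packages under the same version.

```shell
#!/bin/sh
# Added example, not from the articles: triage a host for the CVE-2024-3094
# xz/liblzma backdoor. Check (1): is the installed xz one of the two upstream
# releases that carried the malicious build script (5.6.0, 5.6.1)? Check (2):
# does the sshd binary pull in liblzma at all (on Debian- and Fedora-style
# builds it arrives via libsystemd), which is the path the backdoor hooked?

# Pull "5.6.1" out of `xz --version` output such as "xz (XZ Utils) 5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) *\([0-9][0-9.]*\).*/\1/p'
}

# 0 (true) when the version is one of the two released backdoored versions.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the liblzma/libsystemd lines from sshd's dependency list, or nothing
# when sshd or ldd cannot be found. Paths below are assumed install locations.
sshd_lzma_links() {
    bin=""
    for p in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
        [ -x "$p" ] && { bin=$p; break; }
    done
    [ -n "$bin" ] || return 0
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | grep -E 'liblzma|libsystemd' || true
}

# Triage report for the current host.
if command -v xz >/dev/null 2>&1; then
    v=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$v"; then
        echo "xz $v: one of the backdoored upstream releases; downgrade to 5.4.x or apply your distribution's fix"
    else
        echo "xz ${v:-unknown}: not one of the two known-bad upstream releases"
    fi
else
    echo "xz not installed"
fi
links=$(sshd_lzma_links)
if [ -n "$links" ]; then
    echo "sshd links the libraries the backdoor used:"
    echo "$links"
else
    echo "sshd does not link liblzma/libsystemd (or sshd/ldd not found)"
fi
```

A host that reports a known-bad version and an sshd linking liblzma is the combination the backdoor was built for; even then, whether the installed liblzma was built from the tampered tarball depends on how the package was produced, so follow the distribution's advisory for the definitive answer.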
2024-03-29 14:57:27 thehackernews CYBERCRIME Security Flaws in Hotel Locks Expose Millions to Potential Unauthorized Access
Researchers have disclosed vulnerabilities in Dormakaba's Saflok electronic RFID locks, installed in millions of hotel rooms worldwide. Affected models include the Saflok MT, Quantum, RT, Saffire and Confidant series which, combined with particular management-software versions, amount to more than three million locks across 13,000 properties in 131 countries. An attacker needs only to read any keycard from the property, even an expired one, to derive the data required to forge cards that open any door in the hotel. The researchers demonstrated the attack with a Proxmark3, a Flipper Zero and NFC-capable Android phones. Dormakaba has reportedly updated or replaced 36% of the affected locks since November 2023. Hotels can audit a lock's entry log with the HH6 device, but the researchers warn that some attacks leave traces attributed to the wrong keycard or staff member. No real-world exploitation has been confirmed, but the scale of the deployment makes the flaws a significant concern for the hospitality industry.
2024-03-29 12:19:15 thehackernews CYBERCRIME TheMoon Botnet Hijacks EoL Devices for Faceless Proxy Network
TheMoon, a botnet first seen in 2014, has resurfaced and is taking over end-of-life routers and IoT devices to feed a proxy service called Faceless. In early 2024 the botnet comprised more than 40,000 bots in 88 countries, selling anonymity to other threat actors at low cost; the proxies are used for password spraying, data exfiltration and hiding the origin of malware operators' traffic. Black Lotus Labs spotted the resurgence in late 2023, with attackers infecting unsupported devices with an updated version of the malware and enrolling them in Faceless. The malware spreads with a worm module, sets iptables rules to control inbound traffic, and tests internet connectivity against legitimate NTP servers to detect sandboxes. Infections are persistent, with 30% lasting more than 50 days, which reflects how entrenched the Faceless service has become among cybercriminals. The age and unpatched state of the targeted devices underline the need to replace unsupported routers and IoT products.
2024-03-29 11:23:14 thehackernews MISCELLANEOUS Embracing Automated Penetration Testing: The Cost-Effective Cyber Defense Era
This sponsored piece argues that automation and AI are making network penetration testing more accessible and affordable. Manual pen testing is expensive and often performed only annually to satisfy compliance, leaving weaknesses undetected in between, and the shortage of security professionals, which the National Institute of Standards and Technology (NIST) expects to remain severe into 2025, makes frequent manual testing impractical. Automated penetration testing, the article claims, delivers results comparable to manual testing at a fraction of the cost, so that regular assessments become financially viable and teams can find and fix vulnerabilities before attackers exploit them. The piece promotes vPenTest, the SaaS platform from Vonahi Security, as an on-demand network penetration testing service for service providers and IT teams.
2024-03-29 10:57:33 thehackernews CYBERCRIME Linux Command Vulnerability Risks User Password Theft and Clipboard Manipulation
CVE-2024-28085, dubbed WallEscape, is a flaw in the util-linux wall command that can leak user passwords and hijack clipboards. wall fails to neutralise escape sequences supplied in its command-line arguments, so an unprivileged user can broadcast arbitrary text, terminal-control sequences included, to other users' terminals. The attack works where wall is setgid tty and the target user's terminal accepts messages (mesg set to y), which is the default on Ubuntu 22.04 and Debian Bookworm. An attacker can use it to paint a fake sudo password prompt on a victim's terminal and capture what they type, or to manipulate the clipboard in terminals that honour the relevant escape sequences. The bug has existed since August 2013 and is fixed in util-linux 2.40; users should update. CentOS, RHEL and Fedora are not affected because wall does not carry the setgid bit on those distributions. The article also notes that CVE-2024-1086 in the kernel's netfilter subsystem, which can lead to denial of service or code execution, has been addressed, and closes with sponsor references to cloud security strategies, Atlassian Cloud backups and Censys Search.
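The script below is an added example, not the article's or util-linux's code. It checks the three conditions the summary lists (util-linux version, setgid wall, mesg status) and includes a small sanitiser that illustrates the escape-sequence neutralisation the 2.40 fix introduced; the sanitiser is a simplified stand-in rather than the project's implementation, and the `wall --version` output format it parses is assumed.

```shell
#!/bin/sh
# Added example, not from the article or the util-linux project: triage a host
# for CVE-2024-28085 (WallEscape) and show the kind of neutralisation the
# util-linux 2.40 fix applies. The bug is exploitable only when all three hold:
# util-linux older than 2.40, a setgid `wall` that may write to other users'
# terminals, and a victim terminal that accepts messages (`mesg y`).

# 0 (true) when dotted version $1 sorts before $2 (numeric, field by field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# 0 (true) when a util-linux version predates the fix in 2.40.
utillinux_vulnerable() {
    version_lt "$1" 2.40
}

# Extract "2.38.1" from `wall --version` output ("wall from util-linux 2.38.1").
parse_wall_version() {
    printf '%s\n' "$1" | sed -n '1s/.*util-linux \([0-9][0-9.]*\).*/\1/p'
}

# 0 (true) when the wall binary on PATH carries the setgid bit.
wall_is_setgid() {
    w=$(command -v wall 2>/dev/null) || return 1
    [ -g "$w" ]
}

# Whether the current terminal accepts wall messages: "y", "n" or "n/a".
mesg_status() {
    m=$(mesg 2>/dev/null | sed -n 's/^is \([yn]\).*/\1/p')
    echo "${m:-n/a}"
}

# The essence of the fix: strip CSI sequences (ESC [ ... letter), other
# two-byte escapes, and stray control characters before text reaches a
# terminal, so "\033[2J[sudo] password:" cannot clear the screen and paint a
# fake prompt. Tabs and newlines are kept.
sanitize_wall_msg() {
    esc=$(printf '\033')
    printf '%s' "$1" \
        | sed "s/${esc}\[[0-9;?]*[A-Za-z]//g; s/${esc}.//g" \
        | tr -d '\000-\010\013-\037\177'
}

ver=$(parse_wall_version "$(wall --version 2>/dev/null)")
if [ -n "$ver" ] && utillinux_vulnerable "$ver"; then
    echo "util-linux $ver: predates the 2.40 fix"
else
    echo "util-linux ${ver:-unknown}: fixed, or wall not found"
fi
if wall_is_setgid; then
    echo "wall is setgid: it can write to other users' terminals"
else
    echo "wall is not setgid (or not installed): injection has no reach"
fi
echo "this terminal accepts messages (mesg): $(mesg_status)"
# Interim mitigations until 2.40 lands: put `mesg n` in your shell profile,
# or drop the bit with `chmod g-s "$(command -v wall)"` so wall can only
# reach terminals you already own.
```

The sanitiser errs on the side of stripping: a lone ESC followed by any byte is dropped as a two-byte escape, which is the right trade-off for text that is about to be written to someone else's terminal.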