
Cybersecurity news weekly roundup August 5, 2024

SAN MATEO, CA, August 5, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Sponsored by NetworkTigers.

US election integrity safe from DDoS attacks

DDoS attacks may “hinder public access to information but will have no impact on the integrity or security of the 2024 U.S. general election processes,” CISA and the FBI say in a joint statement. The assurance counters threat actors’ claims to have compromised voting systems with this type of attack; there is no evidence that a DDoS attack has ever affected election results or the ability to cast ballots. “These low-level attacks, which are expected to continue as we approach the 2024 U.S. general election, could disrupt the availability of some election-related functions, like voter look-up tools or unofficial election night reporting, during the election cycle but will not impact voting itself,” the agencies said. Voters are encouraged to report any suspicious messaging or activity related to voting to a local FBI field office or online. Read more.

SMS Stealer targeted more than 600 global brands

A threat called SMS Stealer has targeted more than 600 brands around the world, according to findings from Zimperium’s zLabs team. “SMS Stealer uses fake ads and Telegram bots to gain access to victims’ SMS messages.” Once installed on a device, “the malware connects to one of its 13 command-and-control (C2) servers to transmit stolen SMS messages, including one-time passwords (OTPs).” More than 2,600 Telegram bots are also linked to the SMS Stealer campaign, acting as a distribution platform. According to Jason Soroko, senior vice president of product at Sectigo, while SMS redirect scams aren’t new, “the ability of SMS Stealer to intercept OTPs, facilitate credential theft and enable further malware infiltration poses severe risks.” Read more.

Fake Facebook ad campaign steals credit card data

A fraudulent e-commerce network of hundreds of websites targets Facebook users with malvertising and brand impersonation scams to steal credit card information. The campaign was discovered by Recorded Future’s Payment Fraud Intelligence team and uses ads promising discounts to trick users into visiting malicious sites. The campaign only targets mobile users, which Recorded Future says is “a tactic aimed at evading automated detection systems.” The scheme mostly impersonates major online e-commerce sites and a power tool manufacturer. It also uses fake user comments to give its content a look of authenticity. “Merchant accounts and related domains linked to the scam websites are registered in China, indicating that the threat actors operating this campaign likely established the business they use to manage the scam merchant accounts in China,” Recorded Future said. Read more.

BingoMod Android malware drains bank accounts and wipes devices

A new Android malware called BingoMod can wipe infected devices after draining the associated bank accounts, according to research from Cleafy. Cleafy reports that “BingoMod is distributed in smishing (SMS phishing) campaigns and uses various names that typically indicate a mobile security tool (e.g., APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo).” BingoMod requests permission to use Accessibility Services upon installation, which gives the malware deep control of the device: an app granted that permission can read the screen and inject taps on the user’s behalf, so it should only ever be granted to software the user has a specific reason to trust. BingoMod appears to be in the early stages of development, with its creator likely adding more evasion techniques to its toolkit. It is believed to be the work of a programmer from Romania. Read more.

Bumble and Hinge’s flaws allow stalkers to locate their victims

Security researchers have discovered significant vulnerabilities in several dating apps, including Bumble, Grindr, and Hinge, that allowed stalkers to pinpoint users’ locations to within two meters. The flaw was exploited through a technique the researchers call oracle trilateration, a novel method in which the attacker first “roughly estimates the victim’s location… then, the attacker moves in increments ‘until the oracle indicates that the victim is no longer within proximity, and [repeats] this for three different directions. The attacker now has three positions with a known exact distance, i.e., the preselected proximity distance, and can trilaterate the victim.’” The oracle here is nothing more than the app’s distance filter answering yes or no to “is this user within X km of me?”, so no coordinates are ever exposed directly. The researchers shared their findings with the developers of the affected apps, who modified their distance filters to make them less precise. Read more.
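The attack described above, as an added example that is not part of the original article or the researchers’ code: a simulated proximity oracle (does the app say the victim is within the preselected distance of the querying position?), a walk-and-bisect search for a boundary point in each of three directions, and the trilateration that recovers the victim from three points known to sit at the filter distance. Also shown is one mitigation, snapping the victim’s location to a coarse grid before the oracle answers; that is an assumption made here to illustrate why the vendors’ fix was to make the distance filter less precise, not a description of what the apps actually changed. The 1 km filter, the coordinates and the grid size are constructed values.

```python
import math

# Constructed scenario, not data from the research: positions are metres on a
# flat local plane, which is accurate enough for distances of a few kilometres.
PROXIMITY_M = 1000.0   # the app's fixed "within 1 km" filter (assumed value)


def make_oracle(victim, snap_m=None):
    """Build a proximity oracle of the kind the apps exposed.

    The oracle answers only one question: is the victim within PROXIMITY_M of
    the querying position?  With snap_m set, the server first snaps the
    victim's location to a grid of that size (an assumed mitigation, used here
    to show the effect of a coarser filter).
    """
    vx, vy = victim
    if snap_m:
        vx = (math.floor(vx / snap_m) + 0.5) * snap_m
        vy = (math.floor(vy / snap_m) + 0.5) * snap_m

    def oracle(pos):
        return math.hypot(pos[0] - vx, pos[1] - vy) <= PROXIMITY_M

    return oracle


def boundary_point(oracle, start, angle, coarse_m=50.0, tol_m=0.1):
    """Move from `start` (which must be in range) along `angle` until the
    oracle flips, then bisect between the last in-range and first out-of-range
    step so the returned point lies within tol_m of the proximity boundary."""
    if not oracle(start):
        raise ValueError("the rough estimate must be inside the proximity filter")
    ux, uy = math.cos(angle), math.sin(angle)
    at = lambda t: (start[0] + t * ux, start[1] + t * uy)
    lo, hi = 0.0, coarse_m            # invariant: oracle(at(lo)) is True
    while oracle(at(hi)):             # coarse walk outward
        lo, hi = hi, hi + coarse_m
    while hi - lo > tol_m:            # oracle(at(hi)) is now False: bisect
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if oracle(at(mid)) else (lo, mid)
    return at(lo)


def trilaterate(p1, p2, p3):
    """Intersect three circles of equal radius centred on p1, p2, p3.

    Subtracting the circle equations pairwise cancels the quadratic terms and
    the common radius, leaving a 2x2 linear system solved by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a1, b1, c1 = 2 * (x2 - x1), 2 * (y2 - y1), x2**2 - x1**2 + y2**2 - y1**2
    a2, b2, c2 = 2 * (x3 - x1), 2 * (y3 - y1), x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("boundary points are collinear; choose other directions")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate(oracle, rough_estimate):
    """Oracle trilateration: one boundary point in each of three directions
    120 degrees apart, then the circle intersection."""
    points = [boundary_point(oracle, rough_estimate, a)
              for a in (0.0, 2 * math.pi / 3, 4 * math.pi / 3)]
    return trilaterate(*points)


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


if __name__ == "__main__":
    victim, guess = (412.0, -237.0), (300.0, -100.0)   # constructed positions
    found = locate(make_oracle(victim), guess)
    print("exact filter:   error %.2f m" % distance(found, victim))
    found = locate(make_oracle(victim, snap_m=1000.0), guess)
    print("snapped filter: error %.2f m" % distance(found, victim))
```

With the exact filter the attacker recovers the victim to well under a metre using roughly thirty oracle queries per direction, which is why the precision of the filter, not the absence of coordinates in the API, is what decides exposure. With the snapped oracle the same procedure converges on the centre of the 1 km grid cell instead, hundreds of metres from the real position; rounding the reported distance into coarse buckets is the other usual way of blunting the oracle.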

Blood donation center shortage due to ransomware attack

OneBlood, a US-based blood donation center, has “asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being,” according to Susan Forbes, Senior Vice President of Corporate Communications and Public Relations. The call is in response to a recent ransomware attack against the organization that reduced OneBlood’s ability to collect, test, and distribute blood to hospitals in the Southeastern US. Forbes says that OneBlood is “working diligently to restore full functionality to our systems as expeditiously as possible.” They are also working with law enforcement and cybersecurity specialists to determine the nature and scope of the attack. The incident is an example of the disruption and potentially dire consequences that cyberattacks aimed at the healthcare sector can cause. Read more.

Ransomware gangs exploit VMware ESXi authentication bypass

Microsoft has warned that ransomware gangs are exploiting a VMware ESXi authentication bypass vulnerability (CVE-2024-37085) to gain full administrative access to ESXi hypervisors. The flaw, fixed in ESXi 8.0 U3, stems from domain-joined ESXi hosts granting full administrative rights by default to members of an Active Directory group named ‘ESX Admins’, without checking that such a group exists; an attacker with sufficient Active Directory privileges can simply create a group with that name, or rename an existing one, and add users to it. Exploitation requires high privileges and user interaction, but Microsoft says that a number of groups “exploit it to escalate to full admin privileges on domain-joined hypervisors.” Ransomware operators tracked as Storm-0506 and Storm-1175 have used the vulnerability to deploy ransomware such as Black Basta and Akira. The trend of targeting victims’ ESXi hypervisors shows no sign of slowing, as organizations often use them to host critical applications and store valuable data, and encrypting the hypervisor takes every guest VM down at once. Read more.
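One detection a defender can run against Windows Security event logs for the technique Microsoft describes, added here as an example rather than Microsoft’s or VMware’s own hunting query: it flags creation of a group named ‘ESX Admins’, additions of members to it, and renames of an existing group to that name. The event records, user names and domain are constructed; the field names follow the Windows Security events 4727, 4728 and 4737.

```python
import json

# Windows Security event IDs for security-enabled global groups.
GROUP_CREATED = 4727   # A security-enabled global group was created
MEMBER_ADDED = 4728    # A member was added to a security-enabled global group
GROUP_CHANGED = 4737   # A security-enabled global group was changed (includes renames)

WATCH_GROUP = "esx admins"   # ESXi matches the group name case-insensitively, so do we


def esx_admins_alerts(events):
    """Return (EventID, message) for every event that creates a group named
    'ESX Admins', adds a member to it, or renames another group to that name.

    Each event is a dict of the event's named fields: TargetUserName is the
    group for 4727/4728/4737, MemberName the added member's DN for 4728, and
    SamAccountName the new SAM account name for 4737 ("-" when unchanged).
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        new_name = ev.get("SamAccountName", "-")
        actor = ev.get("SubjectUserName", "<unknown>")
        if eid == GROUP_CREATED and group.lower() == WATCH_GROUP:
            alerts.append((eid, f"{actor} created group '{group}'"))
        elif eid == MEMBER_ADDED and group.lower() == WATCH_GROUP:
            alerts.append((eid, f"{actor} added {ev.get('MemberName', '?')} to '{group}'"))
        elif eid == GROUP_CHANGED and new_name.lower() == WATCH_GROUP:
            alerts.append((eid, f"{actor} renamed group '{group}' to '{new_name}'"))
    return alerts


def alerts_from_jsonl(text):
    """Parse a JSON-lines export (one event object per line) and run the check."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return esx_admins_alerts(events)


# Constructed sample export: three benign events and three that match the technique.
SAMPLE_JSONL = """\
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Readers"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Readers", "MemberName": "CN=a.lee,OU=Staff,DC=corp,DC=example"}
{"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"}
{"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk", "SamAccountName": "-"}
{"EventID": 4737, "SubjectUserName": "m.ops", "TargetUserName": "Legacy-VM-Ops", "SamAccountName": "esx admins"}
"""

if __name__ == "__main__":
    for eid, msg in alerts_from_jsonl(SAMPLE_JSONL):
        print(eid, msg)
```

Any hit is worth treating as a priority incident, since a legitimate ‘ESX Admins’ group is rare outside deliberately configured environments. On hosts that cannot be patched immediately, the ESXi advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd (set to false) and Config.HostAgent.plugins.hostsvc.esxAdminsGroup (changed to a name that actually exists and is controlled) remove the default behaviour the attackers rely on; the detection above still catches attempts even after the setting is changed.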

Mandrake Android spyware hidden in Google Play apps since 2022

Research from Kaspersky shows that a version of the Android Mandrake spyware has been found in five apps downloaded 32,000 times from the Google Play store. The new version of Mandrake has features that allow for better obfuscation and evasion, and the apps it was hidden in were uploaded to Google Play in 2022; all of them were available for download for at least a year. The most popular of them, a file-sharing app called AirFS, was available until the end of March 2024. The other apps carrying the malware were Astro Explorer, Amber, CryptoPulsing, and Brain Matrix. Once it takes hold, Mandrake can collect data, record the victim’s screen, simulate swipes and taps, install apps, and perform command injection. Android users should only install apps from reputable developers, and since these apps passed Google Play’s review, presence in the official store is not by itself a guarantee of safety: the permissions an app asks for, especially Accessibility and screen-capture access, deserve scrutiny regardless of where it came from. Read more.

FBCS breach now impacts 4.2 million people

The data breach at debt collection agency Financial Business and Consumer Solutions (FBCS) has expanded, now affecting 4.2 million individuals in the US. Initially reported in February 2024, the breach was believed to have affected 1.9 million people. However, the company increased that number to 3.2 million in May 2024 and added another one million to the total in a supplemental notice filed with the Office of the Maine Attorney General. Exposed data includes names, Social Security numbers, birth dates, account information, and driver’s license numbers. The nature of the incident has not yet been revealed. FBCS has advised impacted individuals to watch for phishing attempts and monitor their credit reports for fraudulent activities, offering free credit monitoring and identity restoration services through CyEx. Read more.

US crypto exchange Gemini breached

Gemini, a US-based cryptocurrency exchange, has reported that a supply chain breach at a banking partner exposed users’ banking and personal information. The breach, which took place between June 3 and June 7, 2024 and affected approximately 15,000 customers, is attributed to a threat actor gaining “access to an internal collaboration tool on the bank partner’s system.” Exposed information included customers’ names, bank account numbers, and routing numbers used for ACH transfers. Gemini assured that other personal details such as Social Security numbers, passwords, and email addresses were not compromised. The company is investigating with external experts and has advised affected individuals to monitor for fraudulent activity and take preventive measures such as enabling multi-factor authentication and asking their bank to change their account number. This follows a similar breach in 2022 involving another third-party vendor, in which the contact information of millions of customers was exposed. Read more.


Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
