SAN MATEO, CA, July 10, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Two malicious apps on Google Play Store found to be sending user data to China
- CISA and FBI warn of Netwrix Auditor RCE bug exploited in Truebot attacks
- New RedEnergy stealer-as-a-ransomware threat inflicts maximum damage on victims
- Bug in Cisco switches allows for the breaking of traffic encryption
- New Meduza Stealer aims to be comprehensive data collector
- New “Snappy” tool can detect data-stealing rogue wifi access points
- 330,000 FortiGate firewalls remain unpatched and vulnerable to critical flaw
- CISA warns of 8 flaws in Samsung and D-Link devices
- BlackCat ransomware gang engaging in malvertising campaign
Two malicious apps on Google Play Store found to be sending user data to China
Two Android apps in the Google Play Store are spyware, siphoning user data and sending it to multiple “malicious servers” in China. The apps, called “File Recovery and Data Recovery” and “File Manager,” have over 1 million and over 500,000 installs, respectively. Data stolen by the apps includes “contact lists, media files (images, audio files and videos), real-time location, mobile country code, network provider details, SIM provider network code, operating system version, device brand, and model.” Each app performs more than a hundred transmissions, an unusually large volume of data transfer for malicious apps of this nature. Read more.
CISA and FBI warn of Netwrix Auditor RCE bug exploited in Truebot attacks
Attacks targeting organizations in the United States and Canada exploit a bug that impacts Netwrix Auditor software. The vulnerability, tracked as CVE-2022-31199, has prompted a warning to users from CISA and the FBI. Networks compromised through this flaw are being targeted with a new version of TrueBot malware designed to steal sensitive information from them. Users of Netwrix’s IT system auditing products should apply current patches and update to version 10.5 to protect themselves from attacks. Read more.
New RedEnergy stealer-as-a-ransomware threat inflicts maximum damage on victims
RedEnergy is a new stealer-as-a-ransomware threat that has been observed targeting victims in the energy, telecom, oil, and gas industries in Brazil and the Philippines. According to researchers, RedEnergy “possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data while incorporating different modules for carrying out ransomware activities.” The goal, they note, is to inflict as much damage as possible. It uses reputable LinkedIn pages to direct victims to malicious landing pages that prompt them to update their browsers. Clicking the link then downloads a malicious executable. Read more.
Bug in Cisco switches allows for the breaking of traffic encryption
Cisco has warned customers regarding CVE-2023-20185, a high-severity vulnerability that allows threat actors to “tamper with encrypted traffic” and view its contents. The flaw impacts “Cisco Nexus 9332C, 9364C, and 9500 spine switches (the last ones equipped with a Cisco Nexus N9K-X9736C-FX Line Card) only if they are in ACI mode, are part of a Multi-Site topology, have the CloudSec encryption feature enabled, and are running firmware 14.0 and later releases.” Exploitation of the bug has not yet been observed in the wild and Cisco has yet to issue a patch for it. Those who use impacted products are urged to turn off the features that open them up to abuse and explore alternative solutions. Read more.
New Meduza Stealer aims to be comprehensive data collector
Security firm Uptycs has reported that a new Windows-based information stealer, Meduza Stealer, has been observed. According to security researchers, the stealer is in active development and has “comprehensive data theft” as its primary objective. The malware is designed to harvest browsing history, bookmarks, crypto wallet extensions, password manager info, and 2FA extensions. Meduza Stealer is being offered for sale on underground forums as a subscription-based service and the data it collects can be accessed via a user-friendly web portal. Read more.
New “Snappy” tool can detect data-stealing rogue wifi access points
Tom Neaves, a security researcher at Trustwave, has created a tool to detect fake or malicious data-stealing wifi access points that impersonate legitimate ones provided by coffee shops, malls, supermarkets, etc. The tool, “Snappy,” analyzes Beacon Management Frames to determine whether an access point is legitimate or a spoof. Unfortunately, the tool requires that the user have Python installed on their laptop or a trustworthy emulator on their Android or iOS device, which makes using it a bit of an obstacle for the masses. Researchers hope the tool will continue developing and be widely available in a more easily used form. Read more.
330,000 FortiGate firewalls remain unpatched and vulnerable to critical flaw
According to a report by cybersecurity firm Bishop Fox, 330,000 FortiGate firewalls remain unpatched and vulnerable to CVE-2023-27997, an actively exploited security flaw. Referred to as XORtigate, the flaw is a “critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.” With nearly 70% of all vulnerable FortiGate appliances still at risk, users are urged to update immediately. Read more.
CISA warns of 8 flaws in Samsung and D-Link devices
CISA has issued a statement describing eight new flaws the organization has added to its Known Exploited Vulnerabilities (KEV) catalog. The list “includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices.” While these bugs have had patches available to fix them since 2021, they have made the list due to being currently exploited in the wild. CISA did not elaborate on how these bugs are being abused. Based on the “nature of the targeting,” security experts believe that purveyors of commercial spyware are attacking the devices. Read more.
BlackCat ransomware gang engaging in malvertising campaign
The BlackCat ransomware gang has been discovered to be engaging in a malvertising campaign targeting people searching for WinSCP with fake ads that lead victims to malicious pages. The pages mimic the official WinSCP site, and those who fall for BlackCat’s scam download a file containing “setup.exe” and “msi.dll.” After the user executes setup.exe, “it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine.” Doing so also “installs a trojanized python310.dll and creates a persistence mechanism by making a run key named ‘Python’ and the value ‘C:\Users\Public\Music\python\pythonw.exe.’” Read more.
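A defender’s check for the persistence artifact described in the BlackCat item, added here as an example (not code from the report or from NetworkTigers): it scans a constructed list of Run-key entries, shaped like an autoruns export, and flags entries that execute from world-writable directories or launch a Python interpreter from outside a normal install path. The sample entries and the path prefix lists are assumptions.

```python
# Constructed sample of autorun (Run key) entries, in the shape a registry
# export or an autoruns CSV would yield: (hive\key, value name, command).
# The first entry mirrors the persistence described in the BlackCat report.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Python",
     r"C:\Users\Public\Music\python\pythonw.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Locations a legitimate autorun should almost never execute from (assumed list).
WORLD_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Interpreter binaries a dropped runtime typically abuses, and where real installs live.
INTERPRETERS = {"python.exe", "pythonw.exe"}
STANDARD_PYTHON_PATHS = ("c:\\program files\\python", "c:\\python",
                         "\\appdata\\local\\programs\\python\\")


def _executable_of(command: str) -> str:
    """Return the lowercase path of the program launched by a Run value."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, possibly with arguments
        return command[1:command.find('"', 1)].lower()
    return command.split(" ", 1)[0].lower()  # unquoted: first token is the program


def suspicious_run_entries(entries):
    """Return (value name, command, reasons) for Run entries worth triage."""
    findings = []
    for _key, name, command in entries:
        exe = _executable_of(command)
        base = exe.rsplit("\\", 1)[-1]
        reasons = []
        if exe.startswith(WORLD_WRITABLE_PREFIXES):
            reasons.append("runs from a world-writable directory")
        if base in INTERPRETERS and not any(p in exe for p in STANDARD_PYTHON_PATHS):
            reasons.append("Python interpreter outside a standard install path")
        if name == "Python" and base == "pythonw.exe":
            reasons.append("matches the run key reported in the BlackCat/WinSCP campaign")
        if reasons:
            findings.append((name, command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {command}\n  - " + "\n  - ".join(reasons))
```

On a live host the same function can be fed entries read with the standard `winreg` module from the HKCU and HKLM Run keys.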