SAN MATEO, CA, October 2, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Major phishing campaign targeting Booking.com customers
- Hackers use zero-font phishing technique to trick Outlook into showing fake antivirus scans
- New ZenRAT malware posing as password manager to infect Windows users
- Threat actors encrypting servers via severe flaw in Openfire
- CISA publishes Hardware Bill of Materials Framework (HBOM) to tighten up Supply Chain Risk Management (SCRM)
- Updated Xenomorph banking trojan targets US financial institutions
- Atlassian products and ISC BIND server found to harbor high-severity security flaws
- Recently patched Apple and Chrome vulnerabilities exploited for spyware
Major phishing campaign targeting Booking.com customers
Researchers at Perception Point have discovered a phishing campaign aimed at customers of Booking.com. After gaining access to a hotel’s Booking.com account, the attackers extract information about the hotel’s guests and use it to craft fraudulent messages that “play on the fears and urgency of potential victims.” Guests are warned that their booking will be cancelled unless they re-enter their credit card details; the link provided leads to a page that mimics Booking.com but is built to steal payment information. Research indicates the campaign is being carried out at scale, “affecting hotels and resorts on a global scale.” Read more.
Hackers use zero-font phishing technique to trick Outlook into showing fake antivirus scans
Zero-font phishing pads an email with text set to a font size of zero: invisible to the recipient, but present in the HTML, and commonly used to confuse email scanners that look for suspicious content. Attackers are now combining that evasion with a second trick: the hidden text is chosen so that messages which slip through display wording that convinces the target the email has already been vetted. “The technique alters the text that typically would be shown in the listing pane of Outlook” to display “text indicating that the message had been scanned and secured by a threat protection service.” Because the listing-pane preview does not apply font sizing, zero-font text that is invisible once the email is opened still appears in the preview, letting criminals plant wording that appears to come from the platform itself. Read more.
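To make the mechanism concrete, the following added example (not from the original article or from any vendor) parses a constructed HTML message, separates the text a reader would see from text hidden behind a zero font-size inline style, and approximates the listing-pane preview a mail client builds from the message text without applying CSS. The sample email, the `example.invalid` link and the verdict keywords are all constructed for illustration.

```python
"""Detect zero-font text hidden in an HTML e-mail body.

Added example, not part of the original article. Only the CSS font-size
property in inline style attributes is inspected; the 'font' shorthand,
external stylesheets and 1px-high text are out of scope.
"""
import re
from html.parser import HTMLParser

# font-size: 0 | 0px | 0pt | 0em | 0rem | 0% | 0.0 ... , case-insensitive.
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0*\.?0+(?:px|pt|em|rem|%)?\s*(?:;|$|!important)", re.I
)

# Void elements never get an end tag, so they must not affect the nesting stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


class ZeroFontParser(HTMLParser):
    """Collect visible text, zero-font text, and all text in document order."""

    def __init__(self):
        super().__init__()
        self._stack = []       # one bool per open element: started a zero-font region?
        self._hidden_depth = 0 # >0 while inside at least one zero-font element
        self.visible = []
        self.hidden = []
        self.all_text = []     # what a text-only preview would see, in order

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        is_zero = bool(ZERO_FONT_RE.search(style))
        self._stack.append(is_zero)
        if is_zero:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        self.all_text.append(text)
        (self.hidden if self._hidden_depth else self.visible).append(text)


def split_visible_hidden(html: str) -> tuple[str, str]:
    """Return (text a reader sees when the mail is opened, zero-font text)."""
    p = ZeroFontParser()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


def preview_text(html: str, limit: int = 80) -> str:
    """Approximate a listing-pane preview: plain text in document order,
    zero-font text included, truncated the way a client would truncate it."""
    p = ZeroFontParser()
    p.feed(html)
    p.close()
    return " ".join(p.all_text)[:limit]


def looks_like_zero_font_phish(html: str) -> bool:
    """Flag a message whose *hidden* text pretends to be a security verdict.
    Keyword list is a constructed heuristic, not a vendor signature."""
    _, hidden = split_visible_hidden(html)
    return bool(hidden) and bool(
        re.search(r"scanned|secured|safe|threat protection|verified", hidden, re.I)
    )


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """<html><body>
<span style="font-size:0px;color:#ffffff">Scanned and secured by Advanced Threat Protection. No threats found.</span>
<p>Your account will be <b>suspended</b> within 24 hours.<br>
<a href="http://example.invalid/verify">Verify your account</a></p>
<span style="FONT-SIZE: 0">lorem ipsum filler</span>
</body></html>"""

if __name__ == "__main__":
    visible, hidden = split_visible_hidden(SAMPLE_EMAIL)
    print("preview :", preview_text(SAMPLE_EMAIL, 60))
    print("visible :", visible)
    print("hidden  :", hidden)
    print("suspect :", looks_like_zero_font_phish(SAMPLE_EMAIL))
```

Run on the sample, the preview begins with the fake "Scanned and secured" verdict while the rendered body shows only the suspension threat and the link, which is exactly the discrepancy the campaign relies on. In a mail gateway the useful signal is a non-empty `hidden` string, especially one that contains verdict-like wording.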
New ZenRAT malware posing as password manager to infect Windows users
Fraudulent installation packages purporting to be the Bitwarden password manager have been found to carry a new malware strain called ZenRAT, a “modular remote access trojan (RAT) with information-stealing capabilities.” According to findings by Proofpoint, ZenRAT “is specifically targeting Windows users and will redirect people using other hosts to a benign web page.” Once launched, ZenRAT collects information about its host system, including CPU name, GPU name, OS version, installed security software, and browser credentials, and sends the data to a command-and-control server operated by the attackers. The method by which victims are lured to the fake website is unknown, although phishing is suspected. Read more.
Threat actors encrypting servers via severe flaw in Openfire
Hackers are exploiting a high-severity flaw in Openfire messaging servers to encrypt targeted systems with ransomware and install cryptocurrency miners. CVE-2023-32315 is a high-severity authentication bypass “impacting Openfire’s administration console, allowing unauthenticated attackers to create new admin accounts on vulnerable servers.” All Openfire versions “from 3.10.0, dating to 2015, to up to 4.6.7 and from 4.7.0 to 4.7.4” are affected by the bug. Although the flaw has been patched, more than 3,000 Openfire servers are reported to still be running a vulnerable version. The ransomware deployed to compromised systems is of unknown origin and has so far demanded only small sums. Openfire is widely used, having been downloaded 9 million times. Read more.
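A defender's first job here is to find which servers in an inventory fall inside the affected ranges. The following added example (not from the article or from the Openfire project) parses version strings as integer tuples and compares them against the two ranges the article quotes, which avoids the common mistake of comparing versions as strings (where "4.10.0" sorts below "4.7.4"). The fixed releases named in the docstring (4.6.8, 4.7.5, 4.8.0) are from the upstream advisory; the inventory and hostnames are constructed, and the assumption that the admin console footer reads "Openfire, Version: X.Y.Z" is only there to show that prefixed strings are handled.

```python
"""Triage an Openfire inventory against CVE-2023-32315's affected ranges.

Added example, not part of the original article or of Openfire itself.
Affected ranges per the advisory: 3.10.0 through 4.6.7, and 4.7.0 through
4.7.4. Fixed in 4.6.8, 4.7.5 and 4.8.0.
"""
import re

# Inclusive (low, high) ranges as integer tuples so comparison is numeric.
VULNERABLE_RANGES = [
    ((3, 10, 0), (4, 6, 7)),
    ((4, 7, 0), (4, 7, 4)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the first major.minor[.patch] from strings such as '4.7.4',
    '4.7.4-beta' or 'Openfire, Version: 4.6.7' (the last form is assumed to
    be what the admin console footer shows). Missing patch level is 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose Openfire build needs upgrading.
    Unparseable version strings are reported as needing manual review."""
    needs_upgrade = []
    for host, version_text in inventory.items():
        try:
            if is_vulnerable(version_text):
                needs_upgrade.append(host)
        except ValueError:
            needs_upgrade.append(f"{host} (version unknown, review manually)")
    return sorted(needs_upgrade)


# Constructed inventory; these are not real hosts.
INVENTORY = {
    "xmpp-01.example.invalid": "Openfire, Version: 4.7.4",
    "xmpp-02.example.invalid": "4.7.5",
    "xmpp-03.example.invalid": "4.6.7",
    "xmpp-04.example.invalid": "4.8.0",
    "xmpp-05.example.invalid": "3.9.3",
    "xmpp-06.example.invalid": "4.10.0",
    "xmpp-07.example.invalid": "unknown",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("upgrade:", host)
```

Note that `4.10.0` is correctly reported as not affected even though a naive string comparison would place it between `4.7.0` and `4.7.4`; the same tuple approach works for any product whose advisory lists version ranges.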
CISA publishes Hardware Bill of Materials Framework (HBOM) to tighten up Supply Chain Risk Management (SCRM)
CISA has published a framework intended to improve the “accuracy of risk assessments related to hardware products in the supply chain.” Meant to build consistency around the “naming of component attributes, a format for identifying and providing information on those components, and guidelines on what HBOM information is required,” the HBOM is designed to ease communication about hardware components between vendors and purchasers by standardizing naming, offering guidance on which attributes to record, and allowing for more transparency. The framework is meant to make supply chain risks easier to identify and to deny attackers the cover provided by fragmented communication and inconsistent naming conventions. Read more.
Updated Xenomorph banking trojan targets US financial institutions
An Android banking trojan known as Xenomorph has targeted over 35 US-based financial institutions, according to findings by Dutch security firm ThreatFabric. The campaign, which uses an updated variant of the malware, relies on phishing web pages “to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors.” Xenomorph now features an Automatic Transfer System (ATS) that allows its operators to “seize control over the device by abusing Android’s accessibility privileges” and move funds from a compromised device directly into an account the threat actor controls. The malware also overlays fake login screens on top of targeted banking apps to steal credit card numbers and login credentials. Read more.
Atlassian products and ISC BIND server found to harbor high-severity security flaws
Four high-severity flaws disclosed by Atlassian could allow threat actors to achieve denial-of-service and remote code execution on systems that have not been updated. The bugs affect Jira Service Management Server and Data Center, Confluence Server and Data Center, Bitbucket Server and Data Center, and Bamboo Server and Data Center, and have been patched in current versions of these products. Separately, the Internet Systems Consortium (ISC) has issued fixes for two high-severity bugs “affecting the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could pave the way for a DoS condition.” Users of both vendors’ software are urged to update immediately to prevent exploitation. Read more.
Recently patched Apple and Chrome vulnerabilities exploited for spyware
Citizen Lab and Google’s Threat Analysis Group (TAG) report that the three zero-day vulnerabilities Apple recently patched were exploited in a campaign to install Cytrox’s Predator spyware on targeted devices. In one case, the attackers used “decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy after announcing plans to join the Egyptian presidential election in 2024.” A bug recently fixed in Google’s Chrome browser was also being abused to deliver the same spyware in Egypt. Read more.