Newsletter Issue 1
Xenomorph Banking Trojan Served Through GitHub
Researchers found a Xenomorph banking trojan loaded over a lifestyle app called ‘Todo: Day manager’ in the Google Play store with more than 1000 downloads. The Xenomorph banking malware is dropped from GitHub as a fake Google Service application upon installation of the app. It starts with asking users to enable access permission. Once provided, it adds itself as a device admin and prevents users from disabling Device Admin, making it uninstallable from the phone. Xenomorph creates an overlay of legit banking applications to trick users into entering their credentials.
As per reports, it is a trojan that steals credentials from banking applications on users’ devices. It can also intercept users’ SMS messages and notifications, enabling it to steal one-time passwords and multifactor authentication requests. When the app is opened, it reaches out to a Firebase server to get the stage/banking malware payload URL. It then downloads the malicious Xenomorph banking trojan samples from Github. This banking malware later reaches out to the command-and-control (C2) servers decoded via Telegram page content or a static code routine to request further commands, extending the infection. The parent malware downloader (Google Play Store) application gets its config from Firebase for its database.
Multiple High-Severity Flaws Found In OpenLiteSpeed Web Server Software
Researchers have found multiple high-severity flaws ( CVE-2022-0072, CVSS score: 5.8, CVE-2022-0073 and CVE-2022-0074 with CVSS scores: 8.8) in the open source OpenLiteSpeed Web Server as well as its enterprise variant that could be weaponized to achieve remote code execution. As per findings, By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution.
OpenLiteSpeed, the open-source edition of LiteSpeed Web Server, is the sixth most popular web server, accounting for 1.9 million unique servers worldwide.
The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8), which could be exploited to access forbidden files in the web root directory. The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that could be chained to achieve privileged code execution.
Venus Ransomware Targets Healthcare organizations
Security researchers warned that Venus ransomware is targeting healthcare organizations. As per reports, the operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model, and no associated data leak site (DLS) exists at this time.
The threat actors behind the Venus ransomware attacks are known for hacking into the victims’ publicly-exposed Remote Desktop services to encrypt Windows devices. Apart from terminating database services and Office apps, the ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention on compromised endpoints. Since August this year, the ransomware has begun operating & it seems very active.
New Extortion Scam Threatens To Damage Sites’ Reputation, Leak Data
An active extortion scam targets website owners and admins worldwide, claiming to have hacked their servers and demanding $2,500 not to leak data.
The attackers (self-dubbed Team Montesano) are sending emails with “Your website, databases, and emails have been hacked” subjects. The emails appear non-targeted, with ransom demand recipients from all verticals, including personal bloggers, government agencies, and large corporations.
The spam messages warn that the hackers will leak stolen data, damage their reputation, and get the site blacklisted for spam if the targets don’t pay $2,500. Even though these emails can be scary to those website owners who receive them, it is important to remember that they are just scams. They are being mass-emailed to many people and are just trying to scare people into making a payment. It is highly recommended to mark these emails as spam and delete them.
Black Basta ransomware hits Canadian food retail giant Sobeys
Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. Sobeys has only referred to the incident as a week of “IT system issues” and has yet to confirm it was because of a cyberattack. But photographs shared by Sobeys employees online show in-store computers displaying a Black Basta ransom note.
As per the Company, all the grocery stores remain open to serve customers and are not experiencing significant disruptions. However, some in-store services are functioning intermittently or with a delay. However, according to employee reports, all computers were locked out in affected Sobeys stores, with point-of-sale (POS) and payment processing systems still online and working since they’re set up to work on a separate network.