Cyber Security Briefing, 15-21 July
Campaign targeting the financial sector in Latin America
IBM Security X-Force has detected an email phishing campaign that distributed the BlotchyQuasar malware from late April through May. The malware, developed by a group tracked as Hive0129, is designed to collect credentials from multiple banking websites and applications in Latin America.
BlotchyQuasar is a banking Trojan built on the QuasarRAT code base. It is under continuous development and includes functionality such as installing certificates and automatic proxy configuration (PAC) URLs, which can facilitate the impersonation of financial institutions. It also installs third-party tools such as PuTTY, RDP, Chrome/Opera Portable and AnyDesk, as well as other credential stealers.
The campaign sends victims an email impersonating a Latin American government agency, containing a link to a document and a PDF that starts the infection chain. Hive0129, tracked by X-Force since 2019, is believed to originate in South America and targets government and private entities in Colombia, Ecuador, Chile and Spain.
NoEscape: new ransomware threatening double extortion and data breaches
A new ransomware was recently spotted and is believed to be the successor to Avaddon, which shut down operations in 2021.
Known as NoEscape, this new ransomware began operating in June 2023, targeting businesses in double extortion attacks. The operators threaten to publish stolen data unless a ransom is paid, with demands ranging from hundreds of thousands of dollars to more than $10 million.
NoEscape steals corporate data before encrypting files and terminates processes associated with security software, backup applications, web servers and databases. It uses Salsa20 encryption and appends a unique 10-character extension to encrypted files. It also changes the desktop wallpaper and drops ransom notes with instructions for paying via its Tor website.
Its data leak site currently lists ten victims from different countries and industries, indicating that the group does not focus on a specific sector or region.
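A defender reading the description above (files renamed with one unfamiliar, fixed-length extension, plus a ransom note dropped alongside them) can turn it into a simple mass-encryption heuristic over a file listing. The script below is an added example written for this briefing, not code from the NoEscape analysis or from any vendor; the sample paths, the `xq7k2p9tzm` extension, the "10 lowercase alphanumerics" pattern and the thresholds are all constructed assumptions to be tuned per environment.

```python
"""
Heuristic for spotting a mass-encryption event of the kind described above:
many files under one tree suddenly share a single unfamiliar extension of a
fixed length (NoEscape appends a unique 10-character extension).
Added example; the file list, extension and thresholds are constructed.
"""
import os
import re
from collections import Counter

# Extensions commonly seen on a file share; anything else counts as "unfamiliar".
KNOWN_EXTENSIONS = {
    "txt", "docx", "xlsx", "pptx", "pdf", "jpg", "png", "csv", "log", "json",
    "zip", "exe", "dll", "ini", "xml", "html", "py", "bak",
}

# Assumed shape of a NoEscape-style extension: exactly 10 lowercase letters/digits.
EXT_PATTERN = re.compile(r"^[a-z0-9]{10}$")


def walk_filenames(root):
    """Yield every file path under root (for running against a real tree)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def suspicious_extensions(paths, min_files=20, min_share=0.5):
    """
    Return (extension, count) pairs for unfamiliar, pattern-matching extensions
    that cover at least `min_files` files and `min_share` of all files seen.
    Both thresholds are assumptions; raise them on large, noisy shares.
    """
    counts = Counter()
    total = 0
    for path in paths:
        total += 1
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext and ext not in KNOWN_EXTENSIONS and EXT_PATTERN.match(ext):
            counts[ext] += 1
    return [
        (ext, n) for ext, n in counts.most_common()
        if n >= min_files and n / total >= min_share
    ]


# Constructed sample: 30 files already renamed by an encryptor plus a few untouched
# files and a ransom note. Real runs would use walk_filenames("/srv/share").
SAMPLE_PATHS = [f"/srv/share/docs/report_{i}.docx.xq7k2p9tzm" for i in range(30)] + [
    "/srv/share/docs/readme.txt",
    "/srv/share/docs/budget.xlsx",
    "/srv/share/docs/HOW_TO_RECOVER_FILES.txt",
]

if __name__ == "__main__":
    for ext, n in suspicious_extensions(SAMPLE_PATHS):
        print(f"possible mass encryption: {n} files carry unfamiliar extension .{ext}")
```

Run on the constructed sample, it reports the single extension shared by 30 of 33 files; a clean listing, or a handful of oddly named files below `min_files`, produces no hit. Pairing this with a check for a newly created note file in the same directories reduces false positives from legitimate bulk renames.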
BundleBot stealer analysis
Researchers at Check Point Research have published a paper analysing a new stealer/bot that abuses the dotnet single-file bundle format.
Dubbed BundleBot, it stands out for a more sophisticated infection chain that leverages Facebook ads and compromised accounts to redirect victims to websites spoofing software, AI tools and games, including Google AI, PDF Reader, Canva and Super Mario 3D World.
Once the victim visits the site and downloads the illegitimate program, the first stage of infection begins: a RAR file containing the dotnet bundle. In the second stage, a password-protected ZIP is downloaded, extracted and executed by BundleBot, which again uses the dotnet bundle. As a stealer, it exfiltrates information to its C2, including host data (user name, operating system version, IP address), browser data (cookies, credentials, credit card details), Facebook account information and screenshots.
Because of its use of the dotnet single-file bundle, its multi-stage infection and its obfuscation, BundleBot is difficult to detect.
Oracle Security Bulletin
Oracle has released security patches to fix flaws affecting more than 130 products used across various industries. A total of 508 new security patches were released in the July update, 76 of which are rated critical. Among the patched products are Oracle Financial Services Applications, with a total of 147 vulnerabilities, of which 115 could be exploited remotely.
Oracle Communications accounts for 77 security flaws, 57 of which could also be exploited remotely by malicious actors, and Oracle Fusion Middleware shows similar figures, with 60 security updates, 40 of them for flaws identified as remotely exploitable.
MySQL is also among the most affected products, with a total of 21 vulnerabilities. Oracle recommends that users update to the latest version to avoid possible exploitation by malicious actors.
Photo: rawpixel.com / Freepik.