Cyber Security Briefing, 21 - 27 September
Necro infects 11 million Android devices via Google Play
Kaspersky researchers have published a report stating that the Necro malware has infected 11 million Android devices via two apps hosted on Google Play. The first, Benqu's Wuta Camera, a photo editing tool with more than 10 million downloads, carries the malware in versions 6.3.2.148 to 6.3.6.148; the second, WA message recover-wamr, with 1 million downloads, is infected up to and including its latest version, 1.2.0. Both legitimate applications were infected through an advertising SDK, and Google is investigating following Kaspersky's warning.
Necro itself is a loader that downloads malicious payloads hidden with steganography and can execute DEX files, install applications, access the victim's device, sign up for paid subscriptions, open links and execute JavaScript code.
Mozilla accused of activating a feature in Firefox without consent
The noyb group has filed a complaint against Mozilla with the Austrian data protection authority, alleging that the company tracks the online behavior of Firefox users without their consent using the Privacy-Preserving Attribution (PPA) feature. This feature, automatically enabled in browser version 128, was designed in collaboration with Meta and allows the effectiveness of ads to be measured without websites collecting personal data.
However, noyb claims that the tracking occurs within Firefox itself, which violates the EU's General Data Protection Regulation (GDPR). Mozilla, for its part, claims that this feature enhances user privacy by allowing ad performance to be measured without individual websites collecting personal data and assures that PPA does not share personal information or track users.
Although PPA can be disabled, the complaint arises because the feature was enabled by default without prior consultation with users.
SnipBot malware detected, a new version of RomCom
Researchers at Unit 42 have observed a new version of the RomCom malware family called SnipBot. It is a remote access trojan developed in C++ that gives the attacker the ability to execute commands and download various modules on the victim's system, among other functionalities. RomCom has been active since at least 2022 and has been used in ransomware attacks, as well as for extortion and targeted credential harvesting.
In the case of SnipBot, the infection chain consists of several stages: the initial payload is always an executable downloader, and the subsequent stages are EXE or DLL files intended to perform discovery tasks and to exfiltrate files and information from the victim's system. The downloader reportedly carries a valid, legitimate code signing certificate, while the subsequent modules are unsigned.
In addition, SnipBot uses custom obfuscation and anti-analysis techniques to make detection and analysis more difficult.
Critical TOCTOU vulnerability detected in NVIDIA products
Researchers at Wiz have detected a critical TOCTOU (time-of-check to time-of-use) vulnerability in NVIDIA Container Toolkit 1.16.1. The flaw, identified as CVE-2024-0132 and with a CVSSv3 score of 9, exposes cloud environments to information disclosure, denial of service, privilege escalation, code execution and data manipulation when the Container Toolkit is used with default settings.
A purpose-built container image could allow an attacker to escape the container and take control of the underlying host system. The researchers also noted that the vulnerability is especially dangerous in multi-user and orchestrated environments, where GPUs are shared between workloads and different services could be compromised.
✅ The vendor has indicated that users should upgrade to version 1.16.2 of the Container Toolkit and NVIDIA GPU Operator to mitigate the flaw and reduce the risk of exposure.
UNC1860 operates as an initial access facilitator for cyber operations in the Middle East
An investigation by Mandiant revealed that UNC1860, an APT group linked to Iran's Ministry of Intelligence and Security, may be operating as an initial access provider, facilitating intrusions into high-value networks in the Middle East, such as government and telecommunications networks. Since its emergence in 2022, UNC1860 has been linked to destructive attacks in Albania and Israel using ransomware and wipers.
The group employs specialized tools such as TEMPLEPLAY and VIROGREEN to maintain remote, persistent access to compromised networks, and it shares links with APT34, another Iranian group. Its attacks begin by exploiting vulnerabilities in servers and deploying malware such as STAYSHANTE and TEMPLEDOOR, followed by post-exploitation activities.
UNC1860 has a diverse arsenal of tools for lateral movement, intelligence gathering and defense evasion, making it a key asset to Iran's interests in the region.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.