Cyber Security Briefing, 3 - 9 February
Greenbean: new banking trojan on Android
Cyble's team of researchers has discovered a new Android banking trojan called Greenbean that spreads via a phishing site promoting a cryptocurrency system. This malware has been designed to attack five banking and cryptocurrency-related apps.
The name of the app and the presence of Chinese and Vietnamese characters in the code indicate that the primary targets are Android users in those countries. Greenbean abuses the Android Accessibility service to harvest credentials from the targeted apps and also implements screen video streaming over WebRTC. The phishing site was still online at the time of writing, suggesting that the campaign remains active.
Critical flaw in Shim bootloader discovered affecting Linux
A Microsoft security researcher has disclosed a new critical flaw in the Shim Linux bootloader that allows attackers to execute code and take control of the system before the operating system loads.
The vulnerability has been classified as CVE-2023-40547 and resides in Shim's httpboot.c source code, which is used to boot a network image over HTTP. The flaw was first reported on January 24, but Eclypsium has expanded details with a new report published on February 2 to draw attention to this critical vulnerability.
Analysis of Black Hunt ransomware code published
Researchers at Rapid7 Labs have published an analysis of a variant of the Black Hunt ransomware, which has been active since at least 2022. The analyzed code shows significant similarities to LockBit, whose leaked source code may have been reused in Black Hunt; its techniques also resemble those of another ransomware family, REvil.
Among the features that set Black Hunt apart from other ransomware families is an initial check for the presence of a "Vaccine.txt" file: if the file is found, the malware terminates without encrypting anything. The ransomware also disables Windows security tools, deletes Volume Shadow Copies and, finally, appends the extension ".Hunt2" to encrypted files.
Researchers stress the importance of monitoring this threat, which recently carried out an attack against more than 300 companies in Paraguay.
Volt Typhoon threatens critical infrastructure
CISA, together with other U.S. federal agencies and the cybersecurity centers of Australia, Canada, the United Kingdom, and New Zealand, has issued a joint advisory detailing the activity of the Chinese state-sponsored APT Volt Typhoon, which is targeting critical infrastructure.
The advisory stresses that Volt Typhoon, also tracked as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite and Insidious Taurus, focuses on IT/OT (information technology/operational technology) networks. The group pre-positions itself in these environments, moves laterally and maintains stealthy persistence so that it can launch disruptive or destructive cyber-attacks against critical infrastructure in the event of a major geopolitical crisis or conflict.
The advisory also notes that Volt Typhoon is believed to have remained hidden in U.S. critical infrastructure for at least five years by relying on Living-off-the-Land (LotL) techniques, which allowed it to evade detection. It warns that obsolete software in IT/OT environments increases the risk, and that the threat extends beyond the U.S., with evidence of intrusions into infrastructure in Australia, the U.K., Canada, and New Zealand. The advisory closes with recommendations for detecting and mitigating this threat.
Security flaws in Ivanti
Active exploitation of the zero-day vulnerability CVE-2024-21893, affecting Ivanti Connect Secure and Ivanti Policy Secure devices, was recently reported. The Shadowserver research team identified around 170 IP addresses attempting to attack vulnerable Ivanti assets.
Although it was suspected that the PoC published by Rapid7 may have exacerbated the situation, attacks were already underway before its release. In light of this, CISA issued an alert recommending that out-of-date devices be disconnected, and Ivanti issued its own warning.
Ivanti then published a further security advisory about a vulnerability affecting Connect Secure, Policy Secure and ZTA gateways. The flaw, registered as CVE-2024-22024, is an XXE (XML External Entity) weakness in the SAML component of the gateways that allows unauthenticated remote attackers to access restricted resources on vulnerable devices.
In this new advisory Ivanti states that it has no evidence of any customers being affected, but recommends applying the fix immediately. It also indicates that customers who applied the patch released on January 31 or February 1 and performed a factory reset of their device do not need to repeat the reset for this vulnerability.