WME Security Briefing 21 November 2024

WME Cybersecurity Briefings No. 035

New Android Malware ‘ToxicPanda’ Conducts Fraudulent Money Transfers

Overview

A new Android banking malware, dubbed ToxicPanda, has been discovered targeting 1,500+ Android devices. The malware is designed to assist with a type of fraud scheme known as on-device fraud (ODF), in which the malware hijacks user accounts to carry out banking transactions without needing an external command and control (C2) server to process them. Widely attributed to a Chinese-speaking threat actor, ToxicPanda is similar to the earlier TgToxic malware, which targeted financial accounts and crypto wallets.

Impact

ToxicPanda lets an attacker transfer money without the bank’s authentication. The malware was primarily found in Italy, Portugal, Hong Kong, Spain, and Peru. While it bears similarities to TgToxic, its behaviour is rather different: it lacks some typical higher-level features but introduces new commands to assist the data collection process.

The malware disguises itself as legitimate apps like Google Chrome and Visa, and is distributed via fake app store listings. It exploits Android’s accessibility services for elevated control over compromised devices, which allows it to intercept OTPs and evade two-factor authentication so that unauthorized transactions go through.

Recommendation

To avoid damage from ToxicPanda, do not download apps from unverified sources. Always be vigilant against potential smishing attempts or suspicious links. Admins, on the other hand, should reinforce Android security settings and update device security protocols regularly.

Synology Alerts Users to Critical Zero-Click RCE Flaw in NAS Devices

Overview

Synology, a leading network-attached storage (NAS) provider, has announced a critical vulnerability in its popular DiskStation and BeePhotos products.

The flaw, known as CVE-2024-10443 or “RISK:STATION,” was revealed by security researchers during Pwn2Own Ireland 2024. The vulnerability allows attackers to execute root-level commands remotely on Synology NAS devices. Because it is zero-click, it can be triggered without any user interaction. It therefore poses a huge threat to the security of millions of devices globally.

Impact

RISK:STATION is particularly harmful because it allows unprivileged attackers to remotely gain root privileges on DiskStation and BeeStation devices without user interaction. An attacker can use it to gain entry to the user database, run malicious code, and use the compromised NAS devices as a launch point for further exploitation.

According to Synology, this flaw affects the following versions:

  • BeePhotos for BeeStation OS 1.0: Users should upgrade to version 1.0.2-10026 or later.
  • BeePhotos for BeeStation OS 1.1: Users should upgrade to version 1.1.0-10053 or later.
  • Synology Photos 1.6 for DSM 7.2: Users should upgrade to version 1.6.2-0720 or later.
  • Synology Photos 1.7 for DSM 7.2: Users should upgrade to version 1.7.0-0795 or later.

About two million vulnerable Synology devices are connected to the Internet. So, this flaw poses a severe risk to the broader global security landscape.

Recommendation

Synology strongly advises all users to update their affected devices to the latest versions ASAP. Users should check their device’s firmware as well and update accordingly.

That said, admins should monitor Synology’s security advisories. NAS devices and services have been a popular target for ransomware, so timely patches are critical to avoid unauthorised access and protect confidential data.

Malware Campaign Leveraging Ethereum Smart Contracts to Control npm Typosquat Packages

Overview

A new malware campaign targets npm developers, introducing hundreds of typosquat packages into the npm registry. The packages appear to be legitimate libraries but contain embedded code that starts a cross-platform malware attack.

Independent cybersecurity reports indicate that this campaign relies on Ethereum smart contracts to distribute command-and-control (C2) server addresses, which makes it challenging to mitigate. This activity may have begun up to a week earlier than October 2024.

Impact

The malicious packages, totalling over 280, resembled popular libraries like Puppeteer, Bignum.js, and other cryptocurrency-related tools. When installed, these packages execute obfuscated JavaScript code that connects to a remote server. The code then installs a secondary binary that establishes persistence on the host system and exfiltrates sensitive machine data back to the attacker’s server.

What makes this campaign especially difficult to prevent is the use of Ethereum smart contracts to obtain server IP addresses via the ethers.js library. This decentralized approach allows attackers to update IP addresses in the smart contract, enabling the malware on infected machines to reconnect with a new server whenever its previous IPs are blacklisted.

The resilient, blockchain-based C2 infrastructure gives attackers a system that is more difficult for defenders to tackle.

Recommendation

It is recommended that developers and admins enforce strict security controls on package installations.

Examine Package Sources: Always inspect npm packages to verify that their names are legitimate, and check everything concerning the source. Do not install any package that shows signs of typosquatting (although such a package may not always be easy to spot) or that has unclear or suspicious requirements.

Network tracking: Monitor network connections for strange behavior, especially to IP addresses obtained through blockchain-based protocols, as they may be suspicious.

Use Package Scanners: Use tools like Checkmarx, Socket, or any other package security solutions to identify and prevent suspected npm packages before they are installed.
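The name check described under "Examine Package Sources" can be automated. The following is an added example, not code from the briefing or from any of the tools named above: it flags dependency names within a small edit distance of a well-known package and reports whether they declare npm install-time lifecycle scripts. The allow-list, the sample manifests, and the focus on install hooks are assumptions made for illustration.

```javascript
// Constructed allow-list of well-known names; extend it with your own dependencies.
const POPULAR = ["puppeteer", "bignum.js", "ethers", "express", "lodash"];
// npm lifecycle scripts that run automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance, computed one row at a time.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Lower-case and drop separators so "bignumjs" still compares to "bignum.js".
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// manifests: parsed package.json objects ({ name, scripts }) of installed dependencies.
function auditPackages(manifests, maxDistance = 2) {
  const findings = [];
  for (const m of manifests) {
    if (POPULAR.includes(m.name)) continue; // exact name: the real package
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    for (const known of POPULAR) {
      const distance = editDistance(normalize(m.name), normalize(known));
      if (distance <= maxDistance) {
        findings.push({ name: m.name, resembles: known, distance, installHooks: hooks });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifests, not real registry entries.
const SAMPLE = [
  { name: "puppeteer", scripts: { postinstall: "node install.mjs" } },
  { name: "pupeteer", scripts: { postinstall: "node setup.js" } },
  { name: "bignumjs", scripts: {} },
  { name: "left-pad" },
];
console.log(auditPackages(SAMPLE));
```

A lookalike name that also declares an install hook deserves manual review before it is installed; running `npm install --ignore-scripts` keeps such hooks from executing while you inspect the package.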

Critical Security Vulnerabilities in Ollama AI Framework Expose Users to DoS, Model Theft, and Poisoning

Overview

The Ollama AI framework is an open-source tool widely used to deploy large language models (LLMs) on local devices. Recent reports reveal several critical vulnerabilities in it. These security flaws could allow malicious actors to perform harmful actions such as DoS attacks, model theft, and model poisoning. The vulnerabilities highlight the need for urgent attention to securing Ollama deployments.

Impact

The identified vulnerabilities could let attackers manipulate Ollama through specific HTTP requests, which can then cause system crashes or compromise sensitive AI models.

Among the six vulnerabilities disclosed:

  1. File Existence Check – CVE-2024-39719 (CVSS 7.5): Attackers can probe for files on the server using the /api/create endpoint.
  2. Out-of-Bounds Read – CVE-2024-39720 (CVSS 8.2): Attackers can crash the app and cause a DoS condition.
  3. Resource Exhaustion – CVE-2024-39721 (CVSS 7.5): By repeatedly invoking the /api/create endpoint, attackers can deplete resources, causing a DoS.
  4. Path Traversal – CVE-2024-39722 (CVSS 7.5): This flaw lets attackers access server files/directories.
  5. Model Poisoning Vulnerability: Allows unauthorized sources to inject malicious data into models.
  6. Model Theft Vulnerability: Enables unauthorized model access and potential extraction.

The security research identified nearly 10,000 exposed instances of Ollama globally.

Recommendation

To protect against these vulnerabilities, Ollama users should immediately:

  • Update to the latest patched versions (starting from 0.1.47).
  • Limit endpoint exposure by configuring network filters through a proxy or web application firewall.

Admins need to review their current deployment settings and restrict HTTP endpoint exposure. Remember, open endpoints could allow easy access to exploit these vulnerabilities.

Google’s AI-Driven Discovery of Zero-Day Vulnerability in SQLite Database Engine

Overview

Google has reported a significant breakthrough in cybersecurity: its AI tool discovered a zero-day vulnerability in the SQLite database engine. The tool, called “Big Sleep,” is an AI-based framework designed to aid vulnerability detection, augmented by machine-learning-based techniques. Big Sleep’s AI capabilities allow it to simulate human-like reasoning in code analysis. It can navigate codebases and run tests in a controlled environment to detect vulnerabilities early.

It was previously known as Project Naptime. This is the first time that an AI agent has discovered a novel real-world vulnerability in commonly used software. The Big Sleep team stated, “This marks the first public case of an AI agent identifying an exploitable memory safety issue in widely used real-world software.”

Impact

The identified vulnerability is a stack buffer underflow in SQLite. It is triggered when the software references memory before the start of the allocated buffer. The flaw could crash the software or allow arbitrary code execution, in line with the Common Weakness Enumeration (CWE) description for such bugs.

Google explained that the issue occurs when pointer arithmetic positions a pointer or index before the start of the memory buffer, or when a negative index is used. Fortunately, this vulnerability was found in a development branch of SQLite. It was promptly fixed, so it never reached an official release.

Recommendation

Google’s team advises developers and admins using SQLite to update to the latest stable release to avoid potential security risks. Keeping up with patches means better security against this kind of vulnerability, particularly for popular systems like SQLite.

Incorporating advanced tools like Big Sleep can increase the effectiveness of your organization’s vulnerability detection efforts and minimize the exposure surface to zero-day vulnerabilities prior to production.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
