WME Security Briefing 26 July 2024

WME Cybersecurity Briefings No. 020

Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

Overview

A suspected pro-Houthi threat actor, tracked as the activity cluster OilAlpha, is targeting humanitarian organizations in Yemen with Android spyware. The operation uses malicious mobile apps to harvest sensitive information from victims' devices.

Impact

OilAlpha targets humanitarian organizations such as CARE International, the Norwegian Refugee Council (NRC) and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. The attacks have been ongoing; the most recent campaign was identified in early June 2024. The spyware-laden apps are disguised as legitimate apps related to humanitarian relief programs, and once installed they infiltrate the device and steal data.

The malware used in these attacks, SpyNote, requests intrusive permissions in order to access victim data. The campaign also includes credential harvesting through fake login pages impersonating humanitarian organizations. The likely aim is to gather intelligence that could be used to control or influence aid distribution and delivery.

Recommendation

✓ Only download apps from official and verified sources, and keep installation from unknown sources disabled on managed devices.

✓ Conduct regular security audits of devices used in the field.

✓ Raise awareness among staff about the risks of downloading apps from unknown sources.

✓ Implement robust mobile security solutions that can prevent the installation of spyware.

✓ Monitor devices and accounts for unusual activity, such as unexpected app installations or logins with harvested credentials.
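As an added example (not part of the original briefing and not a vendor tool), the following Python script implements the device-audit step above: it parses the text of `adb shell pm list packages -i` and, per package, `adb shell dumpsys package <pkg>`, flags apps that were not installed by a trusted installer, and scores the permissions that SpyNote-class spyware needs to read messages, record audio and track location. The package names, the sample command output and the permission weights are constructed for this example.

```python
"""Audit Android field devices for sideloaded apps holding spyware-grade permissions.

Input is the text of `adb shell pm list packages -i` plus, per package,
`adb shell dumpsys package <pkg>`. The samples at the bottom are constructed
for this example, not captured from a real device.
"""
import re

PLAY_STORE = "com.android.vending"
TRUSTED_INSTALLERS = {PLAY_STORE}   # add your MDM agent's package name here

# Permissions SpyNote-class spyware needs to read messages, record audio,
# track location and install further payloads. The weights are this
# example's own judgement, not a vendor-published indicator.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.CAMERA": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
}

PM_LINE = re.compile(r"package:(\S+)\s+installer=(\S+)")
PERM_LINE = re.compile(r"\s*(android\.permission\.[A-Z_]+): granted=true")


def parse_installers(pm_output):
    """Map package -> installer package, or None when the app was sideloaded."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_granted_permissions(dumpsys_output):
    """Collect every permission that dumpsys reports as granted=true."""
    return {m.group(1) for m in (PERM_LINE.match(l) for l in dumpsys_output.splitlines()) if m}


def score_package(installer, granted):
    """Return (score, reasons): sideloading plus each risky permission held."""
    score, reasons = 0, []
    if installer not in TRUSTED_INSTALLERS:
        score += 4
        reasons.append("sideloaded (installer=%s)" % (installer or "none"))
    for perm in sorted(granted & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[perm]
        reasons.append(perm.rsplit(".", 1)[1])
    return score, reasons


def audit(pm_output, dumpsys_by_pkg, threshold=8):
    """Packages scoring at or above the threshold, highest score first."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        score, reasons = score_package(installer, granted)
        if score >= threshold:
            findings.append({"package": pkg, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample output. The "aidtracker" app mimics a relief-program app
# that was sideloaded and granted SMS, microphone, location and contacts access.
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:org.example.relief.aidtracker  installer=null
package:com.example.messenger  installer=com.android.vending
"""
SAMPLE_DUMPSYS = {
    "org.example.relief.aidtracker": """\
  runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.messenger": """\
  runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PM, SAMPLE_DUMPSYS):
        print("%-40s score=%2d  %s" % (f["package"], f["score"], ", ".join(f["reasons"])))
```

Against a real device, feed the script the live output of the two adb commands and add the MDM agent's package name to `TRUSTED_INSTALLERS`, otherwise every MDM-pushed app scores as sideloaded. The threshold keeps a Play-installed messenger with microphone and camera access below the line while a sideloaded app holding the same permissions plus SMS access is reported.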

APT41 Cyber Espionage Campaign in Multiple Countries

Overview

APT41 is a prolific China-based hacking group. Since 2023 it has targeted organizations in Italy, Spain, Taiwan, Turkey and the U.K. across sectors such as global shipping and logistics, media and entertainment, and technology. The group gained unauthorized access to numerous networks and exfiltrated sensitive data over extended periods.

Impact

✔ They have exfiltrated large volumes of sensitive data.

✔ They combine custom malware (DUSTPAN and DUSTTRAP) with publicly available tools (SQLULDR2 for exporting Oracle database contents and PINEGROVE for uploading to OneDrive) to maintain persistence and exfiltrate data.

✔ Web shells such as ANTSWORD and BLUEBEAM are used to download droppers onto compromised systems.

✔ To evade detection they sign their malware with stolen code-signing certificates and abuse legitimate services such as Microsoft OneDrive for exfiltration.

Recommendation

🔧 Enhance network monitoring, including web server logs for web-shell activity and outbound transfers to cloud storage services

🔧 Update security protocols and keep internet-facing systems patched

🔧 Use advanced threat protection (ATP) and EDR tooling to detect and remove custom malware and web shells

🔧 Employ data encryption and strict access controls
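The web-shell tradecraft described above is where web server logs give the clearest detection signal. The following Python is an added example, not code from the original briefing or from the researchers who reported the campaign: it hunts for web-shell activity in combined-log-format access logs (Apache/nginx style) by flagging script files that receive POST-only, Referer-less traffic from one or two client addresses, and requests carrying the default User-Agent of the AntSword client. The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Hunt for web-shell activity in combined-log-format access logs.

Heuristics: (1) a script file that only ever receives POSTs, from one or two
client addresses, with no Referer header; (2) the default User-Agent of the
AntSword client. The log lines at the bottom are constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".jsp", ".jspx", ".php")
# AntSword sends "antSword/v2.1" as its User-Agent unless the operator changes
# it, so this is a cheap indicator rather than a reliable one.
TOOL_UA_MARKERS = ("antsword/",)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt_webshells(lines, min_posts=3, max_ips=2):
    """Score every script path seen in the log; return suspicious ones sorted by path."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "ips": set(),
                                 "no_referer_posts": 0, "tool_ua": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            s["posts"] += 1
            if rec["referer"] in ("", "-"):
                s["no_referer_posts"] += 1
        elif rec["method"] == "GET":
            s["gets"] += 1
        if any(marker in rec["ua"].lower() for marker in TOOL_UA_MARKERS):
            s["tool_ua"] += 1

    findings = []
    for path, s in stats.items():
        reasons = []
        if s["tool_ua"]:
            reasons.append("web-shell client User-Agent")
        # A legitimate form handler is also fetched with GET and is used by many
        # clients with a Referer; a dropped shell is POSTed to by its operator only.
        if (s["posts"] >= min_posts and s["gets"] == 0
                and len(s["ips"]) <= max_ips and s["no_referer_posts"] == s["posts"]):
            reasons.append("POST-only script: %d requests from %d IP(s), no Referer"
                           % (s["posts"], len(s["ips"])))
        if reasons:
            findings.append({"path": path, "client_ips": sorted(s["ips"]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample: normal portal traffic, one operator hammering a dropped
# .aspx under /uploads, and one request from an unmodified AntSword client.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2024:10:15:01 +0000] "GET /index.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [20/Jul/2024:10:15:03 +0000] "GET /login.aspx HTTP/1.1" 200 2048 "https://portal.example/index.aspx" "Mozilla/5.0"
203.0.113.8 - - [20/Jul/2024:10:15:09 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx" "Mozilla/5.0"
203.0.113.9 - - [20/Jul/2024:10:16:11 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/login.aspx" "Mozilla/5.0"
198.51.100.23 - - [20/Jul/2024:02:41:10 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jul/2024:02:41:12 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jul/2024:02:41:40 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Jul/2024:02:42:01 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.41 - - [20/Jul/2024:03:05:17 +0000] "POST /static/help.jsp HTTP/1.1" 200 640 "-" "antSword/v2.1"
"""

if __name__ == "__main__":
    for f in hunt_webshells(SAMPLE_LOG.splitlines()):
        print(f["path"], f["client_ips"], "; ".join(f["reasons"]))
```

Run it over a day of logs from each internet-facing server and triage the hits against the deployment's known form handlers; a script that appears only in POST requests and was never deployed by the application team is a file to pull and inspect. The User-Agent check is trivially evaded, so treat the POST-pattern heuristic as the primary signal.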

SolarWinds Patches Critical Vulnerabilities in Access Rights Manager Software

Overview

SolarWinds has fixed several security issues in its Access Rights Manager (ARM) software that could let attackers access sensitive data or run malicious code. Of the 13 vulnerabilities, eight are rated critical with a CVSS score of 9.6 out of 10; the remaining five are also significant.

Impact

The most severe vulnerabilities, if exploited, could permit attackers to read and delete files and to execute arbitrary code.

The specific vulnerabilities include:

✔️ CVE-2024-23472: Directory Traversal Arbitrary File Deletion & Information Disclosure

✔️ CVE-2024-28074: Internal Deserialization Remote Code Execution

✔️ CVE-2024-23469: Exposed Dangerous Method Remote Code Execution

✔️ CVE-2024-23475: Traversal and Information Disclosure

✔️ CVE-2024-23467: Traversal Remote Code Execution

✔️ CVE-2024-23466: Directory Traversal Remote Code Execution

✔️ CVE-2024-23470: UserScriptHumster Exposed Dangerous Method Remote Command Execution

✔️ CVE-2024-23471: CreateFile Directory Traversal Remote Code Execution

Recommendation

SolarWinds has fixed these issues in ARM version 2024.3. Administrators should update to this release without delay.
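Several of the CVEs above are directory traversal bugs. The following Python is an added, generic illustration of that bug class and is not SolarWinds code: a vulnerable resolver that joins a client-supplied path onto a base directory unchecked, beside a hardened one that canonicalizes the result and verifies it is still inside the base directory. The "delete a report" handler, the scratch directory layout and the file names are constructed for the example.

```python
"""Directory traversal: the unchecked join behind file-read/delete bugs, beside
a hardened resolver. Generic illustration of the bug class, not SolarWinds code."""
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the intended directory."""


def vulnerable_resolve(base_dir, user_path):
    """The traversal bug: join the client-supplied path and trust the result.
    '../secret.key' walks out of base_dir; an absolute path replaces it entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Resolve symlinks and '..' components, then insist the result stays in base_dir.
    Apply this after the web layer has URL-decoded the input, never before."""
    base = os.path.realpath(base_dir)
    # os.path.join silently discards base_dir when user_path is absolute.
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise PathTraversalError("absolute path rejected: %r" % user_path)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the containment test; a plain startswith(base) would accept
    # a sibling such as '/srv/reports_old' for base '/srv/reports'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("path escapes base directory: %r" % user_path)
    return candidate


def delete_report(base_dir, user_path, resolver=safe_resolve):
    """Service-style 'delete a report' handler; returns True if a file was removed."""
    target = resolver(base_dir, user_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo():
    """Build a scratch tree and run both resolvers against the same traversal input."""
    root = tempfile.mkdtemp()
    reports = os.path.join(root, "reports")
    os.mkdir(reports)
    secret = os.path.join(root, "secret.key")      # sibling of the reports dir
    for path in (os.path.join(reports, "q2.txt"), secret):
        open(path, "w").close()
    outcomes = {}
    # Vulnerable: '../secret.key' escapes 'reports' and the sibling file is deleted.
    outcomes["vulnerable_deleted_secret"] = delete_report(reports, "../secret.key", vulnerable_resolve)
    open(secret, "w").close()                      # recreate it for the hardened run
    try:
        delete_report(reports, "../secret.key")
        outcomes["safe_deleted_secret"] = True
    except PathTraversalError:
        outcomes["safe_deleted_secret"] = False
    # Hardened: legitimate paths inside the directory still work.
    outcomes["safe_deleted_legit"] = delete_report(reports, "q2.txt")
    outcomes["secret_survives"] = os.path.exists(secret)
    shutil.rmtree(root)
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %s" % (name, value))
```

The containment check has to run on the canonicalized path: `realpath` collapses `..` segments and follows symlinks, so a link planted inside the directory that points outside it is caught as well. Encoded forms such as `..%2f` are a web-layer concern; decode once, then pass the decoded string to this check.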

Major Security Breach at WazirX Cryptocurrency Exchange Leads to $230 Million Loss

Overview

Indian cryptocurrency exchange WazirX has disclosed a major security breach that led to the theft of about $230 million in cryptocurrency assets. Despite the exchange's use of Liminal's digital asset custody and wallet infrastructure, the attackers were able to compromise one of its multi-signature wallets.

Impact

The attack stemmed from a mismatch between the transaction details displayed in Liminal's interface and the data that was actually signed. This discrepancy allowed the attacker to substitute the payload, so that the signed transaction transferred control of the wallet to an attacker-controlled address. Liminal, one of the six signatories, was responsible for transaction verification. However, it stated that the compromised wallet was created outside its ecosystem and affirmed that wallets within its platform remain secure.

Blockchain analytics firm Elliptic has indicated that the attack bears the hallmarks of North Korean threat actors, who have a history of targeting the cryptocurrency sector going back to 2017.

Recommendation

  • Verify wallet security, including that each signer independently confirms what it is actually signing
  • Implement robust multi-signature protocols that check the signed data against the displayed transaction
  • Monitor transactions for any discrepancies
  • Regularly audit security measures
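The attack above turned on the gap between what the signing interface showed and what was actually signed. The following Python is an added example, not code from WazirX, Liminal or the original briefing: it models a 4-of-6 multi-signature approval and contrasts a signer that trusts the display with one that re-derives the summary from the exact payload it is about to sign and refuses on mismatch. The signer roles, the threshold, the transaction fields and the use of HMAC-SHA256 as a stand-in for each signer's ECDSA key are assumptions of this example.

```python
"""What-you-see-is-what-you-sign for a multi-signature approval: the interface
shows one transaction while the signing device is handed another.
HMAC-SHA256 stands in for each signer's ECDSA key (assumption of this example)."""
import hashlib
import hmac
import json


class DisplayMismatch(Exception):
    """The summary shown to the signer does not describe the bytes being signed."""


def canonical_bytes(tx):
    """Deterministic encoding; the signature commits to exactly these bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tx_digest(tx):
    return hashlib.sha256(canonical_bytes(tx)).hexdigest()


def summarize(tx):
    """Human-readable view derived from the payload itself, never from the UI."""
    return {"to": tx["to"], "value": tx["value"], "call": tx["data"]}


def sign(key, digest):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def blind_approve(key, displayed, payload):
    """Signs whatever digest the interface hands over, trusting the display."""
    return sign(key, tx_digest(payload))


def verified_approve(key, displayed, payload):
    """Re-derives the summary from the payload and refuses on any mismatch."""
    actual = summarize(payload)
    if actual != displayed:
        raise DisplayMismatch("shown %r but asked to sign %r" % (displayed, actual))
    return sign(key, tx_digest(payload))


def collect_approvals(signer_keys, displayed, payload, approve, threshold):
    """Gather signatures; returns the signature map if quorum is reached, else None."""
    sigs = {}
    for name, key in signer_keys.items():
        try:
            sigs[name] = approve(key, displayed, payload)
        except DisplayMismatch:
            pass  # a refusal is the correct outcome, not an error to retry
    return sigs if len(sigs) >= threshold else None


# Constructed scenario: six signers (five at the exchange, one at the custodian)
# with a 4-of-6 quorum. Roles and threshold are assumptions of this example.
SIGNER_KEYS = {"ops-%d" % i: b"key-ops-%d" % i for i in range(1, 6)}
SIGNER_KEYS["custodian"] = b"key-custodian"
THRESHOLD = 4

# What the interface shows: a routine hot-wallet top-up.
DISPLAYED = {"to": "hot-wallet", "value": "1000 USDT", "call": "transfer"}
# What is actually handed to the signers: a call that hands the wallet to the attacker.
MALICIOUS_PAYLOAD = {"to": "multisig-wallet", "value": "0", "data": "changeOwner(attacker)"}


def demo():
    """Run the swapped payload through blind and verifying signers."""
    blind = collect_approvals(SIGNER_KEYS, DISPLAYED, MALICIOUS_PAYLOAD, blind_approve, THRESHOLD)
    verified = collect_approvals(SIGNER_KEYS, DISPLAYED, MALICIOUS_PAYLOAD, verified_approve, THRESHOLD)
    return {
        "blind_quorum": blind is not None,
        "blind_signed_digest": tx_digest(MALICIOUS_PAYLOAD) if blind else None,
        "verified_quorum": verified is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %s" % (name, value))
```

The design point is that the display must be a function of the bytes being signed, computed on the signer's side, rather than a separate object the interface passes alongside them. With a hardware signer this means decoding the raw transaction on the device and showing the destination and call data on its own screen; with a software co-signer it means the service recomputes the transaction hash from the fields it shows the operator and refuses to sign anything else.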

HotPage Adware Posing as Ad Blocker Installs Malicious Kernel Driver

Overview

Cybersecurity researchers have uncovered an adware module masquerading as an ad blocker. It covertly installs a kernel driver that enables attackers to execute arbitrary code with elevated privileges on Windows systems. The malware is named HotPage after its installer, HotPage.exe.

Impact

HotPage claims to block ads and malicious websites. In reality it deploys a driver capable of injecting code into other processes. The malware can modify webpage contents, redirect users to different pages and open new tabs under specific conditions.

The adware displays game-related ads and harvests system information, which it sends to a remote server linked to a Chinese company. The embedded driver lacks access control lists (ACLs), so any local user, including non-privileged accounts, can interact with it and ultimately run code as NT AUTHORITY\SYSTEM.

Because the driver is reachable by any local process, other threats on the same machine can exploit it to compromise Windows system security. Notably, the driver was signed by Microsoft, which indicates that the Chinese company had obtained an Extended Validation (EV) code-signing certificate and submitted the driver for signing. The driver has since been removed from the Windows Server Catalog.

Recommendations

  • Admins should inspect their systems for the presence of HotPage.exe and associated malicious drivers.
  • If detected, immediately remove the HotPage installer and any related components.
  • Ensure that all systems have updated security patches.
  • Implement stricter policies for driver installations, such as allow-listing which signed drivers may load.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
