In today’s cybersecurity news…
Android malware found on Amazon Appstore disguised as health app
The app, named “BMI CalculationVsn”, was found by researchers at McAfee, who determined that rather than being a health tool it was in fact stealer malware. As its name suggests, the malicious app, published by PT Visionet Data Internasional [sic], was promoted as a simple body mass index (BMI) calculator, and it does perform that function. While doing so, however, it also records all activity on the phone, scans the device, and collects SMS messages sent and stored on the device, including one-time passwords (OTPs) and verification codes. It has been removed from the Amazon Appstore, and anyone who downloaded it is urged to remove it manually and run a full scan to eliminate any leftover traces.
BeyondTrust suffers cyberattack
BeyondTrust, a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions, itself suffered a cyberattack on December 2. “Its products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.” After detecting “anomalous behavior,” the company determined that “hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.” “BeyondTrust immediately revoked the API key, and notified known impacted customers. It is not yet clear whether the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.”
Fortinet warns of critical flaw in Wireless LAN Manager
This flaw, which has now been patched, could have allowed admin access and sensitive information disclosure in the Wireless LAN Manager (FortiWLM) product. Security researcher Zach Hanley of Horizon3.ai stated that the vulnerability, which carries a CVSS score of 9.6, “enables remote attackers to exploit log-reading functions via crafted requests to a specific endpoint.” A subsequent report from Horizon3 stated that FortiWLM’s verbose logs “expose session IDs, enabling attackers to exploit log file read vulnerabilities to hijack sessions and access authenticated endpoints.” The CVE number for this vulnerability is in the show notes to this episode: CVE-2023-34990.
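The two weaknesses the Horizon3 write-up chains together, a log-reading function that trusts the requested file name and verbose logs that carry session identifiers, are shown below in generic form. This is an added example, not FortiWLM code or Horizon3's research; the directory layout, log lines, endpoint names and session-cookie names are all constructed for the demo, and the hardened reader and redaction step are one reasonable mitigation pattern rather than Fortinet's fix.

```python
"""Generic log-read confinement and session-ID redaction (constructed example)."""
import re
import tempfile
from pathlib import Path

# Session identifier pattern assumed for the demo (cookie-style name=value).
SESSION_RE = re.compile(r"(?i)\b(sessionid|phpsessid|jsessionid)=([A-Za-z0-9]+)")


def build_demo_tree() -> Path:
    """Create a throwaway tree: a log directory plus a file outside it.
    Everything here is constructed; it does not mirror any real product's paths."""
    root = Path(tempfile.mkdtemp(prefix="wlm-demo-"))
    logs = root / "logs"
    logs.mkdir()
    (logs / "upgrade.log").write_text(
        "2024-12-19 10:00:01 GET /ems/login ok sessionid=7f3a9c2d41\n"
        "2024-12-19 10:00:05 GET /ems/status ok sessionid=7f3a9c2d41\n"
    )
    (root / "secret.txt").write_text("outside the log directory\n")
    return root


def read_log_unsafe(log_dir: Path, name: str) -> str:
    """Vulnerable pattern: the caller-supplied name is joined onto the log
    directory with no check, so a name such as '../secret.txt' escapes it."""
    return (log_dir / name).read_text()


def read_log_safe(log_dir: Path, name: str) -> str:
    """Hardened pattern: resolve the final path (following symlinks) and accept
    it only if it sits directly inside the log directory and ends in .log."""
    base = log_dir.resolve()
    target = (base / name).resolve()
    if target.parent != base or target.suffix != ".log":
        raise PermissionError(f"refusing to read {name!r}")
    return target.read_text()


def extract_session_ids(text: str) -> set[str]:
    """What an attacker who can read the log would harvest from it."""
    return {m.group(2) for m in SESSION_RE.finditer(text)}


def redact_sessions(text: str) -> str:
    """Strip session identifiers so a readable log no longer yields a usable token.
    This belongs at write time; redacting at read time still leaves the file on disk."""
    return SESSION_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


if __name__ == "__main__":
    root = build_demo_tree()
    logs = root / "logs"
    print("unsafe read escapes:", read_log_unsafe(logs, "../secret.txt").strip())
    print("harvested ids:", extract_session_ids(read_log_unsafe(logs, "upgrade.log")))
    try:
        read_log_safe(logs, "../secret.txt")
    except PermissionError as exc:
        print("safe read:", exc)
    print(redact_sessions(read_log_safe(logs, "upgrade.log")))
```

The check compares the resolved parent to the resolved base rather than looking for `..` in the string, so encoded traversal sequences and symlinks are caught the same way; the suffix check is the allow-list for what the endpoint is meant to serve.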
Huge thanks to our sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
DHS official who launched cyber safety review board departs
Rob Silvers served as the under secretary for policy at the Department of Homeland Security until his departure on Wednesday. As Recorded Future News notes, such departures are common following an election, in the period before Inauguration Day on January 20. During his tenure, Silvers focused heavily on cybersecurity issues such as ransomware, and also chaired the Cyber Safety Review Board, established by President Joe Biden to probe major digital incidents.
Juniper routers with default passwords are attracting Mirai infections, says manufacturer
According to an advisory from Juniper, customers last week started reporting “suspicious behavior” on their Session Smart Routers. What the customers all had in common was that they were still using the factory-set passwords on the devices. Investigation found a variant of Mirai malware that had been scanning for such vulnerable routers. Once infected, the devices were “subsequently used as a DDOS attack source” attempting to disrupt websites with junk traffic, Juniper says. The company does not mention how many devices were infected or where the attacks were directed. Juniper recommends that customers with Session Smart Routers “immediately apply strong, unique passwords and continue to monitor for suspicious network activity such as unusual port scanning, increased login attempts and spikes in outbound internet traffic.”
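Juniper's advice to watch for "increased login attempts" is the part of the recommendation that can be automated. The following is an added example, not Juniper's tooling, of the detection logic a practitioner might run over authentication logs: it flags any source that produces a burst of failed logins inside a short window, and separately flags a successful login from a source that had just been bursting, which is what a default-credential brute force looks like when it lands. The log lines are constructed in OpenSSH syslog style for the demo; the Session Smart Router's actual log format is not assumed.

```python
"""Failed-login burst detection over syslog-style lines (constructed example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one source hammers admin/root then gets in; another is benign.
SAMPLE_LOG = """\
Dec 18 03:10:01 ssr1 sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Dec 18 03:10:03 ssr1 sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Dec 18 03:10:04 ssr1 sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 18 03:10:06 ssr1 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51025 ssh2
Dec 18 03:10:09 ssr1 sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Dec 18 03:10:12 ssr1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Dec 18 03:15:40 ssr1 sshd[813]: Failed password for ops from 198.51.100.9 port 40100 ssh2
Dec 18 03:16:02 ssr1 sshd[813]: Accepted password for ops from 198.51.100.9 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str  # "Failed" or "Accepted"
    user: str
    ip: str


def parse(log_text: str, year: int = 2024) -> list[AuthEvent]:
    """Parse the lines we understand; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(ts, m["outcome"], m["user"], m["ip"]))
    return events


def _prune(window: deque, now: datetime, window_s: int) -> None:
    """Drop failures older than the sliding window."""
    while window and (now - window[0]).total_seconds() > window_s:
        window.popleft()


def find_bruteforce(log_text: str, window_s: int = 60, threshold: int = 5) -> dict[str, set[str]]:
    """Return {source_ip: findings}. 'burst' means >= threshold failures within
    window_s seconds; 'success_after_burst' means an accepted login while that
    source was still inside a burst, i.e. the guessing probably succeeded."""
    recent_failures: dict[str, deque] = defaultdict(deque)
    findings: dict[str, set[str]] = defaultdict(set)
    for ev in parse(log_text):
        window = recent_failures[ev.ip]
        _prune(window, ev.ts, window_s)
        if ev.outcome == "Failed":
            window.append(ev.ts)
            if len(window) >= threshold:
                findings[ev.ip].add("burst")
        elif len(window) >= threshold:
            findings[ev.ip].add("success_after_burst")
    return dict(findings)


if __name__ == "__main__":
    for ip, tags in find_bruteforce(SAMPLE_LOG).items():
        print(ip, sorted(tags))
```

Thresholds are assumptions to tune per device; a burst alone on an internet-facing management port is worth a look, and `success_after_burst` is the signal to treat the device as compromised, rotate the credential, and check for outbound DDoS traffic as Juniper describes.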
CISA urges senior government officials to lock down mobile devices due to Salt Typhoon
The Salt Typhoon saga continues, with CISA now urging, in a five-page advisory released on Wednesday, that all “highly targeted individuals rely on the consistent use of end-to-end encryption.” Although CISA executive Jeff Greene has declined to provide more information on the government’s investigation into the Salt Typhoon breaches, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, has previously said Chinese actors are still inside the breached systems. As such, “senior government officials and politicians need to use end-to-end encrypted apps and should assume all of their messages are at risk of being stolen or manipulated,” CISA said.
Ukrainian sentenced to five years in jail for work on Raccoon Stealer
Following up on a story we have been covering for quite a while, Ukrainian national Mark Sokolovsky has been sentenced to five years in federal prison for his role in “operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data.” The 28-year-old was described in court documents as being “integral to operations that allowed the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency.” The malware was used to extract data such as log-in credentials, financial information, and other personal records.