FireEye describes a Chinese cyberespionage campaign targeting Israeli entities. The researchers identified some similarities between this threat actor, dubbed "UNC215," and APT27 (also known as Emissary Panda), but they don't definitively attribute the activity to APT27: "In early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage group UNC215. These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia….In addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region." FireEye notes that the threat actor's malware contains some Farsi strings and references to Iran, which the researchers believe are false flags.

Zimperium outlines a new Android Trojan dubbed "FlyTrap" that compromises victims' Facebook accounts by stealing session cookies. The malware is first installed via malicious apps in the Google Play store and third-party app stores (though Google has since removed the apps from its own store). Once installed, the apps prompt the user to log in to their Facebook account in order to receive a coupon. The login occurs through Facebook's legitimate single sign-on (SSO) service.
As a result, the malware isn't able to obtain the victim's Facebook credentials, but it can extract information about the session: "Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an account, there are ways to hijack sessions even by logging into the original and legit domain. This Trojan exploits one such technique known as JavaScript injection. Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code." Zimperium says at least 10,000 victims in 140 countries have been infected by FlyTrap. The researchers also note that the attackers have inadvertently left their command-and-control server unsecured, so all of the stolen session cookies are accessible from the public internet.

Researchers at Symantec have observed a cyberespionage campaign that targeted four critical infrastructure entities in an unnamed Southeast Asian country. The researchers state, "Among the organizations targeted were a water company, a power company, a communications company, and a defense organization, with evidence the attackers were interested in information about SCADA systems. The attacks were ongoing from at least November 2020 to March 2021, several months before the Colonial Pipeline attack that drew the attention of the world to the danger posed by attacks on critical infrastructure, and may have begun even earlier than that." The researchers suspect the threat actor is based in China, though they don't attribute the campaign to any specific actor.

Juniper Networks warns that attackers are exploiting CVE-2021-20090, an authentication-bypass vulnerability in routers that use Arcadyan firmware. The vulnerability was disclosed by Tenable on August 3rd.
Tenable noted that the scope of the vulnerability will be difficult to quantify, since Arcadyan firmware is used in "at least 20 models across 17 different vendors." Juniper found that a threat actor began exploiting the vulnerability to install Mirai botnet malware just two days after the flaw was disclosed: "As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability. Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out."

New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices (Unit42)
A new variant of eCh0raix ransomware targets devices common in the small office and home office. Learn technical details and mitigations.

Freshly disclosed vulnerability CVE-2021-20090 exploited in the wild (Official Juniper Networks Blogs)
Juniper Threat Labs continuously monitors in-the-wild network traffic for malicious activity. Today, we have discovered an active exploitation of a vulnerability that was disclosed just 2 days ago. CVE-2021-20090 is a vulnerability that was discovered by

XLSM Malware with MacroSheets (McAfee Blogs)
Excel-based malware has been around for decades and has been in the limelight in recent years. During the second half of 2020, we saw adversaries using

Prometheus TDS (Group-IB)
Review of malicious campaigns executed with the help of Prometheus TDS — a service designed to distribute malicious files and redirect users to phishing and malicious sites

‘Glowworm’ Attack Turns Power Light Flickers into Audio (Threatpost)
Researchers have found an entirely new attack vector for eavesdropping on Zoom and other virtual meetings.
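The FlyTrap item above describes session cookies being read by script injected into a WebView that has loaded the legitimate site. One server-side check a defender can run against their own application is to audit Set-Cookie headers for the HttpOnly, Secure and SameSite attributes: HttpOnly keeps a cookie out of document.cookie, so script running in the page cannot read it, while Secure and SameSite limit where the browser will send it. This does not help against an app that controls the WebView and reads its cookie store directly, so it narrows the exposure rather than removing it. The following is an added example, not code from Zimperium or from this digest; the header strings are constructed, and the name pattern used to decide which cookies count as session-like is an assumption.

```javascript
// Added example: audit Set-Cookie header values for the attributes that limit
// what page script and cross-site requests can do with a session cookie.
// The header strings below are constructed samples, not data from any report.

// Assumption: cookies whose names match this pattern carry a session or token.
const SESSION_NAME_HINTS = /sess|sid|token|auth|login/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  // Only the first '=' separates name from value; the value may contain '='.
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a single Set-Cookie value. Non-session cookies are reported but not
// judged; session-like cookies get one finding per missing protection.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_HINTS.test(name)) {
    return { name, session: false, findings };
  }
  if (!('httponly' in attrs)) {
    findings.push('missing HttpOnly: readable via document.cookie by any script in the page');
  }
  if (!('secure' in attrs)) {
    findings.push('missing Secure: will be sent over plain HTTP');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null || sameSite === 'none') {
    findings.push('SameSite absent or None: attached to cross-site requests');
  }
  return { name, session: true, findings };
}

// Audit every Set-Cookie value from one response.
function auditAll(headers) {
  return headers.map(auditCookie);
}

// Constructed sample: one well-protected session cookie, one unprotected
// token cookie, and one preference cookie that is not session-like.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'auth_token=xyz; Path=/',
  'theme=dark; Path=/',
];

// Stand-alone run: print the audit of the constructed sample.
for (const r of auditAll(SAMPLE_HEADERS)) {
  const status = !r.session ? 'not session-like' : r.findings.length === 0 ? 'ok' : 'weak';
  console.log(`${r.name}: ${status}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

Feed it the Set-Cookie values from a real response (for example, the array Node's fetch exposes via response.headers.getSetCookie()) to see which session cookies a script injected into the page could read outright.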