U.S. federal agency hack and the return of FakeCalls Android malware
Cybercriminals use an old software bug to hack a U.S. federal agency, FakeCalls Android malware returns with new capabilities and Samsung Exynos chipset flaws. Catch all this and more in this week’s edition of Cybersecurity Weekly.
1. Hackers exploit a four-year-old vulnerability to breach a U.S. federal agency
The CISA, FBI, and MS-ISAC released a joint alert on Wednesday informing that nation state-backed hackers managed to hack a U.S. federal agency via a four-year-old bug exploit. The vulnerability in the agency’s UI tool for web servers Telerik allowed malicious actors to successfully deploy remote code, exposing access to the agency’s internal network. CISA did not identify the agency in question, but warned that the vulnerability is one of the most frequently exploited in 2020 and 2021.
2. FakeCalls Android malware returns targeting banks in South Korea
Check Point Research (CPR) has uncovered a new version of the vishing malware tool “FakeCalls” targeting banking users in South Korea. The malware lures victims into confirming their credit card numbers by impersonating one of the 20 leading institutions in the region. Researchers found over 2,500 samples of the malware that use several unique evasion techniques not previously seen in the wild. CPR also warned that the techniques used by FakeCalls could be used in other applications targeting markets worldwide, urging people to be wary of unusual delays or pauses in phone calls.
3. Google detects 18 critical security flaws in Samsung Exynos chipsets
Google’s Project Zero team found 18 zero-day vulnerabilities in Samsung’s Exynos chips for mobiles, wearables and vehicles, including four “serious” ones. Attackers could remotely execute code without user interaction and detection, using just a victim’s phone number. The other 14 vulnerabilities can only be exploited with local access or by a malicious mobile network operator. Samsung has provided patches to other vendors, but not to all affected users. Users can disable Wi-Fi calling and Voice-over-LTE to thwart baseband RCE attempts. Users are urged to update devices as soon as possible.
4. YoroTrooper targeting government and energy firms in Europe and CIS
Cisco has identified a new threat actor, YoroTrooper, targeting government and energy organizations in the European and CIS regions for espionage and data theft. The group has been active since June 2022 and is believed to consist of Russian-speaking individuals. YoroTrooper uses malicious and typosquatted domains to trick victims with phishing emails that carry a shortcut file triggering the infection and a decoy PDF document. Its threat portfolio includes in-house and commodity malware families, such as LodaRAT and AveMaria/Warzone RAT.
5. Cybercriminals exploit Adobe Acrobat Sign to distribute info-stealing malware
Cybercriminals are exploiting Adobe Acrobat Sign, an online document signing service, to distribute Redline information stealer malware. Threat actors register with the free-to-try service and send malicious emails to target email addresses containing a link to a document hosted on Adobe’s servers. The documents contain a link to a website that asks visitors to solve a CAPTCHA before downloading a ZIP archive containing the Redline malware. Avast researchers warn about the effectiveness of the method in bypassing security layers. Highly targeted attacks employing this method have also been spotted, including one targeting a popular YouTube channel.