Cyber Pulse: Edition 102

​Researchers share technical details of the Fox Kitten campaign

Many companies have been targeted by the widespread Fox Kitten offensive campaign linked to Iran. The campaign has been orchestrated against companies from telecoms, aviation, government and security sectors globally. A new report published by cybersecurity firm ClearSky has revealed that the purpose of the hacker groups is to infiltrate and take control of critical corporate information, and they have managed to do so by exploiting known vulnerabilities in systems with unpatched VPN and RDP services.

Researchers believe it to be the work of three Iranian groups – Elfin (APT33), OilRig (APT34), and Chafer (APT39). Currently, the purpose of these attacks appears to perform reconnaissance and plant backdoors for surveillance operations. Researchers fear that access to all of these infected enterprise networks could also be weaponised in future to deploy data-wiping malware. Researchers claim that the campaign will be more significant in 2020 as there will be a discovery of new vulnerabilities in VPNs and other remote systems.

Unsigned firmware for computer peripherals puts Windows and Linux systems at risk

New research has shown that unsigned firmware used in Lenovo and Dell computer peripherals can be abused to compromise computers and servers. Researchers from Eclypsium analysed a couple of devices using insecure firmware, including touchpad and TrackPoint firmware in Lenovo laptops and a WiFi adapter on the Dell XPS laptop.

Though the ways to abuse the firmware varied from component to component, the final result could allow an attacker to sniff, copy, redirect or alter traffic and launch man-in-the-middle attacks. After the disclosure, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware. However, there are many that are yet to follow the routine of using signed firmware. Researchers have stated that the underlying problem in a device or product line cannot be fixed. This indicates that all of the devices in that product line will continue to be vulnerable throughout the lifetime.

Mobile banking users need to watch out for SMS messages that look legit

Security researchers at Lookout reported a worldwide phishing campaign that aims to obtain bank-account details through SMS-based phishing attacks. According to an official from the research team, this should be considered as a warning for mobile users. In a blog post, the research vendor stated it detected at least 4,000 unique IP addresses of mobile users who seemed to have fallen for the scam. It wasn't clear, however, what financial impact the attack had on its victims because there’s much less known about how the attackers may have used the compromised credentials.

What is known is that the hackers used an automated off-the-shelf SMS tool to create unique fake messages for customers of different banks, and they sent the text messages out en masse. Researchers have so far identified over 200 phishing pages very realistically imitating bank login pages, including branding, backgrounds and even security messages. Such malware kits are easily available to threat actors on the dark web and other hacking forums. At this time, experts cannot yet point at a particular threat group behind the campaign.

New card-not-present fraud: Scammers conceal stolen credit card data on reward card barcodes 

In an evolution of the traditional card-not-present fraud, scammers have come up with a new way to hide stolen credit card data by using barcodes affixed to rogue rewards cards. The alert sent to law enforcement agencies documented a recent fraud incident involving a counterfeit club membership card containing a barcode, a card expiration date and CVV printed below the barcode. The fake card was used to make payment for merchandise.

Krebson Security reported that scammers instruct the cashier to select card payment and scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number. The instructions on the rogue rewards card are designed to make the cashiers believe that it is a payment alternative designed for use at specific stores. When the transaction is made through a fake rewards card, it is recorded as card-not-present and the scammer makes away with the purchases. 

Adwind 3.0 found malspam campaign

A malspam campaign has been found to distribute Adwind 3.0 RAT by way of phishing emails. Discovered by Check Point researchers, the initial attack vector starts with a phishing email that includes a malicious Office file attachment. The file is heavily obfuscated with several evasion techniques to avoid detection. Once the malicious file is opened, it drops the Adwind 3.0 that is configured to steal sensitive information. The stolen data is then sent to the attacker’s C2 server. Security professionals can help their organisations defend against attacks like these by developing and refining processes for promptly responding to successful phishing and business email compromise (BEC) attacks. Companies should also conduct simulated phishing attacks to evaluate the preparedness of their team against any kind of email phishing attacks.

Edited and compiled by cyber security specialist James Aguilan.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.