It’s as they say: Teams is only as strong as its weakest links. Microsoft’s collaboration platform offers Tabs, Meetings, and Messages functions, and they all can be exploited.
Related Posts
China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion
The MITRE Corporation has offered more details into the recently disclosed cyber attack, stating that the first evidence of the intrusion now dates back to December 31, 2023.
The attack, which came to light last month, singled out MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) through the exploitation of two Ivanti Connect Secure zero-day
The Hacker News | #1 Trusted Cybersecurity News Site
Python developers under attack.
A supply chain attack targets Python developers. Russia targets German political parties. Romanian and Spanish police dismantle a cyber-fraud gang. Pwn2Own prompts quick patches from Mozilla. President Biden nominates the first assistant secretary of defense for cyber policy at the Pentagon. An influential think tank calls for a dedicated cyber service in the US. Unit42 tracks a StrelaStealer surge. GM reverses its data sharing practice. Our guest is Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, who shares trends in cloud-native security. And a Fordham Law School professor suggests AI creators take a page from medical doctors.
The CyberWire
New Fake E-Shopping Attack Hijacking Users Banking Credentials
A fake e-shop scam campaign has been targeting Southeast Asia since 2021. CRIL observed a surge in activity in September 2022, with the campaign expanding from Malaysia to Vietnam and Myanmar.
The attackers use phishing websites to distribute a malicious APK (Android application package), which steals user credentials through SMS and can now also take screenshots and utilize accessibility services on the victim’s device, giving the attackers more control.
Cybercriminals have run a fake e-shop campaign in Malaysia since 2021, impersonating cleaning services on social media and tricking victims into contacting them via WhatsApp.
It led users to download malicious APKs through phishing websites.
The malware specifically targeted login credentials for Malaysian banks, including Hong Leong, CIMB, Maybank, and others, demonstrating a growing trend of social engineering tactics combined with phishing attacks to steal banking information.
A fake e-shop campaign observed by Cyble has been expanding its operations across Southeast Asia, where attackers use phishing websites disguised as legitimate payment gateways to distribute malware.
The malware then delivers fake login pages designed to steal bank credentials; in Vietnam, the campaign targeted HD Bank customers with a website mimicking the bank’s online portal.
They also used a command-and-control server to manage the malicious operation. In Myanmar, the campaign used a similar tactic but targeted different banks and employed a Burmese-language phishing page.
A new wave of phishing sites targeting Malaysian online shoppers has been identified. The sites mimic legitimate e-commerce platforms but lack sophistication, offering only basic features and fake iOS download buttons.
The malware behind the scam has also been updated, incorporating features like screen sharing and exploiting accessibility services to steal user data.
The latest version targets 18 Malaysian banks and utilizes two URLs, one for phishing and control and another for screen sharing.
Technical Details:
eCart malware disguises itself as a shopping app but is designed to steal user data. Upon installation, it requests accessibility permission to perform automatic clicks and gestures.
It then communicates with remote servers to initiate screen sharing and send logs. It uses the Janus plugin to control gestures and obfuscates strings with Paranoid to hinder analysis.
It attempts to replace the default SMS app and gain screen-capture permissions. Screen sharing wasn’t functional due to misconfiguration, but its inclusion suggests the malware’s potential for more sophisticated attacks.
The malware campaign uses fake e-shops to trick users into logging in with stolen credentials. The shop then presents fake products and uses a fake FPX payment page to steal banking information from 18 Malaysian banks.
According to Cyble, the attackers have upped their game by adding screen-sharing and exploiting accessibility services, showing an effort to target a wider audience and steal more data.
They use a phishing email (T1660) containing a malicious e-shop app link (hxxps://www[.]worldshopping-global[.]com/) to gain initial access (TA0027).
Once installed, the malware registers broadcast receivers (T1624.001) to steal incoming SMS messages (T1636.004) and inject inputs (T1516) to potentially mimic user actions.
It also captures screenshots (T1513) using a Janus WebRTC plugin, and exfiltrated data, including SMS messages, is sent to a command and control server (T1646) at hxxps://superbunapp[.]com.
The attackers also use similar tactics with a fake trading application distributed via a different phishing website (hxxps://ecart-global[.]com).
Cyber Security News