SISA Weekly Threat Watch – September 19th, 2022

Researchers have observed a rapid increase in threat actors executing successful cyber attacks due to the availability of free malware builders and panels. As a result, malicious groups keep posing new challenges for users and the cybersecurity community with evolved malware versions. This past week also saw various APT and hacking groups exploiting new and unknown vulnerabilities by spreading ransomware, malicious apps, and upgraded malwares.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft Teams stores authentication tokens as cleartext in Windows, Linux, Macs

Security experts have discovered a major security flaw that allows threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) enabled in the desktop version for Microsoft Teams. The tokens could be stolen and then used to enter the victim’s account by an attacker with local access to a computer on which Microsoft Teams is installed.

Vectra further examined Microsoft Teams and found a ldb folder that includes access tokens in clear text. The analysts also discovered that the “Cookies” folder contained account information, session data, marketing tags, valid login tokens, and more. The information-stealing malware, which is now one of the payloads that is most frequently sent in phishing campaigns, may take full advantage of this flaw. Until Microsoft effectively fixes this issue, we recommend using Microsoft Edge’s web-based Teams client, which has several OS-level safeguards to protect against token leaks.

2. Vice Society Ransomware

The intrusion, exfiltration, and extortion hacking group – Vice Society that initially surfaced in the summer of 2021 have spread variants of the ransomware known as Hello Kitty/Five Hands and Zeppelin. The actors investigate the network, look for ways to gain further access, and steal data in preparation for double extortion, a strategy in which the actors threaten to make sensitive information available to the public unless a victim pays a ransom.

Actors from the Vice Society have been seen increasing privileges, getting access to domain administrator accounts, and then running scripts to change the passwords of victims’ network accounts to stop the victim from resolving the issue. It is recommended to maintain offline data backups, track, and record remote connections from outside sources, and mandate phishing-resistant MFA for all services to prevent ransomware attacks.

3. SharkBot Malware sneaks back on Google Play to steal your logins

The Google Play Store has been compromised by two malicious apps that have been downloaded more than 60,000 times by users worldwide. These malicious apps spread the upgraded SharkBot malware, which targets Android users’ banking logins. The malware gets activated only once the user installs and executes the dropper programmes; it is added as an update.

Researchers from Cyble discovered a tweet mentioning Zanubis – another Android banking virus that poses as a harmful PDF programme. Following the recent discovery of other banking trojans, threat actors are now using SharkBot and Zanubis as Android banking trojans. To reduce the risk of data compromise, ensure that Google Play Protect is turned on in Android devices, enforce MFA and use of strong passwords as well as educate employees on preventing such cyber threats.

4. APT42: Crooked charms, cons, and compromises

APT42, a nation cyberspy group targets people and organizations of strategic relevance to Iran with highly focused spear phishing and monitoring operations. According to Mandiant, the gang has utilized compromised credentials to try to get access to the networks, devices, and accounts of employers, co-workers, and family, as well as credential harvesting to gather MFA codes to bypass authentication mechanisms.

APT42 also has access to a number of lightweight tools and unique backdoors. It can use credential harvesting forms to get around MFA, intercept SMS-based one-time passwords, and send Android malware via SMS texts. APT42 frequently tries to gain access to the victim’s corporate accounts via the victim’s compromised personal email account. Users are advised to use secure computing methods, avoid installing software from unverified sources, and keep anti-virus and other security solutions updated to stay protected.

5. Hackers Leak MiniStealer’s Builder and Panel for Free

According to Cyble security analysts, Cybercrime forum threat actors were giving away the function and panel for MiniStealer. Builder: MiniStealerBuilder.exe, Stub, and Panel: Web Panel Source code are among the files mentioned inside the two folders that make up the leaked ZIP files. Such builders also assist less skilled hackers in the creation of malicious payloads, that too against Chromium-based browsers and FTP applications.

Furthermore, the malicious actor published the web panel’s source code, which can be used to receive data that was stolen from a target network. The 64-bit.NET binary for the MiniStealer application makes use of timestamping and to avoid sample debugging, it employs a number of anti-analysis checks. Data from configuration files is taken by the FTP application which duplicates specific files in the AppDataBrowser directory for browsers. It is recommended to avoid downloading pirated software from warez/torrent websites, deploy a Data Loss Prevention (DLP) solution on the computers and enable automatic software updates on your devices.