At a glance.
- Bogus RedAlert app delivered spyware as well as panic.
- BloodAlchemy backdoors ASEAN targets.
- Cisco IOS XE zero-day exploited.
- Valve implements additional security measures for Steam.
- Warning on Atlassian vulnerability exploitation.
- Allies update their security-by-design guide.
- Ukrainian telecommunications providers hit by cyberattack.
- A Russian credential-harvesting campaign.
- Russian hacktivist auxiliaries hit Belgian websites.
Bogus RedAlert app delivered spyware as well as panic.
Cloudflare looked into the compromised RedAlert app that served false alarms of rocket attacks against Israeli users. They traced it to a knock-off of the legitimate RedAlert app, and they found that it had spyware functionality as well as the obvious panic-inducing disinformation. Cloudflare wrote, "The malicious RedAlert version imitates the legitimate rocket alert application but simultaneously collects sensitive user data. Additional permissions requested by the malicious app include access to contacts, call logs, SMS, account information, as well as an overview of all installed apps."
The researchers also found that the bogus app was flacked using domain impersonation. The bogus website ("hxxps://redalerts[.]me") differed by the single letter "s" from the legitimate RedAlert site ("hxxps://redalert[.]me"). The site directed Apple users to the real RedAlert source, but Android users were sent to a site that served a malicious version of the app. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, urged users of any apps to use only official app stores. "This is another example of why all phone apps should only be downloaded from the official app stores. Just too many trojan apps taking excessive permissions to trust any app downloaded from anywhere. Trojan apps are found in the official play stores, but they are less likely and will be removed as soon as someone reports them. There is just too much risk in downloading apps outside the official app stores." A viper may sometimes make its way into those official walled gardens, but it's usually swiftly ejected. And the unofficial sources of apps are a regular reptile house.
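Two of the tells described above, the single-letter lookalike domain and a permission set far broader than a rocket-alert app needs, can be checked mechanically. The following is an added example written for this digest, not code from Cloudflare or from the RedAlert project; the manifest is constructed from the permission list in the report, and the mapping of Android permission names to the data categories Cloudflare listed is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that match the data the report says the knock-off collected.
# None of these are needed to display a rocket alert (assumed mapping).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}

# Constructed sample manifest modelled on the report; not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.redalert.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """All android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def excessive_permissions(manifest_xml):
    """Sensitive permissions an alert app has no business requesting."""
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml) if p in SENSITIVE}


def is_lookalike(candidate, trusted):
    """True if the hostnames differ by exactly one inserted, deleted or
    substituted character, e.g. 'redalerts.me' versus 'redalert.me'."""
    if candidate == trusted:
        return False
    a, b = (candidate, trusted) if len(candidate) >= len(trusted) else (trusted, candidate)
    if len(a) - len(b) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    return any(a[:i] + a[i + 1:] == b for i in range(len(a)))  # one extra char


if __name__ == "__main__":
    for perm, what in sorted(excessive_permissions(SAMPLE_MANIFEST).items()):
        print(f"unexpected permission: {perm} ({what})")
    print("lookalike:", is_lookalike("redalerts.me", "redalert.me"))
```

The domain check catches only single-edit variants; a production allowlist comparison would also cover homoglyphs and added TLD tricks.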
BloodAlchemy backdoors ASEAN targets.
Researchers at Elastic Security Labs are tracking a new backdoor dubbed “BLOODALCHEMY” that’s being used to conduct cyberespionage against governments and organizations in the Association of Southeast Asian Nations (ASEAN). BLOODALCHEMY is part of the REF5961 intrusion set described by Elastic earlier this month. The researchers believe the activity is “state-sponsored and espionage-motivated,” launched by a threat actor aligned with the Chinese government.
The researchers note, “BLOODALCHEMY is a backdoor shellcode containing only original code (no statically linked libraries). This code appears to be crafted by experienced malware developers. The backdoor contains modular capabilities based on its configuration. These capabilities include multiple persistence, C2, and execution mechanisms. While unconfirmed, the presence of so few effective commands indicates that the malware may be a subfeature of a larger intrusion set or malware package, still in development, or an extremely focused piece of malware for a specific tactical usage.”