At a glance.
- Preinstalled malware in Lifeline phones.
- Third-party breach at FreddieMac.
- Evilnum threatens user data on fintech platforms and services.
- Joker malware resurfaces.
- Royal Military College of Canada hack may have been information-stealing ransomware.
Preinstalled malware found in Lifeline-provided phones.
Researchers at Malwarebytes report preinstalled malware on ANS (that is, American Network Solutions) UL40 phones running Android OS 7.1.1. The devices are among those sold by Assurance Wireless under the US Federal Communications Commission’s Lifeline program, which makes budget phones available to low-income consumers. This is the second time this year Malwarebytes has found preinstalled malware in discount Lifeline devices. Back in January the company found similar issues with UMX U683CL devices produced by Unimax Communications, which Malwarebytes says “officially removed all pre-installed malware” from its phone in February.
FreddieMac discloses a breach.
FreddieMac, the US Federal Home Loan Mortgage Corporation, has disclosed a data breach. It's apparently a third-party incident: borrowers whose loans were serviced by one of FreddieMac's "due diligence vendors" have received letters warning them of the breach. The third party told FreddieMac that they haven't seen evidence that unauthorized parties got personal information, but they do say that borrowers' personal data "including your loan application data (e.g., name, address, social security number, date of birth, credit and bank account information)" were on their servers at the time of the compromise.
Evilnum and the threat to fintech users' privacy.
ESET has a report out on the Evilnum APT, a little-discussed group that's been active against financial technology companies since 2018 at least. The security firm’s researchers say that the threat group uses a mix of internally developed and commodity attack tools; they steal financial information from trading and investment platforms. Most of Evilnum’s targets have been in the EU or the UK, with a few in both Canada and Australia. The commodity tools they use are for the most part purchased on the criminal-to-criminal market from the Golden Chickens malware-as-a-service vendor whose other customers include FIN6 and the Cobalt Group.
The information Evilnum has taken includes spreadsheets and documents holding customer lists, investments and trading operations; internal presentations; software licenses and credentials for trading software and platforms; cookies and browser session information; email credentials; and customer credit card information, including proof of address and identity documents.
Joker Android malware continues to react and adapt to being purged from Google Play.
Security firm Check Point today outlined a new variant of Joker Android malware hiding inside apparently legitimate apps, some of which circulate in the Play store. Forbes summarizes the findings as more evidence of Joker's dangerous sophistication. It hides itself in the manifest file of infected apps, which Check Point explained “is the file every Android app must have, where the developer declares permissions needed, usage of services, etc. The actor pushed encoded malicious payload into ‘metadata’ fields in that file, only to be decoded and loaded when on a victim’s device. That way no configuration or payload needs to be pulled from the internet.” Google has ejected the malicious apps from the Play store, but the Joker operators are adaptive, and once they’re detected they return in a similarly evasive form.
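A defender-side triage heuristic suggested by Check Point's description, written as an added example for this briefing (it is not Check Point's tooling or code from the report): it parses an AndroidManifest.xml and flags any meta-data value that is long, well-formed base64 and decodes to high-entropy bytes. The sample manifest, package name, meta-data names and thresholds are constructed assumptions.

```python
"""Heuristic scan of an AndroidManifest.xml for <meta-data> values that look
like large, high-entropy encoded blobs. Example code, not Check Point's."""
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())

def suspicious_meta_data(manifest_xml: str, min_len: int = 64,
                         min_entropy: float = 6.0) -> list:
    """Return the android:name of each <meta-data> element whose value is a
    long, valid base64 string that decodes to high-entropy bytes."""
    root = ET.fromstring(manifest_xml)
    flagged = []
    for md in root.iter("meta-data"):
        value = md.get(ANDROID_NS + "value") or ""
        if len(value) < min_len or not B64_RE.match(value):
            continue  # short literals (version numbers, flags) are normal
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue  # base64-looking charset but not decodable
        if shannon_entropy(raw) >= min_entropy:
            flagged.append(md.get(ANDROID_NS + "name"))
    return flagged

# Constructed sample manifest for a fictional package: one ordinary entry and
# one carrying a 512-byte high-entropy blob (every byte value, twice).
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode("ascii")
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="cfg.blob" android:value="{_BLOB}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(suspicious_meta_data(SAMPLE_MANIFEST))  # ['cfg.blob']
```

Legitimate apps also embed keys and certificates in meta-data, so a hit is a reason to pull the APK for analysis, not a verdict on its own.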
Royal Military College of Canada sustains a cyberattack.
Canada’s Department of National Defence is continuing its investigation of last week’s hacking incident at RMC, the Royal Military College of Canada at Kingston, Ontario. RMC is the equivalent of the US Military Academy at West Point or Britain’s Royal Military College at Sandhurst. The Department of National Defence has said “all early indications suggest this incident resulted from a mass phishing campaign.”
The Financial Post cites sources at the college as saying it was a ransomware attack. Emsisoft told the Financial Post that, assuming it was ransomware, the gangs responsible were probably either DoppelPaymer or NetWalker, both of which steal data before they encrypt drives and submit their ransom demand. NetWalker tends to add its victims to its public list and then remove them once they begin negotiating payment, whereas DoppelPaymer’s style is not to disclose its victims until they refuse payment. Given that RMC hasn’t yet shown up on anyone’s list of victims, they’re betting it’s DoppelPaymer.
The Department of National Defence said that “certain systems” of the Canadian Defence Academy, the umbrella organization for Canadian military education, were also affected. But the locus of the attack was RMC, whose networks have remained offline as a precaution. No classified information, the Department says, is at risk. The threat would appear, therefore, to be against network users' personal information.