At a glance.
- Watering-hole attacks target Hong Kong users with iOS exploits.
- More watering-hole attacks focused on an Asian religious and ethnic group.
- COVID-19 phishing still going strong.
- An overview of Nigerian cybercriminal activity.
iOS exploits used against Hong Kong forum users.
Trend Micro and Kaspersky both published reports on a watering-hole attack discovered in January 2020 that targeted users in Hong Kong with a full iOS exploit chain. Kaspersky has temporarily assigned the name "TwoSail Junk" to the threat actor, but the company suspects the campaign is linked to the Chinese-speaking APT known to the industry as "SpringDragon," "Lotus Blossom," "Billbug," and "Thrip."
Trend Micro outlines the infection chain in a detailed report. The attackers posted links on four popular Hong Kong-based forums. The links led to what appeared to be local news pages, but were actually web pages created by the attackers. These web pages contained three iframes, two of which were invisible to the user. The visible iframe loaded a web page from a legitimate news site, so the user would believe they were on the right website. One of the invisible iframes recorded visitor statistics, while the other would connect to a server and load the script for the iOS exploit.
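The three-iframe layout described above (one visible frame showing a legitimate site, hidden frames loading a tracker and an exploit loader) is something a defender can screen for when reviewing pages linked from forums. The following script is an added example, not code from Trend Micro, Kaspersky or the original newsletter: it parses a constructed lure page with Python's standard-library HTML parser and flags iframes that are both hidden (zero or one-pixel size, `display:none`, `visibility:hidden`, or the `hidden` attribute) and sourced from a host other than the page itself. All host names in the sample are placeholders, not real indicators from the reports.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure page (hypothetical hosts, not real IoCs). It mirrors
# the structure in the write-up: a full-size iframe showing a real news site,
# a zero-size visitor-statistics iframe, and a display:none exploit loader.
# A same-origin hidden iframe is included to show that origin matters.
SAMPLE_LURE_HTML = """
<html><body>
<iframe src="https://news.example-legit.test/story/123" width="100%" height="800"></iframe>
<iframe src="https://stats.example-tracker.test/count.php" width="0" height="0"></iframe>
<iframe src="https://cdn.example-attacker.test/loader.html" style="display:none"></iframe>
<iframe src="/ads/banner.html" width="0" height="0"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height values like '0', '0px', '1px' that render invisibly."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects every <iframe> with its src and a hidden/visible verdict."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)  # boolean attributes such as `hidden` map to None
        style = a.get("style") or ""
        hidden = (
            _is_tiny(a.get("width"))
            or _is_tiny(a.get("height"))
            or bool(HIDDEN_STYLE.search(style))
            or "hidden" in a
        )
        self.iframes.append({"src": a.get("src") or "", "hidden": hidden})


def find_suspicious_iframes(html, page_host):
    """Return iframes that are hidden AND load from a host other than page_host.

    Relative src values resolve to page_host and are treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for frame in parser.iframes:
        host = urlparse(frame["src"]).hostname or page_host
        if frame["hidden"] and host != page_host:
            flagged.append({"src": frame["src"], "host": host})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_LURE_HTML, "lure.example-forumlink.test"):
        print("hidden off-origin iframe:", hit["host"], "<-", hit["src"])
```

Run against saved copies of pages linked from community forums, the output lists the hosts that hidden frames pull content from; those hosts are the ones worth checking against threat intelligence and proxy logs. The visible news iframe and the same-origin hidden frame are deliberately not flagged, since either alone is common on benign sites.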
This script exploited a silently patched Safari vulnerability in iOS versions 12.1 and 12.2, as well as a known kernel vulnerability (CVE-2019-8605) that grants root privileges. After this, the attacker installed what Trend Micro calls "undocumented and sophisticated spyware for maintaining control over devices and exfiltrating information." A URL found in the payload led Trend Micro to believe there is also an Android version of the malware.
Kaspersky released additional details to supplement Trend Micro's report, noting that the attackers used backdoors that are 99% similar to those used by the SpringDragon APT.
Targeted watering-hole attacks against undisclosed Asian religious and ethnic group.
Kaspersky reported on another watering-hole attack discovered in December 2019 that's been targeting "an Asian religious and ethnic group" since at least May 2019. The attacks used compromised websites that belonged to "personalities, public bodies, charities and organizations of the targeted group." All of these sites are hosted on the same server, and some are still compromised as of March 31st, 2020. The goal of the campaign is unknown, but the researchers say the malware delivered by the websites is "probably used to conduct reconnaissance and data-exfiltration operations."
The compromised websites first use a script to gather information on visitors and determine whether they should be targeted. When the site decides to target a user, it displays a fake Flash Player update notification prompting the user to download an installer. This file installs a backdoor hosted on the attacker's GitHub account (which has since been taken down). The backdoor is written in Go, and the researchers identified several hints indicating that the malware may have been authored by a Chinese speaker.
Kaspersky doesn't attribute the campaign to any known groups. The researchers describe the group's toolset as "unsophisticated but creative," and they suspect the malware is still under development.
COVID-19 phishing still going strong.
Proofpoint has found that coronavirus-themed lures are currently being used in "more than 80 percent of the threat landscape," and these attacks are still on the rise. Proofpoint's researchers emphasize the versatility of this topic, stating, "We have seen nearly every type of attack being used with coronavirus themes, including (but not limited to) business email compromise (BEC), credential phishing, malware, and spam email campaigns. Overall, we’ve seen a significant amount of credential phishing in these attacks. The threat actors behind these attacks run the gamut from small unknown actors to prominent threat actors like TA542 (the group behind Emotet)."
Malwarebytes describes a scam attempting to take advantage of the out-of-work and unemployed by telling people they can make millions of dollars in Bitcoin while working from home.
Bitdefender reports that a Netflix phishing campaign peaked in Brazil following the streaming service's announcement that it would reduce its streaming quality from high-definition to standard in an effort to conserve bandwidth. These emails tried to trick users into entering their payment information by telling them their account had been suspended.
Looking ahead, FireEye warns that scammers can be expected to make broad use of the US stimulus bill over the next few weeks. Attackers are already taking advantage of this theme in ongoing phishing campaigns, but FireEye says more attackers will "incorporate these themes in proportion to the media’s coverage of these topics."
Trends in Nigerian cybercriminal activity.
Palo Alto Networks's Unit 42 outlines the activities of more than 480 Nigerian cybercriminal groups, which Unit 42 collectively calls "SilverTerrier." The researchers found that Nigeria-based groups have "produced more than 81,300 samples of malware linked to 2.1 million attacks" since 2014. In 2019, these groups carried out an average of 92,739 business email compromise (BEC) attacks per month. Since these actors are financially motivated, they are "indiscriminate in their targeting." The high-technology sector received the most attention from Nigerian threat groups last year, but notably the professional and legal services industry saw a 1163% increase in attacks from these actors in 2019.