At a glance.
- Two iOS zero-days in the Mail app.
- Antivirus products were vulnerable to post-compromise attacks.
- Large cryptomining botnet sinkholed and partially taken down.
- Android malware campaign tied to OceanLotus.
- COVID-19 phishing campaign reaches more than 800,000 Brazilians.
Two iOS zero-days in the Mail app.
Researchers at ZecOps discovered and disclosed two zero-days in iOS's default Mail app, one of which could be triggered remotely without user interaction (a "zero-click" flaw) by simply sending the victim a malformed email. The flaws can enable remote code execution within the context of the Mail app, allowing an attacker to read, modify, or delete emails. The researchers suspect the flaws are being used in combination with a kernel vulnerability to achieve full device access, but they don't share why they believe this is the case. They also believe a nation-state actor is exploiting the flaws in targeted attacks, adding that they "are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier."
Other researchers questioned ZecOps's assertion that the vulnerabilities are being exploited in the wild, since their conclusion was based only on crash reports and the existence of the vulnerabilities, rather than any hard evidence of intentional exploitation. ZecOps's researchers said the attackers would delete the malformed emails to cover their tracks, and as a result, ZecOps didn't actually see any of these emails. Apple stated, "We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers."
Jamf security researcher Patrick Wardle explained to WIRED, however, that zero-click attacks generally don't leave much evidence anyway, so it's "unlikely that if this vulnerability was used in highly targeted attacks that Apple would find evidence of such attack." Based on the information in ZecOps's report, Wardle told Motherboard, "We have all the pieces that likely indicates a vulnerability that’s being actively exploited."
Apple has already fixed the flaws in the publicly available iOS beta release, and the patches will be included in the next iOS update. Users who are concerned about the vulnerability in the meantime can simply delete the Mail app and reinstall it after the next update.
Many antivirus products were vulnerable to post-compromise attacks.
Researchers at RACK911 Labs uncovered race-condition flaws affecting twenty-eight popular antivirus products, including software by Avast, Bitdefender, Comodo, F-Secure, ESET, FireEye, Kaspersky, Malwarebytes, McAfee, and Sophos. Most of the vendors have already patched the flaws, and the researchers believe the rest will issue fixes promptly following the publication of their research.
The attacks use directory junctions in Windows and symlinks in Linux and macOS. Directory junctions are files that link two directories together, while symlinks are shortcut files, but both are similar in that they simply point to data stored in another location. The researchers used this functionality to trick the antivirus products (which usually run as root) into performing operations on the wrong files by exploiting "the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after." During this interval, they replaced the malicious file with a symlink or directory junction pointing to an innocuous file on the computer. Since the antivirus runs as root, it's allowed to delete any file in the environment, including its own internal programs or essential parts of the operating system.
The vulnerabilities can only be exploited by an attacker who's already compromised the device, but the attacker doesn't need administrative privileges and the flaws are easy to exploit. The RACK911 researchers released a proof-of-concept showing how the flaws could be used for file deletion, allowing them to disable the antivirus product or even the operating system itself. They also note that in some cases the flaws could have led to privilege escalation.
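The defensive side of the scan-then-cleanup race described above: a cleanup routine that records the flagged file's identity at scan time and refuses to delete anything that has since turned into a symlink or a different file. This is an added illustration, not RACK911's proof-of-concept or any vendor's code; it assumes a POSIX system (the symlink case from the article, not Windows junctions) and uses a constructed temp directory as the "victim" machine.

```python
import os
import stat
import tempfile

def record_identity(path):
    """Scan time: remember which file object was flagged, using lstat so a link is never followed."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino, stat.S_IFMT(st.st_mode))

def safe_remove(path, identity):
    """Cleanup time: delete the entry only if it is still the exact file seen at scan time.
    The entry is examined and unlinked relative to an open handle on its parent directory,
    and a symlink (or anything whose device/inode/type changed) is refused instead of followed."""
    parent, name = os.path.split(os.path.abspath(path))
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        st = os.lstat(name, dir_fd=dir_fd)
        if stat.S_ISLNK(st.st_mode):
            return "refused: entry is now a symlink"
        if (st.st_dev, st.st_ino, stat.S_IFMT(st.st_mode)) != identity:
            return "refused: entry was replaced since scan"
        os.unlink(name, dir_fd=dir_fd)
        return "deleted"
    finally:
        os.close(dir_fd)

def demo():
    """Constructed scenario in a temp dir: a flagged sample, then the race the article describes,
    where the flagged name is swapped for a symlink to a file the cleanup must not touch."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "engine.conf")      # stands in for an AV or OS file
        flagged = os.path.join(d, "sample.bin")
        with open(protected, "w") as f:
            f.write("do not delete\n")
        # Case 1: nothing changes between scan and cleanup, so the sample is removed.
        with open(flagged, "w") as f:
            f.write("constructed malicious sample\n")
        untouched = safe_remove(flagged, record_identity(flagged))
        # Case 2: an unprivileged user wins the race and points the flagged name elsewhere.
        with open(flagged, "w") as f:
            f.write("constructed malicious sample\n")
        ident = record_identity(flagged)
        os.unlink(flagged)
        os.symlink(protected, flagged)
        swapped = safe_remove(flagged, ident)
        return untouched, swapped, os.path.exists(protected)
```

A real product would additionally hold the directory handle open from scan to cleanup so the parent path itself cannot be swapped underneath it.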
Large cryptomining botnet sinkholed and partially taken down.
ESET discovered and disrupted a botnet that's been active since at least May 2019 and had infected more than 35,000 devices, more than 90% of which were located in Peru. The botnet, which ESET calls "VictoryGate," was primarily used for cryptomining, although the researchers note that the operator could have issued and executed new malware payloads at will. The cryptomining itself was taxing and disruptive, causing consistent CPU usage of between 90% and 99%. ESET estimates, based on its visibility, that the botnet has generated at least $6,000 worth of Monero.
The botnet malware was distributed via infected USB drives, which ESET notes is a common mode of malware distribution in Latin America. The malware would spread to any USB drives that connected to an infected computer, and those USB drives would in turn infect any computer they were plugged into. ESET researcher Alan Warburton told CyberScoop that this physical mode of distribution is the reason the botnet was largely confined to a single geographic region.
The USB malware is stealthy, and it will copy the names and file types of the files that were originally on a USB while replacing their content with AutoIt scripts. Meanwhile, the original files are moved to a hidden folder on the USB. When a user tries to open one of the visible files, they'll unknowingly run the AutoIt script, which will install a malware agent while simultaneously opening the legitimate file in the hidden folder.
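A detection heuristic for the USB replacement pattern just described, added here as an illustration rather than anything from ESET's report: it walks the root of a removable drive and flags visible files whose bytes are a Windows executable despite a document or image extension (compiled AutoIt scripts are ordinary PE files), and visible files that have an identically named twin in a hidden folder. The hidden-folder convention, extension list and sample layout are assumptions built in a temp directory.

```python
import tempfile
from pathlib import Path

# Extensions a user would double-click on a USB stick; none of them should start with a PE header.
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
PE_MAGIC = b"MZ"  # compiled AutoIt scripts are ordinary Windows executables

def is_hidden(p):
    # POSIX dot-file convention; on a Windows mount the hidden attribute would be checked instead.
    return p.name.startswith(".")

def scan_removable_root(root):
    """Heuristic for the decoy pattern: a visible file whose bytes are really an executable under a
    document/image name, and/or an identically named original parked in a hidden folder."""
    root = Path(root)
    hidden_names = {}
    for d in root.iterdir():
        if d.is_dir() and is_hidden(d):
            for f in d.iterdir():
                if f.is_file():
                    hidden_names.setdefault(f.name, d.name)
    findings = []
    for f in sorted(root.iterdir()):
        if not f.is_file() or is_hidden(f):
            continue
        reasons = []
        with f.open("rb") as fh:
            head = fh.read(2)
        if f.suffix.lower() in DOCUMENT_EXT and head == PE_MAGIC:
            reasons.append("executable content under a document/image extension")
        if f.name in hidden_names:
            reasons.append("original with the same name in hidden folder " + hidden_names[f.name])
        if reasons:
            findings.append({"file": f.name, "reasons": reasons})
    return findings

def demo():
    """Constructed USB layout: two decoys in the root, originals moved to a hidden folder,
    and one untouched file that must not be flagged."""
    with tempfile.TemporaryDirectory() as usb:
        hidden = Path(usb) / ".originals"
        hidden.mkdir()
        (hidden / "budget.xlsx").write_bytes(b"PK\x03\x04 original workbook (constructed)")
        (hidden / "photo.jpg").write_bytes(b"\xff\xd8\xff original photo (constructed)")
        (Path(usb) / "budget.xlsx").write_bytes(b"MZ\x90\x00 decoy launcher (constructed)")
        (Path(usb) / "photo.jpg").write_bytes(b"MZ\x90\x00 decoy launcher (constructed)")
        (Path(usb) / "readme.txt").write_bytes(b"plain text, never replaced")
        return scan_removable_root(usb)
```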
All of the botnet's command-and-control domains were registered with the dynamic DNS provider No-IP, and No-IP promptly shut them down after being notified by ESET. This will block new victims from downloading additional payloads over the internet, but it won't stop previously infected machines from mining Monero.
Android malware campaign tied to OceanLotus.
Kaspersky discovered a long-running Android malware campaign in the Google Play Store. The malware involved was more sophisticated than the usual Android adware or phishing apps, and the researchers tied the campaign "with medium confidence" to OceanLotus, a threat actor associated with the Vietnamese government.
The campaign deployed malicious apps in the Play Store beginning in 2016, although Kaspersky tied the activity to an earlier OceanLotus Android campaign that ran from 2014 to 2017. The apps functioned as spyware and had the ability to install additional payloads. The apps were taken down by Google when they were detected over the years, but they're still being offered in some third-party app stores. The malware hit users across South Asia, with some victims in Iran and Africa, but some of the malicious apps were clearly targeted at users in Vietnam.
COVID-19 phishing campaign reaches more than 800,000 Brazilians.
Akamai researchers describe a widespread phishing campaign targeting Brazil with "three-question quiz" scams that purport to offer government benefits to low-income families during the COVID-19 pandemic. (Akamai provided an overview of three-question quiz scams in 2018.) In this case, the victims are asked to answer several questions about themselves within five minutes in order to see if they're qualified to receive R$500 (approximately US$96) from the government. No matter which answers are given, the victim will be told they're eligible for the money so long as they share the page with ten friends or five groups via WhatsApp. After this, the victims will either be asked to answer more personal questions or sent to another site where they'll be tricked into installing adware.
Akamai observed more than 850,000 victims of this scam, 99% of which were located in Brazil. 99.9% of the victims were using Android phones, since the website was designed to only accept mobile devices. The campaign peaked on March 21st and 22nd, then tapered off by the end of the month as its domains were taken offline.