At a glance.
- Nobelium launches spearphishing campaign.
- XCSSET macOS malware exploited third zero-day.
- New ransomware strain spotted.
- TeamTNT compromises nearly 50,000 Kubernetes clusters.
- Teabot and Flubot delivered by malicious Android apps.
Nobelium launches spearphishing campaign.
Microsoft has observed an ongoing spearphishing campaign launched by Nobelium, the threat actor behind the SolarWinds supply-chain attack (also tracked as APT29, or Russia's SVR). The threat actor in this case compromised an email marketing account belonging to the US State Department's USAID, then used the account to send more than 3,000 emails to 150 organizations:
"This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place."
Volexity has also been tracking the campaign, and attributes it "with moderate confidence" to APT29.
XCSSET macOS malware exploited third zero-day.
Researchers at Jamf have discovered that the XCSSET macOS malware was using a third zero-day to bypass Apple's Transparency, Consent, and Control (TCC) framework. The malware was previously known to have exploited two (now-patched) zero-days. Jamf explains, "[TCC] is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior. We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions."
Apple patched this vulnerability with macOS 11.4, and Jamf urges users to update promptly.
New ransomware strain spotted.
Sophos describes a new ransomware dubbed "Epsilon Red" that recently targeted a US-based hospitality company by exploiting an unpatched Microsoft Exchange Server. The malware is simple and manually operated: it encrypts only the folders its operators select. The researchers note that the ransom note is similar to the note dropped by REvil operators, but the malware itself doesn't bear similarities to any other strains.
TeamTNT compromises nearly 50,000 Kubernetes clusters.
Trend Micro says the cybercriminal group TeamTNT has compromised nearly 50,000 Kubernetes clusters to deploy the XMRig cryptominer:
"We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. Most of the compromised nodes were from China and the US — identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers). It should be noted the numbers reflect the likelihood of significantly more clusters in operation for the US and China than many other countries."
The researchers conclude, "This campaign is notable because it is the first time we analyzed published tools from the TeamTNT group. Furthermore, the continued use of crypto-jacking and credential-stealing indicates that these will remain in the threat actor’s primary repertoire of techniques for the near future. The high number of targets shows that TeamTNT is still expanding its reach (especially in cloud environments) and perhaps infrastructure since the group can monetize a more significant amount from their campaigns with more potential victims."
Teabot and Flubot delivered by malicious Android apps.
Researchers at Bitdefender have found five Android apps that deliver the Teabot banking Trojan. The apps themselves aren't available from the Google Play Store, but they're modeled after some of the Play Store's most popular apps, including VLC media player and Kaspersky Antivirus.
"From Bitdefender’s telemetry, we were able to identify two new infection vectors, namely the applications with package names ‘com.intensive.sound’ and ‘com.anaconda.brave’, which download Teabot. These are malware dropper applications known for imitating legitimate applications (such as Ad Blocker in our case).
"The fake Ad Blocker apps don’t have any of the functionality of the original version. They ask permission to display over other applications, show notifications, and install applications outside of Google Play, after which they hide the icon."