At a glance.
- Chinese threat actor targets Israeli entities.
- Android Trojan compromises Facebook accounts.
- Cyberespionage campaign targets critical infrastructure in Southeast Asia.
- New router vulnerability exploited.
Chinese threat actor targets Israeli entities.
FireEye describes a Chinese cyberespionage campaign targeting Israeli entities. The researchers identified some similarities between this threat actor, dubbed "UNC215," and APT27 (also known as Emissary Panda), but they don't definitively attribute the activity to APT27:
"In early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage group UNC215. These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia. ... In addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region."
FireEye notes that the threat actor's malware contains some Farsi strings and references to Iran, which the researchers believe are false flags.
Android Trojan compromises Facebook accounts.
Zimperium outlines a new Android Trojan dubbed "FlyTrap" that compromises victims' Facebook accounts by stealing session cookies. The malware is first installed via malicious apps in the Google Play store and third-party app stores (though Google has since removed the apps from its own store). Once installed, the apps prompt the user to log in to their Facebook account in order to receive a coupon. The login occurs through Facebook's legitimate single sign-on (SSO) service. As a result, the malware isn't able to obtain the victim's Facebook credentials, but it can extract information about the authenticated session:
"Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an account, there are ways to hijack sessions even by logging into the original and legit domain. This Trojan exploits one such technique known as JavaScript injection. Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code."
Zimperium says at least 10,000 victims in 140 countries have been infected by FlyTrap. The researchers also note that the attackers have inadvertently left their command-and-control server unsecured, so all of the stolen session cookies are accessible from the public internet.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, lamented the impression of safety users have generally granted app stores:
"It’s unfortunate that app stores have cultivated an image of safety and security for the software they distribute. Most users are under the false impression that apps distributed by first party stores are legitimate and safe to use when the reality is that malware routinely slips through. In general users should be on guard for apps that advertise getting paid services for free and only enter account credentials in apps for those services. It’s a difficult problem to solve 100%, but app stores really must step up review and enforcement of the apps they distribute to keep their users safe."
Cyberespionage campaign targets critical infrastructure in Southeast Asia.
Researchers at Symantec have observed a cyberespionage campaign that targeted four critical infrastructure entities in an unnamed Southeast Asian country. The researchers state, "Among the organizations targeted were a water company, a power company, a communications company, and a defense organization, with evidence the attackers were interested in information about SCADA systems. The attacks were ongoing from at least November 2020 to March 2021, several months before the Colonial Pipeline attack that drew the attention of the world to the danger posed by attacks on critical infrastructure, and may have begun even earlier than that." The researchers suspect the threat actor is based in China, though they don't attribute the campaign to any specific actor.
New router vulnerability exploited.
Juniper Networks warns that attackers are exploiting CVE-2021-20090, an authentication-bypass vulnerability in routers that use Arcadyan firmware. The vulnerability was disclosed by Tenable on August 3rd. Tenable noted that the scope of the vulnerability will be difficult to quantify, since Arcadyan firmware is used in "at least 20 models across 17 different vendors."
Juniper found that a threat actor began exploiting the vulnerability to install Mirai botnet malware just two days after the flaw was disclosed:
"As of August 5, we have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. The attacker seems to be attempting to deploy a Mirai variant on the affected routers using scripts similar in name to the ones mentioned by Palo Alto Networks in March. We had witnessed the same activity starting February 18. The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability. Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out."