Cyber Security News — Past 24 hours | 05.05.2021
Hackers Target Rogers With a New SMS Phishing Campaign
Rogers Communications Inc. Rogers Communications Inc. Rogers’ offices are located in Toronto and Ontario. Rogers Sr. formed Rogers Vacuum Tube Company to market battery less radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station, and then became part-owners of a consortium that created the CFTO television station. Rogers replied that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link.
A message from Rogers CTO Jorge Fernandes to customers the next day said, «We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers». Rogers is aware of the scam and has advised users to «forward the content of the SMS to 7726 , to register it for investigation/blocking from the network,» according to a tweet from the company.
How Should the Service Desk Reset Passwords?
Ask the average helpdesk technician what they do all day, and they will probably answer by saying that they reset passwords. Sure, helpdesk technicians do plenty of other things too, but in many organizations, a disproportionate number of helpdesk calls are tied to password resets.
Security and the service desk
The first step in the password reset process involves a user picking up the phone and calling the helpdesk to request a password reset. The problem with this is that the helpdesk technician who answers the phone has no way of knowing whether or not the user is truly who they claim to be.
Positively establishing a caller’s identity was less of an issue when virtually all users worked in the corporate office, because a user’s caller ID information could sometimes be used as a validation tool. While using caller ID in this way does not completely eliminate the chances of one user spoofing another user’s identity, it does make it so that a user who wishes to impersonate another user would have to call the helpdesk from that user’s desk.
Today of course, things are far different than they once were. As the pandemic drags on, many workers continue to work from home.
Needless to say, there are some major challenges associated with the password reset process. The best way to overcome these challenges is to adopt a third-party password solution that can securely verify a user’s identity prior to performing a password reset
New FluBot Android Banking Trojan Spread Via SMS Phishing
Specifically, they have spotted a new Android banking trojan in the wild identified as ‘FluBot’. Briefly, the malware leverages SMS phishing to spread its infection. The attack begins when a potential victim receives an SMS about some package delivery. While it predominantly functions like a banking trojan as it aims at stealing financial data by displaying overlay screens.
This should serve as a red alert since clicking on a simple harmless URL from an SMS doesn’t require such permissions. After the user grants the permissions, the malware executes. Reaching out to the C2 server, the malware sends the victim’s contact list and retrieves an SMS phishing message and number to continue its spread using the victim’s device. Additional functionality includes intercepting SMS messages, USSD messages from the telecom operator, and app notifications, opening pages on a victim’s browser, disabling Google Play Protect to prevent its detection, opening a SOCKS connection and creating a SOCKS proxy for communication depending on the C2 request, and uninstalling any app as directed by the C2.
To ensure the campaign goes on, the malware uses Domain Generation Algorithm to connect with C&C. Malware Active In Europe — Likely To Spread Further Explaining more about this banking trojan, Proofpoint explained that the malware first surfaced online in late 2020. The researchers from ThreatFabric then identified it as ‘Cabassous’.
Shlayer Malware Exploited macOS Zero-Day To Bypass Apple Security
Apple has recently released macOS Big Sur 11.3. This update addresses numerous security flaws including a zero-day under attack. As revealed, this zero-day attracted Shlayer malware to target vulnerable macOS devices via Gatekeeper bypass. Shlayer Malware Exploiting macOS Zero-day Apple security firm Jamf Protect has shared details of a serious macOS zero-day that a Shlayer malware variant actively exploits.
The vulnerability first caught the attention of researcher Cedric Owens who then reported it to Apple. It was a serious security issue that allowed an adversary with a malicious app to bypass Apple’s security check Gatekeeper. Elaborating further on this issue, Patrick Wardle explained that a logic issue existed in the way macOS evaluates an app. Following this discovery, Wardle reached out to Jamf Protect that detected active exploitation of the bug by a Shlayer variant.
Shlayer first caught attention in June 2020 when researchers noticed it actively targeting macOS devices. The malware would easily bypass Apple’s underlying security mechanisms, such as Gatekeeper, Notarization, and File Quarantine. And now, Jamf detected a Shlayer variant already designed in a way to exploit this logic issue CVE-2021–30657. This vulnerability caught the attention of F-Secure researcher Rasmus Sten who then reported it to Apple.
While the researcher hasn’t shared more details of the bug for now due to security. Zip file that exploits the vulnerability, allowing them to bypass macOS Gatekeeper’s code signature and notarization checks. Alongside the two, Apple has also released tens of other security fixes with macOS Big Sur 11.3.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT