Cyber Security News — Past 24 hours | 18.05.2021
Android Trojan TeaBot Emerges As A New Malware Targeting European Banks
One more Android banking trojan TeaBot has surfaced online that does not belong to any of the existing trojan families. This malware is currently running active campaigns against banks in different European countries. About TeaBot Android Trojan Security researchers from Cleafy have caught the new TeaBot malware active in the wild. Sharing their analysis, the researchers revealed that the malware is so named to clarify its uniqueness from other known banking trojans. In brief, TeaBot is a typical Android banking trojan that aims at stealing users’ credentials and SMS to conduct fraud. The malware has a predefined list of over 60 banks that it currently targets. To spread the attack, the malware reaches a target device as it mimics a legitimate app. Initially, the malware app bore the name “TeaTV”. Later, it changed the name to “VLC MediaPlayer”, alongside adopting a few more names such as “DHL”, “Mobdro”, and “UPS” to trick Android users. Upon reaching a device, the malware establishes itself by seeking various permissions. These include access to messages, phonebook, audio settings, device biometric modalities, draw over other apps, and Android Accessibility Service. With these privileges, the malware conducts different malicious activities to steal data, such as keylogging, extracting the list of installed apps (presumably to check for the presence of the targeted bank app), taking screenshots, and perform overlay attacks. What makes it distinct and somewhat evasive is that it generates less traffic by typically targeting the predefined apps only. Also, the malware bears a lot of junk code and executes partially encrypted communication using Xor. Plus, the malware app basically serves as a dropper that only drops the actual payload after verifying the existence of the target bank app on the infected device. These techniques help the malware to stay under the radar. Malware Active Against European Banks The researchers first observed TeaBot running active campaigns against Spanish banks in January 2021. Since then, the malware underwent improvisations to expand its target list. By March 2021, the malware included German and Italian banks on its hit list. And by May 2021, aimed at Belgium and the Netherlands banks too. Currently, the banking trojan supports Spanish, Italian, German, Dutch, French, and English languages. While it’s currently in its initial development, TeaBot is swiftly developing for more aggressive campaigns in the future.
FragAttacks — Newly Discovered Vulnerabilities Affect WiFi And IoT Devices
FragAttacks Vulnerabilities In WiFi Systems Security researcher Mathy Vanhoef has elaborated on the newly discovered security flaws affecting the WiFi system. Specifically, Vanhoef discovered three different design flaws and numerous programming flaws that threaten WiFi security. While the design flaws are hard to abuse, the programming flaws surely demand attention. The bugs are particularly important as they affect the latest WPA3 specification as well as the oldest WEP. Thus, it seems that the vulnerabilities had existed since 1997, but remained unnoticed. Exploiting these vulnerabilities could let an attacker achieve different malicious goals. The first type of bugs includes injection vulnerabilities. These allow intercepting the WiFi network with malicious unencrypted frames to reroute traffic to malicious DNS servers or to bypass NAT/firewall. These include four different bugs — CVE-2020–26145, CVE-2020–26144, CVE-2020–26140, and CVE-2020–26143 Whereas, the design flaws include aggregation attack (CVE-2020–24588), mixed key attack (CVE-2020–24587), and fragment cache attack (CVE-2020–24586). Also, the researcher noticed some other implementation vulnerabilities that include forwarding handshake frames to the unauthenticated sender (CVE-2020–26139) thus allowing aggregation attacks and injecting malicious frames with no user interaction, mixing encrypted and plaintext fragments (CVE-2020–26146 and CVE-2020–26147), process fragmented frames as full frames (CVE-2020–26142). The latter affects even those routers that do not support fragmentation or aggregation. Besides, another bug, CVE-2020–26141, also existed due to a lack of verification of TKIP MIC of fragmented frames. This video demonstrates exploiting a few of the FragAttacks. Precisely, the video shows exploiting aggregation design flaws to steal data, exploiting IoT devices via a smart socket, and taking over target computers in a local home network by these exploits.
Apple’s Find My Network Can be Abused to Exfiltrate Data From Nearby Devices
Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending «Find My Bluetooth» broadcasts to nearby Apple devices.
«It’s possible to upload arbitrary data from non-internet-connected devices by sending Find My broadcasts to nearby Apple devices that then upload the data for you,» Positive Security researcher Fabian Bräunlein said in a technical write-up disclosed last week.
But the reverse engineering of Apple’s Find My offline finding system also left the door open to the possibility that the protocol could be emulated to upload arbitrary data to the Internet by broadcasting the information via Bluetooth beacons that would get picked up by Apple devices in close physical proximity, and then subsequently relay the encrypted data to Apple’s servers, from where a macOS application can retrieve, decode, and display the uploaded data.
«The security solely lies in the encryption of the location reports: The location can only be decrypted with the correct private key, which is infeasible to brute force and only stored on the paired Owner Device,» Bräunlein said.
The idea, therefore, is to exploit this gap by encoding a message into the broadcast payloads and then obtaining them on the other end using a data fetcher component based on OpenHaystack that decrypts and extracts the information transmitted from the sender device, say, a microcontroller.
Why Password Hygiene Needs a Reboot
In today’s digital world, password security is more important than ever.
The Compromised Credential Crisis
As Microsoft’s security team put it, «All it takes is one compromised credential…to cause a data breach.» Coupled with the rampant problem of password reuse, compromised passwords can have a significant and long-lasting impact on enterprise security.
Given the vulnerabilities associated with these legacy approaches, The National Institute of Standards and Technology has revised its recommendations to encourage more modern password security best practices. At the root of NIST’s most recent recommendations is the recognition that human factors often lead to security vulnerabilities when users are forced to create a password that aligns with specific complexity requirements or forced to reset it periodically.
The Role of Credential Screening Solutions
So, how can companies monitor for signs of compromise? By adopting another NIST recommendation; namely, that organizations screen passwords against blacklists containing commonly used and compromised credentials on an ongoing basis.
No Substitute for Dynamic
There are numerous static blacklists available online and some companies even curate their own. But with multiple data breaches occurring on a real-time basis, newly compromised credentials are continuously posted on the Dark Web and available for hackers to leverage in their ongoing attacks. Existing blacklists or ones that are only updated periodically throughout the year are simply no match for this high-stakes environment.
The Path Forward
While NIST guidelines often inform best practice recommendations across the security industry, it’s ultimately up to security leaders to determine what works best for their unique needs and tailor their strategies accordingly.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT