Alert


Linux VMs Deliver Malware to Windows Systems

Cybercriminals have launched a new phishing campaign that infects Windows computers with backdoored Linux virtual machines (VMs). These VMs allow attackers to bypass traditional antivirus software and maintain persistence on the compromised system.

The Phishing Scheme

The phishing emails contain a ZIP file attachment that, when opened, installs a Linux VM on the victim’s Windows machine. The VM is then used to deliver malware and conduct malicious activities, such as data theft and remote access. The attackers can control the VM from a remote server, making it difficult to detect and remove.

How the Attack Works

The ZIP file attachment contains a script that downloads and installs the Linux VM using a tool called VirtualBox. Once installed, the VM runs in the background and connects to a remote server controlled by the attackers. The attackers can then use the VM to execute commands, transfer files, and maintain access to the compromised system.

Consequences of the Attack

The backdoored Linux VMs can bypass traditional antivirus software, making it challenging to detect the infection. The VMs also provide a persistent foothold for the attackers, allowing them to stay on the system even after the initial malware is removed. This enables the attackers to continue their malicious activities undetected.

Protecting Yourself

To avoid falling victim to this attack:

  1. Be Cautious of Suspicious Email Attachments: Avoid opening attachments from unknown or suspicious senders, especially ZIP files. Verify the sender’s identity and the attachment’s purpose before opening it.
  2. Use Antivirus Software with Linux Detection: Ensure your antivirus software has the capability to detect Linux malware and VMs. Keep your antivirus software up to date to stay protected against the latest threats.
  3. Regularly Update Your Operating System and Software: Keep your Windows operating system and software up to date with the latest security patches and updates. This will help fix vulnerabilities that attackers could exploit.
  4. Implement Robust Endpoint Detection and Response: Use an endpoint detection and response (EDR) system to monitor your system for suspicious activity and respond to potential threats in real-time.

Stay vigilant and protect your Windows PC from these sophisticated phishing attacks. Be cautious of suspicious email attachments, use antivirus software with Linux detection, keep your system updated, and implement robust endpoint security. By following these steps, you can reduce the risk of falling victim to this new phishing campaign.
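The process-telemetry check below is an added example, not code from the original article or from BleepingComputer. It turns the details above into something an EDR rule or a hunting script can act on: a VirtualBox executable started by a script interpreter (the kind of process a ZIP-borne installer script runs under), or a VirtualBox binary running from a user-writable directory instead of the normal install path. The event records are constructed to resemble process-creation telemetry; the field names, the trusted install path and the script-host list are assumptions rather than values from the article.

```python
"""Flag VirtualBox launches that look dropped by a phishing script (added example; constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple

# VirtualBox executables as they appear in process telemetry (names of real VirtualBox binaries).
VBOX_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "virtualboxvm.exe", "virtualbox.exe"}
# Script interpreters an attachment-borne installer script would run under (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed normal install location; a VM launched from anywhere else deserves a look.
TRUSTED_PREFIX = "c:\\program files\\oracle\\virtualbox\\"


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are an assumption, not a vendor schema)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_vm_launches(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for VirtualBox processes with at least one suspicious trait."""
    findings = []
    for ev in events:
        if image_name(ev.image) not in VBOX_IMAGES:
            continue
        reasons = []
        if not ev.image.lower().startswith(TRUSTED_PREFIX):
            reasons.append("VirtualBox binary outside the normal install directory")
        parent = image_name(ev.parent_image)
        if parent in SCRIPT_HOSTS:
            reasons.append(f"started by script host {parent}")
        # Headless VMs are normal for developers; it only adds weight once another trait fired.
        if reasons and "headless" in ev.cmdline.lower():
            reasons.append("VM started headless, so the user sees no window")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed sample events: one benign launch, two matching the campaign's pattern, one unrelated.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe",
              r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
              "VirtualBoxVM.exe --startvm dev-box"),
    ProcEvent(200, r"C:\Users\alice\AppData\Local\Temp\vbox\VBoxHeadless.exe",
              r"C:\Windows\System32\cmd.exe",
              "VBoxHeadless.exe --startvm vm1"),
    ProcEvent(300, r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "VBoxManage.exe startvm vm1 --type headless"),
    ProcEvent(400, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_vm_launches(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The benign launch (pid 100) produces nothing because it runs from the install directory under the VirtualBox GUI; pid 200 trips all three traits, and pid 300 shows that a legitimately installed VBoxManage is still worth flagging when a script host drives it. In production the same logic would read from Sysmon or EDR process events rather than a constructed list.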

Citation: BleepingComputer, “Windows infected with backdoored Linux VMs in new phishing attacks.”

Sophos X-Ops uncovers China-based groups' tactics targeting Pacific Rim infrastructure

China-Based Threats Target Pacific Rim Infrastructure

Sophos Uncovers China-Based Threats Targeting Pacific Rim Infrastructure: A Five-Year Investigation

For over five years, Sophos has been investigating multiple China-based groups targeting its firewalls, using botnets, novel exploits, and custom malware. With the assistance of other cybersecurity vendors, governments, and law enforcement agencies, Sophos has attributed specific clusters of activity to groups like Volt Typhoon, APT31, and APT41/Winnti. Sophos X-Ops has identified exploit development in Sichuan, China, which was likely shared with various state-sponsored groups.

The attackers’ tactics have evolved significantly over time. Initially, they launched noisy, widespread attacks on perimeter devices, but shifted to stealthier operations against high-value targets in the Indo-Pacific region, including nuclear energy suppliers, military organizations, telecoms, and government agencies. Sophos has observed improved stealth and persistence techniques, such as living-off-the-land tactics, backdoored Java classes, memory-only Trojans, and a previously unknown rootkit. They’ve also sabotaged firewall telemetry and reduced their digital footprint to evade detection.

Sophos X-Ops has tracked the activity from December 2018 to November 2023, with notable attacks including the 2018 Cyberoam intrusion, the Asnarök and Personal Panda campaigns, and the Covert Channels and Under-the-Radar attacks. The attackers have become more skilled at hiding their activities, blocking telemetry, and improving their operational security. Sophos has provided TTPs and IOCs in the detailed timeline and outlined steps to detect and respond to attacks.

Edge devices are high-value targets for state-sponsored adversaries, who use them for initial access and persistence. Defenders should follow vendor hardening guides, enable hotfixes, and monitor vulnerability disclosures. The targeting is not limited to high-value espionage targets; threat actors use edge devices as operational relay boxes to attack other targets and obscure their origin.

Sophos X-Ops has identified three key evolving attacker behaviors:

  1. Shift in focus: From indiscriminate noisy attacks to stealthier operations against specific high-value and critical infrastructure targets primarily located in the Indo-Pacific region. Victim organizations include nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government.
  2. Evolution in stealth and persistence: Notable recent TTPs include increased use of living-off-the-land, insertion of backdoored Java classes, memory-only Trojans, a large and previously undisclosed rootkit (with design choices and artifacts indicative of cross-platform multi-vendor capability), and an early experimental version of a UEFI bootkit. Sophos believes this is the first observed instance of bootkit use specifically on a firewall.
  3. Threat actor OPSEC improvements: Sabotaging firewall telemetry collection, impacting detection and response capability, and hampering OSINT research via a reduced digital footprint.

In response to calls from NCSC-UK and CISA, Sophos aims to transparently highlight the scale and widespread exploitation of edge network devices by state-sponsored adversaries. The company encourages other vendors to follow their lead.

To aid defenders, Sophos has:

  • Provided TTPs and IOCs in the appendix of the detailed timeline to help identify detection opportunities
  • Outlined the steps it takes to detect and respond to attacks against its customers’ firewalls
  • Warned that state-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices
  • Recommended closely following vendor device hardening guides to reduce the attack surface and limit exploitability of zero-day vulnerabilities
  • Emphasized the importance of enabling hotfixes, monitoring vendor vulnerability disclosure communications, and quickly responding accordingly
  • Stressed that state-sponsored targeting is not limited to high-value espionage targets

The adversaries appear to be well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware. The attacks highlighted in this research demonstrate a level of commitment to malicious activity rarely seen in Sophos’ nearly 40-year history.

Sophos X-Ops is happy to collaborate with others and share additional detailed IOCs on a case-by-case basis. The company is committed to continuing to tell this story over time, so long as it doesn’t interfere with or compromise law enforcement investigations in progress.

Citation: Sophos X-Ops. Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats. https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/


New LightSpy iPhone Spyware Version

Cybersecurity researchers have discovered an updated version of the LightSpy iOS spyware that not only expands its surveillance capabilities but also incorporates destructive features to prevent the infected device from booting up. The malware targets sensitive information on iPhones, including Wi-Fi networks, location data, and app data, and can even delete files and freeze the device.

LightSpy, first identified in 2020 targeting Hong Kong users, is a modular implant with a plugin-based architecture that captures a wide range of data. Attack chains distributing the malware exploit known iOS and macOS vulnerabilities to drop a Mach-O binary disguised as a PNG file, which retrieves next-stage payloads from a remote server using a memory corruption flaw (CVE-2020-3837).

The latest version (7.9.0) includes 28 plugins, up from 12 in previous versions, and can gather data from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp. New plugins also add destructive capabilities, such as deleting media files, SMS messages, Wi-Fi profiles, contacts, and browser history, and freezing the device to prevent booting.

The malware’s command-and-control (C2) server checks for arguments passed from the FrameworkLoader component, which downloads LightSpy’s Core module and plugins. The Core module creates folders for logs, database, and exfiltrated data in /var/containers/Bundle/AppleAppLit/. Plugins can capture Wi-Fi networks, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, and call history.

The exact distribution method is unclear, but watering hole attacks are suspected. The operators are believed to be based in China, as the location plugin uses the GCJ-02 coordinate system exclusive to Chinese map services. ThreatFabric notes that the threat actors closely monitor security researcher publications to reuse newly disclosed exploits.

“The LightSpy iOS case highlights the importance of keeping systems up to date,” the company said. “The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices.”

Beware of Quishing: The Latest Threat to Your Online Security

Two-factor authentication (2FA) is a crucial security measure to protect online accounts, but a new threat called “quishing” has emerged to bypass it. Quishing involves tricking users into installing a malicious app that steals their 2FA codes, allowing attackers to gain access to accounts. This technique is particularly dangerous as it can bypass SMS-based 2FA, which is still widely used. Sophos researchers discovered quishing attacks targeting Android devices, but it could potentially affect other platforms as well. To stay safe, users should be cautious when installing new apps and only use authenticator apps from trusted sources. Additionally, enabling app-specific passwords and using more secure 2FA methods like TOTP or U2F keys can help mitigate the risk.

Original article: https://news.sophos.com/en-us/2024/10/16/quishing/

Beware The Vo1d

1.3 Million Android TV Boxes Infected with Vo1d Malware, Warns Doctor Web

A new malware called Vo1d has infected nearly 1.3 million Android-based TV boxes worldwide, compromising the security of users in 197 countries. The backdoor malware can download and install third-party software without users’ knowledge, and most infections have been detected in Brazil, Morocco, Pakistan, and other countries.

Malware Details

Vo1d replaces the “/system/bin/debuggerd” daemon file and introduces two new files, “/system/xbin/vo1d” and “/system/xbin/wd,” containing malicious code. It targets TV models such as KJ-SMART4KVIP, R4, and TV BOX, which run outdated Android versions. The malware operates by starting the “wd” module and downloading executables from a command-and-control server.

Infection Method

The source of the infection is unknown, but it may have involved prior compromise or the use of unofficial firmware with built-in root access. The malware disguises itself as the “vold” program, substituting the lowercase “l” with a number “1” in the filename.
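As an added example (not code from Doctor Web or The Hacker News), the check below applies the two file-level observations in this summary: the specific paths reported for Vo1d, and the lowercase-l-to-1 substitution that makes “vo1d” resemble the legitimate vold daemon. It generalizes the second point to a small table of common lookalike substitutions and also flags any binary absent from a firmware baseline, so a renamed variant would still surface. The listing and baseline are constructed; the daemon names are standard AOSP daemons, and the substitution table is an assumption.

```python
"""Audit an Android TV box system listing for Vo1d traits (added example; constructed data)."""
from typing import Iterable, List, Set, Tuple

# Paths the report attributes to Vo1d (the two files it introduces, per the summary above).
VO1D_INDICATORS = {"/system/xbin/vo1d", "/system/xbin/wd"}
# Standard AOSP daemons whose names a dropped binary might imitate.
LEGIT_DAEMONS = {"vold", "debuggerd", "installd", "netd", "logd", "servicemanager"}
# Lookalike substitutions folded back to the letter they mimic; "1" for "l" is the one Vo1d
# used, the rest of the table is an assumption about plausible variants.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i", "5": "s"})


def canonical(name: str) -> str:
    """Lower-case a filename and fold lookalike digits and symbols to the letters they mimic."""
    return name.lower().translate(HOMOGLYPHS)


def audit_system_listing(paths: Iterable[str], baseline: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each entry that is a known Vo1d path, imitates a legitimate
    daemon name, or is absent from the vendor firmware baseline (in that priority order)."""
    findings = []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        folded = canonical(base)
        if path in VO1D_INDICATORS:
            findings.append((path, "known Vo1d filename"))
        elif folded != base.lower() and folded in LEGIT_DAEMONS:
            findings.append((path, f"lookalike of system daemon '{folded}'"))
        elif path not in baseline:
            findings.append((path, "not present in the firmware baseline"))
    return findings


# Constructed listing and baseline; not taken from a real device image.
FIRMWARE_BASELINE = {"/system/bin/vold", "/system/bin/debuggerd", "/system/xbin/busybox"}
SAMPLE_LISTING = [
    "/system/bin/vold", "/system/bin/debuggerd", "/system/xbin/busybox",
    "/system/xbin/vo1d", "/system/xbin/wd", "/system/xbin/v0ld", "/system/xbin/dropbear",
]

if __name__ == "__main__":
    for path, reason in audit_system_listing(SAMPLE_LISTING, FIRMWARE_BASELINE):
        print(f"{path}: {reason}")
```

A replaced daemon such as /system/bin/debuggerd keeps its legitimate name, so this name-based pass cannot catch it; that needs a content comparison (a hash against the vendor firmware image), which the report summary does not provide.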

Google Response

Google notes that the infected devices were not Play Protect certified, as they used source code from the Android Open Source Project without undergoing the necessary security and compatibility tests. Users can check if their devices are Play Protect certified on the Android TV website.

Mitigations

To protect against Vo1d, users should update their TV boxes to the latest Android version and avoid using unofficial firmware. Manufacturers should prioritize security and use up-to-date OS versions to prevent similar attacks.

Conclusion

The Vo1d malware highlights the importance of keeping devices up-to-date and using official firmware to prevent infections. Users should be cautious when using non-certified devices and manufacturers should prioritize security to protect their customers.

(Citation: The Hacker News, “Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide,” September 12, 2024, by Ravie Lakshmanan)

CISA Update

Threat actors, including those affiliated with the Akira ransomware group, have begun exploiting a critical remote code execution (RCE) vulnerability in SonicWall’s Gen 5, Gen 6, and some Gen 7 firewall products. This vulnerability, identified as CVE-2024-40766, allows attackers to gain complete control of affected devices and potentially cause them to crash. SonicWall disclosed the bug on August 22 and patched it, but attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by September 30.

Vulnerability Details

The flaw, an improper access control bug in SonicWall SonicOS, affects management access components on Gen 5 and Gen 6 devices and some Gen 7 devices running SonicOS 7.0.1-5035 or earlier. SonicWall urges customers to update to fixed versions as soon as possible and limit firewall management to trusted sources, disable WAN management over the internet, and secure SSLVPN access. The company also recommends enabling multifactor authentication (MFA) for all SSLVPN users.

SonicWall’s products are a popular target due to the elevated privileges attackers can gain on a network, allowing access to all traffic and sensitive data. Network security products like firewalls, routers, and VPNs are often compromised to gain initial access, as seen with recent attacks on Fortinet, Ivanti, and Cisco devices. CISA has issued a binding directive for federal agencies to secure management interfaces for network devices.

Recommendations

SonicWall advises customers to:

  • Update to fixed versions of the technology
  • Limit firewall management to trusted sources
  • Disable WAN management via the internet
  • Secure SSLVPN access
  • Enable MFA for all SSLVPN users
  • Change locally managed SSLVPN user passwords immediately

Reference: “Akira Ransomware Actors Exploit SonicWall Bug for RCE,” Dark Reading, September 9, 2024

Yubikey Vulnerability

🚨 Security Alert: New vulnerability discovered in Yubikeys. Cloning attacks possible through side-channel exploit!

Researchers have discovered a side-channel vulnerability in the YubiKey 5 series, the most widely used hardware token for two-factor authentication based on the FIDO standard. The flaw, which resides in a microcontroller used in other authentication devices, allows attackers to clone the device when they gain temporary physical access to it. YubiKey-maker Yubico has issued an advisory, confirming that all YubiKeys running firmware prior to version 5.7 are permanently vulnerable and cannot be patched.

Vulnerability Details

The side channel is in the Infineon cryptographic library’s implementation of the Extended Euclidean Algorithm, which performs the modular inversion used by the Elliptic Curve Digital Signature Algorithm (ECDSA). The implementation lacks a common side-channel defense, constant-time execution, so its running time varies with the operand and reveals the token’s ephemeral ECDSA key. By measuring electromagnetic emissions with an oscilloscope, attackers can extract the secret ECDSA key, compromising the entire security of the token.

Attack Method

The cloning attack requires physical access to the YubiKey, knowledge of the targeted accounts, and specialized equipment. The attacker must also obtain the user’s login credentials. The process involves stealing the login and password, gaining access to the device, sending authentication requests while measuring the side-channel emissions, and then performing the attack to extract the ECDSA private key. The attacker can then create a clone of the FIDO device for the victim’s account.

Affected Devices

All YubiKey 5 series models are vulnerable, and the researchers suspect other devices using the Infineon SLE78, Infineon Optiga Trust M, and Infineon Optiga TPM microcontrollers may also be affected. Yubico has not confirmed this, and Infineon has not issued an advisory.

Recommendations

Yubico advises users to use additional security measures such as PIN codes, fingerprint or face scans, and to be cautious of physical access to their YubiKeys. Users can check their firmware version using the Yubico Authenticator app. The vulnerability does not affect two-factor authentication or one-time password functionalities.

About the Researchers

NinjaLab co-founder Thomas Roche explained that the vulnerability exists in the Infineon cryptographic library, which is used in many security devices. The library’s implementation of the ECDSA ephemeral key modular inversion is not constant time, allowing side-channel analysis to extract the secret key. The attack requires $11,000 worth of equipment and sophisticated knowledge of electrical and cryptographic engineering.
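Why a leaked ephemeral key is fatal, and what “not constant time” means for the inversion step described in the Vulnerability Details and here, can be shown in a few dozen lines. The block below is an added example, not code from NinjaLab, Yubico or Infineon, and it uses the secp256k1 curve only because its parameters are short; the curve, the message and the fixed nonce are assumptions. It signs a message with a known nonce k, recovers the long-term private key d from (r, s, k) with d = (s*k - h) * r^-1 mod n, and counts extended-Euclid iterations to show that their number depends on the operand, whereas a Fermat-style inverse (pow(k, n-2, n)) performs the same work for every input. Nothing is measured here; the nonce is simply handed to the recovery routine, which is the situation an attacker is in once the side channel has revealed it.

```python
"""ECDSA nonce leak and inversion timing, illustrated on secp256k1 (added example; constructed values)."""
import hashlib
from typing import Optional, Tuple

# secp256k1 domain parameters (public constants; the curve choice is an assumption for brevity).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]   # None stands for the point at infinity


def euclid_inverse(a: int, m: int) -> Tuple[int, int]:
    """Extended Euclid: returns (a^-1 mod m, loop iterations). The iteration count, and so the
    running time, depends on a; operand-dependent timing is the class of leak described above."""
    old_r, r, old_s, s, steps = a % m, m, 1, 0, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    return old_s % m, steps


def constant_inverse(a: int, m: int) -> int:
    """Fermat inverse a^(m-2) mod m: fixed exponent, so the same operation sequence for every a."""
    return pow(a, m - 2, m)


def point_add(p1: Point, p2: Point) -> Point:
    """Affine point addition and doubling on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * constant_inverse(2 * y1, P) % P
    else:
        lam = (y2 - y1) * constant_inverse(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes, k: int) -> Tuple[int, int]:
    """ECDSA with a caller-supplied nonce k so the leak can be demonstrated deterministically."""
    r = scalar_mult(k, G)[0] % N
    k_inv, _ = euclid_inverse(k, N)        # the inversion the side channel observes
    return r, k_inv * (msg_hash(msg) + r * d) % N


def verify(Q: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    w = constant_inverse(s, N)
    pt = point_add(scalar_mult(msg_hash(msg) * w % N, G), scalar_mult(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_private_key(sig: Tuple[int, int], msg: bytes, k: int) -> int:
    """With the nonce known, s = k^-1 (h + r d) mod n solves directly for d."""
    r, s = sig
    return (s * k - msg_hash(msg)) * constant_inverse(r, N) % N


if __name__ == "__main__":
    d, k, msg = 0x1234_5678_9ABC_DEF0, 0x0FED_CBA9_8765_4321, b"constructed challenge"  # constructed
    sig = sign(d, msg, k)
    print("signature verifies:", verify(scalar_mult(d, G), msg, sig))
    print("private key recovered from leaked nonce:", recover_private_key(sig, msg, k) == d)
    print("euclid iterations for a=1 vs a=G.x:", euclid_inverse(1, N)[1], euclid_inverse(G[0], N)[1])
```

The iteration counts make the defensive point: a library must take the same time for every nonce, which is why the fix is a constant-time inversion rather than anything the user can change, and why firmware before 5.7 stays vulnerable on devices that cannot be updated.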

[1] “YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel,” Ars Technica, September 3, 2024
