Your Weekly Cybersecurity Update (01 November 2024)
- Mishing in Motion: Zimperium Uncovering the Evolving Functionality of FakeCall Malware
- Massive UN Data Leak Exposes Personal Information of Violence Against Women Victims
- Mandiant Report: Exploited Vulnerabilities Reach Record Lows in Time to Patch, But Zero-Days on the Rise
- Your Site Was Hacked, and You Never Knew About It: My Real-Life Encounter with a Supply Chain Attack
- Sydney-based Western Sydney Uni is breached, again!
Mishing in Motion: Zimperium Uncovering the Evolving Functionality of FakeCall Malware
As part of zLabs’ ongoing research initiative aimed at uncovering emerging threats within mobile security, the team has been diligently monitoring a new variant of a previously documented malware referred to as FakeCall. This malware employs a method known as Vishing (voice phishing), which consists of conducting fraudulent phone calls or sending deceptive voice messages.
The primary goal of these tactics is to trick victims into revealing sensitive personal information, such as login credentials, credit card numbers, or banking details. Vishing is categorised as one component of a broader phenomenon known as “Mishing,” which encompasses a range of mobile-targeted phishing techniques. Cyber attackers are increasingly leveraging these methods to exploit the unique functionalities of mobile devices, including voice calls, SMS text messaging, and integrated cameras.
The various attack methods associated with Mishing include:
- Vishing (Voice Phishing): In this method, attackers use fraudulent voice calls to manipulate victims into disclosing confidential information or performing actions that could compromise their security. The FakeCall variant is an exceptionally advanced form of Vishing, utilising malware to monitor and control the mobile device almost entirely. This enables the malware to intercept both incoming and outgoing calls seamlessly, leading victims to contact fraudulent numbers that are under the attacker’s control while replicating a familiar user experience to maintain the illusion of legitimacy.
- Smishing (SMS Phishing): This technique involves sending deceptive SMS messages that entice recipients into clicking on malicious links or disclosing sensitive information. Smishing messages often impersonate trusted entities to increase the likelihood of recipients falling for the scam.
- Quishing (QR Code Phishing): In this emerging method, attackers exploit mobile device cameras to deliver phishing attacks via malicious QR codes. When victims scan these codes, they may inadvertently gain access to fraudulent websites designed to steal personal information or install malware on their devices.
- Email-based Mobile Phishing: This approach involves phishing emails that are optimised for mobile email clients. These emails are designed to exploit the mobile browsing experience, often employing mobile-specific tactics to trick users into taking harmful actions or revealing sensitive information.
Overall, FakeCall stands out as a particularly sophisticated Vishing attack capable of executing a wide range of malicious activities on infected devices. By combining advanced malware with social engineering techniques, attackers create scenarios that deceive victims into believing they are engaging in legitimate interactions, thereby increasing the likelihood of successfully obtaining valuable information. As mobile security threats continue to evolve, it is crucial for users to remain vigilant and informed about these emerging dangers. Read this article from Zimperium to get more insights into how FakeCall is designed, weaponised and executed.
Massive UN Data Leak Exposes Personal Information of Violence Against Women Victims
A security researcher uncovered a massive data leak from the UN Trust Fund to End Violence against Women, jeopardizing the privacy of victims and staff. The UN Trust Fund’s database was misconfigured and entirely unsecured, accessible to anyone with an internet connection.
What Was Exposed:
- Over 115,000 sensitive documents (228GB)
- Victim information: Names, email addresses, personal experiences
- Staff information: Names, tax data, salary information, job roles
- Financial details: Bank account information, audits, financial reports
- Organisational documents: Contracts, certifications, registration documents
Potential Consequences:
- Identity theft and fraud: Exposed information could be used to steal identities or commit financial fraud.
- Targeted attacks: Phishing campaigns or blackmail attempts could target victims, staff, and the UN Trust Fund itself.
- Harm to vulnerable populations: The leak could put those the UN protects at further risk.
- Exposure of internal operations: Leaked documents may reveal sensitive information about the organisation’s operations.
UN Women has secured the database after receiving notification from the researcher. They have also issued a scam alert to warn potential victims of fraudulent activity.
This incident highlights the critical need for robust cybersecurity measures, especially for organisations handling sensitive data and supporting vulnerable populations.
Mandiant Report: Exploited Vulnerabilities Reach Record Lows in Time to Patch, But Zero-Days on the Rise
A new report by cybersecurity firm Mandiant reveals a concerning trend: attackers are exploiting vulnerabilities faster than ever before, with zero-day attacks (exploits for unknown vulnerabilities) outpacing patched vulnerabilities (n-days) at a record rate.
Key Findings:
- Zero-Day Dominance: 70% of vulnerabilities exploited in 2023 were zero-days, a significant increase from previous years.
- Rapid Exploitation: The average time to exploit a vulnerability after it’s discovered has plummeted to just five days, down from 63 days in 2018.
- Patching Challenges: Faster exploitation times make patch prioritization even more difficult for defenders.
- N-Day Persistence: Despite the rise of zero-days, attackers continue to exploit patched vulnerabilities, highlighting the importance of timely patching.
- Diversification of Targets: Attackers are targeting a wider range of vendors and products, expanding the attack surface for defenders.
Recommendations:
- Prioritise Efficient Detection and Response: Defenders need to improve their ability to detect and respond to attacks quickly, regardless of whether they exploit zero-day or n-day vulnerabilities.
- Strengthen Patch Management: Prioritisation of patches needs to be more efficient, considering factors beyond just the release date.
- Segment Networks and Implement Access Controls: Limit the potential damage from a successful attack by segmenting networks and restricting access.
- Don’t Rely Solely on Patching: While patching remains crucial, organizations shouldn’t neglect other security measures as a vulnerability can be exploited for months or even years after a patch is available.
The report highlights the evolving threat landscape and the need for organizations to adopt a layered approach to cybersecurity. Early detection, rapid response, and a focus on mitigating the potential impact of successful attacks are essential in today’s environment.
Your Site Was Hacked, and You Never Knew About It: My Real-Life Encounter with a Supply Chain Attack
Edwin Kwan made a chance discovery after receiving a LinkedIn message about an interesting job opportunity, complete with a link to the job ad. Before clicking, he took a quick look at the URL to ensure it was legitimate—something we all do in this line of work.
The website appeared normal enough, but then something caught his eye. An overlay popped up, prompting him to connect a crypto wallet. Now, this was a bit odd. He certainly didn’t expect a job board to be asking for crypto credentials!
After an initial assessment, he found that the site used an NPM library called @lottiefiles/lottie-player, a popular animation plugin. The site was pulling the latest version directly from NPM:
@lottiefiles/lottie-player@latest/dist/lottie-player.js
As he started investigating this suspicious-looking URL in the GitHub repository, he noticed recent issues with others reporting similar suspicious behaviour. Turns out, versions 2.0.5, 2.0.6, and 2.0.7—released within an hour of each other—were all affected by what looked like a crypto drainer. This was clearly a supply chain attack, potentially affecting thousands of websites.
He boldly shares his findings on his blog and recognizes that the problem goes far beyond crypto wallets. If the overlay had demanded login credentials for email, social media, or banking, the consequences would have been significantly more severe. Many organizations remain oblivious to the fact that individuals could have been compromised through their websites. It’s crucial to acknowledge this risk.
Key Lessons Learned and Recommendations:
- Pin Your Dependencies – Avoid using @latest versions in production. Pinning dependencies means you know exactly which version is running on your site and can thoroughly assess each new update.
- Consider Local Hosting for Critical Libraries – Serving libraries locally adds an extra layer of control over what’s running on your systems. You avoid the risk of suddenly pulling in compromised code.
- Vulnerability Management in the Supply Chain – Third-party code brings functionality and speed, but it also introduces risk. Regularly review and audit third-party dependencies, and monitor for vulnerabilities impacting your software supply chain.
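As an added example (not from Edwin Kwan's post or the lottie-player project), here is a small Node.js audit that flags the unpinned pattern described above: it scans a page's script tags for npm CDN references that use @latest or no version at all, and for tags without a Subresource Integrity attribute. The sample HTML, the CDN host list and the integrity hash are constructed placeholders.

```javascript
// Added example: audit <script src> tags for unpinned npm CDN dependencies
// (the "@latest" pattern from the article) and for missing SRI. No dependencies.

// Constructed sample page; the integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://unpkg.com/some-lib/dist/some-lib.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>`;

// Hosts that serve npm packages straight from the registry (assumed list).
const NPM_CDN_HOSTS = ["unpkg.com", "cdn.jsdelivr.net"];

// Returns one finding per CDN-hosted script: { src, version, pinned, sri }.
function auditScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue;
    let url;
    try { url = new URL(src); } catch { continue; }      // relative/local script: skip
    if (!NPM_CDN_HOSTS.includes(url.hostname)) continue;
    // jsDelivr prefixes npm paths with /npm/; scoped packages occupy two segments.
    const path = url.pathname.replace(/^\/npm\//, "/");
    const spec = path.split("/").slice(1, path.startsWith("/@") ? 3 : 2).join("/");
    const at = spec.lastIndexOf("@");                     // last '@' separates the version
    const version = at > 0 ? spec.slice(at + 1) : null;
    const pinned = version !== null && /^\d+\.\d+\.\d+$/.test(version);
    const sri = /\bintegrity\s*=/i.test(attrs);
    findings.push({ src, version, pinned, sri });
  }
  return findings;
}

// Scripts that can silently change under you: unpinned, or pinned but unverified.
function riskyScripts(html) {
  return auditScriptTags(html).filter((f) => !f.pinned || !f.sri);
}

console.log(riskyScripts(SAMPLE_HTML));
```

Run it against saved HTML of your own pages; anything reported should be pinned to an exact version and given an integrity attribute, or hosted locally.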
Sydney-based Western Sydney Uni is breached, again!
Western Sydney University recently reported a significant cyber incident involving unauthorized access to its student management system and data warehouse. The breach occurred over a span of two weeks, from August 14 to August 27, and was only contained by the university’s IT security team on August 31.
The incident was reported on 31 October, making it the third notable cyber event for the university this year and raising concerns about the effectiveness of its cybersecurity protocols.
During the breach, the attacker gained access to a wide range of personal information from a substantial number of students. This included sensitive data such as full names, residential addresses, email addresses, student identification numbers, tuition fee details, and demographic information. While the university has initiated an ongoing investigation into the matter, preliminary findings indicate that there is currently no evidence suggesting any alterations to student records or any direct threats arising from the compromised data.
The university had also received no threats related to the data nor seen it appear on any dark web forums.
Western Sydney University said it is “enhancing detection and implementing 24/7 monitoring capabilities, implementing additional firewall protection, increasing our cyber security team capacity” in response to this latest incident.
It added: “Students and staff are advised that there may be ongoing disruption to the IT network as the university continues to uplift its cyber security protections.
“The university is not in a position to provide any further specific information about our remediation efforts to protect the ongoing security of our system.”