DEV Community


Habdul Hazeez

Security news weekly round-up - 17 May 2024

Introduction

Welcome to this week's security review. In today's edition, most of the articles that we'll examine are about malware, and just one is about social engineering. So, let's get started.


Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

This article is a classic tale of what I'll refer to as "confuse them and offer help". When you read the article you'll discover that the threat actors flood a target's inbox with spam and then follow it up with a phone call, posing as the company's IT team and offering assistance with the volume of email the impacted users received.

Here is an excerpt from the article that shows the threat of this campaign:

The impacted users are then approached over phone calls by masquerading as the company's IT team, tricking them into installing remote desktop software under the guise of resolving the email issues.

The remote access to their computer is subsequently leveraged to download additional payloads to harvest credentials and maintain persistence on the hosts.

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

It's quite an interesting read and it's based on research from ESET. The article further shows that even high-value, critical infrastructure can be compromised, and that an attacker who sits on a host for long enough can collect credential material at scale.

Here is a quick one from the article:

After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware.
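To make concrete why roughly half of a hash dump can end up as plaintext, here is an added example (not ESET's data or code from the article) that runs a dictionary attack against a constructed set of six accounts. The account names, passwords and wordlist are made up. It contrasts an unsalted fast hash with a salted, slow key-derivation function: both give up the same weak passwords, because the fraction cracked is set by password quality, but the slow KDF multiplies the attacker's cost per guess by orders of magnitude.

```python
"""Why 'hashes' become 'plaintext passwords': a dictionary attack against a
constructed account dump, comparing an unsalted fast hash with a salted slow KDF.
Added example; accounts, passwords and wordlist are made up, not ESET's data."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

WORDLIST = ["password", "123456", "letmein", "summer2024", "qwerty", "welcome1"]
ACCOUNTS = {              # user -> password; three are weak, three are not in any wordlist
    "alice": "summer2024",
    "bob": "letmein",
    "carol": "qwerty",
    "dave": "Tq7!vR0wLm#zP9",
    "erin": "correct-horse-battery-staple-42",
    "frank": "M3ta1Sp00n@Leaf",
}

def fast_hash(pw: str) -> str:
    """Unsalted SHA-256: one cheap computation per candidate, reusable for every user."""
    return hashlib.sha256(pw.encode()).hexdigest()

def slow_hash(pw: str, salt: bytes, iterations: int) -> str:
    """Salted PBKDF2-HMAC-SHA256: the salt defeats shared lookup tables and the
    iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()

def crack_fast(hashes: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. Returns (cracked, hash evaluations)."""
    table = {fast_hash(w): w for w in wordlist}          # built once, serves every user
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, len(wordlist)

def crack_slow(records, wordlist, iterations: int) -> Tuple[Dict[str, str], int]:
    """Same attack on salted PBKDF2 records: each guess is re-hashed per user and
    costs `iterations` HMAC computations. Returns (cracked, HMAC evaluations)."""
    cracked, evaluations = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            evaluations += iterations
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, evaluations

def run_demo(iterations: int = 20_000) -> dict:
    """Hash the constructed accounts both ways, attack both, report the cost."""
    fast_records = {u: fast_hash(p) for u, p in ACCOUNTS.items()}
    slow_records = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(16)                             # per-user random salt
        slow_records[u] = (salt, slow_hash(p, salt, iterations))
    fast_cracked, fast_cost = crack_fast(fast_records, WORDLIST)
    slow_cracked, slow_cost = crack_slow(slow_records, WORDLIST, iterations)
    return {
        "fast_cracked": fast_cracked, "fast_cost": fast_cost,
        "slow_cracked": slow_cracked, "slow_cost": slow_cost,
        "fraction_cracked": len(fast_cracked) / len(ACCOUNTS),
    }

if __name__ == "__main__":
    r = run_demo()
    print(f"fast hash: {len(r['fast_cracked'])}/{len(ACCOUNTS)} cracked "
          f"({r['fraction_cracked']:.0%}) with {r['fast_cost']} hash evaluations")
    print(f"slow KDF:  {len(r['slow_cracked'])}/{len(ACCOUNTS)} cracked "
          f"with {r['slow_cost']:,} HMAC evaluations")
```

Run it and both attacks recover the same three weak passwords (50% of the dump), but the unsalted hash falls to six hash evaluations in total while the salted PBKDF2 records cost 600,000 at this iteration count; real system hashes (sha512crypt, yescrypt, bcrypt) sit on the slow side of that gap, which is why dumps of this kind only give up the accounts whose owners chose guessable passwords.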

Threat Actors Abuse GitHub to Distribute Multiple Information Stealers

An article that reminds us that legitimate platforms can be abused by malicious actors. Here, I'll advise that you download application software directly from the vendor's website (if the vendor hosts it themselves) rather than from an unknown GitHub profile, and that you check any checksum or signature the vendor publishes before running it.

Here is what's going on:

The GitHub profile, belonging to a user named ‘papinyurii33’, was created on January 16, 2024 and contained only two repositories. Recorded Future said its researchers observed multiple changes made to the files in these repositories in February and early March, but no new activity since March 7.

The investigation also revealed the use of a FileZilla file transfer protocol (FTP) server for malware management and for distributing the Lumma and Vidar information stealers.

New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

It is called the SSID Confusion Attack, and it impacts all operating systems and Wi-Fi clients. The excerpt below briefly explains how the attack works: the client authenticates keys, not the network name it was shown.

The issue underpinning the attack is the fact that the Wi-Fi standard does not require the network name (SSID or the service set identifier) to always be authenticated and that security measures are only required when a device opts to join a particular network.

The net effect of this behavior is that an attacker could deceive a client into connecting to a different, untrusted Wi-Fi network from the one it intended to connect to by staging an adversary-in-the-middle (AitM) attack.
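The property the excerpt describes is easy to see in a model. Below is an added example, written for this post and not the researchers' code, that simulates a WPA2-style 4-way handshake between a client and an access point: the message-3 MIC covers the MAC addresses, the nonces and the pairwise key, but not the SSID. Two constructed networks, TrustedNet and GuestNet, run by one operator and accepting the same credential (the precondition the attack needs), an adversary that advertises GuestNet's BSSID under TrustedNet's name and relays the handshake frames unchanged, and a `bind_ssid` switch that models one mitigation: mixing the network name the client believes it is joining into the key derivation, so a relayed handshake with a different AP fails. The PMK derivation here stands in for 802.1X/EAP or WPA3-SAE, where the PMK does not depend on the SSID; the network names, MACs and credential are all made up.

```python
"""Simplified model of the SSID Confusion attack and one mitigation.
Added example with constructed networks; it is not the researchers' code and
only models the property that matters: the handshake MIC authenticates keys and
nonces but not the network name the client saw in the beacon."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

def derive_pmk(credential: str) -> bytes:
    """Models 802.1X/EAP or WPA3-SAE, where the PMK does not depend on the SSID.
    (WPA2-PSK derives its PMK from passphrase AND SSID, which blocks this path.)"""
    return hashlib.sha256(b"pmk|" + credential.encode()).digest()

def derive_ptk(pmk: bytes, bssid: bytes, sta: bytes, anonce: bytes, snonce: bytes,
               ssid: Optional[str]) -> bytes:
    """WPA2-style PTK = PRF(PMK, sorted MACs || sorted nonces). `ssid` is None in
    the standard derivation; passing it models binding the name into the handshake."""
    data = b"".join(sorted([bssid, sta]) + sorted([anonce, snonce]))
    if ssid is not None:
        data += b"|ssid=" + ssid.encode()
    return hmac.new(pmk, data, hashlib.sha256).digest()

def mic(ptk: bytes, frame: bytes) -> bytes:
    return hmac.new(ptk, frame, hashlib.sha256).digest()

@dataclass
class AccessPoint:
    ssid: str
    bssid: bytes
    credential: str
    bind_ssid: bool = False

    def handshake(self, sta: bytes, snonce: bytes) -> Tuple[bytes, bytes]:
        """Message 3 as the AP computes it: (ANonce, MIC over the frame)."""
        anonce = os.urandom(32)
        ptk = derive_ptk(derive_pmk(self.credential), self.bssid, sta, anonce, snonce,
                         self.ssid if self.bind_ssid else None)
        return anonce, mic(ptk, b"msg3|" + anonce)

@dataclass
class Beacon:
    ssid: str
    bssid: bytes

def client_connect(intended_ssid: str, beacon: Beacon, ap: AccessPoint,
                   credential: str, sta: bytes, bind_ssid: bool) -> Optional[str]:
    """Client joins the beacon carrying the name it wants. Returns the SSID of the
    AP it actually completed the handshake with, or None if the MIC check failed."""
    if beacon.ssid != intended_ssid:
        return None
    snonce = os.urandom(32)
    anonce, ap_mic = ap.handshake(sta, snonce)        # frames may pass through an AitM
    ptk = derive_ptk(derive_pmk(credential), beacon.bssid, sta, anonce, snonce,
                     intended_ssid if bind_ssid else None)
    if not hmac.compare_digest(mic(ptk, b"msg3|" + anonce), ap_mic):
        return None
    return ap.ssid

# Constructed scenario: one operator, two networks, the same credential valid on both.
CRED = "corp-user:Str0ngPassw0rd"
STA = bytes.fromhex("02000000aa01")

def networks(bind_ssid: bool) -> Tuple[AccessPoint, AccessPoint]:
    trusted = AccessPoint("TrustedNet", bytes.fromhex("020000000001"), CRED, bind_ssid)
    guest = AccessPoint("GuestNet", bytes.fromhex("020000000002"), CRED, bind_ssid)
    return trusted, guest

def honest_connect(bind_ssid: bool) -> Optional[str]:
    trusted, _ = networks(bind_ssid)
    return client_connect("TrustedNet", Beacon("TrustedNet", trusted.bssid), trusted,
                          CRED, STA, bind_ssid)

def ssid_confusion(bind_ssid: bool) -> Optional[str]:
    """AitM advertises GuestNet's BSSID under TrustedNet's name on its own channel
    and relays the unchanged handshake frames to the real GuestNet AP."""
    _, guest = networks(bind_ssid)
    spoofed = Beacon("TrustedNet", guest.bssid)
    return client_connect("TrustedNet", spoofed, guest, CRED, STA, bind_ssid)

if __name__ == "__main__":
    print("honest, no binding:", honest_connect(False))   # TrustedNet
    print("attack, no binding:", ssid_confusion(False))   # GuestNet, but the victim believes TrustedNet
    print("honest, SSID bound:", honest_connect(True))    # TrustedNet
    print("attack, SSID bound:", ssid_confusion(True))    # None: MIC mismatch, client refuses
```

Without the binding, the relayed handshake verifies and the client ends up on GuestNet while its UI says TrustedNet, which is exactly the downgrade the excerpt warns about (for example onto a network without the VPN policy the trusted one enforces). With the name bound into the key derivation, the AP and the client derive different keys and the client rejects message 3. The switch here is a simplification of the defenses the researchers discuss; the operational takeaways that need no standard change are to avoid reusing credentials across SSIDs and to enable beacon protection where the hardware supports it.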

New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data

The article's title says it all. The disturbing thing about this malware is that it uses an overlay attack to harvest victims' credentials: a fake login screen drawn over the legitimate app, so the user types their password into the malware. That can fool anyone, from the tech-savvy user in a hurry to one who has no idea what is really showing on their phone screen.

The following excerpt summarises the Antidot malware:

The newly surfaced Antidot banking trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
