
Cyware Daily Threat Intelligence, May 06, 2024


Attacks on the Android platform have escalated with new findings. A widespread Android malware campaign impersonated Finnish banks and instructed victims to install a fake McAfee app, leading to bank account exposure. An Iranian threat actor has reared its head with new tools added to its arsenal. Mandiant reported attacks on NGOs, governments, and intergovernmental organizations by APT42 wherein the group used two never-before-seen backdoors: Nicecurl and Tamecat. 

Additionally, learn about a security issue in TinyProxy that inadvertently exposed small network environments to significant risk. A pair of vulnerabilities has also been found in Linksys routers that allows remote attackers to execute unauthorized commands.

Top Malware Reported in the Last 24 Hours


Malicious campaign targets Finnish bank accounts
Finland's Traficom alerted citizens about an Android malware campaign impersonating banks, urging victims to install a fake McAfee app. Legitimate-appearing SMS messages direct recipients to call a specified number for "protection." Once installed, the app grants threat actors access to victims' bank accounts. Financial institutions like the OP Financial Group also cautioned against sharing sensitive data or downloading apps prompted by such messages.

LockBit faces law enforcement crackdown
Law enforcement claimed to have seized the Tor website of the LockBit ransomware group, once again. They further plan to reveal the identities of its members. However, LockBit has said it’s all a ‘show,’ dismissing law enforcement's actions. Earlier in February, Operation Cronos led to the disruption of LockBit's operations followed by arrests of some of its members. LockBit quickly resumed its activities, threatening cyberattacks on government sectors.

Iranian APT42 deploys new backdoors
Iran's APT42 is deploying two new backdoors, Nicecurl and Tamecat, in cyberespionage campaigns. These custom tools facilitate data harvesting and arbitrary command execution on infected machines. Nicecurl, written in VBScript, drops additional modules, while Tamecat, a PowerShell tool, executes malicious macros via documents. The group targets NGOs, governments, and intergovernmental organizations, often masquerading as media entities and NGOs to steal login credentials.

Top Vulnerabilities Reported in the Last 24 Hours


Android bug exposes DNS leaks
Despite enabling the ‘Always-on VPN’ feature with the ‘Block Connections Without VPN’ option on Android devices, a Mullvad VPN user discovered DNS leaks while switching VPN servers. Investigation revealed an Android bug leaking DNS queries when VPN tunnels are reconfigured, crashed, or forced to stop. These leaks pose privacy risks, exposing user locations and online activities. Mullvad called for OS-level fixes to protect all Android users.

Critical flaw in TinyProxy raises concerns
A critical vulnerability (CVE-2023-49606) in TinyProxy posed a severe risk of remote code execution. Improper memory handling in its HTTP request parsing mechanism could enable attackers to trigger buffer overflows or use-after-free errors, leading to unauthorized access to network resources. Cisco Talos Intelligence Group identified the flaw, prompting swift updates from developers.

Command injection flaws in Linksys routers
Two critical vulnerabilities, CVE-2024-33788 and CVE-2024-33789, were found in Linksys routers. CVE-2024-33788 resulted from insufficient validation of input during device PIN registration, while CVE-2024-33789 stemmed from inadequate verification of IP or URL addresses during ping command execution. Both vulnerabilities allow for command injection, potentially enabling threat actors to execute unauthorized commands on affected devices.
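As an added illustrative example (not Linksys firmware or any vendor's code), the defensive pattern that the two reported flaws lacked: strictly validating the ping target and the PIN before any command is assembled, and passing the target as an argv element so no shell ever parses it. The function names and the 4-to-8-digit PIN policy are assumptions.

```python
"""Input validation for a router-style diagnostic 'ping' endpoint and a PIN
registration field.  Illustrative example; the PIN policy is an assumption."""
import ipaddress
import re
import subprocess
from typing import Optional

# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_target(target: str) -> Optional[str]:
    """Return a canonical IP literal or lower-cased hostname, or None if unsafe."""
    target = target.strip()
    if not target or len(target) > 253:
        return None
    try:
        return str(ipaddress.ip_address(target))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return target.lower()
    # Anything else (URLs, spaces, shell metacharacters) is rejected outright.
    return None


def validate_pin(pin: str) -> Optional[str]:
    """Accept only a 4- to 8-digit numeric PIN (assumed policy); reject all else."""
    return pin if re.fullmatch(r"[0-9]{4,8}", pin) else None


def build_ping_argv(target: str, count: int = 3) -> list[str]:
    """Build the ping command as an argv list; the validated target cannot start
    with '-' so it can never be parsed as an option."""
    safe = validate_ping_target(target)
    if safe is None:
        raise ValueError("rejected ping target")
    return ["ping", "-c", str(max(1, min(count, 10))), safe]


def run_ping(target: str, count: int = 3) -> int:
    """Execute ping without a shell (shell=False) and return its exit status."""
    argv = build_ping_argv(target, count)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=30).returncode
```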


Posted on: May 06, 2024

