Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 31, 2024
Cybercriminals are always on the lookout for a way to infiltrate mobile devices as they serve as the gateway to our digital lives. A new attack campaign has capitalized on this through over 100,000 Android malware apps designed to steal OTP codes from SMS messages and commit identity fraud. The campaign has ensnared victims in 113 countries, with India and Russia being the most targeted.
Meanwhile, email security is under threat following the discovery of two vulnerabilities affecting multiple SMTP email servers. The vulnerabilities, CVE-2024-7208 and CVE-2024-7209, stem from weaknesses in how SPF and DKIM authentication is applied, enabling attackers to conduct email spoofing attacks.
Speaking of email-based attacks, the Tycoon 2FA phishing kit has been used to orchestrate a phishing campaign that exploits Amazon Simple Email Service (SES) for credential theft. The attack involves emails with valid signatures and attachments posing as documents from Docusign.
OTP-stealing malware on the prowl
A new malicious campaign using over 100,000 Android malware apps to steal OTP codes from SMS messages has been active since February 2022. The apps intercept OTPs sent to millions of users by over 600 global brands and use them to commit identity fraud. Victims are located in 113 countries, with India and Russia the most targeted. The attack starts by tricking victims into downloading a malicious app through fake ads or Telegram bots; the app then harvests SMS messages and transmits them to command-and-control servers.
Botnet source code on sale
The source code for the Trik Loader (aka Phorpiex) botnet is being sold in antivirus circles, raising concerns among cybersecurity experts. The botnet includes a crypto clipper, a USB emitter, and a PE infector targeting cryptocurrency wallets. Its fully undetectable (FUD) status, meaning its ability to evade antivirus detection, together with the absence of a control panel make it a serious threat. Modules such as the VNC bruteforcer and USB emitter further extend its capabilities, letting it gain unauthorized access to systems and spread through USB drives, which poses risks to both individuals and organizations.
Ubuntu fixes OpenVPN bugs
Ubuntu has addressed two vulnerabilities in the OpenVPN software that could allow a session being closed to remain active or cause a denial of service. Canonical released security updates for the affected Ubuntu versions, including 24.04 LTS, 23.10, 22.04 LTS, and 20.04 LTS. One vulnerability allowed remote authenticated clients to keep a connection active, affecting Ubuntu 23.10 and 24.04 LTS. The other involved incorrect handling of control channel messages, potentially causing high CPU load or a denial of service.
SMTP servers vulnerable to spoofing
Multiple SMTP servers have been found vulnerable to spoofing attacks that allow attackers to bypass authentication measures. The vulnerabilities, tracked as CVE-2024-7208 and CVE-2024-7209, stem from weaknesses in how SPF and DKIM authentication is applied, enabling attackers to spoof sender information. DMARC, which is meant to prevent exactly this kind of spoofing, can be circumvented, allowing attackers to impersonate legitimate senders within hosted domains. These vulnerabilities could lead to widespread email impersonation, causing reputational and financial harm to organizations.
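As an added illustration (not part of this briefing or the advisories it summarizes), the following Python evaluates DMARC the way a receiving server should: an SPF or DKIM pass only counts when the authenticated domain aligns with the visible From: domain, so a message relayed through a shared provider that authenticates only the provider's own domain still fails. Domain names are constructed placeholders, and the organizational-domain logic is a simplification that ignores the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class AuthResults:
    from_domain: str   # domain of the visible RFC 5322 From: header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # domain SPF actually authenticated (MAIL FROM / HELO)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature

def organizational_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels form the organizational
    # domain. Real implementations consult the Public Suffix List (e.g. co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    """Return 'pass' only if some authentication result is BOTH passing AND aligned."""
    spf_ok = r.spf_result == "pass" and is_aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and is_aligned(r.dkim_domain, r.from_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages; the domains are placeholders, not real infrastructure.
# Relayed through a shared provider: SPF and DKIM both pass, but only for the
# provider's own domain, not for the domain shown in From:.
SPOOFED_VIA_SHARED_HOST = AuthResults(
    from_domain="victim.example", spf_result="pass", spf_domain="bounce.sharedhost.example",
    dkim_result="pass", dkim_domain="sharedhost.example")

LEGITIMATE = AuthResults(
    from_domain="victim.example", spf_result="pass", spf_domain="victim.example",
    dkim_result="pass", dkim_domain="victim.example")

# Subdomain in From:, parent domain in DKIM d=; whether this aligns depends on adkim.
SUBDOMAIN_FROM = AuthResults(
    from_domain="mail.victim.example", spf_result="none", spf_domain="",
    dkim_result="pass", dkim_domain="victim.example")

if __name__ == "__main__":
    print("spoofed via shared host:", dmarc_evaluate(SPOOFED_VIA_SHARED_HOST))
    print("legitimate:", dmarc_evaluate(LEGITIMATE))
    print("subdomain, relaxed adkim:", dmarc_evaluate(SUBDOMAIN_FROM))
    print("subdomain, strict adkim:", dmarc_evaluate(SUBDOMAIN_FROM, adkim="s"))
```

The mitigation for receivers is to enforce alignment rather than accept a bare SPF or DKIM pass; domain owners can additionally publish `adkim=s`/`aspf=s` when subdomain flexibility is not needed.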
Phishing kit exploits Amazon SES
A sophisticated phishing campaign built on the Tycoon 2FA phishing kit has been identified abusing Amazon SES to steal user credentials. The attack involves emails with valid signatures and attachments posing as Docusign documents, even though the messages may fail SPF and DKIM checks. When victims click links in the emails, they are redirected through multiple URLs to obscure the final phishing domain. The phishing engine uses various services to host its scripts and resources, and communication with the C2 server is encrypted with AES in CBC mode. Stolen user data is sent to the attackers' C2 server over a custom communication protocol.