CoralRaider Strikes

Apr 05 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that eats, sleeps, and breathes cybersecurity, just like Joe Biden eats, sleeps, and umm, you know, the thing 👴😴🙈 #WWIII 💀

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Google: These aren’t the Androids you’re looking for 😵‍💫💀

🚨 Google releases April patches for Android OS 📱

🔒📱 Google's latest Android OS update patches 28 vulnerabilities, including a critical one affecting devices with Qualcomm chips. Users can find their device's Android version number and security update level in Settings, where they can also check for updates.

The updates are available for Android 12, 12L, and 13, but availability may vary among device vendors. Notably, CVE-2023-28582 poses a high risk, with a CVSS score of 9.8, allowing remote attackers to execute code due to a memory corruption in the Data Modem during DTLS handshake. Another concern is CVE-2024-23704, an elevation of privilege vulnerability in the System component affecting Android 13 and 14.

Pixel users face potential exploitation of CVE-2024-29745 and CVE-2024-29748, both resolved with the latest security patch. Stay protected with Malwarebytes for iOS and Android. 🛡️📲

Now, on to today’s hottest cybersecurity news stories:

  • 🍜 Vietnam hackers engage in guerrilla cyber warfare w/ Asia via malware 👨‍💻

  • 🎣 Fresh phish! New campaign targets oil & gas w/ data-stealing malware 👀

  • ⚠️ Don’t DoS about! New HTTP/2 vulnerability leaves web servers exposed 🔓

You don’t know, man. You weren’t there! 💀💀💀

🚨 CoralRaider Strikes: Malware Mayhem in Asia! 💻

Since May 2023, CoralRaider, a suspected Vietnamese-origin threat actor, has wreaked havoc across Asia and Southeast Asia, targeting victims primarily for financial gain. Tracked by Cisco Talos, their sinister schemes involve plundering valuable data in countries like India, China, and Vietnam.

Employing RotBot 🤖 and XClient stealer 💰, they snatch credentials, financial data, and social media accounts. Their arsenal includes various stealer malware families and Telegram for data exfiltration 📲. With roots traced to Vietnam, the cybercriminals go the extra mile, even exploiting Facebook in malvertising campaigns, mimicking renowned AI tools to lure European users.

Bitdefender recently disclosed details of this pervasive malvertising campaign, revealing threat actors hailing from Vietnam, the U.S., Indonesia, the U.K., and Australia. Their modus operandi involves seizing existing Facebook accounts, tweaking their appearance, and expanding their influence through sponsored ads.

One imposter page, masquerading as Midjourney, amassed a staggering 1.2 million followers before being dismantled. Stay vigilant and fortify your defences against the CoralRaider onslaught! 🔒🌏🛡️

Sounds like an oily phish 👀🙃🐟

🚨 Rhadamanthys Resurfaces: Oil & Gas Sector Under Siege! 💼🔒

An updated version of the infamous information-stealing malware, Rhadamanthys, has reemerged in phishing campaigns targeting the oil and gas sector. Cofense researcher Dylan Duncan unveiled the sinister tactics, revealing phishing emails employing a unique vehicle incident lure and spoofing the Federal Bureau of Transportation in a PDF, threatening hefty fines.

The emails contain a malicious link leading to a supposed PDF document, which, upon clicking, downloads a ZIP archive housing the stealer payload. Crafted in C++, Rhadamanthys establishes connections with a command-and-control (C2) server to pilfer sensitive data from compromised hosts. This resurgence coincides closely with the law enforcement takedown of the LockBit ransomware group, hinting at potential collaboration or shared resources.

Trend Micro's August 2023 revelation of a Rhadamanthys variant bundled with a leaked LockBit payload suggests ongoing evolution within the malware landscape. Additionally, the emergence of new stealer malware families like Sync-Scheduler and Mighty Stealer, alongside the evolution of existing strains like StrelaStealer, underscores the persistent threat to cybersecurity. Stay vigilant against phishing attacks and fortify your defences! 🔐📉

Join the webinar on April 10: Combating threats through continuous compliance with Vanta, CrowdStrike, and AWS

As the movement towards cloud-first continues, how can teams ensure their cloud security and compliance programs are optimized? On April 10, join leaders from Vanta, CrowdStrike, and AWS as they discuss ways to leverage continuous compliance and security to proactively monitor cloud infrastructure.

Hackson Fury: Ya big DoSser! 👀🥊😂

🚨 New Security Threat in HTTP/2 Protocol! 🔍

Recent research uncovered a vulnerability dubbed the HTTP/2 CONTINUATION Flood, allowing denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski alerted CERT Coordination Center (CERT/CC) about this on January 25, 2024. 📢📢 📢

CERT/CC issued a warning on April 3, 2024, stating that many HTTP/2 implementations don't adequately limit CONTINUATION frames, enabling attackers to overload servers with a flood of frames, potentially causing crashes or performance issues. 🚨

In HTTP/2, header fields are transmitted as header blocks, which are broken into fragments and sent within HEADERS or CONTINUATION frames. Attackers exploit this by sending a stream of CONTINUATION frames that never set the END_HEADERS flag, so the server keeps buffering an ever-growing header block and is overwhelmed. 🔄

This vulnerability 💥, more severe than previous threats, impacts various projects including Apache HTTP Server, Node.js, and Golang. Upgrading software is crucial to mitigate risks. If an update isn't available, consider temporarily disabling HTTP/2.

Stay vigilant! 🛡️ Ensure your systems are protected against this emerging threat. For more details, refer to the CVE IDs associated with affected projects.
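To make the defensive fix concrete, here is an added example (written for this newsletter, not taken from CERT/CC, the researcher, or any of the affected projects) of the check a server's frame layer needs: a small HTTP/2 frame reader that assembles HEADERS + CONTINUATION fragments but refuses to buffer past a size limit or a frame-count limit. The limits (16 KiB, 8 frames), the helper names, and the sample frame sequences are all assumptions constructed for the example; padding/priority fields and HPACK decoding are left out.

```python
"""Toy HTTP/2 frame reader that bounds header-block assembly (added example).

Assumed, illustrative limits; HEADERS padding/priority fields and HPACK
decoding are deliberately omitted to keep the check itself visible.
"""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Assumed policy values for this example, not taken from any real server.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8


class H2ProtocolError(Exception):
    """Peer violated framing rules; the connection should be closed."""


class ContinuationFlood(H2ProtocolError):
    """Header block exceeded the configured size or frame-count limit."""


def encode_frame(frame_type, flags, stream_id, payload):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    length = struct.pack(">I", len(payload))[1:]  # low 3 bytes of the 4-byte integer
    header = length + bytes([frame_type, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from a byte string of frames."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type = data[offset + 3]
        flags = data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) != length:
            raise H2ProtocolError("truncated frame")
        yield frame_type, flags, stream_id, payload
        offset = start + length


class HeaderBlockAssembler:
    """Collects HEADERS + CONTINUATION fragments for one stream under hard limits."""

    def __init__(self, max_bytes=MAX_HEADER_BLOCK_BYTES, max_continuations=MAX_CONTINUATION_FRAMES):
        self.max_bytes = max_bytes
        self.max_continuations = max_continuations
        self._reset()

    def _reset(self):
        self.stream_id = None
        self.buf = bytearray()
        self.continuations = 0

    def feed(self, frame_type, flags, stream_id, payload):
        """Return the completed header block, or None while more frames are expected."""
        if frame_type == TYPE_HEADERS:
            if self.stream_id is not None:
                raise H2ProtocolError("HEADERS while another header block is open")
            self.stream_id = stream_id
        elif frame_type == TYPE_CONTINUATION:
            if self.stream_id is None or stream_id != self.stream_id:
                raise H2ProtocolError("CONTINUATION without a matching open HEADERS")
            self.continuations += 1
            if self.continuations > self.max_continuations:
                raise ContinuationFlood(f"more than {self.max_continuations} CONTINUATION frames")
        else:
            if self.stream_id is not None:
                raise H2ProtocolError("frame interleaved inside a header block")
            return None  # unrelated frame type; not handled by this toy
        # Bound memory growth no matter how the peer splits the fragments.
        if len(self.buf) + len(payload) > self.max_bytes:
            raise ContinuationFlood(f"header block larger than {self.max_bytes} bytes")
        self.buf.extend(payload)
        if flags & FLAG_END_HEADERS:
            block = bytes(self.buf)
            self._reset()
            return block
        return None


def run_connection(data, max_bytes=MAX_HEADER_BLOCK_BYTES, max_continuations=MAX_CONTINUATION_FRAMES):
    """Feed raw frames through the assembler.

    Returns (status, completed_blocks, frames_accepted); "rejected" means a real
    server would send GOAWAY and close instead of buffering further.
    """
    asm = HeaderBlockAssembler(max_bytes, max_continuations)
    completed, accepted = [], 0
    try:
        for frame in iter_frames(data):
            block = asm.feed(*frame)
            accepted += 1
            if block is not None:
                completed.append(block)
    except ContinuationFlood:
        return "rejected", completed, accepted
    return "ok", completed, accepted


def legitimate_exchange():
    """Constructed sample: one header block split across HEADERS + two CONTINUATIONs."""
    return (encode_frame(TYPE_HEADERS, 0, 1, b"fragment-1-")
            + encode_frame(TYPE_CONTINUATION, 0, 1, b"fragment-2-")
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"fragment-3"))


def flood_exchange(frames=50):
    """Constructed sample of the pattern the article describes: END_HEADERS never set."""
    data = encode_frame(TYPE_HEADERS, 0, 1, b"x" * 1000)
    for _ in range(frames):
        data += encode_frame(TYPE_CONTINUATION, 0, 1, b"x" * 1000)
    return data


if __name__ == "__main__":
    print(run_connection(legitimate_exchange())[0])  # ok
    print(run_connection(flood_exchange())[0])       # rejected
```

The important design point is that both limits are enforced before the fragment is appended, so the per-connection buffer can never exceed the configured ceiling; an implementation that only checks after END_HEADERS arrives is exactly the unbounded-buffering behaviour the advisory describes.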

That’s all for this week folks and keep your eyes peeled for new exclusive content coming this weekend. 🚀🚀🚀

Stay safe, cyber squad! 🦺

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
