Jun 20 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that doesn't know who it hates more, cybercriminals or Just Stop Oil (Just Spoil?) #StoneHenge
Today's hottest cybersecurity news stories:
Don't answer the call! markopolo scams crypto users with fake "meeting software"
Beware! Chinese speakers targeted with malicious VPN installers
Don't cry over spilt milk! Mailcow flaws discovered and patched
Meet the Scammer: markopolo
A threat actor operating under the alias markopolo has been identified targeting cryptocurrency users with information-stealing malware. The scam is large-scale and spreads across social media platforms.
Fake Apps & Malware
Malicious Software: Vortax, a fake virtual meeting app, plus 23 other malicious applications
Malware Deployed: Rhadamanthys and StealC on Windows; Atomic macOS Stealer (AMOS) on macOS
Target: Cryptocurrency users
Social Media Deception
Platforms: A dedicated Medium blog stuffed with AI-generated articles and a verified X (formerly Twitter) account
Method: Vortax is promoted as legitimate meeting software; downloading it requires a RoomID, and the installer drops the infostealer
Campaign Tactics
Techniques: The 24 fake apps share hosting and command-and-control (C2) infrastructure, which is what ties them to one operator
Strategy: Quickly abandon lures once they are detected and pivot to new ones
Infostealer Threats
Recent Target: Credentials harvested by infostealers were used in the recent compromises of Snowflake customer accounts, and campaigns like markopolo's are exactly where such credentials come from
Cloud Storage Abuse: Separately, Enea revealed SMS scammers hosting phishing pages on cloud storage services (Amazon S3, Google Cloud Storage and others)
How It Works
Links Distributed via SMS: The links point at trusted cloud storage domains, so they look legitimate and pass URL filters and firewalls
Redirection: The storage bucket serves a static website whose only job is to forward the visitor to an embedded spam URL
Final Stage: The visitor lands on a phishing page that harvests personal and financial information
Security Reminder
Stay Vigilant: Always verify app sources, avoid suspicious links and keep your security software updated to protect against these evolving threats!
Stay safe in the digital world!
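To make the chain concrete, here is a small triage helper that walks it: pull the URL out of an SMS, check whether it points straight at an object-storage endpoint, fetch the static page and list where it forwards the visitor. This is an added example written for this newsletter, not Enea's tooling; the storage-domain list is an assumption (a starting point, not an inventory), and the SMS text, bucket name and page HTML are constructed for the demo (the .example domains are reserved and resolve nowhere).

```python
"""Triage helper for the SMS -> cloud-storage bucket -> phishing-page chain.
Added example, not Enea's research tooling. Domain list, SMS, bucket name
and HTML are assumptions/constructed samples."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Object-storage hostnames that URL filters tend to trust (assumption: extend
# this for the providers you actually see in your telemetry).
CLOUD_STORAGE_DOMAINS = (
    "s3.amazonaws.com",
    "storage.googleapis.com",
    "backblazeb2.com",
    "cloud-object-storage.appdomain.cloud",
)
S3_REGIONAL = re.compile(r"(^|\.)s3[.-][a-z0-9-]+\.amazonaws\.com$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_urls(sms_text):
    """Pull every http(s) URL out of an SMS body."""
    return URL_RE.findall(sms_text)


def is_cloud_storage_host(url):
    """True when the link points straight at a cloud object-storage endpoint."""
    host = (urlparse(url).hostname or "").lower()
    if S3_REGIONAL.search(host):
        return True
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


class RedirectFinder(HTMLParser):
    """Collect the places a static page can forward a visitor to."""

    def __init__(self):
        super().__init__()
        self.targets = []        # (mechanism, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True
        elif tag == "a" and (a.get("href") or "").lower().startswith("http"):
            self.targets.append(("link", a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here verbatim; catch location assignments.
        if self._in_script:
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.targets.append(("script", m.group(1)))


def find_redirects(html_text):
    p = RedirectFinder()
    p.feed(html_text)
    p.close()
    return p.targets


def triage_sms(sms_text, fetch):
    """fetch(url) -> HTML or None. Returns one finding per URL in the SMS."""
    findings = []
    for url in extract_urls(sms_text):
        hops = []
        if is_cloud_storage_host(url):
            body = fetch(url)
            if body:
                bucket_host = urlparse(url).hostname
                for mechanism, target in find_redirects(body):
                    # A hop off the trusted bucket domain is the tell.
                    off_domain = urlparse(target).hostname != bucket_host
                    hops.append({"via": mechanism, "to": target, "off_domain": off_domain})
        findings.append({"url": url, "cloud_storage": is_cloud_storage_host(url), "hops": hops})
    return findings


# Constructed sample: the SMS lure and the page the bucket would serve.
SAMPLE_SMS = ("Your parcel could not be delivered. Reschedule within 24h: "
              "https://parcel-notice-8231.s3.amazonaws.com/index.html")
SAMPLE_PAGES = {
    "https://parcel-notice-8231.s3.amazonaws.com/index.html": """
<html><head>
<meta http-equiv="refresh" content="0; url=https://parcel-verify.example/login">
</head><body>
<script>
  setTimeout(function () { window.location.href = "https://parcel-verify.example/login?src=sms"; }, 500);
</script>
<p>Redirecting...</p>
</body></html>""",
}


def demo():
    """Run the triage offline against the constructed sample."""
    return triage_sms(SAMPLE_SMS, SAMPLE_PAGES.get)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production you would replace the dictionary lookup with a sandboxed fetch and feed every off-domain hop into your URL reputation pipeline; the point is that blocking on the bucket hostname alone is useless, since that hostname is precisely what the scammer chose for its good reputation.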
New Threat Cluster Alert!
Chinese-speaking users are under attack from a new threat activity cluster tracked as Void Arachne, which uses malicious Windows Installer (MSI) files to deliver the Winos 4.0 command-and-control (C&C) framework.
Malicious Software
MSI Files: Disguised as VPN clients and popular software (Google Chrome, LetsVPN, QuickVPN, a Telegram language pack)
Additional Bait: Trojanised MSI files bundled with nudifiers, deepfake pornography generators and AI voice and face-swapping tools
Distribution Tactics
SEO Poisoning & Social Media
SEO Poisoning: Black-hat SEO pushes links to the malware up the search results
Social Media: Links shared in Chinese-language Telegram channels
Messaging Platforms: Fake software download links promoted over messaging apps
Infection Process
ZIP Archives: The links lead to ZIP archives hosted on adversary-controlled infrastructure, which contain the malicious MSI
Firewall Modification: The installer adds firewall rules that allow the malware's inbound and outbound traffic
Second-Stage Payload: The installer decrypts and executes additional malware
Persistence: A VBS script is planted so the malware keeps running after a reboot
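Two of those installer behaviours leave loud traces in process-creation telemetry: a firewall rule being added for a freshly dropped binary, and a VBS script being launched from, or registered to run from, a user-writable directory. The hunting rules below are an added example written for this newsletter, not Trend Micro's detection content. The newsletter does not give the exact commands Void Arachne runs, so the patterns are assumptions covering the usual ways an installer does these things (netsh advfirewall, wscript/cscript, schtasks, a Run key), and the events are constructed.

```python
"""Hunting rules for installer-driven firewall changes and VBS persistence.
Added example, not Trend Micro's content; command patterns are assumptions
and the events below are constructed."""
import re

FIREWALL_RULE_ADD = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bfirewall\b.*\badd\s+rule\b", re.I)
FIREWALL_ALLOW = re.compile(r"\baction\s*=\s*allow\b", re.I)
FIREWALL_PROGRAM = re.compile(r'\bprogram\s*=\s*"?([^"\s]+)', re.I)
VBS_PATH = re.compile(r'([^"\s]+\.vbs)\b', re.I)
VBS_PERSIST = re.compile(
    r"(\bschtasks(?:\.exe)?\b.*/create\b.*\.vbs\b)|(\breg(?:\.exe)?\s+add\b.*\\Run\b.*\.vbs\b)", re.I)
# Directories a standard user can write to (assumption: tune for your estate).
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def image_name(path):
    """Basename of a Windows path, lower-cased, without touching the OS path module."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the rule names an event trips.
    event: {"Image": ..., "ParentImage": ..., "CommandLine": ...}"""
    cmd = event.get("CommandLine", "")
    hits = []
    if FIREWALL_RULE_ADD.search(cmd):
        hits.append("firewall-rule-added")
        prog = FIREWALL_PROGRAM.search(cmd)
        # An allow rule for a binary in a user-writable directory is how a
        # just-dropped payload gets its traffic through.
        if FIREWALL_ALLOW.search(cmd) and prog and USER_WRITABLE.search(prog.group(1)):
            hits.append("firewall-allow-user-writable-program")
    if image_name(event.get("Image", "")) in ("wscript.exe", "cscript.exe"):
        path = VBS_PATH.search(cmd)
        if path and USER_WRITABLE.search(path.group(1)):
            hits.append("vbs-run-from-user-writable")
    if VBS_PERSIST.search(cmd):
        hits.append("vbs-persistence-registered")
    if hits and image_name(event.get("ParentImage", "")) == "msiexec.exe":
        # Suspicious activity spawned directly by an MSI install is the
        # pattern this cluster's lures produce.
        hits.append("spawned-by-msi-installer")
    return hits


def scan(events):
    """(index, hits) for every event that tripped at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed process-creation events: three from a fake VPN install, two benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="VPN Helper" dir=in action=allow '
                    r'program="C:\Users\alice\AppData\Roaming\VPNHelper\svc.exe" enable=yes profile=any'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\VPNHelper\svc.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\VPNHelper\update.vbs"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\VPNHelper\svc.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn "VPN Helper Updater" '
                    r'/tr "wscript.exe C:\ProgramData\VPNHelper\update.vbs" /f'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"netsh advfirewall show allprofiles"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

Run it against Sysmon event ID 1 or Windows 4688 data (with command-line auditing on) rather than the constructed list; the user-writable-path check is what keeps legitimate admin use of netsh and the system's own .vbs tooling out of the results.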
Winos 4.0 Capabilities
Advanced Backdoor
File Management: Full control over files on the infected system
DDoS Attacks: Floods over TCP, UDP, ICMP and HTTP
Surveillance: Webcam control, screenshot capture, microphone recording and keylogging
Remote Shell Access: Full command execution on infected systems
Plugin-Based: 23 components, each available for 32- and 64-bit systems, expandable via external plugins
Security Evasion
Detection Avoidance: Detects security software commonly used in China and tries to bypass it
Main Orchestrator: Loads the plugins, clears logs and downloads additional payloads
Exploiting VPN Demand
Great Firewall of China: Censorship drives strong public demand for VPNs that can get around it
Threat Actor Interest: Void Arachne exploits that demand by disguising its malware as the very VPN software people are searching for
Stay Safe Online!
Verify Software Sources: Download only from trusted sites
Be Cautious: Avoid suspicious links and messages
Update Security: Keep your devices and software up to date
Stay vigilant and protect your digital life!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget and message to captivate your audience.
Launch your campaign, and Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
Security Flaws in Mailcow!
Two vulnerabilities in the Mailcow open-source mail server suite could allow attackers to execute arbitrary code on the server. All versions before 2024-04 are affected.
Disclosed Vulnerabilities
Moderate Severity
CVE-2024-30270 (CVSS 6.7): Path traversal in the rspamd_maps() function lets an attacker overwrite any file the www-data user can modify, which leads to arbitrary command execution.
CVE-2024-31204 (CVSS 6.8): Cross-site scripting (XSS) through the exception handling mechanism, which does not sanitise all exception details before rendering them, allowing script injection into the admin panel.
How They Work
Path Traversal
Impact: Execution of arbitrary commands on the server
Method: A crafted map file name escapes the intended directory and overwrites files modifiable by the www-data user
Cross-Site Scripting
Impact: Session hijacking and privileged actions performed with the admin's session
Method: Malicious scripts injected through unsanitised exception details that the admin panel renders
Combined Attack Scenario
An attacker can craft an HTML email with a CSS background image loaded from a remote URL to trigger the XSS. If an admin views this email while logged into the admin panel, the injected script runs with the admin's session, and chaining it with the path traversal lets the attacker overwrite a file and execute arbitrary code on the server.
Theoretical Attack Example
Step 1: Send an HTML email whose CSS background image points at a remote URL
Step 2: The admin views the email while logged into the admin panel
Result: The XSS payload executes in the admin's session and, chained with the path traversal, leads to arbitrary code execution
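The two bug classes have textbook fixes: resolve the path and refuse anything outside the intended directory, and escape exception text before it becomes HTML. The snippet below shows each vulnerable shape next to its hardened form and how the two chain (the exception message echoes the attacker's input, so the renderer decides whether it becomes markup). It is an added example written for this newsletter in Python, not Mailcow's PHP code: the function names, the maps directory and the error template are assumptions.

```python
"""Path containment and output escaping for the Mailcow bug classes above.
Added example, not Mailcow's code; MAPS_DIR, ERROR_TEMPLATE and the
function names are assumptions."""
import html
import posixpath

MAPS_DIR = "/var/lib/rspamd/maps"   # assumption: stand-in for the real maps directory


def map_path_vulnerable(map_name):
    """Builds the target path straight from the caller-supplied name.
    A name such as "../../../../etc/cron.d/job" escapes MAPS_DIR entirely."""
    return posixpath.normpath(posixpath.join(MAPS_DIR, map_name))


def map_path_safe(map_name):
    """Resolves the name, then refuses anything that lands outside MAPS_DIR.
    The prefix check uses MAPS_DIR + "/" so a sibling like ".../maps2/x" is
    not mistaken for a child of ".../maps". An absolute name is rejected too,
    because posixpath.join discards the base when the second part is absolute."""
    candidate = posixpath.normpath(posixpath.join(MAPS_DIR, map_name))
    if candidate == MAPS_DIR or not candidate.startswith(MAPS_DIR + "/"):
        raise ValueError(f"map name escapes maps directory: {map_name}")
    return candidate


def escapes_maps_dir(map_name):
    """True when the safe resolver rejects the name."""
    try:
        map_path_safe(map_name)
    except ValueError:
        return True
    return False


# Assumption: stand-in for an admin-panel fragment that displays exception details.
ERROR_TEMPLATE = '<div class="alert">Error: {detail}</div>'


def render_error_vulnerable(detail):
    """Drops the exception text into HTML unescaped, which is the XSS."""
    return ERROR_TEMPLATE.format(detail=detail)


def render_error_safe(detail):
    """Escapes <, >, &, and quotes so the detail can only ever be text."""
    return ERROR_TEMPLATE.format(detail=html.escape(detail, quote=True))


def handle_map_update(map_name, render):
    """Admin-panel style handler: the exception message echoes the caller's
    input, so the renderer decides whether that input becomes markup."""
    try:
        return {"ok": True, "path": map_path_safe(map_name)}
    except ValueError as exc:
        return {"ok": False, "html": render(str(exc))}


# Constructed inputs for the demo.
TRAVERSAL_NAME = "../../../../etc/cron.d/job"
XSS_NAME = "../<img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print(map_path_vulnerable(TRAVERSAL_NAME))                            # lands in /etc/cron.d
    print(escapes_maps_dir(TRAVERSAL_NAME))                               # True: rejected
    print(handle_map_update(XSS_NAME, render_error_vulnerable)["html"])   # markup survives
    print(handle_map_update(XSS_NAME, render_error_safe)["html"])         # markup neutralised
```

On a live filesystem use os.path.realpath instead of a lexical normpath so a symlink inside the maps directory cannot point the write elsewhere; and note that the XSS fix lives at the output boundary, not in the exception handler, because the same message may be logged, mailed and rendered, and only the HTML context needs HTML escaping.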
Responsible Disclosure
Reported by: SonarSource on March 22, 2024
Patch Released: April 4, 2024 (version 2024-04)
What to Do
Update Mailcow: Make sure you are running 2024-04 or later, which fixes both vulnerabilities.
Stay secure and keep your systems updated!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!