Deepfakes employed by Chinese hackers in mobile banking attacks

Feb 16 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that fry day feeling. So, let’s get cooking!

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch!

Check out these freshly hatched patches:

Happy Shrove Patch Tuesday

Microsoft’s February Patch Tuesday Update: 73 Flaws Fixed!

Microsoft’s latest Patch Tuesday has rolled out, addressing a whopping 73 security vulnerabilities across its software lineup, including 2 zero-days actively exploited by cyber attackers. Among these, 5 are rated critical, 65 important, and 3 moderate in severity. Notably, 24 fixes have been implemented in the Chromium-based Edge browser since January.

Key Vulnerabilities

  • CVE-2024-21351: Windows SmartScreen Bypass (CVSS: 7.6)

  • CVE-2024-21412: Internet Shortcut Files Bypass (CVSS: 8.1)

These flaws allow attackers to inject and execute malicious code, circumventing security measures like SmartScreen. Users should beware of opening suspicious files to avoid exploitation. CVE-2024-21351 marks the second SmartScreen bypass after CVE-2023-36025, exploited by multiple hacking groups. Trend Micro links CVE-2024-21412 to Water Hydra’s advanced attacks targeting financial markets.
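For defenders, the Internet Shortcut entry above is the one that turns into a concrete mail-gateway check: a `.url` file is a tiny INI-style text file, so its target can be inspected before a user ever double-clicks it. The script below is an added example written for this edition, not code from Microsoft or from any of the research cited. It parses the `[InternetShortcut]` section, classifies the `URL=` target and returns a verdict per file. The sample shortcut contents and the allow/review/block policy (plain web links allowed, UNC and `file:` targets blocked, web links pointing straight at an executable or another shortcut held for review) are constructed assumptions for an attachment filter, not details of how the CVE itself is exploited.

```python
"""Triage Windows Internet Shortcut (.url) attachments before a user opens them."""
from urllib.parse import urlparse

# Constructed sample .url files (not taken from any real campaign).
# Each value is the raw text of one file; .url files are INI-style text.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/docs/report.html\r\n",
    "remote_share.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.url\r\nIconIndex=0\r\n",
    "unc_path.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\update.exe\r\n",
    "direct_exe.url": "[InternetShortcut]\r\nURL=http://example.net/files/setup.exe\r\n",
    "malformed.url": "URL=https://example.org\r\n",  # no [InternetShortcut] header
}

# Assumed policy: web links that resolve directly to one of these are held for review.
RISKY_EXTENSIONS = (".exe", ".msi", ".lnk", ".url", ".scr", ".hta",
                    ".js", ".vbs", ".bat", ".cmd", ".ps1")


def parse_url_file(text):
    """Return lower-cased key/value pairs from the [InternetShortcut] section.

    Returns None when the file has no [InternetShortcut] section at all.
    """
    section = None
    found = False
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            found = found or section == "internetshortcut"
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields if found else None


def classify_target(url):
    """Return (verdict, reason) for the URL= value of a shortcut."""
    if url.startswith("\\\\"):
        return "block", "UNC path to a remote share"
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        return "block", "file: URL (local or remote file system target)"
    if scheme not in ("http", "https"):
        return "review", f"unexpected scheme {scheme!r}"
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        return "review", "web URL pointing straight at an executable or another shortcut"
    return "allow", "ordinary web link"


def triage(name, text):
    """Classify one shortcut file; malformed files are never silently allowed."""
    fields = parse_url_file(text)
    if fields is None or "url" not in fields:
        return name, "review", "malformed shortcut: no [InternetShortcut] URL= entry"
    verdict, reason = classify_target(fields["url"])
    return name, verdict, reason


def triage_all(samples=SAMPLES):
    """Map each sample file name to its verdict."""
    return {name: triage(name, text)[1] for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        _, verdict, reason = triage(name, text)
        print(f"{name:<18} {verdict:<7} {reason}")
```

The parser is deliberately stricter than Windows itself: a file without an `[InternetShortcut]` section, or with no `URL=` key, is routed to review rather than allowed, because the filter's job is to refuse anything it cannot positively classify.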

Critical Flaws Patched

  • Windows Hyper-V DoS

  • Windows PGM Remote Code Execution

  • Microsoft Dynamics NAV Info Disclosure

  • Microsoft Exchange Server Privilege Escalation

  • Microsoft Outlook Code Execution

Better luck next time! Exchange Server exploited the day after the patch…

Critical Exchange Server Flaw Exploited in the Wild!

Microsoft has confirmed active exploitation of a critical security flaw in Exchange Server, tracked as CVE-2024-21410 (CVSS: 9.8), just a day after releasing patches as part of its Patch Tuesday updates. This flaw allows attackers to escalate privileges, potentially compromising Exchange servers.

Key Details

  • Attackers can exploit an NTLM credentials-leaking vulnerability in Outlook to gain privileges on the Exchange server.

  • Redmond warns that successful exploitation enables attackers to authenticate as users and perform malicious operations.

  • Microsoft has enhanced protection with Extended Protection for Authentication (EPA) enabled by default in Exchange Server 2019 CU14.
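Extended Protection for Authentication is the control that breaks the NTLM relay path described above, so the practical question for a server that is not yet on CU14 is whether EPA is actually enforced on each virtual directory. The Python below is an added example, not Microsoft's own Exchange tooling: it reads the `extendedProtection` element under each IIS `location` in an applicationHost.config and reports the `tokenChecking` level wherever Windows authentication is enabled (IIS treats a missing element as `None`). The XML is a constructed sample with the shape of Exchange virtual directories, and the policy of demanding `Require` everywhere is an assumption for illustration; Microsoft's per-directory guidance is the real reference.

```python
"""Audit IIS applicationHost.config for Extended Protection for Authentication (EPA)."""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an applicationHost.config.
# Location paths mimic Exchange virtual directories; the values are made up.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/Rpc">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""


def audit_extended_protection(config_xml):
    """Return {location path: tokenChecking} for every location with Windows auth enabled.

    A missing <extendedProtection> element is reported as "None", which is the IIS default.
    Locations where Windows authentication is disabled are skipped: NTLM is not offered there.
    """
    root = ET.fromstring(config_xml)
    results = {}
    for loc in root.iter("location"):
        path = loc.get("path", "")
        # iter() by tag avoids spelling out the dotted system.webServer path
        win = next(loc.iter("windowsAuthentication"), None)
        if win is None or win.get("enabled", "false").lower() != "true":
            continue
        ep = win.find("extendedProtection")
        results[path] = ep.get("tokenChecking", "None") if ep is not None else "None"
    return results


def find_unprotected(config_xml, required="Require"):
    """List locations where NTLM auth is on but EPA is weaker than the assumed policy level."""
    levels = audit_extended_protection(config_xml)
    return sorted(path for path, level in levels.items() if level != required)


if __name__ == "__main__":
    for path, level in audit_extended_protection(SAMPLE_CONFIG).items():
        print(f"{path:<32} tokenChecking={level}")
    print("needs attention:", find_unprotected(SAMPLE_CONFIG))
```

On a real server the input would be `%windir%\System32\inetsrv\config\applicationHost.config`; the function only reads the file, so it is safe to run as part of a routine configuration check.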

Potential Threat Actors

While specific details of exploitation are unclear, Russian state-affiliated groups like APT28 have a history of similar attacks.

Trend Micro implicates APT28 in NTLM relay attacks targeting various high-value sectors since April 2022.

Stay vigilant and update systems promptly!

Now, on to today’s hottest cybersecurity stories:

  • Deepfakes employed by Chinese hackers in mobile banking attacks

  • UPDATE: Atlassian vulnerability to blame in January’s GAO breach

  • Move over Turla. Meet Tiny Turla, coming to a Polish NGO near you

You heard about the Chinese godfather? He made them an offer they couldn’t understand.

GoldFactory: Masterminds Behind Sophisticated Mobile Banking Trojans

A Chinese-speaking threat actor group known as GoldFactory has been identified as the brains behind highly advanced banking trojans, including a newly discovered iOS malware named GoldPickaxe.

GoldPickaxe targets both iOS and Android platforms, gathering identity documents and facial recognition data and intercepting SMS messages. The group is believed to have close ties to Gigabud and has been active since mid-2023, primarily targeting the Asia-Pacific region, particularly Thailand and Vietnam.

This sophisticated malware is distributed through smishing and phishing campaigns, with Android variants often hosted on counterfeit websites mimicking Google Play Store pages. The iOS version utilises Apple’s TestFlight platform and booby-trapped URLs to trick users into downloading rogue apps.

Notably, GoldPickaxe for iOS sidesteps security measures, including facial recognition for transaction confirmation, by using deepfake videos created from victim recordings. Both Android and iOS variants collect ID documents, intercept SMS messages, and proxy traffic, potentially enabling unauthorised fund transfers.

While the iOS variant is limited due to Apple’s closed ecosystem, the Android version, an evolution of GoldDiggerPlus, targets over 20 applications to steal credentials. It abuses Android’s accessibility services to log keystrokes and extract on-screen content.

GoldFactory’s arsenal also includes GoldDigger, which targets Vietnamese financial apps, and GoldKefu, an embedded trojan used in conjunction with GoldDiggerPlus to steal banking credentials. These trojans employ various tactics like fake overlays and fake bank alerts to deceive victims.

To mitigate these threats, users are advised to avoid clicking on suspicious links, install apps only from trusted sources, and review app permissions regularly. GoldFactory’s operational sophistication underscores the evolving landscape of mobile malware and the need for heightened cybersecurity measures.

They finally got to the bottom of it, at long Lassian

Government Accountability Office (GAO) Breach ⚠️

The Government Accountability Office (GAO) recently suffered a data breach affecting thousands of current and former employees, along with some affiliated companies, due to a vulnerability in the Atlassian Confluence workforce collaboration tool.

The breach, disclosed by GAO contractor CGI Federal, impacted approximately 6,600 individuals, primarily GAO employees from 2007 to 2017. The vulnerability, actively exploited by malicious actors, allowed unauthorised access to victim systems even after patching.

Despite a CISA advisory in October warning of the vulnerability, there was a three-month gap before GAO was notified in January 2024. CGI Federal has since taken remediation actions and is collaborating with authorities to address the breach.

Atlassian, the provider of Confluence, alerted customers promptly and emphasised the importance of immediate action to safeguard data. The GAO is conducting an investigation into the breach’s cause and plans to provide identity theft monitoring services to affected individuals.

This incident underscores the critical importance of timely vulnerability management and proactive cybersecurity measures to protect sensitive data from evolving threats.

Catch of the Day!!

Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

NGOh-no!

Turla Threat Actor Strikes with TinyTurla-NG Backdoor

A recent campaign targeting Polish non-governmental organisations has shed light on the activities of the Russia-linked threat actor Turla, known for its association with the Federal Security Service (FSB).

Cisco Talos has uncovered a new backdoor dubbed TinyTurla-NG, reminiscent of the previously documented TinyTurla implant. These “last chance” backdoors serve as a failsafe for the threat actor when other access methods have been compromised or detected.

This sophisticated actor, also known by various aliases, including Iron Hunter and Snake, has a history of targeting defence sectors in Ukraine and Eastern Europe. In this latest campaign, TinyTurla-NG was observed in operation from December 2023 to January 2024, leveraging compromised WordPress sites as command-and-control servers.

The backdoor allows for remote command execution via PowerShell or Command Prompt, facilitating the download and upload of files as well as the execution of malicious scripts. Particularly concerning is the deployment of PowerShell scripts like TurlaPower-NG, designed to extract sensitive password database information from popular password management software.

This revelation coincides with reports of Russian nation-state actors exploring advanced AI tools, including large language models like ChatGPT, to delve into satellite communication protocols and radar imaging technologies.

As threat actors continue to evolve their tactics, organisations must remain vigilant and bolster their cybersecurity defences to safeguard against sophisticated cyber threats.

Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20-year veteran ‘Wealthy Primate’ might be able to help you climb that tree with his stick and banana approach.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch, etc.).

Let us know what you think.

So long and thanks for reading all the phish!
