Nov 08 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter and we for one welcome our new insect overlords 😂😂😂 #Trump
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Google, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Google Warns of Actively Exploited Android Security Flaw – Update Now! 👇
Google has flagged CVE-2024-43093, a privilege escalation flaw in the Android Framework component that is under active exploitation in the wild! ⚠️ The flaw could allow unauthorised access to critical directories like Android/data, Android/obb, and Android/sandbox, exposing sensitive app data. 🔓 Details on how it’s being weaponised are sparse, but Google notes that limited, targeted exploitation is underway. 📲💥
Additionally, a Qualcomm DSP vulnerability (CVE-2024-43047) has also been actively exploited, causing memory corruption. This bug, identified by Google Project Zero and Amnesty International Security Lab, might be part of spyware attacks aimed at civil society groups. 🌐🔒 While it’s unclear if these vulnerabilities are being chained together for broader exploits, Android users are urged to update immediately to guard against these active threats! 🚀🔧
Now, on to this week’s hottest cybersecurity news stories:
👮 Interpol cracks down on cybercrime by disrupting 22k servers 🌐
🕵🏻♂️ FBI asks public for help identifying elusive Chinese hackers 👨🏻💻
🐼 'ToxicPanda' targets users with fraudulent money transfers 💱
Operation Synergia II Strikes Cyber Threats 💥
INTERPOL's global operation, Synergia II, has successfully dismantled over 22,000 malicious servers linked to phishing, ransomware, and info-stealing malware. Running from April to August 2024, this crackdown targeted approximately 30,000 suspicious IPs, leading to a 76% takedown success rate and the seizure of 59 servers.
Global Impact 🌎
The international effort led to 41 arrests, with 65 more under investigation. Key actions across countries include:
Hong Kong: Shut down over 1,037 servers 🚫
Mongolia: Seized a server, identifying 93 individuals linked to cybercrime 📋
Macau: Disrupted 291 servers 💥
Madagascar: Identified 11 individuals and seized multiple devices 📱
Estonia: Captured 80GB of critical data 💽
Private Sector Partnerships 🤝
Tech giants like Group-IB, Kaspersky, Team Cymru, and Trend Micro collaborated on this mission. Group-IB alone identified over 2,500 IP addresses tied to phishing sites and nearly 1,300 IPs associated with malware across 84 countries.
Team Cymru’s Role 🔎
David Monnier from Team Cymru emphasised their focus on identifying and mapping the extensive web of malicious servers rather than dissecting individual malware types. This strategic approach aimed to map tens of thousands of nodes for a broader view of cybercrime infrastructure.
Phase 1: Synergia’s Origins 🏁
The first phase, in late 2023, led to 31 arrests and the identification of 1,300 IPs and URLs tied to phishing, banking malware, and ransomware—laying the groundwork for Synergia II’s expanded mission.
Final Thoughts 💡
With Phase 2 yielding even more significant results, INTERPOL’s efforts showcase the power of global cooperation in tackling cyber threats. Stay vigilant; cybercriminals now face a united front!
🚀 Earn 15%+ APY on BTC + 3X Lombard Points
💥 MORE points: Babylon, Symbiotic & Corn, Etherfi Veda, and VCX
🔥 $300K VCX pool + 2X multiplier in week 1 – Act fast!
FBI Calls for Action 🚨
The FBI is turning to the public for help in identifying those responsible for a major cyber campaign targeting edge devices and networks in both government and business sectors. An advanced threat group is believed to have leveraged a firewall vulnerability (CVE-2020-12271) to breach firewalls globally, syphoning sensitive data from critical infrastructure.
Sophos Reports: A History of Attacks 📊
According to cybersecurity firm Sophos, the breaches began in 2018 and continued through 2023, with attackers exploiting vulnerabilities in edge devices. These campaigns, codenamed "Pacific Rim," focused on surveillance, sabotage, and cyber espionage, targeting infrastructure in South and Southeast Asia. The attackers—thought to be Chinese state-sponsored groups like APT31, APT41, and Volt Typhoon—reportedly aimed at nuclear facilities, airports, government ministries, and military hospitals.
Targeted Vulnerabilities 🛡️
Sophos identified multiple exploited vulnerabilities in firewall appliances, including CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236. The attacks became more focused over time, shifting from broad campaigns to specific targets such as healthcare, government, and military sectors in Asia-Pacific.
Pygmy Goat: The Sneaky Backdoor 🐐
A novel backdoor, “Pygmy Goat,” used by attackers, offered persistent remote access to targeted firewalls, enabling them to quietly collect data and avoid detection. The U.K. National Cyber Security Centre described the malware’s design as clean and efficient, indicating skilled development.
Suspected Ties to Chinese Institutions 🎓
Sophos suggests that research institutions in Sichuan, China, may have developed some of these exploits. Researchers are suspected of sharing vulnerabilities with state actors through government-mandated disclosure, fueling attacks carried out by Chinese state-sponsored groups.
Increasing Risks on Edge Devices 🔍
The report aligns with recent findings of Chinese groups using botnets like KV-Botnet to conduct reconnaissance. This trend underscores the rising threat to edge network devices and the value they represent in cyber espionage campaigns worldwide.
Craving knockout rest that doesn’t leave you groggy?
CBDistillery’s Enhanced Deep Sleep Gummies are formulated to relax your body and mind and keep you asleep through the night. Try them risk-free and save 25% on your first order with code SLP25.
ToxicPanda Malware Infections Surge 📱
A newly discovered Android malware strain, ToxicPanda, has compromised over 1,500 devices worldwide, focusing on financial gain through unauthorised banking transactions. This banking trojan allows cybercriminals to execute fraudulent transfers by taking over victims' accounts through a method known as on-device fraud (ODF), bypassing traditional security measures like identity verification.
Cleafy Research Reveals Key Insights 🔍
The malware, attributed to a Chinese-speaking threat actor, bears similarities to TgToxic—a previous Android malware variant documented by Trend Micro. ToxicPanda seems to be in early development stages, displaying fewer obfuscation measures than TgToxic but introducing 33 unique commands for broader data theft. ToxicPanda has mainly infected users in Italy (56.8%), Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%).
How ToxicPanda Operates ⚙️
ToxicPanda is disguised as popular apps, including Google Chrome and Visa, and distributed through counterfeit pages mimicking legitimate app stores. After being sideloaded, it exploits Android's accessibility services to gain elevated permissions, intercepting SMS-based one-time passwords and bypassing two-factor authentication. The malware enables attackers to remotely control devices, initiating unauthorised transfers without users’ knowledge.
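Because ToxicPanda (like HookBot, covered below) depends on being granted accessibility-service privileges, a quick defender-side check on a managed Android device is to list which packages currently hold that privilege and flag any that are not expected. The script below is an added example, not code from the newsletter or from Cleafy; it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (colon-separated `package/serviceClass` entries, or `null` when none are enabled). The sample value and the allowlist are constructed for the example, and the package names in it are hypothetical placeholders, not real indicators.

```python
# Added example (not from the newsletter): flag enabled Android accessibility
# services whose package is not on an allowlist. Banking trojans such as
# ToxicPanda rely on accessibility-service privileges, so an unexpected entry
# here is worth investigating on a managed device.
from __future__ import annotations

# Raw format of: adb shell settings get secure enabled_accessibility_services
# Entries are "package/serviceClass" separated by ':'; "null" means none set.
# CONSTRUCTED sample for this example; package names are hypothetical.
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/.svc.RemoteAccessService"
)

# Assumed allowlist: packages an organisation expects to hold this privilege.
ALLOWED_PACKAGES = frozenset({
    "com.android.talkback",
    "com.google.android.marvin.talkback",
})


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, service_class) pairs.

    Relative class names such as ".svc.Foo" are resolved against the package,
    the same way Android's ComponentName shorthand works.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than crash
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def find_unexpected_services(raw: str, allowed=ALLOWED_PACKAGES) -> list[str]:
    """Return 'package/class' for every enabled service not on the allowlist."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(raw)
        if pkg not in allowed
    ]


if __name__ == "__main__":
    # In practice, feed in the live output of the adb command above
    # (assumes adb is installed and the device is authorised for debugging).
    for svc in find_unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", svc)
```

On a real fleet the allowlist would come from device-management policy rather than a hard-coded set, and a hit should be paired with the package's install source (sideloaded packages are the delivery route described above).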
Behind the Scenes: C2 Panel Control 👨💻
Researchers gained access to ToxicPanda’s command-and-control (C2) panel, showing operators can monitor infected devices by model, location, and status, and even access devices in real-time. The C2 interface, presented in Chinese, reinforces the suspicion of a China-based origin.
Rising Android Malware Landscape 📈
ToxicPanda’s emergence follows the discovery of HookBot—an Android trojan also exploiting accessibility services to overlay fake login screens and harvest user data. Targeting financial institutions and services like Airbnb, Coinbase, and PayPal, HookBot also spreads via WhatsApp messages, logging keystrokes and screenshots to steal sensitive data. HookBot is sold through a malware-as-a-service (MaaS) model on Telegram, allowing other criminals to generate and deploy new malware samples.
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!