Aug 31 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes cyber-attacks only happened once in a #SuperBlueMoon
Today's hottest cybersecurity news stories:
China-linked BadBazaar Android spyware targets Signal & Telegram users
Source Code 2: this time it's (dev) personal. Malicious packages steal source code
Russiagate: Putin puts in a BAD word for Ukraine w/ fake Washington Post, Fox stories
Cybersecurity researchers have uncovered trojanized Android apps on the Google Play Store and Samsung Galaxy Store carrying the BadBazaar spyware, which steals sensitive information from infected devices.
Slovak firm ESET has attributed the campaign to the China-aligned GREF group. The two apps, FlyGram and Signal Plus Messenger, have been distributing BadBazaar since July 2020 and July 2022 respectively, both through the legitimate app stores and through dedicated rogue websites.
Primary targets are in Germany, Poland and the U.S., with further victims in Ukraine, Australia, Brazil and other countries.
BadBazaar was first documented in 2022, targeting the Uyghur community in China. It collects call logs, text messages and location data without the victim's knowledge.
While Google has removed both apps from Google Play, they were still available in the Samsung Galaxy Store at the time of the report. The malicious apps are:
Signal Plus Messenger (100+ downloads on Google Play)
FlyGram (5,000+ downloads on Google Play)
Victims were also lured into installing the apps via a Uyghur Telegram group with over 1,300 members.
The spyware can access Signal PINs and Telegram backups. Signal Plus Messenger can spy on a victim's Signal chats without any user action: it silently links an attacker-controlled device to the account through Signal's legitimate "link device" feature. Anyone who installed it should open Signal's Settings > Linked devices (and Telegram's Settings > Devices) and remove anything they don't recognise.
FlyGram uses SSL pinning to hinder analysis, making its network traffic hard to intercept. Around 13,953 accounts have activated its Cloud Sync feature, which uploads a backup of the user's Telegram data to an attacker-controlled server.
ESET continues to track GREF, but links to APT15 remain inconclusive. BadBazaar's main goal is to steal data, contacts and call logs and to spy on Signal messages.
Stay vigilant against suspicious apps!
I came across ZZZ money club during the crypto market bull run, when everyone's a winner; even during the bear market this Discord group has been amazing at giving information on projects and ways to make passive income in various ways.
The group is very active and everyone in this private Discord group is very chatty and helpful.
It's run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.
If you are interested in joining the group you can through the link below.
π΅οΈββοΈ An undisclosed threat actor is using sneaky npm packages to steal source code and config files from developers' machines π₯οΈ. This highlights the lurking threats in open-source repositories.
π Software security firm Checkmarx revealed that this campaign traces back to 2021, with the threat actor consistently publishing harmful packages π». The recent report expands on a previous Phylum disclosure, where npm modules were manipulated to send sensitive data to a remote server π€.
βοΈ The packages are designed to trigger right after installation through a package.json file. This initiates the launch of preinstall.js, which then captures system data, source code, and secrets from specific folders π.
π¦ The attack finale involves compressing the data into a ZIP file and sending it to a preset FTP server π‘.
π All the packages have "lexi2" as the author in package.json, indicating their origins reaching back to 2021 π.
πͺ The campaign appears focused on the cryptocurrency sector, hinted by package names like binarium-client, binarium-crm, and rocketrefer π.
π‘οΈ Security researcher Yehuda Gelb emphasised the persistence and careful planning of these attacks, reminding us of the ongoing dangers in the cryptocurrency realm and the broader cybersecurity landscape π.
Stay vigilant! π«π
Each fortnight, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell
The Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.
ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.
Let us know what you think!
A recent report from Meta reveals that a Russian disinformation campaign has been distributing fake articles mimicking The Washington Post and Fox News, aiming to undermine support for Ukraine.
The campaign has expanded its focus from Germany, France and Ukraine to target the United States.
Meta identified the companies behind it as Structura National Technology and Social Design Agency, both previously sanctioned by the EU, and described the operation as "the largest and most aggressive covert influence operation from Russia since 2017".
Named "Doppelganger", the operation publishes false stories critical of Ukraine's President and U.S. President Biden and spreads them across social media platforms.
The spoofs were elaborate, including a fabricated Washington Post article suggesting Ukraine's President was a CIA puppet. The operation imitated real journalists and used genuine bylines.
The campaign began after Russia's invasion of Ukraine the previous year, mimicking reputable outlets such as The Guardian and Der Spiegel. Even a UN-confirmed massacre was twisted by the operation to frame Ukraine as the perpetrator.
Meta calls for stronger domain name abuse policies to counter these threats, since the spoofed sites depend on registering look-alike domains. The report highlights the need for industry-wide action to guard against such manipulative tactics and protect online users.
That's all for today, folks!
Remember to always stay one step ahead of cyber threats! Stay safe, cyber-squad!
So long and thanks for reading all the phish!