May 29 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that keeps it 100 even on a bank holiday. Shout out to our UK readers! 😬
Today’s hottest cyber security stories:
Predator Android Spyware: New capabilities discovered
Barracuda warns of zero-day exploitations
Phishing up 356% in 2022
The commercial Android spyware known as Predator, previously marketed by the Israeli company Intellexa (formerly Cytrox), has been extensively analysed by security researchers.
Initially identified by Google’s Threat Analysis Group (TAG) in May 2022, Predator was involved in attacks exploiting five zero-day vulnerabilities in the Chrome web browser and Android operating system.
This spyware, delivered through a loader component called Alien, possesses the capability to capture audio from phone calls and voice over IP (VoIP) applications. It can also collect contacts and messages, including those from popular platforms like Signal, WhatsApp, and Telegram.
Additionally, Predator has features enabling it to hide applications and prevent their execution after a device is restarted.
Cisco Talos, in a technical report, explained that a comprehensive investigation of both spyware components revealed Alien to be more than just a loader for Predator. Can’t make this up, right? Alien actively establishes the low-level functionality that Predator needs to carry out its surveillance activities.
Predator, along with NSO Group’s Pegasus, belongs to a category of spyware that is delivered meticulously through highly targeted attacks. These attacks leverage zero-click exploit chains, which typically require no interaction from the victims, allowing for the execution of malicious code and privilege escalation.
Talos further described Predator as a notable form of mercenary spyware, which has been operational since at least 2019. Its design emphasizes flexibility, enabling the delivery of new Python-based modules without the need for repeated exploitation. This adaptability makes it especially versatile and hazardous.
What the experts say:
“A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims,” Cisco Talos said in a technical report.
“Predator is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous,” Talos explained.
Barracuda, a provider of email protection and network security services, is alerting users to a zero-day vulnerability that has been exploited to breach its Email Security Gateway (ESG) appliances.
Tracked as CVE-2023-2868, this zero-day flaw is described as a remote code injection vulnerability impacting versions 5.1.3.001 through 9.2.0.006.
The vulnerability originates in the component responsible for screening incoming email attachments, according to the advisory in NIST’s National Vulnerability Database.
The flaw stems from inadequate sanitization when processing .tar files (tape archives). Specifically, the product performs incomplete input validation on user-supplied .tar files, in particular the names of the files inside the archive. As a result, a remote attacker can craft those file names in a specific manner so that system commands are executed remotely through Perl’s qx operator, with the privileges of the Email Security Gateway product.
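To show what complete validation of archive member names looks like (the step the advisory says was incomplete), here is an added example; it is not Barracuda’s code and is not taken from the product. It assumes a strict allowlist policy: each path component of a tar member name may contain only letters, digits, dot, underscore and hyphen, absolute paths and ".." components are rejected, and any member failing the check is reported so the whole attachment can be quarantined before any further processing. The archive it inspects is constructed in memory for the demonstration.

```python
import io
import re
import tarfile

# Allowlist for a single path component of a tar member name. Anything
# outside this set (spaces, quotes, shell metacharacters, control bytes)
# is rejected instead of being passed on to later processing stages.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def member_name_problems(name: str) -> list[str]:
    """Return the reasons a tar member name is unsafe (empty list if it is safe)."""
    problems: list[str] = []
    if not name:
        return ["empty name"]
    if name.startswith("/"):
        problems.append("absolute path")
        name = name.lstrip("/")
    # A trailing slash is how directories are commonly recorded; ignore it.
    for comp in name.rstrip("/").split("/"):
        if comp == "..":
            problems.append("path traversal component '..'")
        elif comp == "":
            problems.append("empty path component")
        elif not SAFE_COMPONENT.match(comp):
            problems.append(f"disallowed characters in {comp!r}")
    return problems


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map every unsafe member name in a tar byte string to its list of problems.

    Only the headers are read; nothing is extracted and no member name is ever
    interpolated into a command, so a hostile name cannot reach a shell here.
    """
    findings: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            problems = member_name_problems(member.name)
            if problems:
                findings[member.name] = problems
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory tar (sample data) with one benign and two unsafe names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("invoices/2023-05.pdf", "notes|draft.txt", "../outside.txt"):
            payload = b"placeholder content"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: the two unsafe names are flagged, the benign one is not.
    for name, problems in scan_archive(build_sample_archive()).items():
        print(f"REJECT {name!r}: {', '.join(problems)}")
```

The design choice worth noting is the allowlist: rather than trying to enumerate every character that could be meaningful to a shell or to an interpolating operator such as Perl’s qx, the validator names the characters it will accept and refuses everything else, which also catches traversal and absolute paths that a metacharacter blocklist would miss.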
Barracuda identified this vulnerability on May 19, 2023, and swiftly released a patch for all ESG devices worldwide on the following day. As part of their containment strategy, a second fix was issued on May 21.
Furthermore, during their investigation, Barracuda discovered evidence of active exploitation of CVE-2023-2868, leading to unauthorized access to a subset of email gateway appliances.
So, be careful folks, you don’t want to go web surfing with the barracudas!
Perception Point’s 2023 Annual Report: Cybersecurity Trends & Insights highlights a significant surge in advanced phishing attacks by threat actors, with a staggering 356% increase observed in 2022.
The report reveals that the overall number of attacks rose by 87%, underscoring the alarming trend. One key factor contributing to this escalation is the widespread availability of new tools for malicious actors, including artificial intelligence (AI) and machine learning (ML) technologies.
These advanced tools have revolutionized the attack landscape by automating the creation of sophisticated phishing attempts. This includes attacks that employ social engineering tactics and evasion techniques, further amplifying the risks faced by organizations and individuals.
“As the global threat landscape continues to evolve, we are sharing vital data that portrays the meteoric rise in the number of attacks, combined with increasingly sophisticated attack techniques that are designed to breach and damage organizations,” said Perception Point CEO, Yoram Salinger.
All the more reason to stay up to date on the latest phishing trends with your daily dose of Gone Phishing.
Happy Monday, true believers!
So long and thanks for reading all the phish!