WPS Malware Target, iOS Exploit Apps, REvil Sanctions Trio – Cybersecurity News [January 22, 2024]

New threats keep emerging, but we’re here with the latest in cybersecurity to help your organization and employees stay safe. This week, we’ve seen a range of new malware attacks and phishing campaigns. From Blackwood’s new malware targeting organizations around the world to iPhone applications collecting user data, the US SEC’s account being hacked, the new Facebook phishing campaign, and more; we’ll share everything about these.

Cybercriminals Target WPS Office Update with Malware Installation Scheme

A new threat actor going by the name of “Blackwood” has emerged with malware called NSPX30.

The tool is for cyberespionage attacks against major organizations and was analyzed by ESET’s researchers. Blackwood is targeting Chinese, Japanese, and UK organizations and delivering malware via the update mechanisms of the WPS Office. It is also using the Tencent QQ instant messaging service and the document editor by Sogou Pinyin.

The threat actors carry out AitM (Adversary in the Middle) attacks and intercept the traffic generated by the tool NSPX30 to hide their activities and the C2 server. They also share access with other Chinese APT groups. NSPX30 is an implant that can steal away system data, key strokes, and also take screenshots of the victim systems. The threat actors intercept unencrypted HTTP communication between the system and the WPS update server to deliver the malware implant.

ESET noted the technical details and highlighted how it works in their report, outlining that the original backdoor behind NSPX30 looks like the work of skilled malware developers.

iPhone Applications Exploit iOS Notification System to Gather User Information

There are many iOS applications that are using background processes started by push notifications to collect data about devices.

Mysk, a mobile researcher discovered this and says that it can allow the creation of fingerprinting profiles for tracking. These applications bypass Apple’s background app activity restrictions. Apple designed the iOS so you can choose to allow apps to run in the background to prevent battery drain and better security. When you’re not using an app, it is suspended and then terminated after a while.

iOS 10 had an update that allowed apps to launch a hidden process for new push notifications before the device displayed them. Once the process is finished, the app is terminated. However, it was found that many applications abuse this feature and use that window to transmit device data back to their servers. Applications can easily steal system uptime, locale, memory, battery and storage usage, device model, keyboard language, and brightness info. Mysk also shared that many popular applications such as TikTok, Facebook, X, LinkedIn, and Bing are sending much device data to their servers.

Apple took notice and will now plug this gap so further abuse of push notifications cannot be done. The update will be out in spring 2024. These types of attacks underscore the significance of having effective phishing protection solutions for iOS and all other user platforms.

US, UK, and Australia Impose Sanctions on REvil Hacker for Medibank Data Leak

The governments of the US, the UK, and Australia have sanctioned the Russian person behind the 2022 Medibank hack.

Aleksandr Gennadievich Ermakov was behind the attack and is also a member of the Revil ransomware group. The threat actor stole information from the health insurance provider in October 2022 and leaked the data of nearly 10 million people the next month. The data leaked consisted of names, emails, phone numbers, residential addresses, passports, and health information.

The investigation revealed that Ermakov was indeed behind the attack and also had multiple online profiles. The Medibank hack was one of the most damaging cyberattacks in the history of the nation and was claimed by BlogXXX. However, it was later found that BlogXXX was a short-lived relaunch of the original Revil operation.

Ermakov has been sanctioned, and his identity is known to everyone around the world. Anyone who tries to aid him with financial assets like crypto or ransoms will be committing an offense. Having robust solutions for ransomware protection can help safeguard you against such attacks.

SEC Acknowledges Hacking of X Account via SIM Swap Fraud

The US SEC (United States Securities and Exchange Commission) shared the news that their X (Twitter) account was hacked in a SIM-swapping attack.

The SEC’s account was hacked when it issued a fake announcement this month sharing news that the agency had approved Bitcoin ETFs on security exchanges. The news was made official via an announcement the next day. However, it was not clear how the account was breached.

The SEC carried out an investigation and shared the news that they suffered a SIM-swapping attack, which allowed the threat actor to port the phone number associated with the account to a new device (hacker’s device). Once all the texts and phone calls were retrieved on the device, the threat actor easily bypassed OTPs and password resets to gain control of the account. The SEC did highlight that the threat actor did not have any access to internal systems or data. They’re continuing the investigation with law enforcement.

The SEC also confirmed that MFA (Multi-Factor Authentication) was not enabled with the account. You should use MFA with an authentication app instead of a phone number to stay safe from similar attacks.

Beware of Facebook Phishing Scams Using “I can’t believe he is gone” Posts

There’s a new Facebook phishing campaign that has been going on with the line, “I can’t believe he is gone. I’m gonna miss him so much.”

The phishing attack is widely spread on the app and is often seen through a hacked friend’s account, allowing the threat actor behind the campaign to build a database of stolen accounts for further attacks. The posts are seen with the message along with a redirect link that takes you to a phishing website – asking for your Facebook account credentials for “identity confirmation.”

You might also come across a news post with a video link to “NewsAmericaVideos” or similar sites. The thumbnail of the video is blurred, and the site asks for your login details. The threat actors steal the credentials and redirect you to Google. It’s still not clear what the threat actor is using these credentials for. If you use Facebook on your laptop or PC, the site takes you to other scams like VPNs, browser extensions, and more.

The attack cannot steal 2FA (Two Factor Authentication) tokens, so we recommend enabling 2FA to stay safe. Also, if you come across a similar post, it’s best to steer clear.