Risky Biz News: IRGC installed malware on phones of Iranian protesters following their arrest

In other news: BSI chief dismissed; Israel backdoored Dutch wiretapping system; and Europol detains car hack&steal gang.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

BSI, the German cybersecurity agency, took down this week a web server used to control malware deployed by the Iranian government to spy on participants of recent anti-government protests.

The server was identified over the weekend by Hamid Kashfi, a security engineer at Trail of Bits, who confirmed a tip that the Islamic Revolutionary Guard Corps, a branch of the Iranian military, was manually installing malware on the devices of detained anti-government protesters.

Kashfi obtained multiple copies of the malware—which he later identified as a version of the L3MON Android remote access trojan—and found that all samples were communicating with a VPS server based in Germany, on which the BSI acted this week.

The researcher is now warning that even though this server is down, the danger to protesters continues, as IRGC operators are likely to set up a new one for subsequent deployments.

Iranians detained by the IRGC are advised to reset their smartphones: Kashfi says the L3MON RAT has no advanced persistence capabilities, so a reset will remove it from compromised devices.

Breaches and hacks

Parler leak: Workweek CEO Adam Ryan revealed this week that right-wing social media site Parler accidentally exposed the personal email addresses of more than 300 of its verified users in a marketing email. This is your typical case of confusing the CC and BCC fields.
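The CC/BCC mistake is easy to catch before a bulk message leaves the building. The following pre-send check is an added example (not code from the newsletter or from Parler) that parses a message's To and Cc headers, refuses to send when more than a policy threshold of recipients would see each other, and rewrites the message so the bulk list lands in Bcc. The threshold, the sender address and the sample message are all constructed.

```python
"""Pre-send check for bulk mail: refuse a message whose To/Cc headers expose
many recipients to one another, and rewrite it to use Bcc instead.
Added example, not from the newsletter; threshold and sample message are constructed."""
from email import message_from_string
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # assumed policy: more than this visible = bulk send


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient will see: To and Cc (Bcc is stripped on delivery)."""
    msg = message_from_string(raw_message)
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(raw) if addr]


def bcc_recipients(raw_message: str) -> list[str]:
    """Addresses carried only in Bcc, which the MTA removes before delivery."""
    msg = message_from_string(raw_message)
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_recipient_exposure(raw_message: str,
                             max_visible: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when the message would leak a recipient list."""
    visible = visible_recipients(raw_message)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc; move bulk recipients to Bcc"
    return True, f"{len(visible)} visible recipient(s)"


def to_bcc(raw_message: str, visible_to: str) -> str:
    """Move every To/Cc address into Bcc, leaving only visible_to (e.g. the sender) in To."""
    recipients = visible_recipients(raw_message)
    msg = message_from_string(raw_message)
    del msg["To"]   # removes all To headers
    del msg["Cc"]   # removes all Cc headers
    msg["To"] = visible_to
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


# Constructed sample: six recipients exposed in To/Cc, as in the CC-vs-BCC mistake.
LEAKY_MESSAGE = """From: marketing@example.test
To: verified1@example.test, verified2@example.test
Cc: verified3@example.test, verified4@example.test, verified5@example.test, verified6@example.test
Subject: Welcome, verified users

Hello!
"""

if __name__ == "__main__":
    ok, reason = check_recipient_exposure(LEAKY_MESSAGE)
    print("original:", ok, reason)
    fixed = to_bcc(LEAKY_MESSAGE, "marketing@example.test")
    print("rewritten:", check_recipient_exposure(fixed))
```

Wire `check_recipient_exposure` in front of whatever hands messages to the MTA; the rewrite is only a fallback, since the right fix is for the sending tool to address bulk mail with Bcc in the first place.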

Stimme Mediengruppe ransomware attack: German news group Stimme Mediengruppe published an e-version of its newspapers this week after a ransomware attack last Friday crippled the company's ability to print its daily newspaper.

Verizon discloses SIM swapping attack: Verizon notified some of its customers this week that their accounts were targeted during a recent wave of SIM swapping attacks that took place between October 4 and 10. The company said it reversed the SIM card changes and found no evidence of new attacks. [Additional coverage in BleepingComputer]

BitKeep hack: Cryptocurrency wallet application BitKeep said an attacker exploited a bug in its platform to steal roughly $1 million worth of crypto from its customers. The company said it would reimburse all users who lost funds.

Mango Markets exploiter comes forward: In a series of tweets over the weekend, an individual named Avraham Eisenberg took credit for the attack on Mango Markets, from which he walked away with $114 million worth of cryptocurrency. Eisenberg came clean after he was publicly identified as the attacker last week and after the Mango Markets community voted to let him keep $47 million of the exploited funds if he returned $67 million to the platform, so that it and all the other projects that depended on it could avoid insolvency.

General tech and privacy

Firefox 106: ...is out, including the usual security fixes.

KataOS: Google last week open-sourced KataOS, a "secure" operating system written in the Rust programming language and designed for smart IoT devices. The OS is definitely an early alpha and a work in progress. Use appropriately.

Government, politics, and policy

BSI chief dismissed: The German Interior Ministry dismissed the chief of its national cybersecurity agency, the BSI. Arne Schoenbohm was sacked after German media found suspected ties to Russia's intelligence services in one of his past private sector endeavors. Officials didn't confirm the reports but said Schoenbohm "damaged the necessary confidence of the public in the neutrality and impartiality" of the BSI. Schoenbohm has been leading the BSI since February 2016.

Israel backdoored the Netherlands' wiretapping system: Guilhem Giraud, a former employee of the French internal security service DGSI, revealed in a book published last month that during a 2006 exchange-of-experience visit with their Dutch counterparts, Dutch officials disclosed that they had found a backdoor in equipment supplied by an Israeli vendor to the country's Driebergen communications wiretapping center. Giraud said the 2006 visit and the candid disclosure from Dutch officials were among the reasons why French authorities built the PNIJ interception platform using only homemade systems, taking what he described as a "no Israeli suppliers" approach. After the book made some waves in the Netherlands last week, a spokesperson for the Dutch government rebuffed Giraud and told local newspaper de Volkskrant that the backdoor story was just "nonsense."

CYBERCOM cleans its network: US CYBERCOM said it executed what the agency described as a global cyberspace defensive operation earlier this month between October 3 and 14. CYBERCOM said the operation focused on internal DOD systems, where together with its partners, the agency searched, identified, and mitigated "publicly known malware."

Chinese hackers scanning US political party domains: The Washington Post reported on Tuesday that the FBI has notified US political parties that Chinese threat actors are scanning their domains ahead of the upcoming midterm election in what appears to be "a potential precursor to hacking operations."

IDF's first-ever cyberattack: Israeli news outlet Ynet has a cool feature on the Israel Defense Forces' first-ever cyber operation, way back in the 90s.

Proofpoint is one of this newsletter's main sponsors. Below is a product demo Patrick Gray, the host of the main Risky Business podcast, recorded with them last year, where they show off Nexus People Risk Explorer, the company's product for mitigating insider threats:

Cybercrime and threat intel

Car hackers arrested: Europol said authorities in France, Spain, and Latvia have detained 31 suspects and dismantled a car theft ring that used malicious software to hijack key fobs and steal vehicles. Europol said the group used a special tool that targeted keyless vehicles from two French car manufacturers. The tool was marketed online as an automotive diagnostic solution that let owners replace a car's original software, but it also allowed thieves to open the doors and start the vehicle without the actual key fob. Europol said it detained the tool's developers, its resellers, and the car thieves who used it.

Bulgaria seeks Russian hacker: Bulgaria's prosecutor's office has charged a Russian citizen and is seeking his extradition for launching a series of DDoS attacks against government websites over the weekend. Desislava Petrova, the Sofia City Prosecutor's Office spokesperson, said Russian authorities were not complying with the request (shocker!) and that they were most likely also involved in the attack.

South Korea takes down scam site: The South Korean Ministry of Science and ICT said on Monday that it took down a malicious website that was using the nationwide confusion caused by a major fire at one of KakaoTalk's data centers to distribute malware to users impacted by the downtime.

Loan forgiveness scams: With news that the Biden administration is preparing to forgive some student loans, the FBI published a warning this week about the potential email, phone, and web scams that may arise in the coming months. The FBI said scammers would most likely try to obtain personally identifiable information, financial information, or payment from US citizens who are eligible for student loan forgiveness, and the agency reminded everyone that the US government does not intend to charge any processing fees for this process.

Reporter accuses law firm of hacking: Former WSJ reporter Jay Solomon has accused Philadelphia-based law firm Dechert LLP of hiring Indian hackers to compromise his email account and of using the stolen information to have him fired. Solomon's public statement comes after Iranian-American aviation executive Farhad Azima, one of his former sources, also sued the same law firm last week, together with a New York City public relations company and an Israeli private investigator, accusing the three of conspiring to hack his email account, tamper with witnesses in ongoing litigation, and even leak information to the press.

New UEFI bootkit sold in underground forums: Eclypsium CTO Scott Scheferman spotted an ad on an underground hacking forum for Black Lotus, a new UEFI rootkit being sold to cybercrime gangs for a meager $5,000.

The features that stand out to me the most, I've captured in bullet form.
  • Written in assembly and C, only 80kb in size
  • Works globally other than in CIS states, filterable by Geo, etc.
  • Anti-VM and Anti-Debug with Code Obfuscation
  • Bypasses UAC, Secure Boot, and Can Load Unsigned Drivers
  • Disables HVCI, BitLocker, Windows Defender
  • Persists on the UEFI with Ring 0 agent protection
  • Fully featured Install Guide with SOPs and FAQs
  • Stable and scales to a high number of bots, full backend API (PHP/SQL)
  • Fully featured tasking, file transfer, robust security, all needed functionality possible to persist and operate indefinitely within an environment undetected. (perhaps for years, akin to current UEFI implants in the wild that are discovered 2-5 years after they begin)
  • Vendor independent, uses a signed bootloader if Secure Boot enabled, wild distribution potential across IT and OT environments.

Malware technical reports

Gafgyt: SecurityScorecard malware analyst Vlad Pasca published a report this week on the Gafgyt IoT malware strain, also known as Bashlite.

APTs and cyber-espionage

Spyder Loader: Broadcom Symantec researchers said they spotted new attacks that are part of Operation CuckooBees. But unlike previous attacks, where this Chinese threat actor went after intellectual property, the new attacks targeted Hong Kong organizations with a version of the Spyder Loader malware.

"The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign."

APTs went after Zimbra: Kaspersky researchers said in a blog post last week that they've seen multiple APT groups exploiting a recently disclosed Zimbra zero-day (CVE-2022-41352), and that one of these groups has been "systematically infecting all vulnerable servers in Central Asia." In the meantime, after leaving the vulnerability unpatched for almost a month, Zimbra has finally delivered a patch.

Vulnerabilities and bug bounty

Zimbra zero-day: As mentioned in a section above, Zimbra has finally released a patch for a zero-day (CVE-2022-41352) that has been under active exploitation for more than a month.

ProxyRelay: Security researcher Orange Tsai published details on ProxyRelay, the fourth major vulnerability he found in Exchange servers. His previous findings include well-known vulnerabilities like ProxyLogon, ProxyOracle, and ProxyShell.

Much ado about nothing: A recently disclosed vulnerability in the Apache Commons Text library (tracked as CVE-2022-42889) has been widely described as the next Log4Shell disaster, but a more in-depth analysis by Rapid7 finds that this assessment is misplaced hype.
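Hype or not, the practical question for a defender is simply whether an affected version of the library is declared anywhere in the build. The check below is an added example (not code from the newsletter, Rapid7, or the Apache project) that parses a Maven POM and flags org.apache.commons:commons-text versions in the range the Apache advisory for CVE-2022-42889 lists as affected, 1.5 up to but not including the fixed 1.10.0. The POM content is constructed.

```python
"""Flag Apache Commons Text versions affected by CVE-2022-42889 in a Maven POM.
Added example, not from the newsletter, Rapid7, or Apache; the POM is constructed.
Affected range (1.5 <= version < 1.10.0) is taken from the Apache advisory."""
import xml.etree.ElementTree as ET
from typing import Optional

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIRST_AFFECTED = (1, 5, 0)
FIXED = (1, 10, 0)


def parse_version(version: str) -> tuple:
    """'1.9' -> (1, 9, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in the affected range; None if it is not resolvable here."""
    if not version or version.startswith("${"):
        return None  # managed or property-driven version: resolve it before judging
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def commons_text_versions(pom_xml: str) -> list:
    """Versions declared for org.apache.commons:commons-text in a POM (direct deps only)."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        version = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
        if group == "org.apache.commons" and artifact == "commons-text":
            found.append(version)
    return found


def audit_pom(pom_xml: str) -> list:
    """[(declared_version, affected_or_None), ...] for every commons-text declaration."""
    return [(v, is_affected(v)) for v in commons_text_versions(pom_xml)]


# Constructed POM: one affected commons-text pin plus an unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.9</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        print(f"commons-text {version}: {'AFFECTED' if affected else 'ok' if affected is False else 'unresolved'}")
```

This only inspects direct declarations; in practice, run the same range check over the resolved tree (`mvn dependency:tree` output) so that a commons-text pulled in transitively is not missed.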

Git security updates: The Git Project released security updates for the Git versioning system this week. GitHub said none of these issues affect its service.

Oracle CPU: The quarterly Oracle security updates are out, with patches for 370 vulnerabilities.

Magento patch warning: Web security firm Sansec warned users of the Magento e-commerce platform to look into upgrading their online stores to the latest version of the CMS rather than install a security hotfix patch released for older versions.

MagSound attack: A team of academics from the Hong Kong Polytechnic University published details about MagSound [PDF], an attack that uses magnetic interference induced by a wireless charger to send malicious voice commands to a smartphone. Since the voice commands are created using magnetic waves, they are also inaudible to humans.

"Essentially, we show that the microphone components of smart devices suffer from severe magnetic interference when they are enjoying wireless charging, due to the absence of effective protection against the EMI at low frequencies (100 kHz or below). By taking advantage of this vulnerability, we design two inaudible voice attacks, HeartwormAttack and ParasiteAttack, both of which aim to inject malicious voice commands into smart devices being wirelessly charged. They make use of a compromised wireless charger or accessory equipment (called parasite) to inject the voice, respectively. We conduct extensive experiments with 17 victim devices (iPhone, Huawei, Samsung, etc.) and 6 types of voice assistants (Siri, Google STT, Bixby, etc.). Evaluation results demonstrate the feasibility of two proposed attacks with commercial charging settings."

Infosec industry

CCC conference canceled again: The Chaos Computer Club has canceled its yearly security conference for the second year in a row, citing the uncertainty around the state of the COVID-19 pandemic and what requirements will be in place when the event would take place in December.

New tool—Antignis: EU cybersecurity firm Hunt&Hackett released this week a new tool called Antignis that can create firewall rules based on a host's context, configuration, and usage patterns. The company said it plans to make the tool available via GitHub later this week.

New tool—SAM: BSI, the German cybersecurity agency, released a new tool this week named SAM (System Activity Monitor) that extends the default Windows ETW (Event Tracing for Windows) to enable the recording of extra parameters and events on Windows systems, which could later be used for debugging or incident response.

Certstream troubles: Certstream needs your help. Avengers, assemble!