Invasive Linux Malware Symbiote Stealthily Steals Credentials and Enables Backdoor Access

Hackers use Follina to spread banking Trojan, Stalkerware TruthSpy exposes data, Russian warns West to stop cyberattacks or else, Hacker exploits Optimism lapse to swipe $16 million, much more

Photo by Sai Kiran Anagani on Unsplash

Researchers at BlackBerry and Intezer Labs say that a newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.

The malware acts as a system-wide parasite, leaving no identifiable signs of infection even during in-depth inspections because it uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools. The malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the "libc read" function. (Bill Toulas / Bleeping Computer)

Related: CSO Online, Teiss, The Hacker News, Cyberintel Magazine, ZDNet, ZDNet, Intezer, The Hacker News, SiliconANGLE, GovInfoSecurity.com, DataBreachToday.com, Ars Technica, BetaNews, The Info Op, Blackberry, Security Week, PC Risk, TechCentral.ie, Help Net Security

Researchers at Proofpoint say that hackers are using the recently disclosed Windows zero-day vulnerability Follina (CVE-2022-30190) to spread a widely-used banking trojan with ties to several ransomware groups.

Proofpoint shared evidence that a threat actor they’ve named “TA570”, who they’ve been tracking since 2018 and is heavily associated with the Qbot malware, is now using CVE-2022-30190 to deliver the widespread malware used to steal banking information.

Several cybersecurity experts corroborated Proofpoint’s findings, including Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. (Jonathan Greig / The Record)

Related: Security Week, Techradar, The Register - Security, The Hacker News, Forbes, Proofpoint

Spouse-monitoring stalkerware TruthSpy, part of a network of stalkerware apps that use infrastructure maintained by a Vietnam-based company called 1Byte, is exposing a wealth of data from phones with the malware installed, including photos of children, pets, and others related to babies. These images are available to anyone visiting a URL on TheTruthSpy’s website.

The exposed data also includes a selection of apparent GPS locations of victims’ phones. TruthSpy did not respond to a request for comment. (Joseph Cox / Motherboard)

Zack Whittaker @zackwhittaker

TheTruthSpy is a notorious Android stalkerware app that encourages users to spy on their spouse's phone. @josephfcox reports that the spyware app is spilling victims' photos — including of children and babies — from its website. vice.com/en/article/5d3…

Joseph Cox @josephfcox

New: TheTruthSpy, a popular piece of Android stalkerware that has marketed itself to abusive people to spy on their spouses, is exposing images of children and others related to babies. Very personal photos just sitting there online https://t.co/PIiR3Hxbt9

June 9th 2022

12 Retweets14 Likes

Researchers at PIXM uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements.

The operation used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions. The researchers found that in 2021, 2.7 million users had visited one of the phishing portals. This figure went up to 8.5 million in 2022, reflecting the massive growth of the campaign. (Bill Toulas / Bleeping Computer)

Related: Malwarebytes Labs, TechGenix, PIXM

Russia warned the West that cyber attacks against its infrastructure risked direct military confrontation and that attempts to challenge Moscow in the cyber sphere would be met with targeted countermeasures.

Russia’s foreign ministry said that Russia's critical infrastructure and state institutions are being hit by cyberattacks and pointed to figures in the United States and Ukraine as being responsible. The statement, issued by the ministry's head of international information security, said Washington was "deliberately lowering the threshold for the combat use" of IT. (Reuters)

Related: Ministry of Foreign Affairs of the Russian Federation

Alexander Martin @AlexMartin

New: In a statement emailed to me (in русский - machine translated below) a spokesperson for 🇷🇺 MFA has given more detail about the cyber attacks on Russia's critical infrastructure.

June 10th 2022

1 Retweet3 Likes

Around 20 million Optimism governance tokens (OP) worth around $16 million loaned to facilitate transactions were lost, with cryptocurrency market maker Wintermute taking responsibility for the lapse. Optimism blames the lapse on human error.

A hacker took advantage of the lapse to transfer the 20 million OP tokens from layer-1 to layer-2, even as Wintermute scrambled to recover the in-limbo funds. The attacker, however, had, as of publication, only liquidated about a million of the stolen tokens sending the one million tokens meant for crypto market maker Wintermute to Ethereum co-founder Vitalik Buterin’s wallet address, according to PeckShield. (Osato Avan-Nomayo / The Block)

Related: Blockworks, Optimism Foundation, Motherboard, CryptoPotato, BeinCrypto, Crypto Briefing

Jennifer Smith @Jennife50322251

RT @5OShadeOfGreen: Optimism Just lost 20 million tokens amidst interlayer chaos ift.tt/JK7atgh #NFT #NFTCommunity #NFTGiveaway #M…Optimism Just lost 20 million tokens amidst interlayer chaos - InsideBitcoins.comOptimism just lost 20 million token amidst interlayer chaos. All set to launch its DAO, the layer 2 solution has sent tokens to wrong addressift.tt

June 9th 2022

1 Retweet

Osmosis, a decentralized exchange built using CosmosSDK, was exploited, with its liquidity pools losing approximately $5 million. Developershalted the Osmosis blockchain to prevent further damage. 

One user on Reddit warned the Osmosis developers about a critical bug in their decentralized exchange. The user maintained that by providing liquidity to the liquidity pools, a malicious actor would then be able to withdraw 50% more than your deposit without any bonding period (a period over which the funds are locked). The recent loss resulted from just such a bug. (Sujith Somraaj / Decrypt)

Related: The Block, BeInCrypto

Osmosis 🧪 @osmosiszone

Liquidity pools were NOT "completely drained". Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery. More info to come.

Junønaut @TheJunonaut

A critical bug has been found on $OSMO / @OsmosisZone which could have potentially drained all liquidity pools. It has been discovered after a post on the subreddits /r/CosmosNetwork and /r/OsmosisLab. The chain was halted under immediate emergency to avoid further damage. 🧵 https://t.co/VE2drIZjtw

June 8th 2022

131 Retweets462 Likes

Seth Green's "kidnapped" Bored Ape has been returned to its original owner, ending weeks of frantic speculation about its whereabouts and the intentions of its alleged abductor, a pseudonymous NFT collector known as “Mr. Cheese.”

Bored Ape #8398 was stolen from Green in early May after the actor fell for a phishing scam. Mr. Cheese, who has also used the moniker “DarkWing84,” said they believed the ape was “bought in good faith” and claimed they had no idea it was illicitly obtained. The pseudonymous investor had purchased the NFT from Green’s scammer for a whopping $200,000. (Sarah Emerson / BuzzFeed News)

Zaki Hasan @zakiscorner

We’re trapped in the dumbest of all possible timelines. Seth Green’s Stolen Bored Ape Is Back Home“Fred is back home.”buzzfeednews.com

June 9th 2022

1 Retweet23 Likes

U.S. District Judge Edward Davila in San Jose, California, dismissed a proposed class-action lawsuit accusing Apple of defrauding customers by selling iPhones and iPads whose processors proved vulnerable to two cybersecurity memory flaws, Meltdown and Spectre, first disclosed in 2018.

Davila said customers failed to prove that they overpaid for their devices because Apple knowingly concealed defects and provided security patches that made its devices significantly slower. (Jonathan Stempel / Reuters)

Related: Apple Insider, Tom’s Hardware, The Register, Law360

In a paper presented at the IEEE Security and Privacy Conference last month, Researchers at the University of California San Diego showed for the first time that Bluetooth signals each have an individual, trackable fingerprint.

"By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks," the researchers wrote. "For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user's beacons."

However, to exploit the fingerprint, an attacker would first need to isolate the target to capture the fingerprint in the wireless transmissions and find the unique physical-layer features of the device's Bluetooth transmitter. After that, they would need to have a receiver in a place the device might be and have it passively sniff for the target's Bluetooth transmissions. (Jeff Burt / The Register)

Related: USCD.edu, USCD.edu

The Cybersecurity and Infrastructure Agency (CISA) added 36 new flaws to its catalog of vulnerabilities known to be exploited by cybercriminals. 

Among the 36 vulnerabilities that have been added are flaws in software and products from Microsoft, Google, Adobe, Cisco, Netgear, QNAP, and others.  (Danny Palmer / ZDNet)

Related: Security Week, CISA