Metacurity
Invasive Linux Malware Symbiote Stealthily Steals Credentials and Enables Backdoor Access

Hackers use Follina to spread banking Trojan, Stalkerware TruthSpy exposes data, Russian warns West to stop cyberattacks or else, Hacker exploits Optimism lapse to swipe $16 million, much more

Cynthia Brumfield
Jun 10

Researchers at BlackBerry and Intezer Labs say that a newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.

The malware acts as a system-wide parasite, leaving no identifiable signs of infection even during in-depth inspections because it uses the BPF (Berkeley Packet Filter) hooking functionality to sniff network data packets and to hide its own communication channels from security tools. The malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the "libc read" function. (Bill Toulas / Bleeping Computer)

Related: CSO Online, Teiss, The Hacker News, Cyberintel Magazine, ZDNet, ZDNet, Intezer, The Hacker News, SiliconANGLE, GovInfoSecurity.com, DataBreachToday.com, Ars Technica, BetaNews, The Info Op, Blackberry, Security Week, PC Risk, TechCentral.ie, Help Net Security

Researchers at Proofpoint say that hackers are using the recently disclosed Windows zero-day vulnerability Follina (CVE-2022-30190) to spread a widely-used banking trojan with ties to several ransomware groups.

Proofpoint shared evidence that a threat actor it has named “TA570”, which it has tracked since 2018 and which is heavily associated with the Qbot malware, is now using CVE-2022-30190 to deliver that widely used banking-information-stealing malware.

Several cybersecurity experts corroborated Proofpoint’s findings, including Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows. (Jonathan Greig / The Record)

Related: Security Week, Techradar, The Register - Security, The Hacker News, Forbes, Proofpoint

Spouse-monitoring stalkerware TruthSpy, part of a network of stalkerware apps that use infrastructure maintained by a Vietnam-based company called 1Byte, is exposing a wealth of data from phones with the malware installed, including photos of children, pets, and other baby-related images. These images are available to anyone visiting a URL on TheTruthSpy’s website.

The exposed data also includes a selection of apparent GPS locations of victims’ phones. TruthSpy did not respond to a request for comment. (Joseph Cox / Motherboard)

Zack Whittaker @zackwhittaker
TheTruthSpy is a notorious Android stalkerware app that encourages users to spy on their spouse's phone. @josephfcox reports that the spyware app is spilling victims' photos — including of children and babies — from its website.
vice.com/en/article/5d3…

Joseph Cox @josephfcox

New: TheTruthSpy, a popular piece of Android stalkerware that has marketed itself to abusive people to spy on their spouses, is exposing images of children and others related to babies. Very personal photos just sitting there online https://t.co/PIiR3Hxbt9

June 9th 2022

Researchers at PIXM uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements.

The operation used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions. The researchers found that in 2021, 2.7 million users had visited one of the phishing portals. This figure went up to 8.5 million in 2022, reflecting the massive growth of the campaign. (Bill Toulas / Bleeping Computer)

Related: Malwarebytes Labs, TechGenix, PIXM

Russia warned the West that cyber attacks against its infrastructure risked direct military confrontation and that attempts to challenge Moscow in the cyber sphere would be met with targeted countermeasures.

Russia’s foreign ministry said that Russia's critical infrastructure and state institutions are being hit by cyberattacks and pointed to figures in the United States and Ukraine as being responsible. The statement, issued by the ministry's head of international information security, said Washington was "deliberately lowering the threshold for the combat use" of IT. (Reuters)

Related: Ministry of Foreign Affairs of the Russian Federation

Alexander Martin @AlexMartin
New: In a statement emailed to me (in Russian - machine translated below) a spokesperson for 🇷🇺 MFA has given more detail about the cyber attacks on Russia's critical infrastructure.
Alexander Krutskikh, Special Presidential Representative for International Cooperation in Information Security and Director of the International Information Security Department, to the media's question about attacks on Russian critical infrastructure facilities: "I will start with the last part of the question. Do not doubt that Russia will not leave aggressive actions unanswered. How and where - you will find out after the fact. All our steps will be of a verified, targeted nature, in accordance with our legislation and international law.
"I am ready to share some data about cyber attacks. It's mainly about DDoS attacks. According to experts, in order to carry out massive DDoS attacks involving "cyber volunteers", attackers use malicious software based on the servers of supplier companies Hetzner (Germany) and DigitalOcean (USA). Foreign specialized platforms (War.Apexi.Tech, Ban-Dera.com) are actively used, online capacities of IPstress.in and Google servers are regularly used. As of May 2022, more than 65,000 "armchair hackers" from the United States, Turkey, Georgia, and EU countries regularly took part in coordinated DDoS attacks on critical information infrastructure of our country, including Rutube video hosting.
"As for attacks using ICTs and their interpretation in international law, I would like to emphasise what has already been said many times: state institutions, critical and social infrastructure facilities, and personal data storage facilities of our citizens and foreigners living in Russia are being attacked. Officials in the United States and Ukraine are taking responsibility for the sabotage. It is there that they flatly refuse to develop an international legal framework. They don't seem to fully realise how dangerous aggressiveness and encouragement of information security thuggery are.
"In total, 22 hacker groups are involved in illegal operations against Russia, the most active are the IT-army of Ukraine (Ukraine), GhostClan (USA), GNG (Georgia), Squad303 (Poland). It is also alarming that Washington is deliberately lowering the threshold for the combat use of ICT. The militarisation of the information space by the West, attempts to turn it into an arena of interstate confrontation have greatly increased the threat of a direct military clash with unpredictable consequences. Once again, I want to repeat to those who do not immediately reach: the uncontrolled distribution of 'virtual weapons' and the encouragement of their use will not lead to good."

June 10th 2022

Around 20 million Optimism governance tokens (OP) worth around $16 million loaned to facilitate transactions were lost, with cryptocurrency market maker Wintermute taking responsibility for the lapse. Optimism blames the lapse on human error.

A hacker took advantage of the lapse to transfer the 20 million OP tokens from layer-1 to layer-2, even as Wintermute scrambled to recover the in-limbo funds. As of publication, however, the attacker had liquidated only about one million of the stolen tokens and had sent one million of the tokens meant for crypto market maker Wintermute to Ethereum co-founder Vitalik Buterin’s wallet address, according to PeckShield. (Osato Avan-Nomayo / The Block)

Related: Blockworks, Optimism Foundation, Motherboard, CryptoPotato, BeinCrypto, Crypto Briefing

Jennifer Smith @Jennife50322251
RT @5OShadeOfGreen: Optimism Just lost 20 million tokens amidst interlayer chaos
ift.tt/JK7atgh #NFT #NFTCommunity #NFTGiveaway #M…
Optimism Just lost 20 million tokens amidst interlayer chaos - InsideBitcoins.com: Optimism just lost 20 million token amidst interlayer chaos. All set to launch its DAO, the layer 2 solution has sent tokens to wrong address (ift.tt)

June 9th 2022

Osmosis, a decentralized exchange built using the Cosmos SDK, was exploited, with its liquidity pools losing approximately $5 million. Developers halted the Osmosis blockchain to prevent further damage.

One user on Reddit had warned the Osmosis developers about a critical bug in their decentralized exchange. The user maintained that, by providing liquidity to the liquidity pools, a malicious actor could then withdraw 50% more than their deposit without any bonding period (a period over which the funds are locked). The recent loss resulted from just such a bug. (Sujith Somraaj / Decrypt)

Related: The Block, BeInCrypto

Osmosis 🧪 @osmosiszone
Liquidity pools were NOT "completely drained". Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery. More info to come.

Junønaut @TheJunonaut

A critical bug has been found on $OSMO / @OsmosisZone which could have potentially drained all liquidity pools. It has been discovered after a post on the subreddits /r/CosmosNetwork and /r/OsmosisLab. The chain was halted under immediate emergency to avoid further damage. 🧵 https://t.co/VE2drIZjtw

June 8th 2022

Seth Green's "kidnapped" Bored Ape has been returned to its original owner, ending weeks of frantic speculation about its whereabouts and the intentions of its alleged abductor, a pseudonymous NFT collector known as “Mr. Cheese.”

Bored Ape #8398 was stolen from Green in early May after the actor fell for a phishing scam. Mr. Cheese, who has also used the moniker “DarkWing84,” said they believed the ape was “bought in good faith” and claimed they had no idea it was illicitly obtained. The pseudonymous investor had purchased the NFT from Green’s scammer for a whopping $200,000. (Sarah Emerson / BuzzFeed News)

Zaki Hasan @zakiscorner
We’re trapped in the dumbest of all possible timelines.
Seth Green’s Stolen Bored Ape Is Back Home: “Fred is back home.” (buzzfeednews.com)

June 9th 2022

U.S. District Judge Edward Davila in San Jose, California, dismissed a proposed class-action lawsuit accusing Apple of defrauding customers by selling iPhones and iPads whose processors proved vulnerable to two memory-security flaws, Meltdown and Spectre, first disclosed in 2018.

Davila said customers failed to prove that they overpaid for their devices because Apple knowingly concealed defects and provided security patches that made its devices significantly slower. (Jonathan Stempel / Reuters)

Related: Apple Insider, Tom’s Hardware, The Register, Law360

In a paper presented at the IEEE Security and Privacy Conference last month, researchers at the University of California San Diego showed for the first time that Bluetooth signals each carry an individual, trackable fingerprint.

"By their nature, BLE [Bluetooth Low Energy] wireless tracking beacons have the potential to introduce significant privacy risks," the researchers wrote. "For example, an adversary might stalk a user by placing BLE receivers near locations they might visit and then record the presence of the user's beacons."

However, to exploit the fingerprint, an attacker would first need to isolate the target to capture the fingerprint in the wireless transmissions and find the unique physical-layer features of the device's Bluetooth transmitter. After that, they would need to have a receiver in a place the device might be and have it passively sniff for the target's Bluetooth transmissions. (Jeff Burt / The Register)

Related: UCSD.edu, UCSD.edu

The Cybersecurity and Infrastructure Security Agency (CISA) added 36 new flaws to its catalog of vulnerabilities known to be exploited by cybercriminals.

Among the 36 vulnerabilities added are flaws in software and products from Microsoft, Google, Adobe, Cisco, Netgear, QNAP, and others. (Danny Palmer / ZDNet)

Related: Security Week, CISA

© 2022 DCT Associates