News Bytes – 08/04/22
Malicious APK setting up suspicious C2 server
It appears to be a bad week for Android users as yet another critically dangerous piece of malware has been found to be targeted attacks on the Google-owned software. This time, the malware installs a program named Process Manager and gains 18 permissions. This is concerning behaviour on its own, but it also adds information about calls, the contact list, and other files before collecting all files on the device, saving information to the JSON files, and reporting to a C2 server.
At present, this Process Manager application is installed alongside the Roz Dhan: Earn Wallet cash application.
At first appearances, this seems to be another case of hackers taking aim at cryptocurrency enthusiasts that are wanting to make some easy money with various attacks.
First Python Ransomware attack targeting Jupyter Notebook
If you use Jupyter Notebook, you should be on high alert. The open-source web application is being targeted by a ransomware gang that has infiltrated the tool through misconfigured environments, ran a ransomware script to encrypt every file on a given path, and then deleted itself before it can be analyzed.
The full analysis of the ransomware can be found here, but best practices for defending your Jupyter Notebook include:
- Identifying all vulnerable entry points for attackers to gain access to your network
- Scan all running notebooks for the identified vulnerabilities
- Scan for vulnerabilities elsewhere in the CI/CD pipeline
- Scan all workloads for suspicious behavior
Microsoft takes aim at APT28
Having received obtained a court order earlier this week, Microsoft has attempted to take control of seven domains used by APT28, a nation state hacking team that is suspected to work with Russian military intelligence services. Known by many names such as Sofacy, Sednit, Pawn Storm, and Strontium, the cyber-espionage group has been on the cybersecurity radar since 2009.
By re-directing the domains to a sinkhole controlled by Microsoft, APT28’s ability to “enable victim notifications” is greatly diminished, reports Tom Burt, Microsoft’s corporate vice president of customer security and trust. The group had apparently targeted Ukrainian institutions, European governments, and US and EU think tanks.
International cybersecurity talks break down
The United States has apparently withdrawn from cybersecurity talks with Russia this week after both Russia and the US agreed to work together to stop the spread of cybercrime. Although this feels somewhat odd in the context of multiple Russian cyberattacks on Ukrainian infrastructure over the last month and a half, the Kremlin has stated that the US government is behind Anonymous’s attacks on Russian websites, banks, and governmental organizations.
While this Cyber Cold War seems to be warming up, it is not yet clear what the goals of the talks were. Oleg Khramov, Russian Security Council Deputy Secretary, reported to RT that the international talks were held with the intention of stopping cybercriminals, dismantling European cyberbases, and ending “revenge” cyberattacks. As of yet, there has been no American comment on the situation.