The Weekly Briefing - 04/21
Wormable Android Malware Spreading Through WhatsApp
A newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign.
"This malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app," ESET researcher Lukas Stefanko said.
The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website.
Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack.
Specifically, it leverages WhatApp's quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically.
Besides requesting permissions to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps, meaning the app can overlay any other application running on the device with its own window that can be used to steal credentials and additional sensitive information.
Crypto-Mining Malware Linked to Iran
A relatively new crypto-mining malware that surfaced last year and infected thousands of Microsoft SQL Server (MSSQL) databases has now been linked to a small software development company based in Iran.
The attribution was made possible due to an operational security oversight, said researchers from cybersecurity firm Sophos, that led to the company's name inadvertently making its way into the cryptominer code.
First documented by Chinese tech giant Tencent last September, MrbMiner was found to target internet-facing MSSQL servers with the goal of installing a cryptominer, which hijacks the processing power of the systems to mine Monero and funnel them into accounts controlled by the attackers.
Hackers Expose Passwords Stolen From Businesses
A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees.
The cyber offensive is said to have originated in August last year, with the attacks aimed specifically at energy and construction companies, said researchers from Check Point Research today in a joint analysis in partnership with industrial cybersecurity firm Otorio.
Although phishing campaigns engineered for credential theft are among the most prevalent reasons for data breaches, what makes this operation stand out is an operational security failure that led to the attackers unintentionally exposing the credentials they had stolen to the public Internet.
"With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker," the researchers said.