Weekly Cyber Reports

This Week in Cyber 27th August

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

25th August, 2022


RTLS systems found vulnerable to man-in-the-middle attacks

Real-time locating systems (RTLS) track the locations of objects or people, usually via tags such as ID badges or asset tags. RTLS is very common in modern organisations, as it assists with the safety of people and increases security for high-value assets such as servers and confidential data. The vulnerability involves intercepting and manipulating network packets between the anchor and the central server to inform the anchor that the tag is wherever the attacker wants it to be. The repercussions of this can include people entering restricted zones, assets being stolen, or a service used for production being disrupted. However, this vulnerability is difficult to execute, as it requires the attacker to be on the same network as the RTLS central server, which is a difficult task and becomes even harder if the network is properly segmented or locked down. This vulnerability affects Ultra-Wideband (UWB) technology, which is incredibly accurate and can locate objects and people to within a few centimetres of their actual position. Although the attack is difficult to execute, the impact could be detrimental to any organisation, because the breach might not be detected until an asset review has been carried out. Interestingly, this could also be used by an APT as a method of accessing certain facilities, stealing high-value assets or disrupting important production lines.


Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks

Raven Storm is a powerful open-source DDoS kit written almost entirely in Python. It is primarily intended for penetration testing within an organisation: attacking Wi-Fi infrastructure, taking down servers, and attacking across the 3rd, 4th and 5th layers (Network, Transport and Session) of the OSI model. Many servers can be interlinked using this software by sharing a specific URL from the C&C (Command and Control) node with the systems making up the botnet. A custom password can be set to prevent the setup from being tampered with; then running a simple one-word command at user permission level from the C&C node connects all the systems and launches a potentially catastrophic DDoS attack on the intended target.

The threat actor in this case is a seemingly new group known as ‘Mysterious Team’, and according to CloudSEK, an AI and threat-intelligence organisation based in India, multiple companies were targeted. CloudSEK’s advice was to install anti-DDoS protection on critical systems and use IP geo-blocking to prevent attacks from an unusual country or province.

DDoS detection is fairly straightforward compared to some attacks. During a DoS or DDoS attack, up to several million packets are sent every second to a victim system, which appears to an analyst as an unreasonably large spike in data to a small number of IP addresses. DDoS attacks also tend to span as many ports as possible to aid the exhaustion of the victim, which can easily be detected with equipment like the TDAC platform.


Bumblebee Loader Used to Compromise Active Directory Services

The Bumblebee loader has been in the wild since March 2022 and has been associated with BazarLoader, TrickBot and IcedID. The main delivery tactic is spear-phishing, which then uses macro-laced documents to deliver the payload; however, Microsoft's decision to disable macros by default has made this delivery method less effective. Recently, the Bumblebee loader has been seen using ISO and LNK files to combat this, as discovered by the research group Cybereason. Once the victim opens the LNK file, the Bumblebee loader initiates, which leads to next-stage actions such as persistence, privilege escalation, reconnaissance and credential theft. In the particular incident analysed by Cybereason, a highly privileged user's credentials were harvested and used to seize control of the Active Directory. The attackers then created a new user account for data exfiltration, all within 2 days of initial access, which is alarming because this loader is known to be used for delivering ransomware. The timeframe between initial access and execution is incredibly short and could be missed even by a dedicated IT team, which promotes the need for extensive and up-to-date user awareness training.

Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

Counterfeit models of budget Android devices are finding their way onto the mobile phone market containing trojans designed to target WhatsApp user and business accounts. The malware was discovered by antivirus company Dr Web in July 2022 in the system partition of at least 4 different mobile phone models: P48Pro, Radmi Note 8, Note30u and Mate40. These models are direct copycats of famous brands including Samsung, Huawei and Xiaomi, and all have a very old version of Android installed.

The current version of Android is 12 (13 is being rolled out), whereas the counterfeit devices run 4.4.2, first released in December 2013. The version is this old because it will not include a patch for the pre-installed malware and is susceptible to many further security vulnerabilities. 2 files in particular were tampered with so that whenever any app is run, the malware executes: the malware itself is stored in the "/system/lib/libmtd.so" file, while the initial execution is carried out by the "/system/lib/libcutils.so" file when an app is opened.
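A practical check for a handset of uncertain origin follows from the two facts above: the Android release is far behind current, and two named system libraries have been replaced. The script below is an added example written for this post, not code from Dr Web or the report; it parses the output of two real Android shell commands, `getprop ro.build.version.release` and `sha256sum` (the latter ships with toybox on modern Android and may be absent on a 4.4-era toolbox), flags a release older than an assumed floor of 12, and compares the hashes of `/system/lib/libcutils.so` and `/system/lib/libmtd.so` against a baseline. The baseline hashes and both sets of command output are constructed placeholders; a real baseline must be taken from a genuine vendor firmware image of the same build.

```python
"""System-library integrity and build-version audit (added example)."""
import hashlib
import re

# The two paths the report names: libcutils.so triggers execution on app
# launch, libmtd.so holds the malware body. The baseline hashes below are
# constructed placeholders derived from dummy bytes; a real baseline comes
# from a genuine vendor firmware image of the same build.
WATCHED_LIBS = ("/system/lib/libcutils.so", "/system/lib/libmtd.so")
BASELINE_SHA256 = {
    path: hashlib.sha256(f"constructed clean {path}".encode()).hexdigest()
    for path in WATCHED_LIBS
}


def parse_release_version(getprop_output):
    """Turn the output of 'getprop ro.build.version.release' (e.g. '4.4.2')
    into a comparable tuple such as (4, 4, 2)."""
    match = re.search(r"\d+(?:\.\d+)*", getprop_output)
    if not match:
        raise ValueError("no Android release version found in output")
    return tuple(int(part) for part in match.group(0).split("."))


def parse_sha256sum(output):
    """Parse 'sha256sum' lines ('<hex>  <path>') into {path: hex}."""
    hashes = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{64}", parts[0]):
            hashes[parts[1]] = parts[0]
    return hashes


def audit_device(getprop_output, sha256sum_output,
                 baseline=BASELINE_SHA256, min_release=(12,)):
    """Return a list of findings: an out-of-date release (assumed floor is the
    current release the report cites, 12) and any watched library whose hash
    is missing from the listing or differs from the baseline."""
    findings = []
    release = parse_release_version(getprop_output)
    if release < min_release:
        findings.append(
            "android " + ".".join(map(str, release))
            + " is older than " + ".".join(map(str, min_release))
            + "; unpatched against the pre-installed malware"
        )
    observed = parse_sha256sum(sha256sum_output)
    for path, expected in baseline.items():
        seen = observed.get(path)
        if seen is None:
            findings.append(f"{path}: absent from hash listing")
        elif seen != expected:
            findings.append(f"{path}: SHA-256 differs from baseline (possible tampering)")
    return findings


# Constructed command output for a counterfeit handset: old release, and
# both watched libraries replaced.
COUNTERFEIT_GETPROP = "4.4.2\n"
COUNTERFEIT_SHA256SUM = "\n".join(
    f"{hashlib.sha256(f'constructed tampered {p}'.encode()).hexdigest()}  {p}"
    for p in WATCHED_LIBS
)

# Constructed command output for a genuine handset on the current release.
GENUINE_GETPROP = "12\n"
GENUINE_SHA256SUM = "\n".join(f"{h}  {p}" for p, h in BASELINE_SHA256.items())


if __name__ == "__main__":
    for name, props, sums in (("counterfeit", COUNTERFEIT_GETPROP, COUNTERFEIT_SHA256SUM),
                              ("genuine", GENUINE_GETPROP, GENUINE_SHA256SUM)):
        print(name, audit_device(props, sums) or ["no findings"])
```

The version check is only a screening signal (an old release is not proof of tampering), which is why the hash comparison is reported separately; a missing path is also reported, since a listing that omits a watched library tells the auditor nothing about it.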

When WhatsApp is run, the malware can read the chats, send spam and intercept calls to harvest the user's data. Dr Web theorises that the malware could be a branch of the FakeUpdates malware, which specialises in setting up backdoors on devices using over-the-air firmware updates.

To avoid this kind of issue, it is recommended that users only purchase mobiles from legitimate distributors and trusted stores.

