Security News > 2022 > January

Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on. That vulnerability, now known as CVE-2022-22594, showed up in Safari because of a bug in WebKit, the "Browser rendering engine", as these things are generally known, on which the Safari app is based.

The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data. Once downloaded, the app installs Vultur banking trojan, which steals financial and banking data on the compromised device - but can do much more.

Another Android trojan called TeaBot has been observed lurking on the Google Play Store in the form of an app named "QR Code Reader - Scanner App," attracting no fewer than 100,000 downloads while delivering 17 different variants of the malware between December 6, 2021, and January 17, 2022. BitDefender said it identified four more dropper apps - 2FA Authenticator, QR Scanner APK, QR Code Scan, and Smart Cleaner - that were available on the Play Store and distributed the TeaBot malware since at least April 2021.

A new, sophisticated phishing attack has been observed delivering the AsyncRAT trojan as part of a malware campaign that's believed to have commenced in September 2021. "Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT designed to remotely monitor and control its infected computers through a secure, encrypted connection," Michael Dereviashkin, security researcher at enterprise breach prevention firm Morphisec, said in a report.

Delta Electronics, a Taiwanese electronics company and a provider for Apple, Tesla, HP, and Dell, disclosed that it was the victim of a cyberattack discovered on Friday morning. While Delta's statement did not say who was behind the attack, an undisclosed information security company found a Conti ransomware sample deployed on the company's network, as CTWANT first reported.

North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries and is now actively using it to execute malicious code on Windows systems. In the next stage, the LNK file is used to launch the WSUS / Windows Update client to execute a command that loads the attackers' malicious DLL. "This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," Malwarebytes said.

Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails. "The inbox rule allowed the attackers to avoid arousing the compromised users' suspicions by deleting non-delivery reports and IT notification emails that might have been sent to the compromised user."

The BotenaGo botnet source code has been leaked to GitHub. Uploading of the source code to GitHub "Can potentially lead to a significant rise of new malware variants as malware authors will be able to use the source code and adapt it to their objectives," Alien Labs security researcher Ofer Caspi wrote.

QNAP has urged NAS users to act "Immediately" to install its latest updates and enable security protections after warning that product-specific ransomware called Deadbolt is targeting users' boxen. Security advice from QNAP includes disabling port-forwarding and UPnP port forwarding if your NAS is internet-facing.

Dubbed PwnKit, it's been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges. Heads up, Linux users: A newly discovered vulnerability in pretty much every major distro allows any unprivileged user to gain root access to their target, and it's been hiding in plain sight for 12 years.