Blog entry by Les Bell

by Les Bell - Friday, 7 July 2023, 10:45 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Android Spyware Plunders Phones, Sends Data to China

Security vendor Pradeo has detected two malicious Android apps which pose as file managers and could have aggregated 1.5 million installs from the Google Play Store. However, the apps are actually spyware which, despite claims to the contrary, exfiltrate a massive amount of data from the victims' phones.

The two apps are:

  • File Recovery and Data Recovery - com.spot.music.filedate - over 1 million installs
  • File Manager - com.file.box.master.gkd - over 500 thousand installs

On their Play Store Pages, the apps claim that no user data is collected (and that if it was, it would be encrypted in transit but cannot be deleted - a breach of many privacy laws, including the EU GDPR). However, according to Pradeo's analysis using their behavioural analysis engine, the data that is stolen and sent to servers in China includes:

  • Users’ contact lists from the device itself and from all connected accounts such as email and social networks
  • Media compiled in the application: Pictures, audio and video contents
  • Real time user location
  • Mobile country code
  • Network provider name
  • Network code of the SIM provider
  • Operating system version number
  • Device brand and model

That's quite a shopping list! Much of that information could be used to profile users and identify targets for a variety of purposes such as cyber-espionage or cybercrime, while the OS version and device information could be used in selecting an appropriate exploit.

The claimed installation numbers could have been faked in order to make the apps appear legitimate and rank higher in searches - in particular, an absence of reviews backs this interpretation. The apps are also somewhat stealthy - they hide their icons from the home screen, making them difficult to locate and uninstall - and they also force a reboot of the device, which then allows them to run automatically, and invisibly, in the background. It's entirely possible that some users may have forgotten they even installed these programs.

All this illustrates the dangers of mindlessly collecting lots of apps on a phone; users need to be careful to assess the legitimacy of apps before installing them, by reading reviews and looking for red flags, and in particular, reviewing the requested permissions before allowing installation to proceed. A 'flashlight' app that is a 40 MB download and requests access to everything on the phone is clearly not legitimate - and neither is a file manager that requests permission to access the phone book, user location information, etc.
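As an added illustration (not code from Pradeo's report or from this blog), the following Python triages an app's manifest the way the paragraph above suggests a user should: it compares the requested permissions against what a file manager can justify and checks for a receiver that starts the app after a reboot. The allowlist, the permission-to-data mapping and the sample manifest (with a hypothetical package name) are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a plain file manager can justify; anything else gets flagged.
# This allowlist is an assumption for illustration, not a published baseline.
FILE_MANAGER_EXPECTED = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Permissions that grant the data categories the Pradeo report lists as exfiltrated.
DATA_CATEGORY = {
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.GET_ACCOUNTS": "connected accounts",
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
    "android.permission.READ_PHONE_STATE": "SIM / network operator identifiers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after reboot",
}

# Constructed manifest mirroring the behaviour described in the report
# (hypothetical package name, not either of the two real apps).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml, expected=FILE_MANAGER_EXPECTED):
    # Returns ({unexpected permission: data it exposes}, starts_on_boot)
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    flagged = {p: DATA_CATEGORY.get(p, "outside stated purpose")
               for p in sorted(requested - expected)}
    # A BOOT_COMPLETED receiver is how an app resumes after the forced reboot the
    # report describes, with no launcher icon needed.
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    starts_on_boot = "android.intent.action.BOOT_COMPLETED" in actions
    return flagged, starts_on_boot
```

Run against the sample, it flags the four permissions that a file manager has no business requesting and reports that the app starts at boot.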

Suau, Roxane, Two spyware tied with China found hiding on the Google Play Store, blog post, 6 July 2023. Available online at https://blog.pradeo.com/spyware-tied-china-found-google-play-store.

CISA Advisory on New Truebot Variants

The US Cybersecurity & Infrastructure Security Agency, along with its partners, has released an advisory on new variants of the Truebot loader. Traditionally, Truebot's operators - generally Russian cybercrime groups - have used phishing campaigns with malicious redirect hyperlinks to infect victims with the malware, which is then used to download the Clop ransomware.

However, the newer variants are now also obtaining initial access by exploiting CVE-2022-31199, a known vulnerability in the Netwrix Auditor - an application used for auditing both on-premises and cloud systems. In this campaign, after gaining a foothold, Truebot renames itself and then loads a remote access trojan called FlawedGrace. From there, FlawedGrace is used both for privilege escalation and to install payloads which allow the attackers to persist.

In fact, the entire campaign is quite complex, involving a variety of tools, such as Raspberry Robin malware, FlawedGrace, a custom data exfiltration tool which Cisco Talos call Teleport, and Cobalt Strike beacons. The 26-page CISA advisory provides a mapping to MITRE ATT&CK tactics and techniques, a comprehensive list of IOCs, guidance for incident response and suggested mitigations.

CISA, Increased Truebot Activity Infects U.S. and Canada Based Networks, cybersecurity advisory, 6 July 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a.

Mozilla Releases Security Advisories

The Mozilla Foundation has released a number of advisories to address vulnerabilities in Thunderbird, Firefox and Firefox ESR. The obvious first defence for most users is to let their currently-installed versions download and install the next versions (Thunderbird 102.13, Firefox 115 and Firefox ESR 102.13).

Uncredited, Mozilla Foundation Security Advisory 2023-24 - Security Vulnerabilities fixed in Thunderbird 102.13, 4 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/.

Uncredited, Mozilla Foundation Security Advisory 2023-23 - Security Vulnerabilities fixed in Firefox ESR 102.13, 4 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/.

Uncredited, Mozilla Foundation Security Advisory 2023-22 - Security Vulnerabilities fixed in Firefox 115, 4 July 2023. Available online at https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
