Blog entry by Les Bell

Les Bell
by Les Bell - Tuesday, September 12, 2023, 9:23 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CISA Warns of Apple Device Vulnerabilities

The Cybersecurity & Infrastructure Security Agency has added two new vulnerabilities to the Known Exploited Vulnerabilities Catalog, warning that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." The two vulnerabilities, which are present in iOS, iPadOS and macOS are:

The two vulnerabilities can be chained to create a zero-click exploit chain - i.e. with no user interaction required - used to deliver NSO Group's Pegasus spyware. The exploit chain was discovered by The Citizen Lab of the Munk School at University of Toronto while examining the device of an individual employed by a Washington DC-based NGO with international offices.

Citizen Lab stated:

We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode. We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack.

Apple has fixed the vulnerabilities in iOS 16.6.1, iPadOS 16.6.1 and macOS Ventura 13.5.2; users are encouraged to upgrade as soon as possible.

CitizenLab, BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild, news release, 7 September 2023. Available online at https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/.

CISA, CISA Adds Two Known Vulnerabilities to Catalog, cybersecurity advisory, 11 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/11/cisa-adds-two-known-vulnerabilities-catalog.

MrTonyScam Stealer Spreads Via Facebook Messenger

A campaign to steal the Facebook and other accounts of businesses is spreading via Facebook Messenger. The campaign, dubbed "MrTonyStealer", originates in Vietnam, according to Guardio Labs researcher Oleg Saytsev, and while it relies on social engineering the victim into downloading a file attachment, unzipping and then running it, it is achieving a concerning success rate, with roughly one in each 350 recipients becoming infected.

The goal is to hijack Facebook business accounts that have a good reputation, seller rating and many followers, with the intention of selling them on Telegram and other dark markets. The purchaser can then use such an account for advertising or scams. And business account owners are particularly vulnerable: while private users can happily ignore messages from unkown senders, a business cannot ignore what could be a legitimate enquiry, especially if the lure message threatens a copyright strike or other penalty. And, of course, once the stealer infects the victim, it can also gather credentials for other accounts - banks, cloud-hosted accounting, email, e-commerce platforms, etc. - from the browser's cookies and stored passwords.

The attack delivers an archive file - .rar or .zip - which the recipient is lured to download and open to reveal a batch file. This is a first-stage dropper which, if run, downloads a stage 2 dropper from GitHub. This, in turn, starts the Chrome browser, pointing it to the Alibaba web site as a distraction, while in the background it downloads additional components and starts the main stealer, called project.py, in a standalone Python environment and makes it persistent via a startup batch file.

Once running, the stealer extracts all cookies and login credentials from the victim's browsers, sending them to a Telegram channel via the Telegram/Discord bot API, and then deletes all the cookies, locking the victim out of their accounts and giving the scammers time to hijack the session and change the password. The code uses a variety of obfuscation and detection evasion techniques, but the presence of Vietnamese-language comments in the code, and the inclusion of the "Coc Coc" Chromium-based browser, popular in Vietnam, betray its origin.

The GuardIO blog post provides a comprehensive analysis and IOC's, but the basic message, and mitigation technique, is obvious: don't just double-click on Facebook Messenger attachments, and treat archive files as highly suspicious.

Zaytsev, Oleg, “MrTonyScam” - Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts, blog post, 11 September 2023. Available online at https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: