HCL investigates ransomware, Agent Tesla returns, JavaScript bank malware
December 22, 2023
Indian tech company HCL investigating ransomware attack
The attack was reported to regulators on Wednesday and is being described as occurring in “an isolated cloud environment for one of its projects.” HCL Technologies is one of the largest tech companies in the world. Company reps stated, “there has been no impact observed due to this incident on the overall HCLTech network.”
An old malware and an old Microsoft Office revive old problems
Agent Tesla is a type of spyware that has been around for a decade, but threat actors are continuing to exploit an old vulnerability in Microsoft Office to spread it. The vulnerability, CVE-2017-11882, is a memory-corruption issue that affects a Microsoft Office component responsible for the insertion and editing of equations (OLE objects) in documents. Microsoft released a patch in 2017, but a spike in the number of attacks leveraging the vulnerability has been observed in the past few weeks. According to Security Affairs, “in recent campaigns, the attackers sent out spam messages using words like ‘orders’ and ‘invoices’ in an attempt to trick recipients into opening weaponized Excel documents.”
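Because the affected component is the one that handles embedded equation objects, a quick defensive triage step is to check whether an incoming Office or RTF attachment embeds an Equation Editor object at all. The script below is an added example, not code from the article, Microsoft or any vendor tool. It assumes the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} as the on-disk marker, and the sample RTF and ZIP inputs are constructed inline to exercise the checks; they are not real malware. Presence of an equation object is a reason to look closer, not proof of malice, and obfuscated documents can evade byte-level matching, so this complements patching rather than replacing it.

```python
"""Triage heuristic for CVE-2017-11882 exposure: flag Office / RTF documents that
embed an Equation Editor OLE object. Added example; assumptions are marked."""
import io
import sys
import zipfile

# Assumed known value: Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046},
# in the little-endian layout OLE2 uses on disk (Data1/Data2/Data3 byte-swapped).
EQUATION_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

# Byte patterns that reveal an Equation Editor object in common containers.
INDICATORS = {
    "clsid_equation_editor": EQUATION_CLSID_LE,                        # OLE2 directory / CompObj
    "progid_equation3": b"Equation.3",                                  # RTF \objclass or CompObj
    "stream_equation_native": "Equation Native".encode("utf-16-le"),    # OLE2 stream name
}

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"


def equation_indicators(data: bytes) -> set:
    """Return the names of every indicator pattern found in a raw byte blob."""
    return {name for name, pattern in INDICATORS.items() if pattern in data}


def scan_document(data: bytes) -> dict:
    """Classify the container and collect Equation Editor indicators.

    OOXML files (.docx/.xlsx) are ZIP archives; embedded OLE objects live in
    members such as xl/embeddings/oleObject1.bin, so every member is scanned.
    """
    if data.startswith(ZIP_MAGIC):
        container = "ooxml"
        hits = set()
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                hits |= equation_indicators(archive.read(member))
    elif data.startswith(OLE2_MAGIC):
        container = "ole2"
        hits = equation_indicators(data)
    elif data.startswith(b"{\\rtf"):
        container = "rtf"
        hits = equation_indicators(data)
    else:
        container = "unknown"
        hits = equation_indicators(data)
    return {"container": container, "indicators": sorted(hits)}


# --- Constructed samples (not real malware; minimal bytes that exercise the checks) ---

# RTF that declares an embedded Equation.3 object (objdata is placeholder hex).
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}}")


def build_sample_xlsx() -> bytes:
    """Constructed .xlsx-like ZIP whose embedded OLE blob carries the CLSID and stream name."""
    fake_ole = (b"\x00" * 16 + EQUATION_CLSID_LE + b"\x00" * 8
                + INDICATORS["stream_equation_native"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


def build_benign_xlsx() -> bytes:
    """Constructed .xlsx-like ZIP with no embedded objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_equation.py attachment1.xlsx attachment2.rtf ...
    targets = sys.argv[1:]
    for path in targets:
        with open(path, "rb") as fh:
            print(path, scan_document(fh.read()))
    if not targets:  # no paths given: run against the constructed samples
        print("rtf sample  ->", scan_document(SAMPLE_RTF))
        print("xlsx sample ->", scan_document(build_sample_xlsx()))
        print("benign xlsx ->", scan_document(build_benign_xlsx()))
```

Run it over quarantined attachments and route anything with a non-empty indicator list to sandbox detonation or manual review; on patched endpoints the hit is informational, on unpatched ones it is the attachment to block first.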
New JavaScript malware targets banks
This new campaign has been seen targeting banks in North and South America, Europe, and Japan, affecting at least 50,000 users, and is aimed at stealing users’ online banking account credentials. The malware has not yet been given a name, but researchers at IBM are observing similarities between it and the known stealer and loader family DanaBot. The malware is dynamic and can follow several courses of action; in one of its forms it creates a fake bank customer login page followed by a notice stating that online banking services will be unavailable for a period of 12 hours, deterring customers from accessing their accounts while the operators act on the stolen credentials.
What’s Happening indeed: Twitter/X suffers temporary global outage
Early yesterday morning, the platform went dark for about an hour, with some users in the US, Canada and parts of Europe and Asia seeing a screen that said only “Welcome to X.” Although this was only a brief and quickly resolved issue, the company’s numerous controversies and challenges over recent months ensured this story was widely scrutinized.
Ivanti urges customers to patch new vulnerabilities
The maker of mobile device management technologies, which cover devices including warehouse scanners and handheld tablets, has released patches for 22 flaws, 13 of which have CVSS ratings of 9.8. The company is recommending customers download and install Avalanche 6.4.2 to reduce the risk of remote code execution. No evidence of exploitation of these vulnerabilities in the wild has been noted, although when a previous zero-day vulnerability was disclosed this past summer, CISA pointed out that “Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices.”
(InfoSecurity Magazine and CISA Advisory)
Android malware Chameleon disables fingerprint unlock
The Android banking trojan called Chameleon has a new version capable of bypassing fingerprint and face unlock. According to Bleeping Computer, “it does this by using an HTML page trick to acquire access to the Accessibility service and a method to disrupt biometric operations to steal PINs and unlock the device at will.” Researchers at ThreatFabric are reporting Chameleon is being distributed via the Zombinder service, which poses as Google Chrome, and which “glues malware to legitimate Android apps so that victims can enjoy the full functionality of the app they intended to install, making it less likely to suspect that dangerous code is running in the background.”
Chrome zero-day fix released for already exploited flaw
Google’s Chrome fix, deployed on Wednesday, addresses a vulnerability tracked as CVE-2023-7024, which affects desktop versions of Chrome on Mac, Linux, and Windows. The flaw was reported by Google’s Threat Analysis Group on December 19, and was found in WebRTC, an open-source real-time communication project that provides APIs for web browsers and mobile applications.