Malicious Android Apps Used to Target Iranian Banks
An ongoing Android malware campaign targeting users of Iranian financial institutions has expanded with new capabilities that let it reach a larger pool of victims and evade detection on compromised devices. The campaign consists of fake Android applications imitating the legitimate apps of financial institutions. While researchers originally discovered only forty (40) Android apps, a new report from Zimperium now links more than 200 apps to the campaign. These applications trick the device user into granting escalated privileges, after which the malware abuses Android’s accessibility services to harvest financial information, including bank account details, passwords, and credit card numbers. The latest findings indicate that these apps can also intercept SMS messages and block uninstallation of the application so that it can keep harvesting information. Greater use of public hosting services and command-and-control (C2) servers has also allowed the threat actors to adapt quickly to changes in the environment, such as takedowns of their domains, and continue the attack. In addition, the threat actor has been observed launching phishing attacks against the financial institutions it is impersonating; these phishing campaigns use malicious webpages that mimic the original website of the bank or crypto exchange. Together, the campaigns against both the banks and their users have allowed the threat actors to capture information about the victims' devices and financial accounts while exfiltrating the data to two (2) different Telegram channels. CTIX analysts will continue to monitor the evolution of this campaign.
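Because the campaign relies on victims granting accessibility-service access to an impostor app, one practical fleet check is to review which accessibility services are actually enabled on each device. The following is an added example written for this update (it is not code from Zimperium, Google, or the report itself). It assumes the setting value was pulled with the real command `adb shell settings get secure enabled_accessibility_services`, which prints a colon-separated list of flattened component names (`package/class`); the allowlist, the sample setting value, and the `com.example.fakebank` package name are all constructed for illustration and are not indicators from the report.

```python
"""Flag unexpected Android accessibility services from a device's
`enabled_accessibility_services` secure setting.

Added example, not code from the advisory or any vendor tooling. Assumes the
value came from `adb shell settings get secure enabled_accessibility_services`,
which returns a colon-separated list of flattened ComponentNames
(package/class). The allowlist and sample value below are constructed.
"""
from typing import NamedTuple


class AccessibilityService(NamedTuple):
    package: str
    service_class: str


# Constructed allowlist of accessibility-service packages an organisation
# expects on managed devices (hypothetical; tune to your own fleet).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(setting_value: str) -> list[AccessibilityService]:
    """Parse the colon-separated ComponentName list into (package, class) pairs.

    Expands the abbreviated class form "pkg/.Service" to the fully qualified
    class name, and tolerates empty or "null" values, which `settings get`
    prints when no service is enabled.
    """
    services: list[AccessibilityService] = []
    value = (setting_value or "").strip()
    if not value or value == "null":
        return services
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than crash
        package, service_class = entry.split("/", 1)
        if service_class.startswith("."):
            service_class = package + service_class
        services.append(AccessibilityService(package, service_class))
    return services


def find_unexpected_services(setting_value: str,
                             allowlist=KNOWN_GOOD_PACKAGES) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist.

    A banking-app impostor that obtained accessibility access would surface
    here; each hit should be reviewed, not auto-removed, since a user may have
    installed a legitimate assistive tool that is simply missing from the list.
    """
    return [s for s in parse_enabled_services(setting_value)
            if s.package not in allowlist]


# Constructed sample: one legitimate screen reader plus a hypothetical
# impostor package (not a real indicator from the report).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/.OverlayService"
)

if __name__ == "__main__":
    for svc in find_unexpected_services(SAMPLE_SETTING):
        print(f"UNEXPECTED accessibility service: {svc.package} ({svc.service_class})")
```

Run against the output of the `adb shell settings get` command above for each enrolled device; in a managed fleet the same value can typically be collected through the MDM's device-query feature instead of `adb`.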
Threat Actor Activity
Iranian-linked Hackers Actively Exploiting PLCs Used in US Water Sector
The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning that hackers are targeting Water and Wastewater Systems (WWS) facilities by exploiting their programmable logic controllers (PLCs), specifically Unitronics PLCs, which are widely used by organizations in the water sector. PLCs are used in industrial settings to control and manage devices such as pumps and valves, regulate pressure, gather compliance data, and raise critical alarms to operations staff. A successful attack on PLCs located at a WWS facility could cause serious physical damage and prevent the distribution of clean, potable water to the community the facility serves. The CISA advisory is linked to the recent attack on the Municipal Water Authority of Aliquippa in Pennsylvania, which researchers have attributed to the Iranian-backed hacktivist group known as Cyber Av3ngers, which has been reported to attack water and energy facilities that use Israeli-made products. Following the attack, the Pennsylvania water utility took systems offline and switched to manual operations to avoid risks to the municipality's water supply. Along with the measures highlighted in the advisory, CTIX analysts recommend that utilities enable multifactor authentication (MFA), change default passwords, install firewalls and VPNs where remote access is necessary, and disconnect PLCs from the open internet.
- The Hacker News: Unitronics PLCs Article
- Bleeping Computer: Unitronics PLCs Article
- The Record: Unitronics PLCs Article
6th Google Chrome Zero-day Vulnerability Under Active Exploitation
Google has released urgent security updates for Chrome that remediate seven (7) vulnerabilities, one of them an actively exploited critical zero-day bug. The zero-day vulnerability, tracked as CVE-2023-6345, is an integer overflow weakness in Skia, Chrome's open-source 2D graphics library, an engine that provides common APIs compatible with a wide variety of hardware and software. If successfully exploited, this flaw could allow threat actors who have already compromised the renderer process to perform a sandbox escape via maliciously crafted files. The vulnerability was found by researchers from Google's own Threat Analysis Group (TAG), who indicated that the bug could be exploited by state-sponsored threat actors to deliver spyware to unsuspecting high-profile victims such as journalists and politicians. The technical details of the exploit are currently being withheld to allow as many Chrome users as possible to update their vulnerable browsers, but Google has acknowledged that a proof-of-concept (PoC) exploit exists in the wild. CTIX analysts will continue to monitor the fallout of this zero-day and may release an update if new information becomes public.
- Bleeping Computer: CVE-2023-6345 Article
- The Hacker News: CVE-2023-6345 Article
- Google: Chrome Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.