Showing results for tags 'becky bracken'.
Found 5 results

  1. Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.

     Source: Aleskey Funtap via Alamy Stock Photo

     A pair of zero-day vulnerabilities in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network-attached storage (NAS) appliances are impacting an estimated 80,000 devices worldwide. They remain unpatched for two of the four affected OSes. QNAP provides gear and software for Internet of Things (IoT) storage, networking, and smart video. The OS bugs, discovered by researchers at Sternum, are memory access violations, which could cause unstable code and could provide a path for an authenticated cybercriminal to execute arbitrary code.

     The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact the QTS, QuTS hero, QuTScloud, and QVP OS, according to Sternum, and have been fixed in QTS version 5.0.1.2346 build 20230322 (and later) and QuTS hero version h5.0.1.2348 build 20230324 (and later). The QuTScloud and QVP OS remain unpatched, but QNAP said that it is "urgently fixing" the flaws.

     Source: QNAP

     Sternum researchers explain the memory access violations affect the performance, as well as the security, of the QNAP devices. The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values." While the bugs are rated "low severity," and so far, Sternum's researchers have not seen them exploited in the wild, getting a patch in place quickly matters — QNAP users continue to be a favorite target among cybercriminals.

     Why Is QNAP Cyberattacker Catnip?

     The DeadBolt ransomware group in particular was seen exploiting a range of zero-day vulnerabilities in a series of wide-ranging cybercampaigns against QNAP users in 2022 alone, surfacing regularly in May, June, and September.

     DeadBolt is clearly dead set, as it were, on putting effort into finding — and exploiting — QNAP flaws, preferably critical zero-days, according to Mark Parkin, senior technical engineer with Vulcan Cyber. "It's sometimes said that finding one vulnerability in a target will lead people into looking for more," Parkin explains. "The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."

     Collusion suspicions aside, it's up to organizations to make sure their highly targeted QNAP systems are up to date, especially given that new bugs are coming to light with some frequency. In addition to the most recent findings from Sternum, in February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. The disclosures just widen the attack surface further.

     In the case of the most recent vulnerabilities, users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise. Because cyberattackers would need to be authenticated, doing an audit of who has access to vulnerable systems and providing additional authentication protection could also help mitigate an attack.

     One researcher warns that even in cases where patches are available, truly locking down the appliances might require a shift in mindset for some companies. "QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money," Bud Broomhead, CEO of Viakoo, says. "Because QNAP devices, along with many other IoT devices, are largely managed outside of IT, they are often misconfigured, left unprotected by firewalls, and left unpatched."

     He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."

     Source
  2. Computing giant tries to reassure users that the tool won’t be used for mass surveillance.

     Apple provided additional design and security details this week about the planned rollout of a feature aimed at detecting child sexual abuse material (CSAM) images stored in iCloud Photos. Privacy groups like the Electronic Frontier Foundation warned that the process of flagging CSAM images essentially narrows the definition of end-to-end encryption to allow client-side access — which essentially means Apple is building a backdoor into its data storage, it said.

     Apple’s new document explained that the tool is only available to child accounts set up in Family Sharing and the parent or guardian must opt in. Then, a machine-learning classifier is deployed to the device in the messaging app, which will trigger a warning if the app detects explicit images being sent to or from the account. If the account is for a child under 13 years old, the parent or guardian will also receive a notification, according to Apple. The image is not shared with the parent, only a notification, Apple added.

     Apple Explains How It Protects Privacy While Monitoring CSAM Content

     The feature also detects collections of CSAM images uploaded to iCloud Photos, Apple said. First it runs code on the device that compares any photo being uploaded to a known database of CSAM images. After a certain number of images is detected, the images are sent to a human reviewer and if an issue is detected, the information is turned over to the National Center for Missing and Exploited Children, who will notify law enforcement as necessary.

     First, Apple said it generated a CSAM device database by combining information from two separate child-safety agencies. The company added that the database is never updated or shared over the internet. Apple added that it will publish a Knowledge Base article with a root hash of the encrypted database with each iOS update, to allow for independent third-party technical audits.

     It’s unclear how any of these details will reassure critics of the move.

     Via threatpost.com
  3. Fake aerobics-instructor profile delivers malware in a supply-chain attack attempt from TA456.

     Most people have probably heard of catfishing. That’s when someone adopts a fake online persona, usually to trick someone into falling in love. Now, threat actors have developed their own spin on the grift, developing appealing — objectively hot — profiles to charm victims into downloading malware.

     In a new report, Proofpoint details how the group TA456, associated with the Iranian Revolutionary Guard, invested years in developing the false profile of a fantasy woman named Marcella Flores, an impossibly shiny-haired aerobics instructor from the U.K., to rein in unsuspecting targets. The first signs of Marcella on social media started in 2018, according to Proofpoint’s analysis. Starting about eight months ago, Proofpoint found TA456 used the Marcella Flores profile to slowly build a relationship with someone who worked for a subsidiary of an aerospace defense contractor in the U.S. Over the months, Marcella shared many emails, pictures and even a video to build trust.

     “Marcella’s” Facebook profile. Source: Proofpoint.

     It wasn’t until early June that the attackers sent an email from Marcella Flores with the malware, the report added.

     TA456 Lempo Malware

     Once it gains a foothold in a target’s system, Lempo performs reconnaissance and exfiltrates data to an email account controlled by TA456. Then, it deletes the host artifacts to cover its tracks, the report explained. As for the attack chain, an Excel macro drops the Lempo reconnaissance tool and Windows does the rest. Lempo collects sensitive domain data, computer and username information, firewall rules, IP config information and tons of other useful stuff that could be used to launch a successful supply-chain attack on the government or various contractors.

     In fact, Proofpoint’s Sherrod DeGrippo told Threatpost the fake “Marcella” profile they found was also connected on social media with others who publicly identify themselves as employees of defense contractors.

     Alluring Photos Are a Standard Scammer Tactic

     Besides general cybersecurity hygiene and awareness training, DeGrippo advises those who work in sensitive industries — like aerospace and defense — to avoid sharing too much personal information on social media, which could ultimately be used by threat actors to build a detailed personal profile on you for abuse.

     Catfishing by cyberattackers isn’t new; in 2020, Hamas was caught taking a classic catfish approach to tempt Israeli soldiers into installing spyware on their phones. Members posed as teen girls who were looking for quality chat time. Iran-linked threat actors have used similar tactics on LinkedIn and WhatsApp before, targeting industries of geopolitical interest to the country, Sean Nikkel, threat intelligence analyst from Digital Shadows, told Threatpost. Unfortunately, there’s no one simple answer to eliminating the risk of these types of sophisticated social-engineering attacks, according to Dirk Schrader from New Net Technologies.

     Via threatpost.com
  4. The malware is spreading rapidly through ‘missed package delivery’ SMS texts, prompting urgent scam warnings from mobile carriers.

     Android mobile phone users across the U.K. are being targeted by text messages containing a particularly nasty piece of spyware called “Flubot,” according to the country’s National Cyber Security Centre.

     Victims are asked to download a fake app from a malicious website.

     The malware is delivered to targets through SMS texts and prompts them to install a “missed package delivery” app. Instead, it takes victims to a scam website where they download the “app” — which is really just the spyware. Once installed, it then sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information. It also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” — like the flu.

     The U.K.’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers including Three and Vodafone have also issued warnings to users over the text message attacks. So far, most of the phishing texts are branded to look like they are being sent from DHL, the NCSC said, but warned, “the scam could change to abuse other company brands.” One victim posted a message posing as a link from the Royal Mail. Another user on Twitter spotted this scam “Amazon” message which they point out swaps the “o” for a zero in the link.

     Telecom carriers Vodafone UK, Three UK and EE have all confirmed the scam is traversing their networks, which collectively have more than 58 million subscribers across the country. Anyone who receives what they believe to be a scam text is advised not to click on any links and to forward the text to “7726,” a “free spam-reporting line” established to combat fraud in the U.K. Finally, delete the message and block the sender.

     If a user has already clicked on the link, the NCSC warned not to enter any password or other personal information. To remove the malware from the infected device, “Perform a factory reset as soon as possible,” the NCSC guidance reads. “The process for doing this will vary based on the device manufacturer…Note that if you don’t have backups enabled, you will lose data.” The NCSC added that if a user has entered their personal information, it’s critical to change those passwords immediately to prevent further compromise. To prevent future attacks, the NCSC said users should back up any important information, only install a minimal number of apps from trusted sources and use available virus protection offered by Google Play and others.

     SMS Phishing (‘Smishing’) On the Rise

     These types of SMS phishing scams, also known as “smishing,” aren’t anything new. In February, attackers were harvesting personal data of users in the U.K. with fake messages promising tax refunds for overpayment. Mobile phishing has been a booming business since the start of the COVID-19 pandemic, experts say, which they expect will only continue to grow. Paul Ducklin, researcher at Sophos, explained why smishing is becoming such a popular choice for threat actors in discussing the February campaign.

     Via threatpost.com
  5. Fake job offers lure professionals into downloading the more_eggs backdoor trojan.

     A threat group called Golden Chickens is delivering the fileless backdoor more_eggs through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers, according to researchers at eSentire. The phishing emails try to trick a victim into clicking on a malicious .ZIP file by picking up the victim’s current job title and adding the word “position” at the end, making it appear like a legitimate offer. Once downloaded, more_eggs can fetch additional malware and provide access to the victim’s system, the report said.

     The Golden Chickens group is also selling more_eggs as malware-as-a-service to other cybercriminals, who use it to gain a foothold in victims’ systems to install other types of malware, including banking malware, credential stealers and ransomware, or just to exfiltrate data, eSentire reported.

     More_Eggs Malware: A ‘Formidable Threat’

     Rob McLeod, eSentire’s Threat Response Unit director, highlighted three specific aspects of the more_eggs trojan that make it what he described as a “formidable threat to business and business professionals.” First, it abuses normal Windows processes to avoid antivirus protections. Second, McLeod pointed out the personalized spear-phishing emails are effective in enticing victims to click on the fake job offer. What’s perhaps most pernicious is that the malware exploits job hunters desperate to find employment in the midst of a global pandemic and skyrocketing unemployment rates, he added.

     While eSentire hasn’t been able to pinpoint the group behind more_eggs, researchers have observed the groups FIN6, Cobalt Group and Evilnum have each used the more_eggs malware as a service for their own purposes.

     More_Eggs Malware-As-A-Service

     The financial threat gang FIN6 used the more_eggs malware to target various e-commerce companies back in 2019. At the same time, attackers used more_eggs to breach retail, entertainment and pharmaceutical companies’ online payments systems, which eSentire researchers haven’t definitively linked to FIN6, but are suspected to be linked. Other groups have used the malware too. Evilnum likes to attack financial tech companies, according to eSentire, to steal spreadsheets, customer lists and trading credentials, while Cobalt Group is usually focused on attacking financial companies with the more_eggs backdoor. Rather than attack someone who is unemployed, experts agree that the goal of the campaign is likely to attack people who are employed and have access to sensitive data.

     How to Avoid Being a LinkedIn Victim

     The motivation for the attacks is unclear, researchers said. In the report, eSentire follows the more_eggs LinkedIn attack on someone in the health care technology sector. Chris Hazelton with mobile security provider Lookout added that to avoid compromise, all users on LinkedIn should be on the lookout for spear-phishing scams.

     Via threatpost.com