Malware activity
New phishing campaign with scam shops “selling” Flipper Zero products
Security-minded members of the Flipper Zero community have been targeted in a new phishing campaign. Flipper Zero is a portable, Tamagotchi-like multifunctional cybersecurity tool used to interact with access control systems. Since the launch of the Kickstarter campaign in 2020, security researchers have demonstrated the product’s capabilities on social media, building interest in the information security community ahead of the product’s release. Attackers began capitalizing on this interest, and on the lack of product availability, in 2022 by creating fraudulent Twitter accounts and shops claiming to sell the products. One of the two currently identified shops is still online as of January 4, 2022 and claims to sell Flipper Zero devices, Wi-Fi modules and cases at the same prices as the legitimate website. The obvious goal of the phishing campaign is to obtain the victim’s email address, name, and shipping address. Buyers can “pay” for products in Ethereum or Bitcoin cryptocurrency. Note that the wallet on the site had not received any payment as of January 4, so the shop may use a new wallet after each transaction. Given the continuing shortage of Flipper Zero devices, we expect attackers to continue to target these communities. CTIX analysts continue to monitor newly discovered phishing campaigns to provide context on notable incidents.
Attacker activity
Threat Profile: Blind Eagle/APT-C-36
Threat actors associated with the Blind Eagle threat group (APT-C-36) recently launched a large-scale phishing campaign in an apparent resurgence of the group. Active since 2018, Blind Eagle is a financially motivated group targeting companies in various South American countries, including companies in the manufacturing, financial and oil/gas industries. The phishing emails distributed by the attackers in this campaign commonly impersonate government agencies and carry malicious URLs and PDF attachments. Unlike other recent phishing campaigns, the Blind Eagle attackers used geofencing to execute malicious code only against users within targeted regions (in this case, Colombia and Ecuador). Otherwise, the malicious code does not run and the user is redirected to the impersonated government agency’s legitimate website. The QuasarRAT malware detonated in this campaign is unusual in that it is normally associated with cyber espionage activity by other threat groups. Analysis of the embedded code shows that the Blind Eagle attackers leveraged QuasarRAT to collect banking information from compromised devices, adapting their tactics. CTIX continues to monitor attacker activity around the world and will provide additional updates accordingly.
Vulnerability
Synology patches multiple critical vulnerabilities
In a published advisory, networking device maker Synology says it has patched a critical remote code execution (RCE) vulnerability affecting its VPN Plus Server solution in Synology Router Manager (SRM). The flaw, tracked as CVE-2022-43931, received the highest severity rating with a CVSS score of 10/10. The vulnerability is described as an out-of-bounds write that specifically affects the remote desktop functionality and could be exploited by an attacker to remotely execute arbitrary code or commands on a target system. VPN Plus is an add-on package that turns a Synology NAS device into a VPN server, allowing a Synology DiskStation Manager (DSM) user to securely access resources shared on the Synology device’s network over the Internet. Successful exploitation of this vulnerability could allow an attacker to take full control of a vulnerable system and carry out devastating follow-on attacks. A week before Synology’s RCE advisory, the company released patch advisories for multiple other vulnerabilities (some of which were disclosed at the Pwn2Own contest in December 2022), including a flaw that allows an attacker to read arbitrary files from a vulnerable version of SRM. These are very low-complexity attacks that can be carried out by unsophisticated attackers. To prevent exploitation of these vulnerabilities, CTIX analysts strongly recommend that all SRM users update to the latest secure version of their device firmware immediately. Specific details regarding the update can be found in the Synology advisory linked below.
Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved. National Law Review, Volume XIII, No. 11