Last Updated on August 3rd, 2023
In AppSec Bulletin

Hackers Spread Malware via Call of Duty

Malicious actors have been using player lobbies in Call of Duty: Modern Warfare 2 to distribute self-replicating malware or worms. On July 26, players were alerted to the malware through a post on Steam, where a user warned of hackers attacking through hacked lobbies. Players were advised to run antivirus software before playing the game.

Worms are a type of malware that can spread independently, without the need for a host program. They can affect devices by consuming disk space and deleting files as they replicate. In this case, the worm appears to have been coded specifically for Call of Duty: Modern Warfare 2, and it prevents users from joining or hosting custom lobbies. The worm relies on remote code execution (RCE) to operate, yet it also blocks any further RCE attempts against the host it has infected.

As a response, the official Call of Duty Updates X account announced that the game was taken offline for investigation after receiving reports of the issue.

Source – Cyber Security Hub

Spyware App Compromised Over 60,000 Android Devices to Steal Sensitive Data

Spyware is a type of surveillance software used to collect sensitive information from victims and send it to the person who installed the application. These apps stealthily hide on the victim’s device, making them difficult to detect.

One widely used spyware called Spyhide allows individuals to spy on their partners if they know the victim’s device passcode. However, Spyhide was found to have a vulnerability in its web-based dashboard, allowing a hacker to access sensitive data from around 60,000 compromised devices dating back to 2016. The compromised data included call logs, text messages, location history, photos, and more, affecting thousands of victims across Europe, Brazil, and the United States.

The spyware developers attempted to hide their identity, but their involvement was traced back to two Iranian developers, Mostafa M and Mohammed A. Spyware apps like Spyhide are banned from official app stores, so users must download them from their official websites, which increases the risk of exposure to such malware. Spyware apps often disguise themselves as legitimate apps, making it essential for users to be cautious and only download apps from trusted sources like the Google Play Store or App Store. Additionally, using spyware detection apps like Google Play Protect can help detect and prevent spyware apps from transmitting data.

Source – Cyber Security News

New SEC Rules Require Incident Disclosure for Cybersecurity Breaches Within Four Days

The Securities and Exchange Commission (SEC) has voted to adopt new rules that require all publicly traded companies to report any cybersecurity breach that could have a material impact within four days. However, there are exceptions and caveats that can delay incident disclosure, such as when disclosing the breach might pose a “substantial risk” to public safety or national security. Additionally, companies must file an annual report detailing their efforts to identify and prevent material cybersecurity breaches. Foreign private issuers are also subject to these rules.

The new requirements come into effect 30 days after publication, with “smaller” reporting companies granted a grace period of 180 days. The SEC aims to improve the documentation of cybersecurity breaches and provide investors with timely information. However, the decision passed narrowly, by a 3-2 vote, because of concerns about its impact on small businesses and the potential for inaccurate reporting. Some experts worry that rapid public disclosure may lead to reactive market behavior and give attackers insight into detection and evasion strategies. Nonetheless, the new rules signal a growing push by regulatory bodies to address cybersecurity in private companies, with some comparing a cybersecurity breach to a fire destroying physical records.

Source – CPO Magazine

New Infostealer Uncovered in Phishing Scam Targeting Facebook Business Accounts

Unit 42 researchers have found a phishing campaign using a new infostealer variant to target Facebook business accounts. The threat actor behind the campaign is suspected to be of Vietnamese origin. While this specific campaign is no longer active, the researchers believe the attackers will continue using similar techniques to hijack Facebook business accounts in the future. The infostealer, known as ‘Nodestealer 2.0,’ is distributed through a phishing campaign that lures victims with advertising materials for businesses. It can steal Facebook business account information, download additional malware, and steal cryptocurrency. Organizations are advised to strengthen their protection policies and to educate their teams on phishing tactics and on the importance of strong passwords and multifactor authentication for Facebook accounts.

Source – Infosecurity Magazine

Hackers steal Signal, WhatsApp user data with fake Android chat app

Hackers from the Indian APT group ‘Bahamut’ are using a fake Android app called ‘SafeChat’ to spread spyware that steals call logs, texts, and GPS locations from infected phones. The spyware is suspected to be a variant of “Coverlm,” which targets communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. The attackers use spear-phishing messages on WhatsApp to deliver the malicious payload to victims, mainly in South Asia. The app has a deceptive interface that imitates a genuine chat app, and it tricks users into granting Accessibility Services permissions, which let it access contacts, SMS, call logs, and GPS data. Stolen information is encrypted and sent to the attacker’s server through a dedicated data exfiltration module. The evidence indicates that the Bahamut group is state-sponsored, and there are similarities between its techniques and those of another Indian APT group called ‘DoNot.’

Source – Bleeping Computer

New Android Malware Uses Optical Character Recognition to Steal Login Credentials

A new Android malware strain named “CherryBlos” uses Optical Character Recognition (OCR) techniques to extract sensitive data from images, targeting crypto wallet credentials and altering withdrawal addresses in order to steal cryptocurrency-related information. The malware is distributed through various channels, including social media, phishing sites, Google Play, and other Android app stores. It abuses accessibility service permissions and can perform OCR on images to extract text, potentially stealing the mnemonic phrases used to recover crypto wallets. Users are advised to download apps only from trusted sources, keep their systems and software updated, and use a robust antivirus solution to protect against such threats. Additionally, caution should be exercised when granting app permissions and when clicking on suspicious links or attachments.

Source – GB Hackers on Security

AppSealing is the only cloud-based pay-as-you-go solution that protects mobile apps without writing a single line of code. Our solution is easy to use and protects mobile apps from hackers and illegal application modification, securing them at runtime with RASP security features.