Police Disrupts FluBot, One of the Fastest-Spreading Mobile Spyware To Date
Read also: Chinese hackers are exploiting a Windows MSDT zero-day, Costa Rica’s health service hit by a ransomware attack, and more.
Thursday, June 2, 2022
SMS-based FluBot spyware disrupted in international law enforcement operation
An international law enforcement operation involving 11 countries has resulted in the disruption of FluBot, one of the fastest-spreading mobile malware to date.
First spotted in 2020, FluBot, aka Fedex Banker and Cabassous, is a piece of aggressive mobile malware targeting Android users, which spreads via SMS and is designed to steal sensitive data, such as passwords, online banking details and other information from infected devices.
According to Europol, the Dutch Police (Politie) disrupted the malware’s infrastructure in May and took control over it. The law enforcement authorities are working to identify the individuals behind the FluBot global campaign.
Chinese hackers caught exploiting a Windows MSDT zero-day
China-linked state-sponsored hackers have been observed exploiting a recently disclosed zero-day RCE vulnerability in a Windows tool in attacks targeting the international Tibetan community.
The zero-day flaw in question (CVE-2022-30190, aka “Follina”) is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). By exploiting the issue a remote attacker can execute arbitrary code with the privileges of the calling application, and install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. CVE-2022-30190 affects all supported Windows client and server platforms.
According to Proofpoint, the TA413 APT group believed to be working on behalf of the Chinese government has exploited the said vulnerability in attacks involving a Microsoft Word document used to install malicious payloads on victim devices.
Cybersecurity Compliance
Prevent data breaches and meet regulatory requirements
DoJ seizes domains used to sell stolen data, DDoS services
US authorities have seized three internet domains - weleakinfo[.]to and two related domain names, ipstress[.]in and ovh-booter[.]com - used by cybercriminals to sell stolen data or launch cyber-attacks on victims networks.
The WeLeakInfo website offered a subscription service where customers could access personal information such as names, email addresses, usernames, phone numbers, and passwords for online accounts obtained through data breaches. The other two sites, Iipstress and Ovh-booter, offered to conduct DDoS (Distributed Denial of Service) attacks, for hire.
The three domains were seized as part of an international law enforcement effort with the help of National Police Corps of the Netherlands and the Federal Police of Belgium.
Over 1,200 of unsecured Elasticsearch databases are being held for ransom by hackers
Hundreds of poorly secured Elasticsearch instances were targeted in a mass hijacking campaign, with threat actors replacing data stored in the databases with a ransom note demanding $620 to restore contents.
Securework researchers have identified over 1,200 of Elasticsearch servers that contained the ransomware note, but they believe that the number of victims could be higher. The researchers identified at least 450 individual requests for ransom payments, totaling over $280,000.
It appears that the attackers used an automated script to identify the vulnerable databases, delete the data, and drop the ransom note.
Costa Rica's public health service hit by the Hive ransomware
Following a disruptive ransomware attack by the Conti group that hit multiple Costa Rican government bodies back in April, the country’s public health service has been targeted in yet another ransomware attack.
According to the Costa Rican Social Security Fund (CCSS), the attack impacted around 1,200 Costa Rica's hospitals and clinics potentially affecting thousands of patients. Due to the attack, the public health agency was forced to shut down its digital record-keeping system.
CCSS President Alvaro Ramos said that the incident impacted 30 of the 1,500 servers belonging to the CCSS, but there is no evidence that a critical database or system was compromised.
While officials did not share what malware was used in the attack, some news outlets reported that the CCSS was hit by the Hive ransomware. Although Conti and Hive are separate operations, there has been speculation that the groups might have established some sort of working relationship.
What’s next:
- Follow ImmuniWeb on Twitter and LinkedIn
- Subscribe to newsletter to get the next post automatically
- Explore 18 use cases how ImmuniWeb can help
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law. 
