Whiffy malware stinks after tracking location via Wi-Fi


Infosec in Brief No one likes malware, but malicious code that tracks your location is particularly unlovable.

Case in point: a new piece of nasty code dubbed "Whiffy Recon" by researchers from Secureworks. First spotted being deployed by the venerable Smoke Loader botnet earlier this month, the malware uses scans of Wi-Fi access points within range of infected machines to geolocate them, Secureworks said.

It's troubling enough that there's malware out there geolocating victims using Wi-Fi data, but Secureworks researchers said they have no idea what, exactly, the malware's operators are doing with that data.

"Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands," the researchers said, and noted that the malware appears set up for further development – suggesting these first deployments could lead to future nefarious activities.

Whiffy is only targeting Windows machines so far, and upon infection immediately checks for the Wireless AutoConfig Service (WLANSVC) that Windows uses to discover and connect to Wi-Fi networks. Once Whiffy knows WLANSVC is present (it doesn't check to see if it's actually running) it checks for a file named str-12.bin in the wlan subfolder of the APPDATA folder.

If the file isn't present on the system, Whiffy connects to its command and control server, transmits a random UUID for the infected device and begins the second stage of its infection: Wi-Fi scanning, which it does every 60 seconds.

The scan data is mapped to a JSON structure that's transmitted to the Google Geolocation API, which estimates latitude and longitude based on the cell towers and Wi-Fi signals in range of a client. Along with the location, Whiffy also records which authentication and encryption methods the nearby Wi-Fi networks are using, potentially signaling that Whiffy's controllers may be looking to infect neighbouring networks or machines, too.
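To make the above concrete for defenders, here is an added example (not code from the article, Secureworks, or the malware itself) that shows what a Wi-Fi scan looks like once shaped for the publicly documented Google Geolocation API, pulls out the per-network authentication and encryption settings the malware is said to collect, and then flags any process that calls the geolocation endpoint at a near-fixed 60-second period in proxy or EDR logs. Everything beyond the API schema is an assumption: the scan is taken from `netsh wlan show networks mode=bssid` output (constructed sample below), one request is assumed per scan, the percent-to-dBm mapping is the usual approximation rather than anything Whiffy is known to use, and the process name `wlanhelper.exe` in the sample log events is invented for the demonstration.

```python
"""Wi-Fi scan -> Geolocation API request, plus a periodic-beacon detector.

Added example for illustration only; not from the article or Secureworks.
Assumes netsh-style scan output and one API request per 60 s scan.
"""
import json
import re
from datetime import datetime

# Documented Google Geolocation API endpoint (POST, JSON body, ?key=...).
GEO_HOST = "www.googleapis.com"
GEO_PATH = "/geolocation/v1/geolocate"

# Constructed sample of `netsh wlan show networks mode=bssid` output.
NETSH_SAMPLE = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : OfficeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : GuestWiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:ff
         Signal             : 64%
         Radio type         : 802.11n
         Channel            : 11
"""

# Constructed proxy/EDR log events: (timestamp, process, host, path).
# "wlanhelper.exe" is a made-up process name for the demonstration.
SAMPLE_EVENTS = [
    ("2023-08-24T09:00:00", "wlanhelper.exe", GEO_HOST, GEO_PATH + "?key=REDACTED"),
    ("2023-08-24T09:01:01", "wlanhelper.exe", GEO_HOST, GEO_PATH + "?key=REDACTED"),
    ("2023-08-24T09:01:59", "wlanhelper.exe", GEO_HOST, GEO_PATH + "?key=REDACTED"),
    ("2023-08-24T09:03:00", "wlanhelper.exe", GEO_HOST, GEO_PATH + "?key=REDACTED"),
    ("2023-08-24T09:00:30", "chrome.exe", GEO_HOST, GEO_PATH + "?key=REDACTED"),
    ("2023-08-24T09:00:45", "chrome.exe", GEO_HOST, "/drive/v3/files"),
]


def signal_percent_to_dbm(percent):
    """netsh reports link quality in percent, not dBm. The common
    approximation is quality = 2 * (dBm + 100), so invert it (assumption)."""
    return int(percent / 2) - 100


def parse_netsh_networks(text):
    """Parse netsh 'show networks mode=bssid' output into one record per BSSID."""
    aps = []
    ssid = auth = enc = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSID \d+\s*:\s*(.*)", line)
        if m:                                   # new SSID block starts
            ssid, auth, enc = m.group(1).strip(), None, None
            continue
        if line.startswith("Authentication"):
            auth = line.split(":", 1)[1].strip()
        elif line.startswith("Encryption"):
            enc = line.split(":", 1)[1].strip()
        elif re.match(r"BSSID \d+\s*:", line):  # one access point under the SSID
            aps.append({"ssid": ssid, "auth": auth, "encryption": enc,
                        "bssid": line.split(":", 1)[1].strip().lower()})
        elif line.startswith("Signal") and aps:
            pct = int(line.split(":", 1)[1].strip().rstrip("%"))
            aps[-1]["signal_dbm"] = signal_percent_to_dbm(pct)
        elif line.startswith("Channel") and aps:
            aps[-1]["channel"] = int(line.split(":", 1)[1].strip())
    return aps


def build_geolocation_request(aps):
    """Shape the scan into the JSON body the Geolocation API documents.
    considerIp=false forces a fix from the access points, not the public IP."""
    return {
        "considerIp": False,
        "wifiAccessPoints": [
            {"macAddress": ap["bssid"], "signalStrength": ap["signal_dbm"],
             "channel": ap["channel"]}
            for ap in aps if "signal_dbm" in ap and "channel" in ap
        ],
    }


def networks_by_auth(aps):
    """Map SSID -> (authentication, encryption); 'Open'/WEP entries are the
    neighbouring networks an attacker would find easiest to move into."""
    return {ap["ssid"]: (ap["auth"], ap["encryption"]) for ap in aps}


def find_geolocation_beacons(events, period=60.0, tolerance=5.0, min_requests=3):
    """Return processes whose calls to the geolocation endpoint recur at a
    near-fixed period (default 60 s +/- 5 s), which a browser's one-off
    location lookup will not match."""
    per_process = {}
    for ts, proc, host, path in events:
        if host == GEO_HOST and path.startswith(GEO_PATH):
            per_process.setdefault(proc, []).append(datetime.fromisoformat(ts))
    flagged = []
    for proc, times in per_process.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_requests and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    scan = parse_netsh_networks(NETSH_SAMPLE)
    print(json.dumps(build_geolocation_request(scan), indent=2))
    print(networks_by_auth(scan))
    print("periodic geolocation callers:", find_geolocation_beacons(SAMPLE_EVENTS))
```

The detector keys on the endpoint and the cadence rather than on a process name, since the page does not say what Whiffy's process or dropper is called; tune `period` and `tolerance` to whatever your telemetry shows once you have a confirmed sample.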

Secureworks warned that organizations looking to limit the reach of the malware should use available controls to block the indicators of compromise it published, such as Whiffy's C2 server IP address and the URL used to drop the malware. Secureworks' write-up lists those items, and more.

Kroll kracked by SIM swapping attack

Security risk managers at financial advisory and intelligence outfit Kroll got an unpleasant surprise after someone managed to convince T-Mobile to hand over control of a staff member's phone number.

"On Saturday, August 19, 2023, a cyber threat actor targeted a T-Mobile US account belonging to a Kroll employee in a highly sophisticated 'SIM swapping' attack," the company said in a statement issued last Friday.

"T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis."

The accounts are now locked down, Kroll said, with local and federal police on the case. The good news is that if your details were affected in the attack the biz says you will already have been notified. The bad news is the baddies still have your data.

Critical vulnerabilities: A bad week for ICS

The Reg's security team could not find too many vulnerabilities to report that we haven't already covered elsewhere this week, but a few rather severe flaws in industrial control systems stand out.

  • CVSS 9.8 – Multiple CVEs: Multiple versions of Rockwell Automation's ThinManager ThinServer improperly validate input, leaving devices vulnerable to an attacker.
  • CVSS 9.6 – Multiple CVEs: A whole slew of vulnerabilities in Hitachi Energy's AFF660 and AFF665 industrial firewalls leave them open to availability, integrity and confidentiality compromise.
  • CVSS 9.6 – CVE-2023-3663: CODESYS's CODESYS Development System insufficiently verifies data authenticity, leaving it open to MITM attacks that execute arbitrary code.
  • CVSS 8.6 – CVE-2022-1737: A large number of Rockwell Automation I/O modules are vulnerable to an out-of-bounds write that could cause denial of service.

CISA also added three more vulnerabilities to its catalog of known exploited vulnerabilities, so best get patching if any of them may affect your systems.

  • CVSS 9.8 – CVE-2023-26359: Adobe ColdFusion has a nasty deserialization of untrusted data vulnerability (not this one) that it patched in March, yet is still being abused.
  • CVSS 7.5 – CVE-2023-27532: Veeam Backup & Replication software contains a bug that allows encrypted credentials to be retrieved from a configuration database. It was also patched in March, but is under active exploitation.

European chip maker admits to data breach

NXP, one of Europe's largest semiconductor manufacturers, has admitted that it experienced a breach in July and is starting to share details of the impact with victims.

A spokesperson told The Register that the breach impacted NXP's online portal, and involved the spilling of data including name, email address, physical address, phone numbers, employer, job description and communication preferences.

"Other than [those] pieces of information … no other personal data was impacted," NXP told us.

No information was provided as to the nature of the breach, nor how many customers were affected, and NXP didn't answer specific questions to that end. The firm said it has no reason to believe the data has been misused, but is urging customers to take action regardless.

"We take the security of personal information very seriously, and we continually monitor and strengthen our IT systems to protect against ever-evolving threats," the manufacturer told us.

Ransomware gang wants to prove its work is uninsurable

Ransomware actors don't like cyber insurance, because if their target has a policy it can cover the costs of remediation, reducing the incentive to pay a ransom.

One gang has a way around that problem: sharing details of its attack techniques to show why its victims aren't eligible for an insurance payout.

The Snatch ransomware gang made the threat recently in a post shared on X/Twitter by cybersecurity analyst Brett Callow. While Callow blurred the name of the victim, Snatch argued in its post that the victim's bad behaviour should mean the Snatch attack against it is uninsurable.

"The simple carelessness of the company's employees and the greed of the company's management, which spared money for adequate equipment and highly professional specialists," the gang said, means "the hack attack on the company and breaches are not an insured event."

"Today we start [to] publish such information on almost all companies mentioned in our blog," Snatch threatened. "The era of making money on insurance is OVER."

Snatch said that it will gladly talk to insurance agents, and will hand them a full network dump with evidence that cases are uninsurable. That's quite an escalation in the ransomware war – especially if other groups follow suit. ®