By security practitioners, for security practitioners

Weekly Top 10: 11.04.2024: Android Malware ‘FakeCall’ Hijacks Outgoing Calls; PTZ Cameras Being Targeted Using Two Zero-Days; Hacker Group TeamTNT Targets Docker Environments, and More.

WEEKLY TOP TEN: November 4, 2024, 16:00 GMT

  1. Android Malware ‘FakeCall’ Hijacks Outgoing Calls

    A new version of the Android malware named FakeCall is a banking trojan that redirects outgoing calls to users’ banks to an attacker-controlled phone number, turning the call into a voice-phishing attack that deceives users into revealing sensitive banking information. Kaspersky first identified this trojan in April 2023, and by March of that same year, CheckPoint had issued a warning because FakeCall was capable of impersonating over 20 different financial institutions. FakeCall not only redirects phone calls; it can also capture live video and audio streams in an effort to gain additional information without user interaction.
  2. Researchers Discovered Windows OS Downgrade Vulnerability

    Researchers led by Alon Leviev found that it is possible to roll back the Windows OS to an earlier version by turning off Virtualization-Based Security (VBS) or invalidating the SecureKernel executable. This allows rolling back the ‘ci.dll’ library to version 10.0.22621.1376, which can be used to get around Microsoft’s Driver Signature Enforcement (DSE) by loading an unsigned kernel driver, letting anyone run arbitrary code in the kernel. Microsoft has responded to this new attack and is working on a patch, but noted that it will take some time to release a working patch.
  3. PTZ Cameras Being Targeted Using Two Zero-Days

    GreyNoise researchers discovered an exploit attempt in April 2024 after their AI-powered threat detection tool spotted unusual activity in their honeypot network that did not match any known threats. This attack is now attributed to two CVE entries, CVE-2024-8956 and CVE-2024-8957. The former exploits a weak authentication problem in the camera’s lighttpd web server, allowing unauthorized access to the CGI API. CVE-2024-8957 is caused by improper input sanitization in the ntp.addr field, allowing an attacker remote code execution.
  4. New Version of LightSpy Discovered Targeting IOS Devices

    Researchers from ThreatFabric discovered a new version of the Apple iOS spyware called LightSpy. This new version has extended its capabilities and added new destructive features. LightSpy is now capable of targeting iOS versions up to version 13.3 using publicly available exploits, and of capturing sensitive data such as SMS messages, the iCloud Keychain, sound recordings, photos, network information and more. With this update, LightSpy can also delete files, SMS messages, network configurations and contacts, and freeze the device, preventing it from starting again.
  5. Black Basta Ransomware Affiliates Switch to Using Microsoft Teams

    ReliaQuest researchers discovered in recent attacks that Black Basta affiliates have changed their approach. They first flood targeted users with spam emails (as many as 1,000 emails in 50 minutes in one instance); the attacker then messages the users over Microsoft Teams from external accounts, posing as IT support, to trick them into downloading remote access tools such as AnyDesk.
  6. Microsoft Revealed a Chinese Controlled Botnet

    Microsoft disclosed that a Chinese threat actor named Storm-0940, active since 2021, is using a botnet named Quad7 to perform highly evasive password spray attacks. Storm-0940 has grown this botnet by targeting several brands of SOHO routers and VPN appliances, such as TP-Link, Asus, and Netgear. After exploiting these devices through an undiscovered security flaw that allows remote code execution, they infect the device with a backdoor that listens on port ‘7777’, allowing remote access.
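The "highly evasive" part of a password spray is that each account sees only one or two failures, so per-account lockout thresholds never trip; what stands out is one source trying many different accounts, or, when the attempts are spread across a botnet like Quad7, many accounts each seeing a single failure. The script below is an added example, not code from Microsoft or from this digest: it runs both checks over a constructed authentication log in an assumed "timestamp,source_ip,username,result" format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data), format assumed: timestamp,source_ip,username,result
SAMPLE_AUTH_LOG = """\
# one attempt per account, spread over 30 minutes, from a single source
2024-11-01T10:00:00Z,203.0.113.7,alice,FAIL
2024-11-01T10:04:00Z,203.0.113.7,bob,FAIL
2024-11-01T10:09:00Z,203.0.113.7,carol,FAIL
2024-11-01T10:15:00Z,203.0.113.7,dave,FAIL
2024-11-01T10:22:00Z,203.0.113.7,erin,FAIL
2024-11-01T10:30:00Z,203.0.113.7,frank,FAIL
# classic brute force of one account: many failures, one user (not a spray)
2024-11-01T09:00:00Z,198.51.100.9,admin,FAIL
2024-11-01T09:00:05Z,198.51.100.9,admin,FAIL
2024-11-01T09:00:10Z,198.51.100.9,admin,FAIL
2024-11-01T09:00:15Z,198.51.100.9,admin,FAIL
2024-11-01T09:00:20Z,198.51.100.9,admin,FAIL
2024-11-01T09:00:25Z,198.51.100.9,admin,FAIL
# a legitimate typo followed by a successful login
2024-11-01T11:00:00Z,192.0.2.4,bob,FAIL
2024-11-01T11:00:20Z,192.0.2.4,bob,SUCCESS
"""


def parse_auth_log(text):
    """Turn the CSV-style log into (timestamp, source, user, result) tuples; skips comments/blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result))
    return events


def detect_password_spray(events, min_users=5, window=timedelta(minutes=60)):
    """Per-source rule: flag a source whose failed logins span >= min_users distinct accounts
    inside a sliding time window. Returns {source: sorted list of accounts tried}."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()  # oldest first so the window can slide forward
        recent = deque()
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop attempts older than the window
                recent.popleft()
            users = {u for _, u in recent}
            # keep the largest account set seen for this source
            if len(users) >= min_users and len(users) > len(alerts.get(src, ())):
                alerts[src] = sorted(users)
    return alerts


def low_rate_failed_accounts(events, max_per_user=2):
    """Fleet-wide signal for botnet-distributed sprays: accounts that saw only a few failures
    in total, regardless of source. A per-source rule misses a spray spread over many IPs;
    a sudden jump in this count is the signal to alert on."""
    per_user = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n <= max_per_user)


def run_sample():
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    return detect_password_spray(events), low_rate_failed_accounts(events)


if __name__ == "__main__":
    per_source, fleet_wide = run_sample()
    for src, users in per_source.items():
        print(f"spray from {src}: {len(users)} accounts -> {', '.join(users)}")
    print("accounts with <=2 total failures:", ", ".join(fleet_wide))
```

In the sample the brute-force source is not reported by the spray rule (six failures, one account), which is the point: a spray and a brute force need different detections. The thresholds (five accounts per hour, two failures per account) are assumptions to tune against your own baseline of failed logins.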
  7. Xiū gǒu Phishing Kit Discovered Targeting Multiple Countries

    Researchers at Netcraft discovered a new phishing kit named ‘Xiū gǒu’ that has been targeting the UK, US, Spain, Australia, and Japan since September 2024. Over 2,000 phishing websites built with the kit have been identified, deployed from more than 1,500 unique IP addresses and targeting organizations across multiple sectors, including the public sector, digital services, and banking.
  8. WordPress Plugin LiteSpeed Cache Unauthenticated Admin Rights

    The free version of the popular WordPress plugin LiteSpeed Cache recently fixed a privilege elevation security flaw tracked as CVE-2024-50550. The flaw is caused by a weak hash check in the plugin’s role simulation feature, allowing an attacker to simulate an administrator role. This is the 4th critical security flaw this plugin has faced this year; the previous three were an unauthenticated cross-site scripting flaw (CVE-2023-40000), an unauthenticated privilege escalation vulnerability (CVE-2024-28000), and an unauthenticated admin account takeover bug (CVE-2024-44000).
  9. New Zero-day Vulnerabilities Discovered for Windows 7 to Windows 11

    Researchers from ACROS Security discovered a security flaw that allows attackers to capture NTLM authentication hashes from users and affects all versions of Windows clients from Windows 7 to the current Windows 11 release. They discovered this vulnerability while writing a patch for a related vulnerability, tracked as CVE-2024-38030, intended for older Windows systems. This newly discovered vulnerability is the third flaw found related to Windows theme spoofing, the other one being CVE-2024-21320.
  10. Hacker Group TeamTNT Targets Docker Environments

    The hacking group TeamTNT has been seen targeting exposed Docker daemons via attack scripts using ports 2375, 2376, 4243, and 4244, and deploying an Alpine Linux image with malicious commands for further exploitation, in an effort to deploy the Sliver C2 agent, a cyber worm, and cryptominers, using already compromised servers and Docker Hub to spread their malware. TeamTNT additionally rents out the breached servers to third parties for crypto mining.
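The four ports above are the ones a defender should check on every Docker host: the daemon's TCP socket has no authentication of its own, so anything reachable on 2375, 4243 or 4244 from outside the host is effectively root on that host, and 2376 is only safe if TLS with client-certificate verification is actually configured. The script below is an added example, not TeamTNT tooling or code from this digest: it parses output in the shape of `ss -ltnp` (a constructed sample is embedded) and reports Docker-API ports bound to anything other than loopback.

```python
import re
from collections import namedtuple

# Ports the report says TeamTNT's scripts use to reach exposed Docker daemons.
DOCKER_API_PORTS = {2375, 2376, 4243, 4244}
# 2376 is the conventional TLS port; it still needs a manual check that client-cert auth is on.
TLS_CONVENTION_PORTS = {2376}
ANY_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the shape of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:2375      0.0.0.0:*     users:(("dockerd",pid=812,fd=3))
LISTEN 0      4096         0.0.0.0:2375      0.0.0.0:*     users:(("dockerd",pid=812,fd=7))
LISTEN 0      4096            [::]:2376         [::]:*     users:(("dockerd",pid=812,fd=8))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=640,fd=3))
LISTEN 0      4096        10.0.0.5:4243      0.0.0.0:*     users:(("socat",pid=901,fd=5))
"""

Listener = namedtuple("Listener", "addr port proc")

# state, recv-q, send-q, local addr:port, peer addr:port, optional users:(("name",pid=..,fd=..))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)"[^)]*\)\))?'
)


def parse_ss_listeners(lines):
    """Return Listener tuples for every LISTEN line; header and unparseable lines are skipped."""
    listeners = []
    for line in lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        listeners.append(
            Listener(m.group("local"), int(m.group("port")), m.group("proc") or "unknown")
        )
    return listeners


def is_loopback(addr):
    """True for IPv4/IPv6 loopback bindings, which are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1", "localhost")


def find_exposed_docker_listeners(lines):
    """Flag Docker-API ports bound to a non-loopback address. Plain-text ports are 'high';
    the TLS-convention port is 'review-tls' because exposure is fine only with client certs."""
    findings = []
    for l in parse_ss_listeners(lines):
        if l.port not in DOCKER_API_PORTS or is_loopback(l.addr):
            continue
        findings.append({
            "addr": l.addr,
            "port": l.port,
            "proc": l.proc,
            "severity": "review-tls" if l.port in TLS_CONVENTION_PORTS else "high",
            "bound_to_all_interfaces": l.addr in ANY_ADDRESSES,
        })
    return findings


if __name__ == "__main__":
    # On a live host, replace the sample with:
    #   subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout.splitlines()
    for f in find_exposed_docker_listeners(SAMPLE_SS_OUTPUT.splitlines()):
        scope = "all interfaces" if f["bound_to_all_interfaces"] else f["addr"]
        print(f'[{f["severity"]}] {f["proc"]} listening on {scope}:{f["port"]}')
```

Note the last sample line: the process is `socat`, not `dockerd`, which is why the check keys on the port rather than the process name; a forwarder that republishes the Unix socket on a TCP port is a common way the daemon ends up exposed without anyone having edited the Docker configuration.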

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available.
