Tag Archive for: VPN

Fortinet confirms VPN vulnerability exploited in the wild


A critical zero-day vulnerability in Fortinet’s SSL-VPN has been exploited in the wild in at least one instance.

Fortinet issued an advisory Monday detailing the heap-based buffer overflow flaw, tracked as CVE-2022-42475, affecting multiple versions of its FortiOS SSL-VPN. Rated 9.3 on the Common Vulnerability Scoring System (CVSS), the critical flaw could allow a remote, unauthenticated attacker to execute arbitrary code, Fortinet warned.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” Fortinet wrote in the advisory.

Patches are available, and Fortinet recommended upgrading to the fixed FortiOS versions listed in the advisory. In an email to TechTarget Editorial, Fortinet said it also continues to monitor the situation.

While the company’s Product Security Incident Response Team made the advisory publicly available Monday, it was not the first notification of the critical flaw. Olympe Cyberdefense, a France-based cyber threat intelligence vendor, released an alert Friday stating that a “new critical flaw, not yet made public” affected Fortinet SSL-VPN.

The alert, which was first reported Monday by TechTarget sister publication Le Mag IT, warned that the zero-day vulnerability was easy to exploit and that attackers could gain full control of targeted devices. Additionally, Olympe Cyberdefense recommended disabling SSL-VPN functionality if it is not essential.

Olympe updated its alert once Fortinet confirmed the vulnerability and urged customers to patch.

In a statement sent to TechTarget Editorial, Claire Tills, senior research engineer at Tenable, noted the time gap between Olympe’s initial disclosure and Fortinet’s advisory. “Three days after its initial public disclosure, Fortinet patched CVE-2022-42475 and confirmed it has been exploited in the wild,” Tills said.

“Fortinet SSL-VPNs have been a major target for years now — to the extent that the FBI and CISA issued a dedicated advisory to these flaws and their exploitation in 2021. Nation state actors are still known to exploit those legacy vulnerabilities in…


Hackers Are Packing Malware Into VPN Apps For Android, Security Researchers Warn


Researchers at the cybersecurity firm ESET have discovered an active Android malware campaign that began in January 2022. The campaign in question distributes spyware injected into legitimate VPN apps. The researchers have tied this campaign to an advanced persistent threat (APT) group known as “Bahamut.”

Bahamut has been active since at least 2017, when it was first identified. The APT group conducts cyberespionage primarily in the Middle East and South Asia, working to steal sensitive information at the behest of paying clients. Bahamut has developed its own spyware, which it has packaged with fake applications in the past. However, the group has more recently been re-packaging legitimate apps with its spyware added to the code.

Figure: Downloading the malicious VPN app from the website (source: ESET)

ESET researchers have found Bahamut injecting its malware into the SoftVPN and OpenVPN apps, which are both legitimate VPN apps. The versions of these apps available on the Google Play Store are the legitimate, non-malicious versions of the apps. However, Bahamut has been running a fraudulent VPN website, where it distributes its own versions of these apps with its custom spyware included. While this website is no longer accessible at the domain name identified by the researchers, it contained a download button that visitors could click to download a malicious APK file.
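The practical defence against this kind of repackaging is that a trojanized APK, however closely it copies the name and logo of the original, cannot be signed with the original developer's key. The script below is an added example, not ESET's code and not part of the original article: it parses the text that `apksigner verify --print-certs <apk>` (from the Android build-tools) prints and compares the signer's SHA-256 certificate digest with a pinned, known-good digest taken from the Play-distributed build. The package name, the pinned digest and the sample apksigner outputs are constructed for the example.

```python
"""Pin the signing certificate of a sideloaded APK against the Play Store build.

Added example; not vendor code. Parses `apksigner verify --print-certs` output.
Package names, digests and sample outputs below are constructed.
"""
import re
import subprocess
from typing import Dict, List

# Constructed pin: SHA-256 digest of the signing certificate of the legitimate,
# Play-distributed build. In practice, record this from a copy you trust.
KNOWN_SIGNERS: Dict[str, str] = {
    "com.example.softvpn": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
}

# apksigner prints one "Signer #N certificate SHA-256 digest: <hex>" line per signer.
_DIGEST_RE = re.compile(
    r"^Signer #(?P<num>\d+) certificate SHA-256 digest: (?P<hex>[0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)

# Constructed sample output for the genuine build.
PLAY_BUILD_OUTPUT = """Signer #1 certificate DN: CN=SoftVPN Developers, O=Example
Signer #1 certificate SHA-256 digest: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
"""

# Constructed sample output for a repackaged build: same DN copied, different key.
SIDELOADED_OUTPUT = """Signer #1 certificate DN: CN=SoftVPN Developers, O=Example
Signer #1 certificate SHA-256 digest: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Signer #1 certificate SHA-1 digest: fedcba9876543210fedcba9876543210fedcba98
"""


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Return the lower-cased SHA-256 signing-certificate digests, one per signer."""
    return [m.group("hex").lower() for m in _DIGEST_RE.finditer(apksigner_output)]


def verdict(package: str, apksigner_output: str) -> str:
    """Compare the APK's signer against the pin recorded for this package name.

    A repackaged app keeps the package name and visible identity but is signed
    with the attacker's key, so the digest differs. Multiple signers are treated
    as a mismatch because the pin describes exactly one expected key.
    """
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        return "UNSIGNED_OR_UNPARSEABLE"
    expected = KNOWN_SIGNERS.get(package)
    if expected is None:
        return "NO_PIN"
    if len(digests) != 1:
        return "MISMATCH"
    return "MATCH" if digests[0] == expected.lower() else "MISMATCH"


def run_apksigner(apk_path: str) -> str:
    """Invoke apksigner from the Android build-tools (assumed to be on PATH)."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    print("play build:", verdict("com.example.softvpn", PLAY_BUILD_OUTPUT))
    print("sideloaded:", verdict("com.example.softvpn", SIDELOADED_OUTPUT))
```

The certificate DN is deliberately ignored: an attacker can copy any subject name into a self-signed certificate, so only the digest of the certificate (and therefore the key) is meaningful. The same check can be applied on-device by comparing the signing certificate reported by `PackageManager` for the installed package, but the pin must come from a build obtained through a channel you trust, not from the sideloaded copy itself.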

Figure: Free web template used by the threat actors on the fraudulent VPN website (source: ESET)

The ESET researchers discovered that the APT group made use of a free VPN web template on its fraudulent website. Bahamut customized this template by borrowing the SoftVPN logo and combining it with the name of another legitimate VPN service, SecureVPN. The malicious APK file available for download on the website also bore this same name. The ESET researchers identified at least eight versions of the two malicious VPN apps pushed by Bahamut in this campaign, meaning the threat group has been actively updating its spyware over the course of this year. The researchers suspect that Bahamut switched from injecting its spyware into SoftVPN to doing the same to OpenVPN because the developers of SoftVPN…


Cyber-mercenaries Target Android Users with Fake VPN Apps



Malicious Apps can Exfiltrate Information from Signal, Viber, and Telegram

Trojanized versions of two legitimate apps used by attackers

A hacking-for-hire group is distributing malicious Android apps through a fake SecureVPN website, sideloaded from outside Google Play, say researchers at ESET.


Researchers from the cybersecurity firm attribute the campaign to a group dubbed “Bahamut” and discovered at least eight versions of the spyware. The apps were used in a malicious campaign built on Trojanized versions of two legitimate apps, SoftVPN and OpenVPN. In both cases, the apps were repackaged with Bahamut spyware.

“The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps,” the researchers say.

Exfiltration of sensitive data is carried out through keylogging that abuses Android’s accessibility service. The spyware can also actively spy on chat messages exchanged through popular messaging apps, including Signal, Viber, WhatsApp, Telegram and Facebook Messenger.
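An accessibility service sees every screen and every keystroke, which is why a repackaged VPN app asking for that permission is the tell. A quick triage check on a device is to list which packages hold accessibility access and whether each one came from the Play Store. The script below is an added example and not ESET's or the article's code: it parses the plain-text output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s` and flags any accessibility-service holder that is neither a system package nor installed by Google Play. All package and class names and the three sample outputs are constructed so the script runs offline.

```python
"""Flag accessibility-service holders that were not installed from Google Play.

Added example; not vendor code. Parses the text output of three adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i      (installer per package)
  adb shell pm list packages -s      (system packages)
All sample outputs and package names below are constructed.
"""
from typing import Dict, List, Set

PLAY_STORE = "com.android.vending"

# Constructed: colon-separated ComponentName strings (package/class).
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.securevpn.app/com.securevpn.app.svc.AccessibilityHelper:"
    "com.example.oem.magnifier/com.example.oem.magnifier.MagnifierService"
)

# Constructed: `pm list packages -i`; installer=null means no installer recorded
# (sideloaded APK, adb install, or a preinstalled system app).
PACKAGE_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.securevpn.app  installer=null
package:com.example.oem.magnifier  installer=null
package:com.android.settings  installer=null
"""

# Constructed: `pm list packages -s`, the preinstalled system packages.
SYSTEM_PACKAGES = """package:com.example.oem.magnifier
package:com.android.settings
"""


def parse_accessibility_services(raw: str) -> Set[str]:
    """Package names whose accessibility services are enabled.

    `settings get` prints the literal string "null" when the setting is unset.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    pkgs: Set[str] = set()
    for component in raw.split(":"):
        if not component:
            continue
        pkg, _, _cls = component.partition("/")
        pkgs.add(pkg.strip())
    return pkgs


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package; "null" when none is recorded.

    Also works for `pm list packages -s` output, where no installer is printed.
    """
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, inst_part = line.partition("installer=")
        name = name_part[len("package:"):].strip()
        installers[name] = inst_part.strip() or "null"
    return installers


def suspicious_accessibility_holders(services_raw: str, packages_raw: str,
                                     system_raw: str) -> List[str]:
    """Accessibility-service holders that are neither system apps nor Play installs."""
    installers = parse_installers(packages_raw)
    system = set(parse_installers(system_raw))
    flagged: List[str] = []
    for pkg in sorted(parse_accessibility_services(services_raw)):
        if pkg in system:
            continue  # preinstalled; judged by the OEM image, not the installer field
        if installers.get(pkg, "null") != PLAY_STORE:
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for pkg in suspicious_accessibility_holders(ENABLED_SERVICES, PACKAGE_LIST, SYSTEM_PACKAGES):
        print("review accessibility access for:", pkg)
```

The installer field is only a hint: a Play-installed package can still be malicious, and the installer can be missing for legitimate enterprise or adb deployments. What the check does reliably is surface the combination the article describes, a sideloaded app that has been granted accessibility access, so an analyst can pull that APK and verify its signer.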

Bahamut operates as a mercenary group, offering hacking-for-hire services, including espionage and disinformation, against nonprofit organizations and diplomats across the Middle East and South Asia.

Its initial attack vectors include spearphishing messages and fake applications, whose…


Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware


Adware and other unwanted and potentially risky applications continue to represent the biggest threat that mobile device users currently face. But that does not mean attackers are not constantly trying to deploy other, more sophisticated mobile malware as well.

The latest example is “SandStrike,” a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran’s Baha’i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

Elaborate Social Media Lures

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group’s notorious Pegasus spyware along with emerging problems like Hermit.

Mobile Malware on the Rise

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint…
