Anatsa banking trojan sneaks into Google Play Store

Researchers at Zscaler ThreatLabz have discovered a sophisticated Android banking Trojan called Anatsa (also known as TeaBot) that is actively targeting Android users through seemingly innocuous apps in the Google Play Store.
Anatsa is a known Android banking malware that targets the apps of more than 650 financial institutions, primarily in Europe. Anatsa uses a dropper technique: the app appears clean when installed from the store, but later downloads a malicious payload from the C2 server disguised as an innocent app update. Because the malicious code is not present at submission time, this method lets the malware evade the Google Play Store's checks.
Recently, researchers identified two malicious payloads associated with Anatsa that were distributed through the Google Play Store. These campaigns masqueraded as PDF and QR code reader apps, which together accumulated more than 70,000 installs.
The scope of this threat is alarming. Zscaler ThreatLabz identified more than 90 Anatsa-infected apps in the Play Store, with a combined total of more than 5.5 million installs.

PoC exploit for macOS CVE-2024-27842 allows kernel-level code execution

Security researcher Wang Tielei recently published a PoC for a serious privilege escalation vulnerability (CVE-2024-27842) in macOS.

The vulnerability is in the Universal Disk Format (UDF) component, specifically in the VNOP_IOCTL function, and allows an attacker to execute arbitrary code with kernel privileges. At the heart of this exploit is UDF, a kernel extension that has been present in macOS for decades.
Wang Tielei's PoC shows how easy it is to exploit this vulnerability and emphasizes the urgency for users to update their systems.

In addition to CVE-2024-27842, Wang Tielei also published a PoC exploit for CVE-2023-40404, another privilege escalation vulnerability in macOS Sonoma. This vulnerability, caused by a use-after-free flaw in the networking component, allows attackers to gain elevated privileges and execute arbitrary code with kernel privileges.

To protect against these vulnerabilities, macOS users are strongly advised to update their systems immediately to macOS Sonoma 14.5 or later. The update includes the patches for both CVE-2024-27842 and CVE-2023-40404.


TP-Link Archer C5400X gaming router vulnerable to critical CVE-2024-5035

The TP-Link Archer C5400X gaming router is vulnerable to CVE-2024-5035, a critical vulnerability that could allow an unauthenticated attacker to execute commands on the device.

The vulnerability in the TP-Link Archer C5400X is tracked as CVE-2024-5035 (CVSS v4 score 10.0, "critical") and was discovered by OneKey analysts using binary static analysis.
The researchers found that the "rftest" binary exposes a network service on TCP ports 8888, 8889 and 8890 that is vulnerable to command injection and buffer overflows.

An attacker could use a shell to send specially crafted messages to these ports, potentially resulting in the execution of arbitrary commands with elevated privileges.

Because these ports are open and actively used by the "rftest" service in the default router configuration, all users running vulnerable firmware versions up to 1.1.1.6 are affected.
OneKey analysts reported their findings to TP-Link’s PSIRT group on February 16, 2024, and the vendor had a beta version of the patch ready by April 10, 2024.

Late last week, on May 24, 2024, the Archer C5400X(EU)_V1_1.1.7 Build 20240510 security update was finally released, effectively addressing CVE-2024-5035.

Users are advised to download the firmware update from TP-Link’s official download portal or use the router’s admin panel to perform the update.
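The two facts an administrator needs from the item above are the affected-version boundary (firmware up to 1.1.1.6) and the three rftest ports (8888, 8889, 8890). The script below is an added example, not OneKey's or TP-Link's code: it parses a firmware string such as the quoted "Archer C5400X(EU)_V1_1.1.7 Build 20240510", decides whether it falls in the affected range, and optionally checks from the LAN whether your own router still accepts TCP connections on the rftest ports after the update. The layout of the version string and the command-line interface are assumptions; the check only connects and closes, sending nothing.

```python
"""Exposure check for the TP-Link Archer C5400X issue (CVE-2024-5035).

Added example; not OneKey's or TP-Link's code. The affected-version
boundary (<= 1.1.1.6) and the rftest ports (8888-8890) come from the
article. The firmware-string layout "1.1.7 Build 20240510" is assumed
to follow the download filename quoted in the article.
"""
import re
import socket
import sys
from typing import Optional

# Last affected firmware per the article; 1.1.7 Build 20240510 is the fix.
LAST_AFFECTED = (1, 1, 1, 6)
# TCP ports the rftest service listens on in the default configuration.
RFTEST_PORTS = (8888, 8889, 8890)

# First dotted numeric run in the string, e.g. "1.1.7" or "1.1.1.6".
_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple:
    """Extract the dotted version as a tuple of ints.

    Accepts plain '1.1.1.6' as well as '1.1.7 Build 20240510' or the
    filename 'Archer C5400X(EU)_V1_1.1.7 Build 20240510'. The 'C5400X'
    and 'V1' fragments contain no dot, so they are skipped.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(firmware: str) -> bool:
    """True when the firmware is at or below the last affected release.

    Tuple comparison handles the different lengths: (1, 1, 7) is greater
    than (1, 1, 1, 6) because 7 > 1 in the third position.
    """
    return parse_version(firmware) <= LAST_AFFECTED


def open_rftest_ports(host: str, ports=RFTEST_PORTS, timeout: float = 1.0) -> list:
    """Return which of the given ports accept a TCP connection on host.

    Intended for verifying your own router from the LAN after updating.
    A refused or unreachable port is simply left out of the result.
    """
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def assess(firmware: str, host: Optional[str] = None) -> dict:
    """Combine the version check and (optionally) the port check."""
    report = {
        "firmware": firmware,
        "version": parse_version(firmware),
        "affected_version": is_affected(firmware),
        "open_rftest_ports": [],
    }
    if host:
        report["open_rftest_ports"] = open_rftest_ports(host)
    return report


if __name__ == "__main__":
    # Usage (assumed CLI): python check.py "<firmware string>" [router-ip]
    fw = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.6"
    router = sys.argv[2] if len(sys.argv) > 2 else None
    print(assess(fw, router))
```

A router on 1.1.7 Build 20240510 reports `affected_version: False`; if it still lists any of the three ports as open, the firmware shown in the admin panel and the one actually running should be reconciled before trusting the result.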


PoC for CVE-2024-23108 Critical Vulnerability in FortiSIEM

Security researchers have published a PoC for a critical vulnerability in FortiSIEM, tracked as CVE-2024-23108 and rated CVSS v3 10.0. It is a command injection vulnerability, discovered and reported by Horizon3 vulnerability researcher Zach Hanley, that allows remote command execution as root without authentication.

Vulnerability CVE-2024-23108 affects FortiClient FortiSIEM version 6.4.0 and above, and the company patched it on February 8 along with a second RCE vulnerability (CVE-2024-23109) with a severity rating of 10/10.

On Tuesday, more than three months after Fortinet released security updates to fix the vulnerabilities, Horizon3's attack team shared a PoC and published a technical analysis.
Attempts to exploit CVE-2024-23108 leave a log message that includes a failed datastore.py nfs test command, which defenders can use as a detection indicator.

The PoC exploit published today by Horizon3 allows commands to be executed as root on any unpatched FortiSIEM device.

Fortinet vulnerabilities are commonly exploited, often as zero-day exploits, in ransomware and cyber espionage attacks targeting corporate and government networks.
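The one detection clue the FortiSIEM item gives is that exploitation attempts leave a log message containing a failed datastore.py nfs test command. The script below is an added example, not Horizon3's or Fortinet's code: it scans log lines for that indicator, separates failed runs from other mentions, and returns structured hits for triage. The log line layout, the process label and the sample lines are constructed for the demo; adjust the timestamp and failure patterns to match your own log export.

```python
"""Log triage for the CVE-2024-23108 indicator named in the article.

Added example; not Horizon3's or Fortinet's code. The only fact taken
from the article is that exploitation attempts leave a log message with
a failed 'datastore.py nfs test' command. The line format and the
sample lines below are constructed.
"""
import re
import sys
from typing import Iterable, List

# Indicator from the article: the datastore.py nfs test command.
INDICATOR = re.compile(r"datastore\.py\s+nfs\s+test", re.IGNORECASE)
# Words that mark the command as failed; extend for your log format.
FAILURE = re.compile(r"\b(fail|failed|failure|error)\b", re.IGNORECASE)
# Leading timestamp assumed for the constructed sample (ISO-like).
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")

# Constructed sample log: line 3 is the kind of entry the article describes.
SAMPLE_LOG = """\
2024-05-28 10:01:02 svc[1234]: health check ok
2024-05-28 10:02:15 svc[1234]: running datastore.py nfs test for storage probe
2024-05-28 10:02:16 svc[1234]: datastore.py nfs test failed: exit status 1
2024-05-28 10:03:00 sshd[77]: session opened for user admin
"""


def find_indicator_lines(lines: Iterable[str]) -> List[dict]:
    """Return every line mentioning the nfs test, flagging failed ones.

    Each hit carries the 1-based line number, the timestamp if one was
    parsed, whether a failure word is present, and the raw text.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        if not INDICATOR.search(line):
            continue
        ts = TIMESTAMP.match(line)
        hits.append({
            "line_no": line_no,
            "timestamp": ts.group(1) if ts else None,
            "failed": bool(FAILURE.search(line)),
            "text": line.rstrip(),
        })
    return hits


def failed_attempts(lines: Iterable[str]) -> List[dict]:
    """Only the hits where the nfs test command failed: the alerting set."""
    return [h for h in find_indicator_lines(lines) if h["failed"]]


def summarize(lines: Iterable[str]) -> dict:
    """Counts for a quick dashboard row: mentions vs. failed runs."""
    hits = find_indicator_lines(list(lines))
    failed = [h for h in hits if h["failed"]]
    return {
        "indicator_lines": len(hits),
        "failed_runs": len(failed),
        "first_failed_at": failed[0]["timestamp"] if failed else None,
    }


if __name__ == "__main__":
    # Usage (assumed): python triage.py /path/to/export.log, or no
    # argument to run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for hit in failed_attempts(log_lines):
        print(f"line {hit['line_no']} at {hit['timestamp']}: {hit['text']}")
    print(summarize(log_lines))
```

Successful mentions of the command are kept as context rather than alerts, since a legitimate storage probe may log the same command name; the failed entries are the ones worth correlating with request logs from the same time window.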


Interested in cybersecurity? Have a look at the other instalments of our weekly series Bezpečnostní neděle.