InfoSecBulletin Cybersecurity for mankind
LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus and grow tensions in the region.
VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
Technical Details:
Infection vector:
Based on previous campaigns, initial infection likely occurs through compromised news websites carrying stories related to Hong Kong.
Weaponization:
The attack involves a first-stage implant that gathers device information and downloads further stages, including the core LightSpy implant and various plugins for specific spying functions.
Execution Chain:
The Loader starts by loading the encrypted and then decrypted LightSpy kernel. LightSpy is an espionage framework with a plugin system. The Loader loads these plugins, which extend the main LightSpy implant. The plugins are securely retrieved from the threat actor’s server in an encrypted format, decrypted, and then executed in the system environment.
The latest LightSpy campaign utilizes a versatile framework known as “F_Warehouse.” This framework exhibits a wide range of capabilities, enabling it to:
Exfiltrate files: Systematically search and steal files from the compromised mobile device.
Record audio: Covertly capture audio through the device’s microphone.
Perform network reconnaissance: Collect information about WiFi networks the device has connected to.
Track user activity: Harvest browsing history data to monitor online behavior.
Application inventory: Gather details about installed applications on the device.
Capture images: Secretly take pictures using the device’s camera.
Access credentials: Retrieve sensitive data stored within the user’s KeyChain.
Device enumeration: Identify and list devices connected to the compromised system. To read the full report click here.
