This posting is here to collect cyber security news in January 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
Tomi Engdahl says:
Polkit Vulnerability Provides Root Privileges on Linux Systems
https://www.securityweek.com/polkit-vulnerability-provides-root-privileges-linux-systems
Tomi Engdahl says:
Europol Ordered to Delete Data Not Linked With Crime
https://www.securityweek.com/europol-ordered-delete-data-not-linked-crime
The European Union crime agency has been ordered by the 27-nation bloc’s data protection watchdog to erase information related to individuals with no proven link to crime.
The European Data Protection Supervisor said Monday that Europol was notified of the order on Jan. 3 following an inquiry that started in 2019.
As part of the investigation, the EDPS said it reprimanded Europol two years ago “for the continued storage of large volumes” of such data, “which poses a risk to individuals’ fundamental rights.”
It said Europol has since introduced some measures but has not complied with requests to set an appropriate data retention period.
“This means that Europol was keeping this data for longer than necessary,” the EDPS said.
EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity
https://edps.europa.eu/press-publications/press-news/press-releases/2022/edps-orders-europol-erase-data-concerning_en
Tomi Engdahl says:
SonicWall Customers Warned of Possible Attacks Exploiting Recent Vulnerability
https://www.securityweek.com/sonicwall-customers-warned-possible-attacks-exploiting-recent-vulnerability
Hackers have started targeting a recently patched vulnerability affecting SonicWall’s Secure Mobile Access (SMA) 100 series appliances, and while the attacks observed to date do not appear to have been successful, that could soon change.
The security flaw in question is CVE-2021-20038, a critical remote code execution vulnerability that SonicWall patched in December alongside several other issues impacting SMA 100 series products.
CVE-2021-20038 is a stack-based buffer overflow that can allow attackers to take complete control of a device or virtual machine running an SMA appliance.
Rapid7, whose researchers discovered the vulnerability, disclosed details earlier this month, and at least one proof-of-concept (PoC) exploit has been released by others.
Rich Warren, principal security consultant at NCC Group, warned this week that they had started seeing in-the-wild attempts to exploit CVE-2021-20038.
Tomi Engdahl says:
Malware stokes fear: it does not go away even with a reinstall of Windows https://www.tivi.fi/uutiset/tv/521b1ca1-ab6f-4b27-8cbf-d0ec229cd3ca
A piece of malware called MoonBounce has been built to operate in the computer's UEFI firmware, which is responsible for booting the computer.
The malware installs itself in the motherboard's flash memory instead of the computer's hard drive. Therefore reinstalling the operating system or replacing the hard drive does not remove the malware.
Tomi Engdahl says:
Nine-year-olds are knocking servers offline: a familiar scapegoat gets the blame, and the remedy is useless pestering https://www.tivi.fi/uutiset/tv/d71e18e1-0e4b-4654-a4be-e0419032f5dc
The UK's National Crime Agency (NCA) has launched a new initiative that aims to steer budding young hackers away from the wrong path. There is reason to, since according to the NCA's cybercrime unit NCCU the youngest offenders are just nine years old.
Tomi Engdahl says:
Log4j vulnerability – update from the CSIRTs Network https://www.enisa.europa.eu/news/enisa-news/log4j-vulnerability-update-from-the-csirts-network
The EU CSIRTs Network has been closely following the development of the Log4Shell situation since 10 December 2021.
Tomi Engdahl says:
Cross-Country Exposure
https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/
Analysis of the MY2022 Olympics App
Tomi Engdahl says:
BitLocker encryption: Clear text key storage prompts security debate online https://portswigger.net/daily-swig/bitlocker-encryption-clear-text-key-storage-prompts-security-debate-online
This month, a Twitter and StackOverflow debate has been taking place over how BitLocker encryption keys are stored before users sign in with a Microsoft account. In a Twitter thread started by user @atomicthumbs, the question was why, when an installation of Microsoft Windows 11 with a local account takes place, the drive will still be encrypted with BitLocker “but it keeps the key on the drive… in clear text… until you sign in with a Microsoft account”.
Tomi Engdahl says:
Crime Shop Sells Hacked Logins to Other Crime Shops https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other-crime-shops/
Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.
Tomi Engdahl says:
Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft https://nakedsecurity.sophos.com/2022/01/21/cryptocoin-broker-crypto-com-says-2fa-bypass-led-to-35m-theft/
Maltese cryptocoin broker Foris DAX MT Ltd, better known by its domain name Crypto.com, experienced a multi-million dollar “bank robbery” earlier this month.
Tomi Engdahl says:
Magecart Attacks Continue to ‘Skim’ Software Supply Chains https://securityintelligence.com/articles/magecart-software-supply-chain/
Did your company or e-commerce firm recently buy third-party software from a value-added reseller (VAR) or systems integrator? Did you vet the vendor code? If not, you could be at risk for a Magecart group attack.
Tomi Engdahl says:
Over 90 WordPress themes, plugins backdoored in supply chain attack https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat actors full access to websites. In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.
Tomi Engdahl says:
Merck wins cyber-insurance lawsuit related to NotPetya attack https://therecord.media/merck-wins-cyber-insurance-lawsuit-related-to-notpetya-attack/
A New Jersey court has ruled in favor of Merck in a lawsuit the pharmaceutical company filed against its insurer, Ace American, which declined to cover the losses caused by the NotPetya ransomware attack.
[...] Ace American refused to cover the losses, citing that the NotPetya attack was part of Russian hostilities against Ukraine and, as a result, was subject to the standard “Acts of War” exclusion clause that is present in most insurance contracts. Merck sued Ace American in November 2019 and argued in court that the attack was not “an official state action,” hence the Acts of War clause should not apply.
Tomi Engdahl says:
Spyware Blitzes Compromise, Cannibalize ICS Networks https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/177851/
The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud.
Tomi Engdahl says:
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution.
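As an added defender-side example (not code from Trend Micro or the linked article), here is a Python normaliser that folds the inet_aton-style address spellings described above (hexadecimal, octal, a single decimal dword, and short mixed forms) back into dotted decimal, so that URL or proxy-log matching sees one canonical form; the sample URLs are constructed, not real indicators.

```python
import re
from typing import Dict, List, Optional

# One numeric component as inet_aton accepts it: 0x-prefixed hex, leading-zero octal, or decimal.
_PART_RE = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")
# Host part of an http(s) URL made only of digits, hex letters, 'x' and dots (IP literal candidates).
_HOST_RE = re.compile(r"https?://([0-9a-fA-FxX.]+)(?=[/:\s\"'<>]|$)")


def _parse_part(part: str) -> Optional[int]:
    """Parse one component with inet_aton base rules; None if it is not a valid number."""
    if not _PART_RE.fullmatch(part):
        return None
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        try:
            return int(part, 8)
        except ValueError:  # "08", "09": not octal, rejected like inet_aton does
            return None
    return int(part, 10)


def normalize_ipv4(literal: str) -> Optional[str]:
    """Fold any inet_aton-style spelling into canonical dotted decimal.

    Handles 1 to 4 components: "3232235521", "0xC0A80001", "0300.0250.0.01",
    "0xc0.168.1" (the last component fills the remaining bytes). Returns None
    when the text is not a valid IPv4 literal.
    """
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading components are one byte each; the last one covers the bytes that remain.
    tail_bits = 8 * (5 - len(parts))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= (1 << tail_bits):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def scan_urls(text: str) -> List[Dict[str, object]]:
    """Find IP-literal URLs in text and report the canonical address and whether it was obfuscated."""
    findings = []
    for match in _HOST_RE.finditer(text):
        raw = match.group(1)
        canonical = normalize_ipv4(raw)
        if canonical is None:  # hostname or garbage, not an IPv4 literal
            continue
        findings.append({"raw": raw, "ip": canonical, "obfuscated": raw != canonical})
    return findings


# Constructed sample URLs (not real Emotet indicators); all but the last resolve to 192.168.0.1.
SAMPLE_TEXT = """
http://0xC0A80001/doc.zip
http://0300.0250.0.01/doc.zip
http://3232235521/doc.zip
http://192.168.0.1/doc.zip
http://0xc0.168.1/doc.zip
http://example.com/doc.zip
"""

if __name__ == "__main__":
    for finding in scan_urls(SAMPLE_TEXT):
        flag = "OBFUSCATED" if finding["obfuscated"] else "plain"
        print(f"{finding['raw']:>22} -> {finding['ip']}  [{flag}]")
```

Running the normaliser over URLs before they reach a blocklist or regex rule removes the evasion gain of the alternative spellings; the `obfuscated` flag on its own is a useful detection signal, since legitimate mail rarely carries hex or octal IP literals.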
Tomi Engdahl says:
CISA adds 13 exploited vulnerabilities to list, 9 with Feb. 1 remediation date https://www.zdnet.com/article/cisa-adds-13-exploited-vulnerabilities-to-list-9-with-feb-1-remediation-date/
CISA released its latest update to the Known Exploited Vulnerabilities catalog, adding 13 new vulnerabilities. Nine of the vulnerabilities have a remediation date of February 1 and four of them have a remediation date of July 18.
Tomi Engdahl says:
Log4J: Attackers continue targeting VMware Horizon servers https://www.zdnet.com/article/log4j-attackers-continue-targeting-vmware-horizon-servers/
According to several cybersecurity companies monitoring the situation, attackers are still targeting VMware Horizon servers through Log4J vulnerabilities.
Tomi Engdahl says:
Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise
The Canadian Centre for Cyber Security encourages the Canadian cybersecurity community, especially critical infrastructure network defenders, to bolster their awareness of and protection against Russian state-sponsored cyber threats. The Cyber Centre joins our partners in the US and the UK in recommending proactive network monitoring and mitigations. Also:
https://www.reuters.com/world/americas/canada-agency-says-russian-backed-actors-targeting-infrastructure-2022-01-20/
Tomi Engdahl says:
Experts Find Strategic Similarities b/w NotPetya and WhisperGate Attacks on Ukraine https://thehackernews.com/2022/01/experts-find-strategic-similarities-bw.html
Latest analysis into the wiper malware that targeted dozens of Ukrainian agencies earlier this month has revealed “strategic similarities” to NotPetya malware that was unleashed against the country’s infrastructure and elsewhere in 2017. The malware, dubbed WhisperGate, was discovered by Microsoft last week, which said it observed the destructive cyber campaign targeting government, non-profit, and information technology entities in the nation, attributing the intrusions to an emerging threat cluster codenamed “DEV-0586.”
Tomi Engdahl says:
Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks https://thehackernews.com/2022/01/critical-bugs-in-control-web-panel.html
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Control Web Panel, previously CentOS Web Panel, is an open-source Linux control panel software used for deploying web hosting environments.
Tomi Engdahl says:
Russia's central bank: cryptocurrencies should be banned entirely
https://www.tivi.fi/uutiset/tv/659a28c7-71bd-465c-b4da-3798f9d15d56
The ban would cover the use and mining of cryptocurrencies in Russia.
According to Bloomberg, the driving force behind it is the security service FSB, which fears that cryptocurrencies could finance the opposition or actors supporting it.
Tomi Engdahl says:
Apple preps fix for Safari’s web-history-leaking IndexedDB privacy bug https://www.theregister.com/2022/01/21/apple_safari_webkit_indexeddb/
Apple is preparing to repair a bug in its WebKit browser engine that has been leaking data from its Safari 15 browser at least since the problem was reported last November.
Tomi Engdahl says:
Dutch cybersecurity agency warns of lingering Log4j risks https://www.bleepingcomputer.com/news/security/dutch-cybersecurity-agency-warns-of-lingering-log4j-risks/
In a warning issued on Thursday, the Dutch National Cybersecurity Centre (NCSC) says organizations should still be aware of risks connected to Log4j attacks and remain vigilant for ongoing threats.
Even though the aftermath of recent incidents connected to Log4Shell exploitation was “not too bad” because many organizations have acted quickly to mitigate these critical vulnerabilities, the NCSC says that threat actors are most likely still planning to breach new targets.
Tomi Engdahl says:
Microsoft turns off Excel 4.0 macros by default, because they’re mostly used for malware https://www.xda-developers.com/microsoft-excel-4-0-macros-disabled/
XLM macros are disabled by default in Excel version 16.0.14527.20000 and newer, which rolled out in October in the Current Channel and December in the Monthly Enterprise Channel. The Semi-Annual Enterprise Channel (Preview) and Semi-Annual Enterprise Channel will receive the change in March and July, respectively.
Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
https://isc.sans.edu/diary/Mixed+VBA+%26+Excel4+Macro+In+a+Targeted+Excel+Sheet/28264
Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was, and he agreed to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim, and this person was called beforehand to make them more confident about the file. A perfect example of a social engineering attack. The Excel sheet contains details of a real-estate project. The Excel sheet is called “Penthouse_8271.xls” and, once opened, you see this…
Tomi Engdahl says:
Dark Souls 3 players risk having their PC bricked if they play online https://www.dexerto.com/gaming/dark-souls-3-players-risk-having-their-pc-bricked-if-they-play-online-1746144/
However, on January 22, 2022, it was discovered that a new exploit could potentially affect PC players who are connected to the internet while playing. Basically, it can turn DS 3 into a Trojan Horse virus vulnerable to malicious hackers.
Tomi Engdahl says:
Canada confirms cyber-attack on foreign affairs ministry https://therecord.media/canada-confirms-cyber-attack-on-foreign-affairs-ministry/
The Canadian government confirmed late last night that its foreign affairs ministry, Global Affairs Canada, was the victim of a cyber-attack, and it’s still dealing with its after-effects.
Tomi Engdahl says:
“Cyber Partisans” struck against Russian troop transports https://www.is.fi/digitoday/tietoturva/art-2000008564395.html
The Belarusian hacker group demands the release of political prisoners and the withdrawal of Russian troops from Belarus.
Tomi Engdahl says:
DHS warns of Russian cyberattack on US if it responds to Ukraine invasion
https://abcnews.go.com/Politics/dhs-warns-russian-cyberattack-us-responds-ukraine-invasion/story?id=82441727
As tensions rise in the standoff over Ukraine, the Department of Homeland Security has warned that the U.S. response to a possible Russian invasion could result in a cyberattack launched against the U.S. by the Russian government or its proxies.
Tomi Engdahl says:
Teen who hacked Teslas found more problems in the cars
https://www.tivi.fi/uutiset/tv/043978e9-ad1d-4041-8ad0-61cb8f257730
David Colombo, the 19-year-old cybersecurity expert who has attracted worldwide attention, has once again found a new vulnerability in Tesla cars. He was able to look up the cars' exact location and switch off their security systems. In addition, he could freely open the vehicles' doors and windows, start them, and blast music at full volume.
https://www.tivi.fi/uutiset/tv/3c3f501c-b40a-40ac-a78f-fe3d7c4d1ff5
Tomi Engdahl says:
Finland's central bank warns of scam attempts: private individuals hardly have any credentials for this bank https://www.tivi.fi/uutiset/tv/9cfb5c59-024e-4e55-8f9e-3102cd292e4e
Scam and phishing messages have been sent in the name of the Bank of Finland, the bank says in a press release. The messages sent by the crooks have attempted to phish for online banking credentials.
Tomi Engdahl says:
Tax scam emails are alive and well as US tax season starts https://nakedsecurity.sophos.com/2022/01/25/tax-scam-emails-are-alive-and-well-as-us-tax-season-starts/
Many countries have taxation forms with names that have entered the general vocabulary, notably the abbreviations of documents that employers are obliged to provide to their staff to show how much money they were paid and, most importantly, how much tax was already withheld and paid in on the employee’s behalf. Anyway, given that it’s the last week in January, and thus that US tax filing season is about to get underway, we weren’t surprised to receive a tax-related scam email today, and to see the W-2 form mentioned explicitly.
Tomi Engdahl says:
Tor Project appeals Russian court’s decision to block access to Tor https://www.bleepingcomputer.com/news/security/tor-project-appeals-russian-courts-decision-to-block-access-to-tor/
US-based Tor Project and Russian digital-rights protection org RosKomSvoboda are appealing a Russian court’s decision to block access to public Tor nodes and the project’s website.
Tomi Engdahl says:
Emotet Stops Using 0.0.0.0 in Spambot Traffic
https://isc.sans.edu/diary/rss/28270
Last week, I wrote a diary about Emotet using 0.0.0.0 in its spambot traffic instead of the actual IP address of the infected Windows host (link). Shortly after that diary, Emotet changed from using 0.0.0.0 to using the victim’s IP address, but with the octet values listed in reverse order.
Tomi Engdahl says:
This sneaky ransomware is now targeting Linux servers, too https://www.zdnet.com/article/this-sneaky-ransomware-is-now-targeting-linux-servers-too/
One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months. Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware, which was by far the most active ransomware family at one point last year, was focused on Windows.
Tomi Engdahl says:
Linux kernel bug can let hackers escape Kubernetes containers https://www.bleepingcomputer.com/news/security/linux-kernel-bug-can-let-hackers-escape-kubernetes-containers/
A vulnerability affecting Linux kernel and tracked as CVE-2022-0185 can be used to escape containers in Kubernetes, giving access to resources on the host system. Security researchers warn that exploiting this security issue is easier and more promising than initially estimated, and that patching is an urgent matter since the exploit code will soon become public.
Tomi Engdahl says:
PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
Tomi Engdahl says:
Xerox vulnerability allows unauthenticated network users to remotely brick printers https://neosmart.net/blog/2022/xerox-vulnerability-allows-unauthenticated-network-users-to-remotely-brick-printers/
[..] To the best of my knowledge, this vulnerability remains unpatched and continues to affect a number of Xerox printers across different product/model lines. This full, public disclosure is being made given the egregious amount of time that has elapsed since this issue was brought to Xerox’s attention. [..] Given that it has now been not 90 days but closer to two-and-a-half years since this issue was disclosed to Xerox Corp and I have not received any updates regarding the matter, I have decided to disclose this publicly (which I probably should have done much sooner but kept putting off for $reasons that make me put a lot of things off).
Tomi Engdahl says:
Microsoft warns of phishy OAuth apps
https://blog.malwarebytes.com/privacy-2/2022/01/microsoft-warns-of-phishy-oauth-apps/
Microsoft is warning Office 365 users to watch out for phishy emails asking you to install an app called Upgrade. [..] According to Microsoft Security Intelligence, the campaign has “targeted hundreds of organisations”. The researcher who first brought the bogus app to their attention has discovered another one. This time around, it’s also called “Upgrade” but with a new verified publisher.
Tomi Engdahl says:
New DeadBolt ransomware targets QNAP devices, asks 50 BTC for master key https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/
A new DeadBolt ransomware group is encrypting QNAP NAS devices worldwide using what they claim is a zero-day vulnerability in the device’s software. The attacks started today, January 25th, with QNAP devices suddenly finding their files encrypted and file names appended with a .deadbolt file extension. Source:
https://www.qnap.com/en/security-news/2022/take-immediate-actions-to-stop-your-nas-from-exposing-to-the-internet-and-fight-against-ransomware-together
Tomi Engdahl says:
Trickbot will now try to crash researcher PCs to stop reverse engineering attempts https://www.zdnet.com/article/trickbot-will-now-try-to-crash-researcher-pcs-to-stop-reverse-engineering-attempts/
The Trickbot Trojan has been revised with a new set of anti-reverse engineering features including the capability to crash computers if analysis tools are detected. [..] The third line of defense, however, is the most interesting update. An anti-debugging script has been added to code that can trigger a memory overload if a security researcher performs “code beautifying,” a technique used to make large swathes of code more readable and easier to analyze.
Tomi Engdahl says:
GitHub enables two-factor authentication mechanism through iOS, Android app https://www.zdnet.com/article/github-enables-two-factor-authentication-mechanism-through-ios-android-app/
GitHub Mobile 2FA will be available to all GitHub users in the App Store and Play Store this week.
Tomi Engdahl says:
New FluBot and TeaBot campaigns target Android devices worldwide https://www.bleepingcomputer.com/news/security/new-flubot-and-teabot-campaigns-target-android-devices-worldwide/
New FluBot and TeaBot malware distribution campaigns have been spotted, using typical smishing lures or laced apps against Android users in Australia, Germany, Poland, Spain, and Romania. The SMS topics used for spreading the FluBot malware include fake courier messages, “Is this you in this video?” coaxes, phony browser updates, and fake voicemail notifications.
Tomi Engdahl says:
WhatsApp Ordered To Help U.S. Agents Spy On Chinese Phones, No Explanation Required https://www.forbes.com/sites/thomasbrewster/2022/01/17/whatsapp-ordered-to-spy-on-chinese-phones-by-america-no-explanation-given/
U.S. federal agencies have been using a 35-year-old American surveillance law to secretly track WhatsApp users with no explanation as to why and without knowing whom they are targeting.
Tomi Engdahl says:
2022.01.25 Issue with TLS-ALPN-01 Validation Method
(Let's Encrypt certificates)
https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450
All active certificates that were issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC on 26 January 2022, when our fix was deployed, are considered mis-issued. In compliance with the Let’s Encrypt CP, we have 5 days to revoke and will begin to revoke certificates at 16:00 UTC on 28 January 2022. We estimate <1% of active certificates are affected. Subscribers affected by revocations will receive e-mail notifications if their ACME account contains a valid e-mail address.
Tomi Engdahl says:
A denial-of-service attack took down an entire country's internet connections https://www.tivi.fi/uutiset/tv/75eb3a21-8111-480d-a4ce-bd33e7ca6ddd
The internet connections of Andorra, a microstate on the border between Spain and France, were cut off almost entirely because of denial-of-service attacks. According to Tom’s Hardware, which reported the matter, the attacks targeted the country's only telecom operator, Andorra Telecom.
Tomi Engdahl says:
Russia assessment from Sweden: “The latest cyberattack only reinforces the picture of preparation for large-scale aggression”
https://www.tivi.fi/uutiset/tv/ad226232-8278-412b-8968-a671c8f4f6a3
Carl Bildt, an expert in international politics and Sweden's former prime minister and foreign minister, regards the cyberattack carried out against Ukraine's state administration as a sign of a coming attack.
Tomi Engdahl says:
US threatens use of novel export control to damage Russia’s strategic industries if Moscow invades Ukraine https://www.stripes.com/theaters/us/2022-01-23/us-russia-export-control-ukraine-4391336.html
The Biden administration is threatening to use a novel export control to damage strategic Russian industries, from artificial intelligence and quantum computing to civilian aerospace, if Moscow invades Ukraine, administration officials say.
Tomi Engdahl says:
Hackers say they encrypted Belarusian Railway servers in protest https://www.bleepingcomputer.com/news/security/hackers-say-they-encrypted-belarusian-railway-servers-in-protest/
A group of hackers (known as Belarusian Cyber-Partisans) claim they breached and encrypted servers belonging to the Belarusian Railway, Belarus’s national state-owned railway company. They say their attack was prompted by Russia using Belarusian Railway’s rail transport network to move military units and equipment into the country.
Tomi Engdahl says:
China accused of hijacking Australia Prime Minister Scott Morrison’s WeChat account https://www.zdnet.com/article/china-accused-of-hijacking-australia-prime-minister-scott-morrisons-wechat-account/
The Australian Prime Minister is still yet to retrieve access to his WeChat despite making contact with the ‘Chinese community’ hours ago.
Tomi Engdahl says:
Android malware BRATA wipes your device after stealing data https://www.bleepingcomputer.com/news/security/android-malware-brata-wipes-your-device-after-stealing-data/
The Android malware known as BRATA has added new and dangerous features to its latest version, including GPS tracking, the capacity to use multiple communication channels, and a function that performs a factory reset on the device to wipe all traces of malicious activity.
BRATA was first spotted by Kaspersky back in 2019 as an Android RAT (remote access tool) that mainly targeted Brazilian users.