This posting is here to collect cyber security news in November 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in November 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
373 Comments
Tomi Engdahl says:
Malware now trying to exploit new Windows Installer zero-day https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/
Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.
“Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability, ” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group. However, as Cisco Talos’ Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low volume attacks likely focused on testing and tweaking exploits for full-blown campaigns. “During our investigation, we looked at recent malware samples and were able to identify several that were already attempting to leverage the exploit, ” Biasini told BleepingComputer.
“Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns. This is just more evidence on how quickly adversaries work to weaponize a publicly available exploit.”
Tomi Engdahl says:
More than 9 million smartphones infected with Cynos malware https://therecord.media/more-than-9-million-smartphones-infected-with-cynos-malware/
Chinese smartphone vendor Huawei has temporarily removed 190 Android games from its official AppGallery app store after it received a report from Russian security firm Dr.Web that the apps contained an overly aggressive monetization library that was collecting extensive details from users’ devices. Huawei said it is now working with the app developers to investigate if the data collection has been taking place behind their backs and find replacement monetization libraries.
More than 9.3 million users have installed one of these 190 Android games, according to download stats listed on the AppGallery store.
Tomi Engdahl says:
Hackers exploit Microsoft MSHTML bug to steal Google, Instagram creds https://www.bleepingcomputer.com/news/security/hackers-exploit-microsoft-mshtml-bug-to-steal-google-instagram-creds/
A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs. The info stealer is also used for Telegram surveillance and collecting system information from compromised devices that get sent to attacker-controlled servers together with the stolen credentials. As SafeBreach Labs discovered, the attacks (publicly reported in September on Twitter by the Shadow Chaser Group) started in July as spear-phishing emails. They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
Tomi Engdahl says:
New JavaScript malware works as a “RAT dispenser”
https://therecord.media/new-javascript-malware-works-as-a-rat-dispenser/
Cybersecurity experts from HP said they discovered a new strain of JavaScript malware that criminals are using as a way to infect systems and then deploy dangerous remote access trojans (RATs). Cleverly named RATDispenser, the malware has been distributed in the wild for at least three months in the form of email messages carrying malicious file attachments. These files abuse the classic double-extension trick
(filename.txt.js) to pose as text files but run JavaScript code when users try to open them. Once this happens, HP says the RATDispenser malware decodes itself and runs a self-contained VBScript file that then installs a commodity remote access trojan on the infected device.
Over the past three months, HP said the malware had been used to drop at least eight different RAT strains, such as STTRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty.
Tomi Engdahl says:
Instagramissa leviää ärhäkkä huijaus Dyson varoittaa suomalaisia
https://www.iltalehti.fi/tietoturva/a/244e720c-1c29-4caa-a815-afcccb773797
Iltalehti kertoi viime viikolla, miten huijarit ovat häirinneet suomalaisia Instagramissa. Huijarit merkitsevät käyttäjiä julkaisuun, jossa väitetään, että nämä olisivat voittaneet Dysonin hiustenkuivaajan. Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskuksen tietoturva-asiantuntija Ville Kontinen kertoi Iltalehdelle, että kyseessä on tuttu ilmiö, jossa bottitilejä käytetään huijauksen levittämiseen. Huijarit yrittävät saada siirtymään toiselle valetilille ja sen kautta valesivustolle.
Tarkoitus on saada uhri tilausansaan. Kyseessä on arvontateemainen huijaus, jossa väitetään, että henkilö on voittanut jotain. Tällä yritetään saada henkilö avaamaan nopeasti linkkejä. Kun näitä avaa tarpeeksi, törmää lopulta pyyntöön hyväksyä luottokortilla pienimuotoinen tilaus. Kyse on siis tilausansasta, joka johtaa tavallisesti 50100 euron hintaiseen kuukausitilaukseen, Kontinen kertoi.
Tomi Engdahl says:
Ukraine arrests Phoenix’ hackers behind Apple phishing attacks https://www.bleepingcomputer.com/news/security/ukraine-arrests-phoenix-hackers-behind-apple-phishing-attacks/
The Security Service of Ukraine (SSU) has arrested five members of the international ‘Phoenix’ hacking group who specialize in the remote hacking of mobile devices. The SSU’s announcement states that all five suspects live in Kyiv or Kharkiv and are higher technical education institutes graduates. The goal of ‘Phoenix’ was to gain remote access to the accounts of mobile device users and then monetize them by hijacking their e-payment or bank accounts or selling their private information to third parties. To steal mobile accounts of mobile device users, the actors used phishing sites that were clones of Apple’s and Samsung’s login portals. This activity went on for at least two years, during which Phoenix hacked several hundred people’s accounts. The hackers also offered remote mobile phone hacking services to others, charging between $100 and $200.
Tomi Engdahl says:
Eavesdropping bug impacts roughly a third of the world’s smartphones https://therecord.media/eavesdropping-bug-impacts-roughly-a-third-of-the-worlds-smartphones/
MediaTek, a Taiwanese company that manufactures a wide array of chips for smartphones and other smart devices, has released security updates last month to address severe vulnerabilities that could allow malicious Android apps to record audio and spy on phone owners. Three issues were patched in October (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663), and a fourth (CVE-2021-0673) will be fixed next month, in December, according to security firm Check Point, whose researchers found the issues earlier this year. “MediaTek chips contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage, ” a Check Point spokesperson said in an email this week. “Both the APU and the audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and challenging target for security research. Check Point grew curious around the degree to which MediaTek DSP could be used as an attack vector for threat actors, ” the company added. “For the first time, CPR was able to reverse engineer the MediaTek audio processor, revealing several security flaws, ” it added.
Tomi Engdahl says:
Industrial Cybersecurity Firm Applied Risk Acquired by DNV
https://www.securityweek.com/industrial-cybersecurity-firm-applied-risk-acquired-dnv
Norway-based assurance and risk management solutions provider DNV is acquiring industrial cybersecurity company Applied Risk in an effort to create an “industrial cybersecurity powerhouse.”
The companies will merge under the DNV brand. Financial terms of the deal have not been disclosed.
Founded in 2012 and based in Amsterdam, the Netherlands, Applied Risk provides industrial security, certification and compliance, incident response and forensics, and training services to organizations in a wide range of industries.
DNV provides advisory, certification, classification, data and analytics, inspection, software, testing, training, and verification and assurance services to organizations in the maritime, oil and gas, power, cybersecurity, aerospace, automotive, food and beverage, healthcare and other industries.
Tomi Engdahl says:
Researcher Awarded $10,000 for Google Cloud Platform Vulnerability
https://www.securityweek.com/researcher-awarded-10000-google-cloud-platform-vulnerability
Security researcher David Schütz says he received over $10,000 in bug bounty payouts from Google after reporting a Google Cloud project vulnerability and subsequent bypasses to rolled-out fixes.
In March, Schütz discovered that a URL allow-list bypass could be used to leak the access token for the internal Google Cloud Platform (GCP) project “cxl-services.”
Tomi Engdahl says:
GoDaddy Says Several Brands Hit by Recent WordPress Hosting Breach
https://www.securityweek.com/godaddy-says-several-brands-hit-recent-wordpress-hosting-breach
Domain registrar and web hosting giant GoDaddy says the recently disclosed data breach impacts several of its brands, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.
GoDaddy revealed on November 22 that it had identified unauthorized access to its managed WordPress hosting environment. The incident resulted in the exposure of email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress users.
Other information exposed in the breach included WordPress admin passwords set during provisioning, sFTP and database usernames and passwords, and SSL private keys.
GoDaddy systems were apparently first accessed by the hackers on September 6, but the intrusion was only discovered on November 17.
Tomi Engdahl says:
VMware Patches File Read, SSRF Vulnerabilities in vCenter Server
https://www.securityweek.com/vmware-patches-file-read-ssrf-vulnerabilities-vcenter-server
VMware on Tuesday informed customers about the availability of patches for arbitrary file read and server-side request forgery (SSRF) vulnerabilities affecting its vCenter Server product.
The arbitrary file read issue, tracked as CVE-2021-21980 and rated “high severity” (important), affects the vSphere Web Client and it could be exploited to obtain sensitive information by an attacker who has network access to port 443 on vCenter Server.
The second flaw, identified as CVE-2021-22049 and rated “medium severity” (moderate), affects the vSphere Web Client, specifically the vSAN Web Client plug-in.
“A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service,” VMware said in its advisory.
Patches have been released for affected vCenter Server versions and they are pending for Cloud Foundation. Workarounds are not available.
Tomi Engdahl says:
UK Cyber Firm Faces Investors Over Stock Turmoil
https://www.securityweek.com/uk-cyber-firm-faces-investors-over-stock-turmoil
British cyber security firm Darktrace came under investor scrutiny Wednesday over dramatic share price gyrations since its headline-grabbing London stock market float.
Darktrace, based in the English university city of Cambridge, held its annual general meeting amid growing unease over the stock.
The company, which uses cutting-edge artificial intelligence (AI) technology to combat cyber attacks, arrived on the London stock market in April.
The initial public offering launched at 250 pence per share, valuing Darktrace at £1.7 billion ($2.3 billion, 2.0 billion euros).
Shares then vaulted higher in subsequent weeks and months to hit a peak of almost 1,000 pence in September.
Darktrace also joined London’s prestigious FTSE 100 index of top companies last month.
But shares then tanked after brokerage Peel Hunt questioned its valuation and technology.
Tomi Engdahl says:
https://hackaday.com/2021/11/19/this-week-in-security-intel-atoms-spill-secrets-icmp-poisons-dns-and-the-blacksmith/
Intel has announced CVE-2021-0146, a vulnerability in certain processors based on the Atom architecture, and the Trusted Platform Module (TPM) is at the center of the problem. The goal of the system around the TPM is to maintain system integrity even in the case of physical access by an attacker, so the hard drive is encrypted using a key stored in a secure chip on the motherboard. The TPM chip holds this encryption key and provides it during the boot process. When combined with secure boot, this is a surprisingly effective way to prevent tampering or data access even in the case of physical access. It’s effective, at least, when nothing goes wrong.
Earlier this year, we covered a story where the encryption key could be sniffed directly from the motherboard, by tapping the traces connecting the TPM to the CPU. It was pointed out that TPM 2.0 can encrypt the disk encryption key on the traces, making this attack impossible.
The entire Trusted Compute Model is based on the premise that the CPU itself is trustworthy. This brings us back to Intel’s announcement that a debug mode could be enabled via physical access. In this debug mode, the CPU master key can be extracted, leading to complete compromise. The drive encryption key can be recovered, and unsigned firmware can be loaded to the Management Engine. This means data in the TPM enclave and the TPM-stored encryption key can be compromised. Updated firmware is rolling out through motherboard vendors to address the problem.
New secret-spilling hole in Intel CPUs sends company patching (again)
Researchers figure out how to obtain the “fuse encryption key” unique to each CPU.
https://arstechnica.com/gadgets/2021/11/intel-releases-patch-for-high-severity-bug-that-exposes-a-cpus-master-key/
Tomi Engdahl says:
https://hackaday.com/2021/11/19/this-week-in-security-intel-atoms-spill-secrets-icmp-poisons-dns-and-the-blacksmith/
In honor of the late Dan Kaminsky, we’re once again looking at DNS cache poisoning. This time it’s a quirk of the Linux network stack that enables the attack. This attack is detailed in a paper by a trio from the University of California, Riverside.
The original DNS attack used nonrandom query IDs, and always made DSN lookups from UDP port 53. It was simple to send a spoofed DNS response, and if the malicious response arrived before This attack abuses the ICMP fragmentation error. When such a message is received by a Linux machine, it is validated against the active UDP connections. The request must contain the correct source and destination IP and port. If this set of information matches an open UDP socket, an entry is added to the exception cache. If an attacker can detect the change of state of the exception cache, he can use ICMP packets to probe for opened UDP sockets — effectively allowing the randomized port of a DNS lookup to be discovered.
How exactly do you detect that state change? A DNS resolver like dnsmasq opens these temporary ports using sendto(), which has the unintentional side effect of accepting UDP packets from any IP address. An ICMP fragmentation error can update the exception cache for any IP, so long as it has the correct IP and port of a temporary connection. This makes the attack trivial. the valid one, the resolver accepted the bogus data.
Make a request for somerandomsubdomain.google.com, and then start spamming ICMP fragmentation errors for all the UDP ports on the target system. When one of these packets matches the opened UDP port, the MTU for the specified IP is changed. Then ping the system from the IPs indicated in the ICMP errors. When one of your ping responses is fragmented, you’ve found a collision. Now that you know the port that the DNS resolver has opened, you could brute-force the transaction ID. Since it’s only 16 bits of keyspace, this is very doable.
The problem is a bit harder for other DNS resolvers, like BIND, that use connect() to open temporary UDP sockets. The same trick applies, but you can only trigger an MTU change on the specific IP the socket is connected to. Is there any way to detect this change? There is. The key here is that the exception cache is a hash table with a limited depth.
It’s a complicated attack, but the potential payoff is quite high, so expect to see patches addressing this in the very near future.
DNS Cache Poisoning Attack: Resurrections with Side Channels
https://www.cs.ucr.edu/~zhiyunq/pub/ccs21_dns_poisoning.pdf
Tomi Engdahl says:
Haavoittuvuus Mediatekin piireissä uhkasi miljoonia Android-käyttäjiä
https://etn.fi/index.php/13-news/12865-haavoittuvuus-mediatekin-piireissae-uhkasi-miljoonia-android-kaeyttaejiae
Tietoturvayritys Check Pointin tutkimusosasto löysi jokin aika sitten haavoittuvuuden taiwanilaisen Mediatekin valmistamassa älypuhelimen sirussa. Haavoittuvuus löytyi piirien audioprosessorin sisältä. Jos haavoittuvuuksia ei olisi korjattu, ne olisivat saattaneet antaa hakkerin salakuunnella Android-käyttäjää tai piilottaa laitteeseen haitallista koodia.
MediaTekin piirillä oli erityinen AI-prosessointiyksikön (APU) ja digitaalisen signaaliprosessori eli DSP-piiri, joka prosessoi audiodataa. Sekä APU:ssa että audio-DSP:ssä on mukautetut mikroprosessoriarkkitehtuurit, mikä tekee piiristä ainutlaatuisen ja haastavan kohteen tietoturvatutkimukselle.
Tietoturva-aukkojen hyödyntämiseksi olisi pitänyt tapahtua seuraavaa: Käyttäjä asentaa haitallisen sovelluksen Googlen Play-aupasta ja käynnistää sen. Sovellus käyttää Mediatekin omaa rajapintaa hyökätäkseen kirjastoon, jolla on lupa keskustella ääniohjaimen kanssa. Sovellus, jolla on järjestelmäoikeudet, lähettää viestejä ääniohjaimelle suorittaakseen koodin ääniprosessorin laiteohjelmistossa. Vasta tämän jälkeen sovellus pystyisi kuuntelemaan audiota.
CPR ilmoitti vastuullisesti havaintonsa Mediatekille. Löydetyt kolme haavoittuvuutta korjattiin ja julkaistiin lokakuun 2021 Mediatekin tietoturvatiedotteessa.
Mediatekin mukaan ei ole todisteita siitä, että haavoittuvuuksia hyödynnettäisiin tällä hetkellä.
Tomi Engdahl says:
Nathaniel Mott / PCMag:
Check Point details MediaTek DSP firmware vulnerabilities in some Android smartphones that could be exploited to eavesdrop; MediaTek released patches in October — Check Point Research discovers a vulnerability in the digital signal processor found in MediaTek’s system-on-chip offerings.
Researchers Finds Security Flaw Affecting 37% of Smartphones
https://uk.pcmag.com/security/137307/researchers-finds-security-flaw-affecting-37-of-smartphones
Check Point Research discovers a vulnerability in the digital signal processor found in MediaTek’s system-on-chip offerings.
Check Point Research (CPR) has revealed a vulnerability in the audio digital signal processor (DSP) used in MediaTek’s system-on-chip offerings, which are in roughly 37% of all smartphones and Internet of Things devices.
The bug can be exploited to eavesdrop on unsuspecting Android users. Researchers say they found three vulnerabilities (CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663) in the DSP firmware and one vulnerability (CVE-2021-0673) in the audio Hardware Abstraction Layer. MediaTek released patches for all of the security flaws in October.
“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware,” CPR says. “Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user.”
The researchers say those flaws could be chained with vulnerabilities in original equipment manufacturer (OEM) libraries to enable local privilege escalation from an Android app. That privilege escalation means the app “may be able to send messages to the audio DSP firmware.”
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
A Windows 10 and Windows 11 exploit allows an attacker with physical access to gain SYSTEM privileges, bypassing Microsoft’s patch from earlier this month
Malware now trying to exploit new Windows Installer zero-day
https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/
Malware creators have already started testing a proof-of-concept exploit targeting a new Microsoft Windows Installer zero-day publicly disclosed by security researcher Abdelhamid Naceri over the weekend.
“Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability,” said Jaeson Schultz, Technical Leader for Cisco’s Talos Security Intelligence & Research Group.
However, as Cisco Talos’ Head of Outreach Nick Biasini told BleepingComputer, these exploitation attempts are part of low volume attacks likely focused on testing and tweaking exploits for full-blown campaigns.
Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage
https://blog.talosintelligence.com/2021/11/attackers-exploiting-zero-day.html
Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.
Microsoft released an update that was intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. However, the patch released by Microsoft was not sufficient to remediate the vulnerability, andNaceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft. The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator.
Tomi Engdahl says:
Nicole Perlroth / New York Times:
Apple sues NSO Group in US federal court, seeking to ban NSO from using Apple products and alleging NSO illegally targeted Apple users with surveillance tools
https://www.nytimes.com/2021/11/23/technology/apple-nso-group-lawsuit.html
Tomi Engdahl says:
Demetri Sevastopulo / Financial Times:
The US places a dozen Chinese groups developing quantum computing, semiconductor, and aerospace technologies on an entity list, blocking exports to them
https://t.co/f85qJftXqB?amp=1
Tomi Engdahl says:
Saitko oudon tekstiviestin? Älä avaa linkkiä pankkitunnuksesi voivat vuotaa https://www.iltalehti.fi/tietoturva/a/5df48e85-7b1c-4985-86bc-aca1205d359b
Huijausviestejä lähettävä Flubot-kampanja oli erittäin aktiivinen viime kesänä Suomessa. Nyt näitä viestejä on jälleen alettu lähettää suomalaisille. Tekstiviestinä saapuvassa viestissä voidaan väittä, että vastaanottaja on saanut esimerkiksi ääniviestin, joka pyydetään kuuntelemaan viestissä olevan linkin kautta. Tätä linkkiä ei tule avata, sillä se johtaa huijaussivustolle, jonka yläkulmaan on sijoitettu logo, joka muuttuu vierailevan liittymän operaattorin perusteella.
Tomi Engdahl says:
Check Point Research discover vulnerabilities in smartphones chips embedded in 37% of smartphones around the world https://blog.checkpoint.com/2021/11/24/check-point-research-discover-vulnerabilities-in-smartphones-chips-embedded-in-37-of-smartphones-around-the-world/
Taiwan’s MediaTek has been the global smartphone chip leader since Q3 2020. MediaTek Systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more. In this study, we reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of our research was to find a way to attack the audio DSP from an Android phone.
Tomi Engdahl says:
Warning Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html
Attackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit. Cisco Talos disclosed that it “detected malware samples in the wild that are attempting to take advantage of this vulnerability.”
Tomi Engdahl says:
New Linux malware hides in cron jobs with invalid dates https://www.bleepingcomputer.com/news/security/new-linux-malware-hides-in-cron-jobs-with-invalid-dates/
Security researchers have discovered a new remote access trojan (RAT) for Linux that keeps an almost invisible profile by hiding in tasks scheduled for execution on a non-existent day, February 31st. Dubbed CronRAT, the malware is currently targeting web stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.
Tomi Engdahl says:
Hackers target biomanufacturing with stealthy Tardigrade malware https://www.bleepingcomputer.com/news/security/hackers-target-biomanufacturing-with-stealthy-tardigrade-malware/
An advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called ‘Tardigrade.’. The actor uses the custom malware to spread in compromised networks and exfiltrates data for extensive periods without being noticed.
According to an advisory published by Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) today, the actor has been actively targeting entities in the field since the Spring of 2021.
Tomi Engdahl says:
How cybercriminals adjusted their scams for Black Friday 2021 https://www.bleepingcomputer.com/news/security/how-cybercriminals-adjusted-their-scams-for-black-friday-2021/
Black Friday is approaching, and cybercriminals are honing their malware droppers, phishing lures, and fake sites while shoppers prepare to open their wallets. As researchers at Kaspersky point out, scammers are already targeting people with fake tickets for the FIFA World Cup 2022. The security firm shared a detailed report highlighting the most common threats expected to surface during this year’s Black Friday, as well as the Christmas shopping season.
Tomi Engdahl says:
Apple sues NSO Group to curb the abuse of state-sponsored spyware https://www.apple.com/newsroom/2021/11/apple-sues-nso-group-to-curb-the-abuse-of-state-sponsored-spyware/
Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.
Tomi Engdahl says:
Apple Details How It Will Warn Victims Of State-Sponsored Attacks https://www.forbes.com/sites/emmawoollacott/2021/11/25/apple-details-how-it-will-warn-victims-of-state-sponsored-attacks/
After filing suit against Israel’s NSO group, responsible for the Pegasus spyware used in state-sponsored surveillance schemes, Apple has released details of how it will alert users to the fact that they’ve been targeted. The alerts are aimed at individuals who may have been specifically picked out for anti-government activities.
“These users are individually targeted because of who they are or what they do, ” the company warns.
Tomi Engdahl says:
CISA, FBI Warn of Potential Critical Infrastructure Attacks on Holidays
https://www.securityweek.com/cisa-fbi-warn-potential-critical-infrastructure-attacks-holidays
Tomi Engdahl says:
https://www.securityweek.com/uk-cyber-firm-faces-investors-over-stock-turmoil
British cyber security firm Darktrace came under investor scrutiny Wednesday over dramatic share price gyrations since its headline-grabbing London stock market float.
Darktrace, based in the English university city of Cambridge, held its annual general meeting amid growing unease over the stock.
Tomi Engdahl says:
VMware Patches File Read, SSRF Vulnerabilities in vCenter Server
https://www.securityweek.com/vmware-patches-file-read-ssrf-vulnerabilities-vcenter-server
Tomi Engdahl says:
GoDaddy Says Several Brands Hit by Recent WordPress Hosting Breach
https://www.securityweek.com/godaddy-says-several-brands-hit-recent-wordpress-hosting-breach
Tomi Engdahl says:
Huawein AppGallery jakoi troijalaisen yli 9 miljoonaan puhelimeen
https://etn.fi/index.php/13-news/12875-huawein-appgallery-jakoi-troijalaisen-yli-9-miljoonaan-puhelimeen
Sovelluskauppojen tietoturva on yritysten jatkuva panostuksen kohde. Aina tiukatkaan toimet eivät ysty estämään verkkorikollisia. Näin on käynyt Huawein AppGallerylle, jossa oli jaossa 190 Android-troijalaisella terästetty peliä.
Venäläisen tietoturvayritys Dr. Webin mukaan kyse oli Cynos-moduuliin perustuvasta Android.Cynos7.origin -haittaohjelmasta. Sen sisältämiä pelejä ehdittiin ladata yi 9,3 miljoonaan älypuhelimeen lähinnä Venäjän ja Kiinan kielialueilla.
Tomi Engdahl says:
New trojan detected on AppGallery app catalog
https://news.drweb.com/show/?i=14360&lng=en
Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have an Android.Cynos.7.origin trojan built into them. This trojan is designed to collect users’ mobile phone numbers. At least 9.300.000 Android device owners have installed these dangerous games.
The Android.Cynos.7.origin is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014. Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps. The main functionality of the version discovered by our malware analysts is collecting the information about users and their devices and displaying ads.
Tomi Engdahl says:
Interpol arrests over 1,000 suspects linked to cyber crime
https://www.bleepingcomputer.com/news/legal/interpol-arrests-over-1-000-suspects-linked-to-cyber-crime/
Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling.
This crackdown results from a four-month action codenamed ‘Operation HAEICHI-II,’ which took place in twenty countries between June and September 2021.
These were Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.
intercepted nearly $27,000,000 and froze 2,350 banking accounts linked to various online crimes.
Colombian textiles company tricked by BEC (Business Email Compromise) actors.
The perpetrators impersonated a legal representative of the company and asked $16 million in two payments of $8,000,000 to be sent to two Chinese bank accounts.
Interpol’s intervention helped retrieve 94% of this amount, saving the firm from bankruptcy.
Tomi Engdahl says:
Criminal group dismantled after forcing victims to be money mules
https://www.bleepingcomputer.com/news/security/criminal-group-dismantled-after-forcing-victims-to-be-money-mules/
The Spanish police have arrested 45 people who are believed to be members of an online fraud group that operated twenty websites to defraud at least 200 people of 1,500,000 Euros ($1.73 million).
they offered various consumer electronic products at an alluringly low price.
When victims made purchases, the money went to bank accounts that belonged to other victims who were forced by the criminals to act as “money mules”.
Subsequently, they informed the victim that the only way to get their money back was to become “money mules” themselves.
The actors posed as French financiers and offered loans on the condition of receiving a small deposit that was supposedly required for covering loan application commissions and relevant expenses.
the victims were instructed to obtain a new credit card and send it to Benin, together with the matching online banking credentials.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
Tomi Engdahl says:
Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally
https://thehackernews.com/2021/11/eavesdropping-bugs-in-mediatek-chips.html
Tomi Engdahl says:
Code execution bug patched in Imunify360 Linux server security suite
Updated: The vulnerability could be used to hijack web servers.
https://www.zdnet.com/article/code-execution-bug-patched-in-imunity360-linux-security-suite/
Tomi Engdahl says:
Conti ransomware gang suffers security breach
https://therecord.media/conti-ransomware-gang-suffers-security-breach/
Tomi Engdahl says:
https://therecord.media/malicious-python-packages-caught-stealing-discord-tokens-installing-shells/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-in-internal-reply-chain-attacks/
Tomi Engdahl says:
Report: China May Steal Encrypted Government Data Now to Decrypt with Quantum Computers Later
https://www.nextgov.com/emerging-tech/2021/11/report-china-may-steal-encrypted-government-data-now-decrypt-quantum-computers-later/187020/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/over-nine-million-android-devices-infected-by-info-stealing-trojan/
Tomi Engdahl says:
ICYMI: GoDaddy says data breach exposed over a million user accounts
https://tcrn.ch/3p1s8Ei
Tomi Engdahl says:
https://www.livemint.com/industry/banking/pnb-customers-data-exposed-for-seven-months-due-to-server-vulnerability-report-11637486043143.html
Tomi Engdahl says:
New Side-Channel Vulnerability in the Linux Kernel Enabling DNS Cache Poisoning
https://www.infoq.com/news/2021/11/linux-dns-vulnerability/
A recent research paper by a team at University of California, Riverside, shows the existence of previously overlooked side channels in the Linux kernels that can be exploited to attack DNS servers.
According to the researchers, the issue with DNS roots in its design, that never really took security as a key concern and that made it extremely hard to retrofit strong security features into it.
Despite its critical role, DNS has been a fragile part of the security chain. Historically, efficiency was the primary consideration of DNS, leading to the design of a single query and response over UDP, which is still the primary mechanism used today.
While DNS security features are available, including DNSSEC and DNS cookies, they are not widely deployed due to backward compatibility, say the researchers. Instead, the only approach to make DNS more secure has been the randomization of UDP ports, known as ephemeral ports, with the aim to makes it harder for an attacker to discover them.
More recently, some of the researchers who first disclosed SAD DNS have uncovered side channels vulnerabilities that had gone undetected inside the Linux kernel for over a decade. Those vulnerabilities enable the use of ICMP probes to scan UDP ephemeral ports and allowed the researchers to develop new DNS cache poisoning attacks.
Specifically, the research focused on two types of ICMP error messages, ICMP fragment needed (or ICMP packet too big in IPv6) and ICMP redirect. As the researchers show, the Linux kernel processes those messages using shared resources that form side channels. What this means, roughly, is that an attacker can target a specific port where they send ICMP probes.
The newly discovered side channels affect the most popular DNS software, say the researchers, including BIND, Unbound, and dnsmasq running on top of Linux. An estimated 13.85% of open resolvers are affected. Additionally, the researchers show an end-to-end attack against the latest BIND resolver and a home router only taking minutes to succeed.
This novel attack can be prevented by setting proper socket options, e.g. by instructing the OS not to accept the ICMP frag needed messages, which will eliminate the side-channel altogether; by randomizing the kernel shared caching structure itself; and by rejecting ICMP redirects.
Tomi Engdahl says:
More than 300,000 Play Store users infected with Android banking trojans
https://therecord.media/more-than-300000-play-store-users-infected-with-android-banking-trojans/
More than 300,000 Android users were infected with banking trojans after installing apps from the official Google Play Store over the past few months, mobile security firm ThreatFabric said today.
The malicious code was hidden inside fully functional apps that operated as QR code scanners, PDF scanners, security tools, fitness apps, and two-factor authenticators.
But besides the legitimate functionality they offered, these apps also included a special module called a “loader.”
Loaders are still the best way to deploy malware on the Play Store
In the cybersecurity field, loaders are small pieces of malware that are hidden inside an app. They typically contain very little and very benign functionality, such as the ability to connect to a remote server to download and run additional code.
This lightweight design allows them to bypass checks performed by security software. However, while loaders contain the same functionality of any in-app update module, they are typically used to connect to an attacker’s remote server and download and run a more potent payload, which might not get scrutinized as much as the initial app install.
Tomi Engdahl says:
TrickBot phishing checks screen resolution to evade researchers
https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-screen-resolution-to-evade-researchers/
The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers.
Last year, the TrickBot gang added a new feature to their malware that terminated the infection chain if a device was using non-standard screen resolutions of 800×600 and 1024×768.
Researchers usually analyze malware in virtual machines that come with certain particularities – especially on default configurations – such as running services, name of the machine, network card, CPU features, and screen resolution.
Malware developers are aware of these characteristics and take advantage of implementing methods that stop the infection process on systems identified as virtual machines.
In TrickBot malware samples found last year, the executable included JavaScript code that verified the screen resolution of the system it was running on.
Tomi Engdahl says:
Panasonic confirms cyberattack and data breach
On Friday, the tech giant said its network was illegally accessed on November 11.
https://www.zdnet.com/article/panasonic-confirms-cyberattack-and-data-breach/
Tech manufacturing giant Panasonic has confirmed that its network was accessed illegally this month during a cyberattack.
In a statement released on Friday, the Japanese company said it was attacked on November 11 and determined that “some data on a file server had been accessed during the intrusion.”
“After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” Panasonic said in a statement.