OS 2024 2023 2022 2020 ANDROID 2022 2021 2020
Android Users Urged to Install Latest Security Updates to Fix Actively Exploited Flaw
5.9.24 OS The Hacker News
Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component.
According to the description of the bug in the NIST National Vulnerability Database (NVD), it concerns a logic error that could lead to local escalation of privileges without requiring any additional execution privileges.
"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google said in its Android Security Bulletin for September 2024.
It's worth noting that CVE-2024-32896 was first disclosed in June 2024 as impacting only the Google-owned Pixel lineup.
There are currently no details on how the vulnerability is being exploited in the wild, although GrapheneOS maintainers revealed that CVE-2024-32896 plugs a partial solution for CVE-2024-29748, another Android flaw that has been weaponized by forensic companies.
Google later confirmed to The Hacker News that the impact of CVE-2024-32896 goes beyond Pixel devices to include the entire Android ecosystem and that it's working with original equipment manufacturers (OEMs) to apply the fixes where applicable.
"This vulnerability requires physical access to the device to exploit and interrupts the factory reset process," Google noted at the time. "Additional exploits would be needed to compromise the device."
"We are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available. As a best security practice, users should always update their devices whenever there are new security updates available."
Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
22.8.24 OS The Hacker News
Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information.
Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery (SSRF) attack.
"An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network," Microsoft said in an advisory released on August 6, 2024.
The tech giant further said the vulnerability has been addressed and that it requires no customer action.
Tenable security researcher Evan Grant, who is credited with discovering and reporting the shortcoming, said it takes advantage of Copilot's ability to make external web requests.
"Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft's internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances," Grant said.
Put differently, the attack technique made it possible to retrieve the instance metadata in a Copilot chat message, using it to obtain managed identity access tokens, which could then be abused to access other internal resources, including gaining read/write access to a Cosmos DB instance.
The cybersecurity company further noted that while the approach does not allow access to cross-tenant information, the infrastructure powering the Copilot Studio service is shared among tenants, potentially affecting multiple customers when having elevated access to Microsoft's internal infrastructure.
The disclosure comes as Tenable detailed two now-patched security flaws in Microsoft's Azure Health Bot Service (CVE-2024-38109, CVSS score: 9.1), that, if exploited, could permit a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.
It also follows an announcement from Microsoft that it will require all Microsoft Azure customers to have enabled multi-factor authentication (MFA) on their accounts starting October 2024 as part of its Secure Future Initiative (SFI).
"MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide," Redmond said.
"Beginning in early 2025, gradual enforcement for MFA at sign-in for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence."
FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability
13.8.24 OS The Hacker News
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges.
The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.
"A signal handler in sshd(8) may call a logging function that is not async-signal-safe," according to an advisory released last week.
"The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges."
OpenSSH is an implementation of the secure shell (SSH) protocol suite, providing encrypted and authenticated transport for a variety of services, including remote shell access.
CVE-2024-7589 has been described as "another instance" of a problem that's referred to as regreSSHion (CVE-2024-6387), which came to light early last month.
"The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD," the project maintainers said.
"As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root."
Users of FreeBSD are strongly advised to update to a supported version and restart sshd to mitigate potential threats.
In cases where sshd(8) cannot be updated, the race condition issue can be resolved by setting LoginGraceTime to 0 in /etc/ssh/sshd_config and restarting sshd(8). While this change makes the daemon vulnerable to a denial-of-service, it safeguards it against remote code execution.
Apple's New macOS Sequoia Tightens Gatekeeper Controls to Block Unauthorized Software
7.8.24 OS The Hacker News
Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections.
Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the software is from an identified developer.
It also runs checks to ensure that the app is notarized and has not been tampered with to install malware on macOS systems. Furthermore, it requires user approval before allowing any such third-party app to be run.
It's this user approval mechanism that Apple has now tightened further with macOS Sequoia, the next iteration of the Mac operating system that's expected to be released next month.
"In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or notarized," Apple said.
"They'll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run."
The move is seen as a way to counter stealer malware and backdoors targeting macOS that are often unsigned and trick users into bypassing Gatekeeper protections.
In July 2023, North Korean threat actors were observed propagating an unsigned disk image (DMG) file that impersonated a legitimate video call service named MiroTalk and unleashed its malicious behavior after a victim control-clicks and selects "Open" and ignores the security warning from Apple.
Google Patches New Android Kernel Vulnerability Exploited in the Wild
6.8.24 OS The Hacker News
Google has addressed a high-severity security flaw impacting the Android kernel that it said has been actively exploited in the wild.
The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel.
"There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024.
As is typically the case, the company did not share any additional specifics on the nature of the cyber attacks exploiting the flaw or attribute the activity to a particular threat actor or group. It's currently not known if Pixel devices are also impacted by the bug.
That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks.
The August patch addresses a total of 47 flaws, including those identified in components associated with Arm, Imagination Technologies, MediaTek, and Qualcomm.
Also resolved by Google are 12 privilege escalation flaws, one information disclosure bug, and one denial-of-service (DoS) flaw impacting the Android Framework.
In June 2024, the search company revealed that an elevation of privilege issue in Pixel Firmware (CVE-2024-32896) has been exploited as part of limited and targeted attacks.
Google subsequently told The Hacker News that the issue's impact goes beyond Pixel devices to include the broader Android platform and that it's working with OEM partners to apply the fixes where applicable.
Previously, the company also closed out two security flaws in the bootloader and firmware components (CVE-2024-29745 and CVE-2024-29748) that were weaponized by forensic companies to steal sensitive data.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-0824, a remote code execution flaw impacting Microsoft COM for Windows to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by August 26, 2024.
The addition follows a report from Cisco Talos that the flaw was weaponized by a Chinese nation-state threat actor named APT41 in a cyber attack aimed at an unnamed Taiwanese government-affiliated research institute to achieve local privilege escalation.
Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited
10.7.24 OS The Hacker News
Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild.
Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.
The two security shortcomings that have come under exploitation are below -
CVE-2024-38080 (CVSS score: 7.8) - Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2024-38112 (CVSS score: 7.5) - Windows MSHTML Platform Spoofing Vulnerability
"Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment," Microsoft said of CVE-2024-38112. "An attacker would have to send the victim a malicious file that the victim would have to execute."
Check Point security researcher Haifei Li, who has been credited with discovering and reporting the flaw in May 2024, said that threat actors are leveraging specially-crafted Windows Internet Shortcut files (.URL) that, upon clicking, redirects victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.
"An additional trick on IE is used to hide the malicious .HTA extension name," Li explained. "By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim's computer, although the computer is running the modern Windows 10/11 operating system."
"CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V," Satnam Narang, senior staff research engineer at Tenable, said. "A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system."
While the exact specifics surrounding the abuse of CVE-2024-38080 is currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation in the wild since 2022.
Two other security flaws patched by Microsoft have been listed as publicly known at the time of the release. This includes a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could enable an adversary to view heap memory from a privileged process running on Arm-based systems.
The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug impacting .NET and Visual Studio.
"An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition," Redmond said in an advisory. "This could result in remote code execution."
Also resolved as part of Patch Tuesday updates are 37 remote code execution flaws affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).
"[The SQL Server flaws] specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed," Rapid7's Lead Product Manager Greg Wiseman said.
"For example, an attacker could use social engineering tactics to dupe an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client."
Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality.
Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a severe risk due to its zero-click nature.
"Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction," Michael Gorelik said. "The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation."
The fixes come as Microsoft announced late last month that it will begin issuing CVE identifiers for cloud-related security vulnerabilities going forward in an attempt to improve transparency.
Apple Removes VPN Apps from Russian App Store Amid Government Pressure
8.7.24 OS The Hacker News
Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia's state communications watchdog Roskomnadzor, Russian news media reported.
This includes the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It's worth noting that NordVPN previously shut down all its Russian servers in March 2019.
"Apple's actions, motivated by a desire to retain revenue from the Russian market, actively support an authoritarian regime," Red Shield VPN said in a statement. "This is not just reckless but a crime against civil society."
In a similar notice, Le VPN said the takedown was carried out in accordance with No. 7 of Article 15.1 of the Federal Law dated July 27, 2006, No. 149-FZ "On Information, Information Technologies and Information Protection" and that its app was removed even before it received the official notice from the watchdog.
To that end, the VPN services have been included in the "Unified register" of internet resources prohibited for public distribution in Russia.
"This event marks a significant step in Roskomnadzor's ongoing efforts to control internet access and content within Russian territory," it said.
To counter the widespread crackdown, Le VPN has since launched an alternative service called Le VPN Give that it says "allows you to connect to our secret servers using third-party open-source software and obfuscated VPN connections."
The development is part of a series of censorship moves Kremlin has announced since the start of the Russo-Ukrainian war in February 2022 that has resulted in the blockade of several media outlets as well as social media apps such as Facebook, Instagram, and X.
Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping
27.6.24 OS The Hacker News
Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner.
Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.
"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.
In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been addressed with improved state management.
Jonas Dreßler has been credited with discovering and reporting the flaw. It has been patched as part of AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.
The development comes two weeks after the iPhone maker rolled out updates for visionOS (version 1.2) to close out 21 shortcomings, including seven flaws in the WebKit browser engine.
One of the issues pertains to a logic flaw (CVE-2024-27812) that could result in a denial-of-service (DoS) when processing web content. The problem has been fixed with improved file handling, it said.
Security researcher Ryan Pickren, who reported the vulnerability, described it as the "world's first spatial computing hack" that could be weaponized to "bypass all warnings and forcefully fill your room with an arbitrary number of animated 3D objects" sans user interaction.
The vulnerability takes advantage of Apple's failure to apply the permissions model when using the ARKit Quick Look feature to spawn 3D objects in a victim's room. Making matters worse, these animated objects continue to persist even after exiting Safari as they are handled by a separate application.
"Furthermore, it does not even require this anchor tag to have been 'clicked' by the human," Pickren said. "So programmatic JavaScript clicking (i.e., document.querySelector('a').click()) works no problem! This means that we can launch an arbitrary number of 3D, animated, sound-creating, objects without any user interaction whatsoever."
Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023
30.4.24 OS The Hacker News
Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year.
The tech giant also said it blocked 333,000 bad accounts from the app storefront in 2023 for attempting to distribute malware or for repeated policy violations.
"In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes," Google's Steve Kafka, Khawaja Shams, and Mohet Saxena said.
"To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps."
In comparison, Google fended off 1.43 million bad apps from being published to the Play Store in 2022, alongside banning 173,000 bad accounts over the same time period.
In addition, the Mountain View-based firm said it strengthened its developer onboarding and review processes, requiring them to furnish more identity information and complete a verification process when setting up their Play Console developer accounts.
This, the company noted, enables it to better understand the developer community and root out bad actors from gaming the system to propagate malicious apps.
The development comes as Google is taking a series of steps to secure the Android ecosystem. Last November, it moved the App Defense Alliance (ADA), which it launched in November 2019, under the Linux Foundation umbrella, with Meta and Microsoft joining as the founding steering members.
Around the same time, the company also rolled out real-time scanning at the code level to tackle novel Android malware and an "Independent security review" badge in the Play Store's Data safety section for VPN apps that have undergone a Mobile Application Security Assessment (MASA) audit.
On the user-facing side of things, Google has also taken the step of taking down approximately 1.5 million applications from the Play Store that do not target the most recent APIs.
Google's ongoing fight to tackle malicious actors on Android coincides with a lawsuit filed by the company in the U.S. against two China-based fraudsters who are alleged to have engaged in an international online consumer investment fraud scheme and tricked users into downloading fake apps from the Play Store and other sources and ultimately stealing their funds.
New 'Brokewell' Android Malware Spread Through Fake Browser Updates
27.4.24 OS The Hacker News
Fake browser updates are being used to push a previously undocumented Android malware called Brokewell.
"Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday.
The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches.
The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows -
jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
zRFxj.ieubP.lWZzwlluca (ID Austria)
com.brkwl.upstracking (Klarna)
Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions.
The banking trojan, once installed and launched for the first time, prompts the victim to grant permissions to the accessibility service, which it subsequently uses to automatically grant other permissions and carry out various malicious activities.
This includes displaying overlay screens on top of targeted apps to pilfer user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and transmitted to an actor-controlled server.
Some of the other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed apps, record every every event happening on the device, send SMS messages, do phone calls, install and uninstall apps, and even disable the accessibility service.
The threat actors can also leverage the malware's remote control functionality to see what's displayed on screen in real-time, as well as interact with the device through clicks, swipes, and touches.
Brokewell is said to be the work of a developer who goes by the name "Baron Samedit Marais" and manages the "Brokewell Cyber Labs" project, which also includes an Android Loader publicly hosted on Gitea.
The loader is designed to act as a dropper that bypasses accessibility permissions restrictions in Android versions 13, 14, and 15 using a technique previously adopted by dropper-as-a-service (DaaS) offerings like SecuriDropper and deploy the trojan implant.
By default, the loader apps generated through this process have the package name "com.brkwl.apkstore," although this can configured by the user by either providing a specific name or enabling the random package name generator.
The free availability of the loader means it could be embraced by other threat actors looking to sidestep Android's security protections.
"Second, existing 'Dropper-as-a-Service' offerings that currently provide this capability as a distinctive feature will likely either close their services or attempt to reorganize," ThreatFabric said.
"This further lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field."
Update#
A Google spokesperson shared the below statement with The Hacker News -
"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks
18.4.24 OS The Hacker News
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure.
The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.
Every Android app comes with a manifest XML file ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires.
Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to resist analysis.
The first method involves the use of an invalid Compression method value when unpacking the APK's manifest file using the libziparchive library, which treats any value other than 0x0000 or 0x0008 as uncompressed.
"This allows app developers to put any value except 8 into the Compression method and write uncompressed data," Kalinin explained.
"Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed."
It's worth pointing out here that the method has been adopted by threat actors associated with several Android banking trojans since April 2023.
Secondly, SoumniBot misrepresents the archived manifest file size, providing a value that exceeds the actual figure, as a result of which the "uncompressed" file is directly copied, with the manifest parser ignoring the rest of the "overlay" data that takes up the rest of the available space.
"Stricter manifest parsers wouldn't be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors," Kalinin said.
The final technique has to do with utilizing long XML namespace names in the manifest file, thus making it difficult for analysis tools to allocate enough memory to process them. That said, the manifest parser is designed to ignore namespaces, and, as a result, no errors are raised when handling the file.
SoumniBot, once launched, requests its configuration information from a hard-coded server address to obtain the servers used to send the collected data and receive commands using the MQTT messaging protocol, respectively.
It's designed to launch a malicious service that restarts every 16 minutes if it terminates for some reason, and uploads the information every 15 seconds. This includes device metadata, contact lists, SMS messages, photos, videos, and a list of installed apps.
The malware is also capable of adding and deleting contacts, sending SMS messages, toggling silent mode, and enabling Android's debug mode, not to mention hiding the app icon to make it difficult to uninstall from the device.
One noteworthy feature of SoumniBot is its ability to search the external storage media for .key and .der files containing paths to "/NPKI/yessign," which refers to the digital signature certificate service offered by South Korea for governments (GPKI), banks, and online stock exchanges (NPKI).
"These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions," Kalinin said. "This technique is quite uncommon for Android banking malware."
Earlier this year, cybersecurity company S2W revealed details of a malware campaign undertaken by the North Korea-linked Kimusuky group that made use of a Golang-based information stealer called Troll Stealer to siphon GPKI certificates from Windows systems.
"Malware creators seek to maximize the number of devices they infect without being noticed," Kalinin concluded. "This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code."
Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users
15.4.24 OS The Hacker News
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.
"The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last week.
There is evidence to suggest that the campaign may have targeted India based on VirusTotal submissions from within its borders.
First documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor that's distributed via watering hole attacks through compromised news sites.
A subsequent analysis from ThreatFabric in October 2023 uncovered infrastructure and functionality overlaps between the malware and an Android spyware known as DragonEgg, which is attributed to the Chinese nation-state group APT41 (aka Winnti).
The initial intrusion vector is presently not known, although it's suspected to be via news websites that have been breached and are known to be visited by the targets on a regular basis.
The starting point is a first-stage loader that acts as a launchpad for the core LightSpy backdoor and its assorted plugins that are retrieved from a remote server to pull off the data-gathering functions.
LightSpy is both fully-featured and modular, allowing threat actors to harvest sensitive information, including contacts, SMS messages, precise location data and sound recordings during VoIP calls.
The latest version discovered by the Canadian cybersecurity firm further expands on its capabilities to steal files as well as data from popular apps like Telegram, QQ, and WeChat, iCloud Keychain data, and web browser history from Safari and Google Chrome.
The complex espionage framework also features capabilities to gather a list of connected Wi-Fi networks, details about installed apps, take pictures using the device's camera, record audio, and execute shell commands received from the server, likely enabling it to hijack control of the infected devices.
"LightSpy employs certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server," Blackberry said. "Thus, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established."
A further examination of the implant's source code suggests the involvement of native Chinese speakers, raising the possibility of state-sponsored activity. What's more, LightSpy communicates with a server located at 103.27[.]109[.]217, which also hosts an administrator panel that displays an error message in Chinese when entering incorrect login credentials.
The development comes as Apple said it sent out threat notifications to users in 92 countries, counting India, that they may have been targeted by mercenary spyware attacks.
"The return of LightSpy, now equipped with the versatile 'F_Warehouse' framework, signals an escalation in mobile espionage threats," BlackBerry said.
"The expanded capabilities of the malware, including extensive data exfiltration, audio surveillance, and potential full device control, pose a severe risk to targeted individuals and organizations in Southern Asia."
Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks
11.4.24 OS The Hacker News
Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted attacks of such exceptional cost and complexity."
"Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global," Apple said.
"The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today."
The update marks a change in wording that previously said these "threat notifications" are designed to inform and assist users who may have been targeted by state-sponsored attackers.
According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday coinciding with the revision to the support page.
It's worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers starting November 2021.
However, the company also makes it a point to emphasize that it does not "attribute the attacks or resulting threat notifications" to any particular threat actor or geographical region.
The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware.
Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.
"Commercial spyware has been misused across the world by authoritarian regimes and in democracies [...] without proper legal authorization, safeguards, or oversight," the governments said in a joint statement.
"The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems."
According to a recent report published by Google's Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a chunk of the 97 zero-day vulnerabilities discovered in 2023.
All the vulnerabilities attributed to spyware companies targeted web browsers – particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface – and mobile devices running Android and iOS.
"Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years," the tech giant said.
"Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don't expect this activity to decrease anytime soon."
Google also said that increased security investments into exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices.
'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan
11.4.24 OS The Hacker News
An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store.
Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the name Virtual Invaders.
"Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT," ESET security researcher Lukáš Štefanko said in a technical report released today.
The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down.
The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims are said to have downloaded the apps and created accounts to use them for messaging purposes.
Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB, both of which claim to provide details about SIM owners simply by entering a Pakistan-based phone number. Other applications pass off as a food ordering service in Pakistan as well as a legitimate Indian hospital called Specialist Hospital (now rebranded as Trilife Hospital).
XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is associated with an Indian cyber security solutions company called XploitWizer. It has also been described as a fork of another open-source Android trojan called L3MON, which, in turn, draws inspiration from AhMyth.
It comes with a wide gamut of features that allows it to gather sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.
On top of that, the malicious apps are designed to take pictures and enumerate files in several directories related to screenshots, WhatApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.
"Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library," Štefanko said.
The main purpose of the native library ("defcome-lib.so") is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.
Some of the apps have been propagated through websites specifically created for this purpose ("chitchat.ngrok[.]io") that provide a link to an Android package file ("ChitChat.apk") hosted on GitHub. It's presently not clear how victims are directed to these apps.
"Distribution started on dedicated websites and then even moved to the official Google Play store," Štefanko concluded. "The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India."
Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
10.4.24 OS The Hacker News
Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is aside from 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have come under active exploitation are below -
CVE-2024-26234 (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability
CVE-2024-29988 (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass Vulnerability
While Microsoft's own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that's signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.
Authenticode analysis of the binary has revealed the original requesting publisher to Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The latter is described as "a marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting."
Present within the purported authentication service is a component called 3proxy that's designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
"We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application," Sophos researcher Andreas Klopsch said.
The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.
The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender Smartscreen protections when opening a specially crafted file.
"To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown," Microsoft said.
"In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability."
The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an "Exploitation More Likely" assessment.
Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.
"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to," Redmond said.
In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.
"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Satnam Narang, senior staff research engineer at Tenable, said in a statement.
The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.
It also follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it's worth noting that the changes are only in effect starting from advisories published since March 2024.
"The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability," Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.
"The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment."
In a related development, cybersecurity firm Varonis detailed two methods that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.
The first approach takes advantage of SharePoint's "Open in App" feature to access and download files, whereas the second uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while miscategorizing such events as file syncs instead of downloads.
Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although they have been added to their patch backlog program. In the interim, organizations are recommended to closely monitor their audit logs for suspicious access events, specifically those that involve large volumes of file downloads within a short period.
"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," Eric Saraga said.
Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
4.4.24 OS The Hacker News
Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.
The high-severity zero-day vulnerabilities are as follows -
CVE-2024-29745 - An information disclosure flaw in the bootloader component
CVE-2024-29748 - A privilege escalation flaw in the firmware component
"There are indications that the [vulnerabilities] may be under limited, targeted exploitation," Google said in an advisory published April 2, 2024.
While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they "are being actively exploited in the wild by forensic companies."
"CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," they said in a series of posts on X (formerly Twitter).
"Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory."
GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.
The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.
It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.
Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals
1.4.24 OS The Hacker News
Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.
The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge.
The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.
Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server.
The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks.
"When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor's infrastructure," security researchers said. "Many threat actors purchase access to these networks to facilitate their operations."
Some of these networks can be created by malware operators tricking unsuspecting users into installing bogus apps that essentially corral the devices into a botnet that's then monetized for profit by selling the access to other customers.
The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device to the network, and process any request from the proxy network.
Another notable aspect of these apps is that a subset of them identified between May and October 2023 incorporate a software development kit (SDK) from LumiApps, which contains the proxyware functionality. In both cases, the malicious capability is pulled off using a native Golang library.
LumiApps also offers a service that essentially permits users to upload any APK file of their choice, including legitimate applications, and bundle the SDK to it without having to create a user account, which can then be re-downloaded and shared with others.
"LumiApps helps companies gather information that is publicly available on the internet," the Israeli company says on its website. "It uses the user's IP address to load several web pages in the background from well-known websites."
"This is done in a way that never interrupts the user and fully complies with GDPR/CCPA. The web pages are then sent to companies, who use them to improve their databases, offering better products, services, and pricing."
These modified apps – called mods – are then distributed in and out of the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.
There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.
What's more, in an effort to bake the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that gets routed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.
Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a "fragmented yet interconnected ecosystem," in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels.
"[In the case of SDKs], the proxyware is often embedded in a product or service," the companies noted. Users may not notice that proxyware will be installed when accepting the terms of use of the main application it is embedded with. This lack of transparency leads to users sharing their Internet connection without a clear understanding."
The development comes as the Lumen Black Lotus Labs disclosed that end-of-life (EoL) small home/small office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.
Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities
1.4.24 OS The Hacker News
The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data.
"Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions," NCC Group researcher Joshua Kamp said in a report published last week.
Vultur was first disclosed in early 2021, with the malware capable of leveraging Android's accessibility services APIs to execute its malicious actions.
The malware has been observed to be distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. These dropper apps are offered as part of a dropper-as-a-service (DaaS) operation called Brunhilda.
Other attack chains, as observed by NCC Group, involve the droppers being spread using a combination of SMS messages and phone calls – a technique called telephone-oriented attack delivery (TOAD) – to ultimately serve an updated version of the malware.
"The first SMS message guides the victim to a phone call," Kamp said. When the victim calls the number, the fraudster provides the victim with a second SMS that includes the link to the dropper: a modified version of the [legitimate] McAfee Security app."
The initial SMS message aims to induce a false sense of urgency by instructing the recipients to call a number to authorize a non-existent transaction that involves a large sum of money.
Upon installation, the malicious dropper executes three related payloads (two APKs and one DEX file) that register the bot with the C2 server, obtain accessibility services permissions for remote access via AlphaVNC and ngrok, and run commands fetched from the C2 server.
One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's accessibility services, as well as download, upload, delete, install, and find files.
In addition, the malware is equipped to prevent the victims from interacting with a predefined list of apps, display custom notifications in the status bar, and even disable Keyguard to bypass lock screen security measures.
"Vultur's recent developments have shown a shift in focus towards maximizing remote control over infected devices," Kamp said.
"With the capability to issue commands for scrolling, swipe gestures, clicks, volume control, blocking apps from running, and even incorporating file manager functionality, it is clear that the primary objective is to gain total control over compromised devices."
The development comes as Team Cymru revealed the Octo (aka Coper) Android banking trojan's transition to a malware-as-a-service operation, offering its services to other threat actors for conducting information theft.
"The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen," the company said.
"It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities."
Octo campaigns are estimated to have compromised 45,000 devices, primarily spanning Portugal, Spain, Turkey, and the U.S. Some of the other victims are located in France, the Netherlands, Canada, India, and Japan.
The findings also follow the emergence of a new campaign targeting Android users in India that distributes malicious APK packages posing as online booking, billing, and courier services via a malware-as-a-service (MaaS) offering.
The malware "targets theft of banking information, SMS messages, and other confidential information from victims' devices," Broadcom-owned Symantec said in a bulletin.
McAfee Labs, which shed more light on the ongoing campaign, said the malware has been embedded in over 800 apps. More than 3,700 Android devices have been compromised. It attributed the MaaS service to an Indian cyber group named Elvia Infotech.
"[Scammers] typically contact victims via phone, text, email, or social applications to inform them that they need to reschedule services," security researchers ZePeng Chen and Wenfeng Yu said.
"This kind of fraud attack is a typical and effective fraud method. As a result, victims are asked to download a specific app, and submit personal information. Once this information falls into the hands of scammers, they can easily steal funds from the victim’s bank account."
Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws
6.3.24 OS The Hacker News
Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild.
The shortcomings are listed below -
CVE-2024-23225 - A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
CVE-2024-23296 - A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections
It's currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
The updates are available for the following devices -
iOS 16.7.6 and iPadOS 16.7.6 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
iOS 17.4 and iPadOS 17.4 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
With the latest development, Apple has addressed a total of three actively exploited zero-days in its software since the start of the year. In late January 2024, it plugged a type confusion flaw in WebKit (CVE-2024-23222) impacting iOS, iPadOS, macOS, tvOS, and Safari web browser that could result in arbitrary code execution.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply necessary updates by March 26, 2024.
The vulnerabilities concern an information disclosure flaw affecting Android Pixel devices (CVE-2023-21237) and an operating system command injection flaw in Sunhillo SureLine that could result in code execution with root privileges (CVE-2021-36380).
Google, in an advisory published in June 2023, acknowledged it found indications that "CVE-2023-21237 may be under limited, targeted exploitation." As for CVE-2021-36380, Fortinet revealed late last year that a Mirai botnet called IZ1H9 was leveraging the flaw to corral susceptible devices into a DDoS botnet.
New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers
22.2.24 OS The Hacker News
Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password.
The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a security evaluation of wpa_supplicant and Intel's iNet Wireless Daemon (IWD), respectively.
The flaws "allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password," Top10VPN said in a new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack.
CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing existing users and devices to potential attacks such as malware infections, data theft, and business email compromise (BEC). It impacts IWD versions 2.12 and lower.
On the other hand, CVE-2023-52160 affects wpa_supplicant versions 2.10 and prior. It's also the more pressing of the two flaws owing to the fact that it's the default software used in Android devices to handle login requests to wireless networks.
That said, it only impacts Wi-Fi clients that aren't properly configured to verify the certificate of the authentication server. CVE-2023-52161, however, affects any network that uses a Linux device as a wireless access point (WAP). Successful exploitation of CVE-2023-52160 banks on the prerequisite that the attacker is in possession of the SSID of a Wi-Fi network to which the victim has previously connected. It also requires the threat actor to be in physical proximity to the victim. "One possible such scenario might be where an attacker walks around a company's building scanning for networks before targeting an employee leaving the office," the researchers said. Major Linux distributions such as Debian (1, 2), Red Hat (1), SUSE (1, 2), and Ubuntu (1, 2) have released advisories for the two flaws. The wpa_supplicant issue has also been addressed in ChromeOS from versions 118 and later, but fixes for Android are yet to be made available. "In the meantime, it's critical, therefore, that Android users manually configure the CA certificate of any saved enterprise networks to prevent the attack," Top10VPN said.
Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices
19.2.24 OS The Hacker News
Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.
The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.
"Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone,camera, and screenshot functionality," the company said.
The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.
These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.
Specifically, a network of fictitious personas linked to RCS Labs, which is owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, in addition to clicking on bogus links for conducting reconnaisance.
Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT was employed for exploit development and testing, including sharing of malicious links. Last week, reports emerged that the company is shutting down its operations.
Cybersecurity
Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, as well as by Mollitiam Industries, a Spanish firm that advertises a data collection service and spyware targeting Windows, macOS, and Android, to scrape public information.
Elsewhere, the social media giant actioned on networks from China, Myanmar, and Ukraine exhibiting coordinated inauthentic behavior (CIB) by removing over 2,000 accounts, Pages, and Groups from Facebook and Instagram.
While the Chinese cluster targeted U.S. audiences with content related to criticism of U.S. foreign policy towards Taiwan and Israel and its support of Ukraine, the network originating from Myanmar targeted its own residents with original articles that praised the Burmese army and disparaged the ethnic armed organizations and minority groups.
The third cluster is notable for its use of fake Pages and Groups to post content that supported Ukrainian politician Viktor Razvadovskyi, while also sharing "supportive commentary about the current government and critical commentary about the opposition" in Kazakhstan.
The development comes as a coalition of government and tech companies, counting Meta, have signed an agreement to curb the abuse of commercial spyware to commit human rights abuses.
As countermeasures, the company has introduced new features like enabled Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp in an effort to make exploitation harder and reduce the overall attack surface.
That said, the surveillance industry continues to thrive in myriad, unexpected forms. Last month, 404 Media — building off prior research from the Irish Council for Civil Liberties (ICCL) in November 2023 — unmasked a surveillance tool called Patternz that leverages real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.
"Patternz allows national security agencies utilize real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users' behavior, location patterns and mobile usage characteristics, ISA, the Israeli company behind the product claimed on its website.
Then last week, Enea took the wraps off a previously unknown mobile network attack known as MMS Fingerprint that's alleged to have been utilized by Pegasus-maker NSO Group. This information was included in a 2015 contract between the company and the telecom regulator of Ghana.
Cybersecurity
While the exact method used remains something of a mystery, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS that notifies the recipient device of an MMS that's waiting for retrieval from the Multimedia Messaging Service Center (MMSC).
The MMS is then fetched by means of MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.
What's notable about this approach is that user device information such as User-Agent (different from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, thereby acting as a fingerprint of sorts.
"The (MMS) User-Agent is a string that typically identifies the OS and device," Enea said. "x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset."
A threat actor looking to deploy spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even craft more effective phishing campaigns. That said, there is no evidence that this security hole has been exploited in the wild in recent months.
Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries
19.2.24 OS The Hacker News
The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.
"Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms," ThreatFabric said in a report shared with The Hacker News.
"All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13." The campaign, in total, involves five droppers with more than 100,000 total installations.
Also known by the name TeaBot and Toddler, Anatsa is known to be distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing security measures imposed by Google that seek to grant sensitive permissions.
In June 2023, the Dutch mobile security firm disclosed an Anatsa campaign that targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland at least since March 2023 using dropper apps that were collectively downloaded over 30,000 times on the Play Store.
Anatsa comes fitted with capabilities to gain full control over infected devices and execute actions on a victim's behalf. It can also steal credentials to initiate fraudulent transactions.
The latest iteration observed in November 2023 is no different in that one of the droppers masqueraded as a phone cleaner app named "Phone Cleaner - File Explorer" (package name "com.volabs.androidcleaner") and leveraged a technique called versioning to introduce its malicious behavior.
While the app is no longer available for download from the official storefront for Android, it can still be downloaded via other sketchy third-party sources.
According to statistics available on app intelligence platform AppBrain, the app is estimated to have been downloaded about 12,000 times during the time it was available on the Google Play Store between November 13 and November 27, when it was unpublished.
"Initially, the app appeared harmless, with no malicious code and its accessibility service not engaging in any harmful activities," ThreatFabric researchers said.
"However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server."
What makes the dropper notable is that its abuse of the accessibility service is tailored to Samsung devices, suggesting that it was designed to exclusively target the company-made handsets at some point, although other droppers used in the campaign have been found to be manufacturer agnostic.
The droppers are also capable of circumventing Android 13's restricted settings by mimicking the process used by marketplaces to install new applications without having their access to the accessibility service functionalities disabled, as previously observed in the case of dropper services like SecuriDropper.
"These actors prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus," ThreatFabric said. "This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time."
The development comes as Fortinet FortiGuard Labs detailed another campaign that distributes the SpyNote remote access trojan by imitating a legitimate Singapore-based cryptocurrency wallet service known as imToken to replace destination wallet addresses and with actor-controlled ones and conduct illicit asset transfers.
"Like much Android malware today, this malware abuses the accessibility API," security researcher Axelle Apvrille said. "This SpyNote sample uses the Accessibility API to target famous crypto wallets."
Microsoft Introduces Linux-Like 'sudo' Command to Windows 11
12.2.24 OS The Hacker News
Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.
"Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said.
"It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console."
Sudo, short for superuser do, is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, usually a user with elevated permissions (e.g., administrator).
The feature is available for Windows 11 builds 26045 and later. It can be enabled by heading to Settings > System > For Developers, and setting "Enable sudo" to On.
Sudo for Windows comes with three options: run applications in a new elevated console window, run the elevated process in the current window but with the input stream (stdin) closed, and in inline mode.
Sudo for Windows 11 "An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration." Microsoft said it's also in the process of open-sourcing the project on GitHub, urging other users to contribute to the initiative as well as report issues and file feature requests.
"The inline configuration option runs the elevated process in the current window and the process is able to receive input from the current console session," Redmond warns in its documentation.
Alert: New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices
10.2.24 OS The Hacker News
Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.
The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files.
Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.
It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.
Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.
The captured information is then exfiltrated to a command-and-control (C2) server.
The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.
"ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model," security researcher Andrei Lapusneau said.
In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.
MoqHao Android Malware Evolves with Auto-Execution Capability
9.2.24 OS The Hacker News
Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction.
"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is installed, their malicious activity starts automatically."
The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea.
MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that's associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye).
Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware but redirect victims to credential harvesting pages impersonating Apple's iCloud login page when visited from an iPhone.
In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. As of early last year, updated versions of MoqHao have been found to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking, revealing the adversary's commitment to innovating its arsenal.
The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload is run automatically upon installation and prompts the victim to grant it risky permissions without launching the app, a behavior previously spotted with bogus apps containing the HiddenAds malware.
What's also received a facelift is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the likelihood of the attack's success. The content for these messages is extracted from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.
MoqHao is equipped with several features that allow it to stealthily harvest sensitive information like device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, among others.
McAfee said it has reported the findings to Google, which is said to be "already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."
The development comes as Chinese cybersecurity firm QiAnXin revealed that a previously unknown cybercrime syndicate named Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to corral them into a botnet for conducting distributed denial-of-service (DDoS) attacks.
The operation, active since at least 2015, is estimated to control a botnet comprising 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million distinct Brazilian IP addresses have been associated with Bigpanzi since August 2023.
The infections are made possible by tricking users into installing booby-trapped apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.
"Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic," QiAnXin researchers said.
"The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability."
Google Starts Blocking Sideloading of Potentially Dangerous Android Apps in Singapore
8.2.24 OS The Hacker News
Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data.
"This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers)," the company said.
The feature is designed to examine the permissions declared by a third-party app in real-time and look for those that seek to gain access to sensitive permissions associated with reading SMS messages, deciphering or dismissing notifications from legitimate apps, and accessibility services that have been routinely abused by Android-based malware for extracting valuable information.
As part of the test, users in Singapore who attempt to sideload such apps (or APK files) will be blocked from doing so via Google Play Protect and displayed a pop-up message that reads: "This app can request access to sensitive data. This can increase the risk of identity theft or financial fraud."
"These permissions are frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on-screen content," Eugene Liderman, director of the mobile security strategy at Google, said.
The change is part of a collaborative effort to combat mobile fraud, the tech giant said, urging app developers to follow best practices and review their apps' device permissions to ensure it does not violate the Mobile Unwanted Software principles.
Google, which launched Google Play Protect real-time scanning at the code level to detect novel Android malware in select markets like India, Thailand, Singapore, and Brazil, said the effort allowed it to detect 515,000 new malicious apps and that it issued no less than 3.1 million warnings or blocks of those apps.
The development also comes as Apple announced sweeping changes to the App Store in the European Union to comply with the Digital Markets Act (DMA) ahead of the March 6, 2024, deadline. The changes, including Notarization for iOS apps, are expected to go live with iOS 17.4.
The iPhone maker, however, repeatedly emphasized that distributing iOS apps from alternative app marketplaces exposes E.U. users to "increased privacy and security threats," and that it does not intend to bring them to other regions.
"This includes new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats," Apple said. "These changes also compromise Apple's ability to detect, prevent, and take action against malicious apps on iOS and to support users impacted by issues with apps downloaded outside of the App Store."
Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware
5.2.24 OS The Hacker News
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.
"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."
As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.
Privee Talk (com.priv.talk)
MeetMe (com.meeete.org)
Let's Chat (com.letsm.chat)
Quick Chat (com.qqc.chat)
Rafaqat رفاق (com.rafaqat.news)
Chit Chat (com.chit.chat)
YohooTalk (com.yoho.talk)
TikTalk (com.tik.talk)
Hello Chat (com.hello.chat)
Nidus (com.nidus.no or com.nionio.org)
GlowChat (com.glow.glow)
Wave Chat (com.wave.chat)
Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.
The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.
This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.
It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.
Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).
Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.
The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.
"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.
It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.
According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.
"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.
Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."
Pegasus Spyware Targeted iPhones of Journalists and Activists in Jordan
5.2.24 OS The Hacker News
The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group's Pegasus spyware, according to joint findings from Access Now and the Citizen Lab.
Nine of the 35 individuals have been publicly confirmed as targeted, out of whom six had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023.
"In some cases, perpetrators posed as journalists, seeking an interview or a quote from victims, while embedding malicious links to Pegasus spyware amid and in between their messages," Access Now said.
"A number of victims were reinfected with Pegasus spyware multiple times — demonstrating the relentless nature of this targeted surveillance campaign."
The Israeli company has been under the radar for failing to implement rigorous human rights safeguards prior to selling its cyber intelligence technology to government clients and law enforcement agencies for "preventing and investigating terrorism and serious crimes."
NSO Group, in its 2023 Transparency and Responsibility Report, touted a "significant decrease" in reports of product misuse during 2022 and 2023, attributing the downturn to its due diligence and review process.
"Cyber intelligence technology enables government intelligence and law enforcement agencies to carry out their basic duties to prevent violence and safeguard the public," the company noted.
"Importantly, it allows them to counter the widespread deployment of end-to-end encryption applications by terrorists and criminals without engaging in mass surveillance or obtaining backdoor access to the devices of all users."
It further sought to "dispel falsehoods" about Pegasus, stating it is not a mass surveillance tool, that it's licensed to legitimate, vetted intelligence and law enforcement agencies, and that it cannot take control of a device or penetrate computer networks, desktop or laptop operating systems.
"It is technologically impossible for Pegasus to add, alter, delete, or otherwise manipulate data on targeted mobile devices, or perform any other activities beyond viewing and/or extracting certain data," NSO Group said.
Despite these assurances, the invasive spyware attacks targeting Jordan civil society members underscores the continued pattern of abuse that run counter to the company's claims.
Access Now said the victims' devices were infiltrated with both zero-click and one-click attacks using Apple iOS exploits like FORCEDENTRY, FINDMYPWN, PWNYOURHOME, and BLASTPASS to breach security guardrails and deliver Pegasus via social engineering attacks.
The attacks were characterized by the propagation of malicious links to victims via WhatsApp and SMS, with the attackers posing as journalists to increase the likelihood of success of the campaign.
The non-profit further said that enabling Lockdown Mode on the iPhones likely prevented some of the devices from being re-infected again with the spyware. It also called on world governments, including Jordan's, to halt the use of such tools and enforce a moratorium on their sale until adequate countermeasures are adopted.
"Surveillance technologies and cyberweapons such as NSO Group's Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against other targets," Access Now said.
"The targeted surveillance of individuals violates their right to privacy, freedom of expression, association, and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal."
Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software
19.1.24 OS The Hacker News
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
"These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.
"Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine."
The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called "dylib" that's executed every time the application is opened.
The dropper then acts as a conduit to fetch a backdoor ("bd.log") as well as a downloader ("fl01.log") from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.
The backdoor – written to the path "/tmp/.test" – is fully-featured and built atop an open-source post-exploitation toolkit called Khepri. The fact that it is located in the "/tmp" directory means it will be deleted when the system shuts down.
That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.
On the other hand, the downloader is written to the hidden path "/Users/Shared/.fseventsd," following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.
While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.
"It's possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure," the researchers said.
New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone
18.1.24 OS The Hacker News
Cybersecurity researchers have identified a "lightweight method" called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's Pegasus, QuaDream's Reign, and Intellexa's Predator.
Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named "Shutdown.log," a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics.
"Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward," security researcher Maher Yamout said. "The log file is stored in a sysdiagnose (sysdiag) archive."
The Russian cybersecurity firm said it identified entries in the log file that recorded instances where "sticky" processes, such as those associated with the spyware, caused a reboot delay, in some cases observing Pegasus-related processes in over four reboot delay notices.
What's more, the investigation revealed the presence of a similar filesystem path that's used by all the three spyware families – "/private/var/db/" for Pegasus and Reign, and "/private/var/tmp/" for Predator – thereby acting as an indicator of compromise.
That said, the success of this approach hinges on a caveat that the target user reboots their device as often as possible, the frequency for which varies according to their threat profile.
Kaspersky has also published a collection of Python scripts to extract, analyze, and parse the Shutdown.log in order to extract the reboot stats.
"The lightweight nature of this method makes it readily available and accessible," Yamout said. "Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries."
The disclosure comes as SentinelOne revealed information stealers targeting macOS such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer) are quickly adapting to circumvent Apple's built-in antivirus technology called XProtect.
"Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade," security researcher Phil Stokes said. "Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed."
Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload
11.1.24 OS The Hacker News
Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities.
"It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules," Malwarebytes' Jérôme Segura said in a Wednesday report.
Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine's password via a fake prompt.
Over the past several months, the malware has been observed propagated via malvertising and compromised sites under the guise of legitimate software and web browser updates.
Malwarebytes' latest analysis shows that Atomic Stealer is now being sold for a hefty $3,000/month rental fee, with the actors running a promotion coinciding with Christmas, offering the malware for a discounted price of $2,000.
Besides incorporating encryption to thwart detection by security software, campaigns distributing Atomic Stealer have undergone a slight shift, wherein Google search ads impersonating Slack are used as conduits to deploy Atomic Stealer or a malware loader called EugenLoader (aka FakeBat) depending on the operating system.
It's worth noting that a malvertising campaign spotted in September 2023 leveraged a fraudulent site for the TradingView charting platform to deliver NetSupport RAT, if visited from Windows, and Atomic Stealer, if the operating system is macOS.
The rogue Slack disk image (DMG) file, upon opening, prompts the victim to enter their system password, thereby allowing threat actors to gather sensitive information that are access-restricted. Another crucial aspect of the new version is the use of obfuscation to conceal the command-and-control server that receives the stolen information.
"As stealers continue to be a top threat for Mac users, it is important to download software from trusted locations," Segura said. "Malicious ads and decoy sites can be very misleading though and it only takes a single mistake (entering your password) for the malware to collect and exfiltrate your data."
Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities
10.1.24 OS The Hacker News
Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024.
Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days.
The fixes are in addition to nine security vulnerabilities that have been resolved in the Chromium-based Edge browser since the release of December 2023 Patch Tuesday updates. This also includes a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said has been actively exploited in the wild.
The most critical among the flaws patched this month are as follows -
CVE-2024-20674 (CVSS score: 9.0) - Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-20700 (CVSS score: 7.5) - Windows Hyper-V Remote Code Execution Vulnerability
"The authentication feature could be bypassed as this vulnerability allows impersonation," Microsoft said in an advisory for CVE-2024-20674.
"An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MitM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server."
However, the company noted that successful exploitation requires an attacker to gain access to the restricted network first. Security researcher ldwilmore34 has been credited with discovering and reporting the flaw.
CVE-2024-20700, on the other hand, neither requires authentication nor user interaction to achieve remote code execution, although winning a race condition is a prerequisite to staging an attack.
"It isn't clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur," Adam Barnett, lead software engineer at Rapid7, told The Hacker News.
Other notable flaws include CVE-2024-20653 (CVSS score: 7.8), a privilege escalation flaw impacting the Common Log File System (CLFS) driver, and CVE-2024-0056 (CVSS score: 8.7), a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient.
"An attacker who successfully exploited this vulnerability could carry out a machine-in-the-middle (MitM) attack and could decrypt and read or modify TLS traffic between the client and server," Redmond said about CVE-2024-0056.
Microsoft further noted that it's disabling the ability to insert FBX files in Word, Excel, PowerPoint, and Outlook in Windows by default due to a security flaw (CVE-2024-20677, CVSS score: 7.8) that could lead to remote code execution.
"3D models in Office documents that were previously inserted from an FBX file will continue to work as expected unless the 'Link to File' option was chosen at the insert time," Microsoft said in a separate alert. "GLB (Binary GL Transmission Format) is the recommended substitute 3D file format for use in Office."
It's worth noting that Microsoft took a similar step of disabling the SketchUp (SKP) file format in Office last year following Zscaler's discovery of 117 security flaws in Microsoft 365 applications.
SpectralBlur: New macOS Backdoor Threat from North Korean Hackers
5.1.24 OS The Hacker News
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors.
"SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control] server," security researcher Greg Lesnewich said.
The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host.
It's worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.
In recent months, the threat actor has been observed combining disparate pieces of these two infection chains, leveraging RustBucket droppers to deliver KANDYKORN.
The latest findings are another sign that North Korean threat actors are increasingly setting their sights on macOS to infiltrate high-value targets, particularly those within the cryptocurrency and the blockchain industries.
"TA444 keeps running fast and furious with these new macOS malware families," Lesnewich said.
Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.
The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been built by different developers keeping the same requirements in mind.
What makes the malware stand out are its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.
The disclosure comes as a total of 21 new malware families designed to target macOS systems, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, were discovered in 2023, up from 13 identified in 2022.
"With the continued growth and popularity of macOS (especially in the enterprise!), 2024 will surely bring a bevy of new macOS malware," Wardle noted.