FreshRSS

🔒
△ 🔃
☐ ☆ ✇ WIRED

Free Airline Miles, Hotel Points, and User Data Put at Risk by Flaws in Points Platform

By Lily Hay Newman — August 3rd 2023 at 19:57
Flaws in the Points.com platform, which is used to manage dozens of major travel rewards programs, exposed user data—and could have let an attacker snag some extra perks.
☐ ☆ ✇ The Register - Security

Old-school hacktivism is back because it never went away

August 3rd 2023 at 19:44

Mysterious Team Bangladesh has carried out 846 attacks since June 2022, mostly DDoS

Hacktivism may have dropped off of organization radars over the past few years, but it is now very visibly coming from what is believed to be Bangladesh, thanks to a group tracked by cybersecurity firm Group-IB.…

☐ ☆ ✇ Krebs on Security

How Malicious Android Apps Slip Into Disguise

By BrianKrebs — August 3rd 2023 at 11:22

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric, a security firm based in Amsterdam. Aleksandr Eremin, a senior malware analyst at the company, told KrebsOnSecurity they recently encountered a number of mobile banking trojans abusing a bug present in all Android OS versions that involves corrupting components of an app so that its new evil bits will be ignored as invalid by popular mobile security scanning tools, while the app as a whole gets accepted as valid by Android OS and successfully installed.

“There is malware that is patching the .apk file [the app installation file], so that the platform is still treating it as valid and runs all the malicious actions it’s designed to do, while at the same time a lot of tools designed to unpack and decompile these apps fail to process the code,” Eremin explained.

Eremin said ThreatFabric has seen this malware obfuscation method used a few times in the past, but in April 2023 it started finding many more variants of known mobile malware families leveraging it for stealth. The company has since attributed this increase to a semi-automated malware-as-a-service offering in the cybercrime underground that will obfuscate or “crypt” malicious mobile apps for a fee.

Eremin said Google flagged their initial May 9, 2023 report as “high” severity. More recently, Google awarded them a $5,000 bug bounty, even though it did not technically classify their finding as a security vulnerability.

“This was a unique situation in which the reported issue was not classified as a vulnerability and did not impact the Android Open Source Project (AOSP), but did result in an update to our malware detection mechanisms for apps that might try to abuse this issue,” Google said in a written statement.

Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.

“We are investigating possible fixes for developer tools and plan to update our documentation accordingly,” Google’s statement continued.

Image: ThreatFabric.

According to ThreatFabric, there are a few telltale signs that app analyzers can look for that may indicate a malicious app is abusing the weakness to masquerade as benign. For starters, they found that apps modified in this way have Android Manifest files that contain newer timestamps than the rest of the files in the software package.

More critically, the Manifest file itself will be changed so that the number of “strings” — plain text in the code, such as comments — specified as present in the app does match the actual number of strings in the software.

One of the mobile malware families known to be abusing this obfuscation method has been dubbed Anatsa, which is a sophisticated Android-based banking trojan that typically is disguised as a harmless application for managing files. Last month, ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.

ThreatFabric says Anatsa poses as PDF viewers and other file managing applications because these types of apps already have advanced permissions to remove or modify other files on the host device. The company estimates the people behind Anatsa have delivered more than 30,000 installations of their banking trojan via ongoing Google Play Store malware campaigns.

Google has come under fire in recent months for failing to more proactively police its Play Store for malicious apps, or for once-legitimate applications that later go rogue. This May 2023 story from Ars Technica about a formerly benign screen recording app that turned malicious after garnering 50,000 users notes that Google doesn’t comment when malware is discovered on its platform, beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it.

“The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders,” Ars’ Dan Goodin wrote. “Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.”

The Ars story mentions one potentially positive change by Google of late: A preventive measure available in Android versions 11 and higher that implements “app hibernation,” which puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions.

☐ ☆ ✇ The Register - Security

Brit healthcare body rapped for WhatsApp chat sharing patient data

August 3rd 2023 at 09:26

Time for a proper secure clinical image transfer system, perhaps?

Staff at NHS Lanarkshire - which serves over half a million Scottish residents - used WhatsApp to swap photos and personal info about patients, including children's names and addresses.…

☐ ☆ ✇ WeLiveSecurity

Fingerprints all over: Can browser fingerprinting increase website security?

August 3rd 2023 at 09:25
Browser fingerprinting is supposedly a more privacy-conscious tracking method, replacing personal information with more general data. But is it a valid promise?
☐ ☆ ✇ The Register - Security

Prepare for plenty more pain from Ivanti's MDM flaws, warn cyber agencies

August 3rd 2023 at 07:38

Invaders already spent four or more months frolicking inside Norwegian government servers

Intruders who exploited a critical Ivanti bug to compromise 12 Norwegian government agencies spent at least four months looking around the organizations' systems and stealing data before the intrusion was discovered and stopped.…

☐ ☆ ✇ Naked Security

“Crocodile of Wall Street” and her husband plead guilty to giant-sized cryptocrimes

By Paul Ducklin — August 4th 2023 at 16:52
Sentences still to be decided, but she could get up to 10 years and he could get as many as 20.

☐ ☆ ✇ The Hacker News

NYC Couple Pleads Guilty to Money Laundering in $3.6 Billion Bitfinex Hack

By THN — August 4th 2023 at 12:13
A married couple from New York City has pleaded guilty to money laundering charges in connection with the 2016 hack of cryptocurrency stock exchange Bitfinex, resulting in the theft of about 120,000 bitcoin. The development comes more than a year after Ilya Lichtenstein, 35, and his wife, Heather Morgan, 33, were arrested in February 2022, following the seizure of roughly 95,000 of the stolen
☐ ☆ ✇ The Hacker News

Webinar - Making PAM Great Again: Solving the Top 5 Identity Team PAM Challenges

By The Hacker News — August 4th 2023 at 11:06
Privileged Access Management (PAM) solutions are widely acknowledged as the gold standard for securing critical privileged accounts. However, many security and identity teams face inherent obstacles during the PAM journey, hindering these solutions from reaching their full potential. These challenges deprive organizations of the resilience they seek, making it essential to address them
☐ ☆ ✇ The Hacker News

Malicious npm Packages Found Exfiltrating Sensitive Data from Developers

By THN — August 4th 2023 at 10:33
Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different
☐ ☆ ✇ The Hacker News

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

By THN — August 4th 2023 at 07:02
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
☐ ☆ ✇ Naked Security

S3 Ep146: Tell us about that breach! (If you want to.)

By Paul Ducklin — August 3rd 2023 at 17:56
Serious security stories explained clearly in plain English - listen now. (Full transcript available.)

☐ ☆ ✇ The Hacker News

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners

By THN — August 3rd 2023 at 16:18
Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users. "Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News. While versioning is not a new phenomenon, it's sneaky and hard
☐ ☆ ✇ The Hacker News

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

By THN — August 3rd 2023 at 14:33
Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel
☐ ☆ ✇ The Hacker News

Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack

By THN — August 3rd 2023 at 14:20
Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The 
☐ ☆ ✇ The Hacker News

A Penetration Testing Buyer's Guide for IT Security Teams

By The Hacker News — August 3rd 2023 at 12:47
The frequency and complexity of cyber threats are constantly evolving. At the same time, organizations are now collecting sensitive data that, if compromised, could result in severe financial and reputational damage. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. There is also increasing public and
☐ ☆ ✇ The Hacker News

Microsoft Flags Growing Cybersecurity Concerns for Major Sporting Events

By THN — August 3rd 2023 at 10:01
Microsoft is warning of the threat malicious cyber actors pose to stadium operations, warning that the cyber risk surface of live sporting events is "rapidly expanding." "Information on athletic performance, competitive advantage, and personal information is a lucrative target," the company said in a Cyber Signals report shared with The Hacker News. "Sports teams, major league and global
☐ ☆ ✇ The Hacker News

"Mysterious Team Bangladesh" Targeting India with DDoS Attacks and Data Breaches

By THN — August 3rd 2023 at 09:20
A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. "The group most frequently attacks logistics, government, and financial sector organizations in India and Israel," Singapore-headquartered cybersecurity firm Group-IB said in a report shared with The Hacker News. "The group is
☐ ☆ ✇ The Hacker News

Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats

By THN — August 3rd 2023 at 06:38
Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It's also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
☐ ☆ ✇ The Hacker News

Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

By THN — August 3rd 2023 at 04:06
Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software. Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported
☐ ☆ ✇ Naked Security

Performance and security clash yet again in “Collide+Power” attack

By Paul Ducklin — August 2nd 2023 at 23:36
It's a real vulnerability, but the data leakage rate can be as low as... let's just say that an IMAX-quality copy of the new "Oppenheimer" movie could take you 4 billion years to exfiltrate.

☐ ☆ ✇ WeLiveSecurity

The grand theft of Jake Moore’s voice: The concept of a virtual kidnap

August 2nd 2023 at 12:38
With powerful AI, it doesn’t take much to fake a person virtually, and while there are some limitations, voice-cloning can have some dangerous consequences.
☐ ☆ ✇ The Hacker News

Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures

By THN — August 2nd 2023 at 14:12
A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities. Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto,
☐ ☆ ✇ The Hacker News

Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023

By THN — August 2nd 2023 at 12:55
About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year. According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of
☐ ☆ ✇ The Hacker News

Phishers Exploit Salesforce's Email Services Zero-Day in Targeted Facebook Campaign

By THN — August 2nd 2023 at 12:55
A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce's email services, allowing threat actors to craft targeted phishing messages using the company's domain and infrastructure. "Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform,"
☐ ☆ ✇ The Hacker News

Top Industries Significantly Impacted by Illicit Telegram Networks

By The Hacker News — August 2nd 2023 at 11:52
In recent years the rise of illicit activities conducted within online messaging platforms has become a growing concern for countless industries. One of the most notable platforms that has been host to many malicious actors and nefarious activities has been Telegram. Thanks to its accessibility, popularity, and user anonymity, Telegram has attracted a large number of threat actors driven by
☐ ☆ ✇ The Hacker News

Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan

By THN — August 2nd 2023 at 11:50
Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access trojan on Windows and Linux environments "The SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with
☐ ☆ ✇ The Hacker News

Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers

By THN — August 2nd 2023 at 07:31
Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. "Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari," Halcyon said in a new
☐ ☆ ✇ The Register - Security

Australian Senate committee recommends bans on Chinese social media apps

August 2nd 2023 at 06:30

WeChat accused of 'contempt for Parliament' as transparency rules floated for platforms

An Australian Senate Committee has recommended banning Chinese social media apps in the land down under, on grounds the Communist Party of China uses them to spread propaganda and misinformation.…

☐ ☆ ✇ The Hacker News

Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability

By THN — August 2nd 2023 at 03:41
Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian
☐ ☆ ✇ The Register - Security

Socket moves beyond JavaScript and Python and gets into Go

August 2nd 2023 at 01:58

CEO, fresh with funds, lays out the dependency dilemma

Interview Open source security biz Socket is extending its source code dependency checker, which previously addressed only JavaScript and Python, by adding support for checking Go code.…

☐ ☆ ✇ Naked Security

Firefox fixes a flurry of flaws in the first of two releases this month

By Paul Ducklin — August 1st 2023 at 19:28
No zero-days, but some interesting patches with their very own "teachable moments".

Firefox

❌