A new zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges.

Tracked as CVE-2021-3064 (CVSS score: 9.8), the security weakness impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Massachusetts-based cybersecurity firm Randori has been credited with discovering and reporting the issue.

“The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow,” Randori researchers said. “Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products.”

Technical details related to CVE-2021-3064 have been withheld for 30 days to prevent threat actors from abusing the vulnerability to stage real-world attacks.

The security bug stems from a buffer overflow that occurs while parsing user-supplied input. Successful exploitation of the flaw necessitates that the attacker strings it with a technique known as HTTP smuggling to achieve remote code execution on the VPN installations, not to mention have network access to the device on the GlobalProtect service default port 443.

“A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges,” Palo Alto Networks said in an independent advisory. “The attacker must have network access to the GlobalProtect interface to exploit this issue.”

In light of the fact that VPN devices are lucrative targets for malicious actors, it’s highly recommended that users move quickly to patch the vulnerability. As a workaround, Palo Alto Networks is advising affected organizations to enable threat signatures for identifiers 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces to prevent any potential attacks against CVE-2021-3064.

The post Palo Alto Warns of Zero-Day Bug in Firewalls Using GlobalProtect Portal VPN appeared first on Technology News.

A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal.

The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT) said in a technical report. The names of the victims were not disclosed.

The latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of “additional victims and provide further visibility into Lyceum’s targeting methodology,” the researchers noted, adding “at least two of the identified compromises are assessed to be ongoing despite prior public disclosure of indicators of compromise.”

Believed to be active since 2017, Lyceum (aka Hexane or Spirlin) is known to target sectors of strategic national importance for purposes of cyber espionage, while also retooling its arsenal with new implants, and expanding its sights to include ISPs and government agencies. The new and updated malware and TTPs have enabled the hacking group to mount attacks against two entities in Tunisia, Russian cybersecurity firm Kaspersky disclosed last month.

The threat actor has been traditionally observed using credential stuffing and brute-force attacks as initial attack vectors to obtain account credentials and gain foothold into targeted organizations, leveraging the access as a springboard to drop and execute post-exploitation tools.

Two distinct malware families — called Shark and Milan (named “James” by Kaspersky) — are the primary implants deployed by the threat actor, each allowing for the execution of arbitrary commands and exfiltration of sensitive data from the compromised systems to a remote attacker-controlled server.

ACTI and PACT also said it located beaconing from a reconfigured or potentially a new Lyceum backdoor in late October 2021 originating from a telecommunications company in Tunisia and an MFA in Africa, indicating that the operators are actively updating their backdoors in light of recent public disclosures and attempting to bypass detection by security software.

“Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of [indicators of compromise] associated with its operations,” the researchers said.

The post Iran’s Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa appeared first on Technology News.

Though we are recovering from the worst pandemic, cyber threats have shown no sign of downshifting, and cybercriminals are still not short of malicious and advanced ways to achieve their goals.

The Global Threat Landscape Report indicates a drastic rise in sophisticated cyberattacks targeting digital infrastructures, organizations, and individuals in 2021. Threats can take different forms with the intent to commit fraud and damage businesses and people. Ransomware, DDoS attacks, phishing, malware, and man-in-the-middle attacks represent the greatest threat to businesses today.

When new threats emerge, attackers take advantage of them – however, most businesses are only aware of the current threats.

Organizations struggle to address these threats due to their resource sophistication and their lack of understanding of evolving threat landscapes. For these reasons, organizations need visibility on the advanced threats especially targeting their infrastructure. This article will outline the evolution in the cyber threat landscape 2021.

Evolving Threat Landscape – Find Out What You Don’t Know

1 — Ransomware

Ransomware is still a common and evolving cyber security threat with several highly publicized incidents. Ransomware incidents affect organizations, businesses, and individuals resulting in financial loss, operational disruptions, and data exfiltration. Compromise through internet-facing vulnerabilities & misconfigurations, third parties & managed service providers, Remote Desktop Protocol (RDP) and phishing emails remain the most common infection vectors.

The occurrence of extortion schemes has increased from single to multiple schemes during 2021. After initially encrypting sensitive information from the victim and threatening to reveal it publicly unless a ransom is paid, attackers are now targeting the victim’s partners and customers for ransom to maximize their profits.

New research from Coalition revealed that there was a 170% increase in the average ransom demand in the first half of 2021 compared to last year.

Image source: venturebeat

It is likely to hit $100 million in 2022 – according to the ENISA Threat Landscape 2021.

Moreover, cryptocurrency becomes the choice of pay-out method because it promises a secure, fast, and anonymous channel for money transactions. Also, attackers shifted from Bitcoin to Monero as their choice due to its enhanced anonymity.

Recommendations to prevent being a victim:

• Security awareness training
• Use secure websites
• Defense-in-depth cybersecurity strategy
• Vulnerability assessment & penetration testing

2 — Cryptojacking

Another attack trend in 2021 is cryptojacking, which is associated with the expanding instability in the cryptocurrency market. Given the anonymity of cryptocurrencies, it has become a convenient and attractive means of exchange by attackers. In this attack, cybercriminals deploy hidden cryptojacking software onto the target’s devices, which steals from a cryptocurrency wallet. Siloscape, a new malware, which emerged in June 2021 targets Windows containers and creates malicious containers, loads cryptocurrency miners, which identify and steal cryptocurrency.

Recommendations to counteract cryptojacking:

• Implement web filters and blacklist IP addresses from cryptomining IP pools
• Develop patches against well-known exploits
• Implement a robust vulnerability management program

3 — Data Breaches

Sensitive data being stolen from organizations or users is nothing new, but how threat actors approach it has evolved. Just as organizations embrace new technologies to survive in the digital landscape, threat actors also harness sophisticated methods to exploit attacks – Deepfake technology, for example.

Though it’s not a new concept, it has evolved significantly. With MI and AI, Deepfake technology enables the digital creation of an individual’s likeness, which can then be used to impersonate the victim. AI and ML tools make it possible to make artificial versions of any voice or any video.

Cybercube’s security researchers alerted that deep fake audio and video content could become a major cyber threat to businesses worldwide. Also, the widespread damage associated with this pretended content is expected to increase in the coming years. It is also expected that the enhanced dependence on video-based communication is the major factor that motivates attackers to focus more on Deepfake technology.

Recommendations for Deepfake Monitoring and Removal:

• Improved digital archiving to identify the fake video and fake voice clips
• Implement Content Authenticity Initiative to validate the creator as well as origin of data

4 — Botnets

Newer botnets continue to emerge as old ones keep transforming to sidestep the current security solutions. This is because cyber-criminals see a new paradigm with botnets-as-a-service where bonnets can be leased/sold to corporations or individuals for nefarious uses and financial benefits.

Furthermore, the existence of botnets in the cloud and mobile environment proposes a new possibility that they may soon be able to learn and exploit the weakness on their own in the patterns of user interactions. The increased adoption of IoT and the lack of security when they are developed as well as deployed presents another feasible frontier for botnet proliferation.

A recent report revealed there is a 500% rise in overall IoT attacks by prominent IoT botnets like Mirai and Mozi.

Image source: Security Intelligence

In 2020, the Mozi botnet attackaccounted for 89% of the IoT attacks – according to X-Force research. In addition to Mozi, several other botnets continue to target the IoT landscape. Ecobot, Zeroshell, Gafgyt, and Loli are four notable botnets impacting businesses all over the world.

Image source: Security Intelligence

Recommendations to fight back:

• Employ penetration testing
• Change your default IoT setting when installing any new device
• Implement a powerful patch management program
• Practice effective bot protection and mitigation strategy

The Big Picture

New cyber threats are being detected all the time, and they possess the potential to affect any operating system, including Linux, Windows, iOS, Mac OS, and Android. Additionally, new threats vectors are evolving due to potential vulnerabilities in the continuous adoption of remote working and a growing number of IoT devices being connected.

This cyber threat landscape evolution has forced enterprises to upgrade their vulnerability management program, security tools, processes, and skills to stay ahead. Indusface AppTrana, a fully managed Web Application and API protection (WAAP)addresses these challenges and speeds up threat detection and response.

If you want to be proactive and actionable in protecting your information, stay aware of the recent cyber security threat landscape!

The post Navigating The Threat Landscape 2021 – From Ransomware to Botnets appeared first on Technology News.

Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads.

Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware. The multi-staged attacks — dubbed ISOMorph — were also publicly documented by Menlo Security in July 2021.

HTML smuggling is an approach that allows an attacker to “smuggle” first-stage droppers, often encoded malicious scripts embedded within specially-crafted HTML attachment or web pages, on a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers.

By doing so, it enables the threat actor to construct the payloads programmatically on the HTML page using JavaScript, instead of having to make an HTTP request to fetch a resource on a web server, while also simultaneously evading perimeter security solutions. The HTML droppers are then used to fetch the primary malware to be executed on the compromised endpoints.

Threat behavior observed in the Mekotio campaign

“When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device,” the researchers said. “Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall.”

HTTP Smuggling’s ability to bypass web proxies and email gateways have made it a lucrative method among state-sponsored actors and cybercriminal groups to deliver malware in real-world attacks, Microsoft noted.

Nobelium, the threat group behind the SolarWinds supply chain hack, was found leveraging this very tactic to deliver a Cobalt Strike Beacon as part of a sophisticated email-based attack aimed at government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S., earlier this May.

Beyond espionage operations, HTML smuggling has also been embraced for banking malware attacks involving the Mekotio trojan, what with the adversaries sending spam emails containing a malicious link that, when clicked, triggers the download of a ZIP file, which, in turn, contains a JavaScript file downloader to retrieve binaries capable of credential theft and keylogging.

HTML smuggling attack chain in the Trickbot spear-phishing campaign

But in a sign that other actors are taking notice and incorporating HTML smuggling in their arsenal, a September email campaign undertaken by DEV-0193 was uncovered, abusing the same method to deliver TrickBot. The attacks entail a malicious HTML attachment, which, when opened on a web browser, creates a password-protected JavaScript file on the recipient’s system, prompting the victim to supply the password from the original HTML attachment.

Doing so initiates the execution of the JavaScript code, which subsequently launches a Base64-encoded PowerShell command to contact an attacker-controlled server to download the TrickBot malware, ultimately paving the way for follow-on ransomware attacks.

“The surge in the use of HTML smuggling in email campaigns is another example of how attackers keep refining specific components of their attacks by integrating highly evasive techniques,” Microsoft noted. “Such adoption shows how tactics, techniques, and procedures (TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa. It also reinforces the current state of the underground economy, where such TTPs get commoditized when deemed effective.”

The post Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks appeared first on Technology News.

Researchers from Qihoo 360’s Netlab security team have released details of a new evolving botnet called “Abcbot” that has been observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets.

While the earliest version of the botnet dates back to July 2021, new variants observed as recently as October 30 have been equipped with additional updates to strike Linux web servers with weak passwords and are susceptible to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is under continuous development.

Netlab’s findings also build on a report from Trend Micro early last month, which publicized attacks targeting Huawei Cloud with cryptocurrency-mining and cryptojacking malware. The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the servers for security issues as well as reset users’ passwords to the Elastic cloud service.

Now according to the Chinese internet security company, these shell scripts are being used to spread Abcbot. A total of six versions of the botnet have been observed to date.

Once installed on a compromised host, the malware triggers the execution of a series of steps that results in the infected device being repurposed as a web server, in addition to reporting the system information to a command-and-control (C2) server, spreading the malware to new devices by scanning for open ports, and self-updating itself as and when new features are made available by its operators.

“Interesting thing is that the sample [updated] on October 21 uses the open-source ATK Rootkit to implement the DDoS function,” a mechanism which the researchers said “requires Abcbot to download the source code, compile, and load the rootkit module before performing [a] DDoS attack.”

“This process requires too many steps, and any step that is faulty will result in the failure of the DDoS function,” the researchers noted, leading the adversary to replace the off-the-shelf code with a custom attack module in a subsequent version released on October 30 that completely abandons the ATK rootkit.

The findings come a little over a week after the Netlab security team disclosed details of a “Pink” botnet that’s believed to have infected over 1.6 million devices primarily located in China with the goal of launching DDoS attacks and inserting advertisements into HTTP websites visited by unsuspecting users. In a related development, AT&T Alien Labs took the wraps off a new Golang malware dubbed “BotenaGo” that has been discovered using over thirty exploits to attack millions of routers and IoT devices potentially.

“The update process in these six months is not so much a continuous upgrade of features as a trade-off between different technologies,” the researchers concluded. “Abcbot is slowly moving from infancy to maturity. We do not consider this stage to be the final form, there are obviously many areas of improvement or features to be developed at this stage.”

The post Abcbot — A New Evolving Wormable Botnet Malware Targeting Linux appeared first on Technology News.

Google researchers on Thursday disclosed that it found a watering hole attack in late August exploiting a now-parched zero-day in macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group to deliver a never-before-seen backdoor on compromised machines.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code,” Google Threat Analysis Group (TAG) researcher Erye Hernandez said in a report.

Tracked as CVE-2021-30869 (CVSS score: 7.8), the security shortcoming concerns a type confusion vulnerability affecting the XNU kernel component that could cause a malicious application to execute arbitrary code with the highest privileges. Apple addressed the issue on September 23.

The attacks observed by TAG involved an exploit chain that strung together CVE-2021-1789, a remote code execution bug in WebKit that was fixed in February 2021, and the aforementioned CVE-2021-30869 to break out of the Safari sandbox, elevate privileges, and download and execute a second stage payload dubbed “MACMA” from a remote server.

This previously undocumented malware, a fully-featured implant, is marked by “extensive software engineering” with capabilities to record audio and keystrokes, fingerprint the device, capture the screen, download and upload arbitrary files, and execute malicious terminal commands, Google TAG said. Samples of the backdoor uploaded to VirusTotal reveal that none of the anti-malware engines currently detect the files as malicious.

According to security researcher Patrick Wardle, a 2019 variant of MACMA masquerades as Adobe Flash Player, with the binary displaying an error message in Chinese language post-installation, suggesting that “the malware is geared towards Chinese users” and that “this version of the malware is designed to be deployed via socially engineering methods.” The 2021 version, on the other hand, is designed for remote exploitation.

The websites, which contained malicious code to serve exploits from an attacker-controlled server, also acted as a watering hole to target iOS users, albeit using a different exploit chain delivered to the victims’ browser. Google TAG said it was only able to recover a part of the infection flow, where a type confusion bug (CVE-2019-8506) was used to gain code execution in Safari.

Additional indicators of compromise (IoCs) associated with the campaign can be accessed here.

The post Hackers Exploit macOS Zero-Day to Hack Hong Kong Users with new Implant appeared first on Technology News.

A new cyber mercenary hacker-for-hire group dubbed “Void Balaur” has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain while lurking in the shadows.

Named after a many-headed dragon from Romanian folklore, the adversary has been unmasked advertising its services in Russian-speaking underground forums dating all the way back to 2017 and selling troves of sensitive information such as cell tower phone logs, passenger flight records, credit reports, banking data, SMS messages, and passport details. The threat actor calls itself “Rockethack.”

“This hacker-for-hire group does not operate out of a physical building, nor does it have a shiny prospectus that describes its services,” Trend Micro researcher Feike Hacquebord said in a newly published profile of the collective.

“The group does not try to wriggle out of a difficult position by justifying its business, nor is it involved in lawsuits against anybody attempting to report on their activities. Instead, this group is quite open about what it does: breaking into email accounts and social media accounts for money,” Hacquebord added.

Besides gaining near unanimous positive reviews on the forums for its ability to offer quality information, Void Balaur is also believed to have focused on cryptocurrency exchanges by creating numerous phishing sites to trick cryptocurrency exchange users in order to gain unauthorized access to their wallets. What’s more, the mercenary collective has deployed an information stealer named Z*Stealer and Android malware such as DroidWatcher against its targets.

Void Balaur’s intrusion set has been observed deployed against a wide range of individuals and entities, including journalists, human rights activists, politicians, scientists, doctors working in IVF clinics, genomics and biotechnology companies, and telecom engineers. Trend Micro said it unearthed over 3,500 email addresses the group set its aim on.

Most of the group’s targets are said to be located in Russia and other neighboring countries like Ukraine, Slovakia, and Kazakhstan, with victims also located in the U.S., Israel, Japan, India, and European nations. Assaulted organizations run the gamut from telecom providers, satellite communication corporations, and fintech firms to ATM machine vendors, point-of-sale (PoS) vendors, and biotech companies.

“Void Balaur goes after the most private and personal data of businesses and individuals then sells that data to whomever wants to pay for it,” the researchers said. The reason why these individuals and entities were targeted remains unknown as yet.

It’s not immediately clear how sensitive phone and email records are acquired from the targets without interaction, although the researchers suspect that the threat actor could have either directly (or indirectly) involved rogue insiders at the concerned companies to sell the data or by compromising accounts of key employees with access to the targeted email mailboxes.

Trend Micro’s deep-dive analysis has also found some common ground with another Russia-based advanced persistent threat group named Pawn Storm (aka APT28, Sofacy, or Iron Twilight), with overlaps observed in the targeted email addresses between the two groups, while also significantly differing in a number of ways, including Void Balaur’s modus operandi of striking cryptocurrency users and their operational hours.

If anything, the development once again highlights the rampantly growing illicit mercenary-related activities in cyberspace and the demand for such services, what with a number of operations — BellTroX (aka Dark Basin), Bahamut, CostaRicto, and PowerPepper — that have been exposed as targeting financial institutions and government agencies in recent months.

To defend against the hacking attacks, it’s recommended to enable two-factor authentication (2FA) via an authenticator app or a hardware security key, rely on apps with end-to-end encryption (E2EE) for email and communications, and permanently delete old, unwanted messages to mitigate the risk of data exposure.

“The reality is that regular internet users cannot easily deter a determined cyber mercenary,” the researchers concluded. “While [advanced offensive tools in a cyber mercenary’s arsenal] might be meant to be used in the fight against terrorism and organized crime, the reality is that they — knowingly or unknowingly — end up in the hands of threat actors who use it against unwitting targets.”

The post Researchers Uncover Hacker-for-Hire Group That’s Active Since 2015 appeared first on Technology News.

The operators of TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines.

“The implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities,” Cybereason security analysts Aleksandar Milenkoski and Eli Salem said in a report analysing recent malware distribution campaigns undertaken by the group. “TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors.”

The latest report builds on a report from IBM X-Force last month, which revealed TrickBot’s partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Also tracked under the moniker TA551, Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, acting as a malware distributor by leveraging password-protected ZIP archives containing macro-enabled Office documents.

The TrickBot gang, known as ITG23 or Wizard Spider, is also responsible for developing and maintaining the Conti ransomware, in addition to leasing access to the malicious software to affiliates via a ransomware-as-a-service (RaaS) model.

Infection chains involving Shathak typically involve sending phishing emails that come embedded with malware-laced Word documents that ultimately lead to the deployment of TrickBot or BazarBackdoor malware, which is then used as a conduit to deploy Cobalt Strike beacons as well as the ransomware, but not before conducting reconnaissance, lateral movement, credential theft, and data exfiltration activities.

Cybereason researchers said they observed an average Time-to-Ransom (TTR) of two days post the compromises, denoting the amount of time from when the threat actor gains initial access into a network to the time the threat actor actually deploys the ransomware.

The findings also come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reported that no fewer than 400 Conti ransomware attacks had taken place targeting U.S. and international organizations as of September 2021.

To secure systems against Conti ransomware, the agencies recommend enforcing a variety of mitigation measures, including “requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.”

The post TrickBot Operators Partner with Shathak Attackers for Conti Ransomware appeared first on Technology News.

Cybersecurity researchers on Tuesday disclosed 14 critical vulnerabilities in the BusyBox Linux utility that could be exploited to result in a denial-of-service (DoS) condition and, in select cases, even lead to information leaks and remote code execution.

The security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16-1.33.1, DevOps company JFrog and industrial cybersecurity company Claroty said in a joint report.

Dubbed “the Swiss Army Knife of Embedded Linux,” BusyBox is a widely used software suite combining a variety of common Unix utilities or applets (e.g., cp, ls, grep) into a single executable file that can run on Linux systems such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs).

A quick list of the flaws and the applets they impact is below —

• man – CVE-2021-42373
• lzma/unlzma – CVE-2021-42374
• ash – CVE-2021-42375
• hush – CVE-2021-42376, CVE-2021-42377
• awk – CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

Triggered by supplying untrusted data via command line to the vulnerable applets, successful exploitation of the flaws could result in denial-of-service, inadvertent disclosure of sensitive information, and potentially code execution. The weaknesses have since been addressed in BusyBox version 1.34.0, which was released on August 19, following responsible disclosure.

“These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” said Shachar Menashe, senior director of security research at JFrog. “The proliferation of BusyBox makes this an issue that needs to be addressed by security teams. As such, we encourage companies to upgrade their BusyBox version, or make sure they are not using any of the affected applets.”

The post 14 New Security Flaws Found in BusyBox Linux Utility for Embedded Devices appeared first on Technology News.

An ongoing mobile spyware campaign has been uncovered snooping on South Korean residents using a family of 23 malicious Android apps to siphon sensitive information and gain remote control of the devices.

“With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices,” Zimperium researcher Aazim Yaswant said. “The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss.”

The Dallas-based mobile security company dubbed the campaign “PhoneSpy.”

Zimperium did not attribute the spyware to a known threat actor. “The evidence surrounding PhoneSpy shows a familiar framework that has been passed around for years, updated by individuals and shared within private communities and back channels until assembled into what we see in this variation today,” Richard Melick, the company’s director of product strategy for endpoint security, told The Hacker News.

The rogue apps have been found to masquerade as seemingly innocuous lifestyle utilities with purposes ranging from learning Yoga and browsing photos to watching TV and videos, with the malware artifacts not relying on Google Play Store or other third-party unofficial app marketplaces, implying a social engineering or web traffic redirection method to trick users into downloading the apps.

Post installation, the application requests for a wide range of permissions before opening a phishing site that’s designed to resemble the login pages of popular apps such as Facebook, Instagram, Google, and Kakao Talk. Users who attempt to sign in, however, are greeted by a HTTP 404 Not Found message, but in reality, have their credentials stolen and exfiltrated to a remote command-and-control (C2) server.

“Many of the applications are facades of a real app with none of the advertised user-based functionality,” Yaswant explained. “In a few other cases, like simpler apps that advertise as photo viewers, the app will work as advertised all while the PhoneSpy spyware is working in the background.”

Like other trojans, PhoneSpy abuses its entrenched permissions, enabling the threat actor to access the camera to take pictures, record video and audio, get precise GPS location, view pictures from the device, as well as extract SMS messages, contacts, call logs, and even send SMS messages to the phone with attacker-controlled text. The amassed data is then shared with the C2 server.

“Mobile spyware is an incredibly powerful and effective weapon against the data we hold in our hands. As our phones and tablets continue to become the digital wallets and IDs, forms of multi factor authentication, and the keys to the data kingdom for our professional and personal lives, the malicious actors wanting that exact data will find new ways to steal it,” Melick said.

“PhoneSpy and other examples of mobile spyware show that these toolsets and frameworks can be broken down and rebuilt over and over again with updated code and capabilities, giving the attackers the upper hand. And it’s only increasing in popularity for everyone from nation states targeting dissidents to corporations spying on competition due to the lack of advanced security surrounding most of these critical devices.”

The post Researchers Discover PhoneSpy Malware Spying on South Korean Citizens appeared first on Technology News.