
Italy announced its National Cybersecurity Strategy 2022/26

26 May 2022 at 09:13

Italy announced its National Cybersecurity Strategy for 2022/26, a crucial document to address cyber threats and increase the resilience of the country.

Italy presented its National Cybersecurity Strategy for 2022/26, reinforcing the government’s commitment to addressing cyber threats and increasing the resilience of the country to cyber attacks.

The strategy is aligned with the commitments undertaken within international organizations of which Italy is a member party.

The threat landscape rapidly changes and urges the government to review its strategy and propose a series of objectives to achieve in the next four years.

The strategy, developed by the National Cybersecurity Agency, includes 82 objectives and aims to address the following challenges:

  • Ensuring a cyber-resilient digital transition of the Public Administration (PA) and of the productive system;
  • Predicting the evolution of cyber threats to reduce their impact on national infrastructure and organizations;
  • Preventing online disinformation in the broader context of hybrid threats;
  • Managing cyber crises;
  • Achieving national and European strategic autonomy in the digital sector.

The strategy recognizes the duty of the State in implementing measures to increase the security of the state, organizations, and its citizens in the digital domain.
The document remarks that cybersecurity is an essential investment and an enabling factor for the development of the national economy and industry. A secure country is a more competitive country.

“The ongoing evolution of technology that has shaped our current society keeps raising new risks as it continues to develop, along with more sophisticated attack techniques. However, such a scenario doesn’t always match with the society’s cybersecurity awareness level.” reads the strategy. “Given those risks, this strategy aims to target the strengthening of our resilience in the digital transition, by fostering the safe use of technologies essential for our present and future economic prosperity, the achievement of cybersecurity strategic autonomy, the cyber crises management in complex geopolitical scenarios, as well as anticipating the evolution of cyber threats and tackling the spread of online disinformation, while respecting human rights, our values and principles.”

The strategy promotes a cyber “security-oriented” approach that stresses the importance of collaboration between public and private entities.

The macro-goals of the Italian National Cybersecurity Strategy are:

  • The protection of national strategic assets;
  • The response to cyber threats and the management of incidents and crises;
  • The development of new digital technologies to secure digital assets.

Below is the link to the strategy:

Italian cybersecurity agency ACN also published the implementation plan which provides for each goal defined in the National Cybersecurity Strategy the measures to implement:

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, National Cybersecurity Strategy)

The post Italy announced its National Cybersecurity Strategy 2022/26 appeared first on Security Affairs.

Do not use Tails OS until a flaw in the bundled Tor Browser is fixed

26 May 2022 at 10:31

The maintainers of the Tails project (The Amnesic Incognito Live System) warn users that the Tor Browser bundled with the OS could expose their sensitive information.

The maintainers confirmed that Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

“We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).” reads the advisory published by project maintainers.

Tails is a security- and privacy-oriented Linux distribution: a portable operating system that protects against surveillance and censorship.

The root cause of the alert is a pair of critical zero-day issues in the Firefox browser, tracked as CVE-2022-1802 and CVE-2022-1529, that Mozilla addressed in May. The vulnerabilities were reported by Manfred Paul during the Pwn2Own 2022 hacking contest that took place in Vancouver last week.

The Tor browser is based on the Firefox browser and is developed as part of the Tor Project.

The CVE-2022-1802 vulnerability can allow an attacker to set up a rogue website that bypasses some of the security built into Tor Browser and accesses information from other websites.

“If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context.” reads the advisory.

The Tails team pointed out that the flaw doesn’t break the anonymity and encryption of Tor connections. This means it is still safe and anonymous to access websites from Tails as long as users don’t share sensitive information with them.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.” reads the alert published by project maintainers.


The maintainers’ alert states that other applications in the OS are not affected by the flaw. Thunderbird, for example, is not affected because JavaScript is disabled.

The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.

This vulnerability will be addressed with the release of Tails 5.1 on May 31.


Experts warn of a new malvertising campaign spreading the ChromeLoader

26 May 2022 at 14:38

Researchers warn of a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

Researchers from Red Canary observed a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

ChromeLoader is a malicious Chrome browser extension classified as a pervasive browser hijacker: it modifies browser settings to redirect user traffic. Threat actors spread the malware via an ISO file masquerading as a cracked video game or a pirated movie or TV show.

“However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.” reads the analysis published by the experts.

The malware is able to redirect the user’s traffic and hijack user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code also uses PowerShell to inject itself into the browser and add the extension to it.

Upon running the executable included in the mounted .ISO image file, ChromeLoader is installed along with a .NET wrapper for the Windows Task Scheduler, which the threat uses to achieve persistence.

“Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).” continues the analysis.


In April, the researcher Colin Cowie also published an analysis of the macOS version of ChromeLoader; that variant is able to install malicious extensions into both the Chrome and Safari web browsers.

The report published by the experts includes the following detection opportunities for this threat:

  • Detection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line;
  • Detection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line;
  • Detection opportunity 3: Shell process spawning a process that loads a Chrome extension within the command line;
  • Detection opportunity 4: Redirected Base64-encoded commands into a shell process.
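As an added example (not code from Red Canary’s report or from the original post), the four detection opportunities above expressed as a small Python classifier run over constructed process-creation events; the event layout, the sample command lines and the helper names are assumptions.

```python
import re

# Constructed sample of process-creation events (not real telemetry):
# each tuple is (parent_image, image, command_line).
SAMPLE_EVENTS = [
    # Opportunity 1: PowerShell with the abbreviated -enc flag
    ("explorer.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    # Opportunities 2 and 3: PowerShell launching Chrome with a side-loaded extension
    ("powershell.exe", "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
     r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext" --no-first-run'),
    # Benign admin script: full flag names, no extension loading
    ("svchost.exe", "powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    # Opportunity 4: Base64 blob decoded and piped into a shell (macOS-style variant)
    ("zsh", "sh", 'sh -c "echo ZWNobyBoZWxsbw== | base64 --decode | sh"'),
    # Benign Chrome launch from the desktop
    ("explorer.exe", "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"sh", "bash", "zsh", "dash", "cmd.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Match every proper prefix, longest first, but never the full flag name.
_FLAG = "encodedcommand"
_ABBREVIATED_ENC = re.compile(
    r"(?<![\w-])-(?:" + "|".join(_FLAG[:n] for n in range(len(_FLAG) - 1, 0, -1)) + r")\b",
    re.IGNORECASE,
)
# base64 decoding whose output is piped straight into a shell interpreter.
_B64_TO_SHELL = re.compile(
    r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash|zsh)\b", re.IGNORECASE
)


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the numbers of the detection opportunities that fire for one event."""
    hits = []
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    # Opportunity 1: PowerShell containing a shortened encodedCommand flag.
    if i in POWERSHELL and _ABBREVIATED_ENC.search(cmdline):
        hits.append("1")
    # Opportunity 2: PowerShell spawning chrome.exe with load-extension and AppData\Local.
    if p in POWERSHELL and i == "chrome.exe" and "load-extension" in c and "appdata\\local" in c:
        hits.append("2")
    # Opportunity 3: any shell spawning a process that loads a Chrome extension.
    if p in SHELLS and "load-extension" in c:
        hits.append("3")
    # Opportunity 4: Base64-encoded commands redirected into a shell process.
    if i in SHELLS and _B64_TO_SHELL.search(cmdline):
        hits.append("4")
    return hits


def scan(events):
    """Map each event index to the opportunities it triggered, skipping clean events."""
    return {idx: classify(*ev) for idx, ev in enumerate(events) if classify(*ev)}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: detection opportunity {', '.join(hits)} -> {SAMPLE_EVENTS[idx][2]}")
```

Opportunity 1 deliberately ignores the full -EncodedCommand spelling, so tune the prefix list to the shortest abbreviations your environment considers legitimate before alerting on it.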


Zyxel addresses four flaws affecting APs, AP controllers, and firewalls

26 May 2022 at 19:28

Zyxel addressed multiple vulnerabilities impacting many of its products, including APs, AP controllers, and firewalls.

Zyxel has released security updates to address multiple vulnerabilities affecting multiple products, including firewall, AP, and AP controller products.

Below is the list of the four vulnerabilities; the most severe one is a command injection flaw in some CLI commands, tracked as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of some firewall versions that could allow an attacker to obtain some information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
  • CVE-2022-26531: Multiple improper input validation flaws were identified in some CLI commands of some firewall, AP controller, and AP versions that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.
  • CVE-2022-26532: A command injection vulnerability in the “packet-trace” CLI command of some firewall, AP controller, and AP versions could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the command.
  • CVE-2022-0910: An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

According to the advisory published by the vendor, the issues affect USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 AP controllers, and NAP, NWA, WAC, and WAX Access Point families.

The vendor has already released security patches to address the flaws for most of the affected models.

The hotfix for NXC2500 AP controllers affected by CVE-2022-26531 and CVE-2022-26532 must be requested from a local service representative.

Experts urge admins to upgrade their installs to avoid cyber attacks exploiting the above flaws.

This advice is especially important for US companies as we head into a holiday weekend when it is common for threat actors to conduct attacks.


Exposed: the threat actors who are poisoning Facebook

26 May 2022 at 20:40

An investigation of the infamous “Is That You?” video scam led Cybernews researchers to expose the threat actors who are poisoning Facebook.

Original post @ https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified.

Facebook has long been a happy hunting ground for online crooks, who take great pleasure in turning unwary members of the internet community into their prey.

It can start with something as seemingly innocuous as a message from a “friend” – in fact a cybercriminal pretending to be such – inviting you to click on a juicy link to the next big share-fest, be it a music clip, funny video, or anything else you might be interested in.

Screenshot of the original Is That You? scam uncovered on Facebook.

The only thing that’s juicy about such bogus links is the bundle of personal details you are giving up by clicking on them, because it won’t be the latest hot clip you’re sharing when you do – just your name, address, and passwords, which are then harvested for profit by the threat actor who has fooled you.

Given its likelihood of being used as a platform for such scams, Facebook has been on the Cybernews radar for some time – in February last year, we exposed the “Is That You?” phishing scam on its Messenger service that had been doing the rounds since at least 2017.

Since then, the research team has remained vigilant, keeping tabs on suspect activities on Facebook. Recently, that vigilance was rewarded when we received a tip-off from fellow cyber investigator Aidan Raney – who first reached out to us after our original findings were published – that malicious links were being distributed to users.

Upon further examination, it turned out that thousands of these phishing links had been distributed, through a devious network sprawling across the back channels of the social media platform.

Left unchecked, this could result in hundreds of thousands of unwary social media users falling foul of the dodgy links – the “Is That You?” scam was thought to have hooked in around half a million victims before we uncovered it.

That campaign was initiated by sending the potential mark a message from one of their Facebook contacts. The message contained what appears to be a video link with a text in German suggesting that they are featured in the clip.

Mind map of a devious cybercriminal enterprise.

The game is afoot!

Hot for the chase, our cyber detectives began their inquiry by scrutinizing a malicious link sent to one victim, to learn how the scam had been put together.

“I figured out what servers did what, where code was hosted, and how I could identify other servers,” said Raney. “I then used this information and urlscan.io [a website that allows one to scan URLs] to look for more phishing links matching the same characteristics as this one.”

A thorough search of servers connected to the phishing links turned up a page that was sending credentials to a site called devsbrp.app. Further scrutiny revealed a banner thought to be attached to a control panel, with the text “panelfps by braunnypr” written on it.

Using these as keywords in a subsequent search led the research team straight to the panel and banner creator, whose email address and password combinations were also discovered – neatly turning the tables on cybercriminals used to stealing credentials of unsuspecting web users.

Inside a criminal stronghold

Using the threat actor’s own details, Cybernews accessed a website that turned out to be the command and control center for most of the phishing attacks linked to the gang, thought to number at least five threat actors but possibly many more. This provided our intrepid investigators with a trove of information on the crooks behind the Facebook phishing scam, including their likely country of residence – the Dominican Republic.

“We were able to export the user list for everybody registered to this panel,” said the Cybernews researcher. “Using the usernames on the list, we started uncovering the identities of as many people on the list as people, but there is still more work to be done.”

One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there.

At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

If you want to know how to protect yourself, take a look at this post:

https://cybernews.com/security/exposed-the-threat-actors-who-are-poisoning-facebook/


Experts released PoC exploit code for critical VMware CVE-2022-22972 flaw

27 May 2022 at 05:58

Security researchers released PoC exploit code for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urges customers to install patches immediately.

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious.” states VMware.

The CVE-2022-22972 flaw affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

“VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.” reads the advisory published by the company. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.”

The company acknowledged Bruno López of Innotec Security for the discovery of the flaw.

VMware addressed the flaw and also provided workarounds for admins who cannot immediately install security patches.

VMware did not provide technical details about the flaw, so Horizon3 researchers performed an analysis of the patch.

“Our POC sends requests starting at the /vcac endpoint the same way a browser would and parses the login page to extract these hidden fields. These hidden fields are then encoded into the body of the final POST with the Host header set to our custom login server. The POC then parses the response to extract the authentication cookies. These cookies can be used to execute actions as the chosen user.” reads the analysis published by the researchers. “This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.”

The experts pointed out that the CVE-2022-22972 issue is a relatively simple Host header manipulation vulnerability.


Threat actors could easily exploit this issue. Searching on Shodan.io for the affected VMware applications, we can find potentially vulnerable organizations in the healthcare and education industries and in state government.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the Emergency Directive 22-03 to order federal agencies to fix VMware CVE-2022-22972 and CVE-2022-22973 flaws or to remove the affected products from their networks by May 23, 2022.

DHS also orders federal agencies to report the status of all VMware installs on their networks into Cyberscope by May 24, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) further highlighted this security flaw’s severity lev


ERMAC 2.0 Android Banking Trojan targets over 400 apps

27 May 2022 at 09:56

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

The ERMAC Android banking trojan version 2.0 can target an increased number of applications, growing from 378 to 467 target applications from which it steals account credentials and crypto-wallets.

ERMAC was first spotted by researchers from ThreatFabric in July 2021; it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware has been available for rent on underground forums for $5000 per month since March 2022.


A new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets 🇵🇱 Polish users.
Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch @LukasStefanko 1/3 pic.twitter.com/hGeD4ZSwve

— ESET research (@ESETresearch) May 18, 2022

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.


Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET.

ERMAC first determines which applications are installed on the host device and then sends that information to the C2 server.

The malicious app asks for 43 permissions, of which the threat actor (TA) exploits 12. Below is the list of the permissions requested to conduct malicious activities and take over the infected device:

  • REQUEST_INSTALL_PACKAGES: allows an application to request installing packages
  • CALL_PHONE: allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
  • RECEIVE_SMS: allows an application to receive SMS messages
  • READ_SMS: allows an application to read SMS messages
  • SEND_SMS: allows an application to send SMS messages
  • READ_CONTACTS: allows an application to read the user’s contacts data
  • READ_PHONE_STATE: allows read access to the device’s phone number
  • SYSTEM_ALERT_WINDOW: allows an app to create windows shown on top of all other apps
  • READ_EXTERNAL_STORAGE: allows an application to read from external storage
  • RECORD_AUDIO: allows an application to record audio
  • WRITE_EXTERNAL_STORAGE: allows an application to write to external storage

The list of commands supported by ERMAC 2.0 to execute malicious operations is:

  • downloadingInjections: sends the application list to download injections
  • logs: sends injection logs to the server
  • checkAP: checks the application status and sends it to the server
  • registration: sends device data
  • updateBotParams: sends the updated bot parameters
  • downloadInjection: used to receive the phishing HTML page

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”


FBI: Compromised US academic credentials available on various cybercrime forums

27 May 2022 at 13:22

The FBI warns organizations in the higher education sector of credentials sold on cybercrime forums that can allow threat actors to access their networks.

The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that can be used by threat actors to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks.

“The FBI is informing academic partners of identified US college and university credentials advertised for sale on online criminal marketplaces and publicly accessible forums. This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.” reads the alert published by the FBI.

Crooks obtain the information by conducting spear-phishing and ransomware attacks, or other means.

In 2017, crooks launched a phishing campaign against universities to compromise .edu accounts. The attackers set up fake university login pages and embedded a credential harvester link in phishing emails.

In late 2020, credentials for US-based universities were found for sale on the dark web. The seller listed approximately 2,000 unique credentials.

In May 2021, cybercriminals offered for sale more than 36,000 email and password combinations for .edu email accounts on a publicly available instant messaging platform.

Recently, in January 2022, threat actors have been observed offering for sale network and VPN access credentials belonging to US-based universities and colleges on Russian cybercrime forums.

“The FBI has observed incidents of stolen higher education credential information posted on publicly accessible online forums or listed for sale on criminal marketplaces. The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” concludes the alert. “If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”


GhostTouch: how to remotely control touchscreens with EMI

27 May 2022 at 14:45

Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.

A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.

According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.

GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive touchscreen. The researchers demonstrated how to inject two types of basic touch events, taps and swipes, into targeted locations of the screen, and used them to control the devices (e.g. answering an eavesdropping phone call, pressing a button, swiping up to unlock). The technique was successful on nine smartphone models.

“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”


The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector injects touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a transmitting antenna array. The phone locator identifies the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.

The experimental lab setup built by the researchers uses an electrostatic gun to generate a strong pulse signal, which is fed to an antenna that transmits an electromagnetic field to the touchscreen.

The researchers also published two video PoCs, one showing a GhostTouch attack answering a phone call and one showing it pairing the phone with a malicious Bluetooth device.

The experts tested the technique against nine different smartphone models, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).

“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop on the private conversation, or visit a malicious website.”

The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.


Pierluigi Paganini

(SecurityAffairs – hacking, GhostTouch)

The post GhostTouch: how to remotely control touchscreens with EMI appeared first on Security Affairs.

Android pre-installed apps are affected by high-severity vulnerabilities

27 May 2022 at 21:37

Microsoft found several high-severity vulnerabilities in a mobile framework used in pre-installed Android System apps.

The Microsoft 365 Defender Research Team discovered four vulnerabilities (CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601) in a mobile framework, owned by mce Systems, that is used by several mobile carriers in pre-installed Android System apps.

The researchers discovered the flaws in September 2021 and reported them to mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The experts pointed out that the vulnerabilities affected apps with millions of downloads; the flaws have since been fixed.

Threat actors could have abused these pre-installed apps to access system configuration and sensitive information.

“As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues.” reads the post published by Microsoft.

The bad news is that some of the affected apps cannot be fully uninstalled or disabled without root access to the device. 

The experts discovered that the framework exposes a “BROWSABLE” activity, i.e. one that can be launched from a link in a browser or another app through a custom URI scheme, and that this entry point can be remotely invoked to exploit several of the vulnerabilities. Threat actors could chain these issues to implant a persistent backdoor or take substantial control over the device.

[Figure: BROWSABLE Activity with the “mcedigital://” scheme (source Microsoft)]

Because the framework implements self-diagnostic mechanisms, it runs with permissions to access valuable system resources. Microsoft experts highlight that the affiliated carrier apps also hold extensive device privileges that could be exploited through the vulnerable framework.
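A BROWSABLE activity is declared in the app's AndroidManifest.xml, so the quickest way to find this class of exposure in a device's pre-installed apps is to pull each APK, decode its manifest and look for intent filters that carry the android.intent.category.BROWSABLE category. The scanner below is an added example, not Microsoft's or mce Systems' code: the manifest it parses is constructed for illustration, with hypothetical package and component names; only the mcedigital scheme comes from Microsoft's screenshot above. It also reports components that are exported without BROWSABLE, since those are still reachable by any app on the device.

```python
"""Find Android components that other apps or a web page can launch.

Added example, not code from Microsoft or mce Systems. The manifest below is
constructed for illustration: the package and component names are hypothetical;
only the "mcedigital" scheme comes from Microsoft's screenshot of the affected
framework.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BROWSABLE = "android.intent.category.BROWSABLE"


def android_attr(name):
    # ElementTree stores namespaced attributes as "{uri}name".
    return "{%s}%s" % (ANDROID_NS, name)


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrier.diag">
  <application>
    <!-- Reachable from any web page or app: VIEW + BROWSABLE + custom scheme. -->
    <activity android:name=".DiagActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="mcedigital"/>
      </intent-filter>
    </activity>
    <!-- Intent filter but no exported attribute: exported by default before Android 12. -->
    <service android:name=".DiagService">
      <intent-filter>
        <action android:name="com.example.carrier.diag.RUN"/>
      </intent-filter>
    </service>
    <!-- Hardened variant: same scheme handler, no BROWSABLE, not exported. -->
    <activity android:name=".InternalDiagActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="mcedigital"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def exposed_components(manifest_xml):
    """Return components reachable from outside the app.

    Each finding records whether the component is BROWSABLE (launchable from a
    link in a browser) and which URI schemes its intent filters accept.
    """
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "activity-alias", "service", "receiver"):
            continue
        filters = comp.findall("intent-filter")
        if not filters:
            continue  # no intent filter: not exported unless the attribute says so
        exported_attr = comp.get(android_attr("exported"))
        # Before Android 12 a component with an intent filter is exported unless
        # exported="false"; Android 12+ refuses to install if the attribute is absent.
        if exported_attr == "false":
            continue
        browsable = False
        schemes = set()
        for f in filters:
            cats = {c.get(android_attr("name")) for c in f.findall("category")}
            if BROWSABLE in cats:
                browsable = True
                schemes.update(d.get(android_attr("scheme")) for d in f.findall("data")
                               if d.get(android_attr("scheme")))
        findings.append({
            "component": comp.tag,
            "name": comp.get(android_attr("name")),
            "exported_attr": exported_attr,
            "browsable": browsable,
            "schemes": sorted(schemes),
        })
    return findings


if __name__ == "__main__":
    for f in exposed_components(SAMPLE_MANIFEST):
        flag = "BROWSABLE" if f["browsable"] else "exported"
        print("%-10s %-9s %s schemes=%s" % (flag, f["component"], f["name"], f["schemes"]))
```

To run this against real system apps, pull them with `adb pull` from the paths listed by `adb shell pm list packages -f`, decode each manifest with `apkanalyzer manifest print <apk>` from the Android SDK command-line tools, and feed the decoded XML to exposed_components. A BROWSABLE finding is only a lead: whether the activity does anything dangerous with the URI it receives still has to be checked in the app's code.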

“Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.” continues Microsoft. “As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.”

mce Systems has fixed the issues and provided a framework update to the impacted providers. At the time of publication, the researchers were not aware of in-the-wild attacks exploiting these vulnerabilities.

“Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Android pre-installed apps)

The post Android pre-installed apps are affected by high-severity vulnerabilities appeared first on Security Affairs.
