Search This Blog

Latest News

Security Experts listed who responsible for leaking your data to scammers

"There are three most common types of data leakage," said Vseslav Solenik, Director of the R-Vision Center of Expertise. Personal ...

All the recent news you need to know

Attackers Denied of Full Control Over 'Wire' Users' Accounts

 

The developers of the Wire secure messaging app have patched the software against two critical security flaws, one of which could allow an attacker to takeover target users’ accounts. Specifically, the first of the two includes a cross-site scripting (XSS) vulnerability that allowed an attacker to fully control user accounts. The flaw tracked as, CVE-2021-32683, typically impacted the web app version 2021-05-10 and earlier.

According to security experts, threat actors often execute an XSS attack by sending a malicious link to a user and prompting the user to click it. If the app or website lacks proper security protocols, the malicious link executes the attacker’s chosen code on the user’s device. As a result, the attacker can steal the user’s active session cookie. 

Kane Gamble, an independent security researcher discovered two security issues in Wire Messenger versions for web and iOS. Headquartered in Germany with branches in the US, Sweden, and Switzerland, Wire is a popular messaging platform featuring audio, video, and text communications secured via end-to-end encryption with more than 500,000 users. 

The second flaw discovered by the researcher was a less critical denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire.

“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character. This will in turn trigger an assertion which crashes the app,” the security researcher explained. 

Both flaws were subject to a coordinated disclosure process between Gamble and the Wire security team. “The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1]. No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically,” Gamble further added.

A Wire spokesperson showed that there is no evidence of active exploitation of any of these bugs in the wild.

“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible. We also proactively published the vulnerabilities as CVEs for full transparency,” the spokesperson said.

Security Bug Detected in Google’s Android App

 

A vulnerability had existed in Google's eponymous Android app with over five billion downloads to date that might have enabled an attacker to stealthily steal the personal information of a victim's device. 

In a blog post-Sergey Toshin, the founder of Oversecured Mobile App Security Group, noted that it's about the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google application, decrease download size and storage space by depending on code libraries installed on Android smartphones. 

However, the shortcoming in Google's code allowed the malicious application to inherit the permissions of the Google app and permit it to almost completely access data from a user. 

The malicious application could also pull the code library from a malicious app on the very same device rather than its legitimate code library. This access includes access to Google user accounts, search histories, e-mails, text messages, contacts, and call history, as well as microphone/camera triggering and user location. 

Toshin added that the malicious application will be activated once for the attack to start, but it is carried out without the knowledge or cooperation of the user. He added that removing the malicious program will not remove malicious components from the Google app. 

A Google spokesman told that last month it addressed the issue and there was no proof that the attackers would be using the flaw. The built-in malware scanner of Android, Google Protect Play, will stop the installation of harmful apps. However, there is no absolute safety feature, and malicious apps are already on the internet. 

Toshin stated that the vulnerability in Google's app is almost like a bug identified in TikTok earlier in this year that would allow an attacker to hijack a TikTok user's session tokens which are exploited to gain control of their account. 

Oversecured identified several other identical vulnerabilities, including the Google Play app for Android and more recent pre-installed apps on Samsung phones.

NATO's Cloud Platform Hacked

 

The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities". 

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks.