Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Android

Tags:  2023-07-05

Tags:  CVE2021-29256

Tags:  CVE-2023-26083

Tags:  CVE-2023-2136

Tags:  CVE-2023-21250

Tags:  ARM

Tags:  Skia

Google has patched 43 vulnerabilities in Android, three of which are actively exploited zero-day vulnerabilities. 



(Read more...)




The post Update Android now! Google patches three actively exploited zero-days appeared first on Malwarebytes Labs.

In July’s update for the Android operating system (OS), Google has patched 43 vulnerabilities, three of which are actively exploited zero-day vulnerabilities.

The security bulletin notes that there are indications that these three vulnerabilities may be under limited, targeted exploitation.

If your Android phone is at patch level 2023-07-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your device's Android version number, security update level, and Google Play system level in your Settings app. You'll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:

CVE-2023-26083: a memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

ARM was warned about this vulnerability on March 31, 2023 and stated:

> “There is evidence that this vulnerability may be under limited, targeted exploitation.”

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.

Both of the above vulnerabilities are present in the ARM Mali GPU, which is the graphics processor of many Android phones. A patch for both vulnerabilities had been issued by ARM, but Google has decided to include them in this month’s Android update.

CVE-2023-2136: An integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

This vulnerability is affecting the Skia 2D graphics library used in Android systems. Skia is an open source 2D graphics library for drawing Text, Geometries, and Images.

It is likely that attackers would use the vulnerability in Skia as a first stage and then use one of the Mali vulnerabilities to complete a device takeover.

Another vulnerability that caught our eye was CVE-2023-21250: a critical vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed and no user interaction is needed for exploitation. Further details were not revealed to give users a chance to install the patch first.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Android now! Google patches three actively exploited zero-days

By Deeba Ahmed
The researchers believe that the SmugX attack is an extension of a previously discovered campaign linked to Mustang Panda.
This is a post from HackRead.com Read the original post: SmugX: Chinese Hackers Targeting Embassies in Europe

**The attack method of the SmugX campaign includes attackers using HTML smuggling to target victims.**

Check Point Research’s (CPR) cyber threat intelligence researchers have discovered a disturbing attack trend. According to CPR’s report published on July 3, 2023, Chinese threat actors have become increasingly interested in targeting European governments, embassies, and foreign local policy-making entities. Eastern Europe is among their preferred targets, with prime targets being Slovakia, the Czech Republic, and Hungary.

This newly discovered campaign is dubbed SmugX. Researchers claim that this campaign has been active since December 2022, but they believe that it is an extension of a previously discovered campaign linked to Mustang Panda and RedDelta. Interestingly, both groups are Chinese.

As far as the attack method is concerned, research revealed that in SmugX, attackers are using HTML smuggling to target European embassies. In this method, the modular PlugX malware implant is smuggled (hidden) inside HTML documents.

Hackers use this technique to trick web security systems and evade antivirus mechanisms or security defences. HTML smuggling exploits HTML features to conceal malicious data documents from automated content filters, including them as JavaScript blobs that reassemble on the targeted device.

It is worth noting that PluxX is a commonly used tool for HTML smuggling. Multiple Chinese threat actors have used this malware previously, such as the group that targeted the Vatican in 2020 or the one that targeted the Indonesian Intelligence Service in 2021. The malware was also used to target users in Mongolia, Ghana, Papua New Guinea, Nigeria, and Zimbabwe in a USB drive-based campaign.

CPR researchers agree that SmugX’s primary objective is to obtain sensitive data on the foreign policies of the targeted countries. This analysis is based on the lure samples posted to the malware repository on VirusTotal. The filenames of these samples were self-explanatory.

Researchers wrote that the names strongly suggested that the attackers wanted to target diplomats and government entities, whereas the content contained mainly diplomatic-related content related to China. The attack utilizes several .docx and .pdf files containing diplomatic content.

CPR researchers obtained a letter from the Serbian embassy in Budapest, a document revealing the Swedish Presidency of the Council of the European Union’s priorities, and an invitation from the Hungarian foreign ministry for a diplomatic conference.

The researchers also discovered an article about the two Chinese human rights lawyers who had received a ten-year sentence. Here are the titles of these documents:

*   202305 Indicative Planning RELEX
*   Draft Prague Process Action Plan\_SOM\_EN
*   2262\_3\_PrepCom\_Proposal\_next\_meeting\_26\_April
*   Comments FRANCE – EU-CELAC Summit – 4th May
*   China jails two human rights lawyers for Subversion

One of the phishing documents (left) – Targeted countries (right)

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR researchers noted.

CPR is still investigating and monitoring SmugX activities and will share new details soon. Please continue to visit this platform for the latest updates on SmugX.

**RELATED ARTICLES**

1.  Killnet Hits European Parliament Website with DDoS Attack
2.  Research sector hit in new phishing attack using Google Drive
3.  Fake WHO Emails on COVID-19 Drop Nerbian RAT Across Europe
4.  European Spyware Vendor Offering Android & iOS Device Exploits
5.  Zimbra email platform flaw exploited to steal European govt emails

SmugX: Chinese Hackers Targeting Embassies in Europe

By Waqas
The arrests took place in Singapore over complaints from unsuspecting victims.
This is a post from HackRead.com Read the original post: Teen among suspects arrested in Android banking malware scheme

Singapore authorities have conducted a successful operation, resulting in the arrest of 13 individuals suspected of involvement in banking-related malware scams. Among those apprehended were a 16-year-old teenager and a group of 10 men and two women aged between 19 and 35.

Preliminary findings suggest that seven men, two women aged 19 to 27, and a 16-year-old facilitated the scam by providing their bank accounts, Internet banking credentials, and Singpass credentials to perpetrators for monetary gain. Three other men aged 20 and 35 are believed to have withdrawn funds from the accounts of some of the “money mules” and handed the money over to unknown individuals.

The number of victims is yet unknown. For your information, Singpass, which stands for Singapore Personal Access, is a digital identity that enables all Singapore citizens and residents to conveniently access businesses and government agencies and businesses.

Suspects and seized sim cards (Screenshot: SPF)

**Modus Operandi and Scam Techniques**

In a press release, the Singapore Police Force (SPF) revealed that since January 2023, they have received a rising number of reports involving malware used to compromise Android mobile devices, leading to unauthorized transactions from victims’ bank accounts. Remarkably, victims did not share their Internet banking credentials, One-Time Passwords (OTPs), or Singpass credentials with anyone.

The scam unfolded when victims responded to various advertisements on social media platforms for services such as cleaning, pet grooming, and the sale of food items like seafood and groceries. Subsequently, scammers instructed victims to download an Android Package Kit (APK) from unofficial app-store platforms to facilitate their purchases. However, these APKs contained malware that infected the victims’ mobile devices.

Once infected, scammers contacted victims via phone calls or text messages and convinced them to enable accessibility services on their Android phones. Enabling these services weakened the phones’ security and granted full control to the scammers. Keystrokes were logged, banking credentials were stolen, and scammers remotely accessed banking apps to add “money mules” as payees, increase payment limits, and transfer funds to them.

The scammers also deleted text messages and email notifications related to the fraudulent transfers to cover their tracks.

The act of benefiting from criminal conduct carries severe penalties under Section 54(5)(a) of the Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act 1992. Offenders face imprisonment of up to 10 years, a fine of up to S$500,000, or both.

1.  Teen Charged in DraftKings Data Breach
2.  UK Teen Arrested Amid Uber and GTA 6 Hacking Saga
3.  Dark Web Hitman Paid with BTC to Murder Teen Victim
4.  Teen “Hackers” on Discord Selling Malware for Quick Cash
5.  Teen arrested for 8 DDoS attacks that disrupted school’s classes
6.  Data breach: SingHealth users affected including Singapore’s PM

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Teen among suspects arrested in Android banking malware scheme

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023.
The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware

Cyber Crime / Mobile Security

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023.

The activity is being attributed to an actor codenamed **Neo\_Net**, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground.

"Despite using relatively unsophisticated tools, Neo\_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said.

Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING.

Neo\_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a seasoned cybercriminal, engaging in the sales of phishing panels, compromised victim data to third-parties, and a smishing-as-a-service offering called Ankarex that's designed to target a number of countries across the world.

The initial entry point for the multi-stage attack is SMS phishing, in which the threat actor employs various scare tactics to trick unwitting recipients into clicking on bogus landing pages to harvest and exfiltrate their credentials via a Telegram bot.

"The phishing pages were meticulously set up using Neo\_Net's panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners," Thill explained.

"These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade."

The threat actors have also been observed duping bank customers into installing rogue Android apps under the guise of security software that, once installed, requests SMS permissions to capture SMS-based two-factor authentication (2FA) codes sent by the bank.

The Ankarex platform, for its part, has been active since May 2022. It's actively promoted on a Telegram channel that has about 1,700 subscribers.

"The service itself is accessible at ankarex\[.\]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers," Thill said.

The development comes as ThreatFabric detailed a new Anatsa (aka TeaBot) banking trojan campaign that has been targeting banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mexico-Based Hacker Targets Global Banks with Android Malware

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410.

**July 2023 Product Security Bulletin**

Published 2023-07-03

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and Wi-Fi chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20754, CVE-2023-20755

Medium

CVE-2023-20753, CVE-2023-20756, CVE-2023-20757, CVE-2023-20758, CVE-2023-20759, CVE-2023-20760, CVE-2023-20761, CVE-2023-20766, CVE-2023-20767, CVE-2023-20768, CVE-2023-20771, CVE-2023-20772, CVE-2023-20773, CVE-2023-20774, CVE-2023-20775, CVE-2023-20689, CVE-2023-20690, CVE-2023-20691, CVE-2023-20692, CVE-2023-20693, CVE-2022-32666, CVE-2023-20748

****Details****

CVE

**CVE-2023-20754**

Title

Integer overflow or wraparound in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20755**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20753**

Title

Out-of-bounds write in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In rpmb, there is a possible out of bounds write due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20756**

Title

Integer overflow or wraparound in keyinstall

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20757**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20758**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20759**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20760**

Title

Improper input validation in apu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In apu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983, MT8195

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20761**

Title

Improper input validation in ril

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20766**

Title

Improper input validation in gps

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6886, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20767**

Title

Improper input validation in pqframework

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In pqframework, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8167, MT8168, MT8195, MT8673

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20768**

Title

Access of resource using incompatible type ('type confusion') in ion

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In ion, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8195, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2023-20771**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In display, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6785, MT8168, MT8781

Affected Software Versions

Android 12.0

CVE

**CVE-2023-20772**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20773**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20774**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6835, MT6855, MT6886, MT6895, MT6983, MT6985, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20775**

Title

Buffer copy without checking size of input ('classic buffer overflow') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6983, MT6985, MT6990, MT8168, MT8183, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0 / OpenWrt 21.02 / RDKB 2022Q3

CVE

**CVE-2023-20689**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20690**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20691**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20692**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-476 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20693**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-477 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6895, MT6983, MT8167, MT8168, MT8195, MT8321, MT8365, MT8385, MT8666, MT8765, MT8781, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2022-32666**

Title

User interface (ui) misrepresentation of critical information in Wi-Fi

Severity

Medium

Vulnerability Type

DoS

CWE

CW3-451 User Interface (UI) Misrepresentation of Critical Information

Description

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915, MT7916, MT7981, MT7986, MT8365

Affected Software Versions

7.6.6.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20748**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

July 3, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-20775: July 2023

Categories: News
A list of topics we covered in the week of June 26 to July 2 of 2023



(Read more...)




The post A week in security (June 26 - July 2) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 26 - July 2)

Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

An Open Redirect vulnerability exists prior to version 1.52.117, where the built-in QR scanner in Brave Browser Android navigated to scanned URLs automatically without showing the URL first. Now the user must manually navigate to the URL.

CVE-2023-28364

By Waqas
According to Amazon, it has already taken significant action against 94 fraudsters operating in the United States, China, and Europe in May 2023.
This is a post from HackRead.com Read the original post: Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

**Amazon’s action should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market.**

In a determined effort to protect its customers and sellers from the growing menace of fake reviews, e-commerce giant **Amazon** has recently launched a series of lawsuits against fraudulent individuals and organizations.

These perpetrators, operating within an underground network known as the “fake review broker” industry, have been exploiting unsuspecting consumers and tarnishing the reputation of Amazon’s marketplace.

Amazon has invested substantial resources in advanced technologies, including machine learning models and expert investigators, to proactively combat fake reviews before they reach the eyes of customers.

In 2022 alone, the company successfully blocked over 200 million suspected fake reviews from appearing on its platform. Now, by targeting the facilitators of these fraudulent practices, Amazon aims to strike at the root of the problem and hold those responsible accountable.

Amazon announced significant actions taken against 94 fraudsters operating in the United States, China, and Europe. These actions were implemented as of May 2023, showcasing the technology giant’s proactive approach to tackling the issue at hand.

It should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market. In fact, as of March 2020, fake reviews accounted for **50% of the threats** faced by Android-based devices, among other issues.

The seriousness of the issue is further exemplified by a notable incident in May 2021. During this incident, a misconfigured server inadvertently **exposed a staggering 7GB of well-organized schemes** employed by Amazon vendors to generate fake reviews for their products on the website.

According to a **press release** issued on June 28th, 2023, the legal actions filed by Amazon include four notable lawsuits against prominent perpetrators. Here is an overview of each case:

**Amazon v. Nice Discount:**

The owners and operators of Nice Discount have been accused of orchestrating a scheme to generate fake positive reviews and feedback through their “Product Tester Club.” Reviewers are enticed to leave fabricated positive reviews or feedback in exchange for refunds or monetary rewards. By connecting bad actors operating Amazon selling accounts with reviewers, the defendants have guided these individuals on when and how to post fake reviews, creating an illusion of authenticity. **Case No. 23-2-10603-2 SEA**.

**Amazon v. Littlesmm:**

The website Littlesmm has allegedly been selling packages of fake reviews to unscrupulous individuals operating Amazon selling accounts across Australia, Canada, and the U.S. Ranging in price from $20 to $440, these packages offer both positive and negative reviews. By employing Amazon customer accounts under their control, the defendants have orchestrated the posting of counterfeit positive reviews while simultaneously undermining their competitors’ product listings through fake negative reviews. **Case No. 23-2-10452-8 SEA.**

**Amazon v. MangoCity:**

The owners and operators of MangoCity have been accused of selling fake reviews for prices ranging from $50 to $4,000. Utilizing their website, video chats, and email correspondence, the defendants accept payments and subsequently deploy Amazon customer accounts to leave fabricated 5-star reviews on product listing pages. Additionally, they have targeted competitors by offering fake negative reviews on their products. Case No. 23-2-11278-4 SEA.

**Amazon v. Reddit Marketing Pro:**

The owners and operators of Reddit Marketing Pro have allegedly provided fraudulent services, including fake positive and negative reviews, to bad actors with Amazon selling accounts. In exchange for fees ranging from $99 for five fake reviews to $6,999 for 500 fake reviews, the defendants have employed Amazon customer accounts under their control to populate product listing pages with counterfeit reviews. They have also marketed fake “Questions and Answers” to manipulate the content displayed. Case No. 23-2-11265-2 SEA.

In a comment to Hackread.com, Chris Downie, CEO of Edinburgh, Scotland-based anti-fraud platform **Pasabi** said, “Fake review brokers play a central role in poisoning consumer decision-making, destroying businesses and inflicting untold damage on the wider economy.”

Downie added that “Whilst it’s encouraging to see Amazon taking these fraudsters to task via the legal system, so much more needs to be done to tackle the growing fake review epidemic which influences around £4bn in UK consumer spending every year.”

“By harnessing the power of AI and the latest fraud detection anti-fraud technology, review aggregators and business owners need to work together to identify and block fraudulent reviews, stamping out the problem before it gets any worse,” added Downie.

Amazon chief **David Montague**, vice president of Selling Partner Risk, said, “Our goal is to ensure that every review in Amazon’s stores is trustworthy and reflects customers’ actual experiences. Amazon welcomes authentic reviews—whether positive or negative —but strictly prohibits fake reviews that intentionally mislead customers.”

“We continue to innovate on our proactive technology to detect fake reviews and other indications of unusual behaviour. Another way we fight fake reviews is through legal action. Not only are we targeting the source of the problem but we’re sending a clear message that there’s no place for abuse in our store and we will hold fraudsters accountable,” he added.

Despite Amazon’s aggressive stance against fake review brokers, the company recognizes that this is a pervasive global problem affecting multiple industries. To address this issue effectively, a collaborative effort between the public and private sectors is required.

By taking legal action against 94 fraudsters across the United States, China, and Europe, as of May 2023, Amazon is demonstrating its commitment to combatting this menace. However, the battle against fake review brokers demands ongoing vigilance and cooperation to ensure a safe and trustworthy online marketplace for consumers and sellers alike.

1.  Brand Protection is Essential for Cybersecurity
2.  42,000 phishing domains found posing as popular brands
3.  Microsoft pwns domains used by hackers for cyber attacks
4.  Memcyco Drops Real-Time Solution to Combat Brandjacking
5.  Indian call center seized over Amazon scam against US citizens

Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Tag

#android