A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.

Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by \[law enforcement agencies\]," among other services.

The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.

Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.

Noise is designed to take advantage of a security flaw in the Chrome V8 engine JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called "chrome-sbx-gen" to enable the final payload (aka "agent") to be installed on targeted devices.

However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.

Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.

Soft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.

The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, it's suspected that the bug was likely abused since at least 2019.

Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.

The development arrives more than five months after the tech giant's cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan.
Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.
The apps, which were available for download from the official Google Play Store, have now been

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the **Schoolyard Bully Trojan**.

Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.

The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores.

"This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News.

It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavasCript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server.

The Schoolyard Bully Trojan further makes use of native libraries such as "libabc.so" so as to avoid detection by antivirus solutions.

While the malware singles out Vietnamese language applications, it has also been discovered in several other apps available in over 70 countries, underscoring the scale of the attacks.

The findings come more than a year after Zimperium unearthed similar activity aimed at compromising Facebook accounts through rogue Android apps as part of a campaign codenamed FlyTrap.

"Attackers can cause a lot of havoc by stealing Facebook passwords," Richard Melick, director of mobile threat intelligence at Zimperium, said. "If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information."

"It's also very concerning how many people reuse the same passwords. If an attacker steals someone's Facebook password, there's a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Schoolyard Bully Trojan Apps Stole Facebook Credentials from Over 300,000 Android Users

By Habiba Rashid
Currently, hackers are targeting public and private entities in Southeast Asia, the Asia-Pacific region, Europe, and the U.S., with a focus on the Philippines.
This is a post from HackRead.com Read the original post: Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, **USB drives** are being used to hack targets in Southeast Asia. The threat actor behind this activity, referred to as UNC4191 is targeting public and private entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. 

This new campaign began as far back as September 2021, according to Mandiant’s report. The researchers assess that this operation is being conducted as a **cyberespionage operation** related to China’s political and commercial interests. 

**Google-owned Mandiant** states that their observations suggest the Philippines is the main target of this operation, due to the number of affected systems located in the country. They also added that, even when the targeted organizations were based in other locations, the specific systems targeted were found to be physically located in the Philippines.

After the initial infection via Universal Serial Bus drives, the hackers then deployed legitimately-signed binaries while side-loading malware. The malware families used in the cyberespionage have been identified by Mandiant as Mistcloak Launcher, Darkdew Dropper, and Bluehaze Launcher.

Mandiant splits the overall infection cycle from the UNC4191 campaign into three distinct phases. 

Mistcloak is the first malware to be side-loaded because the execution of a version of the USB Network Gate application is triggered as soon as an infected USB is plugged into the machine. 

This piece of malware loads an INI file containing Darkdew, which is designed to achieve persistence and **infect USB drives** when they are connected to the system. 

Bluehaze, which is executed at the third phase of the infection chain, was designed to execute a renamed NCAT executable, which creates a reverse shell to a hardcoded command-and-control (C&C) server.

UNC4191 malware infection cycle (Image: Mandiant)

In their **blog post**, Mandiant researchers noted that these viruses are known to provide a reverse shell on the victim’s system, giving the UNC4191 hackers backdoor access. The malware then self-replicates by infecting any new removable devices plugged into the compromised systems. Due to this, the malware is even able to spread through air-gapped systems.

> “Mandiant has not observed evidence of reverse shell interaction; however, based on the age of the activity, this may be a result of visibility gaps or short log retention periods.”
> 
> Mandiant

1.  **Schneider Electric Shipped USB Drives Loaded with Malware**
2.  **VictoryGate cryptominer infected 35,000 devices via USB drives**
3.  **New malware tool can steal files from airgapped PCs using USBs**
4.  **Hackers sending malware infected USBs with Best Buy Gift Cards**
5.  **China’s insidious surveillance against Uyghurs with Android malware**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hackers using USB drives to spread malware in ongoing attack

By Habiba Rashid
Meet XRAI Glass, an AI-powered augmented reality smart glasses that gives deaf people the power to see conversations.
This is a post from HackRead.com Read the original post: AI-Powered Smart Glasses Give Deaf People the Power of Speech

In a recent example of innovative technology making a positive difference, there is now new **artificial intelligence (AI)** powered smart glasses that allow deaf people to listen in on real-time conversations by reading subtitles. 

Branded XRAI Glass has developed these glasses using ordinary **augmented reality (AR)** glasses synchronized to a smartphone app with AI-powered software. This latest technology also has the feature to rewind the chat and acts as a personal assistant that remembers what the person might have forgotten. 

Image credit: XRAI Glass

Not only this, but the live captioning app can also translate over nine languages and there are soon more to come in the next few months. The translation takes place near-real time, allowing the wearer to keep up with the conversation. 

**XRAI Glass** co-founder and chief marketing officer Mitchell Feldman referred to it as “Alexa in front of your eyes” which is quite a fitting analogy. 

The idea for this product was inspired by co-founder Dan Scarfe’s 97-year-old grandfather who experienced hearing loss and found it increasingly difficult to participate in family gatherings. 

​​“Where his grandfather came to life the most was watching television and using subtitles,” Feldman said.

He added, “If he enjoys captioning, why can’t we caption his life? And that was the genesis of how this product started.”

1.  **AI-based Model to Predict Extreme Wildfire Danger**
2.  **This AI Can Generate Unique and Free Bored Ape NFTs**
3.  **IRpair & Phantom; powerful anti-facial recognition glasses**
4.  **Anti-facial recognition glasses protect privacy from CCTV cams**
5.  **Apple Glass may feature 3D Audio and Self-Cleaning in new patent**

The standard live captioning app is currently free to download with the assistant on fourteen android smartphone models however, it is not yet compatible with the iPhone. A free version of the app is expected to soon be made available on Apple smartphones, but users will have to pay for premium features themselves. The translation services have to be paid via subscription while the glasses separately cost $484. 

Aside from this, there are some other improvements that are required before the glasses can be fully incorporated into daily life. For example, understanding group conversations can be a struggle with people speaking over each other. Moreover, a fairly quiet environment is a prerequisite for interpreting speech accurately. 

As this exciting innovation advances, we look forward to seeing it enable engagement and participation for those with hearing loss. 

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

AI-Powered Smart Glasses Give Deaf People the Power of Speech

Signal messaging app zero-day vulnerabilities have sparked a $1.5M bidding match, as gray-market exploit brokers flourish in today's geopolitical climate.

Gray-market exploit brokers are alive and kicking, with the latest sign of this flourishing market coming in the form of a bidding war for Signal messaging app zero-days from a relatively new entrant. 

Russia-based OpZero went on the record recently with a $1.5 million offer for Signal remote code execution (RCE) exploits, more than tripling the relatively stable high-water mark for that app offered by American firm Zerodium.

Cybersecurity experts say that this particular bidding war indicates the Russian government's desperation to gain surveillance capabilities over Ukrainians utilizing Signal to communicate. But the price movement on this front also offers a microcosmic look into the broader reliance of gray-market customers (most typically governments) on intermediary brokers.

**The Shadowy "Gray Hat" World of Cybersecurity Exploit Brokers

These brokers are sometimes independent dealers, other times thinly cloaked fronts for nation-state intelligence agencies, who buy from security researchers interested in cashing in on their exploit work. 

The market works on an "ask me no questions, and I'll tell you no lies" basis, researchers say. Brokers have no scruples in working with both white- and black-hat security experts — and exploit developers don't ask how or by whom their exploits will be used. The arrangements put this market in a swampy middle ground between the vendor-oriented, highly structured vulnerability bug-bounty market and the chaotic and overtly criminal dealings of the Dark Web, dominated by black hats.

"Exploit brokers function as market makers by contracting with suppliers (security researchers) managing an inventory of exploits, and selling to buyers (actors who deploy offensive cyber-operations)," according to a recent paper on the gray-market exploit world presented at the 21st Workshop on the Economics of Information Security (WEIS’22) in Tulsa, Okla., earlier this year. 

"In doing so, brokers can more efficiently manage transaction costs relative to suppliers and buyers directly contracting with each other. Additionally brokers provide a layer of insulation against reputation and legal fallout," the paper explained, adding that the price of exploits has grown by 1,240% over the last six years in the gray market.

****War in Ukraine Sparks Signal Exploit Bidding War**

Perhaps one of the most public and prolific players in the market is Zerodium, an American firm with an obscured customer list of "government institutions mainly from Europe and North America," according to the company's FAQ. 

The firm offers as much as $2 million for iOS flaws and presents many public offers for exploits in a range of operating systems and applications. The company has had a standing offer since 2017 of "up to" $500,000 for exploits of Signal and other social messaging apps, including Facebook Messenger, WhatsApp, and Telegram.

The entrance of OpZero into this mix with an offer of three times that amount, which has experts such as security researcher The Grugq postulating that the company is a stand-in for Russian intelligence services that are "desperate" for Android and Signal exploits.

"Android has an almost 80% market share in Ukraine, and Signal has over 2 million daily active users," The Grugq recently wrote. "Android phones with Signal are robust security platforms. They’re not military equipment, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation state level threat actors. Russia appears to be lacking an Android or Signal capability."

New Exploit Broker on the Scene Pays Premium for Signal App Zero-Days

A malicious Android SMS application found on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.
The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.

A malicious Android SMS application found on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.

The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.

This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that's typically sent to verify the user when setting up new accounts.

"The malware asks the phone number of the user in the first screen," security researcher Maxime Ingrao, who discovered the malware, said, while also requesting for SMS permissions.

"Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received SMS and that the user does not see the SMS of subscriptions to the various services."

Some of the major services illegally signed up using the phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, among others.

Additionally, the data collected by the malware is exfiltrated to a domain named "goomy\[.\]fun," which was previously used in another malicious application called Virtual Number (com.programmatics.virtualnumber) that has since been removed from the Play store.

The app's developer, Walven, has also been linked to another Android app known as ActivationPW - Virtual numbers (com.programmatics.activation) that claims to offer "virtual numbers to receive SMS verification" from more than 200 countries for less than 50 cents.

According to Ingrao, Symoo and ActivationPW represent the two ends of the fraudulent scheme, wherein the phone numbers of the hacked devices that have the former installed are employed to help users buy accounts through the latter.

Google told The Hacker News that the two apps have been removed from the Play Store and that the developer has been banned.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms

A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.

The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.

This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that's typically sent to verify the user when setting up new accounts.

"The malware asks the phone number of the user in the first screen," security researcher Maxime Ingrao, who discovered the malware, said, while also requesting for SMS permissions.

"Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received SMS and that the user does not see the SMS of subscriptions to the various services."

Some of the major services illegally signed up using the phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, among others.

Additionally, the data collected by the malware is exfiltrated to a domain named "goomy\[.\]fun," which was previously used in another malicious application called Virtual Number (com.programmatics.virtualnumber) that has since been taken down from the Play Store.

The app's developer, Walven, has also been linked to another Android app known as ActivationPW - Virtual numbers (com.programmatics.activation) that claims to offer "virtual numbers to receive SMS verification" from more than 200 countries for less than 50 cents.

According to Ingrao, Symoo and ActivationPW represent the two ends of the fraudulent scheme, wherein the phone numbers of the hacked devices that have the former installed are employed to help users buy accounts through the latter.

Google told The Hacker News that the two apps have been removed from the Play Store and that the developer has been banned.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.

November saw the release of patches from the likes of Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers. 

Here’s what you need to know about all the important updates released in the past month.

Apple iOS and iPadOS 16.1.1

Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 

Tracked as CVE-2022-40303 and CVE-2022-40304, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s support page. The issues were both reported by security researchers working for Google’s Project Zero. 

For Mac users, the flaws were addressed by macOS Ventura 13.0.1.

The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible. 

Microsoft Windows

Microsoft’s November Patch Tuesday was another big release, seeing the Windows maker fix 68 vulnerabilities, four of which were zero days. 

Tracked as CVE-2022-41073, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, CVE-2022-41091 is a vulnerability in Microsoft’s Mark of the Web security feature.

Google Android

More big updates for users of Google’s Android devices have arrived in November, with Google issuing patches for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.

The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also fixed five issues affecting its Pixel devices.

The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings. 

Google Chrome 

The world’s most popular browser continues to be a major target for attackers, with Google this month fixing its eighth zero-day vulnerability this year. 

The vulnerability, tracked as CVE-2022-4135, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google said it “is aware that an exploit for CVE-2022-4135 exists in the wild.”

Earlier in the month, Google issued an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad. 

Mozilla Firefox

November was also a big month for Google Chrome competitor Firefox. Mozilla has issued Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 

One of the most important patches is for CVE-2022-45404, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.

VMWare

Software maker VMWare has released security fixes for multiple security vulnerabilities in its VMware Workspace ONE Assist, three of which have a CVSSv3 base score of 9.8. The first, CVE-2022-31685, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMWare warned in an advisory.

A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate.

Tag

#android