Plus: The FCC cracks down on car warranty robocalls, Thai activists get targeted by NSO's Pegasus, and the Russia-Ukraine cyberwar continues.

As the United States midterm elections near, lawmakers and law enforcement officials are on high alert about violent threats targeted at election officials across the country—domestic threats that have taken first billing over foreign influence operations and meddling as the primary concern for the 2022 elections. In another arena, though, Congress is making progress on generating bipartisan support for sorely needed and overdue privacy legislation in the form of the American Data Privacy and Protection Act.

Iranian women’s rights activists sounded the alarm this week that Meta has not been responsive to their concerns about targeted bot campaigns flooding their Instagram accounts during a crucial moment for the country’s feminist movement. And investigators looking at attacks on internet cables in Paris have still not determined who was behind the vandalism or what their motive was, but new details have emerged about the extent of the sabotage, making the situation all the more concerning and intriguing. 

The ACLU released documents this week that detail the Department of Homeland Security’s contracts with phone-tracking data brokers who peddle location information. And if you’re worried about Big Brother snooping on your reproductive data, we have a ranking of the most popular period-tracking apps by their data privacy protections. 

And there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

The Department of Homeland Security Inspector General told the Secret Service on Thursday to halt its investigation into the deletion of January 6 insurrection-related text messages because of an “ongoing criminal investigation” into the situation. Secret Service spokespeople have said conflicting things: that data on the phones was erased during a planned phone migration or factory reset, and that the erased messages were not relevant to the January 6 investigation. The Secret Service said it provided agents with a guide to backing up their data before initiating the overhaul process, but noted that it was up to the individuals to complete this backup. 

Zero Day spoke to Robert Osgood, director of the forensics and telecommunications program at George Mason University and a former FBI digital forensics examiner, about the situation. “Osgood said that telling agents to back up their own phones ‘makes absolutely no sense’— particularly for a government agency engaged in the kind of work the Secret Service does and required to retain records. The agency is not only charged with protecting the president, vice president and others, it also investigates financial crimes and cybercrime,” reports Zero Day author Kim Zetter. “I’m pro-government, and \[telling agents to back up their own phones\] sounds strange,” Osgood told Zetter. “If that did happen, the IT manager that’s responsible for that should be censured. Something should happen to that person because that’s one of the dumbest things I’ve ever heard in my life.'”

The Federal Communications Commission’s Robocall Response Team said on Thursday that it is ordering phone companies to block robocalls that warn about expiring car warranties and offer renewal deals. The FCC said that the calls, which are familiar to people around the US, have come from “Roy Cox Jr., Aaron Michael Jones, their Sumco Panama companies, and international associates.” Since 2018 or possibly earlier, their operations have resulted in more than 8 billion prerecorded message calls to Americans, the FCC said. “We are not going to tolerate robocall scammers or those that help make their scams possible," FCC chairperson Jessica Rosenworcel said in a statement. “Consumers are out of patience and I’m right there with them.”

After Apple warned a number of Thai activists and their associates in November that their devices might have been targeted with NSO Group’s notorious Pegasus spyware, a number of them reached out to human rights groups and researchers who established a broader picture of a campaign in Thailand. In all, more than 30 Thai victims have been identified. The targets worked with the local human rights group iLaw, which found that two of its own members had been victims of the campaign, as well as University of Toronto’s Citizen Lab and Amnesty International. The researchers did not provide attribution for who was behind the Pegasus campaigns, but found that a lot of the targeting occurred in the same general time when the targets were participating in protests against government policies.

Google’s Threat Analysis Group reported this week that it has seen Russia’s digital meddling continue apace, both in Ukraine as the Kremlin’s invasion rages on and in Eastern Europe more broadly. TAG detected the Russia-linked hacking group Turla attempting to spread two different malicious Android apps through sites that masqueraded as being Ukrainian. The group tried to market the apps by claiming that downloading them would play a role in launching denial of service attacks on Russian websites, an interesting twist given the civilian efforts in Ukraine to mount cyberattacks against Russia. TAG also detected activity from other known Russian hacking groups that were exploiting vulnerabilities to target Ukrainian systems and launching disinformation campaigns in the region.

Ukrainian officials also said this week that Russia had conducted an attack on Ukraine’s TAVR Media, hacking nine popular radio stations to spread false information that Ukrainian President Volodymyr Zelensky was in intensive care because of a critical ailment. The broadcast further claimed that Ruslan Stefanchuk, chairperson of the Verkhovna Rada, was in command in Zelensky’s stead. TAVR put out a statement on Facebook saying that the broadcasts did “not correspond to reality.” And Zelensky posted a video on his Instagram attributing the attack to Russia and saying that he is in good health.

The January 6 Secret Service Text Scandal Turns Criminal

Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2022-1129

Insufficient validation of trust input in WebOTP in Google Chrome on Android prior to 100.0.4896.60 allowed a remote attacker to send arbitrary intents from any app via a malicious app.

CVE-2022-1130

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.

CVE-2022-27235: Social Share Buttons by Supsystic

By Deeba Ahmed
The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims…
This is a post from HackRead.com Read the original post: Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

****The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims in Palestine, Turkey, and Yemen and Lebanese journalists.****

Antivirus firm Avast has identified a serious flaw in the Chrome browser. According to Avast’s report, the Chrome browser vulnerability, which Google patched earlier this month, is tracked as CVE-2022-2294.

The vulnerability is linked to Candiru aka Saito Tech, an Israel-based spyware vendor that offers governments hacking-for-hire services. It is worth noting that the flaw was identified by Avast and disclosed to Google on 1st July 2022, and a fix was released on 4th July with Chrome 103.

**Vulnerability Details**

Avast reported that someone exploited the zero-day flaw already to spy on Lebanese journalists. Like NSO Group’s Pegasus Spyware, Candiru’s spyware is also used by law enforcement agencies and governments to confront crime and terrorism.

However, as per Avast’s research, Candiru’s spyware was used to target political dissidents, journalists, and critics of authoritarian and repressive regimes. The US Commerce Department sanctioned Candiru for its involvement in anti-US activities.

**Who Were the Targets?**

According to Avast, Candiru used the Chrome zero-day in March 2022 to target people in Palestine, Turkey, and Yemen and Lebanese journalists. In Lebanon, Candiru also compromised a news agency website.

The screenshot shared by Avast shows the malicious code injected into the compromised website stylishblockcom

Avast malware researcher Jan Vojtěšek stated that it is currently unclear why the attackers targeted people in the Middle East, particularly journalists. However, the company is sure that its primary objective was to spy on them and collect sensitive data and information. Such an attack is a blatant violation of freedom of speech and press freedom.

**How Was Zero-Day Exploited?**

As per the Avast report, the attacker planted the Chrome zero-day exploit on the Lebanese news agency website to collect 50 data points from the target’s browser, which includes timezone, language, screen information, browser plugins, device type, and device memory.

Hence, the attacker ensured their target’s device was fully compromised before delivering the spyware payload, which Avast claims matches a Windows-based malware DevilsTongue and Microsoft uncovered it in a previous attack involving Candiru.

It is worth noting that this is government-grade spyware capable of stealing messages, call logs, and photos from the victim’s phone, as well as tracking their location in real-time. Users must quickly update the Chrome browser to stay protected. Separate patches have been released by Apple Safari and Microsoft Edge as these use WebRTC.

Your Chrome browser is likely one of the most important pieces of software on your computer. It’s where you do all your online work, so keeping it up-to-date is essential for your security and productivity. Here’s how to update Chrome on Windows, Mac, and Linux:

**Windows:** Open Chrome and go to the menu in the top right corner. Click “Help” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Mac:** Open Chrome and go to the menu in the top left corner. Click “Chrome” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Linux:** Open a terminal window and type “sudo apt update && sudo apt upgrade google-chrome-stable.

**More Chrome and Spyware News**

1.  5 Ways to Protect Your Privacy on Google Chrome
2.  Predator Spyware Using Zero-day to Target Android Devices
3.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
4.  Pakistani Android users hit by spyware campaign with malicious apps
5.  ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.
"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.

"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it. The app permissions section will be back shortly."

To that end, in addition to showcasing the new Data safety section that offers users a simplified summary of an app's data collection, processing, and security practices, Google also intends to highlight all the permissions required by the app to make sense of its "ability to access specific restricted data and actions."

The reinstatement comes as the internet giant moved to swap out the apps permission section with the newer Data safety labels last week ahead of the enforcement deadline on July 20, 2022, which requires developers to provide information about "how they collect and handle user data for the apps they publish on Google Play."

A quick check, however, shows that apps like Tor Browser, Discord and those from Amazon, including its namesake app, Kindle, Alexa, Amazon Music, and Amazon Photos, continue to not include a Data safety section.

The new system also comes with its own set of problems in that it completely relies on the developers to make "complete and accurate declarations," potentially leading to scenarios where it could be misleading or flat-out inaccurate.

In contrast, the apps permission list is derived from the permissions declared by the developer in an app's manifest file.

It's worth noting that the Apple App Store has a similar policy in place for its privacy "nutrition" labels that allows developers to highlight "self‑reported summaries of some of their privacy practices," a method that, as a report from The Washington Post found, "falls short of being helpful."

Google, however, states in its support documentation that it may take appropriate enforcement action if it runs into cases where there is a discrepancy between app's behavior and its declaration.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Bringing the Android App Permissions Section Back to the Play Store

Use after free in Blink Layout in Google Chrome on Android prior to 99.0.4844.74 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-0971

By Deeba Ahmed
Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its…
This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report

****Research reveals that around 80% of all malware attacks used MS Office flaws.****

Atlas VPN has shared its findings for Q1 2022, in which the company revealed startling stats about Microsoft Office. Reportedly, Microsoft Office has become the most commonly exploited software in malware attacks.

It is a fact that most Microsoft Office security flaws are publicly known which makes it easy for cybercriminals to exploit them. On the other hand, because most users ignore essential software updates, scammers can easily inject malicious code after exploiting security loopholes.

According to researchers, some Microsoft Office vulnerabilities are being exploited more than others. These include the following:

1.  CVE-2018-0802
2.  CVE-2017-8570
3.  CVE-2017-11882

These flaws allow system infection, execute commands autonomically, and spread malware infection including the nasty Cobalt Strike one. Despite that security updates are available for these vulnerabilities, these still top the list of most exploited flaws. This indicates that users need to ramp up software security to stay protected.

Atlas VPN wrote that around 78.5% of all malware attacks are launched by targeting Microsoft Office vulnerabilities. Per the Q4 2021 data shared by Kaspersky’s malware research platform Securelist, Microsoft was targeted in 61% of the attacks last year.

Therefore, it can be assumed that hackers are increasingly abusing MS Office, and there’s been a rise in software exploitation since last year.

*   Hackers are using Microsoft Teams chat to spread malware
*   Threat actors using Google Docs exploit to spread phishing links
*   Google, Microsoft and Oracle generated most vulnerabilities in 2021
*   Google Drive accounted for 50% of malicious Office document downloads

In contrast, browser exploits have become rare as they are updated automatically. Android (4.1%), Java (3.48%), Adobe Flash (3.49%), and PDF (2.79%) exploits didn’t show any drastic changes in percentages in Q1 2022.

MS Office is a widely used software. Today, over 1.2 billion individuals and companies across 140 countries and 107 languages use Microsoft Office. For this reason alone, ensuring that the software is properly patched and updated is essential. It is also necessary to follow basic cybersecurity practices and always patch the software as soon as an update is available.

Microsoft Office Most Exploited Software in Malware Attacks – Report

Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress.

Tag

#android