There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.

Thursday, January 18, 2024 14:00

Welcome to 2024! 

The Threat Source newsletter is back after our winter break. 

When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck. 

This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network. 

Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home. 

And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.  

There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey. 

*   Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.  
*   Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop. 
*   Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol. 
*   Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up. 
*   Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
*   Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns. 

**The one big thing **

Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant. 

**Why do I care? **

Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.  

**So now what? **

The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware. 

**Top security headlines of the week **

**Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN** that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek) 

**Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year.** The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times) 

**Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country.** AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #142: Talos Speed Dating (the episode we never set out to make but did anyway) 
*   Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware 
*   Microsoft starts off new year with relatively light Patch Tuesday, no zero-days 
*   Video series discussing the major threat actor trends from 2023 
*   Year in Malware 2023: Recapping the major cybersecurity stories of the past year 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31   
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7   
**Typical Filename:** KMSAuto Net.exe   
**Claimed Product:** KMSAuto Net   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431   
**MD5:** 147c7241371d840787f388e202f4fdc1   
**Typical Filename:** EKSPLORASI.EXE   
**Claimed Product:** N/A    
**Detection Name:** Win32.Generic.497796 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c   
**MD5:** a543017b4fa809e9f6b7251e7c14a5b0   
**Typical Filename:** a543017b4fa809e9f6b7251e7c14a5b0   
**Claimed Product:** N/A     
**Detection Name:** Auto.39B0D4BAD9.232061.in07.Talos

What to do with that fancy new internet-connected device you got as a holiday gift

By Waqas
Kaspersky has recently launched a tool called iShutdown, designed not only to detect the notorious Pegasus spyware but also to identify other malware threats on iOS devices.
This is a post from HackRead.com Read the original post: Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

The iShutdown tool has been launched a few weeks after Kaspersky cybersecurity researchers revealed significant insights into Operation Triangulation. This investigation delves into how spyware threats compromise iPhones.

Kaspersky’s Global Research and Analysis Team (GReAT) has introduced a new tool that lets users detect Pegasus, a popular iOS spyware known for targeting journalists and activists. This lightweight method called iShutdown will identify signs of spyware on Apple iOS devices, including three prominent spyware families Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

The iShutdown tool is now available to the public, seven months after Kaspersky Labs initially reported the hacking of its employees’ iPhones, referred to as Operation Triangulation. In December 2023, the company released an update disclosing that hackers likely exploited an obscure hardware feature during spyware attacks against iPhone users.

The method was tested on a set of Pegasus-compromised iPhones. However, it must be noted that this method/tool is different from the iShutdown iOS application that allows Mac devices to shut down/sleep/restart/log out.

According to the cybersecurity firm, traces of Pegasus-related processes were discovered in a text-based system log file called “Shutdown.log” on iPhones compromised with the spyware. 

The log file is stored within the sysdiagnose archive of iOS devices. It records every reboot event with its environmental characteristics and is a generally overlooked forensic artefact. It can have entries dating back several years, providing valuable information. When a user initiates a reboot, the operating system terminates running processes, flushing memory buffers, and waiting for a normal reboot.

Its analysis revealed “sticky” processes that hinder reboots. Pegasus-related processes were found in over four reboot delay notices. These anomalies during reboot procedures allowed the tool to flag potential infections with high accuracy. Further analysis revealed a similar filesystem path used by all three spyware families, “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator, as an indicator of compromise.

Kaspersky GReAT’s lead security researcher, Maher Yamout, has confirmed the log’s consistency with other Pegasus infections, making it a reliable forensic artefact for infection analysis. The tool offers enhanced protection to a broader user base.

“Compared to more time-consuming acquisition methods such as forensic device imaging or a full iOS backup, Shutdown.log file recovery is pretty simple,” explained Yamout.

Kaspersky has developed a Python3 utility on GitHub for macOS, Windows, and Linux users to detect spyware. The tool extracts, analyzes, and parses Shutdown.log artifacts. It simplifies detection and raises awareness, empowering users to take control of their digital security.

However, Kaspersky suggests users adopt a holistic approach towards data and device security. The company recommends users perform daily reboots, use lockdown mode, disable iMessage and FaceTime, timely iOS updates, and regular check backups.

The announcement comes after SentinelOne’s report revealing that information stealers targeting macOS like KeySteal, Atomic, and JaskaGo are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

****_RELATED ARTICLES_****

1.  **QuaDream, Israeli iPhone hacking spyware firm, to shut down**
2.  **European Spyware Vendor Offering Android, iOS Device Exploits**
3.  **iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers**
4.  **Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India**
5.  **NSO zero-click iMessage exploit hacks iPhone without need to click links**

Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices

Cybersecurity researchers have identified a "lightweight method" called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's Pegasus, QuaDream's Reign, and Intellexa's Predator. 
Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file

Spyware / Forensic Analysis

Cybersecurity researchers have identified a "lightweight method" called **iShutdown** for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's Pegasus, QuaDream's Reign, and Intellexa's Predator.

Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named "Shutdown.log," a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics.

"Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward," security researcher Maher Yamout said. "The log file is stored in a sysdiagnose (sysdiag) archive."

The Russian cybersecurity firm said it identified entries in the log file that recorded instances where "sticky" processes, such as those associated with the spyware, caused a reboot delay, in some cases observing Pegasus-related processes in over four reboot delay notices.

What's more, the investigation revealed a the presence of a similar filesystem path that's used by all the three spyware families – "/private/var/db/" for Pegasus and Reign, and "/private/var/tmp/" for Predator – thereby acting as an indicator of compromise.

That said, the success of this approach hinges on a caveat that the target user reboots their device as often as possible, the frequency for which varies according to their threat profile.

Kaspersky has also published a collection of Python scripts to extract, analyze, and parse the Shutdown.log in order to extract the reboot stats.

"The lightweight nature of this method makes it readily available and accessible," Yamout said. "Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries."

The disclosure comes as SentinelOne revealed information stealers targeting macOS such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer) are quickly adapting to circumvent Apple's built-in antivirus technology called XProtect.

"Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade," security researcher Phil Stokes said. "Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he's incompetent to stand trial.

On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. On December 7, 2023 – nearly 7 years later – a judge ruled that Durachinsky is incompetent to stand trial.

****Who is Phillip Durachinsky?****

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

> “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
> 
> FBI Flash

In this manner, thousands of computers were infected over more than a decade.

****Arrest and arraignment****

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. (The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&T.)

The house, as it turned out, was the home of Durachinsky’s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school’s website and hacking into teachers’ email.

The FBI found a laptop in Durachinsky’s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving – indicating that it was being remotely accessed – and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.

On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky’s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.

Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.

During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.

****Ruling****

Almost seven years after Durachinsky’s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his “condition” can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.

Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, “I don’t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.”

This ruling has caused some concerns in the information security community. ASD is not something that can be “cured,” though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.

Some have expressed skepticism about the ruling, arguing that Durachinsky’s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.

Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.

****What next?****

It’s unclear what’s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be – or has been – released from jail, but there’s still the question of civil commitment. It’s unclear exactly what that will mean – whether this would require time in an institution and, if so, for how long. It’s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged FruitFly malware creator ruled incompetent to stand trial 

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.
The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it

Vulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally\_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "\*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the \[content security policy\] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

By Waqas
If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed…
This is a post from HackRead.com Read the original post: HelloFresh Fined £140,000 for 80 Million Spam Messages

If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed by the UK’s Information Commissioner’s Office (ICO).

****_Key Points_****

*   **Customers were bombarded with unwanted emails and texts.**
*   **HelloFresh fined £140,000 for sending 80 million spam messages.**
*   **ICO found HelloFresh’s opt-in processes were misleading and confusing.**
*   **Case highlights the importance of data protection and obtaining informed consent.**

Recipe kit delivery service HelloFresh has been slapped with a hefty £140,000 fine by the UK’s Information Commissioner’s Office (ICO) for bombarding customers with a staggering 80 million spam messages.

The fine follows a year-long investigation triggered by a flood of complaints from customers who were fed up with the constant barrage of unwanted marketing emails and texts.

The ICO found that HelloFresh’s marketing practices were a clear violation of UK data protection regulations. Between August 2022 and February 2023, the company sent out a mind-boggling 79 million emails and 1 million text messages without obtaining proper consent from its customers. This included bombarding customers who had signed up for the service solely to receive recipe kits, with irrelevant offers and promotions.

“This was a clear case of a company putting its own commercial interests ahead of the privacy and rights of its customers,” said Andy Curry, Head of Investigations at the ICO. “Customers were not given a clear choice about receiving marketing messages, and many were left feeling harassed and frustrated by the constant bombardment.”

The ICO’s investigation revealed that HelloFresh’s opt-in processes were designed to be confusing and misleading. Customers were often pre-checked into marketing lists without their knowledge, and the wording of opt-in boxes was unclear, making it difficult for customers to understand what they were agreeing to.

“We take our data protection obligations very seriously and have made changes to our email and text marketing policy in response to the ICO’s findings,” said a spokesperson for HelloFresh. However, the company’s apology and belated changes to its marketing practices may not be enough to appease customers who feel they have been taken advantage of.

The HelloFresh case highlights the importance of data protection and the need for businesses to obtain clear and informed consent from customers before sending them marketing messages. Companies that fail to comply with data protection regulations face not only hefty fines but also reputational damage and the potential loss of customer trust.

****_RELATED ARTICLES_****

1.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
2.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
3.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
4.  **Apple, Samsung fined for intentionally slowing down old smartphones**
5.  **Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps**

HelloFresh Fined £140,000 for 80 Million Spam Messages

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

Tag

#apple