Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Source newsletter (Aug. 18, 2022) — Why aren't Lockdown modes the default setting on phones?

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in.

Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.

With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass.

In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “…we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced. Android has its own version of this released in 2018 that only allows users to turn on a Lockdown Mode to disable their device’s fingerprint reader and facial ID scan, only allowing users to log in using only a PIN, password or pattern. However, this feature is turned off immediately after the user successfully logs in again and must be manually re-enabled every time.

Some individual apps have taken their own steps, like the menstrual cycle-tracking app Flo, which recently announced a new Anonymous Mode that allows users to completely remove their personal data from the app.

These features should become not only the norm, but the opposite. Much like browser cookies are now thanks to the GDPR, users should have to opt out of these types of modes rather than opting in. I’m skeptical that will ever happen, but if device and app manufacturers are serious about protecting users’ data, users should instead have to tell the device “Yes, I want to use the fingerprint reader and take on the inherent risk” or “yes, I don’t care if you sell my data to third-party advertisers.”

Right now, these features are buried in a few layers of settings menus, and in the case of Android, it’s not even a permanent change.

Some startups are trying to solve this problem by going back to the era of “dumb” phones, like The Light Phone, which doesn’t have any web browsing features, or the Mudita Minimalist phone that pretty much only sends calls and text messages and plays music.

I’m a hypocrite here. Because if one day I was suddenly told I couldn’t check my fantasy football lineups on my phone or didn’t have streaming access to podcasts, I’d probably click whatever big red button there was to turn those features back on. But at the very least, that option should be presented as a big red button and not something you have to Google to figure out how to turn it on.

The one big thing

While not necessarily the most discussed aspect of Russia’s invasion of Ukraine, it’s important to look at how vital Ukrainian farming is to the world’s food supply chain. And as state-sponsored cyber attacks continue against Ukraine, the potential for grain and food shortages in Europe continues to rise. As Joe Marshall points out in our latest blog post, there are several knock-on effects that could happen if Ukraine’s food production and transportation system were to be disrupted by a major security event.

Why do I care? The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Potential cyber attacks on this industry could induce things like a slowdown in production, shipping delays, loss of economic value or supply shortages.
So now what? For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency in your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber attack.

Top security headlines from the week

As many as 1,900 users of encrypted messaging app Signal could have had their login authentication codes stolen as part of a recent data breach against Twilio. Twilio is a popular gateway other web platforms use to send SMS or voice messages. Signal began notifying users this week of the issue, with one victim saying the attackers used the Twilio access to re-register a new device associated with the user’s phone number, allowing them to send and receive messages from their Signal app. Cloudflare was also a target of the phishing attack, with actors sending users phony text messages warning them their login had been changed, sometimes even contacting the target’s family members. (The Verge, Ars Technica) Some of the world’s top security experts, hackers and defenders unveiled new research at the Black Hat and DEF CON conferences last week. The slate of talks, presentations and exhibits brought to light several high-profile vulnerabilities, including two severe issues in the Zoom video conferencing app. Other heavily discussed topics include the spread of disinformation and election security. In a more lighthearted demonstration, one researcher even showed a way to jailbreak the Linux system on a John Deere tractor to play the video game “Doom” on its center console. (Politico, The Guardian, The Verge) The U.S. Cybersecurity and Infrastructure Security Agency is warning of an uptick in attacks from the Zeppelin ransomware, specifically against critical infrastructure. Threat actors are buying into the ransomware-as-a-service to spread the malware, using SonicWall firewall and remote desktop protocol vulnerabilities to initially breach targeted networks, according to a new CISA advisory. Zeppelin has a new multi-encryption tactic. Once the malware is on a victim’s network, it executes the ransomware multiple times and creates different IDs and encrypted file extensions so the victim can’t simply use one decryption key to return their files. (ThreatPost, CISA)

Can’t get enough Talos?

Cisco Talos Warns of Small-Time Cybercrime Ramp Up Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass Talos Takes Ep. #108 (XL Edition): On Air with Cisco Talos Incident Response Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution Threat Roundup for Aug. 5 - 12

Upcoming events where you can find Talos

Ukraine Independence Day: A Talos livestream (Aug. 24, 2022) Livestreamed on Talos’ LinkedIn and Twitter

Security Insights 101 Knowledge Series (Aug. 25, 2022) Virtual

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

Virtual

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201

SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7 MD5: 0e4c49327e3be816022a233f844a5731 Typical Filename: aact.exe Claimed Product: AAct x86 Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681 MD5: f1fe671bcefd4630e5ed8b87c9283534 Typical Filename: KMSAuto Net.exe Claimed Product: KMSAuto Net
Detection Name: PUA.Win.Tool.Hackkms::1201

TALOS
#vulnerability#web#ios#android#apple#google#linux#cisco#rce#asus#auth

By Jon Munshaw.

Welcome to this week’s edition of the Threat Source newsletter.

As the data privacy landscape gets increasingly murky, app developers and device manufacturers are finding new ways to sure up users’ personal information. Of course, all users have to do is go out of their way to opt-in.

Apple recently announced a new Lockdown Mode for the iOS operating system that powers the company’s iPhones. When enabled, it turns off many of the features that attackers will exploit when targeting a mobile device with spyware. Spyware is a growing concern across the world, especially the NSO Group’s Pegasus tool.

With Lockdown Mode enabled, a hypothetical attacker would not have access to certain functions on the phone, and it blocks access to important APIs such as speech and facial recognition, which research has shown are relatively easy to bypass.

In a review of Lockdown Mode, Zack Whittaker of TechCrunch said, “…we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced. Android has its own version of this released in 2018 that only allows users to turn on a Lockdown Mode to disable their device’s fingerprint reader and facial ID scan, only allowing users to log in using only a PIN, password or pattern. However, this feature is turned off immediately after the user successfully logs in again and must be manually re-enabled every time.

Some individual apps have taken their own steps, like the menstrual cycle-tracking app Flo, which recently announced a new Anonymous Mode that allows users to completely remove their personal data from the app.

These features should become not only the norm, but the opposite. Much like browser cookies are now thanks to the GDPR, users should have to opt out of these types of modes rather than opting in. I’m skeptical that will ever happen, but if device and app manufacturers are serious about protecting users’ data, users should instead have to tell the device “Yes, I want to use the fingerprint reader and take on the inherent risk” or “yes, I don’t care if you sell my data to third-party advertisers.”

Right now, these features are buried in a few layers of settings menus, and in the case of Android, it’s not even a permanent change.

Some startups are trying to solve this problem by going back to the era of “dumb” phones, like The Light Phone, which doesn’t have any web browsing features, or the Mudita Minimalist phone that pretty much only sends calls and text messages and plays music.

I’m a hypocrite here. Because if one day I was suddenly told I couldn’t check my fantasy football lineups on my phone or didn’t have streaming access to podcasts, I’d probably click whatever big red button there was to turn those features back on. But at the very least, that option should be presented as a big red button and not something you have to Google to figure out how to turn it on.

**The one big thing **

While not necessarily the most discussed aspect of Russia’s invasion of Ukraine, it’s important to look at how vital Ukrainian farming is to the world’s food supply chain. And as state-sponsored cyber attacks continue against Ukraine, the potential for grain and food shortages in Europe continues to rise. As Joe Marshall points out in our latest blog post, there are several knock-on effects that could happen if Ukraine’s food production and transportation system were to be disrupted by a major security event.

**Why do I care? **The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. Potential cyber attacks on this industry could induce things like a slowdown in production, shipping delays, loss of economic value or supply shortages. **So now what? **For executive leadership, now is an opportune time to evaluate your accepted business risks. That means taking the time to understand how interconnected your agriculture operations are to your corporate offices. Could you function as a business should a ransomware attack affect you? What investments have you made to build resiliency in your operations? These are incredibly difficult questions to answer. Use the catalyst of global events to invest in technology and more importantly, people, to help you find those answers. Be proactive, and train for climatic events like a cyber attack.

Top security headlines from the week

As many as 1,900 users of encrypted messaging app Signal could have had their login authentication codes stolen as part of a recent data breach against Twilio. Twilio is a popular gateway other web platforms use to send SMS or voice messages. Signal began notifying users this week of the issue, with one victim saying the attackers used the Twilio access to re-register a new device associated with the user’s phone number, allowing them to send and receive messages from their Signal app. Cloudflare was also a target of the phishing attack, with actors sending users phony text messages warning them their login had been changed, sometimes even contacting the target’s family members. (The Verge, Ars Technica)

Some of the world’s top security experts, hackers and defenders unveiled new research at the Black Hat and DEF CON conferences last week. The slate of talks, presentations and exhibits brought to light several high-profile vulnerabilities, including two severe issues in the Zoom video conferencing app. Other heavily discussed topics include the spread of disinformation and election security. In a more lighthearted demonstration, one researcher even showed a way to jailbreak the Linux system on a John Deere tractor to play the video game “Doom” on its center console. (Politico, The Guardian, The Verge)

The U.S. Cybersecurity and Infrastructure Security Agency is warning of an uptick in attacks from the Zeppelin ransomware, specifically against critical infrastructure. Threat actors are buying into the ransomware-as-a-service to spread the malware, using SonicWall firewall and remote desktop protocol vulnerabilities to initially breach targeted networks, according to a new CISA advisory. Zeppelin has a new multi-encryption tactic. Once the malware is on a victim’s network, it executes the ransomware multiple times and creates different IDs and encrypted file extensions so the victim can’t simply use one decryption key to return their files. (ThreatPost, CISA)

**Can’t get enough Talos? **

  • Cisco Talos Warns of Small-Time Cybercrime Ramp Up
  • Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass
  • Talos Takes Ep. #108 (XL Edition): On Air with Cisco Talos Incident Response
  • Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution
  • Threat Roundup for Aug. 5 - 12

**Upcoming events where you can find Talos **

Livestreamed on Talos’ LinkedIn and Twitter

**Most prevalent malware files from Talos telemetry over the past week **

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201

MD5: 8c69830a50fb85d8a794fa46643493b2

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201

MD5: 0e4c49327e3be816022a233f844a5731

Typical Filename: aact.exe

Claimed Product: AAct x86

Detection Name: PUA.Win.Tool.Kmsauto::in03.talos

MD5: f1fe671bcefd4630e5ed8b87c9283534

Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information