An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023.
The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware

Cyber Crime / Mobile Security

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023.

The activity is being attributed to an actor codenamed **Neo\_Net**, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground.

"Despite using relatively unsophisticated tools, Neo\_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said.

Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING.

Neo\_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a seasoned cybercriminal, engaging in the sales of phishing panels, compromised victim data to third-parties, and a smishing-as-a-service offering called Ankarex that's designed to target a number of countries across the world.

The initial entry point for the multi-stage attack is SMS phishing, in which the threat actor employs various scare tactics to trick unwitting recipients into clicking on bogus landing pages to harvest and exfiltrate their credentials via a Telegram bot.

"The phishing pages were meticulously set up using Neo\_Net's panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners," Thill explained.

"These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade."

The threat actors have also been observed duping bank customers into installing rogue Android apps under the guise of security software that, once installed, requests SMS permissions to capture SMS-based two-factor authentication (2FA) codes sent by the bank.

The Ankarex platform, for its part, has been active since May 2022. It's actively promoted on a Telegram channel that has about 1,700 subscribers.

"The service itself is accessible at ankarex\[.\]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers," Thill said.

The development comes as ThreatFabric detailed a new Anatsa (aka TeaBot) banking trojan campaign that has been targeting banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mexico-Based Hacker Targets Global Banks with Android Malware

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07978760; Issue ID: ALPS07363410.

**July 2023 Product Security Bulletin**

Published 2023-07-03

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and Wi-Fi chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2023-20754, CVE-2023-20755

Medium

CVE-2023-20753, CVE-2023-20756, CVE-2023-20757, CVE-2023-20758, CVE-2023-20759, CVE-2023-20760, CVE-2023-20761, CVE-2023-20766, CVE-2023-20767, CVE-2023-20768, CVE-2023-20771, CVE-2023-20772, CVE-2023-20773, CVE-2023-20774, CVE-2023-20775, CVE-2023-20689, CVE-2023-20690, CVE-2023-20691, CVE-2023-20692, CVE-2023-20693, CVE-2022-32666, CVE-2023-20748

****Details****

CVE

**CVE-2023-20754**

Title

Integer overflow or wraparound in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20755**

Title

Improper input validation in keyinstall

Severity

High

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20753**

Title

Out-of-bounds write in rpmb

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In rpmb, there is a possible out of bounds write due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20756**

Title

Integer overflow or wraparound in keyinstall

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In keyinstall, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20757**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20758**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20759**

Title

Improper input validation in cmdq

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In cmdq, there is a possible memory corruption due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6768, MT6771, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8786, MT8789, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20760**

Title

Improper input validation in apu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In apu, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983, MT8195

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20761**

Title

Improper input validation in ril

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ril, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20766**

Title

Improper input validation in gps

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In gps, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6753, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6886, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0, 13.0

CVE

**CVE-2023-20767**

Title

Improper input validation in pqframework

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In pqframework, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8167, MT8168, MT8195, MT8673

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20768**

Title

Access of resource using incompatible type ('type confusion') in ion

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In ion, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8195, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791T, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2023-20771**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-662 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In display, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6785, MT8168, MT8781

Affected Software Versions

Android 12.0

CVE

**CVE-2023-20772**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20773**

Title

Improper authentication in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-287 Improper Authentication

Description

In vow, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8781, MT8791, MT8791T, MT8797

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20774**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6789, MT6835, MT6855, MT6886, MT6895, MT6983, MT6985, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

CVE

**CVE-2023-20775**

Title

Buffer copy without checking size of input ('classic buffer overflow') in display

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6877, MT6879, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6983, MT6985, MT6990, MT8168, MT8183, MT8195, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0 / OpenWrt 21.02 / RDKB 2022Q3

CVE

**CVE-2023-20689**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20690**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20691**

Title

Integer overflow to buffer overflow in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-680 Integer Overflow to Buffer Overflow

Description

In wlan firmware, there is possible system crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20692**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-476 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT8167, MT8168, MT8321, MT8365, MT8385, MT8666, MT8765, MT8788

Affected Software Versions

Android 11.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20693**

Title

Null pointer dereference in wlan

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-477 NULL Pointer Dereference

Description

In wlan firmware, there is possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6895, MT6983, MT8167, MT8168, MT8195, MT8321, MT8365, MT8385, MT8666, MT8765, MT8781, MT8788

Affected Software Versions

Android 11.0, 12.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2022-32666**

Title

User interface (ui) misrepresentation of critical information in Wi-Fi

Severity

Medium

Vulnerability Type

DoS

CWE

CW3-451 User Interface (UI) Misrepresentation of Critical Information

Description

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7613, MT7615, MT7622, MT7628, MT7629, MT7915, MT7916, MT7981, MT7986, MT8365

Affected Software Versions

7.6.6.0 / IOT-v23.0 (Yocto 4.0)

CVE

**CVE-2023-20748**

Title

Improper input validation in display

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6886, MT6895, MT6983, MT6985, MT8673, MT8781

Affected Software Versions

Android 12.0, 13.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

July 3, 2023

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2023-20775: July 2023

Categories: News
A list of topics we covered in the week of June 26 to July 2 of 2023



(Read more...)




The post A week in security (June 26 - July 2) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 26 - July 2)

Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

An Open Redirect vulnerability exists prior to version 1.52.117, where the built-in QR scanner in Brave Browser Android navigated to scanned URLs automatically without showing the URL first. Now the user must manually navigate to the URL.

CVE-2023-28364

By Waqas
According to Amazon, it has already taken significant action against 94 fraudsters operating in the United States, China, and Europe in May 2023.
This is a post from HackRead.com Read the original post: Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

**Amazon’s action should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market.**

In a determined effort to protect its customers and sellers from the growing menace of fake reviews, e-commerce giant **Amazon** has recently launched a series of lawsuits against fraudulent individuals and organizations.

These perpetrators, operating within an underground network known as the “fake review broker” industry, have been exploiting unsuspecting consumers and tarnishing the reputation of Amazon’s marketplace.

Amazon has invested substantial resources in advanced technologies, including machine learning models and expert investigators, to proactively combat fake reviews before they reach the eyes of customers.

In 2022 alone, the company successfully blocked over 200 million suspected fake reviews from appearing on its platform. Now, by targeting the facilitators of these fraudulent practices, Amazon aims to strike at the root of the problem and hold those responsible accountable.

Amazon announced significant actions taken against 94 fraudsters operating in the United States, China, and Europe. These actions were implemented as of May 2023, showcasing the technology giant’s proactive approach to tackling the issue at hand.

It should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market. In fact, as of March 2020, fake reviews accounted for **50% of the threats** faced by Android-based devices, among other issues.

The seriousness of the issue is further exemplified by a notable incident in May 2021. During this incident, a misconfigured server inadvertently **exposed a staggering 7GB of well-organized schemes** employed by Amazon vendors to generate fake reviews for their products on the website.

According to a **press release** issued on June 28th, 2023, the legal actions filed by Amazon include four notable lawsuits against prominent perpetrators. Here is an overview of each case:

**Amazon v. Nice Discount:**

The owners and operators of Nice Discount have been accused of orchestrating a scheme to generate fake positive reviews and feedback through their “Product Tester Club.” Reviewers are enticed to leave fabricated positive reviews or feedback in exchange for refunds or monetary rewards. By connecting bad actors operating Amazon selling accounts with reviewers, the defendants have guided these individuals on when and how to post fake reviews, creating an illusion of authenticity. **Case No. 23-2-10603-2 SEA**.

**Amazon v. Littlesmm:**

The website Littlesmm has allegedly been selling packages of fake reviews to unscrupulous individuals operating Amazon selling accounts across Australia, Canada, and the U.S. Ranging in price from $20 to $440, these packages offer both positive and negative reviews. By employing Amazon customer accounts under their control, the defendants have orchestrated the posting of counterfeit positive reviews while simultaneously undermining their competitors’ product listings through fake negative reviews. **Case No. 23-2-10452-8 SEA.**

**Amazon v. MangoCity:**

The owners and operators of MangoCity have been accused of selling fake reviews for prices ranging from $50 to $4,000. Utilizing their website, video chats, and email correspondence, the defendants accept payments and subsequently deploy Amazon customer accounts to leave fabricated 5-star reviews on product listing pages. Additionally, they have targeted competitors by offering fake negative reviews on their products. Case No. 23-2-11278-4 SEA.

**Amazon v. Reddit Marketing Pro:**

The owners and operators of Reddit Marketing Pro have allegedly provided fraudulent services, including fake positive and negative reviews, to bad actors with Amazon selling accounts. In exchange for fees ranging from $99 for five fake reviews to $6,999 for 500 fake reviews, the defendants have employed Amazon customer accounts under their control to populate product listing pages with counterfeit reviews. They have also marketed fake “Questions and Answers” to manipulate the content displayed. Case No. 23-2-11265-2 SEA.

In a comment to Hackread.com, Chris Downie, CEO of Edinburgh, Scotland-based anti-fraud platform **Pasabi** said, “Fake review brokers play a central role in poisoning consumer decision-making, destroying businesses and inflicting untold damage on the wider economy.”

Downie added that “Whilst it’s encouraging to see Amazon taking these fraudsters to task via the legal system, so much more needs to be done to tackle the growing fake review epidemic which influences around £4bn in UK consumer spending every year.”

“By harnessing the power of AI and the latest fraud detection anti-fraud technology, review aggregators and business owners need to work together to identify and block fraudulent reviews, stamping out the problem before it gets any worse,” added Downie.

Amazon chief **David Montague**, vice president of Selling Partner Risk, said, “Our goal is to ensure that every review in Amazon’s stores is trustworthy and reflects customers’ actual experiences. Amazon welcomes authentic reviews—whether positive or negative —but strictly prohibits fake reviews that intentionally mislead customers.”

“We continue to innovate on our proactive technology to detect fake reviews and other indications of unusual behaviour. Another way we fight fake reviews is through legal action. Not only are we targeting the source of the problem but we’re sending a clear message that there’s no place for abuse in our store and we will hold fraudsters accountable,” he added.

Despite Amazon’s aggressive stance against fake review brokers, the company recognizes that this is a pervasive global problem affecting multiple industries. To address this issue effectively, a collaborative effort between the public and private sectors is required.

By taking legal action against 94 fraudsters across the United States, China, and Europe, as of May 2023, Amazon is demonstrating its commitment to combatting this menace. However, the battle against fake review brokers demands ongoing vigilance and cooperation to ensure a safe and trustworthy online marketplace for consumers and sellers alike.

1.  Brand Protection is Essential for Cybersecurity
2.  42,000 phishing domains found posing as popular brands
3.  Microsoft pwns domains used by hackers for cyber attacks
4.  Memcyco Drops Real-Time Solution to Combat Brandjacking
5.  Indian call center seized over Amazon scam against US citizens

Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Mobile Cyberattacks Soar, Especially Against Android Users

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.

Published:2023/06/30  Last Updated:2023/06/30

**Overview**

"NewsPicks" App uses a hard-coded API key for an external service.

**Products Affected**

*   "NewsPicks" App for Android versions 10.4.5 and earlier
*   "NewsPicks" App for iOS versions 10.4.2 and earlier

**Description**

"NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service (CWE-798).

**Impact**

Data in the app may be analyzed and API key for an external service may be obtained.  
Note that the users of the app are not directly affected by this vulnerability.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.

According to the developer, the latest app does not hard-code the API key.  
Also the vulnerable API key has been deactivated, and therefore the information contained in the vulnerable app cannot be abused.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sunagawa Masanori of BroadBand Security, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-28387: "NewsPicks" App uses a hard-coded API key for an external service

Categories: News
Categories: Personal
Stalkerware-type app LetMeSpy has been hacked, with the attacker taking user data with it, the service has announced.



(Read more...)




The post Spyware app LetMeSpy hacked, tracked user data posted online appeared first on Malwarebytes Labs.

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

> On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.
> 
> As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner's knowledge. That's because LetMeSpy is often invisible to the phone's owner. 

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can't tell it's there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which is what has now been hacked.

These sorts of apps have been used by people wanting to monitor their partner's movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there was:

*   26,000+ email addresses of the tool's "operators" along with hashes of their passwords.
*   16,000+ text messages, including passwords and codes for various services
*   Telephone numbers of people who had contacted the tracked phones
*   Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
*   Database dump in SQL format, containing more data, including locations

Spokesman Adam Sanocki for the Polish data protection authority UODO confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When many breaches happen, the affected company should inform users that their data has been breached. But the users of the service here are the ones tracking people, and, sadly, it's unlikely they're going to let the people they are spying on know that their data has been taken.

**How to prevent spyware and stalkerware-type apps**

*   Set a screen lock on your phone and don't let anyone else access it
*   Keep your phone up-to-date. Make sure you're always on the latest version of your phone's software.
*   Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you're sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

**Coalition Against Stalkerware**

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#android