If you use a mix of Apple, Android, and Windows gadgets, you're in luck: The security tool is now available to any Microsoft 365 subscriber.

Microsoft Defender, the company’s security app, is now available to any individual who has a subscription to Microsoft 365, the online productivity suite that includes Word, Excel, and more. Different from the previously released Microsoft Defender software that was built exclusively into Windows computers, this version is available on Windows, Android, macOS, and iOS devices.

Owners of Windows computers without Microsoft 365 don’t need to sweat; Microsoft is still preinstalling software on Windows to protect against viruses and other malware. That software is now simply branded as Windows Security. Beyond accessing a security dashboard where all your connected devices are visible, there’s not a lot of extra incentive for Windows owners to download the new Microsoft Defender app.

Microsoft is extending protection options to Mac and smartphone owners who use Microsoft 365. Not all devices receive the same protections, however. For example, on the Mac, anti-malware protection is provided by Microsoft Defender, while web protection is not.

On the other hand, iPhones and Android devices are able to use web protection from Microsoft Defender. The web protection runs a virtual private network on your smartphone in the background and tries to intervene if any dangerous hyperlinks appear. Microsoft claims that the data from your browsing history is stored on-device and not shared with the company. Learn even more about VPNs and boosting your digital privacy with WIRED senior writer and reviewer Scott Gilbertson’s guide to the best VPNs. In addition to web protection, the anti-malware protection from Microsoft Defender is supported for Android phones.

The new Microsoft Defender app is designed to be used specifically by consumers—as in families and individuals. Although the names are similar, Microsoft Defender for Endpoint is a separate security suite for businesses. Microsoft has guidance on its website to help you understand the Endpoint version and how to switch between accounts.

If you aren’t a Microsoft 365 subscriber but want to get Microsoft Defender, a personal plan costs $70 a year, and a family plan for up to six people costs $100 a year. With a subscription to Microsoft 365, you get OneDrive cloud storage access, in addition to both online and downloadable versions of popular software like Microsoft Word, Excel, and Powerpoint. (Check out this article from WIRED contributor David Nield if you’re on the hunt for a free version of Microsoft Word.)

So who will benefit from the new Microsoft Defender? The features offered are slim at the moment, and it might not be as involved as software from Norton or McAfee, but that may be a good thing considering Defender is more lightweight than either of those options. Keeping that in mind, the large quantity of devices tracked from a single dashboard could be a boon for family leaders trying to keep an eye on the whole crew’s security across multiple devices.

Subscribers to the Microsoft 365 individual plan can get Microsoft Defender to protect five devices at once. For those on the family plan, you can simultaneously shield up to 30 devices. The suite will send you alerts whenever Grandma downloads malware onto her computer (again) or the teens on their smartphones click a malicious link.

Searching for even more strategies to beef up your digital security? WIRED has helpful advice on everything from password protecting your files to keeping those spicy pics private. You wouldn’t leave your front door unlocked while running errands, and with so much of our lives experienced online, taking protective measures on your computer and smartphone makes just as much sense.

How to Use Microsoft Defender on All Your Devices

It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.

Since early 2016, WhatsApp has protected messages and conversations sent in its app with end-to-end encryption. This means that nobody other than the sender and receiver of messages can read their content—not even Meta can read or snoop on the contents of your conversations.

Despite WhatsApp being omnipresent—more than 2 billion people use it each month—securely moving your encrypted chats and photos to different platforms or apps has been a challenge. Transferring your WhatsApp chats from Android to iPhone and from iPhone to Android has historically only been possible using third-party apps. These apps are often fiddly and don’t necessarily protect your data at the level offered by WhatsApp’s ecosystem.

But in recent months WhatsApp has made it possible to officially switch between iPhones and Android (and vice versa), rolling out processes to securely move data between operating systems and working with phone manufacturers to enable the move.

If you’re fed up with Meta’s ecosystem, it’s also possible to move your groups and some chat data to other messaging apps. Here’s how to move all of your WhatsApp chats and backups.

Android to iPhone

Moving your WhatsApp account from Android to an iPhone involves a few steps. But it should be possible to bring most of your information with you: Your profile photo, individual and group chats, history, photos, videos, and settings can all make the jump from one device to another. Your call history and display name can’t be moved across, however, WhatsApp says.

Most of the work in moving your WhatsApp data comes before you make the shift. To move between devices, you need to ensure you have the same phone number on each. Before you start the process, make sure you have a recently updated version of WhatsApp on your Android phone. You also need to be running at least Android 5 on the device you’re moving from and iOS 15.5 on the iPhone you’re moving to. (The iPhone needs to be a new device or have been recently reset to its factory settings.)

Next, download and install the “Move to iOS” app from Google’s Play Store—this Apple-owned app will do all the heavy lifting. When you’re ready to migrate your data, plug both devices into a power source and connect both phones to the same Wi-Fi network. (If you don’t have a Wi-Fi network, it’s possible to use a hotspot to connect your Android phone to the iPhone.)

When both phones are on the same network, open up the “Move to iOS” app on the Android phone and follow the instructions to connect the two phones. Then select WhatsApp as the data source you want to transfer from, and the app will prepare your chats to be moved across—final prompts will confirm you want to make the switch.

This process will log you out of WhatsApp on your Android phone, and you’ll need to download the app on the iPhone you are moving to. When you first use WhatsApp on this iPhone, it’ll ask you to use the same number as on the Android device and prompt you to complete the transfer process. When the process is complete, if you are getting rid of your old phone, make sure to do a factory reset and wipe all your data.

iPhone to Android

It’s been possible to transfer your WhatsApp chat history from iPhones to Android devices since October 2021. This transfer process includes your photos, messages, voice messages, and group conversations.

The compatibility was first rolled out for Samsung phones but has since expanded to include Google Pixel phones and all devices running Android 12. To make the move, you’ll need a USB-C-to-Lightning cable to physically connect the two devices, Google explains. “When prompted while setting up your new Android device, scan a QR code on your iPhone to launch WhatsApp,” the company says in a blog post. Alternatively, in WhatsApp you can go to **Settings** > **Chats** > **Move Chats to Android** and follow the transfer prompts.

WhatsApp’s guide to moving your chats between iPhones and Samsung devices says you will need the Samsung SmartSwitch app installed on the new phone and the same phone number on both devices. As with moving from Android to an iPhone, make sure you delete or wipe your old phone if you’re getting rid of it.

WhatsApp to Signal

Signal is widely considered the best messaging app for security and privacy. Check out our guide to switching your text messages to Signal and moving your messages between devices. While you can’t directly move your WhatsApp chat history to Signal, there are some things you can do to make the switch more straightforward.

It’s possible to easily recreate your WhatsApp groups on Signal—although getting all your family and friends to ditch the Meta-owned app may be more of a challenge. To recreate your groups, open the Signal app and start a new group by tapping the **pencil icon**. When you are asked to add people from your contacts, **tap on Skip** and instead pick the option to get a link to invite people to the group (a QR code is also available). From here, you can share this link with your WhatsApp chats and allow people to move over.

WhatsApp to Telegram

Unlike Signal and WhatsApp, Telegram is not end-to-end encrypted by default. As a result, security experts often warn against using Telegram. However, if you still want to use Telegram, it’s possible to move your chat history from one app to the other.

On both iOS and Android, open the chat you want to move to Telegram and click on the chat’s name or details (using _⋮_ on Android). From here, tap **Export Chat** and when you get the choice of where to **share** the chat, pick Telegram. When exporting chats from WhatsApp to Telegram, you have the choice to take photos and videos with you, or just chat messages.

Back up your WhatsApp chats

You can also back up your WhatsApp conversations in the cloud. This allows you to keep your messages and photos safe if you’re moving from one iPhone to another iPhone or Android to Android—for instance, if you upgrade or break your device and replace it with one using the same operating system.

Until September 2021, WhatsApp didn’t end-to-end encrypt backups, creating a potential security risk and exposing people’s chats to requests from law enforcement. However, the company has since closed that loophole, so it’s now much less of a risk to have your chats backed up to iCloud or Google’s Cloud. To back up to either platform, you will need a Google Drive account or an iCloud account.

On Android, in WhatsApp go to **More options** > **Settings** > **Chats** > **Chat backup** > **Back up to Google Drive**. While on iOS go to WhatsApp **Settings** > **Chats** > **Chat Backup** > **Back Up Now**. You’ll then be able to set the frequency of your backups and elect whether data-heavy videos are included.

How to Move Your WhatsApp Chats Across Devices and Apps

By Deeba Ahmed
According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute…
This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

****According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy.****

Google Threat Analysis Group published its findings on the highly sophisticated Hermit spyware. Report authors Benoit Sevens and Clement Lecigne wrote that an Italian spyware provider, RCS Labs, received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy using commercially available surveillance tools. 

**Drive-By-Downloads to Infect Target Devices**

Researchers state that this campaign, which mainly relies on drive-by-downloads, proves threat actors may not always rely on exploits to get extensive permissions on a device. Through drive-by-downloads, they can fulfill their malicious goals just as effectively with the help of ISPs.

**Attack Scenario**

The attackers get their victim’s internet connection disrupted with the support of ISPs. In some cases, the target’s ISP disabled their mobile data connection. The victims are then requested to install a malicious application to get back online through an SMS message containing a URL. The victim is asked to install the application and resume their data connection.

Since the campaign involves ISPs, these apps are disguised as legit mobile carrier apps. In scenarios where attackers couldn’t directly influence the target’s ISP, they embedded the spyware in apps disguised as messaging applications.

The victim is redirected to a fake support page where they are promised to recover their suspended social media (Facebook and Instagram) and WhatsApp accounts. Though the social media links let the user install the official apps, the WhatsApp link leads the victim to a fake version of the WhatsApp app.

A screenshot shared by Google shows one of the malicious sites involved in the attack (fb-techsupportcom

**Malicious iOS Apps used by 6 Different Exploits**

According to a blog post published by Google’s Threat Analysis Group, these malicious apps were unavailable on Google Play and Apple App Store. The threat actors sideloaded the iOS version, which was signed with an enterprise certificate.

The target was asked to enable installation for these apps through unknown sources. The iOS apps used in the attack contain a “generic privilege escalation exploit wrapper” used by 6 different exploits. It also includes a “minimalist agent” that can exfiltrate device data, including the WhatsApp database. Details of these exploits are as follows:

*   **CVE-2021-30883 known as Clicked2**
*   **CVE-2021-30983 known as Clicked3**
*   **CVE-2020-9907 known as AveCesare**
*   **CVE-2020-3837 known as TimeWaste**
*   **CVE-2018-4344 known as LightSpeed**
*   **CVE-2019-8605 known as SockPort2/SockPuppet**

**Android Version Details**

The drive-by attacks on Android phones require the victims to enable a setting for installing third-party apps from unknown sources, after which fake apps disguised as legit brand apps like Samsung request extensive permissions. Besides rooting the device for rooted access, the apps are designed to fetch/execute arbitrary remote components, which communicate with the main application.

**Hermit Capabilities**

Hermit boasts a modular feature set and can steal sensitive data from smartphones, including location, contacts, call logs, and SMS messages. The spyware’s modularity allows it to become fully customizable.

Once installed on the device, it can record audio and even make/redirect phone calls, apart from abusing accessibility services permissions. However, researchers didn’t specify the RCS Labs clients involved in this campaign or its targets. For your information, RCS Labs is among the 30 spyware providers currently tracked by Google.

*   Edward Snowden urges users to stop using ExpressVPN
*   How a Woman’ Fitbit Fitness Tracker Helped Solve Her Murder Case
*   Pics of IDF women soldiers helped hackers to breach Israeli Military Servers
*   Cloud video platform abused in web skimmer attack against real estate sites
*   Cybercrime Syndicate Leader Behind Phishing, BEC Scams Arrested in Nigeria

ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

By Deeba Ahmed
This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper. Cybersecurity researchers at…
This is a post from HackRead.com Read the original post: Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

****This newly discovered malware campaign is attributed to a Chinese hacking group called Tropic Trooper.****

Cybersecurity researchers at Check Point have shared details of a new malware campaign suspected to be launched by a Chinese hacking group Tropic Trooper.

The malware operators are using a unique loader Nimbda, written in Nim language, and a new variant of Yahoyah trojan.

Researchers state that the hackers possess extensive cryptographic knowledge as they have extended the AES specification in a customized implementation.

**Info-Stealing Trojan Embedded in SMS Bomber Tool**

According to Check Point’s analysis, the info stealing trojan is hidden inside a Chinese language greyware tool called SMS Bomber. This tool is used for targeting cellphones with Denial of Service attacks (DoS attacks).

SMS Bomber tool allows users to enter any phone number to flood their phones with a message, rendering the devices unusable. Novice hackers typically use such tools to compromise websites.

**Attack Scenario**

When the infected version of SMS Bomber (equipped with standard functionalities and the tool’s binary) is downloaded to the device, the attack sequence is immediately initiated. The downloaded tool also contains additional coding injected into a notepad.exe process. 

In a blog post, researchers explained that This executable is the Nimbda loader, which uses the SMS Bomber as an icon and an executable while the loader injects shellcode in the notepad process in the background. The process then reaches a GitHub repository, fetches an obfuscated executable, decodes it, and executes it through process hollowing in Dllhost.exe, the new Yahoyah variant. 

This variant collects host-related data and transmits it to the attacker-operated C2 server. The final payload that Yahoyah executable drops is encoded in a JPG file through steganography. Researchers identified it as TClient. It is a backdoor used in previous campaigns by Tropic Trooper.

The interface of SMS Bomber (left) – Infection chain of the malware (right)

**What Information is Collected**

Yahoyah can collect device names, local wireless networks’ SSIDs located within the target device’s vicinity, MAC address, antivirus products installed on the device, OS version, and presence of Tencent and WeChat files.

The encryption used for Yahoyah is a custom AES implementation to perform the inverted sequence of round operations twice. Therefore, Check Point named it AEES. Though it doesn’t make encryption any stronger, it makes analyzing it complicated for researchers.

**Potential Targets**

Tropic Trooper has mainly focused on espionage in their previously identified phishing campaigns targeting Russian entities. However, in this campaign, the hackers have trojanized the SMS Bomber tool; hence they have narrowed down their targets.

Researchers believe their target could be based on the intelligence information the group collected during past espionages. Tropic Trooper also uses KeyBoy, Earth Centaur, and Pirate Panda monikers.

The group has a history of targeting targets in Hong Kong, Taiwan, and the Philippines. Moreover, their prominent targets are linked to the government, transportation, healthcare, and technology sectors.

**More Chinese Hackers in Action News**

*   China’s insidious surveillance against Uyghurs with Android malware
*   Android malware HenBox hits Xiaomi devices & minority group in China
*   China arrests 11 hackers for infecting 250M devices with Fireball malware
*   Someone from China is Distributing Mirai Malware Through Windows Botnet
*   Unofficial Micropatch for Follina Issued as Chinese Hackers Exploit the 0-day

Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.
Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.

Researchers from Google Threat Analysis Group (TAG) revealed details in a blog post Thursday by TAG researchers Benoit Sevens and Clement Lecigne about campaigns that send a unique link to targets to fake apps impersonating legitimate ones to try to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s respective mobile app stores, however, they said.

TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan government against domestic targets, and identified by Lookout research.

“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.

All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.

“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.

****Collaborating with ISPs****

One lure employed by threat actors is to work with the target’s ISP to disable his or her mobile data connectivity, and then masquerade as a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they said.

Researchers outlined in a separate blog post by Ian Beer of Google Project Zero a case in which they discovered what appeared to be an iOS app from Vodafone but which in fact is a fake app. Attackers are sending a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.

“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.

Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.

In other cases when they can’t work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.

****iOS Campaign Revealed****

While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.

They also released details of the host of vulnerabilities—two of which were zero-day bugs when they were initially identified by Google Project Zero—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983 internally referred to as Clicked3 and fixed by Apple in December 2021.

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with a manifest file with com.ios.Carrier as the identifier, researchers outlined.

The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.

The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clieked3, the other bugs exploited are:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed;
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste;
*   CVE-2020-9907 internally referred to as AveCesare; and
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.

****Broader Implications****

The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.

Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.

The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.

In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.

Google Warns Spyware Being Deployed Against Android, iOS Users

The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

To prevent these attacks, businesses must have complete visibility into, and access and management over, disparate devices.

Most of the news about Internet of Things (IoT) attacks has been focused on botnets and cryptomining malware. However, these devices also offer an ideal target for staging more damaging attacks from inside a victim's network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 is a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence inside a network. This type of advanced persistent threat (APT) is likely to increase in the near future, so it's important for companies to understand the risks.

**A Critical Blind Spot**

Purpose-built IoT and OT devices that are network-connected and disallow the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations can't identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?

Consequently, unmanaged devices regularly have high- and critical-level vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices that are deployed in large organizations, and we've found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found, 50% use default passwords, and 25% are at end of life and no longer supported.

**Compromising and Maintaining Persistence on IoT, OT & Network Devices**

Taken collectively, all of these issues play directly into the hands of attackers. Because network, IoT, and OT devices don't support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and turn on services within these devices without being detected. They can then maintain persistence because vulnerabilities and credentials aren't being managed and firmware isn't being updated.

**Staging Attacks Within the Victim Environment**

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network.

To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker will likely use ordinary, expected network communication such as API calls and device management protocols to avoid detection.

**Surviving Incident Response**

The same problems that make network, IoT, and OT devices an ideal place for staging secondary attacks also make them well-suited for surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It's very difficult to completely kill off attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks — even if the attacker's malware and toolkits are completely removed from the company's IT network, command-and-control channels are disrupted, software versions are updated to eliminate previously exploitable vulnerabilities, and individual endpoints are physically replaced.

**How to Reduce Corporate Risk**

The only way for businesses to prevent these attacks is to have complete visibility into, and access and management over, their disparate IoT, OT, and network devices.

The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

The first step companies should take is to create an inventory of all purpose-built devices and identify vulnerabilities. Next, companies should remediate risks at scale related to weak passwords, outdated firmware, extraneous services, expired certificates, and high- to critical-level vulnerabilities. Finally, organizations must continuously monitor these devices for environmental drift to ensure that what's fixed stays fixed.

These are the same basic steps companies follow for traditional IT assets. It's time to show the same level of care to IoT, OT, and network devices.

How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

By Deeba Ahmed
The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to…
This is a post from HackRead.com Read the original post: Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

****The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to remote malicious attackers.****

Researchers have identified vulnerabilities in Jacuzzi Brand LLC’s SmartTub app web interface that can reveal private data to attackers.

Security researcher and ethical hacker Eaton Zveare (EatonWorks) has identified a security flaw in the SmartTub feature of the app used in the hot tubs manufactured by the world-renowned Jacuzzi Brand.

The flaw exists in the app’s web interface, and as per the researcher, it allows a threat actor to view and abuse the personal data of hot tub users. The issue has been patched now, but Zveare claims he wasn’t notified about the fixes. Moreover, he stated that Jacuzzi didn’t reply to his emails.

**About the SmartTub App**

SmartTub is a Jacuzzi app available for iOS and Android systems. It has a SmartTub feature that users can use to connect to the tub via a module remotely and receive status updates or accepts users’ commands for various tasks. Such as, it can automatically set the water temperature, turn on lights and water jet, etc. It isn’t clear whether the vulnerability impacted these functions.

**Attack Scenario Explained**

According to a blog post, Zveare first accessed the Smarttub.io app’s admin panel using the wrong credentials, which were initially not accepted. He was then redirected to a display page where he could view data from multiple Jacuzzi brands in the US and elsewhere.

> “Right before that message appeared, I saw a header and table briefly flash on my screen. Blink and you’d miss it. I had to use a screen recorder to capture it. I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.”
> 
> Eaton Zveare

Furthermore, the app’s single-page-application (SPA) JavaScript bundle showed that usernames and passwords were sent to a third-party verification platform Auth0. Using the Fiddler tool, Zveare modified the HTTP response to masquerade in the admin status and obtain full access to the panel and a vast trove of data.

Hence, the issue identified was a poorly secured admin console in the web interface that allowed bypassing admin credentials.

**What was Data Exposed?**

The researcher claims that the bug could have exposed users’ first and last names, email addresses, and other sensitive data if abused. This issue could have impacted users all over the world.

According to Zveare, he could view details of “every spa,” check its owner, and remove their ownership. Furthermore, he could view user accounts and edit them as well. However, he didn’t test it as he feared the changes would be saved.

The researcher informed Jacuzzi Brands in early December, and the issue was resolved on 4 June.

**More IoT Vulnerability News**

*   Why Internet of Things is the world’s greatest cyber security threat
*   Bluetooth Signals Can Be Abused To Detect and Track Smartphones
*   Hackers attack Casino fish tank thermometer to obtain sensitive data
*   Hackers Can Disable House Arrest Ankle Bracelet without Raising Alert
*   Samsung Smart Refrigerator Hacked, Left Gmail Login Credentials Vulnerable

Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users’ Data

Europol, the Belgian police, and the Dutch police, have apprehended members of a cybercriminal gang involved in phishing and other fraud.
The post Police seize and dismantle massive phishing operation appeared first on Malwarebytes Labs.

Europol has coordinated a joint operation to arrest members of a cybercrime gang and effectively dismantle their campaigns that netted million in Euros. This operation also led the Belgian Police (Police Fédérale/Federale Politie) and the Dutch Police (Politie) to nine arrests, 24 house searches, and the seizure of firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency.

The group was involved in fraud, money laundering, phishing, and scams.

According to a Europol press release, the group’s modus operandi started with an email, text message, or private message containing a link to a phishing page.

Once recipients opened the link, they would be directed to a bogus bank website. Here, they were encouraged to enter their banking credentials. Money mules then used these credentials to cash out millions in Euros from victim accounts.

On top of fraud, the group was also involved in drug and possible firearms trafficking.

“Europol facilitated the information exchange, the operational coordination and provided analytical support for investigation,” reads the press release, revealing law enforcement involvement in the arrest operation. “During the operation, Europol deployed three experts to the Netherlands to provide real-time analytical support to investigators on the ground, forensics and technical expertise.”

The takedown of this phishing operation came months after Europol shut down the FluBot Android operation and the seizure of RaidForums, a hacking forum.

Tag

#android