RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.

�4�rb�YtT՝��\_1���TP�6 U� �5�b䗬"�d�M�#3��yo& �54�Flt����ʞÞ�-g�=t�n(X���l9\[��ݢ4�M�E�h�����$���\_�=� �}��������~��{ߐ�oR���ys���ͭ��UW?{N���ٵ7ף~^���ʘ�Y�O���i�P���ݟj�?�IC\\1;n�5q��,Ơ�7�����gϩ�\]���9ʨ�,��?��/0�Az�IGʹ�\]ψ9i�u�v��#�������+̴i�;#n7NԎ��e|t�����ό�\]c��k��wl'�F��#�J/WȘ��k�e��cq�^.�"N��L�ՎG#�t�5��(��̈�f�K����g�^�x3�<ͷ��I�����ڞ�$�Hą��M:%�^�2�ܳ�i�g�@:烮1V��&��N&1~:ẅ́q�N���D�7�\_p=�7��kch��\`�|��at#�v"��Q���92�p�.fǈ�i3�9�3,B�,ݸ4?�vJ&β˰,aD�J�=�#b:Q��'e�Ü�\[����|�%an����aj��J���ZN&��i'��+�i6e��@���ܰc����f~��y\_�ǑA��:?��'S�Iޅ�f�4 �њ���

CVE-2022-30333

Three tech giants used World Password Day to announce their commitment to a passwordless future using FIDO Alliance standards.
The post Google, Apple, and Microsoft step hand in hand into a passwordless future appeared first on Malwarebytes Labs.

While we recently “celebrated” World Password Day, almost every security outlet keeps telling us that passwords alone are not enough.

In practice, in the last few years this has meant pairing passwords with something else, such as a one-time code from an app or an SMS message, in a scheme called two-factor authentication (2FA).

But while pairing passwords with a second factor is much better than using a password by itself, it is just a way of working around some very serious, inherent flaws in password authentication. Which begs the question: If passwords are such a problem, why use them at all?

Now Apple, Google and Microsoft have announced that you don’t have to.

The trio of tech giants all used World Password Day to declare increased support for FIDO Alliance standards like FIDO2, a globally-recognized standard for passwordless authentication.

According to the alliance:

> In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

**Microsoft, Google, and Apple**

Last year, Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and services.

On May 5, 2022, Google announced it will implement passwordless support in Android and Chrome, and Apple announced its support for new authentication capabilities enabled by the adoption of FIDO’s latest standard.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

With all three tech giants on board, we can expect passwordless FIDO sign-in across macOS and Safari; Android and Chrome; and Windows and Edge. This means that, for example, users will be able to sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

**FIDO2**

Instead of using a password, which can be intercepted as it passes over the Internet, and has to be processed and stored by each service you use, FIDO2 uses public-key encryption. It performs the cryptographic operation that verifies who you are on a device you own, using a private key that never leaves your possession. This means that nothing of value is shared with or stored on the website or service you’re using, and the information sent back and forth during authentication is of no use to an attacker.

FIDO2 combines two standards: WebAuthn and CTAP. WebAuthn does the important job of setting out how web browsers authenticate to websites, but the real magic of FIDO2 is CTAP, the Client to Authenticator Protocol.

CTAP is what allows that crucial cryptographic operation to happen on a wide variety of devices (referred to as “roaming authenticators”), including hardware keys, phones, and laptops. These roaming authenticators are expected to have a mechanism to obtain a “user gesture” which authorises the cryptographic operation, such as a consent button, a password, a PIN, a fingerprint, or face recognition. And this is what allows you to approve your authentication to a website using your iPhone’s Touch ID or Windows Hello.

Devices that act as roaming authenticators can also communicate with other devices, so you can do things like signing in to websites you’re visiting on your laptop by using Touch ID on your iPhone or drawing a pattern on your Android tablet.

**Will it work?**

The idea of passwordless authentication is to create a login method that is secure and easy-to-use, and that eliminates the risks of phishing, password guessing, password reuse, and credential stuffing.

As with all security innovations, we don’t expect attackers to respond by giving up and going home, just to shift their attention to (hopefully) more difficult and expensive forms of attack.

When Microsoft announced in September that you no longer needed a password, we spoke to Per Thorsheim, one of the world’s leading experts on passwords. He had some major concerns about situations when people lose access to their choice of authenticator, and with that lose access to their Microsoft account.

> \[I am concerned about\] when people lose access to their choice of authenticator, and by that lose access to their Microsoft account. I’ve attempted account recovery with Microsoft before, and I know others who have tried and failed miserably. Account recovery is hard, usually to avoid making the process a prime target for hackers.

FIDO2 puts a heavy burden on the account recovery process. Will there be a backup method similar to a “forgot my password” procedure, or do I have to create a new account which can then be linked to my online persona? Either way, such a method could create create a backdoor for attackers to target instead of FIDO-protected authentication.

Passwordless authentication could also multiply the stress caused by a stolen or lost device. If an attacker can guess your PIN or pattern they have access to all of your accounts.

Fortunately, rate-limits on phones makes that very difficult. Even if you secure your device with a 4-digit PIN or a pattern, an attacker finding or stealing your device will have to be very lucky to guess it correctly before the device shuts them out altogether.

However, trusting someone with the access code to your phone will become the equivalent of handing them the key to your entire online life.

If the importance of device access increases, this could lead to more stringent authentication requirements on our pohnes. For example, PINs with 10 digits instead of four or six, or more complicated patterns. And perhaps we’ll say goodbye to default PINs as well.

Nevertheless, we look forward to the passwordless future, even if we may have to work out some details along the way. Passwords have outlived their use for important resources: Victims have been made despite doing everything right; and threat actors have made an industry out of phishing our passwords, keyphrases, and security questions, and from brute-force guessing our passwords.

It is time for something new and three tech giants working together with an established industry association on a passwordless future looks promising.

Stay safe, everyone!

Google, Apple, and Microsoft step hand in hand into a passwordless future

By Deeba Ahmed
The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.…
This is a post from HackRead.com Read the original post: USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.

Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.

**About Raspberry Robin**

Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.

Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers are also clueless about when and how the external drives get infected. They suspect that this infection occurs offline.

**Attack Chain Details**

> Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries use msiexec.exe to deliver malware while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.
> 
> Lauren Podber and Stef Rand  
> Red Canary

The external drive is equipped with the worm payload that appears as a .LNK shortcut file in a legit folder. The worm creates a new process using cmd.exe to read/execute the malicious file on the USB drive.

According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and for downloading/installing the DLL library file.

Raspberry Robin event outline (Red Canary)

This DLL file is loaded and executed using legitimate Windows utilities like rundll32.exe, fodhelper.exe, and odbcconf.exe to bypass the UAC (User Account Control). Researchers also detected an outbound C2 contact involving regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.

Regarding why the worm installs a malicious DLL, the researchers were unclear. They hypothesized that it could be done to maintain persistence on the infected machine.

**More Windows Malware News**

1.  Beware of Fake Windows 11 Update Delivering Malware
2.  LodaRAT Windows malware now hunting Android devices
3.  New malware tool can steal files from air-gapped PCs using USBs
4.  PyMICROPSIA Windows malware steals browsing data, records audio
5.  Fake Windows website dropped Redline malware as Windows 11 upgrade

USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

Sites offering premium apps are popping up all over YouTube comments and elsewhere. Are they legit?
The post Steer clear of fake premium mobile app unlockers appeared first on Malwarebytes Labs.

A site has been bouncing around YouTube comments for the past couple of weeks. The site sometimes changes, the messages alter slightly, but the essence remains the same: In all cases, people acting in suspiciously automated fashion ask if everyone is using this “glitch” or generator without ever clarifying what, exactly, either of them are, or do.

The site offers “tweaked apps”, apparently available with a single click and requiring “no jailbreak, no root.” (Jailbreaking is the practice of breaking out of the iPhone’s default, highly-restricted mode, and getting “root” is the rough equivalent on an Android device.) That’s what they _claim_, anyway. There’s an OnlyFans Premium, Netflix Premium, a Pokemon Go Spoofer Injector, and many more.

Get your premium content here…

No matter which app you select though, the outcome is the same.

A page informs you of the last time the app was updated, your IP address, whether the app is compatible with your device, and “no injection detected”.

They go on to say the following:

> App injection required!
> 
> Follow the steps on the next page. To get started, we first need to inject the content into this app. This is a simple process and you will only have to do this once to get access.

Despite claiming that this process will “only work” on mobile, they’re being somewhat liberal with the truth. You absolutely can start the so-called injection process on a desktop, because there is no injection process, it’s all fake.

Here’s a supposed “Premium Unlocker” for OnlyFans.

Fake OnlyFans Premium Unlocker

When you start the “injection process” a message saying “Injecting: connecting with your phone” pops up, whether you’re using a phone or not.

It’s all a fraud. We’re redirected to a domain aimed at promoting ad offers / surveys / deals to mobile users. We are, rather nostalgically, in the land of the survey scams. At one point these seemed to be the only form of fakeout in town, made massively popular by gating non-existent unicorn deals behind walls of clickthrough ads.

**A stack of empty promises**

If you were promised a game, you’d get a demo version. Money off vouchers? You’d likely have to spend more signing up to deals to receive one in the first place. In other words, it was a massive scam factory for people up to no good. Note the desperation on the prompt urging to you to keep opening up new offers before receiving your non-existent reward:

“Please install more!”

All you’re likely to get from this is:

*   Surveys or popups
*   Malicious mobile downloads
*   Signup offers that require personal information or payment.

You could easily go into this thing expecting free premium content for your service of choice, and exit with spyware or monthly payments for subscription services you don’t actually need. As a rule, free versions of paid-for apps offered on random websites simply do not exist. Sites which claim to offer hacks or generators for titles like Roblox, FIFA, or GTAV, are simply making it up. They will almost certainly be a survey scam or something else you don’t want to get involved in.

If you’re really in need of premium versions of services you use, you’re better off paying for them. At the very least, it has to be better than spinning the wheel on sites like the above and hoping you don’t get burned.

Steer clear of fake premium mobile app unlockers

Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year.
Tracked as CVE-2021-22600 (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service.
The

Google has released monthly security patches for Android with fixes for 37 flaws across different components, one of which is a fix for an actively exploited Linux kernel vulnerability that came to light earlier this year.

Tracked as CVE-2021-22600 (CVSS score: 7.8), the vulnerability is ranked "High" for severity and could be exploited by a local user to escalate privileges or deny service.

The issue relates to a double-free vulnerability residing in the Packet network protocol implementation in the Linux kernel that could cause memory corruption, potentially leading to denial-of-service or execution of arbitrary code.

Patches were released by different Linux distributions, including Debian, Red Hat, SUSE, and Ubuntu in January 2022.

"There are indications that CVE-2021-22600 may be under limited, targeted exploitation," Google noted in its Android Security Bulletin for May 2022. Specifics about the nature of the attacks are unknown as yet.

It's worth noting that the vulnerability has also been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog as of last month based on evidence of active exploitation.

Also fixed as part of this month's patches are three other bugs in the kernel as well as 18 high-severity and one critical-severity flaw in MediaTek and Qualcomm components.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Releases Android Update to Patch Actively Exploited Vulnerability

The passwordless future just became closer to reality, as Microsoft, Apple, and Google pledge to make the standard possible across operating systems and browsers.

Apple, Google, and Microsoft will expand support for FIDO Alliance's passwordless standard to make logins easier across mobile devices and desktops.

By expanding support for the password-free sign-in standard from the FIDO Alliance and the World Wide Web (W3) Consortium, Google, Microsoft, and Apple will make it possible for anyone to use their mobile device to sign into an app or website on a nearby device. More importantly, users will be able to access passkeys – their FIDO sign-in credentials – across multiple devices without having to re-enroll every account on each device. This will be a key change from the current reality, where users have to sign into each website or app with each device before they can take advantage of the passwordless feature.

"We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms," writes Sampath Srinivas, a product management director for secure authentication at Google and the president of the FIDO Alliance. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year."

**Case for No More Passwords**  
Passwords do not provide sufficient security – they can be stolen or guessed if the password itself isn't very good. Weak passwords accounted for more than 80% of all data breaches, according to Verizon's annual Data Breach Investigations Report. Passwords are the single largest attack vector and the root cause of most attacks -- including account takeovers, advanced persistent threats, and ransomware, says Jasson Casey, CTO of Beyond Identity. Four out of five times adversaries rely on stolen credentials for initial access and lateral movement, he says.

"Password-based authentication has failed us. Full stop," Casey says.  

There are more than 921 password attacks every second, writes Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft. That represents more than double the figure over the past 12 months.

A new Google/Ipsos survey found that one in three Americans share passwords with someone else or have access to someone else's passwords, and 65% of respondents say they reuse passwords. One in five use common words or easy-to-guess terms for passwords, and 52% say they incorporate personal information such as name and birthday into the password.

"The alternatives \[to passwords\] often are unworkable, unwieldy, or just not likely to be adopted by consumers, especially the non-tech-savvy ones or those who are on the lower end of the socio-economic scale," says John Bambenek, principal threat hunter at Netenrich.  

Passwords are still ubiquitous despite the issues because they are relatively easy to implement and people know how to use them, which is why passwords still haven't gone away. Instead, security teams rely on technologies such as multifactor authentication and password managers to provide additional protection to strengthen the security around accounts, platforms, and data. 

However, these controls have made "marginal security gains," Casey says, mainly because they still rely on passwords and the second factors can be intercepted via social engineering methods (such as one-time passwords sent over SMS).

**Cross-Platform Passwordless**  
The good news is that technology is now in place to make passwordless authentication a reality, Casey says. Secure enclaves are prevalent (and resident in nearly every device), and almost all enterprise and consumer apps can leverage secure enclaves to easily delegate passwordless authentication.

The announcement from Google, Microsoft, and Apple indicates the expanded support will be implemented in macOS and Safari, Android and Chrome, and Windows and Edge. The actions used to unlock the mobile device — such as fingerprint, face scan, and device PIN — will give access to the passkey stored on the device. Signing in with the passkey is more secure because it's based on public key cryptography, Srinivas says. Even if the device is lost, the passkeys will sync back to the mobile device from cloud backup, he says.

All of this will be cross-platform. Ideally, a user would be able to sign into a website via Google Chrome on a Windows machine using a passkey on an Apple device.

"This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS," the FIDO Alliance said in a statement.  

Implementations that rely on secure enclaves, especially those already built into modern devices, such as the Trusted Platform Module on laptops and desktops, combined with the security posture of the device itself make passwordless authentication a reality, Casey says.

Jennifer Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), praises the announcement, calling it "the type of forward-leaning thinking that will ultimately keep the American people safer online."

Passwordless needs to be easy. "If you don’t consider usability, your users will create your next vulnerability," Casey warns.

Microsoft, Apple, and Google Promise to Expand Passwordless Features

Reproductive rights are still largely guaranteed in the United States. Here are some key privacy concepts to adopt in the event that they're not.

While it may be increasingly important for people in the US to consciously consider what they're posting when it comes to their own abortions or those of loved ones, Hayley McMahon, an independent public health researcher who studies abortion access, notes that the goal of this advice is not to chill speech, but to keep people safe.

“I don’t ever want to tell someone they shouldn’t talk about their experience or they can’t talk about their experience, because there’s tons of power in abortion storytelling,” McMahon says. “But I think people need to have all of the information and an understanding of the risks, and then they can make choices about what to say where.”

Know Your Rights

Researchers emphasize, too, that people in the US should know and feel secure in their rights when it comes to dealing with law enforcement. If you are being questioned by police, you can simply say, “I am exercising my right to remain silent and I want to speak with an attorney.” Resources like the Repro Legal Helpline can help connect you with specific legal advice. Additionally, lock your devices with a strong, unique PIN number, keep them locked, and simply ask for an attorney if a cop attempts to compel you to unlock your device. 

McMahon also adds that in the very rare case of a complication with a medication abortion, people should not feel pressure to disclose the treatment to clinicians in the emergency room or other health care settings. Simply saying, “I think I'm having a miscarriage” will suffice.

“People need to understand that it's impossible to tell the difference between spontaneous miscarriage and medication abortion,” McMahon says. “Medication abortion simply induces a miscarriage. And of course, we typically want everyone to disclose their health history to their clinician, but in this case, the treatment is the same, so nothing is lost by not disclosing that information.”

Deluge of Data

Using apps, browsing the web, and using search engines are all activities that can expose personal details, creating a major challenge in controlling the flow of personal information as people research or seek abortions. And often by the time someone is seeking an abortion, they have already generated data that could reveal their health status. Period-tracking apps, for example, gather data that may seem benign but is clearly sensitive in the context of potential abortion criminalization. In one recent case, the Federal Trade Commission investigated and sanctioned the fertility-tracking app Flo Health for sharing user health data with marketing and analytics firms, including Facebook and Google. And researchers have also found numerous examples of health websites sharing personal data with third parties or conducting targeted ad-tracking without adequately informing users and in violation of their privacy policies.

Using a search engine that doesn't track potentially sensitive user data, like DuckDuckGo, and browser extensions that block web trackers, like EFF's Privacy Badger, are all steps you can take to significantly cut down on how much of your browsing data ends up in tech companies' hands. And consider analog options, if possible, for recording and storing reproductive information, like a notebook or paper calendar where you log details of your menstrual cycle.

One of the most pernicious and complicated aspects of attempting to rein in your personal data as you research or seek an abortion is the question of how to mitigate the collection of your location data. Always turn off location services for as many apps as possible—iOS and Android both make this relatively easy now. And if you're traveling to receive an abortion, you might consider leaving your phone at home or keeping it in a faraday bag for as much of the trip as possible.

“A lot of those data-generating activities that you’ve already engaged in in the past are already out there,” says Andrea Downing, founder of the nonprofit Light Collective and a security and privacy researcher focused on patient populations and social media. “You can delete apps from here forward, turn off location services, stop using a fertility app, and those are all great steps. But it's also reasonable if people can't remember everything all the time. Patient populations are susceptible and vulnerable online, and we need to focus on protecting them.”

McMahon, the independent public health researcher, echoes this sentiment, noting that any small steps a person can take to defend their data are positive and should be celebrated.

“I want to emphasize, it is definitely not someone's fault if they forget to do any of these things and then get criminalized,” she says. “People may feel like they made a mistake if they reach out to others for help, but no! You did a normal human thing and the system is criminalizing you.”

While issues of digital privacy are extremely salient to people seeking abortions, they impact every marginalized and disenfranchised group. And as the Light Collective's Downing points out, they ultimately affect everyone.

_“Roe v. Wade_ is about privacy, it was always the core thing underlying that case,” she says. “So even if you are not a person seeking an abortion, you need to be thinking in terms of how your rights may be next.”

How to Protect Your Digital Privacy if Roe v. Wade Falls

On F5 Access for Android 3.x versions prior to 3.0.8, a Task Hijacking vulnerability exists in the F5 Access for Android application, which may allow an attacker to steal sensitive user information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2022-27875

Researcher to reveal fresh details at Black Hat Asia on a tenacious cyber-espionage group attacking specific military, law enforcement, aviation, and other entities in Central and South Asia.

It's one of the more prolific yet lesser-known nation-state hacking groups in the world, and it's not out of China or Russia. The so-called SideWinder (aka Rattlesnake or T-APT4) group has been on a tear over the past two years, launching more than 1,000 targeted attacks.

Noushin Shabab, senior security researcher with Kaspersky, has been tracking SideWinder since 2017 and will share her latest findings on this cyber-espionage team at Black Hat Europe in Singapore this month.

"They have been very persistent in their attacks in terms of targeting specific victims over and over, with new malware and newly registered domains," Shabab says. "So even if the target has suspected that a previous attempt had malicious intentions — like with spear-phishing emails and so on — the threat actor has tried to use a new infection vector and use a new domain to try their luck, over and over."

SideWinder also has upped its game when it comes to hiding its tracks and deflecting detection — as well as in thwarting researchers. The threat group now executes a more complex attack chain that uses multiple layers of malware, additional obfuscation, and memory-resident malware that leaves no evidence of its presence, she says. Although other well-oiled and advanced threat groups also continue to add new methods of camouflaging their activity, Noushin says, SideWinder stands apart for her with its dogged persistence and high volume of activity.

"I think what truly makes them stand out among other APT \[advanced persistent threat\] actors is the large toolset they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," she says. "I haven't seen 1,000 attacks from a single APT" from another group thus far, she adds. 

Shabab has tracked SideWinder's activity since April 2020, but Kaspersky first reported on SideWinder in January 2018 and believes it's been around since at least 2012. The security firm traditionally avoids attributing threat actors to specific nation-states, but Shabab says her firm's initial research into SideWinder showed the group is tied to an India-based company that was advertising malware analysis and penetration testing services on its website. 

"We found some context between that company and that threat actor," she says. However, she notes that "over the years, \[SideWinder\] attribution became more challenging."

SideWinder mostly targets military and law enforcement entities in Central and South Asia, but it's also hit foreign affairs, defense, aviation, IT, and legal firms in Asia. Pakistan and Sri Lanka are its main focus of late, according to Kaspersky's research, and it's recently targeted government and related organizations in Afghanistan, China, and Nepal, according to previous research from Trend Micro and from Anomaly.

Kaspersky also follows another cyber-spying threat group, dubbed Sidecopy, that copies SideWinder's tactics and techniques on occasion, often pivoting to the newest infection vector SideWinder has adopted. Unlike some other security research teams, Kaspersky considers Sidecopy separate from SideWinder. It's seen Sidecopy target organizations mainly in India and Afghanistan.

**No Zero-Days Required  
**SideWinder's main initial attack vector consists of sending convincing-looking spear-phishing emails with malware-rigged document attachments to its carefully curated targets. The hacking group doesn't deploy any zero-day exploits, but instead mostly weaponizes known Windows or Android vulnerabilities, including old Microsoft Office flaws, according to Shabab.

That said, in January 2020, researchers at Trend Micro revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability that affected hundreds of millions of Android phones when it was first published (CVE-2019-2215).

SideWinder often switches gears if its first attempts don't infect its victims. Shabab has seen the APT abuse the Windows file shortcut feature to mask the malware, for example.

"The interesting thing is we have seen them be quite careful and innovative in the way they approach victims," she says. 

On at least two occasions, she says, SideWinder sent empty document attachments with the spear-phishing emails. The document had no content, but a malicious payload was inside. "After a short while, they send a letter \[in an email\] that apologizes for the empty document they had sent earlier. But that second email had a different malicious payload inside the document," she says. "They were trying everything to make sure they get a foothold into the victim's system."

SideWinder also swaps domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.

Kaspersky's research shows that SideWinder mainly targets Windows for now, but it did find some malicious mobile apps last year when the firm investigated the group's infrastructure domains and servers. 

"But looking at their large attack infrastructure and large malware family sets they have for Windows, it doesn't seem mobile is their main focus," Shabab says.  

**Black Hat Talk  
**Shabab will share technical details in her session at Black Hat Asia next week, entitled "SideWinder Uncoils to Strike." Those will include how the hacking team has evolved its obfuscation methods for hiding its malware, and folding it into multistage infection chains. She says that investigating SideWinder's attack methods required her to decrypt several layers of encryption and thousands of obfuscation scripts. And "for each one, the decryption key was different," she says.

Shabab plans to provide recommendations on how to use SideWinder indicators of compromise along with specific security defense advice on defending against this APT group. Because it mostly achieves initial infections via known vulns and legitimate features in Windows (such as Microsoft Office), patching and the usual best security practices are key. That means hardening applications with whitelisting or firewall rules, which can help halt additional malicious malware modules from SideWinder's servers, she says.

"It's not very difficult to stop the attack" initially, she says. But if SideWinder gets past that first hurdle and infects the machine in the first phase of the attack, eradicating the attack gets exponentially harder. She adds: "They have lots of techniques to stay undetected longer and stay persistent."

1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin

Google has released updates for Android and its Pixel phone. We discuss the three vulnerabilities that were classified as critical.
The post Google fixes two critical Pixel vulnerabilities: Get your updates when you can! appeared first on Malwarebytes Labs.

Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

**Bootloader**

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

**Titan-M**

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

**Qualcomm**

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU)  Race Condition in Kernel. And specified as a possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings. In general a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

**Mitigation**

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!

Tag

#android