Categories: News
A list of topics we covered in the week of June 26 to July 2 of 2023



(Read more...)




The post A week in security (June 26 - July 2) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 26 - July 2)

Plus: Hackers knock out Russian military satellite communications, a spyware maker gets breached, and the SEC targets a victim company's CISO.

Amid exploding AI usage, the United States Senate is mulling legislation to regulate the development of artificial intelligence, but lawmakers' comments to WIRED this week indicate that Congress' abysmal track record on tech regulation may be doomed to repeat itself. Meanwhile, in the European Union, challenges filed under the EU's GDPR data law on Thursday allege that Pornhub has been collecting user data illegally.

We looked at a common air travel booking scam that can turn real—but not ticketed—flight reservations into cash grabs for cybercriminals. And tech companies have recently released an array of critical software updates that you should install on your devices right now. Some patches published in recent weeks from the company Progress Software patch flaws in the popular file transfer service MOVEit, which has been exploited by ransomware actors to spread malware and steal data from international companies, universities, and the US government.

If you want a digital hygiene project for the weekend, we have tips on how to make your chats and messaging more secure. And if you're craving a long read, WIRED went in-depth on the 1973 US National Personnel Records Center fire that destroyed 17 million military records and prompted a massive restoration effort.

And there's more. Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

On Tuesday, a 7-2 decision by the US Supreme Court reversed the conviction of a man who repeatedly threatened a stranger online. Justice Elena Kagan wrote in the majority opinion that First Amendment free speech protections require such cases to show that online harassers or cyberstalkers were aware that their digital abuse could be construed as threatening. Threats of violence are not protected by the First Amendment, but the court said prosecutors must show that a defendant “consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” The offender in the case the court looked at, Billy Counterman of Colorado, had “moved to dismiss the charge on First Amendment grounds, arguing that his messages were not ‘true threats’ and therefore could not form the basis of a criminal prosecution.”

Counterman had persistently and repeatedly messaged a local singer he didn't know on Facebook over two years, and when she would block him he made new accounts to continue messaging her. Victims of online harassment and digital rights advocates warned following the decision that it creates a dangerous precedent to empower cyberstalkers. “The Court just handed stalkers and harassers, including of politicians, journalists, climate scientists, doctors advocating for vaccines, you name it, a new weapon,” Soraya Chemaly, director of the Women’s Media Center Speech Project, told the _Washington Post_.

A cyberattack caused a multiday outage this week of a Russian satellite communication system from Dozor-Teleport. The platform is broadly used, including by the Russian military. Ukrainian satellite communication infrastructure suffered a similar outage more than a year ago. Dozor’s parent company, Amtel Svyaz, also grappled with significant system outages this week. Multiple hackers claimed responsibility for the attacks, including some purporting to be hacktivists and others who said they were affiliated with the Russian private mercenary army Wagner Group. In addition to the outage, one of the entities claiming responsibility for the attack said it had stolen data from Dozor and published 700 files, including documents and images, to a leak site and Telegram.

The invasive phone monitoring app LetMeSpy said on June 21 that it was itself hacked. Attackers stole names, messages, call logs, and location data collected by the service, the company said. LetMeSpy is a Polish Android app that's used around the world to monitor thousands of people. The company's notice said that “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

Years after a Russian espionage campaign launched a devastating supply chain attack against software firm SolarWinds, the US Securities and Exchange Commission sent legal notices—known as “Wells notices”—to certain current and former Solarwinds employees. Such notices warn of potential securities law violations that could lead to civil enforcement action, but they rarely relate to cybersecurity incidents. Notably, one of the SolarWinds employees who received a notice is the company's current chief information security officer, Tim Brown, who was Solarwinds' head of security architecture at the time of the attack. Company CFO Barton Kalsu also received a notice. The situation is potentially significant as the US and other countries attempt to develop appropriate accountability mechanisms for high-ranking executives who preside over breaches and other security lapses. The fear among security professionals is often that individual penalties will simply discourage talented practitioners from taking top roles.

US Supreme Court Hands Cyberstalkers a First Amendment Victory

An Open Redirect vulnerability exists prior to version 1.52.117, where the built-in QR scanner in Brave Browser Android navigated to scanned URLs automatically without showing the URL first. Now the user must manually navigate to the URL.

CVE-2023-28364

By Waqas
According to Amazon, it has already taken significant action against 94 fraudsters operating in the United States, China, and Europe in May 2023.
This is a post from HackRead.com Read the original post: Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

**Amazon’s action should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market.**

In a determined effort to protect its customers and sellers from the growing menace of fake reviews, e-commerce giant **Amazon** has recently launched a series of lawsuits against fraudulent individuals and organizations.

These perpetrators, operating within an underground network known as the “fake review broker” industry, have been exploiting unsuspecting consumers and tarnishing the reputation of Amazon’s marketplace.

Amazon has invested substantial resources in advanced technologies, including machine learning models and expert investigators, to proactively combat fake reviews before they reach the eyes of customers.

In 2022 alone, the company successfully blocked over 200 million suspected fake reviews from appearing on its platform. Now, by targeting the facilitators of these fraudulent practices, Amazon aims to strike at the root of the problem and hold those responsible accountable.

Amazon announced significant actions taken against 94 fraudsters operating in the United States, China, and Europe. These actions were implemented as of May 2023, showcasing the technology giant’s proactive approach to tackling the issue at hand.

It should come as no surprise that, just like the proliferation of fake news, fake reviews have also become a significant aspect of the underground scam market. In fact, as of March 2020, fake reviews accounted for **50% of the threats** faced by Android-based devices, among other issues.

The seriousness of the issue is further exemplified by a notable incident in May 2021. During this incident, a misconfigured server inadvertently **exposed a staggering 7GB of well-organized schemes** employed by Amazon vendors to generate fake reviews for their products on the website.

According to a **press release** issued on June 28th, 2023, the legal actions filed by Amazon include four notable lawsuits against prominent perpetrators. Here is an overview of each case:

**Amazon v. Nice Discount:**

The owners and operators of Nice Discount have been accused of orchestrating a scheme to generate fake positive reviews and feedback through their “Product Tester Club.” Reviewers are enticed to leave fabricated positive reviews or feedback in exchange for refunds or monetary rewards. By connecting bad actors operating Amazon selling accounts with reviewers, the defendants have guided these individuals on when and how to post fake reviews, creating an illusion of authenticity. **Case No. 23-2-10603-2 SEA**.

**Amazon v. Littlesmm:**

The website Littlesmm has allegedly been selling packages of fake reviews to unscrupulous individuals operating Amazon selling accounts across Australia, Canada, and the U.S. Ranging in price from $20 to $440, these packages offer both positive and negative reviews. By employing Amazon customer accounts under their control, the defendants have orchestrated the posting of counterfeit positive reviews while simultaneously undermining their competitors’ product listings through fake negative reviews. **Case No. 23-2-10452-8 SEA.**

**Amazon v. MangoCity:**

The owners and operators of MangoCity have been accused of selling fake reviews for prices ranging from $50 to $4,000. Utilizing their website, video chats, and email correspondence, the defendants accept payments and subsequently deploy Amazon customer accounts to leave fabricated 5-star reviews on product listing pages. Additionally, they have targeted competitors by offering fake negative reviews on their products. Case No. 23-2-11278-4 SEA.

**Amazon v. Reddit Marketing Pro:**

The owners and operators of Reddit Marketing Pro have allegedly provided fraudulent services, including fake positive and negative reviews, to bad actors with Amazon selling accounts. In exchange for fees ranging from $99 for five fake reviews to $6,999 for 500 fake reviews, the defendants have employed Amazon customer accounts under their control to populate product listing pages with counterfeit reviews. They have also marketed fake “Questions and Answers” to manipulate the content displayed. Case No. 23-2-11265-2 SEA.

In a comment to Hackread.com, Chris Downie, CEO of Edinburgh, Scotland-based anti-fraud platform **Pasabi** said, “Fake review brokers play a central role in poisoning consumer decision-making, destroying businesses and inflicting untold damage on the wider economy.”

Downie added that “Whilst it’s encouraging to see Amazon taking these fraudsters to task via the legal system, so much more needs to be done to tackle the growing fake review epidemic which influences around £4bn in UK consumer spending every year.”

“By harnessing the power of AI and the latest fraud detection anti-fraud technology, review aggregators and business owners need to work together to identify and block fraudulent reviews, stamping out the problem before it gets any worse,” added Downie.

Amazon chief **David Montague**, vice president of Selling Partner Risk, said, “Our goal is to ensure that every review in Amazon’s stores is trustworthy and reflects customers’ actual experiences. Amazon welcomes authentic reviews—whether positive or negative —but strictly prohibits fake reviews that intentionally mislead customers.”

“We continue to innovate on our proactive technology to detect fake reviews and other indications of unusual behaviour. Another way we fight fake reviews is through legal action. Not only are we targeting the source of the problem but we’re sending a clear message that there’s no place for abuse in our store and we will hold fraudsters accountable,” he added.

Despite Amazon’s aggressive stance against fake review brokers, the company recognizes that this is a pervasive global problem affecting multiple industries. To address this issue effectively, a collaborative effort between the public and private sectors is required.

By taking legal action against 94 fraudsters across the United States, China, and Europe, as of May 2023, Amazon is demonstrating its commitment to combatting this menace. However, the battle against fake review brokers demands ongoing vigilance and cooperation to ensure a safe and trustworthy online marketplace for consumers and sellers alike.

1.  Brand Protection is Essential for Cybersecurity
2.  42,000 phishing domains found posing as popular brands
3.  Microsoft pwns domains used by hackers for cyber attacks
4.  Memcyco Drops Real-Time Solution to Combat Brandjacking
5.  Indian call center seized over Amazon scam against US citizens

Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

Attackers are increasingly targeting users through their mobile devices, attacking vulnerabilities in services that are built into applications and mounting increasing numbers of SMS phishing attacks.

That's according to mobile security firm Zimperium's 2023 "Global Mobile Threat Report," which also found that the average number of unique mobile malware samples grew 51% in 2022, totaling an average of 77,000 unique malware samples found every month. About a quarter of application samples submitted to public repositories — 23% of Android apps and 24% of iOS apps — were malicious, according to data in the report.

In total, that all contributed to the number of compromised devices nearly tripling (up 187%) in the time period, because the tactics are working: The company saw an average of four malicious phishing links clicked per device, for instance.

The trend comes as companies and their workers rely increasingly on mobile devices, with a majority of firms seeing more workers (58%) using mobile devices for business than in 2021 and most users (59%) doing more work with their mobile devices, according to the 2022 "Verizon Mobile Security Index" report. 

"Businesses and users need to mostly be concerned about mobile phishing and spyware today, and mobile ransomware will become increasingly concerning in the near future," says JT Keating, senior vice president of strategic initiatives at Zimperium. 

**Android, iOS Devices See Different Levels of Cyber Threats**

About 80% of phishing sites specifically target mobile devices with content suited to those platforms, Zimperium stated in its 2023 "Global Mobile Threat Report." But, as has been the case for many years, the Android platform tends to attract more threats. One of the reasons for that could be that the Android operating system has seen between about 500 and 900 vulnerabilities disclosed per year that threat actors can target; iOS meanwhile saw a little more than 300 vulnerabilities in five of the last eight years, according to Zimperium. 

Another reason that Android is a bigger target? App development mistakes. The firm found that there are more mistakes made in the process of developing apps when it comes to Android, particularly when it comes to how those apps interact with cloud storage instances. Only about 2% of iOS applications access unprotected cloud instances, while 10% of Android apps do so. These include database instances accessed through Google Firebase and Cloud Platform, Amazon Simple Storage Service (S3), and Microsoft Azure Cloud Storage, according to Zimperium's report. As a corollary, developers also tend to access the same poor resources, too: Only 1% of unprotected cloud instances accounted for 60% of applications at risk, the company said.

Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team (GReAT), says his firm's research bears out the finding that Android attracts more overall threats, though he notes that when it comes to spyware the targeting is evenly split between the two ecosystems; the recent Triangulation cyber espionage campaign for instance shows the value in targeting the iOS platform.

"Mobile users should worry about both cybercrime threats and nation-state espionage, \[but\] it is correct to say that Android faces more general threats," he says. "Android devices are more likely to become infected with malware distributed by cybercriminals. As for top-notch espionage spyware, both iOS and Android are vulnerable to it."

The lack of jailbreaking utilities for the latest version of iOS is also lowering the number of attacks for that platform, according to Zimperium. Jailbreaking allows users to add non-Apple-sanctioned software to their mobile devices, but it also removes significant security guardrails in the process. 

**Threats Up, or Leveling Off?**

In terms of the types of mobile malware that's circulating out there, Kaspersky saw fewer mobile malware installers and less ransomware in the past year, but more banking Trojans, it stated in "The Mobile Malware Threat Landscape in 2022" report.

"Cybercriminals are still working on improving both malware functionality and spread vectors," according to the report. "Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware."

To put all of this into perspective, it should be noted that traditional computing platforms still attract the lion's share of the cybercrime pie. Kaspersky, for example, blocked more than 20 million malicious installers, spyware, and adware attacks on mobile devices over the last four quarters, but blocked more than 20 times that number against more common work platforms, such as Windows. However, the mobile threat vector is not as well protected. 

"In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises," Zimperium's Keating says. "No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical."

Mobile Cyberattacks Soar, Especially Against Android Users

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMWare, Cisco, Fortinet, and Progress Software’s MOVEit products.

A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Apple

Hot on the heels of iOS 16.5, June saw the release of an emergency iPhone upgrade, iOS 16.5.1. The latest iPhone update fixes security vulnerabilities in WebKit, the engine that underpins Safari, and in the kernel at the heart of the iOS system.

Tracked as CVE-2023-32439 and CVE-2023-32434, both issues are code-execution bugs and have been used in real-life attacks, Apple said on its support page.

While details about the already exploited flaws are limited, security outfit Kaspersky revealed how the kernel issue was used to perform “iOS Triangulation” attacks against its staff. Impactful because they require no interaction from the user, the “zero click” attacks use an invisible iMessage with a malicious attachment to deliver spyware.

Apple has also issued iOS 15.7.7 for older iPhones fixing the Kernel and WebKit issues, as well as a second WebKit flaw tracked as CVE-2023-32435—which was also reported by Kaspersky as part of the iOS Triangulation attacks.

Meanwhile, Apple released Safari 16.5.1, macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8 , watchOS 9.5.2 and watchOS 8.8.1.

Microsoft

Microsoft’s mid-June Patch Tuesday includes security updates for 78 vulnerabilities, including 28 remote code execution (RCE) bugs. While some of the issues are serious, it is the first Patch Tuesday since March that doesn’t include any already exploited flaws.

The critical issues patched in the June update include CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSS score of 9.8. “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges, nor does the user need to perform any action,” it added.

Meanwhile, CVE-2023-32031 and CVE-2023-28310 are Microsoft Exchange Server remote code execution vulnerabilities that require an attacker to be authenticated to exploit.

Google Android

It’s time to update your Google Android device, as the tech giant has released its June Security Bulletin. The most serious issue fixed by Google is a critical security vulnerability in the System component, tracked as CVE-2023-21108, that could lead to RCE over Bluetooth with no additional execution privileges needed. Another flaw in the System tracked as CVE-2023-21130 is a RCE bug also marked as critical.

One of the flaws patched in June’s update is CVE-2022-22706, a vulnerability in Arm components that the chipmaker fixed in 2022 after it had already been used in attacks.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.

Published:2023/06/30  Last Updated:2023/06/30

**Overview**

"NewsPicks" App uses a hard-coded API key for an external service.

**Products Affected**

*   "NewsPicks" App for Android versions 10.4.5 and earlier
*   "NewsPicks" App for iOS versions 10.4.2 and earlier

**Description**

"NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service (CWE-798).

**Impact**

Data in the app may be analyzed and API key for an external service may be obtained.  
Note that the users of the app are not directly affected by this vulnerability.

**Solution**

**Update the Application**  
Update the application to the latest version according to the information provided by the developer.

According to the developer, the latest app does not hard-code the API key.  
Also the vulnerable API key has been deactivated, and therefore the information contained in the vulnerable app cannot be abused.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sunagawa Masanori of BroadBand Security, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-28387: "NewsPicks" App uses a hard-coded API key for an external service

Categories: News
Categories: Personal
Stalkerware-type app LetMeSpy has been hacked, with the attacker taking user data with it, the service has announced.



(Read more...)




The post Spyware app LetMeSpy hacked, tracked user data posted online appeared first on Malwarebytes Labs.

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

> On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.
> 
> As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen is the data from the phone which has the tracking app on it, which has likely been installed without the phone owner's knowledge. That's because LetMeSpy is often invisible to the phone's owner. 

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can't tell it's there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which is what has now been hacked.

These sorts of apps have been used by people wanting to monitor their partner's movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. In the database file which was later dumped online, the blog said there was:

*   26,000+ email addresses of the tool's "operators" along with hashes of their passwords.
*   16,000+ text messages, including passwords and codes for various services
*   Telephone numbers of people who had contacted the tracked phones
*   Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
*   Database dump in SQL format, containing more data, including locations

Spokesman Adam Sanocki for the Polish data protection authority UODO confirmed to TechCrunch that it had received a breach notice from LetMeSpy. When many breaches happen, the affected company should inform users that their data has been breached. But the users of the service here are the ones tracking people, and, sadly, it's unlikely they're going to let the people they are spying on know that their data has been taken.

**How to prevent spyware and stalkerware-type apps**

*   Set a screen lock on your phone and don't let anyone else access it
*   Keep your phone up-to-date. Make sure you're always on the latest version of your phone's software.
*   Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you're sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

**Coalition Against Stalkerware**

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Spyware app LetMeSpy hacked, tracked user data posted online

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

A possible out-of-bounds read and write (due to an improper length check of shared memory) was discovered in Arm NN Android-NN-Driver before 23.02.

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work

Tag

#android