There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.

Permalink

Browse files

KVM: x86: avoid calling x86 emulator without a decoded instruction

Whenever x86\_decode\_emulated\_instruction() detects a breakpoint, it
returns the value that kvm\_vcpu\_check\_breakpoint() writes into its
pass-by-reference second argument.  Unfortunately this is completely
bogus because the expected outcome of x86\_decode\_emulated\_instruction
is an EMULATION\_\* value.

Then, if kvm\_vcpu\_check\_breakpoint() does "\*r = 0" (corresponding to
a KVM\_EXIT\_DEBUG userspace exit), it is misunderstood as EMULATION\_OK
and x86\_emulate\_instruction() is called without having decoded the
instruction.  This causes various havoc from running with a stale
emulation context.

The fix is to move the call to kvm\_vcpu\_check\_breakpoint() where it was
before commit 4aa2691 ("KVM: x86: Factor out x86 instruction
emulation with decoding") introduced x86\_decode\_emulated\_instruction().
The other caller of the function does not need breakpoint checks,
because it is invoked as part of a vmexit and the processor has already
checked those before executing the instruction that #GP'd.

This fixes CVE-2022-1852.

Reported-by: Qiuhao Li <qiuhao@sysec.org>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Yongkang Jia <kangel@zju.edu.cn>
Fixes: 4aa2691 ("KVM: x86: Factor out x86 instruction emulation with decoding")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220311032801.3467418-2-seanjc@google.com>
\[Rewrote commit message according to Qiuhao's report, since a patch
 already existed to fix the bug. - Paolo\]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

*   Loading branch information

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded instruction · torvalds/linux@fee060c

Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A High Level of Sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT can pivot infections to connected devices using one of two methods:

*   DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
*   HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.

Intentionally Complex

Black Lotus Labs said the command-and-control infrastructure used in the campaign is intentionally complex in an attempt to conceal what's happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they're later infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker's infrastructure.

The researchers wrote:

_Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection._

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, particularly in the work-from-home era. While organizations often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices' routers.

Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.

_This story originally appeared on_ _Ars Technica__._

A New, Remarkably Sophisticated Malware Is Attacking Routers

One of the commissioners of the U.S. Federal Communications Commission (FCC) has renewed calls asking for Apple and Google to boot the popular video-sharing platform TikTok from their app stores citing "its pattern of surreptitious data practices."
"It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing's apparently

One of the commissioners of the U.S. Federal Communications Commission (FCC) has renewed calls asking for Apple and Google to boot the popular video-sharing platform TikTok from their app stores citing "its pattern of surreptitious data practices."

"It is clear that TikTok poses an unacceptable **national security risk** due to its extensive data harvesting being combined with Beijing's apparently unchecked access to that sensitive data," Brendan Carr, a Republican member of the FCC, wrote in a letter to Apple and Google's chief executives.

TikTok, in September 2021, disclosed that there are one billion people who use its app every month, making it one of the largest social media platforms after Facebook, YouTube, WhatsApp, Instagram, and WeChat.

Carr further emphasized that the short-form video service is far from just an app for sharing funny videos or memes, calling out its features as "sheep's clothing" intended to mask its core function as a "sophisticated surveillance tool" for amassing users' personal information.

The letter also references a litany of controversies that TikTok found itself in over the years, including skirting Android safeguards to track users online, accessing iOS clipboard information, and settling a class-action lawsuit for $92 million over allegations that it captured biometric and personal data from users in the U.S. without prior consent.

TikTok, which is owned by Beijing-based ByteDance and has denied ever sharing user data with the Chinese government, is back in the spotlight close on the heels of revelations from BuzzFeed News that U.S. users' data had been repeatedly accessed by employees based in China between September 2021 and January 2022 despite its assurances to the contrary.

"Everything is seen in China," a member of TikTok's Trust and Safety department was quoted as saying in a September 2021 meeting, while in another meeting held that month, a director referred to a Beijing-based engineer as a "Master Admin" who "has access to everything."

Last year, CNBC, citing former employees, similarly alleged that the social media app's Chinese parent company had access to TikTok's U.S. user data and that it's closely involved in the decision-making and product development.

In a statement shared with the business news publication, TikTok said engineers in locations outside of the U.S., including China, can be permitted access to U.S. user data on an "as-needed basis" under strict access controls.

TikTok has since announced that it's "changed the default storage location of U.S. user data" and that it's routing all information from its users in the country through infrastructure controlled by Oracle. However, Carr noted these efforts do not address the core concerns of data access.

"TikTok has long claimed that its U.S. user data has been stored on servers in the U.S. and yet those representations provided no protection against the data being accessed from Beijing." Carr said. "Indeed, TikTok's statement that '100% of U.S. user traffic is being routed to Oracle' says nothing about where that data can be accessed from."

It's worth noting that several U.S. military branches have already banned its members from using TikTok on government-issued devices due to possible security risks. In June 2020, the Indian government moved to block the app on similar grounds.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. FCC Commissioner Asks Apple and Google to Remove TikTok from App Stores

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. Affected is an unknown function of the file /front/roomtype-details.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    # # # # # 
    # Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
    # Google Dork: N/A
    # Date: 27.01.2017
    # Vendor Homepage: http://www.bestsoftinc.com/
    # Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
    # Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
    # Version: 1.0
    # Tested on: Win7 x64, Kali Linux x64
    # # # # # 
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Mail : ihsan[beygir]ihsan[nokta]net
    # # # # #
    # SQL Injection/Exploit :
    # http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
    # E.t.c
    # # # # #

CVE-2017-20124: Offensive Security’s Exploit Database Archive

By Waqas
The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through…
This is a post from HackRead.com Read the original post: Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

****The new phishing scam uses malicious and fake chatbots to steal login credentials of unsuspected Facebook users through Facebook Messenger.****

A new phishing campaign has been discovered by Trustwave security researchers, which involves using Facebook Messenger chatbots while the campaign’s objective is to steal user credentials.

According to Trustwave’s analysis of this new phishing campaign, the chatbots impersonate customer support staff of the social network. These bots then hijack pages by compelling page managers to enter credentials for that Facebook page. The malicious chatbots and websites were quickly taken down after Trustwave’s report.

Chatbots are basically specially designed programs that provide customer support and answer user queries as live support staff before the question is forwarded to a human employee. These bots are generally used by businesses that offer live chat or customer support services.

**Attack Scenario Explained**

This phishing attack started with an email informing the recipient that Facebook would delete their page after 48 hours for violating Meta community standards. When the recipient clicked on the Appeal Now link, they were redirected to a fake Messenger support page hosted by Google Firebase, where they had to interact with chatbots. 

Fake Support chatbot (Image: Trustwave)

Researchers noticed that the phony support chatbot profile was a fan/business page that didn’t have any followers or posts. However, the attackers used the official Messenger logo on the profile page to make the bot appear legit. In the Appeal form, the user entered their name, surname, email ID, page name, and mobile number. 

They were also prompted to complete 2FA authentication, and the OTP could be of any length. As soon as the user clicked on Submit button, the attackers received the form, and the credentials were compromised while the user was redirected to Meta’s official intellectual property and copyright guidelines page.

Password stealing and Fake OTP Page (Image: Trustwave)

**How was the Scam Exposed?**

Concerns were raised when researchers identified many errors in the email, which hinted at its malicious nature. Such as, a dot was missing after the third sentence, and there was incorrect capitalization of the word Page.

The email header also contained several errors pointing to the email’s illegitimacy. For instance, Policy Issues was written in the sender’s name, and the sender domain didn’t belong to Facebook/Meta.

> “The fact that the spammers are leveraging the platform that they are mimicking makes this campaign a perfect social engineering technique.”
> 
> Trustwave

In conclusion, it is imperative that social media users be cautious when opening such warning notices and always check for red flags before giving away sensitive information. Moreover, it is always best to be cautious when engaging with someone on Facebook or social media in general. If you are unsure about the legitimacy of a user or bot, do not provide any personal information and report them to Facebook.

**More Facebook Phishing News**

*   URL Padding: Facebook Mobile Users Hit by Phishing Scam
*   Facebook ads used in spreading Facebook Messenger phishing scam
*   Facebook Last Warning Phishing Scam Stealing Login, Credit Card Data
*   “I think you appear in this video” phishing scam hijacks Facebook accounts
*   Microsoft, PayPal & Facebook most targeted brands in phishing scams: Report

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Facebook Phishing Scam: Crooks Using Messenger Chatbots to Steal Login Data

Hackers with Amazon users’ authentication tokens could’ve stolen or encrypted personal photos and documents.

Hackers with Amazon users’ authentication tokens could’ve stolen or encrypted personal photos and documents.

The Amazon Photos app for Android insufficiently protected user access tokens, according to a blog post published on Wednesday.

Theoretically, with exposed tokens, an attacker could’ve accessed users’ personal data from a number of different Amazon apps – not just Photos but also, for example, Amazon Drive. They also could have performed a ransomware attack, locking up or permanently deleting photos, documents and more.

The findings were first reported to Amazon’s Vulnerability Research Program on November 7th of last year. On December 18th, Amazon announced that the issues had been fully resolved.

**Loose Tokens**

To authenticate users across various apps within their ecosystem, like other software suite vendors, Amazon uses access tokens. It’s convenient for users, but also, potentially, for attackers.

In their report, researchers from Checkmarx described how access tokens naturally leaked through an Amazon application programming interface (API) through “a misconfiguration of the com\[.\]amazon\[.\]gallery\[.\]thor\[.\]app\[.\]activity\[.\]ThorViewActivity component, which is implicitly exported in the app’s manifest file” – manifest files describe critical application information to the Android OS and Google Play store – “thus allowing external applications to access it. Whenever this activity is launched, it triggers an HTTP request that carries a header with the customer’s access token.” In a video explainer, they put it in simpler terms:

“You can think of it as the password being sent to other apps in plaintext.”

In addition to third-party applications, the same unsecure token was also shared with Amazon Drive – used for file storage and sharing.

**Attackers Could’ve Stolen, Deleted Data**

There are any number of ways in which an attacker could’ve leveraged unsecured access tokens.

For example, with a malicious third-party app installed on the victim’s phone, they could’ve redirected the token in a way “that effectively launches the vulnerable activity and triggers the request to be sent to a server controlled by the attacker.” From there, the attacker could have accessed all kinds of personal information a victim had stored in Amazon Photos.

Because the tokens also leaked to Amazon Drive, attackers could’ve found, read, or even unrecoverably deleted files and folders in a victim’s Drive account.

And “with all these options available for an attacker,” the researchers speculated, “a ransomware scenario was easy to come up with as a likely attack vector. A malicious actor would simply need to read, encrypt, and re-write the customer’s files while erasing their history.”

It’s unclear just how many apps could’ve been targeted with such loose access tokens, as only a small number of Amazon APIs were analyzed for the report. The real scope could be quite a bit greater. Erez Yalon, vice president of security research at Checkmarx, reflected on the implications, in a statement to Threatpost via email:

“In an era where we all blindly trust our technology suppliers and gladly store all our private and most coveted secrets on someone’s cloud, a reminder is necessary that these incidents might happen even to the best (Amazon.)”

Leaky Access Tokens Exposed Amazon Photos of Users

Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.

**ebike-jammer**

Joy Ebike Wolf 2022 variant crash and deny key fob lock request

This is a report about a cyber security issue identified in Joy ebike wolf

Summary: Joy ebike Wolf variant manufactured in 2022 has a feature to lock or unlock/drive the vehicle via ebike key fob. In this vehicle, if the unlock/drive command is sniffed by Hackrf and replayed, vehicle will get unlock but it will deny lock request

Affected Product: Joy ebike Wolf, Manufacturing year 2022

Addition details URL: https://www.joyebike.com/product/wolf-bike/

Detailed report

Required Setup:

Joy ebike Wolf, Manufacturing year 2022 Joy ebike vehicle keys. Hackrf with antenna

Following steps shall be followed to achieve the Proof of concept:

1.  Activate Hackrf in rx mode on 433.92 MHz
2.  Press unlock/drive button on key fob
3.  Hackrf captures the unlock frame command.
4.  Lock the vehicle with a key.
5.  Now replay the command which is captured.
6.  Vehicle gets unlocked and is able to drive.
7.  Press lock button on key fob
8.  Vehicle deny lock button pressed from key fob and stay in unlock state.

Additional Note: Further analysis is not conducted, but multiple commands can be replayed.

Video proof of concept:

https://drive.google.com/file/d/1XDDXC2q8ZZYeujjrw4f0mW2jMsYtSGLF/view?usp=sharing

**Credits : Nikhil Bogam, Krutarth Raut and Neelam Verma**

CVE-2022-30467: ebike-jammer/README.md at main · nsbogam/ebike-jammer

Results from phishing simulation campaigns highlight the five most effective types of phishing email.

**Woburn, MA – June 28, 2022 —** Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks.

According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.

To provide further insight into this type of threat, Kaspersky analyzed data gathered from a phishing simulator provided voluntarily by users\[1\]. Integrated into Kaspersky Security Awareness Platform, this tool helps companies check if their staff can distinguish a phishing email from a real one without putting corporate data at risk. An administrator chooses from the set of templates, mimicking common phishing scenarios or creates a custom template, then sends it to the group of employees without pre-warning them and tracks the results. A large number of users clicking the link is a clear indication that additional cybersecurity awareness training is required.

According to recent phishing simulation campaigns, the five most effective types of phishing email are:

*   Subject**:** Failed delivery attempt - Unfortunately, our courier was unable to deliver your item. Sender: Mail delivery service. Click conversion: 18.5%
*   Subject: Emails not delivered due to overloaded mail servers. Sender: The Google support team. Click conversion: 18%
*   Subject: Online employee survey: What would you improve about working at the company. Sender: HR Department. Click conversion: 18%
*   Subject: Reminder: New company-wide dress code. Sender: Human Resources. Click conversion: 17.5%
*   Subject: Attention all employees: new building evacuation plan. Sender: Safety Department. Click conversion: 16%

Other phishing emails that gained a significant number of clicks include reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%).

Alternatively, emails that threaten the recipient or offer instant benefits appeared to be less “successful.” A template with the subject “I hacked your computer and know your search history” gained 2% of clicks, while offers for free Netflix and $1,000 by clicking a link tricked just 1% of employees.

_“Phishing simulation is one of the simplest ways to track employees’ cyber-resilience and evaluate the efficiency of their cybersecurity training. However, there are significant aspects that must be considered when conducting this assessment to make it really impactful,”_ comments Elena Molchanova, head of security awareness business development at Kaspersky. _“Since the methods used by cybercriminals are constantly changing, the simulation has to reflect up-to-date social engineering trends, alongside common cybercrime scenarios. It is crucial that simulated attacks are carried out regularly and supplemented with appropriate training – so users will develop a strong vigilance skill that will allow them avoid falling for targeted attacks or so-called spear phishing.”_

To prevent data breaches, and any related financial and reputational losses caused by phishing attacks, Kaspersky recommends the following for businesses:

*   Remind your employees about the basic signs of phishing emails. A dramatic subject line, mistakes and typos, inconsistent sender addresses and suspicious links;
*   If there is any doubt about the received email, check the format of attachments before opening them and the link accuracy before clicking. This can be achieved by hovering over these elements - make sure the address looks authentic and the attached files are not in an executable format;
*   Always report phishing attacks. If you spot a phishing attack, report it to your IT security department and, if possible, avoid opening the malicious email. This will allow your cybersecurity team to reconfigure anti-spam policies and prevent an incident;
*   Supply your employees with basic cybersecurity knowledge. Education should be aimed at changing the behavior of learners and teaching them how to deal with threats. As a major cybersecurity vendor, Kaspersky possesses a relevant base of information on real attacks and continuously supplements its Security Awareness Trainings in accordance with the current threat landscape;
*   Since phishing attempts can be confusing, and there’s no guarantee of avoiding all accident clicks, protect your working devices with reliable security. Choose a solution that provides anti-spam capabilities, tracks suspicious behavior, and creates a backup copy of your files in case of ransomware attacks. Anti-phishing protection is included in some security solutions, even for small and very small businesses, such as Kaspersky Small Office Security.

Tag

#google