Making sure that your iPhone can't be tracked is virtually impossible once someone has access to your Apple account

On iOS and iPadOS, location services are typically turned on when you first set up your device. However, there may be reasons why you don’t want your device to be located, perhaps because you don’t want to be found but need to keep the device with you.

There are a few options to hide your location from prying eyes.

_Please note: I will only mention iOS from here on, but the instructions are almost the same for iPadOS._

**Turn off location services by app**

Some apps will not work properly without location services, but it’s certainly worth checking which ones are actually using them.

*   Go to **Settings** > **Privacy & Security** > **Location Services**.
*   If **Location Services** is on, you will see a list of apps with permissions.

*   Scroll down to select an app.
*   Now you can tap the app and select an option of **Never**, **Ask Next Time Or When I Share**, **While Using the App**, or **Always**.
*   From here, apps should provide an explanation of how they will use your location information. Some apps might offer only two options.

**Turn location services off entirely**

You can turn Location Services on or off at **Settings** > **Privacy & Security** > **Location Services**. Move the slider control to the left to turn Location Services off.

Note that turning Location Services of will also disable the Find My feature for the device.

**Turn off Find My iPhone**

Find My iPhone allows a user to track their devices. It allows you to locate the device from another device, make it play a sound if you are close, and even remotely erase your device if you suspect it has fallen in the wrong hands.

To disable Find My iPhone:

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn the feature off. You will need to enter your iCloud password.

An iPhone can still be tracked in some cases, even if it is in Airplane Mode. The only way tracking is not possible is to turn the iPhone off completely.  And even then, since iOS 15, iPhone models 11 and up will transmit their location even when powered off if the **Find My Network** is enabled in your settings.

To turn off **Find My network:**

*   Go to **Settings**
*   Select your account name.
*   Choose **Find My**
*   Turn **Find My network** off.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to turn off location tracking on iOS and iPadOS 

This post explains how to disable various location services on Android devices.

Android devices come with location services. Some apps need access to location services to function properly. However, there may be reasons why you don’t want your device to be located, often because you don’t want to be found and the device is always with you.

Depending on who you are trying to hide your location from, there are several levels of hiding your location.

_Disclaimer: the exact instructions for your make and model of Android device may look a bit different._

**Turn off location for particular apps**

There are apps active on most Android devices that could give away the location of the device. To check which apps have access to your device’s location:

*   Swipe down from the top of the screen.
*   Find the Location icon 
*   Touch and hold Location.
*   Tap App location permissions.
*   Under **Allowed all the time**, **Allowed only while in use**, and **Not allowed**, find the apps that can use your device’s location.
*   To change the app’s permissions, tap it. Then, choose the location access for the app.
*   If you see any apps that you don’t recognize, be sure to turn the permission off.

**Turn off location entirely**

Alternatively, you can turn Location off entirely:

*   Swipe down from the top of the screen.
*   Find the location icon 
*   If it’s highlighted, tap it to turn it off.
*   You’ll see a warning that some apps may not function properly. Confirm by tapping **Close**.

**Turn off Find My Device**

Find My Device is a service which makes your device’s most recent location available to the first account activated on the device. Find My Device is included with most Android phones, and it’s automatically turned on once you add a Google account to your device.

How to turn off **Find My Device:**

*   Open **Settings**.
*   Tap (**Biometrics &**) **Security**.
*   Tap **Find My Device**, then tap the switch to turn it off.

Turning off Find My Device may backfire if you ever truly need to find your device because you lost it. But if someone may have the login credentials for the Google account associated with the phone, you may want to turn it off.

The last resort is to turn your phone off.

Even in airplane mode, GPS on your phone is still working. As long as a phone isn’t turned off, it’s possible to track the location because the device sends signals to nearby cell towers. Even when it’s turned off, the service provider or internet provider can show the last location once it’s switched back on.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to turn off location tracking on Android 

Stalkerware app pcTattleWare had its websites defaced and databases leaked after researchers found several security flaws.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattleTale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattleTale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

> “pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

**Removing stalkerware**

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1.  Open your Malwarebytes dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

*   **Uninstall**. The threat will be deleted from your device.
*   **Ignore Always**. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
*   **Ignore Once**: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 pcTattleTale spyware leaks database containing victim screenshots, gets website defaced 

By Cyber Newswire
Cary, United States, 28th May 2024, CyberNewsWire
This is a post from HackRead.com Read the original post: INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

If there is a single theme circulating among Chief Information Security Officers (CISOs) right now, it is the question of how to get stakeholders on board with more robust cybersecurity training protocols.

There are key points debated about why you should provide cybersecurity training to your IT professionals, like the alarming increase in cyberattacks (an increase of 72% over the all-time high in 2021, according to the Identity Theft Research Center’s 2023 Data Breach Report), or the rapid evolution in technology, creating a constant game of catch-up.

But it isn’t a question of ”if” an organization will be targeted, but “when.” CISOs are increasingly anxious because while they realize the axe will fall on them when the inevitable breach occurs, securing boardroom support for heavy investment in preventative measures, like training, is challenging in a world where revenue is demanded each dollar spent.

“The path to securing the boardroom’s buy-in is more complex than simply having the right statistics and studies on paper,” says Dara Warn, the CEO of INE Security, a global cybersecurity training and certification provider. “To bridge the gap between CISOs and stakeholders, CISOs must adopt a strategic approach that combines financial impact data, relevant case studies, and compelling narratives. Framing cybersecurity training as an essential investment rather than an optional expense is critical.”

****The Human Factor in Cybersecurity****

Cybersecurity is not just about technology; it’s about people. Human error remains one of the leading causes of security breaches. A study by Verizon in their 2023 Data Breach Investigations Report found that 68% of breaches involved a human element, such as social engineering, misuse of privileges, or simple mistakes. This highlights the importance of equipping employees with the knowledge and skills to recognize and respond to potential threats.

****Case Study: Capital One Data Breach****

In 2019, Capital One experienced a data breach that exposed the personal information of over 100 million customers. The breach was caused by a misconfigured web application firewall, which allowed an attacker to access sensitive data stored on Amazon Web Services (AWS). This incident underscores the importance of training employees on cloud security practices and the proper configuration of security tools. In response, Capital One enhanced its cybersecurity training programs to include cloud security, emphasizing the need for regular audits and configuration checks. This case illustrates how specialized training can prevent costly breaches and protect sensitive data.

****The ROI of Cybersecurity Training****

Investing in cybersecurity training is not just a defensive measure; it’s a strategic investment that can yield significant returns. A well-trained workforce, not just security awareness but the SOC and networking teams, can serve as the first line of defense against cyber threats, reducing the likelihood of breaches and minimizing potential damages. According to the Ponemon Institute’s 2023 Cost of Data Breach Report, organizations with extensive incident response planning and testing programs saved $1.49 million compared to those with lower levels.

****Case Study: Maersk NotPetya Attack****

In 2017, shipping giant Maersk was hit by the NotPetya malware, which spread rapidly through its global network, causing a complete shutdown of its IT systems. The attack was initiated by a compromised software update, exploiting poor cybersecurity hygiene and a lack of employee training on identifying malicious software. The incident cost Maersk over $300 million in losses.

In response, Maersk implemented a comprehensive cybersecurity training program focusing on recognizing malicious software, securing software updates, and responding to cyber incidents. This case highlights the necessity of training employees on the latest cyber threats and best practices.

****Crafting a Compelling Narrative for the Boardroom****

The company’s financial data and case studies are important to secure, but communicating that to the boardroom remains a challenge for CISOs. To get the message across, CISOs must also craft a compelling narrative that resonates with the board members. Here are some key strategies:

****1\. Speak the Board’s Language****

Board members are often more attuned to financial metrics and business outcomes than technical jargon. CISOs should frame cybersecurity training as a business enabler that protects the organization’s bottom line. Highlighting the potential financial losses from breaches and the ROI of training programs can make a compelling case.

****2\. Use Real-World Examples****

Real-world case studies, like the attacks on Maersk NotPetya and Capital One, can illustrate the tangible impact of cybersecurity training. These examples provide relatable scenarios that underscore the importance of investing in employee education.

****3\. Leverage Data and Statistics****

Presenting data from reputable sources can lend credibility to the argument. Statistics that demonstrate the prevalence of human error in breaches and the financial benefits of training can be powerful tools in persuading the board.

****4\. Emphasize Regulatory Compliance****

Regulatory requirements, such as GDPR and CCPA, mandate stringent data protection measures. Failure to comply can result in hefty fines and reputational damage. Emphasizing how cybersecurity training can help meet these regulatory requirements can be an effective angle to secure board buy-in.

****5\. Highlight Competitive Advantage****

In an increasingly competitive market, robust cybersecurity measures can be a differentiator. Companies known for their strong security posture are more likely to attract and retain customers. CISOs can highlight how a comprehensive training program can enhance the organization’s reputation and competitive edge.

****Overcoming Common Objections****

Board members may raise objections regarding the cost and time required for cybersecurity training. CISOs should be prepared to address these concerns with data-driven arguments and strategic insights.

****Cost Concerns****

While the initial investment in training programs may seem significant, CISOs can emphasize the long-term cost savings from preventing breaches. According to the Ponemon Institute, the average cost of a data breach in 2023 was $4.45 million. Investing in training can mitigate these costs by reducing the likelihood and severity of breaches.

****Time Constraints****

Board members may worry about the time employees will spend on training. CISOs can advocate for flexible, modular training programs that allow employees to learn at their own pace without disrupting productivity. Additionally, emphasizing the efficiency of targeted training programs can alleviate concerns about time investment.

CISOs are key players in protecting their organizations from cyber threats. Getting the boardroom to buy into an investment in cybersecurity training is no easy task, but utilizing some of these strategies can make it more successful. Including these steps in the process of communicating your needs to stakeholders will help secure the support and resources needed to roll out effective training programs and ultimately better safeguard the organization’s digital and physical assets. The stakes are high, and having all stakeholders on the same team is critical to the long-term success and security of an organization.

****About INE Security****

INE Security is the premier provider of online technical training and cybersecurity certifications. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering advanced technical training, while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Press Team**  
**INE**  
**\[email protected\]**

INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

By Deeba Ahmed
Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn…
This is a post from HackRead.com Read the original post: Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Trellix research exposes the dangers of fake antivirus websites disguised as legitimate security software but harbouring malware. Learn how to identify these scams and protect yourself from threats like identity theft and ransomware attacks.

Imagine searching online for an antivirus program to protect your computer, only to stumble upon a website that infects your device with information stealers. This is the deceptive tactic employed by fake antivirus (AV) sites, a growing threat detailed in Trellix’s research titled “A Catalog of Hazardous AV Sites – A Tale of Malware Hosting.”

****Deception Disguised as Security****

In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting sophisticated malicious files like APK, EXE, and Inno setup installers. These sites are used to distribute SpyNote trojan, Lumma malware, and StealC malware. The malware hosts include avast-securedownload.com, bitdefender-app.com, and malwarebytes.pro.

****Avast-securedownload.com:****

It hosts a sophisticated APK called Avast.apk that delivers SpyNote Trojan, which can install and delete packages, read call logs, SMS, contacts, storage data, phone state, and more. It also has a recorder, touch activity tracker, and update capabilities.

****Bitdefender-app.com:****

This website delivers a zip file with an EXE named “setup-win-x86-x64.exe.zip” with a discreet TLS callback function. It delivers Lumma malware, targeting sensitive information like PC name, username, HWID, screen resolution, CPU, installed memory, running process, login data, history, cookies, tokens, and user profile information.

****Malwarebytes.pro:****

The website delivers RAR files containing legitimate DLLs, Inno Setup, and StealC infostealing malware. The contents are compressed in gzip and transferred to the attacker’s C2 server. The stolen information includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and common system information.

****Malicious Binaries****

According to Trellix’s blog post, researchers also discovered a binary called AMCoreDat.exe, which facilitates the deployment of stealer malware. The attacker uses a sophisticated method to obfuscate the payload, stealing victim information, including PC name, username, browsing history, cookies, tokens, etc., and sends it to a C2 server.

Fake Avast, Malwarebytes and Bitdefender sites reported by Trellix

****Possible Dangers****

Unaware users, seeking to safeguard their devices, get easily tricked into downloading malicious software disguised as antivirus programs because these sites appear professional, complete with logos, fake testimonials, and urgency-inducing language about potential threats.

The consequences of falling victim to these scams can be severe, including identity theft, financial loss, sensitive data breaches, ransomware attacks and potentially hefty ransom demands.

Researchers suspect these website addresses are distributed by malicious advertising and SEO poisoning strategies. To mitigate risks, it is recommended to follow security measures like using strong cybersecurity solutions, avoiding pirated software, and verifying software legitimacy with your end-point provider.

1.  Malicious Android Apps Masked as Anti-virus Software
2.  Fake Popular Software Ads Deliver MadMxShell Backdoor
3.  Fake Skype, Zoom, Google Meet Sites Spread Multiple RATs
4.  Hackers steal source code of top anti-virus firms to sell online
5.  Fake LastPass Password Manager App Lurks on iOS App Store

Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Plus: US surveillance reportedly targets pro-Palestinian protesters, the FBI arrests a man for AI-generated CSAM, and stalkerware targets hotel computers.

Sex, drugs, and … Eventbrite? A WIRED investigation published this week uncovered a network of spammers and scammers pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts, and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promoted posts for opioids alongside addiction recovery events. The good news is, the company appears to have removed most of the more than 7,400 illicit posts WIRED uncovered.

If you drive a Tesla Model 3, make sure to enable your PIN-to-drive feature or your car could be easily stolen within seconds. While the company has added new ultra-wideband radio tech to its keyless system, which can prevent “relay attacks,” researchers at Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed makes and models of vehicles) are still vulnerable. Relay attacks use inexpensive radios to transmit the signal from someone’s key fob or phone app that can then be used to unlock and start an impacted vehicle. Tesla says its adoption of ultra-wideband radio was not meant to stop relay attacks (even though it technically could), but it’s possible the automaker will add that protection in the future.

Police busting people for running illicit online markets is nearly as old a tale as the dark web itself. But this week’s takedown offered a new twist. The FBI recently arrested Lin Rui-siang, a 23-year-old accused of operating Incognito Market, which authorities claim facilitated $100 million in sales of narcotics on the dark web. US prosecutors claim Lin then extorted Incognito’s users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracing cryptocurrency on blockchains. If the US Justice Department is correct about his alleged involvement in Incognito Market, that would make him one of the most unusual cybercriminals we’ve ever encountered.

Leaks don’t just impact people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident reveals the dangers of collecting sensitive biometrics in the first place.

Finally, the saga of WikiLeaks founder Julian Assange inched forward again this week, with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said that Assange can appeal US prosecutors’ assurances about how his trial would be conducted and on First Amendment grounds. The appeals process will inevitably push back any final decision about his potential extradition for months.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft unveiled plans this week to launch a tool on its forthcoming Copilot+ PCs called Recall that takes screenshots of its customers’ computers every few seconds. Microsoft says the tool is meant to give people the ability to “find the content you have viewed on your device.” The company also claims to have a range of protections in place and says the images are only stored locally in an encrypted drive, but the response has been roundly negative nonetheless, with some watchdogs reportedly calling it a possible “privacy nightmare.” The company notes that an intruder would need a password and physical access to the device to view any of the screenshots, which should rule out the possibility of anyone with legal concerns ever adopting the system. Ironically, Recall’s description sounds eerily reminiscent of computer monitoring software the FBI has used in the past. Microsoft even acknowledges that the system takes no steps to redact passwords or financial information.

**US Surveillance Reportedly Targets Pro-Palestinian Protesters**

Federal authorities are reportedly working quietly to establish ties between antiwar demonstrators on US campuses and any foreign groups or individuals overseas, according to journalist Ken Klippenstein, formerly of the Intercept, who says the National Counterterrorism Center is at the center of the effort. Evidence of overseas ties would lend further ammunition to politicians, university officials, and police, who’ve widely claimed “outside agitators” are to blame for the demonstrations—an allegation that’s routinely lobbed at protesters in the United States, often meant to imply that the protesters themselves are dupes. Incidentally, authorities may also overcome constitutional hurdles to surveillance by establishing a foreign target to spy on; someone unprotected by the country’s Fourth Amendment. Republicans in Congress—representatives Mark Green and August Pfluger—have, meanwhile, asked the FBI and Department of Homeland Security to supply congressional committees with records about the government’s surveillance of the protesters, including any efforts to infiltrate them using “online covert employees or confidential human sources.”

**FBI Arrests Man for AI-Generated CSAM**

The FBI has nabbed a 42-year-old Wisconsin man for using Stable Diffusion, the text-to-image generative AI software, to manufacture child sexual abuse material. The man was reportedly caught with “thousands of realistic images” of children, some featuring them nude or partially clothed with men. Court records indicate the evidence includes more than 13,000 gen-AI images as well as the prompts he used to create the images. “Using AI to produce sexually explicit depictions of children is illegal, and the Justice Department will not hesitate to hold accountable those who possess, produce, or distribute AI-generated child sexual abuse material,” Nicole Argentieri, head of the Justice Department’s Criminal Division, says in a statement. The arrest is part of Project Safe Childhood, a collaboration between the government and corporations reportedly targeting online offenders.

**Stalkerware Targets US Hotel Computer Systems**

Security researchers this week disclosed to TechCrunch that they’d discovered consumer-grade spyware—often known as “stalkerware”—on the computers of “at least three” Wyndham hotels in the United States, potentially exposing travelers’ personal details. The stalkerware, called pcTattletale, can be installed on Android and Windows devices, giving whoever has control of the sneaky app the ability to access data on the targeted machine and monitor users’ activity. The presence of pcTattletale was discovered thanks to a security flaw in the spyware that exposed screenshots of infected machines to the open internet, according to the researchers. Although the researchers found pcTattletale on Wyndham computers, the hotel company says each of its locations are franchises, suggesting that the spyware infection could be limited to just a few locations.

Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

4BRO Insecure Direct Object Reference / API Information Exposure

Plus, SS7 vulnerabilities are being exploited and BreachForums is taken down again.

Thursday, May 23, 2024 14:00

Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them. 

These adversaries can range from criminals just looking to do something illegal for a range of reasons, but maybe just looking to steal a physical object, to just a jealous or suspicious spouse or partner who wants to keep tags on their significant other. 

Apple and other manufacturers who make these devices have since taken several steps to curb the abuse of these devices and make them more secure. Most recently, Google and Apple announced new alerts that would hit Android and iOS devices and alert users that their devices’ location is being connected to any location-tracking device.  

“With this new capability, users will now get an ‘\[Item\] Found Moving With You’ alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with,” Apple stated in its announcement. 

Companies Motorola, Jio and Eufy also announced that they would be adhering to these new standards and should release compliant products soon.  

Certainly, products like the AirTag and Samsung trackers that these companies have direct control over will now be more secure, and hopefully less ripe for abuse by a bad actor, but it’s far from a total solution to the problem that these types of products pose. 

As I’ve pointed out in the past with security cameras and any other range of internet-connected devices, online stores are filled with these types of products, promising to track users’ personal items with an app so they don’t lose common household items like their phones, wallets and keys.  

Amazon has countless listings under “location tag” for a range of AirTag-like products made by unknown manufacturers. Some of these products are slim enough to fit right into the credit card pocket of a wallet or purse,  and others are smaller than the average AirTag and even advertise that they can remain hidden inside a car.  

I admittedly haven’t been able to dive into these individual devices, but some of them come with their own third-party apps, which come with their own set of security caveats and completely take it out of platform developers’ hands.  

There are also other “find my device”-type services that pose additional security concerns outside of just buying a small tag. Android’s new, enhanced “Find My Device” network is a crowdsourced solution to help users potentially find their lost devices, similar to iOS’ Find My network.  

The Find My Device network works by using other Android devices to silently relay the registered device’s approximate location, even if the device being searched for is offline or turned off. In the wrong hands, there are a range of ways that can be abused on its own.  

So, rather than relying on developers and manufacturers to make these services more secure, I have a few tips for how to use AirTag-like devices safely, if you really can’t come up with a better solution for not losing your keys. 

*   Check for suspicious tracking devices. On iOS, this means opening the “Find My” app and navigating to Items > Items Detected Near You. Any unfamiliar AirTags will be listed here. On Android, you can do the same thing by going to Settings > Safety & Emergency > Unknown Tracker Alerts > Scan Now. 
*   Remove yourself from any “Sharing Groups” unless it’s a trusted contact in your phone using the Find My app on iOS. 
*   If location tracking is your primary concern (especially for parents and their children) using the Find My app on iOS and Android is generally a more secure option than trusting a third-party app downloaded from the app store or relying on a Bluetooth connection.  
*   Manage individual apps’ settings to ensure only the services that \*really\* need to track your device’s physical location are using it. (Ex., you probably don’t need Facebook tracking that information.) 
*   Since AirTags are connected to your Apple ID, ensure that login is secured with multi-factor authentication (MFA) or using a passkey.  

**The one big thing **

Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. New data from Talos found that popular brands like PayPal, Microsoft, NortonLifeLock and McAfee are among some of the most-impersonated brands in these types of phishing emails.  

**Why do I care? **

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands. 

**So now what? **

Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. And users who want to learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools can visit this site. 

**Top security headlines of the week **

**Adversaries have been quietly exploiting the backbone of cellular communications to track Americans’ location for years,** according to a U.S. Cybersecurity and Infrastructure Security Agency (CISA). The official broke ranks with their agency and reportedly shared this information with the Federal Communications Commission (FCC). The official said that attackers have used vulnerabilities in the SS7 protocol to steal location data, monitor voice and text messages, and deliver spyware. Other targets have received text messages containing fake news or disinformation. SS7 is the protocol used across the globe that routes text messages and calls to different devices but has often been a target for attackers. In the past, other vulnerabilities in SS7 have been used to gain access to telecommunications providers’ networks. In their written comments to the FCC, the official said that these vulnerabilities are the “tip of the proverbial iceberg” of SS7-related exploits used against U.S. citizens. (404 Media, The Economist) 

**The FBI once again seized the main site belonging to BreachForums,** a popular platform for buying and selling stolen personal information. Last year, international law enforcement agencies took down a previous version of the cybercrime site and arrested its administrator, but the new pages quickly emerged, using three different domains since the last disruption. American law enforcement agencies also took control of the forum’s official Telegram account, and a channel belonging to the newest BreachForums administrator, “Baphomet.” However, the FBI has yet to publicly state anything about the takedown or any potential arrests. BreachForums isn’t expected to be gone for long, as another admin named “ShinyHunters” claims the site will be back with a new Onion domain soon. ShinyHunters claims they’ve retried access to the seized clearnet domain for BreachForums, though they did not provide specific methods. BreachForums is infamous for being a site where attackers can buy and sell stolen data, offer their hacking services or share recent TTPs. (TechCruch, HackRead) 

**The U.S. Department of Justice charged three North Koreans with crimes related to impersonating others to obtain remote employment in the U.S., which in turn generated funding for North Korea’s military.** The three men, and another U.S. citizen, were charged with what the DOJ called “staggering fraud” in which they secured illicit work with several U.S. companies and government agencies using fraudulent identities from 60 real Americans. The U.S. citizen was allegedly placed laptops belonging to U.S. companies at various residences so the North Koreans could hide their true location. North Korean state-sponsored actors have used these types of tactics for years, often relying on social media networks like LinkedIn to fake their personal information and obtain jobs or steal sensitive information from companies. More than 300 companies may have been affected, with the perpetrators earning more than $6.8 million, most of which was used to “raise revenue for the North Korean government and its illicit nuclear program,” according to the DOJ. (ABC News, Bloomberg) 

**Can’t get enough Talos? **

*   Proactive Threat Hunting in Duo Data 
*   Talos Takes Ep. #184: Recapping RSA  
*   You have to look out for these hacks in 2024! 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Tag

#ios