
NEWS:

Fake WhatsApp app may have been built to spy on iPhone users – what you need to know

A fake version of the WhatsApp messaging app is suspected of being created by an Italian company to snoop upon individuals and steal sensitive data. The bogus app, uncovered by cybersecurity researchers at Citizen Lab and journalists at Motherboard, appears to be linked to an Italian firm called Cy4gate which develops “lawful interception” technology. https://hotforsecurity.bitdefender.com/blog/fake-whatsapp-app-may-have-been-built-to-spy-on-iphone-users-what-you-need-to-know-25270.html

SOC teams spend nearly a quarter of their day handling suspicious emails

Security professionals know that responding to relentless, incoming streams of suspicious emails can be a labor-intensive task, but a new study shared exclusively with SC Media in advance indicates just how time-consuming it actually is. Researchers at email security firm Avanan claim to have authored the “first comprehensive research study” that quantifies the amount of time security operations center (SOC) employees spend preventing, responding to, and investigating emails that successfully bypassed default security and are flagged by end users or other reporting mechanisms. https://www.scmagazine.com/home/email-security/soc-teams-spend-nearly-a-quarter-of-their-day-handling-suspicious-emails/

How to motivate employees to take cybersecurity seriously

How can we push employees and users to take cybersecurity to heart? Dr. Maria Bada, external behavioral scientist at AwareGO, has been working on the answer for years. After studying media psychology, focusing her Ph.D. on behavior change, and working towards the treatment of excessive internet use in children and adolescents, nearly ten years ago she opted to join Oxford University as a postdoctoral researcher on cyberculture and online behavior. https://www.helpnetsecurity.com/2021/02/02/how-to-motivate-employees-to-take-cybersecurity-seriously/

INCIDENTS:

Report: American Cable and Internet Giant Comcast Exposed Development Database Online

On December 1st, 2020 the WebsitePlanet research team, in cooperation with security researcher Jeremiah Fowler, discovered a non-password-protected database that contained over 1.5 billion records. There were references to Comcast throughout the database, including multiple subdomains, URLs, and internal IP addresses. The publicly visible records included dashboard permissions, logging, client IPs, @comcast email addresses, and hashed passwords. https://www.databreaches.net/report-american-cable-and-internet-giant-comcast-exposed-development-database-online/

Hackers steal StormShield source code in data breach

Leading French cybersecurity company StormShield disclosed that its systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for StormShield firewall software. StormShield is a French cybersecurity firm that develops UTM (Unified Threat Management) firewall devices, endpoint protection solutions, and secure file management solutions. StormShield's SNi40 is the only industrial firewall to receive First Level Security Certification (CSPN) from France's Agence nationale de la sécurité des systèmes d'information (ANSSI). https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-firewall-source-code-in-data-breach/

US federal payroll agency hacked using SolarWinds software flaw

The FBI has discovered that the National Finance Center (NFC), a U.S. Department of Agriculture (USDA) federal payroll agency, was compromised by exploiting a SolarWinds Orion software flaw, according to a Reuters report. NFC has provided human resources and payroll services to roughly 170 federal agencies and over 650,000 federal employees since 1973. The software vulnerability used to break into NFC's systems is different from the one used by suspected Russian nation-state hackers to compromise the update mechanism of the Orion software and deploy the Sunburst backdoor on SolarWinds customers' systems. https://www.bleepingcomputer.com/news/security/us-federal-payroll-agency-hacked-using-solarwinds-software-flaw/

Ransomware attack takes out UK Research and Innovation's Brussels networking office

UK Research and Innovation, the British government's science and research organisation, has temporarily turned off a couple of its web-facing services after an apparent attack. In a statement issued last week while everyone was gazing goggle-eyed at the European Union's vaccine export struggles, UKRI said data from its Brussels-based UK Research Office (UKRO) and an extranet service had been "encrypted by a third party". "We have reported the incident to the National Crime Agency, the National Cyber Security Centre and Information Commissioner's Office," said UKRI, which apologised to all affected and added that analysis of the attack was ongoing. https://www.theregister.com/2021/02/01/ukri_ransomware_ukro_brussels/

MALWARE:

Ransomware attacks increasingly destroy victims’ data by mistake

More and more ransomware victims are resisting the extortionists and refusing to pay when they can recover from backups, despite the hackers' threats to leak the data stolen beforehand. This stance resulted in Q4 of 2020 seeing a significant decline in average ransom payments compared to the previous quarter, says ransomware remediation firm Coveware. But a more insidious phenomenon is emerging, where data is destroyed in the attack, leaving companies no option to recover it even if they pay the ransom. https://www.bleepingcomputer.com/news/security/ransomware-attacks-increasingly-destroy-victims-data-by-mistake/

Whitespace Steganography Conceals Web Shell in PHP

Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files. At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the CSS file revealed 56,964 seemingly empty lines containing combinations of invisible tab (0x09), space (0x20), and line feed (0x0A) characters, which were converted to a binary representation of characters and then to the text of executable JavaScript code. It didn’t take long before we found the same approach used in PHP malware. Here’s what our malware analyst Liam Smith discovered while recently working on a site containing multiple backdoors and webshells uploaded by hackers. https://blog.sucuri.net/2021/02/whitespace-steganography-conceals-web-shell-in--malware.html
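A defender-side check for the encoding described above, as an added example that is not Sucuri's code: it flags files with many whitespace-only lines, decodes them and looks for script markers. The exact bit mapping is not given in the article, so the example assumes space = 0, tab = 1, eight characters per line, most significant bit first; the sample CSS is constructed.

```python
"""Heuristic scanner for payloads hidden in whitespace-only lines of a CSS/PHP file."""
import re
import string

# Assumed mapping (the article does not specify it): space = 0, tab = 1, 8 bits per line, MSB first.
BIT = {" ": "0", "\t": "1"}
WS_LINE = re.compile(r"^[ \t]+$")          # non-empty line made only of spaces/tabs
# Markers whose presence in decoded text strongly suggests an injected script or web shell.
SUSPICIOUS = ("<?php", "eval(", "base64_decode(", "document.createElement", "<script")

def whitespace_only_lines(text):
    """Return every line that consists of nothing but tabs and spaces."""
    return [ln for ln in text.split("\n") if WS_LINE.match(ln)]

def decode_whitespace(lines):
    """Turn each 8-character tab/space line into one ASCII character; skip malformed lines."""
    chars = []
    for ln in lines:
        if len(ln) != 8:
            continue
        chars.append(chr(int("".join(BIT[c] for c in ln), 2)))
    return "".join(chars)

def scan(text, min_lines=4):
    """Report whitespace-line count, decoded text and whether the file looks like a carrier."""
    lines = whitespace_only_lines(text)
    decoded = decode_whitespace(lines)
    printable = bool(decoded) and all(ch in string.printable for ch in decoded)
    hits = [m for m in SUSPICIOUS if m in decoded]
    return {
        "whitespace_lines": len(lines),
        "decoded": decoded,
        "markers": hits,
        # A handful of whitespace lines is normal editor noise; many that decode to printable
        # text containing a script marker is not.
        "suspicious": len(lines) >= min_lines and printable and bool(hits),
    }

# Constructed sample: benign CSS carrying five whitespace-only lines that encode "<?php".
SAMPLE = "\n".join([
    "body { margin: 0; }",
    "  \t\t\t\t  ",    # 00111100 -> '<'
    "  \t\t\t\t\t\t",  # 00111111 -> '?'
    " \t\t\t    ",     # 01110000 -> 'p'
    " \t\t \t   ",     # 01101000 -> 'h'
    " \t\t\t    ",     # 01110000 -> 'p'
    ".hidden { display: none; }",
])

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On real files the article's sample had tens of thousands of such lines, so `min_lines` can be raised well above 4 to cut false positives from hand-edited stylesheets.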

VULNERABILITIES:

Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi Module

In a recent supply chain security assessment, Vdoo analyzed multiple networking devices for security vulnerabilities and exposures. During the analysis we discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on. An attacker that exploits the discovered vulnerabilities can gain remote root access to the Wi-Fi module, and from there very possibly hop to the application processor as well (as the attacker has complete control of the device’s wireless communications). https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered

Latest macOS Big Sur also has SUDO root flaw

A recently discovered heap-based buffer overflow vulnerability in Linux SUDO also impacts the latest version of Apple macOS Big Sur, with no patch available yet. Last week, BleepingComputer had reported on CVE-2021-3156 aka Baron Samedit, a flaw in SUDO which lets local users gain root privileges. Sudo is a Unix program that enables system admins to provide limited root privileges to normal users listed in the sudoers file, while at the same time keeping a log of their activity. This helps limit the rights of standard users by preventing them from executing high-risk commands and programs which may compromise the system's security. By exploiting Baron Samedit, standard non-root users on Linux, and now on macOS systems, can execute applications with root privileges. https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw/

Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks

At least one major ransomware gang is abusing vulnerabilities in the VMware ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. The attacks, first seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware. According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage. https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/

Cisco Patches Critical Vulnerabilities in Small Business Routers, SD-WAN

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products. The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root. https://www.securityweek.com/cisco-patches-critical-vulnerabilities-small-business-routers-sd-wan

Cyber4Dev collates data from Open Source websites, any opinions or attributions expressed in the articles are not those of Cyber4Dev and are not endorsed by the project or the EU.