Imagine someone hacking into an Amazon Alexa device using a laser beam and then doing some online shopping using that person's account. This is a scenario presented by a group of researchers who are exploring why digital home assistants and other sensing systems that use sound commands to perform functions can be hacked by light. The same team that last year mounted a signal-injection attack against a range of smart speakers merely by using a laser pointer is still unraveling the mystery of why the microelectro-mechanical systems (MEMS) microphones in the products turn the light signals into sound. Researchers at the time said that they were able to launch inaudible commands by shining lasers – from as far as 110 meters, or 360 feet – at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant. “[B]y modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio,” said researchers at the time. Now, the team – Sara Rampazzi, an assistant professor at the University of Florida; and Benjamin Cyr and Daniel Genkin, a PhD student and an assistant professor, respectively, at the University of Michigan – has expanded these light-based attacks beyond the digital assistants into other aspects of the connected home. They broadened their research to show how light can be used to manipulate a wider range of…

Source

Event-discovery application Peatix has disclosed a data breach, after ads for stolen user-account information were reportedly being circulated on Instagram and Telegram. In a data breach notice to affected users, Peatix said it learned on Nov. 9 that user account data had been improperly accessed. Upon further investigation, the company found that user names, email addresses, salted and hashed passwords, nicknames, preferred languages, countries and time zones had been compromised. “As part of our immediate recovery measures, we blocked unauthorized access to the database and are continuing to investigate with assistance from external security firms,” according to the data-breach notification. Peatix is an events application that connects people to various events and social-based communities. Since it first started in 2011, the application has grown to serve more than 50,000 interest groups worldwide – with a user base of 5 million. It’s unclear how many of those users were affected by the data breach or how the breach initially occurred; Threatpost has reached out to Peatix for further information. While Peatix uses payment processors such as PayPal and Stripe for managing user payments, full credit-card details are not stored on its databases, and Peatix said there is no evidence that this information has been compromised. “In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any…

Source

Scammers are taking advantage of the Minecraft sandbox video game’s wild success by developing Google Play apps which appear to be Minecraft modpacks, but instead deliver abusive ads, according to researchers. Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices. Minecraft is a problem-solving game aimed at kids and teens where players create their own worlds. Its original version, called Java Edition, was first released by Mojang Studios in 2009. The skills players build playing Minecraft have been touted by parents and educators as beneficial for kids, which has likely contributed to the game’s success. According to PC Games, more than 200 million copies of Minecraft were sold as of May. Because Minecraft was designed in Java, it was easy for third-party developers to create compatible applications or “modpacks” to enhance and customize the gaming experience for players. Gamepedia said that today, there are more than 15,000 modpacks for Minecraft available. Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available. Google has not responded to Threatpost’s request for comment. Malicious…

Source

Researchers have found serious security and privacy issues in 11 different smart doorbells, distributed via online marketplaces like Amazon and eBay, which could be exploited by attackers to physically switch off the devices. Smart doorbells, which connect to a smartphone and alert users with video footage when someone approaches their home, have become increasingly popular over the years. Matt Lewis, research director at NCC Group, told Threatpost during this week’s Threatpost podcast episode that these smart doorbells were discovered to have a slew of issues, including weak password policies, lack of data encryption and excessive collection of customer information. Listen to the full podcast, below, or download here. Also, check out our podcast microsite, where we go beyond the headlines on the latest news. “Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process,” Lewis said. “However, we are hopeful that the much-anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes to fruition, we must continue to work together to highlight the…

Source

Multiple Android mobile apps found in Google Play, including Baidu Search Box and Baidu Maps, were found by researchers to be leaking data that could be used to track users – even if they switch devices. The apps have each been downloaded millions of times, according to Palo Alto Unit 42 researchers. They’ve been removed from Google Play, but anyone with one of the offending apps still installed is at risk. Researchers found the apps in question to expose a range of information, including: Phone model; screen resolution; phone MAC address; wireless carrier; network (Wi-Fi, 2G, 3G, 4G, 5G); Android ID; International Mobile Subscriber Identity (IMSI); and International Mobile Equipment Identity (IMEI). Cybercriminals in turn can use a variety of sniffing tools – such as active and passive IMSI catchers — to “overhear” this information from cell phone users. “While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone and takes the number,” said researchers with Palo Alto Networks Unit 42, in a Tuesday posting. The IMEI is a unique identifier of the physical device and denotes information such as the manufacturing date and hardware specifications. The IMSI meanwhile uniquely identifies a subscriber to a cellular network and is typically associated with a phone’s SIM card, which can be transferred between devices. Both identifiers can be…

Source

Researchers have discovered a new backdoor written in the Go programming language (Golang), which turned their heads due to its heavy level of obfuscation. The backdoor, called Blackrota, was first discovered in a honeypot owned by researchers, attempting to exploit an unauthorized-access vulnerability in the Docker Remote API. What sets the backdoor apart is its use of extensive anti-detection techniques, which makes the malware extremely difficult to analyze – something that researchers said is not commonly seen with Golang-based malware. “Historically, we have seen malware written in Go that was at best stripped at compiling time, and at worst slightly obfuscated, without much difficulty in reverse-analysis,” said researchers with 360 Netlab, in a Tuesday posting. “Blackrota brings a new approach to obfuscation, and is the most obfuscated Go-written malware in ELF format that we have found to date.” Researchers named the malware Blackrota, due to its command-and-control (C2) domain name (blackrota.ga). Threatpost has reached out to 360 Netlab for further information regarding the specific vulnerability being targeted.

The Malware

The Blackrota backdoor is currently only available for Linux, in Executable and Linkable Format (ELF) file format, and supports both x86/x86-64 CPU architectures, said researchers. ELF is a common standard file format for executable files. Upon further investigation, researchers found that Blackrota is configured based on what they called a…

Source

Researchers have demonstrated for the third time how hacking into the key fob of a Tesla can allow someone to access and steal the car in minutes. The new attack again shows a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) on the market. Researchers from the Computer Security and Industrial Cryptography (COSIC) group, an Imec research group at the University of Leuven in Belgium, have “discovered major security flaws” in the key fob of the Tesla Model X, the small device that allows someone to automatically unlock the car by approaching the vehicle or pressing a button. The research team includes PhD student Lennert Wouters, who has already demonstrated two attacks on the keyless entry technology of the Tesla Model S that succeeded in unlocking and starting vehicles. Tesla sells some of the most state-of-the-art EVs available, ranging in cost from about $40,000 for the most basic models to more than $100,000 for a top-of-the-line Tesla Model X. The key fob for the Model X uses Bluetooth Low Energy (BLE) to interface with a smartphone app to allow for keyless entry, which is where the vulnerabilities lie, researchers said in a press release published online about the hack. Indeed, the use of BLE is becoming more “prevalent” in key fobs so that the devices can communicate with people’s smartphones, researchers noted. The team detailed the two-stage proof-of-concept attack they staged using a self-made device built from…

Source

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager. The critical unpatched bug is a command injection vulnerability. In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available. “A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote. The products impacted by the vulnerability are:

- VMware Workspace One Access (Access)
- VMware Workspace One Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager

A total of 12 product versions are impacted. Workarounds outlined by VMware are “meant to be a temporary solution only, and customers are advised to follow VMSA-2020-0027 to be alerted when patches are available,” wrote the company. Versions impacted include:

- VMware Workspace One Access 20.10 (Linux)
- VMware Workspace One Access 20.01 (Linux)
- VMware Identity Manager…

Source

A recent social-engineering “vishing” attack on domain registrar GoDaddy temporarily handed over control of cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing personal information of users. Vishing is a phishing scam that uses voice interactions over the phone to gain trust with victims and fool them into handing over their credentials. Both sites, as well as GoDaddy itself, have since recovered from the compromise. On Nov. 18, Liquid’s CEO Mike Kayamori announced the breach to its systems. “On the 13th of November 2020, a domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Kayamori’s statement said. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.” The statement went on to explain Liquid was able to regain control of the domain and confirm that all of its clients’ funds were still accounted for. However, the company said the malicious actor was able to access customer emails, names, addresses and encrypted passwords. “We are continuing to investigate whether the malicious actor also obtained access to personal documents provided for KYC such as ID, selfie and proof of address, and will provide an update once the investigation has concluded,” Liquid’s…

Source

The TA416 advanced persistent threat (APT) actor is back with a vengeance: After a month of inactivity, the group was spotted launching spear-phishing attacks with a never-before-seen Golang variant of its PlugX malware loader. TA416, which is also known as “Mustang Panda” and “RedDelta,” was spotted in recent campaigns targeting entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar (all of these are previously reported campaigns). The group was also spotted recently targeting organizations conducting diplomacy in Africa. In further analysis of these attacks, researchers found the group had updated its toolset — specifically, giving its PlugX malware variant a facelift. The PlugX remote access tool (RAT) has been previously used in attacks aimed at government institutions and allows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more. “As this group continues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset to frustrate analysis and evade detection,” said researchers with Proofpoint, in a Monday analysis. “While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection and execution…

Source