An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure. Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming. Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.

I mean this is still unpatched and allows LPE if shadow volume copies are enabled; but I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO — Abdelhamid Naceri (@KLINIX5) November 15, 2021

The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information – a juicy target for attackers. “As…

An APT has attacked two separate vaccine manufacturers this year using a shape-shifting malware that appears at first to be a ransomware attack but later shows to be far more sophisticated, researchers have found. Dubbed Tardigrade by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the attacks used malware that can adapt to its environment, conceal itself, and even operate autonomously when cut off from its command-and-control server (C2), according to a recent advisory released by BIO-ISAC. The first attack was detected at a “large biomanufacturing facility” in April, with investigators identifying a malware loader “that demonstrated a high degree of autonomy as well as metamorphic capabilities,” according to the advisory. In October 2021, the malware was detected at a second facility as well. However, for now, “biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures,” the center warned. Indeed, there have already been a number of attacks targeting the COVID-19 vaccine efforts since the pandemic began, and they are likely to continue, security researchers warned. In October 2020, Dr. Reddy’s, the contractor for Russia’s “Sputnik V” COVID-19 vaccine and a major generics producer, had to close plants and isolate its data centers after a cyberattack. Two months later, in December, threat actors broke into the European Medicines Agency (EMA)…

A visualization of the Internet made using network routing data. Image: Barrett Lyon, opte.org. Imagine being able to disconnect or redirect Internet traffic destined for some of the world's biggest companies — just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 firm that operates one of the largest Internet backbones. Based in Monroe, La., Lumen Technologies Inc. [NYSE: LUMN] (formerly CenturyLink) is one of more than two dozen entities that operate what's known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to register their assigned network resources — i.e., the Internet addresses that have been allocated to their organization. The data maintained by the IRRs helps keep track of which organizations have the right to access what Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast array of individual networks. There are about 70,000 distinct networks on the Internet today, ranging from huge broadband providers like AT&T, Comcast and Verizon to many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called "Autonomous Systems" (ASes) makes its own decisions about how and with whom it will connect to the larger Internet. Regardless of how they get online, each AS uses the same…

Black Friday cyber-pariahs have revamped gift-card scams to better target modern online shoppers hungry for deals post-Thanksgiving. Experts warn new tactics include bogus gift-card generators that install malware designed to sniff out a victim’s cryptocurrency wallet address. Internet-based Black Friday and Cyber Monday scams have become as common as the Macy’s Thanksgiving Day Parade. That’s why scammers have to trot out new ways to snare cyber-savvy shoppers. In a Tuesday post, researchers at Malwarebytes Labs outlined this year’s latest gift-card scams. One novel twist includes offering gift cards for significantly less than face value as a ploy to entice users to buy stolen gift cards or download malware. “If you see websites offering all kinds of discounts on gift cards, you can be assured that these will turn out to be fakes or they have been acquired in an illegal way and you could be acting as a fence,” wrote Pieter Arntz, Malwarebytes malware intelligence researcher.

Generating Scams, Not Gift Cards

Researchers said they have been tracking a number of websites that claim to provide “gift card generators” that people can use to generate the code for all kinds of gift cards. These sites can be particularly deceptive because they use major brands such as Amazon, Roblox, Google, Xbox and PS5. The “lucky” people who fall victim to these scams will download gift-card generators and be informed just before trying to use them that they don’t actually generate valid…

Why would a game about a cat’s “cute diary” need permission to make phone calls or suss out your location? It doesn’t: “Cat cute diary” is one of 190 trojanized games that Doctor Web malware analysts have found on AppGallery, the official app store for Huawei Android. They’re littering the Android landscape. In a report published on Tuesday, Doctor Web estimated that more than 9,300,000 Android device owners have installed the dangerous games. According to researchers, the main purpose of the slew of malware-laced apps – which includes loads of kid-enticing entries, including games, simulators, platformers, arcades, strategies and shooters – isn’t to satisfy users’ cute-kitty and shoot-the-bad-guys lust. Rather, they’re rigged with a new Android trojan, tracked by the analysts as Android.Cynos.7.origin, the main purpose of which is to lap up users’ phone numbers and device data and to make money by milking the data to inflict ads, according to researchers.

Fun and Games and Data Exfiltration

Doctor Web provided a few examples of the trojan-containing games, some of which are targeting Russian-speaking users and which have Russian titles and descriptions, and some of which target Chinese or international audiences.

“Cat game room” – 427,000+ installations. Source: Doctor Web.

One of them – the “快点躲起来” game – which, according to Google Translator, means “Hurry up and hide” in English – has been downloaded over 2,000,000 times, according to the research. Here’s the full list of…

The GoDaddy breach affecting 1.2 million customers has widened – it turns out that various subsidiaries that resell GoDaddy Managed WordPress were also affected. The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. The world’s largest domain registrar confirmed to researchers at Wordfence that several of these brands’ customers were affected by the security incident (and Wordfence provided breach-notification notices from two of them in a Tuesday posting). “The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost,” Dan Rice, vice president of corporate communications at GoDaddy, told Wordfence. “A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.” It’s unclear exactly how many additional users were affected by the widened breach. GoDaddy’s Managed WordPress hosting environment is a site-building service that allows companies and individuals to use the popular WordPress content management system (CMS) in a hosted environment without having to manage and update it themselves. On Monday, the web-hosting giant said in a public filing to the SEC that an “unauthorized third party” managed to infiltrate its Managed WordPress systems…

In the wake of a zero-click zero-day exploit that was deployed against iPhone users, Apple has filed a lawsuit against NSO Group. The complaint alleges that the maker of the infamous Pegasus mobile spyware is responsible for the illegal surveillance of Apple users. The computing giant is looking for the court to issue a permanent injunction on the Israeli company, banning it from using any Apple software, services or devices – and also an unspecified amount in monetary damages. “In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple security engineering and architecture, in an Apple statement issued Monday. NSO Group is also facing other lawsuits – notably a complaint brought by Facebook subsidiary WhatsApp that aimed to hold NSO Group accountable for distributing Pegasus via the messaging service to at least 1,400 targets. That suit has sparked legions of amicus briefs from Cisco, Electronic Frontier Foundation (EFF), GitHub, Google, the Internet Association, LinkedIn, Microsoft and VMware, among others. Earlier this month, a U.S. appeals court rejected NSO Group’s argument that it’s protected from the suit under sovereign immunity laws, which will allow the suit to move forward and which will make it necessary for the company to respond to discovery efforts. That verdict likely acted as a green light for Apple’s decision to file its own suit, researchers…

Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem. Over the weekend, security researcher Abdelhamid Naceri examined a Windows Installer elevation-of-privilege vulnerability tracked as CVE-2021-41379 that Microsoft patched a couple of weeks ago as part of its November Patch Tuesday updates. After examining the fix, Naceri found a bypass as well as an even more concerning zero-day privilege-elevation bug. The researcher posted a proof-of-concept (POC) exploit Tuesday on GitHub for the newly discovered bug that he said works on all currently supported versions of Windows. If exploited, the POC, called InstallerFileTakeOver, gives an actor administrative privileges in Windows 10, Windows 11 and Windows Server when logged onto a Windows machine with Edge installed.

Peer Research Confirms Exploit and Active Attacks

Researchers at Cisco Talos Security Intelligence and Research Group, as well as others, confirmed that the POC can be reproduced and corroborated evidence that threat actors were already exploiting the bug. “This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022,” according to a post on the Cisco Talos blog by Jaeson Schultz, technical leader for Cisco Talos. “Talos has already detected malware samples in the wild that are attempting to take…

Ransomware is on the rise, and attackers are massing in never-before-seen numbers, lining up to find victims. Could the new year possibly get any worse? According to FortiGuard Labs, the answer is yes. According to its 2022 predictions, upcoming threats will target an expanding attack surface, meaning that 2022 is “shaping up to be a banner year for cybercriminals. … Attacks will continue to span the entire attack surface, leaving IT teams scrambling to cover every possible avenue of attack.” The author of that report is Derek Manky, chief of security insights and global threat alliances for FortiGuard Labs. He recently visited the Threatpost podcast to discuss what FortiGuard Labs is seeing, from more Mirai – the No. 1 botnet listed in the company’s threat landscape report (PDF) for the first half of 2021 – to more Linux-based botnets and more. “We’re going to fully expect to see more of [Mirai],” Manky predicted. “More Linux-based botnets. A lot of these targets, we’re not talking about Windows, but MacOS, we’ve already seen more and more … code written for Linux itself, and that is a majority of the [internet of things, or IoT] space.” Fortinet is also predicting that attacks will continue to span the network, including an increase in attacks targeting Operational Technology (OT) systems, Manky said. It makes sense, he said, given that “That’s where the bigger dollars are.” Fortinet’s full report, Predictions for 2022: Tomorrow’s Threats Will Target the Expanding Attack…

Most users who install applications through legitimate channels such as the Google Play Store or the Apple Store do so with complete trust that their information is safe from malicious attacks. This makes sense, because they’re the official app stores across the globe. However, despite tight security measures by Google and Apple, cybercriminals still find ways to bypass these checks. They do this through app impersonation. For instance, since Android lets users side-load and install apps downloaded from non-store sources, cyberattackers take advantage by creating clone apps that mimic legitimate ones. They then use the fake apps to collect data or credentials for malicious use. An example was when India banned TikTok. A clone called TikTok Pro came up immediately with malicious intentions to steal data from users’ devices. Attackers also took advantage of COVID-19 fears to collect user data through fake tracking apps. Cybercriminals are capitalizing on the remote-work trend as more companies allow employees to access business applications through mobile devices. Additionally, personal internet networks rarely have the kind of security measures available within an office environment, such as firewalls, which creates ample room for attackers to scrape business data. Below we look at ways to identify app impersonation, tools to defend yourself from attacks and measures to put in place for better security.

2 Types of App Impersonation

In addition to the examples given…
