Policy Monitor, the London-based cybersecurity and risk management experts, will launch Cyber Security Policy Monitor (CSPM) at this year’s International Cyber Expo in London. CSPM is a simple and cost-effective cloud-based solution that helps measure, manage and monitor an organisation’s cyber security workflow and compliance. The information security management system gives cyber security peace of mind to organisations of all sizes, including SMEs.

Policy Monitor will be exhibiting and demonstrating the power of Cyber Security Policy Monitor in the IASME Pavilion at the International Cyber Expo at Olympia, London on September 27th and 28th. With cyber threats ever evolving and investment in the sector increasing to an estimated £8.9 billion, the UK is recognised as a leader in the field of cybersecurity and the event will showcase the latest research and innovations, providing an ideal setting to launch CSPM.

CSPM enables organisations to:

  • Locate relevant knowledge by consolidating relevant and useful sites into a single portal from which they can be accessed
  • Define their own security policy as a series of simple workflows covering cyber security awareness and training, preventative tasks and how to respond to incidents. The status of assets is listed in CSPM, which schedules regular tasks or initiates tasks in response to an event to implement the security policy
  • Run through the pre-loaded IASME questions, prepare a response and load it into the IASME portal for assessment by Policy Monitor’s consultants, who are an IASME certification body
  • Link IASME responses to the company’s security policy and prove that it complies with IASME throughout the year
  • Show an audit trail to prove compliance during the year
  • Integrate with external asset management and cyber security technology so that the risks identified are consolidated into a single picture visible on the dashboard
  • View an at-a-glance KPI dashboard that gives management a full cyber security status overview, enabling the board to monitor compliance across the business and take action before policies are breached.

Cyber Essentials and IASME templates are pre-loaded to embed cyber security best practice and help define, implement and monitor security policies. There are also US templates covering NIST and HIPAA, and additional templates can be created to meet customer needs.

Nick Denning, CEO, Policy Monitor said, “With cyber threats increasing, we want to ensure that the UK is the safest place to do business. Over 60% of SMEs* have reported a data breach in the last year and so Policy Monitor has developed CSPM to bring cyber security best practices, regulatory standards, policies and workflows to organisations of all sizes. CSPM brings support to every stage of the cyber security compliance process. We’ve made sure it is simple to use and easy to manage, removing cost and complexity. It is important for businesses and the UK economy that effective cyber security solutions are available to all so we offer CSPM with a range of affordable SME pricing options.”

Policy Monitor will be providing cyber security advice and demonstrating CSPM live at International Cyber Expo 2022 on stand B60 in the IASME Pavilion.


The post Policy Monitor to launch CSPM, an Information Security Management System, at the International Cyber Expo appeared first on IT Security Guru.

Researchers have discovered a critical vulnerability in the TikTok Android app which could allow hackers to hijack user accounts remotely.

The vulnerability, CVE-2022-28799, was reported to the ByteDance-owned company by Microsoft in February 2022, and TikTok fixed it quickly. The app is estimated to have around 1.5 billion downloads on the Play Store; however, Microsoft added, there is no evidence that the bug has been exploited in the wild.

Microsoft further explained: “The vulnerability allowed the app’s deeplink verification to be bypassed. Attackers could force the app to load an arbitrary URL to the app’s WebView, allowing the URL to then access the WebView’s attached JavaScript bridges and grant functionality to attackers.”

Microsoft also identified more than 70 exposed JavaScript methods that, paired with an exploit to hijack the WebView such as the TikTok bug, could grant functionality to attackers.

With that access, an attacker could retrieve the user’s authentication tokens by triggering a request to a server they control and logging the cookies and request headers. They could also retrieve or modify the user’s TikTok account data by triggering a request to the app’s endpoint and reading the reply via the JavaScript callback.
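The two deeplink-validation mistakes that most often produce exactly this outcome (an attacker-chosen page loaded into a WebView that carries JavaScript bridges) are shown below as an added example. It is not Microsoft’s proof of concept and not TikTok’s code; the real app is Java/Kotlin and its actual check is not reproduced here. The allowlisted hosts, the `redirect_url` parameter name and the sample deeplinks are assumptions made for the illustration.

```python
"""Deeplink host verification: a bypassable check next to a strict one.

Illustrative only. ALLOWED_HOSTS, TRUSTED_SUFFIX, the redirect_url parameter
and the sample links are assumptions, not taken from any real app.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed: hosts whose pages may be loaded into the app's WebView.
ALLOWED_HOSTS = {"m.example-app.com", "www.example-app.com"}
TRUSTED_SUFFIX = "example-app.com"


def weak_resolve_webview_url(deeplink: str) -> Optional[str]:
    """Two common mistakes: a suffix match without the leading dot, and a
    redirect parameter whose value is loaded without being checked itself."""
    parts = urlsplit(deeplink)
    host = parts.hostname or ""
    if not host.endswith(TRUSTED_SUFFIX):       # "evilexample-app.com" passes
        return None
    redirect = parse_qs(parts.query).get("redirect_url")
    # Whatever redirect_url says is handed straight to the WebView.
    return redirect[0] if redirect else deeplink


def _trusted(url: str) -> bool:
    """Exact host match on the parsed URL, https only."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def strict_resolve_webview_url(deeplink: str) -> Optional[str]:
    """Validate the deeplink, then validate the URL the WebView will actually
    load (the redirect target when one is supplied)."""
    if not _trusted(deeplink):
        return None
    redirect = parse_qs(urlsplit(deeplink).query).get("redirect_url")
    target = redirect[0] if redirect else deeplink
    return target if _trusted(target) else None


# Constructed sample links: the first smuggles an attacker page in through the
# redirect parameter, the second abuses the dot-less suffix check.
ATTACKER_REDIRECT = ("https://m.example-app.com/redirect"
                     "?redirect_url=https://attacker.example/bridge.html")
ATTACKER_SUFFIX = "https://evilexample-app.com/bridge.html"
LEGIT = ("https://m.example-app.com/redirect"
         "?redirect_url=https://www.example-app.com/help")

if __name__ == "__main__":
    for link in (ATTACKER_REDIRECT, ATTACKER_SUFFIX, LEGIT):
        print(weak_resolve_webview_url(link), "|", strict_resolve_webview_url(link))
```

Parsing the URL before comparing hosts also defeats userinfo tricks such as `https://m.example-app.com@attacker.example/`, which string-prefix checks wave through. On Android the host check is only half the fix: objects exposed with `addJavascriptInterface` should be attached only to WebViews that can never navigate to an untrusted origin.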

In their proof of concept, Microsoft wrote: “Once the attacker’s specially crafted malicious link is clicked by the targeted TikTok user, the attacker’s server is granted full access to the JavaScript bridge and can invoke any exposed functionality.”

“The attacker’s server returns an HTML page containing JavaScript code to send video upload tokens back to the attacker as well as change the user’s profile biography.”

Attackers could, with full control over users’ accounts, change the victim’s profile details, send messages, publish private videos and upload content.

This comes not long after concerns were raised in the US in July over whether user data was adequately safeguarded from China-based staff.

The post TikTok Vulnerability Discovered on Android appeared first on IT Security Guru.

DESFA, Greece’s largest natural gas supplier, said, on Saturday 20th August, that it was hit by a cyberattack that impacted the availability of some of its systems.

The Ragnar Locker ransomware group claimed responsibility for the attack and says it has published more than 350 GB of data stolen from DESFA.

Security researchers from Cybereason have published a report describing details of the attack.

The Threat Analysis Report says: “Ragnar Locker is a ransomware that has been in use since at least December 2019 and is generally aimed at English-speaking users. The Ragnar Locker ransomware has been on the FBI’s radar since the gang breached more than fifty organizations across ten critical infrastructure sectors.”

The advisory says that the first thing Ragnar Locker does after infecting a system is check the machine’s locale. If the locale matches one of a set of countries, including Ukraine, Russia and Belarus, the malware does not execute and the process terminates.

The report says: “Ragnar Locker avoids being executed from countries since the group is located in the Commonwealth of Independent States (CIS).”

If no match is found, the ransomware begins collecting information about the infected machine and attempts to enumerate the file volumes on the host. Once that identification phase is complete, Ragnar Locker encrypts files and displays a ransom note to the victim.

Cybereason adds that Ragnar Locker checks whether specific products are installed, particularly virtualisation software, security software such as antivirus, IT remote management tools and backup solutions, in order to circumvent those defences and avoid detection.

DESFA previously suffered a ransomware attack in May 2021, the same month as the attack on Colonial Pipeline.

Critical national infrastructure (CNI) providers have recently been asked by the UK, US and Australian governments to step up their security efforts in response to a surge in ransomware attacks.


The post DESFA Suffer Another Cyberattack appeared first on IT Security Guru.

A new survey by Censuswide and the International Cyber Expo found that over a third (34%) of parents are unaware of what online accounts their children are using, highlighting a worrying lack of awareness surrounding their children’s online activity. The survey was conducted amongst 600 parents across the UK.

The survey did find that over a fifth of parents claim to know about all their children’s accounts, but they’re unable to easily access them to monitor what their children are doing and who they are interacting with. Interestingly, 15% of the respondents admitted that they allow their children to have total online freedom.

The results reveal an overall lack of awareness around children’s use of the internet. Trust is also an issue: 8% of parents surveyed admitted they believe their children are dishonest about their online activity.

Simon Newman, International Cyber Expo Advisory Council Member and CEO of Cyber Resilience Centre for London, commented: “It is challenging enough to ensure children are safe in the ‘real’ world, let alone worrying about their presence in the digital world. As threats become harder to identify online, it can be easy to fall into the ‘out of sight, out of mind’ mentality.”

The survey also asked parents about their children’s experiences of cyber bullying and trolling, both as victim and as bully. Shockingly, 14% of parents admit their children have bullied or trolled others, with 54% of those perpetrators aged 10 or younger. Conversely, 13% say their children have experienced cyber bullying, with 41% of those victims aged 10 or younger.

The internet can be a scary place for uneducated users or users lacking full awareness of online safety. Newman also adds: “as we know, children can be highly susceptible and easily fall victim to dangerous and/or abusive behaviour. In some cases, they may even be groomed by online criminal groups to carry out illegal activity on their behalf. Therefore, it has never been more important for parents to take an active interest in their children’s online activity.”

The survey was commissioned by the International Cyber Expo, the annual cybersecurity expo, created for the community, by the community, held at Olympia London on the 27th – 28th September 2022. The Expo endeavours to be the hub of global and inclusive collaboration, focusing on connecting cybersecurity vendors with decision-makers such as CISOs, CIOs and Heads of Information Security from mid-to-large enterprises, government, critical national infrastructure and public sector organisations.

You can register as a visitor for free now: https://ice-2022.reg.buzz/e1 


The post Over a Third of Parents Do Not Know What Online Accounts Their Children Use appeared first on IT Security Guru.

India’s newest commercial airline, Akasa Air, exposed personal data belonging to its customers. The company blamed these data leaks on technical configuration errors.

Ashutosh Barot, the security researcher who found the issue, said it originated in the account registration process and exposed personal information such as gender, email addresses, names and phone numbers.

The bug was identified on 7th August 2022, the same day that the airline commenced its operations in the country.

Barot wrote in a report that: “[he] found an HTTP request which gave [his] name, email, phone number, gender, etc. in JSON format. [He] immediately changed some parameters in [the] request and was able to see other user’s PII. It took around ~30 minutes to find this issue.”
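What Barot describes, changing a request parameter and receiving another customer’s record, is an object-level authorization failure. The added example below shows the vulnerable lookup beside a fixed one; it is not Akasa Air’s code, and the `customer_id` parameter name, the session shape, the `support` role and the records are all constructed for the illustration.

```python
"""Object-level authorization on a profile lookup: trusting a client-supplied
id versus deriving it from the authenticated session.

Illustrative code; the parameter name, role name and records are made up.
"""
from typing import Optional

# Constructed sample records keyed by customer id.
PROFILES = {
    1001: {"name": "A. Sharma", "email": "a.sharma@example.invalid",
           "phone": "+91 90000 00001", "gender": "F"},
    1002: {"name": "R. Mehta", "email": "r.mehta@example.invalid",
           "phone": "+91 90000 00002", "gender": "M"},
}


def vulnerable_profile(session: dict, params: dict) -> Optional[dict]:
    """Returns whatever record the client asks for. The session is never
    consulted, so swapping customer_id in the request leaks other users' PII."""
    return PROFILES.get(int(params["customer_id"]))


def hardened_profile(session: dict, params: dict) -> Optional[dict]:
    """Serves the caller's own record unless the session carries the
    (assumed) 'support' role. A denied lookup returns None rather than a
    distinct error, so the endpoint cannot be used to enumerate valid ids."""
    requested = int(params.get("customer_id", session["customer_id"]))
    if requested != session["customer_id"] and "support" not in session.get("roles", ()):
        return None
    return PROFILES.get(requested)


if __name__ == "__main__":
    victim = {"customer_id": 1001, "roles": ()}
    print(vulnerable_profile(victim, {"customer_id": "1002"}))   # someone else's PII
    print(hardened_profile(victim, {"customer_id": "1002"}))     # None
```

Denied cross-account requests are also worth logging with the session id and the requested id: a single account walking sequential ids is the signature of exactly this kind of probing.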

Once the company received the report, it temporarily shut down parts of its system to add security guardrails. The low-budget airline also reported the incident to the Indian Computer Emergency Response Team (CERT-In).

Akasa Air emphasised that no payment or travel-related details were left accessible. There is also no evidence that the glitch was exploited in the wild whilst exposed.

The airline said that it has notified affected users directly, although the scale of the leak remains unclear. Akasa Air added that it “advised users to be conscious of possible phishing attempts.”


The post Akasa Air Suffers Data Leak on First Day of Operation appeared first on IT Security Guru.

According to the Mid-Year Cyberthreat Report, published on August 24th, by Acronis, a Switzerland-based cybersecurity company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

Stolen credentials are typically used to launch ransomware attacks, which, according to the report, “continue to be the number one threat to large and medium-sized businesses, including government organizations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% of the emails were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Cybercriminals are also targeting unpatched software vulnerabilities to extract data, with a recent increase in attacks on Linux systems and on managed service providers (MSPs) and their networks of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

“Ransomware is worsening, even more so than we predicted,” warns the cybersecurity firm. Conti and Lapsus gangs are the prime targets for international security services. It is expected that global ransomware damages will exceed $30bn by 2023.

The report stated: “Increasing complexity in IT continues to lead to breaches and compromises highlighting the need for more holistic approaches to cyber-protection. […] The current cybersecurity threat landscape requires a multi-layered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities all in one place.”

The post Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials appeared first on IT Security Guru.

The EU’s Justice and Home Affairs Agencies’ Network (JHAAN) has released new details of its continued work to monitor and contain cyber-threats since Russia’s invasion of Ukraine.

A recently published paper, Contributing to the EU’s Solidarity with Ukraine, outlines the work of nine EU agencies in this area.

The list includes the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA). It has been helping member states improve cyber-monitoring and protection of their border management systems since the beginning of the invasion.

Another agency covered in the report is the European Union Agency for Law Enforcement Training (CEPOL). Its capacity-building TOPCOP project has been supporting Moldova in the areas of cyber-investigations using OSINT tools, ATM hacking and the dark web.

The reports help to inform the European Commission policy-makers regarding cyber-threat levels across large scale IT systems.

The document states: “eu-LISA has been vigilantly monitoring cyber-threats to the central systems managed by the agency: the Schengen Information System (SIS), the Visa Information System (VIS) and Eurodac. Permanent monitoring is ongoing and pertinent information is communicated to relevant parties.”

Europol has played an active role in the space, via its European Cybercrime Centre (EC3) and Financial and Economic Crime Centre. Reportedly, they are:

  • Actively engaging with Ukrainian law enforcement through a Europol Ukrainian liaison officer
  • Following a Law Enforcement Response Protocol (LE ERP) for major cross-body cyber-attacks
  • Carrying out enhanced monitoring of cyber-threats through continuous contact with member states, open source monitoring, and the Cybercrime Action Taskforce (J-CAT).

Many of these coordinated activities appear to be deterring both potential state-based threats and organised crime groups attempting to capitalise on the war.


The post EU Report Outlines Cyber Response to Ukraine Invasion appeared first on IT Security Guru.

According to a new study by BlueVoyant, the percentage of media companies susceptible to compromise is double the figure across all other sectors.

The vendor performed a cybersecurity posture analysis on 485 organisations from the media industry. The findings were compiled in its Media Industry Cybersecurity Challenges report.

Prompt patching appears to be a challenge for media companies, with 60% of identified systems still unprotected six weeks after a patch was released.

30% of the media companies analysed are exposed to compromise via vulnerabilities in their internet-facing, publicly accessible footprints. Exploitation of these vulnerabilities could lead to serious problems, such as operational disruption and/or content theft.

Another challenge for the sector is the complexity of supply chains, according to the report.

50% of the top vendors providing content management solutions to the media industry were also found to have vulnerabilities in their products.

Dan Vasile, BlueVoyant’s Vice President of Strategic Development and Former Vice President of Information Security at Paramount, added “the digital supply chain is a common attack vector not only for the media, but all industries.”

“In order to improve their cyber-defence posture, media companies should continuously monitor their extended vendor ecosystem, using analysis to prioritize mitigation of the most critical findings.”

To improve supply-chain security, the vendor recommended that media companies scrutinise their vendors, monitor the supply chain continually and, where available, use dedicated platforms to track vendors and their vulnerabilities.

The post Media Companies Found Most Susceptible to Compromise appeared first on IT Security Guru.

Budget Android devices sold as counterfeits of popular smartphone brands have been found to contain hidden trojans targeting the WhatsApp and WhatsApp Business messaging apps.

Doctor Web first came across the malware in July 2022. It was discovered in the system partition of at least four different smartphones: radmi note 8, P48pro, Note30u, and Mate40.

The cybersecurity firm published a report earlier this week. It stated: “These incidents are united by the fact that the attacked devices were copycats of famous brand-name models.”

“Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version.”

The tampering concerns two files, “/system/lib/libcutils.so” and “/system/lib/libmtd.so”, that are modified specifically so that when the libcutils.so system library is used by any app, it triggers the execution of a trojan incorporated in libmtd.so.

If the apps using said libraries are WhatsApp or WhatsApp Business, libmtd.so proceeds to launch a third backdoor which downloads and installs additional plugins from a remote server onto the compromised devices.
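A clean build of libcutils.so has no reason to reference libmtd.so, so one concrete check for the tampering described above is to read a pulled copy of the library’s ELF dynamic section and compare its DT_NEEDED entries with a known-good list. The code below is an added example, not Doctor Web’s; the baseline dependency set is an assumption (take the real one from a trusted image of the same model), and the sample library is constructed in the file so the check runs without a device.

```python
"""List the shared libraries an ELF shared object links against (DT_NEEDED)
and flag any outside a known-good baseline. No external tools required.

Illustrative code. LIBCUTILS_BASELINE is assumed; the sample ELF is built
in build_sample_library() as test data and is not a real Android library.
"""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def needed_libraries(elf: bytes) -> list:
    """Return DT_NEEDED names from an ELF32 or ELF64 file, either endianness."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"

    loads, dynamic = [], None
    for i in range(e_phnum):
        f = struct.unpack_from(phdr_fmt, elf, e_phoff + i * e_phentsize)
        # Elf64_Phdr places p_flags second; normalise to (type, offset, vaddr, filesz).
        p_type, p_offset, p_vaddr, p_filesz = (
            (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4]))
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                           # no dynamic section: nothing linked

    def file_offset(vaddr):
        """Map a virtual address to a file offset via the PT_LOAD segments."""
        for seg_vaddr, seg_offset, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return seg_offset + (vaddr - seg_vaddr)
        raise ValueError("address 0x%x not in any PT_LOAD segment" % vaddr)

    dyn_off, dyn_len = dynamic
    step = struct.calcsize(dyn_fmt)
    needed, strtab_vaddr = [], None
    for pos in range(dyn_off, dyn_off + dyn_len, step):
        tag, val = struct.unpack_from(dyn_fmt, elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)              # offset into the dynamic string table
        elif tag == DT_STRTAB:
            strtab_vaddr = val
    if strtab_vaddr is None:
        return []
    strtab = file_offset(strtab_vaddr)
    return [elf[strtab + off:elf.index(b"\0", strtab + off)].decode() for off in needed]


def unexpected_dependencies(elf: bytes, baseline: set) -> list:
    """Linked libraries that a clean build of this library should not have."""
    return sorted(set(needed_libraries(elf)) - baseline)


# Assumed known-good dependencies of /system/lib/libcutils.so for the build
# under test; replace with the list from a trusted firmware image.
LIBCUTILS_BASELINE = {"libc.so", "liblog.so", "libdl.so", "libm.so"}


def build_sample_library(needed: list) -> bytes:
    """Construct a minimal little-endian ELF32 shared object (test data only)."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    ehsize, phentsize, phnum = 52, 32, 2
    dyn_off = ehsize + phentsize * phnum
    dyn_len = (len(needed) + 2) * 8
    strtab_off = dyn_off + dyn_len
    total = strtab_off + len(strtab)
    header = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 +
              struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, phnum, 0, 0, 0))
    phdrs = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, total, total, 5, 4)
    phdrs += struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, dyn_off, dyn_off,
                         dyn_len, dyn_len, 6, 4)
    dyn = struct.pack("<iI", DT_STRTAB, strtab_off)
    for off in offsets:
        dyn += struct.pack("<iI", DT_NEEDED, off)
    dyn += struct.pack("<iI", DT_NULL, 0)
    return header + phdrs + dyn + strtab


if __name__ == "__main__":
    # On a device: adb pull /system/lib/libcutils.so, then pass its bytes here.
    tampered = build_sample_library(["libc.so", "liblog.so", "libmtd.so"])
    print(unexpected_dependencies(tampered, LIBCUTILS_BASELINE))
```

This catches a link-time dependency only. A patched libcutils.so could instead reach libmtd.so through dlopen() at runtime, so pair the check with a hash comparison against the same library from a trusted image and a search of the binary for the string “libmtd.so”.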

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps.”

“As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules,” the researchers added.

Conversely, if the app using the libraries turns out to be wpa_supplicant (the system daemon that manages network connections), libmtd.so is configured to start a local server which allows connections from a remote or local client via the “mysh” console.

The cybersecurity specialists theorised that the system partition implants could be part of the FakeUpdates (or SocGholish, as it is sometimes known) malware family, based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates.

The malicious app is engineered to exfiltrate detailed metadata about the infected device. It also downloads and installs other software without user knowledge via Lua scripts.

It is recommended that users purchase mobile devices from official stores and legitimate distributors to reduce these risks.



The post Counterfeit Phones Found to Contain Backdoor to Hack WhatsApp appeared first on IT Security Guru.

General Bytes, the Bitcoin ATM manufacturer, confirmed that it was the victim of a cyberattack that exploited a previously unknown flaw in its software to steal cryptocurrency from its users.

The company issued an advisory last week. It stated: “The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user. This vulnerability has been present in CAS software since version 2020-12-08.”

It is not yet clear how many servers were breached using this flaw and how much cryptocurrency was plundered.

CAS is short for Crypto Application Server, which is a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM (BATM) machines from a central location via a browser on a desktop or a mobile device.

The zero-day flaw, which concerned a bug in the CAS admin interface, has been patched in two new releases, 20220531.38 and 20220725.22.

General Bytes said the unnamed threat actor identified servers running CAS services on ports 443 and 7777 by scanning the DigitalOcean cloud hosting IP address space, then abused the flaw to add a new default admin user named “gb” to the CAS.
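The flaw class in the advisory, a first-run “create the first administrator” action that keeps answering after installation is finished and needs no authentication, is shown below in miniature, beside a version that closes once setup is done. This is an added example, not General Bytes’ code: the handler names, request fields and the one-time install token are assumptions, and the advisory does not describe how CAS itself implements the page.

```python
"""An install-page 'create first admin' action that stays reachable forever,
next to one gated on setup state, a one-time install token, and auth.

Illustrative code; route shape, field names and the install token are assumed.
"""
import hashlib
import hmac
import os
import secrets


class AdminStore:
    """In-memory admin accounts with salted PBKDF2 password hashes."""

    def __init__(self):
        self.admins = {}                     # username -> (salt, digest)
        self.setup_complete = False
        # Assumed control: a one-time token shown only on the installer's console.
        self.install_token = secrets.token_urlsafe(32)

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.admins[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        if username not in self.admins:
            return False
        salt, digest = self.admins[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


def vulnerable_create_first_admin(store: AdminStore, request: dict) -> int:
    """No state check, no authentication: anyone who can reach the URL can add
    an administrator at any time, long after the real first admin exists."""
    store.add(request["username"], request["password"])
    return 200


def hardened_create_first_admin(store: AdminStore, request: dict) -> int:
    """Valid only while no admin exists, and only with the install token."""
    if store.setup_complete or store.admins:
        return 403                           # setup already done: route is closed
    if not hmac.compare_digest(request.get("install_token", ""), store.install_token):
        return 403
    store.add(request["username"], request["password"])
    store.setup_complete = True
    return 201


def hardened_create_admin(store: AdminStore, request: dict, auth: dict) -> int:
    """After setup, adding an admin requires an authenticated existing admin."""
    if not store.verify(auth.get("username", ""), auth.get("password", "")):
        return 401
    store.add(request["username"], request["password"])
    return 201


if __name__ == "__main__":
    store = AdminStore()
    print(hardened_create_first_admin(store, {"username": "operator", "password": "s3cret",
                                              "install_token": store.install_token}))  # 201
    print(hardened_create_first_admin(store, {"username": "gb", "password": "x",
                                              "install_token": store.install_token}))  # 403
```

The state check is the essential part; the token defends the short window before the first admin exists. Neither substitutes for keeping the administrative interface off the public internet: the advisory’s attacker found targets by scanning a cloud provider’s address space for ports 443 and 7777, which only works when the interface is reachable from anywhere.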

“The attacker modified the crypto settings of two-way machines with his wallet settings and the ‘invalid payment address’ setting,” it said. “Two-way ATMs started to forward coins to the attacker’s wallet when customers sent coins to [the] ATM.”

The goal of the attack was to modify the settings so that all funds would be transferred to a digital wallet address under the adversary’s control.


The post General Bytes Suffer Cyberattack appeared first on IT Security Guru.