*** The Security News Thread ***

[harrybarracuda]

I love the euphemism: "Dr. Web AV, who notified Huawei and helped them remove the identified apps from their store"

which translates to "Caught the chinky spying bastards at it and watched to make sure they removed the identified apps from their store".

A large-scale malware campaign on Huawei's AppGallery has led to approximately 9,300,000 installs of Android trojans masquerading as over 190 different apps.

The trojan is detected by Dr.Web as 'Android.Cynos.7.origin' and is a modified version of the Cynos malware designed to collect sensitive user data.

The discovery and report come from researchers at Dr. Web AV, who notified Huawei and helped them remove the identified apps from their store.

However, those who installed the apps on their devices will still have to remove them from their Android devices manually.

Trojan disguised as game apps

The threat actors hid their malware in Android apps pretending to be simulators, platformers, arcades, RTS strategy, and shooting games for Russian-speaking, Chinese, or international (English) users.

As they all offered the advertised functionality, users were unlikely to remove them if they enjoyed the game.

Over nine million Android devices infected by info-stealing trojan

[harrybarracuda]

Convicts being a bit nosey ....

A man who was forced to hand over his phone and passcode to Australian Border Force after returning to Sydney from holiday has labelled the tactic “an absolute gross violation of privacy”, as tech advocates call for transparency and stronger privacy protections for people’s devices as they enter the country.

Software developer James and his partner returned from a 10-day holiday in Fiji earlier this month and were stopped by border force officials at Sydney airport. They were taken aside, and after emptying their suitcases, an official asked them to write their phone passcodes on a piece of paper, before taking their phones into another room.

It was half an hour before their phones were returned, and they were allowed to leave. James initially posted about his ordeal on Reddit.

“We weren’t informed why they wanted to look at the phones. We were told nothing,” he told Guardian Australia.
“Who knows what they’re taking out of it? With your phone and your passcode they have everything, access to your entire email history, saved passwords, banking, Medicare, myGov. There’s just so much scope.”

James said he has no idea what officials looked at, whether a copy of any of the data was made, where it would be stored and who would have access to it.

“It’s an absolute gross violation of privacy.”

Under the Customs Act, ABF officers can force people to hand over their passcodes to allow a phone search, as part of their powers to examine people’s belongings at the border, including documents and photos on mobile phones.

A spokesperson for ABF did not respond to specific questions about James’ case, nor questions on how often the power is used or where the data is stored.

The spokesperson said people can be questioned and their phone searched “if they suspect the person may be of interest for immigration, customs, biosecurity, health, law-enforcement or national security reasons”.

“The ABF exercises these powers in order to protect the Australian community from harm and deliver upon its mission to protect Australia’s border and enable legitimate travel and trade. Information seized from passengers phones has contributed to the success of many domestic law enforcement operations targeting illegal activities,” the spokesperson said.

“If an individual refuses to comply with a request for an examination of their electronic device, they may be referred for further law enforcement action.”

Within Australia’s borders, there are more hurdles for law enforcement to access devices, including needing a warrant before people can be compelled to unlock their phones.

In 2016, Nine newspapers reported a man sued ABF after text messages were sent and then deleted from his phone by an official while they had possession of his phone at the border in 2014.

A freedom of information request in 2016 revealed the department had apologised to the man in 2015, and had determined the counter-terrorism unit officer breached ABF’s code of conduct.

Electronic Frontiers Australia chair Justin Warren said it is impossible to determine how common such searches of phones are because the department doesn’t release any data on it – unlike data on warrants obtained under other domestic surveillance laws.

“There is no transparency, and the authorities prefer it that way. Anecdotally, it seems to happen quite a lot,” Warren said, adding it showed the need for stronger privacy rights in Australia.

“This is just another example of how few rights Australians actually have. We need a Bill of Rights in Australia to prevent abuses like this, and real consequences for abuse when it happens.”

Samantha Floreani, program lead at Digital Rights Watch, agreed.

“This is a prime example of the kind of privacy violations that can occur when you don’t have fundamental human rights,” she said. “A federal charter of human rights is long overdue in Australia.

“It is completely unreasonable that people should be subject to such an invasion of privacy without so much as an explanation.”

Warren advised people flying into Australia not to have anything on their device that they don’t want authorities accessing, and to ensure their device is encrypted with a strong passcode.

“Once they take your device out of your sight, you should assume it’s completely compromised and they have a copy of everything that was on it, and act accordingly,” he said.

Warren stressed that people in such a situation should also seek legal advice.

James said the incident made him rethink what he would do next time he travels out of Australia.

“I think what I’ll just do next time is as we fly into Sydney, I’ll just press the factory reset button on the phone and when they pull me up again, I’ll be handing them a fresh clean factory reset.”

Returning travellers made to hand over phones and passcodes to Australian Border Force | Privacy | The Guardian

[harrybarracuda]

If you own one of these pitiful devices, best to get on this straight away.

Apple has announced the discovery of a serious security vulnerability for iPhones, iPads and Macs which could potentially allow attackers to take complete control of a victim's devices.

Fortunately the announcement came as Apple released a security update that would prevent the attack from taking place.

To install this security update, you can go to the Settings App, then General, then Software Updates.
The latest version of iOS and iPadOS is 15.6.1, while macOS is on 12.5.1.

According to Apple the vulnerability could have been exploited by "processing web content", meaning accessing a web page which contained malicious code.

Any attackers that knew about the vulnerability - and how to exploit it - could, by directing a victim to such a web page, be able to execute any code they wanted on the victim's device.

Usually devices restrict the kinds of code that can be run on them to users with particular levels of privileges - but this vulnerability allowed the code to be executed with kernel privilege.

What is the new serious Apple vulnerability and how do you protect yourself from it? | Science & Tech News | Sky News

[harrybarracuda]

If you're using Chrome, and are stupid enough not have updates turned on, then check for updates - and turn on automatic updates.

Google Confirms Chrome Zero-Day #5 As CVE-2022-2856 Attacks Begin

[harrybarracuda]

Netgear warns users to patch recently fixed WiFi router bug
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models.
Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability.
The impact of a successful bufferoverflow exploitation can range from crashes following denial of service to arbitrary code execution, if code execution is achieved during the attack.
Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction.
In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible."
The list of vulnerable routers and the patched firmware versions can be found in the table below.

Vulnerable Netgear router	Patched firmware version
RAX40	Firmware version 1.0.2.60
RAX35	Firmware version 1.0.2.60
R6400v2	Firmware version 1.0.4.122
R6700v3	Firmware version 1.0.4.122
R6900P	Firmware version 1.3.3.152
R7000P	Firmware version 1.3.3.152
R7000P	Firmware version 1.0.11.136
R7960P	Firmware version 1.4.4.94
R8000P	Firmware version 1.4.4.94

https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-recently-fixed-wifi-router-bug/

[harrybarracuda]

The U.S. National Security Agency (NSA) has issued guidance to help remote workers secure their home networks and defend their devices from attacks.

The guide published by the Defense Department's intelligence agency on Wednesday includes a long list of recommendations, including a short list of highlights urging teleworkers to ensure their devices and software are up to date.

Remote workers are also advised to back up their data regularly to prevent data loss and to disconnect equipment they're not using if it doesn't require an active Internet connection at all times.

To remove non-persistent malware if one of your devices gets infected, you should also reboot them frequently or schedule a restart to further minimize this risk.

"At a minimum, you should schedule weekly reboots of your routing device, smartphones, and computers. Regular reboots help to remove implants and ensure security," the NSA said.

Other best practices include using a non-privileged user account on your computer, enabling automatic updates whenever possible, and covering webcams and disabling microphones when not using them to block eavesdropping attempts via compromised devices or malware.

Use your own router and keep it updated

The NSA also recommends using a personal router that should be kept up-to-date over the standard ISP-provided modem or router, which might not receive regular security updates.

"Your router is the gateway into your home network. Without proper security and patching, it is more likely to be compromised, which can lead to the compromise of other devices on the network as well," the NSA said.

"To minimize vulnerabilities and improve security, the routing devices on your home network should be updated to the latest patches, preferably through automatic updates."

Routers should also be replaced as soon as or before they reach their end-of-life date to ensure they keep receiving security patches to address recently discovered vulnerabilities that attackers could exploit in network breach attempts.

Previously, the NSA also provided tips on securing wireless devices, voice or video communications, and IPsec Virtual Private Networks, as well as reducing location tracking risks.

"In the age of telework, your home network can be used as an access point for nation-state actors and cybercriminals to steal sensitive information. We can minimize this risk by securing our devices and networks, and through safe online behavior," NSA Cybersecurity Technical Director Neal Ziring said today.

https://www.bleepingcomputer.com/new...-home-network/

[harrybarracuda]

New Cuttlefish malware infects routers to monitor traffic for credentials

A new malware named 'Cuttlefish' has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information.

Lumen Technologies' Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins.

The malware can also perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications and possibly introducing more payloads.

Although Cuttlefish has some code that overlaps with HiatusRat, which has been previously observed in campaigns that aligned with Chinese state interests, there are no concrete links between the two, and attribution was impossible.

Black Lotus Labs says the malware has been active since at least July 2023. It is currently running an active campaign concentrated in Turkey, with a few infections elsewhere impacting satellite phone and data center services.

The method for the initial infection of the routers has yet to be determined, but it could involve exploiting known vulnerabilities or brute-forcing credentials.

Once access is gained to a router, a bash script ("s.sh") is deployed and begins collecting host-based data, including details on directory listing, running processes, and active connections.

The script downloads and executes the primary Cuttlefish payload (".timezone"), which is loaded into memory to evade detection while the downloaded file is wiped from the file system.

Black Lotus Labs reports that Cuttlefish is available in various builds supporting ARM, i386, i386_i686, i386_x64, mips32, and mips64, covering most router architectures.

Upon execution, Cuttlefish uses a packet filter to monitor all connections through the device, and when it detects specific data, it performs a particular actions based on rulesets that are regularly updated from the attacker's command and control (C2) server.

The malware passively sniffs packets searching for "credential markers" within the traffic, such as usernames, passwords, and tokens especially associated with public cloud-based services like Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.

"This caught our attention as many of these services would be used to store data otherwise found within the network," explains the Black Lotus Labs report.

"Capturing credentials in transit could allow the threat actors to copy data from cloud resourcesthat do not have the same type of logging or controls in place as traditional network perimeters."

Data matching those parameters is logged locally, and once it reaches a certain size (1048576 bytes), it is exfiltrated to the C2 using a peer-to-peer VPN (n2n) or proxy tunnel (socks_proxy) created on the device.

For traffic destined to private IP addresses, DNS requests are redirected to a specified DNS server, and HTTP requests are manipulated to redirect traffic to actor-controlled infrastructure using HTTP 302 error codes.

"We suspect this capability enables Cuttlefish to hijack internal (a.k.a. "east-west") traffic through the router, or site-to-site traffic where there is a VPN connection established between routers," explain the researchers.

"The additional function opens the door to secured resources that are not accessible via the public internet."

Cuttlefish is a serious threat to organizations worldwide as it enables attackers to bypass security measures like network segmentation and endpoint monitoring and dwell undetected in cloud environments for extended periods.

Black Lotus Labs suggests that corporate network admins eliminate weak credentials, monitor for unusual logins from residential IPs, secure traffic with TLS/SSL, inspect devices for rogue iptables or other abnormal files, and routinely reboot them.

When establishing remote connections to high-value assets, it is advisable to use certificate pinning to prevent hijacking.

For SOHO router users, it is recommended to reboot the devices regularly, apply the latest available firmware updates, change default passwords, block remote access to the management interface, and replace them when they reach end-of-life (EoL).


New Cuttlefish malware infects routers to monitor traffic for credentials

[misskit]

Me no understan. English, please.

[misskit]

I’m using Wi-Fi at the Honda dealership right now because I left my phone home. I hate doing this.