Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple’s geolocation system.
Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.
How Apple Exposes Global APs
Have you ever wondered how your phone knows where it is in the world?
The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task.
That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).
Ensuring the security of your organization’s information systems is crucial in today’s digital landscape.
Access Control is a fundamental aspect of cybersecurity that safeguards sensitive data and protects against unauthorized access. To assist you in establishing robust access control measures, we are pleased to offer a comprehensive Access Control Policy Template, available for download.
What does the Access Control Policy template include?
Our Access Control Policy template is designed to provide a clear, structured framework for managing access to your organization’s information systems.
Here are some of the key components included in the template:
Document Control;
Purpose and Scope;
Policy Statement;
Roles & Responsibilities;
Access Control Principles;
Access Control Measures;
Access Control Technologies;
Monitoring and Auditing;
Incident Management;
Policy Compliance;
Policy Review.
Benefits of using our Access Control Policy template
Implementing an effective access control policy offers several key benefits:
Enhanced security: Protects sensitive data and systems from unauthorized access and potential breaches.
Regulatory compliance: Helps ensure compliance with relevant regulations and standards.
Operational efficiency: Clearly defined roles and responsibilities streamline access management processes.
Risk mitigation: Regular monitoring and auditing identify and address vulnerabilities proactively.
To take advantage of our comprehensive Access Control Policy Template, simply click on the links at the top of the article to download them. The download will start automatically.
You can then customize the template to fit the specific needs and context of your organization.
By doing so, you’ll be taking a significant step towards securing your information systems and safeguarding your valuable data.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company’s social media channels. Her contributions amplify the brand’s voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
A critical vulnerability in Facebook could have allowed threat actors to hijack any Facebook account, researcher warns.
Meta addressed a critical Facebook vulnerability that could have allowed attackers to take control of any account.
The Nepalese researcher Samip Aryal described the flaw as a rate-limiting issue in a specific endpoint of Facebook’s password reset flow. An attacker could have exploited the flaw to take over any Facebook account by brute-forcing a particular type of nonce.
Meta awarded the researcher for reporting the security issue as part of Facebook’s bug bounty program.
The researcher discovered that the issue affects Facebook’s password reset procedure when the user selects “Send Code via Facebook Notification.”
Analyzing the vulnerable endpoint, the researcher found that three conditions opened the door to a brute-force attack:
The nonce sent to the user is active for longer than I expected (≈ 2 hrs)
The same nonce code was sent every time for the period.
I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality).
Choosing the option “Send Code via Facebook Notification” sends a POST request to:
POST /ajax/recover/initiate/ HTTP/1.1
with the parameter recover_method=send_push_to_session_login
The researcher then submitted the 6-digit code ‘000000’ to analyze the POST request sent to the vulnerable endpoint:
POST /recover/code/rm=send_push_to_session_login&spc=0&fl=default_recover&wsr=0 HTTP/1.1
where the “n” parameter holds the nonce.
At this stage, bruteforcing this 6-digit value had become a trivial task for the expert.
“there was no rate limiting on this endpoint, thus the matching code was responded back with a 302 status code. Use this code to log in/reset the FB account password for the user account.” reads the analysis published by Aryal.
The researcher noticed that upon exploiting this vulnerability, Facebook would notify the targeted user. The notification would either display the six-digit code directly or prompt the user to tap the notification to reveal the code.
The researcher reported the flaw to Meta on January 30, 2024, and the company addressed the issue on February 2, 2024. The vulnerability had a huge impact: Meta recognized it as a zero-click account takeover exploit. Aryal is currently ranked first in Facebook’s Hall of Fame 2024.
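The three conditions the researcher listed (a nonce that stays valid for about two hours, the same nonce re-sent for that whole window, no invalidation after repeated wrong guesses, and no rate limiting) are all server-side policy choices. The following is an added illustration, not code from the researcher's write-up or from Facebook, of a reset-code verifier that closes each of them: a short validity window, a fresh code on every issuance, a per-account attempt counter that burns the code after a few wrong guesses, a per-account throttle, and single-use consumption. The class and policy names, limits, and the account identifier are all assumptions chosen for the example.

```python
"""Defender-side model of a password-reset code endpoint (added example).

Assumed policy values (not from any real service): 5-minute TTL, 5 wrong
guesses before the code is burned, 1 second minimum between guesses.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ResetCodePolicy:
    ttl_seconds: int = 300              # short validity window, not hours
    max_attempts: int = 5               # wrong guesses before the code is burned
    min_interval_seconds: float = 1.0   # per-account throttle between guesses


@dataclass
class _IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    last_attempt_at: Optional[float] = None


class ResetCodeVerifier:
    def __init__(self, policy: Optional[ResetCodePolicy] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy or ResetCodePolicy()
        self.clock = clock                      # injectable for deterministic tests
        self._codes: Dict[str, _IssuedCode] = {}

    def issue(self, account_id: str) -> str:
        """Mint a fresh random 6-digit code; any earlier code for the account is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account_id] = _IssuedCode(code=code, issued_at=self.clock())
        return code

    def verify(self, account_id: str, candidate: str) -> str:
        """Return 'ok', 'bad_code', 'expired', 'locked', 'throttled' or 'no_code'."""
        entry = self._codes.get(account_id)
        if entry is None:
            return "no_code"
        now = self.clock()
        if now - entry.issued_at > self.policy.ttl_seconds:
            del self._codes[account_id]
            return "expired"
        if (entry.last_attempt_at is not None
                and now - entry.last_attempt_at < self.policy.min_interval_seconds):
            return "throttled"              # counted neither as success nor failure
        entry.last_attempt_at = now
        entry.attempts += 1
        if hmac.compare_digest(entry.code, candidate):
            del self._codes[account_id]     # single use: a replay gets 'no_code'
            return "ok"
        if entry.attempts >= self.policy.max_attempts:
            del self._codes[account_id]     # burn the code; user must request a new one
            return "locked"
        return "bad_code"


def simulate() -> Dict[str, str]:
    """Walk the verifier through the cases the policy covers, using a fake clock."""
    t = [1000.0]
    v = ResetCodeVerifier(ResetCodePolicy(), clock=lambda: t[0])
    acct = "user@example.invalid"          # constructed account id
    out: Dict[str, str] = {}

    code = v.issue(acct)
    out["correct_first_try"] = v.verify(acct, code)       # ok
    out["replay_after_success"] = v.verify(acct, code)    # no_code

    code = v.issue(acct)
    wrong = "000000" if code != "000000" else "000001"
    t[0] += 1
    out["first_wrong"] = v.verify(acct, wrong)            # bad_code
    out["immediate_retry"] = v.verify(acct, wrong)        # throttled
    for _ in range(3):                                    # attempts 2, 3, 4
        t[0] += 1
        v.verify(acct, wrong)
    t[0] += 1
    out["fifth_wrong"] = v.verify(acct, wrong)            # locked
    out["correct_after_lockout"] = v.verify(acct, code)   # no_code

    code = v.issue(acct)
    t[0] += 301
    out["after_ttl"] = v.verify(acct, code)               # expired
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:24s} {result}")
```

The comparison uses hmac.compare_digest so the check is constant-time, the throttle is applied before the attempt counter so a burst of guesses cannot exhaust the window faster than the policy allows, and every exit path that ends a code's life deletes it rather than flagging it, which keeps the success path from ever seeing a stale entry.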
China-backed hackers have had access to some major U.S. critical infrastructure for “at least five years,” according to an intelligence advisory released Wednesday.
Why it matters: The hacking campaign laid out in the report marks a sharp escalation in China’s willingness to seize U.S. infrastructure — going beyond the typical effort to steal state secrets.
The advisory provides the fullest picture to-date of how a key China hacking group has gained and maintained access to some U.S. critical infrastructure.
Details: The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China’s ongoing hacking interests.
According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country.
The group has relied heavily on stolen administrator credentials to maintain access to the systems — and in some cases it has maintained access for “at least five years,” per the advisory.
Volt Typhoon has been seen controlling some victims’ surveillance camera systems, and its access could have allowed the group to disrupt critical energy and water controls.
Of note: Volt Typhoon uses so-called “living off the land” techniques that limit any trace of their activities on a network — making the actors more difficult to detect.
CNN first reported details from the advisory earlier today.
Between the lines: U.S. officials are increasingly worried China will launch destructive cyberattacks either during or in the lead up to a possible Chinese invasion of Taiwan.
Authorities in Canada, Australia and New Zealand contributed to today’s advisory, citing concerns that China is also targeting organizations in their countries.
Catch up quick: Intelligence officials have been ringing alarm bells about Volt Typhoon for nearly a year.
Last May, Microsoft and the U.S. government warned that Volt Typhoon had been positioning itself to launch attacks on infrastructure across the country, including water utilities and ports.
This month, officials said they had successfully thwarted Volt Typhoon’s access to these networks — but warned that the group had shown a willingness to keep looking for new ways in.
The big picture: U.S. critical infrastructure is riddled with security problems, including poor password management and a lack of procedures to install security updates.
Some critical infrastructure, including water systems, lacks the funds to hire security personnel or upgrade equipment.
Government attempts to require basic cybersecurity audits have also hit legal hurdles.
Be smart: U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track for any suspicious user behavior.
Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access
Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.
This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable.
Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach.
Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.
With this approach, enterprises can now protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:
Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.
This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.
It was recently reported that Chinese researchers had made a breakthrough in the field of quantum computing: a quantum computer with around the same power as what will soon be available to the general public has been designed to break the RSA public-key encryption system.
The breaking of 2048-bit RSA encryption would have a major impact on the security of the system.
Basically, what Chinese experts are looking for is a method of finding the secret prime numbers that underpin the algorithm in a consistent and quick manner.
There is no doubt that the RSA algorithm itself has been largely replaced by others in consumer-facing protocols like:
Transport Layer Security
Older enterprise
Operational technology software
Code-signing certificates
Researchers stated that breaking the widely used RSA-2048 algorithm is possible using a “universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is O(logN/loglogN), which is sublinear in the bit length of the integer N, making it the most qubit-saving factorization algorithm to date.”
Chinese Researchers Claim
There is a possibility that malicious adversaries could generate these signing keys or decrypt messages that are protected by RSA encryption. If they managed to generate these keys or decrypt the messages, they could also observe internet traffic as well.
Some of these attacks have even been known to pass off malicious code as genuine software updates, which would allow them to seize control of third-party devices by posing as legitimate updates.
There are several key components that pose a significant threat to traditional cryptography that are raised by quantum computing.
It is claimed that a 372-qubit quantum computer can be utilized to break the 2048-bit algorithm. Although there are some caveats to this statement, it is still worth noting.
To test their hypothesis, the researchers only had a 10-qubit device to experiment on, and they were unable to demonstrate the method on anything larger than 48 bits.
The findings of the study have been questioned by many experts. The paper was published by the authors on the preprint service ArXiv without any meaningful peer review.
Many consider peer review the minimum acceptable standard for evaluating a research paper’s scientific merit and an essential part of the scientific process.
A computer security expert named Bruce Schneier said in a paper published in October that there was still much to be decided about whether the technique can be applied in a real-world setting.
There are several prestigious universities in China that the authors are affiliated with. Schneier argued that even if the claims of the research are proven untrue, they point to a race between researchers to develop a way to break encryption in the near future using quantum computing.
“We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain system. Such a scale of quantum resources is most likely to be achieved on NISQ devices in the near future,” the researchers stated.
A vulnerability scanning tool is one of the essential tools in an IT department, since new vulnerabilities appear every day and each one leaves a loophole into the organization.
Vulnerability scanning tools help detect security loopholes in applications, operating systems, hardware, and network systems.
Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.
What does a Vulnerability Scanner do?
Vulnerability scanners are the right way to do this: with their continuous and automated scanning procedures, they can scan the network for potential loopholes.
Whether the weakness is on an internet-facing system or on any internal device, they help IT departments identify the vulnerability and fix it, either manually or automatically.
Vulnerability scanning tools have two different approaches for performing their routines: authenticated and unauthenticated scans.
In the latter case, a penetration tester runs the scan the way an outside attacker would, without trusted access to the corporate network.
What are the Three types of Vulnerability Scanners?
This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.
Following are the types of vulnerability scanners:
Discovery Scanning
Full Scanning
Compliance Scanning
What is an example of a Vulnerability Scanner?
The best web vulnerability scanner on the market should let you perform both authenticated and unauthenticated scans to eliminate network vulnerabilities, alongside the other related online vulnerability scanners.
In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.
Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.
As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:
Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough to be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA systems typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.
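The first point, that a password manager matches the whole URL rather than anything that merely looks right, is the part that actually defeats a lookalike phishing site. The following is an added illustration of that matching rule, not code from Naked Security or from any password manager: a saved credential is bound to the exact origin (scheme, host and port) of the page it was created on, and autofill is offered only when the current page’s origin is identical. A deliberately naive host-substring check is shown beside it to make clear why lookalike hosts get past the naive rule and not the strict one. The sample URLs, including the lookalike and Cyrillic-homoglyph hosts, are constructed for the example; real managers differ in detail (some also accept any host under the same registrable domain), so the strict-origin rule here is an assumption.

```python
"""Origin matching as a password manager does it (added example).

The strict rule binds a saved login to scheme + host + port and fills only
on an identical origin.  The naive rule, shown for contrast, is the mistake
a lookalike host exploits.
"""
from typing import Dict, List
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its origin string 'scheme://host:port'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    # urlsplit lowercases the host; IDNA-encode so a Unicode host and its
    # punycode form compare equal, and a homoglyph host compares unequal.
    host = parts.hostname.encode("idna").decode("ascii")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{host}:{port}"


def autofill_allowed(saved_url: str, current_url: str) -> bool:
    """Strict rule: fill only when the origins are identical."""
    return origin_of(saved_url) == origin_of(current_url)


def naive_autofill_allowed(saved_url: str, current_url: str) -> bool:
    """The mistake to avoid: a substring test on the host name."""
    saved_host = urlsplit(saved_url).hostname or ""
    current_host = urlsplit(current_url).hostname or ""
    return saved_host in current_host


def compare_rules(saved_url: str, candidates: List[str]) -> Dict[str, Dict[str, bool]]:
    """Evaluate both rules over a list of candidate page URLs."""
    return {
        url: {"strict": autofill_allowed(saved_url, url),
              "naive": naive_autofill_allowed(saved_url, url)}
        for url in candidates
    }


# Constructed sample: the login page a credential was saved on, and pages
# later visited.  The last entry uses a Cyrillic 'а' (U+0430) in place of the
# Latin 'a', a classic homoglyph lookalike.
SAVED = "https://www.facebook.com/login/"
VISITED = [
    "https://www.facebook.com/checkpoint/",          # same origin, other path
    "https://WWW.FACEBOOK.COM/",                     # case differs only
    "https://www.facebook.com.evil.example/login/",  # lookalike: real host is evil.example
    "http://www.facebook.com/login/",                # scheme downgrade
    "https://www.facebook.com:8443/login/",          # different port
    "https://www.faceb00k.com/login/",               # digit-for-letter lookalike
    "https://www.f\u0430cebook.com/login/",          # homoglyph lookalike
]

if __name__ == "__main__":
    for url, verdict in compare_rules(SAVED, VISITED).items():
        print(f"{'FILL' if verdict['strict'] else 'hold':4s}  "
              f"naive={'FILL' if verdict['naive'] else 'hold':4s}  {url}")
```

Only the first two candidates are the same origin, and only those get a fill under the strict rule; the naive substring rule also fills on the `facebook.com.evil.example` host, which is exactly the failure mode a phishing site is built to trigger.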
Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…
…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.
Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.
This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.
Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.
The short but winding road
Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.
The scammers:
Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could lead to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:
Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.
There are two models of the FLEXLAN FXA2000 and FXA3000 series from CONTEC which are primarily used in airplane installations as WiFi access points.
As a result, these devices offer extremely high-speed connectivity during flight trips for the following purposes:
The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.
The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.
That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.
“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.
The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.
For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).
In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.
Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.
“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”
Time to Rethink IAM?
On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.
“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”
The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.
“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.
Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.
Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.
Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.
“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.
The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that steals browser cookies and abuses authenticated Facebook sessions to extract information from the victim’s Facebook account.
The end goal is to hijack Facebook Business accounts managed by the victims.
The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers contacted the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.
WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.
The use of .Net Core allows the attackers to embed Telegram.Bot client as well as any other external dependencies into a single executable and use Telegram channels as Command and Control (C&C).
“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.
In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.
The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation.
Once they have obtained the above data, the attackers can access the victim’s personal account, hijack it by adding an email address retrieved from the Telegram channel, and grant themselves Admin and Finance editor access.
“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.
Countries affected by the DUCKTAIL samples analyzed by the experts include the US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.
“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”
Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.
The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.
Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.
ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.
According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.
Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.
Security issues in the binding phase can allow an attacker to extract part of the identifier shared between the receiver and transmitter. Analysis of this part, combined with a brute-force attack, can reveal the remaining part of the identifier. Once attackers have obtained the complete identifier, they can take over the craft containing the receiver using a transmitter, with no knowledge of the binding phrase. This attack scenario is feasible entirely in software using standard ExpressLRS compatible hardware.
“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”
The binding phrase used by the ExpressLRS protocol is hashed with MD5, a hashing algorithm that is known to be cryptographically broken.
The experts observed that the “sync packets” that are exchanged between transmitter and receiver at regular intervals for synchronizing purposes leak a major part of the binding phrase’s unique identifier (UID). An attacker can determine the remaining part via brute-force attacks or by observing packets over the air without brute-forcing the sequences.
“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.
The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefore gives 75% of the bytes required to take over the link.
The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.
The third weakness occurs in the FHSS sequence generation.
“Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.”
The advisory recommends avoiding sending the UID over the control link: the data used to generate the FHSS sequence should not be sent over the air. It also recommends improving the random number generator, either by using a more secure algorithm or by adjusting the existing algorithm to work around the repeated sequences.
Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.
Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.
A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.
According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.
GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive device. The researchers demonstrated how to inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen. These events allowed the researchers to control the devices (i.e. answering an eavesdropping phone call, pressing a button, swiping up to unlock); the attack technique was successful on nine smartphone models.
“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”
The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector is used to inject touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The phone locator is used to identify the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.
The experimental lab setup built by the researchers is composed of an electrostatic gun that generates a strong pulse signal, which is fed to an antenna that transmits an electromagnetic field to the touchscreen.
The experts tested the technique against nine different smartphone models, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).
“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop the private conversation, or visit a malicious website.”
The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.
Researchers warn of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums.
Cybersecurity researchers from BlackBerry are warning of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums. The DCRat backdoor is very cheap, and it appears to be the work of a lone threat actor who goes by the monikers “boldenis44,” “crystalcoder,” and Кодер (“Coder”). Prices for the backdoor start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.
“Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.” reads the report published by BlackBerry.
The author implemented an effective piece of malware and continues to maintain it efficiently. The researchers pointed out that the price of this malware is a fraction of the standard price of such a RAT on Russian underground forums.
DCRat first appeared in the threat landscape in 2018, but a year later it was redesigned and relaunched.
DCRat is written in .NET and has a modular structure; affiliates can develop their own plugins using a dedicated integrated development environment (IDE) called DCRat Studio.
The modular architecture of the malware allows operators to extend its functionality for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.
The DCRat consists of three components:
A stealer/client executable
A single PHP page, serving as the command-and-control (C2) endpoint/interface
An administrator tool
“All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz.guru, which also handles some of the DCRat pre-sales queries. DCRat support topics are made available here to the wider public, while the main DCRat offering thread is restricted to registered users only.” continues the report.
The malware is under active development; the author announces news and updates through a dedicated Telegram channel that had approximately 3k subscribers.
During recent months, the researchers often observed DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system).
DCRat also implements a kill switch, which would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity.
The Administrator tool allows subscribers to sign in to an active C2 server, configure (and generate) builds of the DCRat client executable, and execute commands on infected systems.
Experts concluded that the RAT is maintained daily, which means that the author is working on this project full-time.
“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.” concludes the report that also includes Indicators of Compromise (IoCs). “While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”
The ImControllerService service of Lenovo laptops is affected by a privilege elevation bug that can allow attackers to execute commands with admin privileges.
Lenovo laptops, including the ThinkPad and Yoga families, are affected by privilege elevation issues that reside in the ImControllerService service and allow attackers to execute commands with admin privileges.
The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, are a race condition vulnerability and a Time of Check Time of Use (TOCTOU) vulnerability respectively.
The flaws affect the ImControllerService service (“System Interface Foundation Service”) of all Lenovo System Interface Foundation versions below 1.1.20.3.
The Lenovo System Interface Foundation Service provides interfaces for multiple features, including system power management, system optimization, and driver and application updates; for this reason it is not recommended to disable it.
The vulnerability was reported to Lenovo by researchers at NCC Group on October 29, 2021, and the vendor addressed it with the release of security updates on November 17, 2021. This week the company publicly disclosed the vulnerability.
“The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage.” reads the advisory published by the company.
“CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process’ named pipe.
CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.”
According to NCC Group, the ImController service comes installed on certain Lenovo devices; it runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks.
An attacker can exploit the vulnerabilities to elevate their privileges to SYSTEM and take over the vulnerable device.
The vulnerability resides in the way the ImControllerService handles the execution of highly privileged child processes which allows an unprivileged attacker with local access to the system to elevate their privileges.
The vulnerable component periodically starts child processes to perform tasks, and each of them opens a named pipe server to which any user on the system can connect.
“The parent process establishes a connection to the child’s server as soon as possible in order to send XML serialised commands over the named pipe. The child does not validate the source of the connection and parses the XML serialized commands. One of the commands that the parent process can send instructs the child to load a ‘plugin’ from an arbitrary location on the filesystem. The child process validates the digital signature of the plugin DLL file before loading the file into its address space and yielding execution to it.” reads the post published by NCC Group. “Successful exploitation of two vulnerabilities is required to get the child to load a payload of the attacker’s choosing.”
The researchers noticed that the child process does not validate the source of the connection; this means that, once the race condition has been won using high-performance filesystem synchronization routines, the child will begin accepting commands from the attacker.
NCC Group researchers developed a proof of concept code that never failed to connect to the named pipe before the parent service could do so.
The second issue, the time-of-check to time-of-use (TOCTOU) vulnerability, is exploited to stall the loading process and replace the validated plugin with a malicious DLL file. The DLL is executed with high privileges.
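The plugin-loading race NCC Group describes, as an added illustration that is not Lenovo's or NCC Group's code: a Python stand-in in which a SHA-256 allow-list plays the role of the DLL signature check, a callback plays the role of the file swap inside the race window, and the hardened loader validates and loads the same bytes it read once instead of re-opening the path (all names and data are constructed).

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the signed plugin DLL and its signature check:
# a plugin counts as "validly signed" when its SHA-256 is on an allow-list.
TRUSTED_PLUGIN = b"plugin: trusted code"
UNTRUSTED_PLUGIN = b"plugin: attacker-controlled code"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_PLUGIN).hexdigest()}


def is_trusted(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in TRUSTED_DIGESTS


def load_plugin_vulnerable(path: str, race_window) -> bytes:
    """Check-then-use by path: validate the file by name, then re-open it to load.
    Whatever replaces the file in between (race_window) is loaded unchecked."""
    with open(path, "rb") as f:
        if not is_trusted(f.read()):
            raise PermissionError("plugin rejected")
    race_window()                   # the TOCTOU gap the advisory describes
    with open(path, "rb") as f:     # second open may yield a different file
        return f.read()


def load_plugin_hardened(path: str, race_window) -> bytes:
    """Read once, then validate and load the very bytes that were read.
    Replacing the file after that read changes neither what is checked nor what runs."""
    with open(path, "rb") as f:
        data = f.read()
    race_window()                   # same gap, now harmless
    if not is_trusted(data):
        raise PermissionError("plugin rejected")
    return data


def demo() -> tuple:
    """Constructed race: swap the file between check and use for each loader."""
    path = os.path.join(tempfile.mkdtemp(), "plugin.dll")

    def write(data: bytes) -> None:
        with open(path, "wb") as f:
            f.write(data)

    write(TRUSTED_PLUGIN)
    by_vulnerable = load_plugin_vulnerable(path, lambda: write(UNTRUSTED_PLUGIN))
    write(TRUSTED_PLUGIN)
    by_hardened = load_plugin_hardened(path, lambda: write(UNTRUSTED_PLUGIN))
    return by_vulnerable, by_hardened
```

For a native loader that can only load a DLL from a path, the equivalent of the hardened loader is to copy the file into a directory only SYSTEM can write, validate that copy, and load from there, so the attacker-writable path is never used twice.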
Experts warn of the availability in the cybercrime underground of offers for initial access to networks of players in global supply chains.
Researchers from threat intelligence firm Intel 471 published an analysis of current cybercrime underground trends online, warning that initial access brokers are offering credentials or other forms of access to shipping and logistics organizations.
These organizations provide essential services to the global supply chain in multiple industries; they operate air, ground and maritime cargo transport on several continents.
Experts believe the threat actors selling initial access to these organizations obtained the credentials by exploiting well-known vulnerabilities in remote access solutions, including Remote Desktop Protocol (RDP), VPN, Citrix, and SonicWall.
Intel 471 experts monitored activity on the Dark Web over the past few months and observed a prevalence of listings offering initial access to organizations operating in the global supply chain.
Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside of the organization.
“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”
However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.
But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.
“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”
Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.