Alerts

Security researchers have demonstrated a new app-in-the-middle attack that could allow a malicious app installed on your iOS device to steal sensitive information from other apps by exploiting certain implementations of Custom URL Schemes.

By default on Apple’s iOS operating system, every app runs inside a sandbox of its own, which prevents apps installed on the same device from accessing each other’s data.

However, Apple offers some methods that facilitate sending and receiving very limited data between applications.

One such mechanism is the URL Scheme, also known as Deep Linking, which allows developers to let users launch their apps through URLs such as facetime://, whatsapp:// or fb-messenger://.

For example, when you tap “Sign in with Facebook” within an e-commerce app, it directly launches the Facebook app installed on your device and automatically processes the authentication.

In the background, that e-commerce app actually triggers the URL Scheme for the Facebook app (fb://) and passes some context information required to process your login.

Researchers at Trend Micro noticed that since Apple does not explicitly define which app can use which keywords for its Custom URL Scheme, multiple apps on an iOS device can register the same URL Scheme, so a URL intended for one app could trigger a completely different app and pass it sensitive data, whether unexpectedly or maliciously.

“This vulnerability is particularly critical if the login process of app A is associated with app B,” the researchers said.

To demonstrate this, the researchers illustrated an attack scenario, as shown in the image above, using the example of the Chinese retailer app “Suning” and its implementation of the “Login with WeChat” feature, explaining how it is susceptible to abuse.
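The defensive side of the scheme-collision problem, as an added example that is not code from Trend Micro, Suning or WeChat: a receiving app cannot assume its custom scheme is unique, so the handler below checks the system-supplied source bundle identifier and a whitelist of query parameters before trusting anything carried in the URL. The scheme, bundle identifiers and parameter names are illustrative placeholders.

```swift
import UIKit

// Added example: hardened custom-URL-scheme handler. iOS does not stop two apps
// from registering the same scheme, so the receiver verifies the caller rather
// than trusting the URL. All identifiers below are placeholders.

enum DeepLinkError: Error {
    case untrustedSource(String?)
    case malformed
    case unexpectedParameter(String)
}

struct DeepLinkPolicy {
    let expectedScheme = "exampleapp"                                // placeholder scheme
    let trustedSources: Set<String> = ["com.example.partner-login"]  // placeholder bundle ID
    let allowedQueryKeys: Set<String> = ["state", "code"]

    /// `sourceApplication` is taken from UIApplication.OpenURLOptionsKey.sourceApplication,
    /// which the system fills in; it is a stronger signal than anything inside the URL.
    /// A missing or unknown source is rejected rather than assumed benign.
    func validate(url: URL, sourceApplication: String?) throws -> [String: String] {
        guard let source = sourceApplication, trustedSources.contains(source) else {
            throw DeepLinkError.untrustedSource(sourceApplication)
        }
        guard url.scheme?.lowercased() == expectedScheme,
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
            throw DeepLinkError.malformed
        }
        var params: [String: String] = [:]
        for item in components.queryItems ?? [] {
            guard allowedQueryKeys.contains(item.name) else {
                throw DeepLinkError.unexpectedParameter(item.name)
            }
            params[item.name] = item.value ?? ""
        }
        return params
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    let policy = DeepLinkPolicy()

    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let source = options[.sourceApplication] as? String
        do {
            // Only a short-lived, single-use `code` should arrive here; exchange it
            // server-side and bind it to the `state` the app generated earlier.
            _ = try policy.validate(url: url, sourceApplication: source)
            return true
        } catch {
            return false   // scheme collision or spoofed caller: drop the request
        }
    }
}
```

Universal Links (associated domains) avoid the collision entirely because the link is bound to a domain the app proves ownership of, and long-lived credentials should never travel in a custom-scheme URL at all.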

Read more »

The FBI has released the master decryption keys for GandCrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.

On June 1st, 2019, the developers behind the wildly successful GandCrab Ransomware announced that they were closing shop after allegedly amassing $2 billion in ransom payments and personally earning $150 million.

Read more »

A mysterious group of hackers carried out a series of cyber attacks against European government agencies, infecting employees with a new piece of malware tracked as SilentTrinity. The SilentTrinity malware can take control of an infected computer, allowing attackers to execute arbitrary commands.

Between February and April, allegedly state-sponsored hackers launched a spear-phishing campaign against government agencies.

The attack was discovered by researchers at Positive Technologies while hunting for new cyber threats; the attackers used weaponized Excel documents.

The phishing messages posed as delivery notifications from retail services and included a Microsoft Excel document saved in the old .xls format and compiled the previous day.

The document included a malicious macro that borrows code from various projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.

Once the victim has enabled the macro, the malicious code will download and execute the malware on the victim’s machine. Experts observed attackers using the Empire backdoor and the SilentTrinity malware.

Read more »

After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after Talos published its initial findings and coverage, and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen and is unlikely to be deterred going forward.

Additionally, Talos discovered a new DNS hijacking technique that it assesses with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. It has only been observed in a few highly targeted operations. Talos also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain using that country code; that access was then used to compromise additional government entities. Unfortunately, unless significant changes are made to better secure DNS, these sorts of attacks are going to remain prevalent.

Read more »

The Sodinokibi ransomware is looking to increase its privileges on a victim machine by exploiting a vulnerability in the Win32k component present in Windows 7 through 10 and Server editions.

The file-encrypting malware stepped into the limelight in April when it started to exploit a critical vulnerability in Oracle WebLogic.

Global spread

Security researchers found that Sodinokibi, a.k.a. REvil, also exploits CVE-2018-8453, a vulnerability discovered and reported by Kaspersky that Microsoft patched in October 2018.

Kaspersky uses the name Sodin to refer to this strain of ransomware, and its telemetry data shows detections in a few pockets around the globe, most of them recorded in the Asia-Pacific region: Taiwan (17.56%), Hong Kong, and South Korea (8.78%).

Other countries where Sodinokibi was detected are Japan (8.05%), Germany (8.05%), Italy (5.12%), Spain (4.88%), Vietnam (2.93%), the U.S. (2.44%), and Malaysia (2.20%).

Read more »