Two serious vulnerabilities in Qualcomm’s Snapdragon system-on-a-chip (SoC) WLAN firmware could be leveraged to compromise the modem and the Android kernel over the air.

The flaws were found in Qualcomm’s Snapdragon 835 and 845 WLAN component. The tests were made on Google Pixel 2 and 3 but any unpatched phone running one of the two SoCs is vulnerable.

Critical and high-severity bugs

Security researchers from Tencent’s Blade team found that one of the vulnerabilities (CVE-2019-10538, with a high severity rating) allows attackers to compromise the WLAN component and the chip’s modem over the air.

The second one is a buffer overflow tracked as CVE-2019-10540; it received a critical severity rating, and an attacker can exploit it to compromise the Android kernel from the WLAN component.

The researchers informed both Google and Qualcomm about the flaws and exploitation is currently possible only on Android phones that have not been patched with the latest security updates that rolled out today.

Qualcomm on June 3 published a security bulletin to original equipment manufacturers (OEMs) to allow them to prepare the Android update for their devices.

The chip maker advises “end users to update their devices as patches become available from OEMs.”

Despite patches being available, a large number of phones are likely to remain vulnerable for a long time, as many devices are no longer eligible for updates from their vendor.

Also, not all makers are ready to push the Android update when Google releases it. It is common for security updates to reach phones that are still supported by their maker weeks late.

Read more »

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America and former Soviet bloc nations.

2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” (aka Sunchoke – the Jerusalem artichoke) and its related modules. We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves.

The new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor targeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak. Among the control servers there are several legitimate but compromised WordPress websites with the actor’s .php scripts on them.

This time, the developers left some Easter eggs for the targets and researchers. The .NET modules include amusing strings such as “TrumpTower” as an initial vector for RC4 encryption. “RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and “MiamiBeach” serve as the first beacon messages from the victim to the control server.

Read more »

Security researchers have illustrated a new app-in-the-middle attack that could allow a malicious app installed on your iOS device to steal sensitive information from other apps by exploiting certain implementations of Custom URL Scheme.

By default on Apple’s iOS operating system, every app runs inside a sandbox of its own, which prevents apps installed on the same device from accessing each other’s data.

However, Apple offers some methods that facilitate sending and receiving very limited data between applications.

One such mechanism is called URL Scheme, also known as Deep Linking, which allows developers to let users launch their apps through URLs such as facetime://, whatsapp:// or fb-messenger://.

For example, when you tap “Sign in with Facebook” within an e-commerce app, it directly launches the Facebook app installed on your device, which automatically processes the authentication.

In the background, that e-commerce app actually triggers the URL Scheme for the Facebook app (fb://) and passes some context information required to process your login.

Researchers at Trend Micro noticed that, because Apple does not explicitly define which app may use which keywords for its Custom URL Scheme, multiple apps on an iOS device can register the same URL Scheme. A URL meant for one app can therefore be delivered, along with the sensitive data it carries, to a completely different app, whether by accident or by design.

“This vulnerability is particularly critical if the login process of app A is associated with app B,” the researchers said.

To demonstrate this, the researchers illustrated an attack scenario, as shown in the image above, using the Chinese retailer app “Suning” and its implementation of the “Login with WeChat” feature, explaining how it is susceptible to hijacking.
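The weakness above is that a custom scheme by itself proves nothing about which app sent a URL or which app will receive it. The following Swift snippet is an added example, not code from Trend Micro, Suning or WeChat; it shows the receiving side of a login callback written so that a look-alike app registered for the same scheme gains nothing. The scheme name “shopapp”, the callback host “login”, the query parameter “code”, the bundle identifier “com.example.authprovider” and the notification name are all assumed for the illustration; `UIApplication.OpenURLOptionsKey.sourceApplication` is the real iOS key that carries the caller’s bundle identifier.

```swift
import UIKit

// Added example (not from the research or any app named above).
// Assumptions (hypothetical names): our app registers the custom scheme
// "shopapp" in Info.plist (CFBundleURLTypes); the only app allowed to call
// us back is the identity provider with bundle id "com.example.authprovider";
// the callback has the form shopapp://login?code=<one-time code>.
let expectedScheme = "shopapp"
let expectedCallbackHost = "login"
let trustedSourceBundleID = "com.example.authprovider"

/// Returns the one-time login code only if the URL is the callback we expect
/// AND iOS reports that it came from the trusted provider app; nil otherwise,
/// so the caller simply ignores the open.
func loginCode(from url: URL,
               options: [UIApplication.OpenURLOptionsKey: Any]) -> String? {
    // 1. Scheme and host must match exactly. iOS does not guarantee which app
    //    receives a scheme that several apps registered, so matching the
    //    scheme is routing, not authentication, in either direction.
    guard url.scheme?.lowercased() == expectedScheme,
          url.host?.lowercased() == expectedCallbackHost else {
        return nil
    }

    // 2. The system supplies the caller's bundle identifier; the calling app
    //    does not get to choose it, so this is the check that separates the
    //    real provider from an app that merely registered the same scheme.
    //    A missing value is treated as untrusted.
    guard let source = options[.sourceApplication] as? String,
          source == trustedSourceBundleID else {
        return nil
    }

    // 3. Parse the query strictly: exactly one non-empty "code" item is used.
    //    The code is a short-lived, single-use token that the server exchanges
    //    for a session; long-lived secrets should never travel over a custom
    //    scheme, in either direction.
    guard let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
          let code = items.first(where: { $0.name == "code" })?.value,
          !code.isEmpty else {
        return nil
    }
    return code
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication,
                     open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard let code = loginCode(from: url, options: options) else {
            // Unknown scheme, unexpected sender or malformed callback: drop it.
            return false
        }
        // Hand the code to the session layer (hypothetical notification); that
        // layer performs the server-side exchange. The URL alone is never
        // treated as proof of login.
        NotificationCenter.default.post(name: .loginCodeReceived,
                                        object: nil,
                                        userInfo: ["code": code])
        return true
    }
}

extension Notification.Name {
    static let loginCodeReceived = Notification.Name("loginCodeReceived")
}
```

The sending side needs the mirror-image discipline: an app that launches another app’s scheme should not place passwords, session tokens or other secrets in the URL, because it cannot know which app registered that scheme on the device. Where the receiver is your own app, Universal Links are the safer channel, since they are bound to a domain you control through the apple-app-site-association file rather than to a first-come, first-served scheme name.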

Read more »

The FBI has released the master decryption keys for GandCrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.

On June 1st, 2019, the developers behind the wildly successful GandCrab Ransomware announced that they were closing shop after allegedly amassing $2 billion in ransom payments and personally earning $150 million.

Read more »

A mysterious group of hackers carried out a series of cyber attacks against European government agencies, infecting employees with a new piece of malware tracked as SilentTrinity. The SilentTrinity malware can take control of an infected computer and allows attackers to execute arbitrary commands.

Between February and April, allegedly state-sponsored hackers have launched a spear-phishing campaign against government agencies.

The attack was discovered by researchers at Positive Technologies while hunting for new cyber threats; the attackers used weaponized Excel documents.

The phishing messages posed as delivery notifications from retail services; they included a Microsoft Excel file saved in the old .xls format and created the previous day.

The document included a malicious macro that borrows code from various projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.

Once the victim has enabled the macro, the malicious code will download and execute the malware on the victim’s machine. Experts observed attackers using the Empire backdoor and the SilentTrinity malware.

Read more »