Tag Archive for: discovered

New strain of the Phobos ransomware discovered in VBA script


A new variant of the Phobos ransomware called “FAUST” has been discovered. It is a concern because it can maintain persistence in a compromised network and spawns multiple threads so that it executes efficiently.

In a Jan. 25 blog post, FortiGuard Labs researchers said they found the variant after uncovering an Office document containing a Visual Basic for Applications (VBA) macro built to deliver the FAUST ransomware.

The researchers said the attackers used the Gitea service to host several Base64-encoded files, each carrying a malicious binary. According to FortiGuard Labs, once these binaries are decoded and injected into a process’s memory, they begin encrypting files.
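The delivery chain above rests on two observable facts: the carrier is a VBA macro, and the payload is a Base64-encoded Windows binary. The following is an added example (not FortiGuard’s code, and not taken from the sample it analysed) that checks text for exactly that: it joins the split string literals VBA authors use to hide long blobs, decodes any Base64 run of plausible length, and reports those that decode to a PE image (an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature). The macro source and the “PE” payload embedded here are constructed stand-ins; the same scan can be run over macro source dumped from a real document or over files fetched from a staging host.

```python
from __future__ import annotations

import base64
import binascii
import re
import struct

# Base64 runs shorter than this are almost always identifiers, not embedded files.
MIN_B64_LEN = 64
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def vba_string_literals(vba: str) -> list[str]:
    """Return one concatenated string per VBA statement.

    Line continuations ("_" at end of line) are joined first, then every
    double-quoted literal in the statement is concatenated, which undoes the
    common 'payload = "AAAA" & _ "BBBB"' splitting trick.
    """
    joined = re.sub(r"\s_\r?\n\s*", " ", vba)
    results = []
    for line in joined.splitlines():
        literals = re.findall(r'"([^"]*)"', line)
        if literals:
            results.append("".join(literals))
    return results


def find_embedded_pe(text: str) -> list[dict]:
    """Find Base64 runs in text that decode to a PE image."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64 after all (e.g. length not a multiple of 4)
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(), "encoded_len": len(run), "decoded_len": len(decoded)})
    return hits


def scan_vba(vba: str) -> list[dict]:
    """Scan every reassembled string literal in a macro for an embedded PE."""
    hits = []
    for s in vba_string_literals(vba):
        hits.extend(find_embedded_pe(s))
    return hits


def _fake_pe() -> bytes:
    # Constructed stand-in for a Windows binary: MZ stub with e_lfanew = 0x40,
    # a PE signature at 0x40 and zero filler. It is not a runnable executable.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


_B64_PAYLOAD = base64.b64encode(_fake_pe()).decode()
_B64_BENIGN = base64.b64encode(b"This is a benign quarterly report template" * 3).decode()

# Constructed macro text: the payload is split across continuation lines, the
# benign string is a single long literal that must not be flagged.
SAMPLE_VBA = (
    "Sub AutoOpen()\r\n"
    "    Dim payload As String\r\n"
    '    payload = "' + _B64_PAYLOAD[:60] + '" & _\r\n'
    '              "' + _B64_PAYLOAD[60:120] + '" & _\r\n'
    '              "' + _B64_PAYLOAD[120:] + '"\r\n'
    "    Dim note As String\r\n"
    '    note = "' + _B64_BENIGN + '"\r\n'
    "End Sub\r\n"
)

if __name__ == "__main__":
    for hit in scan_vba(SAMPLE_VBA):
        print(f"embedded PE: {hit['decoded_len']} bytes from {hit['encoded_len']} Base64 chars")
```

The check deliberately validates the PE header rather than just the `MZ` magic, because `TVq` (the Base64 prefix of `MZ`) alone produces false positives on unrelated data; it also does not try to follow the download step, since the files in the case above were hosted remotely and fetched at run time.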

FortiGuard Labs researchers said the Phobos ransomware family emerged in 2019 and has since been involved in numerous cyberattacks. Phobos ransomware typically appends a unique extension to encrypted files and demands a ransom payment in cryptocurrency for the decryption key. The researchers said they have captured and reported on several variants from the Phobos family, including EKING and 8Base.

The Fortinet research on the FAUST variant of Phobos ransomware reveals it as a sophisticated threat, particularly because of its fileless attack method and ability to persistently embed itself within a network, said Anurag Gurtu, chief product officer at StrikeReady.

“While advising users not to click on suspicious links is a basic defense, it’s clear that more robust measures are needed,” said Gurtu. “Businesses should consider advanced cybersecurity strategies, including regular software updates, employee cybersecurity training, and employing comprehensive security systems to detect and mitigate such threats.”

John Bambenek, president at Bambenek Consulting, added that macros remain a dangerous part of malware delivery because VBA offers functionality that many companies use for day-to-day applications.

“The safest way to deal with this threat is to disable VBA in Office entirely,” explained Bambenek. “However, if that’s not an option, organizations can at least disable ‘high-risk’ functionality in VBA using Windows Defender Attack Surface Reduction, such as preventing Office applications from creating child…

Source…

Google OAuth secrets exposed as account-hijacking MultiLogin vulnerability discovered


Facepalm: OAuth is an open standard for delegated authorization: it lets a user grant third-party apps and websites access to account data without handing over a password. Google, one of the companies offering OAuth-based sign-in to its users, is seemingly hiding some dangerous “secrets” in its implementation.

A malware developer recently uncovered one of Google’s OAuth secrets: a previously undocumented endpoint named “MultiLogin” that is responsible for synchronizing Google accounts across different services. MultiLogin accepts a vector of account IDs and auth-login tokens, which it uses to manage simultaneous sessions or switch seamlessly between user profiles.

MultiLogin is an undocumented Google endpoint used by Chromium, and it can be abused to compromise a user’s Google account. The “bug” was unveiled in October 2023 by a malware developer known as PRISMA, who shared details of a critical exploit that generates persistent cookies for “continuous” access to Google services, even after the user resets their password.

The exploit was first revealed on PRISMA’s Telegram channel, and it was soon adopted by various malware groups as a new, potent tool for stealing access credentials from users’ PCs. As highlighted by CloudSEK analysts, the 0-day exploit gave infostealer authors two key capabilities: session persistence and valid cookie generation.

Cyber-criminals quickly adapted the new exploit, adding further features to bypass Google’s security restrictions on token regeneration. Recent infostealer malware infects a user’s PC, scans the machine for Chromium session cookies and tokens, then exfiltrates them to remote servers controlled by the criminals.

Thanks to MultiLogin, the stolen tokens can be exchanged for fresh, valid session cookies even after the user changes their Google password, because a password change alone does not revoke them. The attack can be countered by fully signing out of the Google account, which invalidates the session tokens and prevents further exploitation.

CloudSEK said that the MultiLogin exploit underscores the “complexity and stealth” of modern security threats. Google confirmed the session-stealing attack, saying that this kind of malware is not new. The company routinely upgrades its…

Source…

Hackers have discovered a loophole to ‘jailbreak’ Tesla’s paywall-blocked driving features, saving them thousands


Tesla has been at the forefront of the electric vehicle movement. But it has also pioneered another aspect of the car industry, software-defined vehicles, or SDVs, that has not been quite as universally popular.

In practice, SDVs mean that some Tesla features already built into the cars are locked behind a paywall, and customers must pay extra to use them. Features in this category include a heated steering wheel, footwell lights, an “acceleration boost,” and the brand’s $15,000 Full Self-Driving package.

Now, a group of hackers has discovered a way to “jailbreak” those paywalled features, and it looks like Tesla can’t do anything about it.

The team of hackers from Germany, a security researcher and three Ph.D. students, figured out a way to trick Tesla’s Media Control Unit (MCU) into believing that certain purchases had already been made.

The reason Tesla is powerless to stop it is that the MCU is built around a processor made by another company, AMD. The hack targets a weakness in AMD’s hardware rather than Tesla’s own software, so it cannot be closed with a Tesla software update.

To stop this hack from spreading, Tesla would have to physically swap out the MCUs in its cars for ones with a different processor. That said, the practice could void warranties or break future software updates if Tesla ever detected it, as is often the case with jailbroken mobile phones and video game hardware.

The German team will present their findings at the Black Hat 2023 security conference, where they may give more details about how they accomplished the feat, potentially allowing other tech-savvy Tesla owners to jailbreak features on their own.

For customers who have had issues with Tesla’s SDVs in the past (the company has been forced to settle multiple lawsuits over its automatic software updates, which customers alleged violated their consumer rights), this news may bring a bit of schadenfreude.

For Tesla, though, the news is surely worrying, as getting customers to make what are essentially in-app purchases after they have already bought a car is a big part of the EV maker’s business model.

But the company also has other things…

Source…

Microsoft reveals details about how it discovered a security flaw in macOS Gatekeeper


Microsoft has revealed how it discovered a security flaw in macOS Gatekeeper. The vulnerability has been named Achilles.


For those unaware, Gatekeeper is a security feature that protects your Mac by only allowing trusted software to run: before a downloaded app first launches, it checks that the app is signed by an identified developer and notarized by Apple, and blocks or warns about anything that is not. It is a code-trust check rather than an antivirus scanner. The security issue has been assigned CVE-2022-42821 and carries a CVSS score of 5.5, which puts it in the medium severity range.

Microsoft says that it analyzed the issue and shared its findings with Apple in July through Microsoft Security Vulnerability Research, in order to help protect macOS users from potential attacks.

Apple patched the Achilles flaw in macOS Ventura, released on October 24th, and later in macOS Monterey 12.6.2 and macOS Big Sur 11.7.2, which were rolled out on December 13th. In its security notes, the Cupertino company said that the vulnerability could allow an app to bypass Gatekeeper checks, and that a logic issue had been addressed with improved checks.

Achilles vulnerability in macOS Gatekeeper


How Microsoft discovered the Achilles vulnerability in macOS

That doesn’t explain much, but an article on Microsoft’s security blog goes into the details. It is a bit on the technical side, so I’ll try to simplify it here. Microsoft says that macOS devices usually get infected when users run fake apps downloaded from third-party sources, i.e. from outside the App Store.

When a user downloads a file through their web browser, the browser marks it with an extended attribute called com.apple.quarantine. The attribute holds metadata about the download in the form flag;date;agent_name;UUID: a flags field, the download time, the name of the app that saved the file, and an identifier for the download event.

Gatekeeper uses this attribute to enforce its security policies. macOS warns you when you try to open something downloaded from the internet because Gatekeeper reads the extended attribute and recognizes the file as coming from an untrusted source; a file that never receives the attribute is never checked. After analyzing past macOS security vulnerabilities, Microsoft’s researchers focused on one in particular, CVE-2021-1810. That loophole, patched a year earlier, would create a symbolic link to an app…
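Because Gatekeeper keys its decision on the presence and contents of com.apple.quarantine, an analyst triaging a suspicious download wants to see that attribute decoded. The following is an added example, not Microsoft’s or Apple’s code: it parses the flag;date;agent_name;UUID value described above (flags and date are hexadecimal, the date is Unix seconds) and, on macOS, reads it from a file with xattr(1), returning None when the attribute is absent, which is the condition Gatekeeper bypasses aim to produce. The sample attribute value and UUID are constructed; accepting a three-field value with no UUID is a defensive choice made here, not something the page states.

```python
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int       # hexadecimal bit field written by the downloading app
    timestamp: int   # download time, Unix seconds (stored as hex on disk)
    agent: str       # name of the app that saved the file, e.g. "Safari"
    uuid: str        # identifier of the download event; may be empty

    @property
    def downloaded_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value of the form 'flags;date;agent_name;UUID'."""
    parts = value.strip().split(";")
    # Assumption (defensive, not from the page): tolerate a value with no UUID field.
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected com.apple.quarantine format: {value!r}")
    flags_hex, date_hex, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) == 4 else ""
    return Quarantine(int(flags_hex, 16), int(date_hex, 16), agent, uuid)


def read_quarantine(path: str) -> Quarantine | None:
    """Read the attribute from a file via xattr(1) (macOS only).

    Returns None if the file carries no com.apple.quarantine attribute. Such a
    file is never handed to Gatekeeper for assessment, so a freshly downloaded
    app with no attribute deserves a closer look.
    """
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        return None
    return parse_quarantine(result.stdout)


# Constructed sample value, as a browser would write it (hex flags, hex epoch seconds).
SAMPLE_VALUE = "0083;63a1c2d0;Safari;7F2A6C1E-0B3D-4E55-9A8C-1D2E3F4A5B6C"

if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_VALUE)
    print(f"flags=0x{q.flags:04x} agent={q.agent} downloaded={q.downloaded_at.isoformat()} uuid={q.uuid}")
```

On a Mac, `read_quarantine("/path/to/Downloaded.app")` returns the parsed record or None; the parser itself runs anywhere, which is useful when the attribute value has already been exported from a host during an investigation.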

Source…