A CYBER-SECURITY expert has revealed the warning signs you need to check on your Android phone that show whether an app is secretly malicious.
The clues are often plain as day if you know where to look, according to the pro.
There are two warning signs that you definitely need to watch out for.
And if you see either, it’s worth deleting the app right away.
The U.S. Sun spoke to Zane Bond, Head of Product at Keeper Security, who revealed when you should be concerned about an app.
“One way is to check the app’s privacy policy,” Zane told us.
“A reputable app will have a clear and concise privacy policy that outlines how it uses your data and what kind of information it collects.
“If an app’s privacy policy seems vague or doesn’t exist, it’s best to err on the side of caution and avoid using the app altogether.”
Any time that an Android app conceals what it’s doing, that should be cause for concern.
Another area where you might want to worry is if an app is “abusing its security permissions”.
“Some apps may request access to sensitive information such as your location, contacts, camera and microphone as part of their vague terms and conditions,” Zane warned.
Often apps will need to access sensitive parts of your phone to work properly.
Imagine trying to use Uber without offering up your location, or Skype with no microphone access.
That’s perfectly normal so that you can take advantage of all the app’s features.
But some apps might go too far and request permissions they don’t need – and this is a red flag.
“When you download an app, it will typically ask for permission to access certain features or data on your device,” Zane said.
“For example, a social media app may request access to your camera and microphone to allow you to take pictures and record videos.
“However, if an app requests access to sensitive information that it doesn’t need to function properly, this is a red flag that it may be abusing its security permissions.
“These permissions can typically be changed in your phone’s settings.”
It’s important to keep track of apps and the permissions they’re using.
Shortcuts aren’t just for keyboards. Digital browsers use various online shortcuts regularly — like web extensions — which can help them surf the web quickly.
Unfortunately, not all shortcuts are safe and secure. Our list of malicious Chrome extensions reveals the dangers lurking behind unlisted, poorly scanned and third-party downloads freely available across the web.
Premium protective services from Panda Security can help keep your browsers and devices safe — even from malicious extensions. Pairing these protections with knowledge about dangerous add-ons, how to detect them and ways to remove them can help online users navigate the web without compromising privacy and security.
What Is a Browser Extension?
A browser extension is software that does exactly as the name suggests: it extends your browser — or specific browser tools — to other webpages. These extensions can analyze information, modify or edit user actions and provide additional functionality across various browsing sites.
Some of the most common browser extensions are Grammarly, AdBlock, LastPass, Google Calendar and Scribe. While most browser extensions are harmless and can be incredibly useful, users are still able to unknowingly download malicious software that can access personal information or cause damage to devices.
Popular Malicious Chrome Extensions
Google’s Chrome is the most popular web browser across the globe, supporting more than 130,000 unique browser extensions. Most of these unique extensions are safe and supported by Chrome itself, but a few popular extensions have been identified as malicious.
These malicious Chrome extensions can contain malware, insert affiliate links into webpages and internally damage systems. This list includes some of the most notorious extensions Chrome users should be aware of.
Netflix Party
Designed to allow synchronized media viewing, the Netflix Party extension was actually used for affiliate links. This add-on would track a user’s digital footprint and inject affiliate links into appropriate pages. The owners of this extension can then make a profit based on the user’s browsing history.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023.
According to information observed by the FBI, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers in the Education Facilities Subsector.
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.
TECHNICAL DETAILS
Vulnerability Overview
CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[1]
Version 8.0.0 to 19.2.7
Version 20.0.0 to 20.1.6
Version 21.0.0 to 21.2.10
Version 22.0.0 to 22.0.8
PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE). There are currently two publicly known proofs of concept for achieving RCE in vulnerable PaperCut software:
Using the print scripting interface to execute shell commands.
Using the User/Group Sync interface to execute a living-off-the-land-style attack.
FBI and CISA note that actors may develop other methods for RCE.
The PaperCut server process pc-app.exe runs with SYSTEM- or root-level privileges. When the software is exploited to execute other processes such as cmd.exe or powershell.exe, these child processes are created with the same privileges. Commands supplied with the execution of these processes will also run with the same privileges. As a result, a wide range of post-exploitation activity is possible following initial access and compromise.
Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files (see Figure 1).
According to FBI information, legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface. External network communications through Tor and/or other proxies from inside victim networks helped Bl00dy Gang ransomware actors mask their malicious network traffic. The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
DETECTION METHODS
Network defenders should focus detection efforts on three key areas:
Network traffic signatures – Look for network traffic attempting to access the SetupCompleted page of an exposed and vulnerable PaperCut server.
System monitoring – Look for child processes spawned from a PaperCut server’s pc-app.exe process.
Server settings and log files – Look for evidence of malicious activity in PaperCut server settings and log files.
Network Traffic Signatures
To exploit CVE-2023-27350, a malicious actor must first visit the SetupCompleted page of the intended target, which will provide the adversary with authentication to the targeted PaperCut server. Deploy the following Emerging Threat Suricata signatures to detect when GET requests are sent to the SetupCompleted page. (Be careful of improperly formatted double-quotation marks if copying and pasting signatures from this advisory.)
Note that some of the techniques identified in this section can affect the availability or stability of a system. Defenders should follow organizational policies and incident response best practices to minimize the risk to operations while threat hunting.
Note that these signatures and other rule-based detections, including YARA rules, may fail to detect more advanced iterations of CVE-2023-27350 exploits. Actors are known to adapt exploits to circumvent rule-based detections formulated for the original iterations of exploits observed in the wild. For example, the first rule above detected some of the first known exploits of CVE-2023-27350, but a slight modification of the exploit’s GET request can evade that rule. The second rule was designed to detect a broader range of activity than the first rule.
The following additional Emerging Threat Suricata signatures are designed to detect Domain Name System (DNS) lookups of known malicious domains associated with recent PaperCut exploitation:
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com)"; dns_query; content:"windowcsupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowcsupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com)"; dns_query; content:"anydeskupdate.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)anydeskupdate\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com)"; dns_query; content:"anydeskupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)anydeskupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com)"; dns_query; content:"windowservicecemter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecemter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com)"; dns_query; content:"winserverupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)winserverupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com)"; dns_query; content:"netviewremote.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)netviewremote\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com)"; dns_query; content:"updateservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)updateservicecenter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com)"; dns_query; content:"windowservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecenter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com)"; dns_query; content:"windowservicecentar.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecentar\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
Note that these signatures may also not work if the actor modified activity to evade detection by known rules.
System Monitoring
A child process is spawned under pc-app.exe (the PaperCut server process) when the vulnerable PaperCut software is used to execute another process. Malicious activity against PaperCut servers in mid-April used the RCE to supply commands to a cmd.exe or powershell.exe child process, which were then used to conduct further network exploitation. The following YARA rule may detect malicious activity[2].
title: PaperCut MF/NG Vulnerability
authors: Huntress DE&TH Team
description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: "\\pc-app.exe"
        Image|endswith:
            - "\\cmd.exe"
            - "\\powershell.exe"
    condition: selection
level: high
falsepositives:
    - Expected admin activity
More advanced versions of the exploit can drop a backdoor executable, use living-off-the-land binaries, or attempt to evade the above YARA rule by spawning an additional child process in-between pc-app.exe and a command-line interpreter.
Server Settings and Log Files
Network defenders may be able to identify suspicious activity by reviewing the PaperCut server options to identify unfamiliar print scripts or User/Group Sync settings.
If the PaperCut Application Server logs have debug mode enabled, lines containing SetupCompleted at a time not correlating with the server installation or upgrade may be indicative of a compromise. Server logs can be found in [app-path]/server/logs/*.* where server.log is normally the most recent log file. Any of the following server log entries may be indicative of a compromise:
User "admin" updated the config key "print.script.sandboxed"
User "admin" updated the config key "device.script.sandboxed"
Admin user "admin" modified the print script on printer
User/Group Sync settings changed by "admin"
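As an added illustration of the hunting guidance in the System Monitoring and Server Settings sections above (this is not CISA, FBI or Huntress tooling): the process check walks the whole ancestor chain rather than only the direct parent, so an interpreter launched one hop away from pc-app.exe (the evasion noted above) is still flagged; the log check flags SetupCompleted entries outside the install/upgrade window and the four admin-change messages listed. The event dicts, file paths, timestamps and server.log lines are constructed sample data in a format assumed for the example.

```python
import re
from datetime import datetime, timedelta
# Added example for the CVE-2023-27350 hunting guidance above; not CISA/FBI
# tooling. All event dicts, paths, timestamps and log lines are constructed.
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe")

def descends_from_pcapp(tree, pid, max_depth=8):
    """Hop count from pid up to a pc-app.exe ancestor (1 = direct child,
    >1 = a process was inserted in between), or None if there is none."""
    cur = tree.get(pid)
    for depth in range(1, max_depth + 1):
        cur = tree.get(cur["ppid"]) if cur else None
        if cur is None:
            return None
        if cur["image"].lower().endswith("\\pc-app.exe"):
            return depth
    return None

def flag_process_events(events):
    """(pid, depth) of each cmd.exe/powershell.exe under pc-app.exe at any depth."""
    tree = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        depth = descends_from_pcapp(tree, e["pid"])
        if depth is not None and e["image"].lower().endswith(INTERPRETERS):
            hits.append((e["pid"], depth))
    return hits

# server.log messages the advisory lists as possible signs of compromise.
LOG_INDICATORS = (
    'updated the config key "print.script.sandboxed"',
    'updated the config key "device.script.sandboxed"',
    'modified the print script on printer',
    'User/Group Sync settings changed by',
)
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def flag_log_lines(lines, install_time, window=timedelta(hours=1)):
    """(line_no, reason) for SetupCompleted entries outside the install or
    upgrade window and for any of the indicator messages above."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a timestamped entry in the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if "SetupCompleted" in msg and abs(ts - install_time) > window:
            hits.append((n, "SetupCompleted outside install/upgrade window"))
        hits.extend((n, ind) for ind in LOG_INDICATORS if ind in msg)
    return hits

SAMPLE_EVENTS = [  # constructed process-creation events
    {"pid": 100, "ppid": 1, "image": "C:\\PaperCut\\server\\bin\\win\\pc-app.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\conhost.exe"},
    {"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\powershell.exe"},
    {"pid": 400, "ppid": 1, "image": "C:\\Windows\\System32\\cmd.exe"},
]
INSTALL_TIME = datetime(2023, 3, 1, 9, 0, 0)  # constructed install date
SAMPLE_LOG = [  # constructed server.log lines
    "2023-03-01 09:00:12 SetupCompleted: initial setup finished",
    "2023-04-20 02:13:45 SetupCompleted page accessed",
    '2023-04-20 02:14:10 User "admin" updated the config key "print.script.sandboxed"',
    '2023-04-20 02:15:02 Admin user "admin" modified the print script on printer PR1',
]

if __name__ == "__main__":
    print(flag_process_events(SAMPLE_EVENTS), flag_log_lines(SAMPLE_LOG, INSTALL_TIME))
```

Running the block reports pid 200 at depth 1 and pid 301 at depth 2 (the conhost.exe hop), plus log lines 2, 3 and 4.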
Indicators of Compromise
See Table 1 through Table 6 for IOCs obtained from FBI investigations and open-source information as of early May 2023.
If compromise is suspected or detected, organizations should:
Create a backup of the current PaperCut server(s).
Wipe the PaperCut Application Server and/or Site Server and rebuild it.
Restore the database from a “safe” backup point. Using a backup dated prior to April 2023 would be prudent, given that in-the-wild exploitation began around early April.
Execute additional security response procedures and carry out best practices around potential compromise.
Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. Regarding specific information that appears in this communication, the context and individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of an organization’s complete information security situation.
MITIGATIONS
FBI and CISA recommend organizations:
Upgrade PaperCut to the latest version.
If unable to immediately patch, ensure vulnerable PaperCut servers are not accessible over the internet and implement one of the following network controls:
Option 1: External controls: Block all inbound traffic from external IP addresses to the web management portal (port 9191 and 9192 by default).
Option 2: Internal and external controls: Block all traffic inbound to the web management portal. Note: The server cannot be managed remotely after this step.
Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. Because the CPGs are a subset of best practices, CISA and FBI also recommend all organizations implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).
Bitdefender has unveiled App Anomaly Detection, the real-time, behavior-based protection layer available now in Bitdefender Mobile Security for Android, that continuously detects anomalous and malicious behavior in Android applications as it emerges.
The number of malicious and compromised Android applications available for download in popular app stores continues to grow as cybercriminal groups increasingly leverage the malware as a service (MaaS) model.
Bitdefender research identified dozens of Android applications totaling millions of downloads in the Google Play store in the last year alone that turned malicious after users installed them, with some acting as delivery mechanisms for mobile banking trojans that steal users’ login credentials.
Bitdefender App Anomaly Detection is a technology integrated into the Bitdefender Malware Scanner to provide an additional layer of protection by continuously monitoring and detecting any malicious behaviors and alerting the user if suspicious activities are identified.
Designed to help safeguard Android mobile users’ data, financial assets, and identities from fake or malicious applications, App Anomaly Detection protects users from known and unknown (zero-day) attacks that result in financial loss, account takeover, and identity fraud.
Other anti-malware solutions for Android currently available on the market use signature-based detection, which cybercriminals could evade by designing their mobile applications to manifest malicious behaviors only when certain conditions are met, or only days or weeks after they are first downloaded.
Bitdefender App Anomaly Detection uses a combination of machine learning models, real-time behavior scanning, reputation systems, and other data points to continuously monitor and detect the moment an application turns from benign to malicious.
In this way, Bitdefender App Anomaly Detection protects users even when they have unknowingly installed a dangerous app that runs dormant for a period of time or a seemingly trusted app that breaks its functionality and turns rogue – all with minimal impact on battery life.
“Cybercriminals exploit users’ inherent trust of popular…