Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.

It appears no user interaction is required: if Samsung’s messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message’s embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.

The remote-code execution flaw, labeled SVE-2020-16747, was discovered and reported by Google Project Zero’s Mateusz Jurczyk. You can find an in-depth explanation of the bug here.

Today I’m happy to release new research I’ve been working on for a while: 0-click RCE via MMS in all modern Samsung phones (released 2015+), due to numerous bugs in a little-known custom “Qmage” image codec supported by Skia on Samsung devices. Demo: https://t.co/8KRIhy4Fpk

— j00ru//vx (@j00ru) May 6, 2020

Samsung has pushed out updates to supported phones to squash the bug, which should be installed ASAP before someone weaponizes an exploit for this programming blunder. If you are still waiting for a patch, switching your default message app to another messaging application, and not Samsung’s, and disabling automatic MMS parsing, may help.

The patch coincides with Android’s monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May’s patch batch.

This latest wedge includes fixes for a remote code execution flaw in the Android AAC decoder (CVE-2020-0103) and a critical Android framework elevation-of-privilege bug (CVE-2020-0096) that together can be exploited to gain total control of the device.

The other vulnerabilities at the 01 patch level are as follows. For the Android framework, two additional elevation-of-privilege bugs (CVE-2020-0097, CVE-2020-0098) that grant malware already on the device not-quite-total control over a device, and for the media framework, one EoP flaw (CVE-2020-0094) and three information disclosure bugs (CVE-2020-0093, CVE-2020-0100, CVE-2020-0101).

The Android system patches cover the aforementioned AAC remote code bug as well as four EoP (CVE-2020-0102, CVE-2020-0109, CVE-2020-0105, CVE-2020-0024) and three information disclosure bugs (CVE-2020-0092, CVE-2020-0106, CVE-2020-0104) holes.

At the 05 level, patches for components outside of the core Android package, fixes were posted for two kernel flaws allowing EoP (CVE-2020-0110) and information disclosure (CVE-2019-19536). Four fixes were posted for information disclosure bugs in MediaTek components (CVE-2020-0064, CVE-2020-0065, CVE-2020-0090, CVE-2020-0091).

A total of 18 patches were posted for flaws in Qualcomm components, though the details on those bugs were not given.

Those with supported Google-branded devices should get the May fixes directly from the Chocolate Factory, while other Android devices should see the fixes come from their respective vendors and carriers. This can happen anywhere from immediately to several weeks from now, to never, depending on the supplier.

Source: One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch • The Register

GitHub has made its automated code-scanning tools available to all open-source projects free of charge.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects.

The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub senior product manager Justin Hutchings told The Register that a key component of the Semmle (and now GitHub) scanning was CodeQL, the query language that graphs and then checks code for mistakes.

“It turns out that capability is extremely useful in security,” said Hutchings. “Most security problems are bad data flow or bad data usage in one way or another.”

While the feature itself will be new to GitHub, the underlying Semmle tools have been in use for years, which is why GitHub believes they’ll hit the ground running when they launch for free with open-source projects and as an add-on for the paid (enterprise), closed-source part of GitHub.

Although the code-scanning feature could be seen as most beneficial to smaller projects without enough work hours needed to thoroughly check for bugs, Hutchings noted that by making the feature cloud-based, bigger developers are also getting something on their wishlist.

“A lot of our commercial customers are excited about being able to run this at scale on our cloud,” he told us.

“Security analysis is compute intensive, you are dealing with millions of lines of code. You want to do this rapidly and we are finally bringing this capability into a hosted cloud environment, so they can scale up more quickly than they could previously.”

In addition to scanning for security bugs, GitHub is also adding the option for commercial developers to scan offline repositories and for exposed secrets (keys, credentials, etc) that could lead to network breaches and data leaks if let out onto the public internet. Previously limited to public repositories (such as AWS or Google Cloud), the secret-scanning feature will now be able to run on private GitHub repositories.

This addition, Hutchings said, is not just a security feature but also a stability feature, as it helps developers keep up with security policies that require changing keys at regular intervals by tracking and logging the changes. In this way, developers can avert outages and downtime that might otherwise occur when keys changes don’t get properly reported and handled.

Source: GitHub blasts code-scanning tool into all open-source projects • The Register

Very cloudy indeed!

There’s a hacker/security researcher with the Twitter handle GreenTheOnly that has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.

[…]

There’s a number of reasons why Tesla owners may need to replace these units: if you’re adding on Autopilot to an existing car, for example, some early models had data-logging issues that caused failure after a few years, and various other wear-and-tear and failure issues.

Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:

…to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail passwords are stored in cookie format:

The ability to get calendar events and owner’s phone book and call history are also huge security breaches, too.

When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $1,000 fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.

TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000ft/min.

Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners’ automatic TCAS responses so they moved up or down at precisely known points.

In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

[…]

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Source: Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers • The Register

Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or from across internet. Attacks on such systems generally require some manner of physical access to introduce malware: an unauthorized person has to get their hands on the machine, typically briefly and unnoticed, to install malicious software, thus getting around the air-gap.

Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware around 2007, after three years of planning, to the nuclear fuel enrichment lab in Natanz, Iran, apparently from a USB stick.

Guri, head of research and development at Ben-Gurion University of the Negev, Israel’s Cyber-Security Research Center, told The Register in an email that air-gapped networks are not just for sensitive military facilities. They are used, he said, by many regulated industries to protect sensitive private data, intellectual property, and critical infrastructure.

In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.

An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.

But Guri’s latest research shows that’s not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” a paper [PDF] detailing the technique explained. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”

Source: OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit… • The Register

De Universiteit Antwerpen verbiedt het gebruik van videobelapp Zoom. De applicatie zou niet veilig genoeg en de universiteit wil geen risico’s nemen nadat men vorig jaar al eens het slachtoffer is geworden van een cyberaanval.

Ook Google en de Amerikaanse ruimtevaartorganisatie NASA namen onlangs het besluit om Zoom niet meer te gebruiken.

Bij de stad Antwerpen wordt Zoom nog volop gebruikt. ‘Door het nemen van gepaste veiligheidsmaatregelen en gebruikmakend van de beveiligingsopties van Zoom zelf werden onnodige risico’s vermeden’, zegt woordvoerder Dirk Delechambre.

Source: Universiteit Antwerpen verbiedt videobelapp Zoom – Emerce

Sorry Dirk, you’re wrong. There is no “safe” way to use the app.

Netsweeper’s internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now.

For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It’s aimed at parents, schools, government offices, and companies. It has a lot of customers in the Middle East, where it’s used to prevent access to content not meant for the local populace, according to investigative Canadian non-profit Citizen Lab.

The flaw, yet to be given a CVE number, was discovered by an anonymous researcher, and documented this week by SecuriTeam Secure Disclosure team leader Noam Rathaus. The bug is present in the web-based Netsweeper administration tool versions 6.4.3 and earlier. It doesn’t require any authentication to exploit: if you can reach the software over the local network or public internet, you can compromise it.

What Rathaus’s source found was that the control panel’s login script, /webadmin/tools/unixlogin.php, fails to fully sanitize user-supplied data, allowing miscreants to commandeer the machine. The login script accepts three parameters: timeout, login, and password. If you set the HTTP request referer header to a specific string, such as webadmin/admin/service_manager_data.php, the login script will execute a shell script that ultimately uses the password parameter unsafely in a Python invocation.

The second parameter, $2, below is derived from the original user-supplied password, in this line in the wonky shell script:

password=$($PYTHON -c "import crypt; print crypt.crypt('$2','\$$algo\$$salt\$')")

If you supply a password that causes $2 to contain, for example…

($P>YTHON -c "import crypt; print crypt.crypt('g','');import os;os.system('id >/tmp/pwnd')#','\$$algo\$$salt\$')")

…you inject and execute a command that stores the Netsweeper software’s user ID to the file /tmp/pwnd. It’s left as an exercise for the reader to turn this remote-code execution into something malicious.

Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.

“[You can] control what data they receive when they access sites and download files,” he said. “This is the worst part – as they can be made to unintentionally download malware and viruses.”

Source: What’s worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there’s no patch?

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.

The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as NSO’s can ultimately be abused by the humans who have access to it.

“There’s not [a] real way to protect against it. The technical people will always have access,” a former NSO employee aware of the incident told Motherboard. A second former NSO employee confirmed the first source’s account, another source familiar confirmed aspects of it, and a fourth source familiar with the company said an NSO employee abused the company’s system. Motherboard granted multiple sources in this story anonymity to speak about sensitive NSO deliberations and to protect them from retaliation from the company.

NSO sells a hacking product called Pegasus to government clients. With Pegasus, users can remotely break into fully up-to-date iPhone or Android devices with either an attack that requires the target to click on a malicious link once, or sometimes not even click on anything at all. Pegasus takes advantage of multiple so-called zero day exploits, which use vulnerabilities that manufacturers such as Apple are unaware of.

[…]

esearchers have previously tracked installations of Pegasus to Saudi Arabia, the United Arab Emirates, Mexico, and dozens of other countries. NSO says its tool should exclusively be used to fight terrorism or serious crime, but researchers, journalists, and tech companies have found multiple instances of NSO customers using the tool to spy on dissidents and political opponents. David Kaye, the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has noted that there is a “legacy of harm” caused by Pegasus.

This latest case of abuse is different though. Rather than a law enforcement body, intelligence agency, or government using the tool, an NSO employee abused it for their own personal ends.

[…]

“It’s nice to see evidence that NSO Group is committed to preventing unauthorized use of their surveillance products where ‘unauthorized’ means ‘unpaid for.’ I wish we had evidence that they cared anywhere near as much when their products are used to enable human rights violations.”

“You have to ask, who else may have been targeted by NSO using customer equipment?” John Scott Railton, a senior researcher from University of Toronto’s Citizen Lab, which has extensively researched NSO’s proliferation, told Motherboard. “It also suggests that NSO, like any organisation, struggles with unprofessional employees. It is terrifying that such people can wield NSA-style hacking tools,” he said.

Source: NSO Employee Abused Phone Hacking Tech to Target a Love Interest – VICE

A vulnerability existed in Microsoft’s Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.

The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file.

Although it was a responsibly disclosed theoretical vuln, and was not abused in the wild as far as is known, it illustrates that not all online collaboration platforms are as secure as one might hope.

“Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” mused Cyberark researcher Omer Tsarfati.

The Israeli infosec outfit said it had alerted Redmond to the two subdomains, resulting in their DNS entries being tweaked. The rest of the Teams vuln was patched last Monday, 20 April.

Source: We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit • The Register

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.

The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. No login details or authentication of any sort was needed to view and search the live system – which logs where and when vehicles, identified by their number plates, travel through Sheffield’s road network.

Britain’s Surveillance Camera Commissioner Tony Porter described the security lapse as “both astonishing and worrying,” and demanded a full probe into the snafu.

Source: Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard • The Register

Financial Times reporter Mark Di Stefano allegedly spied on Zoom meetings at rival newspapers the Independent and the Evening Standard to get scoops on staff cuts and furloughs due to the coronavirus pandemic, according to a report from the UK’s Independent. And Di Stefano he did a comedically bad job of covering his tracks.

Di Stefano reportedly logged in to a Zoom meeting being held by the Independent last week using his Financial Times email address, causing his name to appear for everyone else on the call, though his own video camera was disabled. Di Stefano logged out after “16 seconds,” according to the Independent, but a few minutes later, another login was recorded that was connected to Di Stefano’s phone number. That user stayed on the call until the end of the meeting, according to journalists in the Zoom meeting.

How do we know it was probably Di Stefano? It’s not like he made his knowledge of the call’s contents secret. After the call, he tweeted about the changes at the two news outlets on April 23, including the fact that ad revenue is down between 30 and 50 percent. The FT reporter also tweeted that the Independent’s website had just experienced its biggest traffic month ever.

Di Stefano’s tweets were apparently going out before some people at the two news outlets even knew what was going on at their own workplaces, according to the Independent.

[…]

Di Stefano caught plenty of flak from Twitter users over the past two days, making fun of his less-than-perfect deception on Zoom, with plenty of Simpsons references—like the time that Mr. Burns put on a bad mustache to appear as “Mr. Snrub.”

Source: Journalist Allegedly Spied on Zoom Meetings of Rivals in Hilariously Dumb Ways

IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

Prior to going public, Ribeiro had tried to get CC/CERT to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There’s also a Metasploit module for that attack chain.

The flaws don’t yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM’s spokesperson did not respond.

IBM however did say that it had fumbled the report. “A process error resulted in an improper response to the researcher who reported this situation to IBM,” a company spokesperson told The Register. “We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

Ribeiro dismissed IBM’s response in an email to The Register. “Well, what can I say,” he said. “It’s a joke right? I think it’s pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services.”

Source: IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report • The Register

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

[…] The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.

Source: Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox – Slashdot

Bitdefender researchers have recently found spearphishing campaigns, either impersonating a well-known Egyptian engineering contractor or a shipment company, dropping the Agent Tesla spyware Trojan. The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others, based on Bitdefender telemetry. The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines.

Oil & gas has been under tremendous stress in recent weeks, as the global COVID-19 pandemic lowered oil demand. Oil prices per barrel have dropped by more than half to the lowest since 2002. However, a disruptive dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices.

While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before the “historic OPEC+ deal”, suggests motivation and interest in knowing how specific countries plan to address the issue.

Cybercriminals are often opportunistic and leverage popular media topics in spearphishing campaigns that usually target large numbers of victims. However, we recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.

The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.

Carefully Crafted Spearphishing

The spearphishing email mimics Egyptian state oil company Engineering for Petroleum and Process Industries (Enppi) and claims to invite the recipient to submit a bid for equipment and materials, as part of a project (Rosetta Sharing Facilities Project) on behalf of a well-known gas company (Burullus).

[…]

The Agent Tesla spyware Trojan has reportedly been around since 2014, but has undergone constant improvements and updates. It reportedly operates under a malware-as-a-service offering, with its developers offering various pricing tiers based on different licensing models. Agent Tesla operators seem to have stayed in business for quite some time

Some of its most known and popular capabilities involve stealth, persistence and security evasion techniques that ultimately enable it to extract credentials, copy clipboard data, perform screen captures, form-grabbing, and keylogging functionality, and even collect credentials for a variety of installed applications.

Security researchers have already documented the full extent of Agent Tesla’s capabilities in various pieces of research. What’s interesting is that, until now, it has not been associated with campaigns targeting the oil & gas vertical.

Source: Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal – Bitdefender Labs

Since it exploded onto the scene in January after a newspaper exposé, Clearview AI quickly became one of the most elusive, secretive and reviled companies in the tech startup scene.

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles.

But for a time, a misconfigured server exposed the company’s internal files, apps and source code for anyone on the internet to find.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

The repository also exposed Clearview’s Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company’s private messages and communications.

Clearview has been dogged by privacy concerns since it was forced out of stealth following a profile in The New York Times, but its technology has gone largely untested and the accuracy of its facial recognition tech unproven. Clearview claims it only allows law enforcement to use its technology, but reports show that the startup courted users from private businesses like Macy’s, Walmart and the NBA. But this latest security lapse is likely to invite greater scrutiny of the company’s security and privacy practices.

[…]

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Hussein, who has previously reported security issues at several startups, including MoviePass, Remine and Blind, said he reported the exposure to Clearview but declined to accept a bounty, which he said if signed would have barred him from publicly disclosing the security lapse.

It’s not uncommon for companies to use bug bounty terms and conditions or non-disclosure agreements to prevent the disclosure of security lapses once they are fixed. But experts told TechCrunch that researchers are not obligated to accept a bounty or agree to disclosure rules.

Ton-That said that Clearview has “done a full forensic audit of the host to confirm no other unauthorized access occurred.” He also confirmed that the secret keys have been changed and no longer work.

Hussein’s findings offer a rare glimpse into the operations of the secretive company. One screenshot shared by Hussein showed code and apps referencing the company’s Insight Camera, which Ton-That described as a “prototype” camera, since discontinued.

A screenshot of Clearview AI’s app for macOS. It connects to Clearview’s database through an API. The app also references Clearview’s former prototype camera hardware, Insight Camera.

According to BuzzFeed News, one of the firms that tested the cameras is New York City real estate firm Rudin Management, which trialed use of a camera at two of its city residential buildings.

Hussein said that he found some 70,000 videos in one of Clearview’s cloud storage buckets, taken from a camera installed at face-height in the lobby of a residential building. The videos show residents entering and leaving the building.

Source: Security lapse exposed Clearview AI source code | TechCrunch

A critical vulnerability in VMware’s vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.

The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.

Admins in charge of VMware estates should probably patch this one immediately, if they haven’t already.

Guardicore researcher JJ Lehman told The Register: “You have to be network accessible but you don’t have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts.”

The virtualization vendor issued an advisory note and patch on 9 April that explained that a “malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials”.

“It’s very unique,” Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team’s eye. “This is why this is such a critical issue and this is why we believe it’s important for people to understand and mitigate it as fast as possible.”

He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.

Source: That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed • The Register

In February, a researcher detailed a widely circulating Android backdoor that’s so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn’t know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

[…]

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights.

[…]

Last week, Kaspersky Lab researcher Igor Golovin published a post that filled in some of the gaps. The reinfections, he said, were the result of files that were downloaded and installed by a notorious trojan known as Triada, which ran once the xHelper app was installed. Triada roots the devices and then uses its powerful system rights to install a series of malicious files directly into the system partition. It does this by remounting the system partition in write mode. To make the files even more persistent, Triada gives them an immutable attribute, which prevents deleting, even by superusers. (Interestingly, the attribute can be deleted using the chattr command.)

A file named install-recovery.sh makes calls to files added to the /system/xbin folder. That allows the malware to run each time the device is rebooted. The result is what Golovin described as an “unkillable” infection that has extraordinary control over a device.

[…]

The researcher initially thought that it might be possible to remove xHelper by remounting the system partition in write mode to delete the malicious files stored there. He eventually abandoned that theory.

“Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so,” Golovin explained. “This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.”

Fortunately, the reinfection method divined in last week’s report works only on devices running older Android versions with known rooting vulnerabilities. Golovin, however, held out the possibility that, in some cases, xHelper may maintain persistence through malicious files that come preinstalled on phones or tablets.

People can disinfect devices by using their recovery mode, when available, to replace the infected libc.so file with the legitimate one included with the original firmware. Users can then either remove all malware from the system partition or, simpler still, reflash the device.

Source: The secret behind “unkillable” Android backdoor called xHelper has been revealed | Ars Technica

Router biz Linksys has reset all its customers’ Smart Wi-Fi account passwords after cybercrims accessed a bunch and redirected hapless users to COVID-19 themed malware.

The mass reset took place after all user accounts were locked on 2 April, following infosec firm Bitdefender revealing that malicious persons were pwning Linksys devices through cred-stuffing attacks.

Hackers with access to Linksys Smart Wi-Fi accounts were changing home routers’ DNS server settings. Compromised users’ attempts to reach domains ranging from Disney, pornography, and Amazon AWS were redirected to a webpage peddling a coronavirus-themed app “that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19.”

The app was hosted on Bitbucket, a Git-style collaboration tool. Instead of health advice it dispensed the Oski info-stealing malware, which helps itself to one’s login credentials for various services, including cryptocurrency wallets.

Linksys customers were told of the password reset by the firm earlier this week, along with cryptic and confusing references to “the COVID-19 malware”. Affected users must now change their passwords the next time they log into the Linksys Smart Wi-Fi app.

Source: Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware • The Register

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.

BleepingComputer has contacted random email addresses exposed in these lists and has confirmed that some of the credentials were correct.

One exposed user told BleepingComputer that the listed password was an old one, which indicates that some of these credentials are likely from older credential stuffing attacks.

Accounts sold in bulk

After seeing a seller posting accounts on a hacker forum, Cyble reached out to purchase a large number of accounts in bulk so that they could be used to warn their customers of the potential breach.

Cyble was able to purchase approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account.

The purchased accounts include a victim’s email address, password, personal meeting URL, and their HostKey.

Source: Over 500,000 Zoom accounts sold on hacker forums, the dark web

As much of the world works from home, an explosion of video conference calls has provided a playground not just for Zoombombers, phishermen and cybercriminals, but also for spies. Everyone from top business executives to government officials and scientists are using conferencing apps to stay in touch during the new coronavirus lockdowns and U.S. counterintelligence agencies have observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats, three U.S. intelligence officials tell TIME.

But the cyberspies that have moved fastest and most aggressively during the pandemic, the intelligence officials say, have been China’s. “More than anyone else, the Chinese are interested in what American companies are doing,” said one of the three. And that, in turn, has some U.S. counterintelligence officials worrying about one video conference platform in particular: Zoom. While the Chinese, Russians, and others are targeting virtually every tool Americans and others are using now that they’re forced to work from home, Zoom is an attractive target, especially for China, the intelligence officials and internet security researchers say.

Source: Foreign Spies Target Zoom, U.S. Intel Officials Say | Time

US senators have been advised not to use videoconferencing platform Zoom over security concerns, the Financial Times reports.

According to three people briefed on the matter, the Senate sergeant-at-arms – whose job it is to run law enforcement and security on the Capitol – told senators to find alternative methods for remote working, although he did not implement an outright ban.

With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

This week the company admitted to “mistakenly” routing data through China in a bid to secure more server space to deal with skyrocketing demand. “We failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” Yuan said.

The news sparked outrage among some senators, and Senate Democrat Richard Blumenthal called for the FTC to launch an investigation into the company.

“As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy and security,” the senator tweeted.

The slew of privacy issues has also prompted the Taiwanese government to ban its officials from using Zoom, and Google banned use of the app on work computers due to its “security vulnerabilities.”

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.

Source: The US Senate reportedly advised members to stop using Zoom

Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

FILE PHOTO: FILE PHOTO: Zoom logo is seen in front of diplayed coronavirus disease (COVID-19) in this illustration taken March 19, 2020. REUTERS/Dado Ruvic/Illustration

One incident involved obscene images appearing on screens and strange men making lewd comments during the streaming of a geography lesson with teenage girls, media said.

Zoom Video Communications Inc (ZM.O) has faced safety and privacy concerns over its conferencing app, use of which has surged in offices and schools worldwide after they shut to try and curb virus infections.

“These are very serious incidents,” Aaron Loh of the education ministry’s technology division said on Friday, without giving details.

“The Ministry of Education (MOE) is currently investigating both breaches and will lodge a police report if warranted.

“As a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out.”

Loh said they ministry would further advise teachers on security protocols, such as requiring secure log-ins and not sharing the meeting link beyond the students in the class.

Source: Singapore stops teachers using Zoom app after ‘very serious incidents’ – Reuters