Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

The Hacker News - 21 March 2024 - 12:30
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the SaaS supply chain snowball quickly. That's why effective vendor risk management (VRM) is a
Category: Hacking & Security

Severe X.Org Memory Safety, Code Execution Vulns Fixed

LinuxSecurity.com - 21 March 2024 - 12:00
After recent heap overflow, out-of-bounds write, and privilege escalation flaws brought X.Org into the spotlight, further severe memory safety and code execution vulnerabilities have been identified in the popular X server. These issues affect the X.Org X11 server.
Category: Hacking & Security

Multiple Chromium DoS, Info Disclosure Vulns Fixed

LinuxSecurity.com - 21 March 2024 - 12:00
Multiple severe security issues were discovered in Chromium before version 122.0.6261.128, which could result in arbitrary code execution, denial of service, or information disclosure. Let's examine these vulnerabilities, their impact, and how to protect against them.
Category: Hacking & Security

GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws

The Hacker News - 21 March 2024 - 11:30
GitHub on Wednesday announced that it's making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations in an effort to avoid introducing new security issues. "Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and
Category: Hacking & Security

Making Sense of Operational Technology Attacks: The Past, Present, and Future

The Hacker News - 21 March 2024 - 10:23
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the
Category: Hacking & Security

U.S. Sanctions Russians Behind 'Doppelganger' Cyber Influence Campaign

The Hacker News - 21 March 2024 - 09:07
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations. Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and
Category: Hacking & Security

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

The Hacker News - 21 March 2024 - 04:55
Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6. "An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance
Category: Hacking & Security

Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug

The Hacker News - 21 March 2024 - 04:34
Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction. Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity. Described as an SQL injection flaw, it's rooted in a dependency called org.postgresql:
Category: Hacking & Security

New 'Loop DoS' Attack Impacts Hundreds of Thousands of Systems

The Hacker News - 20 March 2024 - 15:51
A novel denial-of-service (DoS) attack vector has been found to target application-layer protocols based on User Datagram Protocol (UDP), putting hundreds of thousands of hosts likely at risk. Called Loop DoS attacks, the approach pairs "servers of these protocols in such a way that they communicate with each other indefinitely," researchers from the CISPA Helmholtz-Center for
Category: Hacking & Security

Generative AI Security - Secure Your Business in a World Powered by LLMs

The Hacker News - 20 March 2024 - 12:27
Did you know that 79% of organizations are already leveraging Generative AI technologies? Much like the internet defined the 90s and the cloud revolutionized the 2010s, we are now in the era of Large Language Models (LLMs) and Generative AI. The potential of Generative AI is immense, yet it brings significant challenges, especially in security integration. Despite their powerful capabilities,
Category: Hacking & Security

TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks

The Hacker News - 20 March 2024 - 12:26
Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT. The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative
Category: Hacking & Security

Android malware, Android malware and more Android malware

Kaspersky Securelist - 20 March 2024 - 12:00

Introduction

Malware for mobile devices is something we come across very often. In 2023, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023's most notable attacks was Operation Triangulation, which targeted iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals. Last month, we wrote a total of four private crimeware reports on Android malware, three of which are summarized below.

To learn more about our crimeware reporting service, you can contact us at [email protected].

Tambir

Tambir is an Android backdoor that targets users in Turkey. It disguises itself as an IPTV app, but does not manifest any such functionality. Instead, it is a full-fledged spyware application that collects SMS messages, keystrokes, etc.

Upon starting, the application shows a screen that asks the user in Turkish to enable the accessibility service. Once it is granted all the permissions, the app obtains a C2 address from a public source, such as Telegram, ICQ or Twitter/X. Next, the application shapeshifts by changing its icon to that of YouTube.

Encrypted C2 address in a chat invitation

Tambir supports more than 30 commands that it can retrieve from the C2. These include starting and stopping the keylogger, running an application specified by the attacker, sending SMS messages, dialing a number and so on.

We found certain similarities between Tambir and the GodFather malware. They both target users in Turkey and both support Telegram for retrieving a C2 server address. However, Tambir has a much richer feature set.

Dwphon

In November 2023, we stumbled upon an Android malware variant targeting mobile phones from various Chinese OEMs. Their products were primarily intended for the Russian market. The same malware had earlier been found in the firmware of a kids' smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East.

Dwphon comes as a component of the system update application and exhibits many characteristics of pre-installed Android malware. For example, it collects device and personal information, as well as information about third-party applications installed on the device. The exact infection path is unclear, but our working assumption is that the infected application was incorporated into the firmware as the result of a supply chain attack.

The malware itself consists of a number of modules that provide a range of functions:

  • Main module. Collects system information (e.g. IMSI, system language, etc.) and sends it to the C2. The commands it can receive relate to installing, downloading and deleting apps on the device, downloading files, and showing popups, among others.
  • DsSdk module. Another module that collects device information. It has its own C2 and cannot receive commands.
  • ExtEnabler module. Starts and monitors other applications. Part of its functionality is sending a broadcast message when an application is started. Some of the samples we investigated did not contain any receiver code for that broadcast, but we did find one sample that did. That sample includes the Triada Trojan, which hints at a link between Dwphon and Triada, although the evidence is insufficient to confirm it.

Gigabud

Gigabud is an Android RAT (Remote Access Trojan), active since at least mid-2022 and first discovered in January 2023. Focused on stealing banking credentials from individuals in Southeast Asia, it initially mimicked a local airline app, but later crossed borders into other countries, such as Peru, and also shifted its functionality to that of fake loan malware.

Gigabud is written in Kotlin and obfuscated with DexGuard and, in later versions, Virbox. Its various versions mimic apps created by companies in Thailand and Peru, among others. Upon starting, the application shows the login screen of the app it mimics and subsequently sends the entered credentials, along with device information, to the C2. Next, it shows a virtual assistant, which guides the victim through applying for a loan.

It then requests that the accessibility service be enabled, if it isn't already. It needs this to steal credentials and to mimic touch events for bypassing 2FA.

Scheme of the captured data

Beyond harvesting credentials from its fake login screen, Gigabud embeds a screen recording module that streams the infected device's screen to the C2 over WebSocket or RTMP, giving the operators a live view of what the victim does on the device.

Gigabud contains various Chinese language artifacts. For example, the log messages are written in Chinese, the APK signature is in Chinese, and the C2 servers are located in China.

Conclusion

In 2023, we detected more than 1.3 million unique malicious installation packages targeting the Android platform, distributed in various ways. Users can protect themselves by not downloading apps from unofficial app marketplaces and by carefully reviewing the permissions that apps request. Many such apps contain no exploit code at all and rely entirely on the user granting them permissions. Additionally, antimalware tools help to keep your Android device clean.
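Applying the permission-review advice above, here is an added Python example (written for this page; it is not Kaspersky's code or tooling) that triages a decoded AndroidManifest.xml for the pattern Tambir and Gigabud both depend on: SMS and overlay permissions plus a declared accessibility service. The weights, thresholds, package names and both manifests are constructed for illustration, and the activity-alias heuristic assumes the usual way a launcher icon is swapped on Android, not Tambir's actual implementation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Illustrative weights (an assumption of this example, not a Kaspersky scheme):
# what each permission lets a spyware app do once the user has granted it.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": (3, "intercept incoming SMS, e.g. one-time codes"),
    "android.permission.READ_SMS": (3, "read stored SMS"),
    "android.permission.SEND_SMS": (2, "send SMS on the victim's behalf"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "draw overlays such as fake login screens"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "side-load further payloads"),
    "android.permission.CALL_PHONE": (1, "dial numbers without user interaction"),
    "android.permission.READ_PHONE_STATE": (1, "collect device identifiers"),
}


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml and explain every point awarded."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0

    declared = {android_attr(p, "name") for p in root.iter("uses-permission")}
    for perm in sorted(p for p in declared if p):
        if perm in RISKY_PERMISSIONS:
            weight, why = RISKY_PERMISSIONS[perm]
            score += weight
            findings.append("permission %s: %s" % (perm.rsplit(".", 1)[-1], why))

    app = root.find("application")
    if app is not None:
        # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE
        # and/or filtering the AccessibilityService action. Once the user enables it, the
        # app can read screen content, log keystrokes and inject taps (2FA bypass).
        for svc in app.iter("service"):
            actions = {android_attr(a, "name") for a in svc.iter("action")}
            if (android_attr(svc, "permission") == ACCESSIBILITY_PERMISSION
                    or ACCESSIBILITY_ACTION in actions):
                score += 4
                findings.append("accessibility service %s: screen reading, keylogging, "
                                "synthetic touches" % android_attr(svc, "name"))
        # Icon swapping (Tambir turns into "YouTube") is commonly done with a disabled
        # <activity-alias> carrying a different icon that the app enables at runtime.
        for alias in app.iter("activity-alias"):
            if android_attr(alias, "icon") and android_attr(alias, "enabled") == "false":
                score += 2
                findings.append("disabled activity-alias %s with its own icon: possible "
                                "icon swap" % android_attr(alias, "name"))

    verdict = "high" if score >= 8 else "medium" if score >= 3 else "low"
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed manifests for the demo; neither comes from a real sample.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="IPTV Player" android:icon="@mipmap/ic_iptv">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".VideoAlias" android:targetActivity=".MainActivity"
        android:icon="@mipmap/ic_video" android:enabled="false"/>
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SPYWARE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print("%s: score %d (%s)" % (result["package"], result["score"], result["verdict"]))
        for finding in result["findings"]:
            print("  -", finding)
```

On a real APK, decode the binary manifest first (for instance `apktool d sample.apk` writes a readable AndroidManifest.xml) and pass the file contents to `triage_manifest()`. A low score only means the manifest is quiet; it does not prove the app is safe, since a downloader that needs nothing but INTERNET can still fetch a malicious payload later.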

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected].

Indicators of compromise (MD5)

Gigabud
043020302ea8d134afbd5bd37c05d2a8
0960de9d425b5157720f59c2901d4e3b
0677a090eb28837b1bbf3e6ab1822fdd

Dwphon
042f041108a79ac07d7b3165531faa9a
1796e678498bf9a067c43769f4096488
274b8d86042d94a6ca6823841fec6d2c

Tambir
04807757a54ce0fbc8326ea8b11f8169
06148a2e5828e6844c2a1a74030d22b6
098dac0668497d9707045bc1e10ced93
