The European Union’s executive branch has banned TikTok from phones used by employees as a cybersecurity measure, reflecting widening worries over the Chinese-owned video app.
Google this week announced the availability of the first Android 14 developer preview and also shared details on some of the security and privacy improvements the platform update will bring.
Expected to arrive on devices sometime in fall, Android 14 brings new features and APIs, as well as behavioral changes that might impact applications. The purpose of the developer preview is to help application developers learn about these changes and test their applications for compatibility issues.
One of the security enhancements the platform update is set to bring is related to runtime receivers and builds on changes introduced in Android 13, when Google instructed developers to specify whether their application’s registered broadcast receiver should be visible to other apps on the device.
Before Android 13, any application could send unprotected broadcasts to dynamically registered receivers that were not guarded by a signature permission, so an app-internal receiver was reachable from every other package on the device.
To help protect apps from security vulnerabilities, “apps and services that target Android 14 and use context-registered receivers are required to specify a flag to indicate whether or not the receiver should be exported to all other apps on the device,” Google says.
Android 14 also attempts to protect applications from malicious software that might intercept intents, by restricting apps from sending intents internally that do not specify a package.
Additionally, apps can now send implicit intents to exported components only and “must either use an explicit intent to deliver to unexported components, or mark the component as exported”, the internet giant explains.
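The two changes above, as an added example (not code from the original article or from Google): a context-registered receiver that targets Android 14 and is kept app-private with RECEIVER_NOT_EXPORTED, a second receiver that is exported but gated by a permission, and a sender that addresses the unexported receiver with an explicit, package-scoped intent. The action string, permission name and class are hypothetical; ContextCompat.registerReceiver and the RECEIVER_* flags are the real androidx.core API.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;

/** Registers the app's runtime receivers with the export flag Android 14 requires. */
public final class SyncReceivers {

    // Hypothetical, app-private action and signature permission (assumed for illustration).
    static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE";
    static final String PERMISSION_PARTNER = "com.example.app.permission.PARTNER_BROADCAST";

    private final BroadcastReceiver internalReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Only broadcasts originating from this package reach here, because the
            // receiver is registered with RECEIVER_NOT_EXPORTED below.
            onSyncDone(intent.getIntExtra("records", 0));
        }
    };

    private final BroadcastReceiver partnerReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Exported on purpose, but the sender must hold PERMISSION_PARTNER.
            onPartnerEvent(intent.getAction());
        }
    };

    /** Pre-Android 13 this was registerReceiver(r, filter) with no flag: world-reachable. */
    public void register(Context context) {
        // App-internal receiver: not visible to any other package.
        ContextCompat.registerReceiver(context, internalReceiver,
                new IntentFilter(ACTION_SYNC_DONE),
                ContextCompat.RECEIVER_NOT_EXPORTED);

        // Receiver that genuinely needs broadcasts from another app: say so explicitly,
        // and require a permission so "exported" does not mean "open to everyone".
        ContextCompat.registerReceiver(context, partnerReceiver,
                new IntentFilter("com.example.partner.action.EVENT"),
                PERMISSION_PARTNER, /* scheduler = main thread */ null,
                ContextCompat.RECEIVER_EXPORTED);
    }

    /** Android 14 rejects an internal broadcast that names no package; scope it explicitly. */
    public static void notifySyncDone(Context context, int records) {
        Intent intent = new Intent(ACTION_SYNC_DONE)
                .setPackage(context.getPackageName())   // explicit target: our own package
                .putExtra("records", records);
        context.sendBroadcast(intent);
    }

    public void unregister(Context context) {
        context.unregisterReceiver(internalReceiver);
        context.unregisterReceiver(partnerReceiver);
    }

    private void onSyncDone(int records) { /* update UI or state */ }

    private void onPartnerEvent(String action) { /* handle partner event */ }
}
```

Without the setPackage call, notifySyncDone would be an implicit broadcast; on Android 14 it would never be delivered to the unexported receiver, and on older releases it could be observed by any app that registered the same action.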
To prevent malicious use of dynamic code loading (DCL), applications built for Android 14 will have to mark dynamically loaded files (DEX, JAR or APK) as read-only before loading them; otherwise the system throws an exception. According to Google, developers should avoid dynamically loading code altogether, as it exposes applications to code injection or code tampering.
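The read-only requirement, as an added example rather than code from the article or from Google: a loader that writes a plugin into app-private storage, marks the file read-only before any bytes land in it (permission checks happen at open time, so the already-open stream can still write), and only then hands it to DexClassLoader. PluginLoader and its parameters are hypothetical; the caller is assumed to have verified the plugin's signature before calling load, since the read-only flag only closes a local tampering window and does not authenticate the code.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

/** Loads already-verified plugin code the way Android 14 requires: file read-only first. */
public final class PluginLoader {

    private PluginLoader() {}

    /**
     * @param verifiedPlugin stream of a DEX/JAR whose signature the caller has ALREADY checked
     *                       (assumption for this example; DCL without verification is unsafe)
     * @param name           plain file name component, e.g. "reports-v3"
     */
    public static ClassLoader load(Context ctx, InputStream verifiedPlugin, String name)
            throws IOException {
        if (name.contains("/") || name.contains("..")) {
            throw new IOException("invalid plugin name");
        }
        // App-private directory: other apps cannot read or replace the file.
        File dir = ctx.getDir("plugins", Context.MODE_PRIVATE);
        File jar = new File(dir, name + ".jar");

        // A stale, writable file would fail the Android 14 check; start clean.
        if (jar.exists() && !jar.delete()) {
            throw new IOException("cannot replace existing plugin " + jar);
        }

        try (FileOutputStream os = new FileOutputStream(jar)) {
            // Mark read-only BEFORE writing the payload so there is no window in which a
            // writable file exists on disk. The open stream keeps its write access.
            if (!jar.setReadOnly()) {
                throw new IOException("cannot mark plugin read-only: " + jar);
            }
            byte[] buf = new byte[8192];
            int n;
            while ((n = verifiedPlugin.read(buf)) != -1) {
                os.write(buf, 0, n);
            }
        }

        // Belt and braces: refuse to load anything that somehow became writable.
        if (jar.canWrite()) {
            throw new IOException("plugin is writable, refusing to load: " + jar);
        }

        // optimizedDirectory is ignored since API 26; pass null.
        return new DexClassLoader(jar.getAbsolutePath(), null, null, ctx.getClassLoader());
    }
}
```

The order matters: calling setReadOnly after the write leaves a writable file on disk during the copy, which is exactly the race the platform change is meant to remove.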
Because some malware deliberately targets API level 22 (to avoid the runtime permission model introduced in Android 6.0), Android 14 will also block the installation of applications that target an API level lower than 23. Applications with a targetSdkVersion below 23 that are already installed will remain on the device.
Android 14 also arrives with Credential Manager, a new Jetpack API that includes support for multiple sign-in methods, including federated sign-in solutions and passkeys, along with the classic username and password pair.
Currently available in alpha, Credential Manager allows users to create passkeys and save them in Google Password Manager, for passwordless authentication across devices, in both Android and Chrome.
Google this week announced the release of patches for 40 vulnerabilities as part of the February 2023 security updates for the Android operating system.
The first part of the update arrives on devices as a 2023-02-01 security patch level and resolves a total of 17 high-severity vulnerabilities impacting components such as Framework, Media Framework, and System.
“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.
While most of the vulnerabilities addressed with this patch level could lead to escalation of privilege, several information disclosure and denial-of-service (DoS) bugs were also resolved.
The second part of the update arrives on devices as the 2023-02-05 security patch level and resolves 23 security defects in Kernel, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source components.
This month, Google also announced fixes for three vulnerabilities specific to Pixel devices. All Pixels running a patch level of 2023-02-05 will be patched against these three bugs and all the issues resolved with Android’s February 2023 security update.
The internet giant also announced the release of one patch as part of this month’s Android Automotive OS (AAOS) update, in addition to the fixes described in the February 2023 Android security bulletin.
As usual, Google notified manufacturers of the addressed issues at least a month before publishing the security bulletins. The company also released source code patches to the Android Open Source Project (AOSP) repository.
While Pixel users can already manually grab the latest security fixes, users of other devices will have to wait for their phone makers to release the necessary updates for them.
A critical vulnerability affecting wireless communication base stations from Baicells Technologies can be exploited to cause disruption in telecom networks or take complete control of data and voice traffic, according to a researcher.
Baicells Technologies is a US-based telecommunications equipment provider for 4G and 5G networks. The company says more than 100,000 of its base stations are deployed across 64 countries around the world.
Offensive security researcher Rustam Amin discovered that at least some of Baicells’ Nova base station products are affected by a critical command injection vulnerability that can be exploited remotely, without authentication, by sending specially crafted HTTP requests to the targeted device.
Exploitation of the vulnerability, tracked as CVE-2023-24508, can allow an attacker to run shell commands with root privileges and take complete control of a device, Amin told SecurityWeek.
The researcher explained that an attacker could, for instance, easily shut down a device to cause disruption. In addition, they could take full control over the traffic and phone calls going over a targeted network. A hacker could obtain information such as phone numbers, IMEI, and location data.
However, conducting such an attack is not an easy task and it requires specific knowledge of the targeted network.
Amin told SecurityWeek that there are more than 1,150 devices exposed to the internet, mostly located in the United States.
Baicells published an advisory to inform customers about the vulnerability on January 24. The researcher said the vendor was quick to respond to his notification and quick to issue a patch.
Nova 227, 233, 243 and 246 base stations are affected. The security hole has been patched with the release of version 3.7.11.3.
The vendor’s advisory only mentions Nova products as being impacted, but the researcher believes other products could be impacted as well.
Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam. It is not new. What is new is that apps perpetrating the scam can be downloaded from the official Apple and Android app stores – giving them greater apparent validity to targets.
The scam is a version of romance scam, where targets are befriended, lured in, persuaded to download a disguised malicious app, drawn into false cryptocurrency dealing, and defrauded. It’s a long game social engineering scam built on trust rather than fear, greed, or urgency.
It originated in China. When the Chinese authorities clamped down, the gangs decamped to places like Cambodia. Now, according to an analysis from Sophos, the gangs are well organized but as ugly as the scam. At the top of the hierarchy is the ‘head office’ which does supervision and money laundering.
The scam itself is subcontracted to affiliates, which have a front desk handling staffing, a tech team handling the technology involved, and a finance team looking after the money. Profits tend to be divided 60-40 – with 40% going to the head office.
At the bottom of the pile are the keyboarders who liaise with, and trick the targets. These are often victims themselves, sometimes foreigners lured into the process by the promise of earning money, and kept in the process by the threat of violence.
The new danger exposed by Sophos is not the scam (that’s not new) but the criminals’ success in getting malicious apps into the official app stores (Ace Pro and MBM_BitScan into the App Store, and BitScan into Google Play). This is not uncommon with Google Play, but unusual with Apple. In two separate examples that bypassed Apple’s App Store review, a legitimate-looking app initially communicates with a benign back end. Nothing malicious can be seen, so the apps passed Apple’s review.
Only after the app is accepted, downloaded, and launched does the developer switch domains, from the benign back end to a malicious server that delivers the malicious content.
How fraudulent applications likely evaded the Apple review process. (Image Credit: Sophos)
“When we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app,” comments Jagadeesh Chandraiah, senior threat researcher at Sophos. “This obviously involves an additional level of social engineering—a level that’s hard to surmount.”
Many potential victims would be ‘alerted’ that something wasn’t right if they could not directly download a supposedly legitimate app. But by getting an application into the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.
“Both apps are also unaffected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering,” continued Chandraiah. “In fact, these CryptoRom scammers may be shifting their tactics – that is, focusing on bypassing the App Store review process – in light of the security features in Lockdown.”
The scam still requires extensive social engineering. The victim is typically approached via a dating app, and then invited to switch the conversation to WhatsApp. In one case, the victim was based in Switzerland. The scammer or scammers used a manufactured profile of a woman based in London, with a full and compelling Facebook profile complete with professional or stolen location and lifestyle photos.
“After establishing a rapport, the criminals behind the profile told the victim that ‘her’ uncle worked for a financial analysis firm, and invited the victim to do cryptocurrency trading together.” It was at this point that the victim was introduced to the fake application in the app store.
In such cases, a degree of patience is still demonstrated by the attackers. Crypto investment begins slowly, and the victim can even make withdrawals from the crypto account. But the investment goes straight to the criminals. By the time the victim realizes that something is wrong, both the money and the scammers are gone.
This scam, says the Sophos report, “is a well-organized, syndicated scam operation that uses a combination of romance-centered social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence.” The worrying possibility for the future is that emerging artificial intelligence such as ChatGPT will make such detailed and professional social engineering even more compelling, and widely available to less sophisticated criminals.
South Dakota Gov. Kristi Noem said Monday that her personal cell phone number has been hacked and blamed it on the release of her Social Security number amid hundreds of documents that the House Jan. 6 committee released last year.
The Republican governor, who is weighing a 2024 White House bid, said in a statement that her personal cell phone number had been linked to hoax calls. She has written letters urging U.S. Attorney General Merrick Garland and Congress to investigate the release of her family’s Social Security numbers after they were included in a list of personal information for thousands of people who visited the White House during then-President Donald Trump’s term.
“Callous mishandling of personal information has real world consequences,” Noem said in a statement. “If you get such a phone call from my number, know that I had no involvement.”
Noem said that South Dakota’s Fusion Center, a state agency that compiles criminal intelligence, has been notified of the cell phone hack. Her office did not offer further evidence that the release of her personal information led to the hack.
Apple on Monday announced the release of iOS 12.5.7, which brings a patch for an actively exploited vulnerability to old iPhones and iPads.
The tech giant released security updates for iOS, macOS and other products on Monday to patch many vulnerabilities, including a couple of WebKit flaws that can lead to arbitrary code execution.
In addition to updates for the latest versions of its operating systems, Apple announced the release of iOS 12.5.7, which patches CVE-2022-42856, a WebKit vulnerability that has been exploited by hackers against devices running iOS prior to version 15.1.
The vulnerability, whose exploitation was first seen by Google’s Threat Analysis Group (TAG), can be used for arbitrary code execution through specially crafted web content.
Apple rolled out its first round of patches for CVE-2022-42856 in December 2022, when it released iOS 16.1.2. The fix was also included at the time in macOS Ventura 13.1, tvOS 16.2, Safari 16.2, and iOS and iPadOS 15.7.2.
A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.
Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).
The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).
“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.
Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed while a pointer to it is retained, the classic use-after-free condition.
What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.
As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.
Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.
Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch would be released and redirected the report to the Arm team.
After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.
Apple’s product security response team on Monday rolled out patches to cover numerous serious security vulnerabilities affecting users of its flagship iOS and macOS platforms.
The most serious of the documented vulnerabilities affect WebKit and can expose both iOS and macOS devices to code execution attacks via booby-trapped web content, Apple warned in multiple advisories.
On the mobile side, Apple pushed out iOS and iPadOS 16.3 with fixes for more than a dozen documented security defects in a range of operating system components. These include a trio of WebKit rendering engine bugs that expose devices to arbitrary code execution.
The WebKit flaws also affect users of Apple’s macOS Ventura, Monterey and Big Sur operating systems.
The iOS and iPadOS 16.3 update also fixes privacy- and data-exposure vulnerabilities in AppleMobileFileIntegrity, ImageIO, kernel, Maps, Safari, Screen Time and Weather.
The company also rolled out macOS Ventura 13.2 with patches for about 25 documented vulnerabilities, some serious enough to cause code execution attacks.