Android’s February 2023 Updates Patch 40 Vulnerabilities


Google this week announced the release of patches for 40 vulnerabilities as part of the February 2023 security updates for the Android operating system.

The first part of the update arrives on devices as a 2023-02-01 security patch level and resolves a total of 17 high-severity vulnerabilities impacting components such as Framework, Media Framework, and System.

“The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory.

While most of the vulnerabilities addressed with this patch level could lead to escalation of privilege, several information disclosure and denial-of-service (DoS) bugs were also resolved.

The second part of the update arrives on devices as the 2023-02-05 security patch level and resolves 23 security defects in Kernel, MediaTek, Unisoc, Qualcomm, and Qualcomm closed-source components.
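Because the two patch levels cover different component sets, a fleet inventory needs to tell "has 2023-02-01" apart from "has 2023-02-05". The following is an added example, not code from SecurityWeek or Google: it reads the standard `ro.build.version.security_patch` property out of `adb shell getprop` output and classifies each device against the two dates named in the bulletin. The getprop dumps are constructed samples, not captures from real devices.

```python
"""Classify Android devices by February 2023 security patch level.

Added example, not code from SecurityWeek or Google. The two patch-level dates
come from the article; ro.build.version.security_patch is the standard Android
property that reports a device's patch level. The getprop dumps below are
constructed samples, not captures from real devices.
"""
from datetime import date
from typing import Optional

# Patch levels named in the February 2023 Android security bulletin.
FRAMEWORK_LEVEL = date(2023, 2, 1)  # Framework, Media Framework, System fixes
VENDOR_LEVEL = date(2023, 2, 5)     # adds Kernel, MediaTek, Unisoc, Qualcomm fixes

PROPERTY = "ro.build.version.security_patch"


def parse_patch_level(getprop_output: str) -> Optional[date]:
    """Extract the patch level from `adb shell getprop` output.

    getprop prints one property per line as `[name]: [value]`. Returns None if
    the property is absent or its value is not an ISO date.
    """
    for line in getprop_output.splitlines():
        line = line.strip()
        if not line.startswith(f"[{PROPERTY}]:"):
            continue
        value = line.split(":", 1)[1].strip().strip("[]")
        try:
            return date.fromisoformat(value)
        except ValueError:
            return None
    return None


def february_2023_coverage(patch_level: Optional[date]) -> str:
    """Map a patch level to how much of the February 2023 bulletin it includes.

    Patch levels are cumulative, so anything at or after 2023-02-05 carries
    both halves of the bulletin.
    """
    if patch_level is None:
        return "unknown"   # cannot tell; treat as unpatched in an inventory
    if patch_level >= VENDOR_LEVEL:
        return "full"      # 2023-02-01 and 2023-02-05 fixes
    if patch_level >= FRAMEWORK_LEVEL:
        return "partial"   # framework/media/system fixes only
    return "missing"       # none of the February 2023 fixes


def audit(devices: dict) -> dict:
    """Return {device_name: coverage} for a fleet of getprop dumps."""
    return {name: february_2023_coverage(parse_patch_level(output))
            for name, output in devices.items()}


# Constructed getprop excerpts for four hypothetical devices.
SAMPLE_DEVICES = {
    "pixel-a": "[ro.build.version.release]: [13]\n"
               "[ro.build.version.security_patch]: [2023-02-05]\n",
    "oem-b": "[ro.build.version.release]: [12]\n"
             "[ro.build.version.security_patch]: [2023-02-01]\n",
    "oem-c": "[ro.build.version.release]: [11]\n"
             "[ro.build.version.security_patch]: [2022-12-05]\n",
    "oem-d": "[ro.build.version.release]: [11]\n",   # property missing
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_DEVICES).items():
        print(f"{name}: {status}")
```

In practice the getprop text would come from `adb shell getprop` run against each enrolled device; a device reporting only the 2023-02-01 level is still missing the kernel and chipset-vendor fixes that arrive with 2023-02-05.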

This month, Google also announced fixes for three vulnerabilities specific to Pixel devices. All Pixels running a patch level of 2023-02-05 will be patched against these three bugs and all the issues resolved with Android’s February 2023 security update.

The internet giant also announced the release of one patch as part of this month’s Android Automotive OS (AAOS) update, in addition to the fixes described in the February 2023 Android security bulletin.

As usual, Google notified manufacturers of the addressed issues at least a month before publishing the security bulletins. The company also released source code patches to the Android Open Source Project (AOSP) repository.

While Pixel users can already manually grab the latest security fixes, users of other devices will have to wait for their phone makers to release the necessary updates for them.

Related: Android’s First Security Updates for 2023 Patch 60 Vulnerabilities

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Patches High-Severity Privilege Escalation Vulnerabilities in Android

The post Android’s February 2023 Updates Patch 40 Vulnerabilities appeared first on SecurityWeek.

Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping


A critical vulnerability affecting wireless communication base stations from Baicells Technologies can be exploited to cause disruption in telecom networks or take complete control of data and voice traffic, according to a researcher.

Baicells Technologies is a US-based telecommunications equipment provider for 4G and 5G networks. The company says more than 100,000 of its base stations are deployed across 64 countries around the world. 

Cyber offensive researcher Rustam Amin discovered that at least some of Baicells’ Nova base station products are affected by a critical command injection vulnerability that can be exploited remotely without authentication by sending specially crafted HTTP requests to the targeted device.

Exploitation of the vulnerability, tracked as CVE-2023-24508, can allow an attacker to run shell commands with root privileges and take complete control of a device, Amin told SecurityWeek. 

The researcher explained that an attacker could, for instance, easily shut down a device to cause disruption. In addition, they could take full control over the traffic and phone calls going over a targeted network. A hacker could obtain information such as phone numbers, IMEI, and location data. 

However, conducting such an attack is not an easy task and it requires specific knowledge of the targeted network. 

Amin told SecurityWeek that there are more than 1,150 devices exposed to the internet, mostly located in the United States. 

Baicells published an advisory to inform customers about the vulnerability on January 24. The researcher said the vendor was quick to respond to his notification and quick to issue a patch. 

Nova 227, 233, 243 and 246 base stations are affected. The security hole has been patched with the release of version 3.7.11.3.

The vendor’s advisory only mentions Nova products as being impacted, but the researcher believes other products could be impacted as well. 

The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory last week to inform organizations about CVE-2023-24508.

Amin recently also discovered serious vulnerabilities in Econolite EOS traffic controller software, which can be exploited to control traffic lights.

Related: OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities

Related: US Details Chinese Attacks Against Telecoms Providers

Related: Cisco Patches High-Severity Vulnerabilities in Communications, Networking Products


Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam. It is not new. What is new is that apps perpetrating the scam can be downloaded from the official Apple and Android app stores – giving them greater apparent validity to targets.

The scam is a version of romance scam, where targets are befriended, lured in, persuaded to download a disguised malicious app, drawn into false cryptocurrency dealing, and defrauded. It’s a long game social engineering scam built on trust rather than fear, greed, or urgency.

It originated in China. When the Chinese authorities clamped down, the gangs decamped to places like Cambodia. Now, according to an analysis from Sophos, the gangs are well organized but as ugly as the scam. At the top of the hierarchy is the ‘head office’ which does supervision and money laundering.

The scam itself is subcontracted to affiliates, which have a front desk handling staffing, a tech team handling the technology involved, and a finance team looking after the money. Profits tend to be divided 60-40 – with 40% going to the head office.

At the bottom of the pile are the keyboarders who liaise with, and trick, the targets. These are often victims themselves, sometimes foreigners lured into the process by the promise of earning money, and kept in the process by the threat of violence.

The new danger exposed by Sophos is not the scam (that’s not new) but the criminals’ success in getting malicious apps into the official app stores (Ace Pro and MBM_BitScan into the App Store, and BitScan into Google Play). This is not uncommon with Google Play, but unusual with Apple. In two separate examples that bypassed Apple’s App Store review, a legitimate-looking app initially communicates with a benign back end. Nothing malicious can be seen, so the apps passed Apple’s review.

Only after the app is accepted, downloaded, and launched does the developer switch domains, from the benign back end to a malicious server that delivers the malicious content.

How fraudulent applications likely evaded the Apple review process. (Image Credit: Sophos)

“When we originally began investigating CryptoRom scams targeting iOS users, the scammers would have to persuade users to first install a configuration profile before they could install the fake trading app,” comments Jagadeesh Chandraiah, senior threat researcher at Sophos. “This obviously involves an additional level of social engineering—a level that’s hard to surmount.”

Many potential victims would be ‘alerted’ that something wasn’t right if they cannot directly download a supposedly legitimate app. But by getting an application into the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple.

“Both apps are also unaffected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering,” continued Chandraiah. “In fact, these CryptoRom scammers may be shifting their tactics – that is, focusing on bypassing the App Store review process – in light of the security features in Lockdown.”

The scam still requires extensive social engineering. The victim is typically approached via a dating app, and then invited to switch the conversation to WhatsApp. In one case, the victim was based in Switzerland. The scammer or scammers used a manufactured profile of a woman based in London, with a full and compelling Facebook profile complete with professional or stolen location and lifestyle photos.

“After establishing a rapport, the criminals behind the profile told the victim that ‘her’ uncle worked for a financial analysis firm, and invited the victim to do cryptocurrency trading together.” It was at this point that the victim was introduced to the fake application in the app store.

In such cases, a degree of patience is still demonstrated by the attackers. Crypto investment begins slowly, and the victim can even make withdrawals from the crypto account. But the investment goes straight to the criminals. By the time the victim realizes that something is wrong, both the money and the scammers are gone.

This scam, says the Sophos report, “is a well-organized, syndicated scam operation that uses a combination of romance-centered social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence.” The worrying possibility for the future is that emerging artificial intelligence such as ChatGPT will make such detailed and professional social engineering even more compelling, and more widely available to less sophisticated criminals.

Related: 2,000 People Arrested Worldwide for Social Engineering Schemes

Related: Ongoing Bitcoin Scams Demonstrate Power of Social Engineering Triggers

Related: Meet Domen, a New and Sophisticated Social Engineering Toolkit

Related: Social Engineering: Attackers’ Reliable Weapon


South Dakota’s Noem Says Cell Phone Number Hacked


South Dakota Gov. Kristi Noem said Monday that her personal cell phone number has been hacked and blamed it on the release of her Social Security number amid hundreds of documents that the House Jan. 6 committee released last year.

The Republican governor, who is weighing a 2024 White House bid, said in a statement that her personal cell phone number had been linked to hoax calls. She has written letters urging U.S. Attorney General Merrick Garland and Congress to investigate the release of her family’s Social Security numbers after they were included in a list of personal information for thousands of people who visited the White House during then-President Donald Trump’s term.

“Callous mishandling of personal information has real world consequences,” Noem said in a statement. “If you get such a phone call from my number, know that I had no involvement.”

Noem said that South Dakota’s Fusion Center, a state agency that compiles criminal intelligence, has been notified of the cell phone hack. Her office did not offer further evidence that the release of her personal information led to the hack.

Related: Calls for UK to Probe Reported Hacking of Liz Truss’s Phone

Related: Catalan: Spain Spy Chief Admits Legally Hacking Some Phones

Related: Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers


Apple Patches Exploited iOS Vulnerability in Old iPhones


Apple on Monday announced the release of iOS 12.5.7, which brings a patch for an actively exploited vulnerability to old iPhones and iPads.

The tech giant released security updates for iOS, macOS and other products on Monday to patch many vulnerabilities, including a couple of WebKit flaws that can lead to arbitrary code execution.

In addition to updates for the latest versions of its operating systems, Apple announced the release of iOS 12.5.7, which patches CVE-2022-42856, a WebKit vulnerability that has been exploited by hackers against devices running iOS prior to version 15.1.

The vulnerability, whose exploitation was first seen by Google’s Threat Analysis Group (TAG), can be used for arbitrary code execution through specially crafted web content. 

Apple rolled out its first round of patches for CVE-2022-42856 in December 2022, when it released iOS 16.1.2. The fix was also included at the time in macOS Ventura 13.1, tvOS 16.2, Safari 16.2, and iOS and iPadOS 15.7.2.

Security updates for iOS 12 are increasingly rare, but Apple still releases patches when it needs to protect customers against exploited flaws.

There is still no public information on the attacks involving CVE-2022-42856, but Google’s TAG typically tracks exploits used by sophisticated state-sponsored threat actors or commercial spyware vendors.

According to data from Google, five of the iOS vulnerabilities discovered in 2022 were exploited in the wild. 

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Related: Apple: WebKit Bugs Exploited to Hack Older iPhones

Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch


Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones


A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.

Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).

The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU that also supports jobs implemented in the kernel, which run on the CPU instead (so-called software jobs, or softjobs).

“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.

Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed while a pointer to it is retained.

What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.

As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.

Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.

Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch would be released and redirected the report to the Arm team.

After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Migrating Android to Memory-Safe Programming Languages

Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data


Apple Patches WebKit Code Execution in iPhones, MacBooks


Apple’s product security response team on Monday rolled out patches to cover numerous serious security vulnerabilities affecting users of its flagship iOS and macOS platforms.

The most serious of the documented vulnerabilities affect WebKit and can expose both iOS and macOS devices to code execution attacks via booby-trapped web content, Apple warned in multiple advisories.

On the mobile side, Apple pushed out iOS and iPadOS 16.3 with fixes for more than a dozen documented security defects in a range of operating system components. These include a trio of WebKit rendering engine bugs that expose devices to arbitrary code execution.

The WebKit flaws also affect users of Apple’s macOS Ventura, Monterey and Big Sur operating systems.

The iOS and iPadOS 16.3 update also fixes privacy- and data-exposure vulnerabilities in AppleMobileFileIntegrity, ImageIO, kernel, Maps, Safari, Screen Time and Weather.

The company also rolled out macOS Ventura 13.2 with patches for about 25 documented vulnerabilities, some serious enough to cause code execution attacks.

Related: Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks

Related: Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day

Related: Zoom Patches High Risk Flaws on Windows, MacOS Platforms


Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution


Cybersecurity firm NCC Group has shared details on two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

An alternative app marketplace, the Galaxy Store comes pre-installed on Samsung’s Android devices and can be used alongside Google Play to download and install software.

Tracked as CVE-2023-21433, the first of the vulnerabilities that NCC Group has identified could allow rogue applications on a device to download and install additional software from the Galaxy Store, without the user’s knowledge.

The issue is described as an improper access control flaw, where the app store contained an exported activity that failed to safely handle incoming intents. The bug, NCC explains, only impacted devices running Android 12 and older.

The second vulnerability, CVE-2023-21434, is described as an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

“It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” NCC Group explains.

The vulnerability can be exploited by tapping a malicious URL in Chrome or a pre-installed rogue application, which would bypass existing URL filtering.
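The second flaw is a familiar class: a webview navigation filter that decides on the text of a URL rather than on its parsed host. The following is an added example, not NCC Group’s or Samsung’s code. The article says only that the filter “was not properly configured”, so the weak filter here is an assumed, representative substring match used for illustration, placed beside a strict host allowlist that shows what the check should do. Host names are placeholders and the URLs are constructed test inputs.

```python
"""Host allowlisting for an in-app WebView: a weak filter beside a strict one.

Added example, not NCC Group's or Samsung's code. The article says the Galaxy
Store webview's domain filter "was not properly configured" but does not give
the check itself, so the weak filter here is an assumed, representative
substring match used for illustration. Host names are placeholders and the
URLs are constructed test inputs.
"""
from urllib.parse import urlsplit

# Hypothetical hosts the in-app webview is meant to be restricted to.
ALLOWED_HOSTS = {"store.example-vendor.com", "apps.example-vendor.com"}


def weak_filter_allows(url: str) -> bool:
    """Representative misconfigured filter: accepts any URL whose text contains
    an allowed host name anywhere. A different registrable domain satisfies it by
    carrying the allowed name in a subdomain, userinfo, path or query, and a
    plain-http URL passes too."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_filter_allows(url: str) -> bool:
    """Decide on the URL's parsed components, not its text: https only, no
    userinfo, default port only, and an exact host match (urlsplit already
    lowercases the hostname)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:          # non-numeric or out-of-range port text
        return False
    return parts.hostname in ALLOWED_HOSTS


# Constructed navigation targets: only the first should be loaded.
CONSTRUCTED_URLS = [
    "https://store.example-vendor.com/app/123",
    "https://store.example-vendor.com.attacker.example/",        # lookalike subdomain
    "https://store.example-vendor.com@attacker.example/",        # allowed name as userinfo
    "https://attacker.example/?next=store.example-vendor.com",   # allowed name in query
    "http://store.example-vendor.com/",                          # cleartext downgrade
]


def compare_filters(urls):
    """Return {url: (weak_allows, strict_allows)} for each candidate URL."""
    return {u: (weak_filter_allows(u), strict_filter_allows(u)) for u in urls}


if __name__ == "__main__":
    for u, (weak, strict) in compare_filters(CONSTRUCTED_URLS).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {u}")
```

On Android the equivalent decision sits in `WebViewClient.shouldOverrideUrlLoading`, and the same rule applies there: parse the request URL, compare `Uri.getHost()` against the allowlist, and refuse anything else rather than pattern-matching the string.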

The cybersecurity firm has published proof-of-concept (PoC) code for both these vulnerabilities.

The security defects were reported to Samsung in November and December 2022. Both issues were addressed in Galaxy Store version 4.5.49.8.

Owners of Samsung devices running Android 12 or below are advised to update to the latest version of Galaxy Store as soon as possible.

Related: VMware Warns of Exploit for Recent NSX-V Vulnerability

Related: CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

Related: Owl Labs Patches Severe Vulnerability in Video Conferencing Devices


Sophisticated ‘VastFlux’ Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted


A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says.

Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme.

The JavaScript code used by the fraudsters allowed them to stack multiple video players on top of one another, generating ad revenue when, in fact, the user was never shown the ads.

VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags.

At the first step of the fraudulent operation, an application would contact its primary supply-side partner (SSP) network to request a banner ad to be displayed.

Demand-side partners (DSPs) would place bids for the slot and, if the winner was VastFlux-connected, several scripts would be injected while a static banner image was placed in the slot.

The injected scripts would decrypt the ad configurations, which included a player hidden behind the banner and parameters for additional video players to be stacked. The script would also call out to the command-and-control (C&C) server to request details on what was to be displayed behind the banner.

The received instructions included both a publisher ID and an app ID that VastFlux would spoof. The size of the ads would also be spoofed, and only certain third-party advertising tags were allowed to run inside the hidden video player stack.

What Human discovered was that as many as 25 ads could be stacked on top of one another, with the fraudsters receiving payment for all of them, although none would be shown to the user.

Additionally, the cybersecurity firm noticed that new ads would be loaded until the ad slot with the malicious ad code was closed.

“It’s in this capacity that VastFlux behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with,” Human notes.

From late June into July 2022, Human attempted to take down the scheme using three mitigation actions, which eventually resulted in the VastFlux traffic being reduced by more than 92%.

The cybersecurity firm says it has identified the fraudsters and worked with the victim organizations to mitigate the fraud, which resulted in the threat actors shutting down their C&C servers.

“As of December 6th, bid requests associated with VastFlux, which reached a peak of 12 billion requests per day, are now at zero,” Human says.

Related: Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

Related: US Recovers $15 Million From Ad Fraud Group

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic
