This Clever New Idea Could Fix AirTag Stalking While Maximizing Privacy

Apple updated its location-tracking system in an attempt to cut down on AirTag abuse while still preserving privacy. Researchers think they’ve found a better balance.

Security Latest

Chinese Hackers Deliver Malware to Barracuda Email Security Appliances via New Zero-Day

Chinese hackers exploited a zero-day tracked as CVE-2023-7102 to deliver malware to Barracuda Email Security Gateway (ESG) appliances.


SecurityWeek

Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

Linux SSH servers with poor security are being targeted by cybercriminals to install port scanners and dictionary attack tools. The attackers aim to compromise other vulnerable servers and use them for cryptocurrency mining and DDoS attacks.

Cyware News – Latest Cyber News

LockBit Gang Claims to Have Breached Accountancy Firm Xeinadin

The LockBit ransomware group has targeted Xeinadin, an accountancy firm with over 60,000 clients, and threatens to leak 1.5 terabytes of stolen customer data if not contacted by the company.

Cyware News – Latest Cyber News

AI moves from theory to practice, zero trust gets real, and other 2024 predictions from Dell CTO

What does 2024 have in store? Improved gen AI ecosystems, next-level security, ‘common edge’ — plus, how quantum will support AI.

Security News | VentureBeat

Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks.
“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on

The Hacker News

RingGo, ParkMobile Owner EasyPark Suffers Data Breach, User Data Stolen

By Waqas

ParkMobile, a globally-used parking app, is the same platform that suffered a massive data breach in 2021 when hackers leaked the data of 21 million customers.


Hackread – Latest Cybersecurity News, Press Releases & Technology Today

Is macOS as secure as its users think? | Kaspersky official blog

Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don’t need to worry about protecting their devices. However, this is far from the case: while there is less malware for macOS, it’s still much more common than Apple device owners would like to think.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive.

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

A site with fake Safari browser updates that actually contain the Atomic stealer.

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

cookies
logins, passwords, and bank card details stored in the browser
passwords from the macOS password storage system (Keychain)
files stored on the hard drive
stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s operating systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.

Kaspersky official blog

How to hack Android, macOS, iOS, and Linux through a Bluetooth vulnerability | Kaspersky official blog

A severe vulnerability has been found in the implementations of the Bluetooth protocol across several popular operating systems: Android, macOS, iOS, iPadOS, and Linux. This bug potentially allows remote hacking of vulnerable devices without any particular actions required on the part of the user. Let’s dive into the details.

The Bluetooth vulnerability allows a fake keyboard to be connected

The essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation — bypassing the operating system’s checks responsible for the Bluetooth protocol. The unauthenticated connection feature is specified in the Bluetooth protocol, and issues with certain implementations of the Bluetooth stack in popular operating systems provide attackers with the opportunity to exploit this mechanism.

The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user — without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). According to the security researcher Marc Newlin who discovered this vulnerability, no special equipment is needed for a successful attack — just a Linux laptop and a standard Bluetooth adapter.

As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.

Which devices and operating systems are vulnerable?

This vulnerability affects a range of operating systems and several classes of devices based on them — albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.

Android

Android devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions — Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 — and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that’s required for this hack is for Bluetooth to be enabled on the device.

The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. These manufacturers now have the task of creating and distributing the necessary security updates to their customers’ devices.

Of course, these patches must be installed as soon as they become available for devices running on Android 11/12/13/14. Until then, to protect against hacking, it’s advisable to keep Bluetooth turned off. For devices running older Android versions, there’ll be no updates — they’ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.

MacOS, iPadOS, and iOS

As for Apple’s operating systems, the researcher didn’t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS — Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It’s safe to assume that in fact a wider range of macOS and iOS versions — as well as related systems like iPadOS, tvOS, and watchOS — are vulnerable to the Bluetooth attack.

Another piece of bad news is that the enhanced security mode introduced by Apple this year — the so-called “Lockdown Mode” — doesn’t protect against attacks exploiting this Bluetooth vulnerability. This applies to both iOS and macOS.

Just in case, we remind you how to properly turn off Bluetooth in iOS and iPadOS: this should be done not through the Control Center but through the Settings.

Fortunately, a successful attack on Apple’s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.

This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.

The researcher reported the discovered bug to Apple around the same time as Google, but so far there’s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.

Linux

This attack also works for BlueZ — the Bluetooth stack included in the official Linux kernel. Marc Newlin confirmed the presence of the Bluetooth vulnerability in Ubuntu Linux versions 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (CVE-2020-0556). However, this fix was, by default, disabled in most popular Linux distributions, and is only enabled in ChromeOS (according to Google).

The Linux vulnerability discovered by the researcher was assigned the number CVE-2023-45866, and a CVSS v3 score of 7.1 out of 10, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.

The good news is that a patch for this vulnerability in Linux is already available, and we recommend installing it as soon as possible.

Kaspersky official blog

How criminals disguise URLs | Kaspersky official blog

Corporate information security specialists usually know quite a few confident employees who say that they don’t click on dangerous links and are therefore not susceptible to cyberthreats. Sometimes those employees use this argument when asking to have corporate security measures turned off, which somehow interfere with work. But attackers often disguise malicious and phishing links, trying to confuse both mail filters and human observers. What they want is to make victims (even if they are examining URLs as we repeatedly advise) click on an address that actually takes them to a different one. Here are the most common methods used by cybercriminals to hide malicious or phishing URLs.

An @ symbol in the address

The simplest way to hide the real domain in the address is to use the @ symbol in the URL. This is a completely legitimate symbol that can be used to embed a login and a password in the website address — HTTP allows credentials to be passed to the web server via the URL simply by using the login:password@domain.com format. If the data before the @ symbol is incorrect and not suitable for authentication, the browser simply discards it and takes the user to the address located after the @ symbol. So cybercriminals use this: they come up with a convincing page name, use the name of a legitimate site in it, and place the real address after the @ symbol. For example, look at our blog’s address disguised in this way:

It looks like a page with many words in the name hosted somewhere on the Google domain, but the browser will take you to http://kaspersky.com/blog/.

Numbers instead of the IP address

In the previous method, attackers often try to confuse the user with a long page name in order to distract them from the real address — because it still remains in the URL. But there’s a way to hide it completely — by converting the IP address of a site into an integer. As you may know, IP addresses are not very conveniently stored in databases. Therefore, at some point, a mechanism was invented to convert IP addresses into integers (which are much more convenient to store) and vice versa. And these days, when modern browsers see a number in a URL they automatically convert it into an IP address. In combination with the same @ symbol, it effectively hides the real domain. This is how a link to our corporate website can look:

In using this trick, cybercriminals try to focus attention on the domain before the @ symbol, and make everything else look like some kind of parameter — various marketing tools often insert all sorts of alphanumeric tags into web links.

URL shortener services

Another fairly simple way to hide the real URL is to use one of the legitimate link shortening services. You can include absolutely anything inside a short link — and it’s impossible to check what hides there without clicking.

Google Accelerated Mobile Pages

Several years ago, Google and some partners created the Google AMP framework — a service that was intended to help webpages load faster on mobile devices. In 2017, Google claimed that AMPed pages load in less than a second and use 10 times less data than the same pages without AMP. Now attackers have learned how to use this mechanism for phishing. An email contains a link starting with “google.com/amp/s/”, but if the user clicks it, they’ll be redirected to a site that doesn’t belong to Google. Even some anti-phishing filters often fall for this trick: due to Google’s reputation, they consider such a link to be sufficiently reliable.

Email service providers

Another way to hide your page behind someone else’s URL is to use an ESP; that is, a service for creating legitimate newsletters and other mailouts. We’ve already written in detail about this method in one of our previous posts. In short, criminals employ one of these services, create a mailing campaign, input a phishing URL, and as a result get a ready-made clean address, which has the reputation of an ESP company. ESP companies of course try to fight such misuse of their service, but it doesn’t always work out.

Redirect via Baidu

The Chinese search engine Baidu has quite an interesting approach to showing search results. Unlike Google, it doesn’t give you links to the sites, but instead makes links to itself with a redirect to the site searched for. That is, in order to disguise a malicious URL as Baidu, all cybercriminals need to do is search for the page (and that is quite simple if you enter the exact address), copy the link and paste it in the phishing email.

And by and large, we don’t know just how many other services there are that can redirect URLs or even cache pages on their side (be it for their own needs or in the name of convenience of content delivery).
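The following is an added example, not code from the original post: a small mail-filter style check that recovers the destination a browser will actually visit for the @-symbol, integer-IP, and Google AMP tricks described above. The sample URLs are constructed for illustration; `example.com` and `example.net` stand in for a lure and a phishing host.

```python
"""Reveal the effective destination of a disguised URL (added example).

Handles three tricks from the post: credentials placed before '@' so a
trusted-looking name precedes the real host, an integer in place of a
dotted IPv4 address, and a google.com/amp/s/<host>/... redirect link.
"""
from urllib.parse import urlsplit
import ipaddress

AMP_PREFIX = "/amp/s/"


def decode_integer_host(host: str) -> str:
    """Browsers accept a bare integer (decimal or 0x-hex) as an IPv4 address.
    Return the dotted form for such a host; any other host is returned as-is."""
    try:
        value = int(host, 0)  # base 0 accepts plain decimal and 0x... hex
    except ValueError:
        return host
    if 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return host


def analyze_url(url: str) -> dict:
    """Return the host the browser will really contact plus a list of findings."""
    parts = urlsplit(url)
    findings = []
    host = parts.hostname or ""

    # Trick 1: anything before '@' is userinfo, not the host, and is discarded.
    if parts.username is not None:
        findings.append(f"text before '@' ({parts.username}) is not the host")

    # Trick 2: the host may be an integer that the browser converts to an IP.
    decoded = decode_integer_host(host)
    if decoded != host:
        findings.append(f"integer host {host} is IP address {decoded}")
        host = decoded

    # Trick 3: google.com/amp/s/<real-host>/... forwards to the embedded host.
    if host.endswith("google.com") and parts.path.startswith(AMP_PREFIX):
        target = parts.path[len(AMP_PREFIX):].split("/", 1)[0]
        findings.append(f"AMP link forwards to {target}")
        host = target

    return {"effective_host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links in the three styles the post describes.
    for sample in (
        "http://www.example.com.account.verify@kaspersky.com/blog/",
        "http://www.example.com@3232235777/login",
        "https://www.google.com/amp/s/example.net/login",
    ):
        print(sample, "->", analyze_url(sample))
```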

Practical takeaways

No matter how confident your employees are, we doubt that they really can tell whether a link is dangerous or not. We therefore recommend backing them up with protective solutions. Moreover, we recommend using such solutions both at the corporate mail server level and at the level of internet-enabled working devices.

Kaspersky official blog