The requirements set by online services for user verification — whether it’s password length, a mandatory phone number, or biometric checks with blinking — are often governed by industry standards. One of the most important documents in this field is NIST SP 800-63, the Digital Identity Guidelines developed by the US National Institute of Standards and Technology (NIST). This standard is mandatory for all US government agencies and their contractors; in practice, this means that all the world’s largest IT companies adhere to it, with consequences reaching far beyond the borders of the United States.
Even organizations that aren’t strictly required to comply with NIST SP 800-63 would still benefit from familiarizing themselves with these updated guidelines, as they often serve as a blueprint for regulators in other countries and industries. The recent update, developed through four rounds of public revisions with industry experts, reflects the latest understanding of digital identification and authentication. It covers security and privacy requirements, and considers a possible distributed (federated) approach. The standard is practical, and factors in human considerations — how users respond to various authentication requirements.
This new edition formalizes concepts, and outlines requirements for:
passkeys (referred to in the standard as “syncable authenticators”);
phishing-resistant authentication;
user storage of passwords and accesses (“attribute bundles”);
regular re-authentication;
session tokens.
So — how to authenticate users in 2024?
Password authentication
The standard defines three Authentication Assurance Levels (AALs). AAL1 allows the least restrictions and minimal confidence that the user is indeed who they claim to be, while AAL3 offers the strongest guarantees and requires more stringent authentication. Only AAL1 permits single-factor authentication — such as just a single password.
The requirements for passwords are as follows:
Only centrally verified secrets sent by the user to the server over a secure channel qualify as passwords. Passwords that are stored and verified locally are termed “activation secrets” and have different requirements.
Passwords shorter than eight characters are prohibited, with a minimum of 15 characters recommended.
Scheduled, mandatory password rotation is considered an outdated practice and therefore prohibited.
It’s also prohibited to impose requirements on password composition (such as “your password must contain a letter, a number, and a symbol”).
It’s recommended to allow using any visible ASCII characters, spaces, and most Unicode symbols (such as emojis).
Maximum password length, if enforced, must be at least 64 characters.
Truncating passwords during verification is prohibited, but trimming leading/trailing whitespace is allowed if it interferes with authentication.
Using and storing password hints or security questions (such as “your mother’s maiden name”) is prohibited.
Commonly used passwords must be eliminated through the use of a stop-list of popular or leaked passwords.
Compromised passwords (for example, appearing in data breaches) must be reset immediately.
Login attempts must be limited in both rate and number of unsuccessful attempts.
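The password rules above, as an added example that is not part of the original article: a policy check with no composition rules, no truncation, Unicode allowed, a stop-list, and a server-side verifier that counts failed attempts and locks the account. The stop-list, the scrypt parameters, the lockout threshold and the rejection of control characters are this example’s own assumptions, not figures from the standard.

```python
import hashlib
import hmac
import os
import time
import unicodedata

MIN_LEN = 8      # SP 800-63B: passwords shorter than 8 characters are prohibited
MAX_LEN = 64     # if a maximum is enforced at all, it must be at least 64
# Constructed stand-in for a real stop-list of popular or breached passwords.
STOP_LIST = {"password", "123456789", "qwertyuiop", "letmein123"}

def canonicalize(pw: str) -> str:
    """NFKC-normalize and trim leading/trailing whitespace; never truncate."""
    return unicodedata.normalize("NFKC", pw).strip()

def check_password_policy(pw: str) -> list[str]:
    """Return policy violations (an empty list means the password is acceptable)."""
    pw = canonicalize(pw)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in STOP_LIST:
        problems.append("on the stop-list of common/leaked passwords")
    # Deliberately no composition rule ("must contain a digit/symbol").
    # Visible ASCII, spaces and Unicode (emoji included) are all accepted;
    # rejecting control characters is this example's own choice.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("contains control characters")
    return problems

class PasswordVerifier:
    """Server-side verifier: salted memory-hard hashes plus failed-attempt lockout."""
    def __init__(self, max_failed: int = 10, lockout_seconds: int = 900):
        self._records = {}  # user -> [salt, hash, failed_count, locked_until]
        self.max_failed = max_failed        # constructed default, not a NIST figure
        self.lockout_seconds = lockout_seconds

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        # scrypt parameters are illustrative, not a recommendation from the standard.
        return hashlib.scrypt(canonicalize(pw).encode(), salt=salt, n=2**14, r=8, p=1)

    def enroll(self, user: str, pw: str) -> None:
        problems = check_password_policy(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._records[user] = [salt, self._hash(pw, salt), 0, 0.0]

    def verify(self, user: str, pw: str, now=None) -> str:
        """Return 'ok', 'bad-password', 'locked' or 'unknown-user'."""
        now = time.time() if now is None else now
        rec = self._records.get(user)
        if rec is None:
            return "unknown-user"
        salt, stored, failed, locked_until = rec
        if now < locked_until:
            return "locked"
        if hmac.compare_digest(self._hash(pw, salt), stored):
            rec[2], rec[3] = 0, 0.0  # a success resets the failure counter
            return "ok"
        rec[2] = failed + 1
        if rec[2] >= self.max_failed:
            rec[3] = now + self.lockout_seconds  # lock after too many failures
            return "locked"
        return "bad-password"
```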
Activation secrets
These are PINs and local passwords that restrict access to the on-device key storage. They can be numeric, with a recommended minimum length of six digits, though four digits are permissible. For AAL3, the primary cryptographic secret (for example, a passkey) must be stored in a tamper-resistant chip and decrypted using the activation secret. For AAL1 and AAL2, it’s enough that the secret restricts access by outsiders, with a limit on input attempts of no more than 10 tries. After the limit is exceeded, the storage is locked and an alternative authentication method is required.
Multi-factor authentication (MFA)
It’s recommended to implement MFA at all AAL levels, but while this is only a suggestion for AAL1, it’s mandatory for AAL2, and only phishing-resistant MFA methods are acceptable for AAL3.
Only cryptographic authentication methods are considered phishing-resistant: USB tokens, passkeys, and cryptographic keys stored in digital wallets conforming to SP 800-63C (distributed identification and authentication services). All cryptographic secrets must be stored in tamper-resistant systems (such as TPM or Secure Enclave). Synchronizing keys across devices and storing them in the cloud is permitted, provided each device meets the standard’s requirements. These provisions enable the use of passkeys across Android and iOS ecosystems.
To ensure resistance to phishing, authentication must be tied to the communication channel (channel binding) or verifier service name (verifier name binding). Examples of these approaches include client-authenticated TLS connections and the WebAuthn protocol from the FIDO2 specification. In simple terms, the client uses cryptography to confirm they’re connecting with the legitimate server rather than a fake one set up for AitM attacks.
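Verifier name binding as WebAuthn implements it, as an added example that is not part of the original article: the relying party checks that the assertion’s clientDataJSON carries its own origin and the challenge it issued, and that the rpIdHash in the authenticator data is the hash of its own RP ID, so an assertion produced on a look-alike origin fails even if the challenge was relayed. The signature check over these bytes is omitted here; the sample origins and messages are constructed for the example.

```python
import base64
import hashlib
import json

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_verifier_binding(client_data_json: bytes, authenticator_data: bytes,
                           expected_origin: str, expected_rp_id: str,
                           expected_challenge: bytes) -> list[str]:
    """Return binding failures (empty list = assertion is bound to this verifier)."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")
    try:
        challenge_ok = b64url_decode(cd.get("challenge", "")) == expected_challenge
    except ValueError:
        challenge_ok = False
    if not challenge_ok:
        failures.append("challenge does not match the one this server issued")
    # The browser fills in the origin the page was actually loaded from.
    if cd.get("origin") != expected_origin:
        failures.append(f"origin {cd.get('origin')!r} is not {expected_origin!r}")
    if len(authenticator_data) < 37:
        return failures + ["authenticator data too short"]
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        failures.append("rpIdHash does not match the expected RP ID")
    if not authenticator_data[32] & 0x01:   # UP (user present) flag
        failures.append("user-presence flag not set")
    return failures

# Constructed sample messages standing in for what a browser and authenticator emit.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # flags 0x05 = UP | UV; the authenticator hashes the RP ID the browser gave it
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))

CHALLENGE = bytes(range(32))   # constructed; a real challenge comes from os.urandom
```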
Time-based one-time passwords (TOTP) from authenticator apps, SMS codes, and one-time codes from scratch cards or envelopes are not phishing-resistant but are permitted for AAL1 and AAL2 services. The standard specifies which methods for handling one-time codes don’t qualify as MFA and must be avoided. One-time codes should not be sent through email or VoIP — they must be delivered over a communication channel that’s separate from the primary authentication process. OTPs sent through SMS and traditional telephone lines are acceptable — even if both connections (for example, internet and SMS) are on the same device.
Use of biometrics
The standard restricts the use of biometrics — they may serve as an authentication factor, but are prohibited for identification. Biometric checks must be used only as a supplemental factor combined with proof of possession (for example, a smartphone or token — something you physically possess).
Biometric equipment and algorithms must ensure a false match rate (FMR) no greater than 1 in 10,000, and a false non-match rate (FNMR) no greater than 5%. These accuracy rates must be consistent across all demographics. The verification algorithm must also be resistant to presentation attacks in which the sensor is shown a photo or video instead of a live person.
After generating and verifying a cryptographic “fingerprint” from biometric data, the standard mandates immediate deletion (zeroing out) of collected biometric data.
Like other authentication methods, biometric checks must include limits on input rate and the number of unsuccessful attempts.
In its latest security bulletin, Google has patched two actively exploited zero-day vulnerabilities in Android, marking a crucial step toward protecting users from likely spyware attacks.
The November update addresses a total of 51 vulnerabilities, including a critical issue in Qualcomm components. Android users are strongly advised to install these updates to secure their devices against potential exploitation.
Key Vulnerabilities in Focus: CVE-2024-43047 and CVE-2024-43093
The two zero-days—tracked as CVE-2024-43047 and CVE-2024-43093—have been identified as exploited in targeted attacks. “There are indications that the following may be under limited, targeted exploitation,” Google said in its November Android Security Bulletin.
These vulnerabilities have raised concerns due to their ability to circumvent Android’s built-in protections and potentially allow remote attackers to access sensitive user data. Although Google has withheld detailed exploitation techniques, the attribution of CVE-2024-43047’s findings to researchers from Amnesty International suggests that it may have been used in spyware attacks, typically deployed in espionage scenarios aimed at high-profile individuals or organizations.
Vulnerability Details and Impact Analysis
1. CVE-2024-43047
Discovered by: Amnesty International researchers.
Impact: This vulnerability could enable attackers to escalate privileges or remotely execute commands on compromised devices. It has likely been used in targeted spyware attacks, allowing threat actors to monitor user activity, intercept communications, and access sensitive data on victims’ devices without detection.
Targeted Attack Potential: With signs of exploitation in targeted attacks, CVE-2024-43047 is a potent tool for espionage, likely targeting journalists, activists, or individuals of interest.
2. CVE-2024-43093
Impact: While details remain sparse, this zero-day vulnerability is an elevation of privilege bug in the Android Framework and has also been actively exploited, possibly allowing attackers to gain unauthorized access to devices and control over critical functions. The exploitation may involve initial access through social engineering or phishing, with subsequent remote control of the device.
Risk of Backdoors and Surveillance: This flaw could be used to embed backdoors or spyware, posing a significant threat to user privacy and device integrity.
3. CVE-2024-38408
Impact: This critical flaw affects proprietary Qualcomm components, possibly targeting device hardware responsible for network communications. Hardware-level vulnerabilities are particularly concerning as they bypass OS-level protections, making detection and prevention challenging.
Severity: If exploited, CVE-2024-38408 could allow attackers to manipulate hardware-level functionalities, intercept communications, and even hijack network-based data transmissions.
Google’s November Security Patches: Breakdown and User Guidance
The November security patches address these zero-days and 48 other vulnerabilities across different Android versions, ranging from 12 to 15. The fixes are rolled out through two patch levels:
– November 1 Patch: Focuses on core Android vulnerabilities, addressing 17 issues, including the two zero-days.
– November 5 Patch: Expands to include vendor-specific fixes, covering an additional 34 vulnerabilities affecting components from Qualcomm, MediaTek, and other hardware vendors.
For users, updating to the latest patch level is essential. Android 11 and older devices may no longer receive full support but could get selective patches for critical vulnerabilities through Google Play system updates, though coverage is not guaranteed.
To ensure your device is protected, follow these steps to update your Android device:
– For System Update: Go to Settings > System > Software updates > System update.
– For Security Update: Navigate to Settings > Security & privacy > System & updates > Security update.
A device restart will be required to finalize the update.
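A quick way for an administrator to confirm which of the two patch levels a device has reached, as an added example that is not part of the original article: Android exposes the installed patch level in the system property ro.build.version.security_patch, readable over adb. The adb invocation and the fallback sample value are assumptions of this example.

```python
import re
import subprocess

# Patch levels from the November 2024 bulletin (values as dates, YYYY-MM-DD).
CORE_LEVEL = "2024-11-01"   # core Android fixes, including the two zero-days
FULL_LEVEL = "2024-11-05"   # adds vendor fixes (Qualcomm, MediaTek and others)

def patch_status(level: str) -> str:
    """Classify a security_patch value: 'full', 'core', 'unpatched' or 'invalid'."""
    level = level.strip()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", level):
        return "invalid"
    # ISO dates compare correctly as plain strings.
    if level >= FULL_LEVEL:
        return "full"
    if level >= CORE_LEVEL:
        return "core"
    return "unpatched"

def device_patch_level():
    """Read the live value over adb (assumes adb on PATH and one connected device)."""
    try:
        out = subprocess.run(
            ["adb", "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return None  # no adb, no device, or the command failed
    return out.stdout.strip() or None

if __name__ == "__main__":
    level = device_patch_level() or "2024-10-05"   # constructed fallback value
    print(f"security patch level {level}: {patch_status(level)}")
```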
Implications of Unpatched Devices
The presence of actively exploited vulnerabilities calls for urgency in applying these patches. Without updates, devices are at risk of:
– Remote Exploitation: Attackers could gain unauthorized access to data and device functions.
– Data Privacy Threats: Zero-days like CVE-2024-43047 and CVE-2024-43093 are often leveraged in highly targeted campaigns focusing on surveillance and data exfiltration.
– Device Integrity Risks: Hardware-based vulnerabilities (like those affecting Qualcomm components) expose users to potential device malfunctions and even physical security risks. With CVE-2024-38408 affecting Qualcomm components, attackers may gain deep-level control that bypasses typical OS-level protections, making such exploits more severe in their impact and harder to patch.
For Android 11 or older users, consider upgrading to a newer model or using a third-party Android distribution that includes the latest security patches.
Conclusion and Recommendations
Google’s November 2024 security update is a critical release for Android users, addressing zero-day vulnerabilities that could otherwise lead to severe data and privacy breaches. The targeted nature of these attacks suggests a focus on high-value individuals, but the risk extends to all users who remain unpatched.
Timely security updates are essential in defending against sophisticated cyberattacks. Android users should prioritize these patches to safeguard their data, privacy, and device integrity against current and future exploits.
Staying vigilant and promptly applying updates is the best defense against the growing wave of mobile threats, particularly for those in sensitive or high-profile roles. By understanding the nature of these vulnerabilities and their potential impact, users can better appreciate the importance of keeping their devices secure and up-to-date.
Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities.
“Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute
SANS recently published its 2024 State of ICS/OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report also looked at the most common types of attack vectors used against ICS/OT networks.
Cyble Research and Intelligence Labs (CRIL) has identified a new variant of the GodFather malware, now targeting 500 banking and cryptocurrency apps.
Initially focused on regions like the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach to include Japan, Singapore, Greece, and Azerbaijan.
The GodFather malware has moved the implementation of its malicious functionality from Java code to native code.
In its latest version, the GodFather malware uses limited permissions, relying heavily on Accessibility services to capture credentials from targeted applications.
This updated variant also includes new commands that enable the malware to automate gestures on infected devices, mimicking user actions.
The Threat Actor (TA) behind the GodFather malware uses a phishing site to deliver the suspicious app and tracks visitor counts to plan further activity.
Overview
Cyble Research and Intelligence Labs (CRIL) recently identified a phishing site, “mygov-au[.]app,” masquerading as the official MyGov website of the Australian Government. Upon further analysis, this site was found to be distributing a suspicious APK file linked to the GodFather Malware, known for its ability to steal banking application credentials.
The downloaded application, “MyGov.apk”, communicates with the URL “hxxps://az-inatv[.]com/.” This app is programmed to track the number of devices it is installed on, retrieve the device’s IP address, and store this information on the server in a text file. Figures 3 and 4 show the code of index.php and count.php responsible for getting the count and IP address.
Figure 2 – Malware loading URL, which maintains the counter
Figure 3 – Getting counts and IP addresses
Figure 4 – Getting the IP address of an infected device
The URL “hxxps://az-inatv[.]com/” hosted an open directory containing a file named counters.zip, which included the total count of infected devices and a list of IP addresses. Additionally, the directory featured a page labeled “down” that hosted another APK file called “lnat Tv Pro 2024.apk.” Upon analyzing this APK, it was identified as the GodFather Malware.
Figure 5 – Open directory hosting counters.zip and GodFather malware
Upon examining the counters.zip file, we found 151 counts in hit.txt and 59 unique IP addresses, reflecting the targeted device count. While the MyGov application collected this data, we suspect the TA may leverage this visitor information to identify potential victim counts and later use the same website to distribute the GodFather malware.
Figure 6 – Counters.zip content
Notably, we observed that the latest variant of the GodFather malware has moved from Java code to native code implementation. It is now targeting 500 banking and cryptocurrency applications and expanding its reach to Japan, Singapore, Azerbaijan, and Greece. Further details on this new variant of GodFather are provided in the following section.
Technical Details
In the latest version, the GodFather malware operates with minimal permissions, relying heavily on the Accessibility service to carry out its malicious activities.
Figure 7 – Manifest with limited permissions
Native Code Implementation
Starting our analysis with the classes specified in the manifest file, we observed that the malware calls numerous native methods, which were previously implemented in Java code.
Figure 8 – Calls to native methods
These native functions implement various malicious capabilities, including loading an injection URL into the WebView, executing automated gestures, establishing connections with the Command and Control (C&C) server, and keylogging.
Figure 9 – Native code implementation
C&C Server
Similar to the previous variant, the latest samples also connect to the Telegram URL “hxxps://t.me/gafaramotamer,” where the TA has embedded a Base64-encoded C&C URL. The malware retrieves and decodes this URL to “hxxps://akozamora[.]top/z.php.”
Figure 10 – Malware fetches C&C server URL from Telegram Profile
Targeting 500 Crypto and Banking Applications
After decoding the URL, the malware begins communication by sending data such as the list of installed application package names, the device’s default language, model name, and SIM name. In return, it receives a list of 500 targeted application package names associated with banking and cryptocurrency apps. In addition to previous targets in the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach, now including Japan, Singapore, Greece, and Azerbaijan.
Figure 11 – Receives the list of target application package names
When the user tries to interact with the target application, the malware closes the genuine application. Instead, it loads a fake banking or crypto login URL into the WebView or displays a blank screen. It constructs the injection URL using the C&C server “hxxps://akozamora[.]top/” and appends the endpoint “rx/f.php?f=” along with the device name, package name, and default language, then loads the assembled URL in the WebView.
Figure 12 – Loading fake login pages
The GodFather malware has successfully replaced the traditional overlay attack with this technique. Rather than launching the legitimate application, the malware activates itself and loads a phishing page to steal banking credentials.
Commands Added In New Version
The previous version included commands for USSD and SMS operations, which have been removed in the latest version. Additionally, this malware version lacks permission to collect or send SMS messages from the infected device. Instead, the newly added commands focus primarily on automating actions on the infected device. Below is a list of commands observed in the latest version of the GodFather malware.
Command – Description
clickposition – Clicks at the X and Y screen position received from the server
backed – Takes the user to the previous screen
home – Takes the user to the home screen
recents – Takes the user to the recent apps screen
scrollforward – Scrolls the page forward using the given parameter
scrollback – Scrolls the page backward using the provided parameter
opencontrol – Performs gestures on the target app
setpattern – Receives a value from the server and saves it in the shared preference variable “pc”
screenlight – Manages the brightness of the screen
sl2 – Sets up a wake lock to keep the device awake
sl3 – Similar to sl2
autopattern – Enters the value received via the “setpattern” command on the device screen using the Accessibility service
csn – Sets a timer to initiate the WebSocket connection
swpfull – Performs a swipe operation
upswp – Performs an upward swipe
downswp – Performs a downward swipe
leftswp – Performs a left swipe
rightswp – Performs a right swipe
vncreset – Not implemented
opnap – Opens the application whose package name is received from the server
gif – Loads a GIF from the link “hxxps://s6.gifyu.com/images/S8uz3.gif”
opnsttings – Opens the Settings app
opnsound – Opens the sound settings
opnmsc – Opens the notification settings
opnpckg – Not implemented
notifyopen – Opens notifications using the Accessibility service
Conclusion
The latest version of the GodFather malware shows how dangerous and adaptable mobile threats have become. By moving to native code and using fewer permissions, the attackers have made GodFather harder to analyze and better at stealing sensitive information from banking and cryptocurrency apps. With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide. Staying alert and using strong security practices on mobile devices is essential to avoid falling victim to threats like GodFather.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Download and install software only from official app stores like Google Play Store or the iOS App Store.
Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful while enabling any permissions.
Keep your devices, operating systems, and applications updated.