Security news weekly round-up - 5th November 2021

Habdul Hazeez - Nov 5 '21 - - Dev Community

Introduction

Hello! I welcome you all to this week's review, and I hope you all had a nice week 🤗.

In case you are reading for the first time, I am Habdul Hazeez, and the author of this weekly series of articles where we review some security news that is worthy of your time. This has been the case for over a year now.

Do you like what I do? You can buy me a Coffee.

Moving on.

This week's review is about malware, vulnerabilities, hacking, and social engineering. The latter resulted in someone losing half a million dollars.

Let's get on with it.


Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation

Remember this: No System Is Safe.

The title might make this sound like a "simple" vulnerability, but it's not. A rootkit is among the most dangerous kinds of malware to get rid of on a system.

Excerpt from the article:

Tracked as CVE-2021-30892 and named “Shrootless” by Microsoft, the vulnerability exists in the method used to install Apple-signed packages with post-install scripts.

To successfully exploit the vulnerability, an attacker needs to create a specially crafted file that would allow them to hijack the installation process of said packages.

Tens of Thousands Download "AbstractEmu" Android Rooting Malware

By now, you should know that not everything that looks good is good for you, and that something that is good might not look good.

The bottom line: not everything is what it appears to be.

That is the summary of this story in which the said malware was part of applications with thousands of downloads on the Google Play Store.

Excerpt from the article:

The security researchers have identified 19 applications related to the distribution of AbstractEmu, including utility apps and system tools, such as password managers, app launchers, and data saving software, all of which appeared functional to their users.

The most popular of these programs was Lite Launcher, which had over 10,000 downloads in Google Play at the time it was discovered. Other applications include All Passwords, Anti-ads Browser, Data Saver, My Phone, Night Light, and Phone Plus.

Researchers Uncover 'Pink' Botnet Malware That Infected Over 1.6 Million Devices

When I read 'Pink' botnet, my first thought was beauty and the beast.

A botnet can be commandeered by its operators to do all sorts of malicious things you can think of. But the notable one is the Distributed Denial of Service attack, also called DDoS.

Do you remember Mirai or Anna Senpai?

Excerpt from the article:

Mainly targeting MIPS-based fiber routers, the botnet leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for its bots to controller communications, not to mention completely encrypting the transmission channels to prevent the victimized devices from being taken over.

'Trojan Source' Attack Abuses Unicode to Inject Vulnerabilities Into Code

Hat tip to the most awesome creature on earth: Humans.

Why? We always find the most creative way to make something do what it's not meant for.

Excerpt from the article:

Unicode provides a feature — named the Bidirectional (Bidi) Algorithm — for when two types of writing need to be mixed. For example, writing a single word from a right-to-left language in a sentence written in a left-to-right language.

The Cambridge researchers discovered that Bidi can be abused to create code that would be displayed one way in code editors, but be interpreted differently by the compiler.

Threat actors could leverage this method to submit malicious code to widely used open source software — the individual reviewing the code might see what appears to be harmless code that in reality introduces a vulnerability.

The attack impacts many of the compilers, interpreters, code editors, and code repository frontend services used by software developers.
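The practical defence against the Bidi trick described above is to refuse source that contains the directional control characters at all, since legitimate code almost never needs them outside of string data. The following scanner is an added example written for this post, not code from the Cambridge researchers or from any of the affected projects: it reports every Bidi override, embedding and isolate code point in a source file with its line and column, and renders a line with the invisible characters made visible so a reviewer can see what the editor hid. The `SAMPLE` text is constructed for the demonstration.

```python
from dataclasses import dataclass
import sys

# The Unicode Bidirectional Algorithm control characters that let displayed
# source differ from what a compiler or interpreter parses.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number
    column: int  # 1-based column, counted in code points (not bytes)
    char: str    # the offending code point, e.g. "\u202e"
    name: str    # short abbreviation, e.g. "RLO"


def scan_source(text: str) -> list[Finding]:
    """Return every Bidi control character found in `text`, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, ch, BIDI_CONTROLS[ch]))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a file on disk; undecodable bytes are preserved rather than raising."""
    with open(path, encoding="utf-8", errors="surrogateescape") as f:
        return scan_source(f.read())


def render_visible(line: str) -> str:
    """Replace each Bidi control with a visible <NAME> marker for review output."""
    return "".join(
        f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c for c in line
    )


# Constructed sample (hypothetical code, not from any real project): the comment
# on line 3 carries an RLO ... PDF pair that an editor would render reversed.
SAMPLE = (
    "def check(user):\n"
    "    # constructed sample for the scanner\n"
    "    if user.is_admin: # \u202e reviewers see this reversed \u202c\n"
    "        return True\n"
)


if __name__ == "__main__":
    # Usage: python bidi_scan.py file1.py file2.c ...  (exit 1 if anything found)
    total = 0
    for path in sys.argv[1:]:
        for fnd in scan_file(path):
            total += 1
            print(f"{path}:{fnd.line}:{fnd.column}: U+{ord(fnd.char):04X} ({fnd.name})")
    sys.exit(1 if total else 0)
```

Wired into a pre-commit hook or a CI job, the non-zero exit code blocks the merge until the characters are removed; the `render_visible` output is what to paste into the review comment so the submitter can see exactly where the hidden controls sit.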

Man charged with hacking major US sports leagues to illegally stream games

For the love of money 🙄.

Excerpt from the article:

One of the leagues that fell victim to the illegal streaming scheme estimated that it sustained losses of at least $3 million.

Joshua Streit, going by the moniker ‘Josh Brody’ online, is thought to have gained access to the computer systems of Major League Baseball (MLB), National Basketball Association (NBA), the National Football League (NFL), and the National Hockey League (NHL) before illegally streaming their content on a website he operated for profit.

Crypto investors lose $500,000 to Google Ads pushing fake wallets

This is a classic tale of malicious ads and social engineering.

Excerpt from the article:

These advertisements promote sites that install fake Phantom and MetaMask wallets used for Solana and Ethereum, and fake decentralized exchange (DEX) platforms, such as PancakeSwap and Uniswap.

The deceptive operation is supported by cloned websites that look just like the real ones, so the visitors are convinced they are installing the legitimate wallet or using the correct platform.

Popular 'coa' NPM library hijacked to steal user passwords

Stay safe and don't put so much trust in that "popular" library.

You never can tell; it might be compromised.

Excerpt from the article:

The 'coa' library, short for Command-Option-Argument, receives about 9 million weekly downloads on npm, and is used by almost 5 million open source repositories on GitHub.

Hours after this discovery, another commonly used npm component 'rc' was also found to have been hijacked. The 'rc' library nets 14 million downloads a week on average.

Support Me

Writing makes me thirsty. I'll appreciate a cup of coffee 😉.

Buy Me A Coffee

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, I'll see you next Friday.
