Security news weekly round-up - 9th August 2024

Habdul Hazeez - Aug 9 - - Dev Community

I apologize. I wrote last week's edition of this review but forgot to publish What's more, I am trying to include it under an HTML <details> and <summary> tag so that you expand or close it before reading this week's edition, but I could not get it render on DEV (although it rendered fine in my Markdown editor).

Introduction

Welcome everyone, in this week's edition, we'll review articles from different aspects of cyber security that should leave you on the edge of your seat. Some articles will leave you wondering: How is that even possible? And some will make you think: I never thought of that.

To get you started, here is a general overview of the articles that we'll review:

  • Flaws in Windows (Two to be precise)
  • DNS poisoning via a hacked ISP
  • 18-year-old browser vulnerability
  • 5G baseband flaws (now fixed by some)
  • Ransomware gangs getting owned
  • Phishing (no surprises on this one, we've covered similar articles in the past, but this one is crafty)

With that out of the way, let's go!


Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

The way these mentioned Windows features were designed is what led to the flaws. The interesting (and scary) part of the flaw is that it allows an initial system compromise with no security warnings.

In the excerpt below, you can read one of the ways to bypass the protections offered by Smart App Control and SmartScreen. This shows one ramifications of exploiting these flaws: malware delivery to a system.

One of the easiest ways to bypass these protections is get the app signed with a legitimate Extended Validation (EV) certificate, a technique already exploited by malicious actors to distribute malware

Mac and Windows users infected by software updates delivered over hacked ISP

What made this possible? Two things (among others). First, the update mechanism of the affected applications where delivered without TLS. Second, the attackers control over the ISP allowed them to perform a man-in-the-middle attack (MitM).

The excerpt below describes one situation of one affected application:

As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config.

StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server.

Windows Update Flaws Allow Undetectable Downgrade Attacks

The thought that your system was fully patched with the latest updates, only to find out that someone downgraded it to an earlier version that contained vulnerability, is scary. That's what this attack is all about. At the time of writing, Microsoft is working on a fix.

Here is how the flaw works:

“I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days,” Leviev said.

The Israeli researcher said he found a way to manipulate an action list XML file to push a ‘Windows Downdate’ tool that bypasses all verification steps, including integrity verification and Trusted Installer enforcement.

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

This is a type of vulnerability that you'll call: It's been a long time coming. The bug was initially reported over 18 years ago and now browser vendors are trying to fix it after a security company what's possible if the vulnerability is exploited.

Here is how the vulnerability works:

The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices,"

By using 0.0.0.0 together with mode 'no-cors,' attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request

Hackers could spy on cell phone users by abusing 5G baseband flaws, researchers say

As stated in the introduction, some providers (e.g. Google) have fixed these flaws. But it's interesting to know that such an attack was possible.

The following excerpt highlights how the fleas could be exploited. Mind you, "Tu" is one of the researchers.

Tu explained that by taking advantage of the vulnerabilities they found, a malicious hacker could pretend to be one of the victim’s friends and send a credible phishing message.

Or by directing the victim’s phone to a malicious website, the hacker could trick the victim into providing their credentials on a fake Gmail or Facebook login page, for example

Security bugs in ransomware leak sites helped save six companies from paying hefty ransoms

Do you remember the part in the introduction about ransomware gangs getting owned? Well, it's this article. A researcher went after the gang, he discovered what he called "simple" on the web dashboards used by these gangs. This was enough to know the inner workings of the ransomware operations and ultimately get decryption keys.

The following excerpt sums up, the entire article:

The research shows that ransomware gangs can be susceptible to much of the same simple security issues as big companies, providing a potential avenue for law enforcement to target criminal hackers that are far out of jurisdictional reach.

New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

It's no surprise that threat actors abuse legitimate services to pull off their attacks. But the combination of Google and WhatsApp is what got me intrigued about this article.

The excerpt below briefly explains the attack and how it can start:

The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information

The starting point of the attack is a phishing email that directs the recipients to a graphic that appears to be an Amazon account verification link. This graphic, for its part, is hosted on Google Drawings, in an apparent effort to evade detection.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .