Cyber Hunter
Your Digital Hunter.💻🏹
Hunting Down Cyber Threats, Protecting Your Digital Realm.
Israel warns of BiBi wiper attacks targeting Linux and Windows: Security researchers found a Windows equivalent for the recently discovered BiBi-Linux, a data-wiping malware used in attacks to destroy data on systems at Israeli companies.
Microsoft still unsure how hackers stole Azure AD signing key: Microsoft says it still doesn't know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
Hackers can break into cars through their headlights using a device that costs just £2,000. Automotive security experts Ian Tabor and Ken Tindell said that thieves are ripping off bumpers and headlights to reach the wiring behind them, allowing them to plug in widely available electronics that attack the car's internal computer networks. Once connected, the devices automatically disable engine immobilisers and can be used to open windows or even activate door locks, the experts said.

Such hacking devices can be bought online for prices ranging between three and four figures, according to Mr Tabor and Mr Tindell. Illicit vendors selling these devices claim they give instant access to high-value cars including Ferraris, Rolls-Royces, Lamborghinis and more.

The experts said the hacking device is designed to be plugged into a socket typically concealed underneath a car's headlights or bumpers. From there the device reaches the vehicle's CAN bus, the internal network that carries messages between the car's sensors and control units. Classic CAN has no sender authentication: any node with physical access to the bus can transmit frames that the other ECUs accept as genuine, which is why a plug-in box can issue commands the car would normally only accept from its own controllers.

A Toyota spokesman said: “While it is, unfortunately, very difficult for any auto manufacturer to completely eliminate the risk from people and organisations acting with criminal intent, we regularly collaborate and share information with insurance associations and police authorities throughout the world to help reduce this risk.”
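The timing-based check below is an added example, not code from the researchers, Toyota or any vendor named above. It learns each arbitration ID's nominal period from a trusted capture and then flags two things: an ID that never appeared in the baseline, and a periodic ID arriving in less than half its expected period, which is the signature of a second sender interleaving forged frames with the genuine ECU's (the injector cannot silence the real controller, so the frame rate for that ID roughly doubles). The arbitration IDs 0x0C1 and 0x1A5, the payloads and both captures are constructed for the example and do not correspond to any real vehicle; 0x7DF is used for the injected frame simply because diagnostic-style requests are normally absent from driving traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IDS 32

/* A classical CAN frame as a bus logger would record it. */
typedef struct { uint32_t ts_ms; uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

/* Timing profile of one arbitration ID, learned from a trusted capture. */
typedef struct {
    uint32_t id;
    uint32_t period_ms;  /* nominal inter-arrival time; 0 = not rate-checked */
    uint32_t last_ts;    /* monitoring state */
    int      seen;
} id_profile_t;

typedef struct { id_profile_t ids[MAX_IDS]; size_t n; } can_model_t;
typedef enum { ALERT_NONE = 0, ALERT_UNKNOWN_ID, ALERT_RATE_ANOMALY } alert_kind_t;
typedef struct { alert_kind_t kind; can_frame_t frame; } can_alert_t;

static id_profile_t *find_profile(can_model_t *m, uint32_t id)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->ids[i].id == id) return &m->ids[i];
    return NULL;
}

/* Learn each ID's nominal period from a clean capture (frames of one ID in
 * time order): period = (last_ts - first_ts) / (count - 1). */
static void can_model_learn(can_model_t *m, const can_frame_t *f, size_t n)
{
    uint32_t first[MAX_IDS], last[MAX_IDS], count[MAX_IDS];
    m->n = 0;
    for (size_t i = 0; i < n; i++) {
        id_profile_t *p = find_profile(m, f[i].id);
        if (p == NULL) {
            if (m->n == MAX_IDS) continue;          /* model full: ignore */
            size_t k = m->n++;
            m->ids[k] = (id_profile_t){ .id = f[i].id };
            first[k] = last[k] = f[i].ts_ms;
            count[k] = 1;
        } else {
            size_t k = (size_t)(p - m->ids);
            last[k] = f[i].ts_ms;
            count[k]++;
        }
    }
    for (size_t k = 0; k < m->n; k++) {
        m->ids[k].period_ms = count[k] > 1 ? (last[k] - first[k]) / (count[k] - 1) : 0;
        m->ids[k].seen = 0;
    }
}

/* Monitor a capture against the model; returns the number of alerts raised
 * (at most max_alerts of them are stored in alerts[]). */
static size_t can_monitor(can_model_t *m, const can_frame_t *f, size_t n,
                          can_alert_t *alerts, size_t max_alerts)
{
    size_t raised = 0;
    for (size_t i = 0; i < n; i++) {
        id_profile_t *p = find_profile(m, f[i].id);
        alert_kind_t kind = ALERT_NONE;
        if (p == NULL) {
            kind = ALERT_UNKNOWN_ID;                /* never seen in baseline */
        } else {
            if (p->seen && p->period_ms > 0 && f[i].ts_ms - p->last_ts < p->period_ms / 2)
                kind = ALERT_RATE_ANOMALY;          /* second sender on this ID */
            p->seen = 1;
            p->last_ts = f[i].ts_ms;
        }
        if (kind != ALERT_NONE) {
            if (raised < max_alerts) alerts[raised] = (can_alert_t){ kind, f[i] };
            raised++;
        }
    }
    return raised;
}

#define KEY_STATUS_ID 0x0C1   /* constructed: periodic "key validated" status */
#define DOOR_LOCK_ID  0x1A5   /* constructed: periodic body-control status */

/* Constructed clean capture: KEY_STATUS every 100 ms, DOOR_LOCK every 50 ms. */
static size_t build_baseline(can_frame_t *out)
{
    size_t n = 0;
    for (uint32_t t = 0; t < 1000; t += 100) out[n++] = (can_frame_t){ t, KEY_STATUS_ID, 2, {0x00, 0x01} };
    for (uint32_t t = 0; t < 1000; t += 50)  out[n++] = (can_frame_t){ t, DOOR_LOCK_ID, 1, {0x00} };
    return n;                                       /* 30 frames */
}

/* Constructed attack capture: the genuine ECU keeps its 100 ms cadence, an
 * injector repeats the KEY_STATUS frame 10 ms behind each one and also sends
 * a diagnostic-style request (0x7DF) that never appeared in the baseline. */
static const can_frame_t attack_capture[] = {
    {1000, KEY_STATUS_ID, 2, {0x00, 0x01}},
    {1010, KEY_STATUS_ID, 2, {0x00, 0x01}},         /* injected */
    {1050, DOOR_LOCK_ID,  1, {0x00}},
    {1100, KEY_STATUS_ID, 2, {0x00, 0x01}},
    {1100, DOOR_LOCK_ID,  1, {0x00}},
    {1110, KEY_STATUS_ID, 2, {0x00, 0x01}},         /* injected */
    {1120, 0x7DF,         8, {0x02, 0x10, 0x03}},   /* injected, unknown ID */
    {1150, DOOR_LOCK_ID,  1, {0x01}},
};

/* Learn from the clean capture, then monitor either the attack capture or the
 * clean capture itself. Returns the number of alerts raised. */
size_t demo_alert_count(int use_attack)
{
    can_frame_t baseline[64];
    can_alert_t alerts[16];
    can_model_t model;
    size_t nb = build_baseline(baseline);
    can_model_learn(&model, baseline, nb);
    if (!use_attack) return can_monitor(&model, baseline, nb, alerts, 16);
    size_t raised = can_monitor(&model, attack_capture, sizeof attack_capture / sizeof attack_capture[0], alerts, 16);
    for (size_t i = 0; i < raised && i < 16; i++)
        printf("ALERT %s: t=%u ms id=0x%03X\n", alerts[i].kind == ALERT_UNKNOWN_ID ? "unknown-id" : "rate",
               (unsigned)alerts[i].frame.ts_ms, (unsigned)alerts[i].frame.id);
    return raised;
}

int main(void)
{
    printf("clean capture: %zu alerts\n", demo_alert_count(0));
    printf("attack capture: %zu alerts\n", demo_alert_count(1));
    return 0;
}
```

Timing rules work because the attacker cannot stop the legitimate ECU from transmitting; a production IDS also needs payload-plausibility rules and a policy for event-driven (non-periodic) IDs, which this example simply exempts by giving them period 0.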
www.cybersecguardians.com
U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals.
In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground.
"All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks," the law enforcement agency said.
"However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators."
The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.
As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware.
"All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up.
While masquerading as innocuous apps, their primary goal is to request permissions to show windows over other apps and run in the background in order to serve intrusive ads.
To make it difficult for victims to detect and uninstall the apps, the adware trojans hide their icons from the list of installed apps on the home screen or replace the icons with ones that are likely to be overlooked (e.g., SIM Toolkit).
Some of these apps also offer the advertised features, as observed in the case of two apps: "Water Reminder- Tracker & Reminder" and "Yoga- For Beginner to Advanced." However, they also covertly load various websites in WebView, and simulate user actions to click on banners and ads.
Also uncovered is another set of apps distributing the Joker malware in the form of launcher, camera, and emoji sticker apps that, when installed, subscribe users to paid mobile services without their knowledge or consent.
List of the malicious apps named in the report:
Photo Editor: Retouch & Cutout
Photo Editor: Art Filters
Photo Editor - Design Maker
Photo Editor & Background Eraser
Photo & Exif Editor
Photo Editor - Filters Effects
Photo Filters & Effects
Photo Editor : Blur Image
Photo Editor : Cut, Paste
Emoji Keyboard: Stickers & GIF
Neon Theme Keyboard
Neon Theme - Android Keyboard
Cashe Cleaner
Fancy Charging
FastCleaner: Cashe Cleaner
Call Skins - Caller Themes
Funny Caller
CallMe Phone Themes
InCall: Contact Background
MyCall - Call Personalization
Caller Theme
Caller Theme
Funny Wallpapers - Live Screen
4K Wallpapers Auto Changer
NewScrean: 4D Wallpapers
Sock Wallpapers & Backgrounds
Notes - reminders and lists
Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after temporarily announcing plans to roll back the change.
"Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July 20.
Earlier this February, Microsoft publicized its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio, and Word as a way to prevent threat actors from abusing the feature to deliver malware.
Many of today's most damaging cyberattacks start with email-based phishing lures that deliver bogus documents containing malicious macros, which makes the feature one of the most common initial-access vectors.
"Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to unsuspecting victims," the company notes in its documentation.
By disabling the option by default for any Office file downloaded from the internet or received as an email attachment, the idea is to eliminate an entire class of attack vector and disrupt the activities of malware such as Emotet, IcedID, Qakbot, and Bumblebee.
However, Microsoft backtracked on the change in the first week of July, telling The Hacker News that it's pausing the rollout of the feature to make additional usability improvements.
In the intervening months since it began previewing the change in April, the tech giant's decision to block macros has had a ripple effect of its own, leading adversaries to adapt their campaigns to alternative distribution methods such as .LNK shortcuts and .ISO disk images. The block keys on the Mark of the Web that Windows attaches to files downloaded from the internet, and at the time files extracted from a mounted ISO image did not inherit that mark, which is what made container formats an effective workaround.
That said, using malicious macros as an entry point to trigger the infection chain is not limited to Microsoft Office alone.
Last week, HP Wolf Security flagged an "unusually stealthy malware campaign" that makes use of OpenDocument text (.odt) files to distribute malware targeting the hotel industry in Latin America.
A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits.
This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.
"The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration," Intezer researcher Ryan Robinson said in a new report published today.
Central to the malware is a downloader ("kbioset") and a core ("kkdmflush") module, the former of which is engineered to retrieve at least seven different plugins from a remote server that are subsequently invoked by the core component.
In addition, the downloader is also responsible for establishing the persistence of the framework's main module. "The main function of the downloader module is to fetch the other components and execute the core module," Robinson noted.
The core module, for its part, establishes contact with the command-and-control (C2) server to fetch necessary commands required to execute the plugins, while also taking care to hide its own presence in the compromised machine.
Some of the notable commands received from the server enable the malware to fingerprint the machine, run shell commands, upload files to the C2 server, write arbitrary data to file, and even update and remove itself from the infected host.
Threat actors offer victims what appear to be investment services from legitimate companies to lure them into downloading malicious apps aimed at defrauding them.
Threat actors have defrauded 244 U.S. investors of about $42 million through fake cryptocurrency apps that exploit people's interest in legitimate digital-currency investments, the FBI has revealed.
The agency observed a number of cybercriminal campaigns that duped people into downloading malicious apps through which threat actors extorted money from victims, the FBI said in a Private Industry Notification published Monday.
Threat actors used the names, logos and other identifying info of legitimate U.S. financial institutions to gain the trust of and fool investors into thinking they were interacting with an actual cryptocurrency-related firm, the agency said. They even went so far as to create fake websites using the info as part of their ruse to gain the trust of investors, according to the FBI.
The FBI is urging both institutions and individuals alike to take some basic precautions to avoid being defrauded when dealing with cryptocurrency transactions.
Institutions should proactively warn customers about the potential for such activity and provide a way for their customers to report it. They also should inform customers about the specifics of their own cryptocurrency-related services, such as whether the company actually has a cryptocurrency app, so clients can identify legitimate communications and transactions, the FBI said.
Following heightened worries that U.S. users' data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it's taking steps to "strengthen data security."
The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators, which further noted that the procedure requires the individuals to clear numerous internal security protocols.
The contents of the letter, first reported by The New York Times, shares more details about TikTok's plans to address data security concerns through a multi-pronged initiative codenamed "Project Texas."
"Employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team," TikTok CEO Shou Zi Chew wrote in the memo.
This includes what it calls a narrow set of non-sensitive TikTok U.S. user data, such as public videos and comments, to meet interoperability requirements, while emphasizing that this access will be "very limited" in scope and pursuant to protocols developed in collaboration with the U.S. government.
TikTok, a popular social video-sharing service from Beijing-based ByteDance, has long remained in the crosshairs of U.S. lawmakers over national security risks that could arise from the Chinese government requesting data belonging to U.S. users directly from its parent firm.
But in the letter, the company aimed to reassure that it has never been asked to provide data to the Chinese authorities and that it would not accede to such government inquiries.
TikTok further reiterated that 100% of U.S. user data is routed to Oracle cloud infrastructure located in the U.S., and that it's working with the enterprise software firm on more advanced data security controls that it hopes to finalize "in the near future."
Twitter went down for around 40 minutes this morning, in a major outage for the social network. Issues started with the service at around 8:05AM ET, with many users reporting “over capacity” error messages, and even errors saying “this page is down.” The issues affected Twitter web, mobile, and even the company’s TweetDeck app.
Downdetector had thousands of reports of issues with Twitter, but Twitter’s own status page claimed “all systems operational.” While the main Twitter.com domain loaded, many users weren’t able to log into the service or access tweets. Twitter started to come back to life at around 8:40AM ET, with many able to tweet and access the service again.
This is the first major Twitter outage since a series of problems for the social network in February. Twitter was down twice in a week in February, with users unable to access the service in parts of the US due to a “technical bug that was preventing timelines from loading and Tweets from posting.”
These latest Twitter service issues come just days after the social network filed a lawsuit against Elon Musk, the world’s richest man. Musk is trying to exit a $44 billion acquisition deal based on claims Twitter has failed to satisfy requests for information on bot and spam activity on the platform.
Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms.
Central to the changes is a "simplified and unified management experience that's the same in Chrome and Android settings," Ali Sarraf, Google Chrome product manager, said in a blog post.
The updates are also expected to automatically group multiple passwords for the same sites as well as introduce an option to manually add passwords. Although Google appears to be not ready yet to make Password Manager as a standalone app, users on Android can now add a shortcut to it on the homescreen.
In a related change on iOS, should users opt for Chrome as the default autofill provider, Password Manager now comes with the ability to generate unique, strong passwords.
The built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further highlight weak and reused passwords à la Apple iOS. Google is also expanding the compromised password warnings to Chrome users across all operating systems.
Last but not least, Google is bringing a new "Touch-to-Login" to Chrome on Android that allows users to sign in to websites with a single tap after entering the credentials with autofill. It's worth noting that Apple implemented a similar feature in Safari with iOS 12.2.
Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models.
"The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features," Slovak cybersecurity firm ESET said in a series of tweets.
Tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892, all three bugs are buffer overflow vulnerabilities that Lenovo describes as leading to privilege escalation on affected systems. Martin Smolár from ESET has been credited with reporting the flaws.
The bugs stem from insufficient validation of an NVRAM variable called "DataSize" in three different drivers, ReadyBootDxe, SystemLoadDefaultDxe, and SystemBootManagerDxe, leading to a buffer overflow that could be weaponized to achieve code execution. Because NVRAM variables that are exposed at runtime can be written from the running operating system, an attacker who already holds administrative privileges can plant the malicious value and have it trigger on the next boot, before the OS and its defences are loaded.
This is the second time Lenovo has moved to address UEFI security vulnerabilities since the start of the year. In April, the company resolved three flaws (CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972) — also discovered by Smolár — that could have been abused to deploy and execute firmware implants.
Users of impacted devices are strongly advised to update their firmware to the latest version; because the affected drivers run inside the firmware before the operating system starts, the fix can only come from Lenovo's firmware update and not from an OS-level patch.
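The bug class ESET describes, a length read from an NVRAM variable and used unchecked for a copy into a fixed-size buffer, modelled in plain C with a mock GetVariable. This is an added example, not Lenovo's or ESET's code and not the real DXE drivers: the variable name "DataSize" comes from the report, while the "Settings" variable, the 64-byte buffer, the EFI status encoding and the attacker payload are constructed here. The destination region is deliberately 16 bytes larger than the driver believes it owns, so the overrun lands in a canary the demo can inspect rather than in undefined memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins for the UEFI types involved. The error encoding follows EDK2
 * (high bit set) but these are not the real headers. */
typedef uint64_t EFI_STATUS;
#define EFI_ERR(n)             (0x8000000000000000ULL | (n))
#define EFI_SUCCESS            0ULL
#define EFI_BUFFER_TOO_SMALL   EFI_ERR(5)
#define EFI_NOT_FOUND          EFI_ERR(14)
#define EFI_SECURITY_VIOLATION EFI_ERR(26)

#define SETTINGS_BUF_SIZE 64   /* what the driver believes it owns */
#define CANARY_SIZE       16

/* Mock NVRAM: a variable store the attacker controls (set from the OS,
 * consumed by the driver on the next boot). Constructed for this example. */
typedef struct { const char *name; const uint8_t *data; uint32_t size; } nvram_var_t;

/* Mirrors gRT->GetVariable semantics: *data_size is the caller's buffer
 * capacity on entry and the variable's size on exit; the firmware trusts the
 * caller to actually own a buffer that large. */
static EFI_STATUS mock_get_variable(const nvram_var_t *store, size_t n,
                                    const char *name, uint32_t *data_size, void *data)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(store[i].name, name) != 0) continue;
        if (*data_size < store[i].size) {
            *data_size = store[i].size;
            return EFI_BUFFER_TOO_SMALL;
        }
        memcpy(data, store[i].data, store[i].size);
        *data_size = store[i].size;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

/* Vulnerable pattern: the copy length comes straight from NVRAM. */
static EFI_STATUS load_settings_vulnerable(const nvram_var_t *store, size_t n, uint8_t *settings)
{
    uint32_t data_size = 0, sz = sizeof data_size;
    EFI_STATUS st = mock_get_variable(store, n, "DataSize", &sz, &data_size);
    if (st != EFI_SUCCESS) return st;
    /* BUG: data_size is never compared with SETTINGS_BUF_SIZE, so a value
     * above 64 makes GetVariable write past the end of the settings buffer. */
    return mock_get_variable(store, n, "Settings", &data_size, settings);
}

/* Hardened: the NVRAM-supplied size is validated before use, and the length
 * handed to GetVariable is the buffer's real capacity, never NVRAM's claim. */
static EFI_STATUS load_settings_hardened(const nvram_var_t *store, size_t n, uint8_t *settings)
{
    uint32_t data_size = 0, sz = sizeof data_size;
    EFI_STATUS st = mock_get_variable(store, n, "DataSize", &sz, &data_size);
    if (st != EFI_SUCCESS) return st;
    if (sz != sizeof data_size || data_size == 0 || data_size > SETTINGS_BUF_SIZE)
        return EFI_SECURITY_VIOLATION;            /* tampered or malformed */
    sz = SETTINGS_BUF_SIZE;
    st = mock_get_variable(store, n, "Settings", &sz, settings);
    if (st != EFI_SUCCESS) return st;             /* includes BUFFER_TOO_SMALL */
    return sz == data_size ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
}

/* Run a constructed attack (80-byte "Settings", "DataSize" = 80) against one
 * of the loaders. Returns the loader's status and sets *canary_intact to 1 if
 * the CANARY_SIZE bytes past the 64-byte buffer were untouched. */
EFI_STATUS demo_load(int use_hardened, int *canary_intact)
{
    uint8_t region[SETTINGS_BUF_SIZE + CANARY_SIZE];
    uint8_t evil_settings[SETTINGS_BUF_SIZE + CANARY_SIZE];
    uint32_t evil_size = sizeof evil_settings;    /* 80: lies about the buffer */

    memset(region, 0, SETTINGS_BUF_SIZE);
    memset(region + SETTINGS_BUF_SIZE, 0xAA, CANARY_SIZE);
    memset(evil_settings, 0x41, sizeof evil_settings);

    nvram_var_t store[] = {
        { "DataSize", (const uint8_t *)&evil_size, sizeof evil_size },
        { "Settings", evil_settings, sizeof evil_settings },
    };
    EFI_STATUS st = use_hardened ? load_settings_hardened(store, 2, region)
                                 : load_settings_vulnerable(store, 2, region);
    *canary_intact = 1;
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (region[SETTINGS_BUF_SIZE + i] != 0xAA) *canary_intact = 0;
    return st;
}

int main(void)
{
    int intact;
    EFI_STATUS st = demo_load(0, &intact);
    printf("vulnerable: status=0x%llx canary %s\n", (unsigned long long)st, intact ? "intact" : "CLOBBERED");
    st = demo_load(1, &intact);
    printf("hardened:   status=0x%llx canary %s\n", (unsigned long long)st, intact ? "intact" : "CLOBBERED");
    return 0;
}
```

The vulnerable loader returns EFI_SUCCESS while having written 16 bytes past its buffer, which is exactly why this class of bug is silent until something else in the boot flow misbehaves; the hardened loader rejects the variable outright. Returning EFI_SECURITY_VIOLATION for a tampered variable is a design choice made here, not a requirement of the specification.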
Dekwaneh, Matta Street, Cimatian Center, GF Beirut
Beirut