iPhone flaw exploited by second Israeli spy firm
A flaw in Apple’s software that Israeli surveillance firm NSO Group exploited to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter. QuaDream, the sources said, is a smaller, lower-profile Israeli firm that also develops smartphone hacking tools for government clients. The two rival businesses gained the same ability last year to remotely break into iPhones, the sources said, meaning that both firms could compromise Apple phones without the owner needing to open a malicious link.
(Reuters)
Target shares its own web skimming detection tool Merry Maker with the world
Web skimming, sometimes referred to as Magecart attacks, has become the leading cause of card-not-present (CNP) fraud and has impacted small and big brands alike, as well as different types of ecommerce platforms. As one of the world’s top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers built their own. After more than three years of active use on Target.com, the client-side scanner has now been released as an open-source project dubbed Merry Maker.
MFA adoption pushes phishing actors to reverse-proxy solutions
The increasing use of MFA has pushed phishing actors toward transparent reverse-proxy solutions, and to meet this rising demand, reverse-proxy phishing kits are being made available. A reverse proxy is a server that sits between the Internet user and web servers behind a firewall; it forwards visitors’ requests to the appropriate server and sends back the resulting response, which lets a web server serve requests without being directly exposed on the Internet. A phishing kit turns the same mechanism around: the lookalike domain relays the victim’s traffic to the genuine login page, so the victim interacts with the real site while every request and response passes through the attacker. As detailed in a report published yesterday by Proofpoint, new phishing kits have emerged that offer templates to create convincing login pages that mimic popular sites. These newer kits are more advanced because they integrate an MFA-snatching system: since the proxy relays the live login, it captures not only the credentials and the one-time code but also the session cookie the real site issues once MFA succeeds, so the attacker never has to replay a time-limited code. One way to tackle the problem is to identify the man-in-the-middle pages used in these attacks. However, as a recent study found, only about half of those are blocklisted at any given time. The constant refresh of domains and IP addresses used for reverse-proxy attacks reduces the effectiveness of blocklists, as most of these pages last only between 24 and 72 hours. As such, the report suggests adding client-side TLS fingerprinting, which could help identify and filter MITM requests. It is also worth noting that code-based MFA (SMS, TOTP, push approval) is relayable by design, whereas phishing-resistant methods such as FIDO2/WebAuthn bind the signed assertion to the origin the browser actually connected to, so a login relayed through a lookalike domain is rejected by the real site.
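To make the relay concrete, the following is an added example (not code from the page or from the Proofpoint report) that simulates the exchange in-process: a hypothetical origin that checks a password plus TOTP and issues a session cookie, a transparent proxy that rewrites only the Host header and logs what passes through, and a FIDO2-style assertion whose signed origin lets the real site reject the relayed login. All names, secrets and the user record are constructed; nothing touches the network.

```python
"""Added example (not from the page or the Proofpoint report): a simulated
transparent reverse-proxy phishing flow. The origin, the proxy and the names
below are all hypothetical; it runs entirely in-process, no network."""
import hashlib
import hmac
import json
import secrets
import struct
import time
from urllib.parse import parse_qs

REAL_ORIGIN = "https://login.example.com"        # hypothetical legitimate site
PHISH_ORIGIN = "https://login.example-com.tld"   # hypothetical lookalike site

# Constructed user database for the "real" site.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"}}
SESSIONS = {}


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used by both the victim's app and the origin."""
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def origin_login(req):
    """The real site's /login: password + TOTP (current or previous step), then a cookie."""
    form = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    user = USERS.get(form.get("username"))
    if user is None or form.get("password") != user["password"]:
        return {"status": 401, "headers": {}, "body": "bad credentials"}
    now = time.time()
    valid = {totp(user["totp_secret"], now), totp(user["totp_secret"], now - 30)}
    if form.get("otp") not in valid:
        return {"status": 401, "headers": {}, "body": "bad otp"}
    sid = secrets.token_hex(16)
    SESSIONS[sid] = form["username"]
    return {"status": 200, "headers": {"Set-Cookie": f"session={sid}; Secure; HttpOnly"}, "body": "ok"}


def origin_webauthn(req):
    """The real site's FIDO2 step: the origin inside the signed clientData must match."""
    client_data = json.loads(req["body"])
    return {"status": 200 if client_data["origin"] == REAL_ORIGIN else 401, "headers": {}, "body": ""}


class PhishProxy:
    """Transparent relay: rewrites Host, forwards the body unchanged, logs what passes."""
    def __init__(self, upstream):
        self.upstream, self.loot = upstream, []

    def handle(self, req):
        forwarded = dict(req, headers=dict(req["headers"], Host=REAL_ORIGIN))
        resp = self.upstream(forwarded)
        # Credentials, the live OTP and the resulting session cookie all transit here.
        self.loot.append({"body": req["body"], "set_cookie": resp["headers"].get("Set-Cookie")})
        return resp   # the victim sees the genuine response and suspects nothing


def run_totp_phish():
    """Victim logs in through the proxy with a correct OTP; attacker keeps the cookie."""
    proxy = PhishProxy(origin_login)
    otp = totp(USERS["alice"]["totp_secret"])           # victim reads this off their app
    victim_resp = proxy.handle({"headers": {"Host": PHISH_ORIGIN},
                                "body": f"username=alice&password=correct+horse&otp={otp}"})
    cookie = proxy.loot[-1]["set_cookie"] or ""
    sid = cookie.split("session=", 1)[1].split(";", 1)[0] if "session=" in cookie else None
    return {"victim_status": victim_resp["status"], "attacker_session_valid": sid in SESSIONS}


def run_webauthn_phish():
    """Same relay, but the browser signs the origin it actually talked to."""
    proxy = PhishProxy(origin_webauthn)
    client_data = {"type": "webauthn.get", "challenge": "c2FtcGxl", "origin": PHISH_ORIGIN}
    resp = proxy.handle({"headers": {"Host": PHISH_ORIGIN}, "body": json.dumps(client_data)})
    return resp["status"] == 200


if __name__ == "__main__":
    print("TOTP through proxy:", run_totp_phish())
    print("WebAuthn through proxy succeeds:", run_webauthn_phish())
```

The point of the two runs is the asymmetry: with TOTP the victim gets a 200 and a normal-looking session while the proxy walks away with a cookie the real site accepts; with the origin-bound assertion the proxy can relay the bytes but cannot change the origin the browser signed, so the real site answers 401. A real kit additionally rewrites links and cookie domains in responses so the victim stays on the lookalike host, which this simulation omits.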
Wormhole cryptocurrency platform hacked
Wormhole, one of the most popular bridges linking the Ethereum and Solana blockchains, lost about $325 million in an attack that took place on Wednesday. This is the second-biggest hack of a decentralized finance (DeFi) platform ever, behind only the $600 million Poly Network breach. Experts pointed out that this is the largest attack to date on Solana, a high-performance blockchain comparable to Ethereum whose popularity is growing thanks to interest in the non-fungible token (NFT) and DeFi ecosystems.
Thanks to our episode sponsor, Pentera

State hackers’ new malware helped them stay undetected for 250 days
A state-backed Chinese APT actor tracked as ‘Antlion’ has been using a new custom backdoor called ‘xPack’ against financial organizations and manufacturing companies. The malware was used in a campaign against targets in Taiwan that researchers believe spanned more than 18 months, between 2020 and 2021, allowing the adversaries to run stealthy cyber-espionage operations. Details from one attack show that the threat actor spent 175 days on the compromised network, and Symantec researchers analyzing two other attacks determined that the adversary went undetected for as long as 250 days.
FBI says more cyberattacks come from China than everywhere else combined
In a Monday speech titled Countering Threats Posed by the Chinese Government Inside the US, FBI director Christopher Wray said his bureau has more than 2,000 open investigations into incidents assessed as attempts by China’s government “to steal our information and technology.” The volume, he said, is so great, “bigger than those of every other major nation combined, we’re constantly opening new cases to counter their intelligence operations, about every 12 hours or so.” He highlighted that this large-scale hacking also causes indiscriminate damage, citing the recent Microsoft Exchange hack, which compromised the networks of more than 10,000 American companies in a single campaign.
PowerPoint files abused to take over computers
Attackers are using socially engineered emails with .ppam file attachments that hide malware capable of rewriting Windows registry settings on targeted machines. The .ppam format is a PowerPoint add-in, a little-known file type that, according to Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, carries bonus commands and custom macros, among other functions. The payload executed a number of functions on the end user’s machine that the user had not authorized, including installing new programs that create and open new processes, changing file attributes, and dynamically calling imported functions. Because the add-in format can carry a VBA project, a .ppam attachment from an unknown sender should be handled like any other macro-enabled Office document.
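As an added example of the triage check a mail gateway or analyst would run on such an attachment (this is not Avanan’s code and not from the page), the block below flags macro-capable Office Open XML extensions such as .ppam and, independently of the extension, looks inside the archive for a VBA project part. The fixture it builds is a constructed, minimal .ppam-like zip rather than a real add-in, and the function and file names are hypothetical.

```python
"""Added example (not from the page or from Avanan): static triage of a
PowerPoint add-in (.ppam) attachment. The fixture is a constructed minimal
OOXML zip so the check runs offline; names here are hypothetical."""
import io
import zipfile

# Macro-capable Office Open XML extensions. A .ppam is a PowerPoint add-in and
# can carry a VBA project just as a .pptm can.
MACRO_EXTENSIONS = {".ppam", ".pptm", ".potm", ".ppsm",
                    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_office_attachment(filename, data):
    """Return findings for an attachment: extension, VBA part, declared VBA content type."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = {"macro_extension": ext in MACRO_EXTENSIONS, "is_ooxml": False,
                "vba_project": False, "vba_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            findings["is_ooxml"] = "[Content_Types].xml" in names
            # The VBA project is a binary part; match it wherever it sits in the package,
            # so a renamed .pptx that still carries macros is caught by content.
            findings["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if findings["is_ooxml"]:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass   # not an OOXML package; the extension verdict still stands
    findings["suspicious"] = (findings["macro_extension"] or findings["vba_project"]
                              or findings["vba_content_type"])
    return findings


def build_fixture(with_vba):
    """Constructed minimal .ppam-like archive (not a real add-in) for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctypes = ['<?xml version="1.0" encoding="UTF-8"?>',
                  '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                  '<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            ctypes.append(f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # OLE compound-file magic followed by dummy bytes; no real VBA inside.
            z.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        ctypes.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(ctypes))
        z.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_attachment("invoice.ppam", build_fixture(True)))
    print(triage_office_attachment("deck.pptx", build_fixture(False)))
```

The extension check alone already catches the campaign described above, since .ppam has almost no legitimate reason to arrive by email; the content check is there for the variant where the same archive is renamed to .pptx, which Office may still open with the macro project intact.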
Critical flaws discovered in Cisco Small Business RV series routers
Cisco has patched multiple critical security vulnerabilities in its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, and has warned that proof-of-concept (PoC) exploit code exists for some of these bugs. Three of the 15 flaws carry the highest CVSS rating of 10.0 and affect the Small Business RV160, RV260, RV340, and RV345 Series routers. The flaws could also be exploited to bypass authentication and authorization protections, retrieve and run unsigned software, and cause denial-of-service (DoS) conditions.