Cybersecurity News: Dropper bypasses Google, CISA’s zero-day worries, Google Calendar as C2

Android Dropper-as-a-Service bypasses Google’s defenses

Named SecuriDropper by researchers at ThreatFabric, this Android malware appears able to bypass the Restricted Settings security measure of Android 13 by posing as a benign app; one sample carries the package name com.appd.instll.load. The researchers described its sophistication by saying, “Unlike its predecessors, this family uses a different Android API to install the new payload, mimicking the process used by marketplaces to install new applications.” This is followed by a message prompting the user to click a reinstall button, on the pretext of correcting an installation error. When reached for comment by The Hacker News, Google stated, “restricted settings add an extra layer of protection on top of the user confirmation that is required for apps to access Android settings/permissions… Android users are always in control of which permissions they grant to an app and are also protected by Google Play Protect.”

(The Hacker News)

Increase in zero-day exploits worries CISA

Michael Duffy, associate director for capacity building within CISA’s cybersecurity division, speaking at a cybersecurity governance conference in Hershey, PA, described the increase as “really high” and said it has affected networks throughout the federal government. Despite an overall decline in in-the-wild zero-days, the number of exploits is the second highest in almost a decade. Duffy also stated that ransomware and increased DDoS activity are causing disruption within the federal government.

(Cyberscoop)

Google Calendar as a C2 infrastructure

Google itself has issued a warning regarding “multiple threat actors sharing a public proof-of-concept exploit named Google Calendar RAT, that relies on Calendar service to host command-and-control (C2) infrastructure.” Developed for red teaming activities, the PoC’s description, published on GitHub, says that only a Gmail account is required. “The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.” Google has not seen use of GCR in the wild so far, although “Mandiant has seen multiple actors sharing the public proof of concept on underground forums.”

(Security Affairs)

QNAP fixes two critical vulnerabilities

Tracked as CVE-2023-23368 and CVE-2023-23369, the vulnerabilities affect the QTS operating system and applications on QNAP’s network-attached storage (NAS) devices. The first carries a CVSS score of 9.8 and the second 9.0; both could be exploited by a remote attacker to execute commands. Network admins are, of course, urged to address both vulnerabilities.

(Security Affairs)

Thanks to today’s episode sponsor, Offsec

OffSec (formerly Offensive Security), the cyber training company behind the well-known OSCP certification and Kali Linux distro, is running a virtual summit for CISOs and cybersecurity leaders called Evolve on November 15th. Attend Evolve and get insider insights from a former bank hacker. Discover strategies on stretching your security budget and get tips to attract the crème de la crème of talent. It’s more than just an event – it’s a masterclass helping you elevate your cybersecurity leadership game. Hear from forward-thinking cybersecurity leaders from companies like Cisco, Amazon, Salesforce and more. Register today and get the insights you need to help shape the future of your company’s security. Sign up now at offsec.com/evolve

Apache ActiveMQ RCE attacks now include TellYouThePass ransomware

Following up on the ongoing Apache ActiveMQ story, in which Apache patched the ActiveMQ vulnerability and attackers were attempting to deploy HelloKitty on vulnerable networks, Arctic Wolf Labs has revealed that the same flaw, CVE-2023-46604, is being used in attacks targeting Linux systems and pushing TellYouThePass ransomware. The researchers noted many similarities between HelloKitty and TellYouThePass ransomware, which share “email address, infrastructure, as well as bitcoin wallet addresses.” According to Bleeping Computer, “TellYouThePass ransomware has seen a massive and sudden spike in activity after Log4Shell proof-of-concept exploits were released online two years ago.”

(Bleeping Computer)

AI bot capable of insider trading and lying, say researchers

According to the BBC, “in a demonstration at the UK’s AI safety summit, a bot used made-up insider information to make an “illegal” purchase of stocks without telling the firm. When asked if it had used insider trading, it denied the fact.” This demonstration was a project carried out by Apollo Research, an AI safety organization, and the “demonstration was given by members of the government’s Frontier AI Taskforce, which researches the potential risks of AI.” The demonstration was done in a sandboxed environment. In a video demonstrating how the experiment unfolded, the researchers stated, “this is a demonstration of a real AI model deceiving its users, on its own, without being instructed to do so.”

(BBC News)

Data brokers selling US service members’ secrets

A new report from the Sanford School of Public Policy at Duke University says that “vast amounts of highly sensitive data on American military service members are up for sale by data brokers.” The Duke researchers describe how they observed brokers transfer “private data about active-duty service members, veterans, and their families, including sensitive health and financial information….They also sold bulk data for people within geofenced military facilities such as Fort Bragg and Quantico.” Lead researcher Justin Sherman stated, “because the data for sale includes information about an individual’s mental health conditions, personal debts, and other highly sensitive information, it could theoretically be used to blackmail or otherwise compromise active-duty military personnel.” A link to the study is available in the show notes to this episode.

(The Record and Duke University)

Singapore public health services hit by DDoS attacks

Wednesday’s attack hit public healthcare clusters across the country. According to The Record, the organization that manages operations of 46 public healthcare institutions in Singapore and around 1,400 community partners such as nursing homes and general practitioners, named Synapxe, stated there was “no evidence that public healthcare or patient data, [or] internal networks, have been compromised.” Access to hospital websites was limited, of course, and according to the agency, the attacks are ongoing as of this recording.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.