State-backed attackers exploit WinRAR zero-day
Security researchers at Google found evidence that state-sponsored threat actors linked to China and Russia began exploiting a vulnerability in the Windows archive utility WinRAR. Group-IB previously discovered this vulnerability and found signs of exploitation dating back to April. WinRAR's developer, Rarlab, issued a patch on August 2nd. Google researchers say many users have not yet applied the update, opening the door to attacks from these APTs, including Sandworm and Fancy Bear.
Five Eyes warns of Chinese IP theft
Intelligence chiefs from the Five Eyes countries issued a warning of Chinese attempts to steal intellectual property, as well as attempts to use AI systems for spying. IP under threat includes AI research, biotechnology, and quantum computing. While Five Eyes member countries have previously voiced claims about Chinese IP theft, this is the first joint statement by the group. U.S. FBI Director Christopher Wray said China uses a variety of tools and techniques “deployed in tandem, at a scale the likes of which we’ve never seen.” The Chinese government denied the allegations.
(Reuters)
ServiceNow data exposure issue identified
Security researcher Aaron Costello released a report identifying a data exposure issue with the popular digital business platform ServiceNow. Costello estimates roughly 70% of instances contain a misconfiguration in a component within the platform’s Simple List feature. The issue could expose information in Simple List tables, like names, emails, and internal documents. This issue isn’t new; it has apparently been in Simple List since it launched in 2015. Another researcher looking into the exposure, Daniel Miessler, saw no signs that threat actors have exploited this issue in the wild yet.
Ukrainian hacktivists take down ransomware site
The pro-Ukrainian hacktivist group known as the Ukrainian Cyber Alliance claims it shut down the leak site operated by the Trigona ransomware organization. The group’s spokesperson said it took 10 of Trigona’s servers offline, exfiltrated data, and defaced its website. The damage extended to taking down the Trigona admin panel, landing page, and crypto wallets. The UCA said it will review exfiltrated data and may share some with researchers. Trend Micro reported that Trigona came online back in June 2022, targeting healthcare, tech and banking organizations in Brazil, the U.S., India, Israel, Italy, and Turkey.
Amazon and WhatsApp launch passkey support
The inevitable march toward passkey adoption continues. WhatsApp added support on Android, where it can replace two-factor authentication to let users unlock the messaging app with biometrics or a PIN. No word on when iOS support will arrive. Not to be left out, Amazon added passkey support as a login option. Bleeping Computer’s Lawrence Abrams noted the feature didn’t work across all browsers and security keys yet, and only allowed for bulk deleting of all passkeys rather than individual ones.
(TechCrunch, Bleeping Computer)
CIA leaves information channel open to hijacking
In late September, the US Central Intelligence Agency added a Telegram link to its profile on X. The agency intended this as a means for potential informants to contact it with information. However, security researcher Kevin McSheehan noticed that X truncated the visible URL on the CIA profile to an unused Telegram username. McSheehan registered the username to redirect users to a page warning them not to share any sensitive information there. BBC News did not receive a response from the agency, but it fixed the issue within an hour of the outreach.
(BBC)
ASIC eyes to crack encryption
2048-bit encryption is considered very secure from brute force in classical computing. With technology as it stands today, it would take longer than the age of the universe to factor a 2048-bit RSA key. The startup MemComputing thinks it can do better. It claims that in simulation, its in-memory processing ASIC could solve difficult factoring problems polynomially with size, rather than exponentially as is tradition in von Neumann computing. So far it has tested up to 150 bits, and tests show its current chips could handle up to 300. The company said it would need to customize its designs specifically for larger factorization problems. It claims its R&D forecasts the ability to handle a 2048-bit factorization problem in as little as ten minutes. A big improvement over “more than all of conceivable time.”
Google Play Protect adds real-time malware scanning
Google began offering Play Protect for Android in 2017. This offers on-device scans for malware on apps downloaded from the Google Play store, third-party app stores, and sideloaded APKs. Previously this scan happened at the point of download and installation. The problem is that many malicious apps now use means like polymorphic code or calls to a C2 server after installation to download things that would get flagged as malicious. Google updated the feature to now perform real-time scans at the code level, as well as prompting users to proactively scan any apps not already scanned. This will extract signals from the app, with code analysis done on Google’s backend, not on-device. Google will use insights to further train its systems. Google already rolled out the systems to India and select markets, with a global rollout over the next few months.
X tests subscription to post
The social network formerly known as Twitter published a post on its help center, detailing a beta for a new “Not a Bot” subscription program. X began the test in New Zealand and the Philippines. The subscription costs $1 a year for new users, allowing users to post, report, and like content. Reading X content remains free. Currently signups remain limited to the web, although the help post indicates mobile app signup will be available at some point.
(Fortune)






