Cybersecurity cannot be taken for granted while threat actors keep finding new ways around ransomware protection and other defensive tools. There is no stopping these perennial cyber threats, which is why we bring you the latest news from the cyber realm: what better way to learn than by reading about real attacks and fixing the same weaknesses in our own organizations? Here are the top headlines from this past week.
Play Store Removes 9 Android Apps Spreading Alienbot Banker And MRAT
Three cybersecurity researchers at Check Point recently discovered a new malware dropper in nine Android apps on the Google Play Store. These apps fetch a second-stage malware that works its way into the victims' financial accounts. The adversaries spreading this dropper, called Clast82, use evasion techniques to get past Google Play Protect detection and even survive the app evaluation period. Once through, the app switches from a non-malicious payload to the MRAT and AlienBot Banker.
The nine Android apps include Pacific VPN, Cake VPN, eVPN, Qrecorder, BeatPlayer, tooltip nation library, Music Player, and QR/Barcode Scanner MAX. The malicious apps were detected on 28th January and removed from the Google Play Store on 9th February.
The adversaries created a new developer user for each of the nine apps and a separate repository on their own GitHub account. As a result, different payloads were delivered to devices depending on which app was installed.
All the attackers had to do to bypass Google Play's protections was abuse readily available third-party resources such as a Firebase or GitHub account. Given the trust users place in the Play Store's cybersecurity tools, nobody would have guessed that they were downloading trojans that reach into their financial accounts under the guise of a utility app.
Is Offline Finding Exposing Apple Users’ Identity?
Apple's crowd-sourced location tracking system is arguably the largest of its kind, but is using Apple's offline finding (OF) network safe for users? Academic researchers from the Technical University of Darmstadt, Germany, have identified vulnerabilities in the OF network that let adversaries access the last seven days' location history of both finder and owner devices, enabling location correlation attacks.
The bug known as CVE-2020-9986 has been fixed, but its existence questions the claims of anonymity Apple makes. A malicious macOS application can decrypt and retrieve the users’ location history using the cached rolling advertisement keys retained on the file system. The vulnerability can only be exploited if the victims request their device location using the Find My application. In simple words, finder and owner identities get revealed every time a location report is uploaded or downloaded.
The cybersecurity researchers found another flaw in the OF network that enables threat actors to access the location of all owner devices without the owners' awareness or consent.
Whatsapp To Introduce Password Protection For Cloud
Although WhatsApp chats are end-to-end encrypted, that protection does not extend to online backups on iCloud and Google Drive. WABetaInfo has confirmed that WhatsApp is working on encryption for cloud backups.
Serious Anomaly Detected In Authenticated GitHub Sessions
These days, most cybersecurity incidents are triggered by adversaries; this latest incident at GitHub stands out for its rarity. GitHub recently discovered a severe bug in some of its authenticated sessions: under certain conditions one user's session was routed to another user's browser, handing the second user an authenticated session cookie for the first user's account. The bug was caused by improper handling of authenticated sessions and could not be triggered deliberately by a malicious user.
After discovering the issue on 2nd March, GitHub quickly released a patch on 5th March, followed by a second patch on 8th March. GitHub also invalidated all authenticated sessions created before 12:03 UTC on 8th March as a further protective measure. The silver lining in all this is that less than 0.001% of authenticated GitHub sessions were affected by the anomaly.
New Phishing Scam Targets Coinbase Users
Adversaries are impersonating the cryptocurrency exchange Coinbase to steal sensitive information from over 25k users. The majority of the attacks originated in India, followed by Brazil, the US, and Japan. The affected users are located in South Korea, Sweden, Ireland, Japan, the US, Britain, and Canada. Bitdefender Antispam Lab, which first reported the incident, said the attackers are trying to steal user credentials and loot the victims' cryptocurrency wallets.
The adversaries follow the same old playbook: users are asked to verify their account credentials by filling in a form immediately, or else their accounts will be suspended because of 'unusual activity.' Phishing emails like these, sent from seemingly genuine addresses, have time and again conned people into giving away their usernames, passwords, and other personally identifiable information.
If a similar email landed in your mailbox and you responded to it, change the password on every account that shares that password. Victims are advised to go to the official Coinbase page and use the options it provides for security incidents like this: MFA, a password change, temporarily disabling the account, and so on. It is also advisable to use email security as a service so that your digital assets stay protected from a breach like this in the future.
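As an added illustration of how a mail filter can flag the lure pattern described above (brand impersonation plus an urgency-and-suspension threat), here is a small Python checker written for this digest; it is not Bitdefender's or Coinbase's code, and the sender and link domains in the sample messages are constructed. The only assumption about the real world is that genuine Coinbase mail comes from the coinbase.com domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain the impersonated brand legitimately uses (assumption for this example)
LEGIT_DOMAIN = "coinbase.com"
# Lure phrases matching the scam described in the article
LURE_PHRASES = [r"unusual activity", r"verify your account", r"immediately", r"suspend"]
URL_RE = re.compile(r"https?://[^\s\"'>]+")

def same_or_subdomain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def score_email(raw):
    """Return a list of human-readable reasons the message looks like the Coinbase lure."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # sample messages are single-part text
    reasons = []
    # 1. Display name claims the brand, but the sender domain is not the brand's
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if "coinbase" in display_name.lower() and not same_or_subdomain(sender_domain, LEGIT_DOMAIN):
        reasons.append(f"display name claims Coinbase but sender domain is {sender_domain}")
    # 2. Links point somewhere other than the brand's domain
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not same_or_subdomain(host, LEGIT_DOMAIN):
            reasons.append(f"link to non-Coinbase host {host}")
    # 3. Two or more urgency / verification / suspension phrases in the body
    hits = [p for p in LURE_PHRASES if re.search(p, body, re.I)]
    if len(hits) >= 2:
        reasons.append("urgency lure: " + ", ".join(hits))
    return reasons

# Constructed sample messages (not real mail); the phishing domain uses the reserved .example TLD
PHISH_SAMPLE = """From: Coinbase Support <security@coinbase-verify.example>
To: user@example.net
Subject: Unusual activity on your account

We detected unusual activity. Please verify your account immediately at
http://coinbase-verify.example/login or your account will be suspended.
"""
LEGIT_SAMPLE = """From: Coinbase <no-reply@coinbase.com>
To: user@example.net
Subject: Your monthly statement

Your statement is available at https://www.coinbase.com/statements.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_email(sample))
```

A real deployment would add header-authentication results (SPF/DKIM/DMARC) rather than relying on body phrases alone, but the three checks above already catch every element of the lure the article describes.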
Will Supply Chain Attacks Increase?
After the barcode scanner app turned malicious last month, it is hard for users to trust that every update notification on their phone is genuine. This is a relatively new attack scheme: adversaries buy an established app along with its source code and then push a malicious version that rides on the existing goodwill. Cybercriminals are likely to use this scheme more often.
Such supply chain attacks are an effective way to evade the stringent app review process, which is exactly what makes them attractive to attackers. What is more concerning for us end users is that such scams are on the rise, and several malicious apps manage to fool people with fake ratings and reviews.