Threat actors continue to target both individuals and large corporations alike. From WhatsApp’s GDPR violation, Cisco’s vulnerable routers, the Riot games security breach, the new Hook Android malware, and vulnerabilities in the Galaxy App Store, here are the top cybersecurity news of this week.


GDPR Violation by WhatsApp leads to a $5.96 million Fine

The Irish DPC (Data Protection Commission) has fined messaging giant WhatsApp $5.96 million for violating the GDPR (General Data Protection Regulation).

The DPC ordered WhatsApp to alter its data processing operations within six months to comply with the GDPR or face another fine. The DPC initiated an inquiry in 2018 regarding a potential violation when a German citizen complained. WhatsApp prompted all EU-based users to accept new changes and update its Terms of Service the same day if they wanted to keep accessing the application.

The DPC complaint outlined that WhatsApp forced its users to accept its updated policy to continue using its application, an approach that included a clause requiring users to consent to the processing of their data at app launch. WhatsApp thus allegedly violated GDPR Article 7 and Recital 32, which require users to give their consent freely and on a specific, informed, and unambiguous basis, without pressure, influence, or elements introducing an imbalance. The DPC reached the following conclusions following its investigation:

  • WhatsApp Ireland failed to specify the legal basis or justification for processing user data, contravening Articles 12 and 13 of GDPR.
  • However, it didn’t breach Article 7 regarding forced consent since its service wasn’t based on user consent or using it as a lawful reason for processing personal data.

DPC has plans to launch a new investigation on WhatsApp’s operations to determine if it violates Article 9 of the GDPR, whereas WhatsApp plans to appeal the decision.


Cisco Routers Exposed to RCE Attacks

Over 19,000 of Cisco’s end-of-life VPN routers are now exposed to remote command execution attacks. Threat actors can bypass authentication by leveraging CVE-2023-20025 and then execute arbitrary commands using CVE-2023-2002 on Cisco’s small business routers.

Threat actors can exploit the VPN (Virtual Private Network) routers RV016, RV042, RV042G, and RV082 to bypass authentication using specially crafted HTTP (Hyper Text Transfer Protocol) requests sent to the web management interface of these routers. Cisco has rated CVE-2023-20025 as critical, but there is no evidence to suggest that the exploit chain is being abused yet.

[Image: Cisco Routers Exposed]

Censys has revealed that nearly 20,000 of these routers are online, with the RV042 dominating the count at over 12,000 hosts, all of which have their management interface exposed on the Internet.

Cisco says there are no workarounds, but disabling the web management interface and blocking access to the relevant ports reduces the attack surface. To implement this, block ports 443 and 60443 and uncheck the Remote Management box by navigating to Firewall > General.


Security Breach at Riot Games, Organization Unable to Release Content

The video game developer and publisher of global hit titles like League of Legends and Valorant, Riot Games, has been hacked, rendering the organization unable to release game patches and updates.

Riot Games started a Twitter thread explaining to its users that its development environment was compromised through a social engineering attack. The organization has not yet determined the full details of the attack, but the incident has affected its ability to publish patches for its games.

Riot Games revealed that the threat actors obtained no personal information or data during the attack, and Patch 13.2 for League of Legends has been delayed. The organization shared the news, outlining that no new features in the patch will be canceled, and the studio will release it later.

Riot Games is investigating the attack and will update its customers accordingly. This is not the first such attack on a game studio: 2K Games was also hacked, its customers received malware, and a month after that attack their personal data was put up for sale by the threat actors.


Novel Hook Android Malware letting Hackers Take Control of Mobile Devices

A new Android malware named Hook has hit the digital space; it is being sold by cybercriminals who boast that it can be used to take over mobile devices.

[Image: Android Malware attacks]

The creator of Ermac, an infamous Android banking trojan, is promoting this Hook Android malware, claiming the malware has been written from scratch, although it contains much of Ermac’s code. Hook has an extensive set of capabilities and allows threat actors to:

  • Start/stop RAT
  • Perform a specific swipe gesture
  • Take a screenshot
  • Simulate clicking a specific text item
  • Simulate a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)
  • Unlock the device
  • Scroll up/down
  • Simulate a long press event
  • Simulate clicking at a specific coordinate
  • Simulate clicking on a UI element with a specific text value
  • Set a UI element value to a specific text

Hook is more dangerous and capable than Ermac as it includes a VNC (Virtual Network Computing) module enabling threat actors to interact with the infected device’s UI in real-time.

Hook is a global Android threat impacting individuals in the US, Australia, Poland, Spain, Portugal, Italy, France, Turkey, and the UK. Since the malware is distributed disguised as Google Chrome APKs, it is best to stick to Google Play apps and steer clear of third-party application sources.


Galaxy App Store Vulnerabilities allowing Hackers to Install Apps without Knowledge

Samsung’s official repository, the Galaxy App Store, has two vulnerabilities that could allow threat actors to install any application on victim devices without their knowledge or direct them to malicious URLs (Uniform Resource Locators).

NCC Group discovered the two flaws last year, and Samsung released patches for both on 1 Jan 2023 via Galaxy App Store update 4.5.49.8. The first flaw, CVE-2023-21433, was an improper access control issue that allowed threat actors to install malicious applications through the Galaxy App Store: the store did not handle incoming intents adequately, so other applications could send arbitrary app installation requests.

The second vulnerability, CVE-2023-21434, was an improper input validation issue that allowed threat actors to execute JavaScript on target devices: the web views in the Galaxy App Store applied a domain filter that could be bypassed, forcing the web view to load malicious domains.

The vulnerabilities were severe and could allow threat actors to install and launch malicious applications, leading to data or privacy breaches. The latest update fixes both issues for devices that receive it. However, older devices remain exposed, since older models are no longer supported by Samsung and do not receive updates.


Vice Society Ransomware Leaks University of Duisburg-Essen’s Data

The Vice Society ransomware gang recently claimed responsibility for the November 2022 cyberattack on the UDE (University of Duisburg-Essen) that forced the reconstruction of the university’s IT infrastructure.

The threat actors leaked files they claim they stole from the university during the breach, exposing sensitive details about the university’s students, operations, and personnel.

[Image: Ransomware Leaks UDE Data]

UDE confirmed it is aware that the cybercriminals published the stolen data and that it refused to pay the ransom. “After targeting the University of Duisburg-Essen (UDE) with a cyberattack at the end of November, the criminal group has now published data on the Darknet,” reads the UDE statement.

BleepingComputer reviewed some leaked files, including backup archives, student spreadsheets, financial documents, and research papers. While they look genuine, there is no way to confirm their authenticity.
