Over nine million Android devices infected by info-stealing trojan
A large-scale malware campaign on Huawei’s AppGallery has led to roughly 9,300,000 installs of trojans masquerading as over 190 different Android apps, including simulators, platformers, arcades and shooting games. Researchers at Dr. Web AV identified the trojan, which is a variant of the Cynos malware designed to collect sensitive user data. The researchers assisted Huawei with removing the associated apps from its store; however, Android users who may have downloaded these apps from AppGallery are urged to run AV tools capable of detecting and removing Cynos trojan variants.
Researcher discloses zero-day exploit due to low bounty payouts
A security researcher has publicly disclosed an exploit for a new Windows zero-day vulnerability that can be exploited to gain admin privileges in Windows 10, Windows 11, and Windows Server. Researcher Abdelhamid Naceri discovered the bug while analyzing a patch for another Microsoft privilege escalation bug, tracked as CVE-2021-41379, which was released as part of the November Patch Tuesday. Naceri indicated that he publicly disclosed the zero-day because of Microsoft’s small bug bounty payouts. Naceri was also able to successfully bypass the patch which he was initially researching.
Threat actors compromise exposed services in 24 hours
In a new study conducted by Palo Alto Networks’ Unit 42, researchers deployed 320 honeypots and found that 80% of them were compromised within the first 24 hours. The honeypots were deployed from July until August in North America, Asia Pacific and Europe and included remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB), and Postgres database services. SSH honeypots were the most targeted service, while APAC was the most targeted region. Researchers observed a threat actor compromising 96% of Postgres honeypots in just 30 seconds. The researchers recommend that organizations keep privileged ports closed, monitor all exposed ports, create automated rules to fix misconfigurations, deploy next-generation application firewalls, and install security updates as they are made available.
Apple sues NSO seeking to block its access to iPhones
On Tuesday, Apple sued the Israeli surveillance company NSO Group in federal court for targeting its users. The lawsuit is the second of its kind, after Facebook sued NSO in 2019 for targeting its WhatsApp users. Apple also wants to permanently prevent NSO from using any Apple software, services or devices, which could essentially render the company’s Pegasus spyware worthless. Apple is also seeking unspecified damages for the cost of dealing with NSO’s abuse of its products and plans to donate related proceeds to organizations impacted by the spyware. Director of Citizen Lab, Ron Deibert, said, “NSO is now poison. But it’s not just one company. This is an industry-wide problem.”
Thanks to our episode sponsor, deepwatch
Researchers warn of ‘Printjack’ printer attacks
Italian researchers have compiled three attacks dubbed ‘Printjack,’ warning users of the consequences of over-trusting their printers. The attacks include enlisting printers in DDoS swarms, flooding the printers with bogus print jobs, and performing man-in-the-middle attacks. The researchers point out that modern printers remain vulnerable, lagging behind other IoT and electronic devices that have begun conforming to cybersecurity and data privacy requirements. The researchers found the printers they analyzed to be non-compliant with GDPR requirements and the ISO/IEC 27005:2018 cyber framework. These exploits once again highlight the lack of solid security frameworks for printers and the need for vendors to upgrade their printer security and data handling processes at both the hardware and software levels.
Hackers targeting vaccine researchers and producers
BIO-ISAC issued a warning on Tuesday that since at least January 2020, the ‘Tardigrade’ hacking group has been targeting vaccine manufacturing and research centers using malware that spreads through compromised networks and exfiltrates data. Tardigrade uses phishing or USB sticks to deliver a custom version of ‘SmokeLoader’, which can recompile the loader from memory without leaving a consistent signature, making it much harder to identify, trace, and remove. The malware can also operate autonomously without a C2 connection. BIO-ISAC has advised vaccine producers and researchers to bolster their defenses, including network segmentation, testing offline backups for critical systems, implementing behavior-based antivirus, and training users about phishing threats.
Apple delays feature allowing addition of driver’s licenses to Wallet app
Apple has updated its website indicating that a new feature that allows users to add their driver’s license or state ID to their iPhone and Apple Watch has been delayed from late 2021 until early 2022. Apple indicated that Arizona and Georgia will be the first states to adopt the new feature followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah. Apple said select U.S. airports will be the first locations to accept digital ID in the Wallet app, allowing users to tap their devices on an identity reader to present their ID to the TSA. Apple has emphasized the privacy and security of the new feature which will require users to securely submit a photo of their face to the issuing state for verification during the setup process.
CISA and FBI issue holiday cyber warnings
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are reminding executives, leaders, and workers at critical infrastructure partners to proactively protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season. 2021 has shown that malicious actors favor launching cyberattacks around holidays such as Independence Day and Mother’s Day. The agencies are reminding organizations to review and update their incident response plans, implement MFA for remote and admin accounts, mandate strong passwords, secure remote access protocols such as RDP, and remind employees not to click on suspicious links.