Cyber Security Headlines: Urgent iPhone update, ZIP password fault, Hacking decommissioned satellites

iPhone users urged to update to patch 2 zero-days

Apple is urging macOS, iPhone and iPad users to immediately install updates this week that includes fixes for two zero-days under active attack. The patches are for vulnerabilities that allow attackers to execute arbitrary code and ultimately take over devices. Patches are available for effected devices running iOS 15.6.1 and macOS Monterey 12.5.1. The patches address two flaws, which basically impact any Apple device that can run either iOS 15 or the Monterey version of its desktop OS. The vulnerability allows an application to execute arbitrary code with kernel privileges, according to Apple, which says there is a report that it “may have been actively exploited.”

(ThreatPost)

Encrypted ZIP files can have two correct passwords

Password-protected ZIP archives are common means of compressing and sharing sets of files, but Arseniy Sharoglazov, a cybersecurity researcher at Positive Technologies has demonstrated that it is possible for an encrypted ZIP file to have two correct passwords. This vulnerability comes about when passwords are set at more than 64 characters, in which case ZIP uses an algorithm to hash the password. Sharoglazov showed that by trying a different password of more than 64 characters results in ZIP creating the same hash and therefore accepting the second password as legitimate. A full report on this issue is available at Bleeping Computer, who, incidentally were able to replicate this procedure.

(Bleeping Computer)

White hat hackers broadcast through decommissioned satellite

A group of white hat hackers demonstrated at DEF CON how to take control of a satellite in geostationary orbit. The group used a satellite called Anik F1R, which had been decommissioned in 2020. The group was authorized to perform the hack and had also been given permission and access to an unused uplink facility which included the hardware to connect to a satellite. The group sought to demonstrate how easy it could be to physically take control of decommissioned satellites using software that costs just $300.

(Security Affairs)

Hackers target hotel and travel companies with fake reservations

A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space. Their email topics revolve around making a booking on the target organization, pretending to come from conference organizers, tourist office agents, and other sources that the recipients can’t easily dismiss. Victims who click on the URL in the message body, which is purported to be a reservation link, will receive an ISO file from a remote resource. The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim’s computer and creates a scheduled task for persistence.

(Bleeping Computer)

Thanks to today’s episode sponsor, Code42

It’s not just about the data leaving your company – what about the data coming in? Along with departing employees, new talent is also actively joining your organization. This poses cybersecurity challenges since they could be knowingly or unknowingly bringing data from their former company into your network. Code42 Incydr is an Insider Risk Management SaaS that provides a comprehensive understanding of your data exposure and shows which activities require security intervention. Learn more at Code42.com/showme.

Grandoreiro banking malware targets Mexico and Spain

Zscaler ThreatLabz researchers have observed the malware targeting organizations in Mexico and Spain. It is is a modular backdoor that supports keylogging, command execution, guiding victim’s browsers to specific URLs, imitating mouse and keyboard movements, and more. The threat actors behind this campaign impersonate Mexican government officials, the malware uses multiple anti-analysis techniques along with implementation of Captcha for evading Sandboxes.

(Security Affairs)

Amazon quietly fixes Ring Android app bug

Amazon has resolved a vulnerability discovered in May that exposed the data and camera recordings of Ring app users on Android devices. The bug was reported to the Amazon Vulnerability Research Program by researchers with cybersecurity firm Checkmarx on May 1. In a report released on Thursday, the researchers showed how in a series of steps, they were able to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings. 

(The Record)

Fears over China’s access to genetic data of UK citizens

Rising political and security tensions between Beijing and the west have prompted calls for a review of the transfer of genetic data to China from a biomedical database containing the DNA of half a million UK citizens. The UK Biobank said it had about 300 projects under which researchers in China were accessing “detailed genetic information” or other health data on volunteers. The anonymized data is shared under an open-access policy for use in studies into diseases from cancer to depression. There is no suggestion it has been misused or participants’ privacy compromised. Data-sharing is facing scrutiny amid a shift in geopolitical relations, with analysts raising concerns about the challenges of monitoring usage beyond UK borders and a lack of reciprocal data-sharing by China.

(The Guardian)

Last week in ransomware 

Last week saw the return of the BlackByte ransomware operation, which launched a new data leak site using extortion tactics similar to LockBit 3.0. Last week’s attacks were on Argentina’s Judiciary of Córdoba, a UK water supplier (though Clop attributed to the wrong company), and LockBit claiming to be behind the attack on Entrust. Finally, researchers found a new variant of the SOVA Android malware that includes a ransomware feature to encrypt mobile devices.

(Bleeping Computer)