One-Click Remote Code Execution Vulnerabilities Found in Multiple Popular Apps

Security researchers have identified several vulnerabilities in how apps open and handle URLs, leading to one-click code execution that requires no further user input.

It’s easy to think that a simple action like opening a URL in an application doesn’t pose much of a security problem, but that’s not really the case. Apps opening URLs without proper precautions is a problem that affects all operating systems.

No matter the OS, the danger is pretty much the same. Attackers can manipulate URLs in such a way that allows them to run code on the targeted device. If the message is crafted to take advantage of existing vulnerabilities, one-click code execution is no longer out of reach.

“For any given software, [we] check all features where user-supplied values are opened as URLs (e.g. hyperlinks),” said the researchers from Positive Security. “If the feature, under the hood, uses the OS to handle the opening and allows arbitrary schemes without comprehensive warning messages, there is likely a way to exploit the feature on certain platforms.”

The researchers looked at multiple operating systems and popular apps in their effort to identify the misbehaving ones. The Telegram desktop application for Windows, Linux and macOS was among the apps they checked, and they discovered a number of problems, one of which had already been partially reported back in 2015 but remained unfixed until a few months ago.

The team also discovered a problem in VLC and reported it in January; VLC fixed it in a subsequent patch. The one in Wireshark was much more straightforward.

“The Qt-based Wireshark packet analyzer application makes some fields which contain URLs double-clickable,” said the team. “These URLs were simply passed to QDesktopServices::openUrl, allowing for exploitation via malicious capture files or the live capture of maliciously crafted traffic.”

Other investigated apps included Bitcoin/Dogecoin wallets, Mumble, LibreOffice, OpenOffice and even the well-known WinSCP, all of which had security issues regarding the handling of external URLs. Since this is a multifaceted problem, it needs to be addressed from multiple sides: the OS, the frameworks and the apps themselves.
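The application-side check the researchers describe, as an added example that is not code from Positive Security or from any of the applications named above: a scheme allowlist applied before a user-supplied URL reaches the OS opener (QDesktopServices::openUrl, xdg-open, ShellExecute), with the opener passed in as a parameter. The allowed-scheme set and the sample links are assumptions constructed for the example.

```python
"""Scheme allowlist for user-supplied URLs, applied before the OS URL opener is called.

Added example; not code from Positive Security or from any application named in
the article. The OS-level opener (QDesktopServices::openUrl, xdg-open,
ShellExecute) accepts any scheme, so the application has to decide first.
The allowlist below is an assumption for a hypothetical application.
"""
from typing import Callable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})  # assumed app needs


def _well_formed_scheme(scheme: str) -> bool:
    # RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), ASCII only
    if not scheme or not (scheme[0].isascii() and scheme[0].isalpha()):
        return False
    return all(c.isascii() and (c.isalnum() or c in "+-.") for c in scheme)


def classify_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason); only allowed URLs may reach the OS opener."""
    # Reject control characters and whitespace outright. URL parsers differ in
    # how they strip or tolerate them (urlsplit itself drops tab, CR and LF),
    # so the scheme this code sees could differ from the one the OS acts on.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "control character or whitespace in URL"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "no scheme (relative or scheme-less URL)"
    if not _well_formed_scheme(scheme):
        return False, "malformed scheme %r" % scheme
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not in allowlist" % scheme
    if scheme in ("http", "https") and not parts.netloc:
        return False, "http(s) URL without a host"
    return True, "ok"


def open_url_guarded(url: str, opener: Callable[[str], None]) -> bool:
    """Hand `url` to `opener` (the platform open-URL routine) only if it passes.

    Returns True when the opener was called. A real application would show the
    refusal reason to the user instead of silently dropping the link.
    """
    allowed, _reason = classify_url(url)
    if allowed:
        opener(url)
    return allowed


if __name__ == "__main__":
    # Constructed sample links of the kind an app might receive in a chat
    # message, document or capture file; none point at anything real.
    for sample in ("https://example.com/doc", "mailto:user@example.com",
                   "file:///etc/passwd", "JAVASCRIPT:void(0)",
                   "java\tscript:void(0)", "smb://host/share", "http:no-host"):
        print(repr(sample), "->", classify_url(sample))
```

The tab-split scheme in the last sample is the case that motivates checking for control characters before parsing: urlsplit removes the tab and would otherwise report the scheme as plain "javascript".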

Swedish Authorities Say Russia Is to Blame for Sports Confederation Hack

The Swedish authorities have decided to halt an investigation into a data breach supposedly perpetrated by Russia’s military intelligence service, the GRU, over the course of a few months in 2017 and 2018.

From December 2017 until May 2018, the Swedish Sports Confederation was under attack from a then-unknown entity. Following the investigation, authorities in Sweden determined the attack came from Russia and was likely part of a more extensive campaign directed at the World Anti-Doping Agency (WADA) and the United States Anti-Doping Agency (USADA).

As it turns out, the investigation didn’t stop because the authorities hit a dead end. On the contrary, the investigators named the entities involved in the attacks but decided to stop because they couldn’t take any punitive measures.

“The investigation shows that the Russian military intelligence, GRU, via its 85th Center, also known as unit 26165, has planned and carried out the serious breaches of data secrecy against the Swedish Sports Confederation,” said public prosecutor Mats Ljungqvist. “We can further state that the breaches have been a part of a Russian campaign directed against national and international anti-doping organisations such as WADA and USADA. The campaign has also been directed against FIFA.”

The data breach targeted the private data the agencies had on Swedish athletes, such as their medical records.

The prosecutor said his office reached the difficult conclusion that the necessary preconditions for taking legal action abroad or extradition to Sweden are lacking. This means they can’t actually do anything against the attackers, beyond publicly identifying them.

In 2016, WADA recommended that the Russian Olympic team be banned from participating in Brazil’s 2016 Summer Olympics. The cyberattacks in the following years are regarded as retaliation for that ban.

White House Blames Russian Foreign Intelligence for SolarWinds, Imposes Sanctions on Rival Nation

The Biden administration has this week issued a statement blaming the Russian government for the SolarWinds supply chain attack, imposing costs on the rival nation for its actions.

A lengthy press release from the White House issued April 15 points the finger at Russian intelligence for several actions against U.S. sovereignty and U.S. partners. Chief among them: the large-scale supply chain attack leveraging the SolarWinds Orion platform affecting tens of thousands of entities across the United States and other parts of the world.

“Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures,” the White House states. “The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.”

“The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide,” the statement continues. “The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.”

The National Security Agency (NSA), the Cybersecurity & Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have also issued a joint cybersecurity advisory that provides details on software vulnerabilities the SVR allegedly uses to gain access to victim devices and networks. The advisory tells IT administrators what steps to take to identify and defend against the alleged malicious cyber activity.

In light of these developments (and other accusations listed in the press release), the Biden administration advises organizations – albeit indirectly – to consider opting out of information and communications technology and services (ICTS) supplied by Russia:

“Additionally, the SVR’s compromise of SolarWinds and other companies highlights the risks posed by Russia’s efforts to target companies worldwide through supply chain exploitation,” it states. “Those efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia. The U.S. government is evaluating whether to take action under Executive Order 13873 to better protect our ICTS supply chain from further exploitation by Russia.”

The White House also announced plans to promote a framework of responsible state behavior in cyberspace and cooperation with allies and partners to counter malign cyber activities. The Department of Defense is also taking steps to incorporate additional allies, including the UK, France, Denmark and Estonia, into the planning for CYBER FLAG 21-1 – an exercise designed to improve defensive capabilities and resiliency in cyberspace.

LinkedIn Data Leak: Hundreds of Thousands of Spam Emails Flood Users’ Inboxes

Users of the employment-oriented online service are being targeted with an assortment of phishing emails and scams in an attempt to hijack their LinkedIn accounts or promote fake LinkedIn email leads.

According to Bitdefender Antispam Lab telemetry, ramifications of the LinkedIn data leak incident seem to have already manifested through new spam campaigns targeting inboxes of hundreds of thousands of users.

Although the recent uptick in LinkedIn-themed spam can’t be directly associated with the leaked information of 500 million platform users, the overwhelming number of deceptive and fraudulent emails suggests otherwise.

Spammers and scammers and fraud, oh my!

The Bitdefender Antispam Lab has spotted over 500 million scam emails selling premium LinkedIn leads from the US, UAE, Middle East and Canada.

Despite the sheer number of legitimate companies that provide such email marketing services, fraudsters often pose as lead-generation specialists to promote bogus sales leads to digital marketers. They advertise the delivery of “verified and 100% accurate LinkedIn leads” but rarely stick to their word, swindling their targets out of thousands of dollars. If they do deliver, recipients are likely to receive fake, recycled or stolen user information.

The scammers don’t ask for your personally identifiable information or include any malicious attachments.

At the end of each email, the unsubscribe button leads to suspicious domains that may notify the scammers when a recipient clicks it. This confirms that the email was viewed and that the recipient’s address is valid, so it can be used in future spam campaigns.

Samples of these unsolicited emails (Sample 1, Sample 2 and Sample 3) were shown as screenshots.

Hi, I’d like to join your LinkedIn Network

Some threat actors stick to classic phishing tactics to steal LinkedIn login credentials by sending out bogus connection requests to users. In one version of the scam, recipients receive a seemingly valid connection request from a Sales Manager named Kate.

However, upon close inspection of the email, you immediately see the red flags.

The perps did put some effort into creating the email by not using a standard email template. They deliberately generated an image mimicking a LinkedIn invite that users cannot interact with. Maximum efficiency is ensured, as targets are forced to open the attachment for more information.

When recipients open the attached Linkedin.html file, a fake LinkedIn page opens.

The green window asks for the account password and conveniently has the recipient’s email address filled in.

Amanda would also want to join your LinkedIn network to pitch a business offer you can’t resist. She’s also a Sales Manager working for a US-based company.

Crooks phish for your credentials via LinkedIn business inquiries

Other cybercrooks send fake LinkedIn business inquiries to targets.

Recipients interested in what Molly has to say who click on the Accept Business button open a separate window that asks for the user’s password.

Even if the above scam and phishing emails don’t ask you to act immediately due to a security alert or account termination, they may still fool unsuspecting LinkedIn users into giving their account passwords to cybercriminals.

The most recent LinkedIn-themed spam campaigns may differ from brick-and-mortar-style ruses, but their purpose remains the same. Before you realize it, your account password is in the hands of the bad guys, and they can now take over all of your online accounts that use the same email and password combination.

Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.

Criminals Use Collaboration Platforms to Spread Malware, Research Finds

Collaboration platforms used by employees have become a prime target for attackers seeking to take advantage of telework and the security risks this new paradigm entails, according to new research.

People — and employees especially — need to stay in touch with friends and coworkers while staying at home. The available collaboration platforms can fill that void, but they also come with security issues that can be difficult to mitigate.

We tend to think of malware as transmitted via back channels or fraudulent messages, but that’s not the whole picture. Abusing existing collaboration platforms to spread malware is one of the known methods, and it usually comes with some advantages for attackers.

“Attackers are increasingly abusing the communications platforms that many organizations use to facilitate employee communications,” says Talos in its research. “This allows them to circumvent perimeter security controls and maximize infection capabilities. Over the past year, adversaries are increasingly relying on these platforms as part of the infection process.”

Since these are well-established platforms, their use lends an attack more credence and allows attackers to bypass or trick some existing security solutions. Criminals don’t limit their use of these platforms to spreading malware; they also use them for component retrieval, command and control (C2) and data exfiltration.

“The use of applications like Discord and Slack may also provide an additional means to perform the social engineering required to convince potential victims to open malicious attachments,” the researchers also explain.

Victims are more likely to click on links or open attachments if they see messages from colleagues or an established platform. Moreover, rooms controlled by threat actors are also used for communications. For example, Discord has been used to spread some threats, including Thanatos, LimeRAT, Remcos and many others.

For malware delivery, files are transmitted between users by attaching them in channels. “Files are stored within the Content Delivery Network (CDN) that the platform provider operates, allowing server members to access these files as they appeared when they were originally attached,” says Talos.

Of course, because these attacks come from known and trustworthy services and the communication takes place over HTTPS, criminals can more easily obfuscate their content. Wrapping payloads in another layer of archiving, using formats such as ACE or ISO, makes it even more difficult to investigate them.

The fact that the same systems are used for content delivery and for communication with command and control centers only makes it more critical for companies to filter out malicious domains from their networks. Using collaboration platforms for malware distribution looks more and more like a game that’s just started.

Ransomware attack causes supermarket cheese shortage in the Netherlands

  • Company hit with ransomware was unable to deliver food to supermarkets
  • Firm’s director says he suspects hackers exploited Microsoft Exchange Server flaw

Shoppers at Dutch supermarkets may have noticed that some cheeses were in short supply last week, and cybercriminals are to blame.

Branches of Albert Heijn, the largest supermarket chain in the Netherlands, suffered from food shortages after a ransomware attack hit food transportation and logistics firm Bakker Logistiek over the Easter holiday, causing the firm to shut off computer systems and resort to pen and paper.

Inevitably, this impacted shipments from Bakker Logistiek’s warehouses, with deliveries from the company’s warehouses in Zeewolde, Tilburg and Heerenveen coming to a standstill, and shortages hitting branches of Albert Heijn.

Amongst the food types to be in short supply was prepackaged cheese, for which Albert Heijn apologised on its website.

With a little help from Google Translate, I’m able to decipher that statement from Albert Heijn as:

“Due to a technical malfunction, there is limited availability on prepackaged cheese. The logistics service provider is working hard to solve the problem as quickly as possible to quickly restore availability. We apologize for the inconvenience.”

Of course, the typical shopper isn’t likely to blame the transportation firm, or even the ransomware gang behind the attack. Foodies are most likely to be upset with the supermarket chain whose shelves aren’t fully stocked with cheeses, even though they’ve done nothing wrong.

According to one local media report, Bakker Logistiek director Toon Verhoeven suspects the attackers might have breached the company’s systems by exploiting the recently revealed flaw in Microsoft Exchange Server.

Verhoeven says that all of Bakker Logistiek’s IT systems are operational once more after six days of recovery, and that should mean that shops will begin to receive deliveries and shelves will be filled again in the coming days.

The company says that it has informed the authorities about the security breach, but is neither confirming nor denying whether it paid any ransom to its attackers.

DOJ Charges Texas Resident for Allegedly Planning to ‘Kill About 70% of The Internet’

Last Thursday, a Wichita Falls resident was arrested for allegedly attempting to bomb an AWS data center in Virginia.

According to the US Department of Justice (DOJ), 28-year-old Seth Aaron Pendley was detained after a concerned citizen alerted authorities to disturbing statements posted on the MyMilitia.com forum.

On March 31, with the help of a confidential source, Pendley got in touch with an FBI agent posing as an explosives dealer.

After taking what he believed to be an explosive device from an undercover law enforcement agent, he was arrested, prosecutors explained. His main goal was to destroy Amazon data centers that, according to him, “run 70% of the internet,” including FBI and CIA services.

“The investigation began after a concerned citizen contacted the FBI on Jan. 8 about alarming statements posted on MyMilitia.com, a forum dedicated to organizing militia groups,” the DOJ said in a press release. “A user who went by the screenname ‘Dionysus’ stated he was planning to ‘conduct a little experiment,’ that he said would ‘draw a lot of heat’ and could be ‘dangerous.’ When another user asked what outcome Dionysus desired, he responded, ‘death.’”

If found guilty, Pendley faces up to 20 years in federal prison.

“We are indebted to the concerned citizen who came forward to report the defendant’s alarming online rhetoric. In flagging his posts to the FBI, this individual may have saved the lives of a number of tech workers,” Acting US Attorney Prerak Shah said.

“We are also incredibly proud of our FBI partners, who ensured that the defendant was apprehended with an inert explosive device before he could inflict real harm. The Justice Department is determined to apprehend domestic extremists who intend to commit violence, no matter what political sentiment drives them to do so.”

Amazon also thanked the FBI in a statement:

“We would like to thank the FBI for their work in this investigation,” the tech giant said. “We take the safety and security of our staff and customer data incredibly seriously and constantly review various vectors for any potential threats. We will continue to retain this vigilance about our employees and customers.”

Security Researchers Find Critical Zero-Day Exploit in Zoom Messenger


A pair of security researchers have identified a critical zero-day vulnerability in Zoom that allowed them to take control of remote devices without user interaction.

Taking over a remote device over the network without any input from the victim usually means that it’s a critical vulnerability. Since the researchers only demonstrated the exploit chain, no details are available on how it works. We only know that Daan Keuper and Thijs Alkemade from Computest chained three bugs to exploit Zoom messenger.

The only details about the vulnerability appear in a short GIF posted on Twitter by the Zero Day Initiative, the organizer of Pwn2Own, a competition that gathers top white hat hackers from around the world. The researchers compromised a fully updated Windows 10 machine and ran the Calculator app.

While the exploit was shown running against Windows systems, macOS machines are also affected. Zoom is already working on a patch to fix the problems, especially since the company is a sponsor of the Pwn2Own Vancouver 2021 competition. Finding out about zero-day vulnerabilities in this type of competition is probably the best-case scenario.

“We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue,” said the company in a statement to Tom’s Guide. “The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.”

“As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center,” they explained.

Daan Keuper and Thijs Alkemade received a $200,000 prize for their efforts.

It’s Never Too Late To Teach Your Kids About Good Digital Practices

Online habits have changed dramatically over the past year, and adults are not the only ones spending more time online. Since the pandemic hit, limits on screen time for kids were tossed out as they turned to online platforms for school classes, activities, games and entertainment.

This increased digital time helped spawn new cyber threats that put their online and physical safety at risk.

While you’re busy grocery shopping online, banking, or working on a job project, your young ones have other fish to fry in the digital world. They connect with friends, play, and post on social media from the internet-enabled devices in your household.

So whether you’re working from home or heading to the office, it’s essential to teach your child about online threats and the importance of good cyber practices to protect them from online predators, cyberbullying, identity theft and malware.

Take the necessary precautions to ensure your child remains safe online:

  • Keep online accounts private – use the privacy settings available on most online platforms. Doing so ensures that their profile information can only be seen by close friends and family
  • Ensure they understand the importance of not accepting friend or message requests from strangers – you can never be sure if the individual contacting you has good intentions
  • Encourage limiting the information and photos they post online – you need to assume that any information you share or make public on the internet can be seen or intercepted by anyone
  • Help set up strong, unique passwords for all online accounts and keep the operating systems of smart devices up to date at all times
  • Advise children to always ask for assistance or advice when downloading new apps on their device
  • Urge them never to provide their phone number, home address, school name or other personal information
  • Underline the importance of openly communicating with you and reporting any suspicious activity on their accounts
  • Make sure they never respond to threatening emails, messages, posts or texts
  • Teach them about email-based threats, phishing and fake pop-ups that may appear on their screens
  • Watch for any warning signs that suspicious individuals may be targeting your child, such as spending long hours online, phone calls from strangers and withdrawal from family activities
  • Use a security solution with advanced parental control that filters out inappropriate content and offers the possibility to limit screen time

Profiles and Associated Info of Half a Billion LinkedIn Users For Sale on Hacking Forum

Fact: Half a billion LinkedIn users are in for an unpleasant surprise, as scraped datasets of their profile information are up for sale right now on an underground forum.

The database was auctioned for a four-digit sum (minimum), according to the cyber thief who advertised the trove of user information. To entice buyers, he even provided a leaked sample containing the information of 2 million LinkedIn users. Any prospective buyer can go through the data for a $2 payment in forum credit.

Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool.

What type of data was leaked?

According to Cybernews researchers who analyzed the samples, the data includes a combo of LinkedIn profiles and associated info, such as user IDs, full names, email addresses, phone numbers, gender, professional titles, job-related descriptions, profile and social media profile links.

A new breach or data-scraping venture?

The archive contains allegedly scraped user profile information from LinkedIn and is not part of a new data breach.

LinkedIn also confirmed the claims provided by the threat actor in a recent Corporate Communications message:

“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies,” the notification reads. “It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”

The online service has also made it clear that any misuse of user data, including web-scraping techniques, clearly violates the platform’s terms of service:

“Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service,” LinkedIn added. “When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”

What should victims expect?

Although no sensitive or financial data was included in the leaked files, the information can be exploited by scammers and threat actors to conduct targeted phishing and smishing attacks, or even to brute-force passwords and take over accounts.

The best way to protect your account and professional identity is to keep an eye out for suspicious and unsolicited communications you may receive via email, text message, or the LinkedIn chat feature. Even if account passwords have not been exposed, it’s never a bad idea to change the password for online accounts and enable two-factor authentication.

Since the data leak has already made headlines, threat actors might try to send out phishing emails that urge you to access a fake link to make modifications to your account or change the password.

Don’t click on suspicious links you might receive in your inbox. Head to the official website and look for notifications there.
