week 14
Good news for Chrome users.
Starting next year, Chrome extensions will show what data they collect from users.
Google will add a "Privacy practices" section to each Chrome extension's Web Store page listing what data the extension collects from users and what the developer plans to do with it.
Google said today it plans to add a new section on the Chrome Web Store where extension developers will be able to disclose what user data they collect and what they plan to do with the information.
The new section is set to go into effect on January 18, 2021, and will appear as a "Privacy practices" button on each extension's Web Store listing.
To aid the process, Google has added a new section today in the Web Store dashboard where extension developers will be able to disclose what data they collect from their users and for what purposes.
Google's new "data usage" dashboard will ship with a limited set of preset options, which will effectively prohibit Chrome developers from certain data practices, such as:
The bulk sale of user data (developers must certify that any use or transfer of user data is for the primary benefit of the user and in accordance with the stated purpose of the extension).
The use or transfer of user data for personalized advertising.
The use or transfer of user data for creditworthiness or any form of lending qualification, or to data brokers or other information resellers.
Google's new "data disclosure" policy is not unique. At the WWDC 2020 developer conference in June this year, Apple announced that all App Store app listings will soon be required to include a privacy label that lists all the data points apps collect from users and which data points are used to track users across apps.
Apple's privacy labels are scheduled to go live on December 8, next month.
Google said it plans to show notices to all developers in the Web Store developer dashboards and prompt extension makers to set up a "privacy practices" section.
week 12
Play Store identified as main distribution vector for most Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study, considered the largest one of its kind carried out to date.
Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019. In total, researchers looked at more than 34 million APK (Android application package) installs for 7.9 million unique apps.
Researchers said that, depending on the classification of Android malware used, between 10% and 24% of the apps they analyzed could be described as malicious or unwanted applications.
But the researchers focused specifically on the "who-installs-who" relationships between installer apps and child apps to discover the path malicious apps take to reach user devices. The research team said it looked at 12 major categories that result in app installations:
Apps installed from the official Play Store
Apps installed from alternative markets (aka third-party app stores)
Apps downloaded via web browsers
Apps installed via commercial PPI (pay-per-install) programs
Apps installed via backup and restore operations
Apps installed from an instant messaging (IM) app
Apps installed via phone theme stores
Apps loaded onto disk and installed via the local file manager
Apps installed from file sharing apps
Apps preloaded on the device (bloatware)
Apps installed via mobile device management (MDM) servers (apps installed by enterprises on their employees' devices)
Apps installed via package installers
The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store. In a distant second, with 10%, came alternative markets, dispelling a pretty common assumption that most Android malware these days comes from third-party app stores.
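Pulling the same installer relation off a device you hold, as an added example that is not the study's tooling: the script parses the output of "adb shell pm list packages -i" (each line names a package and the package that installed it, or null), buckets packages by installer and lists everything that did not come from Play. The sample output is constructed, and the installer-to-category table is an assumption that is far coarser than the study's twelve categories; com.android.vending is the Play Store's real package name.

```python
"""Attribute installed Android packages to their installer, the raw
"who-installs-who" relation the study builds on.  Added example, not the
study's tooling.  Input is the text printed by
`adb shell pm list packages -i` (one "package:<name>  installer=<pkg|null>"
line per app)."""
import re
from collections import Counter

# Installer package -> coarse category.  com.android.vending (Play) and the
# vendor stores listed are real package names; the grouping itself is an
# assumption and far coarser than the study's 12 categories.
INSTALLER_CATEGORY = {
    "com.android.vending": "play_store",
    "com.amazon.venezia": "alternative_market",
    "com.sec.android.app.samsungapps": "alternative_market",
    "com.huawei.appmarket": "alternative_market",
    "com.google.android.packageinstaller": "sideloaded",  # file manager / browser download
    "com.android.packageinstaller": "sideloaded",
}

_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text):
    """Map package name -> installer package (None when pm prints 'null',
    i.e. preloaded, adb-installed, or the installer record was lost)."""
    installers = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def category_of(installer):
    if installer is None:
        return "preloaded_or_unknown"
    return INSTALLER_CATEGORY.get(installer, "other_installer")


def summarize(text):
    """Count packages per installer category."""
    return Counter(category_of(i) for i in parse_pm_output(text).values())


def non_play_packages(text):
    """Packages that did not come from the Play Store: the set a reviewer
    would triage first, even though the study shows Play is no clean bill
    of health either."""
    return sorted(p for p, i in parse_pm_output(text).items()
                  if i != "com.android.vending")


# Constructed sample output, not from a real device.
SAMPLE = """\
package:com.example.bank installer=com.android.vending
package:com.example.game installer=com.amazon.venezia
package:com.example.sideload installer=com.google.android.packageinstaller
package:com.android.systemui installer=null
package:com.example.cleaner installer=com.unknown.store
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(non_play_packages(SAMPLE))
```

A null installer covers preloads, "adb install" and packages whose installer record was lost on upgrade, so treat that bucket as unknown rather than clean; and, as the 67% figure above shows, a Play installer is not a clean bill of health either.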
week 11
Linux version of RansomEXX ransomware discovered
This marks the first time a major Windows ransomware strain has been ported to Linux to aid hackers in their targeted intrusions.
Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ).
RansomEXX is what security researchers call a "big-game hunter" or "human-operated ransomware." These two terms describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can't afford to stay down while they recover their systems.
These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target's infrastructure as possible.
But over the past year, there has been a paradigm shift in how these groups operate.
Many ransomware gangs have realized that attacking workstations first isn't a lucrative deal, as companies tend to re-image affected systems and move on without paying ransoms.
In recent months, in many incidents, some ransomware gangs haven't bothered encrypting workstations at all and have first and foremost targeted crucial servers inside a company's network, knowing that by taking down these systems first, companies wouldn't be able to access their centralized data troves, even if workstations were unaffected.
The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux and not always on Windows Server.
A Linux version makes perfect sense from an attacker's perspective: these groups are always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.
What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.
And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.
But Linux ransomware is also not new. In past years, other ransomware gangs have created Linux ransomware strains as well, such as the Snatch group. However, those groups were small-time operations that relied on spam campaigns to infect victims, were rarely successful, and did not engage in targeted intrusions like the current generation of ransomware groups.
Emsisoft says the RansomEXX Linux variants it has detected were seen as far back as July. Configuring systems to detect the RansomEXX Linux variant isn't a solid strategy on its own, because of the way big-game hunter ransomware crews operate: by the time attackers deploy the ransomware, they already own most of a company's network. The best strategy companies can take against these types of intrusions is to secure the network perimeter, by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.
week 10
Russian Espionage Group Updates Custom Malware Suite
Turla has outfitted a trio of backdoors with new C2 tricks and increased interop, as seen in an attack on a European government.
The advanced persistent threat (APT) known as Turla is targeting government organizations using custom malware, including an updated trio of implants that give the group persistence through overlapping backdoor access.
Russia-tied Turla (a.k.a. Ouroboros, Snake, Venomous Bear or Waterbug) is a cyber-espionage group that’s been around for more than a decade. It’s known for its complex collection of malware and interesting command-and-control (C2) implementations. It targets governmental, military and diplomatic targets.
Accenture researchers observed a recent campaign against a foreign government in Europe that ran between June and October, which featured three legacy weapons, all with significant updates. They worked together as a kind of multi-layered threat toolkit.
One of the updated tools is the HyperStack remote procedure call (RPC)-based backdoor (named after the filename that its authors gave it). Accenture has tied it to the group for the first time, thanks to its use alongside the other two tools seen in the campaign: Known Turla second-stage remote-access trojans (RATs), Kazuar and Carbon.
“The RATs transmit the command-execution results and exfiltrate data from the victim’s network, while the RPC-based backdoors [including HyperStack] use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network,” according to an Accenture analysis, released on Wednesday. “These tools often include several layers of obfuscation and defense-evasion techniques.”
The upgrades seen in the campaign largely revolved around creating built-in redundancies for remote communication. Turla used disparate C2 configurations, to allow different re-entry points should one of them be blocked.
“[These included] novel [C2] configurations for Turla’s Carbon and Kazuar [RATs] on the same victim network,” according to the analysis. “The Kazuar instances varied in configuration between using external C2 nodes off the victim network and internal nodes on the affected network, and the Carbon instance had been updated to include a Pastebin project to receive encrypted tasks alongside its traditional HTTP C2 infrastructure.”
HyperStack Backdoor
The HyperStack backdoor began life in 2018, but it received a major update in September that allowed Accenture researchers to tie it back to Turla.
“The updated functionality…appears to be inspired by the RPC backdoors previously publicly disclosed by ESET and Symantec researchers, as well as with the Carbon backdoor,” they explained. “Based on these similarities, we assess with high confidence that HyperStack is a custom Turla backdoor.”
The new version of HyperStack uses named pipes to execute RPC calls from a controller to a device hosting the HyperStack client. It leverages IPC$, the hidden administrative share through which Windows exposes named pipes for inter-process communication (IPC), letting a remote client write to or read from them.
“To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials,” explained Accenture researchers. “If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.”
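A defender-side counterpart to the lateral movement just described, as an added example that is not Accenture's code: it runs over a handful of constructed Windows Security event 5140 records ("A network share object was accessed"), flags anonymous-logon connections to IPC$, and groups them by source address so that one host sweeping many others stands out. The field names are those of event 5140; that "Audit File Share" logging is enabled, and the sample events themselves, are assumptions.

```python
"""Flag null-session (ANONYMOUS LOGON) access to the IPC$ share, the
connection HyperStack tries first when moving laterally, and surface
sources that fan out to several hosts.  Added example, not Accenture's
code.  Events are modelled as dicts with the field names of Windows
Security event 5140 ("A network share object was accessed"); logging them
requires the "Audit File Share" subcategory to be on, which is assumed."""
from collections import defaultdict

ANON = "ANONYMOUS LOGON"


def is_null_session_ipc(event):
    """True for a 5140 event where an anonymous logon opened \\\\*\\IPC$."""
    return (
        event.get("EventID") == 5140
        and event.get("ShareName", "").upper().endswith("IPC$")
        and event.get("SubjectUserName", "").upper() == ANON
    )


def null_session_ipc_events(events):
    return [e for e in events if is_null_session_ipc(e)]


def fan_out(events, min_targets=2):
    """Source IP -> set of hosts it reached via null-session IPC$, keeping
    only sources that touched at least min_targets distinct hosts.  One
    source sweeping many hosts is the lateral-movement shape described above."""
    targets = defaultdict(set)
    for e in null_session_ipc_events(events):
        targets[e["IpAddress"]].add(e["Computer"])
    return {ip: hosts for ip, hosts in targets.items() if len(hosts) >= min_targets}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "fs01.corp.local", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "Computer": "fs01.corp.local", "SubjectUserName": ANON,
     "SubjectDomainName": "NT AUTHORITY", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.42"},
    {"EventID": 5140, "Computer": "ws07.corp.local", "SubjectUserName": ANON,
     "SubjectDomainName": "NT AUTHORITY", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.42"},
    {"EventID": 5140, "Computer": "ws08.corp.local", "SubjectUserName": ANON,
     "SubjectDomainName": "NT AUTHORITY", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.42"},
    {"EventID": 5140, "Computer": "fs01.corp.local", "SubjectUserName": ANON,
     "SubjectDomainName": "NT AUTHORITY", "ShareName": "\\\\*\\Public", "IpAddress": "10.0.0.99"},
    {"EventID": 5145, "Computer": "fs01.corp.local", "SubjectUserName": ANON,
     "SubjectDomainName": "NT AUTHORITY", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.42"},
]

if __name__ == "__main__":
    for e in null_session_ipc_events(SAMPLE_EVENTS):
        print(e["IpAddress"], "->", e["Computer"])
    print(fan_out(SAMPLE_EVENTS))
```

The other path Accenture names, default credentials, produces ordinary authenticated share access and will not trip this rule; for that case the fan-out view (one source opening IPC$ on many hosts in a short window) is the signal to keep, with the anonymous-logon filter dropped.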
Kazuar Updates
Meanwhile, a Kazuar sample used in the observed European campaign, which Accenture analyzed in mid-September, was configured to receive commands via Uniform Resource Identifiers (URIs) pointing to internal C2 nodes in the victim government's network.
This Kazuar configuration acted alongside another sample, analyzed in early October.
“Based on references to the internal C2 node, the October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network, via an internet-facing shared network location,” according to Accenture. “This set-up allows Turla operators to communicate with Kazuar-infected machines in the victim network that are not accessible remotely.”
Yet another Kazuar sample found on the victim network was configured to communicate directly with a C2 server located outside the victim network, hosted on a compromised legitimate website. This was used by Turla to proxy commands and exfiltrate data to Turla backend infrastructure, researchers said.
Kazuar is a multiplatform trojan discovered in 2017 that allows Turla to remotely load additional plugins to increase its capabilities. It exposes these through an Application Programming Interface (API) to a built-in web server, and it has code lineage that can be traced back to at least 2005, researchers have said. For a while it was believed to have been the successor to Carbon.
Carbon Updates
The aforementioned legacy tool Carbon was also updated for the observed campaign. Carbon is a modular backdoor framework with advanced peer-to-peer capability that Turla has used for several years, well before Kazuar hit the scene.
In June, an updated sample made an appearance which combined the Turla-owned C2 infrastructure with tasks served from Pastebin, researchers found. The installer for the sample contained a configuration file with URLs for compromised web servers hosting a web shell that transmits commands and exfiltrates data from the victim network – as expected. But researchers noted that it also contained a parameter labeled [RENDEZVOUS_POINT], with a URL for a Pastebin project.
“When accessing the Pastebin URL, an encrypted blob is downloaded that requires a corresponding RSA private key from the configuration file,” researchers explained. “The configuration file analyzed did not contain the RSA private key and therefore we were unable to decrypt the contents of the Pastebin link. We assess the decrypted blob was likely a task for the Carbon instance.”
The use of a legitimate web service like Pastebin for C2 activities is an ongoing trend among APTs, the researchers noted, for a few different reasons.
“[For one], web services allow cyber-espionage groups’ malicious network traffic to blend easily with legitimate network traffic,” according to researchers. “Also, threat groups can easily change or create new infrastructure which makes it difficult for defenders to shut down or sinkhole their infrastructure. [And], using web services complicates attribution since the C2 infrastructure is not owned by the threat group.”
Turla will likely continue to use its legacy tools, with upgrades, to compromise and maintain long term access to its victims, researchers said.
“This combination of tools has served Turla well, as some of their current backdoors use code that dates back to 2005,” Accenture researchers noted. “The threat group will likely continue to maintain and rely on this ecosystem, and iterations of it, as long as the group targets Windows-based networks.”
week 9
Malicious SharePoint and OneDrive links are a phishing scammer’s dream
Attackers are exploiting the rapid adoption of cloud-based collaboration services such as Microsoft’s SharePoint Online and OneDrive by leveraging them as a social engineering tool to trick users into clicking on malicious links, often for the purpose of wire fraud or supply chain fraud.
In an analysis this week, cybersecurity firm Proofpoint revealed that in the first half of 2020, it collected approximately 5.9 million email messages featuring malicious SharePoint Online and OneDrive links. While these emails constituted only about one percent of all messages containing malicious URLs, they represented more than 13 percent of all user clicks.
This report comes on top of another report this week that warned of similar tactics to steal a corporate user’s login credentials using Microsoft Teams.
Users were found to be seven times more likely to click on a malicious SharePoint or OneDrive link that’s hosted on a legitimate Microsoft domain. Recipients were four times more likely to click on a SharePoint phishing link, and 11 times more likely to click on a malicious OneDrive link.
Experts say cloud-based collaboration services are ideal tools for adversaries to abuse for social engineering because if the bad actors can compromise a person's actual cloud-based account, they can then reach out to that person's contacts and fool them into thinking the email contains an invoice, voicemail or similar legitimate communication from a partner or colleague. “These attacks mimic the way people do business,” Itir Clarke, senior product marketing manager at Proofpoint, told SC Media.
Proofpoint observed about 5,500 compromised Microsoft tenants, “which represent a large portion of Microsoft’s enterprise customer base,” the company said in a blog post.
Oliver Tavakoli, CTO at Vectra, agreed that these kind of phishing scams tend to be more successful “since the email is sourced by an internal party, rather than being from an external party pretending to be internal, and the links to SharePoint or OneDrive files reinforce to the victim that this is an internal communication.”
Tom Pendergast, chief learning officer at MediaPRO, noted that attackers are simply jumping on the same bandwagon as their targets.
“Document-sharing and collaboration links are now eclipsing attachments for document sharing, so it’s natural that cybercriminals are moving in the same direction,” Pendergast said.
“These links, especially from SharePoint, can look pretty obscure and complicated even when they are legit. So people get used to clicking on strange-looking but real links, thinking they have the context to validate it’s real. That itself is a problem, but if your co-worker’s email account gets hijacked and that’s where the link comes from? Now you’ve got a known sender and an expected form of link. It’s the perfect setup for a scam.”
The COVID-19 pandemic and its resulting remote-workforce culture has only accelerated cloud adoption and the malicious targeting that has followed.
“Employees and organizations are using collaboration platforms more and more, especially with the increase in remote workers,” said Hillary Baron, program manager, research, with the Cloud Security Alliance.
These tools are often sanctioned by their organization for use so they’re seen as credible. Hackers are then taking advantage of this by mimicking what is familiar and trusted by employees.
“Change is generally good for attackers and bad for defenders,” said Tavakoli. “A rapid migration from one mode of working to another creates uncertainty in the minds of general users as to what would be normal in this new world. And attackers who rely on duping users exploit that uncertainty.”
“Furthermore, an account takeover of days past, when your Exchange server was locally hosted in your network, was not as easy to leverage for this type of an attack, as it also required the attacker to have access to a system on the organization’s network,” Tavakoli continued. “Now an account which has been taken over can be directly utilized from the internet, thus reducing the level of scrutiny it receives.”
How the scam works… and how to prevent it.
According to Proofpoint, after a typical SharePoint or OneDrive account compromise, the attackers upload a malicious file and change the file's sharing permissions to “public” so that anyone with the link can access it. The malicious link is then shared with the compromised user’s contacts or other targeted individuals.
Sometimes the link is a unique redirect URL “and hence can be difficult to detect, as it would not appear on any URL reputation repository,” Proofpoint explained.
Other similarly abused cloud-based services include Sway, Dropbox, Googleapis, Google Docs, Google Drive, and Box.
Proofpoint also said that some attackers have strategically placed malicious content in one compromised account while using a second account – perhaps one belonging to an important or credible individual one might expect a communication from – to send the link. “In addition, even if the compromised account in the second tenant is discovered, the malicious file hosted in the first tenant would not be taken down. And so, the attack would persist,” Proofpoint noted.
Proofpoint said this particular phishing scam is difficult to detect “and even harder to block/mitigate if you lack visibility into both email and cloud environments.”
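One concrete check for the two-tenant pattern Proofpoint describes, as an added example that is not Proofpoint's detection logic: given a sender address and the URLs in the message, it extracts the tenant name from SharePoint Online hostnames and flags links whose tenant is not the one the sender's organization uses, plus consumer OneDrive links arriving in business mail. The sender-domain-to-tenant table and the sample message are assumptions; the hostname shapes (tenant.sharepoint.com, tenant-my.sharepoint.com, 1drv.ms, onedrive.live.com) are Microsoft's.

```python
"""Classify SharePoint/OneDrive links in an email against the sender's
organization.  Added example, not Proofpoint's detection logic.  The
tenant-to-domain table is an assumption a deployment would fill from its
own directory; the hostname patterns (tenant.sharepoint.com,
tenant-my.sharepoint.com, 1drv.ms, onedrive.live.com) are Microsoft's."""
import re
from urllib.parse import urlparse

# Assumed mapping: sender email domain -> SharePoint Online tenant name.
EXPECTED_TENANT = {"contoso.com": "contoso", "fabrikam.com": "fabrikam"}

_SHAREPOINT_HOST = re.compile(r"^(?P<tenant>[a-z0-9-]+?)(?:-my)?\.sharepoint\.com$")
_CONSUMER_ONEDRIVE = {"1drv.ms", "onedrive.live.com"}
RISKY = {"sharepoint_foreign_tenant", "sharepoint_unknown_sender", "consumer_onedrive"}


def sharepoint_tenant(url):
    """Tenant name from a SharePoint Online URL, or None for anything else."""
    host = (urlparse(url).hostname or "").lower()
    m = _SHAREPOINT_HOST.match(host)
    return m.group("tenant") if m else None


def classify_link(sender, url):
    """Label one URL relative to the sender's expected tenant."""
    host = (urlparse(url).hostname or "").lower()
    tenant = sharepoint_tenant(url)
    if tenant:
        expected = EXPECTED_TENANT.get(sender.rsplit("@", 1)[-1].lower())
        if expected is None:
            return "sharepoint_unknown_sender"
        return "sharepoint_same_tenant" if tenant == expected else "sharepoint_foreign_tenant"
    if host in _CONSUMER_ONEDRIVE:
        return "consumer_onedrive"
    return "other"


def risky_links(sender, urls):
    """(url, label) pairs worth holding for review: a file shared from a tenant
    other than the sender's own (the two-tenant setup above), or a consumer
    OneDrive link in business mail."""
    return [(u, c) for u in urls if (c := classify_link(sender, u)) in RISKY]


# Constructed sample message (not real mail).
SAMPLE_MAIL = {
    "sender": "bob@contoso.com",
    "urls": [
        "https://contoso.sharepoint.com/:b:/s/Finance/EZ1example",
        "https://fabrikam-my.sharepoint.com/:w:/p/someone/EXexample",
        "https://1drv.ms/u/s!example",
        "https://contoso.com/invoices/2020-10.pdf",
    ],
}

if __name__ == "__main__":
    for url, label in risky_links(SAMPLE_MAIL["sender"], SAMPLE_MAIL["urls"]):
        print(label, url)
```

The check is silent in the case Proofpoint calls hardest: a compromised account sharing a file from its own tenant passes as same-tenant, and the unique redirect URLs mentioned above do not resolve to a SharePoint host at all until followed. Both need the cloud-side signals (a new anyone-with-the-link share, an unusual upload) rather than the mail stream alone, which is the visibility point the next paragraph makes.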
Suggestions from experts to reduce the overall threat included improving cloud visibility, training, and adopting a Cloud Access Security Broker (CASB) solution.
Chris Hazelton, director of security solutions at Lookout, said that organizations moving to the cloud should “move protections from phishing and social engineering attacks to all the endpoints used to access corporate cloud data.” For instance, “privacy-centric monitoring should take place on every endpoint accessing corporate data,” he added.
Hazelton also advised beefing up training to “help users understand that trusted websites can be used in phishing attacks. Users need to go beyond just inspecting web links. They need to make sure that the context in which a cloud service is being used makes sense.”
Baron also recommended installing “technical solutions for Zero Trust networking such as Software Defined Perimeters (SDP), Virtual Private Networks (VPN), and Network Access Control (NAC)” to protect remote workers.
Other experts and security companies recommended investing in Cloud Access Security Brokers, predictive sandboxing, employee/role-based risk assessments (to determine who is likely to be targeted), identity and access management, multi-factor authentication for endpoints and cloud-based services, and more.
SC Media also reached out to Microsoft to inquire how the company recommends users of its cloud-based collaboration services defend themselves against this trending threat.
week 8
Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions
Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.
The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.
Tracked as CVE-2020-10138 (CVSS score 8.1), the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses “an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\.”
Given that unprivileged Windows users are able to create subdirectories off of the system root, it is possible for a user to create the appropriate path to an openssl.cnf file that would allow them to run arbitrary code with SYSTEM privileges.
The second flaw, CVE-2020-10139 (CVSS score 8.1), was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can get the privileged service to load a specially-crafted openssl.cnf file, resulting in code execution with SYSTEM privileges.
Identified in Acronis True Image 2021 and tracked as CVE-2020-10140 (CVSS score 8.7), the third vulnerability exists because the backup software fails to properly set access control lists (ACLs) for the C:\ProgramData\Acronis directory.
Thus, an unprivileged user could place a DLL in one of the multiple paths within that directory and achieve arbitrary code execution through privileged processes that are executed from C:\ProgramData\Acronis, the CERT/CC note reveals.
“By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details,” CERT/CC explains.
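The ACL condition behind CVE-2020-10140 is something an administrator can check on any machine, so here is an added example (not CERT/CC's or Acronis' tooling) that parses the output of "icacls C:\ProgramData\Acronis" and reports access control entries giving a low-privileged principal write rights on the directory. The sample output is constructed in icacls' format; the set of identities treated as low-privileged and the directory path are assumptions.

```python
"""Parse `icacls <dir>` output and flag ACEs that give low-privileged
principals write rights on a directory from which privileged processes load
DLLs or configuration.  Added example, not CERT/CC's or Acronis' tooling.
The output below is constructed in the format icacls prints; the set of
identities considered low-privileged is an assumption."""
import re

LOW_PRIV = {
    "BUILTIN\\USERS",
    "EVERYONE",
    "NT AUTHORITY\\AUTHENTICATED USERS",
    "NT AUTHORITY\\INTERACTIVE",
}
# Simple and specific rights that allow creating or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC"}

_ACE = re.compile(r"^(?P<identity>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(output, path):
    """Return [(identity, set_of_right_tokens)] for each ACE in icacls output.
    The first line carries the queried path before its first ACE; later
    lines are indented continuation lines with one ACE each."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("identity"), tokens))
    return aces


def weak_aces(output, path):
    """ACEs where a low-privileged principal can write into the directory."""
    return [
        (identity, sorted(rights & WRITE_RIGHTS))
        for identity, rights in parse_icacls(output, path)
        if identity.upper() in LOW_PRIV and rights & WRITE_RIGHTS
    ]


# Constructed sample: what icacls would print for a directory whose DACL
# grants Users Modify (the CVE-2020-10140 condition), not a real capture.
ACRONIS_DIR = r"C:\ProgramData\Acronis"
SAMPLE_ICACLS = r"""C:\ProgramData\Acronis BUILTIN\Administrators:(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       BUILTIN\Users:(OI)(CI)(M)
                       CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for identity, rights in weak_aces(SAMPLE_ICACLS, ACRONIS_DIR):
        print(f"{identity} can write ({', '.join(rights)}) in {ACRONIS_DIR}")
```

Run icacls with /t to cover every subdirectory a privileged process executes from, since the DLL can sit in any of them. The two OPENSSLDIR bugs need a different check: whether the configured directory exists at all, because, as noted above, a missing directory under the system root can be created by any user.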
Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600 were released in early October 2020 with patches for these vulnerabilities.
week 7
Credit card skimmer targets virtual conference platform
We’ve seen many security incidents affecting different websites simultaneously because they were loading the same tampered piece of code. In many instances, this is due to what we call a supply-chain attack, where a threat actor targets one company that acts as an intermediary to others.
In today’s case, the targeted websites all reside on the same server and sell video content from various conferences and conventions. The host control panel belongs to Playback Now, a company that provides its customers with an array of services to capture and deliver recorded material into an online conference experience.
Criminals decided to impersonate Playback Now by registering a malicious domain lexically close to their official website that could be used to discreetly serve a credit card skimmer as well as collect stolen data.
Their next move was to inject a malicious reference to this skimmer code into dozens of Magento sites hosted on the same IP address belonging to Playback Now. As a result, the financial details from customers shopping for conference material are now at risk.
Online conference sites compromised with Inter skimming kit
Playback Now provides organizations with an easy way to seamlessly convert an event into an online virtual experience. Conferences and seminars can be delivered via live streaming, on demand, or a hybrid of the two.
Their offering of a virtual conference expo hall seems like a timely solution during the pandemic for organizers and exhibitors to connect with customers just like at an in-person event.
Businesses or organizations that want to join the experience can get a dedicated website from which they will serve and promote their content. Take the following website built for the Association of Healthcare Internal Auditors.
Once users have registered and purchased one of the packages, they can access recorded sessions online or save them onto a flash drive.
A closer look at the website’s source code reveals an external reference to a JavaScript file. It would be easy to overlook, thinking it is served from the legitimate Playback Now website (playbacknow.com), but there is an extra ‘s’ in that domain name (playbacknows[.]com) that gives it away.
That domain was registered only a couple of weeks ago and its home page is void of any content.
Domain name: playbacknows.com
Creation Date: 2020-09-21T20:22:10.00Z
Registrar: NAMECHEAP INC
Registrant Name: WhoisGuard Protected
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
In total, we detected the reference to this domain in over 40 websites belonging to different organizations (see the IOCs section of this blogpost).
This JavaScript is a skimmer that has been lightly obfuscated and contains a certain number of strings that are a common marking for the Inter skimming kit.
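A check a site owner could run against their own pages for the lookalike trick above, as an added example that is not Malwarebytes' code: it pulls every script src from the HTML and labels each host as local, trusted, a lookalike within two edits of a trusted registrable domain, or an unknown external host. The trusted-host list and the sample page are constructed; playbacknows.com is the domain named in the article.

```python
"""Audit the external <script src> hosts on a page and flag domains that are
a small edit away from a trusted one, the playbacknow / playbacknows trick
above.  Added example, not Malwarebytes' detection.  The trusted host list
and the HTML are constructed; the lookalike domain is the one named in the
article."""
import re
from urllib.parse import urlparse

# Assumed allowlist a site owner would maintain for its own pages.
TRUSTED_HOSTS = {"playbacknow.com", "www.playbacknow.com", "cdn.playbacknow.com"}
MAX_EDIT_DISTANCE = 2

_SCRIPT_SRC = re.compile(r"""<script\b[^>]*\ssrc\s*=\s*['"]([^'"]+)['"]""", re.I)


def levenshtein(a, b):
    """Classic edit distance; short domain labels make the O(n*m) cost moot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: plain two-label TLDs only (no co.uk style public suffixes).
    return ".".join(host.lower().split(".")[-2:])


def script_hosts(html):
    """[(src, hostname)] for every script tag with a src attribute;
    hostname is '' for relative (same-origin) sources."""
    return [(src, (urlparse(src).hostname or "").lower())
            for src in _SCRIPT_SRC.findall(html)]


def audit_scripts(html, trusted=TRUSTED_HOSTS):
    """Label each script source: local, trusted, lookalike, or unknown_external."""
    trusted_regs = {registrable(h) for h in trusted}
    report = []
    for src, host in script_hosts(html):
        if not host:
            label = "local"
        elif host in trusted:
            label = "trusted"
        elif any(levenshtein(registrable(host), t) <= MAX_EDIT_DISTANCE
                 for t in trusted_regs):
            label = "lookalike"
        else:
            label = "unknown_external"
        report.append((src, label))
    return report


# Constructed page, not the compromised site's source.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/app.js"></script>
<script type="text/javascript" src="https://www.playbacknow.com/js/player.js"></script>
<script src="https://playbacknows.com/js/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1.0.0/dist/lib.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, label in audit_scripts(SAMPLE_HTML):
        print(f"{label:16} {src}")
```

Unknown external hosts deserve the same review as lookalikes (the 40-plus sites above were compromised by an injected reference, not by a domain typo), and a static scan of the HTML misses scripts that are themselves loaded by other scripts; a Content Security Policy with an explicit script-src list closes that gap at the browser.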
week 5
Minnesota Suffers Second-Largest Data Breach
Hundreds of thousands of Minnesotans are receiving letters warning them that their data may have been exposed in the second-largest healthcare data breach in state history.
The letters were sent to individuals who had donated to or been a patient of Allina Health hospitals and clinics or Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities.
Breach notifications warned that personal data may have been exposed following a ransomware attack on third-party vendor Blackbaud in May 2020. The South Carolina company is one of the world's largest providers of education administration, fundraising, and financial management software.
To date, over 3 million people in the United States have been impacted by the attack on Blackbaud, which has also impacted a number of universities, charities, and organizations in the United Kingdom.
Attackers gained access to copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud computing systems. Individuals impacted by the breach have been warned to monitor their medical bills for any instances of fraud.
In a statement regarding the incident, Children's Minnesota shared: "Based on our investigation and review of the affected Blackbaud database, the incident involved limited patient information that the Foundation received in connection with its fundraising efforts, including: full names, addresses, phone numbers, age, dates of birth, gender, medical record numbers, dates of treatment, locations of treatment, names of treating clinicians, and health insurance status."
Allina Health has notified more than 200,000 patients and donors that their data may have been exposed as a result of the attack on Blackbaud.
A statement on Allina's website seeks to reassure customers by rather optimistically telling them: "Blackbaud did pay the cybercriminal’s demand with confirmation that the copy of the data that they removed had been destroyed."
Patients and donors at Regions Hospital and Gillette Children's Specialty Healthcare in Minnesota have also received data breach notifications this month as a result of the attack on Blackbaud.
The Blackbaud-related breach of hundreds of thousands of records is the second-largest health data breach ever to have been reported in Minnesota. The largest breach, of 11,500,000 records, was reported in July last year by Optum360, LLC.
TikTok Fixes Flaws That Opened Android App to Compromise
he flaws are disclosed as Oracle reportedly partners with TikTok as concerns in the U.S. over spying continue.
Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. Public disclosure of the vulnerabilities was Friday and all bugs have been patched in version 17.4.4 of the app.
Oversecured researchers said they found three arbitrary code execution flaws and one arbitrary file theft vulnerability in TikTok. Disclosure of the flaws comes just as the social-media platform’s owner has reportedly chosen Oracle as an American tech partner that could help keep the app running in the U.S., on the heels of U.S. President Donald Trump threatening to ban the app over spying concerns.

If exploited, the arbitrary code execution flaws could allow attackers to access victims’ private messages and videos within the app. They could also gain control over the app’s permissions, giving them access to victims’ pictures and videos stored on the device, web browser downloads, audio and video recording functions, and contacts.

“All these vulnerabilities could have been exploited by a hacker if a user had installed a malicious app onto their Android device,” according to researchers with Oversecured, who discovered the flaws, in a Friday post. “All the vulnerabilities have been removed. Users should update to the latest version on Google Play to enjoy the best experience.”

TikTok Android Flaws

Researchers scanned the app and found several vulnerabilities in the way that files are loaded into the app. All of the arbitrary code execution flaws were found in Android components declared in the AndroidManifest.xml file, the manifest that describes essential information about an app to the Android build tools, the Android operating system, and Google Play. The components in question are DetailActivity, NotificationBroadcastReceiver, and the IndependentProcessDownloadService AIDL (Android Interface Definition Language) interface.

The issue with these components is that they lacked certain security checks, allowing a third-party app, or anyone, to load malicious arbitrary files through them.

“The initial vulnerability is that all of them were ‘exposed’ (or unprotected by default Android permission model),” Sergey Toshin, founder of Oversecured, told Threatpost. “That allowed third-party apps to reach them.”

To exploit the flaws, an attacker would first need to convince a target to install an app (a calculator app, for instance). Once installed, that app could write a library file into TikTok’s private directory and cause TikTok to load it automatically.

“The vulnerability could have been exploited by an app that was only run once and then, say, deleted,” researchers explained. “The library would have been written to the app’s private directory and could have been loaded by the app even after the phone was rebooted or the app restarted. All vulnerabilities relating to arbitrary code execution would have led to the app and its users becoming thoroughly compromised.”

The three arbitrary code execution flaws were reported on Jan. 27, 2020 and fixed between June and August, according to researchers.

Researchers also found a flaw enabling arbitrary file theft in the activity com.ss.android.ugc.aweme.livewallpaper.ui.LiveWallPaperPreviewActivity.

“This flaw required user interaction but led to access to arbitrary protected app files,” according to researchers. “An attacker could access private user in-app data such as history, private messages, or session token, leading to access to the user’s account.”

This arbitrary file theft bug was reported to TikTok on Feb. 16, 2020; versions 8.4.0 (September 12, 2018) to 15.2.10 (March 21, 2020) of the app are vulnerable.

“As part of our ongoing efforts to build the safest and most secure platform in the industry, we constantly work with third parties to find and fix bugs,” a TikTok spokesperson told Threatpost. “While the bugs in question would only pose a risk if a user had also downloaded a malicious application onto their Android device, we have fixed them. We appreciate the researcher reporting this issue to us so that we could fix it, and we encourage all of our users to download the latest version of the app.”

Ongoing TikTok Security Woes

Over the past year TikTok has exploded in popularity, with over 500 million monthly active users globally, but it has also drawn ongoing scrutiny of its privacy and security policies. In June, a new privacy feature in Apple iOS 14 shed light on TikTok’s practice of reading iPhone users’ cut-and-paste data, even though the company said in March it would stop. In August, researchers found that TikTok had been collecting unique identifiers from millions of Android devices without their users’ knowledge, using a tactic previously prohibited by Google because it violated people’s privacy. Earlier this year, in January, researchers found a vulnerability in TikTok’s platform that could allow attackers to remotely take control over parts of victims’ TikTok accounts, such as uploading or deleting videos and changing settings on videos to make “hidden” videos public.
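The root cause Toshin describes, components that are reachable from other apps with no permission guarding them, can be checked mechanically from the manifest. The script below is an added example, not Oversecured’s tooling and not TikTok’s manifest: it parses a constructed AndroidManifest.xml (component names are invented to mirror the component types named above) and lists every activity, receiver, service or provider that is exported but declares no android:permission. The export rules it applies are the pre-Android-12 defaults (an explicit android:exported wins; otherwise a component is exported if it has an intent-filter; providers were exported by default before API 17).

```python
"""Flag Android components that other apps can reach without holding a permission.

Added example for this post, not Oversecured's or TikTok's code. The manifest
below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not TikTok's); the names only echo the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <!-- exported implicitly because it declares an intent-filter -->
    <activity android:name=".DetailActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <!-- exported explicitly and unguarded: any app on the device can reach it -->
    <receiver android:name=".NotificationBroadcastReceiver"
              android:exported="true"/>
    <!-- AIDL service exported via intent-filter, but guarded by a permission -->
    <service android:name=".IndependentProcessDownloadService"
             android:permission="com.example.app.permission.DOWNLOAD">
      <intent-filter>
        <action android:name="com.example.app.IDownloadService"/>
      </intent-filter>
    </service>
    <!-- no intent-filter and no exported attribute: private to the app -->
    <activity android:name=".LiveWallPaperPreviewActivity"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk=30):
    """Pre-Android-12 default: explicit android:exported wins; otherwise a
    component is exported iff it has an intent-filter. Content providers
    defaulted to exported before API level 17."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def find_unprotected_components(manifest_xml, target_sdk=30):
    """Return (tag, name) for every exported component with no android:permission.

    These are the components a malicious third-party app can target directly;
    whatever they do with caller-supplied data (file paths, URIs, intents)
    must be treated as untrusted input.
    """
    root = ET.fromstring(manifest_xml)  # comments are dropped by the default parser
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        if is_exported(elem, target_sdk) and not _attr(elem, "permission"):
            findings.append((elem.tag, _attr(elem, "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print("exposed %s without permission: %s" % (tag, name))
```

On the sample manifest this reports DetailActivity and NotificationBroadcastReceiver; the download service is exported too, but a caller must hold the declared permission, and the preview activity is not reachable from outside the app at all. Run the same check against a real app by extracting AndroidManifest.xml with apktool first (the manifest inside an APK is binary XML). Note that apps targeting Android 12 (API 31) and later must set android:exported explicitly on any component with an intent-filter, which removes the implicit-export case the first activity relies on.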
United Airlines’ website bug exposed traveler ticket data
A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.
The airline’s website lets users check their refund status by entering their ticket number and last name. But the website never validated the last name, so anyone could pull up other travelers’ refund information simply by changing the ticket number: the surname was collected but not used as an authorization check.
IT security expert Oliver Linow, who found the bug, told TechCrunch that he could see traveler surnames, the payment type and currency used to buy the ticket, and the refund amount.
United, like most other airlines, lets passengers access and modify their upcoming flights using only a passenger’s ticket number and last name.
Linow reported the issue to United on July 6. It took the airline a month to fix, and Linow heard nothing further from the airline.
It’s not known how long the bug was present. United did not respond to TechCrunch’s emails asking whether the airline informed data protection authorities about the incident.
Companies found in violation of European data protection rules can be fined up to 4% of their annual revenue.
Airlines have withheld billions of dollars’ worth of refunds during the pandemic amid a sharp decline in passenger numbers. United later received a $5 billion share of a $25 billion U.S. federal aid package aimed at keeping the airline industry afloat.
Earlier this month, United said it would furlough about 20% of its staff, some 16,370 employees.
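The bug above is a missing authorization check on a two-factor lookup key: the ticket number selects the record and the surname is supposed to prove the requester is entitled to it. The block below is an added example, not United’s code; it models the refund lookup as a plain function over a constructed set of ticket records, first as described in the article (surname accepted but ignored) and then hardened so that the surname actually gates the record, unknown tickets and wrong surnames are indistinguishable to the caller, and repeated failures against one ticket are cut off.

```python
"""Refund-status lookup: the validation gap in the article beside a hardened form.

Added example, not United's code. Records and ticket numbers are constructed.
"""
import hmac
import unicodedata

# Constructed records keyed by 13-digit ticket number (not real tickets).
REFUNDS = {
    "0162345678901": {"surname": "Linow", "payment": "VISA", "currency": "EUR", "amount": "412.00"},
    "0162345678902": {"surname": "Müller", "payment": "MASTERCARD", "currency": "USD", "amount": "89.50"},
}

MAX_FAILURES = 5
_failures = {}  # ticket -> consecutive failed surname checks (in-memory for the example)


def refund_status_vulnerable(ticket, last_name):
    """As described in the article: last_name is accepted but never checked,
    so walking the ticket-number space returns every traveller's record."""
    return REFUNDS.get(ticket)


def _normalize(name):
    """Fold case and accents so 'MÜLLER' and 'muller' compare equal, while
    still requiring the whole surname (no prefix or substring matching)."""
    folded = unicodedata.normalize("NFKD", name.strip()).encode("ascii", "ignore")
    return folded.decode().casefold()


def refund_status(ticket, last_name):
    """Hardened lookup: ticket number AND surname must match.

    A wrong surname, an unknown ticket and a locked-out ticket all return None,
    so the response does not reveal whether a ticket number exists. The
    comparison is constant-time and the stored surname is never echoed back.
    """
    if _failures.get(ticket, 0) >= MAX_FAILURES:
        return None
    record = REFUNDS.get(ticket)
    if record is None:
        return None
    expected = _normalize(record["surname"]).encode()
    supplied = _normalize(last_name).encode()
    if not hmac.compare_digest(expected, supplied):
        _failures[ticket] = _failures.get(ticket, 0) + 1
        return None
    _failures.pop(ticket, None)
    # Return only what the requester needs for a status page.
    return {k: record[k] for k in ("payment", "currency", "amount")}


if __name__ == "__main__":
    # Enumeration against the vulnerable version leaks a stranger's record.
    print(refund_status_vulnerable("0162345678902", "Linow"))
    # The hardened version refuses it and answers the legitimate query.
    print(refund_status("0162345678902", "Linow"))
    print(refund_status("0162345678901", "  LINOW "))
```

The failure counter is keyed per ticket only to keep the example short; in a real service it should also be keyed per client (IP, session) and live in a shared store, otherwise an attacker can lock a traveller out of their own refund status. Even with the check in place, ticket number plus surname is a weak secret (both appear on boarding passes and baggage tags), which is why the same pattern across airlines, noted in the article, is worth rate-limiting regardless.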
Facebook announced Thursday its first formal policy on how it will disclose bugs its security researchers find in other companies’ products. The policy also details how long Facebook will give those companies to respond, repair and distribute a patch.

“Sharing our policy publicly helps everyone understand the right expectations about reporting/disclosure,” said Nathaniel Gleicher, head of security policy at Facebook, in a written statement. “We are releasing the policy to make the process of helping people fix these issues and become safer as smooth as possible.”

The Facebook policy codifies how it will interact with vendors across several industries. In the past, Facebook says it has notified makers of VPN clients, VPN servers, optical switches, virtualization software, file storage appliances, email clients and other products of vulnerabilities in them.

Developing a policy for warning third parties about vulnerabilities is the next logical evolution for firms like Facebook that already have a mature program for accepting vulnerability reports from outside researchers, said Katie Moussouris, CEO of LutaSecurity and a long-time leader in developing disclosure programs. “If you’re doing things right with a disclosure program, you aren’t just waiting for people to report to you,” she said. “You’re getting better at finding them on your own.” That includes finding bugs in the components that make up products, whether developed in house or purchased externally.

The policy states that Facebook will give third-party vendors 21 days to respond after it reports a vulnerability, and 90 days to make reasonable efforts to mitigate it. If the third party misses either deadline, Facebook may decide to publicly disclose the vulnerability it has discovered. Deadlines of this kind are standard in disclosure policies to ensure that vulnerabilities are taken seriously. Facebook says it may modify its deadlines if it knows a patch is available but not being distributed; if product release cycles don’t align with other requirements; or if a vulnerability is “actively” being exploited.

Moussouris notes that the last condition will be best defined in practice: whether it means Facebook will disclose a vulnerability as soon as any attacker uses it, or only once exploitation becomes widespread.
Apple Accidentally Approved Malware to Run on MacOS
For decades, Mac users had to worry less about malware than their Windows-using counterparts, but over the last few years that has begun to change. In an attempt to crack down on growing threats like adware and ransomware, in February Apple began requiring that all macOS applications be "notarized," a vetting process designed to weed out illegitimate or malicious apps. Even software distributed outside of the Mac App Store now needs notarization, or users can't run it without special workarounds. Seven months later, though, researchers have found an active adware campaign attacking Mac users with the same old payloads, and the malware has been fully notarized by Apple.
https://cyware.com/category/malware-and-vulnerabilities-news