The Android patch-gap continues, beware of corrupted VPN apps and more.
Welcome to Cyber Security Today. It’s Friday, November 25th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
If you have a certain model of Android phone from Google Pixel, Samsung and other manufacturers, it may have vulnerabilities hackers can take advantage of. ARM, the company that makes the graphics processor with the problems, has patched the holes. However, many handset manufacturers and cellphone carriers have been slow to distribute a fix to the devices. According to Google’s Project Zero group, which found the vulnerabilities, ARM issued patches to close the five holes by the end of August. But as of Tuesday of this week a number of phones Project Zero tested still hadn’t been patched. This is a common problem with smartphones: cellphone companies don’t automatically push patches to all the devices they sell. It’s something you could mention to your wireless provider.
Threat actors are using the open Docker Hub image repository for containers to hide malware. Docker Hub reviews some images and verified software developers can add content. But researchers at Sysdig say they recently found over 1,600 images with malicious content out of 250,000 Linux images they examined. The problem containers include links to malicious internet websites and domains, embedded SSH and API keys, cryptominers and corrupt versions of legitimate open-source software. The lesson is to carefully scan everything downloaded from Docker Hub, just as you should with content from open-source repositories like GitHub and PyPI.
An advanced hacking group is tricking targeted people into downloading corrupted versions of two legitimate Android VPN apps. The apps, supposedly real versions of SoftVPN or OpenVPN, are really spyware that captures text messages when victims use WhatsApp, Facebook, Signal, Viber and Telegram. Researchers at ESET believe the attackers are a hacking-for-hire group researchers call Bahamut. Usually it goes after targets in the Middle East and South Asia. But the lesson for anyone around the world is to only download apps from websites approved by your IT department.
ConnectWise RMM, a remote monitoring and management tool used by a number of IT departments and managed service providers, had a stored cross-site scripting vulnerability that could have been exploited by threat actors. That’s according to researchers at Guardio. They notified the company in June, which quietly issued a patch for the hole in August. News is only coming out now because Guardio agreed to give customers time to install the update. The thing is, attackers didn’t need to compromise installations of ConnectWise RMM to take advantage of the hole: all they had to do was register for a free 14-day trial version of ConnectWise RMM, set up a fake customer support page for a company they wanted to hit and start luring victims to log in. Malware could then be sent to the victim’s computer. You see, the trial version allowed the creation of customized pages, just like the paid version. So an attacker could have set up a fake IT support page with any company’s logo, sent out emails to the company’s staff and tricked them into logging into the fake support page. After being notified, ConnectWise removed the ability to customize pages in the trial version and fixed the cross-site scripting vulnerability. Two lessons here: first, it’s important that application developers rigorously scrutinize their code for bugs. Second, don’t enable all features in trial versions of software.
Remember later today the Week in Review podcast will be available.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.