Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security Alert. Show all posts
Technology
CocoaPods Critical Bugs iOS Security Alert Technology

CocoaPods Security Alert: Critical Bugs Expose Millions of Apps


A recent security analysis discovered critical vulnerabilities in CocoaPods, the widely used dependency management platform for Apple developers. These vulnerabilities pose significant risks to iOS and macOS apps, potentially allowing attackers to compromise user data and system integrity.

Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CocoaPods is a platform allowing Apple developers to add and manage other libraries (called "pods"). It has 100,000+ libraries that are utilized by over three million apps, including the most popular worldwide. 

A brief scan of its website finds bundles for Instagram, X, Slack, AirBnB, Tinder, and Uber, to name a few. This makes the pods excellent targets for hackers, and the CocoaPods platform, if it contains an underlying, platform-wide vulnerability, a veritable money pit.

According to research released recently by E.V.A Information Security, the CocoaPods platform has a trio of significant vulnerabilities. The most serious of them, CVE-2024-38366, a remote code execution (RCE) opportunity, received a critical 10 out of 10 CVSS rating. CVE-2024-38368, another notable fault caused by pods without owners, received a critical 9.3, while CVE-2024-38367, a session verification hijacking vulnerability, received an 8.2 rating.

1. Remote Code Execution (CVE-2024-38366)

A severe flaw in CocoaPods enabled attackers to inject malicious code into app builds during the dependency resolution process. The impact: Apps relying on compromised dependencies could execute arbitrary code, leading to serious security breaches.

2. Unowned Pods (CVE-2024-38368)

Some CocoaPods lacked proper ownership, making them susceptible to unauthorized modifications. The risk- Attackers could replace legitimate pods with malicious versions, compromising app functionality and user trust.

3. Session Verification Hijacking (CVE-2024-38367)

CocoaPods failed to adequately verify session tokens during package installation. The consequence? Apps unintentionally using compromised libraries could suffer security breaches.

How to Stay Safe?

Regular Dependency Updates

  • Developers must consistently update their CocoaPods dependencies to receive security patches promptly.
  • Tools like pod outdated help identify outdated libraries.

Ownership Verification

  • Before integrating third-party pods, verify their ownership and integrity.
  • Consider using signed pods or checksums to ensure authenticity.

Code Signing and Notarization

  • Code signing ensures that only trusted code runs on users’ devices.
  • Apple’s notarization process adds an extra layer of security by verifying app binaries.

Finding Exploit A Long Shot

There is no convincing evidence that attackers exploited any of the vulnerabilities discovered by the researchers and patched by CocoaPods in October.

It's worth mentioning, however, that the easily concealable nature of software supply chain flaws, along with the enormous number of pods at danger for so long, would provide adequate cover for anyone who did.

Finding a CocoaPods exploit during the last decade would appear to be simple, but this has not been the case. Instead, E.V.A. suggests that all developers of apps that relied on pods prior to last October (i.e., almost all Apple apps) take six remedial steps, including checking for orphaned pods and extensively evaluating all third-party code dependencies.
Read more »
Security Alert
CUHK Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Data Breach Security Alert

Major Data Breach at CUHK Affects Over 20,000 Students and Staff

 


Over 20,000 individuals from the Chinese University of Hong Kong (CUHK) were impacted by a data breach at one of the institution's schools in the city that resulted in their personal information being stolen. This is just the latest in a string of data breaches in this city. According to a statement released by the School of Continuing and Professional Studies (CUSCS) on Thursday, the server of an online learning system that the school uses was hacked on June 3. A statement was released by the School of Continuing and Professional Studies (CUSCS) on Thursday notifying us that the server for an online learning system they use has been hacked, as announced by the school. 

There were 20,870 Moodle accounts involved in the study, including employees, part-time tutors, students, graduates and some visitors, who provided names, email addresses and student numbers. As a result of the three unsuccessful login attempts, the college stated that it had deactivated the related account, reset the password, moved the online learning platform away from the responsible server, and strengthened security measures to block the account. 

There was a hacking attack on the school's name and email address, but an investigation by cybersecurity professionals showed that their information had not been leaked to any public websites or dark websites. It has been reported to the police and the Office of the Privacy Commissioner for Personal Data (PCPD), the city’s privacy watchdog, that the incident happened. A report sent by CUHK on Wednesday and a complaint regarding the data breach were received by the PCPD on Thursday. 

Moodle is an open-source learning management system that allows teachers, administrators, and students to create individualized learning environments for online projects in schools, colleges and workplaces. The PCPD has said that they received a report and complaint regarding the data breach on Thursday. A custom website can be created with Moodle containing an online course as well as community-sourced plugins that can be added to the website as well. 

In addition to establishing a crisis management team containing the dean, deputy dean, director of information technology services, director of administration, and director of communications and public relations, the college has established a crisis management team to assess the risks that may arise. CUSCS said the incident has also been reported to CUHK. It was the responsibility of the college to hire a security consultant who conducted an immediate investigation into the matter and discovered that there were no large amounts of data that had been exposed, and the relevant information was not found on the dark web. 

It has also been reported to the police, as well as to the Office of the Privacy Commissioner for Personal Data (PCPD) for the university, which follows established procedures, to notify them of this incident. There was a complaint received by the PCPD regarding the incident on Thursday, the police department announced. The CUSCS stated that through the leak of data, 22,873 Moodle accounts of tutors, students, graduates, and visitors including their names, emails, and student numbers were compromised. In the recent past, there has been a massive theft of personal information from one of the institution's schools after a server had been breached. 

It was discovered on the dark web domain BreachForums that the breached information was readily available on a dark web domain known as BreachForums despite statements made by the university management that they were unaware of any leaks on public platforms. There was a post on the dark web posted by a Threat Actor (TA) who went by the alias "Valerie," in which she claimed to be a hacker who was willing to sell their data to a buyer. "Approximately 75 per cent of the stolen information was sold to a private party, and the breach was financed in this way by the private party," TA stated.  There was no sharing of the rest of the data. 

Following multiple offers, it was decided to take the initiative and make a public sale." This is the third educational institute in Hong Kong this year to have been struck by a cyber attack as a result of multiple offers. It has been reported that the Hong Kong Institute of Contemporary Culture, Lee Shau Kee School of Creativity, was hit by a ransomware attack in May when data belonging to more than 600 students and faculty members were compromised. 

In April, Union Hospital, a private medical facility, experienced a ransomware attack that compromised its servers and reportedly resulted in operational paralysis. Similarly, in February, the Hong Kong College of Technology faced a ransomware attack, leading to a data breach affecting approximately 8,100 students.
Read more »
Security Risk
Cyber Attacks Cybersecurity Agencies IT Service Security Alert Security Risk

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory recommends customers of MSPs in the member nations on how to guard sensitive details and reassess security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors–because attacking an MSP can lead to additional downstream victims (as we witnessed with Kaseya and the SolarWinds assaults.)

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of US's Cybersecurity and Infrastructure Security Agency (CISA) stated. 

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added. 

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.
Read more »
War
Cyber Fraud Fraud Fraud Email Hacked Accounts phishing Security Alert Ukraine War

Ukrainian CERT Alerts Citizens of Phishing Attacks Using Hacked Accounts

 

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of new phishing attacks directed at Ukrainian citizens, which use hijacked email accounts belonging to three separate Indian businesses to infiltrate their inboxes and steal sensitive data. 

The emails arrive with the subject line "" (meaning "Attention") and pretend to be from a domestic email service named Ukr.net, but the sender's email address is "muthuprakash.b@tvsrubber[.]com," according to the agency. The messages allegedly alert recipients of an unauthorised attempt to log in to their accounts from an IP address based in Donetsk, Ukraine, and urge them to change their passwords immediately by clicking on a link. 

CERT-UA noted in a Facebook post over the weekend, "After following the link and entering the password, it gets to the attackers. In this way, they gain access to the email inboxes of Ukrainian citizens." 

The fact that TVS Rubber is an automotive company situated in the Indian city of Madurai suggests that the phishing emails were distributed through an already compromised email account. In a further update, CERT-UA stated that it had discovered an additional 20 email addresses used in the attacks, some of which belonged to sysadmins and faculty members at the Ramaiah University of Applied Sciences, an academic institution in Bengaluru, India. 

An email address from Hodek Vibration Technologies Pvt. Ltd., an India-based automotive company that designs and manufactures dampers for cars, light and heavy commercial vehicles, and other industrial equipment, is also featured in the list. 

"All these mailboxes have been compromised and are being used by the Russian Federation's special services to carry out cyberattacks on Ukrainian citizens," the agency said. 

The news comes as NATO states unanimously approved to admit Ukraine as a "Contributing Participant" to the Cooperative Cyber Defence Centre of Excellence (CCDCOE), as Russia's military invasion of the country entered its second week and cyber strikes poured down on government and commercial targets. 

"Ukraine's presence in the Centre will enhance the exchange of cyber expertise, between Ukraine and CCDCOE member nations. Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises and training," Col Jaak Tarien, director of CCDCOE, said in a statement.
Read more »
Security Alert
Cyber Data Cyber Security Frauds Phishing scam Scam SEC Security Alert

US SEC Alerts Investors of Ongoing Fraud

 

The Securities and Exchange Commission (SEC) is alerting investors about scammers posing as SEC officials and attempting to mislead them. 

Fraudsters are contacting investors via phone calls, voicemails, emаils, and letters, according to the SEC's Office of Investor Educаtion and Advocаcy (OIE). 

The alert stated, “We аre аwаre thаt severаl individuаls recently received phone cаlls or voicemаil messаges thаt аppeаred to be from аn SEC phone number. The cаlls аnd messаges rаised purported concerns аbout unаuthorized trаnsаctions or other suspicious аctivity in the recipients’ checking or cryptocurrency аccounts. These phone cаlls аnd voicemаil messаges аre in no wаy connected to the Securities аnd Exchаnge Commission.” 

The SEC warned it never asks for payments linked to enforcement activities, offer to confirm trades, or seek sensitive personal and financial information in unsolicited communication, including emails and letters. It further stated that SEC officials will not inquire about shareholdings, account numbers, PINs, passwords, or other personal information. 

Scammers appear to be employing a growing number of strategies in order to boost their chances of success. Investors should not disclose any personal information if they get communication that seems to be from the Securities and Exchange Commission, as per the notice. They are encouraged to contact the commission directly.

Investors can use the SEC's personnel locаtor at (202) 551-6000, call (800) SEC-0330, or emаil help@SEC.gov to confirm the identity of people behind calls or messages. Investors can also register a complaint with the Securities and Exchange Commission's Office of Inspector General by visiting www.sec.gov/oig or calling (833) SEC-OIG1 (732-6441). 

Further, the alert stated, “Bewаre of government impersonаtor schemes. Con аrtists hаve used the nаmes of reаl SEC employees аnd emаil messаges thаt fаlsely аppeаr to be from the Securities аnd Exchаnge Commission to trick victims into sending the frаudster’s money. Impersonаtion of US Government аgencies аnd employees (аs well аs of legitimаte finаnciаl services entities) is one common feаture of аdvаnce fee solicitаtions аnd other frаudulent schemes. Even where the frаudsters do not request thаt funds be sent directly to them, they mаy use personаl informаtion they obtаin to steаl аn individuаl’s identity or misаppropriаte their finаnciаl аssets.”
Read more »
Security Alert
Android Malware Android Users Joker malware malware Security Alert

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.
Read more »
Trojans
malware password stealing trojans Security Alert Trojans

CISA Released A New Advisory on LokiBot Trojan


LokiBot, a trojan-type malware first identified in 2015 is popular amid cybercriminals as a means of creating a backdoor into compromised Windows systems to allow the attacker to install additional payloads.

It is an information stealer that uses a stealthy trick to evade detection from security software and steal personal data of victims including their usernames, passwords, bank details, and contents of cryptocurrency wallets – using a keyblogger that would monitor browser and desktop activities.

Recently, the U.S. government's cybersecurity and Infrastructure Security Agency (CISA) observed a significant increase in malicious infections via LokiBot malware starting from July 2020. During this period, CISA's EINSTEIN Detection System, responsible for protecting federal, civilian executive branch networks, noticed continuous malicious activity by LokiBot. Credited for being simple yet effective, the malware is often sent out as an infected attachment via email, malicious websites, texts, or personal messages to target Windows and Android operating systems.

Although LokiBot has been in cyberspace for a while now, attackers still often use it to illicitly access sensitive information. In a recent attack that was carried out in July, 14 different campaigns distributing payloads of LokiBot were launched by a group of threat actors popularly known as 'RATicate'. In another malspam campaign, attackers were found to be distributing payload of LokiBot in a spear-phishing attack on a U.S based manufacturing organization.

“LokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients,” as per the alert issued on Tuesday.

Giving insights on the matter, Saryu Nayyar, CEO at Gurucul told via email, "The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space."
Read more »
Security Alert
Bank fraud Bank Information Security Cyber Crime Security Alert

Fraudsters claiming to be from Bank and offers to assist you via TeamViewer


In Russia, a new way of telephone fraud is gaining momentum. Attackers disguised as a bank employee calls to Bank’s client to suspend a financial transaction but do not require to tell confidential data of Bank cards. They claim that the credit institution identified an attempt to the unauthorized withdrawal of funds from an account in another region.

As a result, the scammers report that they blocked the attempt to withdraw money, and offer to verify the devices that have access to the personal account of the client. Then attackers will find out if the client uses the Android or IOS operating system. Subsequently, the attackers offer to help disable the system, which is not used by the client, using the TeamViewer access delegation program.

The TeamViewer access delegation program allows an outsider to connect and perform any operation on your behalf. Fraudsters need to find out from the Bank's client their user id so that attackers can easily connect and take possession of confidential smartphone information. In this case, it will be extremely difficult, if not impossible to prove an attempt at unauthorized hacking. After all, the Bank's client voluntarily provided access.

It is worth noting that previously a number of large credit organizations recorded a sharp increase in fraudulent calls to customers from banks using the technology of number substitution. In some banks, the activity of fraudsters has increased tenfold.

The banks indicate that telecom operators are not effectively detecting and blocking such schemes. The solution to the problem came to the level of the Central Bank.

It is interesting to note that on August 10, the Central Bank of Russia recommended banks to inform payment systems of the number of the Bank card, account or mobile phone of the recipient. This should help identify fraudsters and block transactions. The requirements relate to P2P transfers and transfers, where a third Bank is involved, as well as payment systems.

If banks and payment systems follow the Central Bank's recommendations, data on the recipient of funds will be sent to the FinCERT (center for monitoring and responding to computer attacks in the financial sphere of the General Directorate of protection and information security at the Bank of Russia).

According to the leading anti-virus expert of Kaspersky Lab Sergey Golovanov, indicating the phone number will track cases when one person has issued many accounts for his number and uses them to transfer funds using social engineering.
Read more »
Security Alert
IT Security News Malware Report Security Alert

Malicious emails purportedly from Chinese Ministry of Defense targets Asian, European Governments

TrendMicro researchers have come across a new spam mail claimed to be from Chinese Ministry of Defense that targets European and Asian Government.

However, it is not that much hard to find the real address of the email.  According to TrendMicro report, the emails come from a gmail account which didn't use Chinese name.

"We value Your Feedback very much and have carefully studied the suggestions and advices given back by the attaches and spouses in the feedback." The spam mail reads "China is still a developing country and we are ready to make progress together with our attach?? friends in all the fields of our work"

The attached document attempts to exploit the old Microsoft office vulnerability.  The successful exploitation will drop the backdoor in the victim's machine.

Spam mails targeting European &Asian Govts -Image Credits: TrendMicro

The malware is capable of stealing login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook.  To make the victims believe that nothing malicious happened, it displays a legitimate dummy document.

The stolen information is then uploaded to two Hong Kong server.  The researcher says that message has been sent to 16 European officials and Chinese media organizations.
Read more »
Subscribe to: Posts (Atom)