Researchers Reveal New Security Flaw Affecting China’s DJI Drones

Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI’s servers.

The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM, found that DJI’s Go 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it also makes use of anti-debug and encryption techniques to thwart security analysis.

“This mechanism is very similar to command and control servers encountered with malware,” Synacktiv said.

“Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user’s phone.”

The Android app has over one million installs via the Google Play Store. The security issues identified in it do not apply to the iOS version, which is neither obfuscated nor carries the hidden update feature.

A “Shady” Self-Update Mechanism

GRIMM said the research was undertaken in response to a security audit requested by an unnamed defence and public safety technology vendor that sought to “investigate the privacy implications of DJI drones within the Android DJI GO 4 application.”

Reverse engineering the app, Synacktiv said it uncovered the existence of a URL (“hxxps://service-adhoc.dji.com/app/upgrade/public/check”) that it uses to download an application update and prompt the user to grant permission to “Install Unknown Apps.”

“We modified this request to trigger a forced update to an arbitrary application, which prompted the user first for allowing the installation of untrusted applications, then blocking him from using the application until the update was installed,” the researchers said.

images from Hacker News

Smartwatch Maker Garmin Shuts Down Services After Ransomware Attack

Garmin, the maker of fitness trackers, smartwatches and GPS-based wearable devices, is currently dealing with a massive worldwide service interruption after getting hit by a targeted ransomware attack, an employee of the company told The Hacker News on condition of anonymity.

The company’s website and its Twitter account say, “We are currently experiencing an outage that affects Garmin.com and Garmin Connect.”

“This outage also affects our call centres, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologise for this inconvenience.”

As a result, the company yesterday was forced to temporarily shut down some of its connected services, including Garmin Express, Garmin Connect mobile, and the website—restricting millions of its users from accessing the cloud services or even syncing their watches locally to the app.

Though little information is available on the technical details of the cyberattack, some local media reports claim hackers managed to compromise the company’s application and database servers with ransomware.

The same reports say Garmin has notified IT staff at its Taiwan-based factories of two days of planned maintenance, on July 24 and 25.

Multiple sources in the cybersecurity community suggest that the cyberattack may have involved WastedLocker, a targeted ransomware strain operated by the gang known as Evil Corp or Dridex.

images from Hacker News

North Korean Hackers Spotted Using New Multi-Platform Malware Framework

Lazarus Group, the notorious hacking group with ties to the North Korean regime, has unleashed a new multi-platform malware framework with the aim of infiltrating corporate entities around the world, stealing customer databases, and distributing ransomware.

Capable of targeting Windows, Linux, and macOS operating systems, the MATA malware framework — so-called because of the authors’ reference to the infrastructure as “MataNet” — comes with a wide range of features designed to carry out a variety of malicious activities on infected machines.

The MATA campaign is said to have begun as early as April of 2018, with the victimology traced to unnamed companies in software development, e-commerce and internet service provider sectors situated in Poland, Germany, Turkey, Korea, Japan, and India, cybersecurity firm Kaspersky said in its Wednesday analysis.

The report offers a comprehensive look at the MATA framework, while also building on previous evidence gathered by researchers from Netlab 360, Jamf, and Malwarebytes over the past eight months.

Last December, Netlab 360 disclosed a fully functional remote administration Trojan (RAT) called Dacls targeting both Windows and Linux platforms that shared key infrastructure with that operated by the Lazarus Group.

Then in May, Jamf and Malwarebytes uncovered a macOS variant of Dacls RAT that was distributed via a trojanised two-factor authentication (2FA) app.

images from Hacker News

US Charges 2 Chinese Hackers for Targeting COVID-19 Research and Trade Secrets

The U.S. Department of Justice (DoJ) yesterday revealed charges against two Chinese nationals for their alleged involvement in a decade-long hacking spree targeting dissidents, government agencies, and hundreds of organisations in as many as 11 countries.

The 11-count indictment, which was unsealed on Tuesday, alleges LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志) stole terabytes of sensitive data, including from companies developing COVID-19 vaccines, testing technology, and treatments, while operating both for private financial gain and on behalf of China’s Ministry of State Security.

“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, [and] to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney General John C. Demers, who leads the DoJ’s National Security Division.

The pair, who are currently wanted by the U.S. Federal Bureau of Investigation, came to investigators’ attention after they compromised a U.S. Department of Energy network in Hanford, home to a decommissioned nuclear production complex in the state of Washington.

Aside from this breach, the individuals in question have been accused of infiltrating the networks of companies spanning the high-tech manufacturing, industrial engineering, defence, educational, gaming software, and pharmaceutical sectors with the aim of stealing trade secrets and other confidential business information.

Besides the U.S., a number of victim organisations are based in Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the U.K. In all, the targeted cyberattacks lasted over a period of more than ten years, starting around September 1, 2009, and continuing through July 7, 2020, the DoJ said.

images from Hacker News

Chinese Hackers Escalate Attacks Against India and Hong Kong Amid Tensions

An emerging threat actor out of China has been traced to a new hacking campaign aimed at government agencies in India and residents of Hong Kong intending to steal sensitive information, cybersecurity firm Malwarebytes revealed in the latest report shared with The Hacker News.

The attacks were observed during the first week of July, coinciding with the passage of a controversial security law in Hong Kong and India’s ban of 59 China-made apps over privacy concerns, weeks after a violent skirmish along the Indo-China border.

Attributing the attack with “moderate confidence” to a new Chinese APT group, Malwarebytes said it was able to track the group’s activities based on the “unique phishing attempts” designed to compromise targets in India and Hong Kong.

The operators of the APT group have leveraged at least three different Tactics, Techniques, and Procedures (TTPs), using spear-phishing emails to drop variants of Cobalt Strike and MgBot malware, and bogus Android applications to gather call records, contacts, and SMS messages.

“The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China,” the firm said.

Using Spear-Phishing to Install MgBot Malware

The first variant, observed on July 2, alerted recipients on the “gov.in” domain that some of their email addresses had been leaked and that they had to complete a security check before July 5.

The emails carry an attachment named “Mail security check.docx”, purportedly from the Indian Government Information Security Center. Upon opening, it uses template injection to fetch a remote template and execute a heavily obfuscated variant of Cobalt Strike.
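Template injection works because a .docx carries no macro itself, only an attachedTemplate relationship pointing at a remote file. The Python check below is an added example (not from the Malwarebytes report or the original article) that a defender can run over a document to flag such pointers; the sample document it builds is constructed for testing, and example.invalid is a placeholder host.

```python
import io
import re
import zipfile

# Relationship type Word uses for an attached template (local or remote).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_remote_templates(docx_bytes: bytes):
    """Return (rels-part, target) pairs for external attachedTemplate pointers.

    Legitimate documents normally carry no attachedTemplate relationship,
    or one that points at a local .dotm; a URL or UNC target is suspicious.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # Relationship parts live under */_rels/*.rels; the template
            # pointer is normally in word/_rels/settings.xml.rels.
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if attrs.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = attrs.get("Target", "")
                external = attrs.get("TargetMode", "").lower() == "external"
                if external or re.match(r"^(https?|ftp)://|^\\\\", target, re.I):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: str, external: bool) -> bytes:
    """Constructed minimal OOXML zip with one attachedTemplate relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Running it on a real attachment is `find_remote_templates(open("file.docx", "rb").read())`; a non-empty result is a strong signal that the document loads code from outside.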

images from Hacker News