Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware

Microsoft on Thursday warned of a “massive email campaign” that’s pushing a Java-based STRRAT malware to steal confidential data from infected systems while disguising itself as a ransomware infection.

“This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them,” the Microsoft Security Intelligence team said in a series of tweets.

The new wave of attacks, which the company spotted last week, commences with spam emails sent from compromised email accounts with “Outgoing Payments” in the subject line, luring the recipients into opening malicious PDF documents that claim to be remittances, but in reality, connect to a rogue domain to download the STRRAT malware.

Besides establishing connections to a command-and-control server during execution, the malware comes with a range of features that allow it to collect browser passwords, log keystrokes, and run remote commands and PowerShell scripts.
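Because STRRAT only renames files to .crimson without encrypting them, an incident responder can confirm that recovery is a matter of stripping the extension rather than restoring from backup. The triage helper below is an added example, not code from Microsoft's write-up or the malware: it walks a directory for .crimson files and decides, from a known file header and the Shannon entropy of the first 64 KiB, whether each one is still plaintext. Function names, the entropy threshold and the sample files in `demo()` are constructed for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Header bytes of a few common formats. A renamed file that still starts
# with its original header has plainly not been encrypted.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary documents well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_crimson_file(path: Path, threshold: float = 7.5) -> dict:
    """Verdict for one file that carries the .crimson extension.
    Caveat: compressed formats without a listed header (e.g. some archives)
    also score high, so treat likely_encrypted as a triage hint, not proof."""
    head = path.read_bytes()[:65536]
    kind = next((k for m, k in MAGIC.items() if head.startswith(m)), None)
    ent = shannon_entropy(head)
    return {"file": path.name, "magic": kind, "entropy": round(ent, 2),
            "likely_encrypted": kind is None and ent >= threshold}

def triage_directory(root: Path) -> list:
    """Classify every .crimson file under root (recursively)."""
    return sorted((classify_crimson_file(p) for p in root.rglob("*.crimson")),
                  key=lambda r: r["file"])

def demo() -> list:
    """Constructed sample: a renamed-but-intact PDF next to genuinely random bytes."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.pdf.crimson").write_bytes(b"%PDF-1.4\n" + b"plain invoice text " * 200)
    (root / "notes.txt.crimson").write_bytes(os.urandom(4096))  # stands in for real ciphertext
    return triage_directory(root)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A file reported with an intact header and low entropy can be restored by removing the .crimson suffix; only files flagged likely_encrypted need deeper inspection.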

23 Android Apps Expose Over 100,000,000 Users’ Personal Data

Misconfigurations in multiple Android apps leaked sensitive data of more than 100 million users, potentially making them a lucrative target for malicious actors.

“By not following best-practices when configuring and integrating third-party cloud-services into applications, millions of users’ private data was exposed,” Check Point researchers said in an analysis published today and shared with The Hacker News.

“In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfigurations put users’ personal data and developer’s internal resources, such as access to update mechanisms, storage, and more at risk.”

The findings come from an examination of 23 Android apps available in the official Google Play Store, some of which have downloads ranging from 10,000 to 10 million, such as Astro Guru, iFax, Logo Maker, Screen Recorder, and T’Leva.

According to Check Point, the issues stem from misconfigured real-time databases, push notifications, and cloud storage keys, resulting in the spillage of emails, phone numbers, chat messages, location data, passwords, backups, browser histories, and photos.

Is Single Sign-On Enough to Secure Your SaaS Applications?

If there’s one thing all great SaaS platforms share in common, it’s their focus on simplifying the lives of their end-users. Removing friction for users in a safe way is the mission of single sign-on (SSO) providers.

With SSO at the helm, users don’t have to remember separate passwords for each app or hide the digital copies of the credentials in plain sight.

SSO also frees up IT’s bandwidth from handling recurring password reset requests while improving productivity for everyone in your organization. However, SSO capability also brings a level of risk.

How to protect against SSO fails

Real-Life Risks Involved in SSO

Watering Hole Attack Was Used to Target Florida Water Utilities

An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what’s known as a watering hole attack.

“This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,” Dragos researcher Kent Backman said in a write-up published on Tuesday.

The site, which belongs to a Florida-based general contractor involved in building water and wastewater treatment facilities, had no bearing on the intrusion, the American industrial cybersecurity firm said.

Watering hole attacks typically allow an adversary to compromise a specific group of end-users by compromising a carefully selected website, which members of that group are known to visit, with an intention to gain access to the victim’s system and infect it with malware.

In this specific case, however, the infected website didn’t deliver exploit code or attempt to achieve access to visitors’ systems. Instead, the injected code functioned as a browser enumeration and fingerprinting script that harvested various details about the website’s visitors, including operating system, CPU, browser (and plugins), input methods, presence of a camera, accelerometer, microphone, time zone, locations, video codecs, and screen dimensions.

Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days.

“There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” the search giant said in an updated alert.

The four flaws impact Qualcomm Graphics and Arm Mali GPU Driver modules —

  • CVE-2021-1905 (CVSS score: 8.4) – A use-after-free flaw in Qualcomm’s graphics component due to improper handling of memory mapping of multiple processes simultaneously.
  • CVE-2021-1906 (CVSS score: 6.2) – A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure.