This New Android Malware Can Gain Root Access to Your Smartphones

An unidentified threat actor has been linked to a new Android malware strain that can root smartphones and take complete control of infected devices while simultaneously taking steps to evade detection.

The malware has been named “AbstractEmu” owing to its use of code abstraction and anti-emulation checks to avoid running while under analysis. Notably, the global mobile campaign is engineered to target users and infect as many devices as possible indiscriminately.

Lookout Threat Labs said it found a total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps, seven of which contained the rooting functionality. Only one of the rogue apps, called Lite Launcher, made its way to the official Google Play Store, attracting a total of 10,000 downloads before it was purged.

The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.

New ‘Shrootless’ Bug Could Let Attackers Install Rootkit on macOS Systems

Microsoft on Thursday disclosed details of a new vulnerability that could allow an attacker to bypass security restrictions in macOS, take complete control of the device and perform arbitrary operations on it without getting flagged by traditional security solutions.

Dubbed “Shrootless” and tracked as CVE-2021-30892, the “vulnerability lies in how Apple-signed packages with post-install scripts are installed,” Microsoft 365 Defender Research Team’s Jonathan Bar Or said in a technical write-up. “A malicious actor could create a specially crafted file that would hijack the installation process.”

System Integrity Protection (SIP) aka “rootless” is a security feature introduced in OS X El Capitan that’s designed to protect the macOS operating system by restricting a root user from executing unauthorized code or performing operations that may compromise system integrity.

Specifically, SIP allows modification of protected parts of the system — such as /System, /usr, /bin, /sbin, and /var — only by processes that are signed by Apple or those that have special entitlements to write to system files, like Apple software updates and Apple installers, while also automatically authorizing apps that are downloaded from the Mac App Store.

Winter is Coming for CentOS 8

Winter is Coming for CentOS 8—but here is how you can enjoy your holidays after all.

The server environment is complex and if you’re managing thousands of Linux servers, the last thing you want is for an operating system vendor to do something completely unexpected.

That is exactly what Red Hat, the parent company of the CentOS Project, did when it suddenly announced a curtailment of support for CentOS 8 – sending thousands of organizations scrambling for an alternative.

In this article, we’ll review what happened with CentOS 8 and what it means for users who have already upgraded from CentOS release 7 to release 8. We’ll also look at your alternatives for replacing CentOS 8.

Finally, we’ll review your other option: choosing extended support. Extended lifecycle support (ELS) can reduce the pressure to decide on an alternative distribution, and it may well be the most practical route for many CentOS 8 users.

Official support is critical

The difficulties around CentOS 8 involve the sudden withdrawal of official support. Official support windows matter because they give Linux users certainty that they will continue to receive bug fixes as well as patches for CVEs and other security vulnerabilities that emerge.

A fixed end date for support gives users the ability to plan – either upgrading ahead of the end date, or migrating workloads to an alternative if upgrading isn’t a viable option.

While this is an important consideration for people who run a single CentOS instance and for small teams, official support windows become critical for those who depend on CentOS to support large-scale workloads involving big server fleets.

A single user or small team can quickly shift distributions, but planning for any changes that involve thousands of machines is a whole different story.

A free Linux distribution – with rock-solid official support

CentOS had its origins in 2002. The project, a 1:1 fork of Red Hat Enterprise Linux, went through various changes over time. In 2014, Red Hat announced that it would officially sponsor the CentOS project – but in doing so, Red Hat took full control of CentOS, including its intellectual assets and the governing board.

Red Hat invested a lot of effort into the CentOS project, and CentOS enjoyed a fixed release schedule with equally fixed, reliable support windows. As of late, the CentOS project was quoting 10-year maintenance support windows, which was fantastic news for enterprise users who could adopt new releases at a pace that suited them, with long time frames for planning and testing.

And, of course, CentOS is entirely free – saving companies thousands in licensing fees. For example, when CentOS 7 was released in 2014, users were told that they would continue to enjoy support through June 2024. With CentOS 8 coming out in September 2019, enterprise users had a long time frame to test and switch to CentOS 8.

Some CentOS 6 and CentOS 7 users moved quickly and adopted CentOS 8, but these users were in for a surprise.

What changed with CentOS 8?

When CentOS 8 was released, the CentOS project (and by that we really mean Red Hat) promised that it would continue to support CentOS 8 for about ten years officially – just like it did for CentOS 7. The original end of life date for CentOS 8 was May 31, 2029.

That’s an excellent support window for a free-to-use, enterprise-grade Linux OS which is also 1:1 binary compatible with RHEL. It meant that enterprise users could essentially avoid paying RHEL license fees, while still working with a trusted distribution.

Unfortunately, the good news ended rather suddenly in December 2020, when Red Hat unexpectedly announced that it would no longer release CentOS as a stable release at regular intervals, focusing instead on CentOS Stream – a rolling release model, which is delivered differently and whose suitability for enterprise use is still unknown.

Products come and go, and a change of direction can be somewhat understandable, but the real sting in the announcement was that official support for CentOS 8 would be curtailed by almost eight years – with end-of-life now on Dec 31, 2021 rather than the originally promised May 31, 2029.

After that date, the CentOS Project will no longer publish updates for CentOS 8. Bugs won’t be fixed but, more critically, new vulnerabilities won’t receive patches. In other words, if a major flaw in – for example – the Linux kernel emerges, you simply won’t get an automatic patch for CentOS 8.

That is in contrast to what organizations were originally promised for CentOS 8 – a matching patch within 72 hours of the patch being released for RHEL 8, right through the middle of 2029. It creates an enormous headache for tech teams that must now act fast to replace CentOS 8.

Why doing nothing isn’t an option

You might think that your workloads are running just fine, and that there’s no need to update your CentOS 8 instances to apply bug fixes. Or, that you can simply apply internally coded patches or other remediation measures should a threat arise.

In reality, the risks of running an unsupported OS are significant. You can use this calculator to estimate the costs and get a rough figure for your particular infrastructure. We’ve published an in-depth article here, but let’s do a quick recap of the potential problems you face when your OS is no longer enjoying official maintenance support.

  • Breaking compatibility and reliability. An OS is surrounded by other software components and if you fail to update your OS with bug fixes, you may find that updates to other components break compatibility — you end up with updated software and services, but an OS that was never updated with the feature change.
  • Security risks. This is the big one: if you don’t receive regular updates to your OS you will rapidly accumulate a growing number of security holes in your workload as more and more vulnerabilities get published in public – but never fixed on your systems. All it takes is one entry point for a hacker to gain entry and potential catastrophe to occur.
  • Compliance problems. Compliance requirements such as PCI require that systems are patched against vulnerabilities within a specific time frame. When your OS is unsupported you are at risk of breaching compliance requirements which can lead to stiff penalties, the loss of customers – or indeed losing the right to do business altogether.

That’s just a brief insight into the potential problems of running CentOS 8 past the end of this year. It’s an enormous risk, so it is no wonder that companies are rushing to come up with alternatives.

The problem with CentOS Stream

Red Hat isn’t discontinuing the CentOS Project altogether – CentOS will continue to exist in the form of CentOS Stream, which will always be one step ahead of the latest RHEL release. While Red Hat is suggesting that CentOS Stream is a drop-in replacement, that’s only true for a limited number of use cases.

Many Linux OS use cases – particularly in the enterprise environment – depend on stable releases: fixed functionality that can be tested, and the assurance that nothing of substance will change until the next release. Indeed, Red Hat’s own CTO has said that CentOS Stream is not a replacement for CentOS 8.

The move to the new CentOS Stream may affect the release stability. It will no longer have exactly the same package versions as RHEL – in fact, packages will land in CentOS Stream before making it into a fixed RHEL release. Binary compatibility may suffer, and some organizations’ workloads cannot easily accommodate this.

CentOS Stream would be a perfectly acceptable replacement for some users – some scientific teams, for example. However, most large-scale use cases involving more than a handful of machines will need to examine alternative operating systems – or alternative support options. And there’s not much time left given that CentOS 8 reaches end-of-life in just a few months.
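As an added example (not from the article or from the CentOS project): a POSIX sh check a fleet operator could run against each host's /etc/os-release to tell CentOS Linux 8 (end-of-life after Dec 31, 2021, the date given above) apart from CentOS Stream 8 and other distributions. The three sample os-release files are constructed inline; the EOL date and the field names are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the article: classify a host from its /etc/os-release.
# CentOS Linux 8 is end-of-life after 2021-12-31 (the date given in the article);
# CentOS Stream 8 shares ID=centos and VERSION_ID=8 but is a different product.

# classify_os_release <os-release file> [YYYYMMDD]
# Prints CENTOS8_EOL, CENTOS8_SUPPORTED, CENTOS_STREAM8 or OTHER.
classify_os_release() {
    file="$1"
    today="${2:-$(date +%Y%m%d)}"      # date can be overridden for tests
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    name=$(sed -n 's/^NAME=//p' "$file" | tr -d '"')
    version=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    major="${version%%.*}"             # "8.4" -> "8"
    case "$id|$name|$major" in
        "centos|CentOS Stream|8") echo CENTOS_STREAM8 ;;
        "centos|"*"|8")
            if [ "$today" -gt 20211231 ]; then
                echo CENTOS8_EOL
            else
                echo CENTOS8_SUPPORTED
            fi ;;
        *) echo OTHER ;;
    esac
}

# Constructed sample os-release files standing in for three hosts.
samples=$(mktemp -d)
printf 'NAME="CentOS Linux"\nVERSION="8"\nID="centos"\nVERSION_ID="8"\n' > "$samples/centos8"
printf 'NAME="CentOS Stream"\nVERSION="8"\nID="centos"\nVERSION_ID="8"\n' > "$samples/stream8"
printf 'NAME="Red Hat Enterprise Linux"\nVERSION="8.4 (Ootpa)"\nID="rhel"\nVERSION_ID="8.4"\n' > "$samples/rhel8"

# Fleet-style report, one line per host; on a real host pass /etc/os-release.
for host in centos8 stream8 rhel8; do
    printf '%s: %s\n' "$host" "$(classify_os_release "$samples/$host" 20220101)"
done
```

Run with an inventory tool or over ssh per host; any CENTOS8_EOL line is a machine that will receive no further patches from the CentOS Project.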

Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime

A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group.

Court documents showed that Vladimir Dunaev, 38, along with other members of the transnational, cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses.

Starting out as a banking trojan in 2016, TrickBot has evolved into a modular, multi-stage Windows-based crimeware platform capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also notorious for its resilience, having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command a year ago.

However, on the legal front, the U.S. government earlier this year charged a 55-year-old Latvian woman, named Alla Witte, who the prosecutors said worked as a programmer “overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware.” Dunaev is the second Trickbot defendant to be arrested in 2021.

Dunaev, specifically, is said to have worked as a developer for the group, in charge of creating, deploying, and managing the Trickbot malware beginning in November 2015, while also overseeing the malware’s execution, as well as designing Firefox web browser modifications and helping to hide the malware from detection by security software.

New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

Cybersecurity researchers on Wednesday took the wraps off a “simple yet remarkable” malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East.

Codenamed “Wslink” by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group.

The Slovak cybersecurity firm noted that it has seen only a handful of detections in the past two years, suggesting that it could be used in highly-targeted cyber infiltrations.

Wslink is designed to run as a service and can accept encrypted portable executable (PE) files from a specific IP address, which are then decrypted and loaded into memory prior to execution. To achieve this, the client (i.e., the victim) and the server perform a handshake that involves the exchange of the cryptographic keys needed to encrypt the modules using AES.