Select Page
Popular iOS SDK Caught Spying on Billions of Users and Committing Ad Fraud

Popular iOS SDK Caught Spying on Billions of Users and Committing Ad Fraud

A popular iOS software development kit (SDK) used by over 1,200 apps—with a total of more than a billion mobile users—is said to contain malicious code with the goal of perpetrating mobile ad-click fraud and capturing sensitive information.

According to a report published by cybersecurity firm Snyk, Mintegral — a mobile programmatic advertising platform owned by Chinese mobile ad tech company Mobvista — includes an SDK component that allows it to collect URLs, device identifiers, IP Address, operating system version, and other user sensitive data from compromised apps to a remote logging server.

The malicious iOS SDK has been named “SourMint” by Snyk researchers.

“The malicious code can spy on user activity by logging URL-based requests made through the app,” Snyk’s Alyssa Miller said in a Monday analysis. “This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information.”

“Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application,” Miller added.

Although the names of the compromised apps using the SDK have not been disclosed, the code was uncovered in the iOS version of the Mintegral SDK (6.3.5.0), with the first version of the malicious SDK dating back to July 17, 2019 (5.5.1). The Android version of the SDK, however, doesn’t appear to be affected.

images from Hacker News

Google Researcher Reported 3 Flaws in Apache Web Server Software

Google Researcher Reported 3 Flaws in Apache Web Server Software

If your web-server runs on Apache, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorised control over it.

Apache recently fixed multiple vulnerabilities in its web server software that could have potentially led to the execution of arbitrary code and, in specific scenarios, even could allow attackers to cause a crash and denial of service.

The flaws, tracked as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993, were uncovered by Felix Wilhelm of Google Project Zero, and have since been addressed by the Apache Foundation in the latest version of the software (2.4.46).

The first of the three issues involve a possible remote code execution vulnerability due to a buffer overflow with the “mod_uwsgi” module (CVE-2020-11984), potentially allowing an adversary to view, change, or delete sensitive data depending on the privileges associated with an application running on the server.

“[A] Malicious request may result in information disclosure or [remote code execution] of an existing file on the server running under a malicious process environment,” Apache noted.

A second flaw concerns a vulnerability that’s triggered when debugging is enabled in the “mod_http2” module (CVE-2020-11993), causing logging statements to be made on the wrong connection and therefore resulting in memory corruption due to the concurrent log pool usage.

CVE-2020-9490, the most severe of the three, also resides in the HTTP/2 module and uses a specially crafted ‘Cache-Digest’ header to cause a memory corruption to lead to a crash and denial of service.​

images from Hacker News

A Google Drive ‘Feature’ Could Let Attackers Trick You Into Installing Malware

A Google Drive ‘Feature’ Could Let Attackers Trick You Into Installing Malware

An unpatched security weakness in Google Drive could be exploited by malware attackers to distribute malicious files disguised as legitimate documents or images, enabling bad actors to perform spear-phishing attacks comparatively with a high success rate.

The latest security issue—of which Google is aware but, unfortunately, left unpatched—resides in the “manage versions” functionality offered by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users.

Logically, the manage versions functionally should allow Google Drive users to update an older version of a file with a new version having the same file extension, but it turns out that it’s not the case.

According to A. Nikoci, a system administrator by profession who reported the flaw to Google and later disclosed it to The Hacker News, the affected functionally allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable.

As shown in the demo videos—which Nikoci shared exclusively with The Hacker News—in doing so, a legitimate version of the file that’s already been shared among a group of users can be replaced by a malicious file, which when previewed online doesn’t indicate newly made changes or raise any alarm, but when downloaded can be employed to infect targeted systems.

“Google lets you change the file version without checking if it’s the same type,” Nikoci said. “They did not even force the same extension.”

Needless to say, the issue leaves the door open for highly effective spear-phishing campaigns that take advantage of the widespread prevalence of cloud services such as Google Drive to distribute malware.

images from Hacker News

Former Uber Security Chief Charged Over Covering Up 2016 Data Breach

Former Uber Security Chief Charged Over Covering Up 2016 Data Breach

The federal prosecutors in the United States have charged Uber’s former chief security officer, Joe Sullivan, for covering up a massive data breach that the ride-hailing company suffered in 2016.

According to the press release published by the U.S. Department of Justice, Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach” that also involved paying hackers $100,000 ransom to keep the incident secret.

“A criminal complaint was filed today in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies,” it says.

The 2016 Uber’s data breach exposed names, email addresses, phone numbers of 57 million Uber riders and drivers, and driver license numbers of around 600,000 drivers.

The company revealed this information to the public almost a year later in 2017, immediately after Sullivan left his job at Uber in November.

Later it was reported that two hackers, Brandon Charles Glover of Florida and Vasile Mereacre of Toronto, were behind the incident to whom Sullivan approved paying money in exchange for promises to delete data of customers they had stolen.

All this started when Sullivan, as a representative for Uber, in 2016 was responding to FTC inquiries regarding a previous data breach incident in 2014, and during the same time, Brandon and Vasile contacted him regarding the new data breach.

images from Hacker News

Hackers Target Defense Contractors’ Employees By Posing as Recruiters

Hackers Target Defense Contractors’ Employees By Posing as Recruiters

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies.

Dubbed ‘BLINDINGCAN,’ the advanced remote access trojan acts as a backdoor when installed on compromised computers.

According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group, also known as Hidden Cobra, are spreading BLINDINGCAN to “gather intelligence surrounding key military and energy technologies.”

To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings.

However, such employment scams and social engineering strategies are not new and were recently spotted being used in another similar cyber espionage campaign by North Korean hackers against Israel’s defence sector.

“They built fake profiles on Linkedin, a social network that is used primarily for job searches in the high-tech sector,” the Israel Ministry of Foreign Affairs said.

“The attackers impersonated managers, CEOs and leading officials in HR departments, as well as representatives of international companies, and contacted employees of leading defence industries in Israel, with the aim of developing discussions and tempting them with various job opportunities.

“In the process of sending the job offers, the attackers attempted to compromise the computers of these employees, to infiltrate their networks and gather sensitive security information. The attackers also attempted to use the official websites of several companies in order to hack their systems.”

The CISA report says that attackers are remotely controlling BLINDINGCAN malware through compromised infrastructure from multiple countries, allowing them to:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artefacts associated with the malware from the infected system.

images from Hacker News

Experian South Africa Suffers Data Breach Affecting Millions; Attacker Identified

Experian South Africa Suffers Data Breach Affecting Millions; Attacker Identified

The South African arm of one of the world’s largest credit check companies Experian yesterday announced a data breach incident that exposed personal information of millions of its customers.

While Experian itself didn’t mention the number of affect customers, in a report, the South African Banking Risk Information Centre—an anti-fraud and banking non-profit organisation who worked with Experian to investigate the breach—disclosed that the attacker had reportedly stolen data of 24 million South Africans and 793,749 business entities.

Notably, according to the company, the suspected attacker behind this breach had already been identified, and the stolen data of its customers had successfully been deleted from his/her computing devices.

“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”

Experian South Africa has already reported the breach to law enforcement and the appropriate regulatory authorities.

The company claims there is no evidence indicating whether the stolen data includes consumers’ credit or financial information or used for fraudulent purposes before authorities had it deleted.

“Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details,” says SABRIC CEO, Nischal Mewalall.

images from Hacker News