Advisory ID: NCC-CSIRT-301123-043
Summary: Significant number of Google Drive users have reported the loss of recent files and folder structure changes, dating back to around April-May 2023. This issue has resulted in the disappearance of critical data stored in the cloud.
Threat Type(s): Data Loss, Service Disruption
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Google Drive
Platform(s): Web-based Cloud Storage Service
Version(s): All Versions
Description: Users of Google Drive have experienced a loss of recent data, with no indications of user error. The situation suggests a failure in the synchronisation of data between local devices and Google Cloud. Google's support team is investigating the issue, with no resolution or root cause identified yet.
Consequences: Potential loss of critical data, disruption of personal and business activities, loss of trust in cloud storage services.
Solution:
- Do not make changes to the root/data folder in cloud storage.
- Back up important files locally or use an alternative cloud service.
- Monitor for official updates from Google.
References:
https://www.bleepingcomputer.com/news/google/google-drive-users-angry-over-losing-months-of-stored-data/
https://www.digitaltrends.com/computing/google-drive-data-loss/
https://www.spiceworks.com/tech/data-management/news/google-drive-loses-user-data/amp/
Advisory ID: NCC-CSIRT-291123-042
Summary: Researchers at ThreatFabric, an online fraud detection company, have identified a dropper-as-a-service (DaaS) malware known as SecuriDropper. This malware employs an innovative method to bypass Android's security restrictions during payload delivery. SecuriDropper facilitates the infiltration of devices, enabling malicious actors to distribute spyware and banking Trojans. The deployment of these malicious payloads poses a threat to users' privacy and financial security.
Threat Type(s): Malware, Spyware and Banking Trojans
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android
Platform(s): Android Operating System
Version(s): Android 13
Description: The researchers revealed that the threat employs a 'session-based' installer to load malware, effectively evading Android 13's Restricted Settings feature introduced by Google. Restricted settings act as a safeguard against sideloaded applications seeking accessibility and notification listener permissions, commonly exploited by malware. In the case of apps obtained from a marketplace, a session-based package installer is utilized, distinguishing them from sideloaded counterparts. To overcome these restrictions, SecuriDropper employs a two-step infection process. It initially distributes a seemingly harmless application, functioning as a dropper for the actual malware payload. SecuriDropper utilizes an Android API to emulate the installation process of a marketplace, preventing the operating system from recognizing the payload as sideloaded and thus bypassing Restricted Settings. The dropper requests permissions for external storage access, package installation and deletion, then checks for the payload's presence. If installed, the dropper launches it; otherwise, it prompts the user to 'reinstall' the application, triggering payload delivery.
Consequences: SecuriDropper bypasses Android's 'Restricted Settings' feature, allowing it to install malware on devices and gain access to accessibility services.
Solution:
- Caution is advised for Android users against downloading APK files from unfamiliar or untrusted sources or publishers.
- Android users should be mindful of the permissions granted to apps, as they have control over which permissions an app receives.
- Pay attention to warnings from Google Play Protect and agree to block any apps flagged by Google Play Services for displaying malicious behavior.
References:
https://www.securityweek.com/dropper-service-bypassing-android-security-restrictions-to-install-malware/
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions
https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
https://www.noypigeeks.com/tech-news/securidropper-bypass-android-security/
https://thehackernews.com/2023/11/securidropper-new-android-dropper-as.html
Advisory ID: NCC-CSIRT-241123-041
Summary: A study led by Blackwing Intelligence researchers Jesse D'Aguanno and Timo Teräs, supported by Microsoft's Offensive Research and Security Engineering group, indicates a potential vulnerability in Windows Hello's fingerprint authentication. If successfully exploited, this could enable a hacker to log in as the device owner, provided they can steal or have access to the device without supervision.
Threat Type(s): Vulnerability, System Unlocking
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Laptop Computers
Platform(s): Goodix, Synaptics, and ELAN fingerprint sensors
Version(s): Dell Inspiron 15, Lenovo ThinkPad T14, Microsoft Surface Pro Type Cover with Fingerprint ID (for Surface Pro 8 / X)
Description: According to the researchers, the security flaw exists in the Windows Hello fingerprint feature. Windows Hello, a biometric authentication interface in Windows, allows users to log in through facial recognition or fingerprint scanning. For fingerprint authentication, users set up their fingerprints on compatible devices. Windows Hello uses a secure enclave to store and verify the fingerprint data during login, providing enhanced security compared to traditional password-based methods.
In the Windows Hello system, fingerprints are stored in the sensor chipset. During setup, the operating system (OS) generates an ID linked to the user's fingerprint by the sensor chip. This ID is then associated with the user's account. In the login process, the sensor reads the fingerprint, and if it matches a known print, the chip sends the corresponding ID to the OS for account access. Despite cryptographic measures, vulnerabilities in this system make devices susceptible to unlocking if a hacker gains physical access to the device to connect certain electronics.
The researchers outline the specific steps for exploiting the three affected systems as follows:
- Dell Inspiron 15: If hackers can boot the laptop into Linux, they can use the sensor's Linux driver to enumerate the ID numbers associated with known fingerprints. The attacker can then store their own fingerprint with an ID identical to the Windows user they want to impersonate. By using a man-in-the-middle device during Windows boot, the chip is directed to use the Linux database for fingerprints, allowing the attacker to log in as the Windows user.
- Lenovo ThinkPad T14: Similar to the Dell Inspiron 15, the ThinkPad attack involves using Linux to add a fingerprint with an ID associated with a Windows user. TLS is used to secure the connection, but this can be undermined to add a new fingerprint and log in as the targeted Windows user.
- Microsoft Surface Pro 8 / X Type Cover with Fingerprint ID: This is the most dangerous of all. In this case, there is no security between the chip and OS. Any device that can mimic the chip can send a message to Windows, allowing an attacker to log in without presenting a fingerprint.
Consequences: Laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands.
Solution:
- Use a password instead of a fingerprint for BIOS boot authentication.
- Users of the impacted computers should ensure they have the latest updates installed, as vendors have addressed the identified issues.
References:
https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/
https://www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/
Advisory ID: ngCERT-2023-0040
Summary: The end-of-year holiday season has seen an increase in the number of Black Friday adverts offering attractive discounts on goods and services. However, unsuspecting online shoppers could be targeted by cyber-attacks disguised as genuine retail brands offering mouth-watering Black Friday deals. Cybercriminals take advantage of the Black Friday frenzy by setting up fake websites to trick customers into sharing sensitive information. Trend Micro reported that in the month of October alone, nearly 35,000 Black Friday scam-related sites were observed seeking to lure victims for further exploitation. Accordingly, online shoppers and retailers alike are advised to put in place the necessary security measures to mitigate Black Friday cyber-scams.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: Black Friday cyber-attacks are usually phishing attempts that target online shoppers through fake or counterfeit websites, emails, and text messages. Scammers take advantage of increased e-commerce activity by impersonating popular marketplaces, premium brands, and gadget stores using fake URLs. By advertising big discounts on products, buyers are enticed to click on these fake URLs and share sensitive information, such as account passwords, payment details, or personal information that can be exploited for identity theft. Furthermore, some of these fraudulent websites can be used to infect the victim's device with malware or ransomware, while duping customers into paying for non-existent goods. Threat actors may also use an account verification scam in which the victim receives a text or email informing them that their account has been compromised and that they must act quickly to secure it. The message contains a clickable link or a phone number that ostensibly assists in verifying and securing the account. However, if the target clicks the link in the text or email, malware may be deployed.
Consequences: A successful Black Friday scam could result in the following:
- Account and device compromise.
- Installation of malicious software.
- Non delivery of purchased items.
- Banking and personal information theft.
- Financial loss.
- Identity theft.
Solution:
The following measures should be adopted:
- Always verify links, websites, and email addresses, and be wary of a false sense of urgency.
- Be wary of deals that are too good to be true and advertised or linked through social media.
- Always double-check on the official brands' sites for information instead of following the sketchy links through.
- Avoid clicking on sponsored advertisements. Some scammers use "malvertising" to target customers, luring them to click on ads that then install malware that compromises their devices.
- Never send payment information via email, and avoid off-platform transactions to ensure refund options.
- To avoid the threat of credit card skimming, use virtual credit cards or third-party payment processing sites, which help protect your cards.
- Don't be swayed by positive reviews; they can be faked or purchased.
- Resolve issues on the brand's website rather than via email.
- If you provided login information to any website, change your username and password right away. Also, if necessary, change your phone or bank card PIN.
- Use Two-Factor Authentication (2FA) for bank and credit card access.
- When visiting retailers via links in emails or social media posts, be cautious—only click if you trust the source and can verify that the message is genuine.
- If you receive an email or text message about a delivery issue, do not click any links or call any numbers provided.
References:
https://cybernews.com/editorial/cyberattacks-black-friday-cyber-monday/
Advisory ID: ngCERT-2023-0039
Summary: Users of the Google Chrome browser and Apple systems have lately been reported as vulnerable to malicious hackers who may exploit flaws discovered on the platforms. Vulnerabilities discovered recently in Google Chrome and Apple systems, particularly in the operating systems (OS) of the iPhone, iPad, Mac computers, Apple Watch, Apple TV, and Safari internet browser, may allow hackers to acquire control of the devices. As a result, individuals and organizations must take proactive actions to defend themselves from potential threats.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: Vulnerabilities in an IT system are flaws, features, or user errors that an attacker can exploit to compromise IT infrastructure. Cybercriminals use a variety of hacking techniques to exploit flaws in web browsers and devices. Hackers find a flaw or weakness that allows them to download and execute malicious code (typically after a user visits or clicks on a compromised URL or file). The code can then automatically download and run other malicious code or steal vital corporate information. Phishing is another prevalent tactic used by hackers: attackers send phishing emails carrying exploit kits that target web browsers. When the victim clicks a link or attachment in the email, a malicious page opens in their web browser, which can then exploit an unpatched vulnerability to deploy malware packages or steal browser data.
Consequences: The exploitation of vulnerabilities in the aforementioned systems could result in:
i. Denial of service.
ii. Data exfiltration.
iii. Identity theft.
iv. Financial losses.
Solution: Service providers have issued security patches to reduce the dangers. Regardless, all users are encouraged to immediately:
- Update their devices, software, and systems to the latest versions.
- Clear browser history to erase stored credentials or passwords.
- Clear cookies, as they can allow hackers to access email services without a user’s
- Avoid clicking on malicious links that could compromise their browsers.
References:
https://fastcompanyme.com/news/uae-issues-security-warning-for-google-chrome-and-apple-users