exploiting

Winsage
November 8, 2024
Researchers have identified a new threat campaign, SteelFox, that uses counterfeit software activators and cracks to infiltrate Windows systems. Once installed, it loads a vulnerable driver (a bring-your-own-vulnerable-driver technique used to gain SYSTEM privileges), an information stealer, and a cryptocurrency miner, so it both exfiltrates sensitive data and burns the victim's hardware on illicit mining. Victims are reported globally, from Brazil to China, among users of commercial software such as Foxit PDF Editor, JetBrains products, and AutoCAD. Because the fake activators continue to be advertised, further infections are likely.
AppWizard
November 7, 2024
Twelve malicious Android applications have been identified that can take control of a device to record audio and perform other harmful actions:
1. Rafaqat
2. Privee Talk
3. MeetMe
4. Let’s Chat
5. Quick Chat
6. Chit Chat
7. YohooTalk
8. TikTalk
9. Hello Cha
10. Nidus
11. GlowChat
12. Wave Chat
The first six were available on the Google Play Store and were downloaded more than 1,400 times before removal. Users are advised to uninstall these apps immediately and to remain cautious about installing unfamiliar applications or clicking suspicious links.
Winsage
November 1, 2024
A security vulnerability has been disclosed in Windows that stems from the legacy NTLM authentication protocol. It affects every Windows client version from Windows 7 onward, so a very large number of users are exposed. Exploitation requires no special privileges: the attacker only needs the victim to view a malicious theme file in Windows Explorer, for instance one downloaded from a website or received by email, whereupon the system authenticates to an attacker-controlled host and hands over the user's NTLM credentials (a challenge-response hash that can be relayed or cracked offline), opening the way to further compromise.
Tech Optimizer
October 31, 2024
Macs are facing an increasing number of cybersecurity threats, with malware targeting macOS rising from eight families in 2021 to 21 in 2023. To protect against these threats, users are advised to implement antivirus software, maintain regular backups using tools like Apple's Time Machine and cloud services, enable the built-in firewall, use password managers for secure password storage, and utilize a VPN for secure internet connections, especially on public Wi-Fi.
AppWizard
October 31, 2024
Android users are being warned about a new variant of the FakeCall malware, which can intercept calls, live-stream the device screen, and manipulate text messages and the camera. The updated spyware prompts the user to set it as the default call handler, which gives it control over every call. Users are advised not to make unfamiliar apps the default call handler, to avoid sideloading apps, and to keep Play Protect enabled. FakeCall reroutes calls to attacker-controlled lines while showing a screen that mimics the legitimate banking interface, putting sensitive account information at risk. Google is extending Play Protect to monitor apps installed from outside the Play Store and plans to introduce live threat detection in the upcoming Android 15 update. Zimperium has published resources for identifying FakeCall apps and encourages users to check their default call handler setting and app permissions.
Winsage
October 28, 2024
Researchers have shown that fully patched Windows 11 systems can still be made to accept custom rootkits that bypass endpoint security and persist on compromised hosts. The technique is the downgrade attack that SafeBreach researcher Alon Leviev demonstrated at Black Hat USA 2024 with a tool called Windows Downdate. Given administrative access, the tool manipulates the Windows Update process to roll patched components back to known-vulnerable versions. Leviev showed that systems running virtualization-based security (VBS) are also exposed: he could downgrade VBS components and re-open privilege escalation vulnerabilities that had already been fixed.

Microsoft has patched two of the resulting vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the underlying downgrade capability. Its position is that an administrator gaining kernel code execution does not cross a security boundary.

On October 26 Leviev published details of a new downgrade attack that uses Windows Downdate to revive a driver signature enforcement bypass. He placed the flaw in the class known as False File Immutability (FFI), which exploits incorrect assumptions that a file cannot change underneath the code that has loaded it. Downgrading specific OS modules, such as the code integrity module CI.dll, makes the bypass work even with VBS enabled. Tim Peck of Securonix noted that the attacks hinge on Windows not properly validating DLL version numbers, which lets outdated, vulnerable files be loaded. Microsoft says it is developing mitigations, including a security update to revoke outdated VBS system files, but has not disclosed specific measures or a timeline.
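The detection side of the downgrade problem is an inventory comparison: record the version and hash of boot-critical binaries from a trusted image, then flag any file on the host whose version has gone backwards, whose bytes changed without a version change, or which has vanished. The script below is an added example for this listing, not code from the article, from Windows Downdate, or from Microsoft; its BASELINE and OBSERVED inventories are constructed sample data, and fake_sha256 stands in for hashing the real file.

```python
"""Flag Windows components that are older than a trusted baseline.

Added example; not part of the article, Windows Downdate or Microsoft tooling.
BASELINE and OBSERVED are constructed: on a real host OBSERVED comes from the
files on disk (PE file version plus SHA-256 of the bytes) and BASELINE from a
trusted reference image of the same build.
"""
import hashlib


def parse_version(v: str) -> tuple:
    """'10.0.22621.3374' -> (10, 0, 22621, 3374).

    Comparing tuples avoids the string-compare trap in which
    '10.0.22621.999' sorts above '10.0.22621.3374'.
    """
    return tuple(int(part) for part in v.split("."))


def fake_sha256(label: str) -> str:
    """Stand-in digest for the constructed sample; a real check hashes the file."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed baseline: what a trusted image of this build ships.
BASELINE = {
    r"C:\Windows\System32\ci.dll":           {"version": "10.0.22621.3374", "sha256": fake_sha256("ci-good")},
    r"C:\Windows\System32\ntoskrnl.exe":     {"version": "10.0.22621.3374", "sha256": fake_sha256("krnl-good")},
    r"C:\Windows\System32\securekernel.exe": {"version": "10.0.22621.3374", "sha256": fake_sha256("sk-good")},
    r"C:\Windows\System32\skci.dll":         {"version": "10.0.22621.3374", "sha256": fake_sha256("skci-good")},
}

# Constructed observation: ci.dll rolled back, securekernel.exe same version
# but different bytes, skci.dll gone, ntoskrnl.exe untouched.
OBSERVED = {
    r"C:\Windows\System32\ci.dll":           {"version": "10.0.22621.1",    "sha256": fake_sha256("ci-old")},
    r"C:\Windows\System32\ntoskrnl.exe":     {"version": "10.0.22621.3374", "sha256": fake_sha256("krnl-good")},
    r"C:\Windows\System32\securekernel.exe": {"version": "10.0.22621.3374", "sha256": fake_sha256("sk-tampered")},
}


def find_downgrades(baseline: dict, observed: dict) -> list:
    """One finding per file whose version went backwards, whose bytes changed
    without a version change, or which is missing. Newer-than-baseline files
    are not flagged, since that is what a legitimate update looks like."""
    findings = []
    for path, good in baseline.items():
        seen = observed.get(path)
        if seen is None:
            findings.append({"path": path, "issue": "missing"})
            continue
        expected, got = parse_version(good["version"]), parse_version(seen["version"])
        if got < expected:
            findings.append({"path": path, "issue": "downgraded",
                             "expected": good["version"], "observed": seen["version"]})
        elif got == expected and seen["sha256"] != good["sha256"]:
            findings.append({"path": path, "issue": "hash-mismatch"})
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(BASELINE, OBSERVED):
        print(finding)
```

The baseline has to be refreshed after every legitimate update, otherwise a patched host looks like a tampered one; the comparison itself is cheap enough to run at boot or from a scheduled task.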
Winsage
October 26, 2024
APT29, a Russian advanced persistent threat group associated with the Foreign Intelligence Service (SVR), has been targeting military, government, and corporate organizations through phishing. The group is behind several major intrusions, including the SolarWinds supply-chain compromise and the Democratic National Committee breach, and more recently accessed Microsoft source code repositories and targeted political entities across Europe and Africa. The Computer Emergency Response Team of Ukraine (CERT-UA) has now observed APT29 phishing aimed at harvesting Windows credentials from various sectors in Ukraine. The campaign, under way since August, sent emails from domains imitating Amazon Web Services (AWS) with Remote Desktop configuration (.rdp) files attached; opening the file makes the victim's machine connect to an attacker-controlled RDP server and redirect local resources such as drives and the clipboard to it. Although APT29 never used legitimate AWS domains, Amazon disrupted the campaign by taking down the look-alike domains. CERT-UA recommends that organizations monitor network logs for the APT29 IP addresses it published and block .rdp files at email gateways.
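Blocking every .rdp attachment is the blunt fix; a gateway or SOC tooling can also triage the file itself, since an .rdp file is plain text of the form name:type:value and the dangerous combination is an unapproved destination host plus resource redirection. The following is an added example for this listing, not code from the article, CERT-UA, or Amazon; the two .rdp bodies are constructed and the hostnames are documentation values.

```python
"""Triage an .rdp file for settings that hand the remote server access to the client.

Added example; not from the article, CERT-UA or Amazon. An .rdp file is a list
of 'name:type:value' lines (type 's' = string, 'i' = integer). The samples are
constructed; the hostnames are placeholders, not real infrastructure.
"""

# Settings that expose local resources or let the server drive the session.
# name -> (predicate on the value, explanation)
RISKY_SETTINGS = {
    "drivestoredirect":      (lambda v: v != "",  "local drives are mapped into the remote session"),
    "devicestoredirect":     (lambda v: v != "",  "plug-and-play devices are redirected"),
    "usbdevicestoredirect":  (lambda v: v != "",  "USB devices are redirected"),
    "redirectclipboard":     (lambda v: v == "1", "clipboard is shared with the server"),
    "redirectprinters":      (lambda v: v == "1", "printers are redirected"),
    "redirectsmartcards":    (lambda v: v == "1", "smart cards are redirected"),
    "redirectcomports":      (lambda v: v == "1", "COM ports are redirected"),
    "remoteapplicationmode": (lambda v: v == "1", "RemoteApp mode hides the remote desktop UI"),
}


def parse_rdp(text: str) -> dict:
    """Return {setting: value}; the value itself may contain ':' (host:port)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _type, value = (line.split(":", 2) + ["", ""])[:3]
        settings[name.strip().lower()] = value.strip()
    return settings


def triage_rdp(text: str, allowed_hosts=()) -> list:
    """Human-readable findings; an empty list means nothing suspicious."""
    settings = parse_rdp(text)
    findings = []
    host = settings.get("full address", "").rsplit(":", 1)[0]
    if host and host.lower() not in {h.lower() for h in allowed_hosts}:
        findings.append(f"full address points to {host!r}, not an approved RDP gateway")
    for name, (hits, why) in RISKY_SETTINGS.items():
        if name in settings and hits(settings[name]):
            findings.append(f"{name}={settings[name]!r}: {why}")
    return findings


# Constructed sample: external host, RemoteApp mode, drives/devices/clipboard
# all pushed to the server.
SUSPICIOUS_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
alternate shell:s:
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
username:s:
"""

# Constructed sample: approved gateway, no redirection.
BENIGN_RDP = """\
full address:s:gw.corp.example:3389
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for finding in triage_rdp(SUSPICIOUS_RDP, allowed_hosts=("gw.corp.example",)):
        print(finding)
```

The allow-list of gateways is the organisation's own; an .rdp file that points anywhere else is already worth quarantining, and the redirection findings tell the analyst what the attacker would have received had the user clicked through.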
Winsage
October 23, 2024
A security flaw, CVE-2024-8260, was discovered in Styra’s Open Policy Agent (OPA) by researchers at Tenable. Rated CVSS 6.1, it can expose the credentials of millions of Windows users. If an attacker can get OPA to open a file on a remote share (a Universal Naming Convention (UNC) path of the form \\host\share\file), the Windows SMB client authenticates to the attacker's server and leaks the user's NTLM credentials. Organizations using the OPA CLI or the OPA Go package on Windows are advised to update to OPA v0.68.0. Exploitation can occur through social engineering, for example by persuading a user to run OPA on a malicious file attachment; an attacker can also steer OPA toward their server through a UNC path in its environment or through Rego rules that redirect OPA's communications. When Windows accesses a remote share it sends an NTLM challenge-response, which the attacker can relay to another service or crack offline to recover the password and reach other systems. The risk is greater where an OPA server accepts paths or input from users or third parties, as is common in cloud-native applications that rely on dynamic input.
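Both this item and the theme-file item above share one root cause: a string that Windows will treat as a network path reaches a component that dutifully opens it, and the SMB client authenticates on the user's behalf. The check below is an added example for this listing, not code from the article, 0patch, Tenable, or the OPA project. It recognises UNC and file:// forms that reach a remote host and applies that test to two constructed inputs: the image entries of a .theme file (INI format) and the argument list a wrapper would pass to a Windows process such as the OPA CLI. 203.0.113.5 is a documentation address.

```python
"""Refuse network paths in untrusted input before Windows resolves them.

Added example covering the theme-file and OPA items; not code from the
article, 0patch, Tenable or the OPA project. SAMPLE_THEME and the argument
lists are constructed; 203.0.113.5 is a documentation address.
"""
import configparser
import re
from urllib.parse import urlparse

# \\host\share, //host/share, \\?\UNC\host\share, \\host@SSL\DavWWWRoot (WebDAV)
_UNC = re.compile(r"^(\\\\|//)[^\\/]+([\\/]|$)")


def is_network_path(value: str) -> bool:
    """True if resolving `value` would make the SMB/WebDAV client contact a host."""
    v = value.strip()
    if _UNC.match(v):
        return True
    if v.lower().startswith("file:"):
        host = urlparse(v).netloc.lower()
        return host not in ("", "localhost")  # file:///C:/x stays local
    return False


def scan_theme(theme_text: str) -> list:
    """(section, key, value) for every theme entry that names a remote host.

    .theme files are INI text; only '=' is treated as the delimiter so that
    drive letters in values ('C:\\...') are not mistaken for separators.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(theme_text)
    return [(section, key, value)
            for section in cp.sections()
            for key, value in cp.items(section)
            if is_network_path(value)]


def reject_network_args(args: list) -> list:
    """Arguments a wrapper should refuse to pass on, e.g. to `opa eval --data`."""
    return [a for a in args if is_network_path(a)]


# Constructed theme: one image entry points at a remote host, one is local.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Constructed sample theme
BrandImage=\\203.0.113.5\share\brand.png

[Control Panel\Desktop]
Wallpaper=C:\Windows\Web\Wallpaper\Windows\img0.jpg
"""

if __name__ == "__main__":
    print(scan_theme(SAMPLE_THEME))
    print(reject_network_args(["eval", "--data", r"\\203.0.113.5\share\policy.rego", "data.x"]))
```

A host-level complement, independent of any one application, is the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy set to deny, together with blocking outbound TCP 445 at the perimeter; the path check above is what you apply where that policy cannot be deployed.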