Mobile Security – Information Security Newspaper | Hacking News (https://www.securitynewspaper.com, feed updated Wed, 06 Dec 2023 19:22:45 +0000)

Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers
https://www.securitynewspaper.com/2023/12/06/over-86000-routers-at-risk-is-yours-one-of-them-shocking-vulnerabilities-in-widely-used-ot-iot-routers/ (Wed, 06 Dec 2023)

The research "Sierra:21 – Living on the Edge" presents an analysis of vulnerabilities found in Sierra Wireless AirLink cellular routers, which are widely used in OT/IoT (Operational Technology/Internet of Things) environments to connect critical local networks to the Internet. Forescout Vedere Labs identified 21 new vulnerabilities in these routers, as well as in certain open-source components used in them, such as TinyXML and OpenNDS.

  • The study focuses on the Sierra Wireless AirLink cellular routers, crucial for connecting OT/IoT networks to the internet.
  • These routers are used in various critical infrastructure sectors, including manufacturing, healthcare, government, energy, transportation, and emergency services.
  • Sierra Wireless, OpenNDS, and Nodogsplash have patched several vulnerabilities, but challenges remain due to the abandonment of projects like TinyXML.

Flaws and Examples

The vulnerabilities are grouped into five impact categories:

  1. Remote Code Execution (RCE): Attackers can take full control of a device by injecting malicious code.
  2. Cross-Site Scripting (XSS): This allows for the injection of malicious code on clients browsing the ACEmanager application, potentially leading to credential theft.
  3. Denial of Service (DoS): These vulnerabilities can be used to crash ACEmanager, rendering it unreachable or causing it to restart automatically.
  4. Unauthorized Access: This involves design flaws like hardcoded credentials and private keys, which could allow attackers to perform man-in-the-middle attacks or recover passwords.
  5. Authentication Bypasses: These allow attackers to bypass the authentication service of the captive portal and directly connect to the protected WiFi network.

Severity of Vulnerabilities: Among these 21 vulnerabilities, one is of critical severity, nine have high severity, and eleven have medium severity. These vulnerabilities could allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device, and use it as an initial access point into critical networks.

Affected Sectors: The affected devices are found in multiple critical infrastructure sectors. These include manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Additionally, these routers are used to stream video for remote surveillance and connect police vehicles to internal networks.

Extent of Exposure: Over 86,000 vulnerable routers are exposed online. Notably, less than 10% of these exposed routers have been confirmed to be patched against known vulnerabilities found since 2019, which indicates a large attack surface. Moreover, 90% of devices exposing a specific management interface (AT commands over Telnet) have reached the end of their life, meaning they cannot receive further patches.

Specific examples include:

  • CVE-2023-40458: ACEmanager enters an infinite loop when parsing malformed XML documents, leading to DoS.
  • CVE-2023-40459: A NULL-pointer dereference in ACEmanager during user authentication, leading to limited DoS.
  • CVE-2023-40460: Attackers can upload HTML documents to replace legitimate web pages in ACEmanager, leading to XSS attacks.
  • CVE-2023-40461 and CVE-2023-40462: Issues with uploading client certificates and client TLS keys in ACEmanager, enabling JavaScript code injection.
  • CVE-2023-40463: Hardcoded hash of the root password in ALEOS, allowing unauthorized root access.
  • CVE-2023-40464: Default SSL private key and certificate in ALEOS, enabling impersonation and traffic sniffing/spoofing.

Mitigation or Workaround

  • Patching is essential. Sierra Wireless has released updated ALEOS versions containing fixes.
  • Change default SSL certificates.
  • Disable unnecessary services like captive portals, Telnet, and SSH.
  • Deploy web application firewalls to protect against web-based vulnerabilities.
  • Use OT/IoT-aware intrusion detection systems to monitor network connections.

Conclusion

  • Vulnerabilities in OT/IoT network infrastructure are a major concern and are often left unpatched.
  • Less than 10% of routers exposed online are patched against known vulnerabilities.
  • Embedded devices lag in addressing vulnerabilities and implementing exploit mitigations.
  • Incomplete fixes can lead to new issues, as seen with CVE-2023-40460, originating from an incomplete fix for a previous vulnerability.
  • Manufacturers need to understand and address the root causes of vulnerabilities for effective long-term solutions.

The Art of Interception: Active and Passive Surveillance in Mobile Signaling Networks
https://www.securitynewspaper.com/2023/10/30/the-art-of-interception-active-and-passive-surveillance-in-mobile-signaling-networks/ (Tue, 31 Oct 2023)

Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous varied players and are closely tied to how mobile phones roam among cell providers when travelling. These vulnerabilities are usually related to signalling messages carried across telecommunications networks, which expose phones to possible location disclosure.

Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.

Most illegal network-based location disclosure is achievable because mobile telecommunications networks interconnect with one another. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as ‘surveillance actors’ throughout this paper since they are interested in mobile geolocation surveillance.

Despite worldwide 4G network adoption and a fast-developing 5G network footprint, many mobile devices and their owners still use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.

The research done by Citizen Lab focuses on geolocation risks from mobile signalling network attacks. Active or passive surveillance may reveal a user’s position via mobile signalling networks, and actors may use numerous strategies to do so.

The two methods differ significantly. Active surveillance employs software to trigger a mobile network response with the target phone position, whereas passive surveillance uses a collecting device to retrieve phone locations directly from the network. An adversarial network employs software to send forged signalling messages to susceptible target mobile networks to query and retrieve the target phone’s geolocation during active assaults. Such attacks are conceivable on networks without properly implemented or configured security safeguards. Unless they can install or access passive collecting devices in global networks, an actor leasing a network can only utilise active surveillance tactics.

However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.

The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.

Active Surveillance:

  • In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
  • Vulnerable networks without proper security controls are susceptible to active attacks.
  • Actors can access networks through lease arrangements to carry out active surveillance.

Passive Surveillance:

  • In passive surveillance, a collection device is used to obtain phone locations directly from the network.
  • Surveillance actors might combine active and passive methods to access location information.

Active Attacks:

  • Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
  • They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.

Vulnerabilities in Home Location Register (HLR) Lookup:

  • Commercial HLR lookup services can be used to check the status of mobile phone numbers.
  • Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
  • Actors with access to the SS7 network can perform HLR lookups without intermediary services.

Domestic Threats:

  • Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
  • Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
  • In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.

Passive Attacks:

  • Passive location attacks involve collecting usage or location data using network-installed devices.
  • Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
  • Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.

Packet Capture Examples of Location Monitoring:

  • Packet captures show examples of signaling messages used for location tracking.
  • Location information, such as GPS coordinates and cell information, can be exposed through these messages.
  • User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.

The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally. Based on past, present, and future evaluations of mobile network security, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are expected to persist without mandated transparency that exposes poor practices and accountability mechanisms that require operators to fix them. All three network generations give surveillance actors more possibilities. As long as nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military personnel, and government officials.
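To make the "signalling firewall" the report keeps returning to concrete, here is an added example (not Citizen Lab's tooling or code from the report) that applies three defensive rules to a constructed log of inbound SS7/MAP requests: a home-only interrogation arriving over the interconnect, a location query from a network that is not a roaming partner, and a burst of routing-info lookups against many numbers from one origin, which is what a commercial HLR lookup service looks like from the inside. The opcode names are real MAP operations, but the log format, the global-title prefixes and the thresholds are assumptions chosen for the example.

```python
"""Toy signalling-firewall rules for inbound SS7/MAP location queries.

Constructed example; the log format, global-title (GT) prefixes and
thresholds are assumptions, not values taken from the Citizen Lab report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# GT prefixes of networks we have a roaming agreement with (assumed).
ROAMING_PARTNER_PREFIXES = ("4478", "3362")
HOME_GT_PREFIX = "4917"

# ATI is a home-network-only query; it should never arrive from abroad.
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation"}
# Legitimate when a partner network is serving our roamer, but they reveal
# the serving MSC/VLR (i.e. a location) when sent by anyone else.
LOCATION_QUERIES = {"provideSubscriberInfo", "sendRoutingInfo", "updateLocation"}
# SRI-for-SM is how "HLR lookup" services learn the serving network; a burst
# of them against many different numbers from one origin is a lookup campaign.
LOOKUP_OP = "sendRoutingInfoForSM"
LOOKUP_BURST = 3              # distinct MSISDNs per window from one origin
LOOKUP_WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Parse 'ISO-time origin_gt opcode target_msisdn' (constructed format)."""
    ts, origin, opcode, target = line.split()
    return datetime.fromisoformat(ts), origin, opcode, target


def is_partner(gt):
    return gt.startswith(ROAMING_PARTNER_PREFIXES)


def is_home(gt):
    return gt.startswith(HOME_GT_PREFIX)


def evaluate(lines):
    """Return a list of (reason, origin_gt, target_msisdn) alerts."""
    alerts = []
    recent = defaultdict(list)   # origin -> [(ts, msisdn), ...] for SRI-SM
    for line in lines:
        ts, origin, opcode, target = parse_line(line)
        if is_home(origin):
            continue             # intra-network traffic is out of scope here
        if opcode in NEVER_FROM_INTERCONNECT:
            alerts.append(("category-1 op from interconnect", origin, target))
        elif opcode in LOCATION_QUERIES and not is_partner(origin):
            alerts.append(("location query from non-partner", origin, target))
        elif opcode == LOOKUP_OP:
            window = [(t, m) for t, m in recent[origin] if ts - t <= LOOKUP_WINDOW]
            window.append((ts, target))
            recent[origin] = window
            if len({m for _, m in window}) >= LOOKUP_BURST:
                alerts.append(("HLR-lookup burst", origin, target))
    return alerts


# Constructed sample log: two partner networks, one unknown foreign GT,
# and one request from inside the home network.
SAMPLE_LOG = [
    "2023-10-30T09:00:01 447800000001 updateLocation 491700000001",
    "2023-10-30T09:00:05 336200000002 provideSubscriberInfo 491700000002",
    "2023-10-30T09:00:10 990100000009 provideSubscriberInfo 491700000001",
    "2023-10-30T09:00:12 990100000009 anyTimeInterrogation 491700000001",
    "2023-10-30T09:00:20 990100000009 sendRoutingInfoForSM 491700000001",
    "2023-10-30T09:00:21 990100000009 sendRoutingInfoForSM 491700000002",
    "2023-10-30T09:00:22 990100000009 sendRoutingInfoForSM 491700000003",
    "2023-10-30T09:00:30 491700000099 anyTimeInterrogation 491700000001",
]

if __name__ == "__main__":
    for reason, origin, target in evaluate(SAMPLE_LOG):
        print(f"ALERT {reason}: {origin} -> {target}")
```

The sample produces three alerts, all against the unknown origin; the two partner requests pass, which is exactly the gap the article describes when a "partner" is itself a leased or compromised connection.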

Exploiting Android App Pin feature to steal money from mobile wallets apps
https://www.securitynewspaper.com/2023/09/12/exploiting-android-app-pin-feature-to-steal-money-from-mobile-wallets-apps/ (Tue, 12 Sep 2023)

An intruder might utilize a security hole in the Android App Pin feature to make illegal purchases using Google Wallet if they are determined enough to do so. Because of the vulnerability, an attacker is able to access the whole card number as well as the expiration date from a device that is locked. To take advantage of the vulnerability identified as CVE-2023-35671, an attacker would need physical access to the victim’s device. After that, they would have to put the device in App Pin mode and hold it close to an NFC reader. After the data from the card has been read, the perpetrator may use it to make an unlawful payment.

Tiziano Marra, an ethical hacker, discovered the vulnerability. This vulnerability, which has been assigned the identifier CVE-2023-35671, is not your typical security flaw. An information disclosure flaw, sometimes described as a ticking time bomb, is at the core of the issue, and it ultimately results from a logic error. What are the possible repercussions? It gives an attacker the pernicious ability to gather the whole card number as well as the expiry date of the card.

The Android App Pin feature is where the vulnerability is exploited. Android app pinning was first referred to as ‘screen pinning’ when it was introduced with Android 5.0 Lollipop (API level 21) on November 12, 2014. On Android smartphones, this security feature improves the user’s ability to control their privacy and protect their data.

Users are given the ability to restrict their mobile device to a single program via the use of a feature known as “app pinning,” which effectively restricts their access to other apps and sensitive data. This capability proved to be quite useful in situations where keeping a highly concentrated work environment, dealing with public terminals, or sharing a device were all necessary requirements. When this is done, it stops unauthorized users from accessing personal data, programs, and settings, which contributes to an overall more secure digital experience.

The following procedures are often included when implementing app pinning as a method of application management:

Users may enable this feature by going to the Settings menu on their smartphone and selecting the Security and Privacy menu followed by the More Security Settings menu and then selecting the App Pinning option. After it has been enabled, users will be able to choose whatever app they want to pin.

Launching the chosen application is the first step in the pinning process, which allows users to enter pinned mode. This operation will permanently lock the device within the user interface of the chosen app.

When using the pinned mode, you won’t be able to interact with any other applications since they will be momentarily hidden from view. If you try to move to another app, access notifications, or perform any other function while the pinned app is open, the device will remind you that you are in the wrong app and keep you there.

Exiting Pinned Mode: Users often need to give an extra layer of authentication in order to quit this mode. This may take the form of inputting a pre-set PIN, pattern, or password, or it can be accomplished via the use of biometric recognition (such as fingerprints or face recognition). Because of this additional degree of security, only users who are permitted to do so are able to exit the pinned app environment.

Pinning an Android app has many advantages, including the following:

Pinned mode protects users’ privacy and security by preventing unwanted access to private information, data, and programs that are deemed particularly sensitive.

Public Terminals: App pinning is important in scenarios like kiosks or shared devices since it confines users to a single program, hence decreasing the danger of illegal access and data exposure. This may be accomplished by pinning the application to the home screen of the device.

Focus and Productivity: Users may establish focused work environments by restricting the capabilities of their device to a single application that is task-oriented. This can increase their level of productivity.

Pinning an app to the home screen allows parents to limit their children’s access to just those games and programs that are suitable for their age or those that are instructive.

In a nutshell, Android app pinning, which was formerly referred to as “screen pinning,” was launched with Android 5.0 Lollipop and offers comprehensive control over the functionality and access of the device. It provides increased security, privacy, and focused interaction with digital information by designating a certain app as the one that may be used and needing authentication in order to leave that mode.

There is a logic error in the code that makes it possible for a general-purpose NFC reader to read the whole card number and expiration date even while the device screen is locked. The problem is in the onHostEmulationData method of HostEmulationManager.java. It could result in local information disclosure without any additional execution privileges being needed, and exploitation does not require user interaction.

According to Google’s assessment, the severity of this vulnerability is high. Along with his findings, the researcher also submitted a proof-of-concept, which underscored the seriousness of this high-severity vulnerability.

Fake airplane mode attack allows to spy and hack iPhone users
https://www.securitynewspaper.com/2023/08/17/fake-airplane-mode-attack-allows-to-spy-and-hack-iphone-users/ (Thu, 17 Aug 2023)

This summer, hundreds of thousands of people will be preparing to take off while sitting back, relaxing, and using the airplane mode setting on their iPhones. When this setting is activated, the device’s radio frequency (RF) transmission technology is turned off, which severs the user’s connection to their mobile network for the duration of the flight. This function, which was first implemented many years ago as a precautionary safety measure to shield aircraft from what was believed to be interference with their communications or navigation systems, is also known as flight mode or fly safe mode. In point of fact, the severity of this perceived risk to aircraft safety has been exaggerated; as a result, the regulations are not as stringent as they once were, and in-flight Wi-Fi has improved to the point where it is now usable. Despite this, activating airplane mode continues to be an essential part of the pre-flight procedure.

Nevertheless, researchers at Jamf Threat Labs have recently uncovered and successfully demonstrated an exploit approach that allows an attacker to retain persistence on their victim’s device even when the user thinks they are offline. This technique was developed in response to a vulnerability that was revealed in a previous exploit. The approach, which has not been seen being used in the wild, relies on the successful development of a fake airplane mode “experience” by a hypothetical threat actor. This “experience” causes the device to give the appearance of being offline while in reality it is still functioning normally.

The exploit chain that was put together by Jamf ultimately results in a scenario in which processes that are controlled by an attacker are able to operate in the background undetected and unseen, while the owner of the device is blissfully oblivious that anything is wrong.

Two daemons are responsible for putting an iOS device into airplane mode: SpringBoard, which handles the visible changes to the user interface (UI), and CommCenter, which controls the underlying network interface and also maintains a feature that lets users restrict mobile data access for specific applications. Under normal circumstances, when airplane mode is activated the mobile data interface no longer shows IPv4 or IPv6 addresses, and the mobile network becomes disconnected and inaccessible from user space.

The Jamf team, on the other hand, was able to pinpoint the pertinent area of the target device’s console log and, from that point on, utilize a certain string—”#N User airplane mode preference changing from kFalse to KTrue”—to locate the code that was referencing it. From there, they were able to successfully access the code of the device, at which point they hooked into the function and replaced it with an empty or inactive function. They were able to do this in order to construct a bogus airplane mode, in which the device does not truly get disconnected from the internet and they still have access to it.

After that, they went after the user interface by hooking two Objective-C methods to inject a small amount of code that dims the mobile connection indicator, leading the user to believe it is switched off, and highlights the airplane mode icon (the picture of an airplane). If the hypothetical victim were to open Safari at this point, they would reasonably expect to be prompted to disable airplane mode or connect to a Wi-Fi network in order to access data, since airplane mode appears to be enabled on their device.

Instead, because the device is really still connected to the internet, they would see a different message asking them to authorize Safari to use wireless data via WLAN or mobile, or WLAN alone, which would be a hint that something was wrong. The Jamf team was aware that this needed to be fixed for the exploit chain to succeed, so they devised a way to give the user the impression that they had been disconnected from mobile data services: they used the CommCenter feature that blocks mobile data access for specific applications, and then disguised that action as airplane mode by hooking yet another function.

They accomplished this by presenting the user with the prompt to switch off airplane mode, rather than the prompt they should have seen. The team made use of a SpringBoard feature that shows the “turn off airplane mode” notification after being told to do so by CommCenter, which in turn receives the notification from the device kernel via a registered observer/callback function. This allowed the team to cut Safari’s internet connection without actually turning on airplane mode.

The group then discovered that CommCenter also handles a SQL database file that records the mobile data access status of each program. If an application is prevented from accessing mobile data, that application is marked with a particular flag. They would then be able to selectively prohibit or enable an application’s access to mobile data or Wi-Fi by reading a list of application bundle IDs and obtaining their default settings from this information.

Chain of exploitation

After putting all of this together, the team had essentially built an attack chain in which their fake airplane mode appears to the victim to behave exactly as the genuine one does, except that non-application processes are still allowed to access mobile data. “This hack of the user interface disguises the attacker’s movement by placing the device into a state that is counterintuitive to what the user expects,” Covington added. “The user expects one thing, but the device behaves in a way that betrays their expectations.” “An adversary could use this to surveil the user and their surroundings at a time when no one would suspect video recording or a live microphone capturing audio,” says one researcher. “This could give an adversary an advantage in a fight.” This is feasible because the mobile device in question is still connected to the internet, regardless of what the user interface conveys.

According to Covington, the discovery does not fall under the normal responsible disclosure process because the exploit chain does not constitute a vulnerability in the traditional sense. Rather, it is a technique that enables an attacker to maintain connectivity once they have control of the device through another series of exploits. The researchers did notify Apple of the research, but there has been no response to a request for comment.

The new technique poses a danger, but if it were used in anger it would more likely appear in a targeted attack by a threat actor with very particular aims in mind than in a mass-exploitation event against the general public. Exploitation for espionage or surveillance by state-backed adversaries against persons of interest is, for example, a more likely scenario than exploitation by financially motivated cyber thieves.

Although the technique is most likely to be used in targeted attacks, it is still important to raise awareness of how device user interfaces, particularly those built by trusted suppliers such as Apple, can be turned against their users, because of the inherent trust people place in their mobile devices. The most crucial thing, according to Covington, is for consumers and security teams to better understand contemporary attack methods like those shown in the fake airplane mode research. In a sense, this is the next generation of social engineering, not unlike how artificial intelligence is being used to produce bogus testimonials that appear to come from well-known celebrities.

10 impossible mobile patterns to break
https://www.securitynewspaper.com/2023/08/08/10-impossible-mobile-patterns-to-break/ (Tue, 08 Aug 2023)

Mobile patterns are used by almost everyone to unlock their mobile phones, and most people prefer a pattern over a passcode or password. One of the most important factors is how easy a pattern makes unlocking the phone. The more stylish your pattern is, the cooler you look while unlocking your phone, and a well-chosen pattern also helps prevent shoulder-surfing attacks. So we will show you the 10 most impossible mobile patterns to break: even if you unlock your phone in front of somebody, he or she will not be able to guess it, and neither will your girlfriend or boyfriend.

So, without wasting too much time, we will show you the top 10 mobile patterns that are hard to break. Before we jump in, let us understand that in most cases a pattern is a combination of 9 dots. The figure below will help you understand the numbers used behind these patterns.

Now that we understand the concept behind the pattern: whenever we draw a pattern, it is converted into a sequence of numbers, and the phone takes these numbers as the password to unlock. Let’s see which are the 10 most impossible mobile patterns to break.

1. FISH (2-5-8-4-6-9-3-1)

This is called the fish pattern, and the numbers in brackets are the sequence of dots to follow to draw a pattern that resembles a fish. It starts at dot 2, then draws a line to dot 5, then from dot 5 to the next dot in the sequence, and so on, as shown below.

Fish mobile pattern

2. Love Angle (2-5-9-1-4-8-6-3-7)

This is the love angle pattern; use it if you love someone but don’t want to tell him or her.

3. Ribbon (5-7-3-6-4-1-9)

4. Bird man mobile pattern (2-5-7-3-6-4-1-9)

5. Robo Head (2-5-4-6-3-9-8-7-2)

6. MKBHD (4-8-6-9-3-5-1-7)

7. Illusion (2-1-3-5-4-6-8-7-9)

8. Impossible (8-6-5-4-2-1-3-7-9)

9. MAZE (1-2-5-4-6-3-9-8-7)

10. Time Machine (8-6-5-4-2-3-1-9-7)

The only important thing is to note down the number sequence whenever you use any of these, so you can refer back to it in case you get caught in your own trap.
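Since the article treats a pattern as a sequence of dot numbers, it is worth seeing how many such sequences the lock screen actually accepts. The following added example (not from the original post) enumerates every pattern that satisfies Android's two drawing rules and checks the ten sequences above against them; it assumes the dots are numbered 1 to 9 left to right, top to bottom, as in the figure the article refers to.

```python
"""Enumerate every lock pattern Android accepts and validate the ten above.

Added example. Dots are assumed numbered 1-9 left to right, top to bottom.
The two rules are Android's: a dot cannot be used twice, and a straight
line may only pass over a dot that has already been used.
"""

COORDS = {n: divmod(n - 1, 3) for n in range(1, 10)}   # dot -> (row, col)


def skipped_dot(a, b):
    """Dot that a straight line from a to b passes over, or None."""
    (r1, c1), (r2, c2) = COORDS[a], COORDS[b]
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None          # no dot lies exactly halfway between a and b
    mid_r, mid_c = (r1 + r2) // 2, (c1 + c2) // 2
    return mid_r * 3 + mid_c + 1


def is_valid(seq):
    """True if seq (list of dots 1-9) is a pattern the lock screen accepts."""
    if not 4 <= len(seq) <= 9 or len(set(seq)) != len(seq):
        return False         # too short/long, or a dot is reused
    if any(d not in COORDS for d in seq):
        return False
    used = set()
    for a, b in zip(seq, seq[1:]):
        used.add(a)
        mid = skipped_dot(a, b)
        if mid is not None and mid not in used:
            return False     # jumped over a dot that is not yet used
    return True


def count_patterns():
    """Count all valid patterns by depth-first search; returns {length: count}."""
    counts = {}

    def walk(seq, used):
        if len(seq) >= 4:
            counts[len(seq)] = counts.get(len(seq), 0) + 1
        for nxt in range(1, 10):
            if nxt in used:
                continue
            mid = skipped_dot(seq[-1], nxt)
            if mid is None or mid in used:
                walk(seq + [nxt], used | {nxt})

    for start in range(1, 10):
        walk([start], {start})
    return counts


# The ten sequences listed in the article, in the order given there.
PAGE_PATTERNS = {
    "Fish": [2, 5, 8, 4, 6, 9, 3, 1],
    "Love Angle": [2, 5, 9, 1, 4, 8, 6, 3, 7],
    "Ribbon": [5, 7, 3, 6, 4, 1, 9],
    "Bird man": [2, 5, 7, 3, 6, 4, 1, 9],
    "Robo Head": [2, 5, 4, 6, 3, 9, 8, 7, 2],
    "MKBHD": [4, 8, 6, 9, 3, 5, 1, 7],
    "Illusion": [2, 1, 3, 5, 4, 6, 8, 7, 9],
    "Impossible": [8, 6, 5, 4, 2, 1, 3, 7, 9],
    "MAZE": [1, 2, 5, 4, 6, 3, 9, 8, 7],
    "Time Machine": [8, 6, 5, 4, 2, 3, 1, 9, 7],
}


def check_page_patterns():
    """Map each article pattern name to whether the lock screen would accept it."""
    return {name: is_valid(seq) for name, seq in PAGE_PATTERNS.items()}


if __name__ == "__main__":
    counts = count_patterns()
    print("valid patterns by length:", counts, "total:", sum(counts.values()))
    for name, ok in check_page_patterns().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected (reuses a dot)'}")
```

The whole space is 389,112 patterns, so a pattern's protection comes from resisting shoulder surfing rather than from being hard to guess; note also that "Robo Head" returns to dot 2 and so cannot be entered as written.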

The post 10 impossible mobile patterns to break appeared first on Information Security Newspaper | Hacking News.

Phishing attack over Microsoft Teams allows getting MFA from victim https://www.securitynewspaper.com/2023/08/03/phishing-attack-over-microsoft-teams-allows-getting-mfa-from-victim/ Thu, 03 Aug 2023 22:55:47 +0000

Hackers working for the Russian government disguised as technical support personnel on Microsoft Teams in order to breach the security of hundreds of businesses throughout the world, including government entities.

Microsoft security experts said on Wednesday that a Russian state-sponsored hacking outfit named by Microsoft as “Midnight Blizzard,” but more generally known as APT29 or Cozy Bear, was responsible for the “highly targeted” social engineering attack.

APT29 hackers started attacking targets at the end of May, creating new domains with a technical-support theme using Microsoft 365 accounts that had been hijacked in earlier attacks. From these domains, the attackers sent messages via Microsoft Teams designed to trick users into approving multifactor authentication prompts. The hackers’ ultimate goal was to gain access to user accounts and steal sensitive information.

To host and launch their social engineering attack, the actor uses Microsoft 365 tenants belonging to small companies it has previously compromised in other attacks, which makes the attack easier to carry out. The actor first renames the compromised tenant, then creates a new onmicrosoft.com subdomain, and then creates a new user associated with that domain from which to send the outbound message to the target tenant. To make the communications look legitimate, the actor chooses a subdomain and tenant name built from keywords referencing a product name or a security-related topic. Microsoft’s investigation is ongoing and includes examining these precursor attacks aimed at compromising legitimate Azure tenants, as well as the use of homoglyph domain names in social engineering lures. Microsoft has taken steps to prevent the actor from using the domains.

Chain of attacks using social engineering

Within the context of this activity, Midnight Blizzard has either obtained valid account credentials for the users they are targeting or they are targeting users who have passwordless authentication configured on their account. In either case, it is necessary for the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app that is installed on their mobile device.

When a user tries to log in to an account that requires this kind of MFA, they are shown a code that they must enter into their authenticator app. This happens after the user has already attempted to authenticate to the account: the user is presented with a prompt on their device asking them to enter a code. The actor then sends a message over Microsoft Teams to the targeted user, asking them to enter the code into the prompt shown on their device.

The first step is a Teams chat request.

It’s possible that an external user posing as a member of the security or technical support team will send a message request via Microsoft Teams to the user who is the target.

The second step is a request to authenticate in the app.

If the target user accepts the message request, they will then get a message from the attacker in Microsoft Teams. In this message, the attacker will try to persuade the user to input a code into the Microsoft Authenticator app that is installed on their mobile device.

The third step is MFA authentication completed successfully.

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor obtains a token to authenticate as that user. Following successful completion of the authentication process, the actor is granted access to the user’s Microsoft 365 account.

After that, the actor proceeds to post-compromise activity, which often involves stealing information from the compromised Microsoft 365 tenant. In some instances, the actor adds a device to the organization as a managed device through Microsoft Entra ID (previously Azure Active Directory), probably to circumvent conditional access policies that restrict access to certain resources to managed devices only.
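To help an administrator spot the renamed-tenant lure described above, here is an added Python example, not Microsoft’s code or the article’s: it scores the tenant part of an onmicrosoft.com sender domain for security/product keywords and lookalike characters. The keyword list, the confusables table and the `assess_tenant` function are assumptions for illustration.

```python
"""Heuristic screen for lookalike Microsoft 365 tenant names, added here as an
example; it is not Microsoft's code or code from the article. It models the
lure described above: a renamed tenant under onmicrosoft.com whose name
carries product or security keywords, sometimes with homoglyphs. The keyword
and confusable tables are assumptions for illustration, not an official list.
Expect false positives; known partner tenants belong on the allowlist."""
import unicodedata

ONMICROSOFT_SUFFIX = ".onmicrosoft.com"
# Assumed keywords an attacker would use to look like IT or security staff.
SUSPICIOUS_KEYWORDS = ("microsoft", "msft", "security", "support", "helpdesk",
                       "identity", "protection", "azure", "teams")
# Constructed table of characters easily confused with ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04bb": "h", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
}


def skeleton(label: str) -> str:
    """Map a tenant label to the ASCII text a human would read it as."""
    out = []
    for ch in label:
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
            continue
        # NFKD splits accented letters into base letter + combining mark.
        base = unicodedata.normalize("NFKD", ch)[0]
        out.append(base.lower())
    return "".join(out).replace("rn", "m").replace("vv", "w")


def tenant_label(domain: str):
    """Return the tenant label of an onmicrosoft.com domain, else None."""
    domain = domain.strip().rstrip(".").lower()
    if not domain.endswith(ONMICROSOFT_SUFFIX):
        return None
    return domain[: -len(ONMICROSOFT_SUFFIX)] or None


def assess_tenant(domain: str, allowlist=frozenset()) -> dict:
    """Classify the sending tenant of an external Teams message request.

    verdict: "allow" (known partner or no findings), "review" (findings),
    "unknown" (not an onmicrosoft.com tenant; apply other controls).
    """
    result = {"domain": domain, "flags": [], "verdict": "unknown"}
    if domain.lower() in {d.lower() for d in allowlist}:
        result["verdict"] = "allow"
        return result
    label = tenant_label(domain)
    if label is None:
        return result
    readable = skeleton(label)
    result["label"], result["skeleton"] = label, readable
    if readable != label:
        result["flags"].append("lookalike-characters")
    for kw in SUSPICIOUS_KEYWORDS:
        if kw in readable:
            result["flags"].append("keyword:" + kw)
    result["verdict"] = "review" if result["flags"] else "allow"
    return result


if __name__ == "__main__":
    # Constructed sender domains, not real tenants.
    for d in ("contoso-sales.onmicrosoft.com",
              "msftprotection-support.onmicrosoft.com",
              "micr\u043esoft-security.onmicrosoft.com"):
        print(assess_tenant(d))
```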

How to hack & track anybody’s phone location via silent SMS messages https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/ Tue, 20 Jun 2023 14:09:00 +0000

SMS delivery reports not only inform the sender that the message was successfully delivered; they can also reveal the location of the receiver. This is what researchers have demonstrated in their most recent work, which shows how receiving a silent SMS message triggers a side-channel attack that lets the sender estimate the receiver’s position from the timing of the messages received. Researchers from several universities collaborated on this innovative side-channel attack that reveals users’ whereabouts through SMS. According to their paper, the attack technique takes advantage of SMS delivery reports. A sender may estimate the location of the receiver across several countries with an accuracy of up to 96% using statistics derived from the timing of these message exchanges. The attack primarily exploits core weaknesses of the GSMA network, the technology behind SMS messages.

This side-channel attack affects almost all cellular networks across the world, since it targets GSMA generally. Despite the availability of other communication options, such as 3G and 4G, the researchers were interested in studying SMS because of its prevalence as a 2G communication method among the general public. The researchers observed that the SMS delivery reports that are inevitably generated after an SMS message is received create a timing-attack vector. Knowing the timing of message delivery and estimating the gap between sending and receiving can help a sender determine the recipient’s location if the sender has enabled SMS delivery reports. Because of the way the delivery-report feature operates, the recipient cannot prevent malicious use of it, since it is outside the recipient’s control. In its most basic form, the approach uses the timing signatures associated with a particular location.

The more exact the attacker’s data on the whereabouts of their targets, the more accurate the location classification the ML model produces in the attack phase.

The attacker can obtain the data only by sending several SMS messages to the target, either disguised as marketing messages that the target would ignore or discard as spam, or as silent SMS messages. A silent SMS is a “type 0” message that has no content and creates no alert on the target device’s screen; nonetheless, its receipt is still confirmed by the device to the SMSC. The authors conducted their experiments by using ADB to send bursts of 20 silent SMSes every hour for three days to several test devices located in the United States, the United Arab Emirates, and seven European countries. The experiment covered ten different operators and a wide range of communication technologies and generations.

By sending SMS messages to the target user at a variety of times and places, an adversary may acquire numerous timing signatures associated with that person, and analyzing them later may let the sender determine the recipient’s location. To carry out this attack, the adversary need only possess the phone number of the victim. Even though it is a time-consuming process, collecting and analyzing the target user’s timing signatures might give an adversary the ability to discover a previously unknown or new location of the individual. This works regardless of the user’s location, whether it is in the United States or elsewhere in the world. The amount of time that passes between when an SMS is sent and when it is received is what helps here.

Even though the researchers achieved a high level of precision with their side-channel attack, it has a few drawbacks, because a variety of variables can influence the empirical measurements in a real-world exploit. Even in the hypothetical closed-world setting, an accuracy of more than 90 percent presents a risk to individuals’ privacy. As for countermeasures, the researchers noted that existing ones against similar attacks do not apply to this side-channel attack, because it uses a side channel that is not present in the related attacks. Not sending delivery reports, or delaying them by a random amount, are potential tactics against the delays introduced by UE processing. As for the delays caused by the network itself, modifying SMS timings, installing spam filters in the core network, or at the very least disabling silent messages would help reduce the likelihood of such an attack. Nevertheless, disabling the component that generates delivery reports may be the only practical preventive action. Before making the study public, the researchers responsibly disclosed the issue to the GSMA. In response, the GSMA accepted their results (assigned the identifier CVD-2023-0072) and evaluated a variety of preventive actions.
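To see why the random-delay countermeasure above has to be large to matter, here is an added Python simulation (not the researchers’ code) on constructed delay profiles: two assumed “locations” differ only in their mean delivery-report delay, the attacker’s feature is the burst average, and `evaluate` reports nearest-centroid accuracy for a given jitter level. All numbers are assumptions, not measurements.

```python
"""Simulation of the delivery-report timing side channel and of the
random-delay countermeasure mentioned above, added here as an example with
constructed numbers; it is not the researchers' code, and the delay profiles
are assumptions, not measurements. Each 'location' is modelled as a distinct
mean delivery-report delay; the feature per observation is the average over
a burst of 20 messages, as in the experiment described above."""
import random
from statistics import mean

BURST = 20
# Constructed (mean, std dev) of report delay in seconds per location.
LOCATIONS = {"home-cell": (1.90, 0.10), "office-cell": (2.40, 0.10)}


def burst_feature(rng, mu, sigma, jitter_max):
    """Mean delay over one burst; jitter_max > 0 adds a uniform random
    delay to each report, the mitigation the paper lists."""
    return mean(rng.gauss(mu, sigma) + rng.uniform(0, jitter_max)
                for _ in range(BURST))


def collect(rng, n_bursts, jitter_max):
    """Labelled bursts for every location: [(location, feature), ...]."""
    return [(loc, burst_feature(rng, mu, sigma, jitter_max))
            for loc, (mu, sigma) in LOCATIONS.items()
            for _ in range(n_bursts)]


def nearest_mean_accuracy(train, test) -> float:
    """Classify each test burst by the closest per-location centroid."""
    centroids = {loc: mean(f for l, f in train if l == loc)
                 for loc in LOCATIONS}
    hits = sum(1 for loc, f in test
               if min(centroids, key=lambda c: abs(centroids[c] - f)) == loc)
    return hits / len(test)


def evaluate(jitter_max: float, seed: int = 7, n_bursts: int = 200) -> float:
    """Attacker accuracy on constructed data for a given jitter setting."""
    rng = random.Random(seed)
    train = collect(rng, n_bursts, jitter_max)
    test = collect(rng, n_bursts, jitter_max)
    return nearest_mean_accuracy(train, test)


if __name__ == "__main__":
    for jitter in (0.0, 1.0, 10.0):
        print(f"jitter up to {jitter:4.1f}s -> accuracy {evaluate(jitter):.2f}")
```

A per-report delay that is small compared with the gap between locations is averaged away over the burst, so only jitter comparable to that gap (or withholding the report altogether) substantially degrades the classifier.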

Throw away your iPhones Says Putin to Russians & claims NSA has a backdoor in iPhones https://www.securitynewspaper.com/2023/06/02/throw-away-your-iphones-says-putin-to-russians-claims-nsa-has-a-backdoor-in-iphones/ Fri, 02 Jun 2023 13:50:00 +0000

The Russian Federal Security Service (FSB) has accused the United States Intelligence Community of hacking into “thousands of Apple phones” in order to conduct surveillance on Russian diplomats.

The United States targeted iOS devices using malware that had not been seen before, according to a statement that was released by the FSB on Thursday. The Russian cybersecurity firm Kaspersky published a report on iOS malware that originated from an unknown source on Thursday as well. Initially, a spokesperson for Kaspersky indicated that the business was unable to verify whether or not the two attacks were related. However, an hour later, she gave an amended reply in which she noted that Russia’s computer security agency has previously officially acknowledged that the signs of breach in both reports are the same.

According to allegations from Russian media, in March the administration of the Russian president reportedly gave its personnel the instruction to dispose of any Apple devices they may have. There will be no more iPhones. According to the article, one of the administration’s staffers advised the individuals to “either throw them away or give them to your kids.” The Federal Bureau of Investigation did not disclose any specific information on the suspected victims or the malware’s technical aspects.

The Kaspersky representative said that, “due to the absence of technical details reported by them,” the company was unable to validate all of the FSB’s conclusions. According to the FSB, the malware did not just affect users located inside Russia; it also targeted international numbers and wireless customers located outside the country who use SIM cards registered with diplomatic missions and embassies located within Russia. On the list were nations from both the post-Soviet area and the NATO alliance, in addition to China, Israel, and Syria.

According to reports citing Russian intelligence, the inquiry allegedly uncovered evidence that Apple is working with the National Security Agency (NSA) of the United States. The FSB noted that this demonstrates that Apple’s declared commitment to preserving the privacy of user data is, in reality, dishonest.

The NSA declined to comment on the matter. Reporters received an emailed statement from Apple to the effect that the company does not collaborate with any government to build backdoors into its devices.

Unlock any Android Smartphone with this fingerprint hack https://www.securitynewspaper.com/2023/05/24/unlock-any-android-smartphone-with-this-fingerprint-hack/ Wed, 24 May 2023 14:08:00 +0000

Researchers from Tencent Labs and Zhejiang University have collaborated to develop a new technique known as “BrutePrint,” which enables the forcible extraction of fingerprints from modern smartphones. This technique was recently shown to the public.

This approach sidesteps user authentication, providing unauthorized access to and complete control over the targeted device. By exploiting two zero-day vulnerabilities, the Chinese researchers were able to carry out brute-force attacks and gain unauthorized access to accounts, systems, and networks, effectively circumventing existing smartphone security mechanisms such as attempt limits and liveness detection. The two zero-day vulnerabilities exploited are listed below:

Cancel-After-Match-Fail (CAMF)
Match-After-Lock (MAL)

In addition, the researchers found a potential weakness in the protection of biometric data transmitted by fingerprint sensors over the Serial Peripheral Interface (SPI). To analyze the efficacy of the BrutePrint and SPI MITM attacks, a thorough test was run on 10 different, quite popular smartphone models.

The findings showed that these attacks allowed an unlimited number of attempts on any Huawei device running Android or HarmonyOS; iOS devices, however, showed only limited exposure, allowing just 10 extra attempts.

The primary idea of BrutePrint is to send an unconstrained series of fingerprint image submissions to the targeted device. This process is repeated until a match with the user’s enrolled fingerprint is found, with no restriction on the number of times it may be carried out.

An attacker can launch a BrutePrint attack on a target device by first gaining physical access to the device, then gaining access to a fingerprint database, and finally using equipment that costs around $15. This allows the attacker to manipulate the False Acceptance Rate (FAR) in order to increase the acceptance threshold for fingerprint matches and achieve easier unauthorized access.

By exploiting the CAMF issue, BrutePrint injects a checksum error into the fingerprint data. This lets it circumvent the security mechanisms and gives attackers the ability to try an endless number of fingerprint matches on smartphones without being detected. By exploiting the MAL vulnerability, attackers can determine the authentication results of the fingerprint images they test on the target device, even while the device is in “lockout mode”. BrutePrint sidesteps the lockout mode through MAL, and it also uses a method known as “neural style transfer” to alter the fingerprint images in the database so that they more closely resemble scans taken by the target device’s sensor, increasing the probability that authentication succeeds.
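The CAMF description above comes down to an ordering problem in the attempt counter. The following Python example, added here and not the researchers’ code, models that gap with a deliberately simplified matcher: the vulnerable version records a failure only after the frame passes validation, while the hardened version counts the attempt before doing anything else. The `Submission` frame, `MAX_FAILURES` and both matcher classes are assumptions for illustration.

```python
"""Attempt-limiting logic illustrating the CAMF-style gap described above,
added here as an example; it is not the researchers' code and the device
internals are simplified. A submission is a constructed (image, checksum)
frame. The vulnerable matcher evaluates the image before the frame is
validated, and a frame error aborts the flow before the failure is recorded;
the hardened matcher counts the attempt before doing anything else."""
import hashlib
from dataclasses import dataclass

MAX_FAILURES = 5  # assumed lockout threshold


def frame_checksum(image: bytes) -> str:
    """Integrity check a well-formed frame must carry (constructed scheme)."""
    return hashlib.sha256(image).hexdigest()[:8]


@dataclass
class Submission:
    image: bytes
    checksum: str


@dataclass
class VulnerableMatcher:
    enrolled: bytes
    failures: int = 0

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, sub: Submission) -> str:
        if self.locked():
            return "locked"
        if sub.image == self.enrolled:  # match result computed first
            self.failures = 0
            return "match"
        if frame_checksum(sub.image) != sub.checksum:
            # Error path: the attempt is cancelled before the failure is
            # counted, so malformed frames can be retried without limit.
            return "cancelled"
        self.failures += 1
        return "no-match"


@dataclass
class HardenedMatcher:
    enrolled: bytes
    failures: int = 0

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, sub: Submission) -> str:
        if self.locked():
            return "locked"
        self.failures += 1  # fail closed: every submission consumes an attempt
        if frame_checksum(sub.image) != sub.checksum:
            return "cancelled"
        if sub.image == self.enrolled:
            self.failures = 0
            return "match"
        return "no-match"


def malformed(image: bytes) -> Submission:
    """A frame whose checksum deliberately does not match its image."""
    return Submission(image, "00000000")


def well_formed(image: bytes) -> Submission:
    return Submission(image, frame_checksum(image))


def run(matcher, frames) -> list:
    """Feed frames in order and return the verdict for each one."""
    return [matcher.verify(f) for f in frames]


if __name__ == "__main__":
    # Constructed wrong guesses sent as malformed frames.
    frames = [malformed(b"guess-%d" % i) for i in range(8)]
    print("vulnerable:", run(VulnerableMatcher(enrolled=b"owner"), frames))
    print("hardened:  ", run(HardenedMatcher(enrolled=b"owner"), frames))
```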

The researchers found that every Android and iOS device they tested was susceptible to at least one of the flaws after running a series of tests on a selection of 10 different mobile devices.

The researchers found that certain iPhone models are susceptible to CAMF, but due to the limited number of fingerprint attempts (up to 15), it is impractical to brute-force the owner’s fingerprint. Additionally, all tested Android devices are susceptible to the SPI MITM attack; iPhones are not, because they encrypt fingerprint data on the SPI, rendering any interception ineffective.

BrutePrint may appear to have limitations due to the requirement that it must have prolonged access to the device it is targeting; however, its potential for enabling thieves to unlock stolen devices and extract private data, as well as the ethical concerns and privacy rights implications for law enforcement during investigations, raise significant issues regarding rights violations and the safety of individuals in countries with a dominant political or economic position.

This vulnerability allows hacking any Samsung smartphone model https://www.securitynewspaper.com/2023/05/23/this-vulnerability-allows-hacking-any-samsung-smartphone-model/ Tue, 23 May 2023 14:05:00 +0000

The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running on the following versions of the Android operating system. The vulnerability results from the accidental inclusion of sensitive data in log files.

Android 11, Android 12, Android 13

CISA has just recently issued a warning on a security hole that affects Samsung devices and makes it possible for attackers to avoid Android’s address space layout randomization (ASLR) protection while carrying out targeted attacks.

Android’s Address Space Layout Randomization (ASLR), a fundamental component of Android’s security architecture, randomizes the memory locations at which key app and operating system components are loaded. The leaked information could be used by local attackers with elevated privileges to bypass ASLR, which would make it easier to exploit memory-management weaknesses. Samsung has addressed the issue in its most recent security updates by adopting safeguards that prevent kernel pointers from being logged in the future, as part of a larger effort to introduce new security measures.

According to the advisory included in the May 2023 Security Maintenance Release (SMR), Samsung acknowledged that it was notified of an exploit targeting this specific flaw that is now active in the wild.

Although Samsung did not provide any particular information on the exploitation of CVE-2023-21492, it is worth keeping in mind that in highly targeted cyberattacks, security vulnerabilities are regularly exploited as part of a sophisticated exploit chain.

Meanwhile, security researchers from Google’s Threat Analysis Group (TAG) and Amnesty International discovered and reported two separate attack campaigns in March. These attacks used exploit chains targeting the vulnerabilities to spread commercially driven spyware. Following the recent addition of CVE-2023-21492 to CISA’s Known Exploited Vulnerabilities list, United States Federal Civilian Executive Branch (FCEB) agencies have been given a three-week window, until June 9, to patch their Samsung Android devices against potential attacks exploiting this flaw.

In accordance with BOD 22-01, government agencies have until the deadline of June 9, 2023 to fix any vulnerabilities that have been added to the CISA’s KEV list.

How to hack Samsung Galaxy and iPhone SE without physically touching https://www.securitynewspaper.com/2023/05/19/how-to-hack-samsung-galaxy-and-iphone-se-without-physically-touching/ Fri, 19 May 2023 15:49:00 +0000

Researchers have identified a new sort of attack that they have given the name “Ghost Touch.” This new form of attack may access the screen of your mobile device without even requiring you to touch it.

It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, frauds, and the use of malware to infect devices. However, researchers from the Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals may use to get their hands on your smartphone.

These are known as Ghost Touch attacks, and they may be used to unlock a mobile device, giving the attacker access to sensitive information like passwords or banking apps, and even to install malware. According to the researchers’ explanation, the attack makes use of “electromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it.”

Note that this latest attack is targeted. In other words, to tune the attack to the device, the attacker needs to know the make and model of the victim’s phone, and may additionally need further information about it, such as the access code, obtained through social engineering; this may be a requirement for the attack. The attack works from a distance of up to 40 mm and exploits the touch screen’s sensitivity to electromagnetic interference (EMI). Attackers can inject electromagnetic signals into the screen’s embedded electrodes, which causes the screen to register these signals as touch events (a tap, swipe, press, or hold).

Its efficacy has been demonstrated on a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2. If a user’s screen has been attacked, it will begin operating on its own without the user’s intervention; for instance, it will begin answering calls on the user’s behalf, or the device will become unlocked.

When a mobile device begins visiting arbitrary web sites, entering into the user’s bank account, opening files, playing a movie, or typing on Google without the user’s interaction, this is another clear indication that the device has been compromised.

“You can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places,” the article states. They recommend that you keep your phone in your possession at all times, since this will significantly lower the likelihood that it will be hacked.

Installed ChatGPT or similar AI app in your device? Surely your data was hacked by fake AI https://www.securitynewspaper.com/2023/05/03/installed-chatgpt-or-similar-ai-app-in-your-device-surely-your-data-was-hacked-by-fake-ai/ Thu, 04 May 2023 00:38:29 +0000

Facebook, Instagram, and WhatsApp’s parent company, Meta, often shares its research with other members of the cyber defense community as well as with other professionals in the field. An expert from Meta noted that “threat actors” have been distributing browser extensions that claim to offer generative AI but really contain malicious software meant to infect devices. The expert added that it is typical practice for hackers to lure people with attention-grabbing developments like generative AI in order to trick them into clicking booby-trapped web links or installing apps that steal data.

Over a thousand web addresses that appear to offer ChatGPT-like tools but are actually traps set by hackers have been discovered and blocked by the security team at Meta. Although the company has not yet witnessed hackers using generative AI for any purpose other than as bait, he warned that preparations are being made for the inevitability that it will be used as a weapon. “Generative AI holds great promise, and bad actors know it, so we should all be very vigilant to stay safe,” he added. Security researchers working for the social media leader uncovered malware masquerading as ChatGPT or other artificial intelligence applications. Hackers are using attention-grabbing developments to lure victims into their traps, where they are tricked into clicking booby-trapped web links or installing apps that steal data.

According to the most recent findings of Guy Rosen, the company’s chief information security officer, the social media giant discovered malware masquerading as ChatGPT or other similar AI tools during the previous month. The most recent wave of malware operations has taken note of generative AI technology, which has been catching people’s imagination and enthusiasm, according to the researcher.

Nathaniel Gleicher, who is in charge of security policy at Meta, stated that the company’s teams are working on methods to use generative AI to protect itself against hackers and fraudulent online influence efforts. “We have teams that are already thinking through how (generative AI) could be abused, and the defenses we need to put in place to counter that,” he added. “We are getting ready for that right now.”

In recent years, a wide variety of business sectors have been increasingly adopting generative AI technology, which has applications ranging from the automation of product design to the generation of creative writing. However, as the technology becomes more widespread, hackers have started to focus their attention on it as a target. He made the analogy between the current scenario with crypto frauds, which have become more prevalent due to the widespread interest in digital money. He said, “From the perspective of a bad actor, ChatGPT is the new cryptocurrency.”

It is essential for people and organizations to maintain a high level of vigilance about possible dangers in light of the growing number of businesses that are using generative AI. They may better defend themselves against the ever-increasing risk of cyber attacks if they keep themselves apprised of the most recent advancements in the field of cybersecurity and routinely update the security measures they have in place.
