By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Chinese hackers are targeting Android phones with a new piece of malware that attempts to fool people into clicking on a “missed delivery” text — the kind of text that’s no doubt become especially familiar to people during the coronavirus pandemic as they spend more time at home and ordering items for delivery. The text is actually a phishing scam that enables everything from stealing bank details to a user’s contact list.It’s being perpetrated, according to cybersecurity researchers, by a group of hackers operating under the “Roaming Mantis” collective. Another day, another nasty new piece of Android malware to be aware of — this time, according to cybersecurity researchers at Cybereason, it’s malware that uses a “missed delivery” text to phish its unsuspecting recipients. There has been a spate of these incidents lately, involving everything from sketchy apps found in the Google Play Store to the presence of undeletable, malicious files and apps inside Android phones. After investigating this latest malfeasance, Cybereason’s team found that it’s a Chinese-speaking group of hackers operating under the banner of “Roaming Mantis” that’s behind this so-called FakeSpy malware campaign. “FakeSpy has been in the wild since 2017; this latest campaign indicates that it has become more powerful,” the Cybereason team notes. “Code improvements, new capabilities, anti-emulation techniques, and new, global targets all suggest that this malware is well-maintained by its authors and continues to evolve.” According to this research, FakeSpy can exfiltrate and send SMS messages, in addition to stealing financial data, reading account information, and contact lists, among other nefarious acts. Users are tricked into clicking a text message informing them of a missed delivery, which steers them to download an Android application package. This is being used to target Android users all over the world, including in the US thanks to the malware’s ability to send messages that purport to be from the US Postal Service. “Roaming Mantis” sounds the name of a villain from a movie, but it’s actually the moniker of a Chinese threat actor group that’s been around for a few years now and has continued to evolve. They used to mostly target Asian countries but have since expanded to strike at victims across the world. What can you do to protect yourself? Cybereason senior director and head of threat research Assaf Dahan told ZDNet that people should be suspicious of SMS messages that contain links. “If they do click on a link,” Dahan said, “they need to check the authenticity of the webpage, look for typos or wrong website name, and most of all — avoid downloading apps from unofficial stores.” These practices can protect you from inadvertently downloading malicious apps, getting phished by clicking on dodgy text message links, and more. For more on this topic visit OUR FORUM often.

Phone signals may cut out for days if networks are forced to remove Huawei equipment, executives from operators informed Members of Parliament. Representatives from Vodafone and BT told the Science and Technology Select Committee they would need at least five years to completely remove the Chinese firm's equipment without causing disruption. The government is currently reviewing a report from the National Cyber Security Centre (NCSC) and the potential security risk Huawei poses by being a part of 5G networks. A government decision in January permitted the Chinese firm limited access, but there is continued pressure to remove Huawei from communication networks entirely, and new US sanctions aimed at the firm's supply chain has sparked a review of the decision. Currently, Government policy permits Huawei to be in up to 35 percent of a 5G network, but as a “high-risk vendor”, it can not be present in the core parts of a network. When asked about the impact of being told to completely remove Huawei equipment from their networks should Government policy change, both Vodafone and BT warned that it would cost “billions of pounds” and could lead to some customers losing phone signal for several days. “Should the guidance become stricter it will have an effect, it will delay the rollout of our 5G, it will have cost implications and focus our investment in the removal of the existing equipment,” Andrea Dona, Vodafone UK's head of networks said. If the current guidelines were to be tightened and further restrictions were to be imposed, we would need to spend in the order of billions to change our current infrastructure.” Dona also said it would be “highly disruptive” for customers if the Government asked the firm to remove Huawei within two years and any swap would see customers “lose their signal”, in some cases for “a couple of days”. To avoid such a scenario, the Vodafone executive told MPs “a five-year transition plan” would be the minimum required. Vodafone had made similar warnings last year, saying that the cost of banning Huawei equipment would run into the “hundreds of millions”. BT's chief technology and information officer, Howard Watson added: “It is logically impossible to get to zero (Huawei presence) in a three-year period. “That would literally mean blackouts for customers on 4G and 2G, as well as 5G, throughout the country as we were to build that in. So we would definitely not recommend that we go down that route.” Earlier in the session, Huawei defended its security record and denied that it would be compelled to follow any orders given to it by the Chinese government. Huawei vice president Victor Zhang told MPs that it was independent of any government and it would always follow UK law. Zhang also urged the Government to give Huawei time to understand the implication of US sanctions before choosing to ban the company from digital infrastructure. He called the sanctions “unjustified” and said allegations about security were not true, adding that Huawei believed it could still successfully operate in the UK in the short term. “We have already submitted our initial assessment to our customers and to the NCSC and the initial solution is that in the short term there is Huawei's capability to supply to the UK's 5G and fiber solution, and we have already prepared for the next five years to make sure the UK's existing network will not be impacted by the sanctions,” he said. You want to learn more, please visit OUR FORUM.

A healthy percentage of Android users targeted by mobile malware or mobile adware last year suffered a system partition infection, making the malicious files virtually undeletable. That’s according to research from Kaspersky, which found that 14.8 percent of its users who suffered such attacks were left with undeletable files. These range from trojans that can install and run apps without the user’s knowledge, to less threatening, but nevertheless intrusive, advertising apps. “A system partition infection entails a high level of risk for the users of infected devices, as a security solution cannot access the system directories, meaning it cannot remove the malicious files,” the firm explained, in a posting on Monday. Moreover, the research found that most devices harbor pre-installed default applications that are also undeletable – the number of those affected varies from 1 to 5 percent of users with low-cost devices and reaches 27 percent in extreme cases. “Infection can happen via two paths: The threat gains root access on a device and installs adware in the system partition, or the code for displaying ads gets into the firmware of the device before it even ends up in the hands of the consumer,” according to the firm. In the latter scenario, this could lead to potentially undesired and unplanned consequences. For instance, many smartphones have functions providing remote access to the device. If abused, such a feature could lead to a data compromise of a user’s device. Among the most common types of malware that Kaspersky has found installed in the system partition of Android smartphones are two older threats: The Lezok and Triada trojans. “The latter is notable for its ad code embedded not just anywhere, but directly in libandroid_runtime — a key library used by almost all apps on the device,” according to the analysis. However, examining victims’ system apps revealed a wide range of threats. The Agent trojan for instance is an obfuscated malware that usually hides in the app that handles the graphical interface of the system, or in the Settings utility, without which the smartphone cannot function properly. The malware delivers its payload, which in turn can download and run arbitrary files on the device. Then there’s the Sivu trojan, which is a dropper masquerading as an HTMLViewer app. “The malware consists of two modules and can use root permissions on the device,” according to Kaspersky. “The first module displays ads on top of other windows, and in notifications. The second module is a backdoor allowing remote control of the smartphone. Its capabilities include installing, uninstalling, and running apps, which can be used to covertly install both legitimate and malicious apps, depending on the intruder’s goals.” The Plague adware app is another common threat that Kaspersky found installed in the system partition. It pretends to be a legitimate system service, calling itself Android Services – but in reality, it can download and install apps behind the user’s back, as well as display ads in notifications. “What’s more, Plague.f can display ads in SYSTEM_ALERT_WINDOW — a pop-up window that sits on top of all apps,” explained the researchers. The Necro.d trojan is unusual because it’s a native library located in the system directory. Its launch mechanism is built into another system library, libandroid_servers.so, which handles the operation of Android services. “At the command of the command-and-control (C2), Necro.d can download, install, uninstall and run apps,” explained the researchers. “In addition, the developers decided to leave themselves a backdoor for executing arbitrary shell commands. On top of that, Necro.d can download Kingroot superuser rights utility — seemingly so that the OS security system does not interfere with delivering ‘very important’ content for the user.” Further details can be found on OUR FORUM.

Chinese manufacturing giant, Huawei, is doing quite well in the smartphone market. Oh yes, you read that right, the Chinese manufacturer’s smartphone business is growing. Despite the ban by the U.S. Huawei somehow managed to hold on to its own. Since the beginning of last year, the company had to manage American restrictions. Its devices can not use Google Play Services which means that its sales outside China would drop. However, for 2019, Huawei shipped about 240 million smartphones, its record high. Furthermore, the Chinese manufacturer also toppled Samsung in April. For April and May, Huawei is the number one smartphone manufacturer globally. However, there are forecasts that it may lose this position in June. Now, Huawei’s new tablet just got 3C certification. This is coming after two of its high-end chargers (66W & 65 GaN) got the certification. According to the certification, the new tablet comes with model number SCMR-W09. Furthermore, the certification also shows that Huawei’s new tablet supports 22.5W fast charging. Of course, its a tablet and we don’t expect it to come with Huawei’s high-end chargers. According to the listing, the applicant, and manufacturer of this Huawei tablet is Huawei Terminal Co., Ltd. The production plant is Xike Communication Technology Equipment (Heyuan) Co., Ltd while the certification date is June 22. The tablet manufacturing market is not as lucrative as the smartphone business. Presently, there are not many 5G tablets in the market. However, since the beginning of last year, Huawei has released two 5G tablets in the Chinese market – Huawei MatePad Pro 5G and Huawei MatePad. These tablets target different user markets. Among them, Huawei MatePad Pro 5G comes with a Kirin 990 5G SoC, supports 40W super-fast charging, 27W wireless fast charging, and 3D graphene cooling technology. As for the Huawei MatePad, it uses a Kirin 810 chip. It also comes with a built-in 7250 mAh battery that supports 18W fast charge. Turn to OUR FORUM to learn more.

The National Security Agency issued a new cybersecurity advisory on Thursday, warning that virtual private networks, or VPNs, could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in telework as organizations adapt to coronavirus-related office closures and other constraints. A VPN allows users to establish private, encrypted connections to another network over the internet. They are used widely by corporations and other organizations to protect proprietary data from hackers while employees work remotely. A senior NSA official who briefed reporters Wednesday said the increase in remote work had attracted the attention of potentially malicious cyber actors.  "We certainly see adversaries focused on telework infrastructure," the official said. "We've seen exploitation and as a result, have felt that this was a product that is particularly helpful now." VPN gateways in particular are "prone to network scanning, brute force attacks, and zero-day vulnerabilities," the NSA's advisory said. "[N]etwork administrators should implement strict traffic filtering rules to limit the ports, protocols, and IP addresses of network traffic to VPN devices." The senior official said the NSA, whose employees deal daily with highly classified materials and systems, had taken its own steps to adapt to the pandemic, reducing some of its workforce to "mission-essential" for several weeks and introducing social distancing measures within its outposts. The advisory was issued by the agency's Cybersecurity Directorate, which launched last October. Its mandate involves reinvigorating a set of missions the NSA has long had — protecting government and private sector systems — by accelerating, broadening, and "operationalizing" its dissemination of unclassified threat information, according to officials. The directorate has now issued over a dozen public advisories since its launch. In October, it warned that nation-state actors were targeting VPN devices. In January, it was behind the disclosure of a "critical vulnerability" in Microsoft's Windows 10 software — something the agency might have once exploited, instead, as a hacking tool. And in May, in another rare move, it named a Russian military hacking unit that was secretly accessing commonly used email software. "Attribution is always interesting," the senior NSA official said Wednesday. "We do it if we believe it creates a sense of urgency to address a vulnerability." The directorate's emphasis on information-sharing stems from a recognition that nation-states are getting more aggressive and more sophisticated in going after the government and non-government targets. Its leadership has said it is also a conscious effort to move away from stubborn perceptions that the agency is a secretive black box — or "No-Such-Agency," as the NSA has been labeled. (Its foreign intelligence mission — which involves intercepting signals and communications overseas — is likely to continue avoiding the public eye.) The agency has also broadened its presence on social media, launching an Instagram account, a dedicated Twitter account for the directorate, and even bringing its notoriously circumspect director to the platform. (Paul Nakasone has tweeted three times in three weeks.) For more turn to OUR FORUM for more complete details.

US Cyber Command said today that foreign state-sponsored hacking groups are likely to exploit a major security bug disclosed today in PAN-OS, the operating system running on firewalls and enterprise VPN appliances from Palo Alto Networks. "Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," US Cyber Command said in a tweet today. "Foreign APTs will likely attempt [to] exploit soon," the agency added, referring to APT (advanced persistent threat), a term used by the cyber-security industry to describe nation-state hacker groups. US Cyber Command officials are right to be panicked. The CVE-2020-2021 vulnerability is one of those rare security bugs that received a 10 out of 10 scores on the CVSSv3 severity scale. A 10/10 CVSSv3 score means the vulnerability is both easy to exploit as it doesn't require advanced technical skills, and it's remotely exploitable via the internet, without requiring attackers to gain an initial foothold on the attacked device. In technical terms, vulnerability is an authentication bypass that allows threat actors to access the device without needing to provide valid credentials. Once exploited, the bug allows hackers to change PAN-OS settings and features. While changing OS features seems innocuous, and of little consequence, the bug is actually quite a major issue because it could be used to disable firewalls or VPN access-control policies, effectively disabling the entire PAN-OS devices. In a security advisory published today, Palo Alto Networks (PAN) said that mitigating factors include the fact that PAN-OS devices must be in a certain configuration for the bug to be exploitable. PAN engineers said the bug is only exploitable if the 'Validate Identity Provider Certificate' option is disabled and if SAML (Security Assertion Markup Language) is enabled. However, according to Will Dormann, vulnerability analyst for CERT/CC, several vendor manuals instruct PAN-OS owners to set up this exact particular configuration when using third-party identity providers -- such as using Duo authentication on PAN-OS devices, or third-party authentication solutions from Centrify, Trusona, or Okta. This means that while the vulnerability looks harmless at a first glance due to the complex configuration needed to be exploitable, there are likely quite a few devices configured in this vulnerable state, especially due to the widespread use of Duo authentication in the enterprise and government sector. At the time of writing, the number of vulnerable systems is estimated to be at most 4,200, according to Troy Mursch, co-founder of internet scanning and threat intel firm Bad Packets. "Of the 58,521 publicly accessible Palo Alto (PAN-OS) servers scanned by Bad Packets, 4,291 hosts were found using some type of SAML authentication," Mursch told ZDNet today. However, Mursch says that his company's scans can only tell if SAML authentication is enabled, but not if the second condition (Validate Identity Provider Certificate' option disabled) is also met. Owners of PAN-OS devices are advised to immediately review device configurations and apply the latest patches provided by Palo Alto Networks if their devices are running in a vulnerable state. For greater details visit OUR FORUM.