Friday, April 5th, 2024

Cybersecurity Week in Review (05/04/24)

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.
The high-severity zero-day vulnerabilities are as follows –
CVE-2024-29745 – An information disclosure flaw in the bootloader component
CVE-2024-29748 – A privilege escalation flaw in the firmware component
Google stated in an advisory released on April 2, 2024, that there are indications the vulnerabilities may be under limited, targeted exploitation.
While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”
In a series of posts on X (formerly Twitter), it was mentioned that “CVE-2024-29745 pertains to a vulnerability found in the fastboot firmware utilized for supporting unlocking, flashing, and locking functionalities.”
GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.
The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.
It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.

Source –

SurveyLama data breach exposes info of 4.4 million users

Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users.
SurveyLama is an online platform that rewards registered users for completing surveys. Owned by French firm Globe Media, the platform is praised for high payouts (up to $20), fast payments, and multiple withdrawal options.
In early February, HIBP’s creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including:
• Dates of birth
• Email addresses
• IP addresses
• Full Names
• Passwords
• Phone numbers
• Physical addresses
When contacted by HIBP inquiring about the authenticity of the data, SurveyLama said that they had already notified impacted users via email, confirming the security incident.
The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification.
The platform said the exposed passwords were stored as salted SHA-1, bcrypt, or Argon2 hashes, so they are not directly usable cleartext.
Though hashing adds some resistance to cracking, it is not impervious to brute-forcing, especially for the passwords protected with salted SHA-1, which has known weaknesses and is susceptible to collision attacks.
Regardless, SurveyLama account holders should reset their passwords on the service immediately, and on any other platforms where they might have reused the same credentials.

Source –

Ransomware cartel claims Leicester City, shares data

Attackers posted Leicester City Council on INC Ransom’s dark web blog, which the gang employs to showcase and threaten its latest victims. Cybercrooks claim they’ve siphoned three terabytes of data from the Council’s systems.
The post includes a supposed “proof pack,” which contains 32 scanned documents. Those include passport copies, rent statements, bank statements, a driver’s license, and other sensitive documents.
Last month, Leicester City Council suffered a significant cyberattack, forcing it to shut down many municipal services and disconnect phone lines. According to the Council’s statement, published on March 28th, three weeks after the attack, it was still recovering, although “most” of the services had already been restored by that time.
Leicester is the tenth largest city in England, the largest in the nation’s East Midlands region, and home of the internationally known Leicester City Football Club. The city has a population of more than 350,000 within its borders, and another 550,000 live in the city’s outlying urban areas, according to census reports.
INC Ransom was first noted in July 2023. The gang is considered a multi-extortion operation – which means it not only encrypts and steals its target’s data but then threatens to publish it online if the victim doesn’t pay up. It appears to target a wide variety of industry sectors seemingly at random, including attacks on the healthcare, education, and government sectors.
Most recently, the gang claimed to have breached NHS Scotland, taking three terabytes of the healthcare provider’s data. However, the gang actually breached NHS Scotland’s Dumfries and Galloway health board, one of fourteen boards that make up NHS Scotland.
According to Ransomlooker, Cybernews’ ransomware monitoring tool, INC Ransom has victimized at least 76 organizations over the last 12 months.

Source –

Jackson County in state of emergency after ransomware attack

Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday.
“Jackson County has confirmed a ransomware attack was responsible for the disruption of several county services today,” the Missouri county said.
The Assessment, Collection, and Recorder of Deeds offices at all County locations will likely be closed until the end of the week as the IT department works on restoring tax payment, marriage license, and inmate search systems impacted in the incident.
However, according to a statement published on Tuesday, the Kansas City Board of Elections and Jackson County Board of Elections are not affected by this system outage.
Officials have alerted law enforcement, including the FBI and the Department of Homeland Security, and are working with external IT security experts to investigate the attack.
Jackson County Executive Frank White, Jr. declared a state of emergency on Tuesday to expedite IT orders, activate emergency workers, and protect against a ransomware attack.
County officials have also confirmed that the compromised systems did not store residents’ financial data. This is because Jackson County uses the Payit payment service provider, which stores all myjacksonCounty account data outside of the county’s network.
“In its commitment to protect residents, Jackson County prioritizes the security of sensitive financial information and does not keep any such data on its systems. Instead, these crucial details are securely handled and stored by our trusted partner, Payit,” they said in a statement.
“Jackson County works with Payit to offer resident engagement and payment services for property taxes, marriage licenses, and other various payable items,” said the service provider.
“The service is hosted completely outside Jackson County systems, and we have confirmed that the myjacksonCounty system has not been impacted by the incident. No customer data in myJacksonCounty has been compromised.”
Jackson County is one of 114 counties in Missouri, with a population of approximately 718,000 people living within 616 square miles.
The Missouri county includes most of Kansas City, the largest city in Missouri, and 17 other cities and towns.

Source –

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.
The findings come from HUMAN’s Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user’s device into a proxy node without their knowledge.
The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.
Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server.
The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks.
Security researchers said that “when a threat actor utilizes a residential proxy, the assault traffic seems to originate from various residential IP addresses rather than an IP associated with a data center or other components of the threat actor’s infrastructure. These networks are often purchased by many threat actors to streamline their operations”.
Some of these networks can be created by malware operators tricking unsuspecting users into installing bogus apps that essentially corral the devices into a botnet that’s then monetized for profit by selling the access to other customers.
The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device to the network, and process any request from the proxy network.
Another notable aspect of these apps is that a subset of them identified between May and October 2023 incorporate a software development kit (SDK) from LumiApps, which contains the proxyware functionality. In both cases, the malicious capability is pulled off using a native Golang library.
LumiApps also offers a service that essentially permits users to upload any APK file of their choice, including legitimate applications, and bundle the SDK to it without having to create a user account, which can then be re-downloaded and shared with others.
“LumiApps, as described on its website, assists businesses in collecting publicly accessible internet data,” states the Israeli company. “It employs the user’s IP address to silently load multiple web pages from reputable websites in the background.”
These modified apps – called mods – are then distributed in and out of the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.
There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.
What’s more, in an effort to bake the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that gets routed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.
Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented yet interconnected ecosystem,” in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels.
“The companies highlighted that proxyware is frequently integrated into a product or service, particularly in the case of SDKs. Users might not be aware that proxyware will be integrated when agreeing to the terms of use of the primary application it is bundled with. This lack of transparency results in users unknowingly sharing their internet connection without a full comprehension of the implications.”
The development comes as Lumen Black Lotus Labs disclosed that end-of-life (EoL) small office/home office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.

Source –

HALO hacked, private data stolen

According to a report to the Maine Attorney General, the attack happened on November 22nd, 2023. The notice to affected clients on March 28th states that threat actors had accessed HALO’s computer systems and stolen files with private data.
The company mentioned in a statement that “its network’s computer systems were infiltrated by a sophisticated threat actor who utilized methods to avoid detection by their information security defenses.”
Threat actors got their hands on the data provided to HALO Human Resources for tax or benefits purposes, including name, date of birth, and Social Security number.
The report to the Maine Attorney General states that, in total, 7,305 people were affected by the breach.
HALO claims to be working with external cybersecurity experts to investigate the incident and to monitor the Dark Web for data being leaked. The company will also provide credit and identity protection services to affected individuals for 12 months free of charge.
HALO has more than 40 offices worldwide and employs over 1,500 individuals.
The company provides branded merchandise, uniform programs, and employee recognition and incentive solutions.

Source –

Yacht retailer MarineMax discloses data breach after cyberattack

MarineMax, self-described as one of the world’s largest recreational boat and yacht retailers, says attackers stole employee and customer data after breaching its systems in a March cyberattack.
The Florida-based yacht seller said in a March 12 SEC filing that it didn’t store sensitive data in the compromised systems. Still, on Monday, a new 8-K filing revealed that the malicious actors gained access and stole personal data belonging to an undisclosed number of individuals.
MarineMax disclosed “that a cybercrime organization gained unauthorized access to a restricted area of our information environment connected to our retail operations.”
While the company didn’t attribute the attack to a specific threat group, the Rhysida ransomware gang claimed the attack and is now selling data allegedly stolen from MarineMax’s network for 15 BTC (just over $1 million).
Rhysida has also leaked screenshots of what appear to be MarineMax’s financial documents, along with employee driver’s licenses and passports, on its dark web leak site.
The group is still seeking a buyer for the data they stole from the company, indicating that the ransom has not yet been paid.
MarineMax operates over 130 locations worldwide, including 83 dealerships and 66 marina and storage facilities. The company reported a $2.39 billion revenue last year, with a $835.3 million gross profit.
The Rhysida ransomware-as-a-service (RaaS) operation emerged almost one year ago, in May 2023, and gained notoriety after breaching the British Library and the Chilean Army (Ejército de Chile).
The gang’s affiliates were also linked by the U.S. Department of Health and Human Services (HHS) to attacks against healthcare organizations in August.
Additionally, a joint advisory issued by CISA and the FBI warned that the Rhysida ransomware group has also carried out opportunistic attacks targeting organizations in various industry sectors.
One of the latest examples is the November attack against Sony subsidiary Insomniac Games, when the ransomware gang stole over 1.3 million files, including employee personal information. Rhysida leaked 1.67 TB of documents on its leak site after the game studio refused to pay a $2 million ransom.

Source –

Prudential Financial Data Breach Impacts 36,000

Initially disclosed in mid-February in a regulatory filing with the US Securities and Exchange Commission, the incident occurred on February 4 and was identified one day later.
At the time, Prudential said that the attackers accessed systems containing company administrative and user data, as well as employee and contractor accounts.
One week later, the Alphv/BlackCat ransomware group claimed responsibility for the attack, listing Prudential on its Tor-based leak site. The threat actor is also responsible for the major US health system outage last month, after disrupting Change Healthcare systems and services.
In a filing with the Maine Attorney General’s Office on Thursday, just before the Easter holiday, Prudential revealed that the hackers had stolen the information of more than 36,000 individuals, to whom it is sending written notifications about the incident.
The data breach notification was filed for Prudential Insurance Company of America, the Prudential Financial company that issues insurance products.
In its notification letter, Prudential says that it activated its incident response plan immediately after identifying the breach and that it engaged external cybersecurity experts to help with the investigation into the matter.
Prudential stated that “during the investigation, it was discovered that an unauthorized third party accessed their network on February 4, 2024, and extracted a small portion of personal information from their systems.”
Pertaining to the impacted individuals’ Prudential products and services, the stolen personal information includes names, addresses, driver’s license numbers, and non-driver identification card numbers.
The company says it has confirmed that the attackers no longer have access to its systems, and claims to have implemented additional security measures, including improved access controls, additional monitoring capabilities, and stronger authentication protocols.
Although it says that it is not aware of identity theft or fraud related to the stolen information, Prudential is providing the affected individuals with two years of complimentary credit monitoring services.

Source –

OWASP discloses data breach caused by wiki misconfiguration

The OWASP Foundation has disclosed a data breach after some members’ resumes were exposed online due to a misconfiguration of its old Wiki web server.
Short for Open Worldwide Application Security Project, OWASP is a nonprofit foundation launched in December 2001 that focuses on software security.
It now has tens of thousands of members and more than 250 chapters that organize educational and training conferences worldwide.
OWASP says it discovered the MediaWiki misconfiguration in late February following several support requests.
The incident only affected members who joined the foundation between 2006 and 2014 and provided resumes as part of the old membership process.
The foundation will email affected individuals to notify them of the incident even though many of them are no longer members and the exposed personal details are, in many cases, out of date.
OWASP also took several measures to address the data breach, disabling directory browsing and reviewing the web server and MediaWiki configuration for other security issues.
To prevent further access, they removed all resumes from the wiki site and purged the Cloudflare cache. Additionally, OWASP reached out to the Web Archive and requested that the exposed resume information be removed.
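The exposure described above is the classic directory-browsing failure: the server’s automatic index listing is enabled and a directory holds files but no index document, so every file name in it becomes browsable. The following audit script is an added example, not OWASP’s code; it walks a web root and flags every directory that an auto-indexing server would enumerate, using a constructed sample tree that mirrors the incident pattern (a wiki upload directory full of documents with no index file). The fix on the server side is the matching directive, `Options -Indexes` for Apache or `autoindex off;` for nginx.

```python
"""Audit a web root for directories an auto-indexing web server would list.

Added example, not OWASP's own tooling. A directory is "listable" when it
contains files but no index document; with directory browsing enabled,
the server enumerates every file in it. Turn listing off with
`Options -Indexes` (Apache) or `autoindex off;` (nginx) and verify with
this walk that no sensitive directory depends on that setting.
"""
import os
import tempfile
from pathlib import Path

# Index documents commonly served instead of a listing (assumed set).
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def find_listable_dirs(web_root, index_names=INDEX_NAMES):
    """Return {relative_dir: [file names]} for every directory under
    web_root that holds files but no index document."""
    root = Path(web_root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue  # nothing to enumerate
        if any(name in index_names for name in filenames):
            continue  # index document present: server serves it, not a listing
        rel = Path(dirpath).relative_to(root).as_posix()
        findings[rel] = sorted(filenames)
    return findings


def build_sample_root():
    """Constructed sample web root: a wiki-style upload directory holding
    member documents with no index file, plus two safe directories."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html>home</html>")
    uploads = root / "images" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "resume_member_001.pdf").write_bytes(b"%PDF-constructed")
    (uploads / "resume_member_002.pdf").write_bytes(b"%PDF-constructed")
    skins = root / "skins"
    skins.mkdir()
    (skins / "index.html").write_text("")  # index present: not listable
    (skins / "style.css").write_text("body{}")
    (root / "empty").mkdir()  # no files: nothing to enumerate
    return root


def report(findings):
    """One human-readable line per listable directory."""
    return [
        f"LISTABLE {rel}/ ({len(files)} files): {', '.join(files)}"
        for rel, files in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(find_listable_dirs(build_sample_root())):
        print(line)
```

Run it against the real document root after disabling listing: any directory it reports is one whose contents were protected only by the server setting.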

Source –

Wendy’s franchise exposed via payroll breach

Fashion Food, which operates multiple Wendy’s outlets around Massachusetts, has contacted individuals affected by the March 11th breach. According to the company, someone accessed its Paycor account.
The Wendy’s operator said that it used Paycor, an HR software provider, for payroll management services. A subsequent investigation revealed unauthorized access to the Paycor account between March 11th and March 12th.
“While in our Paycor account, the unauthorized users accessed your personally identifiable information (“PII”),” reads the company’s letter to affected individuals.
The company did not reveal which details the attackers may have accessed. We’ve reached out for clarification but have yet to receive a reply before publishing.
However, at the very least, PII includes names and surnames. Given that the company employed Paycor for payroll management, individuals’ Social Security numbers and home addresses could also be exposed.
To mitigate potential risks, Fashion Foods said it would provide impacted individuals with two years of complimentary credit monitoring services.
Fashion Foods is a franchisee of Wendy’s, among the world’s largest fast food chains, with over 7,000 locations globally.

Source –

Cyber Threat Intelligence Report – XZ Utils Backdoor: Impact on Major Linux Distributions

This document is prepared as a part of the latest threat intelligence research conducted by the Smarttech247 team. This report delves into a significant supply chain threat affecting major Linux distributions through compromised versions of the XZ Utils data compression library. This threat has raised alarms within the cybersecurity community due to its sophisticated nature and far-reaching implications. By examining the discovery, impact, response efforts, and implications for the industry, this report aims to provide a comprehensive understanding of the attack.

Full Report –

Cyber Threat Intelligence Report – R00TK1T Allegedly Hacked Unilever PLC

This document was prepared as a part of the latest threat intelligence research conducted by the Smarttech247 team. This report delves into the alleged infiltration of the systems of the global corporation Unilever, which reportedly gave the attackers access to the source code of its critical systems.

Full Report –
