Cyber Security Headlines: Urgent iPhone update, ZIP password fault, Hacking decommissioned satellites

iPhone users urged to update to patch 2 zero-days

An urgent alert from Apple this week urges macOS, iPhone and iPad users to install updates that fix two zero-days under active attack. The flaws could allow attackers to execute arbitrary code with kernel privileges and ultimately take over the device. The fixes ship in iOS and iPadOS 15.6.1 and macOS Monterey 12.5.1 for affected devices. Apple says it is aware of a report that the zero-days "may have been actively exploited."

(ThreatPost)

Encrypted ZIP files can have two correct passwords

Although password-protected ZIP archives are used frequently to compress and share sets of files, research from Arseniy Sharoglazov at Positive Technologies has demonstrated that an encrypted ZIP file can have two correct passwords. The behaviour shows up when the password is longer than 64 bytes and the archive uses AES encryption, whose keys are derived with PBKDF2-HMAC-SHA1. HMAC replaces any key longer than its 64-byte block size with that key's SHA-1 hash before use, so the 20-byte SHA-1 digest of the original password derives exactly the same keys and is accepted as a second, unrelated-looking password. Sharoglazov picked a long password whose digest happens to consist of printable characters, so the second password can simply be typed into an archiver. A full report on this issue is available at Bleeping Computer, who, incidentally, were able to replicate the result.

(Bleeping Computer)
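The mechanism behind the story, as an added Python example (not Sharoglazov's or Bleeping Computer's code). It assumes the WinZip-style AES (AE-2) parameters for AES-256: PBKDF2-HMAC-SHA1, 1000 iterations, a 66-byte output ending in the 2-byte password verifier; the salt and passwords are constructed for the example. It generalizes the article's single archive to the rule: any password longer than SHA-1's 64-byte block has its raw SHA-1 digest as an equivalent password, while shorter passwords have no such shortcut.

```python
import hashlib
import hmac
from typing import Optional

# SHA-1 block size. RFC 2104 HMAC replaces a key longer than this with H(key),
# so a key and its hash drive identical HMACs, and therefore identical PBKDF2 output.
HMAC_SHA1_BLOCK = 64

# Constructed inputs for the demo; a real archive stores a random salt per entry.
SALT = bytes(range(16))
LONG_PW = b"correct horse battery staple " * 3   # 87 bytes, over the 64-byte block
SHORT_PW = b"hunter2"


def zip_aes_kdf(password: bytes, salt: bytes, iterations: int = 1000, dklen: int = 66) -> bytes:
    """Key derivation used by WinZip-style AES entries (AE-2): PBKDF2-HMAC-SHA1.
    Defaults assume AES-256: 1000 iterations, 32+32 key bytes plus a 2-byte
    password verifier = 66 bytes (assumption for this example; check your tool)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def password_verifier(password: bytes, salt: bytes) -> bytes:
    """The 2-byte verifier an archiver stores in the entry and checks before decrypting."""
    return zip_aes_kdf(password, salt)[-2:]


def equivalent_password(password: bytes) -> Optional[bytes]:
    """Second password accepted by the archive, or None when the password fits
    inside the HMAC block size and this shortcut does not exist. For longer
    passwords HMAC first computes SHA-1(password), so that 20-byte digest works verbatim."""
    if len(password) <= HMAC_SHA1_BLOCK:
        return None
    return hashlib.sha1(password).digest()


def unlocks(password: bytes, candidate: bytes, salt: bytes) -> bool:
    """Does `candidate` derive the same keys as the password the archive was created with?
    Comparing the full KDF output is stricter than the reader's 2-byte verifier check."""
    return hmac.compare_digest(zip_aes_kdf(password, salt), zip_aes_kdf(candidate, salt))


def hmac_keys_collide(key_a: bytes, key_b: bytes, msg: bytes = b"zip") -> bool:
    """The same effect one layer down: HMAC-SHA1 under both keys over any message."""
    return hmac.new(key_a, msg, hashlib.sha1).digest() == hmac.new(key_b, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    alt = equivalent_password(LONG_PW)
    print("second password (hex):", alt.hex())
    print("unlocks with the digest:", unlocks(LONG_PW, alt, SALT))       # True
    print("unlocks with a guess:", unlocks(LONG_PW, b"Wr0ng", SALT))     # False
    print("shortcut for a short password:", equivalent_password(SHORT_PW))  # None
```

The digest is 20 raw bytes and usually contains unprintable characters, which is why the published demonstration searched for a long password whose SHA-1 digest is entirely printable ASCII. Note what this is not: the second password is a key-equivalent of the first, not a weaker one, so an attacker gains no shortcut to guessing either; and legacy ZipCrypto entries, which use no KDF, are not affected.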

White hat hackers broadcast through decommissioned satellite

A group of white hat hackers demonstrated at DEF CON how to take control of a satellite in geostationary orbit. The group used Anik F1R, a satellite decommissioned in 2020. For context, the group was authorized to perform the hack and had been given permission and access to an unused uplink facility, including the hardware needed to reach the satellite. The point of the exercise was to show how easily decommissioned satellites can be taken over with software costing just $300.

(Security Affairs)

Hackers target hotel and travel companies with fake reservations

A threat actor tracked as TA558 has been running phishing campaigns targeting hotel, hospitality and travel companies, sending mail that purports to book reservations on behalf of conference organizers, tourist office agents and other senders recipients would pay attention to. Those who click the URL in the message body, which appears to be a reservation link, receive an ISO file from a remote server; the image contains a batch file that launches a PowerShell script. That script eventually drops a RAT payload onto the victim's computer and creates a scheduled task for persistence.

(Bleeping Computer)
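Detection logic for the chain described above (batch file from a mounted ISO launches PowerShell, which registers a scheduled task), as an added Python example that is not from the report or from any vendor tooling. The process-creation events are constructed to resemble Sysmon event ID 1 / Security 4688 records; pids, paths and file names are invented. The rule keys on the shape of the process tree rather than the ISO's drive letter, since that letter varies per host, and it fires on both schtasks.exe /create and Register-ScheduledTask run from PowerShell's own command line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields a Sysmon ID 1 or 4688 event would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry for this example; not from a real incident.
# 200-400: batch file on a freshly mounted ISO (E:) -> PowerShell -> schtasks.exe /create
# 500-600: benign build script that also goes cmd.exe -> powershell.exe, no persistence
# 700-800: same intrusion pattern, persistence done from inside PowerShell instead
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "E:\Reservation.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -ep bypass -f E:\rsv.ps1"),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn "Update" /tr "C:\Users\Public\svc.exe" /f'),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\scripts\build.bat"'),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -f C:\scripts\build.ps1"),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "D:\Invoice.cmd"'),
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Register-ScheduledTask -TaskName Sync -Action '
              r'(New-ScheduledTaskAction -Execute C:\Users\Public\svc.exe)"'),
]

BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)
PERSIST_RE = re.compile(r"schtasks(?:\.exe)?\s+/create|register-scheduledtask", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 6) -> List[ProcEvent]:
    """Walk parent pointers and return the chain oldest-first; stops at unknown or recycled pids."""
    chain = [event]
    seen = {event.pid}
    while len(chain) < max_depth and event.ppid in by_pid and event.ppid not in seen:
        event = by_pid[event.ppid]
        seen.add(event.pid)
        chain.append(event)
    chain.reverse()
    return chain


def find_batch_to_powershell_persistence(events: List[ProcEvent]) -> List[List[int]]:
    """Return pid chains (oldest-first) where cmd.exe running a .bat/.cmd file led,
    through PowerShell, to a scheduled task being created."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not PERSIST_RE.search(e.cmdline):
            continue  # no persistence step: the benign cmd -> powershell chain is ignored
        chain = ancestry(e, by_pid)
        ran_powershell = any(_basename(a.image) in SHELLS for a in chain)
        ran_batch = any(_basename(a.image) == "cmd.exe" and BATCH_RE.search(a.cmdline) for a in chain)
        if ran_powershell and ran_batch:
            hits.append([a.pid for a in chain])
    return hits


if __name__ == "__main__":
    for chain in find_batch_to_powershell_persistence(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(str(p) for p in chain))
```

On real telemetry, pair the hit with the task's /tr or -Execute target and the PowerShell script path; a task pointing at a user-writable directory such as C:\Users\Public is the detail that turns this from a hunt query into an alert.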

Thanks to today’s episode sponsor, Code42

It’s not just about the data leaving your company – what about the data coming in? Along with departing employees, new talent is also actively joining your organization. This poses cybersecurity challenges since they could be knowingly or unknowingly bringing data from their former company into your network. Code42 Incydr is an Insider Risk Management SaaS that provides a comprehensive understanding of your data exposure and shows which activities require security intervention. Learn more at Code42.com/showme.

Grandoreiro banking malware targets Mexico and Spain

Researchers at Zscaler ThreatLabz have observed the Grandoreiro banking malware targeting organizations in Mexico and Spain. It is a modular backdoor that supports keylogging, command execution, directing the victim's browser to specific URLs, imitating mouse and keyboard movements, and more. The threat actors behind this campaign impersonate Mexican government officials, and the malware uses multiple anti-analysis techniques, including a CAPTCHA check to evade sandboxes.

(Security Affairs)

Amazon quietly fixes Ring Android app bug

According to The Record, Amazon has resolved a vulnerability discovered in May that exposed the data and camera recordings of Ring app users on Android devices. The bug had been reported on May 1 to the Amazon Vulnerability Research Program by researchers from cybersecurity firm Checkmarx. In a report released on Thursday, the researchers showed how in a series of steps, they were able to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings. 

(The Record)

Fears over China’s access to genetic data of UK citizens

According to The Guardian, political and security tensions between Beijing and the west are leading to calls for a review of the “transfer of genetic data to China from a biomedical database containing the DNA of half a million UK citizens.” The UK Biobank says it has about 300 projects which allow researchers in China to access “detailed genetic information” or other health data on volunteers. This is anonymized data, shared under an open-access policy for use in studies into diseases from cancer to depression, and at present there is no suggestion it has been misused or participants’ privacy compromised.

(The Guardian)

Last week in ransomware 

Last week saw the return of the BlackByte ransomware group, launching a data leak site that uses extortion tactics similar to LockBit 3.0. According to Bleeping Computer, "last week also saw attacks on Argentina's Judiciary of Córdoba, a UK water supplier (though Clop attributed to the wrong company), and LockBit claiming to be behind the attack on Entrust. Finally, researchers found a new variant of the SOVA Android malware that includes a ransomware feature to encrypt mobile devices."

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.