Weekly overview of safety news – August 9, 2024

I apologize. I wrote last week’s edition of this review, but forgot to publish it. Also, I’m trying to put it under HTML <details> and <summary> tags so you can expand or close it before reading this week’s issue. However, I couldn’t get it to render on DEV (although it rendered fine in my Markdown editor).

Introduction

Welcome, everyone. In this week’s edition we will be discussing articles on various aspects of cybersecurity that will have you on the edge of your seat. Some will leave you wondering “how is that even possible?”, and others will leave you thinking “I never thought of that.”

To help you get started, here’s a general overview of the items we’ll be reviewing:

  • Errors in Windows (two to be exact)
  • DNS poisoning via a hacked ISP
  • 18-year-old browser vulnerability
  • 5G baseband bugs (now fixed by some)
  • Ransomware gangs getting caught
  • Phishing (no surprises, we’ve covered similar articles in the past, but this one is clever)

Now that we’ve said that, let’s go!


The design of the Windows features in question (Smart App Control and SmartScreen) is what led to the flaws. The interesting (and scary) thing about the flaws is that they allow initial system compromise without any security warnings.

The snippet below shows one of the ways to bypass the protections of Smart App Control and SmartScreen, and one of the consequences of exploiting these flaws: malware delivery to a system.

One of the easiest ways to bypass these protections is to sign the app with a legitimate Extended Validation (EV) certificate, a technique already abused by malicious actors to spread malware.

What made this possible? Two things (among others). First, the update mechanism of the affected applications was delivered without TLS. Second, the attackers were able to perform a man-in-the-middle (MitM) attack due to their control over the ISP.

The fragment below describes a situation of an affected application:

For example, the 5KPlayer app uses an insecure HTTP connection instead of an encrypted HTTPS connection to check if an update is available and, if so, to download a configuration file named Youtube.config.

StormBamboo, the name the industry uses to track the hacking group responsible, used DNS poisoning to serve a malicious version of the Youtube.config file from a server under its control.
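The two ingredients named above (a plaintext update channel and an attacker who controls name resolution) are exactly what an update client can defend against on its own side. The following Python is an added example, not code from the article or from 5KPlayer: it models an update client that refuses http:// channels, pins the update host, and verifies the downloaded configuration against a digest manifest it trusts independently of the download. The hostnames, the config contents and the "network" (a fetcher function) are constructed for the example. With real HTTPS, certificate validation would already stop a poisoned resolver from delivering a substitute file; the digest check is the defence-in-depth layer that catches it if the channel is ever weakened.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample data (not from the article): the genuine config the vendor
# serves, and the substitute an attacker serves from the server that poisoned
# DNS has pointed the update hostname at.
GENUINE_CONFIG = b"version=1.2.3\nurl=https://updates.example.invalid/player-1.2.3.exe\n"
POISONED_CONFIG = b"version=1.2.4\nurl=http://attacker.example.invalid/player-1.2.4.exe\n"

# Hypothetical pinned update host; a real client pins the vendor's real host.
ALLOWED_HOSTS = {"updates.example.invalid"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digest manifest the client trusts independently of the download channel
# (for example shipped inside the installer). Built from the genuine bytes here.
TRUSTED_MANIFEST = {"Youtube.config": sha256_hex(GENUINE_CONFIG)}


def check_update_channel(url: str, fetcher, manifest=TRUSTED_MANIFEST):
    """Return (ok, reason, body). `fetcher(url) -> bytes` stands in for the
    network so the example runs offline."""
    parts = urlparse(url)
    if parts.scheme != "https":
        # A plaintext channel is trivially substituted by anyone on the path.
        return False, f"refusing plaintext update channel: {parts.scheme}://", None
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"update host not pinned: {parts.hostname}", None
    name = parts.path.rsplit("/", 1)[-1]
    expected = manifest.get(name)
    if expected is None:
        return False, f"no manifest entry for {name}", None
    body = fetcher(url)
    # Constant-time comparison of the downloaded file's digest with the pinned one.
    if not hmac.compare_digest(sha256_hex(body), expected):
        return False, f"digest mismatch for {name}", None
    return True, "verified", body


def honest_fetcher(url: str) -> bytes:
    # The update hostname resolves to the vendor's server.
    return GENUINE_CONFIG


def poisoned_fetcher(url: str) -> bytes:
    # Same URL, but a poisoned resolver now points the name at the attacker's server.
    return POISONED_CONFIG


if __name__ == "__main__":
    url = "https://updates.example.invalid/Youtube.config"
    for label, fetcher in (("honest", honest_fetcher), ("poisoned", poisoned_fetcher)):
        ok, reason, _ = check_update_channel(url, fetcher)
        print(f"{label}: {ok} ({reason})")
    print(check_update_channel("http://updates.example.invalid/Youtube.config", honest_fetcher)[:2])
```

The poisoned fetcher returns a file with a different digest, so the client rejects it even though the URL and hostname are identical to the genuine request; the plaintext URL is rejected before any bytes are fetched at all.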

The idea of having your system fully patched with the latest updates, only to find out that someone has downgraded it to a previous version that contains vulnerabilities, is scary. That is what this attack is all about. At the time of writing, Microsoft is working on a solution.

This is how the vulnerability works:

“I was able to expose a fully patched Windows machine to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days,” Leviev said.

The Israeli researcher says he found a way to manipulate an XML file containing an action list to push a “Windows Downdate” tool that bypasses all verification steps, including integrity verification and Trusted Installer enforcement.

This is the type of vulnerability you could call “a long time coming”. The bug was first reported over 18 years ago, and browser vendors are now scrambling to fix it after a security firm investigated what could happen if it were exploited.

This is how the vulnerability works:

The critical vulnerability “exposes a fundamental flaw in the way browsers handle network requests, potentially allowing malicious actors to gain access to sensitive services running on local devices.”

By using 0.0.0.0 in combination with the ‘no-cors’ mode, attackers can leverage public domains to attack services running on localhost and even achieve arbitrary code execution (RCE), all using a single HTTP request.

As mentioned in the introduction, some providers (e.g. Google) have fixed these bugs. But it is interesting to know that such an attack was possible.
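Browser fixes close the 0.0.0.0 path, but a service listening on a developer machine should not rely on every browser its users run. The Python below is an added example, not code from the article or from any of the affected products: it shows the request checks a loopback-bound service can apply itself. A page that fetches http://0.0.0.0:<port> makes the browser send Host: 0.0.0.0:<port>, so restricting the Host header to loopback names already rejects that request; the Origin and Sec-Fetch-Site checks reject cross-site requests that arrive with those headers set. The header values in the usage block are constructed for the example, and the 8080 port and the empty allow-list of origins are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hosts a browser may legitimately use to reach a service bound to loopback.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Web origins allowed to make cross-origin requests; a local tool usually needs none.
ALLOWED_ORIGINS = set()


def _host_of(host_header: str) -> Optional[str]:
    # urlsplit handles "host:port" and bracketed IPv6 such as "[::1]:8080".
    return urlsplit("//" + host_header).hostname


def decide_local_request(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request reaching a loopback-bound service."""
    h = {k.lower(): v for k, v in headers.items()}
    host = _host_of(h.get("host", ""))
    if host not in LOCAL_HOSTS:
        # A page fetching http://0.0.0.0:<port> makes the browser send this value.
        return False, f"unexpected Host header: {h.get('host')!r}"
    origin = h.get("origin")
    if origin is not None:
        # Cross-origin fetch/XHR and form posts carry the requesting page's origin.
        origin_host = urlsplit(origin).hostname
        if origin_host not in LOCAL_HOSTS and origin not in ALLOWED_ORIGINS:
            return False, f"cross-origin request from {origin}"
    if h.get("sec-fetch-site") == "cross-site":
        # Sent by browsers that support fetch metadata; belt and braces.
        return False, "Sec-Fetch-Site: cross-site"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the check before serving anything."""

    def do_GET(self):
        allowed, reason = decide_local_request(dict(self.headers.items()))
        if not allowed:
            self.send_error(403, reason)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"local service response\n")

    do_POST = do_GET


if __name__ == "__main__":
    # Constructed header sets: what a poisoned page's request and a normal
    # local request would look like.
    print(decide_local_request({"Host": "0.0.0.0:8080", "Origin": "https://attacker.example"}))
    print(decide_local_request({"Host": "localhost:8080"}))
    # Serve on loopback only; binding to 0.0.0.0 would expose the service to every interface.
    HTTPServer(("127.0.0.1", 8080), GuardedHandler).serve_forever()
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the other half of the same hygiene: the Host check handles what a browser puts in the request, the bind address handles which interfaces can reach the socket at all.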

The following excerpt highlights how the bugs can be exploited. Note that “Tu” is one of the researchers.

Tu explained that a malicious hacker could exploit the vulnerabilities he found, posing as a friend of the victim and sending a believable phishing message.

Or by directing the victim’s phone to a malicious website, the hacker could trick the victim into providing their login credentials on a fake Gmail or Facebook login page, for example.

Remember the part in the introduction about ransomware gangs getting caught? Well, that’s what this article is about. A researcher went after the gangs and discovered what he called “simple” online dashboards used by them. This was enough to learn the inner workings of the ransomware operations and eventually obtain decryption keys.

The following excerpt summarizes the entire article:

The research shows that ransomware gangs can be susceptible to many of the same simple security issues as large corporations, providing law enforcement with a potential way to crack down on criminal hackers operating far outside their jurisdiction.

It’s no surprise that threat actors abuse legitimate services to launch their attacks. But the combination of Google and WhatsApp is what intrigued me about this article.

The fragment below briefly explains the attack and how it can be initiated:

The attackers chose a group of the most well-known websites in the computer world to create the threat, including Google and WhatsApp to host the attack elements, and an Amazon lookalike to collect the victim’s information.

The attack’s starting point is a phishing email that directs recipients to an image that appears to be an Amazon account verification link. This image is in turn hosted on Google Drawings, in an attempt to evade detection.
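The lure described above combines three signals a mail filter can look for: the visible link talks about a brand, the link target is a shared hosting platform rather than that brand’s domain, and the collection page sits on a lookalike domain. The Python below is an added example, not code from the article or from the researchers who reported the campaign: it parses the anchors out of a constructed message body modelled on the lure and flags each of those signals. The brand-to-domain table, the list of shared hosting hosts, the sample message and the `.example` / `EXAMPLE-ID` values are all constructed; a real deployment would use a maintained brand list and the public suffix list instead of the crude registrable-domain helper here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed reference data: brands and the registrable domains they use.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
}
# Legitimate platforms that phishing kits use to host images and redirect hops.
SHARED_HOSTING = {"docs.google.com", "drive.google.com", "wa.me", "api.whatsapp.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host: str) -> str:
    # Crude two-label fallback plus a "co.uk"-style case; use the public suffix list in production.
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage_link(href: str, text: str) -> dict:
    host = urlsplit(href).hostname or ""
    flags = []
    if host in SHARED_HOSTING:
        flags.append("shared-hosting")
    for brand, domains in BRAND_DOMAINS.items():
        on_brand = registrable_domain(host) in domains
        if brand in text.lower() and not on_brand:
            # The visible text sells a brand the link does not go to.
            flags.append(f"brand-text-offbrand-host:{brand}")
        if brand in host.lower() and not on_brand:
            # The host name borrows the brand but is not the brand's domain.
            flags.append(f"lookalike-host:{brand}")
    return {"href": href, "text": text, "host": host, "flags": flags}


def triage_html(body: str) -> list:
    parser = LinkCollector()
    parser.feed(body)
    return [triage_link(href, text) for href, text in parser.links]


# Constructed sample message body modelled on the lure described in the article.
SAMPLE_EMAIL = """
<p>Dear customer, unusual sign-in activity was detected.</p>
<a href="https://docs.google.com/drawings/d/EXAMPLE-ID/preview">
  <img alt="verify">Verify your Amazon account</a>
<p>Or use the <a href="https://amazon-account-verify.example/login">Amazon security portal</a>.</p>
<p><a href="https://www.amazon.com/gp/help">Amazon help pages</a></p>
"""

if __name__ == "__main__":
    for finding in triage_html(SAMPLE_EMAIL):
        print(finding["host"], finding["flags"])
```

The first link is flagged twice (shared hosting plus brand text pointing off-brand), the lookalike collection page is flagged for both the brand text and the host, and the genuine Amazon link passes clean, which is the behaviour a triage rule needs so that it does not quarantine every message that mentions a retailer.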

Credits

Cover photo by Debby Hudson on Unsplash.


That’s it for this week. Until next time.
