IT NEWS

New Twitter data dump is a cleaned up version of old Twitter dump

News of data dumps is often scary, as the possibilities of identity theft, account takeovers, user de-anonymization, and other online data-driven threats rear their ugly heads. Reading about the latest reports of a new Twitter dump, however, is like opening up an already-healed wound, as the dump turned out to be the same one that circulated back in November 2022 and affected more than 400 million users. Security researchers from Privacy Affairs verified this to be true. This set is simply a lot cleaner: the file is significantly smaller because, once duplicates were removed, the number of affected users was halved to roughly 200 million.

The person responsible, who claims not to have originally collected the user data, has now decided to make the data freely available, offering it up on the same forum where they had earlier tried to sell it. How bad is this? Should Twitter users be concerned?

From the forums to the public

Privacy Affairs notes that the data in the set can be used in social engineering attacks and doxxing. The original data was harvested by abusing a Twitter API: if a user had the option to be found by email address or phone number switched on, that email address or phone number could be matched to their account and ended up in the harvested data. Phone numbers, in particular, could leave someone open to identification or to SIM swap attacks against their mobile network provider.

Naturally, this would be the biggest concern for people with phone numbers or other identifying information in any leak. In this case, things may not be as bad as they sound. From the forum post:

I combined the files, converted to CSV, added a header, changed invalid control characters to “*”, deduplicated (including the 23M that were the same except for different # of followers), made the dates smaller and computer-friendly, and removed spaces that appeared before some emails. I also used very high compression, so the compressed file is just over 4GB. I intentionally didn’t sort it, so the curious will have an easier job comparing it to the original.

If you suspect you’ve been caught up in this leak, you can check on Have I Been Pwned, which has added the data to its system and is currently notifying anyone signed up for its notification service.

A welcome relief?

The forum poster goes on to say the following:

NOTE: There are NO PASSWORDS, NO PHONES, NO PHYSICAL ADDRESSES in this file. The original scrape did not contain any of that data.

While the data does include email addresses, the lack of passwords, phone numbers, and physical location is good. What’s left behind, other than email addresses, is publicly available information someone could gather up by various means. This includes name, screen name, follow count, account creation date, and others.

Unless your threat model is very specific and hinges on the exposure of your email address, you probably have little to worry about on this occasion. While there could be some form of social engineering risk from this data going public, the majority of it is likely to be data that a casual attacker could harvest from publicly available information very quickly in any case.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malware targets 30 unpatched WordPress plugins

If you make use of plugins on your WordPress site (and you probably do), it’s time to take a good look at what’s running under the hood. Ars Technica reports that unpatched vulnerabilities are being exploited across no fewer than 30 plugins.

A long list of plugin problems

If you own or operate a website there is a very good chance it uses WordPress. More than 40 percent of websites use a version of it, and it’s used on more websites than all other website Content Management Systems (CMS) combined. One of the reasons it’s so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

Plugins are created by third parties and vary widely in quality. Some are updated frequently while others are unsupported. Some are so popular that they are successful software products in their own right, with paid staff, secure development lifecycles, and millions of users, and others are made by lone hobbyists. And while WordPress will update itself with security fixes by default, automatic updating of plugins has to be enabled by each website operator.

So, news of a malware campaign targeting plugins with unpatched vulnerabilities is no surprise. In fact researchers suggest the malware used for these attacks may have been in circulation for three years. Ars Technica reports that once a vulnerable website is detected, the attack injects rogue scripts into the pages of the site. The scripts redirect website visitors to malicious websites when they click anywhere on an affected web page.

According to research by Dr.Web, the attacks rely on unpatched versions of the following plugins or themes:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

Plugging the plugin gap

Time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way. Cleanup is often not an easy task, and a tiny slice of preventative action can keep you far away from a massive repair operation further down the line.

The following preventative maintenance could save you a lot of trouble:

  • Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
  • Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
  • Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
  • Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.
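As an added example (this is not part of the original article, nor code from WordPress or WP-CLI), the Python script below applies the four checks above to a plugin inventory. It works on constructed sample data in the shape of the JSON that "wp plugin list --format=json" produces, plus the "last updated" and "tested up to" fields the View details pane shows. The plugin versions, dates, the core version, and the two-year "no release means abandoned" threshold are all assumptions made for the example.

```python
"""Audit a WordPress plugin inventory against the four maintenance steps:
needs an update, auto-updates off, probably unsupported, probably unneeded."""
import json
from datetime import date

# Constructed sample in the shape of `wp plugin list --format=json` output.
# Names follow the list above; versions and states are made up.
WP_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available",
     "version": "7.1.0", "update_version": "7.2.2", "auto_update": "off"},
    {"name": "wp-live-chat-support", "status": "active", "update": "none",
     "version": "8.0.27", "update_version": "", "auto_update": "on"},
    {"name": "yuzo-related-post", "status": "inactive", "update": "none",
     "version": "5.12.94", "update_version": "", "auto_update": "off"},
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.0.2", "update_version": "", "auto_update": "on"},
])

# Constructed sample of what the Plugins screen's View details pane reports:
# last release date and the newest WordPress version the author tested with.
PLUGIN_INFO = {
    "woocommerce":          {"last_updated": "2022-12-20", "tested": "6.1.1"},
    "wp-live-chat-support": {"last_updated": "2019-08-15", "tested": "5.2.4"},
    "yuzo-related-post":    {"last_updated": "2018-03-29", "tested": "4.9.8"},
    "akismet":              {"last_updated": "2022-11-03", "tested": "6.1.1"},
}

STALE_AFTER_DAYS = 2 * 365   # assumption: no release in two years means abandoned
TESTED_MAJOR_LAG = 2         # assumption: tested only against core two majors back


def parse_version(text):
    """'6.1.1' -> (6, 1, 1); ignores any non-numeric trailing part."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def audit_plugins(plugin_list_json, info, core_version, today):
    """Return the plugins needing attention, keyed by the action to take."""
    findings = {"update": [], "enable_auto_update": [],
                "unsupported": [], "unused": []}
    core_major = parse_version(core_version)[0]
    for plugin in json.loads(plugin_list_json):
        name = plugin["name"]
        if plugin["update"] == "available":
            findings["update"].append(
                (name, plugin["version"], plugin["update_version"]))
        if plugin["auto_update"] != "on":
            findings["enable_auto_update"].append(name)
        meta = info.get(name)
        if meta is None:
            # nothing known about it at all: treat as unsupported
            findings["unsupported"].append(name)
        else:
            age_days = (today - date.fromisoformat(meta["last_updated"])).days
            tested_major = parse_version(meta["tested"])[0]
            if (age_days > STALE_AFTER_DAYS
                    or core_major - tested_major >= TESTED_MAJOR_LAG):
                findings["unsupported"].append(name)
        if plugin["status"] == "inactive":
            findings["unused"].append(name)
    return findings


def run_sample_audit():
    """Audit the constructed sample as of 2023-01-09 on an assumed core 6.1.1."""
    return audit_plugins(WP_PLUGIN_LIST, PLUGIN_INFO, "6.1.1", date(2023, 1, 9))


if __name__ == "__main__":
    for action, items in run_sample_audit().items():
        print(f"{action:>18}: {items or '-'}")
```

On a real site, feed the script the actual WP-CLI output and the directory data for each plugin; a plugin that lands in "unsupported" is a candidate for replacement even when it shows no pending update, because nobody is shipping fixes for it.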

If you can’t make enough time available to keep on top of themes and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company. The last thing you want is a stack of emails some rainy Monday morning telling you that visitors have been drafted into a botnet courtesy of your blog.

Stay safe out there!



Google patches 60 vulnerabilities in first Android update of 2023

Google has published its first security bulletin of 2023 with details of security vulnerabilities affecting Android devices. Patch level 2023-01-01 includes 20 issues and patch level 2023-01-05 includes fixes for another 40 issues.

The Android security patch level refers to a monthly manifest of security patches rolled out by Google in an effort to close up security holes and malicious code exploits in the Android OS. The more recent your patch level, the less vulnerable your device is to security exploits.

The vulnerabilities that stand out the most in this round are three critical and one high severity vulnerabilities in the Android kernel. But there are some other critical issues to keep an eye on.

Mitigation

If your Android phone is at patch level 2023-01-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Kernel

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below are details for the three critical ones in the kernel.

CVE-2022-42719: A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

CVE-2022-42720: Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.

CVE-2022-42721: A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.

mac80211

mac80211 is a framework which driver developers can use to write drivers for SoftMAC wireless devices. SoftMAC devices allow for a finer control of the hardware, allowing for 802.11 frame management to be done in software for them, for both parsing and generation of 802.11 wireless frames.

The main purpose of a wireless LAN is to transport data. The 802.11 standard defines various frame types that stations use for communications, as well as managing and controlling the wireless link. 802.11 defines a data frame type that carries packets from higher layers, such as web pages, printer control data, etc., within the body of the frame.

All three critical kernel vulnerabilities require an attacker within wireless range of the device who is able to inject 802.11 frames. The affected code runs while the device parses the frames it hears during scanning, so the attacker does not need to be joined to or authenticated on the victim’s network; being close enough for the device to receive their frames is sufficient to attempt the remote code execution (RCE) attacks.

WLAN

Another option for attackers that are able to inject WLAN frames is the also critical vulnerability listed as CVE-2022-41674 which is an issue in the Linux kernel before 5.19.16. Attackers could inject WLAN frames and cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.

A buffer overflow occurs when a program writes more data into a fixed-size area of memory than that area was allocated to hold, so the excess spills into adjacent memory. In a frame parser this typically happens when a length field supplied by the attacker is trusted without being checked against the number of bytes actually received.
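Every one of the kernel bugs above was reached while parsing information elements inside frames an attacker controls, and a Multiple BSSID element nests further elements inside itself, so a single unchecked length at the inner level can send a parser past the end of the frame even when the outer lengths add up. As an added example (this is not the kernel’s code and does not reproduce the specific bugs), the Python below parses 802.11 elements with every length checked against the bytes actually present, including the Nontransmitted BSSID Profile subelements of a Multiple BSSID element, and rejects a constructed frame whose inner length byte lies. The sample frames are constructed for the example.

```python
"""Bounds-checked parser for 802.11 information elements (IEs), including the
nested subelements of a Multiple BSSID element."""
from dataclasses import dataclass, field
from typing import List

ELEM_SSID = 0
ELEM_SUPPORTED_RATES = 1
ELEM_MULTIPLE_BSSID = 71           # element ID from IEEE 802.11-2020
SUBELEM_NONTX_PROFILE = 0          # subelement ID inside Multiple BSSID
MAX_DEPTH = 2                      # frame -> subelements -> profile contents


class MalformedFrame(ValueError):
    """Raised instead of reading past the end of a buffer."""


@dataclass
class Element:
    eid: int
    data: bytes
    profile: List["Element"] = field(default_factory=list)  # nontransmitted BSS IEs


def parse_elements(buf, depth=0, expand_mbssid=True):
    """Parse a run of (ID, Length, Value) triples from `buf`.

    The length byte is attacker-controlled; it is compared with the bytes
    actually remaining before any slice is taken, at every nesting level."""
    if depth > MAX_DEPTH:
        raise MalformedFrame("element nesting too deep")
    elems, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedFrame(f"truncated element header at offset {pos}")
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise MalformedFrame(
                f"element {eid} claims {length} bytes, only {len(body)} present")
        elem = Element(eid, body)
        if eid == ELEM_MULTIPLE_BSSID and expand_mbssid:
            if length < 1:
                raise MalformedFrame("Multiple BSSID element lacks MaxBSSID indicator")
            # body[0] is the MaxBSSID Indicator; the rest is a subelement list,
            # each Nontransmitted BSSID Profile carrying its own element list.
            for sub in parse_elements(body[1:], depth + 1, expand_mbssid=False):
                if sub.eid == SUBELEM_NONTX_PROFILE:
                    elem.profile.extend(
                        parse_elements(sub.data, depth + 2, expand_mbssid=False))
        elems.append(elem)
        pos += 2 + length
    return elems


def ssids(frame):
    """All SSIDs a beacon body advertises, transmitted and nontransmitted."""
    names = []
    for elem in parse_elements(frame):
        if elem.eid == ELEM_SSID:
            names.append(elem.data.decode("ascii", "replace"))
        for inner in elem.profile:
            if inner.eid == ELEM_SSID:
                names.append(inner.data.decode("ascii", "replace"))
    return names


def rejects(frame):
    """True if the parser refuses the frame rather than reading out of bounds."""
    try:
        parse_elements(frame)
    except MalformedFrame:
        return True
    return False


def ie(eid, data):
    return bytes([eid, len(data)]) + data


# Constructed beacon body: transmitted BSS "lab-ap" plus a nontransmitted
# profile "guest" inside a Multiple BSSID element (MaxBSSID indicator = 2).
GOOD_FRAME = (
    ie(ELEM_SSID, b"lab-ap")
    + ie(ELEM_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    + ie(ELEM_MULTIPLE_BSSID,
         bytes([2]) + ie(SUBELEM_NONTX_PROFILE, ie(ELEM_SSID, b"guest")))
)

# Same bytes, except the inner SSID's length byte now claims 40 while its
# enclosing profile subelement only carries 5: the outer lengths still add up,
# so only a parser that re-checks at the inner level catches it.
BAD_FRAME = GOOD_FRAME.replace(ie(ELEM_SSID, b"guest"),
                               bytes([ELEM_SSID, 40]) + b"guest")

if __name__ == "__main__":
    print("good frame SSIDs:", ssids(GOOD_FRAME))
    print("inner length lies, rejected:", rejects(BAD_FRAME))
    print("frame cut short, rejected:", rejects(GOOD_FRAME[:-3]))
```

The point of the design is that the check `len(body) != length` is applied again for every nested list rather than once at the top, and that the nesting depth is capped: a parser that validates only the outermost element and then trusts the lengths inside it is exactly the shape of code that turns a crafted beacon into an out-of-bounds read or write.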

Qualcomm

Another critical vulnerability lies in the Qualcomm Bluetooth component and is listed as CVE-2022-22088. The description of the vulnerability says it’s a memory corruption in Bluetooth HOST due to buffer overflow while parsing the command response received from remote. The vulnerability has a CVSS score of 9.8 (out of 10). The vulnerability only applies to devices with certain Qualcomm chipsets. A full list of those chipsets can be found in the Qualcomm January 2023 Security Bulletin by looking at the details for this CVE number.



Fake Flipper Zero websites look to cause a big splash

Security researchers are advised to be on the lookout for scammers targeting their interest in the latest hard-to-obtain security testing tools. Flipper Zero, a slick-looking portable multi-tool which frequently makes its way into the news, is one of the hottest pieces of kit around for security folks and fans of hardware generally.

It’s also had some issues with regard to production, leading to a perfect storm of “I want this” butting heads with “This is a great opportunity for a bit of scamming”. Indeed, the device is currently listed as being sold out on the official portal. If you do have one to sell, you’re going to be very popular and this is something scammers can most definitely work with.

A world of fake Flippers

Security researcher Dominic Alvieri warns of fake Flipper Zero websites claiming to offer the product for sale.

The sites, promoted by imitation Twitter accounts, look very much like the real thing. Two of the accounts have deleted all of their Tweets and one account itself is now deleted. However, Bleeping Computer notes that the accounts had previously been responding to queries regarding availability.

A nice payday?

At least one known site is still online and “selling” non-existent Flipper devices. As the standard price for a Flipper Zero is $169, and the bogus site in the Bleeping Computer screenshot is $199, that could mean a very tidy profit for someone up to no good.

The payment process asks for a variety of personal information, with an eventual request for payment in various forms of cryptocurrency.

While the sites are being grouped under the banner of phishing, it could be that collecting security researcher data (or anyone else’s, for that matter) is secondary in this case to the desire to simply make some quick cash. This isn’t to say nobody is interested in the data; it could be revisited once the payments run their course (assuming anyone actually pays up, which hasn’t happened yet).

Phishing for authenticity

At time of writing, Bleeping Computer mentions that no payments have yet been made to whoever is setting up these fake websites. Meanwhile, Flipper Zero has multiple problems across other social media sites like Instagram where a lack of verification for the Flipper account means there’s no way to report the (many) imitations.

Unfortunately it’s a case of our fishy friend experiencing a phishy time of things for the immediate future. If you’re on the lookout for new hardware, whether Flipper related or otherwise, always take steps to verify the legitimacy of links which come your way. Ironically, recent changes to Twitter’s verified profile status means that it’s not easy to do this anymore. In this case, doubly so as the official Flipper Zero account’s blue checkmark is a paid Twitter Blue account. This means that in theory anyone could have set it up if the Flipper Zero folks hadn’t been fast enough. The good news is that the official Twitter account is linked from the official Flipper Zero website, so it’s likely to be the real thing.

Plenty more phish in the sea? Let’s hope not.



Software provider denied insurance payout after ransomware attack

The Supreme Court of Ohio issued a ruling days before the New Year that a software and service provider’s insurance policy does not cover its losses from a ransomware attack, because the attack caused no direct physical loss of, or damage to, anything tangible: software has no physical components to damage.

“When insurance policy covers ‘physical damage’, there must be direct physical loss or physical damage of the covered media containing the computer software in order for the software to be covered under the policy,” the opinion document noted.

This decision overturned a lower court ruling involving EMOI Services, an Ohio-based company selling software for scheduling appointments, medical billing, and record keeping. In 2019, attackers gained access to EMOI’s computer systems, planted ransomware, and demanded a ransom of three Bitcoins, worth about $35,000 at the time. After hiring a third-party vendor to fix the systems, EMOI’s owners realized it would cost them less to pay the ransom, so they did.

After the company paid the ransom, the attackers handed over the decryption key to restore data. However, some systems and files remained encrypted, such as EMOI’s telephone system and a trove of its non-critical files.

When EMOI Services filed an insurance claim for losses from the ransomware attack, covering the ransom payment and the costs of investigating the attack, remediating it, and upgrading its security systems, its insurer, Owners Insurance Co., denied the claim. The insurer contended the attack caused no “direct physical loss to media”, which is what the policy covers. EMOI Services then sued Owners Insurance Co., alleging breach of contract.

The Court of Common Pleas in Montgomery County ruled in favour of the insurer, agreeing that EMOI’s policy only covers direct physical loss or damage. The Second District Court of Appeals, however, reversed this, saying coverage was possible if EMOI could prove the ransomware attack caused actual damage to its software.

The opinion in the Supreme Court of Ohio finally set it all straight: EMOI’s insurance policy is “clear and unambiguous in its requirement”. “Since software is an intangible item that cannot experience direct physical loss or direct physical damage, the endorsement does not apply in this case,” the ruling said. This was made despite the policy defining computer software as a form of “media”.

“EMOI contends that the policy covers that damage even when there has been no damage to hardware. We are not persuaded by this argument. The most natural reading of the phrase ‘direct physical loss of or damage to’ is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media,” the court elaborated on its ruling. Note that the stresses in these statements were reproduced from the court document.

“Similarly, although the term ‘computer software’ is included within the definition of ‘media,’ it is included only insofar as the software is ‘contained on covered media.’ We hold that ‘covered media’ means media that has a physical existence.”

In an email interview with Insurance Journal, Policyholder attorney K. James Sullivan said the Ohio Supreme Court looked at the issue of direct physical loss with a “20th Century lens.”

“I suspect we’re going to see an increasing number of losses to policyholders driven by twenty-first century fact patterns, such as pandemics, harm to computer systems, harm to air quality, etc., so it will be interesting to watch how the Ohio Supreme Court, insurers, and policyholders adapt going forward,” Sullivan said. “Based on the underpinnings of these most recent opinions, it seems that insurance policy language needs to catch up to the evolving and emerging risks faced by modern-day Ohio policyholders.”



FBI warns of imposter ads in search results

The FBI has issued a public notice which includes advice to block adverts. Why? Let’s take a look.

The bogus advert tightrope

It’s no secret that rogue ads have been a particular plague on the Internet for as far back as we can remember. From irritating pop ups and spinning “You’ve won a prize” banners to adverts pushing malicious redirects and malvertising, you never quite know what’s waiting in your browser when the page you request loads up.

The FBI warning concerns fake ads impersonating the real thing and diverting potential victims off to parts unknown.

…cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.

The ads are regular search engine advertisements that typically sit at the top of your Google or Bing searches. (Depending on the search engine used, ads are indicated by the word “Sponsored” or “Ad”.) The ads the FBI is warning about are paid for by criminals, and mimic real brands by using similar domain names and linking to legitimate-looking web pages that are “identical to the impersonated business’s official webpage.”

Frustratingly, the FBI’s release is quite light on details but it does provide some suggestions for avoiding these scams.

Suggestions for avoiding these rogue ads

The FBI advice for people generally:

  • Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Rather than search for a business or financial institution, type the business’s URL into an Internet browser’s address bar to access the official website directly.
  • Use an ad blocking extension when performing Internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.

The FBI advice for business:

  • Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
  • Educate users about spoofed websites and the importance of confirming destination URLs are correct.
  • Educate users about where to find legitimate downloads for programs provided by the business.
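The advice to users and the advice to businesses are two sides of the same check: a person reads the domain for a misplaced letter, and a monitoring service watches for registrations of domains one letter away from the brand. As an added example (not from the FBI notice and not any vendor’s product), the Python below does both for a constructed brand domain, examplebank.com: it generates the typo, homoglyph and wrong-TLD variants a monitoring service would watch for, and it classifies a URL a user is about to click as official, lookalike or unrelated. The registrable-domain logic is a deliberate simplification (it takes the last two labels and knows nothing of the public suffix list, so co.uk-style domains are not handled), and the homoglyph table and TLD list are assumptions.

```python
"""Generate lookalike domains for a brand and classify URLs against them."""
from urllib.parse import urlsplit

# Assumption: a small table of visually confusable substitutions.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "rn": "m", "vv": "w"}
COMMON_TLDS = ("com", "net", "org", "co", "info")   # assumption


def lookalike_candidates(brand):
    """Domains a registration-monitoring service would watch for `brand`."""
    label, tld = brand.lower().rsplit(".", 1)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                      # omission
        labels.add(label[:i] + label[i] + label[i:])               # doubled letter
        if i + 1 < len(label):                                     # transposition
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, dst in HOMOGLYPHS.items():
        if src in label:
            labels.add(label.replace(src, dst))
    labels.discard(label)
    out = {f"{lab}.{tld}" for lab in labels}
    out |= {f"{label}.{t}" for t in COMMON_TLDS if t != tld}      # wrong TLD
    return out


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent swap
    return d[len(a)][len(b)]


def registrable(host):
    """Simplification: the last two labels form the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(url, brand_domains):
    """'official', 'lookalike' or 'unrelated' for the host a URL points at."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    reg, subdomains = registrable(host)
    if "." not in reg:
        return "unrelated"
    reg_label = reg.rsplit(".", 1)[0]
    for brand in brand_domains:
        brand = brand.lower()
        brand_label = brand.rsplit(".", 1)[0]
        if reg == brand:
            return "official"
        if brand_label in subdomains:                    # brand.com.evil.net
            return "lookalike"
        if reg in lookalike_candidates(brand):           # typo / homoglyph / TLD
            return "lookalike"
        if edit_distance(reg_label, brand_label) <= 1:   # e.g. example-bank
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    brands = ["examplebank.com"]
    for url in ["https://www.examplebank.com/login", "examp1ebank.com",
                "https://example-bank.com", "examplebank.com.secure-login.net/",
                "https://duckduckgo.com"]:
        print(f"{url:45} {classify(url, brands)}")
```

The subdomain check matters as much as the spelling checks: a page at examplebank.com.secure-login.net passes a quick glance at the start of the address bar, which is why the FBI’s advice is to type the business’s own URL rather than trust what the ad shows.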

A step too far, or the inevitable conclusion of bad ads out of control?

The really fascinating part here is the suggestion to block adverts. This isn’t something I recall seeing from law enforcement before, even if there is a light reference to enabling and disabling ads on “certain websites”. As noted by Techspot, blocking ads remains a controversial subject in some quarters. It’s likely that many sites you use rely on advertising cash to keep the lights on, with others moving into subscription, paywall, and additional features models instead.

Some folks and organisations use dedicated ad blocker extensions via their browser, or prefer the options found in script blocking apps. Others rely on security tools to block ads or detect and neutralise exploits and malvertising.

Whatever your approach and opinion of paid advertising online, the problem of bad ads cluttering up sponsored search results will be around for a long time to come. While the FBI release may give some folks the impression that fake adverts in search listings are a new threat, they’ve been around forever. Even so, criminals know that it works and often gets results.

If you’re shopping around, or looking for financial advice and services, you could do worse than be very cautious around those paid results at the top of your page. A few minutes of hesitation could help you avoid a few hours of calling up customer support.



Update VPN Plus Server now! Synology patches vulnerability with a CVSS of 10

Synology has issued an advisory about a vulnerability that allows remote attackers to execute arbitrary commands through a susceptible version of Synology VPN Plus Server.

VPN Plus Server

VPN Plus Server allows users to turn their Synology Router into a Virtual Private Network (VPN) server.

A VPN uses encryption to create a secure connection over a public network, such as the Internet. Consumer VPNs create a secure tunnel between a user and their VPN provider, so they can hide their browsing habits from their ISP and use their VPN provider’s IP address to connect to the Internet. Business VPNs create a tunnel between a user and the organization they work for, so they can access business information securely over the Internet.

The Synology VPN Plus Server is a business VPN that allows users to easily access and control client desktops within a network under a Synology Router, from anywhere, as long as they have Internet access, without further need of a client software.

Vulnerability

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in VPN Plus Server got listed as CVE-2022-43931.

The vulnerability is described as an out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 which allows remote attackers to execute arbitrary commands via unspecified vectors. The CVSS score of the critical vulnerability is rated at 10 (out of 10).

An out-of-bounds write vulnerability lets an attacker write past the limits of a buffer into memory the program uses for something else, such as other variables or the pointers that decide what code runs next. Controlling that memory can let an attacker run code of their choosing with the permissions of the vulnerable program, permissions the attacker should never have had.

The vulnerability was discovered internally by the Synology Product Security Incident Response Team (PSIRT). However, just because the problem wasn’t discovered by criminals, that doesn’t mean they won’t use it. Sometimes patches are reverse engineered by threat actors so they can understand what’s been fixed, create an exploit for it, and use it against unpatched systems.

The affected products are VPN Plus Server for SRM 1.3 which needs to be upgraded to 1.4.4-0635 or above, and VPN Plus Server for SRM 1.2 which needs to be upgraded to 1.4.3-0534 or above.

To upgrade VPN Plus Server, go to Package Center, stop the VPN Plus Server service and install the latest version via Package Center.

As a workaround, you can disable the Remote Desktop feature. To do so, click Synology VPN in the left panel of the VPN Plus Server management interface, go to Remote Desktop, and untick Enable Remote Desktop.



LastPass updates security notice with information about a recent incident

The password management company LastPass notified customers in late December about a recent security incident. The notice was posted as an update of the security incident previously reported in August of 2022, which was also updated and covered on November 30, 2022.

According to LastPass, an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August incident. Some of the stolen source code and technical information were used to target another LastPass employee, which allowed the threat actor to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Actions for customers

LastPass states that users that followed their best password practices have nothing to worry about. LastPass’ default master password settings and best practices include the following: 

  • Since 2018, a twelve-character minimum for master passwords is required.
  • LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. You can check the current number of PBKDF2 iterations for your LastPass account here.
  • It is recommended that you never reuse your master password on other websites. This holds for any password, but reusing the master password completely defeats the security advantage of using a password manager: if it is leaked or stolen elsewhere, threat actors can use credential stuffing techniques to unlock the vault along with other accounts.

According to LastPass, if you followed these guidelines, it would take millions of years to guess your master password using generally-available password-cracking technology.
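To see what those two defaults buy, here is an added example (not LastPass’s code: the real vault key derivation is not reproduced, and the salt, the output length and the attacker’s guess rate are assumptions) that derives a key from a master password with PBKDF2-HMAC-SHA256 at 100,100 iterations and estimates how long exhausting every 12-character password would take at a given guess rate, and how that estimate moves with length and iteration count.

```python
"""Cost of guessing a master password protected by PBKDF2 (added example)."""
import hashlib
import string
import time

ITERATIONS = 100_100            # LastPass's stated default
MIN_LENGTH = 12                 # LastPass's stated minimum since 2018
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 -> 32-byte key. Assumption: a per-user salt such as
    the account email; the vendor's exact construction is not reproduced."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.lower().encode("utf-8"), iterations, dklen=32)


def years_to_exhaust(length, alphabet, rate, iterations=ITERATIONS):
    """Worst-case years to try every password of `length` characters drawn from
    an alphabet of `alphabet` symbols, given `rate` PBKDF2 guesses per second
    measured at ITERATIONS. Each iteration is one serial HMAC, so the guess
    rate scales inversely with the iteration count."""
    effective_rate = rate * ITERATIONS / iterations
    return alphabet ** length / effective_rate / SECONDS_PER_YEAR


def local_guess_rate(iterations=ITERATIONS, samples=10):
    """Single-core PBKDF2 throughput on this machine, in guesses per second."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), b"salt",
                            iterations, dklen=32)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "user@example.com")
    print("vault key:", key.hex())
    # Assumption: a well-equipped attacker manages 1e6 guesses/s at 100,100
    # iterations; measure your own machine for a sense of scale.
    ATTACKER_RATE = 1e6
    print(f"this machine, one core: {local_guess_rate():.0f} guesses/s")
    for length in (8, 10, MIN_LENGTH):
        years = years_to_exhaust(length, PRINTABLE, ATTACKER_RATE)
        print(f"{length:2d} printable chars at {ITERATIONS:,} iterations: {years:.3g} years")
    cheap = years_to_exhaust(MIN_LENGTH, PRINTABLE, ATTACKER_RATE,
                             iterations=ITERATIONS // 10)
    print(f"{MIN_LENGTH} chars at a tenth of the iterations: {cheap:.3g} years")
```

Two things fall out of the arithmetic. Length dominates: going from 8 to 12 printable characters multiplies the search space by 94 to the power 4, which is what turns a few hundred years into the “millions of years” figure. And the iteration count is a linear, not exponential, lever: an account left at a tenth of the iterations costs the attacker a tenth as much per guess, which is why the iteration setting for existing accounts is worth checking.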

If you haven’t done so already, we would advise that you enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password was compromised. The instructions to enable MFA can be found on the LastPass support pages.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

As a keeper of that many passwords, LastPass is juicy prey for threat actors. So, it comes as a surprise that the initial breach was able to lead to further compromises.

Unencrypted data

Security researchers are worried about the fact that LastPass stores website URLs unencrypted.

The concern was raised because the security notice says:

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

It is indeed hard to understand why LastPass would not consider website URLs sensitive fields, and it makes you wonder what the other unencrypted data is. Leaked website URLs can lead to targeted phishing attacks, so LastPass users should be extra wary of emails asking them to log in or change their password at sites for which they have a password stored in LastPass. Always visit the site directly and do not follow the links in emails. And, as always, enable MFA where you can.

We have reached out to LastPass to ask for additional information and we will keep you informed here.



Okta breached last month, no customers compromised

Some of Okta’s source code fell into the hands of an unauthorized party. The code was stolen from GitHub in the first part of December, according to a statement issued by the company. In the same statement the company reassured users that there was no impact to any customers.

Okta

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on: a central platform where employees log in once in order to access the resources that an organization’s IT staff have assigned to them. This kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

Stolen source code

GitHub alerted Okta about a possible breach in early December. An investigation by Okta revealed that the unauthorized access was used to copy code from the Okta Workforce Identity Cloud (WIC) code repositories.

Okta Workforce Identity Cloud provides a unified solution for secure access to any resource from any user that needs it, while maintaining the “Principle of Least Privilege” (POLP). The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function.

Customers unaffected

In the statement that was also sent out by mail to security contacts, Okta told their customers that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. This includes Okta’s HIPAA, FedRAMP, and DoD customers. This is because Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully functional and secure.

Auth0

A few months ago, Okta subsidiary Auth0 disclosed a similar incident, in which code repository archives that predated Okta’s acquisition of Auth0 were stolen. It never became clear how the unauthorized party, which notified Okta that it possessed the archives, exfiltrated them.

LAPSUS$

Okta themselves admitted to a breach that happened in January of 2022, where the LAPSUS$ cybercriminal group accessed two active customer tenants within their SuperUser application and viewed limited additional information in certain other applications like Slack and Jira that could not be used to perform actions in Okta customer tenants. The January breach was initially believed to have a much larger impact and there was talk of possibly 366 customers that might be affected.

Measures

When Okta learned of the latest incident, it placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications. The company also reviewed the integrity of all the code that was recently placed on GitHub, and rotated GitHub credentials. Law enforcement has also been notified of the breach.


Godfather Android banking malware is on the rise

Researchers at Cyble Research & Intelligence Labs (CRIL) have found a new version of the Android banking Trojan called Godfather.

The new version of Godfather uses an icon and name similar to a legitimate application named MYT Music, which is hosted on the Google Play Store with over 10 million downloads.

History

Group-IB researchers established that Godfather is a successor of Anubis. Anubis was a widely used Android banking Trojan that lost popularity after its functionality got limited by Android updates and security vendors’ detection and prevention efforts.

Godfather’s success is mostly due to its ability to create convincing lay-over screens for over 400 applications. These lay-over screens, or web fakes, are basically HTML pages created by threat actors that display over legitimate applications. This allows the threat actors to harvest login credentials for banking applications and other financial services. The target apps include banking applications, cryptocurrency wallets, and crypto exchanges.

The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.

Install

Several of the new Godfather samples were found masquerading as the MYT Müzik application, which is written in the Turkish language. After installation, it uses an icon and a name that are very similar to those of a legitimate application named MYT Music. MYT Music is a popular app with over 10 million installs.

Getting permissions

To get the necessary permissions, the Trojan poses as Google Protect, which is a standard security tool found on all Android devices. It pretends to initiate a scan and asks the user for access to the Accessibility Service, which makes sense to the user given that they think the app will scan the device. With access to the Accessibility Service, the Trojan can grant itself all the permissions it needs to steal information from the affected device.

Capabilities

Once fully active, Godfather steals sensitive data such as SMS messages, basic device details including installed apps data, and the device’s phone number. It can also control the device screen, forward incoming calls of the victim’s device, and inject banking URLs. The Trojan is capable of initiating money transfers by making USSD (Unstructured Supplementary Service Data) calls without using the dialer user interface.

It sends the harvested data to the attackers, who in turn now know which apps are installed and can inject the HTML phishing pages that are most effective for the victim, namely those imitating apps the victim has installed. The Command & Control (C2) server’s URL is fetched from a Telegram channel.

IOCs

For the variant posing as the MYT Müzik app, CRIL provided:

APK Metadata Information

  • App Name: MYT Müzik
  • Package Name: com.expressvpn.vpn
  • SHA256 Hash: 138551cd967622832f8a816ea1697a5d08ee66c379d32d8a6bd7fca9fdeaecc4

Malwarebytes for Android detects these new variants of the Godfather Trojan as Android/Trojan.Spy.Banker.MYT.

How to avoid malware

There are a few basic guidelines that can help you prevent installing malware on your device.

  • Download and install software only from official app stores like Google Play Store or the iOS App Store. And check whether the app you are downloading is exactly the one you wanted and not some imitator.
  • Use a reputable anti-virus/anti-malware and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication (MFA) wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device if possible.
  • Be very careful before opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions. Reading carefully what you are allowing an app to do helps you flag unusual and suspicious requests.
