WhatsApp’s locked chats set to sync across all your linked devices

Towards the end of last year, WhatsApp dropped a neat little update that beefed up its privacy and security game: a secret code to lock down chats. This nifty tweak aimed to give users an added layer of privacy by hiding locked chats from plain sight and requiring a personal code for access. But for now, it is only available on primary devices. However, that might change soon.

According to the go-to source for WhatsApp updates, WABetaInfo, the latest WhatsApp beta for Android 2.24.8.4 update on the Google Play Store reveals something interesting: WhatsApp is cooking up a locked chats feature for linked devices.

If you check out the attached screenshot, you will see that WhatsApp explores the idea of locked chats support for linked devices in a future app update. To unlock these chats on a linked device, users will need to set up a secret code.

This code can be set up on the primary phone under chat lock settings by choosing the secret code option. Once set up, locked chats vanish from the chats list and can only be accessed via this privacy feature on linked devices.

Introducing this feature for linked devices is a win for both privacy and user convenience. It ensures that locked chats stay synced across all devices, letting users easily access their protected conversations from anywhere without worrying about prying eyes.

Currently, locked chats are stuck on the primary device, potentially exposing conversations on linked devices – a privacy no-no. The locked chats feature for linked devices is in the works and will roll out in a future update.

In other WhatsApp news, the messaging app also started rolling out a new bottom navigation bar for smoother use and is testing a fresh look for its calling screen, making it easier to hang up. Keep an eye out for updates!



Imperva Web Application Firewall Flaw Let Attackers Bypass WAF Rules


Imperva SecureSphere WAF, a security tool for on-premise web applications, has a vulnerability in some versions that allows attackers to bypass filters when inspecting POST data. 

By sneaking malicious content past the WAF, attackers could potentially exploit security flaws in the protected web applications that the WAF would normally block, which compromises the security of the web applications shielded by the WAF. 

A critical vulnerability (CVE-2023-50969) exists in Imperva SecureSphere WAF versions that lack the update referenced in the “Fixed Version(s)” section, allowing attackers to bypass WAF rules designed to inspect POST data, potentially enabling the exploitation of vulnerabilities in protected applications that the WAF would normally block.

The attacker doesn’t need to authenticate and can exploit the vulnerability remotely, while it is rated critical due to the high severity of bypassing security controls. 


Technical Details Of The Vulnerability:

The code snippet shows a PHP webshell named clam.php, which renders a form that lets users submit arbitrary commands through a text input field.

Code snippet

When the form is submitted, the `system` function is used to execute the submitted command on the server, posing a security risk because it allows attackers to remotely execute arbitrary code on the server, potentially compromising the system.

The lack of proper input validation and sanitization in the code allows for the injection of malicious code through user input, which an attacker could use to upload malicious files, steal sensitive data, or deface the website.

A security vulnerability exists where a system command can be executed through a POST request with a specific parameter, where standard WAF rules typically block such attempts (e.g., reading password files). 

Attempts blocked by a standard WAF rule

By manipulating the Content-Encoding header, one can get around the rules by tricking the WAF into misinterpreting the data and allowing the malicious command to run. 

Result after modifying request

A specific WAF rule vulnerability allows attackers to bypass security by sending a malformed HTTP request with a double Content-Encoding header (“No Kill No Beep Beep” and “deflate”) followed by a throwaway parameter before the actual malicious data. 
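A defensive check for the request shape described above, as an added example (not code from Imperva or from the original research): it parses a raw HTTP request and flags repeated Content-Encoding headers and encoding tokens the inspecting layer cannot decode, so such requests are rejected instead of being passed on uninspected. The function names, the supported-encoding set, the host name and the sample requests are assumptions constructed for illustration.

```python
"""Flag requests whose Content-Encoding an inspecting proxy cannot decode unambiguously."""

# Encodings this hypothetical inspection layer can decode (assumption).
SUPPORTED_ENCODINGS = {"identity", "gzip", "deflate"}


def parse_headers(raw_request: bytes):
    """Return (request_line, [(name, value), ...]), keeping duplicates and order."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Obsolete line folding: continuation of the previous header value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def content_encoding_findings(raw_request: bytes):
    """List the reasons the body cannot be trusted to be inspected as sent."""
    _, headers = parse_headers(raw_request)
    values = [v for n, v in headers if n == "content-encoding"]
    findings = []
    if len(values) > 1:
        findings.append(f"{len(values)} Content-Encoding headers present")
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token and token not in SUPPORTED_ENCODINGS:
                findings.append(f"unsupported encoding token: {token!r}")
    return findings


def should_block(raw_request: bytes) -> bool:
    """Fail closed: block what the inspection layer cannot decode with certainty."""
    return bool(content_encoding_findings(raw_request))


def _request(extra_headers):
    """Build a constructed sample POST with a harmless form body."""
    body = b"x=1&field=hello"
    lines = [
        b"POST /app HTTP/1.1",
        b"Host: shop.example",
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(body)).encode(),
    ] + extra_headers + [b"", body]
    return b"\r\n".join(lines)


# Constructed samples: a plain request, a single supported encoding, and the
# doubled header (unknown token plus "deflate") described in the article.
NORMAL_REQUEST = _request([])
GZIP_REQUEST = _request([b"Content-Encoding: gzip"])
DOUBLE_HEADER_REQUEST = _request([
    b"Content-Encoding: No Kill No Beep Beep",
    b"Content-Encoding: deflate",
])

if __name__ == "__main__":
    for label, req in [("normal", NORMAL_REQUEST), ("gzip", GZIP_REQUEST),
                       ("double", DOUBLE_HEADER_REQUEST)]:
        print(label, should_block(req), content_encoding_findings(req))
```

The same rule can sit in front of any inspection layer: a body whose declared encoding is ambiguous or unknown is rejected, because the backend may interpret it differently from the filter.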

According to Hoya Haxa, the vulnerability was reported to Imperva on November 10th, 2023, and an update to address it was released through Imperva’s ADC rules on February 26th, 2024. Details regarding the vulnerability and the remediation process were publicly disclosed in a blog post on March 27th, 2024.


Google Home ‘vision’ & more highlighted during Reddit AMA


Multiple managers of Google Home held a Reddit AMA (Ask Me Anything). Most were inundated with active users and home automation tinkerers.

The team developing and managing Amazon Alexa’s main rival in home automation assured they have a “vision and roadmap”. However, several Redditors who pounced on the opportunity to discuss Google Home’s future had more queries than answers.

Google Home on the web and “additional controls” on their way

Google Home is one of the most aggressively priced home automation and AI virtual assistants. The uniquely shaped Alexa competitor also rivals third-party and open-source solutions.

The Google Home team that participated in the Reddit AMA included quite a few product and engineering managers. Unlike the multimedia question-and-answer session the Reddit CEO held recently to justify his handsome compensation, the Google Home team had a text-only session.

“We’re the team behind the latest updates to Nest devices and Google Home for web – ask us anything!” (posted by u/kelanfromgoogle in r/googlehome)

Using the platform, several Redditors posted multiple lengthy posts. One particular post asked when Google would release additional Google Home controls on the web, add devices, and replace Google Assistant with Gemini.

Google Home team is actively working to, “bring additional device control to Google Home for web,” revealed Jacqueline, a Google Home and Nest Product Manager. Needless to add, this does not truly address the question, and the team hasn’t offered any timeline.

As is the norm, support for new devices and additional controls for the existing home automation and IoT devices should first appear in a Public Preview. As expected, the team remained tight-lipped about letting Google’s Gemini AI engine take over from Google Assistant.

Offline or local interactions coming soon to Google Home

For a multi-billion-dollar company, Google Home doesn’t appear to have an expansive and quickly-growing support for smart devices. Additionally, the product often struggles to understand human voices, several comments on the Reddit AMA indicated.

Presumably, that’s why Google Home doesn’t get as much promotion as a Pixel smartphone. The open-source Home Assistant platform, in comparison, has a lot of traction.

The entire Google Home platform seems to be trailing its main rival Amazon Alexa and its products and services. During the Reddit AMA, the platform’s managers couldn’t commit to a large number of features, bugs, troubleshooting requests, and additions Redditors eagerly requested.

The team, however, did indirectly admit that Google Home’s instructions and interactions faced reliability and latency issues. To improve the speed or reduce the time taken between a user speaking out instructions and Google Home addressing them, Google is focused on routing more instructions locally.

Team member Daniel revealed that once Google feels it has a “significant” amount of your traffic operating locally, it will shift to focus on bringing “powerful” offline capabilities through the app. At present, Google Home users need an active internet connection for most of the instructions. This could change soon with a definitive offline mode for Google Home.



Backdoor in upstream xz/liblzma Lets Attackers Hack SSH Servers


A startling revelation has identified a dangerous security vulnerability in the xz compression utility, specifically within its liblzma library. This vulnerability has been found to compromise SSH server security.

Xz Utils is a tool found almost everywhere in Linux. It compresses data without losing any information and is available on almost all Linux-like systems.

It’s important for making data smaller or returning it to its original size during various tasks. Xz Utils can also work with the old .lzma format, which makes it even more useful.

The issue, traced back to a backdoor in the upstream xz repository, was first noticed due to unusual system behavior on Debian sid installations, including excessive CPU usage during SSH logins and errors reported by the memory error detector, Valgrind.

Discovery of the Backdoor

The investigation, led by security expert Andres Freund, uncovered that the backdoor was not limited to Debian’s package but was, in fact, present in the upstream xz tarballs for versions 5.6.0 and 5.6.1.

This malicious code was ingeniously hidden within the distributed tarballs and not in the source code available on the repository, making it particularly insidious.

The backdoor operates by injecting an obfuscated script into the build process, which then modifies the Makefile to execute a payload hidden within seemingly innocuous test files.

Once executed, this payload can modify the behavior of the SSH server, significantly slowing down SSH logins and potentially allowing unauthorized access.


Scope and Impact

The vulnerability explicitly targets x86-64 Linux systems built with GCC and the GNU linker and appears to be designed to evade detection by only activating under certain conditions, such as during the build process of Debian or RPM packages.

This targeted approach suggests a sophisticated understanding of Linux distribution build systems and a clear intent to infiltrate these systems undetected.

Notably, the backdoor does not directly affect the OpenSSH package but exploits a dependency chain where systemd support, patched into OpenSSH by several Linux distributions, relies on the compromised liblzma.

This indirect attack vector highlights the complex interdependencies in modern software ecosystems and the potential for widespread impact from a single vulnerability.

According to the Red Hat report, this backdoor is only in the latest branch of xz (versions 5.6 and 5.6.1). People still running versions 5.4 and older should be fine.

“Current investigation indicates that the packages are only present in Fedora 40 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected.”

Response and Mitigation

The discovery of this vulnerability has prompted immediate action from the security community.

Red Hat has assigned the issue CVE-2024-3094, and efforts are underway to patch affected systems and prevent further exploitation. A detection script has also been developed to help system administrators identify potentially vulnerable installations.
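A version-based triage check built on the affected releases named above, as an added example; it is not the detection script the article refers to. It classifies `xz --version` output and checks whether `ldd` output for sshd lists liblzma; the function names, result labels and sample outputs are constructed for illustration.

```python
"""Triage a host for CVE-2024-3094 from `xz --version` and `ldd sshd` output."""
import re
import shutil
import subprocess

# Upstream releases the article names as carrying the backdoor.
BACKDOORED_RELEASES = {"5.6.0", "5.6.1"}

# `xz --version` prints one line for the tool and one for the library.
_VERSION_LINE = re.compile(r"^(xz \(XZ Utils\)|liblzma)\s+(\d+(?:\.\d+)+)", re.M)


def parse_xz_versions(version_output: str) -> dict:
    """Return {'xz': '5.6.1', 'liblzma': '5.6.1'} for whichever lines are present."""
    found = {}
    for label, version in _VERSION_LINE.findall(version_output):
        found["liblzma" if label == "liblzma" else "xz"] = version
    return found


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True when the dynamic dependencies listed by ldd include liblzma."""
    return any(line.strip().startswith("liblzma.so")
               for line in ldd_output.splitlines())


def triage(version_output: str, ldd_output: str) -> str:
    """Classify a host; a version match is a signal to investigate, not proof."""
    versions = parse_xz_versions(version_output)
    if not versions:
        return "unknown"
    if not any(v in BACKDOORED_RELEASES for v in versions.values()):
        return "not-affected-release"
    if sshd_links_liblzma(ldd_output):
        return "affected-release-sshd-exposed"
    return "affected-release"


# Constructed sample outputs (not captured from a real host).
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_OLDER = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_LDD_LINKED = (
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000200000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)\n"
)
SAMPLE_LDD_PLAIN = (
    "\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000300000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)\n"
)


def _run(cmd):
    """Run a command and return its stdout, or '' if it cannot be started."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    print("this host:", triage(_run(["xz", "--version"]), _run(["ldd", sshd])))
    print("sample   :", triage(SAMPLE_AFFECTED, SAMPLE_LDD_LINKED))
```

Because the backdoor activates only under certain build conditions, a matching version marks a host for upgrade and closer inspection and does not prove the payload is present.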

Given the severity of the vulnerability and the potential for unauthorized access to affected systems, users and administrators of potentially impacted systems are urged to upgrade their installations as soon as possible.

The discovery of this backdoor serves as a stark reminder of the ongoing threats to software security and the need for vigilance in monitoring and securing critical infrastructure.

The discovery of a backdoor in the widely used xz compression utility underscores software security’s persistent challenges.

As attackers develop sophisticated infiltration methods, the security community must remain vigilant in identifying and mitigating vulnerabilities.


Google Play ‘Super Weekly Prize’ gives away 200 Pixel phones


Google Play is organizing an enticing new giveaway, the “Super Weekly Prize,” exclusively for Gold, Platinum, and Diamond tier members of the Play Points program. The prize raffle is one of the many perks you get if you haven’t redeemed your Play points in a while and you have reached the Gold tier or above.

Google is offering you a chance to score a Pixel 8 phone with Google Play Points

According to 9to5Google’s recent post, members of Play Points from Gold, Platinum, and Diamond levels are now receiving invites to participate in the “Super Weekly Prize.” Under this promotion, the prizes for Platinum users include Pixel 8 Pro Mint (100 pcs), Pixel 8 Mint (100 pcs), and 1000 Google Play points each for 10,400 people.

There haven’t been any claims regarding Pixel 8 or 8 Pro distribution yet, which means a random selection process is in effect. All participants only have one chance of winning, and the winner selections are random.

The Super Weekly Prize is one of the reasons why Google Play Points members should rejoice since it doesn’t require any Play Points redemption. In addition, during the year 2022, Google introduced an exclusive giveaway with T-shirts for its Play Point Platinum members.

Google’s reward-based scheme has grown to over two hundred million members across all thirty-five marketplaces, making it one of the most extensive loyalty programs globally. Its enhanced incentives include the Super Weekly Prize Giveaway Campaign, rewarding its consistent followers with amazing opportunities where they can win valuable prizes.

Only Gold, Platinum, and Diamond tier members fit the criteria to participate in the giveaway

Participants must understand that prizes change depending on their level of membership and other qualifications may apply. Prizes depend on stock availability and eligibility requirements with the new ones getting shipped every Friday at 12:00 AM, midnight.

Super Weekly Prize adds some extra flavor to the Google Play Points program by offering members a chance to win Pixel 8 and 8 Pro handsets or point-based rewards, which make the overall membership experience slightly more thrilling.



Samsung seeks ways to enter the mobile banking game via a “super app” like WeChat


Samsung doesn’t want to just make smartphones, TVs, and all the other electronic devices it’s famous for. Apparently, the giant seeks ways to launch a so-called “super app” for mobile banking in collaboration with a major South Korean bank.

SamMobile’s report has it that this is a project of Samsung Financial Networks, a unit under Samsung Group’s financial affiliates.

The proposed super app could evolve from Monimo, a financial services app introduced by Samsung Financial Networks in April 2022. Monimo offers a range of services including money transfers, foreign currency exchange, and tools for comparing prices and searching for real estate and vehicles within South Korea.

While all of this sounds great, Monimo has struggled to build a large user base, only attracting a few million users in the face of stiff competition from bank and fintech-operated apps, which boast tens of millions of users.

Samsung has proposed collaboration with South Korea’s top five banks – KB Kookmin, Woori, Shinhan, Hana, and the digital-first K Bank – to create a mobile banking super app based on Monimo. The banks are expected to present their proposals to Samsung. As Samsung Group does not own a banking entity, this super app project offers a pathway into the mobile banking services market.

What’s a “super app”?


A “super app” is a mobile application that integrates multiple services and functions into a single platform, essentially serving as a one-stop solution for users. These services can include messaging, social media, payment and financial transactions, ordering food, booking transportation and travel, e-commerce shopping, and more.

The idea is to create a seamless, integrated user experience where various needs can be met without leaving the app. Super apps are particularly popular in Asia, with examples like WeChat in China and Gojek in Indonesia, where they have significantly influenced user behavior and digital economy ecosystems.

What’s WeChat?


WeChat is a multifaceted social media and messaging app developed by Tencent in China, first released in 2011. It has evolved into a “super app,” offering a vast array of services beyond its initial messaging function. Users can send text and voice messages, make voice and video calls, share images and videos, and post updates on their personal timelines.

WeChat’s platform extends to mobile payments and financial services through WeChat Pay, enabling users to conduct transactions smoothly, such as bill payments, money transfers, and purchases both online and offline.

Moreover, WeChat serves as a hub for various third-party services, including ride-hailing, food delivery, travel booking, and e-commerce. The app also offers mini-programs, which are smaller sub-applications within the WeChat ecosystem, allowing users to access a wide range of services without needing to install separate apps.

With its comprehensive features, WeChat has become an integral part of daily life for its users, primarily in China, effectively blending social, commercial, and financial functionalities into a single, cohesive platform.



Microsoft OneNote Files to Orchestrate Cyber Attacks


Hackers have been found leveraging Microsoft OneNote files as a vector to compromise systems across various industries.

The campaign, under the radar of cybersecurity experts, showcases a new trend in cyber threats, exploiting commonly used office applications to gain unauthorized access to corporate networks.

The Campaign Unveiled

The malicious campaign was first documented by pr0xylife on their GitHub repository. According to researchers from THE DFIR REPORT, it revealed a widespread email phishing operation targeting companies in manufacturing, technology, energy, retail, insurance, and several other sectors.

The emails contained OneNote attachments purporting to be “secure messages,” a guise to trick recipients into opening the files.


Proofpoint Threat Research highlighted the campaign’s relatively low volume, with researchers saying that fewer than a thousand messages were observed over two days.

However, the broad targeting across unrelated industries underscores the threat actors’ intent to cast a wide net, hoping to snag unsuspecting victims.

Execution and Initial Access

The attack begins with the victim receiving an email containing a OneNote file.

Upon opening, this file presents a large “Open” button behind which lies a Windows batch file named “O p e n.cmd.”

Once executed, this file leverages PowerShell to download an IcedID DLL disguised as a JPG file. This DLL then connects to command and control servers, signaling the system’s successful compromise.

OneNote Phishing Email

The simplicity of the initial access vector, coupled with the use of a non-sophisticated OneNote file, highlights the attackers’ reliance on social engineering rather than technical sophistication to breach corporate defenses.
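Detection logic for the execution chain described above (OneNote, then a batch file, then PowerShell), as an added example that is not taken from the original report. The events are constructed and only modelled on Sysmon process-creation fields (ProcessGuid, ParentProcessGuid, Image, CommandLine); paths, GUIDs, command lines and function names are assumptions.

```python
"""Flag script interpreters that descend from OneNote in process-creation events."""
from pathlib import PureWindowsPath

OFFICE_PARENT = "onenote.exe"
# Interpreters that should not normally be started from a note-taking app.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(event: dict) -> str:
    """Lower-cased executable name from the full image path."""
    return PureWindowsPath(event["Image"]).name.lower()


def ancestry(event: dict, by_guid: dict) -> list:
    """Parent, grandparent, ... of an event, nearest first; stops on loops or gaps."""
    chain, seen = [], set()
    parent = by_guid.get(event.get("ParentProcessGuid"))
    while parent and parent["ProcessGuid"] not in seen:
        seen.add(parent["ProcessGuid"])
        chain.append(parent)
        parent = by_guid.get(parent.get("ParentProcessGuid"))
    return chain


def onenote_script_chains(events: list) -> list:
    """Return one alert per script interpreter with OneNote among its ancestors."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for event in events:
        if image_name(event) not in SCRIPT_HOSTS:
            continue
        names = [image_name(p) for p in ancestry(event, by_guid)]
        if OFFICE_PARENT not in names:
            continue
        upto = names[: names.index(OFFICE_PARENT) + 1]
        chain = list(reversed(upto)) + [image_name(event)]
        alerts.append({
            "ProcessGuid": event["ProcessGuid"],
            "chain": " > ".join(chain),
            "CommandLine": event["CommandLine"],
        })
    return alerts


# Constructed events: one OneNote-rooted chain and one unrelated PowerShell session.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'ONENOTE.EXE "C:\Users\user\Downloads\message.one"'},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\O p e n.cmd"'},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe <constructed placeholder>"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for alert in onenote_script_chains(SAMPLE_EVENTS):
        print(alert["chain"], "|", alert["CommandLine"])
```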

Cobalt Strike Beacon and Persistence

The intrusion doesn’t stop at the initial breach.

On the 33rd day of the intrusion, the IcedID malware facilitated the execution of Cobalt Strike beacons, a testament to the attackers’ patience and persistence.

The IcedID malware was observed dropping several files

Cobalt Strike, a legitimate tool used by cybersecurity professionals, has been co-opted by hackers for malicious purposes, allowing them to maintain a foothold within the compromised network.

The campaign also demonstrated a method for achieving persistence by creating scheduled tasks and installing AnyDesk, a remote desktop software.

During the deployment of AnyDesk, a service creation event was generated under the System channel

This allowed the attackers to return to the compromised system at will, further entrenching their presence within the victim’s network.

Defense Evasion and Privilege Escalation

The attackers employed various techniques to evade detection, including masquerading the malware DLL as a standard image file type and using standard Windows process names for their malicious payloads.

The earliest indicators that something suspicious occurred were the Sysmon events

Additionally, the initial compromise was facilitated through an account in the domain administrators’ security group, bypassing the need for privilege escalation.

Exfiltration and Impact

The campaign’s ultimate goal appears to have been data exfiltration and ransomware deployment.

Threat actors were so kind to use the sponsored version, to bring some additional PUPs as well

The attackers prepared for exfiltration by installing FileZilla on the compromised server and later deployed Nokoyawa ransomware, encrypting files and demanding a ransom for their release.

Nokoyawa.

If you see this, your files have been successfully encrypted and stolen.

Don't try to search free decryption method.

It's impossible.

We are using symmetrical and asymmetric encryption.

ATTENTION:

        - Don't rename encrypted files.

        - Don't change encrypted files.

        - Don't use third-party software.

You are risking irreversibly damaging the file by doing this.

If you manage to keep things quiet on your end, this will never be known to the public.

To reach an agreement you have 48 hours to visit our Onion Website.

How to open Onion links:

        - Download the TOR Browser from the official website.

        - Open and enter this link:

               http://nokopay<REDACTED>

        - On the page, you will see a chat with the Support.

        - Send your first message.

Don't waste your time.

Otherwise, all your valuable and sensitive data will be leaked.

Our websites are full of companies that doubted the fact of the data breach or its extent.

        - http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion/

        - http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion/

        - http://snatchteam.top

This campaign underscores the evolving landscape of cyber threats, where attackers exploit the trust in commonly used applications to bypass traditional security measures.

The use of Microsoft OneNote files to deliver malware represents a shift towards more creative attack vectors, necessitating a reevaluation of cybersecurity strategies to protect against such threats.


A week in security (March 25 – March 31)


March 29, 2024 – Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

March 29, 2024 – Backing up your Mac is a simple process that can save your most important files from cyberthreats.

March 29, 2024 – An easy-to-understand guide on how to back up your Windows PC to OneDrive.

March 29, 2024 – An easy-to-understand guide on how to back up your iPhone to a Windows computer.

March 29, 2024 – An easy-to-understand guide on how to back up your iPhone or iPad to your Mac.



YouTube Music gives the share sheet a new look


Not too long ago, YouTube Music launched a new feature for recognizing songs. And now, the streaming platform is getting another tweak, adding a bit more convenience to the mix.

As reported by 9to5Google, YouTube Music is getting a makeover for the custom share sheet within the Android app. This redesign follows its recent rollout on iOS just a few days back.

Now, when you tap “Share,” you won’t see the grid-based sheet that used to take up more than half of the display. Instead, it is much smaller, featuring a carousel that displays about five targets per screen.

Below, you will find buttons for “Copy link,” which used to be the first option in the previous look, and “Share with other apps” to open the system Share sheet. The new size, about a third of the screen, is more convenient for one-handed usage.

This new design mirrors the layout of the YouTube app, but there are a few distinctions. For example, while the share sheet on YouTube Music spans edge-to-edge, the one on the main app has rounded edges.

YouTube Music launched in 2015 and has been on the rise since then. Stats indicate that its user base jumped by 60% between 2019 and 2020. When it comes to pricing, there is a free tier available for YouTube Music. However, it has several limitations, like no background playing and plenty of ads.

An individual subscription to YouTube Music costs $9.99 per month. Its main rivals, Apple Music and Spotify, also provide individual plans priced at $10.99.

Alternatively, you can access YouTube Music as part of your YouTube Premium subscription, priced at $13.99 per month. This premium package offers ad-free content on the main app, the option to download videos for offline viewing, background play, and additional features. Recently, YouTube Premium crossed the milestone of 100 million subscribers worldwide.



DinodasRAT Linux Malware Attack on Linux Servers


DinodasRAT, also known as XDealer, is a sophisticated C++ backdoor targeting multiple operating systems. It is designed to enable attackers to monitor and extract sensitive information from compromised systems covertly.

Notably, a Windows variant of this RAT was employed in attacks against government bodies in Guyana, an operation that was thoroughly analyzed by ESET researchers and named Operation Jacana.

Following ESET’s exposé in early October 2023, a previously unknown Linux variant of DinodasRAT was uncovered.

Indications suggest that this version, labeled V10 by the perpetrators, may have been active since 2022.

However, the first detected Linux variant, V7, dates back to 2021 and has not been publicly detailed. This report delves into the technical aspects of a Linux implant utilized by the attackers.


Infection and Persistence Mechanisms

The DinodasRAT Linux implant predominantly affects Red Hat-based and Ubuntu distributions. Upon execution, it generates a hidden mutex file to prevent multiple instances from running.

The backdoor achieves persistence through direct execution, SystemV or SystemD startup scripts, and by executing itself with the parent process ID as an argument, complicating detection efforts.

DinodasRAT
Backdoor main code

Victim Identification and Persistence

The RAT gathers system information and infection timing to create a unique identifier (UID) for the victim’s machine, which does not include user-specific data.

This UID comprises the infection date, an MD5 hash of the system’s hardware report, a random number, and the backdoor version.


The UID and other relevant details are stored in a hidden file, “/etc/.netc.conf”, which the RAT uses to maintain a profile of the backdoor.

Stealth and Service Manager Utilization

DinodasRAT employs techniques to avoid updating file access times and leverages Systemd and SystemV service managers to ensure its persistence on infected systems.

It determines the Linux distribution type and installs appropriate init scripts to launch the backdoor after network setup.

Command and Control (C2) Communication

The Linux variant communicates with its C2 server using TCP or UDP, with the domain hard-coded into the binary.

The RAT has a variable timed interval for sending information back to the C2, and if the user is root, communication is immediate.

It follows a structured network packet format and recognizes various commands for managing the infected system.

The Linux variant shares encryption methods with its Windows counterpart, using Pidgin’s libqq qq_crypt library functions and the Tiny Encryption Algorithm (TEA) in CBC mode.

It also shares encryption keys with the Windows version for C2 and name encryption.

The infrastructure used by DinodasRAT’s Linux versions was active during the analysis, with one IP address serving both Windows and Linux C2 domains.

The most affected regions include China, Taiwan, Turkey, and Uzbekistan. Kaspersky products detect this Linux variant as HEUR:Backdoor.Linux.Dinodas.a.

The discovery of the Linux variant of DinodasRAT highlights the threat actors’ capability to infiltrate Linux infrastructure. Unlike the Windows-focused Operation Jacana, the Linux variant does not prioritize user information for infection management.

Instead, it relies on hardware-specific data to generate UIDs, emphasizing the goal of maintaining access to Linux servers.
