Cyber Security Resource

Author: AddMgr

1170 posts, 0 comments
Our passion at Cyber Security Resource is to work with IT Security Officers, Risk Managers, IT Managers, and Business Professionals to meet their compliance and IT security requirements. We offer IT security risk assessments, network and application penetration testing, and certification readiness for HITRUST or SOC 2.

7 Hot Cyber Threat Trends to Expect at Black Hat

July 22, 2021, by AddMgr

Enterprise Vulnerabilities (from DHS/US-CERT's National Vulnerability Database)

CVE-2021-29149 (published 2021-07-22): A local bypass security restrictions vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xx…

CVE-2021-34431 (published 2021-07-22): In Eclipse Mosquitto versions 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker, a memory leak would occur, which could be used to mount a DoS attack against the broker.

CVE-2021-22001 (published 2021-07-22): In UAA versions prior to 75.3.0, sensitive information such as the provider's relaying secret was revealed in the response when a deletion request for an identity provider (IdP) of type "oauth 1.0" was sent to the UAA server.

CVE-2021-29143 (published 2021-07-22): A remote execution of arbitrary commands vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.0…

CVE-2021-29148 (published 2021-07-22): A local cross-site scripting (XSS) vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx…


Pegasus: The Case of the Infamous Spyware

July 22, 2021, by AddMgr

The case of the infamous spyware Pegasus has taken the world by storm, with reports revealing its unlawful use against many people's basic human rights. With remote surveillance of this kind now possible through an infected phone, cybersecurity has become more pressing than ever. According to sources around the world, NSO Group's software was used to spy on around 50,000 people, including politicians, business people, journalists and activists. Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the origins of Pegasus and how spyware differs from the vulnerabilities used to deliver it. "Pegasus is a spyware with versions for both iOS and Android devices," he explains. As early as 2017 it could "read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things." Galov stresses that Pegasus is sophisticated and costly malware, built to spy on people of particular interest, so the typical user is unlikely to be a target.
Its sophistication nonetheless makes it one of the most powerful tools for spying on a smartphone. Pegasus has evolved over time to exploit a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be found by forensic examination. According to Galov, many parties on the darknet buy and sell both malware and zero-day vulnerabilities; an exploit chain can cost up to $2.5 million, which is what a full chain of Android vulnerabilities was offered for in 2019. Amnesty International researchers have released a toolkit that helps determine whether a phone has been infected with the spyware. The open-source Mobile Verification Toolkit (MVT) is available on GitHub; users install its Python package as described in the MVT documentation, which also explains the procedure for both iOS and Android. An iOS device must be backed up before MVT is run against it. According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. "We do not want MVT to enable privacy violations of non-consenting individuals," Amnesty said. "Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics."


Some URL shortener services distribute Android malware, including banking or SMS trojans

July 22, 2021, by AddMgr

On iOS we have seen link shortener services pushing spam calendar files to victims’ devices.

We hope you already know that you shouldn’t click on just any URLs. You might be sent one in a message; somebody might insert one under a social media post or you could be provided with one on basically any website. Users or websites providing these links might use URL shortener services. These are used to shorten long URLs, hide original domain names, view analytics about the devices of visitors, or in some cases even monetize their clicks.
Monetization means that when someone clicks on such a link, an advertisement, such as the examples in Figure 1, will be displayed that will generate revenue for the person who generated the shortened URL. The problem is that some of these link shortener services use aggressive advertising techniques such as scareware ads: informing users their devices are infected with dangerous malware, directing users to download dodgy apps from the Google Play store or to participate in shady surveys, delivering adult content, offering to start premium SMS service subscriptions, enabling browser notifications, and making dubious offers to win prizes.
We’ve even seen link shortener services pushing “calendar” files to iOS devices and distributing Android malware – indeed, we discovered one piece of malware we named Android/FakeAdBlocker, which downloads and executes additional payloads (such as banking trojans, SMS trojans, and aggressive adware) received from its C&C server.
Below we describe the iOS calendar-event-creating downloads and how to recover from them, before spending most of the blogpost on a detailed analysis of the distribution of Android/FakeAdBlocker and, based on our telemetry, its alarming number of detections. This analysis is mainly focused on the functionality of the adware payload and, since it can create spam calendar events, we have included a brief guide detailing how to automatically remove them and uninstall Android/FakeAdBlocker from compromised devices.
Figure 1. Examples of shady aggressive advertisements
Distribution
Content displayed to the victim from monetized link shorteners can differ based on the running operating system. For instance, if a victim clicked on the same link on a Windows device and on a mobile device, a different website would be displayed on each device. Besides websites, they could also offer an iOS device user to download an ICS calendar file, or an Android device user to download an Android app. Figure 2 outlines options we have seen in the campaign analyzed here.
Figure 2. Malware distribution process
While some advertisements and Android applications served by these monetized shortened links are legitimate, we observed that the majority lead to shady or unwanted behavior.
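As an added example (not part of ESET's post or tooling), the following Python script expands the same shortened link as an Android, iOS and Windows client and classifies the final response from its headers, which is how an analyst can observe the OS-dependent branching described above without opening the link in a browser. The fetch function is injectable: the redirect table at the bottom, with the hypothetical hosts short.example, ads.example and dl.example, is constructed so the script runs offline, while http_fetch does the same HEAD-per-hop walk against a live URL.

```python
"""Expand a monetised short link as different clients and classify what it serves.

Added example, not part of the original post. Each hop is fetched with a HEAD
request and a chosen User-Agent, redirects are followed by hand (never by a
browser), and the final response is classified from its headers as HTML, an
ICS calendar file or an Android APK. ``fetch`` is injectable so the demo at
the bottom runs offline against a constructed redirect table; every host in
that table (short.example, ads.example, dl.example) is hypothetical.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, user_agent, timeout=10):
    """Live fetch: one HEAD request, returns (status, headers) without following."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, dict(err.headers)


def classify(headers):
    """Label the final response from Content-Type / Content-Disposition only."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype, disp = h.get("content-type", ""), h.get("content-disposition", "")
    if "text/calendar" in ctype or ".ics" in disp:
        return "ics-calendar"
    if "vnd.android.package-archive" in ctype or ".apk" in disp:
        return "android-apk"
    if "text/html" in ctype:
        return "html"
    return "other"


def expand(url, platform, fetch=http_fetch, max_hops=10):
    """Follow redirects for one platform; returns (chain of URLs, classification)."""
    ua = USER_AGENTS[platform]
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1], ua)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in REDIRECT_CODES and location:
            chain.append(urljoin(chain[-1], location))  # a relative Location is legal
            continue
        return chain, classify(headers)
    return chain, "too-many-redirects"


def survey(url, fetch=http_fetch):
    """Expand the same link as each platform so OS-dependent payloads show up side by side."""
    return {p: expand(url, p, fetch) for p in USER_AGENTS}


# Constructed offline stand-in for a monetised shortener (hypothetical hosts).
_FAKE = {
    ("http://short.example/abc", "android"): (302, {"Location": "/land?os=android"}),
    ("http://short.example/land?os=android", "android"): (302, {"Location": "http://dl.example/adBLOCK%20app.apk"}),
    ("http://dl.example/adBLOCK%20app.apk", "android"): (200, {"Content-Type": "application/vnd.android.package-archive", "Content-Disposition": 'attachment; filename="adBLOCK app.apk"'}),
    ("http://short.example/abc", "ios"): (302, {"Location": "http://ads.example/ios"}),
    ("http://ads.example/ios", "ios"): (200, {"Content-Type": "text/calendar; charset=utf-8", "Content-Disposition": 'attachment; filename="events.ics"'}),
    ("http://short.example/abc", "windows"): (302, {"Location": "http://ads.example/win"}),
    ("http://ads.example/win", "windows"): (200, {"Content-Type": "text/html; charset=utf-8"}),
}


def fake_fetch(url, user_agent):
    platform = next(p for p, ua in USER_AGENTS.items() if ua == user_agent)
    return _FAKE[(url, platform)]


if __name__ == "__main__":
    for platform, (chain, kind) in survey("http://short.example/abc", fake_fetch).items():
        print(f"{platform:8} {kind:13} " + " -> ".join(chain))
```

The HEAD-only walk never downloads the APK or ICS body, so it is safe to run from an analysis host; to go further, fetch the final URL with GET into a sandbox and hash it against the IoCs at the end of this post.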
iOS targets
On iOS devices, besides flooding victims with unwanted ads, these websites can create events in victims' calendars by automatically downloading an ICS file. As the screenshots in Figure 3 show, victims must first tap the subscribe button before their calendars are spammed with these events. However, the calendar name "Click OK To Continue (sic)" does not reveal the true content of those calendar events and only misleads the victims into tapping the Subscribe and Done buttons.
These calendar events falsely inform victims that their devices are infected with malware, hoping to induce victims to click on the embedded links, which lead to more scareware advertisements.
Figure 3. Scam website requests user to subscribe to calendar events on iOS platform

Android targets
For victims on Android devices, the situation is more dangerous because these scam websites might initially provide the victim with a malicious app to download and afterwards proceed with visiting or downloading the actual expected content searched for by the user.
There are two scenarios for Android users that we observed during our research. In the first one, when the victim wants to download an Android application other than from Google Play, there is a request to enable browser notifications from that website, followed by a request to download an application called adBLOCK app.apk. This might create the illusion that this adBLOCK app will block displayed advertisements in the future, but the opposite is true. This app has nothing to do with the legitimate adBLOCK application available from the official source.
When the user taps on the download button, the browser is redirected to a different website where the user is apparently offered an ad-blocking app named adBLOCK, but ends up downloading Android/FakeAdBlocker. In other words, the victim’s tap or click is hijacked and used to download a malicious application. If the victim returns to the previous page and taps on the same download button, the correct legitimate file that the intended victim wanted is downloaded onto the device. You can watch one of the examples in the video below.
[embedded content]
In the second Android scenario, when the victims want to proceed with downloading the requested file, they are shown a web page describing the steps to download and install an application with the name Your File Is Ready To Download.apk. This name is obviously misleading; the name of the app is trying to make the user think that what is being downloaded is the app or a file they wanted to access. You can see the demonstration in the video below.
[embedded content]
In both cases, a scareware advertisement or the same Android/FakeAdBlocker trojan is delivered via a URL shortener service. Such services employ the Paid to click (PTC) business model and act as intermediaries between customers and advertisers. The advertiser pays for displaying ads on the PTC website, where part of that payment goes to the party that created the shortened link. As stated on one of these link shortening websites in the privacy policy section, these ads are via their advertising partners and they are not responsible for delivered content or visited websites.
One of the URL shortener services states in its terms of service that users should not create shortened links to transmit files that contain viruses, spyware, adware, trojans or other harmful code. To the contrary, we have observed that their ad partners are doing it.
Telemetry
Based on our detection data, Android/FakeAdBlocker was spotted for the first time in September 2019. Since then, we have been detecting it under various threat names. From the beginning of this year till July 1st, we have seen more than 150,000 instances of this threat being downloaded to Android devices.
Figure 4. ESET detection telemetry for Android/FakeAdBlocker
Figure 5. Top ten countries by proportion of Android/FakeAdBlocker detections (January 1st – July 1st 2021)
Android/FakeAdBlocker analysis
After downloading and installing Android/FakeAdBlocker, the user might realize that, as seen in Figure 6, it has a white blank icon and, in some cases, even has no app name.
Figure 6. App icon of Android/FakeAdBlocker
After its initial launch, this malware decodes a base64-encoded file with a .dat extension that is stored in the APK’s assets. This file contains C&C server information and its internal variables.
Figure 7. Decoded config file from APK assets
From its C&C server it will request another configuration file. This has a binary payload embedded, which is then extracted and dynamically loaded.
Figure 8. Android/FakeAdBlocker downloads an additional payload
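An added example, not ESET's code, of the first analysis step above: open the APK as a ZIP, pull every assets/*.dat entry, base64-decode it and list the host names it contains, defanged for safe copying. The post does not document the decoded layout beyond Figure 7, so the sample APK built in memory here assumes a JSON config with hypothetical hosts (c2-one.example and friends); the host extraction also works on non-JSON output because it additionally regexes for URLs.

```python
"""Extract and decode the base64-encoded .dat config an APK carries in assets/.

Added example, not ESET's code. The post only shows the config decoded
(Figure 7), so the layout is assumed here to be JSON with a C&C list; the
sample APK is constructed in memory with hypothetical hosts so the script
runs offline. An APK is a ZIP archive, so the standard zipfile module reads it.
"""
import base64
import io
import json
import re
import zipfile

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
BARE_HOST = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def extract_dat_assets(apk_bytes):
    """Return {name: decoded bytes or None} for every assets/*.dat entry."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/") and name.endswith(".dat"):
                raw = apk.read(name).strip()
                try:
                    found[name] = base64.b64decode(raw, validate=True)
                except ValueError:  # binascii.Error subclasses ValueError
                    found[name] = None  # not base64: keep the entry, flag it
    return found


def _strings(obj):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj


def find_hosts(decoded):
    """Host names from URLs anywhere in the blob plus bare hosts in JSON strings."""
    text = decoded.decode("utf-8", errors="replace")
    hosts = set(URL_HOST.findall(text))
    try:
        hosts.update(s for s in _strings(json.loads(text)) if BARE_HOST.match(s))
    except ValueError:
        pass  # not JSON; the URL regex still applies
    return sorted(hosts)


def defang(host):
    return host.replace(".", "[.]")


def analyze(apk_bytes):
    """{asset name: [defanged hosts]} or None where the asset was not base64."""
    return {name: None if blob is None else [defang(h) for h in find_hosts(blob)]
            for name, blob in extract_dat_assets(apk_bytes).items()}


def build_sample_apk():
    """Constructed stand-in for a FakeAdBlocker-style APK; hypothetical hosts."""
    config = {"c2": ["https://c2-one.example/api/v1", "https://c2-two.example/api/v1"],
              "fallback": "c2-three.example", "interval": 3600}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder binary xml>")
        apk.writestr("classes.dex", b"dex\n035\x00placeholder")
        apk.writestr("assets/config.dat", base64.b64encode(json.dumps(config).encode()))
        apk.writestr("assets/notes.dat", b"plain text, not base64 %%%")  # exercises the error path
    return buf.getvalue()


if __name__ == "__main__":
    for name, hosts in analyze(build_sample_apk()).items():
        print(name, "->", hosts if hosts is not None else "not base64")
```

On a real sample, pass the APK bytes to analyze(); if the decoded blob turns out not to be JSON, the URL regex still surfaces any embedded C&C URLs, and a .dat that fails base64 validation is reported rather than silently skipped.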
For most of the samples we have observed, this payload was responsible for displaying out-of-context ads. However, in hundreds of cases, different malicious payloads were downloaded and executed. Based on our telemetry, the C&C server returned different payloads depending on the location of the device. The Cerberus banking trojan was downloaded to devices in Turkey, Poland, Spain, Greece and Italy, disguised as Chrome, Android Update, Adobe Flash Player, Update Android, or Google Guncelleme (güncelleme is Turkish for "update", so the app name amounts to Google Update). In Greece we have also seen the Ginp banking trojan being downloaded. An SMS trojan variant of the same malware family was distributed in the Middle East. Besides these trojans, Bitdefender Labs also identified the TeaBot (also known as Anatsa) banking trojan being downloaded as a payload by Android/FakeAdBlocker. Payloads are downloaded to external storage, in the files subdirectory of the parent app's package directory, under various app names. A list of payload APK names is included in the IoCs section.
The fact that the C&C server can distribute different malicious payloads at any time makes this threat unpredictable. Since all the aforementioned trojans have already been analyzed, we will continue with the analysis of the adware payload that was distributed to more than 99% of the victims. The adware payload bears many code similarities with the downloader, so we are classifying both in the same Android/FakeAdBlocker malware family.
Although the payloads download in the background, the victim is informed about what is happening on the device by an activity saying that a file is being downloaded. Once everything is set up, the Android/FakeAdBlocker adware payload asks the victim for permission to draw over other apps, which later lets it create fake notifications to display advertisements in the foreground, and for permission to access the calendar.
Figure 9. Activity shown after start
Figure 10. Permission request to control what is displayed in foreground
Figure 11. Permission request to edit calendar events
After all permissions are enabled, the payload silently starts to create events in Google Calendar for upcoming months.
Figure 12. Scareware calendar events created by malware (above) and detail (below)
It creates eighteen events happening every day, each of them lasts 10 minutes. Their names and descriptions suggest that the victim’s smartphone is infected, user data is exposed online or that a virus protection app is expired. Descriptions of each event include a link that leads the victim to visit a scareware advertisement website. That website again claims the device has been infected and offers the user to download shady cleaner applications from Google Play.
Figure 13. Titles and descriptions of the events (left) and the reminder displayed by one of them (right)
All the event titles and descriptions can be found in the malware's code. Here are all the scareware event texts created by the malware, verbatim (title, then description). If you find one of these in your Google Calendar, you are or were most likely a victim of this threat.

⚠ Hackers may try to steal your data!
    Block ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK BELOW TO BLOCK ALL ADS
⚠ YOUR Device can be infected with A VIRUS ⚠
    Block ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK BELOW TO BLOCK ALL ADS
☠️Severe Viruses have been found recently on Android devices
    Block ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK BELOW TO BLOCK ALL ADS
🛑 Your Phone is not Protected ?! Click To Protect it!
    It's 2021 and you haven't found a way to protect your Device? Click below to fix this!
⚠ Android Virus Protection Expired ?! Renew for 2021
    We have all heard stories about people who got exposed to malware and expose their data at risk. Don't be silly, protect yourself now by clicking below!
⚠ You May Be Exposed Online Click To Fix!
    Hackers can check where you live by checking your device's IP while you are at home. Protect yourself by installing a VPN. Protect your self by clicking below.
✅ Clear Your Device from Malicious Attacks!
    Your Device is not invincible from viruses. Make sure that it is free from infection and prevent future attacks. Click the link below to start scanning!
⚠ Viruses Alert – Check Protection NOW
    Hackers and practically anyone who want it can check where you live by breaking into your device. Protect your self by clicking below.
☠️ Viruses on your Device?! CLEAN THEM NOW
    It's 2021 and you haven't found a way to protect your Device? Click below to fix this!
🛡️ Click NOW to Protect your Priceless Data!
    Your identity and other important information can be easily stolen online without the right protection. VPN can effectively avoid that from happening. Click below to avail of that needed protection.
⚠ You Are Exposed Online, Click To Fix!
    Hackers can check where you live by checking your device's IP while you are at home. Protect yourself by installing a VPN. Protect your self by clicking below.
🧹 Clean your Phone from potential threats, Click Now.
    Going online exposes you to various risks including hacking and other fraudulent activities. VPN will protect you from these attacks. Make your online browsing secured by clicking the link below.
🛑 Your Phone is not Protected! Click To Protect it!
    It's 2021 and you haven't found a way to protect your iPhone? Click below to fix this!
⚠ YOUR Device can be infected with A VIRUS ⚠
    Block ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK BELOW TO BLOCK ALL ADS
⚠ You May Be Exposed Online Click To Fix!
    Hackers can check where you live by checking your device's IP while you are at home. Protect yourself by installing a VPN. Protect your self by clicking below.
☠️Severe Viruses have been found recently on Android devices
    Block ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK BELOW TO BLOCK ALL ADS
☠️ Viruses on your Device?! CLEAN THEM NOW
    It's 2021 and you haven't found a way to protect your Device? Click below to fix this!
⚠ Android Virus Protection Expired ?! Renew for 2021
    We have all heard stories about people who got exposed to malware and expose their data at risk. Don't be silly, protect yourself now by clicking below!
Besides flooding the calendar with scam events, Android/FakeAdBlocker also randomly displays full screen advertisements within the mobile browser, pops up scareware notifications and adult advertisements, and displays a Messenger-like “bubble” in the foreground mimicking a received message with a scammy text next to it.
Figure 14. Examples of displayed scareware ads
Clicking on any of these would lead the user to a website with further scareware content that suggests that the victim install cleaners or virus removers from Google Play. We have already written about similar shady apps impersonating security software in 2018.
Uninstall process
To identify and remove Android/FakeAdBlocker, including its dynamically loaded adware payload, first find it among your installed applications by going to Settings > Apps. Because the malware has no icon or app name (see Figure 15), it should be easy to spot. Once located, tap it once to select it, then tap the Uninstall button and confirm the request to remove the threat.
Figure 15. Manual uninstallation of malware
How to automatically remove spam events
Uninstalling Android/FakeAdBlocker will not remove the spam events it created in your calendar. You can remove them manually; however, it would be a tedious job. This task can also be done automatically, using an app. During our tests we successfully removed all these events using a free app available from the Google Play store called Calendar Cleanup. A problem with this app is that it removes only past events. Because of that, to remove upcoming events, temporarily change the current time and date in the settings of the device to be the day after the last spam event created by the malware. That would make all these events expired and Calendar Cleanup can then automatically remove them all.
It is important to state that this app removes all events, not just the ones created by the malware. Because of that, you should carefully select the targeted range of days.
Once the job is done, make sure to reset the current time and date.
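As an added example (not ESET's tooling), this Python script automates the calendar check and the clock-setting step above: it parses a calendar export (.ics), matches each event title against the verbatim scareware titles listed earlier, and reports the count, the date range, whether the events follow the 10-minute pattern, and the day after the last spam event, which is the date to set the device clock to before running a cleaner that only removes past events. The embedded .ics is constructed for the demo; on a real device, export the affected calendar to .ics first.

```python
"""Triage an exported calendar for Android/FakeAdBlocker scareware events.

Added example, not ESET's tooling. Parses an .ics export (a constructed one is
embedded), matches each SUMMARY against the verbatim event titles quoted in the
post (emoji and punctuation ignored) and reports the spam count, date range,
10-minute pattern and the day after the last spam event, i.e. the date to set
the device clock to before running a past-events-only cleaner. Assumes UTC or
floating times; TZID parameters are accepted but not converted.
"""
from datetime import datetime, timedelta
import re

SCAREWARE_TITLES = [  # from the post, leading/trailing emoji dropped
    "Hackers may try to steal your data!",
    "YOUR Device can be infected with A VIRUS",
    "Severe Viruses have been found recently on Android devices",
    "Your Phone is not Protected ?! Click To Protect it!",
    "Android Virus Protection Expired ?! Renew for 2021",
    "You May Be Exposed Online Click To Fix!",
    "Clear Your Device from Malicious Attacks!",
    "Viruses Alert – Check Protection NOW",
    "Viruses on your Device?! CLEAN THEM NOW",
    "Click NOW to Protect your Priceless Data!",
    "You Are Exposed Online, Click To Fix!",
    "Clean your Phone from potential threats, Click Now.",
    "Your Phone is not Protected! Click To Protect it!",
]

def _norm(text):
    """Case-fold and keep only letters/digits so emoji and punctuation cannot break a match."""
    return re.sub(r"[^a-z0-9]+", " ", text.casefold()).strip()

KNOWN = {_norm(t) for t in SCAREWARE_TITLES}

def _unfold(ics_text):
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _unescape(value):  # RFC 5545 text escapes: \, \; \\ \n
    return re.sub(r"\\([,;\\nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def _parse_dt(value):
    stamp = value.strip().rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%dT%H%M%S" if "T" in stamp else "%Y%m%d")

def parse_events(ics_text):
    """List of {SUMMARY, DTSTART, DTEND} per VEVENT; property parameters (;TZID=...) are stripped."""
    events, cur = [], None
    for line in _unfold(ics_text):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            prop = name.split(";", 1)[0].upper()
            if prop == "SUMMARY":
                cur[prop] = _unescape(value)
            elif prop in ("DTSTART", "DTEND"):
                cur[prop] = _parse_dt(value)
    return events

def triage(ics_text):
    """Split events into scareware and legitimate; summarise what the cleanup step needs."""
    spam, legit = [], 0
    for ev in parse_events(ics_text):
        if _norm(ev.get("SUMMARY", "")) in KNOWN:
            spam.append(ev)
        else:
            legit += 1
    if not spam:
        return {"infected": False, "spam_events": 0, "legit_events": legit}
    minutes = {int((ev["DTEND"] - ev["DTSTART"]).total_seconds() // 60) for ev in spam if "DTEND" in ev}
    first, last = min(ev["DTSTART"] for ev in spam).date(), max(ev["DTSTART"] for ev in spam).date()
    return {"infected": True, "spam_events": len(spam), "legit_events": legit,
            "first": first.isoformat(), "last": last.isoformat(), "ten_minute_pattern": minutes == {10},
            "clock_after": (last + timedelta(days=1)).isoformat()}  # set the device date here, then run the cleaner

# Constructed export: two spam events (one with a TZID parameter) and one legitimate event.
SAMPLE_ICS = r"""BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
DTSTART:20210801T090000Z
DTEND:20210801T091000Z
SUMMARY:⚠ Hackers may try to steal your data!
END:VEVENT
BEGIN:VEVENT
DTSTART;TZID=Europe/Bratislava:20210802T101000
DTEND;TZID=Europe/Bratislava:20210802T102000
SUMMARY:⚠ You Are Exposed Online\, Click To Fix!
END:VEVENT
BEGIN:VEVENT
DTSTART:20210805T140000Z
DTEND:20210805T143000Z
SUMMARY:Dentist
END:VEVENT
END:VCALENDAR
"""
```

Matching is on the title only and ignores emoji, so a localized or slightly reworded variant would be missed; extend SCAREWARE_TITLES if you see new texts. The "clock_after" date is the one to set on the device before running a past-events-only cleaner, and since such a cleaner removes every event in its range, compare "legit_events" with what you expect before letting it run.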
Conclusion
Based on our telemetry, it appears that many users tend to download Android apps from outside of Google Play, which might lead them to download malicious apps delivered through aggressive advertising practices that are used to generate revenue for their authors. We identified and demonstrated this vector of distribution in the videos above. Android/FakeAdBlocker downloads malicious payloads provided by its operator’s C&C server; in most cases, after launch these hide themselves from user view, deliver unwanted scareware or adult content advertisements and create spam calendar events for upcoming months. Trusting these scareware ads might cost their victims money either by sending premium rate SMS messages, subscribing to unnecessary services, or downloading additional and often malicious applications. Besides these scenarios, we identified various Android banking trojans and SMS trojans being downloaded and executed.
IoCs

SHA-1 | Detection name
B0B027011102B8FD5EA5502D23D02058A1BFF1B9 | Android/FakeAdBlocker.A
E51634ED17D4010398A1B47B1CF3521C3EEC2030 | Android/FakeAdBlocker.B
696BC1E536DDBD61C1A6D197AC239F11A2B0C851 | Android/FakeAdBlocker.C

C&Cs
emanalyst[.]biz
mmunitedaw[.]info
ommunite[.]top
rycovernmen[.]club
ransociatelyf[.]info
schemics[.]club
omeoneha[.]online
sityinition[.]top
fceptthis[.]biz
oftongueid[.]online
honeiwillre[.]biz
eaconhop[.]online
ssedonthep[.]biz
fjobiwouldli[.]biz
offeranda[.]biz
File paths of downloaded payloads
/storage/emulated/0/Android/data/com.intensive.sound/files/Download/updateandroid.apk
/storage/emulated/0/Android/data/com.intensive.sound/files/Download/Chrome05.12.11.apk
/storage/emulated/0/Android/data/com.intensive.sound/files/Download/XXX_Player.apk
/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/Google_Update.apk
/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/System.apk
/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/Android-Update.5.1.apk
/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/Android_Update.apk
/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/chromeUpdate.apk
/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/FreeDownloadVideo.apk
/storage/emulated/0/Android/data/com.anaconda.brave/files/Download/MediaPlayer.apk
/storage/emulated/0/Android/data/com.anaconda.brave/files/Download/GoogleChrome.apk
/storage/emulated/0/Android/data/com.dusty.bird/files/Download/Player.apk
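An added example, not ESET's tooling, that turns the IoCs above into checks: hash lookup against the three SHA-1s, matching of the C&C domains (and their subdomains) against resolver log lines, and classification of storage paths against the published payload locations and the five dropper package names they sit under. The resolver log format (timestamp, client IP, record type, name) and the sample lines and paths are constructed for the demo.

```python
"""Check local artefacts against the Android/FakeAdBlocker IoCs listed above.

Added example, not ESET's tooling. It refangs the published C&C domains and
matches them (including subdomains) against resolver log lines, classifies
storage paths against the published payload locations and the package names
they sit under, and looks file hashes up against the published SHA-1s. The
resolver log format (timestamp, client IP, record type, name) and the sample
lines and paths marked as such below are constructed for the demo.
"""
import hashlib
import re

KNOWN_SHA1 = {  # from the IoC table above
    "b0b027011102b8fd5ea5502d23d02058a1bff1b9": "Android/FakeAdBlocker.A",
    "e51634ed17d4010398a1b47b1cf3521c3eec2030": "Android/FakeAdBlocker.B",
    "696bc1e536ddbd61c1a6d197ac239f11a2b0c851": "Android/FakeAdBlocker.C",
}
C2_DOMAINS = {d.replace("[.]", ".") for d in (  # refanged from the C&C list above
    "emanalyst[.]biz", "mmunitedaw[.]info", "ommunite[.]top", "rycovernmen[.]club",
    "ransociatelyf[.]info", "schemics[.]club", "omeoneha[.]online", "sityinition[.]top",
    "fceptthis[.]biz", "oftongueid[.]online", "honeiwillre[.]biz", "eaconhop[.]online",
    "ssedonthep[.]biz", "fjobiwouldli[.]biz", "offeranda[.]biz",
)}
PAYLOAD_PATHS = {  # from the file path list above
    "/storage/emulated/0/Android/data/com.intensive.sound/files/Download/updateandroid.apk",
    "/storage/emulated/0/Android/data/com.intensive.sound/files/Download/Chrome05.12.11.apk",
    "/storage/emulated/0/Android/data/com.intensive.sound/files/Download/XXX_Player.apk",
    "/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/Google_Update.apk",
    "/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/System.apk",
    "/storage/emulated/0/Android/data/com.confidential.pottery/files/Download/Android-Update.5.1.apk",
    "/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/Android_Update.apk",
    "/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/chromeUpdate.apk",
    "/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/FreeDownloadVideo.apk",
    "/storage/emulated/0/Android/data/com.anaconda.brave/files/Download/MediaPlayer.apk",
    "/storage/emulated/0/Android/data/com.anaconda.brave/files/Download/GoogleChrome.apk",
    "/storage/emulated/0/Android/data/com.dusty.bird/files/Download/Player.apk",
}
PAYLOAD_DIR = re.compile(r"^/storage/emulated/0/Android/data/([\w.]+)/files/Download/[^/]+\.apk$")
KNOWN_PACKAGES = {PAYLOAD_DIR.match(p).group(1) for p in PAYLOAD_PATHS}


def sha1_of(data):
    return hashlib.sha1(data).hexdigest()


def lookup_hash(sha1_hex):
    """Detection name for a known sample hash, else None."""
    return KNOWN_SHA1.get(sha1_hex.lower())


def domain_hit(qname):
    """The C&C domain a queried name equals or sits under, else None (no substring matches)."""
    qname = qname.lower().rstrip(".")
    return next((d for d in C2_DOMAINS if qname == d or qname.endswith("." + d)), None)


def scan_dns_log(lines):
    """(timestamp, client, queried name, matched C&C) for every hit in resolver log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; real logs deserve stricter parsing
        ts, client, _rtype, qname = fields[:4]
        matched = domain_hit(qname)
        if matched:
            hits.append((ts, client, qname, matched))
    return hits


def classify_path(path):
    """Exact published payload path, a new filename under a known dropper package, or None."""
    if path in PAYLOAD_PATHS:
        return "known-payload-path"
    m = PAYLOAD_DIR.match(path)
    if m and m.group(1) in KNOWN_PACKAGES:
        return "known-package-new-filename"
    return None


SAMPLE_DNS_LOG = [  # constructed resolver log lines
    "2021-07-01T10:00:01Z 10.0.0.5 A www.google.com",
    "2021-07-01T10:00:07Z 10.0.0.5 A emanalyst.biz",
    "2021-07-01T10:01:12Z 10.0.0.9 A api.schemics.club.",
    "2021-07-01T10:02:30Z 10.0.0.5 AAAA eset.com",
]
SAMPLE_PATHS = [  # constructed: two hits, two misses
    "/storage/emulated/0/Android/data/com.cold.toothbrush/files/Download/chromeUpdate.apk",
    "/storage/emulated/0/Android/data/com.dusty.bird/files/Download/Video.apk",
    "/storage/emulated/0/Android/data/com.whatsapp/files/Download/x.apk",
    "/storage/emulated/0/Download/legit.apk",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS ", *hit)
    for p in SAMPLE_PATHS:
        print("PATH", classify_path(p), p)
```

The "known-package-new-filename" class matters because the post notes payloads are stored under the dropper's package directory with varying names, so a fresh APK under com.dusty.bird is worth a look even if its name is not in the list; the hash lookup is exact and will not catch repacked variants.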
MITRE ATT&CK techniques
This table was built using version 9 of the ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1476 | Deliver Malicious App via Other Means | Android/FakeAdBlocker can be downloaded from third-party websites.
Initial Access | T1444 | Masquerade as Legitimate Application | Android/FakeAdBlocker impersonates the legitimate AdBlock app.
Persistence | T1402 | Broadcast Receivers | Android/FakeAdBlocker listens for the BOOT_COMPLETED broadcast, ensuring that the app's functionality is activated every time the device starts.
Persistence | T1541 | Foreground Persistence | Android/FakeAdBlocker displays transparent notifications and pop-up advertisements.
Defense Evasion | T1407 | Download New Code at Runtime | Android/FakeAdBlocker downloads and executes APK files from an adversary-controlled server.
Defense Evasion | T1406 | Obfuscated Files or Information | Android/FakeAdBlocker stores a base64-encoded config file containing the C&C server in its assets.
Defense Evasion | T1508 | Suppress Application Icon | Android/FakeAdBlocker's icon is hidden from the victim's view.
Collection | T1435 | Access Calendar Entries | Android/FakeAdBlocker creates scareware events in the calendar.
Command and Control | T1437 | Standard Application Layer Protocol | Android/FakeAdBlocker communicates with its C&C via HTTPS.
Impact | T1472 | Generate Fraudulent Advertising Revenue | Android/FakeAdBlocker generates revenue by automatically displaying ads.


Cybercriminals may target 2020 Tokyo Olympics, FBI warns

July 22, 2021, by AddMgr

Cybercriminals may target the popular event with ransomware, phishing, or DDoS attacks in a bid to increase their notoriety or make money

The United States' Federal Bureau of Investigation (FBI) has issued a warning about threat actors potentially attempting to disrupt the upcoming Tokyo 2020 Summer Olympics. It warned that cybercriminals could use various forms of cybercrime, such as distributed denial of service (DDoS) attacks, ransomware and social engineering, to derail the Games.
However, for now, there have been no signs of an attack targeting the popular sporting event. “The FBI to date is not aware of any specific cyber threat against these Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments,” the FBI said.
The Bureau highlighted that large-scale popular events such as the Olympics attract various types of cybercriminals since it allows them to pursue different agendas, ranging from making money and boosting their notoriety to sowing confusion.
The Games of the 32nd Olympiad could prove especially attractive to threat actors since, due to the COVID-19 pandemic, spectators are largely barred from venues and the event will be viewed only through broadcast or digital viewing platforms.
“Adversaries could use social engineering and phishing campaigns in the lead up to the event to obtain access or use previously obtained access to implant malware to disrupt affected networks during the event. Social engineering and phishing campaigns continue to provide adversaries with the access needed to carry out such attacks,” the federal law enforcement agency warned.
Beyond phishing and social engineering attacks, the threat actors could also resort to using ransomware or DDoS attacks to target internet service providers and television broadcast companies to disrupt the live broadcasts of various sporting disciplines. Cybercriminals could also attempt to cripple the Olympics by targeting the various elements making up its infrastructure such as mass transit providers, hotels, or event security infrastructure.
The FBI also shared advice on how service providers can mitigate the risk of such attacks: create and set up business continuity plans to lower the chances of service interruptions if an attack occurs, and monitor networks regularly and apply best practices, since a substantial part of the workforce has transitioned to remote work and relies on virtual private networks.


This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection

July 21, 2021, by AddMgr

On Tuesday, security researchers confirmed the existence of a previously undocumented malware strain named "MosaicLoader", which targets people looking for cracked software as part of a global campaign. Bitdefender researchers stated in a report shared with The Hacker News: "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service. The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." The malware's name comes from its complex internal structure, which is designed to hinder reverse engineering and analysis.
MosaicLoader attacks rely on a well-known delivery technique, search engine optimization (SEO) poisoning, in which the attackers buy ad slots in search engine results to push their malicious URLs to the top when users search for keywords linked to pirated software. After a successful infection, a Delphi-based dropper that masquerades as a software installer serves as the entry point: it retrieves next-stage payloads from a remote server and adds local exclusions in Windows Defender for the two downloaded executables to keep them out of antivirus scanning. Such Windows Defender exclusions live under the following registry keys:

1. File and folder exclusions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
2. File type exclusions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
3. Process exclusions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

One of the binaries, "appsetup.exe", establishes persistence on the system, while the second, "prun.exe", is a downloader for a sprayer module that fetches and deploys a range of payloads from a list of URLs, from cookie stealers to cryptocurrency miners and more advanced implants such as Glupteba. Because of MosaicLoader's broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, both publicly available and custom-built, to gain, expand and maintain unauthorized access to victim computers and networks. "The best way to defend against MosaicLoader is to avoid downloading cracked software from any source," the researchers added. Besides being against the law, cracked software is exactly what cybercriminals use to target users, so it is essential to check the source domain of every download to make sure the files are legitimate.
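Since the exclusion keys above are ordinary registry values, adding an exclusion is visible to Sysmon as a RegistryEvent (Event ID 13, value set) that names the writing process. The following Python detection, added here as an example and not Bitdefender's, matches TargetObject against the three Exclusions keys and groups the excluded items by the image that added them, so a dropper that excludes two fresh executables stands out. The JSON event lines are constructed for the demo, and the allowlist of Defender's own MsMpEng.exe is an assumption to tune per estate.

```python
"""Flag Windows Defender exclusions being added, from Sysmon registry events.

Added example, not Bitdefender's detection. MosaicLoader excludes its two
executables from Defender, which is a registry write under the Exclusions
keys listed above. Sysmon Event ID 13 (RegistryEvent, value set) records each
such write together with the process that made it, so this rule matches
TargetObject against those keys and reports what was excluded and by which
image. The JSON lines are constructed for the demo, and the allowlist of
Defender's own service image is an assumption to tune per estate.
"""
import json
import re
from collections import defaultdict

EXCLUSION_KEY = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender"
    r"\\Exclusions\\(Paths|Extensions|Processes)\\(.+)$",
    re.IGNORECASE,
)
DEFAULT_ALLOWLIST = ("msmpeng.exe",)  # assumption: Defender's own service writes here legitimately


def detect(lines, allowlist=DEFAULT_ALLOWLIST):
    """One alert per exclusion write by a non-allowlisted image."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") not in (12, 13):  # 12 = key create/delete, 13 = value set
            continue
        m = EXCLUSION_KEY.match(ev.get("TargetObject", ""))
        if not m:
            continue
        image = ev.get("Image", "")
        if image.rsplit("\\", 1)[-1].lower() in allowlist:
            continue
        alerts.append({"time": ev.get("UtcTime"), "image": image, "pid": ev.get("ProcessId"),
                       "list": m.group(1).capitalize(), "excluded": m.group(2)})
    return alerts


def by_image(alerts):
    """Group excluded items by the process that added them; a dropper shows as one image adding several."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["image"]].append(a["excluded"])
    return dict(grouped)


def _ev(**fields):
    return json.dumps(fields)


_DROPPER = r"C:\Users\victim\Downloads\photoshop_crack_setup.exe"
_PATHS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
SAMPLE_EVENTS = [  # constructed; flattened Sysmon fields as a log forwarder would emit them
    _ev(EventID=1, UtcTime="2021-07-20 09:14:02.101", Image=_DROPPER, ProcessId=4120),
    _ev(EventID=13, UtcTime="2021-07-20 09:14:05.330", EventType="SetValue", Image=_DROPPER, ProcessId=4120,
        TargetObject=_PATHS_KEY + r"\C:\Users\victim\AppData\Roaming\appsetup.exe", Details="DWORD (0x00000000)"),
    _ev(EventID=13, UtcTime="2021-07-20 09:14:05.412", EventType="SetValue", Image=_DROPPER, ProcessId=4120,
        TargetObject=_PATHS_KEY + r"\C:\Users\victim\AppData\Roaming\prun.exe", Details="DWORD (0x00000000)"),
    _ev(EventID=13, UtcTime="2021-07-20 09:20:00.000", EventType="SetValue", ProcessId=3012,
        Image=r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe",
        TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.vhd", Details="DWORD (0x00000000)"),
    _ev(EventID=13, UtcTime="2021-07-20 09:21:13.004", EventType="SetValue", ProcessId=2200, Image=r"C:\Windows\explorer.exe",
        TargetObject=r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        Details="DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for image, items in by_image(detect(SAMPLE_EVENTS)).items():
        print(f"{image} added {len(items)} Defender exclusion(s): {items}")
```

For this to fire, Sysmon's configuration must actually log registry writes under the Windows Defender\Exclusions keys; many shipped configurations include that path, but verify yours. Exclusions set through Set-MpPreference or Group Policy land in the same keys, which is why the allowlist exists and why a hit from an image in a user's Downloads folder, as in the sample, deserves an immediate look.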


Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

July 21, 2021, by AddMgr

NSO Group, an Israeli cyber intelligence firm, developed the Pegasus spyware as a surveillance tool. The company says it develops advanced software and technology for sale primarily to law enforcement and intelligence agencies of approved nations, with the sole objective of saving lives by preventing crime and terror. Pegasus is designed to gain unauthorized access to a phone, gather personal and sensitive data, and transfer it to whoever is spying on the owner. According to Kaspersky, Pegasus can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. It has also been reported that an operator can commandeer the phone's microphone and camera, turning it into a real-time monitoring device. It is worth noting that Pegasus is complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to encounter it. Pegasus has been used to snoop on journalists, activists and certain government officials, and iPhones from Apple, the company that makes a point of user privacy, were among the devices compromised. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus. Its analysis of the leaked data found that even iPhones running the then-current iOS 14.6 could be compromised through a zero-click iMessage exploit used to install Pegasus on targeted devices. Apple has issued a statement condemning the attacks. Ivan Krstić, Apple's Head of Security Engineering and Architecture, said: "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.
While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." Citizen Lab had already uncovered this flaw. Zero-click attacks run in the background and are practically invisible because they require no involvement from the user. In iOS 14, Apple introduced the BlastDoor framework to make zero-click iMessage attacks harder, but it does not appear to have worked as planned.


How Artificial Intelligence is Changing Healthcare

July 21, 2021 | AddMgr

Over the past couple of years, modern technology has been actively adopted in medicine. AI helps to assess the degree of lung damage, identify malignant tumors, and is used in the development of new drugs. Similar technologies are being used in Russia. For example, the Russian platform Botkin.AI detects lung cancer by analyzing medical images with artificial intelligence running in the Microsoft Azure cloud; the solution has already been deployed in several regions of the country. Russia also has a digital histological laboratory, UNIM, which examines histological samples with a neural network to support a correct diagnosis. According to Alexander Gusev, development director of the Webiomed project, the strongest competition in Russia is in image processing, especially the analysis of lung tomograms for COVID diagnosis; the second most popular field is speech recognition and information synthesis. One of the main problems with AI is that market participants often do not understand how much a particular development might cost in everyday medical practice. Another problem is legislation: Russian law classifies AI software as a medical device, which must undergo a long and expensive registration. At present only six AI systems in Russia have been registered as medical software devices. According to the general opinion of experts, doctors do not readily agree to the introduction of AI. “When we ask about the attitude of doctors to innovation, they are just happy and express a desire to work with AI. However, about 2.5-5% of managers and doctors use AI products all the time,” Mr. Gusev added. At the same time, it does not take much time to understand the technology: an AI product’s interface is often similar to that of a conventional computer program.


Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely

July 20, 2021 | AddMgr

According to recent research, the Wi-Fi network name bug that could completely disable an iPhone’s network connectivity could also be used for remote code execution, and was quietly patched by Apple earlier this year. On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue; however, the company has not yet published security notes that would confirm whether the vulnerability has been fixed. The denial-of-service bug, discovered last month, stems from the way iOS handled format strings when processing the SSID, so that any up-to-date iPhone crashed when it joined a wireless access point whose name contained printf-style format specifiers, such as “%p%s%s%s%s%n”. The problem could be cleared by resetting the network settings (Settings > General > Reset > Reset Network Settings), and Apple was expected to ship a fix in iOS 14.7, which was in developer and public beta at the time. Researchers at mobile security automation company ZecOps found that the same flaw could be abused to achieve remote code execution (RCE) on targeted devices simply by including the pattern “%@” in the Wi-Fi hotspot’s name, which could have had far-reaching consequences. ZecOps named the issue “WiFiDemon”. It is also a zero-click vulnerability, since a threat actor can infect a device without any user interaction, although it does require that the setting to automatically join Wi-Fi networks (Auto-Join) is enabled, which it is by default. “As long as the Wi-Fi is turned on this vulnerability can be triggered,” the researchers noted. 
“If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack.” “This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk,” the company stated. “After turning off the malicious access point, the user’s Wi-Fi function will be normal. A user could hardly notice if they have been attacked.” The RCE variant was found to be exploitable in all iOS versions before iOS 14.3, with Apple “silently” fixing the problem in January 2021 as part of the iOS 14.4 release; the vulnerability was not assigned a CVE identifier. Given how easily the flaw can be triggered, iPhone and iPad owners should update to the most recent iOS version. Because the zero-click path depends on the device joining the rogue access point on its own, turning off Auto-Join for unknown networks and forgetting networks that are no longer needed reduces exposure on devices that cannot be updated immediately.
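The root cause described above is a string under an attacker’s control being used as a format argument, and the fix for that lives in the affected code, not in anything a network operator can configure. What a defender can do is notice hostile SSIDs in scan results. The following Python scanner is an added example (not code from the original article or from ZecOps): it recognises C printf conversions plus Cocoa’s %@, ranks what each conversion buys an attacker when the string is the format, and runs over constructed scan lines; the tab-separated scan layout and the sample network names are assumptions for illustration.

```python
"""Flag Wi-Fi network names that contain printf/NSString format specifiers.

Added example, not code from the article or from ZecOps. The bug class above
is a program passing attacker-controlled text as the *format* argument; the
fix belongs in the affected code ("%s"/"%@" plus the SSID as data), so what a
defender can do at the network layer is spot hostile SSIDs in scan results.
Scan-line layout (SSID<TAB>BSSID<TAB>RSSI) and sample values are constructed.
"""
import re

# C printf conversions plus Cocoa's %@, the specifier ZecOps reported as the
# RCE trigger. Flags, width, precision and length modifiers are optional.
FORMAT_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn@]"
)

# What a given conversion buys an attacker when the string is the format,
# ordered from worst to least bad.
IMPACT = (
    ("n", "write primitive (%n stores a count through a pointer)"),
    ("@", "Objective-C object dereference (crash or code execution)"),
    ("s", "pointer dereference (crash or memory disclosure)"),
    ("p", "pointer/stack disclosure"),
    ("x", "pointer/stack disclosure"),
    ("X", "pointer/stack disclosure"),
)


def format_specifiers(ssid):
    """Return every specifier in the SSID, e.g. ['%p', '%s', '%n']."""
    return [m.group(0) for m in FORMAT_SPEC.finditer(ssid)]


def classify(ssid):
    """Return (specifiers, worst impact) for one SSID; impact is None if clean."""
    specs = format_specifiers(ssid)
    if not specs:
        return specs, None
    conversions = {spec[-1] for spec in specs}
    for conv, description in IMPACT:
        if conv in conversions:
            return specs, description
    # Any other specifier still makes the parser consume arguments it was
    # never given, which is enough for the original denial of service.
    return specs, "malformed format parsing (denial of service)"


# Constructed scan output. "50% off" shows the caveat that a bare '%' followed
# by a letter is itself a valid specifier ("% o" is octal with the space flag),
# while a trailing '%' as in "100%" is not.
SAMPLE_SCAN = [
    "HomeNet-5G\taa:bb:cc:dd:ee:01\t-43",
    "%p%s%s%s%s%n\taa:bb:cc:dd:ee:02\t-60",
    "Cafe %@ Guest\taa:bb:cc:dd:ee:03\t-70",
    "100%\taa:bb:cc:dd:ee:04\t-80",
    "50% off\taa:bb:cc:dd:ee:05\t-85",
]


def hostile_ssids(scan_lines):
    """Parse scan lines and return one dict per SSID that carries specifiers."""
    flagged = []
    for line in scan_lines:
        ssid, bssid, rssi = line.split("\t")
        specs, impact = classify(ssid)
        if specs:
            flagged.append({"ssid": ssid, "bssid": bssid, "rssi": int(rssi),
                            "specifiers": specs, "impact": impact})
    return flagged


if __name__ == "__main__":
    for hit in hostile_ssids(SAMPLE_SCAN):
        print(f"[!] {hit['bssid']} {hit['ssid']!r}: {hit['specifiers']} -> {hit['impact']}")
```

The "50% off" case is deliberate: a format-string parser does not know the operator meant a percentage, so such names are true positives from the vulnerable code’s point of view even when the owner is harmless, and a wireless IDS rule built on this should report them rather than suppress them.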


Juniper Bug Allows RCE and DoS Against Carrier Networks

July 20, 2021 | AddMgr

Juniper Networks’ Steel-Belted Radius (SBR) Carrier Edition has a critical remote code-execution vulnerability that leaves wireless carrier and fixed-line operator networks open to tampering. Telecom carriers use the SBR Carrier server to manage policies for how subscribers use their networks by centralizing user authentication, granting the appropriate level of access, and verifying compliance with security standards; it lets carriers differentiate service tiers, diversify revenue models, and manage network resources. Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California, whose products include routers, switches, network management software, network security solutions, and software-defined networking technology. Pradeep Sindhu founded the company in 1996, with Scott Kriens serving as CEO until September 2008. Juniper began by specializing in core routers, which internet service providers (ISPs) use to perform IP address lookups and route internet traffic. The bug (CVE-2021-0276) affects SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the Extensible Authentication Protocol (EAP). Juniper released a patch on Wednesday. On the CVSS vulnerability-severity scale the flaw rates 9.8 out of 10. According to Juniper’s advisory, it is a stack-based buffer overflow that an attacker can trigger by sending specially crafted packets to the platform, causing the RADIUS daemon to crash. This can lead to RCE as well as denial of service (DoS), which leaves phone subscribers without a network connection. The flaw is one of dozens the networking giant patched this week across its carrier and enterprise product lines, including multiple high-severity flaws that could be used to launch DoS attacks; Juniper says one of these can also be used for RCE. 
CVE-2021-0277 is an out-of-bounds read vulnerability that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4) as well as Junos OS Evolved (all versions). The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially crafted LLDP frames. Network devices use LLDP to advertise their identity, capabilities, and neighbors on a local area network (usually over wired Ethernet). “Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued on Thursday. Because LLDP frames are link-local and are not forwarded across routers, an attacker needs a foothold on the same broadcast domain as the affected device; disabling LLDP on interfaces that face untrusted devices removes that attack surface on ports where the protocol is not needed.


Business correspondence in messengers and social networks poses a cyber threat to companies

July 20, 2021 | AddMgr

Experts warn that screenshots of work correspondence that employees send to third parties can fall into the hands of fraudsters. Such actions create not only reputational and financial risks for companies but also cyber-security risks. “If the phone numbers of colleagues are visible in the correspondence, attackers can use this information: for example, for hacking, spam, or data mining with the help of social engineering,” says Alexander Tikhonov, general director of the IT company SAS Russia/CIS. Kaspersky Lab noted that cyber risks for companies became more pressing after the transition to remote work, because office workers began to use shadow IT, tools not approved by the company, for business correspondence more often. “Employees are increasingly using personal gadgets, as well as programs installed on them for personal use, for work purposes,” the company explained. Thus, 59% of Russians use personal email for work issues and 55% communicate about work in messengers not approved by their IT departments, and they admit that they began doing so regularly with the move to remote work. According to the AlfaStrakhovanie analytical center, more than 60% of Russians send screenshots of work correspondence in messengers or post them on social networks. Moreover, 43% of respondents said that their company uses one of the standard instant messengers for corporate communication, and 23% said that their company does not regulate the method of communication at all. “People tend to think that social networks are not dangerous, that they are surrounded only by friends in the digital space,” said Pavel Adylin, executive director of Artezio. He stressed that the problem can only be solved by gradually raising the level of digital-security literacy in business.

