Hello Everyone, this week your editor is Dharminder.
I am back again with another edition of This Week in Security, This week I have security news about Google Play Protect Real-Time Code level scanning for Android Malware, Rumored zero-day of Signal messenger app and Kaspersky APT trends report Q3 2023. We in F5 SIRT invest lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.
Ok so let's get started to find details of security news.
Malicious apps poses great threat to the devices running those apps. To help secure Andriod devices, Google provides, Google Play protect a built-in feature which provides proactive protection against malware and unwanted software on all Android devices. On daily basis It scans billions of apps and If it finds a potentially harmful app, Google Play Protect takes necessary action such as sending a warning, preventing an app install, or disabling the app automatically.
To protect Android devices from malicious apps, Google Play Protect checks device for potentially harmful apps regardless of the install source. So far on any app installation, Google Play Protect conducted a real-time check and warned users when it identified an app known to be malicious from existing scanning intelligence or was identified as suspicious from Google’s on-device machine learning, similarity comparisons, and other techniques.
To enhance Google Play Protect’s security capabilities, a real-time scanning at the code-level to combat novel malicious apps has been added. Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats. Scanning will extract important signals from the app and send them to the Google Play Protect backend infrastructure for a code-level evaluation. Once the real-time analysis is complete, users will get a result letting them know if the app looks safe to install or if the scan determined the app is potentially harmful.
Per Google, the latest enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection.
If you are Signal message app user and have been reading news about zero day in Signal app from past few days, then this news is for you.
From last few days there were reports about zero-day in Signal messenger app “Generate Link Previews” feature which allows full device takeover. Since the reports were making an impact, Signal has released and official statement on X stating, “PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability, reads a statement on Twitter. After responsible investigation we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels. We also checked with people across US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim,”
Earlier the news of the alleged zero-day quickly spread online and among the cybersecurity community on Saturday afternoon.
Due to the impact of the vulnerability, Disabling the 'Generate Link Previews' setting in Signal was suggested as a precautionary measure.
This news also became big because of recent disclosure by TechCrunch on zero-days of apps like WhatsApp, which are being sold in million of dollars. Zero day in famous apps are always in the center of interest, specially for nation-state threat actors as it helps them in stealthily gain access to the targets device.
In general, zero-days vulnerabilities always put end user at risk. It is advisable that end users should always keep the app updated. By updating apps to the latest version, end user may expect fixes of most known vulnerabilities, which means less risk.
It’s been more than six years, The Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on their threat intelligence research. The latest report was published recently which includes observation of Q3 2023.
The reports talks about various activities performed by APT groups, their tools and their targets. Latest report has information on Russian-speaking activity, Chinese-speaking activity, Spanish-speaking activity, Middle East, and Southeast Asia and Korean Peninsula.
Let’s find the details of Russian-speaking activity and Southeast Asia and Korean Peninsula, for rest please click on the the link below.
A new and unknown APT group launched wave of attacks in October 2022 and another one in April 2023 against number of entities in Russia which includes government entities, military contractor, universities and hospitals. Targets of the APT groups were sent spear-phishing emails with MS Office documents attached. Which will cause multi-level infection and installation of a new Trojan to exfiltrate files and allow execution of arbitrary commands. Since the APT group is unknown, so a text “BadRory” which is referenced in malicious files is being used to quote the group.
Southeast Asia and Korean Peninsula
Lazarus campaign targeting the defense industry and nuclear engineer was uncovered. In this campaign, The threat actor first tricks job seekers on social media into opening malicious apps for fake job interviews. The Backdoored application activates only when the user selects a server from the drop-down menu of the Trojanized VNC client. This helps the app to stay under the radar of behavior-based security solutions. The application launches additional payloads into memory and retrieves further malicious code.
As soon as compromised VNC client is executed by the victim, it triggers the creation of further malware known as “LPEClient”. It also employs sophisticated C2 communication methods and disables behavior monitoring by unhooking user-mode syscalls. An updated version of COPPERHEDGE was also used as an additional backdoor, along with a malware variant specifically designed to transfer targeted files to a remote server.
The majority of the affected companies are directly involved in defense manufacturing, including radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, weaponry and maritime companies.
This report is definately an eye opener for all job seekers. While, they are on job hunt, they should be extra cautious of any suspicious activity.