Snowblind Android, identity services leaks data, Polyfill.io supply chain attack

In today’s cybersecurity news…

Android lying Snowblind in the sun

Security researchers at Promon released a report on an Android malware called Snowblind. It abuses the Linux “seccomp” security feature to effectively sandbox a repackaged app: it installs a seccomp filter that watches for the system calls the app’s own integrity checks rely on and redirects them to benign code, so the tampering goes unnoticed. The researchers found one banking app in Southeast Asia impacted by Snowblind, which then attempted to access Android accessibility features to steal data and disable other services. Google said it is aware of this approach and that, based on its current detection, no Snowblind apps live on the Google Play Store.

(Dark Reading)

Identity verification service exposed data for over a year

The Israel-based company AU10TIX offers “full-service identity verification solutions” used by TikTok, Uber, X, and other platforms. The security firm spiderSilk alerted 404 Media that a threat actor published leaked credentials for the company’s logging platform on Telegram. The exposed data included verification images, copies of driver’s licenses, names, and dates of birth, as well as AU10TIX’s own verification rankings for these individuals. 404 Media found signs that malware initially harvested the credentials in December 2022, before they were published in a Telegram channel in March 2023. When contacted, the identity firm claimed the incident happened 18 months ago, that the credentials had been rescinded, and that it saw no evidence of exploitation in the wild. However, spiderSilk found the credentials still worked as of June 2024.

(404 Media)

Polyfill.io JavaScript attack impacts thousands of sites

The security firm Sansec published a report that found over 100,000 sites impacted by a supply chain attack on the Polyfill.io service. Sites load scripts from this service so that visitors get a consistent codebase across browsers. The researchers found a Chinese firm purchased the Polyfill.io domain and took control of its GitHub account back in February. After that, it modified Polyfill to add malicious code that caused site redirects. Andrew Betts, who created the service, warned users to get off the service back in February. Google began warning advertisers of this issue, while Cloudflare and Fastly set up Polyfill.io mirrors serving legitimate code.

(Bleeping Computer)
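A site owner’s first question after this story is whether any of their own pages still pull code from the compromised domain. The scanner below is an added example (not Sansec’s, Cloudflare’s, or Fastly’s code) that walks HTML for script and stylesheet tags and flags any whose host is polyfill.io or a subdomain of it. The sample page and the list of flagged hosts are constructed for the example; it also reports whether a flagged tag carries an `integrity` attribute, since a pinned hash is the usual way to bound what a third-party host can serve.

```python
"""Flag script/stylesheet references to a compromised third-party host.

Added example: parses HTML with the standard library and reports any
<script src> or <link rel=stylesheet href> whose host is (or is under)
one of FLAGGED_HOSTS. Only polyfill.io is listed, as in the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as compromised. Constructed for this example; the page
# names polyfill.io only.
FLAGGED_HOSTS = ("polyfill.io",)


class _AssetCollector(HTMLParser):
    """Collect (kind, url, attrs) for external scripts and stylesheets."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None if bare
        if tag == "script" and attrs.get("src"):
            self.assets.append(("script", attrs["src"], attrs))
        elif tag == "link" and attrs.get("href"):
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" in rel:
                self.assets.append(("stylesheet", attrs["href"], attrs))


def _host_matches(url, hosts):
    """True if url's host equals or is a subdomain of any flagged host."""
    # Protocol-relative URLs ("//cdn.polyfill.io/...") need a scheme to parse.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_flagged_assets(html, hosts=FLAGGED_HOSTS):
    """Return a list of findings for every external asset on a flagged host."""
    parser = _AssetCollector()
    parser.feed(html)
    findings = []
    for kind, url, attrs in parser.assets:
        if _host_matches(url, hosts):
            findings.append({
                "kind": kind,
                "url": url,
                "has_integrity": "integrity" in attrs,
            })
    return findings


# Constructed sample page: two polyfill.io scripts (one protocol-relative),
# one unrelated script with an integrity hash, and one polyfill.io stylesheet.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://example.invalid/app.js" integrity="sha384-AAAA"></script>
<link rel="stylesheet" href="https://polyfill.io/theme.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in find_flagged_assets(SAMPLE_HTML):
        print(finding["kind"], finding["url"], "integrity:", finding["has_integrity"])
```

Run against saved copies of your templates or a crawl of rendered pages; every hit should be removed or repointed at a mirror you trust. The `has_integrity` flag is informational: a host that tailors each response to the requesting browser, as polyfill.io did, cannot be pinned with a single hash, which is why removing the reference is the only clean fix here.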

Threat clusters targeting critical infrastructure

A joint report from Recorded Future and SentinelOne details two clusters of activity targeting critical infrastructure and government sectors from 2021 through 2023. One cluster was ChamelGang, a China-linked group that carried out attacks against the All India Institute of Medical Sciences, as well as government entities in Brazil and East Asia. The researchers noted this cluster shows a trend of using ransomware as the final stage of an operation, both to cover tracks and for financial gain. The other cluster shows links to the China-based APT41 and the North Korean threat actor Andariel, using tools like the China Chopper web shell and the DTrack backdoor to target manufacturing and other industrial verticals in North America, South America, and Europe. It’s unclear if the two groups are working together or simply overlapping in targets and tooling.

(The Hacker News)

Arrest made over “honey trap” WhatsApp messages

Back in April, Politico reported on the so-called “honey trap” WhatsApp accounts targeting politicians and journalists in the UK. These accounts would send tailored suggestive messages to targets, seemingly in an attempt to obtain compromising photographs. The Metropolitan Police announced they arrested a man as part of their investigation into the messages, which violate the UK’s Online Safety Act. There’s no evidence of espionage or state-sponsored actors behind the messages.

(The Record)

AI gadget leaves API keys exposed in code

404 Media reports the jailbreaking group Rabbitude discovered that the Rabbit R1 AI assistant gadget shipped with critical API keys hard-coded in its code. These included keys for ElevenLabs, Microsoft’s Azure, Yelp, Google Maps, and SendGrid. With these keys, someone could view every response given across all Rabbit R1 devices, brick the devices, send emails from internal company accounts, and replace the voice on the devices. To prove its point, Rabbitude sent internal emails to security journalists using the SendGrid API. Rabbit said it began investigating the incident and appears to have rotated its ElevenLabs keys, which would prevent misuse of AI responses.

(404 Media)

P2Pinfect learns new ransomware tricks

Researchers first spotted the peer-to-peer worm, cleverly dubbed P2Pinfect, back in July 2023, attacking Redis servers using a sandbox escape bug. Initially, P2Pinfect seemed content to simply propagate to new servers. Now researchers at Cado Security have found that since June 23rd P2Pinfect shows significantly modified internals. As part of this, it now drops a cryptominer and ransomware onto infected servers. The researchers note, though, that since Redis doesn’t save data to disk by default, ransomware encryption would be limited to config files in most instances.

(Security Week)

Don’t trust lawyers with your crypto

The US FBI issued a PSA warning that victims in the US lost almost $10 million worth of crypto assets in the past year to parties claiming to be lawyers. These malicious actors approach victims on social media or messaging apps, offering services to help investigate lost funds, usually claiming to be working with the FBI or CFPB. The fake firms will either ask for upfront legal fees, trick victims into handing over wallet information, or claim they need payment of back taxes before starting recovery.

(Infosecurity Magazine)