Sign in with Apple got 0-day which allowed unauthorized access to third-party user accounts

Welcome to the next episode of the Xopero Security Center! This week we look at a bug in the Sign in with Apple service that could have exposed users to hacking and third-party account takeover.

Sign in with Apple had a zero-day that could have given attackers unauthorized access to user accounts

Who doesn’t like a simple and seamless sign-in, such as signing in with a social media account, or with Apple’s Face ID, Touch ID, or device passcode option? Yes, fast and simple… Very nice. But the newly discovered bug could have exposed users to a complete hijack of their third-party accounts.

Full account takeover

The issue affected only third-party applications that used Sign in with Apple without implementing their own additional security measures. The sign-in service, which works similarly to the OAuth 2.0 standard, logs users in using either a JWT (JSON Web Token) or a code generated by an Apple server; in the latter case, the code is then exchanged for a JWT. Apple gives users the option of sharing their Apple email ID with the third party or keeping it hidden. When users hide the ID, Apple creates a JWT that contains a user-specific relay ID.

The worst-case scenario? An attacker could request JWTs for any email ID from Apple, and when the signature of these tokens was verified using Apple’s public key, they verified as valid. Fortunately, it has already been fixed, thanks to app developer Bhavuk Jain, who discovered it.


Got any VPN configuration update requests sent by your IT department? Proceed with caution – there is a new phishing scam in the wild

A new phishing campaign targets Microsoft Office 365 users who work remotely. Attackers try to coax them into updating the VPN configuration they use to access company assets while working from home.

So far the scam has landed in the inboxes of up to 15k targets. The attackers spoof the sender address of the phishing emails to match the domain of the target’s organization and embed hyperlinks that, instead of leading to a new VPN config, send recipients to phishing landing pages designed to steal their Office 365 credentials.

The malicious landing page is a cloned Office 365 login page hosted on a Microsoft-owned domain. How? The attackers abuse Azure Blob Storage. And that is just the beginning: the page is served with a valid Microsoft certificate, which makes the phishing attempt much harder to detect in time… or at all.


eBay for cybercriminals – REvil ransomware operators started auctioning victims’ data

COVID-19 made life harder for all of us. The economic slowdown caused by the virus is also hitting ransomware groups hard, and many have settled on new methods to increase payouts. Some now extort targets twice – one payment for the encryption key and another for a promise to permanently delete stolen data. There is also another way – the hackers behind the REvil ransomware have begun auctioning off sensitive data stolen from targeted companies.

Over the past few days, the operators responsible for spreading the REvil ransomware (a.k.a. “Sodin” and “Sodinokibi”) used their Dark Web “Happy Blog” to announce their first-ever auction of stolen data. The criminals are selling files taken from a Canadian agricultural production company that has so far declined their extortion demands.

They have set the minimum deposit at $5,000 in virtual currency, with the starting price of $50,000. What’s to gain? A successful bidder will get three databases and more than 22,000 files stolen from the company.


New cold boot attack affects seven years of LG Android smartphones

LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years.

The vulnerability, CVE-2020-12753, affects the bootloader component that ships with LG smartphones. Separate from the Android OS, the bootloader is a piece of firmware specific to each phone vendor. It is the first code that runs when a user starts the device, and it ensures that the firmware and the Android OS itself start in a correct and secure manner. This bootloader component has shipped on LG smartphones since the LG Nexus 5 series.

US software engineer Max Thomas, who discovered the vulnerability, says the bootloader component’s graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader’s graphics under certain conditions, such as when the battery dies or when the device is in the bootloader’s Download Mode.

He says that threat actors who time an attack perfectly can gain the ability to run their own custom code, which could allow them to take over the bootloader and, by extension, the entire device.

The bug affects all LG smartphones with QSEE (Qualcomm Secure Execution Environment) chips that use the EL1 or EL3 runtime firmware, and all LG devices running Android 7.2 and later. To be clear, CVE-2020-12753 is what researchers call a “cold boot attack”, meaning a vulnerability that can only be exploited with physical access, by connecting to a vulnerable device.

LG released a patch for this bug in the LVE-SMP-200006 security update in May.


Ransomware gangs team up to form extortion cartel

Maze ransomware operators recently started publishing the encrypted data of victims who refused to pay, and even launched a dedicated “Maze news” site. The tactic was quickly adopted by other groups; thirteen active ransomware operations are now known to leak stolen data if they are not paid.

Ransomware cartel formed. The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims. Last week they added the information and files of an international architectural firm to their data leak site. What made this leak different was that the data did not come from a Maze ransomware attack, but from another enterprise-targeting ransomware operation known as LockBit.

Asked by BleepingComputer, the Maze operators confirmed that they are working with LockBit to share their experience and their data leak platform. They also stated that another ransomware operation would be joining their collaborative group in the coming days.

“Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business,” Maze told BleepingComputer.

By joining forces to share advice, tactics, and a centralized data leak platform, ransomware operations can focus on more sophisticated attacks and more successful extortion attempts.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Apple Jailbreak Zero-Day Gets a Patch (ThreatPost)
2. Cisco warns: These Nexus switches have been hit by a serious security flaw (ZDNet)
3. Hacker posts database stolen from Dark Net free hosting provider DH (Naked Security)
4. Octopus Scanner Sinks Tentacles into GitHub Repositories (ThreatPost)
5. VMware Cloud Director flaw lets hackers take over virtual datacenters (BleepingComputer)
6. Hackers hijack one of Coincheck’s domains for spear-phishing attacks (ZDNet)
7. TrickBot Adds BazarBackdoor to Malware Arsenal (ThreatPost)
8. Attackers tried to grab WordPress configuration files from over a million sites (HelpNetSecurity)
9. Mozilla fixes high-risk Firefox flaws, bug in DoH feature (We Live Security)
10. New ‘Tycoon’ Ransomware Strain Targets Windows, Linux (DarkReading)