Beware! Two new WhatsApp bugs expose you to a man-in-the-middle attack

Android users have new reasons to worry… again. About a week ago, we provided information about the FlixOnline application which operators were able to successfully bypass the application authentication system in the Google Play Store. This time we report two serious bugs found in WhatsApp. They enable the so-called ‘man-in-the-disk’ attack. What is it exactly? Attackers are able to manipulate the data exchanged between the application and external memory. Details can be found below.

New WhatsApp bugs could’ve let attackers remotely hack your phone

Recently two security vulnerabilities have been spotted in WhatsApp for Android. They could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information.

The flaws take aim at devices running Android versions up to Android 9 (including) by carrying out “man-in-the-disk” attack. It makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage. 

The flaw (CVE-2021-24027) leverages Chrome’s support for content providers in Android (via the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516), thereby allowing an attacker to send a specially-crafted HTML file to a victim over WhatsApp, which, when opened on the browser, executes the code contained in the HTML file.

All an attacker has to do is lure the victim into opening an HTML document attachment. Then WhatsApp will render this attachment in Chrome, over a content provider, and the attacker’s Javascript code will be able to steal the stored TLS session keys.

WhatsApp bugs – a mean to an end

Armed with the keys, a bad actor can then stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs.

Worse, the malicious code can be used to access any resource stored in the unprotected external storage area and expose sensitive information to any app that’s provisioned to read or write from the external storage.

WhatsApp users are recommended to update to version to mitigate the risk associated with the flaws.


Hijacked Microsoft Exchange used to host cryptominer

Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the ProxyLogon exploit. More than 92 percent of affected MS Exchange servers were patched- but the damage had already been done.

Researchers at Sophos report an unknown attacker is attempting to use a compromised Microsoft Exchange Server to deliver a malicious Monero cryptominer onto other vulnerable Microsoft Exchange Servers. Because the cryptominer is hosted on a compromised Exchange Server, it may be easier for the attacker to deliver the payload to other vulnerable targets as firewalls are less likely to block traffic between Exchange Servers.

The executables file associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA).

The ‘unusual attack’

The attack begins with a PowerShell command to retrieve a file named from another compromised server’s Outlook Web Access logon path (/owa/auth). The .zip file is not a compressed archive at all but a batch script that then invokes the built-into-Windows certutil.exe program to download two additional files, and, which also are not compressed.

The batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there.


SMASH, the newest Rowhammer attack is a threat to your DDR4 memory card

Rowhammer is an umbrella term that refers to a class of exploits that leverage a hardware design quirk in DDR4 systems. SMASH is its newest variant that triggers a malicious JavaScript condition on the latest DDR4 RAM cards despite mitigations implemented by manufacturers for about 5 years.

RAM cards design

Memory RAM cards save data inside what’s called memory cells (each consisting of a capacitor and a transistor) that are arranged in the form of a matrix. But the memory cells tend to lose their state over time and therefore require a periodic reading and rewriting of each cell in order to restore the charge on the capacitor to its original level.

To hell with old mitigations…

To bypass TRR mitigations, SMASH carefully schedules cache hits and failures to activate the multifaceted Rowhammer bit. Then SMASH allows threat actors an arbitrary read/write primitive in the browser:

The exploit chain is initiated when a victim visits a malicious website under the adversary’s control or a legitimate website that contains a malicious ad, taking advantage of the Rowhammer bit flips triggered from within the JavaScript sandbox to gain control over the victim’s browser.


SolarMarker hackers flood the web with 100K sites offering malicious PDFs

Cybercriminals are resorting to search engine poisoning techniques to lure business professionals into seemingly legitimate Google sites that install a Remote Access Trojan (RAT) capable of carrying out a wide range of attacks.

The attack starts by leveraging searches for business forms such as invoices, templates, questionnaires, and receipts as a stepping stone toward infiltrating their systems. Once the user attempts to download the alleged document template is redirected, without knowledge, to a malicious website that hosts the RAT.

According to eSentire researchers, once the RAT gets activated on the victim’s computer, attackers can send commands and upload additional malware, like ransomware, a credential stealer, a banking trojan, or simply use the RAT called SolarMarker (aka Yellow Cockatoo, Jupyter, and Polazert).as a foothold into the victim’s network.

The firm said it discovered over 100,000 unique web pages that contain popular business terms or keywords such as template, invoice, questionnaire, resume, and receipt. What is even more troubling aspect of this campaign is that SolarMarker group uses SEO techniques to populate many of their malicious pages and allow them to be ranked higher on the search results what increase the likelihood of success. 

If you are looking for any financial documents templates, better use only official, well-known websites.


Do you have thirst for knowledge? There are ten more cybersecurity stories below

1. FBI nuked web shells from hacked Exchange Servers without telling owners (Bleeping Computer)
2. Microsoft Patches Four More Critical Exchange Server Bugs (Threat Post)
3. Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits (The Hacker News)
4. Researcher release PoC exploit for 0-day in Chrome, Edge, Brave, Opera (Hack Read)
5. Experts released PoC exploit code for a critical RCE in QNAP NAS devices (Security Affairs)
6. Adobe fixes critical vulnerabilities in Photoshop and Digital Editions (Bleeping Computer)
7. YIKES! Hackers flood the web with 100,000 pages offering malicious PDFs (The Hacker News)
8. Google Chrome 90 introduces the security feature we’ve been waiting for (
9. ‘Name:Wreck’ is the latest collision between TCP/IP and the standards process (
10. Meet the Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever (Vice)