GriftHorse malware / New Windows domains backdoor / iPhone Apple Pay + Visa bug

Welcome to Security Center – our weekly update on the most devastating cyberattacks, high-severity vulnerabilities, and biggest data leaks – precisely selected by our editors.

Don’t miss out! Sign up now and have it delivered to your inbox each Monday to start the week safe and sound. You will also receive a selection of the hottest company news and access to selected technical articles written by our experts, with advice and tips for protecting your IT infrastructure more effectively.

In the meantime, let’s check what happened in the cyber-world last week.

GriftHorse Android malware hit 10 million devices in 70 countries

In this new financial scam, bad actors are using a trojan called GriftHorse. Once installed, the apps bombard the phone with deceptive alerts that promise the user a free gift for tapping on them. The alerts redirect users to a geo-specific webpage that asks them to submit their phone number for “verification”; in reality, the number is signed up to a premium SMS service that charges their phone bill more than $42 (£30 / €36) per month.

The scammers created around 200 authentic-looking applications across a varied set of categories, including lifestyle, tools, entertainment, dating, and personalization – making this campaign the most widespread scam discovered in 2021.


Nobelium uses custom malware to backdoor Windows domains

Microsoft has discovered new malware used by the Nobelium hacking group – the threat actor behind last year’s SolarWinds supply-chain attack – to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. The malware, dubbed FoggyWeb by Microsoft researchers, is a passive and highly targeted backdoor that abuses Security Assertion Markup Language (SAML) tokens. It is designed to let the attackers remotely exfiltrate sensitive information from compromised AD FS servers: it configures HTTP listeners for actor-defined URIs and intercepts any GET/POST requests sent to the AD FS server that match those custom URI patterns.

Organizations that believe they might have been breached or compromised are advised to audit their on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other changes the actor might have made to maintain access. They should then remove user and app access, review the configuration of each, re-issue new, strong credentials, and use a hardware security module (HSM).


Researchers discover bypass ‘bug’ in iPhone Apple Pay, Visa to make contactless payments

These new mobile security issues could let attackers bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions. The vulnerability occurs when a Visa card is set up in Express Transit mode in the iPhone’s Wallet. Express mode was designed with commuters in mind: someone who wants to quickly tap and pay at a turnstile to reach the rail platform, for example, rather than hold up the line by going through further identity authentication.

The issue is caused by a unique code – nicknamed the “magic bytes” – that transit gates and turnstiles broadcast to unlock Apple Pay. The attack is triggered by capturing and re-broadcasting these “magic bytes” and then modifying a set of other variables in the transaction.


More IT security must-reads

  1. BloodyStealer: Advanced New Trojan Targets Accounts of Popular Online Gaming Platforms (Dark Reading)
  2. Urgent Chrome security update released to patch widely exploited 0-day (Hack Read)
  3. ERMAC, a new banking Trojan that borrows the code from Cerberus malware (Security Affairs)
  4. Scalper bots are now targeting graphics card vendors (ZDNet)
  5. A New Jupyter Malware Version is Being Distributed via MSI Installers (The Hacker News)
  6. New Tomiris Backdoor Found Linked to Hackers Behind SolarWinds Cyberattack (The Hacker News)
  7. Defend against zero-day exploits with Microsoft Defender Application Guard (Microsoft Blog)
  8. Fortinet, Shopify and more report issues after root CA certificate from Let’s Encrypt expires (ZDNet)
  9. Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws (The Hacker News)
  10. QNAP fixes bug that let attackers run malicious commands remotely (Bleeping Computer)