Mobile News
Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (thehackernews.com) - Google will now allow their Pixel phones to be configured to ignore 2G downgrade attacks caused by Stingrays (cell-site simulators) and other devices that emulate a cellular baseband (tower) controlled by their service provider. This will prevent attacks like those performed by Intellexa and Predator using the Triton malware. This will also prevent SMS Blasting which bypass carrier spam protections.
Google brings better bricking to Androids, to curtail crims • The Register
- Phones that are in a hand and accelerate quickly (like when stolen by someone running) will automatically lock
- Devices offline for long periods of time, will auto-lock
- and users can now lock phones using their phone number instead of username and password. (Making the author wonder, is there an option for Crims to lock us out of our devices?)
Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (thehackernews.com) - Apple devices may accidentally read your Passwords out loud to you, and Apple accidentally made the microphone work when the microphone indicator isn’t lit. Patches are available for both.
Starlink and T-Mobile Provide Satellite-to-Cell Service to Aid Hurricane Helene Relief - CNET - Starlink is given permission for Satellite-to-cell service in North Carolina where around 17% of cell sites were still offline. Starlink is currently broadcasting emergency alert notifications across all carrier devices. SpaceX has also said the company will begin SMS testing capabilities as well for T-Mobile customers. As the carrier has been working with them since 2022 to develop this ability.
Note: More details are available here: DIRECT_TO_CELL_FIRST_TEXT_UPDATE.pdf (starlink.com) However, the high level, is an unmodified cellphone, with a 0.2w antenna can hit a satellite, if the satellite is carrying sensitive enough antenna. And if there’s enough satellites. Starlink currently has over 5k satellites in Low Earth Orbit constellations and despite complaints from Astronomers, radio enthusiasts, and Verizon and AT&T, they continue their research and deployment with the FCC and FTCs blessing.
Throwback
Recently patched CUPS flaw can be used to amplify DDoS attacks (bleepingcomputer.com) - Last weeks CUPS issue comes in a new flavor. The CUPS daemon is so excited to talk to printers in some cases that after receiving an advertisement via a single UDP packet, it will continue to look for that printer for days, weeks, months, until the CUPS service is restarted. Researchers found that from a single packet, they could illicit a response packet, directed at a victim that was 600 times the initial packet size. (UDP packets have a header size of 2bytes/16bits minimum and we know the CUPS vuln required a payload. So lets round up to 4bytes * 600 = 2400bytes. Now send 2, 4, or even 8 packets(19,200bytes), and you can see why this becomes a problem. )
Cloudflare Thwarts Largest-Ever 3.8 Tbps DDoS Attack Targeting Global Sectors (thehackernews.com) Interestingly, but not related, Cloudflare reported fighting off the largest DDOS in history this month at 3.8Terabits per second. Researchers believe its the result of a flaw in some 157k routers used across the US, China, and Hong Kong.
Research
Harvard duo modifies Meta glasses to grab strangers’ info • The Register - Harvard students hook their Meta glasses up to a facial recognition service, an LLM, and publicly available voter registries, and it goes about as well as you’d expect, probably worse. Video on their X feed shows the tech in action. A Google docs document the duo wrote on how to protect yourself is also available
Cops often hush up use of facial recognition tools – report • The Register - Despite its many failings, the Washington Post has continued to cover the use of Facial Recognition by police departments in the US, many who direct officers to not mention in reports or official documents when they make use of the service. Legal experts are now debating whether failing to do so may be a violation of the Brady rule, a 1963 ruling that requires Prosecutors to deliver all evidence to the Defense, whether or not it is beneficial to the Prosecution or Defenses case. E.g.; All the facts have to be given. Unfortunately, Facial Recognition has known issues, including misidentifying individuals of any race or skin-color besides middle aged white men. (Source: Gender Shades, 2018 Buolamwini and Gebru, MIT Meida Lab). Consequently, WaPo has identified at least 7 men arrested who were ultimately cleared of any wrong doing, 6 of who were black.
Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals (thehackernews.com) - Malware as a service group “More_eggs” now being packaged and utilized to infect HR departments looking for candidates. The malicious zip from a candidate appears to house a resume, but when clicked on, downloads an infostealer to consume passwords, login credentials and session cookies, among others. And is easily adaptable to other malicious behaviors.
Breaches
ADT discloses second breach in 2 months, hacked via stolen credentials (bleepingcomputer.com) - ADT hit twice in 2 months. Blood in the water. Incident response is a critical tool for companies. Not just after the fact, but before as well. Customers security systems are not currently effected.
Comcast confirms 237K affected in feisty breach notification • The Register - FBCS (Financial Business and Consumer Solutions), a 3rd party to Comcast, updated its breach notification to state the over a quarter million subscribers name, address, social security number, date of birth, and Comcast account number was stolen.
Hacker charged for breaching 5 companies for insider trading (bleepingcomputer.com) - UK resident broke into companies by resetting the passwords of Senior Executives and reading their financial reports. After reviewing data concerning earnings that were yet unreleased, Westbrook invested. And came out flush with cash. To the tune of $3.7m. Unfortunately for Westbrook, despite his use of VPNs and other privacy technologies, the gentleman has been busted and will be charged under the SEC charter against wire fraud, securities fraud, etc…
Lockbit
Four suspected LockBit ransomware gangsters nabbed in Europe • The Register - Four traveled outside the area in which Russia could protect them and got snatched up. Further arrests are expected as Five Eyes countries and others continue to dig through February’s seizure of the LockBit infrastructure with the arrest of LockBitSupp.
Cops unmask suspected Evil Corp kingpin, LockBit affiliate • The Register LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort (thehackernews.com) - Turns out Evil Corp may have been keeping it all in the family. With new sanctions being published, law enforcement also published a family tree, showing multiple sets of brothers, cousins, father-in-laws, etc… working at the top echelons of the organization.
Russia exploited Evil Corp relationship for NATO attacks • The Register - Additionally, it looks like Russia has been keeping its hands clean by directing Evil Corps attacks, at least until the heat got strong in 2019. This would match the long-held belief that Russian cyber gangs aren’t “State-Ignored” or even “State-prohibited-but-inadequate” (Atlantic Council doc, Beyond Attribution, Seeking National Responsibility for Cyber Attacks, 2012) but rather “State-ordered”.
China
The 30-year-old internet backdoor law that came back to bite | TechCrunch - SaltTyphoon has now been caught in the infrastructure of AT&T, Verizon, and Lumen (fmrly CenturyLink). But not just in any infrastructure, they broke into the US vast telephone wiretapping infrastructure, for months. CALEA, the Communications Assistance for Law Enforcement Act, was published in 1994 and requires all non-encrypted telephone communications to be accessible to law enforcement via wiretap, presumably with a warrant. Though Klein’s revelations proved the existence of Room 641A, Snowden’s leaks would highlight the abuses of these requirements. Now, privacy advocates are taking a bitter sweet moment to point out that spying apparatuses for the “good guys” will always end up in the hands of the “bad guys” and this drives home the point. It’s quite likely will never know the extent of the data-access China held for months in this network.
Author’s Note: I’d like to remind you again that Signal Messenger is a free, data, video, voice, and text platform, that works across Windows, macOS, Linux, iOS, and Android and is a fully open source and audited and auditable code base. Signal turns 10 this month and could use your support (financially) and to encourage friends and family to adopt the protocol.
Infrastructure
American Water shuts down online services after cyberattack (bleepingcomputer.com) - American Water, responsible for water and waste water services for 14 million Americans, across 14 states and 18 military installations has been breached by presumably Russian threat actors, though China’s VoltTyphoon and Iran’s CyberAv3ngers have both went after water companies previously. The company has said that clean water operations are continuing, though office services, customer portals, and possibly even billing will be delayed or non-existent. (On the upside, the company has said “No late charges will be accrued during this time.”)
Supply Chain
Qualcomm patches high-severity zero-day exploited in attacks (bleepingcomputer.com) - Local attackers with Low privileged code may be able to create memory corruptions in free-after-use memory attacks on devices. Patches have been provided to OEMs, but it could be years before they hit end user devices. Interestingly, the company also patched a year old CVE with a CVSS 9.8 score. In their WLAN resource manager. Good work is being done upstream to find and patch issues in low level code and chipsets, but users are dependent on OEMs like Samsung and Apple to push the fixes out into user land. And historically, those patches just don’t come in a timely manner. Qualcomm has encouraged concerned users to reach out to their device provider and put pressure on releasing updated code.
700K+ DrayTek routers are sitting ducks on the internet • The Register - Over 785,000 DrayTek devices are believed to be sitting on the internet with a perfect CVSS score of 10 out of 10. It literally can’t get worse than that. Exploitation occurs through the web interface, and despite recommendations against exposing the web interface to the internet, researchers found over 704,000 devices on the web.
Long Form
How the FBI and Mandiant caught a ‘serial hacker’ who tried to fake his own death | TechCrunch
perfctl: A Stealthy Malware Targeting Millions of Linux Servers (aquasec.com)