hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts
News for discussion
Apple patches critical vulnerability allowing to hijack iPhones
Ian Beer from Google Project Zero discovered a dangerous iPhone vulnerability that allows hijacking smartphones over wireless networks. The modern iPhones, iPads, Macs, and Apple Watches use Apple's Wireless Direct Link (AWDL) protocol to create mesh networks for features like AirDrop and Sidecar. This protocol is vulnerable. Ian Beer created a special platform of a Raspberry Pi 4B and two Wi-Fi adapters to hack an iPhone remotely. According to him, the attacker could be hundreds of meters away from the victim. The vulnerability is a buffer overflow in the AWDL driver. Since the drivers are located in the operating system's kernel, this exploit could be used for extremely severe attacks. Since AWDL analyzes Wi-Fi packets, malicious code can be distributed over air.
Apple has patched this vulnerability with the release of iOS 13.5. However, the users who have not installed the update or whose devices have not received it are still at risk.
Well, well, well. Here we have one of the coolest iPhone vulnerabilities in the entire history of their existence. Vulnerable AWDL protocol allows arbitrary code execution on phones.
Exploitation does not require any user interaction. It's like in a bad hacker movie: you press a button – you hack the victim. Well, that's cool!
Well, of course, we are also pleased that the author of this vulnerability mentioned our one-year-old report about AWDL and BLE in Apple products!
Sure, we will see more than one exploit based on AWDL bugs: it's a painfully convenient channel for interacting with the phone, and it's somehow written pretty badly. The only thing that saves us is that there are very few Apple phones running older iOS versions in the world.
Tesla Model X can be stolen in minutes
Lennert Wouters, an information security specialist from KU Leuven, discovered a vulnerability that allows an attacker to hack and modify the Tesla Model X smart key fob's firmware. On top of that, there are several Bluetooth bugs both in the Model X and the key fob.
The firmware update vulnerability could be exploited using an old ECU (electronic control unit) from another Model X. An ECU can be easily purchased online, on eBay, or at various Tesla used parts stores. Attackers could modify the old ECU to trick the victim's key fob into believing that it connects to a paired vehicle. After that, all that remains is to send a malicious firmware update to the key fob via BLE (Bluetooth Low Energy). Thus, an attacker could open a car. Successful exploitation requires the attacker to be within 5 meters from the genuine key fob. Besides, only a tech-savvy attacker can do all this.
Tesla is preparing patches and plans to start rolling out an update for key fobs this week.
More than 300,000 Spotify accounts hacked
VpnMentor researchers discovered a 72 GB database of hacked Spotify accounts. It contains over 380 million entries, including usernames, passwords, email addresses, country, and personally identifiable information. The leak affected a small number of users – over 300 thousand accounts. The VpnMentor team found it on July 3 and then contacted Spotify. Spotify has reset the compromised passwords to protect users.
TikTok fixes bugs allowing account hijacking
TikTok developers have fixed two vulnerabilities that allowed hijacking user accounts registered through third-party applications. A reflected XSS was found in a vulnerable URL parameter on tiktok.com and m.tiktok.com. It could be used to execute malicious code within a victim's browser session. Also, a TikTok API endpoint is vulnerable to CSRF attacks, which allows changing account passwords of users who signed up using third-party applications.
The vulnerabilities received a severity rating of 8.2 and were patched by TikTok in late September.
Oracle WebLogic RCE exploited by DarkIRC malware
Hackers continue to attack WebLogic servers using a remote code execution (RCE) vulnerability (CVE-2020-14882) patched by Oracle two months ago. According to Shodan, there are currently about 3,000 potentially vulnerable active WebLogic servers. The most interesting malware used in these attacks is the DarkIRC botnet.
DarkIRC has been actively promoted on hacker forums since last August. Its notable feature is searching for C&C servers using a non-standard DGA algorithm. DarkIRC is loaded and launched using a PowerShell script. Before unpacking the binary, the malware checks if it's in a virtual machine or sandbox. In such a case, it terminates its processes. If the environment is favorable, the target code is unpacked and copied to the% APPDATA% \ Chrome \ Chrome.exe folder. The functionality of DarkIRC is rich: the bot can collect information about the infected system, execute commands, register keyboard input, download additional files, steal data from browsers and the Discord IM client, and replace clipboard content (e.g., Bitcoin wallet address). The malware can also execute various DDoS attacks on the application and network layers (like Slowloris and R.U.D.Y or HTTP, TCP, UDP, and SYN flood attacks). It can also spread via MSSQL, RDP, SMB, or USB.
New WAPDropper malware subscribes victims to paid services
New malware secretly subscribes Android users to paid services. Currently, cybercriminals are actively spreading malware in real attacks. Check Point discovered this new Android malware family; it's distributed by WAPDropper through third-party app stores. As soon as it hits the victim's mobile device, the subscription mechanism is immediately launched. As a result, users receive huge bills unless they unsubscribe or report the problem to their operator. This type of attack is called "WAP fraud". The malware uses two different modules: a dropper and another one directly responsible for WAP fraud. The latter is loaded after the malware is installed. The malware hides its icon so that users cannot find it on their device and uninstall the application. The malware checks if the victim is using a proxy server or a VPN.