Blog entry by Les Bell

by Les Bell - Tuesday, 23 August 2022, 8:34 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Counterfeit Phones Harbour WhatsApp Back Doors

Antivirus firm Dr. Web has discovered a number of low-end Android smartphones which carry pre-installed malware intended to target the WhatsApp and WhatsApp Business messaging apps. The phones, which are designed and named to mimic some high-end models, are popular in Asia, as is WhatsApp. This type of phone is also often picked up as a spare by travellers for use with a local SIM.

The back doors live in the system partition of the phones, which, despite what they advertise, run an outdated version of Android. One of the core Android system libraries has been slightly modified so that, whenever it is loaded by an application, it also loads a trojan from the file libmtd.so. This first stage checks which application caused it to load and, if that is WhatsApp, WhatsApp Business or the "Settings" or "Phone" system apps, loads a second-stage trojan. The second stage sends system information to a C2 server, which replies with a list of available plugins. From there the trojan has full access to the application's files and can read chat messages, send spam, intercept and listen in on phone calls, and perform many other actions.
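Two of the indicators above can be checked on a suspect handset without any vendor tooling: the build properties a fake "flagship" reports, and the presence of the loader library in the system partition. The following triage script is an added example (not Dr.Web's code, and not taken from their report beyond the file name libmtd.so). The model name, property values and file list are constructed for the example; the SDK-to-release table is the public Android version table.

```python
import re

# Android SDK (API) level -> the Android release that shipped it.  This is
# the public Android version table, not something taken from the Dr.Web report.
SDK_TO_RELEASE = {
    19: "4.4", 21: "5.0", 22: "5.1", 23: "6.0", 24: "7.0", 25: "7.1",
    26: "8.0", 27: "8.1", 28: "9", 29: "10", 30: "11", 31: "12", 32: "12", 33: "13",
}

# Name of the first-stage loader library reported by Dr.Web.
SUSPECT_LIBS = {"libmtd.so"}

# Lines of `adb shell getprop` look like: [ro.build.version.sdk]: [29]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample: what a fake "flagship" might report.  Model name,
# version strings and file list are invented for this example.
SAMPLE_GETPROP = """\
[ro.product.model]: [FlagshipPro-2022]
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.build.tags]: [release-keys]
"""
SAMPLE_SYSTEM_LIBS = ["libc.so", "libcutils.so", "libmtd.so", "libutils.so"]


def parse_getprop(text):
    """Turn getprop output into a {key: value} dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def triage(props, system_libs):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []

    # 1. Does the advertised Android release match the SDK level the build
    #    actually reports?  A counterfeit that lies about its version usually
    #    only edits the human-visible release string.
    release = props.get("ro.build.version.release", "")
    try:
        sdk = int(props.get("ro.build.version.sdk", ""))
    except ValueError:
        sdk = None
    expected = SDK_TO_RELEASE.get(sdk)
    if expected and release and release.split(".")[0] != expected.split(".")[0]:
        findings.append(
            f"release string '{release}' does not match SDK {sdk} "
            f"(that API level belongs to Android {expected})"
        )

    # 2. Is the loader library named in the report present in the system image?
    for lib in system_libs:
        if lib in SUSPECT_LIBS:
            findings.append(f"suspect library present in system partition: {lib}")

    return findings


if __name__ == "__main__":
    for finding in triage(parse_getprop(SAMPLE_GETPROP), SAMPLE_SYSTEM_LIBS):
        print("FLAG:", finding)
```

On a real device the two inputs come from `adb shell getprop` and from splitting the output of `adb shell ls /system/lib /system/lib64` into file names. Neither check proves infection on its own, but a build whose release string and SDK level disagree is not a genuine flagship, and that alone is reason to treat the phone as untrusted.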

Uncredited, Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices, Dr. Web, 22 August 2022. Available online at https://news.drweb.com/show/?i=14542&lng=en.

Residential Proxies Used for Credential Stuffing Attacks

The FBI and Australian Federal Police have jointly warned that threat actors are using proxies on residential service provider networks to run credential stuffing attacks. By spreading the attempts across many residential addresses, rather than sending them all from a single IP address, they make it hard for firewalls and web application defences to identify and rate-limit the attacks.

Naive home users are often persuaded to install proxy software by the promise that, by pooling their bandwidth with that of other users, they will enjoy faster downloads, or that they can earn some money by selling their unused bandwidth. The faster-downloads pitch is, of course, technical nonsense: your cable modem or ADSL connection is a single pipe of fixed 'diameter', and you cannot push more through it by borrowing someone else's pipe to the Internet. Nevertheless, once the software is installed, these users' connections become an opportunity for cyber criminals.

Residential networks are also a more plausible source of ordinary user traffic; firewalls and fraud-detection systems are far more likely to block logon attempts originating from data center networks - although, having said that, I routinely observe attempts to send traffic through the mod_proxy module on my own web servers.
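The evasion described above works precisely because most defences count failures per source address. The following is an added example (not from the FBI notification or any product) that runs two detection rules over constructed auth-log lines: a conventional per-IP threshold, and a campaign-level view that looks at how many distinct addresses and accounts the failures are spread across. The log format, account names and addresses (all from RFC 5737 documentation ranges) are invented for the example.

```python
import re
from collections import Counter

# Constructed auth-log format for this example (not a real product's format):
#   2022-08-18T10:00:01Z user=alice src=203.0.113.10 result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def constructed_log(with_campaign=True):
    """Build sample log lines.  All addresses are from RFC 5737 documentation ranges."""
    lines = [
        "2022-08-18T09:58:00Z user=alice src=203.0.113.10 result=FAIL",  # fumbled password
        "2022-08-18T09:58:07Z user=alice src=203.0.113.10 result=OK",
        "2022-08-18T09:59:30Z user=bob src=203.0.113.11 result=OK",
    ]
    # One misconfigured client hammering a single account from a single host:
    # the classic case a per-IP threshold is designed for.
    lines += [
        f"2022-08-18T09:59:{s:02d}Z user=svc-backup src=203.0.113.77 result=FAIL"
        for s in range(40, 52)
    ]
    if with_campaign:
        # Credential stuffing through rotating residential proxies: sixty
        # failures, sixty different accounts, sixty different source addresses.
        lines += [
            f"2022-08-18T10:00:{s:02d}Z user=acct{s:03d} src=198.51.100.{s + 1} result=FAIL"
            for s in range(60)
        ]
    return lines


def parse(lines):
    """Yield one dict per well-formed line; skip anything that doesn't match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def per_ip_offenders(events, threshold=10):
    """Source addresses with at least `threshold` failed logons: the per-IP view."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def campaign_indicators(events):
    """Aggregate failed logons across the whole window rather than per address."""
    fails = [e for e in events if e["result"] == "FAIL"]
    n = len(fails)
    ips = {e["ip"] for e in fails}
    users = {e["user"] for e in fails}
    return {
        "failures": n,
        "distinct_ips": len(ips),
        "distinct_users": len(users),
        # Close to 1.0 means almost every failure came from a fresh address,
        # which is what proxy rotation produces and per-IP limits never see.
        "ips_per_failure": len(ips) / n if n else 0.0,
        "users_per_failure": len(users) / n if n else 0.0,
    }


def looks_like_distributed_stuffing(ind, min_failures=50, min_ratio=0.5):
    """Many failures, spread over many addresses and many accounts."""
    return (ind["failures"] >= min_failures
            and ind["ips_per_failure"] >= min_ratio
            and ind["users_per_failure"] >= min_ratio)


if __name__ == "__main__":
    events = list(parse(constructed_log()))
    print("per-IP offenders:", per_ip_offenders(events))
    ind = campaign_indicators(events)
    print("campaign indicators:", ind)
    print("distributed stuffing?", looks_like_distributed_stuffing(ind))
```

Run over the sample, the per-IP rule flags only the noisy host 203.0.113.77 and misses all sixty proxied attempts, each of which fails just once from its own address; the campaign view catches them because the failure count, the address spread and the account spread all jump together. The thresholds here are placeholders; in production they are set from a baseline of the site's normal failed-logon rate.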

Uncredited, Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts, FBI Private Industry Notification, 18 August 2022. Available online at https://www.ic3.gov/Media/News/2022/220818.pdf.

New Malware Combines RAT, Spyware and Ransomware

A new remote access trojan called Borat RAT goes beyond simple remote control: it can download a ransomware payload to the victim's machine and also run as a keylogger. The malware, discovered and named by Cyble, can also operate as a remote proxy, credential stealer and trojan dropper. It has a few other tricks which seem primarily intended to annoy or intimidate the victim, such as turning the monitor on and off and hiding and unhiding the taskbar and Start button. It can also record audio and video if a microphone and webcam are found.

Uncredited, Meet Borat RAT, a New Unique Triple Threat, The Hacker News, 22 August 2022. Available online at https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.html.

Yet Another Air Gap Technique

Dr. Mordechai Guri of Ben-Gurion University of the Negev, who specialises in devising incredibly ingenious techniques for exfiltrating data across air gaps, has come up with yet another. This time he uses the micro-electro-mechanical (MEMS) gyroscope found in most smartphones to pick up ultrasonic tones generated by the speakers of a nearby infected computer and demodulate them into binary data. By using the gyroscope the exploit avoids the microphone, access to which is guarded by an explicit permission prompt; the gyroscope, by contrast, is generally regarded as harmless, and on Android an app can read it without requesting any permission at all.

Dr. Guri's experiments show that, after infecting the victim computer, perhaps via a compromised USB key, attackers can exfiltrate sensitive data over a few metres of air gap using this 'speakers-to-gyroscope' covert channel. By now, Dr. Guri and his research group have pretty much demolished the notion that information cannot be exfiltrated from a computer that is not connected to any kind of network or communications link.
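The receiver side of such a channel is ordinary signal processing: the sensor is read as a sampled waveform, and each symbol window is tested for which of two tones is present. The block below is an added example of that demodulation step (binary frequency-shift keying recovered with the Goertzel algorithm), not Dr. Guri's code. The sample rate, tone frequencies and symbol length are constructed so the example runs in pure Python; they are not the ultrasonic frequencies, sensor settings or bit rates from the GAIROSCOPE paper, which this page does not reproduce.

```python
import math
import random

# Constructed link parameters for an illustrative binary-FSK channel.  They
# are NOT the frequencies, symbol rates or sensor settings from Guri's paper,
# which this page does not reproduce; the point is the demodulation method.
SAMPLE_RATE = 200       # samples per second read from the "gyroscope"
SYMBOL_SAMPLES = 20     # samples per bit, i.e. 10 bit/s at this rate
F_ZERO = 20.0           # tone for a 0 bit (Hz); 20*20/200 = bin 2 exactly
F_ONE = 40.0            # tone for a 1 bit (Hz); 40*20/200 = bin 4 exactly


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data, noise=0.0, seed=1):
    """Transmitter side: one tone burst per bit, plus optional Gaussian noise
    standing in for the sensor's own jitter and room vibration."""
    rng = random.Random(seed)
    samples = []
    for bit in bytes_to_bits(data):
        freq = F_ONE if bit else F_ZERO
        for _ in range(SYMBOL_SAMPLES):
            t = len(samples) / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * freq * t) + rng.gauss(0.0, noise))
    return samples


def goertzel_power(block, freq):
    """Power of `block` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(block)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Receiver side: for each symbol window, decide which tone is stronger."""
    bits = []
    usable = len(samples) - len(samples) % SYMBOL_SAMPLES
    for i in range(0, usable, SYMBOL_SAMPLES):
        block = samples[i:i + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    return bits_to_bytes(bits)


if __name__ == "__main__":
    sensor_trace = modulate(b"air gap", noise=0.3)
    print(demodulate(sensor_trace))
```

The tones are chosen to fall on exact DFT bins of the symbol window, so each bit decision only compares two Goertzel power estimates and no FFT library is needed; that is also why a receiver of this kind is cheap enough to run as a background task on a phone. A real channel additionally needs a preamble for symbol synchronisation and some error correction, which are left out here.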

Guri, Mordechai, GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes, 18th Intl. Conf. on Privacy, Security and Trust (PST), Auckland, 21 December 2021. Available online at https://arxiv.org/abs/2208.09764.


The next few days' Security News may appear at odd times, as travel interferes with the work cycle.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.