Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

QNAP Fixes Photo App Vuln

NAS vendor QNAP has issued a patch to fix a vulnerability in its Photo Station application. The vulnerability is being actively exploited by a ransomware zero-day from the DeadBolt threat actor, starting on Saturday and continuing this week.

The attack is only a problem for users whose NAS servers are open to the Internet - something of a no-no around here. If you want to share photos, use a cloud service: they're free and perfectly set up for sharing via the web. NAS devices work best for sharing on the LAN, and QNAP has had several problems with their devices being exploited when exposed to the Internet.

Toulas, Bill, QNAP patches zero-day used in new Deadbolt ransomware attacks, Bleeping Computer, 5 September 2022. Available online at https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/.

Android Banking Trojan Poses as Antivirus and Cleaner Apps

As Google has restricted apps in its Play Store from using management API's and Accessibility permissions, the operators of the SharkbotDropper trojan have produced a new version which manages to evade detection and remains in the Play Store. The trojan poses as an antivirus called "Kyhavy Mobile Security" and a cleaner app called "Mister Phone Cleaner", with over 50 thousand and 10 thousand installs respectively.

While the previous versions of the dropper used the Accessibility permissions to fake on-screen button clicks to automatically install Sharkbot with no user interaction, the new version can no longer do this - so it downloads an APK package and the asks the user to install what it claims is an update for the fake antivirus. While an alert user might not fall for this, enough apparently do to make it worthwhile, and allows the app to evade detection in the Play Store.

Once installed, Sharkbot will perform credential stealing by displaying a phishing site in front of a banking application, keylogging, remote control via Accessibility permissions, SMS message interception and other functions. It also uses new C2 infrastructure to target user in Spain, Australia, Poland, Germany, the USA and Austria.

Segura, Alberto and Mike Stokkel, Sharkbot is back in Google Play, Fox It blog, 2 September 2022. Available online at https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/.

IRS Blunder Releases Confidential Data of 120,000 Taxpayers

A bureaucratic blunder by somebody at the US Internal Revenue Service has seen the Form 990-T confidential data on 120,000 taxpayers made available for download via the Tax Exempt Organization Search function. This form is used to report business income, claim an income tax refund, request a credit for certain federal excises and a few other purposes. While the IRS is required to publish the information filed by non-profit tax-exempt organizations, but should be kept private for individuals.

The files which contained this information have been removed from the IRS site, and the agency will be contacting organizations which routinely use the files in an attempt to have them replace them with the updated versions as they become available. Reading between the lines, it sounds as though people who do not routinely use the files but have downloaded them would not be known to the IRS.

Uncredited, IRS statement on Forms 990-T, Internal Revenue Service, 2 September 2022. Available online at https://www.irs.gov/newsroom/irs-statement-on-forms-990-t.

Quantum Computing Overhyped, Says Oxford Quantum Physicist

Oxford University physicist Nikita Gourianov has ripped into the quantum computing industry, daring to point out the elephant in the room: the industry has not yet developed one single product that can solve practical problems. As he points out, quantum computing firms are obtaining vastly more funding from investors than they are able to earn in real revenue, and such revenue as they do obtain "most comes from consulting missions aimed at teaching other companies about 'how quantum computers will help their business, as opposed to genuinely harnessing any advantages that quantum computers have over classical computers'".

This places security pros in a bind; while the prudent course for us is to assume that sooner or later quantum cryptanalysis will break public-key crypto, Gourianov argues that these fears are overblown. The original article is behind a firewall, but the link below provides an overview.

Tangermann, Victor, Oxford Physicist Unloads on Quantum Computing Industry, Says It's Basically a Scam, The Byte, 2 September 2022. Available online at https://futurism.com/the-byte/oxford-physicist-unloads-quantum-computing.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.