Cyber Security News of the week — 20.09.2021|24.09.2021

The Good

Google to Auto-Reset Unused Android App Permissions for Billions of Devices

Google on Friday said it’s bringing an Android 11 feature that auto-resets permissions granted to apps that haven’t been used in months, to devices running Android versions 6 and above.

The expansion is expected to go live in December 2021 and will be enabled on Android phones with Google Play services running Android 6.0 or higher, which the company said should cover «billions more devices.» Google officially released Android 6.0 Marshmallow on October 5, 2015.

«Some apps and permissions are automatically exempted from revocation, like active Device Administrator apps used by enterprises, and permissions fixed by enterprise policy,» Google noted. While permission auto-reset will be turned on by default for apps targeting Android 11 or higher, the new feature has to be enabled manually for apps targeting API levels 23 to 29.

The changes are part of a number of user-facing privacy and security features that Google has pushed out in recent months. In late July, the Mountain View-based company said it intends to block sign-ins to Google accounts from Android devices running version 2.3.7 or lower starting September 27, 2021.

Earlier this year, Google announced plans to add iOS-style privacy labels to app listings on the Play Store that highlight the various types of data being collected and how it’s used, in addition to limiting apps, with the exception of a few, from accessing the list of installed apps on Android devices.

Source — Google to Auto-Reset Unused Android App Permissions for Billions of Devices (thehackernews.com)

The Bad

A New Wave of Malware Attack Targeting Organizations in South America

A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans and geolocation filtering to avoid detection, according to new research.

Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat tracked as APT-C-36, a suspected South American espionage group that has been active since at least 2018 and previously known for setting its sights on Colombian government institutions and corporations spanning the financial, petroleum, and manufacturing sectors.

«These URL shorteners are capable of geographical targeting, so if a user from a country not targeted by the threat actors clicks on the link, they will be redirected to a legitimate website,» Trend Micro researchers detailed in a report published last week. «The URL shorteners also have the ability to detect the major VPN services, in which case, the shortened link leads the users to a legitimate website instead of redirecting them to the malicious link.»

Multiple verticals, including government, financial, healthcare, telecommunications, and energy, oil, and gas, are said to have been affected, with a majority of the targets for the latest campaign located in Colombia and a smaller fraction also coming from Ecuador, Spain, and Panama.
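The practical consequence of that filtering for defenders is that a single detonation from a cloud sandbox or over a VPN will only ever see the decoy site. The following is an added example (not code from the page or from Trend Micro) that simulates the shortener's decision logic and then checks a link from several vantage points, flagging it when the landing page differs by who clicks. All IP prefixes, ASNs, URLs and vantage points are constructed for illustration and stand in for a real GeoIP database, an ASN feed and live redirect following.

```python
"""
Geofenced URL-shortener behaviour and a multi-vantage detonation check.

Added example, not code from the page or from Trend Micro. The shortener
logic, IP ranges, ASNs and URLs below are constructed to illustrate the
technique described in the report; none of it is real infrastructure.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# --- Constructed attacker-side lookup data (hypothetical, for illustration) ---
# Country assignment by prefix, standing in for a GeoIP database.
GEOIP_PREFIXES = {
    "190.0.0.0/8": "CO",    # Colombia
    "186.0.0.0/8": "EC",    # Ecuador
    "200.0.0.0/8": "PA",    # Panama
    "104.16.0.0/12": "US",  # United States
}
# ASNs the operator treats as VPN or cloud egress, i.e. likely analyst traffic.
VPN_ASNS = {9009, 16509, 212238}
TARGET_COUNTRIES = {"CO", "EC", "ES", "PA"}

DECOY_URL = "https://www.example.com/"                 # legitimate-looking site
PAYLOAD_URL = "https://files.example.invalid/doc.zip"  # placeholder malicious link


def lookup_country(ip: str) -> str | None:
    """Map an IP to a country code using the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEOIP_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


def shortener_redirect(client_ip: str, client_asn: int) -> str:
    """Decide where the shortened link sends this client.

    Mirrors the filtering described in the report: clients outside the target
    countries, or arriving from a known VPN/cloud ASN, get the legitimate site.
    """
    if client_asn in VPN_ASNS:
        return DECOY_URL
    if lookup_country(client_ip) not in TARGET_COUNTRIES:
        return DECOY_URL
    return PAYLOAD_URL


@dataclass(frozen=True)
class Vantage:
    name: str
    ip: str
    asn: int


# Constructed vantage points an analyst might detonate from.
VANTAGES = [
    Vantage("sandbox-us-cloud", "104.18.3.7", 16509),    # cloud sandbox, US
    Vantage("analyst-vpn-co", "190.25.10.4", 9009),      # Colombian IP, VPN ASN
    Vantage("victim-profile-co", "190.25.10.5", 19429),  # residential-like, Colombia
]


def detonate_from_all(vantages=VANTAGES) -> dict[str, str]:
    """Follow the link from each vantage and record the landing URL.

    In a real workflow this is an HTTP client following redirects from each
    egress; here it calls the simulated shortener directly.
    """
    return {v.name: shortener_redirect(v.ip, v.asn) for v in vantages}


def is_geofenced(landings: dict[str, str]) -> bool:
    """A link that lands somewhere different depending on who clicks behaves
    like the geofenced shorteners in this campaign: treat it as suspicious
    even if the sandbox only ever saw the decoy."""
    return len(set(landings.values())) > 1


if __name__ == "__main__":
    results = detonate_from_all()
    for name, url in results.items():
        print(f"{name:20s} -> {url}")
    print("geofenced:", is_geofenced(results))
```

The point of the check is the comparison, not any single result: when only one of the vantages sees the payload URL, a detonation from the wrong geography or over a VPN would have marked the link clean. Running the same link from an egress that matches the targeted region and a residential-looking ASN is what exposes the real landing page.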

Source — A New Wave of Malware Attack Targeting Organizations in South America (thehackernews.com)

The Ugly

Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug

The compromised server, which belonged to an unnamed services company, was used to collect timesheet and accounting data for payroll as well as to host a number of virtual machines, according to a report published by Sophos and shared with The Hacker News. «The surprising thing is that this server was in active daily use.» The British security software firm said the «rapid break-in» was made possible by exploiting an 11-year-old installation of Adobe ColdFusion 9 running on Windows Server 2008, both of which have reached end-of-life. Upon gaining an initial foothold, the attackers used a range of methods to conceal their files, inject code into memory, and cover their tracks by overwriting files with garbled data. They were also able to disarm security products because tamper protection had been turned off.

In the next stage, the attackers are believed to have exploited a further ColdFusion vulnerability, CVE-2009-3960, to upload a malicious Cascading Style Sheet file to the server and use it to load a Cobalt Strike Beacon executable. That binary then acted as a conduit for the remote operators to drop additional payloads, create a user account with admin privileges, and disable endpoint protection and anti-malware engines such as Windows Defender before commencing the encryption process.
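A malicious file dropped into a web root under a benign extension is a hunt a defender can run without knowing the exact exploit. The following is an added example (not code from the page or from Sophos) that flags files carrying a static-asset extension such as .css whose content is a Windows executable, CFML markup, or otherwise binary. The sample web root, file names and contents are constructed for illustration; `scan_directory` is the same check over a real path such as a ColdFusion wwwroot.

```python
"""
Hunt for web-root files whose content does not match their extension.

Added example, not from the page or from Sophos. It flags a Windows
executable (MZ header) or ColdFusion markup hiding under a static-asset
extension such as .css. Sample files are constructed inline; paths are
hypothetical.
"""
from __future__ import annotations

import re
from pathlib import Path

STATIC_EXTENSIONS = {".css", ".js", ".txt", ".jpg", ".png", ".gif", ".ico"}
# CFML tags that have no business inside a static asset.
CFML_MARKER = re.compile(rb"<cf(?:script|execute|file|http|query)\b", re.IGNORECASE)
# Control bytes typical of binaries; tab, LF and CR are allowed in text.
CONTROL_BYTES = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def classify(name: str, data: bytes) -> str | None:
    """Return a finding label for a suspicious file, or None if it looks benign.

    Only the first 2 KiB are inspected; that is enough for a PE header and
    for CFML at the top of a file, and keeps a full web-root scan cheap.
    """
    ext = Path(name).suffix.lower()
    if ext not in STATIC_EXTENSIONS:
        return None
    head = data[:2048]
    if head.startswith(b"MZ"):
        return "pe-executable-with-static-extension"
    if CFML_MARKER.search(head):
        return "cfml-in-static-file"
    if CONTROL_BYTES.search(head):
        return "binary-content-with-static-extension"
    return None


def scan(files: dict[str, bytes]) -> dict[str, str]:
    """Scan an in-memory {relative_path: content} map; returns path -> finding."""
    findings: dict[str, str] = {}
    for name, data in files.items():
        label = classify(name, data)
        if label:
            findings[name] = label
    return findings


def scan_directory(root: str | Path, max_bytes: int = 2048) -> dict[str, str]:
    """Same check over a real web root (for example a ColdFusion wwwroot)."""
    root = Path(root)
    files: dict[str, bytes] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in STATIC_EXTENSIONS:
            with p.open("rb") as fh:
                files[str(p.relative_to(root))] = fh.read(max_bytes)
    return scan(files)


# Constructed sample web root (contents are illustrative, not real artefacts).
SAMPLE_WEBROOT = {
    "css/site.css": b"body { margin: 0; font-family: sans-serif; }\n",
    "js/app.js": b"document.addEventListener('DOMContentLoaded', () => {});\n",
    # A PE image renamed to .css: MZ header followed by padding.
    "css/theme.css": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 64,
    # CFML dropped into a file that should only ever hold style rules.
    "css/style.css": b'<cfexecute name="cmd.exe" arguments="/c whoami" timeout="10" />\n',
    # CFML where CFML belongs: not a static extension, so not flagged.
    "index.cfm": b"<cfoutput>#now()#</cfoutput>\n",
}


if __name__ == "__main__":
    for path, finding in scan(SAMPLE_WEBROOT).items():
        print(f"{finding:40s} {path}")
```

Two of the five constructed files are reported: the renamed executable and the style sheet carrying a `<cfexecute>` tag. The check is deliberately content-based rather than signature-based, so it also surfaces files an attacker has renamed to look like images or scripts; pair it with file creation times from the web server logs to narrow down when the upload happened.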

Source — Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug (thehackernews.com)

Stay Focused. Stay Vigilant.

Cyber Security News Team — Cyber Security Community of SLIIT

First they begin with Us..