Cyber Security News — Past 24 hours | 01.05.2021

May 1, 2021

Apple AirDrop Vulnerability Exposes Users’ Personal Information — Official Patch Awaited

Apple users relying on AirDrop should stay cautious while using it. Researchers at the Technical University of Darmstadt have discovered a serious security vulnerability in Apple's AirDrop feature. AirDrop is built into Apple devices and lets users share data wirelessly with nearby devices. It works over Bluetooth and Wi-Fi and allows sending even large files to devices within range. While AirDrop provides convenience, the bug means it can also expose users' personal data to anyone within radio range.

As described on a dedicated website, the researchers found two main issues. One exposes the sender's details, the other the receiver's. Both stem from how AirDrop's mutual-contact check hashes contact identifiers (phone numbers and e-mail addresses): the hashes are exchanged during discovery, and because a phone number has very little entropy, the hash can be reversed by simple enumeration. A malicious receiver can therefore learn all contact identifiers of the sender without any prior knowledge of the target; it simply has to wait for a sender to scan for available AirDrop receivers. Conversely, a malicious sender can learn all contact identifiers of the receiver without any prior knowledge of the receiver, provided the receiver has the sender in its contacts. This second case does not involve strangers, but a sender who is already in the receiver's address book can exploit it without knowing anything else about the receiver.

The researchers found the issue in 2019 and reported it to Apple at the time. As of April 20, 2021, however, Apple had not committed to a fix, so current Apple users with AirDrop enabled remain vulnerable. To protect users, the researchers have developed and open-sourced a safer alternative, PrivateDrop. Interested users can find it on GitHub, where the researchers have shared setup details. The team has published more details about the issue in a white paper and will present the research at the upcoming 30th USENIX Security Symposium (USENIX Security'21).
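Why an unsalted hash of a phone number offers no protection is easy to show. The Python below is an added illustration, not the researchers' code, PrivateDrop, or anything from Apple: it hashes a constructed phone number and a constructed e-mail address the way a contact-discovery protocol might (plain SHA-256 over the identifier string is an assumption; AirDrop's exact normalisation is not reproduced), then recovers both by enumerating the small candidate space. The function names, the number format and the candidate lists are my own.

```python
import hashlib
import time


def hash_identifier(identifier: str) -> str:
    """Unsalted SHA-256 of a contact identifier.

    Assumption for this demo: the protocol hashes the normalised identifier
    string with no salt or key, so identical identifiers always produce
    identical hashes and an attacker can precompute or enumerate them.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_phone(target_hash: str, known_prefix: str, unknown_digits: int):
    """Recover a phone number from its hash by enumerating every number under
    a known prefix (country code and area code are usually guessable).

    Returns the matching number, or None if the hash is not in the space.
    """
    for tail in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{tail:0{unknown_digits}d}"
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


def recover_email(target_hash: str, local_parts, domains):
    """Dictionary attack on a hashed e-mail address: try every combination of
    a list of likely local parts and a list of likely domains."""
    for local in local_parts:
        for domain in domains:
            candidate = f"{local}@{domain}"
            if hash_identifier(candidate) == target_hash:
                return candidate
    return None


def hashes_per_second(sample: int = 20_000) -> float:
    """Measure single-threaded SHA-256 throughput on this machine."""
    start = time.perf_counter()
    for i in range(sample):
        hash_identifier(f"+1555{i:07d}")
    return sample / (time.perf_counter() - start)


def seconds_for_space(digits: int, rate: float) -> float:
    """Time to exhaust every number with `digits` unknown digits at `rate`
    hashes per second. A full national numbering plan is ~10 digits."""
    return 10 ** digits / rate


if __name__ == "__main__":
    # Constructed victim identifiers (not real people).
    victim_phone = "+15550142817"
    victim_email = "alice.miller@example.com"

    # Attacker only sees the hashes, e.g. captured during discovery.
    phone_hash = hash_identifier(victim_phone)
    email_hash = hash_identifier(victim_email)

    # Attacker assumes country code +1 and area/exchange 555-01 are known,
    # leaving 5 unknown digits: 100,000 candidates.
    print("phone:", recover_phone(phone_hash, "+155501", 5))
    print("email:", recover_email(email_hash,
                                  ["alice.miller", "bob.smith", "carol"],
                                  ["example.com", "example.org"]))

    rate = hashes_per_second()
    print(f"{rate:,.0f} hashes/s in pure Python; a full 10-digit space takes "
          f"{seconds_for_space(10, rate) / 3600:.1f} h single-threaded "
          f"(a GPU does this in seconds).")
```

The attacker never needs to know the target in advance: the whole space of valid phone numbers can be hashed once and kept as a lookup table, which is exactly why the researchers replaced the hash comparison with a private set intersection in PrivateDrop.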

Source —

Emotet Malware Uninstalls Itself From All The Infected Computers World Wide

In January, the FBI and law enforcement agencies from around the world announced that the Emotet malware would be automatically removed from all infected computers.

The agencies involved in the operation were from the Netherlands, Germany, the United States, Great Britain, France, Lithuania, Canada, and Ukraine.

According to the report, the agencies seized control of several hundred botnet servers, took the entire infrastructure offline, and stopped all of its malicious activity.

Using their access to the Emotet control servers, the officers placed the malware under the control of the German Federal Criminal Police Office (Bundeskriminalamt, BKA).

Having stopped the botnet, how did the Emotet uninstaller work? The German federal police pushed a new Emotet module, a 32-bit EmotetLoader.dll, to all infected systems, with a built-in trigger that would uninstall the malware on April 25, 2021. Security analysts who advanced the system clock on a test machine found that the uninstaller only deletes the associated Windows services and autorun Registry keys and then exits the process; everything else on the compromised machine is left in place. In effect, the BKA quarantined Emotet on the systems it had compromised rather than fully cleaning them.

Europol stated that the BKA was responsible for creating and pushing the uninstall module, and the US Department of Justice (DOJ) likewise confirmed that the Bundeskriminalamt pushed the uninstaller to the systems compromised by Emotet.

Source —

A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and «backdoor every PHP package,» resulting in a supply-chain attack. Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications available on Packagist, the repository that aggregates all public PHP packages installable with Composer. SonarSource, the Geneva-based code security firm that reported the flaw, said one of the bugs was introduced in November 2011, meaning the vulnerable code had been present since development on Composer started 10 years ago.
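The page does not spell out the bug class. The maintainers' advisory described it as an argument injection: a repository URL taken from package metadata was placed on a VCS command line, so a URL beginning with a dash was parsed by the tool as an option rather than a location. The Python below is an added illustration of that pattern, not Composer's code and not PHP: it builds a clone command the vulnerable way and the hardened way and shows how an option parser would see each. The function names and the sample URL are my own; nothing is executed.

```python
from urllib.parse import urlsplit

# Assumed policy: only network URL schemes may reach the VCS client.
ALLOWED_SCHEMES = {"https", "http", "ssh"}


def build_clone_argv_vulnerable(repo_url: str, dest: str) -> list:
    """Vulnerable pattern: attacker-controlled text goes straight into argv
    at a position where the VCS tool is still parsing options.

    For hg, a 'URL' like '--config=alias.clone=!<cmd>' redefines the clone
    command itself, so the attacker's command runs instead of a clone.
    """
    return ["hg", "clone", repo_url, dest]


def validate_repo_url(repo_url: str) -> str:
    """Reject anything that is not a real URL or that looks like an option."""
    if repo_url.startswith("-"):
        raise ValueError(f"repository URL looks like an option: {repo_url!r}")
    parts = urlsplit(repo_url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported or malformed repository URL: {repo_url!r}")
    return repo_url


def is_accepted(repo_url: str) -> bool:
    """Convenience wrapper: True if validate_repo_url accepts the URL."""
    try:
        validate_repo_url(repo_url)
        return True
    except ValueError:
        return False


def build_clone_argv_hardened(repo_url: str, dest: str) -> list:
    """Hardened: validate first, then end option parsing with '--' so every
    following word is positional even if validation is ever bypassed."""
    return ["hg", "clone", "--", validate_repo_url(repo_url), dest]


def is_option_injected(argv: list) -> bool:
    """Approximate how a getopt-style parser sees argv after the subcommand:
    any word before a bare '--' that starts with '-' is consumed as an option."""
    for word in argv[2:]:
        if word == "--":
            return False
        if word.startswith("-"):
            return True
    return False


if __name__ == "__main__":
    # Constructed hostile package URL; '!' makes hg run a shell command.
    evil = "--config=alias.clone=!id > /tmp/pwned"
    good = "https://example.org/vendor/repo"

    print("vulnerable:", build_clone_argv_vulnerable(evil, "vendor/pkg"),
          "injected" if is_option_injected(build_clone_argv_vulnerable(evil, "vendor/pkg")) else "safe")
    print("hardened  :", build_clone_argv_hardened(good, "vendor/pkg"))
    print("hostile URL accepted by validator?", is_accepted(evil))
```

The two defences are independent on purpose: the allow-list stops hostile input at the boundary, and the `--` terminator makes the command line safe by construction, so a future parser quirk in the validator does not reopen the hole.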

Source —

LuckyMouse Hackers Target Banks, Companies and Governments in 2020

An adversary known for its watering-hole attacks against government entities has been linked to a slew of newly detected intrusions targeting various organizations in Central Asia and the Middle East. The attacks involved deploying a toolkit dubbed SysUpdate in a number of breached organizations, including government and diplomatic agencies, telecom providers, a TV media company, and a commercial bank. The actor has also been linked to cyberattacks aimed at transnational organizations such as the International Civil Aviation Organization in 2019 and recently attracted attention for exploiting the ProxyLogon flaws to compromise the email server of a governmental entity in the Middle East.

«LuckyMouse was increasingly active throughout 2020, seemingly going through a retooling process in which various features were being incrementally integrated into the SysUpdate toolkit,» ESET researcher Matthieu Faou said. «This may be an indicator that the threat actors behind LuckyMouse are gradually shifting from using HyperBro to SysUpdate.»

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT