Search This Blog

Showing posts with label Devices. Show all posts

Here’s List of the World’s Riskiest Connected Devices

 

IoT devices ranging from video conferencing systems to IP cameras are among the five riskiest IoT devices connected to networks, according to research highlighted by Forescout's cybersecurity research arm, Vedere Labs. 

In their recent research, the company identified recurring themes, showcasing the increasing attack surface as more devices are connected to enterprise networks, as well as how threat actors are able to leverage these devices to achieve their goals. 

“IP cameras, VoIP and video-conferencing systems are the riskiest IoT devices because they are commonly exposed on the internet, and there is a long history of threat actor activity targeting them,” The Forescout report said.

With the addition of IoMT in healthcare, the attack surface now includes IT, IoT, and OT in almost every organisation. Organizations must be aware of dangerous devices in all categories. Forescout recommends that companies implement automated controls and that they do not rely on siloed security in the IT network, OT network, or for specific types of IoT devices.

This latest study updates the company's findings from 2020, in which networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs) were listed as the riskiest devices across IT, IoT, OT, and IoMT in 2022.

New entrants, such as hypervisors and human-machine interfaces (HMIs), however, are indicative of trends such as critical vulnerabilities and increased OT connectivity.

Vedere Labs examined device data in Forescout's Device Cloud between January 1 and April 30. The anonymized data comes from Forescout customer deployments and contains information on nearly 19 million devices, which the company claims are growing on a daily basis.

A device's overall risk was calculated based on three factors: configuration, function, and behaviour. Vedered Labs calculated averages per device type after measuring the risk of each individual device to determine which are the riskiest.

7-year Android Malware Campaign Targeted Uyghurs: Report

 

A long-running surveillance and espionage campaign targeting one of China's largest ethnic minority groups has been revealed by researchers. Palo Alto Networks discovered the "Scarlet Mimic" group in 2016, which was initially spotted targeting Uyghur and Tibetan rights activists. 

Although the Chinese government has long oppressed and spied on these and other minority groups in the country, no direct attribution of this group's activities to Beijing is currently available. Check Point explained in a new report this week that Scarlet Mimic's mobile malware dates back to 2015. 

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

It has since identified 20 variants of the MobileOrder Android spyware, the most recent of which was discovered in mid-August of this year.

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

The malware is thought to be hidden in applications with Uyghur-language titles and disguised as PDF documents, photos, or audio. According to Check Point, it is spread through social engineering rather than being made available on the Google Play Store.

“When the victim opens the decoy content, the malware begins to perform extensive surveillance actions in the background. These include stealing sensitive data such as the device information, SMS messages, the device location, and files stored on the device,” the report continued.

“The malware is also capable of actively executing commands to run a remote shell, take photos, perform calls, manipulate the SMS, call logs and local files, and record the surround sound.”

Check Point advised anyone who might be a victim of this campaign to install anti-malware software on their device, use a VPN, and avoid clicking on suspicious links.

"Scarlet Mimic seems to be a politically motivated group. In the past, there have been reports from other researchers that it could be linked to China,” the vendor concluded.

“If true, it would make these surveillance operations part of a much wider issue, as this minority group has reportedly been on the receiving end of attacks for many years.”

This week, Beijing is on the defensive at the United Nations after a long-awaited report from the UN Human Rights Office confirmed evidence of serious human rights violations against Uyghur and other ethnic minority groups in Xinjiang.

Researchers Discovered Counterfeit Phones with Backdoor to Hack WhatsApp Accounts

 

Budget Android device models that are replicas of popular smartphone brands are infected with numerous trojans devised to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web discovered the malware in the system partitions of at least four different smartphones in July 2022: P48pro, redmi note 8, Note30u, and Mate40. 

The cybersecurity firm said in a report published, "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."

The tampering specifically affects two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so," which have been modified in such a way that when the libcutils.so system library is used by any app, it activates the execution of a trojan embedded in libmtd.so. If the apps that use the libraries are WhatsApp and WhatsApp Business, libmtd.so launches a third backdoor whose primary function is to download and install additional plugins from a remote location.

The researchers stated, "The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules."

Libmtd.so is configured to start a local server that enables connections from a remote or local client via the "mysh" console if the app using the libraries turns out to be wpa supplicant - a system daemon used to manage network connections.

Potential Risks

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web hypothesised that the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family.

The malicious app, on the other hand, is designed to exfiltrate detailed metadata concerning the infected device as well as download and install other software without the user's knowledge using Lua scripts.

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.