BU-CERT – Bournemouth University Computer Emergency Response Team

Catastrophic hack of AT&T and Verizon is proof Apple is right about iPhone encryption

Posted on 9 October 2024

From bgr.com

For years, Apple has implemented strong encryption in the iPhone and most of its other products, resisting requests from Western governments to build backdoors into its encrypted software. Because, for years, we saw politicians in the US, UK, and other regions demand iPhone backdoors that law enforcement agencies can use when dealing with criminals hiding behind encrypted products and services.

…Fast-forward to early October, and a stunning The Wall Street Journal report shows exactly what happens with backdoors in secure systems. A team of hackers associated with the Chinese government reportedly obtained access to critical infrastructure belonging to AT&T, Lumen, and Verizon that US law enforcement uses for wiretapping purposes.

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

Posted on 17 September 2024

From thehackernews.com

Details have emerged about a now-patched security flaw impacting Apple’s Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device’s virtual keyboard.

The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865.

“A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing,” a group of academics from the University of Florida, CertiK Skyfall Team, and Texas Tech University said.

“The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar.”

Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.

Cloudflare outage cuts off access to websites in some regions

Posted on 17 September 2024

From bleepingcomputer.com

A rolling Cloudflare outage is impacting access to web sites worldwide, including BleepingComputer, with sites working in some regions and not others.

While Cloudflare says they are currently conducting scheduled maintenance in Sinagpore and Nashville, its status page does not indicate any problems.

However, for many users worldwide, when attempting to access websites utilizing Cloudflare, web browsers will display error messages stating they have trouble connecting to the server, as shown below.

Student Smishing Scams on the Rise

Posted on 12 September 2024

From gov.uk / Student Loans Company

At the start of the 24/25 academic year, the Students Loans Company (SLC) is reminding students to be vigilant of smishing scams.

Scammers target students at this time of year as they receive their first maintenance loan payment. SLC is expecting to pay £2bn to students over the autumn term and last year it stopped £2.9m of maintenance loan payments being taken by smishing and phishing scams, where students received and acted on false communications.

Smishing, which is fraud involving text messages, is currently the most popular form of scam, with students usually being asked to click a link to complete a task – for example verifying bank details or confirming their personal information, providing an opportunity for a payment to be diverted to a scammer’s bank account.

Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs

Posted on 28 August 2024

From bleepingcomputer.com

The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks.

Versa Director is a management platform ISPs and MSPs use to manage virtual WAN connections created using SD-WAN services.

The vulnerability is tracked as CVE-2024-39717 and resides in a feature allowing admins to upload custom icons to customize the Versa Director GUI. However, the flaw allowed threat actors with administrator privileges to upload malicious Java files disguised as PNG images, which can then be executed remotely.

In an advisory published yesterday, Versa says that Director versions 21.2.3, 22.1.2, and 22.1.3 are impacted by the flaw. Upgrading to the latest version, 22.1.4, will fix the vulnerability, and admins should review the vendor’s system hardening requirements and firewall guidelines.

Versa told BleepingComputer that they classify this vulnerability as a privilege elevation flaw as it was used to harvest credentials from users who logged into the system. However, other types of malware could have been used to perform different types of malicious activity on the device.

macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

Posted on 28 August 2024

From thehackernews.com

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.

The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said.

HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed via self-extracting zip archives or malicious RTF documents presumably built using the Royal Road RTF weaponizer.

The attack chains involving RTF documents are engineered to deploy the Windows version of the malware that’s executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor (CVE-2017-11882).

New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

Posted on 28 August 2024

From thehackernews.com

Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” Netskope Threat Labs researcher Jan Michael Alcantara said.

“Additionally, a victim uses their Microsoft 365 account that they’re already logged-into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe.”

The attacks have primarily singled out users in Asia and North America, with technology, manufacturing, and finance sectors being the most sought-after sectors.

Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It is part of the Microsoft 365 family of products since 2015.