VMware 2FA flaw can divulge that vital second credential to malicious actors
Plus: Deep dive into the NSO Group's zero-click exploit and 'Hack the DHS!'
In Brief VMware has warned users that a flaw in its VMware Verify two-factor authentication product could allow a malicious actor who already holds a valid first-factor credential to obtain the second factor from VMware Verify.
CVE-2021-22057 is the rascal behind this issue and is rated 6.6/10. VMware Verify is part of the wider VMware Workspace ONE Access product, now available in version 21.08.0.1 to fix this bug and a 5.5-rated Server Side Request Forgery that can allow a malicious actor with network access to make HTTP requests to arbitrary origins and read the full response.
News of the two new flaws in Workspace ONE came a day after VMware warned of a critical-rated flaw in the suite.
Google: NSO's zero-click nasty was 'terrifying'
A deep dive by Google's crack Project Zero team has revealed how the spyware installed by the beleaguered NSO Group actually works, and rated it genuinely scary.
Researchers Ian Beer & Samuel Groß examined the FORCEDENTRY exploit using samples obtained by Canadian non-profit Citizen Lab. "It's pretty incredible, and at the same time, pretty terrifying," they said this week.
The zero-click exploit used an integer overflow vulnerability in Apple's CoreGraphics PDF parser, in conjunction with open source JBIG2 image compression code. This enabled an attacker to run scripts on a target device without user interaction.
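The bug class behind that exploit, as an added illustration that is not Project Zero's analysis or Apple's code: a JBIG2-style region header carries attacker-controlled width and height, and a 32-bit size calculation can wrap to a small value so the decoder allocates far less than it later writes. The struct, the helper names and the MAX_PIXELS policy limit are constructed for this example; one byte per pixel is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed JBIG2-style region header: width and height are read straight
   from the (untrusted) input file. Hypothetical, not Apple's structure. */
struct region_hdr {
    uint32_t width;
    uint32_t height;
};

/* Vulnerable pattern: the 32-bit multiply wraps, so a huge region can yield a
   tiny byte count; a decoder that allocates this much and then fills the
   bitmap using the original width/height writes past the buffer. */
uint32_t wrapped_bitmap_bytes(struct region_hdr h) {
    return h.width * h.height;   /* result is taken modulo 2^32 */
}

/* Hardened pattern: bound the dimensions and test for overflow before the
   multiplication happens. Returns 0 when the header must be rejected.
   MAX_PIXELS is an assumed decoder policy limit, not a JBIG2 constant. */
size_t safe_bitmap_bytes(struct region_hdr h) {
    const size_t MAX_PIXELS = (size_t)1 << 28;
    if (h.width == 0 || h.height == 0) return 0;
    if ((size_t)h.width > MAX_PIXELS / (size_t)h.height) return 0;
    return (size_t)h.width * (size_t)h.height;
}

/* Allocate only after validation, so a rejected header never reaches calloc. */
uint8_t *alloc_bitmap(struct region_hdr h) {
    size_t n = safe_bitmap_bytes(h);
    return n ? (uint8_t *)calloc(n, 1) : NULL;
}

int main(void) {
    struct region_hdr bad  = { 65536u, 65537u };  /* constructed: 2^32 + 2^16 pixels */
    struct region_hdr fine = { 640u, 480u };      /* constructed: ordinary page region */
    printf("wrapped size for bad header:  %u bytes\n", (unsigned)wrapped_bitmap_bytes(bad));
    printf("checked size for bad header:  %zu (0 = rejected)\n", safe_bitmap_bytes(bad));
    printf("checked size for fine header: %zu bytes\n", safe_bitmap_bytes(fine));
    free(alloc_bitmap(fine));
    return 0;
}
```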
In a recent lawsuit, Apple claimed the NSO Group set up over 100 dummy iPhone accounts and used these to spam out its spyware using FORCEDENTRY. Cupertino claims this was used to surveil politicians, activists, journalists and academics, some of whom were American citizens.
NSO Group denies the charges.
Joker malware hits 500,000 Android users
If you're running the Android app Color Message (and according to Google's figures over half a million people are) it's time to remove it and reformat your handset.
According to mobile security shop Pradeo, the app was contaminated with the Joker malware that has proved popular among scammers over the last year or so. Upon installation the code exfiltrates the victim's contact database to an outside server and installs software that automatically signs users up to premium services.
Other apps infected with Joker recently include Safety AppLock, Convenient Scanner 2, Push Message-Texting&SMS, Emoji Wallpaper, Separate Doc Scanner and Fingertip GameBox. Together they account for around another 200,000 people who trusted the Google Play security scanning systems and lost out.
All the infected applications have now been removed by Google, but may pop up on other app stores or .apk download sites. And Joker will no doubt be back soon.
America wants you to hack the DHS
More signs of sense from the US Department of Homeland Security (DHS) after it announced a bug bounty program dubbed "Hack the DHS".
Not all of it, before you get too excited - the program permits attacks on "select external DHS systems" and only then by carefully vetted pentesters. Initially they'll get access to such virtual systems on a bug hunt, then in 2022 the DHS plans an in-person competition with as-yet unspecified bounties on offer.
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.”
We've come a long way from the bad old days where government was so paranoid the very thought of a competition like this would have caused conniption fits. But the benefits clearly outweigh the risks.
Venerable Phorpiex malware steals $500,000+ in digicash
Hopes that the Phorpiex malware strain might have gone offline for good have proved unfounded, and instead its operators are back to their wicked thieving ways.
The malware has pulled in an estimated $500,000 in cryptocurrency this year alone, according to research from security biz CheckPoint. This after its makers reportedly shut down their command and control servers and put the source code up for sale in August, only to release a new, decentralized build based around a bot dubbed "Twizt", using peer-to-peer networking for shifting data and purloined digital dosh.
"In a one-year period between November 2020 to November 2021, Phorpiex bots hijacked 969 transactions and stole 3.64 Bitcoin, 55.87 Ether, and $55,000 in ERC20 tokens," CheckPoint said. "In 2021, the price of Bitcoin and Ethereum increased significantly. The value of the stolen assets in current prices is almost half a million US dollars."
Who could possibly have guessed there is no honor among thieves? ®