Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News
Mon, 22 May 2023 19:15:29 +0000

This vulnerability allows hacking any Samsung smartphone model
https://www.securitynewspaper.com/2023/05/23/this-vulnerability-allows-hacking-any-samsung-smartphone-model/
Tue, 23 May 2023 14:05:00 +0000

The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running Android 11, Android 12 or Android 13. It results from the accidental inclusion of sensitive data in log files.

CISA has recently issued a warning about a security flaw that affects Samsung devices and lets attackers bypass Android’s address space layout randomization (ASLR) protection when carrying out targeted attacks.

Android’s Address Space Layout Randomization (ASLR), a fundamental component of Android’s security architecture, randomizes the memory locations at which important app and operating system components are loaded. Local attackers with elevated privileges can use the disclosed information to bypass ASLR, which makes it easier to exploit weaknesses in memory management. Samsung has remedied this issue in its most recent security updates by adopting safeguards that prevent kernel references from being logged in the future. This was done as part of a larger effort to introduce new security measures.

According to the advisory included in the May 2023 Security Maintenance Release (SMR), Samsung has admitted that it was notified of an attack targeting this specific flaw that is now active in the wild.

Although Samsung did not provide any details on the exploitation of CVE-2023-21492, it is important to keep in mind that, in highly targeted cyberattacks, security vulnerabilities are regularly exploited as part of a sophisticated exploit chain.

In March, security researchers working for Google’s Threat Analysis Group (TAG) and Amnesty International discovered and reported on two different attack operations. These attacks used exploit chains that targeted vulnerabilities to spread commercial spyware.

Following the recent addition of CVE-2023-21492 to CISA’s list of Known Exploited Vulnerabilities (KEV), United States Federal Civilian Executive Branch (FCEB) agencies have been given a three-week window, until June 9, to patch their Samsung Android devices against potential attacks that exploit this security flaw.

In accordance with BOD 22-01, government agencies have until the deadline of June 9, 2023 to fix any vulnerabilities that have been added to CISA’s KEV list.

Samsung admits hack that leaked personal information (names, birthdays and contact details) of its users
https://www.securitynewspaper.com/2022/09/05/samsung-admits-hack-that-leaked-personal-information-names-birthdays-and-contact-details-of-its-users/
Mon, 05 Sep 2022 17:38:42 +0000

Samsung admitted to having suffered a cybersecurity incident in late July and early August, where “an unauthorized third party acquired information from some of the company’s systems” in the United States. Among the information that the attackers obtained are names, birthdays, contact information and product registrations.

The company has already responded to this attack and pointed out that more sensitive information, such as social security numbers or debit or credit card numbers, was not stolen; however, the type of data they stole may be useful for social engineering attacks.

The number of users affected by the hack is unknown at this time, but Samsung said it is sending emails to customers who were impacted specifically and will continue this action as its investigation continues.

Consumer devices were not affected during this incident, the company said in a statement, so it is not necessary to change the password of products or accounts at the moment, although it also recommended watching for any unusual activity in the accounts, as users could be targeted by phishing messages.

This form of cyber fraud against end users consists of attackers posing as a real company so that people voluntarily hand over their data.

Given this, cybersecurity specialists recommend keeping track of recent account activity, changing passwords and activating two-step verification.

“We are committed to protecting the security and privacy of our customers. We have hired leading cybersecurity experts and are coordinating with authorities,” the company said in a statement.

The company also said that as a result of this attack, long-term changes will be developed and implemented within its systems to improve security. This is not the first time this year that it has been the victim of a major hack.

In early March, the Lapsus$ hacker group stole 200GB of internal company data, including the source code of Galaxy devices, which is used for encryption tools and biometric unlocking functions of the company’s smartphones.

“There was a security breach related to some internal company data. Based on our initial analysis, the breach involves some source code related to the operation of Galaxy devices, but does not include the personal information of our consumers or employees,” the company said in a statement.

Easy way to hack Samsung Galaxy phones with Android 9, 10, 11 or 12 via preinstalled application
https://www.securitynewspaper.com/2022/04/12/easy-way-to-hack-samsung-galaxy-phones-with-android-9-10-11-or-12-via-preinstalled-application/
Tue, 12 Apr 2022 23:03:41 +0000

Cybersecurity specialists from the firm Kryptowire report the detection of CVE-2022-22292, a severe vulnerability in some Samsung devices with versions 9, 10, 11 and 12 of the Android operating system. According to the report, exploiting the flaw would allow the delivery of arbitrary Intent objects to be executed by a pre-installed application with high privileges.

In addition to this issue, an underlying vulnerability would allow a third-party application to be used to send data to arbitrary activity application components in the context of a pre-installed application. This opens up a large attack surface for third-party applications, allowing arbitrary Intent objects with embedded data to be sent to activities that appear to originate from the affected system itself. In other words, an unprivileged application can use an unprotected interface to send Intent objects and perform actions on its behalf.

What is this flaw?

Mobile apps are limited to their own context when you launch an activity app component through an Intent object. This flaw would allow local applications to indirectly use the context of a pre-installed application with the system’s User ID (UID) when initiating activities through a malicious Intent object.

The concept of an attacker-controlled Intent object refers to the pre-installed application affected by this vulnerability using the system UID to obtain an Intent object embedded within another Intent object sent from a malicious application, and then starting an application activity component using the embedded Intent object. This can be conceptualized as “intent forwarding,” where the attacker controls the Intent object that a privileged process sends, which would allow the start of non-exported application activity components (android:exported="false").

This condition allows third-party applications to control the contents of Intent objects sent by a pre-installed application running with the system UID. The affected pre-installed application that forwards the Intent objects it receives has the package name com.android.server.telecom, and the problem apparently exists due to incorrect access control on a dynamically registered broadcast receiver in com.android.server.telecom.

This does not seem to be a problem originating in the Android Open Source Project (AOSP), because at the moment it only seems to affect some Samsung devices managing com.android.server.telecom files. A local application capable of exploiting the vulnerability can run in the background and start specific activities without the user noticing.

By exploiting the vulnerability, the local application can use specific activities to gain additional capabilities programmatically through privilege escalation, including factory reset, installation and uninstallation of arbitrary applications, and access to sensitive information.

Compromised devices

The following table contains a list of the affected Samsung Android devices. This table is not intended to be exhaustive, and has been put together only to show that researchers have verified that a variety of Android versions, models, and builds are vulnerable:

Zero-day privilege escalation vulnerability in Samsung Galaxy S21 smartphones: No patch available
https://www.securitynewspaper.com/2022/04/06/zero-day-privilege-escalation-vulnerability-in-samsung-galaxy-s21-smartphones-no-patch-available/
Wed, 06 Apr 2022 22:43:54 +0000

Through The Zero Day Initiative (ZDI), the finding of a critical local privilege escalation vulnerability that could put millions of Samsung Galaxy S21 devices at risk was reported.

According to this report, the flaw allows local attackers to execute arbitrary code on affected smartphone models. To mount the attack, an attacker must first gain the ability to execute low-privileged code on the target system.

Apparently, the flaw resides within Web Bridge WebView. WebView exposes a JavaScript interface that allows threat actors to launch arbitrary applications; this flaw can be exploited along with other vulnerabilities to execute arbitrary code in the context of the current user.

The flaw was reported to developers in late 2021 and, in the absence of a functional patch, the researchers who reported it announced their intention to publicly disclose it as a zero-day vulnerability.

In addition, given the nature of the affected implementation and the type of attack, it is considered that the only recommended mitigation mechanism is to restrict interaction with the exposed application.

This Samsung Galaxy model is one of the company’s most popular smartphones, so the scope of successful exploitation could be huge. However, no reports of successful exploitation of the flaw are known so far.

Vodafone hacked by LAPSUS$ CYBERCRIME GROUP? INVESTIGATION GOING ON
https://www.securitynewspaper.com/2022/03/10/vodafone-hacked-by-lapsus-cybercrime-group-investigation-going-on/
Thu, 10 Mar 2022 18:18:30 +0000

In a message shared with an international media outlet, phone operator Vodafone confirmed it is investigating reports of an alleged data breach revealed by hackers from cybercriminal group Lapsus$.

Through their Telegram channel, the alleged hackers published a survey for their subscribers to decide what the next leak of the group would be after revealing confidential information from chipmaker NVIDIA. Among the options was a supposed 200 GB file storing Vodafone’s source code.

The survey also included as options the source code and databases of the Portuguese media firm Impresa, and the source code of MercadoLibre, the e-commerce giant based in Argentina. Subscribers to the Telegram channel seem to prefer that data be leaked from Vodafone, which was leading the vote at the time of writing.

In its message, the telecommunications company says it is aware of Lapsus$’s threats: “We are investigating these reports together with the police; at the moment we cannot affirm the veracity of this report. However, we are in a position to state that, in general, the types of repositories referenced in the complaint contain proprietary source code and do not contain data from our customers.”

Operating from somewhere in South America, Lapsus$ has hogged cybersecurity reports in recent weeks. In addition to the attack on NVIDIA, hackers reportedly managed to compromise Samsung’s systems, stealing snippets of the source code used in the Galaxy family of smartphones and other sensitive details.

To the misfortune of its users, Vodafone has become a frequent target for hacking groups. A few weeks ago, the firm confirmed that its branch in Portugal suffered a cyberattack that interrupted its services for a long time, while assuring that the incident did not involve personal information of its clients.

MercadoLibre, the biggest e-commerce company in Latin America, was hacked. Attackers leak source code and customer data
https://www.securitynewspaper.com/2022/03/08/mercadolibre-the-biggest-e-commerce-company-in-latin-america-was-hacked-attackers-leak-source-code-and-customer-data/
Tue, 08 Mar 2022 17:23:31 +0000

MercadoLibre, one of the most important e-commerce companies in Latin America, confirmed unauthorized access to a part of its source code, in addition to confirming that the attackers managed to access the personal records of some 300,000 users. The company has not confirmed that its IT infrastructure was affected during the incident.

The Argentine firm confirmed the compromise of its systems after hackers from the Latin American group Lapsus$ threatened to expose confidential information from MercadoLibre and other e-commerce platforms. Faced with this threat, MercadoLibre enabled all its security and containment protocols, so it recommended that users of the platform change their passwords and monitor their account statements to prevent any attempt at malicious activity. 

MercadoLibre has established itself as the largest e-commerce and payment processing ecosystem in Latin America. It currently has more than 140 million active buyers and sellers in Argentina, Brazil, Chile, Colombia, Mexico, Peru and Venezuela.

As mentioned above, Lapsus$ has been credited with the compromise of some 24,000 source code repositories operated by MercadoLibre and Mercado Pago. Through a Telegram channel, threat actors published a survey for their subscribers to decide if they should leak the company’s information. In addition to MercadoLibre, hackers are threatening to leak information from Vodafone and Impresa.

This is pretty much the same tactic the cybercriminal group followed by exposing more than 190GB of sensitive information belonging to Samsung. A week ago, the South Korean tech firm confirmed that Lapsus$ managed to compromise its systems, stealing files with details about the source code of the Galaxy family of smartphones.

Cybersecurity specialists report that extortion groups like Lapsus$ steal information from victims and, unlike ransomware operations, these hackers threaten to expose stolen sensitive information on dark web forums if the affected companies do not pay a ransom.

A couple of weeks ago, Lapsus$ also claimed responsibility for the attack on NVIDIA, a technology firm dedicated to the manufacture of chips. The incident resulted in the theft of more than 71,000 NVIDIA employee credentials, some of which were leaked on hacking forums.

Don’t use any Samsung smartphone launched from 2017 till 2021 (including S21): Flawed encryption could expose your confidential data
https://www.securitynewspaper.com/2022/02/25/dont-use-any-samsung-smartphone-launched-from-2017-till-2021-including-s21-flawed-encryption-could-expose-your-confidential-data/
Fri, 25 Feb 2022 17:15:00 +0000

Cybersecurity specialists report the detection of what they defined as “a critical cryptographic design flaw” affecting more than 100 million Samsung Galaxy smartphones sold from 2017 to date. According to the report, the successful exploitation of these flaws would have allowed threat actors to extract hardware-based keys from the devices and access all the information stored on them.

Threat actors could also exploit flaws to degrade security protocols on affected devices in order to make them vulnerable to other hacking variants, impacting models from Galaxy S8 to the recently released Galaxy S21.

Experts begin by explaining that today’s smartphones handle all kinds of confidential messages, cryptographic keys, authentication methods, mobile payments and other functions based on various technological implementations. The reported flaws mainly affect devices that use ARM’s TrustZone technology, the hardware support in Android smartphones that allows creating a trusted execution environment for the implementation of advanced security features.

TrustZone divides a phone into two parts: 

  • Normal World: Running regular tasks, such as Android OS
  • Secure World: Management of the security subsystem and space for sensitive device resources. This segment is only accessible to trusted applications with sensitive security features, including encryption

Samsung made some serious mistakes in designing the way its smartphones encrypt material stored in TrustZone: it employs a single key and allows IV reuse, a design the researchers say makes decryption trivial for some potential attackers. The report also specifies that Samsung employs AES-GCM on its devices, a reliable encryption algorithm that is implemented incorrectly here. AES-GCM requires a fresh initialization vector (IV) for each new encryption operation under the same key, something that does not happen on Galaxy devices.
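
The IV-reuse failure described above, as an added Go example (not code from the researchers or from Samsung). The key, IV and plaintexts are constructed values, and `Blob`, `wrap`, `wrapFresh`, `recoverWithKnown` and `reusedIVs` are hypothetical names; the example shows the leak under a repeated IV, the corrected per-operation random IV, and an audit for repeated IVs in stored blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

const tagLen = 16 // GCM authentication tag that Seal appends to the ciphertext

// Blob is a hypothetical encrypted record: the IV stored next to the ciphertext.
type Blob struct {
	IV, CT []byte
}

// wrap encrypts pt with AES-256-GCM under key, using whatever IV the caller
// supplies. Letting the caller choose (and repeat) the IV is the weak design.
func wrap(key, iv, pt []byte) Blob {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return Blob{IV: iv, CT: gcm.Seal(nil, iv, pt, nil)}
}

// wrapFresh is the corrected form: a new random 96-bit IV for every operation.
func wrapFresh(key, pt []byte) Blob {
	iv := make([]byte, 12)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return wrap(key, iv, pt)
}

// xorPrefix XORs a and b over their common length.
func xorPrefix(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverWithKnown uses no key. GCM encrypts in counter mode, so two blobs
// under the same key and IV share a keystream: ciphertext XOR known plaintext
// yields that keystream, which then decrypts the other blob.
func recoverWithKnown(known Blob, knownPT []byte, target Blob) []byte {
	ks := xorPrefix(known.CT[:len(known.CT)-tagLen], knownPT)
	return xorPrefix(target.CT[:len(target.CT)-tagLen], ks)
}

// reusedIVs is the audit a defender can run over blobs stored under one key:
// it returns every IV (hex) that appears more than once.
func reusedIVs(blobs []Blob) []string {
	seen := map[string]int{}
	var dup []string
	for _, b := range blobs {
		h := hex.EncodeToString(b.IV)
		seen[h]++
		if seen[h] == 2 {
			dup = append(dup, h)
		}
	}
	return dup
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	fixedIV := make([]byte, 12)           // constructed: the same IV every time
	known := []byte("known-app-data-0123456789abcdef")
	secret := []byte("secret-key-material-ABCDEFGHIJK")

	a, b := wrap(key, fixedIV, known), wrap(key, fixedIV, secret)
	fmt.Printf("IV reused: recovered %q\n", recoverWithKnown(a, known, b))

	c, d := wrapFresh(key, known), wrapFresh(key, secret)
	fmt.Printf("fresh IVs: recovered %q\n", recoverWithKnown(c, known, d))

	fmt.Println("IVs seen more than once:", reusedIVs([]Blob{a, b, c, d}))
}
```

With the repeated IV the second plaintext comes back intact; with fresh IVs the same computation yields unrelated bytes, and the audit flags only the all-zero IV.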

During testing, exploiting these bugs made it possible to extract information from the Secure World in TrustZone, which Samsung devices should identify as confidential and which should be protected with a reliable encryption algorithm.

This attack not only allows information to be extracted from TrustZone, but also allowed researchers to evade security standards such as FIDO2, exposing hundreds of millions of people who have used these smartphones over the past five years. The researchers tried to contact Samsung to come up with a more accurate estimate.

In this regard, the company issued a patch for this security issue, tracked as CVE-2021-25444. The problem lies with the Keymaster Trusted Application, which performs cryptographic operations in the Secure World through some hardware components. Subsequently, the company issued a patch to address CVE-2021-25490, whose exploitation would allow a downgrade attack to be deployed on the affected devices.

Two critical vulnerabilities in Samsung Galaxy S21 smartphones
https://www.securitynewspaper.com/2022/02/21/two-critical-vulnerabilities-in-samsung-galaxy-s21-smartphones/
Mon, 21 Feb 2022 22:36:30 +0000

Two vulnerabilities have been reported in Samsung Galaxy S21 devices whose malicious exploitation would allow threat actors to deploy various hacking tasks on the compromised devices.

Below are brief descriptions of the reported flaws, in addition to their respective scores assigned under the Common Vulnerability Scoring System (CVSS). It is worth mentioning that these flaws do not have a CVE identifier.

No CVE key: Improper sanitization of user-provided data within the Galaxy Store app would allow threat actors to create a seemingly legitimate link that would redirect users to an arbitrary domain from which a remote code execution (RCE) attack can be performed.

This is a highly severe vulnerability and received a CVSS score of 7.7/10.

No CVE key: Improper error handling when accessing trusted URLs would allow malicious hackers on the local network to trick users into visiting malicious websites or opening specially crafted files that will lead to an RCE scenario on the affected systems.

According to the report, the flaws reside in all versions of the Samsung Galaxy S21 software, making it a widespread problem.

While vulnerabilities can be exploited by unauthenticated remote threat actors, no active exploitation attempts have been detected so far. Still, users of affected devices are encouraged to apply the available updates as soon as possible.

Expert shows how easy it is to hack apple pay and Samsung tap. They can empty bank accounts
https://www.securitynewspaper.com/2022/02/03/expert-shows-how-easy-it-is-to-hack-apple-pay-and-samsung-tap-they-can-empty-bank-accounts/
Thu, 03 Feb 2022 18:41:55 +0000

Timur Yunosov is a Russian cybersecurity researcher specializing in mobile security and payment system analysis. Working for Positive Technologies, Yunosov demonstrated how to exploit known vulnerabilities in Apple Pay to access the bank accounts of affected users without even unlocking their smartphones.

In addition to exploiting flaws in the affected payment systems, the attack also requires abuse of contactless payment terminals, eventually allowing the target device to be tricked into falsifying communication between the smartphone and an illegitimate payment terminal.

Apple’s payment system hasn’t been Yunosov’s only target of attack. In subsequent reports, the expert demonstrated how to compromise the security of a Samsung device to empty users’ accounts without having to unlock the device. While the attack works differently, the result is the same as when compromising Apple systems.

Another report notes that the same method used to compromise Apple Pay could be used to hack into a Samsung Pay account linked to Visa and MasterCard payment cards, although the flaws appear to have already been addressed.

At the time of writing, Samsung had not issued any comment on these flaws, while Apple and payment operators consider that these are not exploitable flaws, so they will most likely not receive security patches.

An Apple representative mentioned, “This is a concern with a Visa system, but they don’t believe this type of fraud can happen in the real world given the multiple layers of security in place; in the unlikely event that an unauthorized payment is recorded, Visa has the mechanisms in place for its customers to report this malicious activity.”

Visa notes, “Visa cards connected to mobile wallets are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have shown that they are impractical to execute at scale in the real world.”

How Xiaomi Mi 10T, Huawei P40 and OnePlus 8T spy on what users type on their phones. 5 reasons not to buy these devices
https://www.securitynewspaper.com/2021/09/22/how-xiaomi-mi-10t-huawei-p40-and-oneplus-8t-spy-on-what-users-type-on-their-phones-5-reasons-not-to-buy-these-devices/
Wed, 22 Sep 2021 16:19:47 +0000

2021 has been a really good year for Xiaomi, as trends indicate that for the first time the company will occupy the first place in the shipment of smartphones, surpassing giants such as Samsung. This and other emerging manufacturers such as Huawei and OnePlus have shown incredible growth over the past few years, although recent reports cast serious doubts on the functionality of security measures in these products.

The police’s cybersecurity unit in Lithuania published a report in which they point out that some recent models of smartphones could detect and censor the use of specific words remotely. These tests were performed on the Xiaomi Mi10T, Huawei P40 and OnePlus 8T models.

According to this research, the problems exist because the apps preinstalled on these devices sometimes receive a blacklist of words blocked by decision of the manufacturer, especially terms considered offensive and related to issues such as the independence of regions such as Taiwan and Tibet.

Specialists say that devices enabled with this list of words could block any content that includes these terms.

This feature, probably intended for devices sold in China, is disabled for smartphones sold in Lithuania (place of research), the United States and other countries outside Asia, although the researchers point out that manufacturers have no impediment to enable this function arbitrarily and remotely.

For Xiaomi devices, this set of terms subject to censorship is called “MiAdBlocklist” and is active in preloaded applications, including package installers, security and optimization tools, web browser and others, so the operation of this blacklist could be related to these applications and not work independently.

In addition to the report on the list of censored terms, experts noted that Mi Browser collects a large amount of user information unnecessarily and without requesting express permission from users. Xiaomi also sends an encrypted SMS from the user’s device when registering for its suite of cloud services, which the experts consider a potential risk of leakage of confidential data.

Regarding the Huawei P40, experts advise against Huawei App Gallery redirecting users to third-party repositories, as these platforms are plagued by malicious developers looking to infiltrate vulnerable devices.

Now you can block your SAMSUNG TV remotely as if it was a stolen Phone. New TV BLOCK functionality added https://www.securitynewspaper.com/2021/08/25/now-you-can-block-your-samsung-tv-remotely-as-if-it-was-a-stolen-phone-new-tv-block-functionality-added/ Wed, 25 Aug 2021 16:11:02 +0000


In a recent statement, Samsung revealed to its customers that it is possible to disable any smart TV from the company with the TV Block feature. This is a little-known feature, so the company had to issue this message as a measure against the recent looting in some cities in South Africa.

The company mentions that this is a remote security feature to detect if these devices were improperly activated, in an attempt to ensure that Samsung’s smart TVs are only used by legitimate users: “The goal is to mitigate the creation of secondary markets linked to the sale of illegally obtained goods. This technology is already preloaded on all Samsung TV products.”

This feature is activated remotely on all televisions stolen from looted warehouses; it is enough to send the serial numbers to Samsung servers. When these stolen devices connect to the internet, Samsung will check the list of stolen devices and disable all smart TV functions if it finds a match.

As in any technological implementation, a device can be locked by mistake. In these cases, the full functions of the smart TV will be restored if the user requests it from the technical support area of the company, which can be done via email; the problems should be solved within 48 hours.

Mike Van Lier, Samsung’s chief consumer officer, said: “In line with our values of harnessing the power of technology to solve societal challenges, we will continuously develop and expand strategic products in our specially designed defense-grade security consumer electronics division with innovative and intuitive business tools designed for a new world.”

While Samsung says TV Block is an innovative feature with demonstrable positive results, the cybersecurity community believes it would be possible for threat actors to gain access to these block lists and perform malicious actions. Samsung has not commented on the matter, although it is expected that the necessary measures will be implemented to mitigate this risk.

CVE-2021-3438 affects millions of HP printers worldwide. Update the firmware to fix it https://www.securitynewspaper.com/2021/07/20/cve-2021-3438-affects-millions-of-hp-printers-worldwide-update-the-firmware-to-fix-it/ Tue, 20 Jul 2021 16:13:52 +0000

HP security teams announced the fix of a critical vulnerability in a print driver that remained unnoticed for more than 15 years. The flaw was tracked as CVE-2021-3438 and received a score of 8.8/10 on the Common Vulnerability Scoring System (CVSS) scale.

The vulnerability was described as a potential buffer overflow in software drivers for certain HP LaserJet products and Samsung product printers that could lead to privilege escalation. A security report published by SentinelLabs mentions that some HP, Xerox and Samsung printer models could contain the vulnerable software, distributed worldwide since 2005.

The vulnerable driver was identified as SSPORT.SYS, which is installed and activated automatically regardless of whether the printer is wireless or wired. It should be clarified that the Windows operating system also loads this driver automatically when the device boots: “Given its characteristics, this driver is an ideal target for hackers, as it will always load into the operating system even if a printer is not connected,” the report states.

To be precise, the vulnerable driver function accepts data without validating the size parameter. A threat actor could overflow the driver buffer to elevate their privileges to a SYSTEM account and execute kernel-mode code to perform arbitrary actions.

While the researchers found that the flaw can be exploited, the SentinelLabs report does not include a proof of concept (PoC) exploit or a more detailed description of the attack.

Researchers reported the flaw last February, so HP released a security patch in mid-May. The company mentions that no exploits have been detected in real scenarios, although they acknowledge that the affected models include those produced by manufacturers such as Samsung, HP, MultiXpress and Samsung Xpress.

Finally, the company asked users of affected deployments to update as soon as possible in order to mitigate the risk of exploitation.
