Connect with us

Biz & IT

A powerful spyware app now targets iPhone owners

Published

on

Security researchers have discovered a powerful surveillance app first designed for Android devices can now target victims with iPhones.

The spy app, found by researchers at mobile security firm Lookout, said its developer abused their Apple-issued enterprise certificates to bypass the tech giant’s app store to infect unsuspecting victims.

The disguised carrier assistance app once installed can silently grab a victim’s contacts, audio recordings, photos, videos and other device information — including their real-time location data. It can be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to be cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.

The Android app, dubbed Exodus, ensnared hundreds of victims — either by installing it or having it installed. Exodus had a larger feature set and expanded spying capabilities by downloading an additional exploit designed to gain root access to the device, giving the app near complete access to a device’s data, including emails, cellular data, Wi-Fi passwords and more, according to Security Without Borders.

Screenshots of the ordinary-looking iPhone app, which was silently uploading a victim’s private data and real-time location to the spyware company’s servers (Image: supplied)

Both of the apps use the same backend infrastructure, while the iOS app used several techniques — like certificate pinning — to make it difficult to analyze the network traffic, Adam Bauer, Lookout’s senior staff security intelligence engineer, told TechCrunch.

“This is one of the indicators that a professional group was responsible for the software,” he said.

Although the Android version was downloadable directly from Google’s app store, the iOS version was not widely distributed. Instead, Connexxa signed the app with an enterprise certificate issued to the developer by Apple, said Bauer, allowing the surveillance app maker to bypass Apple’s strict app store checks.

Apple says that’s a violation of its rules, which prohibits these certificates designed to be used strictly for internal apps to be pushed to consumers.

It follows a similar pattern to several app makers, as discovered by TechCrunch earlier this year, which abused their enterprise certificates to develop mobile apps that evaded the scrutiny of Apple’s app store. Every app served through an app store has to be certified by Apple or they won’t run. But several companies, like Facebook and Google, used their enterprise-only certificates to sign apps given to consumers. Apple said this violated its rules and banned the apps by revoking enterprise certificates used by Facebook and Google, knocking both of their illicit apps offline, but also every other internal app signed with the same certificate.

Facebook was unable to operate at full capacity for an entire working day until Apple issued a new certificate.

The certificate Apple issued to Connexxa (Image: supplied)

But Facebook and Google weren’t the only companies abusing their enterprise certificates. TechCrunch found dozens of porn and gambling apps — not permitted on Apple’s app store — signed with an enterprise certificate, circumventing the tech giant’s rules.

After researchers disclosed their findings, Apple revoked the app maker’s enterprise certificate, knocking every installed app offline and unable to run.

The researchers said they did not know how many Apple users were affected.

Connexxa did not respond to a request for comment. Apple did not comment.

Source link

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

Kaseya gets master decryptor to help customers still suffering from REvil attack

Published

on

Kaseya—the remote management software seller at the center of a ransomware operation that struck as many as 1,500 downstream networks—said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack.

Affiliates of REvil, one of the Internet’s most cutthroat ransomware groups, exploited a critical zero-day vulnerability in Miami, Florida-based Kaseya’s VSA remote management product. The vulnerability—which Kaseya was days away from patching—allowed the ransomware operators to compromise the networks of about 60 customers. From there, the extortionists infected as many as 1,500 networks that relied on the 60 customers for services.

Finally, a universal decryptor

“We obtained the decryptor yesterday from a trusted third party and have been using it successfully on affected customers,” Dana Liedholm, senior VP of corporate marketing, wrote in an email on Thursday morning. “We are providing tech support to use the decryptor. We have a team reaching out to our customers and I don’t have more detail right now.”

In a private message, threat analyst Brett Callow of security firm Emsisoft said: “We are working with Kaseya to support their customer engagement efforts. We have confirmed the key is effective at unlocking victims and will continue to provide support to Kaseya and its customers.”

REvil had demanded as much as $70 million for a universal decryptor that would restore the data of all organizations compromised in the mass attack. Liedholm declined to say if Kaseya paid any sum in exchange for the decryption tool. Kaseya has since patched the zero-day used in the attack.

That means that, for the time being, it’s not publicly known if Kaseya paid the ransom or received it for free from either REvil, a law enforcement agency, or a private security company.

In the days following the attack, REvil’s site on the dark web, along with other infrastructure the group uses to provide technical support and process payments, suddenly went offline. The unexplained exit left victims and researchers worried that the data would remain locked up forever, since the only people with the ability to decrypt it had vanished.

Where did it come from?

REvil is one of several ransomware groups believed to operate out of Russia or another Eastern European country that was formerly part of Soviet Union. The group’s disappearance came a few days after President Joe Biden warned his Russian counterpart Vladimir Putin that, if Russia didn’t rein in those ransomware groups, the US might take unilateral action against them.

Observers have speculated since then that either Putin pressured the group to go quiet or the group, rattled by all the attention it received from the attack, decided to do so on its own.

Some of the companies victimized by the attack include Swedish grocery store chain COOP, Virginia Tech, two Maryland towns, New Zealand schools, and international textile company Miroglio Group.

REvil is also behind a crippling attack on JBS, the world’s biggest producer of meat. The breach caused JBS to temporarily close some plants.

Continue Reading

Biz & IT

AT&T nightmare: Woman had to wait 3+ months for broadband at new home

Published

on

Enlarge / Lovie Newman tells News 4 San Antonio about having to wait nearly four months for AT&T Internet service.

AT&T reportedly forced a San Antonio woman to wait nearly four months to get Internet service at her new home, and she didn’t get close to solving the problem until she asked a local news station for help.

“Lovie Newman planned for a smooth transition into her new home, including scheduling a transfer for her AT&T high-speed Internet service in advance,” according to a report Tuesday by News 4 San Antonio.

The house Newman moved into was apparently newly built and not yet connected to AT&T’s network, but it sounds like the months-long wait was due primarily to mistakes by AT&T technicians and customer-service problems. In what Newman called “a complete nightmare,” AT&T continually rebuffed her attempts to get Internet service.

Newman scheduled an installation appointment for April 1, but when the day came, AT&T called to say, “we need to reschedule,” she told the news station. Initially, Newman “was told there was a service outage in her new far East Side neighborhood,” News 4 journalist Darian Trotter reported. “Technicians were working on it, but she says they had no idea when service in the area would be restored.”

“I wasn’t hearing back, and I kept getting rescheduled and pushed around to different departments,” Newman said.

“You never came to my house”

Newman was able to schedule another installation appointment in May after the outage was fixed, but installers never came to her house. “For three and a half months, she says she made countless efforts to get connected, including the one time she got an appointment and eagerly waited for technicians to arrive,” News 4 said.

Newman was at home waiting for installers to arrive when she got a message from AT&T saying, “we missed you,” she told News 4. “I’m like, ‘you never came to my house. How did you miss me?'” AT&T installers had mistakenly gone to a different address in Alamo Heights, the report said.

“Out of desperation, she considered switching service providers,” but “an online search of at least three companies revealed service in her neighborhood wasn’t available.” The TV station’s video report shows that those three providers were Charter Spectrum, Grande Communications, and Google Fiber.

“I put in my address and it said, ‘not available,'” Newman said. Newman was afraid of losing her job because of the lack of AT&T Internet service, but News 4 said that “Newman’s employer was able to make special accommodations to keep her working.”

Even though AT&T has dragged its feet for months, its website says that service should be readily available to Newman. We entered Newman’s address into AT&T’s online availability checker, and it reports that fiber-to-the-home service is available where she lives:

AT&T gets moving after hearing from reporter

After months of waiting for AT&T to provide a broadband connection, Newman contacted Trotter at News 4 over two weeks ago. The station reached out to AT&T, and while the company initially did not reply to the media organization, the prospect of news coverage got AT&T’s attention.

The news video showed an email sent to Newman on July 8 from an employee in an AT&T executive office. “The AT&T Office of the President (OOP) received a communication from a local news media reporter,” the email said. “However, since you are our customer, I wanted to reach out to you directly.”

The week after that July 8 email, News 4 “received a statement from a spokeswoman saying, ‘our team has already begun looking into this and is in contact with Ms. Newman,'” Trotter said in the news report. Newman was still waiting for service to be installed this week when the News 4 report aired. “I want my Internet to be installed, up and running by this weekend,” she told the station.

Due to News 4 prodding AT&T into action, it seems that Newman is finally close to getting connected—nearly four months after AT&T abruptly canceled her first installation appointment. “After we got involved, Newman says techs have recently installed wiring, and an Internet box has been set up outside her home,” Trotter said at the end of his report. “Everything is ready, she just needs to schedule the installation.”

We contacted Newman and AT&T today about whether service has been or will soon be installed and will update this article if we get new information.

Newman’s AT&T nightmare unfortunately not unique

Newman’s ordeal is similar to one we wrote about in April. In that case, Comcast had an error in its coverage map and falsely told the customers that Internet service would be available at their new home. The couple, Edward Koll and Jo Narkon, then paid Comcast $5,000 for a network extension, but the project kept getting delayed. Comcast finally provided Internet service after Koll contacted Ars and we reached out to Comcast’s public relations department.

Koll and Narkon ended up waiting six months for cable Internet and had to use unreliable and data-capped cell service that entire time. We’ve written other stories over the years about Comcast falsely telling customers that they could get service. After our article about Koll and Narkon published a few months ago, we heard from a few more people in Comcast territory who were incorrectly told that Internet service would be available at their homes.

We also wrote about a frustrated AT&T-using family in Mississippi in November 2020. AT&T had falsely promised Kathie McNamee and her family U-verse Internet service of about 5Mbps, which is slow by today’s standards but still much faster than what they ended up getting. Ultimately, AT&T only provided the family speeds of up to 768kbps over its legacy DSL network and has not upgraded its network there or in many other areas where glacially slow AT&T speeds are the norm.

This kind of AT&T home-Internet problem is nothing new. Back in 2015, we wrote about a family in Georgia that couldn’t get AT&T Internet at a home they bought even though their neighbors and the home’s previous owners had service. AT&T said it didn’t have enough capacity to hook up additional customers.

Continue Reading

Biz & IT

Saudi Aramco confirms data leak after $50 million cyber ransom demand

Published

on

Enlarge / The Hawiyah Natural Gas Liquids Recovery Plant, operated by Saudi Aramco, in Hawiyah, Saudi Arabia, on Monday, June 28, 2021.

Bloomberg | Getty Images

Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50 million ransom from the company.

Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors.” The oil company did not name the supplier or explain how the data were compromised.

“We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,” Aramco added.

The statement came after a hacker claimed on the dark web that they had stolen 1 terabyte of Aramco’s data, according to a post from June 23 seen by the Financial Times. The hacker said it had obtained information on the location of oil refineries, as well as payroll files and confidential client and employee data.

In another post, the perpetrator offered to delete the data if Aramco paid up $50 million in a niche cryptocurrency Monero, which is particularly difficult for authorities to trace. The post also offered prospective buyers the chance to purchase the data for about $5 million.

The oil giant has the capacity to pump more than one in every 10 barrels of crude in the global market and any threats to its security or facilities are closely watched by oil traders and policymakers.

The security vulnerabilities of energy companies and pipelines in particular have fallen under the spotlight recently after the hack of the Colonial Pipeline in the US earlier this year resulted in fuel shortages across the east coast of the country.

It was unclear who was behind the Aramco incident. Cyber researchers noted that the attack did not appear to be part of a ransomware campaign, where hackers use malware to seize a users’ data or computer systems and only release it once a ransom has been paid. Nor did the hacker claim to be part of a known ransomware gang.

Instead, the hacker appeared to have seized a copy of the data without using malware, and set up dark web profiles to telegraph its activities.

Saudi Aramco’s facilities have been targeted in the past by both physical and cyber attacks.

In 2019 the Abqaiq processing facility in the eastern part of the country, which prepares the majority of the kingdom’s crude for export, was hit by a series of missile and drone strikes that the US blamed on Iran. Global oil prices soared until Saudi Arabia was able to reassure markets it could still export enough oil to keep customers well supplied.

In 2012 an alleged cyber attack on Saudi Aramco was also blamed on Iran. Cyber security experts have said this was probably a retaliation for the Stuxnet attack on Iran’s nuclear program, which has been widely attributed to the US and Israel.

The 2012 attack erased data on about three-quarters of Aramco’s computers, according to reports at the time, including files, spreadsheets and emails. They were replaced with an image of a burning US flag.

Saudi Aramco refineries, including the newly opened Jazan facility, which was listed in screenshots of the allegedly leaked data, have also been subject to physical attacks both from drones and missile strikes, which have been claimed by Iran-backed Houthi rebels in Yemen. The Jazan refinery is in Saudi Arabia’s southwest on the Red Sea, not far from the Yemen border.

The extortion attempt was first reported by the Associated Press.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Continue Reading

Trending