Jun 22 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that gives you the support you need. Unlike Sam Smith’s fans when he tries to crowd surf 😂
Today’s hottest cyber security stories:
iOS device users beware! Operation Triangulation is coming for you
Microsoft Azure AD: Critical ‘nOAuth’ flaw allowed full account takeover
Condi malware targets TP-Link routers with DDoS attacks
There’s fresh info on the now infamous Operation Triangulation, folks, so listen up. First up, props to Kaspersky, who discovered the malware after their own staff were targeted earlier this year.
Since then, they’ve swapped the shot glasses for reading glasses and have been studying up on all things Triangulation.
They’ve named the final-stage spyware implant ‘TriangleDB’ and it’s officially a ‘backdoor’. Sneaky, sneaky!
The implant has a built-in lifespan of 30 days, after which it uninstalls itself automatically unless the attackers extend the timer.
"The implant is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability," Kaspersky researchers said in a new report published today.
Another scary thing about TriangleDB is how little it leaves behind for anyone investigating.
"It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again."
"The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware," Eugene Kaspersky, CEO of Kaspersky, said earlier this month.
"The deployment of the spyware is completely hidden and requires no action from the user."
Russian govt: USA did it!
Another interesting element of this story is the fact that the Russian government is openly accusing the U.S. of being behind these hacks for espionage purposes. Huge if true!
Indeed, the Russian government accused the U.S. of breaking into "several thousand" Apple devices belonging to domestic subscribers and foreign diplomats as part of what it claimed to be a reconnaissance operation.
Taste of their own medicine, perhaps?
However, Apple said it has “never worked with any government to insert a backdoor into any Apple product and never will."
If you own an iOS device and you’re worried Operation Triangulation might be spying on you, the first thing to do is reboot your device. Simples. Because the implant lives only in memory, a reboot wipes it; it does not, however, stop the attackers from sending another invisible iMessage to reinfect you, so a reboot is a stopgap, not a fix.
Also, please bear in mind that this appears to be a very targeted attack, so unless you’re the kind of high-value target named in the Russian allegations (diplomats and the like), you probably don’t have to worry too much.
If you’re genuinely worried, we would recommend rebooting at least once a day and taking your device to Apple to have it investigated thoroughly.
Apple has just released iOS 16.5.1, which patches two vulnerabilities (one in the kernel, one in WebKit) that Apple credits Kaspersky’s researchers with reporting and says may have been actively exploited. If you have an iPhone, go to Settings and install that update asap.
Stay safe, folks!
Researchers have revealed that a vulnerability in the OAuth process of Microsoft Azure Active Directory (AD) could have been leveraged to achieve complete account takeover.
Descope, an identity and access management service based in California, discovered and reported this issue in April 2023, naming it nOAuth.
According to Omer Cohen, the Chief Security Officer at Descope, nOAuth is an authentication implementation flaw that can affect OAuth applications in Microsoft Azure AD's multi-tenant environment.
The root cause is that the email attribute in an Azure AD user's profile (under "Contact Information") is editable by the tenant's own admin and is not verified by Azure AD. An attacker who controls their own Azure AD tenant can therefore create a user and set its email address to the victim's address.
When that user then signs in to a multi-tenant app via "Log in with Microsoft", the app receives a perfectly valid ID token whose email claim matches the victim. If the app uses that email claim to look up or merge accounts, the attacker lands in the victim's account – a scary prospect indeed!
Luckily, there’s an easy way to avoid this…
This comes straight from Microsoft. When using Azure AD, DO NOT use email claims for authorisation or as the key that identifies a user. Key accounts on claims Azure AD guarantees to be unique and immutable instead: the sub claim, or the oid object ID together with the tid tenant ID. That’s about all the advice we have on this one for now. You’re welcome lol.
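To make the difference concrete, here is an added example (not Descope's or Microsoft's code) of the account-linking mistake nOAuth exploits beside the hardened version. The tenant IDs, object IDs, names and addresses are constructed, and the claim sets stand in for ID tokens that have already passed signature, issuer and audience validation.

```python
# Added example (not Descope's or Microsoft's code): an app that links
# "Log in with Microsoft" accounts by the email claim versus one that keys
# on tid + oid. Claims are constructed by hand and assumed to come from
# ID tokens that already passed signature/issuer/audience validation.
from typing import Optional

# Constructed claim set for the victim's genuine sign-in (GUIDs made up).
VICTIM_CLAIMS = {
    "tid": "11111111-1111-1111-1111-111111111111",   # victim's home tenant
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",   # victim's object ID
    "sub": "victim-subject-pairwise-id",
    "email": "alice@victim.example",
}

# Attacker's own tenant: its admin set the mutable, unverified "Email"
# attribute of a user to the victim's address. tid/oid/sub all differ from
# the victim's; only "email" collides.
ATTACKER_CLAIMS = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "sub": "attacker-subject-pairwise-id",
    "email": "alice@victim.example",
}

# The relying app's user table, holding Alice's pre-existing account.
USERS = [
    {
        "id": 1,
        "tid": VICTIM_CLAIMS["tid"],
        "oid": VICTIM_CLAIMS["oid"],
        "email": "alice@victim.example",
        "role": "admin",
    },
]


def login_by_email(claims: dict, users: list) -> Optional[dict]:
    """Vulnerable pattern: the email claim is the account key.

    Azure AD does not verify this attribute for multi-tenant apps, so any
    tenant admin can make one of their users carry the victim's address.
    """
    email = claims.get("email", "").lower()
    for user in users:
        if user["email"].lower() == email:
            return user
    return None


def login_by_identity(claims: dict, users: list) -> Optional[dict]:
    """Hardened pattern: key on (tid, oid), which Azure AD guarantees to be
    unique and immutable. The per-app "sub" claim would work as well."""
    for user in users:
        if user["tid"] == claims["tid"] and user["oid"] == claims["oid"]:
            return user
    return None


def resolve_account(claims: dict, users: list) -> dict:
    """Full hardened flow: find the account by identity, otherwise create a
    fresh one. Never merge into an existing account on an email match."""
    user = login_by_identity(claims, users)
    if user is not None:
        return user
    user = {
        "id": max((u["id"] for u in users), default=0) + 1,
        "tid": claims["tid"],
        "oid": claims["oid"],
        "email": claims.get("email"),   # kept for display only, never as a key
        "role": "member",
    }
    users.append(user)
    return user


if __name__ == "__main__":
    # The vulnerable lookup hands the attacker Alice's admin account.
    print("vulnerable lookup:", login_by_email(ATTACKER_CLAIMS, USERS))
    # The hardened flow gives the attacker a brand-new, unprivileged account.
    print("hardened lookup:  ", resolve_account(ATTACKER_CLAIMS, list(USERS)))
```

If an app genuinely needs the address for something more than display, Microsoft's guidance is to treat the email claim as untrusted unless the optional xms_edov claim ("email domain owner verified") is present and true; the identity key should still be sub or oid plus tid.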
Fortinet FortiGuard Labs has identified a recently discovered malware named Condi, which is actively exploiting a command-injection vulnerability (CVE-2023-1389) in TP-Link Archer AX21 (AX1800) Wi-Fi routers, a bug for which TP-Link has already published fixed firmware.
The primary objective of Condi is to enlist these routers into a botnet for conducting distributed denial-of-service (DDoS) attacks.
The campaign associated with Condi has significantly intensified since the end of May 2023. The individual behind the malware, operating under the pseudonym zxcr9999 on Telegram, runs a Telegram channel called Condi Network, which serves as a platform for advertising their services.
"The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code," security researchers Joie Salvio and Roy Tay said.
Our advice on Condi is the boring kind: install TP-Link's patched firmware on any Archer AX21 you look after and don't leave the router's admin interface reachable from the internet. Separately, AhnLab's ASEC offered some back-to-basics advice for anyone running internet-facing Linux servers:
"Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks," ASEC said.
So long and thanks for reading all the phish!