
Canary Trap’s Bi-Weekly Cyber Roundup


Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s round-up, we look into the significant implications of the recent CrowdStrike outage, explore a critical OAuth implementation flaw making millions of websites susceptible to XSS attacks, and examine how searchable encryption is revolutionizing data security. Additionally, we uncover the security risks posed by WhatsApp for Windows allowing Python and PHP scripts to execute without warning, investigate the stealthy Android spyware LianSpy that evades detection using Yandex Cloud, discuss a new intelligence bill aiming to classify ransomware as a terrorist threat, and address user calls for Microsoft to update Outlook’s friendly name feature to combat phishing attacks.

  • Summary of CrowdStrike Outage and Its Implications

The recent global outage caused by CrowdStrike’s faulty update has revealed significant vulnerabilities within the tech infrastructure. Microsoft admitted its initial estimate of 8.5 million impacted machines was likely too low, highlighting the risks of relying heavily on kernel drivers. David Weston, Microsoft’s VP for enterprise and OS security, emphasized the need for security vendors to balance performance and security while minimizing kernel usage. Microsoft plans to reduce kernel driver dependency and enhance security measures through improved isolation and zero-trust approaches.

The incident affected a wide range of industries, with healthcare being particularly hard-hit. About half of the Health Information Sharing and Analysis Center’s members were impacted, and as of July 25, only 18% had fully recovered. Recovery efforts have been tedious, requiring manual intervention and specialized tools, such as Microsoft’s USB Recovery Tool.

The financial impact of the outage is substantial, with losses estimated at $5.4 billion for Fortune 500 companies. The healthcare sector alone incurred nearly $2 billion in damages, while the banking sector faced over $1.1 billion in losses. The transportation and airlines sector also saw significant disruptions, accounting for $860 million in losses.

Despite the setbacks, the reliance on CrowdStrike and similar cybersecurity firms is unlikely to wane, as their services remain crucial for protecting against cyber threats. The incident underscores the importance of rigorous testing, better supply chain understanding, and robust contingency planning to mitigate future risks.

  • Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw

Salt Labs, the research division of API security firm Salt Security, has uncovered a cross-site scripting (XSS) vulnerability that could potentially affect millions of websites globally. This issue, arising from the improper implementation of OAuth in social logins, is not a product vulnerability that can be centrally patched but an implementation flaw that web developers need to address individually. OAuth is widely used for social logins, and many developers, believing that XSS vulnerabilities are largely mitigated, may not focus sufficiently on potential XSS risks. The familiarity and ease of implementing OAuth can lead to oversights, creating new attack vectors.

The core issue identified by Salt Labs is not with OAuth itself but with its implementation on websites. When not executed with the necessary care and rigor, OAuth can introduce new XSS vulnerabilities, bypassing existing mitigations and potentially allowing for complete account takeovers.

Salt Labs published detailed findings and methodologies, focusing on the implementations by major firms HotJar and Business Insider. These examples illustrate that even well-resourced companies with strong security postures can fall victim to improper OAuth implementation. Yaniv Balmas, VP of research at Salt Labs, indicated that similar issues were also found on websites such as Booking.com, Grammarly, and OpenAI, suggesting widespread vulnerability.

HotJar, in particular, is notable due to its extensive market penetration and the significant amount of personal data it collects. Despite following best practices for preventing XSS attacks, HotJar’s use of OAuth for social logins introduced a new vulnerability. The attack method involves manipulating the OAuth login flow to intercept login secrets, enabling account takeover. HotJar quickly addressed the issue within three days of its disclosure by Salt Labs. This vulnerability is critical because it affects millions of websites using OAuth for social logins. Secure implementation of OAuth requires additional effort and expertise, which many websites may lack. Given the widespread nature of this issue, Salt Labs has made its findings public and provided a free scanner for websites to check their vulnerability to OAuth XSS implementation issues. This proactive measure aims to help organizations identify and address potential risks before they escalate.

  • How Searchable Encryption Changes the Data Security Game

For years, searchable encryption has been a challenging concept for cybersecurity professionals. Organizations must encrypt their most sensitive data to prevent theft and breaches. However, this data also needs to be searched, viewed, and modified to maintain business operations. Traditionally, security engineers have believed that encrypted data couldn’t be used effectively. Historically, the solution was to wrap unencrypted data within layers of hardware, software, policies, and controls. This approach, however, has proven inadequate, as evidenced by high-profile breaches at companies like T-Mobile, United Healthcare, Uber, Verizon, and others. These incidents highlight a critical flaw: sensitive data often remains unencrypted to support daily operations, leaving it vulnerable to attacks.

Most data breaches share a common factor: unencrypted, plaintext data readily accessible to support business functions. This practice falls under the umbrella of “acceptable risk.” Many organizations believe that encrypting data at rest and in transit is sufficient, as this is the focus of current compliance and governance standards. However, these standards often lack a robust definition of strong database encryption, leading to a complacent mindset. Encryption is perceived as complex, expensive, and difficult to manage. Traditional encryption methods involve extensive processes to secure data at rest, requiring specialized expertise and time. Once encrypted data is needed, it must be decrypted, creating a plaintext data store vulnerable to attacks. This cycle of encrypting, decrypting, and re-encrypting is cumbersome and prone to security lapses.

A more effective approach is needed—one that encompasses encryption at rest, in transit, and in use. Searchable Encryption, or Encryption-in-Use, maintains data in an encrypted state while still allowing it to be used, eliminating the complexity and risks associated with traditional methods.

Searchable Encryption is becoming the gold standard for securing sensitive data. The ability to encrypt data while maintaining its utility is a top concern for data analytics and privacy teams. Homomorphic Encryption (HE) has been a potential solution, but it is slow, expensive, and requires substantial processing power. Searchable Symmetric Encryption, however, enables real-time, millisecond query performance while keeping data encrypted.
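As an added illustration, not the vendor's product or code from the article, here is a toy searchable symmetric encryption index in Python: the client derives a keyed token per keyword, the server answers equality queries by matching tokens without ever holding keys or plaintext, and the demo also surfaces the caveat a practitioner should weigh, namely that a deterministic token reveals when the same keyword is searched again. The keys, record text and the HMAC-based keystream are constructed for this example.

```python
import hashlib, hmac, os, secrets

def keyword_token(key: bytes, keyword: str) -> bytes:
    """Deterministic per-keyword token (a PRF output); the server only ever sees these."""
    return hmac.new(key, keyword.lower().encode(), hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) so the example needs only the standard
    library; a real deployment would use an AEAD such as AES-GCM for the records."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class Client:
    """Key holder: encrypts records and derives search tokens ("trapdoors")."""
    def __init__(self):
        self.k_index, self.k_data = secrets.token_bytes(32), secrets.token_bytes(32)
    def prepare(self, rec_id: str, text: str):
        nonce = os.urandom(12)
        blob = nonce + xor_stream(self.k_data, nonce, text.encode())
        return rec_id, blob, {keyword_token(self.k_index, w) for w in text.split()}
    def trapdoor(self, keyword: str) -> bytes:
        return keyword_token(self.k_index, keyword)
    def decrypt(self, blob: bytes) -> str:
        return xor_stream(self.k_data, blob[:12], blob[12:]).decode()

class Server:
    """Stores ciphertexts and opaque tokens; never holds keys or plaintext."""
    def __init__(self):
        self.store, self.index, self.query_log = {}, {}, []
    def upload(self, rec_id: str, blob: bytes, tokens: set) -> None:
        self.store[rec_id] = blob
        for t in tokens:
            self.index.setdefault(t, set()).add(rec_id)
    def search(self, token: bytes) -> list:
        self.query_log.append(token)  # what an honest-but-curious server observes
        return sorted(self.index.get(token, set()))

def demo():
    """Constructed records. Returns the decrypted hits for 'fraud' and whether the server
    could tell the same keyword was searched twice (it can: a deterministic token leaks
    query equality and the access pattern, though not the word itself)."""
    client, server = Client(), Server()
    records = {"r1": "wire transfer flagged fraud", "r2": "routine payroll run",
               "r3": "fraud review for account 7"}
    for rid, text in records.items():
        server.upload(*client.prepare(rid, text))
    hits = [client.decrypt(server.store[r]) for r in server.search(client.trapdoor("fraud"))]
    server.search(client.trapdoor("FRAUD"))  # same keyword, different casing
    return hits, server.query_log[0] == server.query_log[1]
```

Production SSE schemes spend most of their design effort on exactly this leakage (query and access patterns), which is why "encrypted" and "leak-free" are not the same claim.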

Jennifer Glenn, an IDC analyst, notes that digital transformation has made data more accessible across business functions but also more exposed. Searchable encryption offers a powerful means to secure data while unlocking its value.

A data management company has developed a solution that achieves the long-sought goal of encrypting data in use. By leveraging patented shredding technology and Searchable Symmetric Encryption, the SaaS Solution eliminates the complexities and vulnerabilities of traditional encryption methods.

The SaaS Solution provides comprehensive encryption at the database layer, ensuring data remains encrypted at all times. Key features include:

  • Full AES 256 encryption with dual key vaults, making data accessible only with both keys.
  • Patented shredding technology that breaks data into pieces, further securing it even before encryption.
  • Always-encrypted datasets supporting full CRUD (Create, Read, Update, Delete) functionality.
  • Fast, encrypted compound searching, ensuring seamless user experience.
  • Continuous Machine Learning and AI-based Threat Detection and Response.
  • Simple JSON API integration for minimal disruption and always-encrypted data availability.
  • Flexible implementation as a SaaS or on-premises solution, with integration capabilities for third-party applications.

In a landscape where threat actors are increasingly sophisticated, it’s crucial to advance our encryption methods. The SaaS Solution represents a significant step forward in data security, offering a robust, practical solution for various industries, including finance, healthcare, banking, manufacturing, government, and more. The need for effective searchable encryption is universal, and the SaaS Solution meets this need by ensuring data is always secure and usable.

  • WhatsApp for Windows Lets Python, PHP Scripts Execute With No Warning

A recent security vulnerability in the latest version of WhatsApp for Windows allows the execution of Python and PHP attachments without any warning when opened by the recipient. For this vulnerability to be exploited, Python must be installed on the target system, potentially limiting the impact to software developers, researchers, and power users. This issue is reminiscent of a similar problem in Telegram for Windows reported in April, where attackers could bypass security warnings and execute remote code by sending a Python .pyzw file. Telegram initially dismissed the issue but later issued a fix. WhatsApp blocks various file types considered risky, but it does not plan to add Python scripts to this list, according to a statement given to BleepingComputer. Further testing by BleepingComputer revealed that PHP files (.php) are also not included in WhatsApp’s blocklist.

Security researcher Saumyajeet Das discovered the vulnerability while experimenting with different file types that could be attached to WhatsApp conversations. Das found that when sending a potentially dangerous file, such as .EXE, WhatsApp presents the recipient with options to either open or save the file. However, attempting to open these files directly from WhatsApp results in an error, requiring users to save the file to disk before execution. This behavior was consistent across several file types, including .EXE, .COM, .SCR, .BAT, .DLL, .HTA, and .VBS. However, Das identified that WhatsApp does not block the execution of .PYZ (Python ZIP app), .PYZW (PyInstaller program), and .EVTX (Windows event log file) directly from the app.

BleepingComputer’s tests confirmed that Python files could be executed directly from WhatsApp, as could PHP scripts. If all necessary resources are present, a simple click on the “Open” button executes the script.

Das reported the issue to Meta on June 3, and the company responded on July 15, indicating that the issue had already been reported by another researcher. When BleepingComputer tested the latest WhatsApp release for Windows (v2.2428.10.0 on Windows 11), the vulnerability was still present.

Meta dismissed the report through their bug bounty program, categorizing it as “N/A.” A Meta spokesperson stated that they did not consider it a significant issue, emphasizing that users should be cautious about opening files from unknown sources regardless of the platform. Meta explained that WhatsApp has measures in place to warn users when they receive messages from unknown contacts or from numbers registered in different countries. However, if a user’s account is compromised, an attacker could send malicious scripts to all contacts, making it easier to exploit this vulnerability.

Das expressed disappointment with Meta’s response, suggesting that simply adding the .pyz and .pyzw extensions to the blocklist could mitigate the risk. He emphasized that addressing this issue would enhance user security and demonstrate Meta’s commitment to resolving security concerns promptly.

  • New Android Spyware LianSpy Evades Detection Using Yandex Cloud

Since at least 2021, users in Russia have been targeted by a previously undocumented Android spyware known as LianSpy, according to cybersecurity vendor Kaspersky. Discovered in March 2024, LianSpy utilizes Yandex Cloud for command-and-control (C2) communications, avoiding dedicated infrastructure and enhancing evasion tactics.

Kaspersky’s security researcher Dmitry Kalinin detailed the spyware’s capabilities in a technical report published Monday. LianSpy can capture screencasts, exfiltrate user files, and harvest call logs and app lists. The distribution method remains unclear but may involve exploiting an unknown security flaw or direct physical access to target devices. The spyware masquerades as apps like Alipay or Android system services. Once activated, LianSpy checks if it is running as a system app to operate with administrator privileges. If not, it requests extensive permissions to access contacts, call logs, notifications, and overlay capabilities. It also verifies its environment to establish persistence across reboots, hides its icon, and triggers activities such as data exfiltration and configuration updates.

In some variants, LianSpy collects data from instant messaging apps popular in Russia and adjusts its operations based on network connectivity. It updates its configuration by searching for specific files on a threat actor’s Yandex Disk every 30 seconds, downloading and storing these files in an encrypted SQL database.

LianSpy is notable for bypassing the privacy indicators feature introduced in Android 12, which mandates status bar icons for microphone and camera permissions. It achieves this by manipulating the Android secure setting parameter, effectively hiding notification icons. The spyware also uses NotificationListenerService to suppress background service notifications.

Another sophisticated aspect is LianSpy’s use of a renamed su binary (“mu”) to gain root access, suggesting delivery via an unknown exploit or physical access. C2 communications are unidirectional, with the spyware transmitting stolen data and receiving configuration commands via Yandex Disk. Credentials for Yandex Disk are updated from a hard-coded Pastebin URL, adding a layer of obfuscation and complicating attribution.

LianSpy joins a growing list of advanced spyware tools targeting mobile devices through zero-day exploits. Kalinin emphasized its sophisticated espionage tactics, including covert screen recording and evasion using root privileges, indicating a secondary infection following an initial compromise.

  • Intelligence Bill Would Elevate Ransomware to a Terrorist Threat

Amid a surge in ransomware attacks, the Senate Intelligence Committee proposes treating ransomware like terrorism. The bill, spearheaded by Chairman Mark Warner (D-VA), includes unprecedented measures: designating ransomware gangs as “hostile foreign cyber actors,” labeling nations harboring these gangs as “state sponsors of ransomware,” and imposing sanctions on such states. This would grant the U.S. intelligence community greater authority to target ransomware actors by prioritizing ransomware as a national intelligence issue.

This approach, if passed into law, would mark the first time U.S. legislation directly links ransomware to terrorism, reflecting the significant economic damage these attacks inflict. Critics, however, question the efficacy of additional sanctions on already heavily sanctioned states and the fluid nature of ransomware groups that frequently rebrand. Nonetheless, the bill’s proponents argue it signals a serious escalation in U.S. efforts to combat ransomware.

The bill names 18 ransomware groups and directs the intelligence community to focus on ransomware threats to critical infrastructure. It also mandates the Secretary of State and Director of National Intelligence to designate countries supporting ransomware as state sponsors, subject to sanctions similar to those for terrorism.

Despite some skepticism about the bill’s impact, it underscores the urgency of addressing ransomware as a national security threat. This legislative move highlights the evolving nature of cyber threats and the need for updated policies to combat them effectively.

  • Users Call on Microsoft to Update Outlook’s Friendly Name Feature

Users are calling on Microsoft to reconsider how Outlook displays sender email addresses, as phishing criminals exploit the current format to deliver malicious emails. Outlook prioritizes showing the “friendly name” of the sender rather than the actual email address, making it easier for scammers to deceive users. This issue, highlighted in Microsoft’s support forums with over 100 votes, is not a bug but a problematic feature that compromises security.

Currently, Outlook only reveals the actual email address upon hovering over the name or opening the email, depending on the version. This display method increases the risk of users mistaking malicious emails for legitimate ones, potentially clicking harmful links.

A user in the support forum shared experiences of tech-savvy employees being deceived by phishing emails due to this feature, emphasizing the need to disable sender aliases altogether for enhanced security. While older Outlook versions can be configured to show actual addresses, this is impractical for many users.

Despite Microsoft’s reputation for security, users express frustration over the company’s inaction on this well-known issue. Another user criticized the oversight, highlighting the significant risk it poses compared to other security measures. The lack of a straightforward fix or at least an option to disable friendly names is seen as a major security flaw. Microsoft has yet to respond to queries about potential changes to address these concerns.
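As an added example, not from the article or from Microsoft, here is a small Python triage check over From: header values that flags the mismatch a friendly-name-only display hides: a display name that is itself an address on another domain, or one that names a brand whose domains do not match the real sender. The brand list and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed mapping for this example: brand keyword -> domains entitled to use it.
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return address.rpartition("@")[2].lower()

def in_domains(domain: str, allowed: set) -> bool:
    """True when domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from_header(from_header: str) -> tuple:
    """Return (verdict, display_name, real_address) for one From: header value.

    address_in_name      the friendly name is itself an address on a different domain
    brand_impersonation  the friendly name cites a protected brand, the address does not
    ok                   nothing in the friendly name contradicts the real address
    """
    name, addr = parseaddr(from_header)
    real_dom = domain_of(addr)
    lowered = name.lower()
    m = ADDRESS_IN_NAME.search(lowered)
    if m and m.group(1) != real_dom:
        return "address_in_name", name, addr
    for brand, allowed in PROTECTED_BRANDS.items():
        if brand in lowered and not in_domains(real_dom, allowed):
            return "brand_impersonation", name, addr
    return "ok", name, addr

def triage(headers) -> dict:
    """Group the headers that need a closer look by verdict; 'ok' ones are dropped."""
    flagged = {}
    for h in headers:
        verdict, _, _ = check_from_header(h)
        if verdict != "ok":
            flagged.setdefault(verdict, []).append(h)
    return flagged

# Constructed sample From: values (not taken from the article).
SAMPLE_HEADERS = [
    '"Microsoft Account Team" <no-reply@microsoft.com>',
    '"support@microsoft.com" <attacker@mail.example.net>',
    '"PayPal Service" <billing@paypa1-secure.example>',
    "alice@example.org",
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_HEADERS).items():
        print(verdict, hits)
```

A check like this belongs in mail-gateway or mailbox-rule logic, since the client display the article describes gives the reader no signal to act on.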
