The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 1.0.0.0 anti-cheat driver does not adequately restrict unprivileged function calls, allowing local, unprivileged users to execute arbitrary code with SYSTEM privileges on Microsoft Windows systems. The mhyprot2.sys driver must first be installed by a user with administrative privileges.
Excess privilege granted to cloud identities is a key component in 99% of all security tests performed by IBM’s X-Force Red penetration testing team, according to a report released Wednesday by the company.
Both human users and service accounts were consistently found to have more access rights and privileges than they generally need, which makes exploiting a successful breach in a cloud system much easier than it would otherwise be, the report said.
“This setup enabled attackers who managed to get a foothold in the environment to pivot and move laterally to exploit additional cloud components or assets,” according to the report.
That’s bad news for the cloud sector, which also saw a 200% increase in the number of compromised accounts being sold on the dark web, and an increase in the average severity score of vulnerabilities found in cloud systems, IBM said. That severity score, which is based on CVSS, rose to an average of 18 in the latest report, up from 15 ten years ago.
Excess privilege granted to cloud identities is a key component in 99% of all security tests performed by IBM’s X-Force Red penetration testing team, according to a report released Wednesday by the company.
Both human users and service accounts were consistently found to have more access rights and privileges than they generally need, which makes exploiting a successful breach in a cloud system much easier than it would otherwise be, the report said.
“This setup enabled attackers who managed to get a foothold in the environment to pivot and move laterally to exploit additional cloud components or assets,” according to the report.
That’s bad news for the cloud sector, which also saw a 200% increase in the number of compromised accounts being sold on the dark web, and an increase in the average severity score of vulnerabilities found in cloud systems, IBM said. That severity score, which is based on CVSS, rose to an average of 18 in the latest report, up from 15 ten years ago.
A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.
This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.
The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).
These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.
Here’s what the other side of that insert skimmer looks like:
The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.
The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.
To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.
Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.
The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.
Image: NCR
Here are some variations on deep insert skimmers NCR found in recent investigations:
Variations on deep insert skimmers recently found inside compromised ATMs.
The image on the left below shows another deep insert skimmer and its constituent components. The picture on the right shows a battery-operated pinhole camera hidden in a false fascia directly to the right of the ATM’s PIN pad.
Images: NCR.
The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.
Image: NCR.
Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:
Image: NCR
In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:
Image: NCR
The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which stops current skimmer designs from locating and locking into the card reader. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.
Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.
Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).
For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.
Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.
So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.
Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.
Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.
If you enjoyed this story, check out these related posts:
Crooks Go Deep With Deep Insert Skimmers
Dumping Data from Deep Insert Skimmers
To scale their cybersecurity programs, organizations should deploy layered security solutions such as those included in a CIS SecureSuite Membership.
Cybersecurity startup novoShield has launched an enterprise-grade mobile security application, designed to protect users from mobile phishing threats.
Released this week for iPhones via the US and Israeli Apple app stores, novoShield’s namesake app detects malicious websites in real time and blocks users from accessing them. The software also provides users with live on-screen indicators to inform them when a website is safe to browse.
zabbix-6.0.8-1.fc37
6.0.8, fixes CVE-2022-40626
McAfee’s Mobile Research team recently analyzed new malware targeting NTT DOCOMO users in Japan. The malware which was distributed on the Google Play store pretends to be a legitimate mobile security app, but it is in fact a payment fraud malware stealing passwords and abusing reverse proxy targeting NTT DOCOMO mobile payment service users. McAfee researchers notified Google of the malicious apps, スマホ安心セキュリティ, or ‘Smartphone Anshin Security’, package name ‘com.z.cloud.px.app’ and ‘com.z.px.appx’. The applications are no longer available on Google Play. Google Play Protect has also taken steps to protect users by disabling the apps and providing a warning. McAfee Mobile Security products detect this threat as Android/ProxySpy and protect you from malware. For more information, to get fully protected, visit McAfee Mobile Security.
The malware actor continues to publish malicious apps on the Google Play Store with various developer accounts. According to the information posted on Twitter by Yusuke Osumi, Security Researcher at Yahoo! Japan, the attacker sends SMS messages from overseas with a Google Play link to lure users to install the malware. To attract more users, the message entices users to update security software.
A SMS message from France (from Twitter post by Yusuke)
Malware on Google Play
The Mobile Research team also found that the malware actor uses Google Drive to distribute the malware. In contrast to installing an application after downloading an APK file, Google Drive allows users to install APK files without leaving any footprint and makes the installation process simpler. Once the user clicks the link, there are only a few more touches required to run the application. Only three clicks are enough if users have previously allowed the installation of unknown apps on Google Drive.
Following notification from McAfee researchers, Google has removed known Google Drive files associated with the malware hashes listed in this blog post.
When an NTT DOCOMO network user installs and launches this malware, it asks for the Network password. Cleverly, the malware shows incorrect password messages to collect more precise passwords. Of course, it does not matter whether the password is correct or not. It is a way of getting the Network password.
Ask the Network password twice (Only NTT DOCOMO users can see these)
The Network password is used for the NTT DOCOMO payment service which provides easy online payments. NTT DOCOMO mobile network users can start this payment service by just setting 4-digits password called a Network password. The charge will be paid along with the mobile phone bill. When you need to pay online, you can simply do the payment process by entering the 4-digits password.
After the password activity, the malware shows a fake mobile security screen. Interestingly, the layout of the activity is similar to our old McAfee Mobile Security. All buttons look genuine, but these are all fake.
Interface comparison.
There is a native library named ‘libmyapp.so’ loaded during the app execution written in Golang. The library, when loaded, tries to connect to the C2 server using a Web Socket. Web Application Messaging Protocol (WAMP) is used to communicate and process Remote Procedure Calls (RPC). When the connection is made, the malware sends out network information along with the phone number. Then, it registers the client’s procedure commands described in the table below. The web socket connection is kept alive and takes the corresponding action when the command is received from the server like an Agent. And the socket is used to send the Network password out to the attacker when the user enters the Network password on the activity.
RPC Function name
Description
connect_to
Create reverse proxy and connect to remote server
disconnect
Disconnect the reverse proxy
get_status
Send the reverse proxy status
get_info
Send line number, connection type, operator, and so on
toggle_wifi
Set the Wi-Fi ON/OFF
show_battery_opt
Show dialog to exclude battery optimization for background work
Registered RPC functions description
Initial Hello packet contains personal information
Sending out The Network password
To make a fraudulent purchase by using leaked information, the attacker needs to use the victim’s mobile network. The RPC command ‘toggle_wifi’ can switch the Wi-Fi connection status of the victim, and ‘connect_to’ will provide a reverse proxy to the attacker. A reverse proxy can allow connecting the host behind a NAT (Network Address Translation) or a firewall. Via the proxy, the attacker can send purchase requests via the victim’s mobile network.
Network and command flow diagram
It is interesting that the malware uses a reverse proxy to steal the user’s network and implement an Agent service with WAMP. McAfee Mobile Research Team will continue to find this kind of threat and protect our customers from mobile threats. It is recommended to be more careful when entering a password or confidential information into untrusted applications.
193[.]239[.]154[.]23
91[.]204[.]227[.]132
ruboq[.]com
SHA256
Package Name
Distribution
5d29dd12faaafd40300752c584ee3c072d6fc9a7a98a357a145701aaa85950dd
com.z.cloud.px.app
Google Play
e133be729128ed6764471ee7d7c36f2ccb70edf789286cc3a834e689432fc9b0
com.z.cloud.px.app
Other
e7948392903e4c8762771f12e2d6693bf3e2e091a0fc88e91b177a58614fef02
com.z.px.appx
Google Play
3971309ce4a3cfb3cdbf8abde19d46586f6e4d5fc9f54c562428b0e0428325ad
com.z.cloud.px.app2
Other
2ec2fb9e20b99f60a30aaa630b393d8277949c34043ebe994dd0ffc7176904a4
com.jg.rc.papp
Google Drive
af0d2e5e2994a3edd87f6d0b9b9a85fb1c41d33edfd552fcc64b43c713cdd956
com.de.rc.seee
Google Drive
The post Fake Security App Found Abuses Japanese Payment System appeared first on McAfee Blog.
IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 210163.
This is a current list of where and when I am scheduled to speak:
I’m speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022.
I’m speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on September 22, 2022.
The list is maintained on this page.
