Blog entry by Les Bell

by Les Bell - Tuesday, 16 August 2022, 8:49 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Signal Users' Number Compromised By Twilio Breach

The Twilio breach a couple of weeks ago revealed the phone numbers of 1,900 Signal users, according to an advisory published by Signal. The Signal encrypted messaging app uses Twilio for phone number verification, and this is how the numbers were leaked. However, message history, contact lists, profile information and other data were not compromised.

Signal is contacting the affected users and prompting them to re-register the Signal app - this is necessary because it was possible for the attackers to register these phone numbers to another device using an SMS verification code revealed by the breach.

Uncredited, Twilio Incident: What Signal Users Need to Know, Signal Support, August 2022. Available online at https://support.signal.org/hc/en-us/articles/4850133017242.

Zoom Update Vulnerability Exposes Mac Users

A nasty vulnerability in the automatic update feature of the Zoom videoconferencing app for macOS could grant attackers root access, security researcher Patrick Wardle revealed at DEF CON on Saturday. Although initial installation of Zoom prompts for the user password, subsequent updates do not, because the updater runs as root. By feeding it a package with the right name, an attacker could either downgrade the Zoom version or even install a trojan, earning the vuln a CVSS score of 8.8.

This is the most recent of a long series of vulnerabilities in Zoom; the company has released a patch which fixes this vulnerability but users really should not rely on the auto-update process to install it.

Purdy, Kevin, Update Zoom for Mac now to avoid root-access vulnerability, Ars Technica, 16 August 2022. Available online at https://arstechnica.com/information-technology/2022/08/zoom-patches-mac-auto-updater-vulnerability-that-granted-root-access/.

Zoom Security Bulletin ZSB-22018, Local Privilege Escalation in Zoom Client for Meetings for macOS, Zoom Inc., 13 August 2022. Available online at https://explore.zoom.us/en/trust/security/security-bulletin/.

Credential Theft Still Popular - Especially Callback Phishing

A new report from Ponemon Institute says that 54% of security incidents were caused by credential theft, followed by ransomware and DDoS attacks, backing similar results in the Verizon Data Breach Investigations Report. One leading cause: almost 60% of organizations do not revoke credentials once they are no longer needed, and these unused and unmonitored accounts are easy prey for attackers.

But as user awareness is improving resistance to simple phishing attacks, spear-phishers are increasing their use of hybrid techniques such as barrel-phishing and callback phishing. A report from Agari claims that while phishing attacks have increased by only 6% since Q1 2021, callback phishing has increased by 625%.

Toulas, Bill, Callback phishing attacks see massive 625% growth since Q1 2021, Bleeping Computer, 15 August 2022. Available online at https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/.

Uncredited, Credential Theft Is (Still) A Top Attack Method, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/credential-theft-is-still-top-attack.html.

Uncredited, The State of Cybersecurity and Third-Party Remote Access Risk, SecureLink (sponsor), August 2022. Available online at https://www.securelink.com/research-reports/the-state-of-cybersecurity-and-third-party-remote-access-risk/ (registration required).

Android Banking Trojan Expands Capabilities and Reach

The SOVA (Russian for owl) banking trojan, which first appeared in September 2021, has continued to develop. The trojan uses the Accessibility Services feature of Android to overlay its own form fields over banking and shopping apps, and in its latest incarnation, SOVA v4, is able to intercept two-factor authentication codes and steal cookies. The operators have also expanded its targets from Spain and the US, where it was first seen, to Australia, Brazil, China, India, the Philippines and the UK.

Lakshmanan, Ravie, SOVA Android Banking Trojan Returns With New Capabilities and Targets, The Hacker News, 15 August 2022. Available online at https://thehackernews.com/2022/08/sova-android-banking-trojan-returns-new.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Tuesday, 16 August 2022, 8:58 AM ]