Security Wrap-Up (July 20th, 2021)

Hi, everybody - it’s me, Chad! Hopefully, your week is off to a smooth start. I’m slowly but surely getting deeper into the Community here at Automox, and we figured this was a good chance for me to share some interesting security news with you. Below are a few crazy things currently happening in the world:

Microsoft: Israeli Firm’s Tools Used to Target Activists, Dissidents
In a pretty disturbing security story, an Israel-based company called Candiru sold spyware that exploited Windows vulnerabilities and has since been used in targeted attacks across various countries, according to new reports from both Microsoft and the University of Toronto’s Citizen Lab.

The tools were being used in “precision attacks” targeting politicians, human rights activists, journalists, academics, embassy workers, and political dissidents, said Microsoft on their blog. The Microsoft Threat Intelligence Center (MSTIC) was alerted about the spyware, which led them to discover CVE-2021-31979 and CVE-2021-33771, both elevation of privilege vulnerabilities in the Windows kernel. Microsoft released patches for the flaws earlier this week and has updated its tools with protections against the spyware used in these attacks.

FBI: Threat actors may be targeting the 2020 Tokyo Summer Olympics
Finally, some news about sports! Oh, wait…never mind. This week, the FBI warned of threat actors potentially targeting the upcoming Olympic Games, although no evidence of a specific planned attack has been obtained. As the FBI explains, attacks coordinated by threat actors targeting the Tokyo 2020 Summer Olympics could involve distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats. In light of previous incidents, the FBI suggests “reviewing or establishing security policies, user agreements, and patching plans to address current threats posed by malicious cyber actors,” so keep that cyber hygiene clean, folks!

Hackers got past Windows Hello by tricking a webcam
Fun Facial-Recognition Fact: Windows Hello facial recognition only works with webcams that have an infrared sensor (in addition to the regular RGB sensor)! Turns out, it doesn’t even look at the RGB data, which means that with one straight-on infrared image of a target’s face and one black frame, the researchers found that they could unlock the victim’s Windows Hello-protected device.

By manipulating a USB webcam to deliver an attacker-chosen image, researchers were able to trick Windows Hello into thinking the device owner’s face was being presented, unlocking the device. Microsoft calls the finding a “Windows Hello security feature bypass vulnerability” and released patches on Tuesday to address the issue. Microsoft also suggests that users enable “Windows Hello enhanced sign-in security,” which uses Microsoft’s “virtualization-based security” to encrypt Windows Hello face data and then process it in a protected area of memory.

Unpatched iPhone Bug Allows Remote Device Takeover
In Apple news, a vulnerability in iOS could allow for remote code execution (RCE), researchers found. The assessment is a revision of a previous analysis of the flaw, which had determined it was a low-risk, rather odd denial-of-service (DoS) problem affecting the iPhone’s Wi-Fi feature.

Apple fixed the original DoS issue with iOS 14.6, without issuing a CVE. However, researchers recently found that it could be used for RCE with little interaction from the victim, and that the attack worked on fully patched iPhones. A successful exploit of the bug (dubbed “WiFiDemon”) would let an attacker take over the phone, install malware, and/or steal data. It’s expected to be patched in the next week or so. In the meantime, iPhone users can disable the Wi-Fi Auto-Join feature via Settings->WiFi->Auto-Join Hotspot->Never. Users should also avoid connecting to unknown Wi-Fi hotspots in general (but specifically any whose network name contains the “@” symbol) to avoid this specific attack.