Chinese hackers infiltrate US telecommunications providers
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have announced that Chinese hackers have infiltrated US telecommunications service providers.
The FBI revealed that a group of hackers known as Salt Typhoon attacked several US broadband providers, including Verizon, AT&T and Lumen Technologies. The hackers were able to gain access to a communications interception system that major operators maintain for criminal investigations.
However, similar cyber espionage activities are not limited to the United States. The Canadian government has reported that state-sponsored attackers from China have conducted extensive network scans of a wide range of organisations in recent months.
While these scans are currently limited to exploratory efforts, the Canadian government is urging critical organisations in the country to implement strong security measures.
Recommended measures include multi-factor authentication protection, traffic monitoring or phishing exercises.
qBittorrent fixes bug that left users vulnerable to MitM attacks for 14 years.
qBittorrent, a BitTorrent file-sharing application, has fixed a remote code execution vulnerability caused by an SSL/TLS certificate authentication failure in the DownloadManager component. This vulnerability has been present in the application since 2010 and was finally fixed in the latest version 5.0.1, released on 28 October 2024.
The main problem was that qBittorrent had been accepting any certificate since 2010, including fake/illegitimate ones, which allowed attackers in a man-in-the-middle (MitM) position to manipulate data on the network.
Security researcher Sharp Security identifies four main risks from this situation. qBittorrent prompts users to install Python via a fixed URL if Python is not available on Windows. Due to the lack of certificate authentication, an attacker could replace the URL with a malicious version of the Python installer.
In addition, qBittorrent checks for updates by downloading the XML feed from a fixed URL. Without a valid SSL certificate, an attacker could replace the update link in the XML feed with a malicious link. The Download Manager in qBittorrent is also used for RSS feeds, allowing attackers to modify the content of the RSS feed and insert malicious URLs posing as secure torrent links.
Finally, qBittorrent automatically downloads and decompresses the compressed GeoIP database, allowing you to exploit potential memory overflow bugs via files from a fake server.
The latest version of qBittorrent 5.0.1 already addresses these risks, so users are advised to upgrade as soon as possible.
“FakeCall“ malware redirects bank calls to attackers
A new version of Android malware called “FakeCall” redirects users’ outgoing calls to their bank to the attacker’s phone number. This new version is designed to steal sensitive information and money from bank accounts.
FakeCall (or FakeCalls) is a banking Trojan that targets voice phishing, where victims are tricked by fraudulent calls pretending to be from banks.
In previous versions, FakeCall prompted users to call the bank from an app pretending to be a financial institution. A fake screen would then appear with the real bank number, while the victim was redirected to the fraudsters.
In the latest version analysed by Zimperium, the malicious app sets itself as the default call manager.
“The malicious app deceives the user and displays a convincing fake user interface that appears to be a legitimate Android call interface with the phone number of a real bank.” explains a report from Zimperium.
Ransomware gangs target SonicWall VPN
The Fog and Akira ransomware gangs are increasingly targeting corporate networks with SonicWall VPNs. The attackers are likely exploiting an SSL VPN access control vulnerability tracked as CVE-2024-40766.
SonicWall patched this vulnerability in SonicOS in late August 2024 and warned about a week later that it was being actively exploited.
Arctic Wolf points out that Akira and Fog have caused at least 30 breaches that started with remote access to the network using SonicWall VPN accounts. Of these, 75% are linked to Akira, with the remainder attributed to Fog’s ransomware operations. Interestingly, the two groups share infrastructure, suggesting an ongoing unofficial collaboration as previously documented by Sophos.
According to the Arctic Wolf researchers, only a few hours elapsed between the intrusion and the encryption of the data, in some cases as little as 1.5-2 hours.
Japanese researcher Yutaka Sejiyama reports that approximately 168,000 SonicWall endpoints are currently vulnerable to CVE-2024-40766 and exposed to the Internet.
Zero-day vulnerability in Windows themes
ACROS security researchers have discovered a new zero-day vulnerability in Windows that could allow an attacker to remotely steal a user’s NTLM hashes.
A zero-day vulnerability in Windows Themes was discovered while developing a fix for another security issue (CVE-2024-38030) that could also lead to user credential leakage.
It was found that if the theme file used a network path to other files (such as the desktop wallpaper), Windows would automatically send network requests to remote hosts, revealing the user’s NTLM hash, simply by displaying the theme file in Windows Explorer.
