Germany’s Federal Office for Information Security (BSI) has announced that it has disrupted BADBOX, a malware operation whose implant came pre-installed on at least 30,000 devices in the country.

In a statement released earlier this week, the agency said it had cut off communication between the infected devices and their command-and-control (C2) servers by redirecting that traffic to a sinkhole. The affected devices include digital photo frames, media players, mobile phones and tablets.

“All of these devices have in common that they run outdated versions of Android and were shipped with malware pre-installed,” the BSI said in a press release.

BADBOX was first documented by HUMAN Security’s Satori Threat Intelligence and Research team in October 2023, which described it as a complex threat.

The operation relies on a variant of the Triada Android malware pre-installed in the firmware of low-cost, off-brand Android devices. Once a device is connected to the internet, the embedded malware can collect a wide range of data and fetch and install additional malicious modules.

The operation, believed to originate from China, also feeds an ad-fraud botnet called PEACHPIT, which uses spoofed versions of popular apps to generate fraudulent ad traffic.

Researchers crack Microsoft Azure MFA in an hour

Identity management company Oasis Security has released details of an attack that allowed its researchers to bypass Microsoft’s implementation of multi-factor authentication (MFA).

Oasis reported the attack, dubbed AuthQuake, to Microsoft in late June; Microsoft applied a temporary fix a few days later.

According to Oasis, the vulnerability, rated critical, allowed an attacker who already held a valid username and password to bypass MFA and take over the account.

Oasis said AuthQuake was especially dangerous because it took only about an hour on average to execute, required no user interaction and produced no notification to the account owner. The root cause was the absence of rate limiting on failed MFA code attempts: an attacker could open many login sessions in parallel and guess six-digit time-based one-time passwords (TOTP) at high speed.

Oasis’s tests showed that the probability of hitting a valid code exceeded 50% after 24 sessions, roughly 70 minutes of guessing.
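The point that makes this class of bypass possible, an attempt budget that is tied to something the attacker controls, is easier to see in code. The following is an added illustration, not code from Oasis Security or Microsoft: a small RFC 6238 TOTP verifier guarded by two limiters, one counting failures per login session (the attacker simply opens a new session once the budget is spent) and one counting per account. The budgets (10 wrong guesses), the number of sessions and the acceptance window are arbitrary assumed parameters, not Microsoft’s configuration; the secret is the RFC 4226/6238 test key.

```python
"""Why MFA brute-force protection must be enforced per account, not per session.

Added example; not code from Oasis Security or Microsoft. The parameters
below (a 6-digit TOTP, 10 wrong guesses per session or per account, the
session counts used in the demo) are assumed for illustration and are not
Microsoft's actual configuration.
"""
import hashlib
import hmac
import struct

CODE_SPACE = 10 ** 6          # six-digit code
PER_SESSION_BUDGET = 10       # assumed: wrong guesses allowed before a session is closed
PER_ACCOUNT_BUDGET = 10       # assumed: wrong guesses allowed per account before lockout


def totp_at(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for one 30-second time step (HOTP over the step counter, SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def accepted_codes(secret: bytes, step: int, window_steps: int) -> set[str]:
    """Codes a server accepts at `step` if it still honours the previous `window_steps - 1`
    steps. A wider acceptance window means more valid codes per guess."""
    return {totp_at(secret, step - k) for k in range(window_steps)}


class PerSessionLimiter:
    """Weak: the failure counter lives on the login session. Exhaust it, open a new one."""
    def __init__(self) -> None:
        self.failures_by_session: dict[str, int] = {}

    def allow(self, account: str, session: str) -> bool:
        return self.failures_by_session.get(session, 0) < PER_SESSION_BUDGET

    def record_failure(self, account: str, session: str) -> None:
        self.failures_by_session[session] = self.failures_by_session.get(session, 0) + 1


class PerAccountLimiter:
    """Hardened: the counter is keyed on the account, so new sessions do not reset it."""
    def __init__(self) -> None:
        self.failures_by_account: dict[str, int] = {}

    def allow(self, account: str, session: str) -> bool:
        return self.failures_by_account.get(account, 0) < PER_ACCOUNT_BUDGET

    def record_failure(self, account: str, session: str) -> None:
        self.failures_by_account[account] = self.failures_by_account.get(account, 0) + 1


def brute_force(limiter, secret: bytes, step: int, window_steps: int,
                sessions: int) -> tuple[int, bool]:
    """Attacker opens `sessions` login sessions and guesses 000000, 000001, ... until the
    limiter refuses or a code is accepted. Returns (guesses made, success)."""
    valid = accepted_codes(secret, step, window_steps)
    account = "victim@example.test"   # constructed account name
    next_guess = 0
    made = 0
    for s in range(sessions):
        session = f"session-{s}"
        while limiter.allow(account, session):
            code = str(next_guess).zfill(6)
            next_guess += 1
            made += 1
            if code in valid:
                return made, True
            limiter.record_failure(account, session)
    return made, False


def success_probability(guesses: int, window_steps: int) -> float:
    """Approximate chance that `guesses` independent guesses hit one of the
    `window_steps` codes accepted at a given moment."""
    return 1.0 - (1.0 - window_steps / CODE_SPACE) ** guesses


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test key
    for name, limiter in (("per-session", PerSessionLimiter()),
                          ("per-account", PerAccountLimiter())):
        made, ok = brute_force(limiter, secret, step=1, window_steps=1, sessions=24)
        print(f"{name}: 24 sessions -> {made} guesses processed, success={ok}, "
              f"p~{success_probability(made, 1):.6f}")
```

With the per-session limiter every additional session buys another full budget of guesses, so the total number of attempts is bounded only by how fast the attacker can open sessions; with the per-account limiter the tenth failure locks the account no matter how many sessions are opened. The `window_steps` parameter shows the second lever: every extra 30-second step the server tolerates multiplies the number of codes that are valid at once.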

Microsoft issued the final patch in October.


Critical vulnerability in OpenWrt

A critical security vulnerability has been found in the firmware build infrastructure of OpenWrt, the popular open-source operating system for routers.

The vulnerability, which is being tracked as CVE-2024-54143, has a CVSS rating of 9.3 out of a maximum of 10.

Flatt Security researcher RyotaK is credited with discovering and reporting the vulnerability on 4 December 2024.

Successful exploitation of the vulnerability in the ImageBuilder used by OpenWrt’s Attended Sysupgrade (ASU) service would allow an attacker to produce malicious firmware images signed with a legitimate key.

RyotaK, who published the technical analysis, said it is not known whether the vulnerability was ever exploited. Users are advised to update to the latest version as soon as possible.

The bug has been fixed in ASU commit 920c8a1.


IOCONTROL malware focuses on SCADA and IoT systems

Attackers linked to Iran have been tied to new malware targeting IoT and OT devices in Israel and the United States.

Claroty has codenamed this malware IOCONTROL. The malware has the ability to attack IoT and SCADA devices such as IP cameras, routers, PLCs, firewalls and other Linux-based IoT/OT platforms.

“Although the malware is believed to be custom-built, it appears to be generic enough to run on a variety of platforms from different vendors due to its modular configuration,” the company said.

This development makes IOCONTROL the tenth malware family to specifically target industrial control systems, following Stuxnet, Havex, Industroyer and others.

“This malware is essentially a nation-state cyber-weapon used to attack civilian critical infrastructure; at least one of the victims has been the Orpak and Gasboy fuel management systems,” Claroty said.

The end goal of the infection chain is a persistent backdoor that starts automatically every time the device reboots. IOCONTROL is notable for using the MQTT protocol for its C2 channel and for resolving its C2 domains through Cloudflare’s DNS-over-HTTPS (DoH), which hides the lookups from conventional DNS monitoring.
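That combination, DoH to a public resolver followed by MQTT to the internet, is something a defender can look for on an OT network segment where embedded devices have no business doing either. The following is an added example, not Claroty’s detection logic and not IOCONTROL code. Everything in it is an assumption chosen for illustration: the flow-record format, the constructed sample records, the list of local networks, Cloudflare’s public DoH endpoints (1.1.1.1, 1.0.0.1, cloudflare-dns.com) and the standard MQTT ports 1883 and 8883. It generalises the text slightly by correlating the two behaviours per source host inside a time window rather than alerting on either alone.

```python
"""Flag hosts that resolve names via Cloudflare DNS-over-HTTPS and then open an
outbound MQTT connection, the C2 pattern attributed to IOCONTROL.

Added example, not Claroty's detection logic or IOCONTROL code. The record
format, sample records, local-network list, DoH indicators and MQTT ports
below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLOUDFLARE_DOH_IPS = {"1.1.1.1", "1.0.0.1"}
CLOUDFLARE_DOH_NAMES = {"cloudflare-dns.com", "one.one.one.one"}
MQTT_PORTS = {1883, 8883}
# Assumed: anything outside these ranges is treated as "the internet".
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str       # source host
    dst: str       # destination host
    dport: int     # destination port
    sni: str       # TLS server name if observed, "" otherwise


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format 'ts src dst dport sni' ('-' = no SNI)."""
    ts, src, dst, dport, sni = line.split()
    return Flow(float(ts), src, dst, int(dport), "" if sni == "-" else sni)


def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def is_cloudflare_doh(f: Flow) -> bool:
    """DoH rides on TCP/443, so identify it by resolver IP or TLS SNI, not by port alone."""
    return f.dport == 443 and (f.dst in CLOUDFLARE_DOH_IPS or f.sni in CLOUDFLARE_DOH_NAMES)


def is_external_mqtt(f: Flow) -> bool:
    return f.dport in MQTT_PORTS and is_external(f.dst)


def find_suspects(flows, max_gap: float = 300.0) -> dict[str, str]:
    """Return {source host: MQTT destination} for hosts that contacted a Cloudflare DoH
    endpoint and, within max_gap seconds afterwards, opened MQTT to an external host."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    suspects: dict[str, str] = {}
    for src, host_flows in by_src.items():
        host_flows.sort(key=lambda f: f.ts)
        doh_times = [f.ts for f in host_flows if is_cloudflare_doh(f)]
        for f in host_flows:
            if is_external_mqtt(f) and any(0 <= f.ts - t <= max_gap for t in doh_times):
                suspects[src] = f.dst
                break
    return suspects


# Constructed sample records (not real traffic). Columns: ts src dst dport sni
SAMPLE_RECORDS = """\
1000.0 192.168.10.21 1.1.1.1 443 cloudflare-dns.com
1002.5 192.168.10.21 203.0.113.45 8883 -
1005.0 192.168.10.22 192.168.10.1 53 -
1006.0 192.168.10.22 192.168.10.50 1883 -
1010.0 192.168.10.23 1.0.0.1 443 cloudflare-dns.com
1020.0 192.168.10.24 198.51.100.7 8883 -
"""


def analyse(text: str = SAMPLE_RECORDS) -> dict[str, str]:
    return find_suspects(parse_flow(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for host, broker in analyse().items():
        print(f"{host}: Cloudflare DoH followed by MQTT to {broker}")
```

In the sample only 192.168.10.21 trips the rule: 192.168.10.22 talks MQTT to a local broker, 192.168.10.23 uses DoH without MQTT, and 192.168.10.24 opens external MQTT without DoH. On a real OT segment the last two are still worth a lower-severity alert of their own; the correlation here is only meant to rank the host that matches the full pattern first.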