TLDR Information Security 2024-05-08

1.2M Files Exposed 🚨, Multiple Flaws Xiaomi Android 📱, Police resurrect Lockbit 👮‍♂️

🔓
Attacks & Vulnerabilities

Xiaomi Android Devices Hit by Multiple Flaws Across Apps and System Components (3 minute read)

Multiple security vulnerabilities have been disclosed in Xiaomi Android device applications and system components. Together they allow arbitrary access to activities and services, reading of files with system privileges, changes to phone settings, exposure of Xiaomi account details, and more.

Physical security biz exposes 1.2M files via unprotected database (4 minute read)

Amberstone Security, a physical security company, exposed nearly 1.3 million documents through a misconfigured public-facing database. The leaked data, dating back to 2017, included over 99,000 snapshots of guards checking in for shifts, along with names, headshots, ID cards, and signatures, potentially compromising the security of the company's operations and its personnel.

UK confirms Ministry of Defence payroll data exposed in data breach (2 minute read)

A cyberattack on the UK Ministry of Defence exposed personal data of military personnel. The breach affected payroll records but did not disrupt salary payments. Investigations are ongoing to determine the cause of the breach, and foreign state involvement is suspected.

🧠
Strategies & Tactics

Why Your VPN May Not Be As Secure As It Claims (8 minute read)

VPNs do not fully protect traffic from snooping when the client connects through an untrusted network. An attacker on the same network can abuse DHCP to steer a target's traffic outside the VPN tunnel without triggering alerts: a rogue DHCP server pushes classless static routes (DHCP option 121) that are more specific than the VPN's default route, so the host sends traffic to the attacker's gateway in the clear. The attacker then forwards it on to the legitimate gateway, so connectivity looks normal while the VPN's encryption is bypassed.
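
The mechanism described above, as an added illustration that is not code from the article or from the researchers who disclosed the technique: a rogue DHCP server's option 121 payload is encoded and decoded per RFC 3442, installed into a constructed VPN client routing table, and resolved with longest-prefix matching to show which interface traffic actually leaves on. All addresses, interface names and metrics are constructed for the example, and the routing logic is a simplified model of what a Linux host does.

```python
"""Added example (not from the article or the original disclosure): how DHCP
option 121 routes pulled from a rogue server win over a VPN's default route.
Addresses, interfaces and metrics below are constructed for illustration."""
import ipaddress

VPN_SERVER = "203.0.113.10"   # constructed VPN endpoint (RFC 5737 range)
ROGUE_GW = "192.168.1.254"    # constructed attacker-controlled next hop on the LAN
LAN = ipaddress.ip_network("192.168.1.0/24")


def encode_option_121(routes):
    """Encode (destination CIDR, router) pairs as a DHCP option 121 payload.

    RFC 3442 packs each route as: prefix length (1 byte), only the significant
    octets of the destination, then the 4-byte router address.
    """
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.ip_address(router).packed
    return bytes(payload)


def decode_option_121(payload):
    """Inverse of encode_option_121: returns a list of (CIDR string, router string)."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        significant = (prefixlen + 7) // 8
        dest = payload[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = payload[i + 1 + significant:i + 5 + significant]
        i += 5 + significant
        routes.append((f"{ipaddress.ip_address(dest)}/{prefixlen}",
                       str(ipaddress.ip_address(router))))
    return routes


def client_routes(option_121_payload=b""):
    """Constructed routing table of a full-tunnel VPN client: (network, interface, metric).

    Routes learned from option 121 are installed on the physical interface by the
    DHCP client, regardless of what the VPN configured; that is the weak point.
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "tun0", 50),          # VPN's default route
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", 100),         # LAN default route
        (ipaddress.ip_network(f"{VPN_SERVER}/32"), "eth0", 0),    # keeps the tunnel reachable
        (LAN, "eth0", 0),                                         # local LAN
    ]
    for dest, _router in decode_option_121(option_121_payload):
        table.append((ipaddress.ip_network(dest), "eth0", 0))
    return table


def select_interface(dst, table):
    """Longest-prefix match; the lower metric wins ties, as on Linux."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r[0]]
    _net, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


def routes_bypassing_tunnel(table, tunnel="tun0"):
    """Check a client can run on itself: the tunnel owns 0.0.0.0/0, so any more
    specific route on another interface, other than the LAN and the VPN server
    itself, carries traffic around the tunnel."""
    expected = {LAN, ipaddress.ip_network(f"{VPN_SERVER}/32")}
    return [str(net) for net, iface, _m in table
            if iface != tunnel and net.prefixlen > 0 and net not in expected]


if __name__ == "__main__":
    # Two /1 routes cover the whole IPv4 space and beat the tunnel's /0.
    payload = encode_option_121([("0.0.0.0/1", ROGUE_GW), ("128.0.0.0/1", ROGUE_GW)])
    print("option 121 payload:", payload.hex())
    print("before:", select_interface("93.184.216.34", client_routes()))
    print("after: ", select_interface("93.184.216.34", client_routes(payload)))
    print("leaking routes:", routes_bypassing_tunnel(client_routes(payload)))
```

The same check translates to a real client: on Linux, `ip route show` (and `ip route show table all`, since some VPNs use policy routing) should show no route on the physical interface more specific than the tunnel's default other than the LAN and the VPN server; anything else is a leak path the VPN cannot override.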

Docker Imageless Repositories Used to Punt Malware and Phishing Schemes (4 minute read)

JFrog found that nearly 20% of public repositories on Docker Hub were imageless, and that many of them belonged to three campaigns that social-engineered users into downloading malware or handing over credit card details. The repositories carried no image; their descriptions contained links that redirected users to malicious pages. JFrog worked with Docker Hub to remove the repositories and to remove the ability to include links in the descriptions of imageless repositories.
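
A triage heuristic for the pattern described above, added here as an example and not taken from JFrog's research tooling: it runs over constructed Docker Hub-style repository records and flags repositories that have no tags but carry outbound links in their description. The records, the allow-list of hosts, and the field name `tag_count` are assumptions for the example; in practice the count would be read from Docker Hub's public API (`/v2/repositories/<namespace>/<repo>/tags`).

```python
"""Added example (not JFrog's code): flag imageless Docker Hub repositories whose
descriptions carry external links. Records below are constructed, not real findings."""
import re
from urllib.parse import urlparse

# Constructed repository records in a Docker Hub-like shape (assumption: tag_count
# would be filled from the tags endpoint's count field in real use).
SAMPLE_REPOS = [
    {"namespace": "acme", "name": "api", "tag_count": 14,
     "description": "ACME API server. Docs: https://docs.example.com/api"},
    {"namespace": "freebooks2024", "name": "python-ebook", "tag_count": 0,
     "description": "Get the full PDF here: https://ebooks.example.net/download?ref=hub"},
    {"namespace": "quickwin", "name": "tools", "tag_count": 0,
     "description": "Windows installer mirror https://dl.example.org/setup.exe https://dl.example.org/alt"},
    {"namespace": "acme", "name": "placeholder", "tag_count": 0,
     "description": "Reserved namespace, nothing here yet."},
    {"namespace": "oss", "name": "mirror", "tag_count": 0,
     "description": "Moved to https://github.com/example/mirror"},
]

URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+")
# Hosts a legitimate placeholder repository plausibly links to (assumption).
ALLOWED_HOSTS = {"github.com", "gitlab.com", "hub.docker.com", "docs.docker.com"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".apk")


def external_links(text):
    """URLs in the text whose host is not on the allow-list."""
    return [u for u in URL_RE.findall(text or "")
            if (urlparse(u).hostname or "").lower() not in ALLOWED_HOSTS]


def triage(repos):
    """Return findings for repositories with zero tags and at least one external link.

    Repositories that have images are out of scope for this pattern, and an
    imageless repository with no links is treated as a benign placeholder.
    """
    findings = []
    for repo in repos:
        if repo["tag_count"] > 0:
            continue
        links = external_links(repo.get("description"))
        if not links:
            continue
        findings.append({
            "repo": f'{repo["namespace"]}/{repo["name"]}',
            "links": links,
            # A direct download of an installer from an image-less repo is the
            # strongest signal among the three campaign types described.
            "executable_link": any(u.lower().endswith(EXECUTABLE_SUFFIXES) for u in links),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPOS):
        print(f)
```

The heuristic deliberately errs toward false positives (an org's own empty placeholder repos with a vendor link will show up); it is a starting list for a human to review, not a verdict.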

How Not To Protect Your Android Applications (6 minute read)

This article argues against common Android app protections such as relying on the signing certificate or trusting framework APIs, since attackers can bypass or manipulate both. It also singles out the app's native binaries as a weak point, emphasizing the risk of hooking attacks on dynamically linked binaries. The article closes by suggesting that cracked versions of an app can be seen as an alternative, cost-effective distribution channel.

🧑‍💻
Launches & Tools

Cloud Security Firm Wiz Raises Whopping $1 Billion at $12 Billion Valuation (1 minute read)

Wiz has continued raising money, now at a staggering $12B valuation, with the goal of acquiring more companies to reach its target of $1B ARR by 2025. The business currently generates $350 million in ARR.

Anetac (Website)

Anetac's Dynamic Identity and Security Platform covers the attack surface of service accounts in hybrid environments, mapping their access chains and automatically analyzing their behavior.

MasterParser (GitHub Repo)

MasterParser aims to be an all-in-one DFIR tool for analyzing Linux logs and extracting useful information. Currently, the tool supports auth.log.
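
As an added example of the kind of extraction such a tool performs (this is not MasterParser's code), the following parser runs over a constructed Ubuntu-style auth.log excerpt, pulls out SSH failures and successes, sudo use and account creation, and flags a source address that logged in after producing failures. The hostname, addresses and users in the sample are made up.

```python
"""Added example (not MasterParser's code): a small auth.log parser that builds a
responder-oriented summary. The log excerpt is constructed (RFC 5737 addresses)."""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
May  8 10:01:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  8 10:01:05 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
May  8 10:02:10 web01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:c0ffee
May  8 10:03:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
May  8 10:04:00 web01 sshd[1400]: Accepted password for bob from 203.0.113.5 port 51300 ssh2
May  8 10:05:00 web01 useradd[1500]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor, shell=/bin/bash
May  8 10:05:01 web01 CRON[1600]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog envelope: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+),")


def analyze(log_text):
    """Parse auth.log text and return a summary dict of the events that matter first."""
    failed_by_ip = Counter()
    failed_users = defaultdict(set)
    accepted, sudo, new_users = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than abort the whole file
        proc, msg, ts = m["proc"], m["msg"], m["ts"]
        if proc == "sshd":
            if (f := FAILED_RE.search(msg)):
                failed_by_ip[f["ip"]] += 1
                failed_users[f["ip"]].add(f["user"])
            elif (a := ACCEPTED_RE.search(msg)):
                accepted.append({"ts": ts, "user": a["user"], "ip": a["ip"], "method": a["method"]})
        elif proc == "sudo" and (s := SUDO_RE.match(msg)):
            sudo.append({"ts": ts, "user": s["user"], "target": s["target"], "cmd": s["cmd"]})
        elif proc == "useradd" and (u := USERADD_RE.search(msg)):
            new_users.append(u["user"])
    # A successful login from an address that also failed earlier is the
    # classic brute-force-then-success pattern and goes to the top of the report.
    suspicious = sorted({a["ip"] for a in accepted if failed_by_ip[a["ip"]] > 0})
    return {
        "failed_by_ip": dict(failed_by_ip),
        "failed_users": {ip: sorted(users) for ip, users in failed_users.items()},
        "accepted": accepted,
        "sudo": sudo,
        "new_users": new_users,
        "suspicious_success": suspicious,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_AUTH_LOG), indent=2))
```

Real auth.log files vary by distribution and sshd version (ISO timestamps under journald exports, `Invalid user` lines, `Disconnected from authenticating user` entries), so a production parser needs more patterns than this; the envelope regex and the per-process dispatch are the parts that carry over.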
🎁
Miscellaneous

PDD is a Dying Fraudulent Company and TEMU is Cleverly Hidden Spyware (20 minute read)

An internal and external investigation into PDD and its shopping app TEMU concluded that the app is spyware and that the company is likely selling, or looking to sell, user data. Grizzly Research decompiled the TEMU app itself and corroborated with third-party researchers that the app harvests user data in malicious and hidden ways. The company's corporate financials and infrastructure are also suspect.

SSO Tax, Cut (5 minute read)

This blog post explains why Tailscale originally charged extra for advanced identity providers and why it decided to drop the charge. Tailscale requires SSO and does not allow username-and-password authentication, but it chose to charge extra for some paid/advanced identity providers on the theory that customers of those IdPs would want premium features anyway. When Tailscale re-evaluated its pricing, it recognized that this amounted to an SSO tax, and customer feedback showed that the identity provider a customer used had little bearing on the features they actually needed.

Police resurrect LockBit's site and troll the ransomware gang (2 minute read)

Law enforcement agencies have resurrected the seized darkweb site of the infamous LockBit ransomware gang, teasing new revelations about the group. The revived site features posts with titles suggesting that authorities plan to release information about LockBit members and their activities within the next 24 hours, in an apparent move to troll and warn the hackers after successfully infiltrating their operations earlier this year.

⚡️
Quick Links

Google rolls back reCaptcha update to fix Firefox issues (2 minute read)

Google rolled back a recent reCaptcha update because it broke on Firefox for Windows.

RSA Conference 2024 – Announcements Summary (Day 1) (10 minute read)

Summary of all the announcements presented at RSA on day 1.

Introducing Cloudflare for Unified Risk Posture (10 minute read)

Cloudflare has introduced a new suite for cybersecurity risk management that offers automated risk posture enforcement across various attack surfaces.

Curated news 📰, research 🧑‍🔬, and tools 🔒 for information security professionals