Steve Thomas - IT Consultant


  • React Native documentation for Fabric Native Components includes a detailed guide with specific commands
  • One command was flawed, potentially resulting in malware deployment
  • A hacker discovered the flaw and tried to exploit it

Hackers found a way to abuse official company documents and get people to install malware on their devices, new research has claimed.

In a recent blog post, cybersecurity researchers from Checkmarx explained how the React Native documentation for Fabric Native Components includes a detailed guide for creating custom components.

While Checkmarx did not detail the malware and its capabilities, it did say that the implications of this attack “extend beyond immediate data exposure”, suggesting the malware was some form of an infostealer.

Trust, but verify

React Native is an open-source framework developed by Meta, for building mobile applications using JavaScript and React, allowing developers to create applications for iOS, Android, and other platforms from a single codebase. Fabric Native Components, on the other hand, are part of the Fabric architecture in React Native, which is a re-engineered rendering system aimed at improving performance, interoperability, and developer experience in building native components.

The guide uses “RTNCenteredText” as an example, and suggests using “yarn upgrade rtn-centered-text” to update local development packages.

The problem here is that the command first checks the npm registry for packages, before looking at local files. A cybercriminal picked up on this flaw, created a malicious package with the same name, and uploaded it to npm.

“This incident serves as a reminder that supply chain security requires vigilance at every level,” the researchers said. “Documentation must be precise about package management commands, developers need to verify package sources, and security tools should monitor for packages that may be impersonating official examples.”

In this example, developers are advised to use explicit paths when adding local packages. “Instead of using ‘yarn upgrade’, use ‘yarn add ../package-name’ to ensure you're referencing local development packages,” the researchers conclude.
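Checkmarx's advice above is to verify package sources. As an added check (my own example, not code from Checkmarx, the React Native project or the documentation), the following Python script parses a constructed package.json and a constructed yarn v1 lockfile and flags any package that is supposed to be a local development package but is declared with a plain version range or was resolved from the public registry. The package names other than rtn-centered-text, the local path and the registry URLs are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample package.json (not from the React Native docs). The bare
# "0.0.1" range is the weak form: a registry package of the same name wins.
# The file: form is the explicit local path the researchers recommend.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "react-native": "0.76.0",
        "rtn-centered-text": "0.0.1",
        "rtn-centered-text-fixed": "file:../RTNCenteredText",
    },
})

# Constructed yarn.lock (v1 syntax, simplified). The second entry is what the
# lockfile looks like once a registry copy has been pulled in instead of the
# local directory; the file: entry has no registry URL.
YARN_LOCK = '''
react-native@0.76.0:
  version "0.76.0"
  resolved "https://registry.yarnpkg.com/react-native/-/react-native-0.76.0.tgz#placeholder"

rtn-centered-text@0.0.1:
  version "0.0.1"
  resolved "https://registry.yarnpkg.com/rtn-centered-text/-/rtn-centered-text-0.0.1.tgz#placeholder"

"rtn-centered-text-fixed@file:../RTNCenteredText":
  version "0.0.1"
'''

LOCAL_PROTOCOLS = ("file:", "link:", "portal:", "workspace:")
REGISTRY_HOSTS = {"registry.yarnpkg.com", "registry.npmjs.org"}


def parse_yarn_lock(text):
    """Return {package_name: resolved_url_or_None} from a yarn v1 lockfile.

    Entry headers look like `name@range:` or `"name@range", "name@range2":`;
    the name is everything before the last '@', so scoped names keep theirs.
    """
    entries = {}
    current = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # header line with one or more specs
            current = []
            for spec in line.rstrip(":").split(","):
                spec = spec.strip().strip('"')
                name = spec[: spec.rfind("@")]
                current.append(name)
                entries.setdefault(name, None)
        else:                                  # indented field of the current entry
            m = re.match(r'\s+resolved\s+"([^"]+)"', line)
            if m:
                for name in current:
                    entries[name] = m.group(1)
    return entries


def find_confused_deps(package_json_text, yarn_lock_text, internal_names):
    """Flag internal packages that are declared or resolved as registry packages.

    internal_names: packages that must come from local development directories
    (the RTN* components in the docs example). Returns (name, reason) tuples.
    """
    deps = json.loads(package_json_text).get("dependencies", {})
    lock = parse_yarn_lock(yarn_lock_text)
    findings = []
    for name in internal_names:
        spec = deps.get(name)
        if spec is None:
            findings.append((name, "not declared in package.json"))
            continue
        if not spec.startswith(LOCAL_PROTOCOLS):
            findings.append((name, f"declared with registry range {spec!r}; use file:../<dir>"))
        resolved = lock.get(name)
        host = urlparse(resolved).hostname if resolved else None
        if host in REGISTRY_HOSTS:
            findings.append((name, f"lockfile resolved from {host}"))
    return findings


if __name__ == "__main__":
    internal = ["rtn-centered-text", "rtn-centered-text-fixed"]
    for name, reason in find_confused_deps(PACKAGE_JSON, YARN_LOCK, internal):
        print(f"{name}: {reason}")
```

Run against a real project, the lockfile check catches the case the article describes: the registry copy already pulled in by an earlier `yarn upgrade`, even after package.json has been corrected.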

  • Researchers found over 300,000 files of personally identifiable information
  • The files are attributed to AI chatbot startup WotNot
  • It took over two months for the information to be closed off after initial disclosure

A huge Google Cloud storage bucket containing 346,381 files, attributed to AI startup ‘WotNot’, has been found unprotected online, experts have warned.

The exposed files, found by researchers at CyberNews, contained a ‘treasure trove’ of personal information, including passports, medical records, and CVs, which of course include full names, contact information, and addresses.

The storage bucket was accessible to anyone without needing authorization, and was left open for over two months after initial disclosure notifications were sent.

The risk of outsourcing

WotNot provides AI chatbots to businesses, offering a ‘personalized experience’ which is ‘available 24/7, responds instantly, and totally reliable’. The startup boasts 3,000 customers, and offers its services to ‘any vertical’, like Insurance, Finance, Healthcare, SaaS, and Banking. High profile customers include the University of California, Chenening, and Amneal Pharmaceuticals.

Using third-party vendors for systems and resources is incredibly common, but businesses are left at risk if their vendors are compromised. AI services in particular are highly interconnected, so they are more likely to carry an uncontrolled flow of data, especially since customers are prompted to enter identifying information into the chatbots.

This incident, and the recent Blue Yonder ransomware attack, illustrate how important robust vetting and frequent cybersecurity assessments are when collaborating with third parties.

Data leaks containing personally identifiable information put both the customer and organization at risk.

“While WotNot’s scale may be modest, this leak presents a significant security and privacy threat and impact to affected individuals. The exposed personal documents provide threat actors a complete toolkit for identity theft, medical or job-related fraud, and various other scams,” Cybernews researchers said.

At the customer level, there is the risk of identity theft and social engineering attacks, since personal data can be used to design phishing attacks tailored to the individual, and identification documents can be used to take out loans or commit fraud.

  • Local media reported hackers broke into Uganda bank's IT system and wired out $16.8 million
  • Subsequent investigation uncovers a fraud scheme, with the "hacking" being a cover-up story
  • Part of the money was recovered

An organized criminal group seems to have stolen millions of dollars from Uganda’s central bank, and then made up a story about the bank being hacked, to cover up their tracks.

A report from local media publication The Monitor notes how news recently broke that a Southeast Asian threat actor called Waste had apparently broken into the bank’s IT infrastructure and used the access to wire roughly $16.8 million (62 billion Ugandan shillings) out of the country.

The country’s finance minister, Henry Musasizi, even told the country’s parliament that the reports were true, after which global news wire agencies and media, such as Reuters, picked the story up.

Organized crime

"It is true our accounts were hacked into but not to the extent of what is being reported. When this happened, we instituted an audit and at the same time, an investigation," Musasizi apparently initially told Uganda's parliament.

"To avoid misrepresentation of facts, I wish to indulge the House that we be patient that when the audit is finalised, which is now at the tail-end, I come and report."

However, newer reports are saying that the investigation uncovered a larger scheme, possibly including insiders.

Apparently, a group created fake expenditures regarding waste management activities in Uganda, and sent the money out in two batches. One batch, some $7 million, was sent to a bank account in the UK. It was subsequently frozen and is now considered recovered.

The other batch, $6 million, was sent to a bank in Japan, and has not been recovered because the fraudsters on the Japanese side “presented ‘solid and sufficient’ paperwork to prove that they undertook the said activities against which BoU effected payment of $6m.”

The masterminds of the scheme, according to a subsequent investigation conducted by a "renowned consultancy firm", are in the Ministry of Finance's Treasury department and Accountant General's office, "with possible involvement of Central Bank staff with top level clearance."

"The perpetrators then created a cover-up story of hacking of the Central Bank's IT infrastructure," the publication concludes.

  • Three Advantech access points carried 20 vulnerabilities due to shared firmware
  • Six of the flaws are critical, with a severity score of 9.8
  • They allow for remote code execution, denial of service, and more

Multiple Advantech access points have been found carrying almost two dozen vulnerabilities, some of which even enabled remote code execution (RCE) with root privileges, experts have warned.

A report from cybersecurity researchers at Nozomi Networks noted that the EKI-6333AC-2G, EKI-6333AC-2GD, and EKI-6333AC-1GPO access points had 20 vulnerabilities, due to shared firmware. Of those 20, six were deemed critical, with a severity score of 9.8.

The affected devices provide dual-band Wi-Fi connectivity for industrial applications, such as EV manufacturing, or automated protection lines. They ensure real-time communication for things like rail-guided vehicles (RGVs), and as such play a major role in an industrial setting.

Severe impact

The report outlines two ways crooks could exploit these flaws: either through LAN/WAN, or over-the-air. With the former, attackers can send malicious requests to the device, provided they have network access. With the latter, however, they only need to be close enough to leverage weaknesses in wireless protocols.

The impact can be quite severe, Nozomi further explained. Attackers could abuse the flaws to install backdoors and thus enable continuous access; they could cripple automation processes with denial-of-service (DoS) attacks; and they could use the access points for lateral movement throughout the target infrastructure, potentially deploying more malware or even ransomware.

"These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices," the researchers commented.

The flaws have since been fixed. For EKI-6333AC-2G and EKI-6333AC-2GD, make sure to patch to version 1.6.5, and for EKI-6333AC-1GPO, 1.2.2. Furthermore, researchers recommend users continuously monitor the devices and proactively manage any potential vulnerabilities, to safeguard their industrial IT infrastructure.

The full list of all the flaws, their CVEs, severity scores, and impact on vulnerable devices, can be found on this link.

Via The Hacker News

  • Most businesses expect their employees to do work on personal mobile devices, report finds
  • Employees are not expected to go through security courses
  • Many firms don't have guidelines for mobile device use

When it comes to mobile cybersecurity, most small and medium-sized enterprises (SMEs) are falling well short, a new report from CyberSmart has claimed.

The report found a significant majority (60%) of businesses expect their employees to use their personal mobile devices to carry out work tasks.

This is problematic for different reasons, but from a cybersecurity perspective, it’s problematic as businesses have no visibility into people’s personal devices, the apps they use, the websites they visit, or files they download, making securing the business network infinitely more difficult.

"Chronically underserviced"

To make matters even worse, employees are not being taught even the basics of cybersecurity, and no one is raising their awareness on the dangers lurking on the internet. In fact, almost two-thirds (60%) of staff members are not expected to carry out mobile security training, the report states.

“An organisation that allows employees to use personal mobile phones to carry out work without security training is massively increasing the chance of a security incident taking place across mobile devices,” CyberSmart noted.

Finally, many organizations (40%) have no guidelines whatsoever, on how their employees should (or should not) use their mobile devices.

“While these results are concerning, SMEs in the UK remain chronically underserviced by the cybersecurity industry,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart. “It is important to make the distinction that many of these organisations have limited resources and are already stretched thin making it difficult for them to invest in cybersecurity.”

Akhtar advises SMEs to “consistently focus” on cybersecurity training, IT policies, and fostering a more security-conscious culture, as that can result in a more secure workplace.

  • ESET researchers uncover 'Bootkitty', a first-of-its-kind UEFI bootkit for Linux
  • Bootkitty seems to be in early stages of development, but could pose a major risk
  • Linux users warned to be on their guard against possible attacks

UEFI bootkits are reportedly making their way into Linux, researchers from ESET have warned, after spotting a first-of-its-kind Linux UEFI bootkit, which seems to either be an experimental version, or a version in early development stages.

UEFI bootkits are sophisticated malware targeting the Unified Extensible Firmware Interface (UEFI), which is responsible for booting an operating system and initializing hardware. These bootkits compromise the firmware at a low level, meaning that reinstalling the operating system, or even replacing the hard drive, does not eliminate the malware’s presence. Even antivirus programs have difficulty spotting them.

They enable attackers to control the system from the earliest stages of boot, and are often used for espionage, surveillance, or launching other malicious payloads. By rooting themselves so deep in a system, UEFI bootkits are very hard to detect or remove.

Bootkitty

The variant ESET’s researchers found is called ‘Bootkitty’, and given its state, features, and operational level, they believe that it is still in early development stages.

Bootkitty relies on a self-signed certificate, which means it won’t run on systems with Secure Boot - therefore, it can only target some Ubuntu distributions.

Furthermore, the use of hardcoded byte patterns, and the fact that the best patterns for covering multiple kernel or GRUB versions were not used, mean that the bootkit cannot be widely distributed. Finally, Bootkitty comes with many unused functions, and does not have kernel-version checks, which often results in system crashes.

In any case, the finding marks an important moment in the development and destructive potential of UEFI bootkits.

While all evidence points to a piece of malware that can hardly do any meaningful damage, the fact remains that bootkits made their way to Linux. And with so many devices being powered by the OS, the attack surface is absolutely massive.

Via BleepingComputer

  • Security researchers from Check Point Research discover new malware loader written in Godot's programming language
  • Godot is a popular open source game development platform
  • At least 17,000 devices were infected with infostealers and cryptojackers so far

Hackers are abusing a popular gaming engine to infect people’s computers with malware used to steal private data and cryptocurrency.

Researchers from Check Point Research have detailed a previously undetected hacking technique targeting users of the Godot Gaming Engine, an open source game development platform used to build both 2D and 3D games across Windows, macOS, Linux, Android, iOS, HTML5, and others, with a community of more than 2,700 developers.

Check Point says since late June 2024, crooks have been building malicious code written in GDScript (Godot’s Python-like scripting language) calling on some 200 GitHub repositories and more than 220 Stargazer Ghost accounts, which were hosting a piece of malware called GodLoader.

Infostealers and cryptojackers

In typical malware loader fashion, GodLoader would drop different malware onto the infected devices, with the researchers spotting mostly RedLine stealer, and XMRig, a popular cryptojacker.

RedLine is an infamous infostealer capable of grabbing passwords, crypto wallet details, and other data stored in browsers, sensitive data, session cookies, and more. XMRig turns the infected device into a cryptocurrency miner, generating tokens for the attacker (while rendering the computer useless for pretty much anything else).

GodLoader, the researchers further explained, was downloaded at least 17,000 times, which is a rough estimate on the number of infected devices. However, the attack surface is much, much larger.

Check Point argues that in theory, crooks could hide malware in cheats, cracks, or mods for different Godot-built games. Looking at the number of popular games developed with Godot, that would put the attack surface at approximately 1.2 million people.

Since GodLoader is yet to be flagged by most antivirus programs, it is essential to remain vigilant at this time, and careful when dealing with Godot-related content.

  • Breach by SL Data Services has exposed 600,000 personal records
  • Records include full names, addresses, and financial information
  • The database was not password protected

A database belonging to SL Data Services containing hundreds of thousands of records has been discovered publicly exposed online, neither password-protected nor encrypted.

Over 640,000 PDF records (713.1GB) were discovered by cybersecurity researcher Jeremiah Fowler, who revealed they included vehicle records, court records, and property ownership reports. The documents were primarily labelled ‘background checks’, and included full names, addresses, email addresses, employment details, social media accounts, phone numbers, and criminal records.

It’s not clear how long the information was openly accessible, but the information was restricted one week after the responsible disclosure notice was sent. The database may belong to a third-party contractor, or be managed directly by SL Data Services.

Background check information

Since the vast majority of the exposed information was from background checks, there is a very real possibility that these were conducted without the knowledge or consent of the individual whose information was exposed.

This leaves many people vulnerable, especially to social engineering attacks, as criminals could easily leverage sensitive information to trick victims, using information about family members, financial information, or employment records.

With such extensive personally identifiable information exposed, there’s also a risk of identity theft, exposing victims to serious financial loss.

There’s no indication yet that criminals accessed the open database or collected any sensitive information, but now that the information has been restricted, researchers will likely monitor the dark web to see if any of the data is listed for sale.

This isn’t the first data breach this year from a background check company, as National Public Data suffered one of the biggest data breaches ever back in August 2024, and is now facing a class action lawsuit for failing to protect personal records.

  • VulnCheck found a bug being actively exploited in ProjectSend
  • Crooks are using it to create rogue accounts and deploy malware
  • Thousands of instances are at risk, experts warn

Researchers have warned hackers are taking advantage of a critical vulnerability in ProjectSend giving them access to servers and the ability to run arbitrary commands remotely.

ProjectSend is a free, open source file-sharing software businesses can use to securely upload, manage, and share files with clients, team members, or other designated users. It's commonly used by businesses, freelancers, and nonprofits that don’t want to rely on third-party services such as Dropbox.

Apparently, older versions, those predating May 16, 2023, carried a critical authentication bypass vulnerability, and since the bug was never assigned a CVE, and thus was never publicly disclosed, most users were unaware of its existence.

Multiple attackers

As a result, the vast majority of ProjectSend users - 99% of them - were operating an older, unpatched and vulnerable version. In total, there are apparently 4,000 public-facing instances, and just 1% are using a patched version.

Once VulnCheck, a cybersecurity platform that focuses on identifying and analyzing vulnerabilities, observed the bug being actively exploited in the wild, it was given the designation CVE-2024-11680. Crooks were using it to create new accounts under their control, plant webshells, and embed JavaScript code.

VulnCheck added the exploitation picked up pace in September 2024, when Metasploit and Nuclei both released public exploits for the flaw.

"VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings," the platform said. "These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic."

"Both exploit tools modify the victim's configuration file to alter the sitename (and therefore HTTP title) with a random value."

At this time, there is no information about the identity of the attackers, or their motives; however, it was said that the attempts came from at least 100 different IP addresses, meaning that numerous groups and individual hackers were taking advantage of the bug.

Via BleepingComputer
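VulnCheck's observation above, that exploited servers suddenly show long random-looking page titles, can be turned into a simple inventory check. The following Python is an added example of mine, not VulnCheck's tooling: it extracts the title from each server's current HTML, compares it with the title recorded at the last healthy check, and flags changes to a high-entropy alphanumeric token. The hostnames, baseline titles, HTML responses and thresholds are all constructed or assumed.

```python
import math
import re

# Constructed inventory rows: (host, title seen at last healthy check, HTML now).
# Hostnames are placeholders, not real ProjectSend deployments.
OBSERVED = [
    ("files.example-a.test", "ProjectSend",
     "<html><head><title>ProjectSend</title></head><body>ok</body></html>"),
    ("share.example-b.test", "ACME Client Portal",
     "<html><head><title>ACME Client Portal</title></head></html>"),
    ("docs.example-c.test", "Docs Exchange",
     "<html><head>\n<title>q8Zx1vK0mTr4LpWyH3nBcS7dGfJ2</title>\n</head></html>"),
    ("portal.example-d.test", "Welcome",
     "<html><head><title>Welcome</title></head></html>"),
]


def extract_title(html):
    """Pull the <title> text out of an HTML document (case-insensitive, multi-line)."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else ""


def shannon_entropy(s):
    """Bits per character; 28 distinct characters score log2(28), about 4.8."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(title, min_len=16, min_entropy=3.5):
    """Heuristic for the 'long, random-ish' sitename the public exploit tools write:
    one alphanumeric token, at least min_len characters, with high entropy.
    Both thresholds are assumed starting values, not calibrated figures."""
    t = title.strip()
    return (len(t) >= min_len
            and re.fullmatch(r"[A-Za-z0-9]+", t) is not None
            and shannon_entropy(t) >= min_entropy)


def flag_hosts(observed):
    """Return (host, baseline, current) for hosts whose title changed from the
    recorded baseline to a random-looking value; an unchanged or merely
    different human-readable title is not reported."""
    flagged = []
    for host, baseline, html in observed:
        current = extract_title(html)
        if current != baseline and looks_random(current):
            flagged.append((host, baseline, current))
    return flagged


if __name__ == "__main__":
    for host, before, after in flag_hosts(OBSERVED):
        print(f"{host}: title changed from {before!r} to {after!r}")
```

A hit is a reason to inspect the instance's configuration file and access logs, not proof of compromise, since a legitimate site with an unusual title can trip the heuristic.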

  • T-Mobile details how Salt Typhoon accessed its routers
  • It explained the hackers' methods and how they were spotted
  • T-Mobile's CSO stresses hackers didn't steal any data

T-Mobile has revealed the hackers who recently targeted its infrastructure were seen running commands on its routers, but stressed its defenses worked as intended and that no major damage was done.

The declaration follows recent news of an incident where Salt Typhoon, an infamous Chinese state-sponsored threat actor, breached T-Mobile's network in a cyber-espionage campaign on behalf of the country’s government.

The FBI also recently confirmed the group had successfully gained access to networks and private communications of members of the US government.

Working as intended

Now, T-Mobile’s Chief Security Officer, Jeff Simon, told Bloomberg the attackers were spotted while running commands, usually used in the reconnaissance stage of a cyberattack, on company routers. Some of the commands used matched indicators of compromise previously linked to Salt Typhoon, he added.

At the same time, Simon published a blog post in which he said the company’s defenses worked as intended, so Salt Typhoon was unable to cause any significant damage, or steal any sensitive customer or company information.

"Many reports claim these bad actors have gained access to some providers' customer information over an extended period of time – phone calls, text messages, and other sensitive information, particularly from government officials. This is not the case at T-Mobile," Simon said.

"Our defenses protected our sensitive customer information, prevented any disruption of our services, and stopped the attack from advancing. Bad actors had no access to sensitive customer data (including calls, voicemails, or texts).”

Simon also said that the attack originated from a wireline provider’s network that was connected to T-Mobile. "We quickly severed connectivity to the provider's network as we believe it was – and may still be – compromised."

After blocking the access, T-Mobile said it now sees no additional attacker activity, suggesting Salt Typhoon abandoned the initiative. In any case, the information was shared with government and industry partners.

  • NordLayer introduces Download Protection, a tool that scans files as they are downloaded
  • The tool was previously introduced to NordVPN
  • It comes at no additional cost, but currently only to Windows users

NordLayer has introduced a new feature called Download Protection in order to better protect its users from internet-borne threats.

NordLayer provides secure remote access, private gateways, and encrypted connections to enhance cybersecurity and support modern work environments. It is a sister company to NordVPN, one of the biggest and most popular VPN providers around today.

NordVPN introduced Download Protection as part of its Threat Protection Pro upgrade in early 2024, allowing users to scan files for malware during downloads, helping to prevent malicious content from infecting devices - and the same tool is now being added to NordLayer, as well.

Download Protection in NordLayer

“Download Protection, a reactive anti-malware solution with easy-to-understand single-toggle controls, is adopted from our sister company NordVPN where it has already been used and trusted by millions of users worldwide,” noted Evaldas Kasnauskas, product manager at NordLayer.

“By bringing this proven technology to NordLayer, we’re enhancing our customer’s defense against cyberattacks that spread and are executed through infected files as well as strengthening our Secure Web Gateway (SWG) offering.”

Download Protection is a simple tool - whichever files the user downloads, it will scan for potential malware.

NordLayer said it works at all times, even if a user is not connected to a VPN. It was also said the tool works in real time, removing infected files before they land on the computer, and “seamlessly integrates” with existing security measures. The functionality is enabled by a single click of a button, and comes at no additional cost to all NordLayer subscription tiers.

At the moment, the new feature is available to Windows app users, and is managed through the cloud-hosted NordLayer Control Panel. Other desktop platforms are soon to follow, it was concluded.

  • AI can be manipulated by differences in the alpha channel of images, experts warn
  • This can pose risks to medical diagnoses and autonomous driving
  • Image recognition needs to adapt for the possibility of this attack

While AI has the ability to analyze images, new research has revealed a significant oversight in modern image recognition platforms.

Researchers at the University of Texas at San Antonio (UTSA) have claimed the alpha channel, which controls image transparency, is frequently ignored, which could open the door to cyberattacks with potentially dangerous consequences for the medical and autonomous driving industries.

The UTSA research team, led by Assistant Professor Guenevere Chen, has developed a proprietary attack method named "AlphaDog" to exploit this overlooked vulnerability in AI systems. The alpha channel, a part of RGBA (red, green, blue, alpha) image data, controls the transparency of images and plays a crucial role in rendering composite images; ignoring it can cause a disconnect between how humans and AI systems perceive the same image.

Vulnerability for cars, medical imaging, and facial recognition

The AlphaDog attack is designed to target both human and AI systems, though in different ways. For humans, the manipulated images may appear relatively normal. However, when processed by AI systems, these images are interpreted differently, leading to incorrect conclusions or decisions.

The researchers generated 6,500 images and tested them across 100 AI models, including 80 open-source systems and 20 cloud-based AI platforms such as ChatGPT. Their tests revealed AlphaDog performs particularly well when targeting grayscale regions of images.

One of the most alarming findings of the study is the vulnerability of AI systems used in autonomous vehicles. Road signs, which often contain grayscale elements, can be manipulated using the AlphaDog technique so that AI systems misinterpret them, potentially leading to dangerous outcomes.

The research also highlights a critical issue in medical imaging, an area increasingly reliant on AI for diagnostics. X-rays, MRIs, and CT scans, which often contain grayscale images, can be manipulated using AlphaDog. In the wrong hands, this vulnerability could lead to misdiagnoses.

Another area of concern is the potential manipulation of facial recognition systems, raising the possibility of security systems being bypassed or the misidentification of individuals, opening the door to both privacy concerns and security risks.

The researchers are collaborating with major tech companies, including Google, Amazon, and Microsoft, to address the vulnerability in AI platforms. "AI is created by humans, and the people who wrote the code focused on RGB but left the alpha channel out. In other words, they wrote code for AI models to read image files without the alpha channel," said Chen.

"That's the vulnerability. The exclusion of the alpha channel in these platforms leads to data poisoning…AI is important. It's changing our world, and we have so many concerns," Chen added.

Via TechXplore
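Chen's point above, that pipelines read RGB and leave the alpha channel out, can be checked directly on an image before it reaches a model. The following is an added Python example of mine, not the UTSA team's AlphaDog code or any vendor's loader: it computes what a viewer would display (alpha composited over a background) versus what an alpha-unaware loader receives (raw RGB), scores the gap, and flattens the image before inference. The sample pixels, the white background and the threshold are constructed assumptions.

```python
# Pure-Python RGBA handling; a pixel is an (r, g, b, a) tuple with channels 0..255.

# Constructed 2x2 sample: the top row is opaque mid-gray, the bottom row is fully
# transparent but carries a black RGB payload. A viewer shows gray over white; a
# loader that discards alpha sees gray over black.
SAMPLE = [
    (128, 128, 128, 255), (128, 128, 128, 255),
    (0, 0, 0, 0),         (0, 0, 0, 0),
]
OPAQUE = [(128, 128, 128, 255)] * 4   # control image: alpha carries no information


def composite_over(rgba, background=(255, 255, 255)):
    """The human view: alpha-blend each pixel over an opaque background."""
    out = []
    for r, g, b, a in rgba:
        t = a / 255.0
        out.append(tuple(round(c * t + bg * (1.0 - t))
                         for c, bg in zip((r, g, b), background)))
    return out


def drop_alpha(rgba):
    """The alpha-unaware view: raw RGB with transparency discarded."""
    return [(r, g, b) for r, g, b, _ in rgba]


def alpha_divergence(rgba, background=(255, 255, 255)):
    """Mean absolute per-channel gap between the two views, on a 0..255 scale.

    0.0 for a fully opaque image; grows with the amount of content that only
    one of the two viewers would see.
    """
    human = composite_over(rgba, background)
    model = drop_alpha(rgba)
    total = sum(abs(h - m) for hp, mp in zip(human, model) for h, m in zip(hp, mp))
    return total / (3 * len(rgba))


def is_suspect(rgba, threshold=16.0, background=(255, 255, 255)):
    """Flag images whose alpha channel hides or reveals enough to change the content.
    The threshold is an assumed starting value, not a calibrated figure."""
    return alpha_divergence(rgba, background) > threshold


def prepare_for_model(rgba, background=(255, 255, 255)):
    """Mitigation: flatten transparency before inference so the model scores the
    same pixels a human reviewer would see, instead of the raw RGB payload."""
    return composite_over(rgba, background)


if __name__ == "__main__":
    print("divergence:", alpha_divergence(SAMPLE))   # 127.5 for the sample above
    print("suspect:", is_suspect(SAMPLE), "control:", is_suspect(OPAQUE))
```

The background used for flattening should match what the downstream viewer actually renders on; a pipeline that composites over white while reviewers look at images on black will still see a different picture.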
