News Heading - 1

CISA Adds Chinese Shopping App-Infected Android Zero-Day to KEV Catalog

  • Written by Ari Denial, Cybersecurity & Tech Writer

The Chinese e-commerce app Pinduoduo has been accused of exploiting a high-severity Android vulnerability as a zero-day to spy on its users, according to a warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, tracked as CVE-2023-20963, is an Android Framework security flaw that enables attackers to elevate privileges on unpatched Android devices without user interaction.

Google’s suspension of the Pinduoduo app coincides with increasing tensions between the US and China over security concerns. CISA has added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list, citing Lookout’s findings that the Chinese e-commerce app exploited the Android Framework security flaw in the wild to spy on users.

Lookout’s telemetry data suggests that many victims were located outside of China, including in the US.

The vulnerability allows attackers to escalate privileges without user interaction, enabling the malicious code to perform various actions such as installing apps, removing apps, and accessing private data from third-party apps.

The discovery of an Android exploit being used by a popular app like Pinduoduo for financial gain and competitive advantage is a worrying shift in the threat landscape, according to Justin Albrecht, a threat intelligence researcher at Lookout. He added that the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, among other things.

Meanwhile, Bud Broomhead, CEO at Viakoo, said Android phones are good places to plant bots and form a botnet army, and the vendor of Pinduoduo has not been proactive in alerting users about the vulnerability.

Ted Miracco, CEO of Approov, has raised concerns about the security of Android devices following the recent zero-day vulnerabilities discovered in them. Miracco said that while zero-day vulnerabilities are dangerous, both iOS and Android devices are vulnerable, and no operating system is immune to such security threats. Apple announced earlier this week that it had patched two zero-day vulnerabilities affecting iPhones, iPads, and Macs, which were added to CISA’s KEV catalog.

CISA has instructed federal agencies to patch the two actively exploited zero-day vulnerabilities affecting iPhones and Macs by May 1st.

News Heading - 2

Automated Data Theft: Vice Society’s Sophisticated PowerShell Exfiltrator

  • Written by Ari Denial, Cybersecurity & Tech Writer

Vice Society, a ransomware group, has introduced an advanced PowerShell script to automate the theft of data from compromised networks. The group typically steals valuable corporate and customer data and uses it to extort victims or sell it to other cybercriminals for profit.

The new data exfiltrator is fully automated and relies on “living off the land” binaries and scripts to avoid detection by security software, so that the group’s activity stays undetected until the final stage of the ransomware attack.

In early 2023, Palo Alto Networks Unit 42 discovered a new data theft tool used by the Vice Society ransomware gang. The tool was discovered during an incident response, where a file named “w1.ps1” was recovered from a victim’s network.

The script utilizes PowerShell to automate the exfiltration of data and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill(). These functions work together to identify potential directories for exfiltration, process groups of directories, and finally exfiltrate data via HTTP POST requests to Vice Society’s servers.

According to Unit 42’s report, the script does not require any arguments, leaving the responsibility of identifying files to copy out of the network to the script itself. The report also notes that the script ignores files that are less than 10 KB in size and those that do not have a file extension.

The use of “living off the land” binaries and scripts makes it difficult for security software to detect the script’s activities, keeping the gang’s operations covert until the final stage of the ransomware attack.

Vice Society’s new PowerShell script for automated data theft uses a master exclusion and inclusion list to determine which files to steal. It excludes files from common backup and system folders but targets folders whose names contain any of over 433 strings in multiple languages, including German and English.
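The traits described above (the four function names, a recursive directory walk, the 10 KB and no-extension filters, and upload via HTTP POST) are enough to build a triage heuristic for PowerShell script-block logs. The following is an added example written from the defender’s side; it is not code from the article, from Unit 42 or from Vice Society. It assumes script text is available as recorded by Windows Script Block Logging (Event ID 4104, ScriptBlockText) and that the POST is issued through Invoke-WebRequest, Invoke-RestMethod or a WebClient Upload call; those cmdlet names are assumptions, not details from the report. All sample records are constructed.

```python
"""Heuristic triage of PowerShell script-block logs for traits of the
Vice Society exfiltrator described in the article.

Added example, not code from the article, Unit 42 or the ransomware group.
Assumptions (not from the report): log records carry the script text as in
Event ID 4104 ScriptBlockText, and the upload uses Invoke-WebRequest,
Invoke-RestMethod or System.Net.WebClient.Upload*.  Sample records are
constructed for illustration.
"""
import re

# Function names the article attributes to w1.ps1.  Work/Show/fill are
# generic, so one match is weak evidence; several together is the signal.
KNOWN_FUNCTIONS = ("Work", "Show", "CreateJobLocal", "fill")
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)", re.IGNORECASE)

# Behavioural traits from the report, expressed as regexes over script text.
TRAITS = {
    # recursive directory walk to locate candidate folders
    "recursive_enum": re.compile(
        r"\b(Get-ChildItem|gci|dir|ls)\b[^\n]*-Recurse", re.IGNORECASE),
    # skips files smaller than 10 KB (10240 bytes or PowerShell's 10KB literal)
    "size_filter": re.compile(
        r"\.Length\s*-g[te]\s*(10240|10KB)\b", re.IGNORECASE),
    # skips files that have no extension ('' or "")
    "extension_filter": re.compile(
        r"\.Extension\s*-ne\s*(''|\"\")", re.IGNORECASE),
    # HTTP POST upload (cmdlet names are assumed, see module docstring)
    "http_post": re.compile(
        r"(Invoke-(WebRequest|RestMethod)[^\n]*-Method\s+['\"]?Post\b"
        r"|\.Upload(Data|File|String)\()", re.IGNORECASE),
}


def score_script(text: str) -> dict:
    """Return the traits present in one script block and a numeric score."""
    defined = {m.group(1) for m in FUNC_DEF.finditer(text)}
    known_hits = sorted(f for f in KNOWN_FUNCTIONS if f in defined)
    hits = {name: bool(rx.search(text)) for name, rx in TRAITS.items()}
    # Each behavioural trait counts 1; the function-name cluster counts 2
    # once at least two of the four names are defined in the same block.
    score = sum(hits.values()) + (2 if len(known_hits) >= 2 else 0)
    return {"known_functions": known_hits, "traits": hits, "score": score}


def triage(events, threshold: int = 3):
    """Return ids of records whose script text scores at or above threshold.

    With threshold 3 a lone recursive listing or a lone POST (both common in
    admin scripts) does not fire; it takes several traits together.
    """
    return [e["id"] for e in events
            if score_script(e["script_text"])["score"] >= threshold]


# Constructed sample records in the shape of Event ID 4104 ScriptBlockText.
SAMPLE_EVENTS = [
    {   # routine log cleanup: recursive listing only
        "id": "evt-1",
        "script_text": "Get-ChildItem C:\\Logs -Recurse | Where-Object "
                       "{ $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item",
    },
    {   # skeleton carrying the reported traits (function bodies left empty)
        "id": "evt-2",
        "script_text": (
            "function Work() { }\nfunction Show() { }\n"
            "function CreateJobLocal() { }\nfunction fill() { }\n"
            "$files = Get-ChildItem $root -Recurse | Where-Object "
            "{ $_.Length -gt 10KB -and $_.Extension -ne '' }\n"
            "Invoke-WebRequest -Uri $dst -Method Post -InFile $f"
        ),
    },
    {   # internal monitoring agent posting a heartbeat: POST only
        "id": "evt-3",
        "script_text": "Invoke-RestMethod -Uri $monitorUrl -Method Post -Body $status",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], score_script(ev["script_text"]))
    print("flagged:", triage(SAMPLE_EVENTS))
```

The weighting is deliberately conservative: the function names alone could be renamed by the operators, and each behavioural trait on its own appears in legitimate administration scripts, so only the combination crosses the threshold. In practice the same scoring can be fed from a SIEM query over 4104 events rather than the inline list.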

The use of sophisticated tools makes Vice Society a significant threat to organisations worldwide, making it challenging for defenders to stop their attacks.