Welcome back, readers old and new, to Mirus’s weekly cyber security blog, Threat Thursday!
In this week’s Threat Thursday, there are massive updates to Windows, Adobe and – unfortunately – the Anubis malware.
Jackal and Hide: Anubis Malware Evolves Behind the Scenes
A super-creepy new update is being developed for the Anubis banking trojan, one of the most prevalent malware families on the Android operating system.
Researchers at Hold Security have been closely examining developments in the Anubis Control Panel, software that gives threat actors access to almost anything on their victims’ devices. The latest development? It can now tell whether or not a victim is so much as looking at their phone. Utilising the retina-scanning software of certain smartphones, Anubis operators now have further chilling insight into their victims’ personal phone use.
It’s likely that this helps hackers stay covert, amending or accessing user details when they know the victim isn’t looking. It wouldn’t be the first such feature either; previous Anubis builds have been able to monitor a phone’s gyroscope, recognising when the phone is being picked up or otherwise moved. There are further details in Hold’s report, available here.
The prevalence of Anubis hasn’t been helped by the Google Play Store’s ongoing malware problem, which regularly sees malicious apps pulled from the store only after they have been used for nefarious purposes. Often disguised as seemingly harmless apps – such as camera or private messaging utilities – they continue to find their way onto the store. Anubis is the current hacker’s darling, which Hold Security’s founder Alex Holden sums up quite concisely in his analysis: “It’s huge,” says he.
Those Code Execution Vulnerabilities Just Won’t Cut WordPress Some Slack
A mere fortnight since we last reported on a critical WordPress vulnerability, another, of far greater scale, rears its ugly head.
SiteOrigin’s Page Builder plugin – which has an install base of over one million – is vulnerable to two critical flaws, both allowing attackers to “forge requests on behalf of a site administrator” and “execute malicious code in the administrator’s browser” – cross-site request forgery leading to cross-site scripting, in other words. The vulnerabilities were disclosed on the Wordfence website on Monday.
Thankfully, Wordfence contacted developer SiteOrigin and, within a day, a critical update was released to fix both vulnerabilities. If you rely on the Page Builder plugin, now’s the time to upgrade to version 2.10.16 to keep your site secure.
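To show what the two flaw classes named above look like in a plugin, here is an added, generic WordPress AJAX handler in its vulnerable and hardened forms. This is illustrative code written for this post, not SiteOrigin’s code, and the hook name, nonce action and capability are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration (not SiteOrigin's code): a WordPress wp_ajax_* handler
 * that is open to cross-site request forgery and reflects attacker-controlled
 * input back into the administrator's browser, beside a hardened version.
 * The hook name 'demo_preview', the nonce field 'security' and the
 * 'edit_posts' capability are assumptions for the example.
 */

// --- Vulnerable --------------------------------------------------------------
// wp_ajax_{action} fires for any logged-in user, and nothing here proves the
// request was sent deliberately from the plugin's own admin page. A request
// forged from another site an administrator is visiting runs with their
// session (CSRF), and the submitted value is echoed unescaped into the
// response, so markup in it executes in that administrator's browser (XSS).
add_action( 'wp_ajax_demo_preview', 'demo_preview_vulnerable' );
function demo_preview_vulnerable() {
    echo '<div class="preview">' . $_POST['title'] . '</div>'; // no nonce, no capability check, no escaping
    wp_die();
}

// --- Hardened ----------------------------------------------------------------
add_action( 'wp_ajax_demo_preview_safe', 'demo_preview_hardened' );
function demo_preview_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this user and this
    //    action. check_ajax_referer() ends the request with a 403 otherwise.
    check_ajax_referer( 'demo_preview', 'security' );

    // 2. Authorisation: being logged in is not enough; require the capability
    //    the action actually needs.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'insufficient privileges', 403 );
    }

    // 3. Input: undo WordPress's added slashes, then reduce to a plain string.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    // 4. Output: escape at the point of rendering, whatever arrived in the request.
    echo '<div class="preview">' . esc_html( $title ) . '</div>';
    wp_die();
}

// The nonce the hardened handler verifies is issued server-side and passed to
// the admin page's JavaScript (e.g. via wp_localize_script()); the client must
// POST it back in the 'security' field alongside 'title'.
function demo_preview_nonce() {
    return wp_create_nonce( 'demo_preview' );
}
```

The fix is three independent checks, and all three are needed: the nonce ties the request to a page the plugin itself served, the capability check stops a low-privilege account from reaching an admin-only action, and output escaping makes the response safe even when an earlier check is bypassed or a future change forgets one.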
And Now, The Boring Bit; Our Monthly Critical Update Report (with Special Guest, Cisco!)
Arguably the most boring part of any Threat Thursday (besides uploading it to HubSpot, as my manager often attests) is the monthly patch updates. While we covered Android’s latest in last week’s edition, there’s now an absolute whopper of a security update available for Windows, another for various Adobe products and, what the heck – let’s throw in Cisco’s new groove too. Look, we know they’re dull, but that doesn’t make them any less important.
If you’re a fan of the number one, then the latest patch from Microsoft, which fixes 111 vulnerabilities, is the monthly update for you! The latest updates cover a veritable smorgasbord of Microsoft products, fixing critical remote code execution vulnerabilities in Excel and SharePoint, as well as Edge, Power BI and the seemingly immortal Internet Explorer. 16 of these flaws, mostly relating to the Windows operating system itself, are rated critical, so it’s advised to get these updates installed as soon as possible across your devices.
Over at Adobe, the picture is remarkably similar: 16 critical cases, most of them remote code execution vulnerabilities, and 12 of them in Adobe Reader and its bedfellow, Acrobat. Not quite the colossal fix that Microsoft put out, then, but one with critical patches for two very common pieces of software.
Finally – while not a typical fixture – it’s worth mentioning the patches made to a number of Cisco network security products. These too have seen critical vulnerabilities entering the double digits, with 12 flaws relating to numerous threats, including memory leaks, denial of service and the usual data slurping. The most affected products are the Adaptive Security Appliance (ASA) and Firepower Threat Defence software, the former suffering the most critical of the newly discovered vulnerabilities: a directory traversal flaw allowing an attacker to view or delete arbitrary files. Cisco explains all in their recent patch notes, here.
Zoom’s New Fix for ‘Zoombombing’ Lets You Take Personal Meeting IDs Away Until People Learn to Use Them Properly
Previously, Zoom meetings were joinable with a single click, thanks to the handy-dandy Personal Meeting ID (PMI) feature. This was a 9- or 11-digit number, sent out (ideally) only to people you chatted with regularly, which allowed regular group members to join coordinated chats as and when they needed.
Sadly, with so many people sharing these details online and publicly, the craze of Zoombombing became prevalent among brash infiltrators, who could join these Zoom meetings uninvited and have a jolly good earwig of sensitive conversations. It brought a lot of bad press to Zoom who – while guilty of previous security oversights – weren’t entirely to blame for the occurrence. Forced password protection or 2FA would have been nice though, guys.
Now, though, Zoom allows meeting coordinators to disable PMIs altogether, which invalidates existing PMI links, just in case. While this does mean that previously scheduled meetings made with a PMI will no longer work, and that users will have to create new meetings using randomly generated IDs, it’s a step in the right direction and extra reassurance for those concerned over the security of their previous IDs. Zoom has more information over on their blog, here.
While Zoom’s security has come under intense scrutiny of late, developments like this, as well as their acquisition of networking and encryption specialists Keybase, demonstrate a genuine effort to improve their protective measures. With such a large install base, here’s hoping they can pull it all off.
And that’s all we’ve got time for this week.
Threat Thursdays in your inbox
Better yet, why not sign up for our weekly newsletter? Just pop your email address in the box on the right of this page and we’ll be sure to drop all the latest security news into your inbox every Thursday!