Security Newsletter

24 June 2019

Mozilla patches Firefox zero-day abused in the wild

The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. Samuel Groß, a security researcher with Google Project Zero security team, and the Coinbase Security team were credited with discovering the Firefox zero-day -- tracked as CVE-2019-11707.

Based on who reported the security flaw, we can safely assume the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß also said he did not have details about how the zero-day was used, and indicated that Coinbase Security may know more about the in-the-wild attacks.

Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser.

 

Android Malware Bypasses 2FA by Stealing One-Time Passwords

Researchers monitoring malware that affects Android devices discovered malicious apps that can steal one-time passwords (OTP) from the notification system. This development bypasses Google's ban on apps that access SMS and call logs without justification. Google enforced the restriction earlier this year specifically to lower the risk of sensitive permissions where they are not necessary. Cybercriminals found a way around this limitation and instead tap into the notifications to obtain the sensitive information. This method also opens up the door to getting short-lived access codes that are delivered via email.

Multiple malicious apps impersonating the Turkish cryptocurrency exchange BtcTurk were uploaded to Google Play between June 7 and June 13.Their purpose was to steal the login credentials to the service, and most likely try them with other services where 2FA protection against unauthorized access may be available.

One drawback to this technique, Stefanko points out, is that it can steal only the text that fits in the notification. Anything outside it remains hidden to the attacker. While this may not always include the one-time access code, a hacker would be successful in most cases. It appears that this technique is actively tried on Turkish cryptocurrency users, as another app was discovered last week operating in the same way.

 

More #News

 

#Patch Time!

 

#Tech and #Tools

Kindred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us:

• You like to break things, then explain how to fix it? Be part of our Cyber Security team
• You prefer the blue team side? Check out our Security analyst position
• Interested in Governance, Risk and Compliance? Apply for our Information Security Specialist role

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.