- Warnings: Millions of Xiaomi phones vulnerable to remote hacking
Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets. The vulnerability, now patched, exists in MIUI – Xiaomi’s own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2, which is based on Android 6.0. The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them. Researchers found that some apps in MIUI carry an analytics package that can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack. Researchers say they discovered vulnerable analytics packages in at least four default apps provided by Xiaomi in its MIUI distributions, one of those apps being the default browser app.
Cyber Security Tips: Users are strongly recommended to update their firmware to version 7.2 as soon as possible.
- Google notifies users of 4,000 state-sponsored cyber-attacks per month
A senior executive of Alphabet’s Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber-attacks per month. Speaking at a Fortune magazine tech conference in Aspen, Colorado, Google senior vice president and Alphabet board member Diane Greene mentioned the figure while touting Google’s security prowess. The internet search leader, which develops the Android mobile system and also offers email and a range of other applications for consumers, has led the way in notifying users of government spying. Others, including Microsoft, have since followed suit. Google had previously said that it had been issuing tens of thousands of warnings every few months and that customers often upgraded their security in response.
- Researchers Found a Hacking Tool that Targets Energy Grids on the Dark Web
A sophisticated piece of government-made malware, designed to do reconnaissance on energy grid systems ahead of an eventual cyber-attack on critical infrastructure, was found on a dark web hacking forum. The malware contains about 280 kilobytes of densely packed code that, like a ninja warrior, cleverly and stealthily evades a large number of security defenses. It looks for and avoids a long list of computer names belonging to sandboxes and honeypots. It painstakingly dismantles antivirus products one process at a time until it’s finally safe to uninstall them. It takes special care when running inside organizations that use facial recognition, fingerprint scanners, and other advanced access control systems. And it locks away key parts of its code in encrypted vaults to prevent it from being discovered and analyzed. Once the malware has gained administrative control of a computer, it uses its lofty perch to survey the connected network, report its findings to its operators, and await further instructions. From then on, attackers have a network backdoor that allows them to install other types of malware, either for more detailed espionage or potentially sabotage.
Cyber Security Tips: Energy grids need to improve their cyber security by using security products such as firewalls, IDS, monitoring tools, and strong authentication.
- Twitter will now support large GIFs up to 15MB in size
Micro-blogging website Twitter has increased its animated GIF (graphics interchange format) size limit from 5MB to 15MB if uploaded on the web from a desktop, a media report said on Tuesday. However, the 5MB photo limit stays the same, along with the GIF limit, for mobile uploads on Twitter.