Zero-click Zoom flaw now patched

Plus, a VPN being used for malware distribution and Pegasus spyware being used by Israel Police

Natalie Silvanovich of Google’s Project Zero bug-hunting team found and reported two zero-click vulnerabilities in video conferencing platform Zoom. Both flaws opened the door to attackers taking control of a victim’s devices and servers without the victim having to do anything. “Many people believe they are protected simply because they are cautious in the use of their devices,” commented Avast Security Evangelist Luis Corrons.This is the best example to show that anyone can be compromised without interaction from the user side. This is why it is so critical to update all our apps to make sure any known security hole is patched.” To exploit the Zoom flaws, an attacker would have had to target Zoom accounts that are connected through Zoom Contacts. After contacting the company, Silvanovich said Zoom was very responsive and supportive of her work. Zoom fixed the flaws and released a security update for its customers on November 24. For more on this story, see WIRED

Europol takes down VPNLab.net for cybercrime

A joint effort among 10 countries and Europol has taken down VPNLab.net for aiding and abetting cybercriminals on an international scale. According to a Europol press release, the virtual private network service was “being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.” In a coordinated manner, law enforcement authorities from all participating countries seized and disrupted the 15 servers around the world that hosted the VPN’s service. Visitors to VPNLab’s website are currently greeted with a notice that reads in part, “Law enforcement has now gained access to VPNLab.net servers and seized the customer data stored within. The investigation regarding customer data of this network will continue.”

Apple & Google oppose antitrust legislation

As the U.S. House Judiciary Committee reviews legislation aimed at loosening Big Tech’s grip on consumers, Apple and Google are loudly stating their objections to the bills while smaller companies and startups are voicing their support. The American Innovation and Choice Online Act would prevent Big Tech from favoring their own services over others, and the Open App Markets Act would allow for more competition on app stores. Apple and Google complained that the new legislation would force them to compromise security and quality, while smaller companies claim they will finally be able to compete on their own merits if Big Tech’s “gatekeeper” status is loosened. For more, see The Verge

Report: Israel Police uses Pegasus spyware on citizens

According to an exclusive report by Israeli business newspaper Calcalist, Israel Police use NSO Group’s Pegasus spyware to remotely hack citizens’ phones. Calcalist says that those who have had their phones hacked include mayors, former government employees, a person close to a senior politician, and leaders of political protests against former Prime Minister Benjamin Netanyahu. Calcalist also claims that the hacking was done without warrants or any court supervision. Israel Police rejected the hacking claims as untrue, but it did not deny using Pegasus as a tool.

Lazarus stole nearly $400M in cryptocurrency in 2021

North Korean cyber group Lazarus stole $395 million in crypto coins last year, which was a full $100 million more than its previous year’s take, according to an investigation by blockchain analysis firm Chainalysis. The values of cryptocurrency have risen considerably over the last year, with Bitcoin rising 60% and Ethereum rising 80%. Most of the stolen funds were Ethereum, with Bitcoin representing about a fifth. Chainalysis says Lazarus stole the crypto over the course of seven hacks into cryptocurrency exchanges and investment firms in 2021. Over the past five years, North Korean hackers have made $1.5 billion in cryptocurrency thefts alone. For more, see Ars Technica

This week’s ‘must-read’ on The Avast Blog

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. 

--> -->