Skip to content

Beware! Two new WhatsApp bugs expose you to a man-in-the-middle attack

Android users have new reasons to worry… again. About a week ago, we provided information about the FlixOnline application which operators were able to successfully bypass the application authentication system in the Google Play Store. This time we report two serious bugs found in WhatsApp. They enable the so-called ‘man-in-the-disk’ attack. What is it exactly? Attackers are able to manipulate the data exchanged between the application and external memory. Details can be found below.


New WhatsApp bugs could’ve let attackers remotely hack your phone

Recently two security vulnerabilities have been spotted in WhatsApp for Android. They could have been exploited to execute malicious code remotely on the device and even exfiltrate sensitive information.

The flaws take aim at devices running Android versions up to Android 9 (including) by carrying out “man-in-the-disk” attack. It makes it possible for adversaries to compromise an app by manipulating certain data being exchanged between it and the external storage. 

The flaw (CVE-2021-24027) leverages Chrome’s support for content providers in Android (via the “content://” URL scheme) and a same-origin policy bypass in the browser (CVE-2020-6516), thereby allowing an attacker to send a specially-crafted HTML file to a victim over WhatsApp, which, when opened on the browser, executes the code contained in the HTML file.

All an attacker has to do is lure the victim into opening an HTML document attachment. Then WhatsApp will render this attachment in Chrome, over a content provider, and the attacker’s Javascript code will be able to steal the stored TLS session keys.

WhatsApp bugs – a mean to an end

Armed with the keys, a bad actor can then stage a man-in-the-middle attack to achieve remote code execution or even exfiltrate the Noise protocol key pairs.

Worse, the malicious code can be used to access any resource stored in the unprotected external storage area and expose sensitive information to any app that’s provisioned to read or write from the external storage.

WhatsApp users are recommended to update to version to mitigate the risk associated with the flaws.


Hijacked Microsoft Exchange used to host cryptominer

Cryptojacking can be added to the list of threats that face any unpatched Exchange servers that remain vulnerable to the ProxyLogon exploit. More than 92 percent of affected MS Exchange servers were patched- but the damage had already been done.

Researchers at Sophos report an unknown attacker is attempting to use a compromised Microsoft Exchange Server to deliver a malicious Monero cryptominer onto other vulnerable Microsoft Exchange Servers. Because the cryptominer is hosted on a compromised Exchange Server, it may be easier for the attacker to deliver the payload to other vulnerable targets as firewalls are less likely to block traffic between Exchange Servers.

The executables file associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA).

The ‘unusual attack’

The attack begins with a PowerShell command to retrieve a file named from another compromised server’s Outlook Web Access logon path (/owa/auth). The .zip file is not a compressed archive at all but a batch script that then invokes the built-into-Windows certutil.exe program to download two additional files, and, which also are not compressed.

The batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there.


SMASH, the newest Rowhammer attack is a threat to your DDR4 memory card

Rowhammer is an umbrella term that refers to a class of exploits that leverage a hardware design quirk in DDR4 systems. SMASH is its newest variant that triggers a malicious JavaScript condition on the latest DDR4 RAM cards despite mitigations implemented by manufacturers for about 5 years.

RAM cards design

Memory RAM cards save data inside what’s called memory cells (each consisting of a capacitor and a transistor) that are arranged in the form of a matrix. But the memory cells tend to lose their state over time and therefore require a periodic reading and rewriting of each cell in order to restore the charge on the capacitor to its original level.

To hell with old mitigations…

To bypass TRR mitigations, SMASH carefully schedules cache hits and failures to activate the multifaceted Rowhammer bit. Then SMASH allows threat actors an arbitrary read/write primitive in the browser:

The exploit chain is initiated when a victim visits a malicious website under the adversary’s control or a legitimate website that contains a malicious ad, taking advantage of the Rowhammer bit flips triggered from within the JavaScript sandbox to gain control over the victim’s browser.


SolarMarker hackers flood the web with 100K sites offering malicious PDFs

Cybercriminals are resorting to search engine poisoning techniques to lure business professionals into seemingly legitimate Google sites that install a Remote Access Trojan (RAT) capable of carrying out a wide range of attacks.

The attack starts by leveraging searches for business forms such as invoices, templates, questionnaires, and receipts as a stepping stone toward infiltrating their systems. Once the user attempts to download the alleged document template is redirected, without knowledge, to a malicious website that hosts the RAT.

According to eSentire researchers, once the RAT gets activated on the victim’s computer, attackers can send commands and upload additional malware, like ransomware, a credential stealer, a banking trojan, or simply use the RAT called SolarMarker (aka Yellow Cockatoo, Jupyter, and Polazert).as a foothold into the victim’s network.

The firm said it discovered over 100,000 unique web pages that contain popular business terms or keywords such as template, invoice, questionnaire, resume, and receipt. What is even more troubling aspect of this campaign is that SolarMarker group uses SEO techniques to populate many of their malicious pages and allow them to be ranked higher on the search results what increase the likelihood of success. 

If you are looking for any financial documents templates, better use only official, well-known websites.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Xopero
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create more accessible and affordable secure data protection solution for any businesses. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance, In 2017, Xopero fully extended into global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.