#FactCheck - "Deep fake video falsely circulated as of a Syrian prisoner who saw sunlight for the first time in 13 years”

Introduction

Advanced deepfake technology blurs the line between authentic and fake. To ascertain the credibility of the content it has become important to differentiate between genuine and manipulated or curated online content highly shared on social media platforms. AI-generated fake voice clone, videos are proliferating on the Internet and social media. There is the use of sophisticated AI algorithms that help manipulate or generate synthetic multimedia content such as audio, video and images. As a result, it has become increasingly difficult to differentiate between genuine, altered, or fake multimedia content. McAfee Corp., a well-known or popular global leader in online protection, has recently launched an AI-powered deepfake audio detection technology under Project “Mockingbird” intending to safeguard consumers against the surging threat of fabricated or AI-generated audio or voice clones to dupe people for money or unauthorisly obtaining their personal information. McAfee Corp. announced its AI-powered deepfake audio detection technology, known as Project Mockingbird, at the Consumer Electronics Show, 2024.

What is voice cloning?

To create a voice clone of anyone's, audio can be deeplyfaked, too, which closely resembles a real voice but, in actuality, is a fake voice created through deepfake technology. 

Emerging Threats: Cybercriminal Exploitation of Artificial Intelligence in Identity Fraud, Voice Cloning, and Hacking Acceleration

AI is used for all kinds of things from smart tech to robotics and gaming. Cybercriminals are misusing artificial intelligence for rather nefarious reasons including voice cloning to commit cyber fraud activities. Artificial intelligence can be used to manipulate the lips of an individual so it looks like they're saying something different, it could also be used for identity fraud to make it possible to impersonate someone for a remote verification for your bank and it also makes traditional hacking more convenient. Cybercriminals have been misusing advanced technologies such as artificial intelligence, which has led to an increase in the speed and volume of cyber attacks, and that's been the theme in recent times.

Technical Analysis

To combat Audio cloning fraudulent activities, McAfee Labs has developed a robust AI model that precisely detects artificially generated audio used in videos or otherwise.

• Context-Based Recognition: Contextual assessment is used by technological devices to examine audio components in the overall setting of an audio. It improves the model's capacity to recognise discrepancies suggestive of artificial intelligence-generated audio by evaluating its surroundings information.
• Conductual Examination: Psychological detection techniques examine linguistic habits and subtleties, concentrating on departures from typical individual behaviour. Examining speech patterns, tempo, and pronunciation enables the model to identify artificially or synthetically produced material.
• Classification Models: Auditory components are categorised by categorisation algorithms for detection according to established traits of human communication. The technology differentiates between real and artificial intelligence-synthesized voices by comparing them against an extensive library of legitimate human speech features.
• Accuracy Outcomes: McAfee Labs' deepfake voice recognition solution, which boasts an impressive ninety per cent success rate, is based on a combined approach incorporating psychological, context-specific, and categorised identification models. Through examining audio components in the larger video context and examining speech characteristics, such as intonation, rhythm, and pronunciation, the system can identify discrepancies that could be signs of artificial intelligence-produced audio. Categorical models make an additional contribution by classifying audio information according to characteristics of known human speech. This all-encompassing strategy is essential for precisely recognising and reducing the risks connected to AI-generated audio data, offering a strong barrier against the growing danger of deepfake situations.
• Application Instances: The technique protects against various harmful programs, such as celebrity voice-cloning fraud and misleading content about important subjects.

Conclusion

It is important to foster ethical and responsible consumption of technology. Awareness of common uses of artificial intelligence is a first step toward broader public engagement with debates about the appropriate role and boundaries for AI. Project Mockingbird by Macafee employs AI-driven deepfake audio detection to safeguard against cyber criminals who are using fabricated AI-generated audio for scams and manipulating the public image of notable figures, protecting consumers from financial and personal information risks. 

References:

• https://www.cnbctv18.com/technology/mcafee-deepfake-audio-detection-technology-against-rise-in-ai-generated-misinformation-18740471.htm
• https://www.thehindubusinessline.com/info-tech/mcafee-unveils-advanced-deepfake-audio-detection-technology/article67718951.ece
• https://lifestyle.livemint.com/smart-living/innovation/ces-2024-mcafee-ai-technology-audio-project-mockingbird-111704714835601.html
• https://news.abplive.com/fact-check/audio-deepfakes-adding-to-cacophony-of-online-misinformation-abpp-1654724

Introduction:

With improved capabilities and evasion strategies, the Vultur banking Trojan has reappeared and is a serious danger to Android users. The virus now employs numerous encrypted payloads, encrypted communication, and poses as legitimate apps. It is transmitted by trojanized dropper programs on the Google Play Store. Vultur targets victims via phone calls and SMS messages. With the help of this updated version of Vultur, attackers may take total control of compromised devices. They can perform a variety of remote control operations like install, remove, upload, and download files, halt the execution of programs, and circumvent the lock screen. The virus is now far more hazardous than it was previously because of its improved capacity to remotely access and manipulate machines.

Overview: 

The Android banking malware Vultur is well-known for its ability to record screens. It was first identified by ThreatFabric in March 2021 and targets banking apps for remote control and keylogging.

The malicious apps were hosted on the Google Play Store by the Brunhilda dropper-framework, which was used for its distribution. Initial versions of the program used reputable remote access tools such as ngrok and AlphaVNC.

Hybrid attacks have been used in recent operations to disseminate the Brunhilda dropper via phone calls and SMS. The dropper uses a number of payloads to distribute an upgraded version of Vultur.

41 new Firebase Cloud Messaging (FCM) commands and seven new Command-and-Control (C2) methods are included in the most recent version of Vultur. 

With the help of Android's Accessibility Services, these enhancements concentrate on remote access functionality that improves the malware's capacity to communicate with the victim's screen.

Modus operandi of Attack:

Hybrid Attack Method:

• Utilizes a phone call, two SMS messages, and trick users into installing malware.

• First SMS tricks victims into calling a certain number by claiming to have made significant, unlawful transactions, which gives the impression of urgency.

• Although there was no transaction in reality, the urgency motivates victims to act quickly.

Trozonized MacAfee App:

• The victims are told to install a trojanized version of the McAfee Security program from a given link during the phone call.

• This app looks harmless and has features similar to the original McAfee Security app, but it's actually the Brunhilda dropper.

• The victims are misled into assuming that the security software they are installing is authentic.

Execution of Vultur Payloads:

• Three payloads connected to Vultur are decrypted and executed via the Brunhilda dropper.

• Threat actors can carry out a variety of malicious operations, including keylogging and screen recording, on the victim's mobile device thanks to these payloads, which grant them total access over it.

• The infected device of the victim allows the threat actors to launch additional assaults or obtain private data.

Indication of the attack:

The symptoms of a Vultur banking Trojan infection include:

• Remote Access: This malware gives the hacker the ability to remotely use the infected device via clicking, scrolling, and swiping through Android's accessibility services.

• File Management: Through this, the malware is able to copy, share, remove, create, and locate files from devices it has infected.

• App Blocking: For instance; the malicious software can be programmed to stop the victims from opening a certain bunch of apps.

• Custom Notifications: Attackers can embed the malware with the functionality of displaying the customized notifications in the taskbar.

• Keyguard Disabling: The malware may be designed to turn off Screen Lock Guard feature so the lock screen security measure can be easily bypassed.

• Encrypted C2 Communication: The malware chooses AES data encryption, with Base64 text encoding to provide hidden traces for C2 communication.

• Payload Decryption: The malware uses native code, mostly written in C as well as C++, to decode the goods, thus, making a process of reversing more complicated.

• Spying on Financial Apps: The malware uses screen-streaming and keylogging as ways of acquiring facts about the victim’s mobile banking applications.

Indicator of Compromise:

File hash (SHA-256)

• edef007f1ca60fdf75a7d5c5ffe09f1fc3fb560153633ec18c5ddb46cc75ea21
• 89625cf2caed9028b41121c4589d9e35fa7981a2381aa293d4979b36cf5c8ff2
• 1fc81b03703d64339d1417a079720bf0480fece3d017c303d88d18c70c7aabc3
• 4fed4a42aadea8b3e937856318f9fbd056e2f46c19a6316df0660921dd5ba6c5
• 001fd4af41df8883957c515703e9b6b08e36fde3fd1d127b283ee75a32d575fc
• fc8c69bddd40a24d6d28fbf0c0d43a1a57067b19e6c3cc07e2664ef4879c221b
• 7337a79d832a57531b20b09c2fc17b4257a6d4e93fcaeb961eb7c6a95b071a06
• 7f1a344d8141e75c69a3c5cf61197f1d4b5038053fd777a68589ecdb29168e0c
• 26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400
• 2a97ed20f1ae2ea5ef2b162d61279b2f9b68eba7cf27920e2a82a115fd68e31f
• c0f3cb3d837d39aa3abccada0b4ecdb840621a8539519c104b27e2a646d7d50d
• 92af567452ecd02e48a2ebc762a318ce526ab28e192e89407cac9df3c317e78d
• fa6111216966a98561a2af9e4ac97db036bcd551635be5b230995faad40b7607
• dc4f24f07d99e4e34d1f50de0535f88ea52cc62bfb520452bdd730b94d6d8c0e
• 627529bb010b98511cfa1ad1aaa08760b158f4733e2bbccfd54050838c7b7fa3
• f5ce27a49eaf59292f11af07851383e7d721a4d60019f3aceb8ca914259056af
• 5d86c9afd1d33e4affa9ba61225aded26ecaeb01755eeb861bb4db9bbb39191c
• 5724589c46f3e469dc9f048e1e2601b8d7d1bafcc54e3d9460bc0adeeada022d
• 7f1a344d8141e75c69a3c5cf61197f1d4b5038053fd777a68589ecdb29168e0c
• fd3b36455e58ba3531e8cce0326cce782723cc5d1cc0998b775e07e6c2622160
• 819044d01e8726a47fc5970efc80ceddea0ac9bf7c1c5d08b293f0ae571369a9
• 0f2f8adce0f1e1971cba5851e383846b68e5504679d916d7dad10133cc965851
• fb1e68ee3509993d0fe767b0372752d2fec8f5b0bf03d5c10a30b042a830ae1a
• d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
• f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2
• 7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74
• c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0

Command and Control Servers

• safetyfactor[.]online
• cloudmiracle[.]store
• flandria171[.]appspot[.]com (FCM)
• newyan-1e09d[.]appspot[.]com (FCM)

Droppers distribution URL’s

• mcafee[.]960232[.]com
• mcafee[.]353934[.]com
• mcafee[.]908713[.]com
• mcafee[.]784503[.]com
• mcafee[.]053105[.]com
• mcafee[.]092877[.]com
• mcafee[.]582630[.]com
• mcafee[.]581574[.]com
• mcafee[.]582342[.]com
• mcafee[.]593942[.]com
• mcafee[.]930204[.]com

Steps to be taken when your device is compromised?.

• Change the password: Vultur revealed multiple cases where threat actors can gain access to your financial and private information. To safeguard your account, reset passwords on other devices and create secure, unique passwords during the time. Instead of simply storing your password, a reputed password manager is the most secure way of storing information.

• Keep an eye on your transactions and accounts: It is advised that you regularly monitor your online accounts for any unusual or illegal activity. Keep a watch out for any irregularities, and report anything suspicious to the provider or authorities straight immediately.. Also check your credit reports and scores attentively to make sure that your identity or cards are not compromised.

• Make sure you are using identity theft protection: Many pieces of information about your identity are stored in an Android device. Cyber criminals can easily get hold of this data and make major damage to you, including stealing your money and identity. For your own protection, some of the identity theft protection services that monitor all your personal information and notify you on any unusual activity and, as well, helps you to freeze your accounts would be beneficial.

• Immediately get in touch with your banks and credit card companies: Your personal information such as credit card or bank details is of high risk to be exposed to hackers who could use them to make transactions without you knowing. You should inform your credit card and the lending bank about the situation as soon as possible. They would help you if your cards were used for fraudulent charges and your card be either frozen or canceled. Besides, they can get new cards issued.

• Make your contacts alert regarding the fraud you faced: Threat actors may access your social media or email accounts to send phishing messages or spam to people in your contact list, if they gain access to them. Moreover, they may masquerade as you and try to extort cash from you or disclose your personal information. Distributing a message to your contacts stating that they shouldn’t open or reply to any messages that look like they are not from you and look very strange or suspicious, will be a great idea.

• Make a backup and wipe all your device content in factory settings: You can always factory reset your device to ensure it is free of viruses and spyware. In other words, it will refresh Android and leave behind all your data and settings. Back up all the critical data prior to processing it and assure that everything is restored from a trustworthy source only.

Preventive measures to be taken:

• Avoid calling back to the hacker: If a hacker texts you claiming to have approved a sizable bank transaction, refrain from picking up the phone. You can always check by making a call to your own financial intuition. However, never pick up on an unknown number that someone else sends you.

• Avoid sideloading apps and shortened URLs: Try to avoid sideloading apps. That's the moment when you install apps from unofficial sources. Users may be tricked into downloading malware using short URLs.

• Be careful granting permissions: Be cautious when allowing permissions for apps. Think about whether an app really needs access to specific data or device functions.

• Limit the apps you have on your phone: On your phone, having plenty of apps might sometimes make it easier to become infected with malware. Over time, these apps may allow harmful code to enter your system, and the more programs you have to update and monitor, the greater the risk to your Android device. This is how to remove pointless apps from your Android device.

• Download apps from reputable sources: Additionally, make sure the programs you download are from reputable and authorized developers. Do your homework and read reviews before you install.

• Keep your Android device updated: With the help of software and security upgrades, your phone can automatically maintain security. Remember to install them.

• Have good antivirus software on all your devices: The best defense against malware on all of your devices is to install antivirus software. By blocking you from clicking on potentially dangerous links, antivirus software can keep malware off your devices and keep hackers from accessing your personal data.

Conclusion:

Vultur is a terrifying banking Trojan with a great deal of sophistication. It's unsettling that hackers can take complete control of your Android device, which emphasizes how crucial it is that you take precautions. It all starts with a text message in these attacks. You must take the time to independently contact your banking institution to check whether there are any issues. You may prevent having your entire device compromised and your personal information exposed by simply investing an additional few minutes.

Reference:

• https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
• https://www.threatfabric.com/blogs/vultur-v-for-vnc\
• https://www.tomsguide.com/computing/malware-adware/this-nasty-android-banking-trojan-lets-hackers-completely-hijack-your-phone-how-to-stay-safe
• https://thehackernews.com/2024/04/vultur-android-banking-trojan-returns.html?m=1
• https://www.smallbiztechnology.com/archive/2024/04/vultur-trojan-heightens-android-app-security-risks.html/
• https://securityaffairs.com/161320/malware/vultur-banking-trojan-android.html
• https://www.malwarebytes.com/blog/detections/android-trojan-spy-vultur
• https://www.scmagazine.com/brief/updated-vultur-android-banking-trojan-emerges
• https://innovatecybersecurity.com/security-threat-advisory/windows-server-updates-blamed-for-domain-controller-crashes-kb5035855-and-kb5035857/

‍

Executive Summary:

Apple has quickly responded to two severe zero-day threats, CVE-2024-44308 and CVE-2024-44309 in iOS, macOS, visionOS, and Safari. These defects, actively used in more focused attacks presumably by state actors, allow for code execution and cross-site scripting (XSS). In a report shared by Google’s Threat Analysis Group, the existing gaps prove that modern attacks are highly developed. Apple’s mitigation comprises memory management, especially state management to strengthen device security. Users are encouraged to update their devices as soon as possible, turn on automatic updates and be careful in the internet space to avoid these new threats.

Introduction

Apple has proved its devotion to the security issue releasing the updates fixing two zero-day bugs actively exploited by hackers. The bugs, with the IDs CVE-2024-44308 and CVE-2024-44309, are dangerous and can lead to code execution and cross-site scripting attacks. The vulnerabilities have been employed in attack and the significance of quick patch release for the safety of the users.

Vulnerabilities in Detail

The discovery of vulnerabilities (CVE-2024-44308, CVE-2024-44309) is credited to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG). These vulnerabilities were found in JavaScriptCore and WebKit, integral components of Apple’s web rendering framework. The details of these vulnerabilities are mentioned below:

CVE-2024-44308

• Severity: High (CVSS score: 8.8)
• Description: A flaw in the JavaScriptCore component of WebKit. Malicious web content could cause code to be executed on the target system and make the system vulnerable to the full control of the attacker.
• Technical Finding: This vulnerability involves bad handling of memory in the course of executing JavaScript, allowing the use of injected payloads remotely by the attackers.

CVE-2024-44309

• Severity: Moderate (CVSS score: 6.1)
• Description: A cookie management flaw in WebKit which might result in cross site scripting (XSS). This vulnerability enables the attackers to embed unauthorized scripts into genuine websites and endanger the privacy of users as well as their identities.
• Technical Finding: This issue arises because of wrong handling of cookies at the state level while processing the maliciously crafted web content and provides an unauthorized route to session data.

Affected Systems

These vulnerabilities impact a wide range of Apple devices and software versions:

• iOS 18.1.1 and iPadOS 18.1.1: For devices including iPhone XS and later, iPad Pro (13-inch), and iPad mini 5th generation onwards.
• iOS 17.7.2 and iPadOS 17.7.2: Supports earlier models such as iPad Pro (10.5-inch) and iPad Air 3rd generation.
• macOS Sequoia 15.1.1: Specifically targets systems running macOS Sequoia.
• visionOS 2.1.1: Exclusively for Apple Vision Pro.
• Safari 18.1.1: For Macs running macOS Ventura and Sonoma.

Apple's Mitigation Approach

Apple has implemented the following fixes:

• CVE-2024-44308: Enhanced input validation and robust memory checks to prevent arbitrary code execution.
• CVE-2024-44309: Improved state management to eliminate cookie mismanagement vulnerabilities.

These measures ensure stronger protection against exploitation and bolster the underlying security architecture of affected components.

Broader Implications

The exploitation of these zero-days highlights the evolving nature of threat landscapes:

• Increasing Sophistication: Attackers are refining techniques to target niche vulnerabilities, bypassing traditional defenses.
• Spyware Concerns: These flaws align with the modus operandi of spyware tools, potentially impacting privacy and national security.
• Call for Timely Updates: Users delaying updates inadvertently increase their risk exposure

Technical Recommendations for Users

To mitigate potential risks:

1. Update Devices Promptly: Install the latest patches for iOS, macOS, visionOS, and Safari.
2. Enable Automatic Updates: Ensures timely application of future patches.
3. Restrict WebKit Access: Avoid visiting untrusted websites until updates are installed.
4. Monitor System Behavior: Look for anomalies that could indicate exploitation.

‍

‍

Conclusion

The exploitation of CVE-2024-44308 and CVE-2024-44309 targeting Apple devices highlight the importance of timely software updates to protect users from potential exploitation. The swift action of Apple by providing immediate improved checks, state management and security patches. Users are therefore encouraged to install updates as soon as possible to guard against these zero day flaws.

References:

• https://support.apple.com/en-us/121752
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44308
• https://securityonline.info/cve-2024-44308-and-cve-2024-44309-apple-addresses-zero-day-vulnerabilities/ 

‍