Daily Archives: September 29, 2019

A proactive approach to cybersecurity requires the right tools, not more tools

The key challenge facing security leaders and putting their organizations at risk of breach is misplaced confidence that the abundance of technology investments they have made has strengthened their security posture, according to a study conducted by Forrester Consulting. The study surveyed over 250 senior security decision-makers in North America and Europe. Participants included CISO, CIO, IT and security VPs from organizations ranging from 3,000 to over 25,000 employees. Currently, security leaders employ a variety … More

The post A proactive approach to cybersecurity requires the right tools, not more tools appeared first on Help Net Security.

Companies vastly overestimating their GDPR readiness, only 28% achieving compliance

Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: … More

The post Companies vastly overestimating their GDPR readiness, only 28% achieving compliance appeared first on Help Net Security.

Weekly Update 158


It's been a bit of intense country-hopping since the last update so this one is a consolidated "this week in tweets" version. I actually found it kind of interesting going back through the noteworthy incidents of the week in lieu of having original content of my own, see what you think. Given the coming schedule (and a deep, deep desire for a few days of downtime), the next one might be more of the same so I hope it resonates!


References

Because this week is predominantly about noteworthy tweets, I'm going to do the references a little differently. Firstly, with a sponsor shout-out:

Sponsored by Okta: You wouldn’t roll your own hashing algorithm, so why build your own auth? Secure users in mins with a free dev account.

And then the tweets I discussed themselves:

DevSecOps is emerging as the main methodology for securing cloud-native applications

Only 8 percent of companies are securing 75 percent or more of their cloud-native applications with DevSecOps practices today, with that number jumping to 68 percent of companies securing 75 percent or more of their cloud-native applications with DevSecOps practices in two years, according to ESG. The study results also revealed that API-related vulnerabilities are the top threat concern (63 percent of respondents) when it comes to organizations’ use of serverless. Overall, the study analyzed … More

The post DevSecOps is emerging as the main methodology for securing cloud-native applications appeared first on Help Net Security.

ThreatConnect Platform: Security insight for sound decision-making

In this interview, Jason Spies, VP of Engineering & Chief Architect, ThreatConnect, talks about the powerful features of the ThreatConnect Platform. Oftentimes, the ability for a product to support growth (scale effectively) is forgotten in lieu of a customer being dazzled by individual features or capabilities. Can you talk about the importance of technical considerations when it comes to a Platform scaling to support multiple teams and growing demands over time? Bottom line, it’s a balance … More

The post ThreatConnect Platform: Security insight for sound decision-making appeared first on Help Net Security.

eBook: The DevOps Roadmap for Security

DevOps is concerned with uniting two particular tribes: development and operations. These tribes have seemingly competing priorities: developers value features while operations value stability. These contradictions are largely mitigated by DevOps. A strong argument could be made that the values of the security tribe – defensibility – could just as easily be brought into the fold, forming a triumvirate under the DevSecOps umbrella. The security tribe’s way forward is to find ways to unify with … More

The post eBook: The DevOps Roadmap for Security appeared first on Help Net Security.

SecTor 2019 Hack Lab Sneak Peak

Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I’ve been planning and prepping new ideas for this year’s IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I’m more than a little excited about the […]… Read More

The post SecTor 2019 Hack Lab Sneak Peak appeared first on The State of Security.

Ideas and Innovations at DEFCON 2019

Every year when I go to Black Hat USA and DEFCON, I am reminded of the constant battle between light and dark…wait…that’s Return of the Jedi…. I mean of the constant battle between infosec and the big bad hacker. And it’s not just the uber sophisticated hacks that involve fuzzing and SQL Injections (Am I […]… Read More

The post Ideas and Innovations at DEFCON 2019 appeared first on The State of Security.

Cloudflare now supports HTTP/3

Cloudflare, the security, performance, and reliability company helping to build a better Internet, announced support for HTTP/3, the new standard of the web that will make the Internet faster, more secure, and more reliable, for everyone. Cloudflare has been collaborating with industry peers, including Google Chrome and Mozilla Firefox, to bring HTTP/3 to the masses and progress the Internet into the future. An efficient Internet requires the adoption of common, shared protocols to allow computers … More

The post Cloudflare now supports HTTP/3 appeared first on Help Net Security.

MobileIron to offer robust security and management to Oculus for Business

MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform for the enterprise, announced support for the upcoming release of Oculus for Business. Organizations will be able to onboard, configure and manage Oculus’ leading all-in-one virtual reality (VR) headsets, Oculus Quest and Oculus Go, as part of their established unified endpoint management (UEM) infrastructure, simplifying the entire device lifecycle – from enrollment to retirement. Built for easy adoption and scalability across a variety … More

The post MobileIron to offer robust security and management to Oculus for Business appeared first on Help Net Security.

HITRUST adds new features to its information risk and compliance assessment SaaS platform

HITRUST, a leading data protection standards development and certification organization, announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with … More

The post HITRUST adds new features to its information risk and compliance assessment SaaS platform appeared first on Help Net Security.

Tripwire unveils new version of Tripwire Connect

Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations, announced the next generation of Tripwire Connect, which consolidates data from both Tripwire Enterprise and Tripwire IP360 to provide a single view of security and compliance states, and can be deployed both on-premises and as a software-as-a-service (SaaS) application. The new version of the Tripwire Connect analytics, reporting, integration and management platform delivers scalable, flexible and centralized vision into the … More

The post Tripwire unveils new version of Tripwire Connect appeared first on Help Net Security.

OPSWAT launches OPSWAT Academy, a new CIP cybersecurity training and certification program

OPSWAT, a leader in critical infrastructure protection, announced a new critical infrastructure protection (CIP) cybersecurity training and certification program, OPSWAT Academy. Designed for cybersecurity professionals and CIP stakeholders, OPSWAT Academy will provide beginner, intermediate and advanced education strategically designed to reflect the real-world responsibilities and technical proficiencies required of modern-day critical infrastructure security professionals and stakeholders. Through courses that promote best practices and practical approaches to CIP cybersecurity, OPSWAT Academy will help properly prime what … More

The post OPSWAT launches OPSWAT Academy, a new CIP cybersecurity training and certification program appeared first on Help Net Security.

Phishers continue to abuse Adobe and Google Open Redirects

Adobe and Google Open Redirects Abused by Phishing Campaigns

Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Crooks abuse Google and Adobe services to create URLs that point to malicious websites but are still able to bypass security filters, because they appear to be legitimate URLs from trusted IT giants.

“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.” reads the post published by Google.

“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

An example of a Google open redirect that could be abused by attackers is https://www.google.com/url?q=[url].

“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe.” reported BleepingComputer.

Below is an example of a phishing message that uses a Google open redirect pointing to a fake login page.

In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.

Experts suggest administrators and users remain vigilant about open redirects.

Pierluigi Paganini

(SecurityAffairs – google open redirects, phishing)


The post Phishers continue to abuse Adobe and Google Open Redirects appeared first on Security Affairs.

Windows 10 1903 on ARM Gets a Virtualization-based Security Feature

Windows 10 version 1903 on ARM has gotten an additional virtualization-based security feature that creates secured regions of memory that are isolated from the operating system. These secured and isolated regions of memory can then be used by security solutions so that they are better protected from vulnerabilities in the operating s [...]

Week in review: IE zero-day, S3 bucket security, rise of RDP as a target vector

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

Cybersecurity automation? Yes, wherever possible
Automated systems are invaluable when it comes to performing asset discovery, evaluation and vulnerability remediation, sifting through mountains of data, detecting anomalous activity and, consequently, alleviating the everyday burdens of security teams.

How can we thwart email-based social engineering attacks?
More than 99 percent of cyberattacks rely on human interaction to work, Proofpoint recently shared. More … More

The post Week in review: IE zero-day, S3 bucket security, rise of RDP as a target vector appeared first on Help Net Security.

Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs



Hi folks, let me inform you that I suspended the newsletter service; anyway, I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence’s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 233 appeared first on Security Affairs.

Security Affairs 2019-09-29 06:48:05

Hackers have stolen more than 218 million records from the popular ‘Words With Friends’ developed by the mobile social game company Zynga Inc.

Do you remember Gnosticplayers? Between February and April, the popular hacker disclosed the existence of some massive unreported data breaches in five rounds. He offered for sale almost a billion user records stolen from nearly 45 popular online services.

Now the Pakistani hacker claims to have stolen more than 218 million records from the popular mobile social game company Zynga Inc.

Zynga Inc is an American social game developer running social video game services. Founded in April 2007, it primarily focuses on mobile and social networking platforms.

Among the online games developed by the company, there are FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World that have over a billion players worldwide.

“Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.” reported The Hacker News.

Gnosticplayers shared a sample of stolen data with The Hacker News; the exposed records include:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

Gnosticplayers revealed that he had access to data belonging to all Android and iOS game players who installed and signed up for the ‘Words With Friends’ game before 2nd September 2019.

Zynga confirmed that the account login information for certain players of Draw Something and Words With Friends may have been exposed in the data breach. The company pointed out that hackers did not access financial information.

“We recently discovered that certain player account information may have been illegally accessed by outside hackers.  An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.” reads the data breach notification published by the company.

“While the investigation is ongoing, we do not believe any financial information was accessed.  However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.  As a precaution, we have taken steps to protect these users’ accounts from invalid logins.  We plan to further notify players as the investigation proceeds.”

The hacker also claims to have accessed data of other Zynga gamers, including Draw Something and the discontinued OMGPOP game.

The company launched an investigation and hired third-party forensics firms to help it; it also reported the incident to law enforcement. As a precaution, the gaming firm has taken steps to protect these users’ accounts from invalid logins.

Users of the Words With Friends game and, let me suggest, players of Zynga games should immediately change the password for their account and also on any other services that share the same credentials.

Pierluigi Paganini

(SecurityAffairs – gaming, hacking)

The post appeared first on Security Affairs.

Exclusive — Hacker Steals Over 218 Million Zynga ‘Words with Friends’ Gamers Data

A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc. With a current market capitalization of over $5 billion, Zynga is one of the world's most successful social game developers with a collection of hit online

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads.

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially, the downloader was involved in a small campaign aimed at distributing the Crimson RAT; over time, researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enabled, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors.

The result of the query is written to disk as a PKZip archive of a Windows executable. 

“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”


Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

The post WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware appeared first on Security Affairs.

Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at the Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is being actively distributed. The malware can steal files, browser information, and cryptocurrency wallet data and send them to the botmasters using Telegram.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

“Masad Stealer sends all of the information it collects – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

The Masad Stealer is written in AutoIt scripts and is compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but experts revealed that it is possible to find larger executables bundled into other applications.

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper; the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed by masquerading as a legitimate tool or by being bundled into third-party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected by installing tainted versions of popular software, game cracks, and cheats.

Once it has infected a machine, Masad Stealer will collect a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, Cryptocurrency Wallets, browser cookies, usernames, passwords, and Credit Card Browser Data.

Masad Stealer is also able to automatically replace Monero, Bitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallets from the clipboard with its own.

The malware achieves persistence by creating a scheduled task on all Windows devices it manages. 

Once the malware has collected the information from the victims’ computers, it zips it using a 7zip executable bundled within its binary, then exfiltrates the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of unique Telegram bot IDs and usernames associated with the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Masad Stealer Malware exfiltrates data via Telegram appeared first on Security Affairs.