Author Archives: Kevin Jones

Equifax’s Nightmare Continues, Credit Rating “Negative”

Hackercombat.com has covered the Equifax data breach and its fallout since 2017. The most recent development was on March 9, 2019, when the U.S. Senate Committee on Homeland Security and Governmental Affairs released the report on its probe of the incident. The report not only documented the embarrassing state of Equifax before and after the attack, but also proposed legislation to help other companies avoid becoming the next victim of a similar incident.

That was not the last episode in the long-running Equifax drama, however. Moody’s, one of the global credit rating agencies, has revised the data analytics firm’s credit outlook from “stable” to “negative”, a change the company will feel throughout the current year.

“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change. This is the first time the fallout from a breach has moved the needle enough to contribute to the change,” explained Joe Mielenhausen, Moody’s Spokesperson.

A negative outlook signals that a rating cut may follow, which makes existing debt costlier to service and future borrowing harder to arrange. Moody’s cited the roughly $690 million in post-breach expenses that Equifax has had to absorb as the justification. That figure is the closest available estimate of what the company has spent settling the class action lawsuits and facing the state and federal fines that followed the incident.

“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021. Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach. The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future,” said Moody’s in a Press Release.

In November 2018, Moody’s changed its rating methodology to treat how an issuer handles cybersecurity risk, and any cyber incidents it suffers, as a factor in its credit assessment. This is a significant reform, since cybersecurity issues had not previously affected companies’ credit ratings.

“For us, it’s not something we view as a totally new idea. We’ve been in the risk management business for a very long time. This is to enhance our thinking about credit as cyber becomes more and more important. We haven’t yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing. Different sectors have different levels of credit sensitivity to cyber risk. For those higher-risk sectors, there will be impact down to the individual issuer-level over time,” added Derek Vadala, Moody’s Lead for Investors Services Cyber Risk Group.


The Future of Web Filtering in the Era of 5G Networks

Security professionals and network administrators are now concerned with securing fifth-generation (5G) networks from digital threats. Among the technologies used to safeguard 5G networks, DNS filtering stands out. Let’s look at the future of DNS filtering in the context of 5G network security.

DNS filtering protects 5G networks from a range of threats, including botnets, ransomware and phishing, by refusing to resolve known-bad domains; it also provides network configuration controls for security policy and parental controls.

MSPs (Managed Service Providers), ISPs (Internet Service Providers) and Cloud Access Security Brokers can benefit considerably from DNS filtering, especially when it is combined with web content categorization.

The 5G era is also the era of the IoT (Internet of Things). DNS filtering goes a long way toward protecting IoT networks, in particular 5G-based ones, from a variety of threats, especially the botnets behind the DDoS (Distributed Denial of Service) attacks that so often involve such networks and critical IoT applications: a compromised device that cannot resolve its command-and-control domain cannot receive attack instructions. There are immense possibilities for DNS filtering in IoT security on 5G networks, but research in this area is still thin, and most current solutions appear ill-equipped to handle 5G traffic for IoT security management.

Now for another important aspect of DNS filtering in the 5G era. While DNS filtering helps secure 5G networks, the resolvers that perform the filtering are themselves an attack surface and must be hardened. The number of connected devices and applications is growing faster than ever worldwide, and as more of them join 5G networks, cybersecurity becomes more challenging than ever. Many of these devices are likely targets for DDoS and other attacks. Security experts and service providers must therefore study the requirements of next-generation 5G networks and form a clear understanding of the cybersecurity challenges they will bring.

5G-aware DNS filtering is important for securing 5G-based IoT traffic, and experts are devising new security frameworks to deliver the networking capabilities this demands. Security firms are working on systems able to process 5G-aware DNS filtering rules and so offer the strongest possible protection against cyberattacks of all kinds and magnitudes.

Though DNS filtering contributes greatly to securing critical 5G network infrastructure, trusted cybersecurity partners and a broader set of security technologies are also needed. Since no single product can guarantee 100% security, it is best to combine techniques and technologies, including two-factor authentication, antivirus software and spam filters, and to have concrete remediation policies in place.

Coming back to DNS filtering: it helps organizations adopt effective, comprehensive and forward-looking web use policies, block access to malicious websites and otherwise protect their networks. Combined with other technologies, it helps defend against known and unknown threats and against unauthorized access to 5G networks. One caveat a practitioner should keep in mind: a DNS filter only sees the queries that pass through it. A device configured to use encrypted DNS to a third-party resolver, or one that connects by raw IP address, is not covered, so the filter must be paired with egress controls on the segment it protects.
We live in a world where connected devices and applications number in the millions and are increasing rapidly, so there is huge pressure to keep every network secure and adaptable. Technologies like DNS filtering help deliver that security and adaptability, especially for advanced 5G networks.
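To make the filtering step concrete, here is a small policy engine, added as an illustration and not taken from any product or from the original post. It matches a queried name, or any parent domain of it, against a constructed blocklist of domains with categories (the domain names are hypothetical), sinkholes security categories, and refuses content categories only when a parental-control policy applies. It also shows the normalisation check a practitioner wants before trusting such a filter: DNS names are case-insensitive and may carry a trailing dot, so a trivially varied query must not slip past.

```python
"""Minimal DNS filtering policy engine (added illustration, not a product).

A blocklist maps domains to a category; a query is blocked if the queried
name, or any parent domain of it, is listed. Real deployments load the
list from a threat feed; here a small constructed list is embedded inline.
"""
from typing import Optional, Tuple

# Constructed sample blocklist: "domain category" lines (hypothetical names).
SAMPLE_BLOCKLIST = """\
# domain              category
botnet-c2.example     botnet
ransom-pay.example    ransomware
login-verify.example  phishing
casino.example        gambling
"""

# Categories blocked for every client; "gambling" is only blocked where a
# parental-control policy applies (assumption made for the example).
SECURITY_CATEGORIES = {"botnet", "ransomware", "phishing"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def load_blocklist(text: str) -> dict:
    """Parse 'domain category' lines; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        domain, category = line.split()
        entries[normalize(domain)] = category
    return entries


def lookup(qname: str, blocklist: dict) -> Optional[Tuple[str, str]]:
    """Return (matched_domain, category) for qname or any parent, else None.

    Walking the label suffixes means evil.botnet-c2.example matches the
    botnet-c2.example entry without listing every subdomain; label-based
    matching also keeps notbotnet-c2.example from matching by accident.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def decide(qname: str, blocklist: dict, parental_controls: bool = False) -> str:
    """Policy decision for one query: 'allow', 'sinkhole' or 'block'.

    Security categories are sinkholed (answered with a controlled address so
    the beaconing client can be identified); content categories are simply
    refused (NXDOMAIN) when parental controls are on.
    """
    match = lookup(qname, blocklist)
    if match is None:
        return "allow"
    _, category = match
    if category in SECURITY_CATEGORIES:
        return "sinkhole"
    if parental_controls:
        return "block"
    return "allow"


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for q in ["www.example.net.", "EVIL.botnet-c2.example", "casino.example"]:
        print(q, "->", decide(q, bl, parental_controls=True))
```

Sinkholing rather than plain refusal is the choice most worth copying: the resolver's sinkhole logs then tell you which 5G or IoT client tried to reach a command-and-control domain, which is exactly the signal an operator needs to find the infected device.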


A Brief Look At The Shade Ransomware (2019 variant)

2019 is shaping up as a year in which ransomware infections declined sharply compared with 2017, when such malware made headlines for causing trouble for millions globally. Back then it was hard to miss the daily news of a firm or public agency becoming the latest ransomware victim and struggling with the ransom demand (the money victims have to pay to restore their files). That does not mean such news has stopped; it still happens, just far less often.

Some older ransomware, predating WannaCry by years, is making a comeback in 2019. Shade ransomware is one such case: Kaspersky Lab first documented it five years ago, in 2014, and Palo Alto Networks’ Unit 42 team has now detected its resurgence in the United States, India, Thailand, Canada and Japan.

“Recent reports of malspam pushing Shade ransomware have focused on distribution through Russian language emails. However, Shade decryption instructions have always included English as well as Russian text. The Shade ransomware executable (EXE) has been remarkably consistent. All EXE samples we have analyzed since 2016 use the same Tor address at cryptsen7f043rr6.onion as a decryptor page. The desktop background that appears during an infection has been the same since Shade was first reported as Troldesh in late 2014,” explained Brad Duncan, Unit 42’s Threat Intelligence Analyst.

Shade spreads no differently from other contemporary malware. The samples Unit 42 examined were distributed through spam email. The strongest campaign was a surge of spam back in February 2019. These emails carried an attached PDF or ZIP file, and the email body described the attachment as a billing statement from the victim’s service provider.

The attached PDF or ZIP is not a normal document but a launcher for malicious JavaScript that downloads the actual Shade payload from the command-and-control servers. The payload itself has not changed significantly from the variant Kaspersky Lab first examined in 2014. Once downloaded, the payload is executed automatically by the script in the attachment; this is when file encryption begins and the text-based ransom notes are generated.
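The delivery chain above (a lure that claims to be a billing statement but carries a script launcher) is something mail gateways can triage without ever running the attachment. The following helper is an added example, not Unit 42’s or anyone else’s code: it inspects a ZIP attachment in memory and flags members whose names end in a Windows script extension, use a document-looking double extension such as `statement.pdf.js`, or are nested archives. The two sample archives are constructed inline for the example; the script body they contain is a placeholder, not real Shade code.

```python
"""Triage of e-mail attachments for script launchers (added example).

Shade-style malspam hides a JavaScript downloader inside a ZIP (or PDF)
attachment. This helper flags archives whose contents are script files
rather than the billing statement the e-mail body claims. The sample
archives are constructed in memory; nothing here is Unit 42's code.
"""
import io
import zipfile

# Extensions the Windows Script Host or shell will run directly.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}
# Extensions that look like documents and are used as decoys ("invoice.pdf.js").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_reasons(filename: str) -> list:
    """Reasons a single member name inside an archive looks like a launcher."""
    name = filename.lower().rsplit("/", 1)[-1]   # ignore any folder prefix
    parts = name.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {ext}")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in SCRIPT_EXTENSIONS:
        reasons.append("document-looking double extension")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Inspect ZIP bytes without extracting anything; return a verdict."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = suspicious_reasons(info.filename)
                # A nested archive is a common second layer; flag it too.
                if info.filename.lower().endswith(".zip"):
                    reasons.append("nested archive")
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        # Something claiming to be a ZIP that is not one is itself a red flag.
        return {"verdict": "block", "findings": {"<archive>": ["not a valid ZIP"]}}
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_zip(members: dict) -> bytes:
    """Construct a ZIP in memory (used only to create sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign statement and a Shade-style lure.
BENIGN_ZIP = build_zip({"statement_2019-02.pdf": b"%PDF-1.4 placeholder"})
MALSPAM_ZIP = build_zip({"statement_2019-02.pdf.js": b"// downloader placeholder"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("malspam", MALSPAM_ZIP)]:
        print(label, triage_zip(blob))
```

Matching on the member name rather than the archive name matters because the lure is usually named innocuously; the script extension only shows up once you list the archive. Password-protected archives, which this helper cannot list, deserve the same block-by-default treatment at a gateway.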

The user’s wallpaper is replaced with a black background and red text announcing the infection: “Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.”

Unlike previous iterations of Shade, the newer variant has a clearer target: most infections are now in the United States, whereas it previously wreaked havoc on Windows computers in India, Thailand and Japan. There are also visible indications that specific sectors in specific regions are targeted, with victims typically in the telecommunications, wholesale/retail and education industries. Unit 42’s hypothesis is that non-Russian-speaking countries are the most likely to receive the spam emails carrying Shade.


Banking Trojan Infections Dominated In Q1 2019

Kaspersky Lab, the research arm of antivirus vendor Kaspersky, has revealed that banking trojan activity grew sharply worldwide in the first quarter of 2019 compared with the last quarter of 2018. Cybercriminals have shifted their focus to banking trojans after the shutdown of the popular Coinhive cryptojacking service in March 2019. With profit the motive, ransomware infections are slowly declining, while operating system mitigations are shrinking the infection vectors available to cryptocurrency-mining malware.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” explained Victor Chebyshev, Kaspersky’s Lead of Research Development team.

Banking trojans in 2019 are highly modular, with new features added on the fly by their authors. Kaspersky detected 29,841 banking trojan modifications in the first quarter of 2019 alone, a sizable increase from the 18,501 detected in the fourth quarter of 2018.

“As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected,” added Chebyshev.

Kaspersky expects mobile to be the hardest-hit segment, since users today do more of their computing on mobile devices than on full-fledged computers.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms. For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival,” concluded Chebyshev.


GetCrypt Ransomware Encrypts Files, Brute Forces Credentials

Here’s a new ransomware that not only encrypts the files on a computer but also attempts to brute force credentials for network shares.

GetCrypt, a new ransomware distributed through malvertising campaigns that redirect victims to the RIG exploit kit, encrypts all files on a computer and then demands a ransom to decrypt them. What makes it interesting is that it also attempts to brute force credentials from the infected system.

Exploit kit researcher nao_sec discovered the ransomware, which is delivered by redirecting victims to a page hosting the RIG exploit kit. A BleepingComputer report says, “This ransomware was discovered by exploit kit researcher nao_sec who alerted BleepingComputer when they saw it being installed via the RIG exploit kit in Popcash malvertising campaigns. When a victim is redirected to a page hosting the exploit kit, malicious scripts will try to exploit vulnerabilities found on the computer.”

If the exploit succeeds, GetCrypt is downloaded and installed on the Windows system.

Lawrence Abrams of BleepingComputer writes that nao_sec’s tweet was also seen by security researcher Vitali Kremez, who analyzed the ransomware and found some interesting features.

The most notable of his observations: once executed by the RIG exploit kit, the ransomware checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian and, if so, terminates without encrypting anything. Otherwise it reads the computer’s CPUID and derives from it a 4-character string that will be used as the extension for encrypted files. It then runs the command vssadmin.exe delete shadows /all /quiet to clear the Volume Shadow Copies, removing Windows’ built-in way of restoring earlier versions of files. Finally it scans the whole system for files to encrypt. It does not target particular file types; it encrypts everything except files located in or under the following folders: :\$Recycle.Bin, :\ProgramData, :\Users\All Users, :\Program Files, :\Local Settings, :\Windows, :\Boot, :\System Volume Information, :\Recovery and AppData.

GetCrypt reportedly uses the Salsa20 and RSA-4096 algorithms to encrypt files, appending the 4-character string created earlier as the extension. At the same time it drops a ransom note named decrypt my files #.txt in every folder it encrypts and on the desktop. The note tells the victim to contact getcrypt@cock.li for payment instructions. The ransomware also changes the desktop background to an image carrying a detailed message: the system has been infected, all files have been encrypted, and here is what must be done to get them decrypted.

Like many other ransomware families, GetCrypt also tries to encrypt files on network shares during the encryption process, but in an unusual way. The BleepingComputer report explains, “When encrypting, GetCrypt will utilize the WNetEnumResourceW function to enumerate a list of available network shares…If it cannot connect to a share, it will use an embedded list of usernames and passwords to bruteforce the credentials for shares and mount them using the WNetAddConnection2W function.”

“While encrypting unmapped network shares is not unusual, this is the first time we have seen a ransomware try to brute force shares so that they can connect to them from the infected computer,” the report further notes.
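The shadow-copy deletion described above is one of the few GetCrypt behaviours that is both loud and generic, which makes it a good detection. The following scanner is an added example, not code from the BleepingComputer report: it reads process-creation command lines (the kind found in Windows Security event 4688 or Sysmon event 1, here rendered as constructed key=value lines) and alerts on shadow-copy deletion. It goes beyond the vssadmin form the report describes by also matching the wmic and PowerShell variants; those patterns are my own addition and are labelled as such in the code.

```python
"""Detection of Volume Shadow Copy deletion in process-creation logs
(added example, not from the BleepingComputer report).

Ransomware such as GetCrypt runs
    vssadmin.exe delete shadows /all /quiet
before encrypting so that Windows' built-in restore points are gone.
This scanner reads command lines from process-creation events (Windows
Security event 4688 or Sysmon event 1) and flags known variants.
The log lines below are constructed, not real telemetry.
"""
import re

# The first pattern is the vssadmin form the report describes. The others
# (storage shrink, wmic, PowerShell/WMI) are added from general knowledge
# of other ways shadow copies get destroyed, not from the GetCrypt analysis.
SHADOW_DELETE_PATTERNS = [
    re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    re.compile(r'vssadmin(\.exe)?"?\s+resize\s+shadowstorage.*maxsize', re.I),
    re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I),
    re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*Delete\(\)", re.I),
]

# Simplified rendering of a process-creation event: ts host=.. user=.. cmd=..
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line destroys or shrinks shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def scan(lines):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        if is_shadow_copy_deletion(m["cmd"]):
            alerts.append({"ts": m["ts"], "host": m["host"],
                           "user": m["user"], "cmd": m["cmd"]})
    return alerts


# Constructed sample log. Only the second and third lines should alert;
# listing shadows (line four) is routine backup activity.
SAMPLE_LOG = [
    "2019-05-22T10:01:03Z host=WS-17 user=alice cmd=C:\\Windows\\System32\\notepad.exe",
    "2019-05-22T10:01:09Z host=WS-17 user=alice cmd=vssadmin.exe delete shadows /all /quiet",
    "2019-05-22T10:02:44Z host=WS-17 user=alice cmd=\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete",
    "2019-05-22T10:03:00Z host=SRV-01 user=backup cmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['host']} {a['user']}: {a['cmd']}")
```

The patterns tolerate a quoted executable path and any case, because the binary is frequently launched as `"C:\Windows\System32\vssadmin.exe"` by a script. On a workstation this command has almost no legitimate use, so the alert can be treated as high-confidence and paired with an automated network isolation of the host.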

Fortunately, it is possible to decrypt files on a system infected with GetCrypt: a decryptor has been released. It works only if an original, unencrypted copy of one of the files encrypted during the infection is available. The decryptor is run against that encrypted file and its unencrypted original; from the pair it brute forces the decryption key and can then decrypt all the files.

This once again proves the need for offline backups, something we have discussed in many of our posts. A backup can supply the unencrypted version of a file that the decryptor needs and, more to the point, lets you restore everything without depending on a decryptor at all.


Why You Need to be Careful About the BlueKeep Vulnerability

WannaCry, the ransomware that struck in 2017, shook the foundations of thousands of businesses worldwide. The NotPetya attack that followed caught many more unawares and dealt them a heavy blow. If we are not careful, another such devastating attack could happen in the near future, thanks to a critical vulnerability named BlueKeep.

It was the EternalBlue exploit, for which Microsoft had issued a patch that many users, including thousands of organizations worldwide, failed to apply in time, that enabled two of the most damaging cyberattacks of recent years, WannaCry and NotPetya. Remember, it was not EternalBlue as such that caused the damage but the failure of users and enterprises to patch the underlying vulnerability in time. Now there are reports of another vulnerability, a ‘wormable’ critical RCE (Remote Code Execution) flaw named BlueKeep, that could lead to similarly damaging attacks if it is not dealt with.

Microsoft has already released a patch for BlueKeep for all supported, plus some unsupported, operating systems. All that companies (and individual users) need to do is update their older Windows systems right away to avoid becoming one of the potential victims of a probable attack.

Experts point out that BlueKeep, found in Remote Desktop Services (formerly known as Terminal Services), could give an attacker who exploits it successfully code execution on any targeted Windows system, with no credentials and no user interaction. Moreover, the vulnerability is ‘wormable’: future exploits could use it to spread malware within and beyond networks in much the same way the WannaCry attacks did.

The flaw, CVE-2019-0708, affects multiple in-support and out-of-support versions of Microsoft’s operating systems. Users of Windows 7, Windows Server 2008 R2 and Windows Server 2008 who have automatic updates enabled are protected. Special updates have also been issued for two unsupported versions, Windows XP and Windows Server 2003. Windows 8 and Windows 10 are reported not to be affected. Windows Vista is also affected, but Microsoft has not released a patch for it; Vista users should either disable RDP (Remote Desktop Protocol) entirely or allow it only over a VPN.

Since Microsoft released the patches, security researchers have built several working proofs of concept, but none has been released publicly, and there is no evidence of the vulnerability being exploited in the wild yet.

Remember, given BlueKeep’s wormable nature, if someone publishes a working exploit, or a malware author sells one on the criminal underground, a situation much like WannaCry or NotPetya could arise. Even the less skilled among cybercriminals could use such an exploit to attack networks for profit.

How to avoid being a victim of the BlueKeep exploit

Some simple measures can prevent attacks that exploit the BlueKeep vulnerability:

  • If you or your organization runs a supported version of Windows, update it; enabling automatic updates is the best option. If you are still on an unsupported version (Windows XP or Windows Server 2003), download and apply the special patches immediately.
  • Avoid RDP; use it only where it is genuinely needed.
  • If you must use RDP, configure it properly and do not expose it to the public internet. Filter RDP access with a firewall, or put it behind a VPN with multi-factor authentication.
  • Disable RDP until you have applied the patches Microsoft has released.
  • Enable NLA (Network Level Authentication), so that authentication is required before a remote session is established. (Remember that attackers holding valid credentials can still authenticate and then trigger the RCE, so NLA reduces exposure but does not replace the patch.)
  • Use trusted multi-layered security solutions to detect and prevent attacks at the network level.
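Applied across a fleet, the checklist above becomes a prioritisation problem: which hosts are unpatched, reachable over RDP from the internet, and running without NLA. The script below is an added example, not part of the original post, that ranks a constructed inventory by exactly those three checks. The KB numbers in it are recalled from Microsoft’s advisory for CVE-2019-0708 and are treated as an assumption that must be verified against the advisory before use; the hostnames and inventory fields are hypothetical.

```python
"""Prioritising hosts for the CVE-2019-0708 (BlueKeep) checklist
(added example, not from the original post).

Given an inventory of Windows hosts, assess() scores each host by the
checklist items it fails: affected OS without the fix, RDP reachable from
the internet, NLA disabled. The inventory below is constructed.
ASSUMPTION: the KB numbers are recalled from Microsoft's advisory for
CVE-2019-0708 and must be verified against it before use.
"""
from dataclasses import dataclass, field

# Affected OS families per the post; Windows 8 and 10 are not affected.
AFFECTED_OS = {"Windows XP", "Windows Server 2003", "Windows Vista",
               "Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}

# ASSUMPTION (verify!): updates that close CVE-2019-0708 on each family.
FIX_KBS = {
    "Windows 7": {"KB4499175", "KB4499164"},
    "Windows Server 2008 R2": {"KB4499175", "KB4499164"},
    "Windows Server 2008": {"KB4499180", "KB4499149"},
    "Windows XP": {"KB4500331"},
    "Windows Server 2003": {"KB4500331"},
    "Windows Vista": set(),   # the post notes no patch was released for Vista
}


@dataclass
class Host:
    name: str
    os: str
    installed_kbs: set = field(default_factory=set)
    rdp_enabled: bool = False
    rdp_internet_exposed: bool = False
    nla_enabled: bool = False


def assess(host: Host) -> dict:
    """Return the checklist items a host fails and a severity for it."""
    findings = []
    unpatched = False
    if host.os in AFFECTED_OS and not (host.installed_kbs & FIX_KBS.get(host.os, set())):
        unpatched = True
        findings.append("affected OS without BlueKeep fix")
    if host.rdp_enabled:
        if host.rdp_internet_exposed:
            findings.append("RDP exposed to the internet")
        if not host.nla_enabled:
            findings.append("NLA disabled")
    if unpatched and host.rdp_enabled and host.rdp_internet_exposed:
        severity = "critical"   # wormable, pre-auth, reachable from anywhere
    elif unpatched and host.rdp_enabled:
        severity = "high"       # reachable from inside the network
    elif findings:
        severity = "medium"     # hygiene issue, or unpatched but RDP off
    else:
        severity = "ok"
    return {"host": host.name, "severity": severity, "findings": findings}


def rank(hosts):
    """Most urgent hosts first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    return sorted((assess(h) for h in hosts), key=lambda r: order[r["severity"]])


# Constructed inventory (hypothetical hosts).
INVENTORY = [
    Host("srv-rdp-01", "Windows Server 2008 R2", set(), True, True, False),
    Host("ws-finance-07", "Windows 7", {"KB4499175"}, True, False, True),
    Host("kiosk-03", "Windows XP", set(), True, False, False),
    Host("ws-dev-12", "Windows 10", set(), True, True, False),
]

if __name__ == "__main__":
    for r in rank(INVENTORY):
        print(r["severity"].upper(), r["host"], "; ".join(r["findings"]) or "no findings")
```

Note that a Windows 10 host with RDP open to the internet and NLA off still scores medium: it is not vulnerable to BlueKeep, but it fails two of the checklist items and is the kind of exposure that the next RDP bug will hit. Populate the inventory from your patch-management and firewall data rather than by hand.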


Six Best CRM Software for Business for 2019

CRM (Customer Relationship Management) software helps easily manage prospects, leads and customers for any business. By using CRM software, a business could store data (contact information and the like), send emails, make calls, add notes, schedule appointments, create reports and do many such other things.

Here’s a look at the six best CRM software packages for businesses available on the market today.

HubSpot

HubSpot CRM is ideal for beginners and start-ups since it is simple and easy to use. Using this web-based CRM solution, businesses can manage contacts and recent contact activity with ease. HubSpot’s clean visual dashboard helps organize and sort contacts by deals won or lost, appointments scheduled and so on, and custom filters sort contacts to suit any particular business. The dashboard also gives an up-to-the-minute view of the entire sales funnel. The tool offers features like team email, live chat, email scheduling, tasks, deals and ticketing. The paid version adds advanced features like calling, meetings, email tracking notifications, contact activity and conversational bots. You can log all activities by linking HubSpot CRM to Gmail or Outlook.

PipeDrive

PipeDrive CRM software, which is easy to use, simplifies the sales pipeline process and helps identify the actions that could get you more sales. Its features include a clear visual interface, email integration, sales reporting, sales forecasting, activity and goal setting, and mobile apps for accessing the CRM from anywhere. There are three pricing plans, Silver, Gold and Platinum. The Silver plan has basic features like a drag-and-drop calendar view, chat and email support, goals, smart email BCC and a customizable dashboard; the Gold plan adds workflow automation, smart contact data and a scheduler; and the Platinum plan adds multiple dashboards, teams and revenue forecast reports. A free trial is also available.

Constant Contact

Constant Contact CRM, which offers different pricing plans depending on the number of email subscribers as well as on the features needed, helps manage contacts, easily upload current contacts list, categorize contacts using tags and send email campaigns to subscribers. The features also include segmentation tools, email list building tools, list cleaning and easy integration with other CRM software.

GreenRope

Some experts call GreenRope the complete CRM solution as it brings together marketing automation, sales pipelines and customer service. There are three sections namely sales, marketing and operations. While the sales part includes a complete CRM, workflow manager, booking calendar system, predictive analytics, lead scoring tool etc, the marketing suite includes features like email marketing software, email tracker, customer journey mapping, landing page builder etc. The operations part includes features like ticketing system, live chat, project management, contact management, event management etc. GreenRope CRM software, which offers 7 different pricing plans, can be used by businesses to manage social media, email marketing, sales, events, project management etc.

SalesForce

An immensely popular CRM software, SalesForce has many advanced features that help manage almost all things pertaining to customer service, sales and marketing, commerce, productivity etc. SalesForce offers 4 different pricing plans and comes with notable features like account management, contact management, opportunity management, lead management, sales data etc. The tool, which offers advanced features depending on the plan chosen, helps businesses grow faster by expanding their customer base and closing deals very fast.

Freshsales

Freshsales CRM, which is mainly for small businesses, is easy-to-use and offers a 360-degree customer view, which provides access to customer’s social profiles, helps identify customer touch points etc, all from a single dashboard. The tool also allows automatic capture of website visitors and also helps group these visitors based on the way they engage with the websites. Freshsales has four different pricing plans and offers features like auto lead assignment, appointment booking, auto profile enrichment, lead scoring, smartforms etc. It also helps understand and manage customers using the tracking features, email features and built-in phone features that it offers. A free plan called Sprout supports users with contacts, leads, deals, email, integrations, mobile apps etc.


ITIL Service Operation Processes: A Brief Introduction

ITIL Service Operation (SO) is one of the five core publications that make up the ITIL Service Management Lifecycle under the ITIL (Information Technology Infrastructure Library) framework. It provides guidance on maintaining stability in IT services and on managing services in supported environments.

The ITIL SO module takes care of some very important responsibilities, including monitoring services, resolving incidents, fulfilling requests and executing operational tasks. Once the formal handover from the Service Transition module is complete, SO takes control of new or changed services and executes all design and transition plans. It also measures how efficient those plans prove to be in practice.

The Objectives

The ITIL SO module, which is entirely customer facing, ensures that IT services are delivered efficiently and effectively and that quality of service is maintained. Key activities such as fixing problems and service failures, fulfilling user requests and executing routine operational tasks therefore fall within its purview. SO also covers reducing incidents and problems, minimizing the business impact of service outages, ensuring that only authorized users can access agreed IT services, helping organizations deliver value within their SLAs, and supporting users in service-related matters.

The Processes

There are five processes that come under ITIL SO. They are- Event Management, Incident Management, Request Fulfilment, Problem Management and Access Management.

Event Management is about continuous monitoring of CIs (configuration items) and services. Incident Management, as the name suggests, ensures that IT services are restored to a working state quickly after unexpected incidents. Request Fulfilment covers acknowledging and processing service requests from users. Problem Management finds the root cause of problems and seeks to mitigate their impact or prevent them from recurring. Finally, Access Management ensures that access to services and functions is granted only to authorized users, in accordance with pre-defined policies.

These five processes are assigned to two major functional groups, the Service Desk and the Technical Support Group (Technical, Application and IT Operations Management), which are discussed in detail in the next section.

The Functions

ITIL SO comprises four functions and two sub-functions. The functions are- Service Desk, Technical Management, IT Operations Management and Applications Management.

Service Desk, which is the first and single point of contact, takes care of things like coordinating between end user and service provider, managing logged tickets, ensuring timely closure of user requests etc.

Technical Management is all about managing the IT infrastructure by providing technical expertise and support.

The IT Operations management deals with IT related day-to-day operational activities and comprises two sub-functions, namely IT Operations Control (monitoring and controlling of IT services and the underlying infrastructure) and Facilities Management (management of the physical environment where the IT infrastructure is located).

Application Management, as the term suggests, is all about managing applications throughout their lifecycle.

The Benefits

There are many benefits to the ITIL Service Operation processes.

The main benefit, however, is that it helps organizations reduce unplanned expenditure through optimized handling of service outages and proper identification of their causes. By minimizing the duration and frequency of service outages, ITIL SO helps organizations make full use of their services.

ITIL SO processes support an organization's security policy by ensuring proper access management, and they also produce operational data for use by other ITIL processes. Providing quick, effective access to standard IT services is another benefit. Finally, SO provides a framework for automating repetitive operations, which increases efficiency and makes better use of staff.

The post ITIL Service Operation Processes: A Brief Introduction appeared first on .

Criminals Hack Forum Used for Trading Stolen Credentials

This is really interesting: a popular online forum that hackers have been using to trade stolen credentials has itself been hacked!

Reports confirm that OGusers, a popular online forum used by hackers to trade stolen account credentials, has been hacked and that sensitive personal data of many of its users has been exposed.

Brian Krebs writes, in his website KrebsOnSecurity, “Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.”

It all started on May 12, when an OGusers administrator told forum members that an outage had caused a hard-drive failure, wiping out several months' worth of private messages, forum posts and prestige points, and that he had restored a backup from January 2019. What the OGusers administrators apparently did not realize was that, coinciding with the outage, the forum's user database had been stolen and its hard drives wiped. Four days later, on May 16, the administrator of the rival hacking community RaidForums uploaded the entire OGusers database for anyone to download for free.

The KrebsOnSecurity report quotes the message that RaidForums administrator Omnipotent has posted. It reads, “On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

Brian Krebs further says, “The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).”

Experts point out that although the exposed passwords are hashed, the hash function used was MD5, an old and very fast algorithm that has long been unsuitable for password storage. Salted or not, MD5 hashes can be tried at billions of guesses per second on commodity GPUs, so every account protected by a weak or reused password is at risk of exposure.
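To see why a table of salted MD5 hashes still "puts all passwords at risk", here is an added example; it is not code from OGusers, from the forum software, or from the KrebsOnSecurity report. The hash layout md5(md5(salt) . md5(password)) is an assumption standing in for a typical forum scheme, since the article does not name the software, and the usernames, salts and wordlist are constructed for the demonstration.

```php
<?php
// Added example: a dictionary attack on a leaked table of salted MD5 password
// hashes, beside the same attack against bcrypt. Not code from OGusers or from
// the KrebsOnSecurity report. The hash layout below is an ASSUMPTION standing in
// for a typical forum scheme; the article does not name the forum software.

// Assumed forum scheme: md5(md5(salt) . md5(password)).
function forum_md5_hash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// Constructed sample rows in the shape of a leaked user table (username, salt,
// hash). Nothing here comes from the real leak.
function sample_rows(): array
{
    $seed = [
        ['alice', 'qW3rTy', 'password1'],   // weak: in any wordlist
        ['bob',   'Zx9pLm', 'letmein'],     // weak: in any wordlist
        ['carol', 'n4K2sd', 'Tr0ub4dor&3'], // not in our wordlist, survives
    ];
    $rows = [];
    foreach ($seed as [$user, $salt, $password]) {
        $rows[] = ['user' => $user, 'salt' => $salt, 'hash' => forum_md5_hash($password, $salt)];
    }
    return $rows;
}

// Offline dictionary attack. The per-user salt defeats precomputed tables but
// not this: every candidate is simply re-hashed with each user's own salt, and
// MD5 is cheap enough that a GPU cracker does this billions of times per second.
function crack_md5_table(array $rows, array $wordlist): array
{
    $found = [];
    foreach ($rows as $row) {
        foreach ($wordlist as $candidate) {
            if (hash_equals($row['hash'], forum_md5_hash($candidate, $row['salt']))) {
                $found[$row['user']] = $candidate;
                break;
            }
        }
    }
    return $found;
}

// The same dictionary against a bcrypt hash (password_hash with a cost factor).
// Each guess now costs 2^cost rounds of key setup instead of one MD5 call.
function crack_bcrypt_hash(string $bcryptHash, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (password_verify($candidate, $bcryptHash)) {
            return $candidate;
        }
    }
    return null;
}

$wordlist = ['123456', 'password', 'password1', 'letmein', 'qwerty', 'dragon']; // constructed
$rows = sample_rows();

$t = microtime(true);
$found = crack_md5_table($rows, $wordlist);
printf("salted MD5: cracked %d of %d accounts in %.5f s -> %s\n",
    count($found), count($rows), microtime(true) - $t, json_encode($found));

$t = microtime(true);
$hit = crack_bcrypt_hash(password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 12]), $wordlist);
printf("bcrypt (cost 12): %d guesses took %.3f s, recovered %s\n",
    count($wordlist), microtime(true) - $t, var_export($hit, true));
```

Run it with the PHP command-line interpreter. The salted MD5 run recovers the two weak passwords in a fraction of a millisecond, while the third account survives only because its password is not in the wordlist; the bcrypt run needs on the order of a second for a handful of guesses, which is the cost a password hash is supposed to impose on an attacker. The salt only prevents precomputed tables from being reused across users; it does nothing against a per-account dictionary run.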

Since OGusers is known as a forum that attracts people who hijack phone numbers in order to take over victims' social media, financial and email accounts, and who sell such access for thousands of dollars, the exposure caused shock across the community. Anxious members responded promptly and, as Brian Krebs reports, some of them complained of being targeted by phishing emails. Some members also expressed anger at the main administrator of OGusers, who uses the nickname 'Ace', claiming that he altered the forum's functionality after the hack so as to prevent users from deleting their accounts.

On the other hand, an OGusers administrator reportedly commented after the hack was disclosed that, while members' frustration is understandable, even Twitter, Facebook and other forums people have used have been breached more than once.

Brian Krebs concludes his report with a very relevant remark. He says, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”


Ireland And Its Evolving Cybersecurity Issues

Ireland experienced a steep decline in malware infections in 2018, and especially in ransomware cases, compared to 2017. The European country of almost 5 million people mirrors the global trend: cybercriminals are shifting from disruptive and destructive ransomware to silent but very profitable phishing and cryptojacking. Ireland recorded a monthly infection rate of just 1.26% in 2018, one of the lowest in Europe and one of the lowest globally.

This is a sharp contrast to 2017, when millions of computers worldwide were infected by ransomware, most notably WannaCry and NotPetya. Cryptojacking is easy to deploy and very difficult to detect, because it is basically a program that consumes CPU/GPU resources like any other program on the device. The difference is that the consumed CPU/GPU time produces no useful output for the user; it is spent computing hashes in an attempt to mine cryptocurrency for the attacker.

“While we have seen a welcome drop in ransomware and malware attacks, it would be a mistake to assume the level of the cyber threat to Irish organizations has also decreased. We are seeing major behavioral change amongst criminal hackers, who want access to a victim’s computer and an organization’s network to access data, but also use their computing power to mine for cryptocurrency. This is about playing the long game and exploiting people’s lack of training and understanding when it comes to cybercrime. Microsoft’s analysts predict phishing will continue to be an issue for the foreseeable future for that reason,” explained Des Ryan, Microsoft Ireland’s Solutions Director.

To add insult to injury, Microsoft underscored that many private and public entities in the country lack adequate staff training in cybersecurity. The same vulnerable companies also practice lax IT security protocols, a trait that lets a small failure grow into a major incident.


Law Enforcement Operation Dismantles GozNym Banking Malware

An international law enforcement operation has led to the dismantling of the global cybercrime network that used the GozNym banking malware to steal money from bank accounts around the world.

TechCrunch reports, “Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.”

Prosecutors stated, at a press conference held in The Hague, that ten defendants in five countries have been charged with using the GozNym malware to steal money from over 41,000 victims, including businesses and financial institutions. Of the ten, five have been arrested in Moldova, Ukraine, Bulgaria and Russia, while the remaining five, all Russians, are on the run. The leader of the cybercrime network and his technical assistant are being prosecuted in Georgia.

TechCrunch security editor Zack Whittaker writes, “All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April in his role in the GozNym malware network.”

He adds, “The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.”

The victims of the GozNym attacks have not been named, but it is reported that in the U.S. at least 11 businesses, including two law firms and a casino, plus a church, were impacted.

The GozNym banking malware was built from two existing malware families, Gozi and Nymaim, and spread across the U.S., Germany, Poland and Canada. It first emerged in 2016 and has hit dozens of banks and credit unions since. The leader of the network built it from the code of the two families, both of which had their source code leaked years earlier, then recruited accomplices and advertised GozNym on Russian-speaking forums.

The TechCrunch report explains how GozNym, described as malware "as a service", worked: “The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.”

The report further says that according to prosecutors, the GozNym network was “hosted and operated through a bulletproof service, a domain and web hosting known for lax attitudes toward cybercrime and favored by criminals.”

An administrator of the "Avalanche" network, an infrastructure platform that provided services to over 200 cybercriminals and was dismantled in 2016 in a German-led operation, had also provided bulletproof hosting to the GozNym network. He will face prosecution in Ukraine, where his apartment is located, for that role.


Hackers Inject Scripts in WordPress Live Chat Plugin

Site administrators using WP Live Chat Support for WordPress are advised to upgrade the plugin to the latest version to close a stored (persistent) cross-site scripting (XSS) vulnerability that can be exploited without any authentication.

Installed on more than 60,000 websites, the plugin is presented as a free customer-engagement and live-chat solution.

The danger of automated attacks

Sucuri researchers discovered that versions of the plugin earlier than 8.0.27 are vulnerable to a persistent XSS issue that can be exploited remotely by an attacker who does not have an account on the affected site.

Because no authentication is needed on the target site, attackers can automate the attack and reach many more victims. Given the plugin's popularity, scanning for vulnerable installations and compromising them takes very little effort.

XSS flaws are serious because they allow an attacker to place malicious code on a website or web application, which can then be used to compromise visitors' accounts or to serve them modified pages.

XSS is persistent (stored) when the malicious code is saved in a location on the server, for instance in user comments, and echoed back to every visitor. When a user loads the infected page, the browser parses the malicious code and executes the attacker's instructions.

Sucuri's write-up explains that the flaw stems from an unprotected "admin_init" hook, a common weakness in WordPress plugins: WordPress fires this hook for requests to certain admin endpoints even when the visitor is not logged in.

The researchers say that the wplc_head_basic function did not use the appropriate authorization controls to update the plug-in’s settings.

“Because the ‘admin_init’ hooks can be called by visiting /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker can use these endpoints to get the ‘wplc_custom_js’ [option] updated arbitrarily,” Castro details.

The content of that option is included on every page that loads the live chat widget, so an attacker who reaches a vulnerable site can inject JavaScript into many of its pages at once.
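The bug class Sucuri describes, reduced to a minimal plugin, as an added example: this is not WP Live Chat Support's code and not Sucuri's proof of concept. All example_* function names and the 'example_custom_js' option are invented for the illustration; admin_init, wp_head, add_action, update_option, get_option, wp_unslash, current_user_can and check_admin_referer are standard WordPress APIs. The vulnerable handler and the hardened handler are shown side by side; only the hardened one is registered, so the file can be dropped into wp-content/plugins as-is.

```php
<?php
/*
 * Plugin Name: Example Settings Hook (added illustration)
 *
 * Added example of the bug class described in the article. This is NOT WP Live
 * Chat Support's code and NOT Sucuri's proof of concept. All example_* names and
 * the 'example_custom_js' option are invented for this illustration. admin_init,
 * wp_head, add_action, update_option, get_option, wp_unslash, current_user_can
 * and check_admin_referer are standard WordPress APIs.
 */

/* ---------- Vulnerable pattern ---------------------------------------- */

// 'admin_init' fires for /wp-admin/admin-post.php and /wp-admin/admin-ajax.php
// BEFORE any login check, so an anonymous visitor can reach this callback with a
// single POST request. Nothing here verifies who is asking or whether the request
// came from the plugin's own settings form.
function example_vuln_save_settings()
{
    if (isset($_POST['example_custom_js'])) {
        // Stored verbatim, exactly as the attacker supplied it.
        update_option('example_custom_js', wp_unslash($_POST['example_custom_js']));
    }
}
// The vulnerable plugin would register it like this (left unregistered here):
// add_action('admin_init', 'example_vuln_save_settings');

// The option is later echoed into every front-end page that loads the widget,
// so whatever was stored runs in every visitor's browser: stored XSS.
function example_print_custom_js()
{
    echo "<script>\n" . get_option('example_custom_js', '') . "\n</script>\n";
}
add_action('wp_head', 'example_print_custom_js');

/* ---------- Hardened pattern ------------------------------------------ */

function example_safe_save_settings()
{
    // 1. React only to this plugin's own settings form, not to every admin_init.
    if (!isset($_POST['example_settings_submit'])) {
        return;
    }
    // 2. Authorization: whoever is posting must hold the capability the settings
    //    page requires. Anonymous visitors and low-privilege users stop here.
    if (!current_user_can('manage_options')) {
        return;
    }
    // 3. CSRF protection: the settings form emits wp_nonce_field('example_save_settings');
    //    check_admin_referer() aborts the request if the nonce is missing or stale,
    //    so an administrator cannot be tricked into submitting an attacker's value.
    check_admin_referer('example_save_settings');

    $js = isset($_POST['example_custom_js']) ? wp_unslash($_POST['example_custom_js']) : '';
    update_option('example_custom_js', $js);
}
add_action('admin_init', 'example_safe_save_settings');
```

Against the vulnerable handler an attacker needs nothing more than one POST to /wp-admin/admin-post.php with a body of example_custom_js=<script>...</script>: WordPress runs admin_init, the value is stored, and the next visitor executes it. Output escaping is not the fix here, because the option exists precisely to hold administrator-supplied JavaScript; the fix is the capability check plus the nonce, or registering the option through the WordPress Settings API (register_setting with the form posting to options.php), which performs both checks for you.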

Sucuri informed developers of the plug-in on April 30 and a corrected version was released on Wednesday.


Laptop Running Six Most Dangerous Malware up for Auction

This is news: a laptop containing six of the most dangerous malware strains created to date is up for auction.

A Samsung NC10-14GB 10.2-inch blue netbook containing six malware strains that together have caused an estimated $95 billion in damage over the years has been put up for auction. The laptop has been isolated and air-gapped to prevent the malware it contains from spreading. (Experts may be cynical about how much air-gapping really guarantees, but, technically speaking, it is supposed to curb the spread of malware.)

It is illegal in the U.S. to sell malware for operational purposes. The seller of the malware-packed laptop, according to reports, has found a way around this by calling it art. The laptop, which runs Windows XP SP3, is now titled 'The Persistence of Chaos'.

A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”

The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”

The six strains of malware that the laptop contains are

WannaCry – The ransomware that spread around the world and made a devastating impact on over 200,000 computers in over 150 countries.

Mydoom – The fastest-spreading email worm to date, first seen in January 2004. It spread mainly by sending itself as junk email from infected computers, disguised as a transmission error message.

Sobig – First detected infecting computer systems in August 2003, this malware, which is both a worm and a trojan, was the second-fastest-spreading worm as of 2018. It deactivated itself in September 2003.

BlackEnergy – First seen in 2007, it originally built botnets for executing DDoS attacks and was distributed via email spam. Later versions dropped a malicious DLL component directly into the local application data folder.

ILOVEYOU – This malware spread through an email attachment named 'LOVE-LETTER-FOR-YOU.txt.vbs', sent from each infected user's mailbox to everyone in their address book. Once the attachment was opened, a script ran that overwrote files of various types (Office files, audio files, image files, etc.). Seen since May 2000.

DarkTequila – Active since 2013 and seen impacting systems in Latin America, it spreads through spear phishing and infected USB drives. Attackers use DarkTequila to steal corporate data, bank credentials and personal data.

Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”

This is a relevant observation, because a laptop that really does carry all the malware it claims to, changing hands at auction, is in every respect a worrying thing.


Best 5 Nintendo 3DS Emulator for Android, iOS & PC

The Nintendo 3DS was launched on February 26, 2011, in Japan, with the rest of the world following shortly after. Less than six months later, Nintendo announced a significant price drop. Nintendo had been experimenting with stereoscopic 3D video games since the 1980s.

Nintendo didn't taste great success with 3D initially, but it continued to innovate, and in 2010 it announced the first console in the Nintendo DS family with official 3D support, which went on to achieve great success.

Today we’ll talk about the few best 3Ds emulators for Android and PC that will help you play Nintendo games on your phone or PC, and you will not have to change any settings. If you want the new Nintendo Switch emulator, it is also available.

Best 3DS Nintendo Emulators for PC, Mac, and Linux.

1. nds4droid 

nds4droid is a free Nintendo DS emulator. It is still in its infancy, but supports many features you’d expect like save states and sound. It also supports the OUYA game console.

One of the best things about Nds4droid is that the application is open source, so any user can download it without paying anything and even change its code. Loading ROMs are exactly the same as it would be with any other emulator.

Nds4droid supports some video games, but it has its limitation. Some work perfectly, while others have problems with the emulator. Final Fantasy IV, for example, works well, but with a frame rate that is less than desirable.

Nds4droid is a powerful emulator for the Nintendo DS. It does not yet support the full catalog of Nintendo DS games, but you can still play excellent titles.

2. Drastic 3ds Emulator for Android

It is one of the fastest Android emulators and plays Nintendo games at full speed. It can render 3D graphics at twice the native resolution, giving a smooth gaming experience, and it handles most popular games with ease. Even high-end graphics look good on a smartphone. Its many features include screen layout customization, Google Drive support, fast-forwarding, controller customization, and support for both software and hardware controllers.

3. Citra 3Ds Emulator For Windows

Citra is a work-in-progress 3DS emulator. Citra can currently emulate, with varying degrees of success, a wide variety of different homebrew programs and commercial software. It is compatible with multiple platforms such as Windows, Mac OS X, and Linux, the developers constantly work with the stability issues for the tool and it offers maximum features when compared to other emulators in the market.

4. NeonDS (for Windows)

NeonDS (for Windows) is a Nintendo DS emulator that allows you to play old commercial DS games on a Windows computer. The mouse stands in for the stylus of the Nintendo DS handheld. The Nintendo DS was the first portable console with two screens, one of them a touch screen. NeonDS emulates the Nintendo DS and lets you play DS games on your computer.

5. 3DS emulator app for iOS

The 3DS emulator for iOS is said to install on recent iOS 11 releases without jailbreaking, and the apps claim to give access to paid Nintendo games for free. The Nintendo 3DS emulator for Apple's operating system is described as a framework that lets users recreate an environment similar to the 3DS console on their iOS phone or computer, supposedly fully functional, without obstacles or bugs, so that games look the same as on a 3DS. Treat such claims with caution: an unofficial, sideloaded app that promises paid games for free is a classic lure for pirated or malicious downloads, so install emulators only from sources you trust.

Source: https://gbhackers.com/working-nintendo-3ds-emulator-2019/


The Sad State of New Zealand’s Cyber Attack Readiness

The New Zealand Financial Innovation & Technology Association (FinTechNZ), a financial-technology industry body, has exposed an alarming situation: only around 6% of companies based in New Zealand have a reasonable level of cybersecurity defense infrastructure and readiness in place. That is very low considering the number of multinational companies with a local branch office in New Zealand and the government's eagerness to see its IT security requirements complied with, both by its own agencies and by businesses operating within the country.

“We need to increase protection against attacks, especially bearing in mind that more than 90 percent of New Zealand companies are small businesses. New Zealand is not exempt from major cyber-attacks which could impinge on the economy and livelihood as a nation. We need to understand the multi-dimensional nature of cyber threats and key issues that government and private sector face,” explained James Brown, FintechNZ’s General Manager.

New Zealand's NCSC recorded at least 347 cybersecurity incidents and attacks in its latest reporting period, July 2017 to June 2018, the majority of which were attributed not to private criminal hacking groups but to groups allegedly funded by hostile states.

“Cyber risks are a borderless challenge and we can always improve on national preparedness in our cyber-attack strategy. We want to ensure the cybersecurity of our national infrastructures, our businesses and people. Cyber-crime is rising and is increasingly being identified as a top threat to New Zealand, as criminals, rogue nations and others in the darknet seek to strike and disrupt at any moment. The tech sector epitomises Kiwi ingenuity and entrepreneurial flair. With exports amounting to nearly $7 billion and total revenue predicted exceeding $10 billion in 2017, the industry is an integral part of the New Zealand economy,” concluded Brown.

Unlike the nuclear arms race, which ran from the early Cold War to the late 1990s in full public view, cyberwarfare has been raging between states for quite a while now without the ordinary person's knowledge. Whether described as cyber espionage or digital hijacking, each country engaged in cyber warfare has its own goals in mind, which makes it very difficult to read why it acts against other nations.


Apple’s Secure iOS Enclave, Too Secure To Secure

Apple's secrecy about the overall architecture of iOS devices, and the iPhone in particular, is both a strength and a weakness when it comes to security and privacy. Hackercombat.com reported yesterday that the WhatsApp spyware put the app's 1.5 billion users, on both iOS and Android, at risk. The openness of Android has been blamed for a decade of malware proliferation, but the same trait gives Google an easier time making quick adjustments to Google Play Protect, Android's built-in anti-malware system.

With the demise of BlackBerry devices as the official government smartphone, iOS devices took over, vulnerabilities included. An old, unpatched version of WhatsApp on an iPhone essentially turns the device into a prolific cyber-espionage tool. Apple boasts that its iOS devices, the iPhone in particular, rely on a Secure Enclave and ship locked down out of the box. The problem is that they are locked down to the point where users have no way to determine whether the device is already spying on their activity.

“To exacerbate the situation, payloads are often tested and perfected for weeks or more before deployment, thus ensuring a high chance of exploitation, and, inversely, a low chance of detection—especially in the case of ‘0 click’ attacks requiring no user interaction,” said Jonathan Levin, iOS independent researcher.

This is partly due to the lack of documentation on how the Secure Enclave actually works, which runs counter to the interest of users who want to scan their device for infections. (Strictly speaking, the Secure Enclave is the coprocessor that protects cryptographic keys and biometric data; what really prevents inspection is iOS's app sandbox and its refusal to give any app low-level access to the system, which the rest of this piece describes.) Apple does not allow antivirus apps in the App Store, and even if that changed in the future, the architecture stops any app from touching the Secure Enclave. The WhatsApp spyware episode is an eye-opener for the industry: on Android, mitigation methods are available from the outset, even before Google issues a patch.

“The simple reality is there are so many 0-day exploits for iOS. And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones,” explained Stefan Esser, a cybersecurity researcher.

All an iOS device user can do is to launch the App Store, hoping that the vulnerable app has an update from the developer. There is no mitigation method a user can do in order to prevent cyber espionage, as iOS devices prohibit low-level access to the device. Users cannot even download a specialized app to “monitor” the operations of the phone and issue a status report, as such app requires low-level access to the hardware that the iOS devices prohibit.

“These security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology. Because of this, we are rarely able to confirm infections of those who we even already suspect being targeted. Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders,” emphasized Claudio Guarnieri, Amnesty International’s Technologist.

Source: https://www.vice.com/en_us/article/pajkkz/its-almost-impossible-to-tell-if-iphone-has-been-hacked


A Quick Glimpse On The WhatsApp “Spyware” Issue

The embattled Facebook is facing another huge setback this week: WhatsApp, the iOS/Android messaging app it acquired, has been hit by a spyware campaign. Attackers exploited a serious vulnerability in the app's voice-calling feature to silently install spyware on targeted phones, and the victim did not even need to answer the call. The spyware is attributed to NSO Group, a surveillance-software vendor based in Israel. Once installed, it has device-wide access: it acts as a RAT (Remote Access Trojan), can activate the front and back cameras, read emails, SMS and MMS, and access the user's contacts.

The issue is cross-platform: WhatsApp for iOS and Android were both affected, as were the versions for smaller platforms such as the already deprecated Windows Phone and Samsung's Tizen. The only visible sign that a user has been targeted is a run of dropped or missed calls in the app. Because the spyware can conduct full cyber espionage on the phone, any unpatched WhatsApp installation is unsafe to use for instant messaging and voice calls.

Meanwhile, NSO Group strongly denies the allegations; its spokesperson went public saying: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.“ Following the incident, Facebook is urging all 1.5 billion WhatsApp users to install the patched version of the app from the Google Play Store or App Store (uninstalling and reinstalling from the store achieves the same), log back in to their account and reset their password. U.S. law enforcement agencies are already on the case, helping Facebook uncover more details of the spyware campaign.

The innocence of NSO Group is being challenged by Amnesty Tech, expressing concerns about this new type of attack vector that harms mobile users. “NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” emphasized Danna Ingleton, Amnesty Tech’s Deputy Director.

This WhatsApp trouble comes in the wake of Facebook proudly announcing a "privacy first" end-to-end encryption initiative for its other messaging product, Facebook Messenger. The company also recently announced the eventual merger of the WhatsApp, Instagram and Facebook messaging infrastructure, which would essentially turn them into a single product.

Apple's iOS and Google's Android are both configured by default to download app updates automatically as soon as the publisher posts a new version; this is usually only disabled by advanced users in the settings of their respective app stores. Hackercombat.com strongly recommends that all WhatsApp users confirm they are on the patched version and reset their password, and, if convenient, also reset the passwords for their Facebook and Instagram accounts. Though the infrastructure merger is not yet complete, as the plan is still in the pipeline, it is better to be safe than sorry.

Source: https://gbhackers.com/whatsapp-hacked-iphone-or-android/


Chinese National Indicted For Anthem’s 2015 Massive Data Breach

Prosecutors from the U.S. Department of Justice found probable cause to charge 32-year-old Fujie Wang, a Chinese national, as allegedly responsible for the data breach at Anthem, a health insurance firm, four years ago in 2015. The incident resulted in Anthem losing control of at least 78.8 million records. Accused of being a member of a Chinese hacking syndicate, Wang now faces four counts:

  • Intentional damage to a Protected Computer
  • Conspiracy to Commit Wire Fraud
  • Conspiracy to Commit Fraud
  • And other Related Activity in Connection with Computers

In 2015 Anthem confirmed that 78.8 million of its customers had their information stolen, including full names, birth dates, addresses, employment information with its corresponding income data, medical information and Social Security numbers. Aside from Wang, the other suspects, still at large at the time of writing, were known by the online aliases Zhou Zhihong, Kim Young and Deniel Jack.

Before Wang was arrested, the Federal Bureau of Investigation posted a wanted notice to inform the public that the authorities were looking for him (the FBI wanted poster accompanies the original post).

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personal identifiable information,” explained Brian Benczkowski, U.S. Assistant Attorney General.

Unlike a typical breach, where an attacker exfiltrates the information stored on the target company’s website, cloud storage or server in a single, large event, Wang’s team was very deliberate in its infiltration, using stealthy techniques. The DOJ’s decision to indict coincides with the current trade negotiations between China and the United States, which aim to ease, if not end, the trade war between the world’s two largest economies.

Aside from Anthem, Wang also faces charges for infiltrating three more businesses, which the DOJ has declined to name but hinted were in the communications, technology and basic industrial materials sectors respectively. Anthem was also lax in training its employees on cybersecurity topics such as anti-phishing techniques that minimize the chance of falling for online fraud and scams. The primary theory of how Anthem’s systems were infiltrated is that an employee with privileged access opened a malicious email; through clever social engineering, the email’s contents convinced the user to open a phishing link or an attachment containing a malware dropper.

On October 20, 2018, hackercombat.com broke the story of Anthem’s decision to pay its affected stakeholders $16 million as a settlement for the data breach. It was labeled the “biggest sum gathered by the government in a healthcare data breach”. The settlement followed Anthem’s verification of its own systems, and most of the amount will pay for credit monitoring and identity theft protection for all affected customers.

Source: https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/


Microsoft SharePoint Servers Actively Targeted By Hackers

Hackers are actively exploiting a recently patched remote code execution vulnerability in Microsoft SharePoint Server to plant the China Chopper web shell, which lets them run arbitrary commands on the compromised server.

Canadian and Saudi Arabian cybersecurity agencies have raised awareness about the ongoing attack, which targets outdated systems.

The vulnerability, tracked as CVE-2019-0604, affects all versions from SharePoint Server 2010 to SharePoint Server 2019. Microsoft patched it in February and released further security updates on March 12 and again on April 25.

Microsoft’s advisory describes the impact: “An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”

In this campaign, the attackers used the China Chopper web shell to access the compromised servers remotely, issue commands and manage files on the victim server.

The web shell allows an attacker to upload and download arbitrary files on the compromised server and to edit, delete, copy, rename and even change the timestamps of existing files.

AlienVault security researcher Chris Doman tweeted about the ongoing campaign and published some additional IoCs:

SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn

— chris doman (@chrisdoman) May 9, 2019

According to the cybersecurity agencies, the targeted industries are the academic, utility, heavy industry, manufacturing and technology sectors.

Mitigations

Organizations running SharePoint servers are advised to update them to address the vulnerability.
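Two defender-side checks that follow from the web shell behaviour described above (an unexpected .aspx page appearing on the server, and a planted file whose timestamps were altered), as an added example that is not code from the source article or from Microsoft; the SharePoint hive path, file names and times in it are constructed sample data.

```python
"""Flag candidate web shell files in a SharePoint/IIS web root listing.

Added example, not code from the source article or from Microsoft. The
paths, times and baseline below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: datetime   # NTFS creation time
    modified: datetime  # NTFS last-write time


def flag_web_shell_candidates(entries: list[FileEntry], baseline: set[str],
                              tolerance: timedelta = timedelta(seconds=2)) -> dict[str, list[str]]:
    """Return {path: [reasons]} for files that merit a closer look.

    Check 1: an .aspx page that is not in the known product baseline
             (to IIS a dropped web shell is just one more .aspx page).
    Check 2: a last-write time earlier than the creation time, the
             inconsistency that back-dating a planted file usually leaves.
    """
    known = {p.lower() for p in baseline}
    findings: dict[str, list[str]] = {}
    for entry in entries:
        reasons = []
        path = entry.path.lower()
        if path.endswith(".aspx") and path not in known:
            reasons.append("aspx page not in baseline")
        if entry.modified + tolerance < entry.created:
            reasons.append("modified before created (possible timestomp)")
        if reasons:
            findings[entry.path] = reasons
    return findings


# Constructed sample listing; LAYOUTS is the usual SharePoint 2016 hive path.
LAYOUTS = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
T0 = datetime(2019, 5, 1, 9, 0, 0)
SAMPLE_BASELINE = {LAYOUTS + r"\upload.aspx", LAYOUTS + r"\error.aspx"}
SAMPLE_LISTING = [
    FileEntry(LAYOUTS + r"\upload.aspx", T0, T0 + timedelta(days=3)),  # normal edit
    FileEntry(LAYOUTS + r"\error.aspx", T0, T0),  # untouched
    FileEntry(LAYOUTS + r"\web.config", T0 + timedelta(days=8), T0 - timedelta(days=400)),  # back-dated
    FileEntry(LAYOUTS + r"\help2.aspx", T0 + timedelta(days=8), T0 - timedelta(days=400)),  # dropped shell
]
```

A real baseline would come from a clean reference install or the product’s file manifest; the two-second tolerance absorbs filesystem timestamp granularity so ordinary copies are not flagged.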

Indicators of compromise (SHA256, SHA1 and MD5 hashes, two web shell filenames and one IP address) are listed in the source article linked below.
Source: https://gbhackers.com/hackers-microsoft-sharepoint-servers/


Cyber Attacks Stopped By An Israeli Bomb

Justice, Israel style: the final judgment of the Israel Defense Forces (IDF) against cyber attackers was decisive and literally ended with a bang. The contest over the Gaza Strip between Israel and Palestinian Hamas has gone on for decades, but according to Israeli military intelligence, the latter also houses an elite hacker unit in the areas it controls in the Strip. An official video of the airstrike against a building occupied by Palestinian hackers was released by the IDF on Twitter.

It shows the target building from an overhead camera; the building is suddenly reduced to a pile of rubble after the IDF airstrike. Though it is not yet known how many people died inside the building, the IDF is very confident that it housed a considerable elite hacker team maintained by Palestinian jihadists.

“At the end of last week, a joint operation by the General Security Service and the IDF thwarted Hamas’ attempt to use the cyber dimension to hit Israeli targets. Following the technical counterterrorism activities, IDF fighter jets attacked a building from which Hamas’s cyber network operated. We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” explained IDF in Twitter (through Google Translate).

The IDF has not revealed who the leaders of the elite hacker group were, or what particular cybercrime they committed against Israel to justify the military bombing. An IDF leader who wished not to be named underscored the importance of staying ahead of their enemies. He was pleased that Israeli forces were able to stop cyber attacks through a physical strike against the structure occupied by the hacker group.

“Hamas no longer has cyber capabilities after our strike. After dealing with the cyber dimension, the Air Force dealt with it in the physical dimension,” emphasized Brig. Gen. Ronen Manlis.

Aside from the hacker group, the IDF’s other target was Hamed Ahmed Abed Khudri, allegedly the person behind the funding and the illegal transfer of funds from Iran to the IDF’s enemies in the Gaza Strip. The Palestinian Islamic Jihad has been linked to numerous money-laundering activities; because its organization is cellular in structure, anyone tasked with pinning down identities has a hard time.

“Transferring Iranian money to Hamas and the PIJ [Palestinian Islamic Jihad] doesn’t make you a businessman. It makes you a terrorist,” added IDF.

“Immediately assessing the level of conflict in such a dynamic situation is impossible. However, military activity working along laws of armed conflict should consider principles of proportionality when using force. The scarce official announcement suggests that the potential cyberattack has been thwarted using technical means. That will make analysts wonder what was the point, and justification grounds for using kinetic force. That said, the view that people involved in cyber activity linked to a conflict need to be aware of such risks to them has been more and more crystallizing over the last years,” said Dr. Lukasz Olejnik, Research Associate at the Center for Technology and Global Affairs, Oxford University.

Source: https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html
