Author Archives: Sandhya Chauhan

Malware Campaigns Attacking Asian Targets Using EternalBlue and Mimikatz



Asian targets are falling prey to a cryptojacking campaign which takes advantage of 'Living off the Land' (LotL) obfuscated PowerShell-based scripts and uses EternalBlue exploit to land Monero coinminer and Trojans onto targeted machines.
At the beginning of this year, a similar malware campaign was identified by the research team of Qihoo 360; reportedly, the campaign was targeted at China at the time. Open source tools such as PowerDump and Invoke-SMBClient were employed to carry out password hashing and execute hash attacks.
The campaign resorts to an exploit which uses SMBv1 protocol which was brought into the public domain by the Shadow Brokers a couple of years ago. It has now become one of the standard tools used by the majority of malware developers.
Referenced from Trend Micro’s initial findings, the aforementioned cryptojacking campaign was only targeting Japanese computer devices but eventually the targets multiplied and now they encompassed Taiwan, India, Hong-Kong, and Australia.
Trend Micro’s research also stated that the EternalBlue exploit, developed by NSA is a new addition into the malware; alongside, they drew a co-relation between the exploit and the 2017 ransomware attacks.  
How does the malware compromise computers?
With the aid of "pass the hash" attacks, it inserts various infectious components into the targeted computer by trying multiple weak credentials in an attempt to log in to other devices which are connected to that particular network.
Upon a successful login, it makes changes in the settings concerning firewall and port forwarding of the compromised machine; meanwhile, it configures a task which is scheduled to update the malware on its own.
Once the malware has successfully compromised the targeted computer, it goes on to download a PowerShell dropper script from C&C server and then it gets to the MAC address of the device and terminates the functioning of all the antimalware software present on the system. Immediately after that, it furthers to place a Trojan strain which is configured to gather the information of the machine such as name, OS version, graphics detail, GUID and MAC address.
“We found the malware sample to be sophisticated, designed specifically to infect as many machines as possible and to operate without immediate detection. It leverages weak passwords in computer systems and databases targets legacy software that companies may still be using,” said Trend Micro.
Trend Micro advises users and enterprises to, “use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable multi-layered protection the system that can actively block these threats and malicious URLs from the gateway to the endpoint.”



Dark Data as a Subset of Big Data Proving to be of Importance



Any data which is disregarded and still remains stored without being indexed anywhere is known as Dark Data, it has a tendency to get lost as it disappears for the researchers first. It has been gathered by organizations unintentionally and therefore it is unstructured in nature, it is not accessible to the public and is neither employed for any decision making.

The primary reason for the generation of dark data is the accumulation of bulk of data and only a small part of it being selected for analysis. Data is generated very rapidly; with every user clicking on a link, data is being generated which is analyzed by the corporations to better their businesses. However, they require only a limited amount of data that is structured and then kept as a record in databases whereas the remaining unstructured data is lost amid other data which is not indexed.

Out of 7.5 sextillion gigabytes of data generated throughout the world on a daily basis, 6.75 Septillion megabytes is left unprocessed and goes as dark data which further remains stockpiled in data repositories. The lack of required tools for analysis is another reason for the generation of dark data.

Referenced from the statements given by Bob Picciano, Senior VP of Analytics at IBM, “Data that is difficult to work with creates a high barrier to entry. People typically forego trying to get any information out of it. About 90% of data generated by most sensors and other sources on the market never get utilized, and 60% of that data loses its true value within milliseconds.”

Dark data can be employed by an organization to gain valuable insights which are even more valuable than the insights they are gaining presently, dark data is a subset of big data in a way and can be used for multiple purposes such as to analyze the network security in an environment.


Electricity Wastage Leading to a Ban on Cryptocurrency Mining in China



In the wake of cryptocurrency mining being listed as one of the hazardous and wasteful activities by China’s central state planner, the National Development and Reform Commission, Chinese government has decided to ban cryptocurrency mining in the country. China, after remaining the hub of bitcoin mining has now plans drafted to terminate the activity.

The list generated by China’s central state planner included more than 450 activities  which failed to abide by the regulations  and are categorized unsafe for either they lead to a wastage of resources or pollutes the environment.  

Drawing inferences from an anonymous Chinese bitcoin trader, Reuters noted, “Bitcoin mining wastes a lot of electricity,”

Bitcoin, one of the most popular cryptocurrency hit a record high by the end of 2017 and touched $5,000 for the first time ever since November.  This week, it was down by 1.4 percent along with Ripple’s XRP and Ethereum, which fell down by the same margin.

Lately, cryptocurrency has been under inspection in China and eventually, it led to the banning of initial coin offerings and shutting down of local trading exchanges. With electricity being a crucial factor determining the ban, countries with inexpensive electricity have now emerged as the key hosts of cryptocurrency mining.



Fraudsters Gaining Access to Users Mobile Devices to Commit Bank Fraud


With the advent of Unified Payment Services (UPI), the idea of sending money from one bank account to the other without having to top up the sum in the mobile wallet has become a reality. However, with new means of transactions coming up and widening of the horizon of banking operations, there is an even enhanced possibility of bank frauds. Hackers have been continuously coming up with new ways of bypassing security.
ICICI Bank reported that in order to gain remote access of smartphones of various users, cybercriminals trick users into downloading ‘AnyDesk’, an application available on App Store as well as Play Store.
Once the user downloads the app, a nine-digit app code is generated on his mobile device which they are then asked to share with the criminals. After receiving the code, fraudster enters the code onto his mobile and then asks the user to grant him certain permissions. Now, once the criminal gets the permissions, he can access the user’s device with ease.
Users are advised to verify and then install the original UPI app and payment wallets from Apple Store and Google Play Store owned by authenticated companies. Avoid downloading applications from suspicious or unknown sources and consider reading reviews prior to going for the download.
Furthermore, while granting permissions on making the download, one should be highly alert and pay extra attention to the details. Banks suggest having your e-mail ID registered and verified in order to be notified of any illegal action taken on your account.
Other safety tips include getting your SIM card blocked instantly if you happen to misplace your mobile device and logging out of your bank account from the web browser. Lastly, customers should always keep a track of their banking transactions which are sent through SMS, it will allow them to take note of any fraudulent transaction and report it to the bank.  


Apache Httpd 2.4.39 Fixed the Flaw Which Let Users Gain Root Access



A vulnerability in the Apache HTTP server which allows users to write and run scripts in order to gain root on Unix systems was patched in Apache httpd 2.4.39 release.

According to the changelog which was tracked as CVE-2019-0211, all Apache HTTP Server releases were impacted, starting from 2.4.17 to 2.4.38. Additionally, the execution of arbitrary code through scoreboard manipulation has also been made possible.

As the web server is employed for running shared hosting instances, Mark J. Cox, Apache Software Foundation and the OpenSSL project founding member, emphasized on the seriousness of the issue in a Twitter post he made about CVE-2019-0211 security issue.

Users with few permissions on the server would now be able to extend the privileges by making the use of scripts which run commands on defenseless Apache servers as root, Cox further explained.

Along with this major flaw, two other control bypass security vulnerabilities were also patched with the Apache HTTP Server 2.4.39 release.

Besides these three, the latest Apache httpd release also fixed three less severe flaws which potentially could have led to normalization inconsistency issues and crashes.

The privilege escalation vulnerability of significant severity was reported by a security engineer on February 22 along with a response and reportedly a fix have been provided by Apache on March 7.





Mark Zuckerberg’s Previous Facebook Posts Deleted, the Company Blames Technical Errors


The public posts made by Facebook’s CEO Mark Zuckerberg on his personal Facebook profile have been deleted; it included some of the critical updates and important announcements made by the company. All the information shared by Zuckerberg in the year 2007 and 2008 has also vanished.
On being enquired, a spokesperson of Facebook said that these posts which included the major announcements like the one regarding the acquisition of Instagram were erased mistakenly because of some technical errors. Another crucial announcement which was disappeared is Zuckerberg’s promise to keep Instagram free from Facebook.
However, today Instagram is integrated more closely by Facebook than what was said to be. The matter is reported to be escalated to an extent that it led two of Instagram’s co-founders to resign last year.

The deletion of the post where Mark pledged to build and grow Instagram separately is the highlight as Zuckerberg seemingly did not abide by it. 

'Every day, we make decisions about what speech is harmful, what constitutes political advertising, and how to prevent sophisticated cyber attacks.’ Zuckerberg told to The Washington Post.

'These are important for keeping our community safe. But if we were starting from scratch, we wouldn't ask companies to make these judgments alone,' he added.

Referencing from the statements given to Business insider by Facebook’s spokesperson, 'A few years ago some of Mark's posts were mistakenly deleted due to technical errors. The work required to restore them would have been extensive and not guaranteed to be successful so we didn't do it,'

'We agree people should be able to find information about past announcements and major company news, which is why for years we've shared and archived this information publicly — first on our blog and in recent years on our Newsroom.’


US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus. 

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

WhatsApp May Oppose the Demand for Traceability of Messages




The government wants to probe into the sources of inciting and provocative messages and posts which have led to violence across the nation, incidents of lynching and various other controversial issues.

In order to do so, it has proposed certain guidelines that would require Whatsapp to unveil information regarding the origins of messages.

As doing so will contradict the end-to-end encryption WhatsApp provides, the company will oppose the proposed regulations. It will also be violating free speech and privacy rights. 

The intermediary guidelines which are reported to be made public after elections will include jail terms and penalties for heads and officials of various messaging platforms and social media companies for non-compliance.

Reasoning WhatsApp’s failure to act in accordance with the proposed guidelines, a person said, “WhatsApp feels the proposed guidelines are too broad and not in sync with privacy protection norms that are important to people everywhere,”

“What is expected from the rules is just not possible considering the end-to-end encryption the company provides — it would mean a new product.” He added.

The Facebook-owned app, which did not answer all the questions, believes that confidentiality is one of the key aspects of what they have to offer. They feel that gathering private information of users is contradictory to the whole idea of WhatsApp which was primarily designed to keep the conversations private. 

Putting the same into perspective, another person said, “The company will continue to push back against government’s attempts that it feels weaken its end-to-end encryption feature,”

While defending its stance on safety and privacy, WhatsApp previously said, “People rely on WhatsApp for all kinds of sensitive conversations, including with their doctors, banks, and families. The police also use WhatsApp to discuss investigations and report crimes,”  

“Attributing messages on WhatsApp would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. Our focus is on improving WhatsApp and working closer with others in society to help keep people safe.” 

Reasserting the intention of the government, an official told ET, “They don’t or refuse to understand this — we don’t want you to look into the video or the audio or content, just tell us where (it began) or who started it,”

Understanding the concern of national security and integrity, WhatsApp said that it has made essential changes in the product and has addressed misinformation via public education campaigns. Besides that, the company also made necessary alterations like limiting the times a message can be forwarded and letting people exit groups in one tap.

However, the government did not seem to be satisfied with these alterations and has continued to request for traceability.









Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites



Researchers found out that "Social Warfare", a social sharing plug-in powered by Warfare Plugins is infected with a critical Stored XSS Zero-day flaw which allows cybercriminals to place malicious scripts and conquer the assailable WordPress websites.

'Social Warfare' is a social sharing plugin which is essentially used to accumulate more website traffic by receiving more social shares for website developers.

Amidst some of the plugins debugging features, the plug-in carries an exploitable code which assists the payload in being stored in the website's database and reclaimed with every page request.

Referencing from Sucuri research, “These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability."

The exploit which was rampantly distributed across the globe is a critical flaw that has allowed hackers to entirely gain control of the ill-protected websites in the sphere.

As the abuse of the exploit continued, multiple ongoing attempts from over a hundred distinct IPs were noticed by the analysts.

Reportedly, around 70,000 websites have the plugin installed and the attacks are likely to multiply if the flaw is left unpatched. Meanwhile, users are advised by the experts to get an update to version 3.5.3.

Hackers Tracking Location History via Google Photos Vulnerability


A vulnerability has been found in the web version of Google photos which lets malicious websites access the sensitive information related to the photos such as date and geographic coordinates.

On the basis of this metadata information of your photos, they will be tagged by Google photos automatically.

The metadata of any photo allows details to be moved along with the photograph file which is readable by end users, hardware and software.

How the Hack Functions

To begin with, the hackers have to befool the user and trick him into accessing the malicious website while he is logged into his Google Photos account.

As soon as the malicious website opens in the web browser, it generates answers to the questions the attacker has by stealthily generating requests to the Google Photos search endpoint.

As stated in a report by Imperva, the hacker can keep a record of the queries which have been already asked and resume the process from there on upon your next visit onto any of his infectious websites.

Reportedly, the vulnerability has been patched by Google after Imperva brought it to their knowledge.




Most of the Antivirus Android Apps Ineffective and Unreliable



In a report published by AV-Comparatives, an Austrian antivirus testing company, it has been found out that the majority of anti-malware and antivirus applications for Android are untrustworthy and ineffective.

While surveying 250 antivirus applications for Android, the company discovered that only 80 of them detected more than 30% of the 2,000 harmful apps they were tested with. Moreover, a lof of them showed considerably high false alarm rates.

The detailed version of the report showcased that the officials at AV-Comparatives selected 138 companies which are providing anti-malware applications on Google Play. The list included some of the most well-known names like Google Play Protect, Falcon Security Lab, McAfee, Avast, AVG, Symantec, BitDefender, VSAR, DU Master, ESET and various others.

ZDNet noted that the security researchers at AV-Comparatives resorted to manual testing of all the 250 apps chosen for the study instead of employing an emulator. The process of downloading and installing these infectious apps on an Android device was repeated 2,000 times which assisted the researchers in concluding the end result i.e., the majority of those applications are not reliable and effective to detect malware or virus.

However, the study conducted by AV-Comparatives also highlighted that some of the offered antivirus applications can potentially block malicious apps.

As some of the vendors did not bother to add their own package names into the white list, the associated antivirus apps detected themselves as infectious. Meanwhile, some of the antivirus applications were found with wildcards in order to allow packages starting with an extension like "com.adobe" which can easily be exploited by the hackers to breach security.

On a safer side, Google guards by its Play Protect which provides security from viruses on Android by default. Despite that, some users opt for anti-malware apps from third-party app stores or other unknown sources which affect safety on their devices.

The presence of malicious apps on Google Play was also noticed in the past and with the aforementioned study, Android is becoming an unsafe mobile platform.



Google Maps, Gmail, Drive, Facebook and Instagram Suffered Outage




Google addressed an influx of complaints it received from the users regarding the misbehavior of its popular services like Gmail, YouTube, and Google Drive among others. Users all across the world were troubled by the outage of the services they heavily rely upon for various day-to-day activities. 

Though the cause of the outage has not been confirmed, the issues of the users were addressed by Google.

Besides Google, Youtube has also received complaints by its users which it addressed on Twitter telling them that the platform is aware of the service disruption and the problems faced by its users. Alongside, YouTube assured the sufferers that it is already looking into the matter and will come up with a fix.

Notably, YouTubers and content creators were facing problems while uploading videos and viewers were unable to watch the videos smoothly.

Addressing the issues with Google Drive, the company said, “We’re investigating reports of an issue with Google Drive. We will provide more information shortly. The affected users are able to access Google Drive, but are seeing error messages, high latency, and/or other unexpected behavior.”

Similarly, for Gmail, the company stated, we’re investigating reports of an issue with Gmail. We will provide more information shortly. The affected users are able to access Gmail but are seeing error messages, high latency, and/or other unexpected behavior.

Furthermore, Google mentioned in its G Suite Status Dashboard that the issue has been rectified and the services, i.e., Gmail and Google Drive will be functioning properly soon.

“The problem with Google Drive should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.”

While acknowledging the disruptions faced by its Cloud Engine, Google said, “We are still seeing the increased error rate with Google App Engine Blobstore API. Our Engineering Team is investigating possible causes. Mitigation work is currently underway by our Engineering Team. We will provide another status update by Tuesday, 2019-03-12 20:45 US/Pacific with current details.”

On the other hand, Facebook was down for more than 14 hours due to which millions of users across the globe were denied access to the platform. It was on Thursday morning, Facebook along with its associated apps seemed to be regaining operational status.

While Facebook is yet to provide an explanation for the services being disrupted, it said, "We're aware that some people are currently having trouble accessing the Facebook family of apps,"
"We're working to resolve the issue as soon as possible."

Being fallen prey to the same crisis, the issues faced by Instagram users included not being able to refresh the feed and other glitches while accessing the content.

Commenting on the matter, Elizabeth Warren, a potential Democratic candidate in the next US presidential election, said in a statement to New York Times, "We need to stop this generation of big tech companies from throwing around their political power to shape the rules in their favor and throwing around their economic power to snuff out or buy up every potential competitor."







Enterprise VPN Provider Citrix, Hacked; 6TB of Sensitive Data Stolen



Enterprise VPN provider, Citrix, was subjected to a hack which is doubted to have stolen private data pertaining to the company’s technology.

On Friday, Citrix told that FBI informed them about "international cyber criminals" working their way into the organization’s networks.

They were further told that most probably the criminals resorted to the technique of “password spraying” to break into the company’s networks. They did do by appropriately guessing the password to an account which belongs to the company.

The hackers involved are reported to be a part of an Iranian Hacking group which has attacked over 200 companies, along with multiple government agencies, technology firms and gas, and oil companies.

Referenced from a blog post by Resecurity, the cybersecurity firm contacted Citrix in an attempt to warn them about the hack which was on the way.

And, while refraining from telling the origins of the source from where the firm learned of the hack, it said that it "has shared the acquired intelligence with law enforcement and partners for mitigation."

While FBI denied commenting on the matter, Resecurity drew a connection between the hackers and a nation state, "due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."

Citrix expressed a probability of business documents being acquired and downloaded by the attackers and told in a notice, "The specific documents that may have been accessed, however, are currently unknown."

"Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI," the company further included in the notice.


Facebook to be reoriented towards user privacy and encryption says Mark Zuckerberg



On Wednesday, Facebook’s CEO, Mark Zuckerberg put forth a reoriented model of privacy for the social media platform which has continued to encourage generation after generation to share what’s up with their life via pictures and status updates.

In an essay Mark posted on his account, he announced his future plans regarding Facebook which are focused on safety, interoperability, private interactions, encryption, secure data storage and reducing permanence.

After consistently being in news for security issues, the company has finally decided to appropriately position itself for an unknown time which is yet to come. Seemingly, the plan of action has been fuelled by the descending trust of the users and ongoing arguments with regulators across the globe.

Explaining the new model, Zuckerberg told that Facebook would be subjected to a change which would remodel the platform after a living room, where people will have complete control over who can communicate with them and a trust that no one else can access what they share, which is in contrast to the initial model which was based into broadcasting information to large sections.

Referencing from Zuckerberg’s Facebook post, “Public social networks will continue to be very important in people's lives -- for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly. People find these valuable every day, and there are still a lot of useful services to build on top of them. But now, with all the ways people also want to interact privately, there's also an opportunity to build a simpler platform that's focused on privacy first.”

“In a few years, I expect future versions of Messenger and WhatsApp to become the main ways people communicate on the Facebook network. We're focused on making both of these apps faster, simpler, more private and more secure, including with end-to-end encryption. We then plan to add more ways to interact privately with your friends, groups, and businesses. If this evolution is successful, interacting with your friends and family across the Facebook network will become a fundamentally more private experience.”

The subtle and skeptical reactions to Mark’s announcement included privacy advocates questioning about the data that is collected for Facebook’s benefits, they asked if the practice will be minimized. Meanwhile, they asserted on the CEO’s need to talk beyond encryption and prioritize answering the questions on data collection for business purposes.

Referenced from the statements given by Jess Chester, executive director of a nonprofit privacy advocacy group in Washington, “Why does it always sound like we are witnessing a digital version of Groundhog Day when Facebook yet again promises — when it’s in a crisis — that it will do better,”

“Will it actually bring a change to how Facebook continually gathers data on its users in order to drive big profits?" He added.

Commenting on the matter, Jennifer Grygiel, assistant professor of communications at Syracuse University, questioned, “What’s not clear is how they are going to make this transition safely. We have already seen the risks associated with WhatsApp and private encryption in India, for example, where misinformation has led to mobs and the loss of life,”

Studies suggest that consumer trust in Facebook took critical hits due to continuous exploitation of users’ data. In terms of reputation among 100 highly visible public companies, Facebook fell from being 51st to 94th last year. Moreover, certain Facebook user polls implied people entirely getting rid of the app by uninstalling it.

While acknowledging the reduced trust quotient in his post, Zuckerberg wrote, “I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing,” he said. “But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.”


To Zuckerberg’s proposal of a future which would look different, Twitter bore witness to another skeptical remark as Ashkan Soltani, a former Federal Trade Commission official and privacy researcher, said “This move is entirely a strategic play to use privacy as a competitive advantage and further lock in Facebook as the dominant messaging platform.”