Category Archives: Hackers

Evernote Critical Flaw Could Have Impacted Millions of Users

A critical flaw that affected Evernote’s web clipper extension for Chrome could have impacted millions of users.

Reports say that the critical flaw in the popular note-taking extension Evernote could have led to the breach of personal data of over 4.6 million users. Hackers could have exploited the vulnerability to steal personal data including emails and financial transactions of users.

Security researchers at Guardio discovered the vulnerability in the Evernote Web Clipper extension, a widely used tool that lets users capture full-page articles, images, emails, selected text and more.

A blog post by the Guardio research team says, “In May 2019 Guardio’s research team discovered a critical vulnerability in Evernote Web Clipper for Chrome. A logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain. Financials, social media, personal emails, and more are all natural targets. The Universal XSS vulnerability was marked as CVE-2019-12592.”

Hackers exploiting the vulnerability could divert users to a website under their control and, from there, read the users’ private data on affected third-party websites. In their proof of concept (PoC), the Guardio researchers demonstrated access to social media, financial transaction history, private shopping lists and more. Guardio disclosed the flaw to Evernote on May 27; Evernote patched it and deployed a fixed version within a few days, and the fix was confirmed on June 4, 2019.

How the vulnerability gets exploited

In normal operation, the Evernote extension injects JavaScript into the web pages it works on to provide its various features. Because of CVE-2019-12592, a logical coding error that left unsanitized a function used to pass a URL from the site into the extension’s namespace, attackers could inject their own script into those web pages, gaining access to the sensitive user information shown on them.

The Guardio blog post says, “The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker-controlled payload into all iframes contexts…Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.”

In their proof-of-concept video, the Guardio researchers show how the user is first taken to the attacker-controlled malicious website (via social media, email, compromised blog comments and so on), and how that site then silently loads hidden, legitimate iframes of the targeted websites. Each iframe carries an injected payload customized for its target site, which is how the attackers would steal personal data from those sites.
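The bug class described above, a site-supplied URL reaching the extension’s privileged context without sanitization, is easiest to understand beside its fix. The following is an added example, not Evernote’s or Guardio’s code; `openClipper` is a hypothetical function name standing in for whatever the extension actually calls, and the unsafe variant is kept only to show why the string must never be spliced into script source.

```javascript
// Added illustration of the vulnerability class, not Evernote's code.
// "openClipper" is a hypothetical privileged-context function.

// UNSAFE pattern: an untrusted string is concatenated straight into script
// source that will run in the privileged context. A value such as
//   x'); evil(); ('
// terminates the string literal and the rest runs as code.
function buildPayloadUnsafe(untrustedUrl) {
  return "openClipper('" + untrustedUrl + "');";
}

// Strict URL validation: returns the normalized URL, or null when rejected.
// Only absolute http(s) URLs without embedded credentials are accepted, so
// javascript:, data: and relative strings never reach the privileged side.
function sanitizeUrl(untrustedUrl) {
  if (typeof untrustedUrl !== 'string' || untrustedUrl.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(untrustedUrl); // throws on anything that is not absolute
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// HARDENED pattern: the validated URL is passed as JSON-encoded data, so it
// can only ever be a string value inside the call, never executable script.
function buildPayloadSafe(untrustedUrl) {
  const clean = sanitizeUrl(untrustedUrl);
  if (clean === null) return null;
  return 'openClipper(' + JSON.stringify(clean) + ');';
}
```

In a real extension the cleaned value would additionally be sent through the extension’s messaging API rather than embedded in generated code at all; the point here is that validation happens before the value crosses the trust boundary and that the value is treated as data on the other side.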

The solution

Users should install the latest version of Evernote Web Clipper, which includes the fix for this issue. To open the extension’s page, copy chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc into the address bar (for security reasons Chrome requires it to be entered manually) and check that the version shown is 7.11.1 or higher.
Users should also make it a point to install browser extensions only from trusted sources.

The post Evernote Critical Flaw Could Have Impacted Millions of Users appeared first on .

Compromised Docker Hosts Use Shodan for Cryptocurrency Mining

Researchers have detected a campaign in which compromised Docker hosts use Shodan to find further victims for cryptocurrency mining.

Hackers scan for Docker hosts with exposed APIs and use them for cryptocurrency mining by deploying malicious, self-propagating Docker images that carry Monero miners together with scripts that use Shodan to find further vulnerable targets. Researchers at Trend Micro discovered the campaign after a Docker image containing a Monero (XMR) cryptocurrency miner binary was deployed on one of their honeypots, set up to monitor malicious activity aimed at containers. Sergiu Gatlan, security/tech reporter at Bleeping Computer, writes, “This type of attack is definitely nothing new seeing that researchers from Imperva discovered a similar campaign abusing the CVE-2019-5736 runc vulnerability to deploy cryptominers during early-March.”

“However, the hackers behind the attacks discovered by Trend Micro now also use scripts designed to scan for more vulnerable machines via Shodan search queries scanning for hosts with the 2375 port open and deploying more infected containers to the new targets after brute-forcing their way,” the Bleeping Computer report further says.

An independent security researcher who goes by the name Caprico, and researchers at Alibaba Cloud, have also observed this campaign.
A blog post dated May 28, 2019 by the Alibaba Cloud researchers says, “Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker’s remote API unauthorized Access vulnerability. We have named the botnet “Xulu” because it serves as username in the botnet’s mining.”

The blog post further says, “Xulu is not the first botnet case that aims at Docker; yet it differs from other botnets by not scanning other hosts by itself, instead it utilizes OSINT (open-source intelligence) technique and dynamically searches Shodan for lists of possible preys…It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.”

The hackers behind the campaign used the exposed APIs to execute commands on the Docker hosts; these commands let them manage (start, stop or kill) containers and create new ones by deploying images from a Docker Hub repository under their control.
The Trend Micro team traced the image to a Docker Hub repository named zoolu2.

Alfredo Oliveira, Senior Threat Researcher at Trend Micro, writes, “By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries.”

The Trend Micro blog post further explains, “All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our interest since we’ve already had experience with containers being deployed as miners. In addition, some of the images contained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable targets for further container distribution.”

Docker took down the repository containing the infected images, and Shodan disabled the accounts used to access its API. But reports say that one malicious Docker image, already downloaded more than 10,000 times, is still available. Reports also note that the hackers had used another Docker Hub account to host infected containers; when that account was deactivated, they kept moving the containers to other accounts.

A GitHub user reporting this issue writes, “This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375)…It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).”

The Bleeping Computer report explains how it all works. The malicious Docker images are deployed automatically by a script that looks for exposed APIs and remotely creates malicious containers using Docker commands. Each container starts an SSH daemon that gives the hackers remote access, launches a custom-built Monero mining binary in the background and, at the same time, runs a third script that scans for more victims through the Shodan API.

The report explains further, “The list of vulnerable hosts gets written to an iplist.txt file which is checked for duplicates, with all the new targets also being scanned for existing cryptocurrency-mining containers which will be deleted if found…The entire list of IP addresses is then sent to the campaign operators’ command-and-control servers “to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.””
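The whole campaign depends on one misconfiguration: the Docker remote API bound to a TCP socket (port 2375 by convention) with no TLS client verification. As an added example, not Trend Micro’s, Alibaba Cloud’s or Docker’s code, the check below audits a dockerd daemon.json for exactly that. The keys it reads (hosts, tlsverify, tlscacert, tlscert, tlskey) are documented dockerd options; both sample configurations are constructed, and treating a missing port as 2375 is an assumption of this audit.

```javascript
// Added audit example, not Docker's or any vendor's code.
// Constructed sample configurations for a stand-alone run.
const WEAK_CONFIG = JSON.stringify({
  hosts: ['unix:///var/run/docker.sock', 'tcp://0.0.0.0:2375']
});
const HARDENED_CONFIG = JSON.stringify({
  hosts: ['unix:///var/run/docker.sock', 'tcp://0.0.0.0:2376'],
  tlsverify: true,
  tlscacert: '/etc/docker/ca.pem',
  tlscert: '/etc/docker/server-cert.pem',
  tlskey: '/etc/docker/server-key.pem'
});

// Split "tcp://addr:port". An empty address means every interface; a missing
// port is treated as 2375 (assumption made by this audit, not a dockerd rule).
function parseTcpHost(h) {
  const rest = h.slice('tcp://'.length);
  const idx = rest.lastIndexOf(':');
  const addr = idx >= 0 ? rest.slice(0, idx) : rest;
  const port = idx >= 0 ? parseInt(rest.slice(idx + 1), 10) : 2375;
  return { addr, port: Number.isNaN(port) ? 2375 : port };
}

function isLoopback(addr) {
  return addr === '127.0.0.1' || addr === 'localhost' || addr === '::1' || addr === '[::1]';
}

// Returns a list of { level, host, message } findings for one daemon.json text.
function auditDockerDaemonConfig(daemonJsonText) {
  let cfg;
  try {
    cfg = JSON.parse(daemonJsonText);
  } catch (e) {
    return [{ level: 'error', host: null, message: 'daemon.json is not valid JSON' }];
  }
  const hosts = Array.isArray(cfg.hosts) ? cfg.hosts : [];
  const tcpHosts = hosts.filter((h) => typeof h === 'string' && h.startsWith('tcp://'));
  if (tcpHosts.length === 0) {
    return [{ level: 'ok', host: null, message: 'remote API is not exposed over TCP' }];
  }
  const tlsVerify = cfg.tlsverify === true;
  const certsPresent = ['tlscacert', 'tlscert', 'tlskey']
    .every((k) => typeof cfg[k] === 'string' && cfg[k].length > 0);

  const findings = [];
  for (const h of tcpHosts) {
    const { addr, port } = parseTcpHost(h);
    if (!tlsVerify) {
      // This is the state the campaign's Shodan queries look for.
      findings.push({
        level: isLoopback(addr) ? 'warning' : 'critical',
        host: h,
        message: isLoopback(addr)
          ? 'API on loopback without TLS: any local process can control the daemon'
          : 'API reachable from the network without client authentication on port ' + port
      });
    } else if (!certsPresent) {
      findings.push({ level: 'error', host: h, message: 'tlsverify is set but CA/cert/key paths are missing' });
    } else {
      findings.push({ level: 'ok', host: h, message: 'TLS client verification enabled on port ' + port });
    }
  }
  return findings;
}
```

Run it against the file read from /etc/docker/daemon.json (or against the dockerd command line, which accepts the same options as flags). A critical finding on a host that also sits behind no firewall is the precondition for everything described in the report above; the fix is either to drop the tcp:// entry entirely or to set tlsverify with a proper CA so that only holders of a client certificate can talk to the API.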



ScarCruft, An Anti-North Korean Hacking Team

Malware authors continue to operate at ever more sophisticated levels, especially Advanced Persistent Threats (APTs). One such group, known as ScarCruft, has been exposed by Kaspersky Lab for running espionage campaigns that use Bluetooth exploits. ScarCruft focuses on breaking into the smartphones of government officials and businessmen operating in the Korean peninsula through Bluetooth. The operation apparently started in 2018 and uses a specially designed modular malware, built from many modules with the goal of evading detection.

A Windows-based operation also exists: once the group establishes a connection to the target server, it uses a weaponized tool that exploits CVE-2018-8120 to render Windows User Account Control useless. “The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data,” explained Kaspersky Labs in their official blog.

The Windows version of the malware is a full-fledged backdoor suite that connects to its command-and-control (C&C) server. On receiving new information, the C&C instructs the malware to gather data according to the operator’s chosen parameters, while the code is updated remotely by the malware author, which helps it bypass anti-malware software. With system-level access, the malware can run any Windows-supported command, and in particular uses PowerShell features to keep itself from being removed after a system reboot.

Once a persistent infection is established, the malware downloads a Bluetooth harvester module that probes all mobile devices connecting to the Windows PC. It then has man-in-the-middle capabilities, deliberately inspecting the information flowing between the infected PC and the mobile device, mostly for espionage purposes. “We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth,” added Kaspersky Labs.

The researchers have no conclusive evidence that ScarCruft is associated with North Korea, given that the hermit country’s own diplomatic agency was also a victim. A Hong Kong government diplomatic agency with strong ties to North Korea was also reported to have fallen to the same espionage campaign. An unnamed public agency in Russia also showed signs of a malware infection similar to the one reported by the Hong Kong and North Korean agencies, suggesting that the threat actor focuses its campaign on anyone connected with diplomatic ties between those nations.

“The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on the ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve,” concluded Kaspersky Labs.



Ransomware Attack Impacts Baltimore Emails, Online Payments

Some key online operations in the U.S. city of Baltimore have been impacted following a ransomware attack.

Reports reveal that all online payment gateways and email in Baltimore have been brought to a standstill following a ransomware attack that happened in the first week of May. The hackers who launched the attack are demanding a hefty ransom to free all of the city’s systems.

Security experts have found that the ransomware attack on Baltimore was executed using the EternalBlue exploit. EternalBlue, which we have written about on many occasions, was developed by the U.S. NSA (National Security Agency) and was reportedly leaked by the Shadow Brokers hacker group in April 2017. Cybercriminals used it to launch the extremely devastating WannaCry attack in May 2017 and then the NotPetya attack in June 2017. EternalBlue exploits a vulnerability in Microsoft’s implementation of the SMB (Server Message Block) protocol and allows an attacker to execute remote commands on the target computer. Microsoft released a patch for the issue in March 2017, but many users had not installed it when WannaCry and then NotPetya struck. Even now, as per reports, millions of systems worldwide remain vulnerable to EternalBlue.

Reports say that the ransomware attack in Baltimore has impacted thousands of computers and many important services, including health alerts, water bills and real estate sales. According to a ransom note recovered from a computer in the city, the ransomware has been identified as RobbinHood, a relatively new ransomware variant.

A New York Times report dated May 22, 2019, says, “On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid.”

The report further says, “The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.”

It’s also reported that at least 1,500 pending home sales have been delayed. However, the city has put into place an offline fix this week to allow the transactions to proceed.

As regards the ransom note, the New York Times report says, “A copy of a digital ransom note, obtained by The Baltimore Sun, stated that the city could unlock the seized files for a price: three Bitcoins (nearly $24,000) per system or 13 Bitcoins (about $102,000) for them all…The price of this decentralized, hard-to-track virtual currency fluctuates wildly. On the day of the attack, the ransom would have cost about $17,000 per system, or less than $75,000 for them all.)”

The ransom note reads: “We won’t talk more, all we know is MONEY!…Hurry up! Tik Tak, Tik Tak, Tik Tak!”

City officials have reportedly decided not to pay the ransom for now. Mayor Bernard Young has reportedly told local reporters, as regards paying the ransom: “Right now, I say no. But in order to move the city forward? I might think about it. But I have not made a decision yet.”



Microsoft SharePoint Servers Actively Targeted By Hackers

Hackers are actively exploiting a recently patched remote code execution vulnerability in Microsoft SharePoint Server to install the China Chopper web shell, which lets them run arbitrary commands on the server.

The Canadian and Saudi Arabian national cybersecurity centres have raised awareness of the ongoing attacks targeting outdated systems.

The vulnerability, tracked as CVE-2019-0604, affects all versions from SharePoint Server 2010 to SharePoint Server 2019. Microsoft patched it in February and released further security updates on March 12 and again on April 25.

“An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”

In this case, the attackers used the China Chopper web shell to access the compromised servers remotely, issue commands and manage files on the victim server.

The web shell allows an attacker to upload and download any files from the compromised server and to edit, delete, copy, rename and even to change the timestamp of existing files.

AlienVault security researcher Chris Doman tweeted about the ongoing campaign and published some additional IoCs.

SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn

— chris doman (@chrisdoman) May 9, 2019

According to the cybersecurity agencies, the targeted industries include the academic, utility, heavy industry, manufacturing and technology sectors.

Mitigations

Organizations running SharePoint servers are advised to update them to address the vulnerability.

Indicators of compromise

SHA256 Hash
05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4
b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688
7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604
2e4b7c022329e5c21e47d55e8916f6af852aabbbd1798f9e16985f22a8056646
c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e

SHA1 Hash
f0fb0f7553390f203669e53abc16b15e729e5c6f
ee583451c832b07d8f2b4d6b8dd36ccb280ff421
dc8e7b7de41cac9ded920c41b272c885e1aec279
4c3b262b4134366ad0a67b1a2d6378da428d712b

MD5 Hash
0eebeef32a8f676a1717f134f114c8bd
198ee041e8f3eb12a19bc321f86ccb88
708544104809ef2776ddc56e04d27ab1
b814532d73c7e5ffd1a2533adc6cfcf8

Filename
pay[.]aspx
stylecss[.]aspx

IP Address
114.25.219.100

Source: https://gbhackers.com/hackers-microsoft-sharepoint-servers/



Cyber Attacks Stopped By An Israeli Bomb

Justice, Israel style: the final judgment of the Israeli Defense Force (IDF) against cyber attackers was decisive and came, literally, with a bang. The conflict over the Gaza Strip between Israel and Palestinian Hamas has gone on for many decades, but according to Israeli military intelligence, Hamas also houses an elite hacker unit in the areas it controls in the strip. The IDF released on Twitter an official video of the airstrike against a building that the Palestinian hackers occupied.

It shows the target building from an overhead camera, reduced to a pile of rubble after the Israeli Defence Force airstrike. Though it is not yet known how many people died inside the building, the IDF is confident that it housed a considerable number of the elite hacker team maintained by Palestinian jihadists.

“At the end of last week, a joint operation by the General Security Service and the IDF thwarted Hamas’ attempt to use the cyber dimension to hit Israeli targets. Following the technical counterterrorism activities, IDF fighter jets attacked a building from which Hamas’s cyber network operated. We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” explained IDF in Twitter (through Google Translate).

The IDF has not revealed who led the elite hacker group or what particular cyber attacks they committed against Israel to justify the bombing. An IDF leader who wished not to be named underscored the importance of staying ahead of their enemies, and said he was pleased that Israeli forces were able to stop cyber attacks by physically attacking the structure occupied by the hacker group.

“Hamas no longer has cyber capabilities after our strike. After dealing with the cyber dimension, the Air Force dealt with it in the physical dimension,” emphasized Brig. Gen. Ronen Manlis.

Aside from the hacker group, the IDF’s other target was Hamed Ahmed Abed Khudri, allegedly the person behind the illegal transfer of funds from Iran to the IDF’s enemies in the Gaza Strip. The Palestinian Islamic Jihad has been linked to numerous money-laundering activities; because its organization is cellular, anyone tasked with pinning down identities has a hard time.

“Transferring Iranian money to Hamas and the PIJ [Palestinian Islamic Jihad] doesn’t make you a businessman. It makes you a terrorist,” added IDF.

“Immediately assessing the level of conflict in such a dynamic situation is impossible. However, military activity working along laws of armed conflict should consider principles of proportionality when using force. The scarce official announcement suggests that the potential cyberattack has been thwarted using technical means. That will make analysts wonder what was the point, and justification grounds for using kinetic force. That said, the view that people involved in cyber activity linked to a conflict need to be aware of such risks to them has been more and more crystallizing over the last years,” said Dr. Lukasz Olejnik, Research Associate for Center for Technology and Global Affairs of Oxford University.

Source: https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html



Is Your Baby Monitor Susceptible to Hacking?

There’s no doubt that digital technology, in many of its forms, brings everyday tasks much closer-to-hand. From discovering breaking news, to online shopping, to keeping tabs on your home via security cameras—everything is within the touch of a button. Even so, with the growing reach of the Internet of Things (IoT), new and unsuspected threats are just around the corner—or are already here. 

One of the most alarming threats to emerge is the breach of privacy. In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news.

For example, in early January of this year, a Western Australian mother voiced her worries when she discovered that the baby monitor she had recently purchased was compromised. The monitor allowed her to log in with a QR code and a generic password in order to watch her child through a camera. Though she followed the installation instructions, upon opening the monitoring website she was greatly alarmed to see a view of a stranger’s bedroom rather than her child’s.

This type of case isn’t isolated, as another report surfaced last year when a stranger allegedly hacked a baby monitor camera to watch a mother breastfeed. In yet another case, a Texas couple, whose devices were hacked, said they heard a man’s voice coming from their baby monitor threatening to kidnap their child. It doesn’t get much scarier than that.

Though you might not have prepared for it, it’s increasingly clear you need to take steps to protect yourself, your children, your privacy, and your new smart devices from these kinds of emerging privacy threats, as well as others. As a first precaution, you should always remember to change the default passwords on all your networked devices, starting with your router, creating strong new ones and securing them safely whenever possible with a password manager. You should then pick the best endpoint and network security solutions you can find to protect all the networked devices in your home.

Trend Micro Password Manager provides a password manager that lets you generate and sync strong passwords across your PCs, Macs, Android, and iOS devices.

In addition, Trend Micro Security provides the best endpoint security for PCs, Macs, Android and iOS—a key part of any home security strategy. Trend Micro Maximum Security includes Trend Micro Mobile Security as part of its subscription, so you can protect up to 10 devices.

Finally, Trend Micro Home Network Security is specifically designed to protect all your new “smart” connected devices in the home. It filters incoming and outgoing traffic to provide an extra layer of protection against intrusions or hacking of the home network. It protects your router and a wide range of smart devices, including security cameras, child monitoring devices, smart TVs, refrigerators, smart speakers, and even smart doorbells and thermostats, from emerging IoT threats—and the list goes on.

With our endpoint and network security solutions, we’ve got you covered! Click the links above for more details on our solutions.


Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices with a PIN or a biometric identifier such as a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s option requires using the Edge browser on Windows 10 1809 build. So, the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ the phone – rather than ‘something they know’ the password. While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIbeenpwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha. 

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped itself by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action: people choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back on his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice, and you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because using the same phrase over and over again puts them at risk if attackers compromise any one of those sites. Once attackers get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!
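Neha’s point about attackers trying one stolen set of credentials against other popular sites is the pattern defenders see in their logs as credential stuffing: one source address failing against many different accounts, with the odd success where a reused password matches. As an added illustration that is not part of the original article, the C program below scans a constructed authentication log in an assumed format and flags a source address that has failed against many distinct accounts. The log lines, field names, IP addresses and threshold are all invented for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DISTINCT 64   /* assumed cap on distinct usernames tracked per source */
#define FIELD 64          /* assumed maximum token length */

/* Constructed sample log in an assumed format (timestamp, event, ip=..., user=...).
 * These lines are invented for this example and are not from any real product. */
static const char *const SAMPLE_LOG[] = {
    "2019-03-01T10:00:01Z auth_fail ip=203.0.113.5 user=alice",
    "2019-03-01T10:00:02Z auth_fail ip=203.0.113.5 user=bob",
    "2019-03-01T10:00:02Z auth_fail ip=203.0.113.5 user=carol",
    "2019-03-01T10:00:03Z auth_ok   ip=203.0.113.5 user=dave",   /* a reused password hit */
    "2019-03-01T10:00:03Z auth_fail ip=203.0.113.5 user=erin",
    "2019-03-01T10:00:04Z auth_fail ip=203.0.113.5 user=frank",
    "2019-03-01T10:00:04Z auth_fail ip=203.0.113.5 user=alice",  /* repeat, counted once */
    "2019-03-01T10:05:10Z auth_fail ip=198.51.100.7 user=grace",  /* one user mistyping */
    "2019-03-01T10:05:25Z auth_fail ip=198.51.100.7 user=grace",
    "2019-03-01T10:05:40Z auth_ok   ip=198.51.100.7 user=grace",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Count the distinct usernames that had at least one failed login from `ip`.
 * Returns -1 when more than MAX_DISTINCT usernames are seen, which callers
 * should treat as suspicious rather than as an error. */
int distinct_failed_users(const char *const *lines, size_t n, const char *ip)
{
    char seen[MAX_DISTINCT][FIELD];
    int nseen = 0;

    for (size_t i = 0; i < n; i++) {
        char ts[FIELD], event[FIELD], line_ip[FIELD], user[FIELD];

        /* Malformed lines are skipped instead of aborting the whole scan. */
        if (sscanf(lines[i], "%63s %63s ip=%63s user=%63s", ts, event, line_ip, user) != 4)
            continue;
        if (strcmp(event, "auth_fail") != 0 || strcmp(line_ip, ip) != 0)
            continue;

        bool dup = false;
        for (int j = 0; j < nseen; j++) {
            if (strcmp(seen[j], user) == 0) { dup = true; break; }
        }
        if (dup)
            continue;
        if (nseen == MAX_DISTINCT)
            return -1;
        snprintf(seen[nseen], FIELD, "%s", user);
        nseen++;
    }
    return nseen;
}

/* A source is flagged when it has failed against at least `threshold` distinct
 * accounts. One user getting their own password wrong several times never trips it. */
bool looks_like_credential_stuffing(const char *const *lines, size_t n,
                                    const char *ip, int threshold)
{
    int d = distinct_failed_users(lines, n, ip);
    return d < 0 || d >= threshold;
}

int main(void)
{
    const char *sources[] = { "203.0.113.5", "198.51.100.7" };
    const int threshold = 5;   /* assumed tuning value for this sample */

    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
        int d = distinct_failed_users(SAMPLE_LOG, SAMPLE_LOG_LEN, sources[i]);
        printf("%-14s distinct failed accounts: %d  -> %s\n", sources[i], d,
               looks_like_credential_stuffing(SAMPLE_LOG, SAMPLE_LOG_LEN, sources[i], threshold)
                   ? "possible credential stuffing" : "normal");
    }
    return 0;
}
```

The distinguishing signal is breadth, not volume: 203.0.113.5 fails against five different accounts in a few seconds and then succeeds against a sixth, while 198.51.100.7 only ever fails against one account. A successful login from a source that is already flagged is the event worth alerting on, since that is where a reused password has been found.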

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Hackers Are Going After Cisco RV110, RV130, and RV215 Routers

Cybercriminals always look for vulnerabilities in routers, and if they find one, it becomes an easy target for them.

We have seen that hackers are not merely scratching the surface: they have set their sights on compromising devices for their malicious activities, and they dig for vulnerabilities in routers to conduct hacking campaigns.

In 2018 we saw some high-profile router attack campaigns. VPNFilter, a malware strain suspected to be the work of Russian actors, prompted the FBI to warn businesses and households to immediately reboot their routers to counter the threat.

Nevertheless, it looks like many didn’t heed this warning, and that left routers in a vulnerable state. Avast’s Threat Landscape Report for 2019 suggests that 60 percent of users have never updated their router’s firmware, thus exposing themselves to simple vulnerabilities.

Now a report from ZDNet reveals further details:

Two days after Cisco patched a critical vulnerability in a popular brand of SOHO routers, and one day after the publication of proof-of-concept code, hackers have begun scans and attacks exploiting the security bug to take over unpatched devices.

The vulnerability, tracked as CVE-2019-1663, was notable when it came out on February 27 as it received a severity rating from the Cisco team of 9.8 out of 10.

It received such a high score because the bug is trivial to exploit and does not require advanced coding skills or complex attack routines; it bypasses authentication procedures altogether; and routers can be attacked remotely, over the internet, without attackers needing to be physically present on the same local network as the vulnerable device.

Affected models include the Cisco RV110, RV130, and RV215, all of which are WiFi routers deployed in small businesses and home properties.

Because of this, the owners of these devices will most likely not be monitoring Cisco security alerts, and most of these routers will remain unpatched, unlike in large corporate environments where IT staff would have already deployed the Cisco fixes.

According to a scan by cyber-security firm Rapid7, there are over 12,000 of these devices readily available online, with the overwhelming majority located in the United States, Canada, India, Argentina, Poland, and Romania.

All of these devices are now under attack, according to cyber-security firm Bad Packets, which reported detecting scans on March 1.

The company detected hackers scanning for these routers using an exploit that was published a day earlier on the blog of Pen Test Partners, a UK-based cyber-security firm.

It was one of Pen Test Partners’ researchers, along with two other Chinese security experts, who discovered this particular vulnerability last year.

In its blog post, Pen Test Partners blamed the root cause of CVE-2019-1663 on Cisco coders using a notoriously insecure function of the C programming language, namely strcpy (string copy).

The company’s blog post included an explanation of how the use of this C function left the authentication mechanism of the Cisco RV110, RV130, and RV215 routers open to a buffer overflow that allowed attackers to flood the password field and attach malicious commands that were executed with admin rights during the authentication process.

Attackers who read the blog post appear to be using the example provided in the Pen Test Partners article to take over vulnerable devices.

Any owner of these devices will want to apply updates as soon as possible. If they believe their router has already been compromised, reflashing the device firmware is recommended.
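To make the root cause described above concrete, here is an added example in C that is not from the Cisco firmware or from the Pen Test Partners post: a password field handled with the unchecked strcpy pattern, beside a bounded copy that refuses any input that does not fit in the field before comparing it with the stored credential. The field size, the placeholder credential and the function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size password field for this example; this is not Cisco's actual
 * buffer size and none of the code below is the router firmware. */
#define PASSWORD_FIELD_LEN 64

/* The pattern the blog post blames: strcpy copies until it meets a NUL and never
 * consults the destination size, so a request longer than the field writes past
 * it (undefined behaviour). Kept for contrast only; this example never calls it
 * with input longer than the field. */
void copy_password_unchecked(char dst[PASSWORD_FIELD_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: find the terminating NUL inside the field bounds before copying
 * anything. Returns false and leaves dst empty when the input does not fit, so
 * an over-long request never reaches the buffer. */
bool copy_password_checked(char dst[PASSWORD_FIELD_LEN], const char *src)
{
    const char *nul = memchr(src, '\0', PASSWORD_FIELD_LEN);
    if (nul == NULL) {                 /* no terminator within the field: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* length includes the NUL */
    return true;
}

/* Authentication check with the length check done before any comparison.
 * The stored credential is a constructed placeholder, not a real secret. */
bool authenticate(const char *supplied)
{
    static const char expected[] = "correct horse battery staple";  /* placeholder */
    char field[PASSWORD_FIELD_LEN];

    if (!copy_password_checked(field, supplied))
        return false;                  /* rejected before anything is copied */
    return strcmp(field, expected) == 0;
}

/* A request three times the field size must be refused and leave the field empty. */
bool long_input_is_rejected(void)
{
    char request[3 * PASSWORD_FIELD_LEN];
    char field[PASSWORD_FIELD_LEN];

    memset(request, 'A', sizeof request - 1);
    request[sizeof request - 1] = '\0';
    return !copy_password_checked(field, request) && field[0] == '\0';
}

/* The longest input that does fit (63 characters plus NUL) must still be accepted. */
bool max_length_input_fits(void)
{
    char request[PASSWORD_FIELD_LEN];
    char field[PASSWORD_FIELD_LEN];

    memset(request, 'A', PASSWORD_FIELD_LEN - 1);
    request[PASSWORD_FIELD_LEN - 1] = '\0';
    return copy_password_checked(field, request) && strlen(field) == PASSWORD_FIELD_LEN - 1;
}

int main(void)
{
    char field[PASSWORD_FIELD_LEN];

    copy_password_unchecked(field, "short");   /* fits, so this call is well-defined */
    printf("unchecked copy of short input: %s\n", field);
    printf("correct password accepted: %s\n", authenticate("correct horse battery staple") ? "yes" : "no");
    printf("wrong password accepted:   %s\n", authenticate("wrong") ? "yes" : "no");
    printf("192-byte request rejected: %s\n", long_input_is_rejected() ? "yes" : "no");
    printf("63-byte request accepted:  %s\n", max_length_input_fits() ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is that the decision about size is made from the destination’s capacity, not from the attacker-controlled source length; a request that overflows the field is rejected outright rather than truncated silently, which is what lets a defender log and rate-limit those requests.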

Over 100 Targets in US Hit By North Korean Hackers

As reported in the NY Times, North Korean hackers, who have targeted American and European businesses for 18 months, kept up their attacks last week even as President Trump was meeting with North Korea’s leader in Hanoi.

According to researchers at the cybersecurity company McAfee, the attacks, which include efforts to hack into banks, utilities, and oil and gas companies, began in 2017, when tensions between North Korea and the United States were flaring. But even though both sides have toned down their fiery threats, the attacks persist.

The attacks began soon after the incident in 2017 when Mr. Trump mocked Kim Jong-un as “rocket man” in a speech at the United Nations.

Victor Cha, the Korea chairman at the Center for Strategic and International Studies in Washington said: “For 15 months, they haven’t tested weapons because of this negotiation but over those same 15 months they have not stopped their cyber activity.”

The McAfee researchers gained access to one of the main computer servers used by the North Korean hackers to stage their attacks. They did this with the help of an unnamed foreign law enforcement agency.

The McAfee researchers said they watched, in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and across the world. Last month, they expanded their targets to companies in Turkey, operating from a block of internet addresses traced to Namibia, one of the few countries that still maintain friendly relations with Pyongyang.

“We’ve seen them hit in excess of 100 victims. They are very active. It’s been nonstop,” said Raj Samani, McAfee’s chief scientist.

The exact motive of the attacks was not clear. They were well-researched and highly focused and, in many cases, aimed at engineers and executives who had broad access to their companies’ computer networks and intellectual property.

McAfee will not name the targets of the attacks and said it would be alerting victims and government authorities on Monday. But the firm did confirm that all the attack leads point to North Korean hackers.

In the United States, the most frequent marks are in Houston and New York. Other major targets included London, Madrid, Tokyo, Tel Aviv, Bangkok, Rome, Taipei, Hong Kong, and Seoul. Russia and China were relatively untouched, as the two countries maintain cordial relations with North Korea.

North Korea has long been accused of using hackers to further its national interests. In 2014, North Korean hackers hit Sony Pictures Entertainment in retaliation for a movie that mocked Mr. Kim. They destroyed Sony’s computer servers, paralyzed the studio’s operations and eventually leaked embarrassing emails ahead of the 2016 elections.

North Korean hackers are known to attack banks across the world for financial gain, which is not surprising for a country ravaged by economic sanctions. The “WannaCry” attack in 2017 was also traced to North Korea.

Mr. Cha, of the Center for Strategic and International Studies, said cyber attacks remained the “third leg” of North Korea’s overall military strategy. “They’re never going to compete with the United States and South Korea soldier to soldier, tank for tank,” he said. “So they have moved to an asymmetric strategy of nuclear weapons, ballistic missiles, and the third leg is cyber that we really didn’t become aware of until Sony.”

McAfee’s researchers believe that North Korea’s hackers had significantly improved their capabilities since the Sony attack. They are much better at hiding their tracks and researching their targets. In many of the attacks McAfee witnessed, North Korean hackers had done their homework.

The hackers would scan the business site LinkedIn, hunting for the profiles of industry job recruiters. They sent emails that appeared to come from those recruiters’ accounts. When a target clicked on an attachment or link in the email, the hackers gained access to the target’s computer.

“The campaign was clearly really well prepared. It was very well researched and targeted. They knew the individuals they were going for, and they drafted emails in such a way that their targets clicked on them,” said Christiaan Beek, McAfee’s senior principal engineer and lead scientist. The tool they used to implant malware in the recent attacks is called “Rising Sun”, after a reference in the code.

Security experts said the attacks would have to be addressed at some point if the two countries are to continue talks.

Customers Blame Companies not Hackers for Data Breaches

RSA Security’s latest research reveals that over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

Key takeaways from the RSA Data Privacy study include:

  • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents. 
  • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months after the GDPR was implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29% in 2017.
  • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalised services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical.

“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.

B&Q said it had taken action after a security researcher found and disclosed details of B&Q's suspected store thieves online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which contained:

  • the first and last names of individuals caught or suspected of stealing goods from stores
  • descriptions of the people involved, their vehicles and other incident-related information
  • the product codes of the goods involved
  • the value of the associated loss

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with the disclosure. Investigators said the suspect had acted alone, had taught himself the skills he needed using online resources, and had no training in computer science: yet another example of how low the barrier to entry is for becoming a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encouraged victims to visit a web address before finishing up with "you should also subscribe to PewDiePie".

Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame, but were said to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of which were located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control of after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced a mass password revocation by Reddit in response. A Reddit admin said a "large group of accounts were locked down" due to "anomalous activity suggesting unauthorised access".

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

A new warning was issued by Action Fraud about a convincing TV Licensing phishing email that was making the rounds. The email attempts to trick people with subject lines like "correct your licensing information" and "your TV licence expires today" to convince them to open it. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to UK national security by Chinese telecoms giant Huawei; I'll cover all that in a separate blog post.

