Category Archives: Hacking News

Experts report a rampant growth in the number of malicious, lookalike domains

Cyber security firm Venafi announced it has uncovered lookalike domains with valid TLS certificates that appear to target major retailers.

Venafi, Inc. is a private cybersecurity company that develops software to secure and protect cryptographic keys and digital certificates.

Ahead of the holiday shopping season, security experts from Venafi conducted a study of typosquatted domains used to target 20 major retailers in the United States, the United Kingdom, Australia, Germany, and France.

The researchers discovered 109,045 lookalike domains using valid TLS certificates to make them appear more trustworthy, more than double the number found last year. By comparison, the study found fewer than 19,890 certificates issued for legitimate retail domains.

Key findings of the study:

  • Growth in the number of look-alike domains has more than doubled since 2018, outpacing legitimate domains by nearly four times.
  • The total number of certificates used for look-alike domains is more than 400% greater than the number of authentic retail domains.
  • Over half (60%) of the look-alike domains studied use free certificates from Let’s Encrypt.

Experts pointed out that every region had its own lookalike domains. In the U.S., the researchers found 83,934 lookalike domains targeting retailers, nearly 49,500 of which imitate a single top U.S. retailer; by comparison, 14,784 certificates have been issued for legitimate U.S. retail domains.

The situation is also worrisome in the U.K., where Venafi found the largest ratio of lookalike to legitimate domains: over six times more lookalike domains than valid ones. The researchers identified nearly 14,000 certificates for lookalike domains targeting U.K. retailers, against nearly 1,900 certificates for legitimate retail domains.

In Germany, there were roughly 7,000 certificates for typosquatted domains targeting local retailers; German lookalike domains are more likely than those in any other region to use Let’s Encrypt certificates (85%).

In Australia, the experts found nearly 3,500 certificates for domains targeting local retailers, while the figure for France was 1,500.

“We continue to see rampant growth in the number of malicious, look-alike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi. “This is a result of the push to encrypt more and potentially all web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”
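As an added example (not part of the Venafi study or of this article) of the kind of detection the quote refers to, the Python below generates the common typosquat permutations of a protected brand and classifies certificate subject names, such as common names pulled from a Certificate Transparency log, as legitimate, lookalike or unrelated. The brand example.com, the sample subject names, the keyword and TLD lists and the homoglyph table are all constructed assumptions, and the generator assumes a two-label registrable domain.

```python
"""Generate typosquat candidates for a brand domain and flag lookalike
certificate subjects (e.g. common names pulled from a CT log feed).

Added example, not code from Venafi or Security Affairs.  The brand,
the homoglyph table, the keyword/TLD lists and the sample subjects are
constructed; the generator assumes a two-label registrable domain."""
import itertools

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
KEYWORDS = ["login", "secure", "shop", "account"]   # assumed phishing affixes
TLDS = ["com", "net", "shop", "online"]              # assumed alternative TLDs


def split_domain(domain):
    """'shop.example.com' -> ('example', 'com'); only the registrable part matters."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def generate_typosquats(domain):
    """Return the set of lookalike registrable domains derived from `domain`."""
    label, tld = split_domain(domain)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                  # omission:      exmple
        labels.add(label[:i] + ch + label[i:])                 # repetition:    exaample
        if i < len(label) - 1:                                 # transposition: examlpe
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                                   # homoglyph:     examp1e
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i > 0:                                              # hyphenation:   exam-ple
            labels.add(label[:i] + "-" + label[i:])
    for kw in KEYWORDS:                                        # keyword affixes
        labels.add(f"{label}-{kw}")
        labels.add(f"{kw}-{label}")
    labels.discard(label)
    # Every variant on every TLD, plus the exact label on a swapped TLD.
    return {f"{lab}.{t}" for lab, t in itertools.product(labels | {label}, TLDS)
            if (lab, t) != (label, tld)}


def levenshtein(a, b):
    """Edit distance, used to catch variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_subject(common_name, brand, max_distance=2):
    """Classify a certificate subject CN against a protected brand domain.

    Returns 'legitimate', 'lookalike' or 'unrelated'.  Wildcards and subdomain
    labels are stripped so only the registrable domain is compared."""
    label, tld = split_domain(common_name.lower().lstrip("*."))
    b_label, b_tld = split_domain(brand)
    if (label, tld) == (b_label, b_tld):
        return "legitimate"
    if f"{label}.{tld}" in generate_typosquats(brand):
        return "lookalike"
    if b_label in label or levenshtein(label, b_label) <= max_distance:
        return "lookalike"   # brand embedded in a longer label, or a near miss
    return "unrelated"


# Constructed CT-log style subject names; none of these are real certificates.
SAMPLE_CT_SUBJECTS = [
    "www.example.com", "*.example.com", "examp1e.com", "example-login.shop",
    "secure.exmaple.net", "exampleshop-checkout.online", "unrelated-store.com",
]


def scan(subjects, brand="example.com"):
    """Map each subject name to its verdict for the given brand."""
    return {s: classify_subject(s, brand) for s in subjects}


if __name__ == "__main__":
    for subject, verdict in scan(SAMPLE_CT_SUBJECTS).items():
        print(f"{verdict:11} {subject}")
```

In practice the brand's own registered domains should be allowlisted before anything is flagged, and domains under multi-label public suffixes (co.uk and the like) need a public suffix list rather than the two-label split used here.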

Pierluigi Paganini

(SecurityAffairs – lookalike domains, phishing)

The post Experts report a rampant growth in the number of malicious, lookalike domains appeared first on Security Affairs.

New NextCry Ransomware targets Nextcloud instances on Linux servers

NextCry is a new ransomware that was spotted by researchers while encrypting data on Linux servers in the wild.

Security experts spotted a new ransomware, dubbed NextCry, that targets Nextcloud file sync and share instances.

The name comes from the extension the ransomware appends to the filenames of encrypted files. The malicious code targets Nextcloud instances and is currently undetected by antivirus engines.

“xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.” reads the post published by BleepingComputer that reported the news.

The user explained that even though his system was backed up, the synchronization process had started to overwrite the files on his laptop with the encrypted versions from the server.

“I realized immediately that my server got hacked and those files got encrypted.” said xact64. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)”

The user provided the sample’s SHA1 hash to BleepingComputer, and the popular malware researcher Michael Gillespie analyzed it, confirming that the threat is new and that it Base64-encodes the names of encrypted files. Gillespie added that the ransomware encrypts files with AES-256 and that the AES key is in turn encrypted with an RSA-2048 public key embedded in the ransomware’s code.

NextCry is a Python script compiled into a Linux ELF binary with PyInstaller.

The ransomware demands a ransom of 0.025 BTC (roughly $210 at the time of writing). The balance of the Bitcoin wallet provided by the crooks shows that no one has paid the ransom so far.

Below is the ransom note dropped by the ransomware after the files have been encrypted.

The analysis of the compiled script, extracted by another member of the BleepingComputer forum, confirmed that the malicious code was designed to target Nextcloud users.


Once executed, NextCry reads the Nextcloud service’s config.php file to locate the Nextcloud data directory. It then deletes some folders that could be used to restore files and encrypts all the files in the data directory.
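The same two facts the analysis reports, that the data directory is read out of config.php and that file names come back Base64-encoded with recovery folders gone, can be turned into a quick post-incident sweep. The Python below is an added example (it is neither the malware nor Nextcloud code): it parses the datadirectory setting from a config.php, then walks each user home looking for Base64-named or extension-tagged files and for missing files_versions/files_trashbin folders. The config snippet, the throwaway directory layout and the “.locked” extension are constructed assumptions.

```python
"""Sweep a Nextcloud data directory for NextCry-style damage.

Added example; it is not the malware and not Nextcloud code.  It locates the
data directory from config.php the same way the ransomware is described to,
then flags (1) files whose names are Base64 (NextCry Base64-encodes names)
or carry the encrypted-file extension, and (2) user homes missing the
files_versions/files_trashbin recovery folders.  The config snippet, the
directory layout and the '.locked' extension are constructed assumptions."""
import base64
import os
import re
import tempfile

ENCRYPTED_EXT = ".locked"                                # assumed; not the real sample's
RECOVERY_DIRS = ("files_versions", "files_trashbin")     # Nextcloud per-user recovery dirs
B64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def datadirectory_from_config(config_php):
    """Extract 'datadirectory' => '/path' from the text of config.php."""
    m = re.search(r"'datadirectory'\s*=>\s*'([^']+)'", config_php)
    if not m:
        raise ValueError("datadirectory not found in config.php")
    return m.group(1)


def looks_base64_name(name):
    """True if the name (minus the encrypted extension) is Base64 that decodes
    to printable text, e.g. 'cmVwb3J0LnBkZg==' -> 'report.pdf'."""
    stem = name[:-len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name
    if len(stem) < 4 or len(stem) % 4 or not B64_NAME.match(stem):
        return False
    try:
        return base64.b64decode(stem, validate=True).decode("utf-8").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False


def sweep(datadir):
    """Return suspicious file paths and missing recovery folders per user."""
    report = {"encrypted_names": [], "missing_recovery_dirs": []}
    for user in sorted(os.listdir(datadir)):
        user_dir = os.path.join(datadir, user)
        if not os.path.isdir(os.path.join(user_dir, "files")):
            continue                                     # not a user home (e.g. appdata_*)
        for rd in RECOVERY_DIRS:
            if not os.path.isdir(os.path.join(user_dir, rd)):
                report["missing_recovery_dirs"].append(f"{user}/{rd}")
        for root, _, files in os.walk(os.path.join(user_dir, "files")):
            for f in files:
                if f.endswith(ENCRYPTED_EXT) or looks_base64_name(f):
                    report["encrypted_names"].append(
                        os.path.relpath(os.path.join(root, f), datadir))
    return report


def build_demo_instance():
    """Create a throwaway data directory mimicking a partly encrypted instance
    and return (config.php text, path).  Purely constructed test data."""
    base = tempfile.mkdtemp()
    for d in ("files", *RECOVERY_DIRS):                  # alice: untouched
        os.makedirs(os.path.join(base, "alice", d))
    open(os.path.join(base, "alice", "files", "notes.txt"), "w").close()
    os.makedirs(os.path.join(base, "bob", "files"))      # bob: recovery dirs gone,
    enc = base64.b64encode(b"report.pdf").decode() + ENCRYPTED_EXT   # names encoded
    open(os.path.join(base, "bob", "files", enc), "w").close()
    config = "<?php\n$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" % base
    return config, base


if __name__ == "__main__":
    cfg, _ = build_demo_instance()
    print(sweep(datadirectory_from_config(cfg)))
```

Run it against a real instance only from a read-only mount or a snapshot, and treat a missing recovery folder as a signal to stop the desktop clients before they sync encrypted copies over the last good local files, which is exactly what xact64 describes.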

Four days earlier, another user, who goes by the handle ‘alexpw’, posted on the platform’s support forum a message describing how his instance, running the latest version of the software, was compromised even though the server had already been locked down with SSH key authentication.

“Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.” wrote the user.

The description shared by Alex suggests that attackers have exploited some vulnerabilities in the server.

On October 24, Nextcloud released an urgent alert about CVE-2019-11043, a remote code execution issue in PHP-FPM that is reachable through certain NGINX configurations; experts warned that a public exploit for the issue is available.

“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and phpfpm configurations. If you do not run NGINX, this exploit does not affect you.” reads the alert.

“Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack.”

Nextcloud admins are advised to upgrade their PHP packages and to update their NGINX configuration file to the latest recommended version.
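The configuration shape that matters for CVE-2019-11043 is a PHP location block that splits PATH_INFO and hands the request to PHP-FPM without first checking that the script file exists. The Python below is an added example, not Nextcloud’s advisory or shipped config: it holds a constructed weak snippet beside a corrected one (the added try_files line is the widely recommended config-level mitigation for this CVE; upgrading PHP is still required) and scans any NGINX config text for blocks of the vulnerable shape.

```python
"""Flag NGINX PHP location blocks shaped like the one CVE-2019-11043 needs:
fastcgi_split_path_info plus fastcgi_pass, with no check that the script
file exists before the request reaches PHP-FPM.

Added example, not from Nextcloud's advisory or config; the two snippets are
constructed to show the weak and the corrected shape."""
import re

VULNERABLE_SNIPPET = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

HARDENED_SNIPPET = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

LOCATION_RE = re.compile(r"location\s+(~\*?|=|\^~)?\s*([^\s{]+)\s*\{")
TRY_FILES_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404")
IF_EXISTS_RE = re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")


def iter_location_blocks(conf):
    """Yield (modifier, pattern, body) for each location block, matching
    braces by counting so nested if-blocks stay inside the body."""
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1) or "", m.group(2), conf[m.end():i - 1]


def php_block_findings(conf):
    """Return (pattern, finding) for each PHP handler block in `conf`."""
    findings = []
    for _, pattern, body in iter_location_blocks(conf):
        if "php" not in pattern or "fastcgi_pass" not in body:
            continue
        splits_path = "fastcgi_split_path_info" in body
        checks_file = bool(TRY_FILES_RE.search(body) or IF_EXISTS_RE.search(body))
        if splits_path and not checks_file:
            findings.append((pattern, "PATH_INFO split without script existence check"))
        else:
            findings.append((pattern, "ok"))
    return findings


if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(name, php_block_findings(snippet))
```

The check is deliberately narrow: it only recognises the two idioms above (try_files with =404, or an if (!-f …) guard), so a config that guards the block some other way will be reported as exposed and should be reviewed by hand.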

Pierluigi Paganini

(SecurityAffairs – NextCry ransomware, malware)

The post New NextCry Ransomware targets Nextcloud instances on Linux servers appeared first on Security Affairs.

Crooks use carding bots to check stolen card data ahead of the holiday season

With this year’s holiday shopping season approaching, cybercriminals are using carding bots to test stolen payment card data before using it.

Cybercriminals need to test the validity of stolen card data before carrying out fraudulent transactions or selling it during the holiday shopping season. They are automating this process with carding bots that make small purchases on smaller retailers’ websites.

“While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots.” reads the analysis published by PerimeterX. “One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.”

Researchers from PerimeterX spotted two such carding bots running carding attacks against e-stores ahead of the holiday shopping season.

The following graph shows the checkout page traffic across PerimeterX customers in September 2019.


Experts pointed out that real shoppers and bad actors behave differently: legitimate buyers make fewer purchases in the run-up to the holiday season, whereas PerimeterX observed malicious checkout traffic spiking ahead of it, in some cases by more than 700% since September.

The first bot, dubbed ‘Canary’, was observed in at least two attacks aimed at a particular e-commerce platform used by thousands of businesses.

“Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.” the experts continue.

Researchers detected the first Canary bot attack after noticing a 2011-era Safari browser version whose requests changed IP address daily and originated from cloud and colocation providers.

The bot was attempting to mimic human behavior, it was creating a shopping cart, then it was adding products to it, and also providing shipping information.

The second attack attributed to the Canary bot appeared more sophisticated: unlike the first, it rotated both the IP address and the user agent to mimic real users on a range of mobile devices.

In this second attack, the bot mimicked a different human behaviour: it added products directly to the cart without viewing their pages first, then jumped straight to the checkout page.

The second carding bot, tracked as ‘Shortcut’, avoids the e-commerce website entirely in order to evade detection.

“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators.” state the researchers. “In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”

In this second scenario, payments are handled by external third-party services, and the attackers abuse the API endpoints exposed by those services to validate credit cards.

The name “shortcut” comes from the fact that attackers access the payment services directly without passing through the e-commerce website.

Experts observed three attacks involving the Shortcut bot, against an apparel retailer, a sportswear retailer and a grocery shop.

Experts expect threat actors to keep using carding bots to validate stolen card data, even though today’s bots are still relatively simple to detect.

“To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart.” conclude the experts. “This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.”
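The signals described above for both bots (rotating cloud IPs under a stale browser string, many tiny authorizations with a high decline rate, payment attempts that never touched a cart, and card checks that go straight to the payment API) can be scored per session from ordinary checkout logs. The Python below is an added example, not PerimeterX’s detection: the log format, the thresholds, the use of HTTP 402 as a “declined” marker and the sample events are all constructed, and the Safari 5.1 string stands in for the 2011-era browser the researchers saw.

```python
"""Score checkout sessions for carding-bot behaviour from application logs.

Added example, not PerimeterX code.  Log layout, thresholds, the 402 =
'declined' convention and every sample event below are constructed."""
from collections import defaultdict
import re

# Constructed events: ts session ip "user-agent" path amount status
SAMPLE_LOG = """\
1 s1 203.0.113.10 "Mozilla/5.0 (Macintosh) AppleWebKit/534 Safari/5.1" /cart/add 0 200
2 s1 203.0.113.11 "Mozilla/5.0 (Macintosh) AppleWebKit/534 Safari/5.1" /checkout 0 200
3 s1 203.0.113.12 "Mozilla/5.0 (Macintosh) AppleWebKit/534 Safari/5.1" /pay 1.00 402
4 s1 203.0.113.13 "Mozilla/5.0 (Macintosh) AppleWebKit/534 Safari/5.1" /pay 1.00 200
5 s1 203.0.113.14 "Mozilla/5.0 (Macintosh) AppleWebKit/534 Safari/5.1" /pay 1.00 402
6 s2 198.51.100.7 "Mozilla/5.0 (iPhone) Safari/604" /product/42 0 200
7 s2 198.51.100.7 "Mozilla/5.0 (iPhone) Safari/604" /cart/add 0 200
8 s2 198.51.100.7 "Mozilla/5.0 (iPhone) Safari/604" /pay 59.90 200
9 s3 192.0.2.50 "python-requests/2.22" /api/payments/authorize 0.50 402
10 s3 192.0.2.50 "python-requests/2.22" /api/payments/authorize 0.50 402
11 s3 192.0.2.50 "python-requests/2.22" /api/payments/authorize 0.50 200
12 s4 198.51.100.9 "Mozilla/5.0 (iPhone) Safari/604" /pay 0 200
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')
STALE_UA = re.compile(r"Safari/5\.1\b")   # assumed marker for a 2011-era browser
MICRO_AMOUNT = 2.00                       # assumed ceiling for a 'card test' charge
DECLINED = 402                            # assumed status code for a declined card


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, session, ip, ua, path, amount, status = m.groups()
        events.append({"ts": int(ts), "session": session, "ip": ip, "ua": ua,
                       "path": path, "amount": float(amount), "status": int(status)})
    return events


def is_payment(path):
    return path == "/pay" or path.startswith("/api/payments/")


def session_signals(events):
    """Return the carding signals raised by one session's time-ordered events."""
    signals = []
    pays = [e for e in events if is_payment(e["path"])]
    if len({e["ip"] for e in events}) >= 3:
        signals.append("rotating_ips")                 # Canary v1: daily IP changes
    if any(STALE_UA.search(e["ua"]) for e in events):
        signals.append("stale_browser")                # Canary v1: 2011 Safari build
    if sum(1 for e in pays if e["amount"] <= MICRO_AMOUNT) >= 3:
        signals.append("micro_charges")                # card testing with tiny amounts
    if pays and sum(1 for e in pays if e["status"] == DECLINED) / len(pays) >= 0.5:
        signals.append("high_decline_ratio")           # most stolen cards are dead
    if pays and not any(e["path"] == "/cart/add" and e["ts"] < pays[0]["ts"] for e in events):
        signals.append("pay_without_cart")             # the empty-cart control
    if pays and all(e["path"].startswith("/api/payments/") for e in events):
        signals.append("direct_payment_api")           # Shortcut: site never visited
    return signals


def analyze(text):
    """Map session id -> (verdict, signals)."""
    by_session = defaultdict(list)
    for e in parse_log(text):
        by_session[e["session"]].append(e)
    verdicts = {}
    for sid, evs in by_session.items():
        sig = session_signals(sorted(evs, key=lambda e: e["ts"]))
        verdicts[sid] = ("carding_bot" if len(sig) >= 2 else "suspicious" if sig else "ok", sig)
    return verdicts


if __name__ == "__main__":
    for sid, (verdict, sig) in analyze(SAMPLE_LOG).items():
        print(f"{sid}: {verdict:12} {', '.join(sig) or '-'}")
```

Session s3 is the interesting one: it never touches a product or cart page, only the payment API, which is why the Shortcut pattern has to be detected at the API layer rather than on the storefront.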

Pierluigi Paganini

(SecurityAffairs – carding bots, hacking)

The post Crooks use carding bots to check stolen card data ahead of the holiday season appeared first on Security Affairs.

Security Affairs newsletter Round 240

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Bad News: AI and 5G Are Expected to Worsen Cybersecurity Risks
Boardriders and its subsidiaries QuikSilver and Billabong infected with ransomware
Major ASP.NET hosting provider SmarterASP hit by ransomware attack
Apple Mail stores parts of encrypted emails in plaintext DB
Australian Govt agency ACSC warns of Emotet and BlueKeep attacks
CERTrating a new Tool to evaluate CERT/CSIRT maturity level
ZoneAlarm forum site hack exposed data of thousands of users
Bugcrowd paid over $500,000 in bug bounty rewards in one week
Buran ransomware-as-a-service continues to improve
Experts warn of spike in TCP DDoS reflection attacks targeting Amazon, SoftLayer and telco infrastructure
Facebook is secretly using the iPhone’s camera as users scroll their feed
Mexican state-owned oil company Pemex hit by ransomware
TA505 Cybercrime targets system integrator companies
A flaw in PMx Driver can give hackers full access to a device
Adobe patch Tuesday updates addressed critical flaws in Media Encoder and Illustrator products
Microsoft Patch Tuesday updates fix CVE-2019-1429 flaw exploited in the wild
New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs
Russian man Aleksei Burkov extradited for running online criminal marketplace
Canadian intelligence agencies CSE and CSIS are divided on Huawei 5G ban
CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking
Experts found privilege escalation issue in Symantec Endpoint Protection
Flaws in Qualcomm chips allow stealing private data from devices
Tracking Iran-linked APT33 group via its own VPN networks
A new sophisticated JavaScript Skimmer dubbed Pipka used in the wild
DDoS-for-Hire Services operator sentenced to 13 months in prison
New TA2101 threat actor poses as government agencies to distribute malware
The Australian Parliament was hacked earlier this year
Two men arrested for stealing $550,000 in cryptocurrency with Sim Swapping
Checkra1n, a working iPhone Jailbreak, was released
WhatsApp flaw CVE-2019-11931 could be exploited to install spyware

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 240 appeared first on Security Affairs.

DDoS-for-Hire Services operator sentenced to 13 months in prison

Sergiy P. Usatyuk, the administrator of several DDoS-for-hire services, was sentenced to 13 months in prison, followed by three years of supervised release.

Sergiy P. Usatyuk, a man that was operating several DDoS-for-hire services was sentenced to 13 months in prison, and additional three years of supervised release.

DDoS-for-hire services, aka stressers or booters, allow crooks to launch large-scale DDoS attacks by paying a subscription fee.

“An Orland Park, Illinois, resident was sentenced yesterday to 13 months in prison, followed by three years of supervised release on one count of conspiracy to cause damage to internet-connected computers for his role in owning, administering and supporting illegal booter services that launched millions of illegal denial of service, or DDoS, attacks against victim computer systems in the United States and elsewhere.” reads the press release published by the DoJ.

The defendant made hundreds of thousands of dollars by launching millions of DDoS attacks with the platforms he was operating with a co-conspirator from August 2015 to November 2017.

The illegal DDoS-for-hire services operated by the man included ExoStresser and Betabooter, among others.

An advertisement on the ExoStresser website claimed that the booter service alone had launched 1,367,610 DDoS attacks and caused targeted victim computer systems to suffer 109,186.4 hours of network downtime.

According to the authorities, Betabooter was used by one of the subscribers to the service in November 2016 to hit the school district in the Pittsburgh, Pennsylvania area, with a series of DDoS attacks. The attacks disrupted the computer systems of 17 organizations that shared the same infrastructure, including other school districts, the county government, the county’s career and technology centers, and a Catholic Diocese in the area.

DDoS-for-hire services were a profitable business for Usatyuk and his co-conspirator, who reportedly made over $550,000 from charging subscription fees to paying customers of their booter services, as well as from selling advertising space to other booter operators.

The man was sentenced on one count of conspiracy to cause damage to internet-connected computers for launching millions of DDoS attacks.

Chief U.S. District Judge Terrence W. Boyle also ordered Usatyuk to forfeit dozens of servers and other electronic equipment, as well as $542,925 in proceeds from his illegal scheme.

“DDoS-for-hire services pose a malicious threat to the citizens of our district, as well as districts across the country, by impeding critical access to the internet and jeopardizing safety and security in the process,” said U.S. Attorney Robert J. Higdon Jr. for the Eastern District of North Carolina.  “The operation and use of these services to disrupt the operations of our businesses and other institutions cannot be tolerated.  Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office.”

Pierluigi Paganini

(SecurityAffairs – DDoS-for-hire services, hacking)

The post DDoS-for-Hire Services operator sentenced to 13 months in prison appeared first on Security Affairs.

Two men arrested for stealing $550,000 in cryptocurrency with Sim Swapping

On Thursday, US authorities arrested two crooks charging them with stealing $550,000 in cryptocurrency from at least 10 victims using SIM swapping.

American law enforcement has declared war on SIM swapping scammers and announced the arrest of two individuals for stealing $550,000 in cryptocurrency.

The suspects stole the funds from at least 10 victims using SIM swapping between November 2015 and May 2018. In February, a 20-year-old college student that has stolen more than $5 million worth of cryptocurrency through SIM swapping attacks got a 10 years jail sentence.

In May, the U.S. Department of Justice charged nine individuals connected to a hacking crew focused on identity theft and SIM swapping attacks.

In SIM swap frauds crooks are able to port the phone number of the victims to a new SIM card under their control.

A SIM swap fraud is a type of fraud that defeats the additional security measures, such as SMS-based verification, that organizations introduce to protect their customers.

Attackers obtain victims’ personal information by running a phishing campaign or by purchasing it on the underground market.

Crooks use the information gathered on the victims to impersonate them to a telco operator and ask it to issue a new SIM to replace one that was supposedly lost or stolen.

They prove their identity by answering basic security questions and request the cancellation of the old SIM and the activation of a new one. Once they have obtained the new SIM, crooks control the victim’s mobile account: they can intercept or initiate calls, read SMS messages (including authorization codes sent by banks and cryptocurrency exchanges) and authorize transactions.


“Two Massachusetts men were arrested today and charged in U.S. District Court in Boston with conducting an extensive scheme to take over victims’ social media accounts and steal their cryptocurrency using techniques such as “SIM swapping,” computer hacking and other methods.” reads the press release from DoJ. “Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts, were charged in an 11-count indictment, charging them with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse and one count of aggravated identity theft. “

According to the DoJ, the two defendants, Eric Meiggs (21) and Declan Harrington (20), targeted users with high-value cryptocurrency accounts as well as executives of cryptocurrency companies.

The duo has also been charged with taking over their victims’ social media accounts, including two individuals who “had high value or ‘O.G.’ (slang for ‘Original Gangster’) social media account names.”

The duo has been charged with:

  • one count of conspiracy to commit wire fraud,
  • eight counts of wire fraud,
  • one count of computer fraud and abuse, and
  • one count of aggravated identity theft.

The defendants face a maximum penalty of 20 years in prison, the aggravated identity theft charge can add to the sentence additional 2 years in prison.

In March, the FBI issued a SIM swapping alert in response to the increasing cases of SIM jacking attacks.

In October, the U.S. Federal Trade Commission (FTC) released guidance on how to protect against SIM swapping attacks. Below is the list of countermeasures recommended by the agency:

• Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
• Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
• Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
• Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
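The last FTC point is the one with a technical reason behind it: an authenticator app derives each code from a secret shared at enrollment and the current time, so nothing is delivered over the phone number an attacker may have hijacked. As an added example (not from the FTC guidance or the DoJ case), the Python below implements the HOTP/TOTP algorithms of RFC 4226 and RFC 6238 with a skew-tolerant, constant-time verifier, plus the otpauth:// provisioning URI that enrollment QR codes carry. It uses the RFC test secret so the output can be checked against the published vectors; the account name and issuer are placeholders.

```python
"""Minimal RFC 4226/6238 one-time password generator and verifier.

Added example; not FTC or DoJ material.  Illustrates why an authenticator
app resists SIM swapping: codes come from a shared secret plus time, never
from the carrier.  The RFC test secret lets the output be checked against
the published vectors; account/issuer strings are placeholders."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, window=1, digits=6):
    """Accept the current step and +/- `window` steps of clock skew, comparing
    in constant time.  Returns the matched step offset, or None on failure."""
    t = int(time.time() if for_time is None else for_time)
    for offset in range(-window, window + 1):
        candidate = hotp(secret, (t // step) + offset, digits)
        if hmac.compare_digest(candidate, str(code)):
            return offset
    return None


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI as encoded in an enrollment QR code; the secret is
    Base32 per the common authenticator-app convention."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period=30"


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))              # 755224
    print("TOTP at t=59:  ", totp(RFC_TEST_SECRET, 59, digits=8))   # 94287082
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleShop"))
```

A server should also record the last accepted counter and refuse anything at or below it, so a code captured by phishing cannot be replayed within the same window; that bookkeeping is left out here to keep the algorithm itself visible.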

Pierluigi Paganini

(SecurityAffairs – SIM swapping, cybercrime)


The post Two men arrested for stealing $550,000 in cryptocurrency with Sim Swapping appeared first on Security Affairs.

Experts found privilege escalation issue in Symantec Endpoint Protection

Symantec addressed a local privilege escalation flaw that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2.

Symantec addressed a local privilege escalation flaw, tracked as CVE-2019-12758, that affects all Symantec Endpoint Protection client versions prior to 14.2 RU2. The vulnerability could be exploited by attackers to escalate privileges on target devices and carry out malicious actions, including the execution of malicious code with SYSTEM privileges.

The issue is similar to other vulnerabilities discovered by researchers from SafeBreach Labs in other antivirus solutions from several security vendors, including McAfee, Trend Micro, Check Point, Bitdefender, AVG and Avast.  

The flaws could allow attackers to bypass the self-defense mechanism of the antivirus solutions and deliver persistent malicious payloads.

Like other DLL hijacking issues in security solutions, the Symantec Endpoint Protection LPE flaw can be exploited only by attackers who already hold Administrator privileges, since the rogue DLL has to be written to a protected system directory.

“This vulnerability could have been used in order to bypass Symantec’s Self-Defense mechanism and achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into a process which is signed by Symantec and that runs as NT AUTHORITY\SYSTEM.” reads the advisory published by SafeBreach.

“we found a service (SepMasterService) of the Symantec Endpoint Protection which is running as signed process and as NT AUTHORITY\SYSTEM, which is trying to load the following DLL which doesn’t exist: c:\Windows\SysWOW64\wbem\DSPARSE.dll”

In the case of Symantec Endpoint Protection, the experts found that the SepMasterService service, which runs as a signed process under NT AUTHORITY\SYSTEM, attempts to load a DLL from the following path: c:\Windows\SysWOW64\wbem\DSPARSE.dll

The researchers tested the flaw by compiling a 32-bit Proxy DLL (unsigned) out of the original dsparse.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\SysWow64\Wbem, and restarted the computer:

“We were able to load an arbitrary Proxy DLL (which loaded another arbitrary DLL) and execute our code within a service’s process which is signed by Symantec Corporation as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continues the analysis.

“There are two root causes for this vulnerability:

  • No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
  • The fastprox.dll library is trying to import the dsparse.dll from its current working directory (CWD), which is C:\Windows\SysWow64\Wbem, while the file is actually located in the SysWow64 folder.”
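The observation that starts a finding like this one is a privileged process probing for a DLL that does not exist, and the hunt is usually done over a Process Monitor capture. The Python below is an added example, not SafeBreach’s tooling: it parses a Procmon-style CSV export, reports every CreateFile on a .dll that returned NAME NOT FOUND, and for each notes where the same DLL name was later opened successfully by the same process, which is exactly the wbem-then-SysWOW64 fall-through described in the two root causes. The rows, the process name SecSvcHost.exe and the plugin path are constructed.

```python
"""Spot phantom DLL loads in a Process Monitor CSV export: a privileged
process probing for a .dll that does not exist, which is the pre-condition
SafeBreach describes (the loader then falls through to wherever the DLL
really lives, and an admin can plant an unsigned one at the first path).

Added example, not SafeBreach's tooling.  The rows, the process name
SecSvcHost.exe and the plugin path are constructed; the columns follow
Procmon's default CSV export."""
import csv
import io
import ntpath

SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","SecSvcHost.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\wbem\\DSPARSE.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01","SecSvcHost.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\dsparse.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:00:02","svchost.exe","800","CreateFile","C:\\Windows\\System32\\wbem\\fastprox.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:00:03","SecSvcHost.exe","1234","CreateFile","C:\\Program Files\\Vendor\\plugins\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:04","explorer.exe","2001","CreateFile","C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def parse_procmon(text):
    """Parse a Procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def phantom_dll_loads(rows, processes=None):
    """Return phantom DLL lookups (CreateFile on a .dll -> NAME NOT FOUND).

    For each one, record the path from which the same DLL name was later
    opened successfully by the same process: that pair exposes the search
    order (wbem first, then SysWOW64) and is where a proxy DLL would sit.
    `processes` optionally restricts the hunt to the services of interest."""
    findings = []
    for i, r in enumerate(rows):
        if processes and r["Process Name"] not in processes:
            continue
        if r["Operation"] != "CreateFile" or r["Result"] != "NAME NOT FOUND":
            continue
        if not r["Path"].lower().endswith(".dll"):
            continue
        base = ntpath.basename(r["Path"]).lower()
        resolved = next((s["Path"] for s in rows[i + 1:]
                         if s["Process Name"] == r["Process Name"]
                         and s["Result"] == "SUCCESS"
                         and ntpath.basename(s["Path"]).lower() == base), None)
        findings.append({"process": r["Process Name"], "pid": r["PID"],
                         "missing": r["Path"], "later_resolved_from": resolved})
    return findings


if __name__ == "__main__":
    for f in phantom_dll_loads(parse_procmon(SAMPLE_PROCMON_CSV), {"SecSvcHost.exe"}):
        print(f"{f['process']} ({f['pid']}) probed {f['missing']} -> "
              f"{f['later_resolved_from'] or 'never resolved'}")
```

A phantom load is only exploitable if someone can write to the probed directory, so each finding still needs the directory ACL checked on the host; the script deliberately does not guess at that from a log.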

Symantec addressed the flaw with the release of the Symantec Endpoint Protection 14.2 RU2 on October 22, 2019.

“The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are being loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time it is restarted.” concludes SafeBreach.

Pierluigi Paganini

(SecurityAffairs – Symantec Endpoint Protection, hacking)

The post Experts found privilege escalation issue in Symantec Endpoint Protection appeared first on Security Affairs.

Flaws in Qualcomm chips allow stealing private data from devices

Security vulnerabilities in Qualcomm chips allow attackers to steal private data from hundreds of millions of devices, especially Android smartphones.

Security experts from Check Point have discovered security flaws in Qualcomm’s TEE implementation that could be exploited by attackers to steal private data from the so-called TrustZone.

TrustZone is a security extension that ARM integrates into Cortex-A processors to create an isolated virtual secure environment alongside the main operating system running on the application processor.

ARM TrustZone is present in all modern mobile devices; the most popular commercial implementations of a Trusted Execution Environment (TEE) for mobile devices built on ARM hardware are:

  • Qualcomm’s Secure Execution Environment (QSEE), used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung and many other devices.
  • Trustonic’s Kinibi, used on Samsung devices for the European and Asian markets.
  • HiSilicon’s Trusted Core, used on most Huawei devices.

The flaws affect the first of the above implementations, the Qualcomm’s Secure Execution Environment (QSEE).

The QSEE is a sort of hardware enclave that protects sensitive information (i.e. private encryption keys, passwords, payment card credentials) and offers a separate secure environment for executing Trusted Applications.

“TEE code is highly critical to bugs because it protects the safety of critical data and has high execution permissions. A vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking, execution of undetectable APT, and more.” reads the analysis published by Check Point. “Therefore, a Normal world OS restricts access to TEE components to a minimal set of processes. Examples of privileged OS components are DRM service, media service, and keystore. However, this does not reduce researchers’ attention to the TrustZone.”

The experts reverse-engineered Qualcomm’s Secure World operating system and built a custom fuzzing tool to find the vulnerabilities.

“We can now execute a trusted app in the Normal world. We found a way to load a patched version of signed trustlet in the Secure world and adapted the CPU emulator to communicate with it. In other words, we emulated a trustlet’s command handler on the Android OS. All that’s left to do is to repeatedly call the command handler with different inputs generated on the basis of code coverage metrics. The QEMU emulator can be used to produce such metrics.” reads the analysis. “The prepared fuzzer easily found that the prov trustlet can be crashed by the following packet.”


The experts used the fuzzing tool to test trusted code on Samsung, LG, Motorola devices, and found the following vulnerabilities in the implementation of Samsung, Motorola, and LG:

  • dxhdcp2 (LVE-SMP-190005)
  • sec_store (SVE-2019-13952)
  • authnr (SVE-2019-13949)
  • esecomm (SVE-2019-13950)
  • kmota (CVE-2019-10574)
  • tzpr25 (acknowledged by Samsung)
  • prov (Motorola is working on a fix)

Beyond the individual trustlet bugs, the research also allowed the experts to:

  • execute trusted apps in the Normal World (Android OS),
  • load patched trusted app into the Secure World (QSEE),
  • bypass the Qualcomm’s Chain Of Trust,
  • adapt the trusted app for running on a device of another manufacturer.

Check Point reported the vulnerability tracked as CVE-2019-10574 to Qualcomm in June; the flaw was addressed only a day before the publication of the research.

The security firm also disclosed its findings to all affected vendors; some of them, including LG, Samsung and Qualcomm, have already released patches.

Pierluigi Paganini

(SecurityAffairs – mobile, Qualcomm)

The post Flaws in Qualcomm chips allow stealing private data from devices appeared first on Security Affairs.

Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities. According to a report cybersecurity firm CheckPoint shared with The Hacker News, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a

Company Detected Years-Long Breach Only After Hacker Maxed Out Servers’ Storage

What could be even worse than getting hacked? It's the "failure to detect intrusions" that always results in huge losses to the organizations. Utah-based technology company InfoTrax Systems is the latest example of such a security blunder, as the company was breached more than 20 times from May 2014 until March 2016. What's ironic is that the company detected the breach only after it

A flaw in PMx Driver can give hackers full access to a device

Eclypsium experts found a vulnerability in Intel’s PMx driver that can give malicious actors deep access to a device.

In August, Eclypsium researchers found multiple serious vulnerabilities in more than 40 device drivers from tens of vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.

The experts warned that the vulnerabilities can be exploited by attackers to deploy persistent backdoors on vulnerable systems.

The experts pointed out that since they reported the issues to the vendors, only Intel and Huawei have addressed them with patches and advisories, while Insyde and Phoenix provided patches to their OEM customers.

According to Eclypsium, Intel addressed a vulnerability in its PMx Driver (PMxDrv). The vulnerability could be exploited to have full access to the devices. The driver implements a superset of all the capabilities including read and write to physical memory, model specific registers, control registers, IDT and GDT descriptor tables, debug registers, gain I/O and PCI access.

“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.” reads the analysis published by Eclypsium.”Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue.”

Experts recommend users and organizations to enable Hypervisor-protected Code Integrity (HVCI) for devices that support the feature.

HVCI only works on 7th-generation or newer processors, because it depends on newer processor features such as mode-based execution control; this means it cannot be enabled on many devices.

The only universally effective possible consist of blocking or blacklisting old, known-bad drivers.

“The only universally available option possible today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor to date to proactively contact Microsoft and ask that the old version of the driver be blocked.” concludes the report. “Due to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it can’t cause damage to the system.”

Pierluigi Paganini


The post A flaw in PMx Driver can give hackers full access to a device appeared first on Security Affairs.

New ZombieLoad v2 Attack Affects Intel’s Latest Cascade Lake CPUs

Zombieload is back. This time a new variant (v2) of the data-leaking side-channel vulnerability also affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant against attacks like Meltdown, Foreshadow and other MDS variants (RIDL and Fallout). Initially discovered in May this year, ZombieLoad is one of the three novel types of microarchitectural data

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon's Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network. In case you don't own one of these, Amazon's Ring Video Doorbell is a smart wireless home

Hackers Breach ZoneAlarm’s Forum Site — Outdated vBulletin to Blame

ZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed to The Hacker News. With nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile

Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light

A team of cybersecurity researchers has discovered a clever technique to remotely inject inaudible and invisible commands into voice-controlled devices — all just by shining a laser at the targeted device instead of using spoken words. Dubbed 'Light Commands,' the hack relies on a vulnerability in MEMS microphones embedded in widely-used popular voice-controllable systems that unintentionally

New Chrome 0-day Bug Under Active Attacks – Update Your Browser Now!

Attention readers, if you are using Chrome on your Windows, Mac, and Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. With the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are

Leading Web Domain Name Registrars Disclose Data Breach

Another day, another massive data breach—this time affecting a leading web technology company, as well as both of its subsidiaries, from where millions of customers around the world have purchased domain names for their websites. The world's top domain registrars, Network Solutions, and disclosed a security breach that may have resulted in the theft of customers' account

Two Hackers Who Extorted Money From Uber and LinkedIn Plead Guilty

Two grey hat hackers have pleaded guilty to blackmailing Uber, LinkedIn, and other U.S. corporations for money in exchange for promises to delete data of millions of customers they had stolen in late 2016. In a San Jose courthouse in California on Wednesday, Brandon Charles Glover (26) of Florida and Vasile Mereacre (23) of Toronto admitted they accessed and downloaded confidential corporate