Foxit patched a dozen vulnerabilities in its PDF reader software this week, more than half of which could allow an attacker to directly execute arbitrary code on vulnerable installations of the product.
The company released version 8.0 of its Foxit Reader and Foxit PhantomPDF on Monday, addressing vulnerabilities in builds 126.96.36.1991 and earlier of the product. Details around the issues weren’t publicly disclosed until two days later, on Wednesday, in coordination with the Zero Day Initiative.
Like most PDF vulnerabilities, user interaction is required to exploit any of the vulnerabilities, meaning an attacker would have to trick a user into either visiting a malicious page or opening a malicious PDF file. While eight of the vulnerabilities can directly result in remote code execution, technically all of the vulnerabilities could be used to execute code; some just need to be chained together with other vulnerabilities to do so.
One day after BSides LatAm, it was the turn of another security conference in Brazil: You Shot The Sheriff, now in its tenth edition. Happening on one of the coolest days in Sao Paulo, the event took place at Villa Bisutti, where the whole event was very well organised.
The welcome coffee was a good opportunity to meet some friends and also make new ones, as the majority of the security professionals from Brazil and also other countries were attending the event.
Luiz, Nelson and Willian opened the event by talking about the difference between the first edition and the tenth, showing that it has become much more mature and professional but is still a challenge to make happen. They also talked of their work to keep the event the same size, as they believe that increasing the number of attendees could decrease the quality of the event, something they work hard to improve with each edition.
After that, Anchises Moraes from RSA opened the talks by presenting about the stone age and the computing era, comparing the information gathered from paintings on cave walls that could lead us to an understanding of what happened at that time, to the information that we are storing on internet that will stay visible to the next generation.
A prolific piece of Trojan smartphone malware which installs malicious apps and games, and continually pushes pop-up adverts onto victims' phones, is making its creators as much as $500,000 per day.
Hummer was first discovered by the Cheetah Mobile Security Research Lab in 2014, but the malware initially lay dormant for many months. However, a blog post by the security researchers details how Hummer started infecting hundreds of thousands of phones in summer last year, before exploding into 2016.
Every time the Trojan installs a new application on the infected devices, it's thought the developers make $0.50. While that may sound like a small amount, the proliferation of Hummer means its creators make big bucks.
On the morning of 26th June, news of a phishing campaign hit the Israeli media. Thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment.
Kaspersky Lab decided to investigate. We quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. We also found that the attack was not confined to Israel, but was hitting targets worldwide.
The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating their legitimate browser session and replacing it with a malicious one that included a tab to the legitimate Facebook login page. This was designed to lure the victim back into the social network site.
Upon logging back into Facebook the victim’s session was hijacked in the background and a new file was downloaded. This represented the second stage of the attack, as embedded in this file was an account-takeover script that included a privacy-settings changer, account-data extractor and other tools that could be used for further malicious activity, such as spam, identity theft and generating fraudulent ‘likes’ and ‘shares’. Further, the malware infection loop began again as malicious notifications were sent to all the victim’s Facebook friends.
A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations.
Ransomware typically is thought of as a consumer threat, encrypting victims’ files and demanding payments in order to get the decryption key. But more and more ransomware variants are targeting enterprises, as attackers have figured out that forcing large payments from one company is more efficient than squeezing smaller payments out of hundreds of individual victims. The SamSam ransomware variant, which has some worm-like behavior, has been seen attacking businesses specifically. A large-scale ransomware infection on a corporate network can have myriad consequences, but in a health-care organization it can have a variety of privacy and regulatory ramifications, too.
The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.
The Flash Keyboard app has been downloaded more than 50 million times -- but is capable of some extremely dangerous behaviors.
"It looked like it was a convenient keyboard that had some nice features," said Bill Anderson, chief product officer at mobile security company OptioLabs. "The marketing copy in the app store looked great."
For a while, the app was in the top 20 downloads for the Google Play Store, he added.
"The problem was that it asked for just about every permission that an app could ask for," he said. "It was an especially long list. And surprisingly, most people said yes. But the permissions were so excessive that it turned this thing into a potentially marvelous way to hack phones."
At Google I/O 2016, there was a lot of excitement about the pending release of the latest Android operating system Android N and its many features. Dave Burke, VP of Engineering (Android) at Google, announced that among those features would be automatic system updates.
With automatic updates, your phone will automatically download the newest software update available in the background and install it the next time you restart it. So automatic updates sound great, but you might be asking, what’s the big deal? In order to answer that question, let me provide a brief background on the history of updating when it comes to Android devices.
From April 2014 to March 2015, Kaspersky Lab security solutions for Android protected 35,413 users from mobile ransomware. A year later the number had increased almost four-fold to 136,532 users. The share of users attacked with ransomware as a proportion of users attacked with any kind of malware also increased: from 2.04% in 2014-2015 to 4.63% in 2015-2016. The growth curve may be less than that seen for PC ransomware, but it is still significant enough to confirm a worrying trend.
The geography of mobile ransomware is quite similar to the one for PC ransomware, with a few notable differences. In 2014-2015 the percentage of mobile users attacked with ransomware was fairly low, much lower than that seen for PCs.
A database of heightened-risk individuals and organizations, some of which are thought to be involved in financial crime, corruption, and terrorism, has leaked.
The so-called World-Check Risk Screening database contains 2.2 million names of people and companies, according to Chris Vickery, a security researcher at MacKeeper, who said on a Reddit thread that he acquired the database.
The database dates back to mid-2014, and it contains names, dates, places of birth, and other sensitive information, which is collected from law enforcement records, political information, articles, blog posts, and social media, among other sources.
The Wi-Fi Alliance industry group is now certifying products that can deliver multi-gigabit speeds and improve coverage in dense networks by delivering data to multiple devices simultaneously.
The new certification program, announced today, focuses on the so-called "Wave 2" features of the 802.11ac specification. 802.11ac is a few years old, but it includes several important features that were not available at launch. One such feature is MU-MIMO (multi-user, multiple-input, and multiple-output), which we wrote a feature on in May 2014. MU-MIMO is powered by multi-user beamforming technology that lets wireless access points send data streams to at least three users simultaneously. Without MU-MIMO, routers stream to just one device at a time but switch between them very fast so that users don't notice a slowdown except when lots of devices are on the network.
After nearly two years of construction, Google along with a consortium of telecom providers announced the completion of the FASTER broadband cable system that links Japan and the United States. The cable system is the fastest of its kind and stretches nearly 9,000 km across the bottom of the Pacific Ocean.
At 60 Terabits per second, FASTER will help “support the expected four-fold increase in broadband traffic demand between Asia and North America.” The system uses a six-fiber pair cable and the latest 100Gbps digital coherent optical transmission technology.
If you’re one of the millions who rocked out at Hard Rock Hotel and Casino Las Vegas or slurped noodles at a Noodles & Company fast food chain in the past year, it’s time to get paranoid. Both companies announced this week separate breaches that include unauthorized access to credit card data.
The Hard Rock Hotel and Casino Las Vegas began notifying guests and patrons of “certain restaurant and retail outlets” located at its Las Vegas casino that hackers breached payments systems extracting credit card data. Credit card data exposed included cardholder name, card number, expiration date, and internal verification code.
“After receiving reports of fraudulent activity associated with payment cards used at the Hard Rock Hotel and Casino Las Vegas, the resort began an investigation of its payment card network and engaged a leading cyber-security firm to assist,” the company said in a statement.
In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark (February 2016), in Italy (February 2016), and in both Denmark and Italy (April 2016).
Unlike the RuMMS campaign, these three campaigns in Europe used view overlay techniques (the same technique we described being used by SlemBunk malware) to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.
This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part #1 here, we present a general overview of the font security area, followed by a high-level explanation of the fuzzing effort we have undertaken, including the overall results and case studies of two bug collisions. In the upcoming part #2, we will share the specific technical details of the project, and how we tried to optimize each part of the process to the maximum extent, and go beyond the current state of the art in Windows kernel font fuzzing.
Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.
"These vulnerabilities are as bad as it gets," Tavis Ormandy, a researcher with Google's Project Zero, wrote in a blog post. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected. Ormandy warned that the vulnerability is unusually easy to exploit, allowing the exploits to spread virally from machine to machine over a targeted network, or potentially over the Internet at large.
Three US healthcare organisations are reportedly being held to ransom by a hacker who stole data on hundreds of thousands of patients.
The hacker has also put the 650,000 records up for sale on dark web markets where stolen data is traded.
Prices for the different databases range from $100,000 (£75,000) to $411,000.
Buyers have already been found for some of the stolen data, the hacker behind the theft told news site Motherboard.
No information about the size of the ransom payment sought by the data thief has emerged, although he did say it was "a modest amount compared to the damage that will be caused to the organisations when I decide to publicly leak the victims".
The organisations that data was stolen from are known to be based in Missouri, Georgia and the midwest. The attacker told Motherboard that he would not name the organisations, to give them a chance to pay up.
Symantec has discovered an app on Google Play that steals photos and videos from the popular social media app Viber. Beaver Gang Counter masquerades as a score keeping app for a popular card game but secretly searches for media files related to the Viber app and sends them to a remote server.
It is not just the enterprise, banks and individuals that are targeted by cybercriminals looking to cash in on data and rinse bank accounts.
Things have taken a more sinister turn with the introduction -- and evolution -- of attacks specifically designed to compromise medical devices, which places both patient health and information at serious risk.
A new report released by security firm TrapX on Monday highlights how this trend is becoming more and more serious, and healthcare organizations must sit up and take note of these emerging threats before it is too late.
We've already seen ransomware attacks levied against hospitals this year which have successfully disrupted critical services and taken down full systems, with some hospitals giving in and paying a ransom to resume operating.
This kind of malware, although often heartbreaking for victims and capable of immense disruption, is not in the same ballpark as other attacks which are striking hospitals for the purpose of tampering with devices and data.
Most ransomware programs encrypt files with a locally generated AES (Advanced Encryption Standard) key, which is then itself encrypted with a public RSA key that's part of a public-private key pair. The private key, which is needed for decryption, is sent to a command-and-control server operated by attackers and deleted from the local computer.
Bart does not use public key cryptography like RSA. It scans for files with certain extensions -- music, photos, videos, archives, documents, databases and more -- and then locks them in password-protected ZIP archives using the naming format: original_name.extension.bart.zip.
The ZIP format supports AES encryption natively, so its creators didn't need to implement AES themselves, which is prone to errors. This doesn't mean Bart is flawless, but, at least for now, there's no known way to recover the affected files.
Because it doesn't use public-private key pairs, the new ransomware program doesn't need a command-and-control server either, significantly reducing the costs of development for its creators.
The attackers use only a Tor-hosted payment gateway where victims can submit their malware-generated unique ID, pay the ransom in bitcoin and receive a decryptor. The ransom amount is 3 bitcoins, or around US$1,920, which is high, especially if the victim is not a company.
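The naming and encryption pattern described above (original_name.extension.bart.zip holding AES-protected ZIP entries) lends itself to a simple host-side check. The following Python scanner is an added example, not code from the article or from any vendor: it walks ZIP local file headers and flags files with the .bart.zip suffix whose entries carry the WinZip AES extra field (header ID 0x9901, compression method 99); the archive bytes used for demonstration are constructed inline, not real samples.

```python
"""Flag Bart-style artifacts: files named <orig>.<ext>.bart.zip whose ZIP
entries are password-protected with the WinZip AES extension.
Added example; the sample archives built below are constructed test data."""
import os
import struct

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<HHHHHIIIHH"   # the 26 bytes that follow the signature
AES_EXTRA_ID = 0x9901              # WinZip AES extra-field header ID
AES_METHOD = 99                    # compression method meaning "AES encrypted"
FLAG_ENCRYPTED = 0x0001            # general-purpose flag bit 0


def parse_zip_entries(data: bytes) -> list:
    """Walk the local file headers at the start of a ZIP image.

    Returns one dict per entry with its name, encrypted flag, compression
    method and, when the WinZip AES extra field is present, the key strength
    (1 = AES-128, 2 = AES-192, 3 = AES-256). Entries that rely on a trailing
    data descriptor (flag bit 3, compressed size 0) are not followed here.
    """
    entries = []
    pos = 0
    while pos + 30 <= len(data) and data[pos:pos + 4] == LOCAL_HEADER_SIG:
        (_ver, flags, method, _mtime, _mdate, _crc, csize, _usize,
         nlen, elen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos + 4)
        name_start = pos + 30
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        extra = data[name_start + nlen:name_start + nlen + elen]
        aes_strength = None
        epos = 0
        while epos + 4 <= len(extra):
            hid, hsize = struct.unpack_from("<HH", extra, epos)
            if hid == AES_EXTRA_ID and hsize >= 7:
                # layout: vendor version(2) "AE"(2) strength(1) real method(2)
                aes_strength = extra[epos + 8]
            epos += 4 + hsize
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,
            "aes_strength": aes_strength,
        })
        pos = name_start + nlen + elen + csize
    return entries


def is_bart_artifact(path: str, data: bytes) -> bool:
    """True when the name follows <name>.<ext>.bart.zip AND the archive holds
    at least one entry marked encrypted with the WinZip AES method."""
    if not path.lower().endswith(".bart.zip"):
        return False
    stem = os.path.basename(path)[:-len(".bart.zip")]
    if "." not in stem:   # Bart keeps the original extension inside the name
        return False
    return any(e["encrypted"] and (e["method"] == AES_METHOD or e["aes_strength"])
               for e in parse_zip_entries(data))


def scan_directory(root: str) -> list:
    """Return paths under root that look like Bart output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".bart.zip"):
                continue
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(1 << 20)   # local headers sit at the start
            if is_bart_artifact(full, head):
                hits.append(full)
    return hits


def build_sample_zip(inner_name: bytes, payload: bytes, aes: bool) -> bytes:
    """Construct a single-entry ZIP image, optionally marked as WinZip AES-256.
    Constructed test data only: the payload bytes are not real ciphertext."""
    if aes:
        extra = (struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack("<H", 2)
                 + b"AE" + bytes([3]) + struct.pack("<H", 8))
        flags, method = FLAG_ENCRYPTED, AES_METHOD
    else:
        extra, flags, method = b"", 0, 0
    header = struct.pack(LOCAL_HEADER_FMT, 20, flags, method, 0, 0, 0,
                         len(payload), len(payload), len(inner_name), len(extra))
    return LOCAL_HEADER_SIG + header + inner_name + extra + payload


if __name__ == "__main__":
    sample = build_sample_zip(b"budget.xlsx", b"\x00" * 16, aes=True)
    print("budget.xlsx.bart.zip ->", is_bart_artifact("budget.xlsx.bart.zip", sample))
    print("archive.zip          ->", is_bart_artifact("archive.zip", sample))
```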
A botnet of over 25,000 bots lies at the heart of recent DDoS attacks that are ferociously targeting businesses around the world. More exactly, we're talking about massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites.
US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and they say it's mainly composed of compromised CCTV systems from around the world.
Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri's main product, its WAF (Web Application Firewall).
Sucuri thought they had this one covered, just as in other cases where companies move their sites behind the WAF, the WAF blocks the attacks, and the attacker eventually moves on to other targets.
Instead, they were in for a surprise. While the initial attack was a Layer 7 DDoS with over 35,000 HTTP requests per second hitting the server and occupying its memory with garbage traffic, as soon as the attackers saw the company upgrade their website, they quickly ramped up the attack to 50,000 requests.
For Layer 7 attacks, this is an extraordinarily large number, enough to drive any server into the ground. But this wasn't it. The attackers continued their assault at this high level for days.
The new version of the CryptXXX ransomware is spreading primarily through spam, said Caleb Fenton, senior security researcher at SentinelOne, in a technical description of the find posted Monday.
CryptXXX has been a fast and moving target for researchers, considered by some to be “hot new kid on the block” when it comes to ransomware – even nipping at the heels of the notorious Locky ransomware when it comes to infection rates and distribution. In May cybercriminals released an updated CryptXXX 3.100 version of the ransomware that includes a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack.
Now, SentinelOne reports, cybercriminals have updated CryptXXX again, tweaking the encryption engine further to prevent free, unspecified decryption tools from working. According to a Kaspersky Lab support page, the RannohDecryptor utility worked on numerous updated versions of the CryptXXX ransomware. However, in late May, with the 3.100 release of CryptXXX, the RannohDecryptor was no longer able to decrypt files from the 3.100 version of the ransomware, although it is still effective against earlier versions.
The Seychelles-based VPN provider Proxy.sh has withdrawn an exit node from its warrant canary—a statement certifying that "to the date of publication, no warrants, searches, or seizures that have not been reported in our Transparency Report, have actually taken place."
The blog post in question simply states: "We would like to inform our users that we do not wish any longer to mention France 8 (188.8.131.52) in our warrant canary until further notice." The statement implies that the France 8 node has been subject to a warrant, but that a gag order forbids Proxy.sh from revealing that fact directly. It is not clear who served the warrant, and for obvious reasons, Proxy.sh is unable to say.
However, the TorrentFreak site obtained the following comment from Proxy.sh: "We recommend our users to no longer connect to it. We are striving to do whatever it takes to include that node into our warrant canary again."
Proxy.sh went on to say: "The warrant canary has been particularly designed to make sure we could still move without being legally able to answer questions in a more detailed manner. We are happy to see it put to use after all and that our users are made aware of it."
Ransomware behavior has been the talk of the town. We have seen oddly long ransom payment deadlines from GOOPIC, password stealing capabilities from RAA, chat support from the latest JIGSAW variant, and all these are just incidents discovered this June. But among these new behaviors, we came across a unique behavior in MIRCOP crypto-ransomware.
Detected as RANSOM_MIRCOP.A, MIRCOP places the blame on users and does not give victims instructions on how to pay the ransom. In fact, it assumes that victims already know how to pay them back.
The emphasis on paying them back paints the situation that the victims already know who to send the ransom demand to. The whole note, which displays a hooded figure in a Guy Fawkes mask, suggests that victims may have “stolen” from a notorious hacktivist group and threatens further actions if the victims are unable to pay.
MIRCOP demands that users pay a ransom of 48.48 bitcoins (US$ 28,730.70 as of June 23, 2016), which is among the highest demands we have seen. And at the end of the note, the author leaves a bitcoin address. Unlike other ransomware notes where victims are instructed step-by-step on how to make the payment, MIRCOP suggests that the victim is familiar with making bitcoin transactions. We checked the address and as of this writing, no payments have yet been made.
* Possibility to brute force promo codes in riders.uber.com
* Possibility to get private email using UUID
* Enumerating UserIDs with phone numbers
* Use Partner/Driver App Without Being Activated
* Possible to View Driver Waybill via Driver UUID
* Information regarding trips from other users
The IRS was gearing up to kill e-file PINs later this year, but it has decided to speed up its plans after discovering suspicious activity. These electronic filing personal identification numbers, which people could use to authenticate tax returns filed online, are no longer available on IRS.gov or via the agency's toll-free phone number. If you'll recall, identity thieves used malware to steal taxpayers' info from other websites, which was then used to generate 100,000 PINs, back in February. The thieves were actually gunning for 464,000 PINs, but the agency was able to stop them before they got near that number.
Telegram, the supposedly secure messaging app, has over 100 million users. You might even be one of them. If you are, you should probably stop using it right now. Here’s the unfortunate truth about Telegram: it’s not as secure as the company’s marketing campaigns might lead you to believe.
According to interviews with leading encryption and security experts, Telegram has a wide range of security issues and doesn’t live up to its proclamations as a safe and secure messaging application.
One major problem Telegram has is that it doesn’t encrypt chats by default, something the FBI has advocated for. “There are many Telegram users who think they are communicating in an encrypted way, when they’re not because they don’t realize that they have to turn on an additional setting,” Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the American Civil Liberties Union, told Gizmodo. “Telegram has delivered everything that the government wants. Would I prefer that they used a method of encryption that followed industry best practices like WhatsApp and Signal? Certainly. But, if it’s not turned on by default, it doesn’t matter.”
There appears to be no end in sight to the ransomware epidemic. New stats released by security researchers at Kaspersky Lab show that the number of users who came across crypto ransomware in the last year increased by more than 500 percent over the previous year.
The variety and volume of ransomware being deployed by attackers has continued to grow at an alarming rate in the last year or so, with pioneering strains such as CryptoLocker, CryptoWall, and others being joined by dozens of new variants. It’s difficult to overstate how much of an effect the emergence of ransomware has had on consumers, enterprises, and the security industry itself. The FBI has been warning users about crypto ransomware for some time now, and has consistently advised victims not to pay any ransoms. Security researchers have been publishing decryption tools for specific ransomware variants and law enforcement agencies have had some success in taking down ransomware gangs.
An elaborate "piracy" phishing operation is targeting U.S. Internet providers and subscribers. Scammers are using the name of anti-piracy tracking company IP-Echelon and rightsholders such as Lionsgate, to send fake DMCA notices and settlement demands to ISPs. U.S. law enforcement has been notified and is currently investigating the matter.
For more than a decade copyright holders have been monitoring unauthorized downloads. Traditionally this resulted in harmless takedown notices, but increasingly, these warnings are bundled with automated “fines.”
Rightscorp and CEG TEK are the best known anti-piracy outfits employing this tactic, and this week another party appeared to have joined.
NASCAR team Circle Sport-Leavine Family Racing (CSLFR) revealed today it faced a ransomware infection this past April when it almost lost access to crucial files worth nearly $2 million, containing car parts lists and custom high-profile simulations that would have taken 1,500 man-hours to replicate.
The infection took place on the computer belonging to Dave Winston, CSLFR's crew chief. Winston's staff detected the infection when encrypted files from Winston's computer began syncing to their joint Dropbox account.
The crew notified Winston, who isolated his computer from the rest of the network, but by that time the ransomware's encryption process had already gathered all the data it needed to lock the rest of the files.
Googling for details on their ransomware infection, the team discovered they were infected with the TeslaCrypt ransomware. The crooks behind TeslaCrypt later decided to abandon their criminal operations and released a free decryption key in mid-May, about a month after CSLFR's infection.
A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.
Happily, just days before my story, point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self-checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.
Malicious applications can use the noise emitted by a computer's fans, modulated through their speed, to relay information to a nearby recording device and steal data from air-gapped, isolated systems.
Other researchers proved in the past that malware could use low-frequency sounds sent through the computer's speakers to exfiltrate data from targeted systems to a nearby microphone-enabled device.
This particular scenario has been proven feasible over the past years, and because of the likelihood of something like this happening, in environments with tight security, some administrators have removed speakers from air-gapped systems.
Four researchers from the Ben-Gurion University of the Negev in Israel have created Fansmitter, a piece of malware that takes the above scenario, but instead of speakers, it uses a computer's fans to send data from the infected host.
Because all data is basically a sequence of ones and zeros, the researchers created Fansmitter to take over the computer's fan speed and make it work at two different speeds, corresponding to a binary "1" and a binary "0".
Fansmitter works with CPU, GPU, or chassis-mounted fans, and can be effective from one to four meters away. Researchers consider this a reliable distance up to which a microphone or a smartphone can be left behind to record sounds emanated from the computer.
For the past decade, Hollywood’s battle against online pirates has mainly been focused on leaked DVD screeners and illegal streaming sites. Now a pair of security researchers say they’ve discovered a vulnerability in the Google Chrome browser that allows people to save illegal copies of movies from streaming sites like Netflix and Amazon Prime.
The vulnerability, first reported by Wired, takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime.
The FBI’s apparent capability to unmask users of the Tor Network has caused hand-wringing among those concerned with privacy and civil liberties, many of whom are busy trying to win legal battles to get law enforcement to confess as to how they’re doing it.
A team of academics and researchers, however, have come up with a technique called selfrando they believe defends against such attacks.
The technique will be presented next month at the Privacy Enhancing Technologies Symposium (PETS) in Darmstadt, Germany, but according to the researchers, the Tor Project is already conducting field tests in hardened versions of the Tor Browser used for testing purposes.
The team of nine includes: Mauro Conti of the University of Padua, Stephen Crane and Andrei Homescu of Immunant, Tommaso Frassetto, Christopher Liebchen and Ahmad-Reza Sadeghi of the Technische Universität Darmstadt, Mike Perry and Georg Koppen of The Tor Project, and Per Larsen of the University of California, Irvine. They have already published a paper explaining their work titled “Selfrando: Securing the Tor Browser against De-anonymization Exploits.”
An anime site popular in Mexico and South America has been infected with malware redirecting visitors to a Neutrino Exploit Kit landing page.
The site, Jkanime, streams anime video and has 33 million monthly visitors.
Neutrino is currently the top dog among exploit kits after two of the bigger kits, Angler and Nuclear, have apparently been abandoned.
Researchers at Forcepoint, a Raytheon company, disclosed the attacks this week. Nicholas Griffin, senior security researcher said the payload is the CryptXXX 3.0 ransomware, which has mainly been distributed by Neutrino since Angler’s disappearance in late June.
Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit.
According to Rapid7, the vulnerability has been found in injectable code payloads through the Swagger Code Generator for NodeJS, PHP, Ruby, and Java. If exploited, attackers can remotely execute code in a client or server to interact with definition of service systems, a concept the team says could be an "interesting space for future research."
Other similar programming languages in the tool are possibly affected.
A lot of folks in the business (and consumer) world are shaking in their boots about ransomware. It’s understandable. Ransomware is a dangerous threat and, if not protected against, can do serious damage to a company’s data, reputation, and bottom line.
But the truly alarming part is that ransomware is being delivered by malvertising. Malvertising can do this without you knowing (until it’s too late) and without your users taking a single “unsafe” action online. And even mainstream websites are being infected by malvertising—blacklisting dodgy domains doesn’t solve the problem for you or your users.
So malvertising and ransomware. A match made in hell. Let’s take a closer look at the destruction left in their wake and what businesses can do to protect against them.
It seems that those annoying cyberyobs that call themselves the Lizard Squad might have struck again. Sigh! It looks like they’ve run a DDoS (Distributed Denial of Service) attack against Blizzard’s Battle.net servers, stopping players of the popular Overwatch game from – well – playing.
A DDoS is cybervandalism that involves flooding a system with so much data that it’s unusable. If skillful hacking is like picking the lock to a door then a DDoS is stopping others from using the door by piling things up in front of it.
IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.
Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.
The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.
Late Wednesday evening, hackers operating under the name Poodle Corp. compromised the WatchMojo.com YouTube channel and started tagging dozens of videos.
The account hijacking was quickly detected, and the company turned to YouTube for assistance.
WatchMojo is known for its Top 10 videos on a number of topics. In 2013, the brand was listed as the 50th largest channel on YouTube. On Twitter, the company said it is aware "of the hack on our YouTube channel and we're working with YouTube to fix the changes."
A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves.
The evidence exists to proclaim Flash as one of today's most vulnerable and insecure software applications. Targeted in cyber-espionage and malvertising campaigns, Flash has gotten a bad reputation, and for a good reason.
Security researchers have discovered vulnerabilities in Flash almost every month, and for many years, Adobe has been slow to patch them. Things changed recently after browser vendors threatened to have the plugin disabled for most of their users.
But Adobe's new approach to Flash security issues came a little too late, as the community had already worked for years at adding the appropriate features to HTML5 and other standards in order to replace Adobe's piece of junk.
HTML5 was officially released in October 2014, and slowly but surely, started to replace Flash in the advertising market, where many ad networks such as Google and Amazon have announced they'll stop taking static Flash ads, even if still allowing Flash for video ads.
If you have an idea for an app but don't know the first thing about building it, Google has the course for you.
Launched on Wednesday, the Google Android Basics Nanodegree offers to teach beginners how to build a simple Android app in Java. There are no prerequisites. Google says the target student is anyone who's used a smartphone to surf the web.
All of the individual courses that make up the Nanodegree are available online for no charge, Google said, while Udacity offers additional paid services.
The course material, developed by Google, is hosted on learning platform Udacity and builds on earlier programs such as the Android Nanodegree for Beginners. The basics course takes around four weeks if the student commits six hours a week and upon completion they'll have created two basic apps built in Android Studio.
"Some security experts who inspected that new version of iOS got a big surprise.
They found that Apple had not obscured the workings of the heart of its operating system using encryption as the company has done before. Crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see. That would aid anyone looking for security weaknesses in Apple’s flagship software.
Security experts say the famously secretive company may have adopted a bold new strategy intended to encourage more people to report bugs in its software—or perhaps made an embarrassing mistake. Apple declined to comment on why it didn’t follow its usual procedure."
WordPress last week updated to version 4.5.3, a security release for all versions of the content management system.
The update patches more than two dozen vulnerabilities, including 17 bugs introduced in the last three releases, all published this year. Many of the vulnerabilities can be exploited remotely and allow an attacker to take control of a website running on WordPress.
The platform continues to focus on security; already this year WordPress has updated a handful of times with sizable security updates and in April, turned on free encryption for custom domains hosted on WordPress.
Last week’s update patches vulnerabilities affecting versions 4.5.2 and earlier.
An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said.
The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis who found the flaw.
Details were privately disclosed on April 19 to the Swagger API team and then on May 9 to CERT, Rapid7 said. To date, Rapid7 Security Research Manager Tod Beardsley told Threatpost, there has been no response from Swagger’s maintainers. Rapid7 said it shared its patch with CERT on June 16 and today made its public disclosure.
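As an added illustration of the class of problem described in the two Swagger items above (not Rapid7's Metasploit module, not Scott Davis's proposed patch, and not the payloads Rapid7 disclosed), the following Python lint walks a Swagger 2.0 document and flags string fields that a code generator would paste verbatim into comments, string literals or identifiers. The field names it watches, the sequences it treats as dangerous and the sample spec are all constructed assumptions about a typical template-driven generator:

```python
"""Lint a Swagger/OpenAPI 2.0 document for values that would break out of
the code templates a generator pastes them into.

Added example, not Rapid7's or Swagger's code. The interpolated field names
and the dangerous sequences are assumptions about a typical generator, and
SAMPLE_SPEC is constructed for this illustration."""
import json
import re

# Fields whose values commonly land verbatim inside generated comments,
# string literals or identifiers (assumption about the templates).
INTERPOLATED_FIELDS = {"description", "summary", "title", "operationId", "name"}

# Sequences that terminate the context the value is pasted into: a closing
# block comment (Java/PHP/JS), a quote closing a string literal, a line
# break that can start a new statement, or a template directive.
DANGEROUS = {
    "closes block comment": re.compile(r"\*/"),
    "closes string literal": re.compile(r"""["'`]"""),
    "line break": re.compile(r"[\r\n]"),
    "template expression": re.compile(r"\{\{|\$\{|<%"),
}


def _walk(node, path=()):
    """Yield (json_path, key, value) for every string-valued key in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield path + (key,), key, value
            else:
                yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, path + (str(i),))


def find_injectable_fields(spec):
    """Return a list of (json_path, reason, offending_value) findings."""
    findings = []
    for path, key, value in _walk(spec):
        if key not in INTERPOLATED_FIELDS:
            continue
        for reason, pattern in DANGEROUS.items():
            if pattern.search(value):
                findings.append(("/".join(path), reason, value))
    return findings


def sanitize_for_template(value):
    """Neutralise the same sequences before a value reaches a template:
    break comment terminators, escape backslashes and quotes, join lines."""
    value = value.replace("*/", "* /")
    value = value.replace("\\", "\\\\")
    for quote in ('"', "'", "`"):
        value = value.replace(quote, "\\" + quote)
    return " ".join(value.splitlines())


# Constructed sample: a description that tries to close the comment a Java
# generator would wrap it in, then smuggle a statement after it.
SAMPLE_SPEC = json.loads(r'''{
  "swagger": "2.0",
  "info": {"title": "Pets", "version": "1.0"},
  "paths": {
    "/pets": {
      "get": {
        "operationId": "listPets",
        "description": "List pets */ System.exit(1); /*",
        "responses": {"200": {"description": "ok"}}
      }
    }
  }
}''')

if __name__ == "__main__":
    for path, reason, value in find_injectable_fields(SAMPLE_SPEC):
        print(f"{path}: {reason}: {value!r}")
        print("  sanitized ->", sanitize_for_template(value))
```

Run against a spec pulled from an untrusted party before feeding it to any generator; a clean spec returns an empty list, and the sanitizer is deliberately conservative (it mangles legitimate `*/` in prose) because a generator has no way to tell documentation from payload once the value is inside a template.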
Certificate authority Let’s Encrypt is celebrating a major milestone in the young nonprofit’s existence, having issued its 5 millionth certificate this month. Let’s Encrypt launched to the general public just seven months ago.
“Our goal is to get the entire web 100 percent HTTPS,” said Josh Aas, executive director for the Internet Security Research Group, the nonprofit that helped launch Let’s Encrypt. “By adding 5 million certificates, representing 7 million unique domains, we are now within reach of encrypting 50 percent of all internet traffic,” Aas said in an interview with Threatpost.
In December 2015, according to data culled from Firefox telemetry, roughly 39.5 percent of Firefox browser page loads were protected by HTTPS connections. Today the number is 45 percent.
For many LinkedIn is a handy way of keeping up with old colleagues and maybe even finding a new job -- and many think that the bigger their network of contacts, the better.
So if a contact request comes in from a recruiter, even one they had never heard of before, many might think there would be little harm in accepting.
But what if that wasn't a recruiter, but rather a hacker using a fake profile in order to gain access to you, your contact details, and the rest of your network? In connecting you've potentially put yourself and your company at risk of being hacked, breached, or otherwise targeted by cybercriminals.
Certainly people are often more than willing to accept a request from a complete stranger to join their network on LinkedIn.
In fact, according to a survey of 2,000 people by cybersecurity researchers at Intel Security, nearly one quarter (24 percent) say they've connected to someone they don't know on LinkedIn, thus potentially allowing hackers to access a wealth of information which could be used for spear-phishing, malware drops, and other nefarious means.
Partners in crime: investigating mobile app collusion
Mobile operating systems support multiple communication methods between apps running on mobile devices. Unfortunately, these handy interapp communication mechanisms also make it possible to carry out harmful actions in a collaborative fashion. Two or more mobile apps, viewed independently, may not appear to be malicious. However, together they could become harmful by exchanging information with one another. Multiapp threats such as these were considered theoretical for some years, but McAfee Labs recently observed colluding code embedded in multiple applications in the wild. In this Key Topic, we provide a concise definition of mobile app collusion, explain how mobile app collusion attacks are manifested, and how businesses can protect themselves from such attacks.
The state of cryptographic algorithms
Trust is an Internet cornerstone, built on the belief that messages and files freely exchanged on the Internet are authentic. Foundational to that are hashing functions that transform messages and files into a short set of bits. But what happens if cybercriminals break these hashing functions? In this Key Topic, we examine mainstream hashing functions and explain how they become more susceptible to cyberattacks as processor performance increases. We also show the volume of certificates still signed by outdated and weakened hashing functions, including certificates used in industrial and critical infrastructure applications. Finally, we make the case that businesses should actively migrate to stronger hashing functions.
Pinkslipbot: back from its slumber
After three years in hibernation, W32/Pinkslipbot (also known as Qakbot, Akbot, QBot) has re-emerged. This backdoor Trojan with wormlike abilities initially launched in 2007 and quickly earned a reputation for being a damaging, high-impact malware family capable of stealing banking credentials, email passwords, and signing certificates. Pinkslipbot infections dwindled in 2013 but made an aggressive return near the end of 2015. The malware now includes improved features including antianalysis and multilayered encryption abilities to prevent it from being reverse engineered by malware researchers. In this Key Topic, we document its history, evolution, recent updates, and the botnet infrastructure. We also provide details about its self-update and data exfiltration mechanism as well as McAfee Labs’ effort to monitor Pinkslipbot infections and credential theft in real time.
We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and have affected over 850,000 devices worldwide.
Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. This framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community.
In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.
A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 (£640,000) in civil penalties and implement a privacy program to settle charges that it violated federal law.
The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.
Specifically, the FTC alleged, InMobi collected nearby basic service set identifiers (BSSIDs), which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocoder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.
Advantech has published a new version of its WebAccess product to address vulnerabilities that put installations at risk to remote code execution attacks.
Exploiting the vulnerabilities would be a challenge, however, according to an advisory published Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
ICS-CERT said the flaws, which affect versions prior to 8.1_20160519, would require an attacker to entice the victim to accept a crafted DLL and load it, decreasing the chances the bugs could be exploited.
“These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction,” ICS-CERT said in its advisory. “The exploit is only triggered when a local user runs the vulnerable application, which in certain scenarios can cause it to load a DLL file from an untrusted source.”
The scourge of ransomware over the past two years has been impressive – and not in a good way. The number of frustrated computer users locked out of their PCs is at an all-time high with no signs of the ransomware epidemic relenting.
According to security experts, the last two years have seen an astounding growth in the number of people encountering ransomware. Between April 2015 and March 2016 the number of users hit by ransomware rose 17.7 percent worldwide compared to the prior year, according to a new report by Kaspersky Lab.
The in-depth report reveals that tactics have changed significantly for ransomware criminals with crypto ransomware now the dominant strain of ransomware versus Windows blocker ransomware, where a user is blocked from accessing their OS or web browser via a pop-up window.
Criminal hackers are fickle about their attack vectors. You need to look no further for evidence of this than their constant migration from one exploit kit to another. And while there is an expansive menu of exploit kits, attackers do seem to congregate around a precious few.
Researchers who study exploit kits closely, however, are reporting that two major kits, Angler and Nuclear, may be off the table. Both are responsible for tens of millions of dollars in losses, and countless web-based infections dropping everything from ransomware to click-fraud malware. But the recent arrests of the Russian gang behind the Lurk malware may have put an end to the availability of the Angler Exploit Kit, and an exposé from Check Point Software Technologies has apparently done in the Nuclear Exploit Kit.
French researcher Kafeine, who specializes in exploit kits, said he has not seen any Nuclear activity since April 30, and no Angler activity since June 7.
The libarchive programming library was recently patched against three critical memory-related vulnerabilities that could be abused to execute code on computers running the vulnerable software.
As is the case with most open source software packages, patching the core library is only half the battle; admins must now ensure that third-party software running the library is also fixed, and that’s not an easy task.
“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected,” said Cisco Talos researcher Marcin Noga in a report published Tuesday. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
When we eventually get to look back on 2016, we might be tempted to label it “The Year of Leaking Voter Lists.”
The year began with many people distraught to learn that a database with voter registration records of 191 million voters had been exposed online. Voter registration lists include name, address, political party, telephone number, and whether the voter voted in the last elections and primaries. It appeared that many Americans never knew that these lists were generally considered public records.
But while they were adjusting to that piece of information, they also learned that there was a second leaking voter database with more than 56 million voter records that exposed not only voter registration data but personal information such as Christian values, bible study, and gun ownership in 19 million profiles.
Both databases had been uncovered by Chris Vickery, a security researcher at the cybersecurity firm MacKeeper. And they were both eventually secured after Chris Vickery, this reporter, and Steve Ragan of CSO began making some phone calls and trying to track down the source of the leaks.
This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled who encountered ransomware at least once in a given period. The term ransomware covers mainly two types of malware: so-called Windows blockers (they block the OS or browser with a pop-up window) and encryption ransomware. The term also includes select groups of Trojan-Downloaders, namely those that tend to download encryption ransomware upon infection of a PC. Nowadays, encryption ransomware is widely regarded as synonymous with ransomware, although, according to Kaspersky Lab statistics, the number of users that regularly encounter blockers remains high.
Social media and advertising fraud investigations firm Sadbottrue has discovered a botnet of three million Twitter accounts, along with two smaller botnets of 100,000 bots each, which they suspect to be behind online services that sell or rent Twitter followers.
Selling Twitter followers is a lucrative business, even if Twitter forbids it. People crave attention, and companies don't want to embarrass themselves by having only 100 followers.
Usually, services that sell Twitter followers leverage botnets of a few thousand bots, which at the push of a button will become your followers.
Registering millions of Twitter accounts is out of the question since Twitter's staff might very easily detect a huge spike in new user account registration and investigate, exposing the botnet.
But that's exactly what happened, according to Sadbottrue, who discovered a huge botnet that was registered on the same day, on April 17, 2014. That's about 35.4 registrations per second.
The crooks behind this botnet also managed to synchronize their Twitter usernames with the Twitter ID. The Twitter account ID is usually assigned to a user after he registers, so a few tests were probably carried out in advance.
Germany’s Seafile says it was forced to stop using PayPal.
A German Dropbox rival claims PayPal dropped it as a customer because it refused the payment company’s demands to spy on its users’ data.
Seafile GmbH informed its customers on Saturday that they would no longer be able to pay for the service using PayPal—the only payment method that the company had in place.
“We’re looking into alternative payment services, but currently we’re running a cloud service and not getting paid,” CEO Silja Jackson told Fortune.
For the last month, attackers have used a combination of phishing and typosquatting to carry out a campaign aimed at stealing Bitcoin and blockchain wallet credentials.
More than 100 phony Bitcoin and blockchain domains have been set up so far, many of which mimic legitimate Bitcoin wallets. Most of the sites were registered on May 26 and more continue to pop up daily, suggesting the campaign is still in its early going.
Artsiom Holub, Dhia Majoub, and Jeremiah O’Connor, researchers with OpenDNS’ Security Labs, traced connections between IP addresses, name servers and Whois indicators over the last few weeks in order to determine the scope of the campaign.
Cyren, an Israeli cloud-based security firm, spotted the first signs of life from the campaign in early June when it observed the domain blocklchain[.]info spreading through a pay-per-click advertising scam via Google AdWords. If a user was tricked into visiting the site – a replica of the real deal – and actually logged in, they would have handed their Blockchain credentials over to attackers.
The attacker managed to combine 2 exploits. The first exploit was to call the split DAO function recursively. That means the first regular call would trigger a second (irregular) call of the function and the second call would trigger another call and so on. The following calls are done in a state before the balance of the attacker is set back to 0. This allowed the attacker to split 20 times (have to look up the exact number) per transaction. He could not do more—otherwise the transactions would have gotten too big and eventually would have reached the block limit. This attack would already have been painful. However—what made it really painful is that the attacker managed to replicate this attack from the same two addresses with the same tokens over and over again (roughly 250 times from 2 addresses each). So the attacker found a second exploit that allowed them to split without destroying the tokens in the main DAO. (They managed to transfer the tokens away before they get sent to address 0x0 and only after this they are sent back.) The combination of both attacks multiplied the effect. Attack one on its [own] would have been very capital intensive (you need to bring up 1/20 of the stolen amount upfront)—attack two would have taken a long time.
NEC has announced plans to establish a AU$4.38 million Global Security Intel Centre (GSIC) in Adelaide that will focus on Internet of Things (IoT) security.
The IT services firm expects the cost of cyber attacks against enterprise and government IT systems to rise as the adoption of smart technologies and connected devices that make up the IoT accelerates.
Once established, the centre will form part of NEC's cybersecurity network, with the GSIC expected to complement security-focused facilities located globally, including Japan and Singapore.
The South Australian government has welcomed the GSIC, calling it a major boost to the state's IT capabilities.
A new scam, in which fraudsters pose as legitimate ISPs to offer bogus tech support, either via the phone or on the net, is on the rise, the BBC has found.
It is a twist on an old trick which involved cold-calling a victim - often claiming to represent Microsoft - and charging for fake tech support.
The new variants have been spotted in the UK and US.
BT said that it is investigating the issue.
The online version of the scam involves a realistic pop-up which interrupts a victim's normal browsing session with a message that appears to be legitimate and seems to come from the victim's real ISP.
US security firm Malwarebytes has spotted several from US and Canadian ISPs, including Comcast and AT&T. It has also seen webpages created for UK ISPs, including TalkTalk and BT.
In the month since activist hacking group Anonymous pledged to target banks across the world, senior officials have said the public websites of the central banks of both Indonesia and South Korea have been hit by cyber attacks.
In response to the attempted hacks, Bank Indonesia has blocked 149 regions that do not usually access its website, including several small African countries, deputy governor Ronald Waas told Reuters.
Waas said several central banks were hit by similar attacks and were sharing the IP addresses used by the perpetrators.
According to officials, no money was lost in the attacks on Bank Indonesia and the Bank of Korea, which were mainly distributed denial of service (DDoS) attempts. They also said there is no word on who is responsible for the attacks.
Using two-step authentication, normally a code from an app or texted to you, is a crucial, but highly irritating, part of logging into all manner of things.
From banking, Facebook, Twitter, Apple and Yahoo to World of Warcraft, Steam and Xbox Live, two-step authentication is seen as the way to make our insecure username and password system slightly safer.
Most rely on typing in a freshly generated six or eight-digit code after having logged in with a username and password.
Now Google is attempting to make the whole process less irritating and much faster, using a push notification which users can simply accept to login.
Apple is keeping typically tight-lipped about a remote code execution vulnerability it patched in its AirPort router firmware.
Last night, Apple released an advisory warning users of the AirPort Express, AirPort Extreme and AirPort Time Capsule base stations that a new firmware was available—AirPort Base Station Firmware Update 7.6.7 and 7.7.7—and should be applied immediately.
“A memory corruption issue existed in DNS data parsing,” Apple’s advisory reads. “This issue was addressed through improved bounds checking.”
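Apple's advisory gives no detail beyond "DNS data parsing" and "improved bounds checking", so the following is not a description of the AirPort bug. It is an added example of the checks a DNS name parser has to make on every read: a length octet or compression pointer can send a naive parser past the end of the packet or into an endless loop, and each of those cases is rejected here. The packets are constructed inline:

```python
"""Parse the name field of a DNS message with explicit bounds checks.

Added example of the parsing discipline; not Apple's firmware code and not
a reconstruction of the AirPort flaw. Test packets are constructed inline."""

MAX_NAME = 255  # RFC 1035 limit on the wire form of a name


class DnsParseError(ValueError):
    pass


def read_name(buf: bytes, offset: int):
    """Return (dotted_name, offset_of_next_field).

    Every read is checked against len(buf); a compression pointer must point
    strictly before the last position we jumped from, so a looping packet
    fails instead of spinning; the total encoded length is capped at 255."""
    labels = []
    total = 0
    end = None      # where the next field starts once a pointer is followed
    bound = offset  # pointers must target an offset below this
    pos = offset
    while True:
        if pos >= len(buf):
            raise DnsParseError("name runs past end of packet")
        length = buf[pos]
        if length == 0:
            pos += 1
            break
        kind = length & 0xC0
        if kind == 0xC0:
            if pos + 1 >= len(buf):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= bound:
                raise DnsParseError("pointer does not point strictly backwards")
            if end is None:
                end = pos + 2
            bound = target
            pos = target
            continue
        if kind != 0:
            raise DnsParseError("reserved label type")
        if pos + 1 + length > len(buf):
            raise DnsParseError("label runs past end of packet")
        total += length + 1
        if total > MAX_NAME:
            raise DnsParseError("name longer than 255 octets")
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos)


def check_name(buf: bytes, offset: int) -> str:
    """Name on success, 'error: ...' on a malformed packet; handy for logging."""
    try:
        return read_name(buf, offset)[0]
    except DnsParseError as exc:
        return "error: " + str(exc)


# Constructed packet: 12-byte header, "example.com" at offset 12, then
# "www" followed by a pointer back to offset 12 at offset 25.
PKT = bytes(12) + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"

if __name__ == "__main__":
    print(read_name(PKT, 12))
    print(read_name(PKT, 25))
    for bad in (b"\x05abc", b"\x03abc", b"\xc0\x00", b"\xc0"):
        print(bad, "->", check_name(bad, 0))
```

Note that the parser returns the offset after the first pointer, not after the name it resolved to, since that is where the next field of the record actually begins; getting that wrong is a common source of reads that run off the end of a record.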
Hackers have taken control of virtual cash worth $60m (£41m) by exploiting a bug in a system designed to help start-ups.
The attack targeted an investment fund called the DAO which is based on technology derived from the Bitcoin crypto-currency.
DAO members are now debating how to recover the diverted funds.
One suggestion involves rolling back the entire computerised system to a time when the hack had not happened.
In the movie Sneakers, a motley gang of security experts chase after a little black box that can crack any form of encryption. Though the idea of a digital skeleton key may seem like the stuff of Hollywood thrillers, there are researchers at the University of Michigan who've recently created just that. They've built a stealthy hardware back door that can be inserted into the blueprints of a computer chip to give intruders complete access to a system after executing an obscure series of commands.
Consider the implications: This kind of low-level attack is extremely difficult to detect and even more challenging to defend against. If a small group of university professors can successfully cook up their own little black box, imagine what an intelligence service with federal backing can do. William Binney, the National Security Agency's (NSA) former technical leader for intelligence, claims that with the NSA's budget of over $10 billion a year, "they have more resources to acquire your data than you can ever hope to defend against."
But it's not just the government that's watching us. IBM recently filed a patent for "monitoring individuals using distributed data sources," a stark reminder that much of what people do with their mobile devices is scooped up and stored in corporate data silos for later analysis. It's an inconvenient fact that Silicon Valley prefers to drown out with marketing pitches.
Citrix Systems is forcing all its GoToMyPC remote desktop access service customers to reset their passwords because of a “very sophisticated attack” that targeted the service over the weekend.
John Bennett, product line director for Citrix said the attack was a result of leaked passwords from other accounts used to crack open existing GoToMyPC accounts.
“Citrix can confirm the recent incident was a password reuse attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett told Threatpost in an email statement.
It's no big secret that Google's Chrome browser is a bit of a battery hog. The native browsers on both Windows and macOS (Edge and Safari) are widely reported to outlast Google's offering. In its latest campaign, Microsoft is quantifying this difference: in a test that cycles through some common sites including Facebook, YouTube, Wikipedia, and Amazon, Microsoft's latest browser lasted 7 hours and 22 minutes on a Surface Book system. Chrome lasted just 4 hours and 19 minutes.
Between these extremes were Firefox, at 5 hours and 9 minutes, and Opera in battery-saving mode, at 6 hours and 18 minutes.
Microsoft has gone a step beyond just measuring how long each system runs by measuring the power draw of the Wi-Fi, CPU, and GPU during its test workload. A task that drew 2.1W in Edge pulled 2.8W in Chrome, 3.1W in Opera, and 3.2W in Firefox. This lower draw translates to the longer battery life.
Backdoors into encrypted communications may soon be mandatory in Russia.
A new bill in the Russian Duma, the country's lower legislative house, proposes to make cryptographic backdoors mandatory in all messaging apps in the country so the Federal Security Service—the successor to the KGB—can obtain special access to all communications within the country.
Apps like WhatsApp, Viber, and Telegram, all of which offer varying levels of encrypted security for messages, are specifically targeted in the "anti-terrorism" bill, according to Russian-language media. Fines for offending companies could reach 1 million rubles or about $15,000.
Two mobile variants of Triada and Horde malware have been spotted in the wild by Check Point Software Technologies researchers who warn the latest samples have adopted dangerous new techniques including the ability to evade Google’s security on some OS versions.
The Android Trojan called Triada, researchers say, now is capable of infecting the Android default browser along with three other niche Android OS browsers including 360 Secure, Cheetah and Oupeng. Once infected, attackers can intercept browser URL requests. Next, if a user happens to visit one of a number of specific URLs, the malware will deliver a spoofed website designed to capture personal financial data.
Up until now, Triada’s main function was to steal money via SMS messages as part of in-app purchases. However, armed with the new URL spoofing capabilities, the Triada Android malware can now intercept any URL on infected phones and entice a user to “enter credentials in a fraudulent page, or even download additional malware, without knowing he is visiting a malicious site,” wrote Oren Koriat, Check Point analyst, in a research blog outlining his research.
The number of network infections generated by some of the most prolific forms of malware -- such as Locky, Dridex, and Angler -- has suddenly declined.
Instances of malware and ransomware infection have risen massively this year, but cybersecurity researchers at Symantec have noticed a huge decline in activity during June, with new infections of some forms of malicious software almost at the point where they've completely ceased to exist.
Locky has been one of the most prolific ransomware threats of 2016, as the high-profile infection of a Hollywood hospital demonstrated, but researchers have seen very few new cases of the system locking malware in recent weeks -- and that's just a month after infections peaked.
Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.
The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware.
Algeria has temporarily blocked access to social media across the country in an attempt to fight cheating in secondary school exams.
Almost half of students are being forced to retake the baccalaureat exam, starting on Sunday, after the initial session was marred by online leaking.
In just one week back in February this year, Akamai's security products picked up automated attacks that employed over one million different IPs to test login credentials and hijack user accounts.
Akamai says the crooks used 1,127,818 different IPs to launch 744,361,093 login attempts using 220,758,340 distinct email addresses.
Attackers targeted multiple services, but a vast majority of the login attempts were aimed at two companies, one in the financial sector, and one in media & entertainment.
The automated attack against the financial target accounted for over 90 percent of the total attack volume.
Akamai says crooks used 993,547 distinct IPs to check 427,444,261 accounts. The security and networking giant was alerted to the presence of this campaign because 22,555 IPs had been previously blacklisted by their WAF (Web Application Firewall).
The campaign against the financial institution started strong, with the attackers using over 248,000 IPs on the first day, and ended even stronger with the attackers using over 526,000 IPs on the seventh day, which accounted for more than half of the total IPs used in the attack.
Windows 10 already includes ways to clear out applications and data to repair misbehaving systems or prepare them to be sold, courtesy of the Refresh and Reset features added in Windows 8. Microsoft is now adding a third option: a new refresh tool.
High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday.
The so-called white-hat hackers were turned loose on five public Pentagon internet pages and were offered various bounties if they could find unique vulnerabilities. The Pentagon says 1,410 hackers participated in the challenge and the first gap was identified just 13 minutes after the hunt began.
Overall, they found 1,189 vulnerabilities, but a review by the Pentagon determined that only 138 were valid and unique.
The experiment cost $150,000. Of that, about half was paid out to the hackers as bounties, including one who received the maximum prize of $15,000 for submitting a number of security gaps. Others received varying amounts, down to as little as $100.
"These are ones we weren't aware of, and now we have the opportunity to fix them. And again, it's a lot better than either hiring somebody to do that for you, or finding out the hard way," said Carter.
There has been a sudden drop-off in activity relating to a number of major malware families in recent weeks. Dridex (W32.Cridex), Locky (Trojan.Cryptolocker.AF), the Angler exploit kit and Necurs (Backdoor.Necurs) are among the threats that appear affected by this development. Following reports of scaled-back activity by a range of cybercrime gangs, Symantec telemetry has confirmed that some of these groups have virtually ceased operating, while others appear to have greatly scaled back activity.
Locky has been one of the most prevalent ransomware threats in recent months, but Symantec has seen very few new Locky cases, either from spam campaigns or exploit kits, since the beginning of June. While the threat has not disappeared, there has been a significant dip in activity, indicating that there has been some disruption in the actors' operations or a conscious decision to scale back.
CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.
And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."
Thus, the choice is American-built-and-backdoored or nothing, apparently.
The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data.
Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.
“This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” GitHub said in an advisory published Thursday by Shawn Davenport, GitHub VP of security. “We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts."
GitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.
Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.
The latest update brings Flash to v. 184.108.40.206 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.
The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I've got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.
Mozilla is experimenting with a new feature in Firefox that lets users log in to the same site with two different accounts.
Containers is an "experimental" feature in Firefox Nightly version 50, which is designed to reflect the idea that people project different aspects of themselves in different contexts in real life. Containers brings that concept to the web.
Mozilla security engineer Tanvi Vyas says it will allow "users to log in to multiple accounts on the same site simultaneously and gives users the ability to segregate site data for improved privacy and security."
The feature could improve the browser experience for people who currently use two browsers to log in to, say, two separate Twitter accounts or mail accounts at the same time.
It may also benefit those who use a secondary browser to isolate ad trackers from their primary browser. Vyas notes that users can open private tabs to do these tasks, but this approach lacks some of the conveniences of normal mode.
Security firm QuintessenceLabs (QLabs) has taken to quantum computing to find the solution for secure communication.
John Leiseboer, CTO of QLabs, said that the bigger picture of what his organisation does is build random number generators using quantum techniques as well as build key management systems which generate, store, and distribute key material, as well as manage the policies associated with the usage of cryptographic applications.
"We use a special algorithm called one time pad which has some very powerful security properties, the most important being something called information theoretic security which basically means there are no attacks that can be mounted algorithmically or through computational power that can crack it. It is as good as the key itself," Leiseboer said.
On June 14, someone using what appears to have been a list of e-mail addresses and passwords obtained from the breach of "other online services" made a massive number of login attempts to GitHub's repository service. A review of logins by GitHub's administrators found that the attacker had gained access to a number of accounts, according to a blog post by Shawn Davenport, Vice President of Security at GitHub.
It’s not clear what the source of the e-mail/password combinations was, but there are certainly plenty of them out there right now—the recent bounty of "megabreaches," consisting of aged passwords from MySpace, Tumblr, LinkedIn and the dating site Fling, totaled more than 642 million accounts in all. And though they date back more than three years, there may have still been some that were being re-used by their owners on GitHub.
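Both the Akamai campaign and the GitHub incident above are credential stuffing: many source IPs each cycling through reused email/password pairs, with most attempts failing and a few succeeding. The following is an added example, not code from Akamai or GitHub, that triages constructed login records per target service (distinct IPs, accounts tried per IP, failure rate, overlap with an assumed WAF blocklist) and lists the accounts that did log in from a flagged source so they can be forced through a password reset; the thresholds are assumptions sized to the tiny sample.

```python
"""Credential-stuffing triage over constructed login records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class LoginEvent:
    target: str
    src_ip: str
    email: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse constructed lines of the form 'target src_ip email OK|FAIL'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        target, src_ip, email, outcome = line.split()
        events.append(LoginEvent(target, src_ip, email.lower(), outcome == "OK"))
    return events


# Constructed sample: a burst against "bank" from four sources, each trying
# several unrelated accounts with mostly wrong passwords, plus ordinary
# traffic against "media". Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
bank 198.51.100.10 alice@example.com FAIL
bank 198.51.100.10 bob@example.com FAIL
bank 198.51.100.10 carol@example.com OK
bank 198.51.100.11 dave@example.com FAIL
bank 198.51.100.11 erin@example.com FAIL
bank 198.51.100.11 frank@example.com FAIL
bank 203.0.113.5 grace@example.com FAIL
bank 203.0.113.5 heidi@example.com FAIL
bank 203.0.113.5 ivan@example.com OK
bank 203.0.113.6 judy@example.com FAIL
bank 203.0.113.6 mallory@example.com FAIL
bank 203.0.113.6 oscar@example.com FAIL
media 192.0.2.44 peggy@example.com OK
media 192.0.2.44 peggy@example.com FAIL
media 192.0.2.45 trent@example.com OK
"""

# Constructed: sources a WAF had already blocklisted before this campaign.
KNOWN_BAD_IPS = frozenset({"203.0.113.5", "203.0.113.6"})


@dataclass
class TargetReport:
    attempts: int
    distinct_ips: int
    distinct_emails: int
    failure_rate: float
    emails_per_ip: float
    blocklisted_ip_fraction: float
    is_stuffing: bool
    accounts_to_reset: List[str]


def summarise(events: Iterable[LoginEvent],
              known_bad: FrozenSet[str] = frozenset(),
              max_emails_per_ip: float = 2.0,
              min_failure_rate: float = 0.6) -> Dict[str, TargetReport]:
    """Score each target. Thresholds are assumptions tuned to the sample;
    production values would be far larger and baselined per service."""
    by_target: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_target[ev.target].append(ev)

    reports = {}
    for target, evs in by_target.items():
        emails_by_ip: Dict[str, set] = defaultdict(set)
        failures = 0
        for ev in evs:
            emails_by_ip[ev.src_ip].add(ev.email)
            failures += not ev.success
        distinct_ips = len(emails_by_ip)
        emails_per_ip = sum(len(s) for s in emails_by_ip.values()) / distinct_ips
        failure_rate = failures / len(evs)
        blocklisted = len(known_bad.intersection(emails_by_ip)) / distinct_ips
        # A source is flagged if it cycles through many accounts or was already
        # blocklisted; the target is under a stuffing campaign when that
        # behaviour dominates and most attempts fail (wrong or stale passwords).
        flagged_ips = {ip for ip, emails in emails_by_ip.items()
                       if len(emails) > max_emails_per_ip or ip in known_bad}
        is_stuffing = emails_per_ip > max_emails_per_ip and failure_rate >= min_failure_rate
        to_reset = sorted({ev.email for ev in evs
                           if is_stuffing and ev.success and ev.src_ip in flagged_ips})
        reports[target] = TargetReport(
            attempts=len(evs), distinct_ips=distinct_ips,
            distinct_emails=len({ev.email for ev in evs}),
            failure_rate=failure_rate, emails_per_ip=emails_per_ip,
            blocklisted_ip_fraction=blocklisted, is_stuffing=is_stuffing,
            accounts_to_reset=to_reset)
    return reports


if __name__ == "__main__":
    for name, rep in summarise(parse_log(SAMPLE_LOG), KNOWN_BAD_IPS).items():
        print(name, rep)
```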
The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute.
Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, the study found that companies lose $158 per compromised record. Breaches in highly regulated industries like healthcare were even more costly, reaching $355 per record – a full $100 more than in 2013.
“The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don’t have a plan in place to deal with this process efficiently,” said Caleb Barlow, Vice President, IBM Security. “While the risk is inevitable, having a coordinated and automated response plan, as well as access to the right resources and skills, will make or break how much a company is impacted by a security event.”
Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email artist currently flagged by anti-spam activists as one of the world’s Top 10 Worst Spammers, was reportedly raided by the FBI in connection with a federal spam investigation.
According to a June 9 story at ABC News, on April 27, 2016 the FBI raided the San Diego home of Persaud, who reportedly has been under federal investigation since at least 2013. The story noted that on June 6, 2016, the FBI asked for and was granted a warrant to search Persaud's iCloud account, which investigators believe contained "evidence of illegal spamming" and wire fraud to further [Persaud's] spamming activities."
Persaud doesn't appear to have been charged with a crime in connection with this investigation. He maintains his email marketing business is legitimate and complies with the CAN-SPAM Act, the main anti-spam law in the United States, which prohibits the sending of spam that spoofs the sender's address or does not give recipients an easy way to opt out of receiving future such emails from that sender.
Cisco has alerted users of vulnerabilities in the web interface of its RV series of wireless VPN firewalls and routers that allow for remote code execution.
The networking giant, however, isn’t planning on releasing firmware updates until the third quarter, Cisco said. Cisco says it is not aware of public attacks against these vulnerabilities, but users will remain exposed until at least September; workarounds are not available either.
“The vulnerability is due to insufficient sanitization of HTTP user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request with custom user data,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code with root-level privileges on the affected system, which could be leveraged to conduct further attacks.”
Cisco said the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router are affected.
Attackers have rekindled their love affair with Windows macros over the last few years, using the series of automated Office commands as an attack vector to spread malware. And while hackers will surely continue to use macros, at least until the technique becomes ineffective, new research suggests they may be shifting gears and beginning to use another proprietary Microsoft technology to deliver threats.
Attackers have been placing malicious code alongside object linking and embedding (OLE) code, along with well-formatted text and images. According to researchers with Microsoft who observed the behavior, it’s being done to trick users into enabling the object or content and in turn, running the malicious code.
OLE technology allows content such as images and text to be embedded in a document from elsewhere, usually from another application. If a user wants to edit the embedded data, they can allow Windows to activate the originating application and load the content.
The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.
Yu says the attacker can leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim's network traffic through a point controlled by the attacker.
By network traffic, Yu refers to all traffic, not just Web HTTP and HTTPS. This includes OS updates, software upgrades, Certificate Revocation List updates via Microsoft's Crypto API, and other OS maintenance operations.
"It does not require the attacker [to] reside in the same network," Yu writes in a technical preview offered to Softpedia. "The attack can even succeed when there are firewall and NAT devices in between."
A flaw in the popular Telegram Messenger app that allows attackers to crash devices and run up wireless data charges is being disputed by the app maker who calls the claims false.
According to two Iranian-based researchers, Sadegh Ahmadzadegan and Omid Ghaffarinia, Telegram users are vulnerable to attacks via specially crafted messages that can bypass size limits and crash devices that receive the messages. Additionally, the researchers claim that if Telegram users are on paid and metered cellular data plans, those malicious messages could also be costly to recipients, because data plans are depleted and possible overage charges are incurred.
The Federal Bureau of Investigation (FBI) reports that "exposed dollar losses" to CEO fraud emails total $3.1bn since October 2013.
The FBI revealed the figure in a new public-service announcement (PSA) on the Internet Crime Complaint Centre (IC3) to warn businesses about criminals who use bogus email accounts to pose as CEOs to trick financial controllers into wiring funds to the fraudsters' bank accounts.
The new numbers suggest CEO fraud or "business email compromise" may be a vastly bigger problem for businesses than previously thought.
In April the FBI reported victims worldwide had lost $2.3bn to the scam between October 2013 and February 2016.
Verizon fixed a critical flaw in its Verizon.net messaging system that permitted attackers to hack the email settings of other customers and forward email to any email account.
The flaw, found by Randy Westergren, a senior software developer with XDA Developers, impacted any of Verizon’s estimated 7 million FiOS subscribers who depended on their Verizon.net email accounts. Westergren initially reported the vulnerability to Verizon on April 14. The vulnerability was fixed by Verizon on May 12. Public disclosure of the flaw was Monday.
"I confirmed a very serious vulnerability: any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc.," Westergren wrote in a technical description of the vulnerability.
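The bug class Westergren describes is a missing ownership check: the account to modify is taken from the request rather than from the authenticated session. The following added example (not Verizon's code; names, service class and fixture are constructed) places that pattern beside a hardened handler that ties the change to the session principal, validates the new address and records refused attempts for the SOC.

```python
"""Forwarding-address change with and without an ownership check (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Account:
    user_id: str
    forward_to: Optional[str] = None


@dataclass(frozen=True)
class Session:
    """Principal established at login; nothing in the request can alter it."""
    user_id: str


@dataclass
class MailSettingsService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def set_forwarding_vulnerable(self, session: Session,
                                  target_user_id: str, forward_to: str) -> str:
        """The bug: the account to modify comes from the request, and the
        handler never checks that it belongs to the caller."""
        acct = self.accounts[target_user_id]
        acct.forward_to = forward_to
        return acct.forward_to

    def set_forwarding_hardened(self, session: Session,
                                target_user_id: str, forward_to: str) -> str:
        """Authorisation is tied to the session principal; a mismatch is
        refused and logged so repeated probing is visible to the SOC."""
        if target_user_id != session.user_id:
            self.audit.append(f"DENY {session.user_id} -> {target_user_id}")
            raise PermissionError("only the account owner may change forwarding")
        if not EMAIL_RE.match(forward_to):
            raise ValueError("invalid forwarding address")
        acct = self.accounts[session.user_id]
        acct.forward_to = forward_to
        self.audit.append(f"ALLOW {session.user_id} -> {forward_to}")
        return acct.forward_to


def build_demo_service() -> MailSettingsService:
    """Constructed fixture: two ordinary subscribers with no forwarding set."""
    svc = MailSettingsService()
    for uid in ("alice", "bob"):
        svc.accounts[uid] = Account(uid)
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    # bob's session, alice's account: the vulnerable handler accepts it
    print(svc.set_forwarding_vulnerable(Session("bob"), "alice", "bob@other.example"))
    try:
        svc.set_forwarding_hardened(Session("bob"), "alice", "bob@other.example")
    except PermissionError as exc:
        print("refused:", exc, svc.audit)
```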
Microsoft pushed out 16 bulletins on Tuesday addressing 44 different vulnerabilities in its software, including Windows, Exchange Server, Office, Edge, and Internet Explorer.
Five of the bulletins have been branded critical because each vulnerability associated with them could be used to carry out remote code execution; the remaining 11 are marked important.
According to experts, one of the more concerning critical fixes involves a use after free vulnerability that affects Microsoft Windows DNS server for Windows Server 2012 and 2012 R2. If an attacker sent a specially crafted request to a DNS server, they could convince it to run arbitrary code, Microsoft’s advisory warns.
A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities.
The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com.
The company didn't outright confirm the breach, but said it was investigating.
"We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email.
Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.
The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts.
The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some GOP political action committees, U.S. officials said. But details on those cases were not available.
The ransomware, dubbed RAA by researchers, has been circulating through attachments masquerading as Word .doc files according to Lawrence Abrams, who wrote about the malware late Monday night on his site BleepingComputer.com.
Initially discovered by two security researchers, @JAMES_MHT and @benkow_, RAA encrypts files using code from CryptoJS, an open source library that’s easy to use and handles cipher algorithms like AES, DES, and so on. In this instance, RAA scans victims’ machines and encrypts select files with AES-256.
Adobe today said it will patch Flash Player this week, addressing a vulnerability being exploited in “limited, targeted attacks.”
The flaw, CVE-2016-4171, exists in versions of Flash prior to, and including, 220.127.116.11 on Windows, Macintosh, Linux and ChromeOS platforms.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its notification.
Artificial intelligence and big data are white hot technologies but both need to analyse vast amounts of data to work effectively: now Apple is trying to see if it is possible to use both without compromising its tough stance on protecting users' privacy.
At the company's World Wide Developers' Conference in San Francisco the company announced a number of initiatives around machine learning and data analytics.
Apple said it will use a deep learning technology called long short-term memory to make its Quicktype keyboard able to offer more intelligent options during conversations, for example automatically offering up your current location from Maps if the question crops up in a chat with a friend.
It is also using deep learning and computer vision to allow the iPhone to provide facial recognition so users can sort pictures of different people into albums. It's applying the same kind of technology to object and scene recognition as well -- doing 11 billion computations per photo to be able to understand what is in each image -- which can then be used to search for them later. Apple said it is also using artificial intelligence to analyse a user's photo library to cluster images by location, people or scenes into a new 'memories' tab.
Browser makers and other tech companies have gone to great pains to beef up weak crypto libraries, in particular those that are exposed to fallback attacks such as POODLE.
Attackers exploiting these vulnerabilities are able to dial back the encryption protecting communication to SSLv2 and SSLv3, for example, forcing servers to fall back to these weaker versions of the protocol should a more secure connection fail. With attacks such as POODLE, an attacker that successfully forces a fallback could steal private keys and decrypt traffic.
As more of these weaker versions of the libraries are replaced, more and more continue to pop up in embedded and connected devices.
Siemens has provided firmware updates addressing vulnerabilities in two popular product lines, the SIMATIC WinCC flexible and the SIMATIC S7-300 CPU family.
The SIMATIC S7-300 flaw is a denial-of-service issue that could be remotely exploited to cause the device to go into defect mode, an advisory from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) said. Admins would need to perform a cold restart to recover affected systems.
SIMATIC S7-300 CPUs with Profinet support prior to V3.2.12, and SIMATIC S7-300 CPUs without Profinet support prior to V3.3.12 are affected, Siemens said.
Security researchers have discovered a variant of the FLocker Android ransomware that not only infects mobile devices, but also can infect smart TVs running certain versions of the operating system.
The FLocker ransomware has been active for more than a year now, and it is in many ways a typical piece of mobile ransomware. It is designed to scare victims into paying a ransom–$200 in this case–by locking the infected device and throwing up a screen that accuses the victim of some fictitious crime. The ransomware doesn't appear to encrypt files on an infected device, but it locks the screen so the user can't open any other apps or take any other actions until paying the ransom.
Researchers at Trend Micro said they have seen various versions of FLocker over the last year and the activity level of the ransomware has varied. The newest version of the malware, however, includes the ability to infect smart TVs, many of which run Android.
Reddit user FiletOfFish1066 just got fired from his programming job. The reason and circumstances will completely blow your mind, though. FiletOfFish1066 (FOF) worked at a well-known tech company in the Bay Area and for six full years did nothing except play League of Legends, browse Reddit, work out in a gym, and basically do whatever he felt like doing. Guess how much his company paid him to basically do nothing for a full six years? $95,000 per year on average.
“From around 6 years ago up until now, I have done nothing at work. I am not joking. For 40 hours each week I go to work, play League of Legends in my office, browse reddit, and do whatever I feel like. In the past 6 years I have maybe done 50 hours of real work. So basically nothing. And nobody really cared. The tests were all running successfully. I shit you not, I had no friends or anything at work either, so nobody ever talked to me except my boss and occasionally the devs for the software I was testing.” -Reddit via Payscale Career News
KrebsOnSecurity has featured several recent posts on “insert skimmers,” ATM skimming devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. I’m revisiting the subject again because I’ve recently acquired how-to videos produced by two different insert skimmer peddlers, and these silent movies show a great deal more than words can tell about how insert skimmers do their dirty work.
Last month I wrote about an alert from ATM giant NCR Corp., which said it was seeing an increase in cash machines compromised by what it called "deep insert" skimmers. These skimmers can hook into little nooks inside the mechanized card acceptance slot, which is generally quite a bit wider than the width of an ATM card.
“The first ones were quite fat and were the same width of the card,” said Charlie Harrow, solutions manager for global security at NCR. “The newer ones are much thinner and sit right there where the magnetic stripe reader is.”
US Army-funded researchers at MIT believe an optical equivalent of a "sonic boom" created using graphene could make chips a million times faster than they are today.
Researchers at MIT and several other universities have discovered that graphene can be used to slow light down below the speed of electrons to create an intense beam of light.
The researchers call the effect an "optic boom", since it is similar to the sonic boom caused by shock waves when a jet breaks the speed of sound.
In graphene, an electron "spews out plasmons" when it moves faster than the speed of the trapped light. The researchers believe this new way of converting electricity into light could pave the way for light-based circuits in ultra-compact computing devices.
MIT highlights that the research was supported by US Army Research Laboratory and the US Army Research Office, through MIT's Institute for Soldier Nanotechnologies.
MIT postdoc Ido Kaminer explains that using light instead of flowing electrons to move and store data could push operating speeds up to vastly higher levels than those achieved by today's chips.
It's time to face the facts: no matter how secure you might believe your corporate network to be, sooner or later, cybercriminals will find their way in.
They could enter using stolen credentials, they could find their way in using malware, or they could be in the system for some time before you realise something is wrong.
You understandably panic when hackers have infiltrated your network and look to shut down the infected PCs, because that's the correct thing to do, right? Wrong. The FBI has warned that while this might be an understandable impulse, it's not always the right decision.
"When we come into an incident, most people want to immediately fix it, they want it to go away as fast as possible," said Kurt Pipal, assistant legal attaché at the Office of the Legal Attaché for the FBI in the UK, speaking during a panel on law enforcement and cybercrime at Infosecurity Europe 16 in London.
"I get that, it's a driver from a business perspective. However, not understanding the true intrusion events could mean you don't clear it out -- they're called 'advanced persistent threats' for a reason."
One of the biggest networks of spam-sending computers in the world has gone quiet, puzzling experts, internet security firms have said.
For years the Necurs botnet has distributed junk mail and malware for many different groups of cyber-thieves.
But the amount of malicious traffic emerging from Necurs has now dwindled to almost nothing.
It is not clear what has caused the slowdown and whether traffic will return to previously high levels.
One of the first signs of the disruption was seen earlier this month when email messages spreading the Dridex banking trojan and Locky ransomware caught by security firms dried up.
Today, most vehicle functions – steering, acceleration, braking, remote start, and even unlocking the doors – are controlled by software that accepts commands from a diverse array of digital systems operating both inside and outside the vehicle. However, this software contains millions of lines of code, and in these lines of code there may be vulnerabilities that can be exploited by individuals with malicious intent.
FireEye iSIGHT Intelligence analysts and Mandiant consultants reviewed the key threats to interior and exterior vehicle systems and assessed the top five threats created by vehicle software vulnerabilities.
A few weeks ago CERT Poland released a short blog post introducing a new malware family now known as Bolek. PhishMe and Dr.Web have since added some additional insight into the family. Browsing through a memory dump of the malware, a Webinjects section sticks out. Webinjects usually imply banking malware, so it seems Bolek picks up where its predecessor, Carberp, leaves off. This post takes a closer look at its command and control (C2) mechanism and what it takes to elicit a configuration file from its C2 servers.
User accounts for iMesh, a now defunct file sharing service, are for sale on the dark web.
The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the "dotcom" boom. After the Recording Industry Association of America (RIAA) sued the company in 2003 for encouraging copyright infringement, the company was given status as the first "approved" peer-to-peer service.
At its peak in 2009, the service became the third-largest service in the US. But last month, iMesh unexpectedly shut down after more than a decade in business.
LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database.
Google has recently patched a high severity security bug in the Chrome browser that allowed crooks to send malicious code to your browser and take over your entire system.
The issue, tracked by the CVE-2016-1681 identifier, affects the browser's built-in PDF reader called PDFium.
Google patched the issue with the release of Chrome 51.0.2704.63, released on May 25. In the meantime, Chrome released another wave of security updates at the start of June.
Cisco's Aleksandar Nikolic was the researcher that discovered and reported the issue to Google, who even awarded him $3,000 for his efforts.
According to the researcher's account, the issue was discovered six days earlier, on May 19, and Google's team fixed it right away.
Executive Director Josh Aas:
"On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.
We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions.
If you received one of these emails we ask that you not post lists of email addresses publicly."
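The failure mode described in the incident report, a recipient buffer that is never reset between messages so each email carries every address that came before it, is easy to reproduce and easy to guard against. The following added example (not Let's Encrypt's code; the subscriber list, template and function names are constructed) shows the buggy renderer beside a fixed one, plus a pre-send check that stops the run at the first message whose body mentions an address other than its recipient.

```python
"""Reproducing and guarding against the accumulating-recipient mailer bug (added example)."""
import re
from typing import Callable, List, Tuple

Message = Tuple[str, str]  # (recipient, body)

# Constructed subscriber list and notice text.
SUBSCRIBERS = [f"user{i}@example.com" for i in range(1, 6)]
TEMPLATE = "Hello {recipient},\n\nOur subscriber agreement has been updated.\n"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def render_buggy(subscribers: List[str]) -> List[Message]:
    """Bug: the address buffer is created once, outside the per-message loop."""
    seen: List[str] = []
    out = []
    for addr in subscribers:
        seen.append(addr)
        # The accumulated list is prepended to the body, so message k
        # carries the k-1 addresses that came before it (0 for the first).
        body = "\n".join(seen) + "\n\n" + TEMPLATE.format(recipient=addr)
        out.append((addr, body))
    return out


def render_fixed(subscribers: List[str]) -> List[Message]:
    """Fix: every body is built from scratch and mentions only its recipient."""
    out = []
    for addr in subscribers:
        body = TEMPLATE.format(recipient=addr)
        out.append((addr, body))
    return out


def leaked_addresses(recipient: str, body: str) -> List[str]:
    """Addresses present in the body that are not the recipient's own."""
    return sorted(set(EMAIL_RE.findall(body)) - {recipient})


def send_all(subscribers: List[str],
             renderer: Callable[[List[str]], List[Message]],
             transport: Callable[[str, str], None]) -> Tuple[int, List[str]]:
    """Send messages until one would leak; return (sent count, leaked addresses).

    This is the automated stop the report describes, applied before each send
    rather than after a human notices."""
    sent = 0
    for addr, body in renderer(subscribers):
        leak = leaked_addresses(addr, body)
        if leak:
            return sent, leak
        transport(addr, body)
        sent += 1
    return sent, []


if __name__ == "__main__":
    outbox = []
    print(send_all(SUBSCRIBERS, render_buggy, lambda a, b: outbox.append(a)))
    print(send_all(SUBSCRIBERS, render_fixed, lambda a, b: outbox.append(a)))
```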
The National Security Agency is researching opportunities to collect foreign intelligence — including the possibility of exploiting internet-connected biomedical devices like pacemakers, according to a senior official.
“We’re looking at it sort of theoretically from a research point of view right now,” Richard Ledgett, the NSA’s deputy director, said at a conference on military technology at Washington’s Newseum on Friday.
Biomedical devices could be a new source of information for the NSA’s data hoards — “maybe a niche kind of thing … a tool in the toolbox,” he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents.
When asked if the entire scope of the Internet of Things — billions of interconnected devices — would be “a security nightmare or a signals intelligence bonanza,” he replied, “Both.”
Netgear on Friday released firmware updates for two of its router products lines, patching vulnerabilities that were reported six months ago.
Users should update to firmware version 18.104.22.168, which includes fixes for an authentication bypass vulnerability and also addresses a hard-coded cryptographic key embedded in older versions of the firmware.
A vulnerability note published by CERT operating at the Software Engineering Institute at Carnegie Mellon University said Netgear router models D6000 and D3600 running firmware versions 22.214.171.124 and 126.96.36.199 are affected. CERT cautions that other models and firmware versions could also be susceptible to the same issues.
“The Fund is part of the Mozilla Open Source Support program (MOSS) and has been allocated $500,000 in initial funding, which will cover audits of some widely-used open source libraries and programs,” Chris Riley, Mozilla’s Head of Public Policy, explained.
“But we hope this is only the beginning. We want to see the numerous companies and governments that use open source join us and provide additional financial support.”
Projects that want Mozilla’s help must be open source/free software and must be actively maintained, but they have a much better chance of being chosen if the software is commonly used and is vital to the continued functioning of the Internet or the Web.
Bluetooth 5.0, the latest version of the ubiquitous wireless standard, is set to be announced on June 16, according to an e-mail sent by Bluetooth SIG Executive Director Mark Powell.
The update will apparently be called "Bluetooth 5" without a point number in an effort to "[simplify] marketing." It's primarily of interest because the update promises to double the range and quadruple the speed of Bluetooth 4.2. It also adds "significantly more capacity to advertising transmissions," which is more exciting than it sounds because it doesn't necessarily have anything to do with what you normally think of when you think of "advertising."
One piece of advice that often appears in closed message boards used by Russian cybercriminals is “Don’t work with RU”. This is a kind of instruction given by more experienced Russian criminals to the younger generation. It can be interpreted as: “don’t steal money from people in Russia, don’t infect their machines, don’t use compatriots to launder money.”
“Working with RU” is not a great idea where cybercriminals’ safety is concerned: people from other countries are unlikely to report an incident to the Russian police. In addition, online banking is not very popular in the RU zone – at least, it is much less popular than in the West. This means that the potential income from operating in the RU zone is lower than in other zones, while the risk is higher. Hence the rule “Don’t work with RU”.
As always, there are exceptions to the rule. A rather prominent banker Trojan – Lurk – that is the subject of this paper has been used to steal money from Russian residents for several years.
We have written about this banker Trojan before. It caught our attention almost as soon as it appeared because it used a fileless spreading mechanism – malicious code was not saved on the hard drive and ran in memory only. However, until now no detailed description of Lurk had been published.
Good customer service is part of running a successful business. It shouldn’t be a surprise that even crypto-ransomware purveyors are now thinking of ways to make the process of paying for crypto-ransomware easier. The innovation brought forth by some new JIGSAW variants? Instead of using dark web sites, it communicates to the user via… live chat.
So what kicked it off?
Well, starting in 1989 and until 2012, there was the occasional version that would lock something and demand payment through e-mail, snail mail (seriously, look up the AIDS Trojan) or even SMS.
Then we saw the huge emergence of a new form of ransomware, which you might know as FBI or Law Enforcement ransomware. It basically locked your screen, pretended to be from a law enforcement organization, accused you of committing some crime and demanded you pay, usually using prepaid cards, to have your computer unlocked.
The Latest Intelligence page has been refreshed through May 2016, providing the most up-to-date analysis of cybersecurity threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Here are some key takeaways from this latest batch of intelligence.
The Angler toolkit, which had consistently ranked second in our list of web attacks by toolkit, came out on top in May, comprising 51.2 percent of all toolkit activity. The Nuclear exploit kit, which topped April’s list, has dropped out of the top five this month, likely due to research that was published in late April, shedding light on the toolkit’s infrastructure and likely leading to disruptions. This follows the disappearance of the Spartan toolkit from our top five list in April. The Spartan toolkit had also previously topped the list of web attacks by toolkit.
For the last two weeks, the tech world’s security teams have been practically under siege. On an almost daily basis, new collections of data from hundreds of millions of stolen accounts have appeared on the dark web, ripped from major web firms and sold for as little as a few hundred dollars each worth of bitcoins. And behind each of those clearance sales has been one pseudonym: “Peace_of_mind.”
“Peace_of_mind,” or “Peace,” sells data on the dark web black market TheRealDeal. His or her “store” page has a 100-percent satisfaction rating and feedback like “A+++,” and “follows up with your questions and delivers promptly.” And Peace’s growing selection of merchandise includes 167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, 100 million from the Russian social media site VK.com, and most recently another 71 million from Twitter, adding up to more than 800 million accounts and growing.
A high-severity vulnerability in Google’s Chrome browser that allows attackers to execute code on targeted systems via a PDF exploit has been patched by Google.
Researchers at Cisco said users were at risk if they were enticed to view a specially crafted PDF document with an embedded jpeg2000 image within Google’s Chrome default PDF viewer, called PDFium.
“Being fairly easy for an attacker to take advantage of this vulnerability, the most effective attack vector is for the threat actor to place a malicious PDF file on a website then redirect victims to the website using either phishing emails or even malvertising,” wrote the Cisco Talos team in a technical description of the vulnerability publicly disclosed on Thursday.
Internet file sharing has long been a prime route for malware to spread. The situation is one of the reasons (aside from the exposure of proprietary data) that many companies restrict the use of cloud file sharing to corporate-approved systems. But it turns out that those enterprise cloud folders are just as bad. As more companies sanction the use of cloud applications for collaboration and sharing data—even just between individuals' computers and mobile devices—those cloud apps have increasingly become fertile ground for malware.
Crooks behind the revamped CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. The sudden change in distribution was spotted on Monday by researchers at the SANS Internet Storm Center.
“This is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,” wrote Brad Duncan, handler at SANS Internet Storm Center. But he said the switch was noteworthy because SANS had not yet seen CryptXXX distributed by Neutrino.
The move comes as security experts report a resurgence of the CryptXXX ransomware, which was recently revamped with a new encryption algorithm and a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack.
A hacker, who has links to the recent MySpace, LinkedIn, and Tumblr data breaches, is claiming another major tech scalp -- this time, it's said to be millions of Twitter accounts.
A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes an email address (and sometimes a second email), usernames, and plain-text passwords.
Tessa88 is selling the cache for 10 bitcoins, or about $5,820 at the time of writing.
In December 2014, SophosLabs published a paper entitled Vawtrak – International Crimeware-as-a-Service, explaining how cybercriminals have adopted the “Pay As You Go” model that has become so popular in the mainstream technology industry.
Cybercrooks have provided services to one another for years, for example by trading spamming lists, writing malware programs to order, and finding and selling vulnerabilities.
But once you’ve provided another bunch of crooks with your malware source code files, or with access to your mailing lists, you can’t easily control what they do with them.
Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.
Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.
Here's a Facebook hack straight from the pages of the novel 1984: A way to rewrite the record of the past.
"Who controls the past controls the future: who controls the present controls the past," went the ruling party's slogan in George Orwell's dystopian novel.
Security researchers have found a way to control the past, by altering Facebook's logs of online chats conducted through its website and Messenger App.
Such modified logs could be used to control the future, the researchers suggest, by using them to commit fraud, to falsify evidence in legal investigations, or to introduce malware onto a PC or phone.
Canada's University of Calgary paid almost $16,000 ($20,000 Canadian, ~£10,800) to recover crucial data that has been held hostage for more than a week by crypto ransomware attackers.
The ransom was disclosed on Wednesday morning in a statement issued by University of Calgary officials. It said university IT personnel had made progress in isolating the unnamed ransomware infection and restoring affected parts of the university network. It went on to warn that there's no guarantee paying the controversial ransom will lead to the lost data being recovered.
The uTorrent community forums have been hacked, exposing the private details of hundreds of thousands of users. The hackers were able to get their hands on the user database, and a warning issued by the software maker says that passwords should be considered compromised.
With well over 150 million active users a month uTorrent is by far the most used BitTorrent client around.
In addition, the software also has dedicated community forums with tens of thousands of visitors per day and over 388,000 registered members.
Attackers have found a new way to exploit the Windows Background Intelligent Transfer Service (BITS), which is being used to infect and reinfect targeted PCs with malware even after the initial infection has been removed.
According to security researchers at Dell SecureWorks, attackers are exploiting a lesser-known BITS “notification” feature. The feature allows attackers to create a recurring task to download and install malware even after the original malware has been removed.
BITS is used by Windows Update and third-party software for application updates. The service has a long history of being abused by attackers dating back to 2007. And even up until today, BITS is still an attractive feature for hackers because the Windows component includes the ability to retrieve or upload files using an application trusted by host firewalls, said Matthew Geiger, Sr. security researcher for SecureWorks’ Counter Threat Unit.
A new “heat map of the internet” has revealed the countries most vulnerable to hacking attacks, by scanning the entire internet for servers with their front doors wide open.
Produced by information security firm Rapid7, the National Exposure Index finds that the most exposed country in the world is Belgium, followed by Tajikistan, Samoa and Australia. The US comes 14th and the UK 23rd.
The map of the internet was produced by Rapid7’s Project Sonar, a tool which allows the firm to scan every single public-facing IP address in a matter of hours, and look at which services they are offering to the wider internet.
Many, even most, of those services will be appropriate. For instance, a web server with an open port 80, the “door” through which HTTP web pages are sent, is appropriate (even if the encrypted version, HTTPS, would be more secure). But eight of the top 10 services offered by servers on the internet are unencrypted, such as POP3, an outdated email protocol, and FTP, an insecure method of transferring files over the net.
Security firm Bitdefender has found a vulnerability in public cloud infrastructures which it said allows a third party to eavesdrop on communications encrypted with transport layer security (TLS) protocol.
The vulnerability is leveraged by Bitdefender for its own research purposes, developing a technique called TeLeScope, which is only effective against virtualised environments that run on top of a hypervisor.
According to Bitdefender, such infrastructures are provided by industry giants Amazon, Google, Microsoft, and DigitalOcean, with the security vendor flagging banks, companies dealing with either intellectual property or personal information, and government institutions as the sectors likely to be affected by the security flaw.
The internet is under heavier attacks than ever. In Akamai's Q1 2016 State of the Internet - Security Report, the content delivery network (CDN) company found there's been a 125 percent increase in distributed denial of service (DDoS) attacks year over year.
But, wait, there's more. Much more. There's also been a 35 percent increase in the average attack duration. In the first quarter of 2015, the average attack lasted almost 15 hours. Now, they're up to just over 16 hours.
Adding insult to injury, truly massive DDoS attacks, 100 Gigabits per second (Gbps), are now more common than ever. The first quarter of 2016 saw 19 such attacks compared to 2015's eight assaults. That's an increase of 137.5 percent.
That last one is even worse than it sounds. In just the first three months of 2016, there were 19 100Gbps attacks. In 2015's last quarter there were only five.
All together in 2016's first quarter, Akamai witnessed 4,523 DDoS attacks. That's a significant increase from the previous quarter's 3,693 attacks. This increase was largely driven by repeat attacks on customers rather than cyber crooks going after more targets.
While SNSLocker isn’t a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that this ransomware contains the credentials for accessing its own server.
We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren’t investing that much in the operation when they left their credentials out in the open (the credentials have also been shared on social media by other security researchers). We have reported this finding to law enforcement agencies.
Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).
US-bound hopefuls who are looking for additional US Visa information might end up talking to cyber criminals who could send them a malicious file. We can see two entries from Skype when we try to search for the legitimate account. If you don’t have keen eyesight, you might choose the wrong account.
Google said that it will initiate on June 16 a gradual deprecation of SSLv3 and RC4 for Gmail IMAP/POP mail clients.
Both the protocol and the cipher are notoriously unsafe and are being phased out in big chunks of the Internet. Google, for its part, had already announced in May that it would no longer support SSLv3 and RC4 connections for Gmail SMTP.
“Unlike Gmail SMTP, this change will be rolled out as a gradual change, where it may take longer than 30 days for users to be fully restricted from connecting to Gmail from SSLv3 or RC4 connections; however, we recommend updating your clients soon in order to avoid any potential disruption,” Google said this week in an announcement.
An unknown number of Lexus automobiles have seen their infotainment and navigation head units broken by a bug in an over-the-air software update from Lexus.
The glitch, which was confirmed by a Lexus spokesperson, was delivered in a routine software update. In affected cars, it can cause the dashboard screen to spontaneously reset itself and, as a result, both the radio and navigation system can be unusable. It affects cars equipped with Lexus' Enform system with navigation.
Mozilla fixed 13 security issues, including two critical vulnerabilities that could have led to spoofing and clickjacking, among other issues, when it updated Firefox to the latest build, Firefox 47, this week.
One of the issues, a buffer overflow, could have resulted in a potentially exploitable crash according to an advisory published by the company on Tuesday. According to a security researcher who goes by the handle firehack, the overflow could have popped up when the browser parsed HTML5 fragments in a foreign context. When a fragment was inserted into an existing document, it could’ve crashed the browser.
The second critical issue corresponds to not one, but several memory safety bugs reported by 14 different Mozilla developers and community members. The details of the bugs weren’t revealed, but according to the advisory the likelihood that some could be exploited to run arbitrary code was high enough that it warranted fixing.
“We’re doing something a little different this year. We’ve got a bunch of App Store/developer-related announcements for WWDC next week, but frankly, we’ve got a busy enough keynote that we decided we’re not going to cover those in the keynote. And rather, just cover them in the afternoon and throughout the week. We’re talking to people today for news tomorrow about those things, in advance of WWDC, and then developers can come and be ready for sessions about these things, with knowledge about them before the conference. We haven’t done this before, but we figured, what the heck, let’s give it a try.”, Phil Schiller.
D-Link is wrestling with a vulnerability in its DCS930L Wi-Fi camera that was privately disclosed by security company Senrio.
The flaw exposes the cameras to remote code execution, a Senrio report says.
CEO Stephen Ridley told Threatpost that his company is working with D-Link on remediation. D-Link, meanwhile, said in a statement emailed to Threatpost:
“Security is the highest priority for D-Link and we are proactively working with the source of the report since receiving the inquiry to ensure that any vulnerabilities discovered are addressed. Once information and testing is completed, additional information will be made available to customers online at www.mydlink.com."
The availability of pirated content on torrent sites can come with hidden repercussions. Symantec research of popular torrent websites has observed a potentially unwanted application (PUA) distribution campaign. On several sites, we found fake torrents with the names of popular games, such as Assassin’s Creed Syndicate or The Witcher 3, which were used as bait to trick users into silently installing PUAs on their computer. Symantec believes this PUA distribution campaign abuses legitimate affiliate pay-per-install programs.
A PUA is a type of software that may impact security, privacy, resource consumption, or is associated with other security risks. There are several ways that a PUA might get installed on a computer or device. It may arrive as a freeware application or be bundled with third-party software. In many cases, user consent is required, but on some occasions a more intrusive PUA may perform a silent install that escapes attention.
US regulators have warned banks about potential cyber attacks linked to the interbank messaging system.
The statement came two weeks after the Federal Bureau of Investigations sent a notice cautioning US banks after the hacking of Bangladesh's central bank.
The FBI message warned of a "malicious cyber group" that had already targeted foreign banks.
In February, hackers stole $81m (£56m) from Bangladesh's account with the Federal Reserve Bank of New York.
The hackers used the Bangladesh central bank's Swift credentials to transfer money to accounts in the Philippines. Swift is the system banks use to exchange messages and transfer requests.
The hackers attempted to steal nearly $1bn, but several of their requests were rejected because of irregularities.
Security firm FireEye has found malicious phishing campaigns targeting Apple iCloud users through the use of phony Apple domains.
FireEye has reported that since January this year, several phishing campaigns have targeted the Apple IDs and passwords of Apple users in China and the United Kingdom.
An Apple ID is provided to all of Apple's customers, allowing users access to services such as iCloud, the iTunes Store, and the App Store. According to FireEye, anyone with access to an Apple ID, password, and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store.
One of the phishing kits found by FireEye, named zycode, targeted Apple users in China by mimicking over 30 Apple domains, appearing as an Apple login interface for Apple ID, iTunes, and iCloud designed to lure people into submitting their Apple IDs.
Besides buzzing to alert you to calls, texts, and alarms, a phone's vibration motor can also function as a solid speech sensor, researchers have demonstrated.
And that means one more potential method for spies to eavesdrop on phone conversations, Nirupam Roy and Romit Roy Choudhury from the University of Illinois at Urbana-Champaign argue in a paper detailing their VibraPhone, a system designed to recover and distill words from currents transmitted by vibration motor circuits.
"We show that the vibrating mass inside the motor, designed to oscillate to changing magnetic fields, also responds to air vibrations from nearby sounds," the pair write.
That the motor did respond to sound wasn't surprising but they didn't expect it could be used to reproduce audible speech and thus act as a kind of microphone.
Besides eavesdropping, the researchers argue it could be used to enable voice control on devices that don't have a microphone, such as fitness trackers, and could be a fairly low overhead on battery power since it operates in passive mode.
Facebook has patched a vulnerability in the desktop and mobile versions of its Messenger app that allows an attacker to access and modify chats, exposing the victim to potential fraud and malware.
Researchers at Check Point Software Technologies privately disclosed the issue May 2 to Facebook, which patched it two weeks later. The flaw, Check Point said, allows an attacker to, among other things, access chat history and add or change links to a chat session. If the victim is persuaded to click on what is now a malicious link, they could start a malware download or establish a connection to an attacker’s command and control server.
Check Point said the victim would be unaware of the changes, and that chat threads could be deleted or modified, and also links and files could be replaced or added; researcher Roman Zaikin is credited with the discovery.
A provocative white hat hacker who has previously disclosed vulnerabilities in both California’s ObamaCare portal and FireEye's core security product has now revealed a serious flaw in the Council of Better Business Bureau’s (CBBB) Web-based complaints application, which is used by nearly a million people annually to file complaints against businesses.
The CBBB criticized the “unauthorized application vulnerability test” but said in a statement that they believe “the motivation was not malicious," and are "not pursuing the matter further."
The CBBB is the umbrella organization for the independent local BBBs, the not-for-profit consumer advocacy groups that operate in the United States, Canada, and Mexico. The BBBs attempt to mediate disputes between consumers and businesses, and also accredit businesses based on how well the business meets the BBB’s “Standards of Trust.”
Independent security researcher Kristian Erik Hermansen discovered the vulnerability while attempting to file a complaint against Verizon. He told Ars the telecoms giant had defrauded a family member and that despite a successful class-action lawsuit against the company, the fraudulent charges were causing the family member credit problems.
Cyber-thieves are adopting ransomware in "alarming" numbers, say security researchers.
There are now more than 120 separate families of ransomware, said experts studying the malicious software.
Other researchers have seen a 3,500% increase in the criminal use of net infrastructure that helps run ransomware campaigns.
The rise is driven by the money thieves make with ransomware and the increase in kits that help them snare victims.
Ransomware is malicious software that scrambles the data on a victim's PC and then asks for payment before restoring the data to its original state. The costs of unlocking data vary, with individuals typically paying a few hundred pounds and businesses a few thousand.
Google is rolling out its June patches for Android, which contain dozens of fixes for critical and high-severity bugs in the world's most widely-used mobile operating system.
The first Monday of a new month brings the latest Android security bulletin, detailing bugs that affect Google's own Nexus devices and devices from the Android ecosystem.
Secure Android devices should be running Android Security Patch Level of June 01, 2016. Google notified Android partners about the issues in this bulletin on May 2.
One of the most serious bugs fixed in this update is once again Android's Mediaserver component.
"A remote code-execution vulnerability in Mediaserver could enable an attacker using a specially-crafted file to cause memory corruption during media file and data processing," Google notes. The bug affects all versions of Android that Google provides patches for, from Android 4.4.4 KitKat through to Android 6.0.1.
Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.
The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers against attacks that exploit security vulnerabilities in either the operating system or installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they're the first exploits found in the wild that successfully pierce the mitigations.
"The level of sophistication in exploit kits has increased significantly throughout the years," FireEye researchers wrote. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."
Microsoft's search engine Bing will display more detailed warnings when users encounter potential phishing and malware sites.
The company has announced it's refining how it communicates potential threats in Bing results and to website operators using the Bing webmaster dashboard.
Rather than provide only a generic malware warning, Bing's new approach will be more specific about different types of threats and their potential impact.
For end users, it will now highlight whether the page ahead is a phishing site. In such cases, Bing will offer an explanation about how the site might trick the user into disclosing financial, personal, or other sensitive information.
Webmasters are notified through the Bing dashboard and from there can ask for a review of the status after the issue is addressed.
The alarm on Mitsubishi's Outlander hybrid car can be turned off via security bugs in its on-board wi-fi, researchers have found.
The loophole could mean thieves who exploit the bugs gain time to break into and steal a vehicle.
The vulnerability can also be used to fiddle with some of the car's settings and drain its battery.
Mitsubishi recommended that users turn off the wi-fi while it investigates the issues with the system.
Some people change their smartphone or tablet almost as casually as they change their clothes. They buy and later sell mobile devices without the slightest concern about the information that, one device after another, they keep putting in the hands of total strangers. This article is aimed at all those people, and in it you will be able to learn what measures you can take to protect your privacy.
When you delete a file, is the data really deleted?
Unfortunately, no. With most IT equipment, deleting a file means telling the system that the next time it needs to write data, it can overwrite the space used by the file in question.
However, until the new write operation takes place, the information remains physically stored in the form of bits on the corresponding storage drive and can be recovered. This kind of deletion is known as logical deletion and is the procedure that almost all operating systems use.
In contrast, there is another kind of deletion, called physical deletion, which overwrites the data bit by bit with junk content on the storage medium. This procedure ensures that the data cannot be recovered, but it takes much longer and is therefore usually considered undesirable for tasks where the user experience is central.
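The following is an added example, not code from the article above. It contrasts the two kinds of deletion the text describes: os.remove alone is a logical deletion (the name disappears, the bytes stay on the medium until reused), while the physical_delete helper below overwrites the file's bytes in place and forces them to the device before unlinking. The file name, sample content and the number of passes are constructed for the demonstration. One caveat a practitioner should keep in mind: on flash storage with wear levelling (SSDs, phones, USB sticks) the controller may write the new bytes to a fresh block, so in-place overwriting is not guaranteed to destroy the old copy; full-disk encryption or the device's own secure-erase command is the dependable route there.

```python
import os
import secrets
import tempfile


def logical_delete(path: str) -> None:
    """Ordinary deletion: only the directory entry is removed. The data
    blocks are merely marked reusable, as the article explains."""
    os.remove(path)


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file with random data, flushing and
    fsync-ing each pass so the write reaches the device rather than only
    the page cache. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return size


def physical_delete(path: str, passes: int = 1) -> int:
    """Best-effort physical deletion on a conventional drive: overwrite,
    then unlink. (Not a guarantee on wear-levelled flash; see lead-in.)"""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return written


def demo() -> dict:
    """Write a file holding a recognisable (constructed) secret, overwrite
    it, confirm the secret is no longer in the file's bytes, then unlink.
    Returns the observations so they can be asserted on, not just printed."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notes.txt")  # hypothetical file name
    secret = b"card PIN 1234 (constructed sample)\n" * 50
    with open(path, "wb") as f:
        f.write(secret)

    overwritten = overwrite_in_place(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    secret_gone = b"card PIN 1234" not in after and len(after) == len(secret)

    os.remove(path)  # the unlink step of physical_delete, done separately here
    return {
        "bytes_overwritten": overwritten,
        "secret_gone_after_overwrite": secret_gone,
        "file_exists_after_delete": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the secret is gone from the file's bytes before the name is removed; a plain os.remove would have left those bytes intact for a recovery tool to find until the blocks were reused.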
A hacker has obtained 171 million user accounts associated with social networking giant, VK.com.
The stolen database contains full names, email addresses and plain-text passwords, and in many cases locations and phone numbers.
The St. Petersburg, Russia-headquartered social network -- formerly known as VKontakte -- is said to be the largest in Europe, with over 350 million users at the last count. The hack is thought to have been carried out in late 2012 or early 2013, but the hacker who is selling the data could not be more precise.
Given the timing, the entire store of VK's data -- which at the time had just under 190 million users -- is likely to have been taken in the hack.
It was a tough week for TeamViewer, a service that allows computer professionals and consumers to log into their computers from remote locations. For a little more than a month, a growing number of users have reported their accounts were accessed by criminals who used their highly privileged position to drain PayPal and bank accounts. Critics have speculated TeamViewer itself has fallen victim to a breach that's making the mass hacks possible.
On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was "significant," but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services.
Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.
The impact is potentially quite severe, too. An attacker could hijack the update process and deliver malware that would compromise your PC.
The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity.
The LiveUpdate toolkit is what you'd call bloatware or crapware: software pre-packaged on your computer that's already there when you boot up for the first time. Very few people are aware of its presence, and most of those who are assume it belongs there because it's provided by their laptop's manufacturer.
Unfortunately for ASUS customers, the company's official "bloatware" doesn't use the most secure mechanism to deliver updates, as US security researcher Morgan Gangwere has discovered.
In a paper published by the Association for Computing Machinery, researchers from Tel Aviv University have detailed how inexpensive kit can be used to harvest 4,096-bit encryption keys in just a few seconds and from distances of around 10 metres (33 feet).
These are the same boffins who hid a loop of wire and a USB radio dongle in a piece of pita bread last year and used it to steal keys over the air.
In their latest research, the team managed to pick up encryption keys using acoustics. As a computer's processor churns through the encryption calculations, the machine emits a high-frequency "coil whine" from the changing electrical current flowing through its components.
Researchers who dig deep through the code of one of the latest strains of ransomware might be surprised and even a little irked at what they find. Hidden inside some of those strings of code are taunts aimed at them.
According to Lawrence Abrams, who runs BleepingComputer.com, the malware, BlackShades Crypter a/k/a SilentShades, was spotted late last month by a researcher who goes by the name Jack, targeting users in both the United States and Russia. The ransomware behaves like most variants: once a user is infected it encrypts the user’s files and appends an extension, in this case “.silent.”
CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.
Over the past two months, KrebsOnSecurity has received inquiries from fraud fighters at more than a half-dozen financial institutions in the United States — all asking if I had any information about a possible credit card breach at CiCi’s. Every one of these banking industry sources said the same thing: They’d detected a pattern of fraud on cards that had all been used in the last few months at various CiCi’s Pizza locations.
Earlier today, I finally got around to reaching out to the CiCi’s headquarters in Texas and was referred to a third-party restaurant management firm called Champion Management. When I called Champion and told them why I was inquiring, they said “the issue” was being handled by an outside public relations firm called SPM Communications.
CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals.
Researchers at Proofpoint said that on May 26, cybercriminals released an updated CryptXXX 3.100 version of the ransomware that includes a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack. Proofpoint said StillerX targets the credentials of a wide range of applications, ranging from casino software to Cisco VPN clients.
“It absolutely looks like CryptXXX is the hot new kid on the block,” said Kevin Epstein, VP of Threat Operations Center at Proofpoint in an interview with Threatpost. “With TeslaCrypt exiting the ransomware business, CryptXXX looks to soon rival Locky via infection rates and distribution.”
The network time protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity.
NTP, specifically the NTP daemon, synchronizes system clocks with time servers.
Vulnerable NTP servers were used two years ago with regular frequency to carry out amplification attacks against targets. High-bandwidth NTP-based DDoS attacks skyrocketed as attackers used vulnerable NTP implementations to amplify DDoS attacks much in the way DNS amplification has been used in the past. Some NTP amplification attacks reached 400 Gbps in severity, enough to bring down even some of the better protected online services.
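The amplification pattern described above has a recognisable shape on the wire: a victim receives large UDP packets from source port 123 on many distinct servers it never queried, far out of proportion to the tiny requests sent in its name. The example below is added here and is not from the article or from any vendor; it runs a simple detector over constructed flow records (source, source port, destination, destination port, packets, bytes) and reports destinations that look like amplification victims, together with the observed amplification factor. The thresholds and the sample flows are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    # A normal time sync: one 76-byte request, one 76-byte reply.
    ("10.0.0.5", 54321, "192.0.2.10", 123, 1, 76),
    ("192.0.2.10", 123, "10.0.0.5", 54321, 1, 76),
    # Requests forged with the victim's address (203.0.113.7) to three
    # open servers, each of which answers with a burst of large packets.
    ("203.0.113.7", 123, "192.0.2.10", 123, 1, 36),
    ("192.0.2.10", 123, "203.0.113.7", 123, 100, 46800),
    ("203.0.113.7", 123, "192.0.2.11", 123, 1, 36),
    ("192.0.2.11", 123, "203.0.113.7", 123, 100, 46800),
    ("203.0.113.7", 123, "192.0.2.12", 123, 1, 36),
    ("192.0.2.12", 123, "203.0.113.7", 123, 100, 46800),
]


def detect_ntp_amplification(flows, min_servers=3, min_avg_pkt=200.0):
    """Flag hosts receiving large NTP responses from many distinct servers.

    Heuristics (assumed thresholds): a legitimate client talks to a handful
    of servers and receives 76-byte replies; an amplification victim hears
    from many servers at once with an average packet size several times
    larger. The amplification factor is response bytes divided by the bytes
    of the requests that carried the victim's address.
    """
    to_host = defaultdict(lambda: {"servers": set(), "pkts": 0, "bytes": 0})
    requested_by = defaultdict(int)

    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport == 123:  # traffic leaving an NTP service port
            rec = to_host[dst]
            rec["servers"].add(src)
            rec["pkts"] += pkts
            rec["bytes"] += nbytes
        if dport == 123:  # requests arriving at NTP servers, keyed by claimed source
            requested_by[src] += nbytes

    alerts = {}
    for host, rec in to_host.items():
        avg_pkt = rec["bytes"] / rec["pkts"]
        if len(rec["servers"]) >= min_servers and avg_pkt >= min_avg_pkt:
            req_bytes = requested_by.get(host, 0)
            alerts[host] = {
                "servers": len(rec["servers"]),
                "response_bytes": rec["bytes"],
                "avg_packet_bytes": avg_pkt,
                "amplification": rec["bytes"] / req_bytes if req_bytes else None,
            }
    return alerts


if __name__ == "__main__":
    for victim, info in detect_ntp_amplification(FLOWS).items():
        print(victim, info)
```

On the sample flows only 203.0.113.7 is reported: three servers, 468-byte average packets and an amplification factor of 1300, while the ordinary client at 10.0.0.5 is left alone. In production the same logic would read NetFlow or IPFIX export instead of the inline list.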
A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability.
WP Mobile Detector was pulled from the WordPress Plugin Directory once the attacks went public. It was restored last night and users are urged to update to version 3.7 immediately. The plugin detects if a visitor to a WordPress site is using a smartphone and delivers a compatible theme.
Researchers at Sucuri said yesterday that attacks against WordPress sites running the plugin started on May 27. The zero-day was disclosed on Tuesday by Plugin Vulnerabilities, a WordPress security site. The flaw allows an attacker to upload arbitrary files.
Google has rolled out a new free online tool that tests how good or poor your website is for mobile devices, and then provides detailed recommendations on what to fix.
The new Test My Site service, hosted by Google's marketing-focused Think With Google, is the company's latest effort to encourage businesses to make their sites more mobile-friendly. Just type in the URL for a homepage and it will return a score out of 100 for mobile friendliness, mobile speed, and desktop speed.
Google says that people are five times more likely to leave a website that's not easy to use on mobile and that half of all visitors will ditch a page if it takes more than three seconds to load.
In the course of monitoring an organized Russian ransomware campaign, Flashpoint analysts were able to gain significant visibility into the tactics, techniques, and procedures employed by a campaign boss operating a ransomware scheme out of
As the Russian hacking community lowered the access requirements for unsophisticated Russian cybercriminals to engage in ransomware campaigns, corporations and individuals face a commensurately greater challenge of effectively protecting their data and operations from being held ransom.
Recent threats powered by ransomware campaigns which have surfaced in the Deep & Dark Web appear to be specifically aimed at the healthcare industry. Cybercriminals consider this industry in particular to be a valuable target due to the treasure trove of personally identifiable information their systems house. While prior efforts focused on stealing and reselling the data, now criminals are turning to ransomware to hold the data hostage.
Businesses today pride themselves on responding quickly to changing conditions. Unfortunately, cybercriminals aren’t any different. A newly discovered malware family hitting point-of-sale (PoS) systems has been found which emphasizes speed in how the information is stolen and sent back to attackers. We called this attack FastPOS, due to the speed and efficiency of its credit card theft capabilities.
FastPOS is designed to immediately exfiltrate any stolen card data, instead of storing it locally in a file and periodically sending it to the attackers. This suggests that it may have been designed to target situations with a much smaller network environment. An example would be where the primary network gateway is a simple DSL modem with ports forwarded to the POS system.
According to X-Force intelligence, Marcher first appeared in the wild in late 2013. It is known to be a commercial offering sold in Russian-speaking underground forums by its supposed developer or distribution accomplices.
In the first year of its activity, Marcher did not target banks; initially, it was only used by its various operators to steal credit card information from infected victims. To do so, a phishing overlay screen was triggered when users accessed the Google Play app store, plastering a fake window on top of the app store’s activity to request users’ credit card number, expiration date and CVV2 code. In 2014, Marcher began targeting banks, starting with a large bank in Germany, PhishLabs reported.
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE.
FLARE found the samples on VirusTotal while researching droppers compiled with PyInstaller — an approach used by numerous malicious actors. The IRONGATE samples stood out based on their references to SCADA and associated functionality. Two samples of the malware payload were uploaded by different sources in 2014, but none of the antivirus vendors featured on VirusTotal flagged them as malicious.
Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that IRONGATE is not viable against operational Siemens control systems and determined that IRONGATE does not exploit any vulnerabilities in Siemens products. We are unable to associate IRONGATE with any campaigns or threat actors. We acknowledge that IRONGATE could be a test case, proof of concept, or research activity for ICS attack techniques.
Our analysis finds that IRONGATE invokes ICS attack concepts first seen in Stuxnet, but in a simulation environment. Because the body of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) malware is limited, we are sharing details with the broader community.
Facebook member or not, the social networking giant will soon follow you across the web -- thanks to its new advertising strategy.
From today, the billion-plus social network will serve its ads to account holders and non-users -- making one giant push in the same footsteps as advertising giants like Google, which has historically dominated the space.
In case you didn't know, Facebook stores a lot of data on you. Not just what you say or who you talk to (no wonder it's a tempting trove of data for government surveillance) but also what you like and don't like. And that's a lot of things, from goods to services, news sites and political views -- not just from things you look at and selectively "like" but also sites you visit and places you go.
Facebook now has the power to harness that information to target ads at you both on and off its site.
“It’s raining! I need a ride!” somebody might wail on Messenger.
“Oh yea? I just got out of a taxi!” a friend might respond.
Wouldn’t it be nice (and, of course, revenue-producing) if Facebook’s algorithms could understand that the ride-needer needs a taxi, that he would probably say yes if Messenger prompted him to connect with Uber, and that his friend does not need a taxi since she just got out of one?
That’s exactly the scenario that Facebook’s trained its artificial intelligence (AI) language-processing to handle. Facebook announced its newest AI system, called DeepText, on Wednesday.
Facebook says that DeepText is a deep learning-based text understanding engine that can understand with near-human accuracy the textual content of thousands of posts per second, spanning more than 20 languages.
TeamViewer said, "the truth of the matter is TeamViewer experienced network issues because of the DoS-attack to DNS servers and fixed them, there is no security breach at TeamViewer, regardless of the incident, TeamViewer continuously works to ensure the highest possible level of data and user protection."
Instead, the company blamed recent account hack claims at the feet of "careless use of account credentials." As we've seen in the last year, countless credentials are now being traded and released online, and coupled with the fact many will use the same passwords across different services, one loose set can lead to the compromise of multiple accounts.
"In addition, users might unintentionally download and install malware programs," the company said. "Yet once a system is infected, perpetrators can virtually do anything with that particular system -- depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth."
When it comes to identifying malware infections, organisations tend to stop the fight there, in what Josh Goldfarb, FireEye CTO of emerging technologies, said is a frustrating practice.
According to Goldfarb, what many organisations are doing is re-imaging a laptop or cleaning up the malware, and putting it back into service without foresight to realise it will happen again.
"It's kind of a chicken or an egg situation where organisations are so busy playing whack-a-mole that they don't have time to come up for air, and try and understand why they're so busy playing whack-a-mole," Goldfarb explained to ZDNet.
A trusted, ethical cybersecurity industry is vital to underpinning Australia's social and economic wellbeing, Major General Stephen Day, the former head of Cyber and Information Security at the Australian Signals Directorate, has said.
He also believes it is in the best interests of the country's national security to conduct business in such a way.
Speaking at the Intel Security Innovation Forum in Sydney on Thursday, Day said that all people involved in the area of security have a role to play in ensuring the industry goes forward in an ethical and trusted manner.
Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.
Today’s post examines some of the missteps that preceded this embarrassing and potentially brand-damaging “oops.” We’ll also explore the limits of automated threat intelligence gathering in an era of megabreaches like the ones revealed over the past week that exposed more than a half billion usernames and passwords stolen from Tumblr, MySpace and LinkedIn.
Google on Wednesday updated the Chrome browser for the third time since the start of May.
Chrome 51.0.2704.79 for Windows, Mac, and Linux patched 15 vulnerabilities. It also paid out $14,000 in bounties to prolific bug hunters Mariusz Mlynski ($7,500) and Rob Wu ($6,500).
The previous Chrome update on May 27 addressed 42 flaws with Mlynski cashing in to the tune of $30,000 after earning $15,500 in an update pushed out at the start of May.
As we have discussed in our previous blogs, the ability to determine which app is currently running in the foreground is central for mobile banking malware to create overlay "injections" to phish the currently running application. Android 5.0 Lollipop and Android 6.0 Marshmallow thwarted malware’s ability to find the current running task by deprecating the getRunningTasks() API, but ever since Google rolled out this security enhancement, malware authors have engaged in a cat-and-mouse game of workarounds and fixes. We have been blogging about each of these malware evolutions as we spot them in the wild.
The recent variants of Android.Bankosy and Android.Cepsohord, observed over the last quarter, are using two new tricks to circumvent the new security enhancements. One of these two techniques requires an additional special permission from the user, while another does not require any additional permission at all.
As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe.
That was up from 56 percent in December, and less than 10 percent every other month of last year.
And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015.
Twitter has revealed that the firm has paid out $322,420 to bug bounty hunters in only two years.
It was not that long ago that researchers seeking to report security vulnerabilities in systems and software had few outlets to do so. Emails and contact forms were the standard communication channel, and should a bug be investigated and deemed valid, the researcher was likely to receive little more than a pat on the back and perhaps public credit.
However, things have changed. Cyberthreats and data breaches are now a daily occurrence, which means businesses looking to protect their products and networks have to either hire in-house or seek external help to discover and fix problems before they can be exploited.
Something is happening with TeamViewer's servers at the moment, and all clues point to a massive breach that has led to many users going on Reddit and complaining about having their computers hacked, some even reporting seeing new purchases in their PayPal accounts.
The problems started around noon today when users weren't able to connect to the TeamViewer network. A few hours later, the company's website also went down, but the team managed to bring it back online a few hours later.
On Twitter, the TeamViewer team wrote that they're only experiencing issues in some parts of their network, but they denied any security breach, at least on their side.
Some users have reported finding new transactions in their PayPal and bank accounts, while others discovered someone had been poking around their email account.
"Encryption and privacy is not the same thing," said Nick Savvides, Symantec APAC cybersecurity strategy manager.
Encryption is a privacy "enhancing tool", Savvides went on to explain, while privacy is more about handling what information is collected, how the collected information is handled, and what other data can be derived from it. The two are often confused because they are related: Encryption is used to maintain privacy.
Savvides said that unfortunately most websites do not use encryption, highlighting the company's most recent Internet Threat Security Report, which revealed that 97 percent of active websites do not have any basic security and 75 percent have unpatched vulnerabilities, with 16 percent of those being critical.
For the security minded, one of the scariest revelations from the now three-year-old Snowden leaks had nothing to do with accommodating ISPs (shocking) or overreaching and often vague anti-terrorism practices and policy (an even bigger shock, right?). Instead, when news trickled out about matters like the National Security Agency’s Vulcan data repository or its Diffie-Hellman strategy, online privacy advocates found themselves quaking. Suddenly, seemingly everyone had to re-evaluate one of the most often used tools for maintaining a shred of anonymity online—the VPN.
VPNs, or virtual private networks, are typically used to obfuscate users’ IP addresses and to add a layer of security to Web browsing. They work by routing traffic through a secure, encrypted connection to the VPN’s server. The reasons for using VPNs vary. Some people use VPNs to change their IP address so they can access location-specific media content in a different geographic location, or to download torrents in a way that is less likely to be traced back to them. Others hope to minimize online tracking from advertisers, prevent the negative effects of rogue access to Wi-Fi networks, or simply hide their IP address from specific sites they visit.
The number of internet domains serving up ransomware has risen massively in just the space of three months, as cybercriminals look to cash in.
Sites designed to host malware, exploit kits, phishing scams, and other threats have also reached their highest-ever level, according to security researchers at Infoblox.
In raw numbers, exploit kits remain the biggest security threat, accounting for just over 50 percent of the index. As in past quarters, Angler remains the top piece of ransomware, but a new contender has emerged from far back in the pack: observations of Neutrino have grown by 300 percent, the researchers said.
"Again in simple terms: Ransomware is working," the report said.
Microsoft has tackled a problem with its email filters that had prevented them from properly screening out spam.
It first acknowledged the problem with Outlook and Hotmail on Tuesday evening.
"Some users may be receiving excessive spam mail," a service page update stated.
Samsung is advising customers against succumbing to Microsoft’s nagging and installing Windows 10.
The consumer electronics giant's support staff have admitted drivers for its PCs still don’t work with Microsoft's newest operating system and told customers they should simply not make the upgrade.
That’s nearly a year after Microsoft released Windows 10 and with a month to go until its successor – Windows 10 Anniversary Update – lands.
Samsung’s customers have complained repeatedly during the last 12 months of being either unable to install Microsoft’s operating system on their machines or Windows 10 not working properly with components if they do succeed.
However, with the one-year anniversary fast approaching, it seems neither of these tech giants has succeeded in solving these persistent problems.
The next time you're in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it's vulnerable to man-in-the-middle attacks that allow hackers to install malware.
That's the take-away from a report published Tuesday by researchers from two-factor authentication service Duo Security. It found third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus. The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.
A stable Tor Browser 6.0 has been released; it disabled SHA-1 support, got rid of the Mac Gatekeeper problem, and switched its default search results to DuckDuckGo.
How do you know that something has become very popular? Simple – when poorly-made knockoff versions start to hit the marketplace. Ransomware, it seems, has hit that point.
The writers behind the new ZCRYPT ransomware family have either scrapped support for Windows XP, or did a sloppy job in creating it. This new family only targets systems with newer versions of Windows, specifically Windows 7 and later. Is ZCRYPT deliberately cutting off older operating systems, or is it just poorly-written malware?
Most major PC makers are shipping their desktops and notebooks with pre-installed software, which researchers say is riddled with security vulnerabilities.
A highly-critical report by Duo Security released Tuesday said Acer, Asus, Dell, HP and Lenovo all ship with software that contains at least one vulnerability, which could allow an attacker to run malware at the system-level -- in other words, completely compromising an out-of-the-box PC.
The group of PC makers accounted for upwards of 38 million PCs shipped in the first quarter of the year, according to estimates garnered from IDC's latest count.
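The KeePass, ASUS LiveUpdate and Duo Security items above all come down to the same defect: an updater that fetches code over plaintext HTTP and installs whatever arrives, so anyone on the network path can substitute a payload. The example below is added here and is not code from KeePass, ASUS, Duo Security or any PC maker. It models a simulated network in which an on-path attacker replaces every plaintext response, and runs two updaters against it: the insecure pattern the reports describe, and a hardened one that insists the update manifest arrive over HTTPS and checks the downloaded payload's SHA-256 against the digest in that manifest before installing. The manifest format, URLs and payload bytes are constructed; a signed manifest verified against a pinned vendor key would be the stronger real-world choice, and the digest check here is the minimum that would have stopped the swap.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails any integrity or transport check."""


@dataclass
class Fetched:
    url: str
    body: bytes


# Constructed payloads standing in for a firmware/update image.
GENUINE = b"UPDATE-IMAGE v1.2 (constructed sample)"
TAMPERED = b"UPDATE-IMAGE v1.2 (constructed sample, swapped on the wire)"


def make_network(mitm: bool):
    """Return a fetch(url) function simulating the network.

    When mitm is True, every plaintext HTTP response is attacker-controlled
    and comes back as TAMPERED; HTTPS responses are delivered unchanged.
    """
    manifest = json.dumps({
        "url": "http://cdn.example.invalid/update.bin",      # hypothetical CDN
        "sha256": hashlib.sha256(GENUINE).hexdigest(),
    }).encode()

    def fetch(url: str) -> Fetched:
        parts = urlparse(url)
        if parts.scheme == "http" and mitm:
            return Fetched(url, TAMPERED)
        if parts.path.endswith("manifest.json"):
            return Fetched(url, manifest)
        return Fetched(url, GENUINE)

    return fetch


def insecure_install(fetch, update_url: str) -> bytes:
    """The pattern the reports criticise: download over whatever scheme the
    URL names and treat the bytes as the update. Returns what it would install."""
    return fetch(update_url).body


def verified_install(fetch, manifest_url: str) -> bytes:
    """Hardened pattern: manifest over HTTPS only, payload digest checked
    against the manifest before anything is installed."""
    if urlparse(manifest_url).scheme != "https":
        raise UpdateRejected("update manifest must be fetched over HTTPS")
    manifest = json.loads(fetch(manifest_url).body)
    payload = fetch(manifest["url"]).body
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; a mismatch means the payload is not what
    # the (TLS-protected) manifest described, so it is never installed.
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise UpdateRejected(f"digest mismatch: expected {manifest['sha256']}, got {actual}")
    return payload


def run_demo() -> dict:
    """Exercise both updaters with and without an on-path attacker."""
    hostile, clean = make_network(mitm=True), make_network(mitm=False)
    results = {}
    results["insecure_installs_tampered"] = (
        insecure_install(hostile, "http://cdn.example.invalid/update.bin") == TAMPERED
    )
    try:
        verified_install(hostile, "https://updates.example.invalid/manifest.json")
        results["verified_rejects_tampered"] = False
    except UpdateRejected:
        results["verified_rejects_tampered"] = True
    try:
        verified_install(hostile, "http://updates.example.invalid/manifest.json")
        results["verified_rejects_http_manifest"] = False
    except UpdateRejected:
        results["verified_rejects_http_manifest"] = True
    results["verified_accepts_genuine"] = (
        verified_install(clean, "https://updates.example.invalid/manifest.json") == GENUINE
    )
    return results


if __name__ == "__main__":
    print(run_demo())
```

Against the hostile network the insecure updater happily installs the swapped image, while the verified one refuses both the tampered payload and a manifest offered over plain HTTP, and still accepts the genuine image when nothing is interfering.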
How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows? That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000.
So-called “zero-day” vulnerabilities are flaws in software and hardware that even the makers of the product in question do not know about. Zero-days can be used by attackers to remotely and completely compromise a target — such as with a zero-day vulnerability in a browser plugin component like Adobe Flash or Oracle’s Java. These flaws are coveted, prized, and in some cases stockpiled by cybercriminals and nation states alike because they enable very stealthy and targeted attacks.
Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks.
Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations.
Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.
A comprehensive listing of the most important events impacting the security ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is becoming a growing new threat to businesses vulnerable to attacks.
According to IBM’s X-Force researchers, the new tactic is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how they broke into the network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.
Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services.
Apple has yet to patch a vulnerability disclosed during last week’s Hack in the Box hacker conference in Amsterdam that allows an attacker with physical access—even on the latest versions of iOS—to swap out legitimate apps with malicious versions undetected on the device.
Researcher Chilik Tamir of mobile security company Mi3 Security disclosed last week during his talk at the show that an iOS mitigation for a previous attack he’d developed was incomplete and with a modification, he could still infect non-jailbroken iOS devices with malicious or misbehaving apps.
Apple declined to comment on the vulnerability, though it has known about the issue since Jan. 27. On May 23 Apple informed Tamir that it was working on a patch.
PayPal has announced the suspension of its business operations in Turkey as of 6th June, citing failure to obtain a new license for its service in the country.
Turkey has made recent efforts to promote its own domestic tech sector, advancing censorship laws and other regulation to push large international companies out of the market. PayPal, as the latest victim on this trail, posted a statement [Turkish] on its local Turkish website today: “PayPal’s priority has always been its customers. However, a local financial regulator has denied our Turkish payments license and we have had to regretfully comply with its instruction to discontinue our activities in Turkey.” [Roughly translated from Turkish]
Police do not need a warrant to obtain a person's cellphone location data held by wireless carriers, a U.S. appeals court ruled on Tuesday, dealing a setback to privacy advocates.
The full 4th U.S. Circuit Court of Appeals in Richmond, Virginia, voted 12-3 that the government can get the information under a decades-old legal theory that it had already been disclosed to a third party, in this case a telephone company.