Jump to content

Search the Community

Showing results for tags 'malware'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 147 results

  1. Apple Accidentally Approved Malware to Run on MacOS The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino's “notarization” defenses for the first time. Notarization can help Apple keep security pretty tight, but anything that does sneak past can then spread quickly because it has the company's imprimatur.Photograph: Mairo Cinquetti/NurPhoto/Getty Images For decades, Mac users had to worry less about malware than their Windows-using counterparts, but over the last few years that's begun to change. In an attempt to crack down on growing threats like adware and ransomware, in February Apple began "notarizing" all macOS applications, a vetting process designed to weed out illegitimate or malicious apps. Even software distributed outside of the Mac App Store now needs notarization, or users wouldn't be able to run them without special workarounds. Seven months later, though, researchers have found an active adware campaign attacking Mac users with the same old payloads—and the malware has been fully notarized by Apple. The campaign is distributing the ubiquitous "Shlayer" adware, which by some counts has affected as many as one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, like injecting ads into search results. It's not clear how Shlayer slipped past Apple's automated scans and checks to get notarized, especially given that it's virtually identical to past versions. But it's the first known example of malware being notarized for macOS. College student Peter Dantini discovered the notarized version of Shlayer while navigating to the homepage of the popular open source Mac development tool Homebrew. Dantini accidentally typed something slightly different than brew.sh, the correct URL. The page he landed on redirected a number of times to a fake Adobe Flash update page. Curious about what malware he might find, Dantini downloaded it on purpose. To his surprise, macOS popped up its standard warning about programs downloaded from the internet, but didn't block him from running the program. When Dantini confirmed that it was notarized, he sent the information on to longtime macOS security researcher Patrick Wardle. "I had been expecting that if someone were to abuse the notarization system it would be something more sophisticated or complex," says Wardle, principal security researcher at the Mac management firm Jamf. "But in a way I’m not surprised that it was adware that did it first. Adware developers are very innovative and constantly evolving, because they stand to lose a ton of money if they can't get around new defenses. And notarization is a death knell for a lot of these standard ad campaigns, because even if the users are tricked into clicking and trying to run the software, macOS will block it now." Wardle notified Apple about the rogue software on August 28 and the company revoked the Shlayer notarization certificates that same day, neutering the malware anywhere that it was installed and for future downloads. On August 30, though, Wardle noticed that the adware campaign was still active and distributing the same Shlayer downloads. They had simply been notarized using a different Apple Developer ID, just a few hours after the company began working on revoking the original certificates. On August 30, Wardle notified Apple about these new versions. "Malicious software constantly changes, and Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered," the company said in a statement. "Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates. We thank the researchers for their assistance in keeping our users safe." Apple also makes a distinction in its notarization materials between its more thorough iOS "App Review" and this check for macOS applications. "Notarization is not App Review," the company wrote. "The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly." Before Apple introduced notarization, malware developers simply needed to pay $99 a year for an Apple Developer ID so they could sign their software as legitimate. Any application not downloaded from the Mac App Store would trigger a warning when users tried to run it about making sure programs downloaded from the internet were safe to use, but users could easily click through them. Notarization makes it much more difficult to deploy malware—or at least that's the idea. Wardle says that in his experience submitting his own security tools for review, Apple's initial, automated check only takes a few minutes to issue an approval. Still, bad actors are clearly slipping through. "I've been quite certain that malicious apps would slip through the notarization process, so this doesn't surprise me," says Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes. "I'd actually been considering writing an app that would exhibit classic malicious behaviors and trying to get it notarized. Unfortunately, this saves me the trouble. This is the proof I've been waiting for that notarization is not effective." Reed also notes that he's started seeing Mac malware like adware evolve to get around notarization. One method is to distribute software that is completely unsigned and unapproved by Apple and trick users into installing it by telling them to expect warnings from Apple and then guiding them through the workaround processes. As with any trust-based system, notarization can help Apple keep security pretty tight, but anything that does sneak past can then spread quickly because it has the company's imprimatur. This is already a problem in both Apple's iOS App Store and Google's Play Store for vetted Android apps. Malicious apps often slip in and then get downloaded by unsuspecting users. Malware scanners would have still detected the notarized Shlayer installations as malicious, but anyone not running antivirus would be out of luck. "Anybody’s going to make mistakes detecting malicious software, because it's difficult to do. Overall from a security perspective, I still think notarization is a good step," Wardle says. "But the average user is going to trust Apple—I do, too! So if something says it's notarized, even a security-conscious user is more likely to trust that it's OK." Apple Accidentally Approved Malware to Run on MacOS
  2. NSA and FBI warn that new Linux malware threatens national security Previously unknown Drovorub is being used by advanced hacking group APT 28. Enlarge Suse The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands. In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that was has gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency that has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security. “Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote. Stealthy, powerful, and full featured The Drovorub toolset includes four main components: a client that infects Linux devices; a kernel module that uses rootkit tactics to gain persistence and hide its presence from operating systems and security defenses; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that uses compromised servers or attacker-control machines to act as an intermediary between infected machines and servers. A rootkit is a type of malware that burrows deep inside an operating system kernel in a way that prevents the interface from being able to register the malicious files or the processes they spawn. It uses a variety of other techniques as well to make infections invisible to normal forms of antivirus. Drovorub also goes to great lengths to camouflage traffic passing into and out of an infected network. The malware runs with unfettered root privileges, giving operators complete control of a system. It comes with a full menu of capabilities, making a malware equivalent of a Swiss Army knife. Security driver slayer Government officials said Drovorub gets its name from strings unintentionally left behind in the code. “Drovo” roughly translates to “wood” or “firewood,” while “rub” translates to “fell” or “chop.” Put together, the government said, Drovorub means “woodcutter” or to “split wood.” Dmitri Alperovitch, a security researcher who has spent most of his career investigating Russian hacking campaigns—including the one that targeted the DNC in 2016—offered a different interpretation. “Re: malware name ‘Drovorub,’ which as @NSACyber points out translates directly as ‘woodcutter,’” Alperovitch, a co-founder and former CTO of security firm CrowdStrike, wrote on Twitter. “However, more importantly, ‘Drova’ is slang in Russian for ‘drivers,’ as in kernel drivers. So the name likely was chosen to mean “(security) driver slayer." Serving Russia’s national interests for more than a decade Drovorub adds to an already abundant cache of previously known tools and tactics used by APT 28, the Russian military hacking group that other researchers call Fancy Bear, Strontium, Pawn Storm, Sofacy, Sednit, and Tsar Team. The group’s hacks serve Russian government interests and target countries and organizations the Kremlin considers adversaries. In August, Microsoft reported that the group had been hacking printers, video decoders, and other so-called Internet-of-things devices and using them as a beachhead to penetrate the computer networks they were connected to. In 2018, researchers from Cisco’s Talos group uncovered APT 28’s infection of more than 500,000 consumer-grade routers in 54 countries that could then be used for a range of nefarious purposes. Other campaigns tied to APT 28 include: The intrusion into the Democratic National Committee ahead of the 2016 election (along with a different Russian group, known as Cozy Bear) and then distributing damaging documents to sway voter opinion The 2016 hacks of the World Anti-Doping Agency The German Bundestag France’s TV5Monde TV station Thursday’s advisory didn’t identify the organizations Drovorub is targeting or provide even broad descriptions of the targets or geographies where they’re located. It also didn’t say how long the malware has been in the wild, how many known infections there have been to date, or how the hackers are infecting servers. APT 28 often relies on malicious spam or phishing attacks that either infect computers or steal passwords. The group also exploits vulnerabilities on devices that haven’t been patched. Required reading Agency officials said that a key defense against Drovorub is to ensure that all security updates are installed. The advisory also urged that, at a minimum, servers run Linux kernel version 3.7 or later so that organizations can use improved code-signing protections, which use cryptographic certificates to ensure that an app, driver, or module comes from a known and trusted source and hasn’t been tampered with by anyone else. “Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system,” the advisory stated.” Also included are rules that network administrators can plug into the Yara and Snort intrusion detection systems to catch and halt network traffic passing to or from control servers or to flag obfuscated Drovorub files or processes already running on a server. The 45-page document provides a level of technical detail and informed analysis that’s on par with some of the best research from private companies. The advisory is also the first to disclose the existence of this new and advanced malware. Those are things that are rarely available in government advisories. The report should be required reading for anyone managing a network. NSA and FBI warn that new Linux malware threatens national security
  3. Android malware posing as Covid-19 contact tracing apps You might want to think twice before downloading a contact tracing app from a link (Image credit: EclecticIQ) As countries around the world started providing Covid-19 contact tracing apps to their citizens, cybercriminals used this to their advantage to distribute Android malware, according to a new report from EclecticIQ and ThreatFabric. Researchers from both companies as well others identified malicious Android apps that were disguised as the official contact tracing applications for Colombia, India, Singapore and Indonesia. Surprisingly, the sample from India was released just 13 days after the official Indian contact tracing app was made available on the Google Play Store. After analyzing the samples, EclecticIQ and ThreatFabric found they used the commodity and open source malware SpyMax, SpyNote and Aymth. The attackers also repackaged applications with Metasploit to give them remote access trojan capabilities. To distribute their malicious contact tracing apps, the cybercriminals relied on phishing links that were designed to trick users into installing their apps. Malicious contact tracing apps Based on the findings of EclecticIQ and ThreatFabric's report, it is almost certain that threat actors will continue to use commodity and open source-based malware disguised as legitimate contact tracing apps for financial gain. The low barrier to entry provided by these tools combined with the continued rollout of contact tracing apps by countries around the world, presents a continued financial opportunity for cybercriminals into the near future. Cyber threat intelligence specialist at ElecticIQ's Fusion Center, Peter Ferguson explained in a press release that users should only download Covid-19 contact tracing apps from official app stores, saying: "Users should never download contact tracing android applications from links sent to them or from third party stores. If they are interested in downloading their nation's contact tracing application, they should use the official site or the Google Play Store." Throughout the pandemic, cybercriminals have repeatedly tried to capitalize on the disruption it has caused worldwide by using Covid-19 as a lure to trick users into installing malware on their devices. They will likely continue to launch similar campaigns because of how successful they've been so far. This means that businesses and consumers need to remain vigilant when it comes to Covid-19-related threats and scams. Android malware posing as Covid-19 contact tracing apps
  4. New form of Linux malware has a clever use for the Dogecoin API Doki malware uses the Dogecoin API to find its operator's C&C server (Image credit: Aranami/Flickr) As more businesses shift their workloads to cloud environments, Linux threats are becoming increasingly common and cybercriminals have devised new tools and techniques to launch attacks against Linux infrastructure. One technique they often employ is scanning for publicly accessible Docker servers and then abusing misconfigured Docker API ports to set up their own containers and execute malware on their victim's infrastructure. The Ngrok botnet is one of the longest ongoing attack campaigns that leverages this technique and a new report from Intezer Labs shows that it takes only a few hours for a new misconfigured Docker server to be infected by this campaign. Recently though, the company detected a new malware payload, which they dubbed Doki, that differs from the usual cryptominers typically deployed in this kind of attack. What sets Doki apart from other malware is that it leverages the Dogecoin API to determine the URL of the its operator's command and control (C&C) server. The malware has managed to remain in the shadows and undetected for over six months despite the fact that samples of Doki are publicly available in VirusTotal. Doki malware Once the hackers abuse the Docker API to deploy new servers inside a company's cloud infrastructure, the servers, which run a version of Alpine Linux, are then infected with crypto-mining malware as well as Doki. According to Intezer's researchers, Doki's purpose is to allow hackers to main control over the servers they've hijacked to make sure that their cryptomining operations continue. However, the new malware differs from other backdoor trojans by using the Dogecoin API to determine the URL of the C&C server it needs to connect to in order to receive new instructions. Doki uses a dynamic algorithm, known as a DGA or domain generation algorithm, to determine the C&C address using the Dogecoin API. The operators of the Ngrok botnet can also easily change the server where the malware receives its commands from by making a single transaction from within a Dogecoin wallet they control. If DynDNS happens to receive an abuse report about the current Doki C&C URL and the site is taken down, the cybercriminals only need to make a new transaction, determine the subdomain value and set up a new DynDNS account and claim the subdomain. This clever tactic prevents businesses and even law enforcement from dismantling Doki's backend infrastructure as they would need to take over control of the Dogecoin wallet from the Ngrok first. Via ZDNet New form of Linux malware has a clever use for the Dogecoin API
  5. Today, one of the top priority dimensions of raising capabilities of cyberoperations is the creation of special hardware and software appliances and information technologies to carry out intelligence-gathering and offensive operations. It involves active development of so-called information weapons, a category that encompasses the whole range of means of attacking the adversary’s information resources. This type of attack mainly affects computer and telecommunications systems, including software, databases, computing and data processing, and also communications networks. Of particular importance is the establishment of dedicated offensive technologies that can be applied covertly against command and control infrastructure in order to disrupt the orderly functioning of their key components, and to seize control over them. Intellligence-gather cyber tools are intended to collect information about adversary, including structure, functioning, and vulnerabilities of its command systems. To achieve that, automated workstations will have malware inserted in order to establish a distributed, remotely controlled, intelligence gathering network. It may include thousands of computers in government and military facilities in various countries. The definition of malware includes external or internal programming code possessing various destructive functions, such as: destroying or changing software, destroying or corrupting data after a certain condition is met (“logic bombs”); exceeding the user’s authority in order to copy confidential information or to make such copying possible (“trojan horses”); corrupting protection systems or making it possible to bypass them; intercepting user login credentials through phishing or keystroke logging; intercepting data flowing within a distributed systems (monitors, sniffers); concealing one’s presence; self-replication, associating with other software and/or embedding own fragments into other operating or external memory not originally targeted by the malware; destroying or corrupting software code in operating memory; corruption, blocking, or supplanting data created by applications and entered into data links or external memory. Overall, there are three main types of destructive functions that may be performed by malware: Preserving or collection of fragments of data created by user, applications, uploading and downloading data, in external memory (local or remote) in the net or a stand-alone computer, including passwords, keys, and other access credentials, confidential documents in electronic form, or simply general corruption of fragments of sensitive data; Changing application algorithms (deliberate action against external or operating memory), in order to change the basic logic of their functioning; imposing a specific work regime or changing data being recorded by data produced by malware. Overall, the use of malware assumes the existence of an internal distribution mechanism to spread it to global or local networks, including the internet, to carry out specific tasks. These may include: penetrating remote computers to completely or partially seize control; launching own copies of malware on the infected computer; possible further penetration of all available networks. Such malware is mainly distributed as files attached to emails and electronic messages, and also through specially placed hyperlinks. This type of attack is distinguished by its scale and high speed of infection. Internet sites engaged in spreading malware increase by a factor of two every year. These sites attract attention of internet users by posting current informational content: news, analysis, overview of information technologies, and also commercial and entertainment articles. More than 20% of sites are specifically intended for malware distribution. Other means of using malware include: distributed denial of service (DDOS) attacks by generating intense traffic from false requests, which makes it impossible for actual users to gain access to the network or servers; dissemination of malware through USB memory devices, the most efficient means of doing so; embedding and activating code inserts. At the same time, many NATO countries have established military units for cyber-operations, and also pursue the development of scientific and technical infrastructure to develop special information technologies for offensive use, including self-multiplying and self-distributing malware, and developing doctrines for their use. Moreover, there is the so-called file-less (packet) malware distributed as net packets and penetrating computers through OS vulnerabilities or security holes in applications. In order to embed malware remotely, one can use social engineering or weaknesses in organizational network administration, such as unprotected local disks. The most widespread means of embedding malware is the Internet. Offensive malware targets both individual computers and networks. It accomplishes penetration using known and newly discovered weaknesses of both software and hardware developed by the potential adversary, but also in devices and programs developed by the world’s leading IT firms, most of which are based in the US. Other means of embedding malware are: agents, remote technical means including peripheral appliances of the system being attacked, combined attacks, etc. Malware developers focus on the ability to maintain stealthy presence amidst the target’s software and remain there even after an upgrade or software renewal. Main means of covert embedding of malware include: Pretending to be ordinary software. This approach assumes embedding malware using the process of installing a new application. It may be embedded in graphic or text editors, system utilities, screensaver, etc. Its existence is not concealed after installation; Pretending to be a module for expanding the computing environment. It’s a frequent variation on the previous one, and uses access to the ability to expand environments. For example, for Microsoft Windows OS such modules may include DLL modules and drivers, potentially containing malware; Malware replacing one of several application modules of the attacked environment. This method consists of choosing one or several modules for replacement with malware-infected modules in order to carry out the intended tasks. Such malware should externally be able to carry out the normal functions of the software thus targeted; Direct association. This method consists of associating malware with executable files of one or several legal programs in the system. This is the simplest method for single-task, single-user systems; Indirect association. It consists of associating malware with the code of a software module loaded into operating memory. In this instance the executable file remains unchanged, which makes malware detection harder. It’s also necessary to ensure the installable part of the virus already is present in the system. The most potentially useful means of embedding malware, not including through global networks, in order to gain covert access to enemy networks are: IRATEMONK allows embedding of malware in order to conduct surveillance on desktop and portable computers through recording onto the hard-drive BIOS, giving it the ability to implement its code by replacing the MBR. It works on various types of hard drives, including Western Digital, Seagate, Maxtor, and Samsung. It supports FAT, NTFS, EXT3, and UFS file systems, but systems with RAID are not. After embedding, IRATEMONK launches its payload every time the target computer is turned on. SWAP allows embedding malware for espionage by using motherboard BIOS and HPA domain of the hard drive by running the OC launch code. This program allows remote access to various operating systems (Windows, FreeBSD, Linux, Solans) with various file systems (FAT32, NTFS, EXT2, EXT3, UFS 1.0). Two utilities are used for installation: ARKSTREAM (it spoofs the BIOS) and TWISTEDKILT (it writes SWAP protocol and the malware payload to the HPA area of hard drive, and is used mainly against cell phones). COTTONMOUTH is a USB device insert providing a wireless bridge to the target network and also for loading exploits to the target system. It may open a covert channel to send commands and data. Built-in radio transmitter allows it to collaborate with other COTTONMOUTH. It’s based on TRINITY component base, with HOWLERMONKEY used as the transmitter. There’s also a version called MOCCASIN, which is inserted into a USB keyboard’s commutation matrix. FIREWALK is an insert used to passively collect Gigabit Ethernet traffic, and to embed malware into Ethernet packets. It can create a VPN tunnel between the targeted network and the center. It’s possible to establish wireless communications with other HOWLERMONKEY-compatible devices. This insert is similar in execution to COTTONMOUTH. It uses TRINITY component base, and HOWLERMONKEY as transmitter. NIGHTSTAND is a mobile system for active attacks on Wi-Fi nets, with the target being Windows machines when direct access is not possible. The system is based on a notebook-type portable computer running Linux and equipped with radio communications. External amplifiers and antennas give it range of up to 13km. DEITYBOUNCE delivers programming access to Dell PowerEdge servers with the help of motherboard BIOS and the use of the SMM regime to obtain the ability to launch itself before the system is launched. After set-up, it will run every time the system is switched on. FEEDTROUGH is equipment for installing two types of malware, BANANAGLEE and ZESTYLEAK, used to overcome network firewalls. This method is used when the firewall is launch. Malware’s installation is performed if operating system is present in the database, otherwise it is installed normally. FEEDTROUGH remains in place when the firewall operating system is updated. CTX4000 is a portable continuous emitter. It is used to obtain data from inserts installed on targeted systems. NIGHTWATCH is a PC-based system, used to process signals from the targeted monitor. Signals may be obtained using data collection systems (inserts in fiberoptic cables) or from a general purpose receiver. HOWLERMONKEY is a short- and medium-range radio transmitter. It is a special radio module for other inserts. It is used to collect data from inserts and enabling remote access to it. Moreover, there are other methods of embedding malware, through transceivers installed in USB cables or devices, through Wi-Fi, Bluetooth, GSM devices and cables attached to the targeted computer. One of the promising methods of remote malware placement is the unmanned aerial vehicle (UAV). USAF specialists have developed the WASP (Wireless Aerial Surveillance Platform) UAV on the basis of the FMQ-117B aerial target. It’s main mission are reconnaissance cyberoperations. Thanks to its onboard equipment, it may break into detected Wi-Fi networks, intercept cell phone conversations. WASP equipment includes HD-resolution camera, 11 antennas for various radio communications, GPS receiver, and onboard computer running Linux. Its memory contains a malware arsenal to break into wireless networks and a dictionary with 340 thousand words for “brute force” attacks. Obtained data and intercepted conversations are recorded in the onboard computer memory (solid-state hard drive with 500 GB memory) and may also be sent using internet channels to a special server using 3G and 4G networks, or the compromised Wi-Fi hot-spots. The UAV’s GPS allows it to operate autonomously along an assigned route, but it needs operator’s involvement for take-off and landing. Each system costs about $6 thousand, not including the cost of the UAV. Similar efforts are underway by US Army Cyber Command in order to interfere with automated command points at tactical and operational levels. The Sun Eagle tactical reconnaissance UAV is being used to test equipment for remote malware insertion into Wi-Fi and LTE wireless networks. Overall, United States and NATO are developing various methods and means for remote malware insertion. They include various physical data processing and transmission, and also different environments for proliferation. Countering such types of cyber weapons is a difficult and complex task, demanding considerable research efforts and financial expenditures.
  6. Live Coronavirus Map Used to Spread Malware Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software. A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu. In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware. Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate. “It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!” The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java. “Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.” It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware. As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know. A tip of the hat to @holdsecurity for a heads up about this malware offering. Source: Live Coronavirus Map Used to Spread Malware (KrebsOnSecurity - Brian Krebs)
  7. Major vulnerabilities found in top free VPN apps on Google Play store SuperVPN Free VPN Client is one of the most popular free VPN apps you can find on the Google Play store, having gained more than 100 million installs already. But besides being a very popular app, there’s something else you need to know about this free VPN: SuperVPN Free VPN Client is also very dangerous. You see, our analysis shows that this app has critical vulnerabilities that opens it up to dangerous attacks known as man-in-the-middle (MITM) hacks. These vulnerabilities will allow hackers to easily intercept all the communications between the user and the VPN provider, letting the hackers see everything the user is doing. This is actually quite the opposite of what a VPN is supposed to do. A VPN is supposed to keep your online activities private and secure from all snooping eyes. In fact, a VPN is supposed to be so safe that, even if a hacker could intercept these communications, it would take them longer than the age of the universe to even begin to decrypt the data. But that’s not what SuperVPN has done here. The implications here are pretty dire. Based on our research, more than 105 million people could right now be having their credit card details stolen, their private photos and videos leaked or sold online, every single minute of their private conversations recorded and sent to a server in a secret location. They could be browsing a fake, malicious website set up by the hacker and aided by these dangerous VPN apps. But what’s even worse is that this app isn’t alone: of the top VPN apps we analyzed, 10 free VPN apps have similar critical vulnerabilities. If you’ve installed any of these dangerous VPN apps, you should delete them immediately: Vulnerable VPN apps on Google Play Store About this research In order to undertake our analysis, we first developed a proof of concept for creating a man-in-the-middle (MITM) attack. We then looked at the top apps in Google Play that were returned when searching for the keyword “vpn” in January 2019. We first attempted our MITM attack on two top-10 VPNs – SuperVPN and Best Ultimate VPN – and then filtered and tested the remaining apps. We disclosed these vulnerabilities to all 10 affected VPN apps in October 2019 and provided them with enough time to fix these issues. Unfortunately, only one of them, Best Ultimate VPN, answered and ultimately patched their app based on the information we provided within this 90-day period. The others did not respond to our queries. We’ve also reported these vulnerabilities to Google, but so far haven’t heard anything back from them yet. Key takeaways 10 of the top free VPN apps in the Google Play store have significant vulnerabilities, affecting nearly 120 million users These vulnerabilities allow hackers to easily intercept user communications, including seeing the visited websites and stealing usernames and passwords, photos, videos, and messages 2 apps use hard-coded cryptographic keys, and 10 apps are missing encryption of sensitive data. 2 of these apps suffer from both vulnerabilities. One app was already identified as malware, but never removed from the Play store, gaining 100 million installs in the meantime. In earlier research, we identified this app for potentially manipulating Google Play in order to rank highly and get more installs 4 of the affected apps are located in Hong Kong, Taiwan or mainland China Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys Because of the vulnerabilities, hackers can easily force users to connect to their own malicious VPN servers Let’s take an in-depth look at one app to show what kind of vulnerabilities we found. SuperVPN putting 100 million users at risk SuperVPN is a highly popular Android VPN that was in position 5 for the “vpn” keyword at the time of our analysis. According to Google Play, the app has been downloaded more than 100 million times (in January 2019 it only had 50 million installs): SuperVPN app installs Just to show you how big of a number that is for any VPN, this is the same number of installs for much more popular apps like Tinder and AliExpress: Tinder app installs AliExpress app installs What we did In our tests, we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This communication contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information. What we found After decrypting the data, we found sensitive information about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own fake server data. Who is behind SuperVPN? SuperVPN and its developer SuperSoftTech have been in our sights before. Our previous research analyzed the few companies secretly behind many VPN products. From that, we know that SuperSoftTech claims to be based in Singapore, but it actually belongs to the independent app publisher Jinrong Zheng, a Chinese national likely based in Beijing. We also discovered that SuperVPN had been called out before in a 2016 Australian research article as being the third-most malware-rigged VPN app. This is only one example of vulnerabilities we found in all 10 apps listed in this article. A reputation for manipulation SuperVPN was discussed before in our earlier research on the potential manipulation tactics the top VPNs were using to seemingly rank higher in Google Play results. In that research, we discovered that the top 10 results for the “vpn” keyword in Google Play were all free VPNs. They were ranking more highly than market leader VPNs, such as NordVPN and ExpressVPN. Our research discovered that these better-ranked apps seemed to be using three easy manipulation techniques to get such high rankings. That means that SuperVPN by SuperSoftTech seems to not only be using manipulation techniques to rank highly in Google Play, but is also dangerously vulnerable. We attempted to contact Mr. Zheng on multiple occasions, but we have not heard back from him. How MITM hackers penetrate VPN apps In order to really understand how critical and dangerous these vulnerabilities are, you have to understand a little of how users normally connect to VPNs. The exact process for VPNs can seem a bit complicated, but the connection is pretty simple. Now, with a hacked VPN connection, there’s a MITM hacker who positioned himself right in the middle of your app and the VPN’s backend server: And this is the dangerous part: by changing the details, he can now force you to connect to his malicious server instead of the real VPN server. While everything will appear to work normally, and you think that you’re being extra safe and secure, you’re actually being seriously exposed. In total, your personal life is exposed, and it’s only limited by the hacker’s imagination what he can do with all that data. What this means for your safety This is a disastrous finding on two levels. In the broader sense, it’s disastrous that any app that participates in user data would have these wide-open vulnerabilities that make it particularly easy for hackers and government agencies to monitor user communications. In a more specific, and more dangerous, sense, it’s disastrous that a VPN would have these vulnerabilities. After all, users are connecting to VPNs in order to increase their privacy and security. For that reason, they’re more willing to transmit sensitive information on VPN apps than on other apps. For a VPN app to then be so vulnerable is a betrayal of users’ trust and puts them in a worse position than if they hadn’t used any VPN at all. However, there could be something larger at play here. When looking at these apps together, there seem to be two essential possibilities: These core vulnerabilities are intentional for these free VPN apps. After all, since a successful MITM attack would allow someone the ability to monitor sensitive user data (or reroute users to fake VPN servers) without the user’s knowledge, that’s a useful tool for any surveillance-hungry organization or nation. On the other hand, we should probably not attribute to malice what can be explained by stupidity – or here, laziness. In simple terms, the app developers here are so focused on getting high amounts of users and stuffing their app with ads, that they placed lower priority on the core security features of their apps. While one possibility may seem worse than another, at some point only the result matters: people using these vulnerable apps are putting their data – and possibly their lives – in danger. Based on that essential fact alone, we highly recommend users avoid these vulnerable VPN apps at all costs. When looking for an effective VPN, we recommend users do their due diligence. Ask yourself the following questions: Do I know this VPN developer or brand? Do they seem trustworthy? Where is the VPN located? Is it in a privacy-friendly country? For mobile apps, what permissions are they requiring? Do they actually need those permissions to function (such as the camera, GPS, microphone)? Free is great – but can you trust this VPN? There are a few commendable free VPNs or VPNs with free options from reputable brands. Taking an active role in filtering out the good VPNs from the bad ones will save users a lot of trouble later on. Source
  8. These Crappy Android Cleaner Apps Are Actually Malware While the latest Android malware you should look out for hasn’t been as popular as the scammy apps that recently drove 382+ million downloads, it’s plenty serious. Security researchers from Trend Micro recently called out a number of Android apps—with more than 470,000 total downloads combined—for being bogus system-cleaning utilities that actually had the potential to install more than 3,000 other malware apps on a user’s device. Worse, these shitty apps could also log into these other shitty apps using your Facebook or Google credentials to help perpetuate advertising fraud (and likely get the malware’s creators a decent payout, until caught). As Trend Micro describes: "Based on our analysis, the 3,000 malware variants or malicious payloads (detected by Trend Micro as AndroidOS_BoostClicker.HRX) that can be possibly downloaded to an affected device with this campaign pretend to be system applications that do not show app icons on the device launcher or application list. The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up." Though odds are good that you haven’t been infected by the original apps or the malware they dump on your device, here’s a quick list of the apps you’d want to look out for (just in case): Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler Super Clean Lite- Booster, Clean&CPU Cooler Super Clean-Phone Booster,Junk Cleaner&CPU Cooler Quick Games-H5 Game Center Rocket Cleaner Rocket Cleaner Lite Speed Clean-Phone Booster,Junk Cleaner&App Manager LinkWorldVPN H5 gamebox What’s more important in this case is Trend Micro’s takeaways for avoiding shitty apps like these on the Google Play Store. But first, I’m going to give you my advice: You don’t need cleaner apps for your Android. Sample size of one here, but I’ve never used (or needed) a cleaner app in all the countless years I’ve used Android, and my devices have never suffered. Besides, you’re only asking for trouble if you actually think that an app with a scammy-sounding title like “Super Clean-Phone Booster,Junk Cleaner&CPU Cooler” is going to do anything helpful for your phone. If you really, really feel like your device’s performance is terrible, consider backing up your photos and videos to the cloud, factory reset your device, and set it up from scratch again. Odds are good your device will still feel slow, since newer apps and operating system updates might have more demanding requirements than when you first purchased your smartphone, but you might at least be able to clear up some system resources by mass-clearing out any background apps you forgot about. And if your phone was nearly maxed out with data, clearing up some space might make Android feel a little faster. As for Trend Micro, they have a great observation about how it’s difficult to verify an app’s legitimacy by only looking at its reviews and ratings—if you’re just focusing on numbers and stars, that is. "Verifying an app’s legitimacy is typically done by checking user-created reviews on the Play Store. However, in this particular case, the malicious app is capable of downloading payloads that can post fake reviews unbeknownst to the user. Despite the slew of positive reviews, it does leave some red flags — even though different users left positive reviews, the comments they leave contain the same, exact text: ‘Great, works fast and good.’ They also gave the app the same four-star rating." As always, stick to downloading apps from Google Play and turn off your device’s ability to install apps from unknown sources, if you’ve ever used that to sideload an app and forgot to reset it. When you’re considering installing a new app on your device, even from Google Play, ask yourself whether it’s truly necessary. Do a web search to see if more trustworthy alternatives exist from well-known app developers and brands. Read the reviews to see if they sound off. Has the app been around for years and received regular updates, or is this an app’s very first version—and, somehow, it’s racked up a ton of reviews despite only being a few days old? Unfortunately, the onus is on you to keep your device free of crappy apps. Google can help, but it can’t catch everything in advance—as we’ve seen. And make sure you’re giving your friends this advice, too; you might be smart, but your loved ones who are a bit less tech-savvy are probably going crazy with cleaner and other crapware downloads. Help them! Source
  9. US government goes all in to expose new malware used by North Korean hackers The US Pentagon, the FBI, and the Department of Homeland Security on Friday exposed a North Korean hacking operation and provided technical details for seven pieces of malware used in the campaign. The US Cyber National Mission Force, an arm of the Pentagon’s US Cyber Command, said on Twitter that the malware is “currently used for phishing & remote access by [North Korean government] cyber actors to conduct illegal activity, steal funds & evade sanctions.” The tweet linked to a post on VirusTotal, the Alphabet-owned malware repository, that provided cryptographic hashes, file names, and other technical details that can help defenders identify compromises inside the networks they protect. An accompanying advisory from the DHS’s Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the government’s name for a hacking group sponsored by the North Korean Government. Many security researchers in the private sector use other names for the group, including Lazarus and Zinc. Six of the seven malware families were uploaded to VirusTotal on Friday. They included: Bistromath, a full-featured remote access trojan and implant that performs system surveys, file uploads and downloads, process and command executions, and monitoring of microphones, clipboards, and screens Slickshoes, a “dropper” that loads, but doesn’t actually execute, a “beaconing implant” that can do many of the same things Bistromath does Hotcroissant, a full-featured beaconing implant that also does many of the same things listed above Artfulpie, an “implant that performs downloading and in-memory loading and execution of DLL files from a hardcoded url” Buttetline, another full-featured implant, but this one uses fake a fake HTTPS scheme with a modified RC4 encryption cipher to remain stealthy Crowdedflounder, a Windows executable that’s designed to unpack and execute a Remote Access Trojan into computer memory But wait... there’s more Friday’s advisory from the Cybersecurity and Infrastructure Security Agency also provided additional details for the previously disclosed Hoplight, a family of 20 files that act as a proxy-based backdoor. None of the malware contained forged digital signatures, a technique that’s standard among more advanced hacking operations that makes it easier to bypass endpoint security protections. Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, posted an image on Twitter that showed the relationship between the malware detailed on Friday with malicious samples the Moscow-based security firm has identified in other campaigns attributed to Lazarus. Friday’s joint advisory is part of a relatively new approach by the federal government to publicly identify foreign-based hackers and the campaigns they carry out. Previously, government officials mostly steered clear of attributing specific hacking activities to specific governments. In 2014, that approach began to change when the FBI publicly concluded that the North Korean government was behind the highly destructive hack of Sony Pictures a year earlier. In 2018, the Department of Justice indicted a North Korean agent for allegedly carrying out the Sony hack and unleashing the WannaCry ransomware worm that shut down computers worldwide in 2017. Last year, the US Treasury sanctioned three North Korean hacking groups widely accused of attacks that targeted critical infrastructure and stole millions of dollars from banks in cryptocurrency exchanges. As Cyberscoop pointed out, Friday marked the first time that the US Cyber Command identified a North Korean hacking operation. One reason for the change: although the North Korean government hackers often use less advanced malware and techniques than counterparts from other countries, the attacks are growing increasingly sophisticated. News agencies including Reuters have cited a United Nations report from last August that estimated North Korean hacking of banks and cryptocurrency exchanges has generated $2 billion for the country’s weapons of mass destruction programs. Source
  10. French Firms Rocked by Kasbah Hacker? A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products. In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East. Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network’s control center. Other victims included one of France’s largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities. HYAS said it quickly notified the French national computer emergency team and the FBI about its findings, which pointed to a dynamic domain name system (DNS) provider on which the purveyors of this attack campaign relied for their various malware servers. When it didn’t hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to “sinkhole” the malware network’s control servers. Sinkholing is a practice by which researchers assume control over a malware network’s domains, redirecting any traffic flowing to those systems to a server the researchers control. While sinkholing doesn’t clean up infected systems, it can prevent the attackers from continuing to harvest data from infected PCs or sending them new commands and malware updates. HYAS found that despite its notifications to the French authorities, some of the apparently infected systems were still attempting to contact the sinkholed control networks up until late 2019. “Due to our remote visibility it is impossible for us to determine if the malware infections have been contained within the [affected] organizations,” HYAS wrote in a report summarizing their findings. “It is possible that an infected computer is beaconing, but is unable to egress to the command and control due to outbound firewall restrictions.” About the only French critical infrastructure vertical not touched by the Kasbah hackers was the water management sector. HYAS said given the entities compromised — and that only a handful of known compromises occurred outside of France — there’s a strong possibility this was the result of an orchestrated phishing campaign targeting French infrastructure firms. It also concluded the domains associated with this campaign were very likely controlled by a group of adversaries based in Morocco. “What caught our attention was the nature of the victims and the fact that there were no other observed compromises outside of France,” said Sasha Angus, vice president of intelligence for HYAS. “With the exception of water management, when looking at the organizations involved, each fell within one of the verticals in France’s critical infrastructure strategic plan. While we couldn’t rule out financial crime as the actor’s potential motive, it didn’t appear that the actor leveraged any normal financial crime tools.” ‘FATAL’ ERROR HYAS said the dynamic DNS provider shared information showing that one of the email addresses used to register a key DNS server for the malware network was tied to a domain for a legitimate business based in Morocco. According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — [email protected] — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim. Archived copies of talainine.com indicate the business was managed by two individuals, including someone named Yassine Algangaf. A Google search for that name reveals a similarly named individual has been credited by a number of major software companies — including Apple, Dell and Microsoft — with reporting security vulnerabilities in their products. A search on this name at Facebook turned up a page for another now-defunct business called Yamosoft.com that lists Algangaf as an owner. A cached copy of Yamosoft.com at archive.org says it was a Moroccan computer security service that specialized in security audits, computer hacking investigations, penetration testing and source code review. A search on the [email protected] address at 4iq.com — a service that indexes account details like usernames and passwords exposed in Web site data breaches — shows this email address was used to register an account at the computer hacking forum cracked[.]to for a user named “fatal.001.” A LinkedIn profile for a Yassine Algangaf says he’s a penetration tester from the Guelmim province of Morocco. Yet another LinkedIn profile under the same name and location says he is a freelance programmer and penetration tester. Both profiles include the phrase “attack prevention mechanisms researcher security tools proof of concepts developer” in the description of the user’s job experience. Searching for this phrase in Google turns up another Facebook page, this time for a “Yassine Majidi,” under the profile name “FatalW01.” A review of Majidi’s Facebook profile shows that phrase as his tag line, and that he has signed several of his posts over the years as “Fatal.001.” There are also two different Skype accounts registered to the ing.equipepro.com email address, one for Yassine Majidi and another for Yassine Algangaf. There is a third Skype account nicknamed “Fatal.001” that is tied to the same phone number included on talainine.com as a contact number for Yassine Algangaf (+212611604438). A video on Majidi’s Facebook page shows him logged in to the “Fatal.001” Skype account. On his Facebook profile, Majidi includes screen shots of several emails from software companies thanking him for reporting vulnerabilities in their products. Fatal.001 was an active member on dev-point[.]com, an Arabic-language computer hacking forum. Throughout multiple posts, Fatal.001 discusses his work in developing spam tools and RAT malware. In this two-hour Arabic language YouTube tutorial from 2014, Fatal.001 explains how to use a RAT he developed called “Little Boy” to steal credit card numbers and passwords from victims. The main control screen for the Little Boy botnet interface includes a map of Morocco. Reached via LinkedIn, Algangaf confirmed he used the pseudonyms Majidi and Fatal.001 for his security research and bug hunting. But he denied ever participating in illegal hacking activities. He acknowledged that [email protected] is his email address, but claims the email account was hacked at some point in 2017. “It has already been hacked and recovered after a certain period,” Algangaf said. “Since I am a security researcher, I publish from time to time a set of blogs aimed at raising awareness of potential security risks.” As for the notion that he has somehow been developing hacking programs for years, Algangaf says this, also, is untrue. He said he never sold any copies of the Little Boy botnet, and that this was one of several tools he created for raising awareness. “In 2013, I developed a platform for security research through which penetration test can be done for phones and computers,” Algangaf said. “It contained concepts that could benefit from a controlled domain. As for the fact that unlawful attacks were carried out on others, it is impossible because I simply have no interest in blackhat [activities].” Source: French Firms Rocked by Kasbah Hacker? (KrebsOnSecurity - Brian Krebs)
  11. Nasty Android malware reinfects its targets, and no one knows how Users report that xHelper is so resilient it survives factory resets. Enlarge A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off. xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps. On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away. Blind alleys Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation. Eventually (and with the help of the Android user), company researchers finally identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc. To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device. “This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.” Malwarebytes Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device. The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders. Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card). “I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.” Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)
  12. Gmail Is Catching More Malicious Attachments With Deep Learning Users of Gmail get 300 billion attachments each week. To separate legitimate documents from harmful ones, Google turned to AI—and it’s working. Photograph: Getty Images Distributing malware by attaching tainted documents to emails is one of the oldest tricks in the book. It's not just a theoretical risk—real attackers use malicious documents to infect targets all the time. So on top of its anti-spam and anti-phishing efforts, Gmail expanded its malware detection capabilities at the end of last year to include more tailored document monitoring. Good news, it's working. At the RSA security conference in San Francisco on Tuesday, Google's security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents is faring against the 300 billion attachments it has to process each week. It's challenging to tell the difference between legitimate documents in all their infinite variations and those that have specifically been manipulated to conceal something dangerous. Google says that 63 percent of the malicious documents it blocks each day are different than the ones its systems flagged the day before. But this is exactly the type of pattern-recognition problem where deep learning can be helpful. Currently 56 percent of malware threats against Gmail users come from Microsoft Office documents, and 2 percent come from PDFs. In the months that it's been active, the new scanner has increased its daily malicious Office document detection by 10 percent. "Ten percent matters," Bursztein told WIRED. "We're trying to close the gap as much as possible. We want to keep adding machine learning everywhere we can, where it makes sense. Machine learning does amazing things sometimes, but sometimes it’s overhyped. We try to use it as an extra layer rather than the only layer. We think that works way better." The document analyzer looks for common red flags, probes files if they have components that may have been purposefully obfuscated, and does other checks like examining macros—the tool in Microsoft Word documents that chains commands together in a series and is often used in attacks. The volume of malicious documents that attackers send out varies widely day to day. Bursztein says that since its deployment, the document scanner has been particularly good at flagging suspicious documents sent in bursts by malicious botnets or through other mass distribution methods. He was also surprised to discover how effective the scanner is at analyzing Microsoft Excel documents, a complicated file format that can be difficult to assess. Though a 10 percent detection increase may not sound like a lot, it's a massive improvement at the scale Google is working on, and any gains are productive given that the threat of malicious documents is a real concern around the world. Bursztein says that companies and nonprofits are three times more likely to be targeted by malicious documents than other organizations, and that government entities are five times more likely. Some industries are more likely than others to be targeted, as well. Transportation and critical infrastructure utilities, for example, have a much higher risk than the education sector. The prevalence of malicious document attacks varies around the world, but for attackers the approach is always an option. Bursztein points out that kits for crafting malicious documents and tailoring them to evade antivirus scanners are readily available in online criminal forums, ranging in price from about $400 to $5,000. While the scanner is catching more malicious documents than ever, Bursztein and his colleagues will continue to refine it in the hopes of blocking an even bigger chunk of the malware sent to Gmail accounts worldwide. "Malware is something we did after spam and phishing, because malware is a bit harder," he says. "We don't have the malware itself in an email; the documents are all we have at that point. But we always want to improve our detection capabilities and with malicious documents we chose the one where we could make the most impact for our users." When a full-blown hack is just a rogue Word document download away, users will take whatever extra protections they can get. Source: Gmail Is Catching More Malicious Attachments With Deep Learning (Wired)
  13. New Coronavirus Strain? Nope, Just Hackers Trying to Spread Malware PhotoCredit: NurPhoto via Getty The hackers have been using files and emails that warn about a new coronavirus strain to trick users into opening them. Doing so can secretly deliver malware to the victim's machine. Received a random file about the coronavirus? It's best to avoid opening it. Hackers are starting to exploit fears around the ongoing outbreak to infect computers with malware, according to security researchers. The attacks have been occurring through files and emails that pretend to know something about the coronavirus, but have actually been designed to take over the victim's computer. On Wednesday, the hackers were spotted sending out spam emails to users in Japan, warning about a new strain of coronavirus reaching the island country, according to IBM Security. The emails, which are written in Japanese, urge the recipient to open up the attached Word document to learn more. If macros are enabled, the opened document will be able to execute a series of commands to secretly download the Emotet malware, which can steal sensitive information from your machine or deliver other dangerous payloads, such as ransomware. The email pretends to come from a disability welfare service provider: "This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it," IBM Security said in the report. "We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too." On Thursday, the security firm Kaspersky Lab also reported uncovering malicious files disguised as documents about a new strain of coronavirus. To deliver the payload, the hackers were using PDFs, MP4 files and Word documents. "The file names imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case," Kaspersky Lab said. In reality, the discovered files contained a range of different malware threats capable of destroying, blocking modifying and copying data on the victim's machine. "So far we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow," said Kaspersky malware analyst Anton Ivanov in a statement. On Friday, the security firm updated the number of detected malicious files to 32. Source
  14. Mac users are getting bombarded by laughably unsophisticated malware For malware so trite and crude, Shlayer is surprisingly prolific. Enlarge Kaspersky Lab Almost two years have passed since the appearance of Shlayer, a piece of Mac malware that gets installed by tricking targets into installing fake Adobe Flash updates. It usually does so after promising pirated videos, which are also fake. The lure may be trite and easy to spot, but Shlayer continues to be common—so much so that it’s the number one threat encountered by users of Kaspersky Labs’ antivirus programs for macOS. Since Shlayer first came to light in February 2018, Kaspersky Lab researchers have collected almost 32,000 different variants and identified 143 separate domains operators have used to control infected machines. The malware accounts for 30 percent of all malicious detections generated by the Kaspersky Lab’s Mac AV products. Attacks are most common against US users, who account for 31 percent of attacks Kaspersky Lab sees. Germany, with 14 percent, and France and the UK (both with 10 percent) followed. For malware using such a crude and outdated infection method, Shlayer remains surprisingly prolific. An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remote traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.” Another banal detail about Shlayer is its previously mentioned infected method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware. Second verse, same as the first The file downloaded by the Python variant Kaspersky Lab analyzed installs adware known as Cimpli. It ostensibly offers to install applications such as Any Search, which as indicated by search results is clearly a program no one should want. Behind the scenes, it installs a malicious Safari extension and a tool that includes a self-signed TLS certificate that allows the extension to view encrypted HTTPS traffic. To work around any user suspicions, Cimpli superimposes its own windows over dialog boxes that macOS provides. The left windows in the image below are what targeted users see when Cimpli is installing the Safari extension. The window to the right is what’s covered up. By clicking on the button, the user unwittingly agrees to install the extension. The HTTPS decryption tool also superimposes a fake window over the installation confirmation box. Once installed, all user traffic is redirected to an attacker-controlled proxy server. Enlarge Kaspersky Lab Shlayer traditionally has relied on paid affiliates to seed advertising landing pages that display the fake Flash updates. Kaspersky Lab said Shlayer offers some of the highest rates. A newer ploy is the embedding of malicious links in pages on Wikipedia and YouTube. Kaspersky Lab said a single affiliate did so by registering more than 700 expired domains. It’s hard to believe that malware this artless would be among the most common threats facing Mac users. One explanation may be that Shlayer operators must bombard Mac users over and over in a brute-force fashion to compensate for extremely low success rates. A more somber, and probably less likely, possibility: the success rate is high enough that operators keep coming back for more. In either case, it’s likely that the help of affiliates contributes to Shlayer’s ranking. In any event, Shlayer’s ranking is a good reason for people to remember that Flash is an antiquated browser add-on that presents more risk than benefit for the vast majority of the world. For those who must use it, they should download updates solely from https://get.adobe.com/flashplayer/. People should never receive updates from windows that are displayed when trying to view videos or install software. The distinction can be hard for less experienced users, because Flash itself presents—or at least used to present—notifications when updates were available. People also would do well to steer clear of sites offering pirated material. Source: Mac users are getting bombarded by laughably unsophisticated malware (Ars Technica)
  15. Now 29-year-old faces years in the clink after long battle to bring him to justice A 29-year-old Russian scumbag has admitted masterminding the Cardplanet underworld marketplace as well as a second forum for elite fraudsters. Aleksei Burkov appeared in a US federal district court in Virginia this week to plead guilty [PDF] to access device fraud, and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering. Cardplanet was an internet souk in which crooks bought and sold stolen bank card details. When he was cuffed and charged last November, prosecutors estimated the website accounted for roughly $20m in fraud. Burkov also ran, we're told, an exclusive invite-only cybercrime den in which malware, money laundering, and hacking-for-hire were touted by top-tier miscreants as well as credit cards. "To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," Uncle Sam's legal eagles said of the secret den on Thursday. "These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum." For the Feds, this has been a long time coming. US authorities sought Burkov's extradition back in 2017 after he was collared in Israel in 2015. After exhausting his opportunities to appeal the extradition in the Israeli legal system, Burkov was sent to the US to face trial in November of last year, and has now finally coughed to his crimes. Burkov faces a maximum of 15 years behind bars when he is sentenced on May 8, though courts typically hand down much lighter sentences when perps skip lengthy trials and go straight to pleading guilty. Source
  16. PyXie RAT capabilities include keylogging, stealing login credentials and recording videos, warn researchers at BlackBerry Cylance - who also say the trojan can be used to distribute other attacks, including ransomware. A newly discovered hacking campaign by a 'sophisticated cyber criminal operation' is targeting healthcare and education organisations with custom-built, Python-based trojan malware which gives attackers almost control of Windows systems with the ability to monitor actions and steal sensitive data. Malicious functions of the remote access trojan , dubbed PyXie RAT, include keylogging, credential harvesting, recording video, cookie theft, the ability to perform man-in-the-middle attacks and the capability to deploy other forms of malware onto infected systems. All of this is achieved while clearing evidence of suspicious activity in an effort to ensure the malware isn't discovered. However, traces of the attacks have been found and detailed by cyber security researchers at Blackberry Cylance, who named the malware PyXie because of the way its compiled code uses a '.pyx' file extension instead of the '.pyc' typically associated with Python. PyXie RAT has been active since at least 2018 and is highly customised, indicating that a lot of time and resources have gone into building it. "The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber criminal operation," Josh Lemos, VP of research and intelligence at Blackberry Cylance told ZDNet. The malware is typically delivered to victims by a sideloading technique which leverages legitimate applications to help compromise victims. One of these applications uncovered by researchers was a trojanized version of an open source game, which if downloaded, will go about secretly installing the malicious payload, using PowerShell to escalate privileges and gain persistence on the machine. A third stage of the multi-level download sees PyXie RAT leverage something known in the code as 'Cobalt Mode' which connects to a command and control server as well as downloading the final payload. This stage of the download takes advantage of Cobalt Strike – a legitimate penetration testing tool – to help install the malware. It's a tactic which is often deployed by cyber criminal gangs and something which aids in making attacks more difficult to attribute. This particular downloader also has similarities with another used to download the Shifu banking trojan, however, it could simply be a case of criminals taking open source – or stolen – code and re-purposing it for their own ends. "An advantage of utilizing a widely used tool such as Cobalt Strike is it makes attribution difficult since it is used by many different threat actors as well as legitimate pentesters. With the Shifu banking trojan similarities, it is unclear if it is the same actors or if someone else reused some of its code," said Lemos. Once successfully installed on the target system, the attackers can can move around the system and implement commands as they please. In addition to being used to steal usernames, passwords and any other information enter the system, researchers note that there are cases of PyXie being used to deliver ransomware to compromised networks. "This is a full-featured RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances," said Lemos. The full extent of the PyXie RAT campaign still isn't certain, but researchers have identified attacks against over 30 organisations, predominately in the healthcare and education industries, with hundreds of machines believed to have been infected. Aside from likely being a well-resourced cyber criminal group, it's currently unknown who exactly is behind PyXie RAT, but the campaign is still thought to be active. However, despite the sophisticated nature of the malware, researchers state that it can be protected against by standard cyber hygiene and enterprise security best practices including operating system and application patching, endpoint protection technology, auditing, logging and monitoring of endpoint and network activity and auditing of credential use. Source
  17. After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been. Microsoft first announced the BlueKeep vulnerability in May; now, hackers have finally caught up with it. When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario. Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide. But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic. "BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits." Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a "crashdump," forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact the target machines crash indicate that the exploit may be unreliable. The malware's authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September. It's unclear also how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. "I've seen a spike, but not the level I'd expect from a worm," says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients' networks for signs of exploitation. "It hasn’t hit critical mass yet." In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending. "Every month that passes by without a worm happening, more people patch and the vulnerable population goes down," Williams says. "Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it." But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn't passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or also WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 and $8 billion damage. In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by its cryptocurrency mining—and at most a vague harbinger of a more severe attack on the horizon. "A BlueKeep exploit is perfect for getting more systems to mine from," says Hutchins. "It’s not necessarily going to affect whether someone still makes a ransomware worm at some point." If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet. Source
  18. All Android 8 (Oreo) or later devices are impacted. Google released a patch last month, in October 2019. Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth. Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning. While the lack of one prompt sounds unimportant, this is a major issue in Android's security model. Android devices aren't allowed to install apps from "unknown sources" -- as anything installed from outside the official Play Store is considered untrusted and unverified. If users want to install an app from outside the Play Store, they have to visit the "Install apps from unknown sources" section of their Android OS and enable the feature. Until Android 8, this "Install from unknown sources" option was a system-wide setting, the same for all apps. But, starting with Android 8, Google redesigned this mechanism into an app-based setting. In modern Android versions, users can visit the "Install unknown apps" section in Android's security settings, and allow specific apps to install other apps. For example, in the image below, the Chrome and Dropbox Android apps are allowed to install apps, similar to the Play Store app, without being blocked. The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones. Since there's no prompt for an install from an unknown source, tapping the notification starts the malicious app's installation. There's a danger that many users might misinterpret the message as coming from the Play Store, and install the app, thinking it's an update. HOW TO PROTECT YOURSELF There are good news and bad news. The bad news is that the NFC feature is enabled by default on mostly all newly-sold devices. Many Android smartphone owners may not even be aware that NFC is enabled even right now. The good news is that NFC connections are initiated only when two devices are put near each other at a distance of 4 cm (1.5 inches) or smaller. This means an attacker needs to get his phone really close to a victim's, something that may not always be possible. To stay safe, any user can disable both the NFC feature and the Android Beam service. If they use their Android phones as access cards, or as a contactless payment solutions, they can leave NFC enabled, but disable the Android Beam service -- see image below. This blocks NFC file beaming, but still allows other NFC operations. So, there's no need to panic. Just disable Android Beam and NFC if you don't need them, or update your phone to receive the October 2019 security updates and continue using both NFC and Beam as usual. A technical report on CVE-2019-2114 is available here. Source: Android bug lets hackers plant malware via NFC beaming (via ZDNet)
  19. Jack Wallen offers up his best advice for avoiding malware on Android. We're back to the topic that bears repeating every month or so: Android and malware. They seem to be like chocolate and peanut butter these days. But why? Is it the developer's fault? Is the onus on Google? I'm going to open a rather messy can of worms and say the blame could easily fall on the shoulders of everyone involved--including the user. But in the end, no matter how secure a platform Google released, if Android is used poorly, bad things will happen. The same holds true for Windows, macOS, and (gasp) even Linux. That's right. I could deploy a Linux desktop to someone and if they misuse the platform, similar bad things could happen. So what's a user to do? Nothing different than I've said before. In fact, I laid out a simple plan for users in 4 ways to avoid malware on Android. But as many an admin knows, the simpler the advice is for end users, the more likely the advice will stick. My advice? Only install applications you have to have. How users use devices I know, it's not really that easy. Why? Because users don't have the control necessary to limit themselves to only installing required applications. According to this article from sister site ZDNet, social media takes up the bulk of smartphone usage, with Americans spending an average of just over an hour a day on Facebook and 48 minutes on Instagram. Millennials spend roughly 48 minutes per day texting, versus 30 minutes for baby boomers. Boomers, on the other hand, spend 43 minutes per day on email, whereas millennials spend less than 10 minutes per day within an email app. Outside of that, the majority of time spent on smartphones is divided between the following apps/services: Internet Podcasts Snapchat Music Twitter Youtube News apps Messenger Phone So our full list of most-used apps and services looks like: Facebook Instagram Texting Phone Internet Podcasts Snapchat Music Twitter Youtube Messenger News apps Email Of those apps/services, Android has the following built into its ecosystem: Texting - Messages Phone - Phone app Internet - Chrome Podcasts - Play Music Music - Play Music Youtube - Youtube app Messenger - Messenger app News Apps - Google News Email - Gmail app What's left over? Instagram Snapchat Twitter By installing only three apps, the majority of millennials and boomers can satisfy all of their mobile needs. Three simple apps, each of which are found in the Google Play Store and have been thoroughly vetted by both the companies that created them and Google itself. Or have they? Back in 2014, more than four million Snapchat users' data was released by hackers reacting to Snapchat's claim it had no knowledge of vulnerabilities. This wasn't an issue with the Snapchat app, but the Snapchat service. And it wasn't malware. Installing the Snapchat app on an Android device wasn't accompanied by malicious code. The app itself was safe. As are all of the apps on the list above. At least they are as safe as any piece of software can be. Which is to say, not 100%. But that's the risk we all take for living an always-connected life. As the saying goes, any computer connected to the internet is vulnerable. What's the solution? This is where it gets simple. If you want to avoid malware on Android, you install only the apps you must have to do your work. Outside of that, you install Instagram, Snapchat, and Twitter and use the built-in apps to round out your experience. I know what you're asking. What about games? Funny thing, games. The majority of responses to the original ZDNet screen time poll never mentioned games. Of course we all know that the mobile gaming industry is massive, so people are--without a doubt--playing games on their devices. For those that do, I would suggest one of two things: Have a separate device for games. Only install games from official companies or reputable developers. In the end, the solution is to limit the apps you install on your device and to only install those apps from the Google Play Store. Do that and the chances of your device getting infected with malware is drastically reduced. Just remember, nothing is guaranteed in this digital age. Be safe. Source: How to avoid malware on Android in one easy step (via Tech Republic)
  20. MessageTap malware is meant to be installed on Short Message Service Center (SMSC) servers, on a telco's network. One of China's state-sponsored hacking groups has developed a custom piece of Linux malware that can steal SMS messages from a mobile operator's network. The malware is meant to be installed on Short Message Service Center (SMSC) servers -- the servers inside a mobile operator's network that handle SMS communications. US cyber-security firm FireEye said it spotted this malware on the network of a mobile operator earlier this year. HOW MESSAGETAP WORKED FireEye analysts said hackers breached a yet-to-be-named telco and planted the malware -- named MessageTap -- on the company's SMSC servers, where it would sniff incoming SMS messages, and apply a set of filters. First, MessageTap would set SMS messages aside to be stolen at a later point if the SMS message's body contained special keywords. "The keyword list contained items of geopolitical interest for Chinese intelligence collection," FireEye said. "Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government." Second, MessageTap would also set SMS messages aside if they were sent from or to particular phone numbers, or from or to a device with a particular IMSI unique identifier. FireEye said the malware tracked thousands of device phone numbers and IMSI codes at a time. PART OF APT41'S ARSENAL The company's analysts linked the malware to a relatively new Chinese hacker group it calls APT41 [PDF report]. In a previous report, FireEye said that APT41 stood apart from other Chinese groups because besides performing politically-motivated cyber-espionage, the group's members also carried out financially-motivated hacks, most likely for their private benefits. Furthermore, FireEye also found evidence on the hacked telco's network that APT41 interacted with the mobile operator's call detail record (CDR) database -- a database that stores metadata on past phone calls. FireEye said APT41 queried for the "CDR records [that] corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services." While FireEye didn't name the hacked telco or the spied on targets, Reuters journalists said that MessageTap was related to China's efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers' movements. CHINESE HACKING OPERATIONS ARE CHANGING The discovery of this campaign is significant, in the grand scheme of things of Chinese cyber-espionage operations, as a whole. For the past years, Chinese hacking groups have been known for their smash-and-grab approach, where they hacked a target and stole as much data as they could, to analyze it at later points. APT41's modus operandi shows a carefully planned and very targeted surveillance operation aimed at a very small group of targets. That's different from what Chinese hacking groups have done in the past, but it appears to have become the norm these days -- if we take into account the CCleaner and ASUS Live Update hacks, where Chinese hackers also breached a company just to go after a small subset of its customers. The overall arch is that Chinese hacker groups are now getting very good at targeted operations, on par with what we've usually seen from US or Russian operations. On a side note, FireEye's report today also confirms a general trend of Chinese hackers going after telecom opertions, first detailed in a June 2019 Cybereason report which found that Chinese government hackers had breached the networks of at least ten foreign mobile operators. Source: Chinese hackers developed malware to steal SMS messages from telco's network (via ZDNet)
  21. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware. Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals. A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them. The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware. "The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack". Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages. While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players. The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services. "There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila. As more IoT products become connected to the internet, it's going to become easier for attacker to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – researchers recommend upgrading your router to a newer model and that you should regularly apply software updates to ensure the device is as protected as possible against attacks. "In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. The more frequent the better, but perhaps for simplicity, considering timing router updates around daylight savings so at least you're updating twice a year," he added. Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  22. Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process. The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer … The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background. Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery drain. Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not found within the app itself, but the apps were instead getting instructions on what to do from a remote server. Apple says it is improving its app review process to detect this approach. The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm. The apps were all from AppAspect Technologies. iOS aims to guard against this by sandboxing. Each app gets its own private environment, so cannot access system data or data from other apps unless using processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, giving three examples of this. Wandera is the same company that warned how a Siri feature could be used for phishing non-technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet. Source: 1. 17 malware iPhone apps removed from App Store after evading Apple’s review (via 9to5Mac) - Main article 2. Trojan malware infecting 17 apps on the App Store (via Wandera) - Main reference to the article p/s: The list of 17 apps that are mentioned on the article are as follows:
  23. A new report -- Webroot Threat Report: Mid-Year Update -- has found that one in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 and exploits have grown 75 percent since January 2019. According to the report, Hackers are using trusted domains and HTTPS to trick victims. Nearly a quarter (24 percent) of malicious URLs were found to be hosted on trusted domains, as hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. 1 in 50 URLs (1.9 percent) were found to be malicious, which is high, the report says, given that nearly a third (33 percent) of office workers click more than 25 work-related links per day. Nearly a third (29 percent) of detected phishing web pages use HTTPS as a method to trick users into believing they're on a trusted site via the padlock symbol. Phishing continued rapid growth into 2019, and criminals are expanding their phishing targets. Phishing grew rapidly, with a 400-percent increase in URLs discovered from January to July 2019. The top industries impersonated by phishing include: 25 percent are SaaS/Webmail providers 19 percent are financial institutions 16 percent are social media 14 percent are retail 11 percent are file hosting Eight percent are payment services companies Phishing lures are becoming increasingly personalized as more PII is collected from breaches. Phished passwords are used for more than account takeover. Specifically: extortion emails are being used, claiming the user has been caught doing something embarrassing or damaging that will be shared with colleagues, friends and family unless a ransom is paid, says the results. Phishing doesn't always target usernames and passwords. The attacks also go after secret questions and their answers, says the report. Windows 7 is becoming even riskier, with infections increasing by 71 percent. Between January and June, the number of IPs that host Windows exploits grew 75 percent Malware samples seen on only one PC are at 95.2 percent, up from 91.9 percent in 2018 Out of all infected PCs, 64 percent were home user machines, and 36 percent were business devices. More at: (Webroot) Source
  24. Hackers continue to target the Drupal vulnerability named Drupalgeddon2 to install malware onto unpatched systems, Akamai’s security researchers have discovered. Tracked as CVE-2018-7600, the security flaw impacts Drupal versions 6, 7 and 8. The bug was addressed in March 2018, with the first attacks targeting it spotted only several weeks later, attempting to deploy malicious programs such as crypto-miners and backdoors. Now, Akamai security researcher Larry W. Cashdollar reveals that the vulnerability continues to be targeted in a recently observed malicious campaign where attackers attempt to run code embedded in a .gif file. Although not widespread, the campaign appears to be targeting a broad range of high profile websites, without a focus on a specific industry. One of the analyzed .gif files was hosted on a compromised bodysurfing website located in Brazil. The file contains obfuscated PHP code designed to decode base64-encoded malware stored in a variable. The researcher discovered that the malware could scan for credentials stored in local files, send email with the discovered credentials, replace the local .htaccess file, display MySQL my.cnf configuration files, execute a remote file, show system information, rename files, upload files, and launch a web shell. In addition to the .gif, the attack drops a piece of malware stored in a .txt in the form of a Perl script. This malicious program uses Internet Relay Chat (IRC) for command and control (C&C) communication. The threat can launch distributed denial-of-service (DDoS) attacks, but also functions as a remote access Trojan (RAT). It can connect to a now defunct IRC server and join a specific channel to receive commands. Functionality included in the malware allows it to gather information from the local system and provide attackers with control over it. It also supports a SQL flood command, which allows the malware operators to send generic HTTP GET requests to MySQL’s default port, 3306, on the specified target. “This piece of code has been widely shared and modified by the criminal Internet underground,” Cashdollar says. The new campaign underlines once again the importance of maintaining a good security hygiene, which also involves patching in a timely manner. The targeted Drupalgeddon2 vulnerability is a year and a half old and can be easily exploited, which creates great risks for enterprise environments with unpatched systems, as scanning and infection attacks can be automated. “Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take,” the researcher concludes. Source
  25. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware." Guide: http://www.selectrealsecurity.com/malware-removal-guide I'll be posting updates. :)
  • Create New...