Scorpion

Super Moderator
  • Content Count

    392
  • Joined

  • Last visited

  • Days Won

    13

Scorpion last won the day on November 6 2017

Scorpion had the most liked content!

About Scorpion

  • Rank
    Super Moderator
  • Birthday 05/13/1970

  1. Yahoo customers affected by three massive data breaches that resulted in the theft of more than three billion users' data are allowed to sue the company, a judge has ruled. California judge Lucy Koh rejected a bid by Verizon, which bought the internet giant last year, to dismiss a large portion of the claims, including breach of contract, deceit and concealment, and negligence. At the heart of the case, Yahoo was accused of taking too long to notify users of the breaches, which put customers at risk of identity theft and fraud.

     The filing, dated Friday, cited several customers whose data was stolen by criminals and used for filing fraudulent tax returns or credit card charges. Other customers had to pay out to credit bureaus to freeze their accounts. Koh said that customers may have "taken measures to protect themselves" had they known about the breaches sooner.

     The case began in 2016 after the company admitted it was hacked in 2014, in which 500 million user accounts were stolen. Later in the year, the company revealed that it was hacked again -- a year earlier in 2013 -- in which one billion accounts were stolen. Yahoo later said that all its three billion users were affected by that breach. A separate attack on the company's systems allowed hackers to steal portions of the company's source code. Attackers used that code to generate cookies, allowing access to accounts without requiring a user's password.

     Verizon did not immediately respond to a request for comment.
  2. A well-established research team from the Ben-Gurion University of the Negev in Israel has detailed today a new method of extracting data from air-gapped computers using speakers, headphones, earphones, or earbuds. The attack is only experimental at this point and has not been seen in the real world, but it has been proven to work, and researchers have also created a custom protocol for transmitting data between two computers, one air-gapped and one Internet-connected, that can relay the data further. Attack scenarios include speaker-to-speaker exfiltration, speaker-to-headphones, and headphones-to-headphones.

     Jack retasking strikes again!

     The attack, nicknamed MOSQUITO, is possible because of a technique called "jack retasking" that reverses output audio jacks to input jacks, effectively turning speakers into (unconventional) microphones. The same research team explored jack retasking in a previous research project last year, called Speake(a)r, which researchers used to turn headphones into microphones and record nearby audio and conversations.

     For the current experiment, researchers argue that malware that managed to infect an air-gapped computer can transform and modulate locally stored files into audio signals and relay them to another nearby computer via connected speakers, headphones, earphones, or earbuds. The receiving computer, also infected with malware, uses jack retasking to convert connected speakers, headphones, earphones, or earbuds into a makeshift microphone, receive the modulated audio, and convert it back into a data file.

     MOSQUITO attack supports pretty fast transfer speeds

     Researchers created a custom data protocol that modulates binary data into audio signals, and they tested their attack for distances between 1 and 9 meters (3.2 to 29.5 feet). Researchers said they managed to transfer data between two computers with speeds varying from 1800 bits/s to 1200 bits/s for speakers facing each other and emitting sound in audible frequency bands (lower than 18kHz). Transfer speeds decreased if the speakers weren't facing each other, the distance between speakers increased, or the audio frequency changed (towards low or high frequency). While the first two factors are self-explanatory, the last needs an additional explanation. "The reason for that is that loudspeakers, and particularly home grade PC loudspeakers, were projected and optimized for human auditory characteristics, and therefore they are more responsive to the audible frequency ranges," said researchers.

     Transfer speeds also decreased when using earphones or earbuds (varied between 600 bits/s and 300 bits/s) and went even lower for headphones (around 250 bits/s). The reason was that headphones directed their sound waves in one particular direction, limiting efficient exfiltration cases to very small distances when headphones were close to each other, and when they emitted sound in audible frequencies only. Other factors that decreased data transfer speeds included environment noise such as music and speech, but researchers said this could be mitigated by moving the data exfiltration frequency above 18kHz.

     The research team discusses various mitigation and countermeasures in their research paper entitled "MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication." They also released demos to showcase their work.

     The research center from the Ben-Gurion University of the Negev who came up with this new data exfiltration technique has a long history of innovative and sometimes weird hacks, all listed below:
       • LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
       • SPEAKE(a)R - use headphones to record audio and spy on nearby users
       • 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
       • USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
       • AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
       • Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
       • DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
       • BitWhisper - exfiltrate data from non-networked computers using heat emanations
       • Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
       • xLED - use router or switch LEDs to exfiltrate data
       • Shattered Trust - using backdoored replacement parts to take over smartphones
       • aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
       • HVACKer - use HVAC systems to control malware on air-gapped systems
       • MAGNETO & ODINI - steal data from Faraday cage-protected systems
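The post above says the researchers expect an attacker to move the acoustic channel above 18kHz to escape ambient music and speech, and that the paper discusses countermeasures. One practical countermeasure is to monitor what the audio subsystem is actually emitting and flag frames whose energy sits mostly in that near-ultrasonic band, where ordinary desktop audio has no business being. The monitor below is an added example written for this thread; it is not code from the article, from the Ben-Gurion team, or from the MOSQUITO paper. The 48 kHz sample rate, the 512-sample frame, the 18 kHz cutoff and the 50% energy threshold are assumptions chosen for illustration, and the input is a constructed synthetic signal (a 1 kHz "ordinary audio" tone followed by a 19 kHz tone standing in for a covert transmission). A real deployment would feed it captured output from the sound card instead.

```python
"""Acoustic covert-channel monitor (added example; assumptions labelled below).

Splits an audio stream into frames, computes a plain DFT per frame (no numpy,
so it runs anywhere), and reports frames whose energy is concentrated above
the cutoff the MOSQUITO write-up names as the attacker's escape band.
"""
import math
from typing import List, Sequence

SAMPLE_RATE = 48_000   # Hz; assumed capture rate of the monitored audio path
FRAME = 512            # samples per analysis frame (93.75 Hz per bin at 48 kHz); assumed
CUTOFF_HZ = 18_000     # band boundary the article cites for dodging ambient noise
THRESHOLD = 0.5        # assumed: flag a frame when >50% of its energy is above the cutoff


def half_spectrum(frame: Sequence[float]) -> List[float]:
    """Power in each DFT bin 0 .. N/2 of a real-valued frame (naive O(N^2) DFT)."""
    n = len(frame)
    powers = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for i, x in enumerate(frame):
            ang = 2.0 * math.pi * k * i / n
            re += x * math.cos(ang)
            im -= x * math.sin(ang)
        powers.append(re * re + im * im)
    return powers


def band_energy(powers: Sequence[float], lo_hz: float, hi_hz: float,
                rate: int = SAMPLE_RATE) -> float:
    """Sum the bin powers whose centre frequency lies in [lo_hz, hi_hz]."""
    n = (len(powers) - 1) * 2          # recover frame length from the half spectrum
    lo = math.ceil(lo_hz * n / rate)
    hi = min(math.floor(hi_hz * n / rate), n // 2)
    return sum(powers[lo:hi + 1])


def ultrasonic_fraction(frame: Sequence[float], cutoff_hz: float = CUTOFF_HZ,
                        rate: int = SAMPLE_RATE) -> float:
    """Fraction of the frame's total energy that lies at or above cutoff_hz."""
    powers = half_spectrum(frame)
    total = sum(powers)
    if total == 0.0:                   # silent frame: nothing to flag
        return 0.0
    return band_energy(powers, cutoff_hz, rate / 2, rate) / total


def flag_frames(samples: Sequence[float], threshold: float = THRESHOLD,
                frame_len: int = FRAME) -> List[int]:
    """Indices of frames whose energy is mostly above the cutoff (suspect frames)."""
    suspects = []
    for idx, start in enumerate(range(0, len(samples) - frame_len + 1, frame_len)):
        if ultrasonic_fraction(samples[start:start + frame_len]) > threshold:
            suspects.append(idx)
    return suspects


def tone(freq_hz: float, n: int, amp: float = 1.0, rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed test signal: a pure sine of freq_hz lasting n samples."""
    return [amp * math.sin(2.0 * math.pi * freq_hz * i / rate) for i in range(n)]


def demo_signal() -> List[float]:
    """Constructed input: four frames of ordinary 1 kHz audio, then four frames
    of a 19 kHz carrier standing in for a covert transmission."""
    return tone(1_000, 4 * FRAME) + tone(19_000, 4 * FRAME)


if __name__ == "__main__":
    sig = demo_signal()
    print("suspect frames:", flag_frames(sig))   # expected: [4, 5, 6, 7]
```

The fraction-of-energy test is deliberately relative, so it is not fooled by volume alone; a production monitor would also keep an absolute baseline per machine, because a weak carrier mixed under loud legitimate audio can hide below a ratio threshold, and it would raise the alert on the host's normal telemetry channel rather than just printing.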
  3. As Oscar Wilde might have put it: "To lose one filing cabinet full of government documents may be regarded as a misfortune; to lose two looks like carelessness." Carelessness is something the Australian government seems to be quite good at these days.

     News broke on Sunday that in 2013, confidential personnel files from the then Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA), now part of the Department of Social Services, had gone walkies for several days. Just like the secret cabinet files incident reported in January, these documents were discovered in a locked filing cabinet bought from a second-hand furniture store. "The documents were personnel files which had all the personal details [of employees] like home addresses and phone numbers, as well as previous positions held, CVs, and security clearances," the buyer told The Sunday Canberra Times. "It was a two-drawer filing cabinet, and the bottom drawer was completely full," he said.

     The two incidents aren't quite the same. Personnel files don't have to be handled under the same security protocols as cabinet documents. But there's plenty enough information in them to make identity theft or spearphishing a trivial pursuit. Yes, this is carelessness.

     Then there was the incident where a "classified notebook belonging to a top Defence official" was discovered, along with his ID ... guess where? "Initial inquiries indicate the items were inadvertently left in a piece of personal furniture recently disposed of by the Defence official," The Canberra Times reported.

     Three incidents involving lost documents in second-hand furniture don't constitute a wave of incompetence, of course, no more than two or three robberies randomly clustered together constitute a crime wave. But these physical data leaks are being unearthed at a time when confidence in the government's ability to manage data needs to be questioned, and questioned hard.

     Do we need to repeat the now-familiar litany? The government's recklessness with medical data. The omnishambles of the 2016 Census. The collapse of the Australian Taxation Office (ATO) storage system. The unthinking viciousness of Centrelink's robodebt debacle. Things are no better at the state level -- the corruption of Victoria's Ultranet project and NSW agencies struggling with the security basics, to name but two examples. Do you detect a pattern? I do.

     So do former senior public servants, but in another way. Last month, The Mandarin, a news site that covers leadership in the public sector, concluded that there's an urgent need to recover the capacity for deep policy analysis in the Australian Public Service (APS). Terry Moran, a former secretary of the Department of the Prime Minister and Cabinet (PM&C), was scathing. "The APS is failing in areas of social policy because it has been stripped of specialist capability and service delivery experience. If it were a patient it would be in palliative care," Moran said. "Successive governments haven't nurtured the APS: they've gutted it."

     David Borthwick, former secretary of the Department of Environment, Water, Heritage and the Arts, was concerned that a lack of resources meant that departments were flat out delivering their programs, with little time for anything else. "The quality of the Australian Public Service is the foundation of good government. It must have the capacity -- the skilled workforce and the resources -- to undertake the strategic thinking which underpins longer-term reforms," Borthwick said.

     Highly-respected journalist Laura Tingle reported similar concerns in her Quarterly Essay from 2015, Political Amnesia: how we forgot how to govern. "The blurring of boundaries between the public servant and the political adviser, and the relentless focus on message over substance, results in a diminution of the 'space' in which the independent adviser can operate," Martin Parkinson, currently secretary of the Department of Prime Minister and Cabinet, said at the time. "Today, in some institutions, smart people look around at their colleagues and find there is no one to talk to, to learn from, who has experience in delivering real reform."

     Ken Henry, a former secretary of the Commonwealth Treasury, said much the same thing in Tingle's essay. "I think many departments have lost the capacity to develop policy; but not just that, they have lost their memory. I seriously doubt there is any serious policy development going on in most government departments," Henry said.

     All this is about developing policy rather than implementing programs, of course. But aren't they the exact two things that the government is actually for? If Australia were struggling to do either one of them, then we'd be deep in the brown stuff. But we're struggling with both.

     The most worrying comment for me came from Peter Varghese, a former secretary of the Department of Foreign Affairs and Trade (DFAT). "Deep policy thinking is an area where our system, at both the political and the public service levels, has struggled over the last decade," The Mandarin quoted Varghese as saying. "Recovering the capacity for deep policy analysis is urgent because we are at an inflection point in our history. It is not dissimilar to the period after the second world war when the nation had to set out in a new direction and when the political and public service leaderships worked so well together to chart that direction. Or the period from the early eighties when we set out to internationalise the Australian economy; or the nineties when tax and industrial relations policies had to be redefined."

     Yes, the Australian government is struggling, both with policy development and with the implementation of data-enabled programs, at the exact moment in history when such things are needed. The government is even having to hire consultants to teach it how to do basic government stuff like organisational development. Parliament is currently running an inquiry into how the government uses contractors, with wide-ranging terms of reference. Stay tuned, but remember that this inquiry will only scratch the surface.
  4. A Canadian businessman has been arrested in the US for allegedly modifying and encrypting BlackBerry smartphones used by "upper echelon" Australian criminals, Mexican drug cartel members, and other members of the global underworld. Vincent Ramos, 41, the chief executive of Vancouver-based Phantom Secure, was taken into custody in California last week after a global investigation involving the Australian Federal Police and the seizure of shipments of cocaine from the US to Australia.

     Phantom Secure technicians gutted BlackBerry handsets of their original hardware and software and installed new encryption software and an email program, according to a criminal complaint filed in the US District Court. Of the 20,000 Phantom Secure devices in service around the world, 10,000 were allegedly in Australia, according to estimates touted by the FBI. "According to law enforcement sources in Australia, Canada, and the US, Phantom Secure devices are used by the upper echelon members of various transnational criminal organisations to communicate with their criminal compatriots and conduct the illegal activities of the organisation," FBI Special Agent Nicholas Cheviron wrote in the complaint.

     Phantom Secure allegedly charged customers between $2,000 and $3,000 for six-month subscriptions and the phones were "specifically designed to prevent law enforcement from intercepting and monitoring communication". The phones' emails were allegedly routed through encrypted servers in Panama and Hong Kong, nations Phantom Secure claimed in marketing materials were "uncooperative" with law enforcement.

     A transnational drug trafficker and associate of Mexico's infamous Sinaloa cartel, known in court documents as Cooperating Witness One (CW-1), told authorities cartel members used Phantom Secure phones. "CW-1 stated that over the course of several years, his drug trafficking organisation moved hundreds of kilograms of cocaine per month from Mexico through the US, ultimately destined for Canada and Australia," the FBI special agent wrote. "CW-1 used a Phantom Secure device to co-ordinate and complete each of these drug transactions." In August 2015, using Phantom Secure devices, "CW-1 and his Australian conspirators co-ordinated a shipment of 10kg of cocaine from the US to Australia, which was seized by the Australian Border Force," according to court documents.

     In 2016 Australian Federal Police seized a Phantom Secure device from an Australian arrested for drug smuggling, according to the FBI. "During this period, the AFP communicated with an unknown individual in Los Angeles who packaged and shipped 16 kilograms of cocaine to Australia where it was intercepted on September 11, 2016," the FBI special agent wrote. Ramos faces racketeering conspiracy, conspiracy to distribute narcotics charges, and aiding and abetting charges.

     The arrest of the head of an organisation helping criminals avoid legal surveillance will, more than likely, be used by those seeking a decryption magic bullet. Last month, Australian Minister for Home Affairs Peter Dutton labelled "ubiquitous encryption" a "significant obstacle" to terrorism investigations. According to the minister, more than 90 percent of counter-terrorism targets are using encryption for communications, including for attack planning in Australia. "Decryption takes time, a precious commodity when threats may materialise in a matter of days or even hours," Dutton said at the time. "Law enforcement access to encrypted communications should be on the same basis as telephone and other intercepts, in which companies provide vital and willing assistance in response to court orders."

     Speaking at a recent Senate Estimates hearing, Secretary of the Department of Home Affairs Michael Pezzullo said the government's decryption solution, when details on it are unveiled, would not "undermine legitimate encryption" and would balance societal needs for encryption. "The challenge for governments and parliaments all around the world is how do you ensure that encryption is used for legitimate societal purposes, and not misused by -- in the same way the internet is misused through the dark web -- that encryption is available to those who use it for legitimate purposes and not otherwise," Pezzullo said last month.

     The secretary for Home Affairs struck out at descriptions of the decryption proposal as a "backdoor". "That's the shorthand, colloquial, and in many respects, highly ill-informed shorthand that is sometimes used in this field," he said. "You assume that a backdoor has to be created, I'm just saying that that is a cartoon-like assumption -- not that you are making -- but you've seen the literature."

     Later in the hearing, the department said the national facial recognition system it is developing was protected due to its "hub-and-spoke" topology, and a unique characteristic of its network. "We've also got a moat on the outside of the gateway, don't we?" Pezzullo said to Department Deputy Secretary of Intelligence and Capability Maria Fernandez. After Fernandez replied in the affirmative, Pezzullo said the system also has a number of "forward posts ahead of the moat". Details on the department's cybermoat have yet to be fleshed out.

     In November, Ben Flatgard, director for Cybersecurity Policy on the US National Security Council during the Obama administration, told ZDNet that Australia's push for decryption was reckless policy. "We've been discussing this as long as encryption's been used in commercial applications," Flatgard said.

     In January, a US senator said the approach to encryption by FBI director Christopher Wray was an ill-informed policy proposal. "For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible," said Democrat Senator Ron Wyden in a letter. Wray had previously stated that an inability to access encrypted devices was an urgent public safety issue, and the agency was not able to access evidence, despite lawfully being able to.
  5. Just two botnets accounted for 97% of all spam emails in the last three months of 2017, according to a McAfee report released earlier today. For most of these months, Necurs has spent its time churning out "lonely girl" spam lures for adult websites, pump-and-dump schemes [1, 2], and delivering ransomware payloads. Overall, nearly two out of three spam emails sent in the last quarter of 2018 were sent from the infrastructure of this mammoth botnet.

     Second on the list was the Gamut botnet, also built on Windows machines infected with malware that hijacks systems to send out spam. Gamut, while smaller in size when compared to Necurs, had previously been more active in Q3, sending more spam than the aforementioned. In Q4, Gamut activity went down, but the botnet still accounted for 37% of all email spam, compared to Necurs' 60%. Most of Gamut's email subjects were related to job offer–themed phishing and money mule recruitment (tricking people to buy products with stolen money and sending the products to crooks; relaying money from hijacked bank accounts to crooks' accounts).

     Ransomware statistics for Q4 2017

     But the report, which takes an eagle-eye view of the malware scene in Q4 2017, also shines a light on the ransomware scene. McAfee says that the numbers of both desktop and mobile ransomware were up in late 2017, by 35% in Q4 and by 59% for the year. On the desktop side, the security firm says that a big contributor to the growth of ransomware detections was the Ransom:Win32/Genasom family, a generic term that has been used for CryptoMix variants. On the mobile scene, the number of new mobile ransomware families went down, but the number of infections continued to grow. But this part of the McAfee report is questionable, as another similar report from ESET said that mobile ransomware went down, not up, in 2017.

     Other malware statistics for Q4 2017

     As for other malware trends, the McAfee Labs Threats Report for Q4 2018 contains the following findings:
       • The number of new malware strains grew by 35%
       • The total number of malware detections grew by 35%
       • Waboot malware was the most detected threat of Q4 2017
       • Mac malware grew by 24% in Q4 and 243% for the year
       • Flashback (infostealer) and Longage (RAT) were the most prevalent Mac threats in Q4 2017
       • JavaScript-based malware grew by 9%
       • PowerShell malware more than tripled, growing by 267%
       • Macro malware increased by 53% in Q4, declined by 35% in 2017
       • Faceliker malware continued to grow after initial detection
  6. Intel has almost wrapped up revised microcode updates that address unexpected reboots caused by its first attempt at mitigating the Spectre variant 2 attack. The chip-maker's recently updated microcode revision guidance indicates that most of its platforms from the past decade now have production-ready patches to mitigate the Spectre attack.

     On January 22, three weeks after releasing microcode updates to address the speculative execution side-channel vulnerabilities, Intel advised PC makers to halt the deployment of its Spectre patches due to unexpected system reboots and in some instances data loss. Over the past month Intel has released revised updates for Skylake, Kaby Lake, Coffee Lake chips and, at the end of February, released fixed production updates for Broadwell and Haswell chips.

     As of Thursday, Intel has moved beta updates for Sandy Bridge and Ivy Bridge processors to production. These include Xeon and Core processors for the two families. It also released revised production updates for Haswell Server EX Xeon, Haswell ULT, and Broadwell Server EX Xeon CPUs.

     The revised microcode updates are delivered to end-users as firmware updates from PC and server manufacturers. Dell has now released new BIOS updates with Intel's revised microcode for datacenter servers and PowerEdge Server 14G, 13G, and 12G generation servers, with 11G updates still in process. Dell has also released revised BIOS updates available for most of its client devices across XPS, Vostro, Venue, Precision, OptiPlex, Latitude, Inspiron, and Alienware brands. HP's support page indicates that most of its commercial and consumer laptops, desktops and tablets have fixed softpaq updates available for download. Lenovo meanwhile expects to update ThinkCenter, ThinkPad, ThinkStation, and Yoga by the end of March. Updates for affected Lenovo enterprise systems are also targeted for delivery throughout March.

     Admins managing large Windows deployments can use Microsoft's recently released Spectre and Meltdown patch assessment tool to check the status of devices on their networks.
  7. A sharp rise in cyber attacks targeting hospitals has been assisted by a failure by healthcare to address known vulnerabilities or comply with best security practices, with password sharing, outdated software and exposed servers rife within the sector. This lax approach to cyber security means that many cyber attackers and hackers are happy to take advantage of what they view as an easy target in order to get their hands on sensitive information - including medical records and other sensitive personal data.

     According to figures in the McAfee Labs Threats Report for March 2018, 2017 saw a 211 percent increase in disclosed security incidents in healthcare compared with 2016. According to researchers at the security company, many of these incidents were "caused by failures to comply with security best practices or to address vulnerabilities in medical software". That compares to a rise in reported cyber attacks against educational establishments of 125 percent and a jump of around 15 percent in reported incidents against the financial and public sectors.

     While some cyber attackers view targeting hospitals as a step too far when it comes to conducting campaigns, for others they're lucrative hubs of valuable data just waiting to be exploited. During the course of the research, researchers found exposed healthcare data, sensitive images and vulnerable software, resulting in the ability to reconstruct patient body parts with the use of 3D printing. Typical security holes in healthcare organisations include hardcoded, embedded passwords, remote code execution, unsigned firmware or failures to address known vulnerabilities in medical software. Default accounts, cross-site scripting and vulnerabilities in web servers were also found to be issues, with many systems found to be running on old software.

     Arguably, the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber attacks came with last year's WannaCry ransomware outbreak. While no patient data was compromised as a result of this global cyber attack, a large number of National Health Service hospitals and doctors' surgeries in the UK were forced offline as systems became infected. Later analysis of the incident found that basic patching could have prevented WannaCry from having such a massive impact.

     But the rise in attacks against healthcare, combined with the sensitive personal data they hold, and the way a cyber attack against a hospital could result in harm to patients, means organisations in the sector - and those which provide technology to them - must take more care when it comes to cyber security. "Both healthcare organisations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices," said Christiaan Beek, McAfee lead scientist and senior principal engineer.
  8. Asia-Pacific had to deal with the highest number of malicious mobile apps last year and also was the region most affected across multiple categories, including ransomware and online banking malware.Some 3.3 million malicious mobile apps were detected in the region--five times more than EMEA, which was the next most effected region with 617,290 identified malicious apps. Asia-Pacific also clocked the highest number of threats in ransomware, accounting for 40 percent of the global figure, according to Trend Micro's 2017 annual security roundup report. In addition, the region saw the highest number of exploit kit attacks, at 70 percent, and had the highest number of PCs infected by online banking malware, at 55 percent. Last year, 553 data breaches were reported publicly, compared to 813 in 2016, noted Trend Micro's Asia, Middle East, and Africa managing director, Dhanya Thakkar. However, the number of affected records hit almost 5 billion, compared to 3.3 billion in 2016. "Ransomware threats and exploit kits also decreased in 2017, signalling a shift away from spray-and-pray attacks, and towards smaller-scale, more effective, and more targeted attacks," Thakkar said. Globally, there were 1.7 billion ransomware over the last two years, resulting in an estimated loss of US$5 billion. Asia-Pacific was hit by almost 40 percent of such attacks. Some 630 million threats were detected in 2017 alone, down from 1.07 billion the year before. Trend Micro also pointed to "soaring rates" of cryptocurrency mining malware, which exceeded 100,000 in October last year. More than 45.6 million cryptocurrency mining activities were identified across the year, accounting for a large proportion of events detected on Internet of Things (IoT) devices. The number of Business Email Compromise attempts also doubled between the first and second half of the year. 
Singapore issues cautionary note on mobile banking

Meanwhile, Singapore's banking regulator and cybersecurity government agency issued a joint statement advising consumers to exercise caution when conducting mobile banking transactions. "Cybercriminals are targeting mobile banking users to phish for their personal data, login credentials to online services, and credit card information. These threats come in different forms, such as the installation of malware on mobile devices, the sniffing of data over unsecured Wi-Fi networks, or phishing scams masquerading as official correspondence from financial institutions," they said.

The statement listed recommended steps consumers should take when banking on their mobile devices, which included accessing only trusted sources, avoiding unsecured Wi-Fi networks when banking online, and enabling two-factor authentication.
  9. Researchers at Kaspersky Lab have discovered espionage malware that appears to have been developed by a government to spy on targets across Africa and the Middle East for the past six years. The researchers haven't named Slingshot's country of origin but note the presence of debug messages written in perfect English, while various component names such as Gollum and Smeagol suggest the authors are fans of The Hobbit.

Slingshot reached targets from a compromised software update for routers made by Latvian firm MikroTik. Its router management software, Winbox, downloads DLLs from the router's file system and loads them directly into a computer's memory -- an intended feature that Slingshot's developers exploited by adding a malicious library called ipv4.dll, which downloads the espionage tools. The two tools, Cahnadr and GollumApp, work in tandem to gather information and hide data collection and exfiltration from the target. Kaspersky researchers found it can capture screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.

The researchers haven't discovered how Slingshot infects MikroTik routers to use the WinBox bridge to the PC; however, they note in a technical paper that WikiLeaks' Vault 7 leak of CIA hacking tools did reference an exploit for MikroTik's router OS called ChimayRed. According to MikroTik, the latest versions of WinBox no longer download the ipv4.dll file from the router, closing the attack vector.

The malware appears to have been narrowly used, with Kaspersky counting just 100 detections among its users between 2012 and February 2018. Over half the compromised computers were in Kenya and Yemen, with the remainder in Libya, Afghanistan, Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and the United Arab Emirates.
Slingshot hasn't been observed using previously undisclosed flaws, but it did use three known vulnerabilities affecting non-Microsoft Windows utilities to load a kernel-mode component of Cahnadr. According to Kaspersky's FAQ on Slingshot, the GollumApp module features nearly 1,500 functions.

"To run its code in kernel mode in the most recent versions of operating systems that have Driver Signature Enforcement, Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities.

"Following infection, Slingshot would load a number of modules onto the victim device, including two huge and powerful ones: Cahnadr, the kernel mode module, and GollumApp, a user mode module. The two modules are connected and able to support each other in information gathering, persistence and data exfiltration.

"The most sophisticated module is GollumApp. This contains nearly 1,500 user-code functions and provides most of the above described routines for persistence, file system control and C&C communications."

Kaspersky advised anyone who uses MikroTik routers to update to its latest software release. Also, the company says MikroTik's Winbox software no longer allows downloading files from the router to the computer.
  11. Starting with Firefox 60 —expected to be released in May 2018— websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors.

A total of five new flags added

The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

device.sensors.proximity.enabled
device.sensors.ambientLight.enabled

The Firefox code commit in which these two flags have been added also includes three other flags —to enable or disable all sensors APIs, to enable/disable the Device Orientation Sensor API, and to enable/disable the Motion Sensor API.

device.sensors.enabled
device.sensors.orientation.enabled
device.sensors.motion.enabled

These three flags will ship enabled by default, as access to these two APIs is needed by a wide range of mobile websites.

Privacy concerns over the Proximity and Ambient Light APIs

The Proximity and Ambient Light sensors are both new and highly controversial. A key factor in the decision to ship these two APIs disabled by default is the work of privacy expert Lukasz Olejnik. Olejnik published two research reports on the possible ways attackers and advertisers could abuse these two APIs.
For example, Olejnik argued that the W3C Proximity Sensor API could allow websites and advertisers to query the position of nearby objects in relation to a user's smartphone or tablet. He also argued that malicious sites could use the W3C Ambient Light Sensor API to steal browser data. Shipping these two APIs off by default takes care of some of Olejnik's concerns, although it does not mitigate the risk altogether. "More user control is always good," Olejnik said regarding Mozilla's decision.
  12. A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim's files, overwrite the originals, and then append the .qwerty extension to an encrypted file's name. It goes without saying that GnuPG is a legitimate program being illegally used by the Qwerty Ransomware developers. While ransomware using GnuPG to encrypt files is not unique, as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen.

While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computers running Remote Desktop Services. When it was first discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

How the Qwerty Ransomware encrypts a computer

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

(Image: Qwerty Ransomware Package)

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

(Image: Batch File)

When the batch file is executed, the keys will be imported as shown below.

(Image: Importing Keys)

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.
(Image: JavaScript File)

When find.exe is executed it will launch the following commands on the victim's computer.

taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s"

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

(Image: Encrypted Qwerty Files)

When encrypting files, it will encrypt any file that does not contain the following strings:

Recycle
temp
Temp
TEMP
windows
Windows
WINDOWS
Program Files
PROGRAM FILES
ProgramData
gnupg
.qwerty
README_DECRYPT.txt
.exe
.dll

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it.

shred -f -u -n 1 "%s%s"

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder that a file is encrypted, it will create a ransom note named README_DECRYPT.txt which contains instructions to contact cryz1@protonmail.com to receive payment instructions.

(Image: Qwerty Ransom Note)

Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key.
Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shut down the computer before it encrypts too many files.

How to protect yourself from the Qwerty Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent them to you.
Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader.
Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detections or whitelist technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes:

Associated Files:
README_DECRYPT.txt

Ransom Note Text:
Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!
Associated Emails:
cryz1@protonmail.com

Executed Commands:
taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin
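The command chain quoted in the post above (shadow copy deletion, boot recovery tampering, backup catalog deletion, the gpg "qwerty" recipient and the single-pass shred) is a usable detection signal. The following is an added example, not code from the post or from BleepingComputer: it runs simple regex classifiers over constructed process-creation events (a tab-separated timestamp, host, image and command-line format assumed for this example) and alerts only when several of those behaviours occur on one host within a short window, so a lone administrative vssadmin call does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours the post attributes to find.exe, gpg.exe and shred.exe, keyed to
# the command-line shapes quoted above. Tag names are this example's own.
PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
    "recovery_tampering": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
    "backup_catalog_deletion": [
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    ],
    "taskmgr_kill": [
        re.compile(r"\btaskkill(\.exe)?\s+/F\s+/IM\s+taskmgr\.exe\b", re.I),
    ],
    "gpg_qwerty_encrypt": [
        re.compile(r"\bgpg(\.exe)?\b.*--recipient\s+qwerty\b.*\.qwerty", re.I),
    ],
    "shred_overwrite": [
        re.compile(r"\bshred(\.exe)?\s+-f\s+-u\s+-n\s+1\b", re.I),
    ],
}

# Constructed process-creation events: ISO timestamp, host, image, command line.
# WS01 shows the Qwerty chain; WS02 shows benign look-alikes that must not alert.
SAMPLE_LOG = [
    "2018-03-09T09:00:01\tWS01\tfind.exe\ttaskkill /F /IM taskmgr.exe /T",
    "2018-03-09T09:00:02\tWS01\tfind.exe\tvssadmin.exe delete shadows /all /quiet",
    "2018-03-09T09:00:02\tWS01\tfind.exe\twmic shadowcopy delete",
    "2018-03-09T09:00:03\tWS01\tfind.exe\tbcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2018-03-09T09:00:03\tWS01\tfind.exe\tbcdedit.exe bcdedit /set {default} recoveryenabled no",
    "2018-03-09T09:00:04\tWS01\tfind.exe\twbadmin.exe wbadmin delete catalog -quiet",
    '2018-03-09T09:00:09\tWS01\tgpg.exe\tgpg.exe --recipient qwerty -o "D:\\docs\\test.jpg.qwerty" --encrypt "D:\\docs\\test.jpg"',
    '2018-03-09T09:00:10\tWS01\tshred.exe\tshred -f -u -n 1 "D:\\docs\\test.jpg"',
    "2018-03-09T09:30:00\tWS02\tcmd.exe\tvssadmin list shadows",
    "2018-03-09T09:31:00\tWS02\tcmd.exe\tbcdedit /enum",
    '2018-03-09T09:32:00\tWS02\tgpg.exe\tgpg.exe --recipient alice -o "report.pdf.gpg" --encrypt "report.pdf"',
]


def classify(cmdline):
    """Return the set of behaviour tags that one command line matches."""
    return {tag for tag, regexes in PATTERNS.items()
            if any(r.search(cmdline) for r in regexes)}


def parse_event(line):
    """Split one tab-separated event into (timestamp, host, image, cmdline)."""
    ts, host, image, cmdline = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), host, image, cmdline


def detect(lines, window=timedelta(minutes=10), min_tags=3):
    """Return {host: tags} for hosts on which at least `min_tags` distinct
    behaviours were seen inside a sliding `window`. One shadow-copy deletion
    can be admin activity; the whole chain within minutes is the signal."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _image, cmdline = parse_event(line)
        for tag in classify(cmdline):
            per_host[host].append((ts, tag))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            tags = {tag for ts, tag in hits[i:] if ts - start <= window}
            if len(tags) >= min_tags:
                alerts[host] = tags
                break
    return alerts


if __name__ == "__main__":
    for host, tags in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(sorted(tags))}")
```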
  13. Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future. The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.

Backdating started after a previous Recorded Future report

The backdating operations started after the publication of a Recorded Future report in November last year, in which Recorded Future described how CNNVD delays the disclosure of critical bugs to give Chinese cyber intelligence agencies the time to evaluate the operational utility of said vulnerabilities. Recorded Future has been taking snapshots of the CNNVD website in the past year and has detected backdating edits to at least 267 critical vulnerabilities. For example, the publication date of CVE-2016-10136, a vulnerability in the Adups firmware included with many smartphones, has been backdated 235 days, while the Office CVE-2017-0199 vulnerability has been backdated 57 days.

Backdating done to hide "vulnerability evaluation" program

"CNNVD’s manipulation of its vulnerability publication data ultimately reveals more than it conceals," the Recorded Future team says. "First, the selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities.

"Second, while many think of the MSS (Ministry of State Security) as primarily a foreign intelligence service, it also has a large, and arguably more important, domestic intelligence mandate."
Recorded Future analysts argue that the delay in disclosure and backdating of critical flaws were most likely carried out to hide security flaws from local companies, those expected to rely on the database for daily patching operations. This was done to aid surveillance of Chinese internal entities. Nonetheless, experts now believe that because of the new backdating practice, foreign cyber intelligence agencies will have a harder time spotting the critical flaws that MSS and its hackers are evaluating and pondering for their cyber arsenal. This will make preparing countermeasures much harder for foreign states.

In its November report, Recorded Future also revealed that CNNVD was housed in the same building as China’s Ministry of State Security (MSS), and was most likely under its firm control. The US cyber intelligence firm had previously revealed that MSS was in charge of China's international hacking efforts, and was commanding Chinese-linked APT groups through government contractors —such as APT3. Chinese officials have also recently banned Chinese security researchers from attending a foreign security conference, hoping to keep them from disclosing security flaws to western firms.
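The post says Recorded Future detected the backdating by taking snapshots of CNNVD over time. As an added example (not Recorded Future's code), this compares two snapshots of a vulnerability database and flags entries whose publication date moved backwards; the snapshots are constructed, the CVE-EXAMPLE-* ids are placeholders, and only the 235-day and 57-day shifts come from the post.

```python
from datetime import date, timedelta

# Constructed "earlier" snapshot: CVE id -> publication date as first seen.
# The dates themselves are illustrative, not CNNVD's real values.
EARLIER = {
    "CVE-2016-10136": date(2017, 11, 20),
    "CVE-2017-0199": date(2017, 11, 21),
    "CVE-EXAMPLE-1": date(2017, 12, 1),   # placeholder id, unchanged later
    "CVE-EXAMPLE-2": date(2017, 12, 2),   # placeholder id, moved later (not backdated)
}

# Constructed "later" snapshot of the same database, after the edits.
LATER = {
    "CVE-2016-10136": EARLIER["CVE-2016-10136"] - timedelta(days=235),  # shift cited in the post
    "CVE-2017-0199": EARLIER["CVE-2017-0199"] - timedelta(days=57),     # shift cited in the post
    "CVE-EXAMPLE-1": EARLIER["CVE-EXAMPLE-1"],
    "CVE-EXAMPLE-2": EARLIER["CVE-EXAMPLE-2"] + timedelta(days=3),
    "CVE-EXAMPLE-3": date(2018, 1, 5),    # placeholder id, new entry with no prior date
}


def backdated_entries(earlier, later, min_days=1):
    """Return {cve: days} for entries whose publication date in the later
    snapshot is at least `min_days` earlier than in the earlier snapshot.
    Entries present in only one snapshot are skipped: the evidence is an
    entry first seen with one date and later shown with an older one."""
    flagged = {}
    for cve, old_date in earlier.items():
        new_date = later.get(cve)
        if new_date is None:
            continue
        days = (old_date - new_date).days
        if days >= min_days:
            flagged[cve] = days
    return flagged


def summarize(flagged):
    """Report totals: entry count, largest shift, and which entries moved
    by more than 30 days (the outliers worth a closer look)."""
    return {
        "count": len(flagged),
        "max_days": max(flagged.values(), default=0),
        "over_30_days": sorted(c for c, d in flagged.items() if d > 30),
    }


if __name__ == "__main__":
    found = backdated_entries(EARLIER, LATER)
    for cve, days in sorted(found.items(), key=lambda kv: -kv[1]):
        print(f"{cve}: publication date moved back {days} days")
    print(summarize(found))
```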
  14. Windows Server, Apache Solr, and Redis servers have been targeted this week by cyber-criminals looking to take over unpatched machines and install malware that mines cryptocurrency (known as a coinminer). Two separate campaigns have been spotted, both very active this week: one by the Imperva crew, targeting Redis and Windows Servers, and another by the ISC SANS team, targeting Apache Solr installations.

Campaign targeting Redis and Windows Server

The more active of the two was a campaign that Imperva nicknamed RedisWannaMine. This campaign is ongoing, and according to Imperva, cyber-criminals have been compromising servers by mass-scanning the Internet for systems running outdated Redis versions that are vulnerable to the CVE-2017-9805 exploit. Once criminals gain access to a host, their typical infection chain is to drop the RedisWannaMine malware, which later installs a second-stage cryptocurrency miner.

But the RedisWannaMine campaign also displays the classic behavioral pattern of a self-propagating worm. This is because attackers also use the same infected servers to mass-scan and later exploit other targets. However, the RedisWannaMine attackers aren't only targeting other Redis servers, but are also looking for Windows Servers with exposed SMB ports. For these Windows Server instances, attackers deploy the now classic leaked NSA exploit EternalBlue. In these infections, too, they also drop a coinminer on the Windows Server machines they compromise, showing that cryptocurrency is the primary objective of these attacks.

This isn't the first time that a coinminer campaign has targeted Redis servers. Earlier in February, attackers made almost $1 million by infecting Redis and OrientDB servers with similar coinminer malware.

Campaign targeting Apache Solr

But besides the RedisWannaMine crew, there was another very active cyber-criminal group this week.
This second one targeted Apache Solr servers that hadn't received patches for the CVE-2017-12629 vulnerability. Just like in the RedisWannaMine incidents, attackers focused on infecting victims with a cryptocurrency miner. ISC SANS researchers didn't notice any self-propagation mechanism, meaning scans and infections were taking place from a central location, but they did manage to determine an approximate number of affected servers —1,777— infections that appear to have taken place between February 28 and March 8.

But while Redis and Windows Servers are standalone systems that are easier to patch, Apache Solr (search servers) are in many cases embedded in other more complex software, and patching isn't as easy as it sounds because updating Solr might sometimes break internal systems that depend on it.
  15. A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand. The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files. Timely backups are still the most efficient defense against possible ransomware infections, as they allow easy recovery.

Over a quarter of all victims lost their data for good

The survey reveals that 55% of all respondents suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents. Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications.

Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors. The rest (19.6%) lost their data. Ransomware authors either didn't provide ransomware decryption instructions or apps, or these tools did not yield expected results. Overall, the study found that over a quarter of ransomware victims (27.6%) lost their data for good, whether they paid the ransom demand or not.

Other findings of the CyberEdge survey are below:

• 77% of all organizations suffered a form of cyber-attack in 2017 (down from 79% in 2016).
• Security-related budgets are forecast to rise by 4.7% in 2018 compared to last year.
• Security-related budgets are expected to account for 12% of the overall IT budget for companies in 2018.
• Four in five organizations said they are experiencing a shortage of personnel with IT security skills.
• Nine in ten companies are experiencing cloud-related security and privacy problems.
• Survey respondents said they perceive mobile devices and app containers (Docker, Kubernetes, Cloud Foundry) as their organization's weakest link in terms of security.
• Respondents said they plan to invest money in 2018 in advanced malware analysis/sandboxing (network security), containerization/micro-virtualization (endpoint and mobile security), and API gateways (application and data-centric security).