  • Fingerprint scanner on Nokia 9 PureView gets tricked by a piece of gum after latest update
    The fingerprint scanner on the Nokia 9 PureView can be tricked by a piece of gum after the latest update. A flawed update has affected the phone's in-screen fingerprint scanner, and the bug allows any stranger to bypass the phone's lock.
  • Malicious attachment disguised as top-secret US document leveraged to target organizations in Europe
    A malicious attachment disguised as a top-secret US document was leveraged to target organizations in Europe. The campaign targets several financial service firms and embassies in Europe. The infection process starts with the attackers sending phishing emails to the targets.
  • PreAmo adware affects 90 million Android devices in new ad-fraud campaign
    PreAmo adware has affected 90 million Android devices in a new ad-fraud campaign. Six fake apps claiming to boost smartphone functionality are being used to distribute the adware, named ‘PreAmo’. The campaign generates revenue by defrauding three ad agencies, namely Presage, AdMob and MoPub.
  • Bodybuilding.com notifies users of a security breach that occurred last year
    Bodybuilding.com has notified users of a security breach that occurred last year. The breach affected its IT systems and customers’ personal details. The firm detected unauthorized activity in one of its employees’ email accounts in February 2019.
  • ‘Wi-Fi Finder’ app exposes 2 million network passwords due to an unprotected database
    The ‘Wi-Fi Finder’ app exposed 2 million network passwords through an unprotected database. The security lapse allowed anyone to access the database and steal other customers’ Wi-Fi network passwords. Tens of thousands of the exposed Wi-Fi passwords are believed to belong to networks in the US.
  • Thousands of sensitive documents related to the Mexican embassy posted online
    Thousands of sensitive documents related to the Mexican embassy were posted online. The incident occurred after a hacker compromised a vulnerable server belonging to the embassy. More than 4,800 sensitive documents were taken from the Mexican embassy.
  • jQuery JavaScript library receives security patch for a rare Prototype Pollution vulnerability
    The jQuery JavaScript library has received a security patch for a rare vulnerability class called Prototype Pollution. The flaw can enable an attacker to modify a JavaScript object’s prototype. Most websites still using the 1.x and 2.x versions of the jQuery library are affected.
  • Zero-day XML External Entity Injection vulnerability found impacting Microsoft Internet Explorer
    A zero-day XML External Entity (XXE) injection vulnerability has been found affecting Microsoft Internet Explorer. The flaw can enable an attacker to steal confidential information or exfiltrate local files from the victim’s machine. The XXE injection is triggered when a user opens a specially crafted .MHT file.
  • CARBANAK: Continuing the Source Code Analysis
    (Figure 2: Commented-out source code to unload AVG user-space hooks.) In November of 2017, FLARE also disclosed an evasion for Trend Micro’s detection of process injection that remained active in the CARBANAK source code. Source Code Survey: The CARBANAK source code contained numerous exploits, previous C2 hosts, passwords, and key material. (Table 1: Exploits for elevation found in CARBANAK source code.) The CARBANAK source code also contains code copied wholesale from Mimikatz, including the sekurlsa module for dumping passwords from lsass.exe and Terminal Services patching code to allow multiple remote desktop protocol connections. Table 2 shows recovered passwords used for RC2-encrypted communications and other purposes, along with the corresponding name in the source code and their status as they were encountered (active in source code, commented out, or compiled into a binary). (Table 2: Passwords found in CARBANAK source code and binaries.) I found an encrypted server certificate in a debug directory.
  • Research on private key generation reveals theft of ETH funds from accounts with discoverable keys
    “The chances of duplicating or guessing the same randomly-generated private key already used on the Ethereum blockchain are approximately 1 in 115 quattuorvigintillion (2^256), so brute forcing someone’s private key should be practically impossible,” says ISE researcher Adrian Bednarek. For example, the team hypothesized that in various Ethereum wallet software implementations, a 256-bit, sufficiently random private key might be created, but the full value of the key becomes truncated on output due to coding mistakes. To find these keys, the researchers enumerated every possible private key in targeted sub-sections of the 256-bit key space where truncated or weak keys seemed likely to occur. ISE researchers intentionally placed one U.S. dollar worth of ETH in a wallet derived from a weak private key and witnessed that within seconds the ETH was transferred out into the bandit’s wallet. Duplicating or guessing just one randomly-generated private key already in use on the Ethereum blockchain would be a statistically significant event, yet ISE was able to uncover 732 of them, pointing to issues in key generation.
  • Malicious lifestyle apps found on Google Play, 30 million installs recorded
    A total of 50 malicious apps have managed to bypass Google's security checks and land on the Google Play store, leading to millions of installs on Android devices. It was only last week that researchers from Check Point uncovered a total of six apps laden with the PreAMo ad fraud malware on Google Play which had been installed 90 million times. Now, the cybersecurity team from Avast has found a further 50 apps relating to lifestyle services which masquerade as legitimate software but are actually adware, and these malicious apps have been downloaded a total of 30 million times. "Although the bypassing itself is not explicitly forbidden on the Play Store, Avast detects it as Android:Agent-SEB [PUP], because apps using these libraries waste the user's battery and make the device slower," the researchers say. Each app displays full-screen ads to users, and in some cases will also attempt to lure viewers into installing additional adware-laden applications. Newer versions of TsSdk were found in music and fitness apps and have been installed almost 28 million times.
  • Banking Trojan Drive-by Download Leverages Trust in Google Sites
    Brazilian hackers have developed a drive-by download attack leveraging the inherent trust in the Google name. A banking trojan known as LoadPCBanker is deployed using the File Cabinet template in Google Sites as a delivery vehicle. The process, discovered by Netskope, relies heavily on users' tendency to trust the Google name, together with an apparent failure by Google to block malicious uploads to the File Cabinet. Although Google search does not disclose such a guest house, there is a Manoel Carvalho who plays football for the Brazilian Corinthians team on loan from Cruzeiro, and the attackers are likely relying on natural curiosity, especially the Brazilian love of football, to tempt visitors into downloading the malware. The malware is clearly targeted at Portuguese speakers, but the difficulties in money transfers into and out of Brazil make it likely that the attackers are only interested in Brazilian targets and Brazilian banks. Netskope noted that in general the Brazilian hacker is very insular: Brazilian bank fraud is primarily targeted against Brazilian banks.
  • FBI: US companies lost $1.3 billion in 2018 due to BEC scams
    Losses due to BEC (Business Email Compromise) scams doubled in 2018 compared to 2017 figures, reaching a whopping $1.3 billion, according to the yearly FBI internet crime report. On the other hand, the number of ransomware victim complaints has gone down to 2014 levels, when ransomware attacks first started to become popular across the world; however, financial losses caused by ransomware attacks are now higher than ever, suggesting that crooks are now carefully selecting their victims in order to inflict the greatest damage and obtain the highest payouts. These scams rely on hackers compromising a legitimate email account, which they use to send emails that trick employees at the same company or upstream/downstream business partners into wiring funds to attacker-controlled accounts, using fake invoices or business contracts. As the table in the report shows, complaints and losses from BEC scams have exploded in recent years, with 2018 passing the one billion mark in terms of damages, marking the first time a form of cybercrime has caused damages of more than $1 billion.
  • DNSpionage brings out the Karkoff
    In April 2019, we also discovered the actors using a new malware, which we are calling "Karkoff." This post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an analysis of the recent OilRig malware toolset leak — and how it could be connected to these two attacks. Instead of using the .oracleServices directory, which we had previously observed, the attacker uses a .msdonedrive directory and renames the malware "taskwin32.exe." The scheduled task was also renamed to "onedrive updater v10.12.5." This new sample is similar to the version disclosed in our previous post. The string is in reverse order, starting with "rNameA," followed by "GetUse," and the offset is also named incorrectly, "aRnamea" and "aGetuse" (GetUserNameA()). For example, the following rule would no longer alert due to a failed pattern match: rule DNSpionage { strings: $conf="Configure.txt" condition: All of them } The malware searches for two specific anti-virus platforms: Avira and Avast.
  • Belkin Wemo Zero-Day Vulnerability Could Leave the Door Open for IoT Attacks
    The Belkin Wemo Insight smart plug is still at risk of zero-day attacks nearly one year after a vulnerability was first disclosed, security researchers discovered. The researchers suggested that threat actors are targeting a diverse range of internet of things (IoT) devices in the hope of discovering one with a vulnerability, and then using default credentials to gain access. How the Belkin Wemo becomes an IoT attack target: researchers had informed Belkin about a remote code execution problem with its smart plug device on May 21, 2018. If consumers don’t use strong passwords for IoT devices and ensure they aren’t unnecessarily tied to critical network devices, bugs such as the Belkin Wemo vulnerability could allow cybercriminals to take over everything from smart TVs to desktops and even surveillance cameras, the researchers added. Security-by-design principles for IoT devices: of course, threat actors will likely look for vulnerabilities in many other IoT devices to penetrate network defenses.
  • Healthcare has a massive cybersecurity problem, and we’re not doing enough to fix it.
    The value of healthcare data: bringing technology into the healthcare system is overdue, and should be revolutionary. Part of the cybersecurity problem has less to do with the security flaws present in healthcare systems and more to do with the enormous value of healthcare data. Hospitals and healthcare organizations are tasked with gathering tons of personal details on their patients, including their social security numbers, the medications they’re taking, and credit card information. As our healthcare systems increasingly rely on digital interfaces for patients and personal medical devices, much of the security burden is placed on patients. Another problem is one of interest: healthcare experts got into healthcare because they care about treating and improving people’s lives, not because they like working with computers. Many hospitals and security organizations are stepping up their efforts to improve security, but they simply aren’t doing enough.
  • Singapore's cyber security chief says international norms, partnerships are key issues
    "Cyberspace should not be any different from the physical domains," Mr Koh said. "For instance, in the maritime domain, there are rules that govern how states should behave, such as through the United Nations Convention on the Law of the Sea." "Similarly, in the aviation domain, we abide by rules set by the International Civil Aviation Organisation. These rules underpin our modern economies and security." "We are sharply cognisant that a world where 'might makes right' spells disaster for us, and other small states and perhaps middle powers," he said. "Some in these circles have said that it is challenging for states to agree on consensual positions… and that perhaps the UN is not working the way it should be," Mr Koh said. "The threats are coming from all over the world, so it compels us to work closely with our regional and international partners." Singapore sees cybersecurity as a key enabler for its Smart Nation drive.
  • Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
    Windows Installer uses Microsoft Software Installation (MSI) package files to install programs. We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that is capable of initiating a system shutdown or of targeting financial systems in certain locations. The .zip file contains normal files like iLua.inf, msvcr120.dll, and msvcp120.dll; files digitally signed by Avira; AutoIt-related files; and an encrypted dynamic-link library (DLL). To execute malicious code in the context of a legitimate process and bypass security solutions, the malware uses one of our Avira executables outside the context of a regular Avira installation and injects malicious code into it. As a first line of defense, we recommend that users avoid installing unknown files and clicking on URLs that may redirect to sites that download malicious files.