  • NSA’s Ghidra already found to be plagued by a security vulnerability
    NSA’s Ghidra already found to be plagued with a security vulnerability. The reverse engineering tool was released by NSA this month as open-source software. The vulnerability found in Ghidra could be exploited with a remote code execution attack.
  • Ex-employee spills the beans on Uber using spyware to outrun rival in Australia
    Ex-employee spilled the beans on Uber using spyware to outrun a rival in Australia. The spyware enabled the ridesharing company to track its competitor’s cars and capture information such as driver names and car details. Uber deployed the spyware against an Australian taxi service company known as GoCatch.
  • Magecart group breaks into MyPillow and Amerisleep websites, potentially stealing credit card information
    Magecart group breaks into MyPillow and Amerisleep websites, potentially stealing credit card information. While MyPillow was hit with Magecart attacks in 2018, Amerisleep is said to have been targeted as early as 2017. The pillow manufacturing company has reworked its site after the attack, but Amerisleep has yet to respond with a fix.
  • Google Photos vulnerability exposes geo-location details of users’ images
    Google Photos vulnerability exposes geo-location details of users’ images. This vulnerability could allow attackers to infer the metadata of the images stored in Google Photos. To be precise, the vulnerability could allow attackers to know where, when, and with whom your photos were taken.
  • Fin7 threat actor group makes a comeback with SQLRat and DNSbot
    Fin7 threat actor group makes a comeback with SQLRat and DNSbot. In the new campaigns, researchers observed two new malware samples, ‘SQLRat’ and ‘DNSbot’. Researchers from Flashpoint also observed the threat group’s new attack administration panel, ‘Astra’.
  • Instagram testing new username auto-lock feature
    Instagram is testing a new username auto-lock feature. The feature will automatically lock users’ old usernames for 14 days after they switch to a new handle. This will put an end to hackers who use bots to grab usernames as soon as users switch to a new handle.
  • Goldmouse aka APT-C-27 targets the Middle East by leveraging WinRAR’s dated security bug
    Goldmouse aka APT-C-27 targets the Middle East by leveraging WinRAR’s dated security bug. The threat actor is reportedly disseminating the njRAT backdoor via malicious Word documents. Attack samples also showed that the malicious code was primarily written in Arabic.
  • Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
    Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords. In an interview with KrebsOnSecurity, Facebook software engineer Scott Renfro said the company wasn’t ready to talk about specific numbers — such as the number of Facebook employees who could have accessed the data.
  • Securing Industrial IoT in the Modern World
    Manufacturing plants relying on real-time operation, accuracy and reliable quality of work leverage IoT, SCADA (Supervisory Control and Data Acquisition) systems and the Industrial Internet of Things (IIoT) in addition to traditional networks to ensure operations run seamlessly. IIoT devices may be spread across multiple plants, shared between locations, use data in the cloud and be managed by consoles on the corporate network, which also have access to cloud data. In the case of IIoT, the device could be a real-time plant where security controls could add latency and slow performance, or a tiny sensor that does not have the compute resources for a security layer to be added. As a result, security is best enforced at a modern gateway in front of such devices: any data transfer between the IIoT and the rest of the network can be encrypted and controlled by the gateway, ensuring a level of security that may not otherwise have been available. The security challenges SCADA and IIoT present may seem more complex at a glance, but they are actually not all that different from the challenges any enterprise encounters on a daily basis: keep threats out, know what is on the network and who has access, and react fast when a breach occurs.
  • Bank payment scams claim 84,000 victims
    Scams in which criminals trick bank customers into paying them money out of their bank accounts jumped by 45% in the second half of last year. Over the whole of last year, more than 84,000 bank customers fell victim, some losing tens of thousands of pounds. Banks say scam merchants are shifting their attention from trying to penetrate banking systems to conning members of the public directly. Katy Worobec, who deals with economic crime at UK Finance, believes the most sinister examples are when fraudsters phone, email or arrive in person, claiming to be from the police or from the customer's bank. "We are seeing a shift away from some of the methods that fraudsters are using to try and attack banks' security systems to focusing on the person and duping them into making the payment themselves," she says. But banks can still avoid paying if they can prove gross negligence by the customer.
  • NSO Group spyware used to target widow of Mexican journalist, researchers say
    Days after Javier Valdez Cárdenas, a reporter known for his coverage of international drug trafficking, was murdered in May 2017, multiple attempts were made to hack the phone of his widow, Griselda Triana, with spyware made by NSO Group, according to Citizen Lab, a digital rights and research organization at the University of Toronto. The text messages sent to Triana, who is also a journalist, were laced with software that would have turned her phone into a multifaceted surveillance device, Citizen Lab researchers said. One of the messages tugged at her grief as a widow, asking, “What do you think of this story?” Triana didn’t click on either link and turned the texts over to Mexican advocacy groups, which shared them with Citizen Lab for forensic analysis. The surveillance tool aimed at Triana is known as Pegasus, the researchers said, an invasive malware strain developed by Israeli vendor NSO Group. The links sent to Triana would have directed her to domains controlled by the same organization, Citizen Lab said. Researchers have not specifically identified that organization, referring to it only as RECKLESS-1.
  • Zero-day in WordPress SMTP plugin abused by two hacker groups
    Two cyber-security companies providing firewall plugins for WordPress sites have detected attacks abusing a zero-day vulnerability in a popular WordPress plugin. At least two hacker groups have been observed abusing the zero-day to change site settings, create rogue admin accounts to use as backdoors, and then hijack traffic from the hacked sites. The attacks did not stop but continued throughout the week, with hackers trying to take over as many sites as they could before site owners applied the patch. Hackers currently scan for sites using this plugin and then modify settings to enable user registration, an option that many WordPress site owners have disabled for security reasons. During initial attacks spotted by NinTechNet, hackers modified the "wp_user_roles" option that controls the permissions of the "subscriber" role on WordPress sites, giving a subscriber the same abilities as an admin account. Updating to the latest plugin version is recommended, as WordPress security firm White Fir Design, which also published a report on these attacks, has documented other security flaws in the same plugin that might get abused [1, 2, 3, 4].
  • UK’s Police Federation hit by ransomware
    The U.K.’s Police Federation has confirmed it’s been hit by a cyberattack. The union-like organization, which represents the 43 police forces across England and Wales, described the event as a ransomware attack in a statement shared on Twitter. The ransomware attack hit computers at the federation’s Surrey headquarters on March 9, but was only revealed Thursday. The National Crime Agency is investigating the attack, which the Police Federation said was “not targeted specifically” at the police organization but likely part of a wider campaign. A spokesperson for the Police Federation did not comment beyond the organization’s statements, and referred comment to the National Crime Agency, which did not immediately respond to questions. The news comes two days after Norwegian aluminum manufacturer Norsk Hydro was hit by a strain of LockerGoga, a new kind of ransomware that first emerged earlier this year.
  • PSA: Don’t use this fake Wasabi wallet to ‘store’ your Bitcoin
    Wasabi, the popular anonymizing Bitcoin BTC wallet, has been duped in an apparent bid to steal your Bitcoin — and the ruse comes complete with an entirely phony website. Wasabi’s co-founder, nopara73, shared the discovery this morning: “The first malware that pretends to be Wasabi […]. Notice only the Windows download link points to their own website, the rest is to our GitHub?” he tweeted. Indeed, the fraudulent site (wasabibitcoinwallet [dot] org) features a download page that links to the latest version of “Wasabi.” It lists four versions for download (macOS, Windows, and two for Linux). All the links direct users to the real Wasabi wallet (hosted via GitHub) except the Windows link, which automatically downloads a very suspicious .msi file hosted directly on the scammers’ website. Wasabi is an open-source Bitcoin wallet.
  • Multiple vulnerabilities found in Java Card
    Such a breach directly leads to the security compromise of a Java Card VM, applet firewall breach and jeopardises security of co-existing applications," he said. "In some cases, the whole card environment can be compromised, but that's dependent on the underlying OS / processor architecture (i.e. presence of the flat address space, isolation between tasks)." He said that he was able to verify 18 of the issues in the environment of the most recent Java Card 3.1 software from Jan 2019 (Oracle Java Card VM reference implementation in the form of a simulator). "These cards could not be immediately exploited with the use of our 'favorite' issue found in Oracle reference implementation, so there was a need to find and use another one (which we did)," said Gowdiak. "As a result, full access to smartcard memory could be achieved, applet firewall could be broken or native code execution could be gained." Gowdiak said that while none of the exploit codes can successfully pass the off-card verification process, the vulnerabilities should still be perceived as a significant weak point of the given Java Card VM implementation.
  • Renegade Android apps can siphon off your web logins, browser history. So make sure Chrome or OS is patched, friends
    If you're running an earlier flavor of Android, you can try to update the operating system's WebView component via Google Play services. The security flaw is within the Chromium browser engine, which powers Chrome on Android, and WebView, which apps can use to render web content. From Android 7.0 onward, WebView is implemented through Chrome's Chromium engine, while pre-7.0 WebView is a separate component, hence why there are two separate patch routes depending on which flavor of the OS you're using. "Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug," a spokesperson for Positive told us this week. "On earlier Android versions, WebView must be updated via Google Play." Positive reiterated that while the most recent versions of Android will get a fix by updating to the latest version of Chrome, those running anything older than Android 7.0 will need to patch WebView separately, either via Google Play or through an over-the-air update from the device manufacturer.
  • Internet-Exposed IBM BigFix Relays May Lead to Full Remote Compromise
    Internet-facing relays in IBM BigFix deployments could lead to information disclosure and potential full remote compromise if not properly configured, Atredis Partners security researchers have discovered. “Internet-facing relays, if any, in a BigFix deployment might be configured as non-authenticating, which exposes the deployment to security risks,” IBM notes in an advisory. “Security attacks in this context might mean unauthorized access to the relays and any content or actions, and download packages associated with them or to the Relay Diagnostics page that might contain sensitive information (for example: software, vulnerability information, and passwords),” IBM continues. According to Atredis Partners’ security researchers, BigFix deployments with external relays that lack authentication expose a very large amount of information to unauthenticated external attackers, and could even lead to full remote compromise.