Posted 7/16/19 3:26pm
US telecommunications company Sprint revealed that hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

The mobile network operator Sprint disclosed a security breach: hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com “add a line” website.” reads a letter sent to the customers by the company. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

The information exposed in the data breach includes the phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, eligibility, first and last name, billing address, and add-on services.


According to the company, the exposed data does not expose customers to a substantial risk of fraud or identity theft, but in my humble opinion such information could be used for several malicious purposes.

In response to the incident, on June 25 the mobile network operator reset PIN codes of its users.

The US telecommunications company did not reveal the number of affected customers.

Sprint recommends that affected customers take all the precautionary steps necessary to prevent identity theft and other fraudulent activities, as recommended by the Federal Trade Commission (FTC):

“As a precautionary measure, we recommend that you take the preventative measures that are recommended by the Federal Trade Commission (FTC) to help protect you from fraud and identity theft.” concludes the letter. “These preventative measures are included at the end of this letter. You may review this information on the FTC’s website at www.ftc.gov/idtheft and www.IdentityTheft.gov or contact the FTC directly by phone at 1-877-438-4338 or by mail at 600 Pennsylvania Avenue, NW, Washington, DC 20580.”


Pierluigi Paganini

(SecurityAffairs – Sprint, data breach)

The post Sprint revealed that hackers compromised some customer accounts via Samsung site appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Hacking, data breach, information security news, Pierluigi Paganini, Security Affairs, Security News, Sprint]

Posted 7/16/19 2:13pm
Experts at Vertical Structure and WhiteHat Security discovered a serious flaw that exposed millions of files stored on thousands of exposed Lenovo NAS devices.

An analysis conducted by researchers at Vertical Structure and WhiteHat Security led to the discovery of a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.

The discovery was made in the fall of 2018 by querying the Shodan search engine, which revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.


The experts believe the actual number of exposed systems could be much greater because they were able to identify only 5,114 devices.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.

“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”

The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request via an API that was not protected with any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.

The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.

After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to solve the issue.

“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.

In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.


Pierluigi Paganini

(SecurityAffairs – NAS devices, hacking)

The post A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files appeared first on Security Affairs.

[Category: Breaking News, Hacking, data leak, hacking news, information security news, NAS devices, Pierluigi Paganini, Security Affairs, Security News]

Posted 7/16/19 7:46am
Media File Jacking – Security researchers at Symantec demonstrated how to manipulate media files that can be received via WhatsApp and Telegram Android apps.

Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files that can be received via WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.

The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in the external storage, including the files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store the file. The researchers pointed out that unlike Telegram for Android.

Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.

“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”

A malicious app installed on the recipient’s device can intercept and manipulate media files, including photos, documents, or videos stored on the external storage, that are exchanged between users. The attack is completely transparent to the recipient, who sees no suspicious activity.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. “Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”


Researchers presented four attack scenarios in which a malicious app manipulates media files sent to the recipient:

1. Image manipulation

The malicious app, downloaded by a user, can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp or Telegram, manipulating images in near-real-time.

2. Payment manipulation

The attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.

3. Audio message spoofing

Attackers can use voice reconstruction via deep learning technology to modify the original audio message for malicious purposes.

4. Spread fake news

In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real-time to spread fake news.

To ensure that media files are kept safe from attackers, Symantec provides the following recommendations:

• Validate the integrity of files: Store in a metadata file a hash value for each received media file before writing it to the disk. Then, confirm that the file has not been changed (i.e. the hash is the same) before the media file is loaded by the app in the relevant chat portion for users to see. This step can help developers validate that files were not manipulated before they are loaded. This approach balances between the security (protection against Media File Jacking attacks) and functionality (e.g., supporting third party backup apps) needs of the IM apps.

• Internal storage: If possible, store media files in a non-public directory, such as internal storage. This is a measure some IM apps have chosen.

• Encryption: Strive to encrypt sensitive files, as is usually done for text messages in modern IM solutions. This measure, as well as the previous one, will better protect files from exposure and manipulation. The downside is that other apps, such as photo backup apps, won’t be able to easily access these files.
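The first recommendation, as an added example in Python (not Symantec’s, WhatsApp’s or Telegram’s code): the receiving app records a SHA-256 of each file in its private storage before writing the file to shared storage, and re-verifies it before loading; a second process with write access to the shared directory then alters the file during that window and the check rejects it. The directory layout, class names and sample file contents are constructed for the demo.

```python
"""Integrity check for media files kept on shared (external) storage.

Models Symantec's "validate the integrity of files" recommendation: hash
each received media file before it is written to shared storage, keep the
hash in a metadata file under the app's private storage, and re-check it
before the file is loaded into the chat UI. Names and data are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when a file on shared storage no longer matches its recorded hash."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MediaStore:
    """Receiver-side store: files go to shared_dir, hashes go to private_dir."""

    def __init__(self, shared_dir: Path, private_dir: Path) -> None:
        self.shared_dir = Path(shared_dir)
        self.private_dir = Path(private_dir)
        self.shared_dir.mkdir(parents=True, exist_ok=True)
        self.private_dir.mkdir(parents=True, exist_ok=True)
        # The metadata file must live in private (internal) storage: an app that
        # could rewrite both the media file and its hash would defeat the check.
        self.meta_path = self.private_dir / "media_hashes.json"
        self.meta = (json.loads(self.meta_path.read_text())
                     if self.meta_path.exists() else {})

    def receive(self, name: str, data: bytes) -> str:
        """Record the hash of a freshly received file, then write it to shared storage."""
        digest = sha256_hex(data)
        self.meta[name] = digest
        self.meta_path.write_text(json.dumps(self.meta))
        (self.shared_dir / name).write_bytes(data)
        return digest

    def load(self, name: str) -> bytes:
        """Read a file back for display, refusing it if it changed on disk."""
        expected = self.meta.get(name)
        if expected is None:
            raise IntegrityError(f"no recorded hash for {name}")
        data = (self.shared_dir / name).read_bytes()
        if not hmac.compare_digest(sha256_hex(data), expected):
            raise IntegrityError(f"{name} was modified after it was received")
        return data


def other_app_overwrites(shared_dir: Path, name: str, data: bytes) -> None:
    """Stand-in for any app holding WRITE_EXTERNAL_STORAGE: it can rewrite the file."""
    (Path(shared_dir) / name).write_bytes(data)


def demo() -> tuple:
    """Returns (untouched_file_loads, tampered_file_detected)."""
    original = b"constructed invoice: pay 100 EUR to account AA00 1111"
    tampered = b"constructed invoice: pay 100 EUR to account ZZ99 9999"
    with tempfile.TemporaryDirectory() as tmp:
        store = MediaStore(Path(tmp) / "external", Path(tmp) / "internal")
        store.receive("invoice.pdf", original)
        untouched_ok = store.load("invoice.pdf") == original
        # Another app rewrites the file in the write-to-load window.
        other_app_overwrites(store.shared_dir, "invoice.pdf", tampered)
        try:
            store.load("invoice.pdf")
            detected = False
        except IntegrityError:
            detected = True
    return untouched_ok, detected


if __name__ == "__main__":
    print(demo())  # → (True, True)
```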

Symantec shared its findings with both Telegram and WhatsApp; the experts explained that the vulnerability will be addressed by Google with the Android Q update.

“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.” concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”


Pierluigi Paganini

(SecurityAffairs – Media File Jacking, hacking)

The post Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram appeared first on Security Affairs.

[Category: Breaking News, Hacking, Android, information security news, media file jacking attack, Pierluigi Paganini, Security Affairs, Security News]

Posted 7/16/19 6:22am
Hackers stole the data of millions of Bulgarians and sent it to local media; according to the media, the source could be the National Revenue Agency.

Hackers have exfiltrated data from a Bulgarian government system, likely the National Revenue Agency (NRA), and have shared it with the local media.

The hackers stole the personal details of millions of Bulgarians and sent local newspapers download links to the archives containing them.

“The link was sent by anonymous hackers via Russian mail servers on Monday to the Bulgarian media. The array of 57 folders contains thousands of files that they claim to be from the Treasury’s servers, probably.” reads the Monitor website.

The National Revenue Agency is investigating the incident and verifying the authenticity of the data.

“The NRA and the specialized bodies of the Ministry of the Interior and the State Agency for National Security (SANS) check the potential vulnerability of the National Revenue Agency’s computer system.” reads a statement published by the NRA.

“Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real.”

The hackers claim to have breached the Treasury’s servers and exfiltrated data from more than 110 databases. More than 5 million Bulgarian and foreign citizens are affected; consider that the country has a population of 7 million people.

“Your government is slow to develop, your state of cybersecurity is parodyous,” wrote the hackers.

The hackers bragged about stealing 110 databases from the NRA’s network, totaling nearly 21 GB. They shared only 57 of the databases, comprising 11 GB of the 21 GB, with local news outlets, but promised to release the rest in the coming days.

“Perhaps the biggest leak of personal data in Bulgaria. That’s how the 57-folder contains more than a thousand files that anonymous hackers sent to Bulgarian media on Monday.” reported the Capital website. “Upon reviewing the information, Capital has opened databases with more than 1 million rows containing PINs, names, addresses, and even earnings.”

Most of the data is very old; in some cases the information dates back as far as 2007.

The hackers also leaked information from the Department of Civil Registration and Administrative Services (GRAO), Bulgaria’s customs agency, the National Health Insurance Fund (NZOK), and the Bulgarian Employment Agency (AZ).

The email was sent from an address belonging to the Russian service Yandex.ru. The message sent to local media by the hackers ends with a quote from WikiLeaks founder Julian Assange and calls for his release.

“Your government is stupid. Your is a parody.” closes the email.

Immediately after the leak of the data, the Democratic Bulgaria opposition party demanded the resignation of Finance Minister Vladislav Goranov.

It seems that cyber security for Bulgarian government services is very poor. At the end of June, Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the software used by local kindergartens.


Pierluigi Paganini

(SecurityAffairs – Bulgarians, hacking)

The post Mysterious hackers steal data of over 70% of Bulgarians appeared first on Security Affairs.

[Category: Cyber Crime, Data Breach, Digital ID, Hacking, Bulgarians, data leak, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

Posted 7/16/19 3:47am
Security experts at Trend Micro have discovered that the iOS URL Scheme could allow an attacker to hijack users’ accounts via an App-in-the-Middle attack.

Security experts at Trend Micro devised a new app-in-the-middle attack that could be exploited by a malicious app installed on an iOS device to steal sensitive data from other applications. The attack abuses implementations of the Custom URL Scheme.

Apple iOS implements a sandbox mechanism to prevent each app from accessing the data of the other apps installed on the device.

Apple also provides mechanisms for sending and receiving limited data between applications, including the URL Scheme (aka Deep Linking). This mechanism lets developers launch an app through URLs (e.g. facetime://, whatsapp://, fb-messenger://).

For example, a user can tap “Contact us via WhatsApp” within an app, which launches the WhatsApp app installed on the device and passes it the information necessary to authenticate the user.

The experts explained how the URL Scheme can be abused in ways that could expose users to attacks.

Trend Micro pointed out that iOS allows a single URL Scheme to be used by multiple apps, which lets malicious apps exploit the URL Scheme.

“iOS allows one single URL Scheme to be claimed by multiple apps. For instance, Sample:// can be used by two completely separate apps in their implementation of URL Schemes. This is how some malicious apps can take advantage of the URL Scheme and compromise users.” reads the analysis published by Trend Micro.

“Apple addressed the issue in later iOS versions (iOS 11), where the first-come-first-served principle applies, and only the prior installed app using the URL Scheme will be launched. However, the vulnerability can still be exploited in different ways.”

The vulnerability is very dangerous when the login process of app A is associated with app B; the image below shows the attack scenario:

[Image: iOS custom URL scheme attack scenario]

When Suning app users access their e-commerce account using WeChat, the app generates a login request and sends it to the WeChat app installed on the same device using the messaging app’s iOS URL Scheme. The WeChat app receives the login request and in turn requests a login token from its server, which is then sent back to the Suning app.

The experts discovered that since Suning always uses the same login-request query and WeChat does not authenticate the source of the login request, an attacker could carry out an app-in-the-middle attack via the iOS URL Scheme.

“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.” continues the analysis. “WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

The discovery demonstrates that an attacker using a malicious app with the same Custom URL Scheme as a targeted app can trick it into sharing users’ sensitive data with the malicious app.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” explained the researchers.

The experts remarked that the URL Scheme is not suitable for the transfer of sensitive data.


Pierluigi Paganini

(SecurityAffairs – URL scheme, hacking)

The post iOS URL Scheme expose users to App-in-the-Middle attack appeared first on Security Affairs.

[Category: Breaking News, Hacking, Mobile, hacking news, information security news, iOS, Pierluigi Paganini, Security Affairs, Security News, url scheme]

Posted 7/16/19 12:42am
Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

The cybercrime gang tracked as TA505 has been active since 2014, focusing on the retail and banking industries. The group, known for the distribution of the Dridex Trojan and the Locky ransomware, has released other pieces of malware including the tRat backdoor and the AndroMut downloader.

In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.

“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”

Now experts have found a new variant of the ransomware, tracked as DoppelPaymer. The discovery suggests that some members of the TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop new malware.

The first variants of BitPaymer delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions dropped this information; instead, the variant that appeared in the threat landscape in July 2018 included only two email addresses to contact to negotiate the ransom and receive the payment instructions.

The latest variant observed by the experts, in November 2018, includes the victim’s name in the ransom note; it also uses 256-bit AES in cipher block chaining (CBC) mode for encryption.

“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.

According to the experts, DoppelPaymer was used for the first time in a targeted attack in June 2019. Experts detected eight distinct malware builds that were used in attacks against at least three victims.

The ransom amounts demanded from the victims varied, ranging from approximately $25,000 to $1,200,000 worth of Bitcoin.

The ransom note dropped by the DoppelPaymer ransomware does not include the ransom amount; instead, it contains the onion address of a Tor-based payment portal that is identical to the original BitPaymer portal.


The authors of DoppelPaymer improved the source code of BitPaymer.

“numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”

DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminate processes and services that may interfere with the file encryption process.

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation.”


Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomware, TA505)

The post DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Cybercrime, DoppelPaymer, information security news, malware, Pierluigi Paganini, Security Affairs, Security News, TA505]

Posted 7/15/19 2:30pm
A critical vulnerability affecting the Ad Inserter WordPress plugin could be exploited by authenticated attackers to remotely execute PHP code.

Security researchers at Wordfence discovered a critical vulnerability in the Ad Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.

Ad Inserter is an ad management plugin that offers administrators advanced features for inserting ads at optimal positions. It supports major ad programs, including Google AdSense, Google Ad Manager (DFP – DoubleClick for Publishers), contextual Amazon Native Shopping Ads, Media.net and rotating banners.

The Ad Inserter WordPress plugin is currently installed on over 200,000 websites. 

The security flaw stems from the use of the check_admin_referer() function as an authorization check; the function was designed to protect WordPress sites against cross-site request forgery (CSRF) attacks using nonces.

“The function check_admin_referer() is intended to protect against cross-site request forgery (CSRF) attacks by ensuring that a nonce (a one-time token used to prevent unwanted repeated, expired, or malicious requests from being processed) is present in the request.” reads the post published by Wordfence.

“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”

The experts pointed out that nonces should never be relied on for authentication, authorization, or access control.

“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” continue the experts.

Authenticated attackers can bypass the authorization check implemented with the check_admin_referer() function to reach the debug mode that the Ad Inserter plugin provides for admins.

The experts discovered that the debugging feature can be triggered by any user who has the special cookie “Cookie: AI_WP_DEBUGGING=2.”

“Normally, these debugging features are only available to administrators, and when certain options are enabled a block of Javascript is included on nearly every page. That Javascript contains a valid nonce for the ai_ajax_backend action,” continues Wordfence.


An attacker who has access to a nonce can trigger the debugging feature and then abuse the ad preview feature by sending a malicious payload containing arbitrary PHP code.

The flaw affects all WordPress websites running Ad Inserter version 2.4.21 or earlier. The developer released version 2.4.22 on July 13 to address the authenticated RCE flaw.
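A Python model of the authorization mistake described above, added here and not taken from Ad Inserter or WordPress: simplified stand-ins for WordPress’s check_admin_referer() and current_user_can() show why a valid nonce alone lets a Subscriber reach the admin-only debug path, and how a capability check closes it. The nonce secret, user records and request shapes are constructed for the demo.

```python
"""Why a CSRF nonce is not an authorization check.

Simplified model of the Ad Inserter bug (constructed example, not plugin
or WordPress code): a debug action gated only by a nonce, then the same
action with the capability check that WordPress provides for authorization.
"""
import hashlib
import hmac
import secrets

NONCE_SECRET = secrets.token_bytes(32)  # stand-in for the site's nonce salt
ACTION = "ai_ajax_backend"              # the action named in the Wordfence post


def create_nonce(action: str, user_id: int) -> str:
    """Models wp_create_nonce(): a keyed hash bound to an action and the current user."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:10]


def check_admin_referer(request: dict, action: str) -> bool:
    """Models check_admin_referer(): proves the request originated from a page
    this same user loaded (anti-CSRF). It says nothing about the user's role."""
    expected = create_nonce(action, request["user"]["id"])
    return hmac.compare_digest(request.get("nonce", ""), expected)


def current_user_can(user: dict, capability: str) -> bool:
    """Models current_user_can(): the actual authorization primitive."""
    return capability in user["capabilities"]


def debug_endpoint_vulnerable(request: dict) -> str:
    """Vulnerable pattern: nonce check only, then a cookie unlocks admin-only behaviour."""
    if not check_admin_referer(request, ACTION):
        return "403 bad nonce"
    if request["cookies"].get("AI_WP_DEBUGGING") == "2":
        return "200 debug mode (admin-only feature reached)"
    return "200 normal"


def debug_endpoint_fixed(request: dict) -> str:
    """Hardened pattern: the nonce still blocks CSRF; the capability check authorizes."""
    if not check_admin_referer(request, ACTION):
        return "403 bad nonce"
    if not current_user_can(request["user"], "manage_options"):
        return "403 insufficient capability"
    if request["cookies"].get("AI_WP_DEBUGGING") == "2":
        return "200 debug mode (admin-only feature reached)"
    return "200 normal"


def subscriber_request() -> dict:
    """A logged-in Subscriber. The nonce is the one the plugin embedded in page
    JavaScript for this user, so it validates even though the user is not an admin."""
    user = {"id": 42, "capabilities": {"read"}}
    return {
        "user": user,
        "nonce": create_nonce(ACTION, user["id"]),
        "cookies": {"AI_WP_DEBUGGING": "2"},
    }


def admin_request() -> dict:
    """An administrator making the same request."""
    user = {"id": 1, "capabilities": {"read", "manage_options"}}
    return {
        "user": user,
        "nonce": create_nonce(ACTION, user["id"]),
        "cookies": {"AI_WP_DEBUGGING": "2"},
    }


if __name__ == "__main__":
    print("vulnerable, subscriber:", debug_endpoint_vulnerable(subscriber_request()))
    print("fixed, subscriber:     ", debug_endpoint_fixed(subscriber_request()))
    print("fixed, admin:          ", debug_endpoint_fixed(admin_request()))
```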

Below is the disclosure timeline:

July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users


Pierluigi Paganini

(SecurityAffairs – Ad Inserter, WordPress plugin)

The post Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code appeared first on Security Affairs.

[Category: Breaking News, Hacking, Ad Inserter, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News, Wordpress]

Posted 7/15/19 12:24pm
It has happened again: another JavaScript package in the npm registry has been compromised, this time the installer for PureScript.

The installer for the PureScript package in the npm registry was tampered with, forcing the project maintainers to purge the malicious code.

Last week many developers reported problems with the installer, and PureScript contributor Harry Garrood found malicious code in it.

Running npm i -g purescript from the command line installs the package, an extensive collection of libraries that sees 2,000 installs a week.

The installer was originally developed and maintained by the Japanese developer Shinnosuke Watanabe (@shinnn); later, the maintainers of the project asked him to hand control of the installer over to them.

The developer accepted the request but was unhappy with the decision.

“after a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so.” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and malicious code was added to some dependencies of the npm installer at separate times.

@shinnn claims that the packages were compromised by an attacker who gained access to his npm account. The good news is that the added malicious code was only meant to sabotage: it crashes the PureScript npm installer.

The malicious code was identified and removed by the maintainers of the project, who have also dropped Watanabe’s dependencies.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.

A similar case recently impacted developers using the Ruby strong_password library; the attacker hijacked the account of the real developer and injected malicious code into the library.


Pierluigi Paganini

(SecurityAffairs – npm, hacking)

The post The npm installer for PureScript package has been compromised appeared first on Security Affairs.

[Category: Breaking News, Hacking, Hackers, hacking news, information security news, npm, Pierluigi Paganini, PureScript, Security Affairs, Security News]

[*] [-] [-] [x] [A+] [a-]  
[l] at 7/15/19 12:24pm
It has happened again, another JavaScript package in the  npm registry has been compromised, it is the installer for PureScript.

The installer for PureScript package in the  npm registry has tampered forcing project maintainers to purge the malicious code.

Last week many developers reported several problems with the installer and PureScript contributor Harry Garrood found malicious code in its npm installer.

Launching the installer by typing  npm i -g purescript from the command line, it is possible to install the package, an extensive collection of libraries that counts for 2,000 installs a week.

The installer was originally developed and maintained the Japanese developer Shinnosuke Watanabe (@shinnn), later the maintainers of the project asked him to pass the control of the installer to them.

The developer accepted the request but was disappointed for the decision.

“ after a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so.” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and that malicious code was added to some of these dependencies of the npm installer at separate times.

@shinnn claims that the packages were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added had sabotage as its only purpose: it crashes the PureScript npm installer.

The malicious code was identified and removed by the maintainers of the project, who have also dropped Watanabe’s dependencies.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.

A similar case recently impacted developers using the Ruby strong_password library: the attacker hijacked the account of the real developer and injected malicious code into the library.


Pierluigi Paganini

(SecurityAffairs – npm, hacking)

The post The npm installer for PureScript package has been compromised appeared first on Security Affairs.

[Category: Breaking News, Hacking, Hackers, hacking news, information security news, npm, Pierluigi Paganini, PureScript, Security Affairs, Security News]

7/15/19 7:04am
Instagram has recently addressed a critical flaw that could have allowed hackers to take over any Instagram account without any user interaction.

Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without user interaction.

The news was first reported by TheHackerNews; the issue was reported to the Facebook-owned photo-sharing service by the Indian security expert Laxman Muthiyah.

According to Muthiyah, the flaw affects the “password reset” mechanism implemented by Instagram for the mobile version of the service. When Instagram users request to recover their passwords, they have to confirm a six-digit secret passcode (which expires after 10 minutes) that is sent to their associated mobile number or email account. This means that, in the worst case, an attacker would need to try one million possible combinations to change the password.

The expert focused his tests on the maximum number of requests allowed and discovered the absence of blacklisting. He was able to send requests continuously without being blocked, even after reaching the maximum number of requests he could send in a short time.

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account.” reads the analysis of the expert. “But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.” “Two things that struck mind was the number of requests and the absence of blacklisting.”

Finally, he discovered two things that allowed him to bypass the rate limiting mechanism: a race condition and IP rotation.

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited.” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack. “

Summarizing, the rate limiting can be bypassed by carrying out the brute force attack from different IP addresses and by leveraging a race condition, sending concurrent requests.
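Both weaknesses come from how the limiter is keyed and how it counts. The example below, written for this page and not Instagram's code or the researcher's PoC, puts a limiter keyed on the source IP with separate check and record steps beside one that keeps a single budget per account per issued code, consumed atomically under a lock and discarded when the code expires. The attempt budget, the allow(account, ip) shape and the sample addresses are assumptions.

```python
"""Two rate limiters for a six-digit reset-code check.

Added example written for this page, not Instagram's code or the researcher's
PoC.  Assumed (not from the article): a budget of MAX_ATTEMPTS guesses per
issued code and a verify call of the shape allow(account, ip).
"""
import threading
import time

MAX_ATTEMPTS = 10      # assumed guesses allowed per issued code
CODE_TTL = 600.0       # the article states the code expires after 10 minutes


class PerIpLimiter:
    """Weak design: the budget is keyed on the source IP, so each new IP brings
    a fresh budget against the same account (IP rotation), and check/record
    are two separate steps, so concurrent requests can all pass the check
    before any of them is counted (race condition)."""

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.counts = {}

    def check(self, ip):
        return self.counts.get(ip, 0) < self.max_per_ip

    def record(self, ip):
        self.counts[ip] = self.counts.get(ip, 0) + 1

    def allow(self, account, ip):
        # `account` is ignored: that is the design flaw being illustrated.
        if not self.check(ip):
            return False
        self.record(ip)
        return True


class PerAccountLimiter:
    """Hardened design: one budget per account per issued code, consumed
    atomically under a lock, independent of the source IP, and discarded when
    the code itself expires (no spare tries are carried over)."""

    def __init__(self, max_attempts, ttl, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self.lock = threading.Lock()
        self.budgets = {}          # account -> [attempts_used, issued_at]

    def issue_code(self, account):
        with self.lock:
            self.budgets[account] = [0, self.clock()]

    def allow(self, account, ip):
        with self.lock:            # check and consume form one critical section
            entry = self.budgets.get(account)
            if entry is None or self.clock() - entry[1] > self.ttl:
                return False       # no live code for this account
            if entry[0] >= self.max_attempts:
                return False       # budget exhausted, whatever the source IP
            entry[0] += 1
            return True


def sequential_attempts(limiter, account, ips, per_ip):
    """Guesses let through when `account` is tried from every IP in `ips`,
    `per_ip` times each, one request at a time."""
    return sum(limiter.allow(account, ip) for ip in ips for _ in range(per_ip))


def interleaved_attempts(limiter, ip, concurrent):
    """Model the race against the two-step limiter: every request runs check()
    before any of them runs record(), an ordering concurrent requests can hit."""
    passed = [limiter.check(ip) for _ in range(concurrent)]
    for ok in passed:
        if ok:
            limiter.record(ip)
    return sum(passed)


def concurrent_attempts(limiter, account, ips, per_ip):
    """Drive the limiter from one thread per (ip, attempt) and count passes."""
    results, guard = [], threading.Lock()

    def worker(ip):
        ok = limiter.allow(account, ip)
        with guard:
            results.append(ok)

    threads = [threading.Thread(target=worker, args=(ip,))
               for ip in ips for _ in range(per_ip)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    ips = ["198.51.100.%d" % i for i in range(1, 51)]    # constructed sample IPs
    weak = PerIpLimiter(MAX_ATTEMPTS)
    print("per-IP limiter, 50 IPs:", sequential_attempts(weak, "alice", ips, MAX_ATTEMPTS))
    strong = PerAccountLimiter(MAX_ATTEMPTS, CODE_TTL)
    strong.issue_code("alice")
    print("per-account limiter, 50 IPs:", concurrent_attempts(strong, "alice", ips, MAX_ATTEMPTS))
```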

The expert also published a video PoC of the attack that shows the exploitation of the flaw, hacking an Instagram account using 200,000 different passcode combinations without being blocked.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.” added the expert.

Laxman Muthiyah received a $30,000 reward from the company as part of its bug bounty program.


Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A flaw could have allowed hackers to take over any Instagram account in 10 minutes appeared first on Security Affairs.

[Category: Breaking News, Hacking, brute force attack, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

7/15/19 6:31am
On July 6, a ransomware attack brought down government computer systems at La Porte County, Indiana; the county finally decided to pay a $130,000 ransom.

On July 6, a ransomware attack paralyzed the computer systems at La Porte County, Indiana. According to County Commission President Dr. Vidya Kora, employees were not able to access any government email or website.

The county IT director shut down the computer systems to stop the threat from spreading and to limit potential damage. At least half of the servers in the county’s infrastructure were infected, and less than 7% of the laptops were not impacted.

Now La Porte County has decided to pay $130,000 to recover the data on the systems infected with the ransomware.

For at least three days, government systems were not working, forcing County officials to evaluate the option of paying the ransom.

Immediately after the attack, the county reported the incident to the FBI and worked with experts from several security firms to investigate the attack and mitigate the threat. The law firm Mullen Coughlin LLC was managing the incident response operations, but despite the efforts of the experts, La Porte County was not able to resume its operations.

According to WSBT, La Porte County’s systems were infected with a variant of the Ryuk ransomware, the same malware that infected computers at City of Lake City on June 10.

“Two organizations in our area are recovering from recent cyber attacks. Both the South Bend Clinic and La Porte County government are dealing with the aftermath.” reported the WSBT.

“La Porte County paid the ransom on a cyber attack that locked up part of the government’s computer system. The Ryuk virus got into the backup servers.”


It seems that $100,000 of the $130,000 is being covered by insurance.

“Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance” explained Dr. Vidya Kora.

Recently, other administrations have decided to pay the ransom to decrypt their files. Crooks earned a total of over $1 million in June from the attacks on two municipalities in Florida, Lake City and Riviera Beach.

In April, Stuart City was also a victim of the Ryuk ransomware, but it refused to pay the ransom. In early March, another city was hit by the same ransomware: computers of Jackson County, Georgia, were infected with Ryuk, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The Ryuk ransomware appears connected to the Hermes malware, which was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected newspaper distribution for several major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation on the malware allowed the experts from security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, a malware that, once it infects a system, creates a reverse shell back to the attackers, allowing them to break into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER, which is behind TrickBot.

Experts pointed out that Hermes was available for sale in the online underground community; attackers could have purchased it to create their own version of Ryuk.

Recently the United States Conference of Mayors asked its members to “stand united” against paying ransoms in case their systems are hit by ransomware. The stance is meant to discourage the criminal practice.


Pierluigi Paganini

(SecurityAffairs – La Porte, ransomware)

The post La Porte County finally opted to pay $130,000 Ransom appeared first on Security Affairs.

[Category: Breaking News, Hacking, Malware, Cybercrime, hacking news, information security news, La Porte, malware]

7/15/19 12:38am
A serious vulnerability in the Walkie-Talkie app on Apple Watch forced the tech giant to disable the application to prevent attackers from spying on its users.

Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due to a vulnerability that could be exploited to spy on users. The issue was reported to Apple via its “report a vulnerability” portal.

Image: Apple Walkie-Talkie app (source: The Mirror)

The Walkie-Talkie app allows users to communicate with other users who have a compatible Watch; it emulates the traditional behavior of a walkie-talkie.

According to TechCrunch, Apple is already working on a patch, but the application will not work until a fix is released.

“Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.” reads the post published by TechCrunch. “Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.”

An attacker could use another user’s iPhone to listen to communications made through the app; at the time, no other technical details had been publicly disclosed.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” reads a statement from Apple. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent.”

The good news is that Apple is not aware of attacks in the wild exploiting the vulnerability.

Earlier this year, another major vulnerability in Apple FaceTime allowed hearing the audio of the person being called before they picked up the call.

At the time, privacy advocates and authorities raised concerns about how Apple handled the issue.


Pierluigi Paganini

(SecurityAffairs – walkie-talkie app, GDPR)

The post Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw appeared first on Security Affairs.

[Category: Breaking News, Hacking, Apple, hacking news, information security news, Pierluigi Paganini, Security News, walkie-talkie app]

7/15/19 12:05am
Security experts at Emsisoft released a new decryptor that victims of the Ims00rry ransomware can use for free to decrypt their files.

Thanks to the experts at Emsisoft the victims of the Ims00rry ransomware can decrypt their files for free.

The Ims00rry ransomware uses the AES-128 algorithm for the encryption process. Unlike most ransomware, Ims00rry doesn’t append an extension to the filenames of the encrypted files. Instead, the ransomware adds the text “— shlangan AES-256—” before the contents of the files. The authors of the malware ask the victim to contact them through the Telegram account @Ims00rybot.

Crooks demand a $50 ransom worth of Bitcoin to decrypt the files.
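Because the filenames and extensions are left untouched, affected files have to be identified by the marker at the start of their contents. The triage script below is an added example, not Emsisoft's decryptor; it assumes the marker text quoted above is stored as UTF-8 at byte offset zero, and the sample files it builds are constructed.

```python
"""Find files encrypted by Ims00rry from the marker at the start of their
contents.  Added example, not Emsisoft's decryptor.  Assumption: the marker
text quoted in the article is stored as UTF-8 at byte offset zero.
"""
import os
import tempfile

MARKER = "— shlangan AES-256—".encode("utf-8")   # text quoted in the article


def is_marked(path, marker=MARKER):
    """True if `path` begins with the marker; reads only len(marker) bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(marker)) == marker
    except OSError:
        return False


def find_marked_files(root, marker=MARKER):
    """Walk `root` and return the files whose contents start with the marker.
    Names and extensions are untouched by this ransomware, so only the
    contents identify an encrypted file."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_marked(path, marker):
                hits.append(path)
    return sorted(hits)


def make_sample_tree(root):
    """Constructed sample: two files carrying the marker, one clean file."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    samples = {
        os.path.join("docs", "report.docx"): MARKER + b"\x8b\x12\x00\xf7",
        "photo.jpg": MARKER + b"\x00\x01\x02",
        "notes.txt": b"plain text, not encrypted",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and return the relative
    paths that were flagged, with forward slashes."""
    root = tempfile.mkdtemp(prefix="ims00rry-triage-")
    make_sample_tree(root)
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in find_marked_files(root)]


if __name__ == "__main__":
    print(demo())       # ['docs/report.docx', 'photo.jpg']
```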

Below is the text of the ransom note:

I am sorry!!!
My friend. I want to start my own business, but i have no money.
All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256.
If you want to restore your files payment and write to Telegram bot
Price decrypt software is $50.
Attention!!!
Do not rename or move the encrypted files.
Bitcoin wàllet:
1tnZbveCXmqRS1gfZSxztG5MbdJhptaqu

Contact Telegram bot:
@Ims00rybot

Emsisoft released a detailed usage guide for the decryptor, which is available here.


In May, Emsisoft experts released free decrypter tools for other threats, JSWorm 2.0 and GetCrypt.


Pierluigi Paganini

(SecurityAffairs – ransomware, malware)

The post Emsisoft released a free decryptor for the Ims00rry ransomware appeared first on Security Affairs.

[Category: Breaking News, Malware, hacking news, Ims00rry ransomware, information security news, malware, Pierluigi Paganini, Security Affairs, Security News]

7/14/19 4:25pm
SAP released 11 Security Notes as part of the Patch Day – July 2019, one of which was a Hot News Note addressing a critical flaw in Diagnostics Agent.

This month SAP released 11 Security Notes as part of the Patch Day – July 2019. One of them is a Hot News Note that addresses a critical vulnerability in Diagnostics Agent tracked as CVE-2019-0330.

The vulnerability is an OS command injection issue that could be exploited to fully compromise the SAP system; it received a CVSS score of 9.1.

The Diagnostics Agent (SMDAgent) is a central component of the SAP Solution Manager landscape. It manages monitoring and diagnostics communications between every SAP system and Solution Manager, which allows administrators to execute OS commands through a GAP_ADMIN transaction.

Each command is validated against a whitelist file present in the Diagnostics Agent installation directory. The CVE-2019-0330 flaw could be exploited by an attacker to bypass this validation by sending a specially crafted payload.

“Using its basic functionality, a SolMan admin can execute OS commands through a GAP_ADMIN transaction, in order to perform analysis into an SAP system. Once executed, those commands are validated using a whitelist file located in the SMDAgent installation directory.” reads the analysis published by Onapsis. “This vulnerability may allow an attacker to bypass this validation by sending a custom-crafted payload. Using this technique the attacker could obtain full control over an SAP system compromising the SMDAgent user, allowing access sensitive information (such as credentials and critical business information), changing application configurations or even stopping SAP services.”

Experts pointed out that the SMDAgent must be installed on every SAP system for diagnostic purposes; this means that the attack surface is broad and could affect the entire landscape.

SAP also released a High priority Security Note that addresses a code injection flaw, tracked as CVE-2019-0328, that affects the ABAP Tests Modules of NetWeaver Process Integration.

The CVE-2019-0328 vulnerability received a CVSS score of 8.7. 

The flaw resides in the Extended Computer Aided Test Tool (eCATT), a tool used to cover automatic testing in SAP business processes.

The July 2019 Patch Day updates also address nine other Medium severity flaws: Denial of service in Commerce Cloud (CVE-2019-0322), XSS in OpenUI5 (CVE-2019-0281), XSS in Information Steward (CVE-2019-0329), XSS in ABAP (CVE-2019-0321), XSS in SAP BusinessObjects (CVE-2019-0326), Unrestricted File Upload in NetWeaver (CVE-2019-0327), Missing Authorization check in ERP HCM (CVE-2019-0325), Information disclosure in NetWeaver (CVE-2019-0318), and Content Injection in Gateway (CVE-2019-0319).


Pierluigi Paganini

(SecurityAffairs – SAP security, hacking)

The post SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent appeared first on Security Affairs.

[Category: Breaking News, Security, hacking news, information security news, Pierluigi Paganini, SAP, Security Affairs, Security News, Security Notes]

7/14/19 10:59am
The UK’s National Cyber Security Centre (NCSC) issued a security advisory to warn organizations of DNS hijacking attacks and provided recommendations to mitigate this type of attack.

In response to the numerous DNS hijacking attacks, the UK’s National Cyber Security Centre (NCSC) issued an alert to warn organizations of this type of attack.

“In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack Domain Name Systems (DNS).” reads the security advisory.

“Since that alert was published we have observed further activity, with victims of DNS hijacking identified across multiple regions and sectors. This Advisory covers some of the risks for organisations around DNS hijacking activity and gives advice on ways the risks can be mitigated.”

DNS hijacking is the practice of subverting the resolution of Domain Name System (DNS) queries to carry out several malicious activities. It can be achieved using malicious code that modifies the computer’s TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

The Domain Name System (DNS) is the service responsible for pointing the web browser to the right IP address when we navigate to a web domain.

According to a report recently published by Avast, for nearly a year, Brazilian users have been targeted with router attacks. In the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.


This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to modify DNS settings of targeted routers.

Recently, experts at Cisco Talos published a detailed analysis of the DNS hijacking campaign conducted by Sea Turtle threat actor for espionage purposes.

UK’s NCSC explains the variety of motivations and objectives behind DNS hijacking attacks ranging from taking down or defacing a website, to intercepting data.

The main risks enumerated in the report are:

  • Creating malicious DNS records;
  • Obtaining SSL certificates;
  • Transparent Proxying for traffic interception.

To prevent phishing attacks, NCSC recommends using unique, strong passwords, and enabling multi-factor authentication when the option is available.

To prevent registrar accounts from being compromised using familiar Account Take Over (ATO) techniques (i.e. phishing, credential stuffing, social engineering), the agency suggests regularly checking the details linked to the account. It is important that they are up to date and point to the organization rather than an individual.

It also recommends restricting access to these accounts to the personnel charged with managing the registrar accounts.

“Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed.” continues the report. “A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner.”

In case an organization runs its own DNS infrastructure, the NCSC recommends implementing access and change control systems that can provide backup and restore function for DNS records. It also recommends enforcing strict access to the systems hosting DNS services.

NCSC also recommends implementing SSL monitoring and Domain Name System Security Extensions (DNSSEC) specifications.
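The three risks listed above (malicious records, unexpected certificates, traffic interception through re-pointed hosts) map onto checks a defender can automate by diffing observed state against a baseline. The function below is an added example, not NCSC's or any vendor's tooling; the zone, address ranges, certificate issuers and the observed data it runs on are all constructed.

```python
"""Baseline check for the DNS hijacking indicators listed in the advisory.

Added example, not NCSC tooling.  Everything below (zone names, address
ranges, certificate issuers, observed data) is constructed for illustration.
"""
import ipaddress

# Known-good state of the placeholder zone example.net (documentation addresses).
BASELINE = {
    "ns": {"ns1.example.net.", "ns2.example.net."},
    "a": {"www.example.net.": {"192.0.2.10"},
          "mail.example.net.": {"192.0.2.25"}},
    "mx": {"mail.example.net."},
    "cert_issuers": {"letsencrypt.org"},   # CAs the organisation actually uses
}
OWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# What a monitoring run might return while the zone is hijacked (constructed).
OBSERVED_HIJACKED = {
    "ns": {"ns1.example.net.", "ns1.unknown-host.test."},
    "a": {"www.example.net.": {"198.51.100.23"},
          "mail.example.net.": {"192.0.2.25"}},
    "mx": {"mail.example.net."},
    "ct_entries": [{"name": "www.example.net", "issuer": "other-ca.test"}],
}
# The same run against an untouched zone (constructed).
OBSERVED_CLEAN = {
    "ns": set(BASELINE["ns"]),
    "a": {name: set(addrs) for name, addrs in BASELINE["a"].items()},
    "mx": set(BASELINE["mx"]),
    "ct_entries": [{"name": "www.example.net", "issuer": "letsencrypt.org"}],
}


def audit(observed, baseline, own_ranges):
    """Return (indicator, detail) pairs; an empty list means no drift."""
    findings = []
    # 1. Delegation moved: a sign the registrar or registry account was abused.
    if observed["ns"] != baseline["ns"]:
        findings.append(("NS_CHANGED", sorted(observed["ns"] - baseline["ns"])))
    # 2. Host records re-pointed.  An address outside the organisation's own
    #    ranges is the pattern of a transparent proxy relaying to the real host.
    for name, addrs in observed["a"].items():
        expected = baseline["a"].get(name)
        if expected is None:
            findings.append(("NEW_RECORD", name))
            continue
        for addr in sorted(addrs - expected):
            ip = ipaddress.ip_address(addr)
            inside = any(ip in net for net in own_ranges)
            kind = "A_CHANGED" if inside else "A_OUTSIDE_RANGE"
            findings.append((kind, "%s -> %s" % (name, addr)))
    # 3. Mail rerouted.
    if observed["mx"] != baseline["mx"]:
        findings.append(("MX_CHANGED", sorted(observed["mx"])))
    # 4. Certificates logged by issuers the organisation never uses: somebody
    #    else passed domain validation while the records pointed elsewhere.
    for entry in observed["ct_entries"]:
        if entry["issuer"] not in baseline["cert_issuers"]:
            findings.append(("UNEXPECTED_CERT",
                             "%s by %s" % (entry["name"], entry["issuer"])))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(OBSERVED_HIJACKED, BASELINE, OWN_RANGES):
        print(kind, detail)
```

In practice the observed dictionaries would be filled from resolver queries and a certificate-transparency feed, and the SSL monitoring the NCSC mentions is the fourth check above.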

In early 2019, DHS issued a notice of a CISA emergency directive urging federal agencies to improve the security of government-managed domains (i.e. .gov) to prevent DNS hijacking attacks.


Pierluigi Paganini

(SecurityAffairs – DNS hijacking, hacking)

The post NCSC report warns of DNS Hijacking Attacks appeared first on Security Affairs.

[Category: Breaking News, Hacking, Reports, Security, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

7/13/19 11:08pm
A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs.


Once again thank you!

  • Croatia government agencies targeted with new SilentTrinity malware
  • Customers of 7-Eleven Japan lost $500,000 due to a flaw in the mobile app
  • Hackers compromised a Canonical GitHub account, Ubuntu source code was not impacted
  • Backdoor mechanism found in Ruby strong_password library
  • Cyberattack shuts down La Porte County government systems
  • Experts uncovered a new Magecart campaign that hacked over 960 stores
  • Hackers are poisoning the PGP SKS keyserver network
  • Spotting RATs: Delphi wrapper makes the analysis harder
  • UK ICO fines British Airways £183 Million under GDPR over 2018 security breach
  • A new Astaroth Trojan Campaign uncovered by Microsoft
  • Flaw in Zoom video conferencing software lets sites take over webcam on Mac
  • Kaspersky report: Malware shared by USCYBERCOM first seen in December 2016
  • Maryland Department of Labor discloses a data breach
  • Prototype Pollution flaw discovered in all versions of Lodash Library
  • Adobe Patch Tuesday updates for July 2019 address only 5 minor flaws
  • Kali Linux is now available for Raspberry Pi 4
  • Microsoft released Patch Tuesday security updates for July 2019
  • Parents Guide for Safe YouTube and Internet Streaming for Kids
  • Severe vulnerabilities allow hacking older GE anesthesia machines
  • UK ICO proposes a $123 million fine for Marriott 2014 data breach
  • A new NAS Ransomware targets QNAP Devices
  • Agent Smith Android malware already infected 25 million devices
  • Intel addresses high severity flaw in Processor Diagnostic Tool
  • New FinFisher spyware used to spy on iOS and Android users in 20 countries
  • CVE-2019-1132 Windows Zero-Day exploited by Buhtrap Group in government attack
  • Exclusive, experts at Yoroi-Cybaze ZLab released a free decryptor for Loocipher Ransomware
  • Hackers stole $32 million from Bitpoint cryptocurrency exchange
  • New Miori botnet has a unique protocol for C2 communication
  • FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal
  • Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 222 – News of the week appeared first on Security Affairs.

[Category: Breaking News, Hacking, information security news, malware, Newsletter, Pierluigi Paganini, Security Affairs, Security News]

7/13/19 11:00pm
Brazilian users have been targeted by a large number of router attacks aimed at modifying the configuration of their routers for malicious purposes.

This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to execute commands without the users’ knowledge.

The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones.

Crooks targeted users of many major organizations, including Netflix and large banks like Santander, Bradesco, and Banco do Brasil.

A router CSRF attack can be launched by tricking victims into visiting a compromised website that serves malicious advertising (malvertising), typically delivered to the site through third-party ad networks.

“Avast frequently observes malvertising infections on local Brazilian websites that host adult content, illegal movies or sports content. Just by visiting a compromised site, the victim is redirected to a malicious page where their router is automatically attacked without user interaction.” reads a blog post published by Avast.

“Malware then guesses routers’ passwords which new research from Avast shows are often weak. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.”

Avast researchers also observed crooks using DNS hijacking to deliver crypto mining scripts to users’ browsers.

Experts first observed the router attacks last summer; researchers from Radware and Netlab first reported them.

Experts at Qihoo 360 NetLab reported that between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

In April 2019, experts at Bad Packets uncovered a new wave of attacks mainly aimed at compromising D-Link routers, many of them belonging to Brazilian users.

According to Avast, in the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.


The router attacks involved an exploit kit that attempts to find the router IP on the network, then attempts to guess the password using common login credentials.

“The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, and is the largest telecommunications company in the country.” states the analysis published by Avast. “The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also Telefônica Brasil brand.”

Experts explained that the GhostDNS variant Novidade was one of the most active in router attacks against Brazilian users.

Avast confirmed that Novidade attempted to infect its users’ routers over 2.6 million times in February alone; the experts observed at least three campaigns spreading the malware.

In the past three months, experts also uncovered three drive-by attacks from another exploit kit, tracked as “SonarDNS EK” because it is based on the SONAR JS framework.

“Users should be careful when visiting their bank’s or Netflix’s website, and make sure the page has a valid certificate, by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.”  concludes Avast.


Pierluigi Paganini

(SecurityAffairs – router attacks, Brazil)

The post For nearly a year, Brazilian users have been targeted with router attacks appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Internet of Things, Malware, botnet, CSRF, DNS hijacking, hacking news, information security news, IoT, Pierluigi Paganini, router attacks, Security Affairs, Security News]

7/13/19 8:41am
The United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Facebook will be obliged to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal. In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, many more than the 50 million users initially thought.

“The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information, according to three people briefed on the vote, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies.” reported The New York Times.


The news is not a surprise for experts; the settlement had been anticipated by the media over the past months. Final approval will arrive in the coming weeks from the US Justice Department, which usually approves settlements reached by the FTC.

If approved, it would be the biggest fine assigned by the federal government against a tech firm.

The probe began more than a year ago; the agency found that the way Facebook manages user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data. The settlement obliged the company to review its privacy practices.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

In April, Facebook disclosed its first quarter 2019 financial earnings report that revealed the company had set $3 billion aside in anticipation of the settlement with the FTC.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” said Representative David Cicilline, a Democrat and chair of a congressional antitrust panel.

It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist.

— David Cicilline (@davidcicilline) July 12, 2019

Recently, the UK’s Information Commissioner’s Office (ICO) also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.

window._mNHandle = window._mNHandle || {}; window._mNHandle.queue = window._mNHandle.queue || []; medianet_versionId = "3121199"; try { window._mNHandle.queue.push(function () { window._mNDetails.loadTag("762221962", "300x250", "762221962"); }); } catch (error) {}

Pierluigi Paganini

(SecurityAffairs – Cambridge Analytica, Facebook)

The post FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal appeared first on Security Affairs.

[Category: Breaking News, Digital ID, Laws and regulations, Social Networks, Cambridge Analytica, Facebook, information security news, Pierluigi Paganini, privacy, Security Affairs, Security News, social networks]

7/13/19 8:41am
The United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Facebook will be obliged to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal. In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million initially estimated.

“The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information, according to three people briefed on the vote, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies,” reported The New York Times.


The news is no surprise to experts: the settlement had been anticipated by the media over the past months. Final approval is expected in the coming weeks from the US Justice Department, which usually approves settlements reached by the FTC.

If approved, it would be the biggest fine ever levied by the federal government against a tech firm.

The probe began more than a year ago; the agency found that the way Facebook manages user data violated a 2011 privacy settlement with the FTC. At that time, Facebook had been accused of deceiving users about how the social network giant handled their data, and the settlement obliged the company to review its privacy practices.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

In April, Facebook disclosed its first-quarter 2019 financial earnings report, which revealed that the company had set aside $3 billion in anticipation of the settlement with the FTC.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” said Representative David Cicilline, a Democrat and chair of a congressional antitrust panel.

It’s very disappointing that such an enormously powerful company that engaged in such serious misconduct is getting a slap on the wrist.

— David Cicilline (@davidcicilline) July 12, 2019

Recently the UK’s Information Commissioner’s Office (ICO) also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.


Pierluigi Paganini

(SecurityAffairs – Cambridge Analytica, Facebook)

The post FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal appeared first on Security Affairs.


7/13/19 2:14am
Magecart continues to target websites worldwide: it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

The Magecart gang has made the headlines again: according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

A few days ago, security experts at Sanguine Security uncovered a new large-scale payment card skimming campaign that has already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, in which hackers injected a skimmer script into The Guardian via an old AWS S3 bucket, using wix-cloud[.]com as the skimmer gate.

According to RiskIQ, since April 2018 Magecart hackers have adopted a new tactic that relies on misconfigured Amazon S3 buckets. These buckets allow anyone with an active Amazon Web Services account to read from or write to them.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets,” reads the analysis published by RiskIQ. “These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.”

The attackers scan the web for misconfigured buckets containing any JavaScript files, download those files, modify them by appending the skimming code at the bottom, and then overwrite the original scripts on the bucket.

RiskIQ experts believe threat actors have already compromised a large number of S3 buckets affecting over 17,000 domains, including websites in the top 2,000 of Alexa rankings.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment,” concludes RiskIQ.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets.”
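A defender-side check for the misconfiguration described above, added here as an example and not RiskIQ's or the page's own code: it parses the ACL JSON that `aws s3api get-bucket-acl` returns and flags grants to the predefined AllUsers and AuthenticatedUsers groups, rating write permissions as critical because they let any AWS account overwrite the JavaScript served from the bucket. The owner ID and both sample ACLs are constructed placeholders.

```python
# Added example (not RiskIQ's or Security Affairs' code): audit the JSON that
# `aws s3api get-bucket-acl` returns and flag grants that let the AllUsers or
# AuthenticatedUsers groups write objects. Sample ACLs below are constructed.
import json

# Predefined S3 group URIs. AuthenticatedUsers means *any* AWS account,
# not just accounts in your own organization.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# Permissions that allow overwriting objects or rewriting the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl_json: str) -> list:
    """Return findings for grants to public groups; write access is CRITICAL."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants are scoped to one specific account
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue  # other groups, e.g. LogDelivery, are not world-facing
        perm = grant.get("Permission")
        severity = "CRITICAL" if perm in WRITE_PERMS else "WARNING"
        findings.append(f"{severity}: {group} has {perm}")
    return findings


# Constructed sample: a bucket any AWS account can overwrite (the misconfiguration
# in the report, which lets a skimmer be appended to the hosted JS and written
# back) beside a correctly private one. "example-owner-id" is a placeholder.
OPEN_BUCKET_ACL = json.dumps({
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
})
PRIVATE_BUCKET_ACL = json.dumps({
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}],
})
```

Run `risky_grants()` over the output of `aws s3api get-bucket-acl --bucket <name>` for each bucket that serves scripts; any CRITICAL finding means the bucket's JavaScript can be rewritten by an arbitrary AWS account.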

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they differ considerably from each other.

According to a joint report published by RiskIQ and Flashpoint, some groups are more advanced than others; in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.


Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets appeared first on Security Affairs.


7/12/19 1:19pm
A new variant of the Miori botnet implements a unique protocol to communicate with its command and control infrastructure.

A new variant of the Miori botnet uses a unique protocol to communicate with its C&C infrastructure and implements a protection mechanism that guards access to the login panel.

The Miori bot borrows code from the dreaded Mirai malware. It first appeared on the threat landscape in late 2018, when it was spread by exploiting a ThinkPHP remote code execution vulnerability after exploit code was made publicly available. The Miori bot targets poorly secured IoT devices with SSH and Telnet services exposed online.

Previous Miori variants communicated with the C2 server over a binary-based protocol, with a login prompt displayed to anyone who knew its IP address.

The current version leverages a text-based protocol and implements a protection mechanism that drops the connection if a specific string is not provided; it also supports encrypted commands.

“When we tried to connect to the C&C server, instead of getting the usual login prompt, it displayed a message (seen in Figure 2) and simultaneously terminated the connection. The message is directed at researchers, which makes it evident that the cybercriminals behind the variant are wary of security researchers’ usual methods,” reads the analysis published by Trend Micro.

The message displayed after attempting to connect to the C&C console was “Fuck Off researcher!!”

The new Miori variant supports encrypted commands and allows a client to connect to the command server only after it has sent the specific string.

The malicious code uses a simple substitution method for encryption; the researchers found the correspondence table used for decryption hard-coded in the sample.

While the malware waits for instructions, it also searches for vulnerable systems to compromise.

The Miori botnet, like other Mirai variants, is used to launch DDoS attacks; it supports both TCP and UDP flood attacks.

The malicious code also supports other additional commands for terminating the attack and for killing its process.

The analysis of the strings found in the sample revealed the URL of a site that offers the Miori bot’s source code for sale. The authors are asking US$110 for the source code.

“Regardless of the reason behind its design, the malware’s routine is generally similar to typical Mirai variants: infect vulnerable IoT devices and use them as platforms for launching a DDoS attack. These differences also emphasize the necessity of keeping up with evolving IoT malware in the future.” concludes Trend Micro.

“Users can reduce the impact of such schemes by applying the right patches and updates for their deployed devices. As this malware acts like a typical Mirai variant, making sure to change default credentials with tougher security in mind can reduce the possibility of unauthorized access and success of brute force attacks.”


Pierluigi Paganini

(SecurityAffairs – Miori Botnet, IoT)

The post New Miori botnet has a unique protocol for C2 communication appeared first on Security Affairs.
