Friday, 15 November 2019
A NEW AND DANGEROUS BACKDOOR AVAILABLE ON DEEP WEB
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/11/a-new-and-dangerous-backdoor-available-on-deep-web/
According to reports from digital forensics experts, the dangerous hacker group known as Platinum has announced the release of Titanium, a new backdoor Trojan that includes advanced features to control an infected computer completely.
The report, published by security firm Kaspersky Lab, mentions that this backdoor can hide from victims by posing as legitimate software, such as a CD burner, a sound controller, or even an anti-malware security tool.
Digital forensics experts say Platinum, also identified as TwoForOne, has been active for at least a decade, injecting malicious code into government networks, intelligence agencies, national defense institutions, telecommunications companies and other large organizations around the world, with intense activity recorded in the southern and eastern regions of Asia.
Regarding this new malware, Kaspersky Lab experts assert that Titanium has a complex sequence for its delivery, download and installation on the target system, concluding with the deployment of the backdoor.
Titanium is also able to bypass detection by almost any security tool, employing encryption, camouflage techniques and data hidden in PNG images via steganography.
According to the report of the digital forensics specialists, after the Trojan completes the infection, the final payload is delivered and the files necessary for its execution are downloaded using the Windows Background Intelligent Transfer Service (BITS). Communication between the Trojan and its command and control (C&C) server is carried out with the cURL tool.
The Trojan must send a base64-encoded request containing a system ID, computer name and hard drive serial number to start the server-side script: “The commands will begin to be received after setting the connection,” the experts added.
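The following Python script is an added example, not code from the article or from Kaspersky’s report: it scans constructed proxy log lines for the kind of beacon described above, a base64-encoded request carrying a system ID, computer name and hard drive serial number, sent with a cURL user agent. The log line format, the query parameter name and the ‘;’ delimiter between the three fields are assumptions, since the article does not specify them.

```python
"""Heuristic detector for a Titanium-style base64 C&C beacon in outbound proxy logs.

Assumptions not taken from the article: the proxy log line format, the query
parameter used to carry the request, and the ';' delimiter between the three
fields inside the decoded request are all constructed for this example.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Constructed plaintext of the kind of request the article describes:
# system ID, computer name and hard drive serial number (assumed ';' delimiter).
BEACON_PLAINTEXT = "1234567890;WORKSTATION-03;WD-WCC2J1234567"
BEACON_B64 = base64.b64encode(BEACON_PLAINTEXT.encode()).decode()

# Constructed proxy log, one request per line: "<time> <src_ip> <method> <url> <user-agent>"
SAMPLE_PROXY_LOG = (
    "2019-11-11T09:12:01Z 10.0.0.15 GET http://intranet.example/index.html Mozilla/5.0\n"
    f"2019-11-11T09:12:07Z 10.0.0.22 GET http://203.0.113.7/gate.php?d={BEACON_B64} curl/7.55.1\n"
    "2019-11-11T09:13:44Z 10.0.0.22 GET http://cdn.example/logo.png Mozilla/5.0\n"
    "2019-11-11T09:14:02Z 10.0.0.31 GET http://api.example/v1?token=YWJj Mozilla/5.0\n"
)

LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
COMPUTER_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # NetBIOS-style host name
DISK_SERIAL_RE = re.compile(r"^[A-Za-z0-9-]{8,}$")      # loose drive serial shape


def decode_base64_text(token):
    """Return the decoded text if token is valid base64 (standard or URL-safe
    alphabet) for printable text, otherwise None."""
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(token, altchars=altchars, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.isprintable():
            return text
    return None


def parse_beacon_fields(text):
    """Split decoded text into the three fields the article describes.
    Returns a dict, or None when the shape does not match."""
    parts = text.split(";")
    if len(parts) != 3:
        return None
    system_id, computer_name, serial = parts
    if not system_id or not COMPUTER_NAME_RE.match(computer_name) or not DISK_SERIAL_RE.match(serial):
        return None
    return {"system_id": system_id, "computer_name": computer_name, "disk_serial": serial}


def query_params(url):
    """Yield (name, value) pairs from the URL query without treating '+' as a
    space, since '+' is part of the standard base64 alphabet."""
    for pair in urlparse(url).query.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            yield name, unquote(value)


def find_suspect_beacons(log_text):
    """Return one finding per request whose query carries a base64 value that
    decodes to the system-ID / computer-name / disk-serial triple."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue
        time, src_ip, _method, url, user_agent = match.groups()
        for name, value in query_params(url):
            text = decode_base64_text(value)
            fields = parse_beacon_fields(text) if text else None
            if fields is None:
                continue
            findings.append({
                "time": time,
                "src_ip": src_ip,
                "url": url,
                "param": name,
                "curl_user_agent": user_agent.startswith("curl/"),  # second signal from the article
                **fields,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_beacons(SAMPLE_PROXY_LOG):
        print(finding)
```

On the constructed log only the request from 10.0.0.22 with the cURL user agent is flagged; the short base64 token on the last line decodes but does not have the three-field shape.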
Among the main functions of this Trojan are:
- Reading any system file
- Sending any file from the system to C&C
- Delivery and execution of any file
- Updater tool
In addition, this Trojan has an ‘interactive mode’ that allows attackers to receive inputs from the console programs and send the outputs to the C&C.
According to experts from the International Institute of Cyber Security (IICS), there is still no evidence of this Trojan’s activity in the wild, although the fact that it is available on the deep web makes an attack very likely in the near future.
CRITICAL VULNERABILITY AFFECTS LINUX UBUNTU AND FREEBSD SYSTEMS
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/11/critical-vulnerability-affects-linux-ubuntu-and-freebsd-systems/
According to vulnerability testing specialists, a compression library included by default in multiple Linux distributions (Ubuntu, Debian, Gentoo, Arch Linux and FreeBSD among others) is affected by a serious vulnerability that, if exploited, could allow a threat actor to execute malicious code on the targeted computer.
Although this library is also included on Windows and macOS systems, the vulnerability does not appear to affect these deployments.
The affected library is Libarchive, designed to create and read compressed archives. According to vulnerability testing specialists, this toolkit fulfills multiple functions related to archive files and also ships its own versions of Linux utilities (tar, cpio and cat), which is why it is implemented extensively on more than one operating system.
Just a few days ago, details of a serious vulnerability affecting this library were revealed, together with the release of security updates for Libarchive.
The vulnerability, tracked as CVE-2019-18408, allows hackers to execute code on a user’s system using nothing more than a malformed file. Among the possible exploit scenarios, users could receive malicious files from hackers, or local applications could process such files using various Libarchive components for decompression.
Many software utilities and operating systems include Libarchive by default, so the potential attack surface is considerable: desktops, server operating systems, server managers, package managers, security utilities, file browsers, and media processing tools such as pkgutils, CMake, Pacman, Nautilus, and Samba.
Maintainers of the operating systems affected by this vulnerability in Libarchive have already released patches; however, it is not known whether other applications will release the corresponding update. Vulnerability testing experts consider that not everything is bad news, as Windows and macOS, the most popular operating systems, are not affected by this flaw.
Specialists in vulnerability testing from the International Institute of Cyber Security (IICS) mention that so far there have been no reports of active exploitation of this vulnerability; similarly, no proof of concept has been developed yet, although it could be a matter of hours before this happens.
FORTNITE ONLINE SERVERS WORLDWIDE UNDER DDOS ATTACK
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/11/fortnite-online-servers-worldwide-under-ddos-attack/
Increasingly, cybersecurity incidents are affecting thousands, or even millions, of members of the gamer community. According to experts in ethical hacking, this weekend many fans of the popular Epic Games videogame Fortnite reported an alleged denial of service (DoS) attack against its online servers, preventing them from accessing their accounts and connecting to their matches.
Complaints about service failures began on November 9 through social media platforms, mainly Twitter. Soon after, an account allegedly operated by the hacker group known as Lizard Squad claimed the attack was their responsibility, affirming they were testing the effectiveness of Epic Games security bots: “Fortnite is offline, hopefully worldwide,” mentions one of the tweets of the alleged hackers.
Subsequently, the Lizard Squad account began posting dozens of screenshots of users reporting failures on Fortnite servers; however, the platform shows that no security incidents were detected on Fortnite’s online infrastructure on the aforementioned date, which has only caused more confusion among affected users, the experts in ethical hacking mentioned.

Although the company has neither admitted nor denied the incident, the problems continued to arise during the following hours; even prominent Fortnite users, such as the popular video game streamer known as ‘Ninja’, shared their concern about the alleged cyberattack, which occurred in the middle of a tournament: “Does Epic Games release a statement? Will these games count? What’s going on?” he posted on his Twitter account.
Few things about this incident are certain, although unconfirmed information keeps appearing, as ethical hacking specialists mention. Finally, around 5:00 PM on 9 November, new tweets were posted from the account allegedly operated by Lizard Squad, recognizing that the Epic Games security team had beaten them on this occasion: “We couldn’t beat these guys; good game, Epic Games security team,” the post mentions.
It seems that everything has returned to normal, although many users remain concerned about the possibility of further hacking attempts against Fortnite servers, especially in tournament season. Meanwhile, Epic Games has still not published an official statement on the incident.
When it comes to attacks on the IT infrastructure of an online video game, the first possible perpetrator that comes to the mind of the cybersecurity community is the Lizard Squad group. According to ethical hacking specialists from the International Institute of Cyber Security (IICS), since its appearance about five years ago, this group specializes in attacks against online gaming platforms, such as incidents at EA Games, Destiny, Xbox Live, among others. Little is known about Lizard Squad, its members, and especially its motivations; many security experts even believe that these hackers deploy these attacks simply because they can.
A MAJOR CLOUD SERVICES COMPANY SUFFERS MASSIVE RANSOMWARE INFECTION
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/11/a-major-cloud-services-company-suffers-massive-ransomware-infection/
The week is just beginning and new security incidents affecting major technology companies have already been reported. According to web application security specialists, SmarterASP.NET, an ASP.NET hosting service provider, was the victim of a serious ransomware attack that could affect its more than 400k customers.
This is the third time this year that a major web hosting company has been affected by an encryption malware infection, a clear indicator of poor security measures and of the evolution of the methods employed by threat actors.
Through a message posted on its website the company acknowledged the incident and claimed that it had already begun work on resetting all its systems, as mentioned by web application security experts. However, it is still unknown whether SmarterASP.NET executives agreed to pay the ransom to hackers or instead the information will be recovered from the company’s backups. “Your account is under attack; the perpetrators have encrypted all your data. We are working with experts to retrieve your information and ensure that this does not happen again,” the statement says.
So far the company has not provided further details about the incident and its management, even its telephone line has been disabled.
The attackers not only compromised the customer information of this service, but also took the time to attack the company itself, taking its website offline and leaving it inaccessible throughout Saturday. Finally, SmarterASP.NET’s web application security team regained control of the website on Sunday morning.
Regarding the ransomware variant used by those responsible for this cyberattack, an anonymous user posted on Twitter some screenshots of a compromised computer, where it can be seen that the information was encrypted with an updated version of the Snatch ransomware, which adds the .kjhbx extension to infected files.
So far the company does not seem to have made much progress in the recovery process, as the number of users reporting that access to their accounts and data, including files on their websites and back-end databases, remains blocked is still large.
The incident has hit many of the users of this service very seriously, as most of them use SmarterASP.NET as a back end of web applications to synchronize or back up important information. According to web application security experts, since ransomware also affected these databases, it is impossible for website administrators to move their operations to an alternative IT implementation.
In the past few months, experts from the International Institute of Cyber Security (IICS) reported the attack on two other major hosting companies. The first incident occurred at A2 Hosting in May, where hackers used the GlobeImposter ransomware. The next victim was iNSYNQ, which was infected last July with a variant of the MegaCortex ransomware, which prevented the proper functioning of the company’s systems for almost two months; recovery time for SmarterASP.NET is expected to be similar.
Thursday, 14 November 2019
CALIFORNIA DEPARTMENT OF MOTOR VEHICLES EXPOSES DRIVERS’ PERSONAL INFORMATION
ORIGINAL CONTENT: https://ift.tt/36IH0xv
According to information security specialists, the California Department of Motor Vehicles (DMV) suffered a data breach that exposed the Social Security numbers of thousands of city drivers; the incident would have given other government agencies undue access to this information.
This incident is particularly serious for illegal migrants residing in the state, as the leaked records specify which drivers do not have a social security number, which would reveal their immigration status. The city government says there is no way for migration agencies to have access to these records.
However, the California government noted that some law enforcement agencies have accessed this information as part of investigations into illegal activities.
As per information security specialists, agencies that would have accessed this information include the IRS, the Small Business Administration, and the offices of San Diego and Santa Clara district attorneys; specialists have been unable to determine whether any migration agencies gained access to this information.
On the other hand, the DMV claims that the information was exposed due to an internal error, not as a result of a cyberattack against its IT systems. In addition, the Department asserts that unauthorized access was shut down immediately after it was detected, on the morning of last August 2.
It is estimated that the information of just over 3,200 drivers was exposed during this incident; the Department stresses that all affected users have already been notified. “The security of personal information is vital for DMV; the necessary measures have already been implemented to correct this failure; we deeply regret the inconveniences this problem may have caused,” says a statement from the Department.
Ultimately, Anita Gore, a spokesperson for the DMV, told local media: “We want to emphasize the fact that no other personal record was exposed during this incident; the DMV immediately began an incident correction process to contain the scope of the leak”.
Although the DMV claims that it was not the target of a cyberattack, specialists from the International Institute of Cyber Security (IICS) consider it relevant that the organization conduct a thorough review of its information security policies and practices, to ensure that these kinds of errors won’t happen again.
RANSOMWARE ATTACK INFECTS 30,000 COMPUTERS IN NEW MEXICO SCHOOLS
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/08/ransomware-attack-infects-30000-computers-in-new-mexico-schools/
A serious incident has compromised the computer systems of a US school district. According to digital forensics specialists, a ransomware attack has infected about 30,000 computers belonging to the Las Cruces school district, New Mexico, US. The incident caused servers and Internet devices to shut down throughout the district.
During a press conference, Superintendent Karen Trujillo revealed that the malware managed to compromise these computers during the early hours of October 29; hours later, district IT staff were instructed to shut down operations on all servers and disconnect compromised computers from the Internet.
As a reminder, ransomware is malicious software created to block access to a device and the files stored on it. To regain access, victims must pay a ransom to the threat actors. The most common ransomware infection methods are malicious emails and malware-laden web pages, as digital forensics experts note.
When questioned about the incident recovery process, the district’s IT director, Matt Dawkins, stated that Las Cruces is collaborating with external cybersecurity firms to implement a recovery plan that has proven successful in other ransomware attacks. At the conclusion of the first investigations into the attack, Dawkins mentioned that about 30,000 devices should be “cleaned”; this process includes formatting hard drives, reinstalling operating systems and complementary software.
A subsequent release from the district’s digital forensics team also mentioned that the entire IT infrastructure of Las Cruces will be subject to security audits and hardware upgrades to complete the recovery process and bring systems back online.
Regarding how long the recovery process will take, the district authorities decided not to make an estimate: “Certain setbacks may appear, we must stop and address all possible failures that arise; it’s hard to say how long it’s going to take,” Dawkins added.
As with recovery time, details about potential costs are unknown, although Superintendent Trujillo mentioned that a significant portion of these expenses will be covered by a federal fund reserved for such incidents.
Although most of the district’s computers were impacted, the authorities mentioned that two teams were enabled to access information systems securely, so the closure of activities was not complete, and academic staff in all schools in the district are working in an “almost normal” manner. School staff have also resorted to handling some paperwork and processes by hand.
International Institute of Cyber Security (IICS) digital forensics specialists mention that school districts, like other public organizations, have become one of the new targets for cyberattacks. The main recommendation for any organization is to establish awareness programs to prevent ransomware infections and any other type of malicious program. The costs of prevention are way lower than the costs of recovering from any cybersecurity incident.
PWN2OWN 2019: HACKERS EARN $200K USD FOR FINDING VULNERABILITIES IN SMARTPHONES, TVS AND SMART SPEAKERS
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/08/pwn2own-2019-hackers-earn-200k-usd-for-finding-vulnerabilities-in-smartphones-tvs-and-smart-speakers/
Once again, Tokyo, Japan is home to the Pwn2Own ethical hacking event, organized by the Zero Day Initiative and, this time, the Fluoroacetate hacker team has swept the competition. After two days of the event, the two experts who make up this team accumulated more than $140k USD in rewards for finding and exploiting vulnerabilities in mobile devices from manufacturers such as Xiaomi and Samsung, among others.
This year’s winning hacker team, made up of Amat Cama and Richard Zhu, began their participation in the event by demonstrating an exploit on a Sony X800G smart TV, earning $15k USD.
Subsequently, the ethical hacking experts took control of an Amazon Echo Show 5 smart speaker thanks to an integer overflow in JavaScript, receiving a prize of $60k USD. Other devices hacked by Fluoroacetate include a Samsung Q60 smart TV, a Xiaomi Mi9 smartphone and a Samsung Galaxy S10.
These hackers have taken a wide lead over the rest of the Pwn2Own 2019 participants, so they are expected to win the Masters of Pwn title, the tournament’s top award, for the third year in a row.
The previous year, Fluoroacetate earned more than $80k USD from finding vulnerabilities in next-generation devices, such as Apple’s iPhone X and the mobile browser of Xiaomi’s smartphone, among other devices, claiming the Pwn2Own 2018 title.
Although the results of the event were overwhelmingly favorable for Fluoroacetate, the rest of the ethical hacking experts who participated also made important findings. Second place in the rankings went to F-Secure Labs, a team that amassed more than $70k USD in rewards for its findings; Flashback, a team debuting at Pwn2Own, took third place with about $50k USD.
In total, more than $300,000 were given to participating ethical hacking experts; reports on the vulnerabilities found will be sent to the manufacturers of the exploited devices to be corrected within 90 days of the report.
According to the ethical hacking specialists of the International Institute of Cyber Security (IICS), such events encourage the participation of various members of the cybersecurity community, whether established firms or independent researchers combating the exploitation of vulnerabilities in commonly used hardware and software.
However, it is also a reflection of the many security weaknesses present in all kinds of Internet-connected devices, so it is important that ethical hackers find these flaws before the threat actors do.
Wednesday, 13 November 2019
CRITICAL VULNERABILITY IN RING SMART DOORBELLS; WIFI NETWORK USERS’ INFORMATION LEAKED
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/07/critical-vulnerability-in-ring-smart-doorbells-wifi-network-users-information-leaked/
Although people buy video camera doorbells from Ring manufacturer hoping to increase the security of their homes, a flaw in the software of these devices could expose its users to a new security risk. According to experts in ethical hacking, the flaw would allow a threat actor to extract username and WiFi password from the doorbell user.
According to Bitdefender’s report, the security firm in charge of reporting the vulnerability, Ring’s parent company was informed of this flaw last June; the vulnerability was corrected in the Ring update for September.
It should be remembered that Ring is a company dedicated to the manufacture of doorbells with surveillance camera; almost two years ago, this company was acquired by Amazon for almost $850 million USD. Currently, these surveillance systems are linked to at least 580 police departments in the United States, integrating a neighborhood surveillance network, ethical hacking experts report.
Explained in this way, installing Ring devices in homes would seem like a good idea, although not everyone thinks their use is recommended. Privacy specialists have expressed concern that these systems connect directly to police stations, as well as the obvious exposure to threat actors.
An additional concern is that this is not the first time experts have found vulnerabilities in Ring. A couple of years ago, experts at Pen Test Partners discovered a series of flaws in these devices that, if exploited, allowed hackers to extract the password of the WiFi network to which the doorbell connects. Other research has shown that it is possible to extract real-time images from these devices.
Ethical hacking experts mention that the vulnerability lies in the connection between the video camera and the Ring app. When setting up a device for the first time, the app must send the WiFi network’s sign-in credentials to the doorbell. Because this information is sent over an unencrypted network, a hacker could perform a Man-in-the-Middle (MiTM) attack to intercept the transmitted data. It is important to note that the attacker must be within range of the target WiFi network’s signal.
After the latest security issue was revealed in Ring, the company released a statement: “The security of our devices and the trust of our users are the most important thing to us. We want to report that a security update was released to address the reported failure; the problem has already been corrected.”
Due to its characteristics, this attack can only occur during the device configuration process, as ethical hacking specialists from the International Institute of Cyber Security (IICS) note. However, a hacker could also send fake messages to a user to trick them into setting up the Ring device from scratch again, although the complexity of this scenario increases considerably.
EXPERTS FOUND A BACKDOOR IN SIEMENS PLCS. CRITICAL INFRASTRUCTURE AND SCADA NETWORKS AFFECTED
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/07/experts-found-a-backdoor-in-siemens-plcs-critical-infrastructure-and-scada-networks-affected/
A team of web application security specialists from Ruhr University in Bochum, Germany, has discovered a critical vulnerability in some new programmable logic controller (PLC) models manufactured by Siemens. According to the experts, the flaw is related to the presence of a hidden access feature that could be used both to carry out cyberattacks and as a security tool.
The security issue is related to the hardware access function of the Siemens S7-1200 PLC (this feature processes software updates and verifies the integrity of the PLC firmware when the device starts). Apparently, this access behaves similarly to a backdoor.
According to web application security experts, a threat actor may abuse this feature to bypass the firmware integrity verification step for about half a second, during which the attacker could download malicious code and subsequently gain full control over the device’s processes.
In their report, the experts say they do not know why Siemens would have installed such access on these devices: “This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information,” the experts say.
During the investigation, the experts discovered that this hidden access can also be useful for security researchers, as it provides forensic access to the device’s memory. “We managed to use this feature to access the contents of the PLC’s memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access,” the experts conclude. The findings will be officially presented during a cybersecurity event to be held next month in London.
On the other hand, Siemens received the report on this security flaw in a timely manner and has already announced the launch of a solution as soon as possible. “We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update,” the company’s statement says.
It is still unknown whether Siemens will deploy only software updates or whether new hardware components will be needed to fix this vulnerability. International Institute of Cyber Security (IICS) web application security specialists mention that a hardware replacement would be a definitive solution, but it is very complicated to perform for all affected devices (something similar to the Nintendo Switch case). That being said, the company will most likely release continuous security updates to fix the flaw.
A couple of months ago, another investigation into Siemens S7 PLCs was revealed; on that occasion, experts discovered that all modern PLC S7 families were running the same firmware version, and they even shared the same cryptographic key; the company received all these reports and began the process of correcting security flaws.
TRENDMICRO ANTIVIRUS CUSTOMERS’ INFORMATION WAS LEAKED AND SOLD TO ONLINE SCAMMERS
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/07/trendmicro-antivirus-customers-information-was-leaked-and-sold-to-online-scammers/
We must not forget that even specialized companies can suffer cybersecurity incidents. According to digital forensics experts, an employee of Japan-based security firm TrendMicro was discovered stealing information from the company’s customers and selling it to third parties aiming to deploy sophisticated tech support scam campaigns.
The targets of this campaign were the company’s customers using a home-use security solution, who received phone calls from threat actors posing as TrendMicro customer service employees.
The company began receiving reports of these calls, in which the criminals used information handled only by some TrendMicro employees, leading the company to suspect that the attackers had the collaboration of an insider. After an internal investigation, TrendMicro determined that an employee had been improperly accessing a database operated by the company’s customer service area to extract sensitive information and sell it to scammers.
“After a thorough investigation, our digital forensics team was able to confirm that this is an internal threat,” the company mentions in a blog post. “One of our employees fraudulently accessed our customer support databases, extracting information including names, email addresses, phone numbers, and client support query backup”.
The company also added that, so far, there is no evidence to prove that other sensitive data, such as payment card information, was also compromised. The employee has already been fired by TrendMicro and is awaiting legal proceedings against him.
The company claims that less than 1% of TrendMicro tech support users were affected by this fraudulent campaign. In addition, the company’s digital forensics team report highlights the fact that only English speakers were attacked in this campaign.
Although no financial data was extracted from affected customers, it is possible that the attackers tried to make arbitrary charges for support services that were not really needed.
As a security measure, users are reminded that TrendMicro never makes unsolicited support calls, so in case of receiving a call from an alleged customer service employee users must hang up immediately and, if possible, notify TrendMicro.
International Institute of Cyber Security (IICS) digital forensics specialists mention that TrendMicro’s corporate clients were not targeted by the operators of this campaign, although they recommend that the company remain vigilant, as this is the second incident of unauthorized access to sensitive information that occurred recently on TrendMicro. A few months ago, it was reported that an unidentified hacker accessed a company test lab and managed to extract more than 30 terabytes of information, including sensitive source code.
DATA BREACHES COULD INCREASE THE PRICE OF A COMPANY’S SHARES. THE REASON WHY COMPANIES DON’T FIX THEIR SECURITY
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/07/data-breaches-could-increase-the-price-of-a-companys-shares-the-reason-why-companies-dont-fix-their-security/
Data breach incidents can be catastrophic for any organization, resulting in large fines, loss of user or customer trust, and public image damage. However, recent research conducted by information security specialists has found that these incidents could in fact be beneficial for some companies.
As you may recall, a data breach involves unauthorized access or disclosure of personal information records. Most countries have legislation applicable in these cases, although not all governments in the world similarly punish such incidents.

Information security specialists stress that any company could be impacted by such incidents, regardless of whether it is a public or private organization and no matter the industry sector to which it belongs. Whether airlines, banks, public institutions or e-commerce sites, they are all exposed to a data breach.
One of the main indicators for measuring the impact of a data breach on a company is the price of its shares. Information security services firm Comparitech has conducted an analysis of some companies listed on the US stock exchange for the purpose of determining the impact that a data breach has on the stock performance of a compromised company.
From the study of 33 different cases, the researchers found that, on average, a company affected by a data breach lost 7.3% of the value of its shares; in the worst cases, stocks could fall for up to 15 consecutive days.
Yes, this is an undesirable scenario, although the investigation took a surprising turn. About six months after the incident, all affected companies achieved even higher growth than in the six months prior to the data breach (an average of 7.1% compared to previous growth of 4%).
In addition, the researchers found that the more recent the data breach, the larger the decline it causes in the share price of the affected company. Among the companies concerned, financial institutions were the hardest hit, while health care companies suffered the financial impact of these incidents to a lesser extent.
According to information security specialists from the International Institute of Cyber Security (IICS), one of the possible causes of this revaluation is the way in which companies handle these incidents. After suffering a data breach, a company can update its security policies and practices, in addition to its IT infrastructure, and finally undergo audits that demonstrate an improvement in its IT security systems, supporting its growth after completing cybersecurity incident recovery processes.
However, Comparitech experts recognize that their research only focuses on analyzing the price of a company’s shares, adding that other variables, such as legal proceedings against affected companies, also influence performance in the stock exchange.
Tuesday, 12 November 2019
MARRIOTT HOTEL CHAIN EMPLOYEE DATA LEAK. WHY DO COMPANIES ALLOW THIS TO HAPPEN?
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/marriott-hotel-chain-hacked-again-customers-personal-information-leaked-why-do-companies-allow-this-to-happen/
Marriott International hotel chain has alerted its associates about a cyber security incident that could negatively impact the security of some associates’ data (specifically their social security numbers), after an unidentified threat actor accessed the network of an outside vendor formerly used by Marriott, data protection experts reported. This incident did not involve or impact the security of Marriott’s systems or platforms. A limited number of current and former Marriott US employees’ information was involved in the incident, and all of these employees are in the process of being notified by Marriott in accordance with US legal requirements.
The company mentions that the exposure of information stems from a cyberattack suffered by an external vendor which previously had worked for Marriott: “Marriott learned on September 4, 2019, that an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott,” the company’s statement says.
Apparently, this vendor worked for Marriott receiving official documents (citations, court orders, etc.); the vendor acted as Marriott’s agent for the purpose of receiving service of official legal documents such as subpoenas and court orders. No partners’ data was involved, only that of a limited number of employees, data protection specialists mention.
After detecting this information exposure, Marriott contacted the third party provider, which ensured that it is handling this incident in the best possible way: “We have been in frequent contact with the vendor since we learned what occurred to ensure appropriate action is being taken in response. Marriott has already terminated its relationship with the vendor, and the vendor confirmed that it has securely removed all information regarding Marriott associates from its network,” the hotel chain added.
As a security measure, Marriott announced that affected associates will be provided with a free identity theft protection service for one or two years, depending on US state law requirements.
Although the company learned about this incident two months ago, it could not be publicly disclosed, as it was necessary to inform each affected associate directly first, in addition to notifying the competent authorities. All affected current and former Marriott associates will have been notified by early next week. Marriott has identified and reported the final number of affected employees to US regulators in accordance with US legal requirements.
This is not the first security incident reported by Marriott. About a year ago, data protection specialists from the International Institute of Cyber Security (IICS) reported that a hacker group managed to compromise the databases of Starwood, one of Marriott’s multiple brands, exposing almost 383 million records (not unique guests, as there were multiple records for the same guests).
NO ONE GAVE A DAMN ABOUT THIS NEW FACEBOOK DATA BREACH; USERS’ PERSONAL INFORMATION LEAKED AGAIN
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/no-one-gave-a-damn-about-this-new-facebook-data-breach-users-personal-information-leaked-again/
According to information security specialists, about one hundred web application developers may have had improper access to the data of millions of Facebook users, as the company made a mistake that lifted some of the restrictions on access to this information.
Because the data breach was publicly disclosed only through Facebook’s developer blog, this incident went almost completely unnoticed, except by some members of the cybersecurity community.
Although Facebook updated its group access parameters over a year ago, users’ names and profile photos, as well as their activity logs in certain groups, remained accessible to specific developers during this incident, the company’s publication mentions.
In addition, information security specialists point out that, of the nearly 100 developers with this access through the Facebook Groups API, at least a dozen had been actively querying this information over the past two months.
It should be noted that, before April 2018, Facebook group administrators could give app developers access to the group information. Since the update to the group APIs, when an administrator authorizes an app, developers can only access data such as the group name, the number of participants and the content of posts.
These API updates are part of the measures implemented by Facebook after the Cambridge Analytica scandal was revealed, with which the company sought to improve its data usage policies for users and the companies that can access them.
Facebook claims that it has asked the developers involved to delete any records of information obtained through this improper access, adding that it will conduct security audits to verify that this is properly complied with. However, many information security experts believe that the company is not acting with full transparency, as the names of the developers, apps or Facebook groups involved were not disclosed, citing security reasons.
Finally, the social media giant assured its users (although the message was addressed to developers) that so far there is no evidence of abuse of this anomalous access; although when it comes to Facebook, data privacy always seems to be breached in one way or another.
This has been a turbulent year for Facebook in terms of data breach incidents, prompting authorities in various parts of the world to take significant decisions. A few months ago, information security specialists from the International Institute of Cyber Security (IICS) reported a landmark decision by the Federal Trade Commission (FTC), which decided to impose a record $5 billion USD fine on Facebook for its multiple practices that violate various user data protection laws; still, many consider that this fine remains insufficient to put real pressure on these companies.
TRUMP.EXE; THE FAKE RANSOMWARE THAT EXPLOITS THE IMAGE OF PRESIDENT DONALD TRUMP
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/trump-exe-the-fake-ransomware-that-exploits-the-image-of-president-donald-trump/
US President Donald Trump always resorts to the term ‘fake news’ to refer to news reports that are not favorable to him, and despite criticism for his constant attacks on the press, this time the term fits perfectly with the incidents reported by digital forensics specialists.
Recently, several cases of a fake Donald Trump themed ransomware have been reported; the operators of this campaign deliver a malicious file via email and seek to profit by displaying a ransom note that demands payment to decrypt files that were never actually encrypted.
When the alleged ransomware is installed on the victims’ computers (via the trump.exe file), the hackers lock the targeted computer and display only an image of Trump, in addition to the ransom note featured in almost every ransomware infection.
The digital forensics experts at the malware research firm Cisco Talos Intelligence mention that they have accumulated multiple pieces of evidence about this fake ransomware. A report signed by Cisco expert Nick Biasini mentions: “The collected samples do not encrypt the victim’s data, or in some cases only partially and poorly do so. The main goal is to trick users into believing that their information has been locked or completely lost, which forces them to pay a ransom when their screen was just locked”.
In addition to the image of President Trump, the operators of this campaign are also using the image of Russian President Vladimir Putin to lock the screens of hundreds of victims and display a threatening message: “Your PC has been blocked by PuTiN malware”, or some similar message. In these attacks, the victims’ wallpaper is also modified, showing a pattern of burning skulls.
After completing its installation, this Putin-themed malware locks the victims’ screens and removes the icons from the desktop and the taskbar, as well as the task manager. Victims are then shown the method to contact the hackers and a ransom figure.
Although the research is still ongoing, digital forensics experts say these infections are likely to start through massive spam campaigns on social media and via email. “Potential victims are exposed to fake advertisements or emails related to the prevention of banking fraud; some of these messages are sent by supposed risk prevention executives from companies like Visa,” the experts mention.
A few months ago, multiple cases of infection with locker malware using Trump’s image (known as Donald Trump Error) were detected, although further details about its developers and goals are still unknown.
As digital forensics specialists from the International Institute for Cyber Security (IICS) mention, the proximity of the 2020 US presidential election makes it much more likely that technology users will become victims of Internet scams involving the use of political themes.
GRAND THEFT AUTO AND RED DEAD REDEMPTION DEVELOPERS OFFER UP TO $10K USD TO HACK THEIR VIDEOGAMES
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/grand-theft-auto-and-red-dead-redemption-developers-offer-up-to-10k-usd-to-hack-their-videogames/
A couple of years ago, video game developer company Rockstar Games, in partnership with cybersecurity platform HackerOne, launched a vulnerability bounty program to look for security flaws and possible hacking vectors in Grand Theft Auto Online. Ethical hacking experts now report that this program will be extended to Red Dead Redemption 2 (for PC, PS4 and Xbox One), as well as to mobile versions of some of the company’s games.
“We are committed to the privacy and security of our users’ information. We will soon be launching a new bounty program in HackerOne to incentivize researchers’ participation and the search for potential security errors in our products,” the company’s statement says.
The company will pay a minimum fee of $150 USD to researchers who submit reports that fit the parameters of the bounty program. It is important to note that the program is limited to reports of in-game security issues or potential security risks to users’ information, so Rockstar Games will not accept in-game bug reports, hardware modifications (modding) or cheating methods.
According to ethical hacking experts, Rockstar Games has banned hundreds of users for alleged abusive behavior in its online games. Although the company claims that it has never incorrectly or arbitrarily banned any user, the new bounty program offers a payment of up to $10k USD to any researcher who reports an erroneous ban made by the company’s moderators.
The parameters for a report to be eligible for a bounty were also updated; major modifications include:
- The report must conform to all the terms of the program, no exception
- The report should refer to a previously unreported flaw
- If more than one report on the same flaw is received, the report that was first received will be the first to be considered
- Flaws should not be disclosed by any means before or after submitting reports to Rockstar Games
In addition, ethical hacking experts mention that the company is willing to receive recommendations on new security measures, but the program is fully focused on finding and resolving exploitable security vulnerabilities. In other words, recommendations are welcome, but they are not eligible for rewards.
Vulnerability bounty programs have proven to be success stories in the fight against hackers exploiting vulnerabilities in multiple software products, so large companies are turning to this approach to an increasing extent. According to ethical hacking experts from the International Institute of Cyber Security (IICS), during 2018 Microsoft paid more than $2 million USD to researchers who participated in its various vulnerability bounty programs. It is estimated that the figure at the end of 2019 will increase considerably, as the company extended its program to other areas, such as GitHub and open source software used by the European Union, among others.
Monday, 11 November 2019
A SERIOUS RANSOMWARE ATTACK SHUTS DOWN OPERATIONS IN CANADIAN REGION NUNAVUT
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/05/a-serious-ransomware-attack-shuts-down-operations-in-canadian-region-nunavut/
Ransomware remains one of the main cybersecurity threats for any individual or company. Vulnerability testing specialists report a serious ransomware infection that has crippled all computer operations in Nunavut, a remote Canadian territory.
In a statement, the local government said, “All government services that depend on access to digital resources have been affected by a sophisticated infection”.
At the moment, basic public services, such as electricity, have not been compromised, Premier Joe Savikataaq said; “Our vulnerability testing team has told us that there may be some failures when our systems are re-established,” the premier added. However, it is anticipated that the restoration of the systems could be a highly complex process for the administration of Nunavut, a territory of enormous extent (almost 2 million km²) with only 35 thousand inhabitants.
Although the government of the region did not explicitly mention what kind of computer threat it is facing, local media accessed a copy of the ransom note found on Nunavut’s systems, which is in fact identical to the note delivered in infections by the DoppelPaymer ransomware.
Vulnerability testing specialists at security firm Emsisoft believe this incident could be related to the ransomware attacks reported by government organizations in different US territories. According to these reports, ransomware attacks in the US have decreased markedly, so attackers could be looking for new victims, in this case municipalities in Canada.
“Organizations in the US have better measures to protect against these incidents, so threat actors could move their operations against other, less complex targets,” the company’s report says.
This has been a hectic start to the week on cybersecurity issues for many companies and government bodies in various parts of the world. Just a few hours ago, specialists from the International Institute of Cyber Security (IICS) reported what appears to be a ransomware campaign against some Spanish organizations; one of the first victims was the broadcaster Cadena SER, whose listeners reported constant failures in the transmissions.
THESE FREE WORDPRESS THEMES AND PLUGINS MIGHT CONTAIN MALWARE. AVOID THEIR INSTALLATION
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/05/these-free-wordpress-themes-and-plugins-might-contain-malware-avoid-their-installation/
WordPress is probably the most popular content management system (CMS) today, so it’s no wonder it’s also the subject of multiple cybersecurity threats. According to cybersecurity experts, the most serious of these threats is a criminal campaign deployed by a group identified as WP-VCD, from which most hacking incidents against WordPress sites stem.
A report published by the specialized platform ZDNet provides extensive details about this attack campaign, addressing one topic with special interest: the fact that these hackers do not exploit vulnerabilities to infiltrate the compromised sites and install backdoors, but instead use pirated versions of legitimate WordPress themes and plugins, so they simply wait for a website administrator to download and install the infected software.
Cybersecurity experts detected multiple signs of these hackers’ activity on fraudulent websites, offering pirated versions of paid WordPress plugins and themes. In addition, all of these malicious sites have good rankings in search results because they receive keyword boost from all WordPress sites that have already been hacked, cybersecurity experts report, so it’s really easy for a user to find this malware.
The report names ten fraudulent download sites on which this malicious activity was detected.
To check this behavior, cybersecurity experts performed a Google search, entering the name of some popular WordPress themes along with the word ‘download’, discovering that the first page of results shows at least three of these sites.
After a website administrator downloads any of the infected plugins or themes, it takes only a few seconds for the WordPress site to be fully compromised. Installing these components adds a backdoor identified as ‘100010010’ to the target site, ensuring that the hackers have a way to access the installation.
Subsequently, the WP-VCD malware is added to all the themes used on the site, so that uninstalling a single theme does not remove it from the system. Finally, if the malware runs in a shared hosting environment, it can spread to other servers, infecting other sites hosted on the same system.
According to the experts of the International Institute of Cyber Security (IICS), the main goal of these hackers is to use the hacked sites to create a botnet and, from a C&C, control all the activities of these sites.
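A defender-side check for the behaviour described in this section, as an added example that is not code from the article or from the WP-VCD research: it scans a wp-content/themes tree for the ‘100010010’ marker the article quotes, and for themes whose functions.php opens with the same lines, the footprint of a loader re-added to every theme. The choice of functions.php as the injection point, the file name loader-stub.php and the theme contents are assumptions constructed for the example.

```python
"""Heuristic scan for the cross-theme re-infection pattern described above.
Added example, not code from the article or the WP-VCD research: the article
gives only the backdoor id '100010010' and says the malware is re-added to
every theme; functions.php as injection point and the file names are assumed.
"""
import tempfile
from collections import Counter
from pathlib import Path

MARKER = "100010010"   # backdoor identifier quoted in the article
MIN_SHARED_LINES = 2   # leading lines two themes must share to be flagged


def leading_lines(php_file, count=MIN_SHARED_LINES):
    """First `count` non-empty code lines of a PHP file, without the PHP tags."""
    lines = [l.strip() for l in php_file.read_text(errors="replace").splitlines()]
    return tuple(l for l in lines if l and l not in ("<?php", "?>"))[:count]


def scan_themes(themes_dir):
    """Report files carrying the marker and themes whose functions.php opens with
    the same lines. Each legitimate theme ships its own functions.php, so a shared
    opening block matches the 'added to all themes' behaviour; treat as triage."""
    themes_dir = Path(themes_dir)
    marker_hits, heads = [], {}
    for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        for php in sorted(theme.rglob("*.php")):
            if MARKER in php.read_text(errors="replace"):
                marker_hits.append(php.relative_to(themes_dir).as_posix())
        functions = theme / "functions.php"
        if functions.is_file():
            heads[theme.name] = leading_lines(functions)
    seen = Counter(heads.values())
    shared = sorted(name for name, head in heads.items()
                    if len(head) == MIN_SHARED_LINES and seen[head] >= 2)
    return {"marker_hits": marker_hits, "shared_block_themes": shared}


# Constructed, inert stand-in for an injected loader (no real malware code).
INJECTED = (f"<?php\n$wp_vcd_marker = '{MARKER}'; // constructed sample\n"
            "include_once 'loader-stub.php'; // constructed sample\n")

# Constructed functions.php bodies for three themes; the names are illustrative.
THEMES = {
    "twentynineteen": "<?php\nadd_action('wp_enqueue_scripts', 'tn_scripts');\n",
    "twentytwenty": "<?php\nrequire get_template_directory() . '/inc/tags.php';\n",
    "nulled-pro": "<?php\nadd_theme_support('post-thumbnails');\n",
}


def build_sample_site(infected):
    """Create a throwaway wp-content/themes tree from the constructed data."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "themes"
    for name, functions_php in THEMES.items():
        theme = root / name
        theme.mkdir(parents=True)
        if infected:
            # the pirated theme carries the backdoor file, and the loader is
            # prepended to every theme's functions.php, as the article describes
            functions_php = INJECTED + functions_php.replace("<?php\n", "", 1)
            if name == "nulled-pro":
                (theme / "loader-stub.php").write_text(
                    f"<?php // constructed backdoor stand-in, id {MARKER}\n")
        (theme / "functions.php").write_text(functions_php)
    return root


if __name__ == "__main__":
    print(scan_themes(build_sample_site(True)))
```

Point `scan_themes` at a real wp-content/themes directory to triage an installation; a shared opening block across themes is a prompt for manual review, not a verdict on its own.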
DOWNLOAD THIS PARADISE RANSOMWARE DECRYPTION TOOL AND SAVE YOUR FILES
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/05/download-this-paradise-ransomware-decryption-tool-and-save-your-files/
A team of ethical hacking specialists has developed a free tool to remove the encryption implemented by the ransomware variant known as Paradise, which provides victims of this infection an option to regain access to their encrypted files without having to negotiate with threat actors.
Paradise ransomware has been active at least since September 2017 and, according to experts from security firm Emsisoft, the perpetrators of these infections continue to distribute the ransomware today.
Ethical hacking experts claim that this encryption malware is not used directly by its developers, but is sold to third parties, who are responsible for delivering the malicious file to victims, a practice known as ‘ransomware-as-a-service’. After infecting the victim’s device and encrypting the files, Paradise appends one of several extensions to them, among which are .paradise, .2ksys19, .p3rf0rm4 and .FC; Paradise has been shown to use at least 50 different extensions in its attacks.
The creators of this free tool (available here) state that it is possible to remove the encryption for most extensions used by Paradise, although they also point out that, if a user fails to decrypt their files, they should be patient and keep the encrypted files until the next update to this tool appears.
Upon completion of the encryption, Paradise shows the victims different versions of the ransom note, as this depends on the third party who delivered the malware; the common denominator of these notes, as in most ransomware infections, is the demand for a payment in Bitcoin. However, experts say that no matter who the attacker is, the tool is fully functional.
On previous occasions, Emsisoft ethical hacking experts also published tools to remove encryption from other ransomware variants, such as STOP Djvu, HildaCrypt, Avest and Muhstik, and their collaboration was instrumental in publishing a decryptor for the GandCrab ransomware, which was used in nearly 50% of global ransomware infections.
The work of the cybersecurity community is fundamental in the fight against ransomware attacks. A couple of weeks ago, experts from the International Institute of Cyber Security (IICS) reported the case of a German ethical hacker who, after falling victim to a ransomware infection, managed to infiltrate the attackers’ servers to extract the malware code and use it to develop a decryption tool, benefiting hundreds of victims.