Tuesday, 12 November 2019

TRUMP.EXE; THE FAKE RANSOMWARE THAT EXPLOITS THE IMAGE OF PRESIDENT DONALD TRUMP

ORIGINAL CONTENT: https://noticiasseguridad.com/malware-virus/trump-exe-el-falso-ransomware-que-explota-la-imagen-del-presidente-donald-trump/

US President Donald Trump always resorts to the term ‘fake news’ to refer to news reports that are not favorable to him, and despite criticism for his constant attacks on the press, this time the term fits the situation reported by digital forensics specialists perfectly.

Recently, several cases have been reported of a fake Donald Trump-themed ransomware delivered via email; the operators of this campaign seek to trick victims by displaying a ransom note in order to profit from decrypting files that were never actually encrypted.

When the supposed ransomware is installed on the victims’ computers (thanks to the trump.exe file), the hackers lock the target computer and display only an image of Trump, along with the ransom note characteristic of all ransomware infections.

Digital forensics experts at the malware research firm Cisco Talos Intelligence say they have gathered multiple pieces of evidence about this fake ransomware. A report signed by Cisco expert Nick Biasini states: “The collected samples do not encrypt the victims’ data, or in some cases do so only partially and poorly. The main goal is to trick users into believing that their information has been locked or completely lost, which forces them to pay a ransom when their screen was merely locked”.

Screenshot of Putin Locker

In addition to the image of President Trump, the operators of this campaign are also using the image of Russian President Vladimir Putin to lock the screens of hundreds of victims and display a threatening message: “Your PC has been locked by the PuTiN locker”, or some similar message. In these attacks, the victims’ wallpaper is also changed to show a pattern of flaming skulls.

After completing its installation, this Putin-themed malware locks the victims’ screen and removes the desktop icons and the taskbar, as well as the task manager. Victims are then shown the means of contact for arranging a payment with the hackers.

Although the investigation is still ongoing, digital forensics experts suggest that these infections probably begin through massive spam campaigns on social media and via email. “Potential victims are exposed to fake advertisements or emails related to the prevention of bank fraud; some of these messages are sent by a supposed risk prevention executive from companies such as Visa,” the experts say.

Screenshot of the “Error Donald Trump”

A few months ago, multiple cases of infection with locker malware using Trump’s image (known as Error Donald Trump) were detected, although further details about its developers and goals remain unknown.

As digital forensics specialists from the International Institute of Cyber Security (IICS) mention, the proximity of the 2020 US presidential election makes it much more likely that technology users will become victims of Internet scams that use political themes.


MARRIOTT HOTEL CHAIN EMPLOYEE DATA LEAK. WHY DO COMPANIES ALLOW THIS TO HAPPEN?

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/marriott-hotel-chain-hacked-again-customers-personal-information-leaked-why-do-companies-allow-this-to-happen/

The Marriott International hotel chain has alerted its associates about a cyber security incident that could negatively impact the security of some associates’ data (specifically their social security numbers), after an unidentified threat actor accessed the network of an outside vendor formerly used by Marriott, data protection experts reported. This incident did not involve or impact the security of Marriott’s systems or platforms. A limited number of current and former Marriott US employees’ information was involved in the incident, and all of these employees are in the process of being notified by Marriott in accordance with US legal requirements.

The company mentions that the exposure of information stems from a cyberattack suffered by an external vendor that had previously worked for Marriott: “Marriott learned on September 4, 2019, that an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott,” the company’s statement says.

Apparently, this vendor worked for Marriott receiving official documents (citations, court orders, etc.). The vendor acted as Marriott’s agent for purposes of receiving service of official legal documents such as subpoenas and court orders. No partners were involved, only a limited number of employees, data protection specialists mention.

After detecting this information exposure, Marriott contacted the third-party provider, which gave assurances that it is handling this incident in the best possible way: “We have been in frequent contact with the vendor since we learned what occurred to ensure appropriate action is being taken in response. Marriott has already terminated its relationship with the vendor, and the vendor confirmed that it has securely removed all information regarding Marriott associates from its network,” the hotel chain added.

As a security measure for affected associates, Marriott announced that they will be provided with a free identity theft protection service for one year or two years, depending on US state law requirements.

Although the company learned about this incident two months ago, the incident could not be publicly disclosed, as it was necessary to inform each affected associate directly beforehand, in addition to notifying the competent authorities. All affected current and former Marriott associates will have been notified by early next week. Marriott has identified and reported the final number of affected employees to US regulators in accordance with US legal requirements.

This is not the first security incident reported by Marriott. About a year ago, data protection specialists from the International Institute of Cyber Security (IICS) reported that a hacker group managed to compromise the databases of Starwood, one of Marriott’s multiple brands, exposing almost 383 million records (not unique guests, as there were multiple records for the same guests).


NO ONE GAVE A DAMN ABOUT THIS NEW FACEBOOK DATA BREACH; USERS’ PERSONAL INFORMATION LEAKED AGAIN

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/no-one-gave-a-damn-about-this-new-facebook-data-breach-users-personal-information-leaked-again/

According to information security specialists, about one hundred web application developers may have had improper access to the data of millions of Facebook users, as the company made a mistake that led to the revocation of some restrictions on access to this information.

Because the data breach was publicly disclosed only through Facebook’s developer blog, this incident went almost completely unnoticed, except for some members of the cybersecurity community.

Although Facebook group access parameters were updated over a year ago, during this incident users’ names and profile photos, in addition to their activity logs in certain groups, remained accessible to specific developers, the company’s publication mentioned.

In addition, information security specialists point out that, of the nearly 100 developers with this access through the Facebook Groups API, at least a dozen would have been actively consulting this information over the past two months.

It should be noted that, before April 2018, Facebook group administrators could give app developers access to the group information. After the update to the group APIs, when an administrator authorizes an app, developers can only access data such as the group name, number of participants, and post content.

These API updates are part of the measures implemented by Facebook after the Cambridge Analytica scandal was revealed, with which the company sought to improve its data usage policies for users and the companies that can access them.

Facebook claims that it has asked the developers involved to delete any records of information obtained through this improper access, adding that it will conduct some security audits to verify that this process is properly complied with. However, many information security experts believe that the company is not acting with full transparency, as the names of the developers, apps or Facebook groups involved were not disclosed, arguing security reasons.

Finally, the social media giant assured its users (although the message was addressed to developers) that until now there is no evidence to demonstrate abuse of this anomalous access; although when it comes to Facebook, data privacy always seems breached in one way or another.

This has been a turbulent year for Facebook in terms of data breach incidents, so authorities in various parts of the world have made relevant decisions. A few months ago, information security specialists from the International Institute of Cyber Security (IICS) reported a landmark decision by the Federal Trade Commission (FTC), which decided to impose a record $5 billion USD fine on Facebook for its multiple practices that violate various user data protection laws; still, many consider that this fine remains insufficient to put real pressure on these companies.


TRUMP.EXE; THE FAKE RANSOMWARE THAT EXPLOITS THE IMAGE OF PRESIDENT DONALD TRUMP

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/trump-exe-the-fake-ransomware-that-exploits-the-image-of-president-donald-trump/

US President Donald Trump always resorts to the term ‘fake news’ to refer to news reports that are not favorable to him, and despite criticism for his constant attacks on the press, this time the term fits perfectly with the incidents reported by digital forensics specialists.

Recently, several cases of a fake Donald Trump-themed ransomware have been reported; the operators of this campaign deliver a malicious file via email, seeking to trick victims by displaying a ransom note in order to profit from decrypting files that were never actually encrypted.

When the alleged ransomware is installed on the victims’ computers (thanks to the trump.exe file), the hackers lock the targeted computer and display only an image of Trump, in addition to the ransom note featured in almost every ransomware infection.

The digital forensics experts at the malware research firm Cisco Talos Intelligence mention that they have accumulated multiple pieces of evidence about this fake ransomware. A report signed by Cisco expert Nick Biasini mentions: “The collected samples do not encrypt the victim’s data, or in some cases only partially and poorly do so. The main goal is to trick users into believing that their information has been locked or completely lost, which forces them to pay a ransom when their screen was just locked”.

Screenshot of Putin Locker

In addition to the image of President Trump, the operators of this campaign are also using the image of Russian President Vladimir Putin to lock the screens of hundreds of victims and display a threatening message: “Your PC has been blocked by PuTiN malware”, or some similar message. In these attacks, the victims’ wallpaper is also modified, showing a pattern of burning skulls.

After completing its installation, this Putin-themed malware locks the victims’ screens and removes the desktop icons and the taskbar, as well as the task manager. Victims are then shown the method to contact the hackers and set a ransom figure.

Although the research is still ongoing, digital forensics experts say these infections are likely to start through massive spam campaigns on social media and via email. “Potential victims are exposed to fake advertisements or emails related to the prevention of banking fraud; some of these messages are sent by supposed risk prevention executives from companies like Visa,” the experts mention.

Screenshot of the “Donald Trump Error”

A few months ago, multiple cases of infection with locker malware using Trump’s image (known as Donald Trump Error) were detected, although further details about its developers and goals are still unknown.

As digital forensics specialists from the International Institute for Cyber Security (IICS) mention, the proximity of the 2020 US presidential election makes it much more likely that technology users will become victims of Internet scams involving the use of political themes.


GRAND THEFT AUTO AND RED DEAD REDEMPTION DEVELOPERS OFFER UP TO $10K USD TO HACK THEIR VIDEOGAMES

ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/11/06/grand-theft-auto-and-red-dead-redemption-developers-offer-up-to-10k-usd-to-hack-their-videogames/

A couple of years ago, video game developer Rockstar Games, in partnership with cybersecurity platform HackerOne, launched a vulnerability bounty program to look for security flaws and possible hacking vectors in Grand Theft Auto Online. Ethical hacking experts now report that this program will be extended to Red Dead Redemption 2 (for PC, PS4 and Xbox One), as well as to mobile versions of some of the company’s games.

“We are committed to the privacy and security of our users’ information. We will soon be launching a new bounty program in HackerOne to incentivize researchers’ participation and the search for potential security errors in our products,” the company’s statement says.

The company will pay a minimum fee of $150 USD to researchers who submit reports that fit the parameters of the bounty program. It is important to note that the program is limited to reports of in-game security issues or potential security risks of users’ information, so Rockstar Games will not include in-game bug reports, modifications of hardware (modding) or cheating methods.

According to ethical hacking experts, Rockstar Games has banned hundreds of users for alleged abusive behavior in its online games. Although the company claims that it has never incorrectly or arbitrarily banned any user, the new bounty program offers a payment of up to $10k USD to any researcher who reports an erroneous ban made by the company’s moderators.

The parameters for a report to be eligible for a bounty were also updated; major modifications include:

  • The report must conform to all the terms of the program, no exception
  • The report should refer to a previously unreported flaw
  • If more than one report on the same flaw is received, the report that was first received will be the first to be considered
  • Flaws should not be disclosed by any means before or after submitting reports to Rockstar Games

Besides, ethical hacking experts mention that the company is willing to receive recommendations on new security measures, but the program is fully focused on finding and resolving exploitable security vulnerabilities. In other words, recommendations are welcome, but they are not eligible for rewards.

Vulnerability bounty programs have proven to be success stories in the fight against hackers exploiting vulnerabilities in software products, so large companies are increasingly turning to this approach. According to ethical hacking experts from the International Institute of Cyber Security (IICS), during 2018 Microsoft paid more than $2 million USD to researchers who participated in its various vulnerability bounty programs. It is estimated that the figure at the end of 2019 will increase considerably, as the company extended its program to other areas, such as GitHub and open source software used by the European Union, among others.


Monday, 11 November 2019

A SEVERE RANSOMWARE ATTACK DISRUPTS OPERATIONS IN THE CANADIAN REGION OF NUNAVUT

ORIGINAL CONTENT: https://noticiasseguridad.com/hacking-incidentes/un-severo-ataque-de-ransomware-interrumpe-operaciones-en-la-region-canadiense-de-nunavut/

Ransomware remains one of the main cybersecurity threats for any individual or company. Vulnerability analysis specialists report a severe ransomware infection that has paralyzed all IT operations in Nunavut, a remote Canadian territory.

In a statement, the local government said: “All government services that depend on access to digital resources have been affected by a sophisticated infection”.

For the moment, basic public services, such as electricity, have not been compromised, said Premier Joe Savikataaq; “our vulnerability analysis team has told us that there may be some failures when our systems are restored,” the premier added. However, restoring the systems is expected to be a highly complex process for the administration of Nunavut, an area that covers an enormous territory (almost 2 million km²) but has barely 35 thousand inhabitants.

Although the region’s government did not explicitly state what kind of IT threat it is facing, local media obtained a copy of the ransom note found on Nunavut’s systems, which is in fact identical to the note delivered in DoppelPaymer ransomware infections.

Vulnerability analysis specialists at the security firm Emsisoft believe that this incident could be related to the ransomware attacks detected at government organizations in different US territories. According to these reports, ransomware attacks in the US have decreased notably, so the attackers could be looking for a new victim, in this case municipalities in Canada.

“Organizations in the US have increasingly better protection measures against these incidents, so threat actors could shift their operations to other, less complex targets,” the company’s report says.

This has been a hectic start to the week in cybersecurity for many companies and government bodies in various parts of the world. Just a few hours ago, specialists from the International Institute of Cyber Security (IICS) reported what appears to be a ransomware campaign against some Spanish organizations; one of the first victims was the radio broadcaster Cadena SER, whose listeners reported constant broadcast failures.


THESE FREE WORDPRESS THEMES AND PLUGINS COULD CONTAIN MALWARE. AVOID INSTALLING THEM

ORIGINAL CONTENT: https://noticiasseguridad.com/malware-virus/estos-temas-y-plugins-gratuitos-de-wordpress-podrian-contener-malware-evite-su-instalacion/

WordPress is probably the most popular content management system (CMS) today, so it is no surprise that it is also the target of multiple cybersecurity threats. According to cybersecurity experts, the most serious of these threats is a criminal campaign run by a group identified as WP-VCD, from which most hacking incidents against WordPress sites derive.

A report published by the specialized platform ZDNet provides extensive details about this attack campaign, addressing one point of particular interest: these hackers do not exploit vulnerabilities to infiltrate the compromised sites and install backdoors; instead they use pirated versions of themes and plugins, so they only have to wait for a website administrator to download and install the infected software.

Cybersecurity experts detected multiple signs of these hackers’ activity on fraudulent websites that offer pirated versions of paid WordPress plugins and themes. In addition, all these malicious sites rank well in search results because they receive a keyword boost from all the WordPress sites that have already been hacked, the cybersecurity experts report, so it is really easy for a user to find this malicious software.

The sites where this malicious activity was detected are:

To verify this behavior, the cybersecurity experts ran a Google search, entering the names of some popular WordPress themes together with the word ‘download’, and found that the first page of results shows at least three of these sites.

After website administrators download any of the infected plugins or themes, it takes only a few seconds for their WordPress site to be completely compromised. Downloading these components adds to the target site a backdoor identified as ‘100010010’, which ensures that the hackers have a way to access the installation.

Subsequently, the WP-VCD malware is added to all the themes used on the site, to prevent it from disappearing from the system due to a possible uninstallation. Finally, if the malware is operating in a shared hosting environment, it can spread to other servers, infecting other sites hosted on the same system.

According to experts from the International Institute of Cyber Security (IICS), the main goal of these hackers is to use the hacked sites to create a botnet and, from a C&C, control all the activity of these sites.