India among top seven countries at high ransomware risk: Sophos

India is among the top seven countries that are highly vulnerable to ransomware circulation as cyber attacks on Windows, Android, Linux and MacOS systems have increased this year globally, a new report has said. 

“Ransomware has become platform-agnostic. Ransomware mostly targets Windows computers, but this year, SophosLabs saw an increased amount of crypto attacks on different devices and operating systems,” said Dorka Palotay, SophosLabs Security Researcher, in a statement on Saturday.

According to "SophosLabs 2018 Malware Forecast" by a global network and endpoint security leader Sophos, two types of Android attack methods are emerging -- locking the phone without encrypting data and locking the phone while encrypting the data.
WannaCrypt, unleashed in May 2017, was the top ransomware intercepted from customer computers, dethroning the long-time ransomware leader Cerber, which first appeared in early 2016. WannaCrypt accounted for 45.3 percent of all ransomware tracked through SophosLabs with Cerber accounting for 44.2 percent.

“For the first time, we saw ransomware with worm-like characteristics, which contributed to the rapid expansion of WannaCrypt. This ransomware took advantage of a known Windows vulnerability to infect and spread to computers, making it hard to control,” added Palotay.

Android ransomware is also attracting cybercriminals. According to SophosLabs analysis, the number of attacks on Sophos customers using Android devices increased almost every month in 2017.

One reason the researchers believe ransomware on Android is taking off is that it is an easy way for cybercriminals to make money, compared with stealing contacts and SMS messages, popping up ads or bank phishing, which require more sophisticated techniques. "It's important to note that Android ransomware is mainly discovered in non-Google Play markets - another reason for users to be very cautious about where and what kinds of apps they download," the researchers noted.

Sophos recommends backing up phones on a regular schedule, similar to a computer, to preserve data and avoid paying a ransom just to regain access.

Beware of Fake WhatsApp on Google Play Store

Downloading WhatsApp? Beware! A fake, malicious version of WhatsApp was found on the Google Play Store under the name “Update WhatsApp Messenger”, published by a fake developer listed as ‘WhatsApp Inc*’.

When IANS investigated it on the Google Play Store, it found that the app had been downloaded up to 5,000 times, while the original WhatsApp has more than 1 billion downloads.

The International Business Times reported that the existence of this shady app was first highlighted by the popular WhatsApp change-tracking website WABetaInfo, via Twitter user @MujtabaMHaq.

WhatsApp is not the only app to have been cloned: a fake version of the popular mobile game Temple Run 2, uploaded in October, can also be found on the store.

“DON’T DOWNLOAD THIS APP! IT’S FAKE! WhatsApp Business is not officially available yet for all,” the WABetaInfo social media account tweeted to its 30,000 followers. It added: “Check only official channels to download WhatsApp Business in future.”

Separately, WhatsApp suffered a server outage for users around the world for about an hour on Friday. Users complained about the issue on Twitter as well as on their Facebook accounts.

The company later released a statement saying the issue had been fixed and apologized for any inconvenience.

Downdetector.com reported that more than 46 percent of users complained of problems with the connection, while 41 percent reported issues with sending or receiving messages, and about 12 percent had problems with WhatsApp’s ‘Last seen’ feature.

Critical Tor flaw leaks real IP address, users urged to update

The dark web is no longer just a marketplace for illicit drugs, weapons, and other nefarious material. Mainstream media and social networks, from The New York Times to Facebook, are also using it to give users an anonymous way to access their sites. These so-called "onion" services can help publishers evade country-specific web censorship, while also delivering their content to people who simply use the Tor Network to surf in private. The tradeoff for anonymity is a sluggish web browsing experience, but it's a sacrifice more than 2 million people are willing to make. Now, with its almost decade-old onion domains getting rusty, Tor is unveiling its next-gen sites, with the focus on strengthening security.

The Tor Project released a patch for a vulnerability that leaks the real IP addresses of macOS and Linux users of its Tor Browser when they visit certain types of addresses. Windows and Tails users running Tor Browser 7.0.8 are not affected.

The patch was issued late Friday and fixes a vulnerability found in Tor Browser version 7.0.8. The fix ships in the upgrade to Tor Browser 7.0.9.

TorMoil, as the flaw has been dubbed by its discoverer, is triggered “Due to a Firefox bug in handling ‘file://’ URLs, rather than the more common https:// and http:// address prefixes. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser,” according to a brief blog post published by We Are Segment, the security firm that privately reported the bug to Tor developers.

By using new encryption algorithms, improved authentication, and a redesigned directory, Tor claims its next-gen design will keep an onion address completely private. In the past, its network could learn about your onions, which could have resulted in info leaks and cyber attacks. Just this year, news emerged that a hacker had knocked out about a fifth of the Tor network (over 10,000 "secret" sites in total). "All in all, the new system is a well needed improvement that fixes many shortcomings of the old design, and builds a solid foundation for future onion work," reads the blog post.

WordPress site admins urged to update immediately

Millions of websites running WordPress are being strongly urged to update to the latest version of the popular content management system as soon as possible to prevent website takeovers after a serious security vulnerability was uncovered.

On Tuesday, WordPress announced the launch of version 4.8.3 as a security release which mitigates the security flaw.

“Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.”

The advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who discovered the WordPress flaw that allows attackers to trigger an SQL injection attack leading to complete website hijacking. The vulnerability was found in versions 4.8.2 and below.

Ferrara published technical details about the flaw and explained that it was initially discovered by someone else months ago.

The vulnerability, CVE-2017-14723, occurs because WordPress versions 4.8.2 and earlier mishandle certain characters.

“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability,” the Foundation explained.
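The hardening described above concerns how plugins and themes call $wpdb->prepare(). The following hypothetical plugin function is an added illustration, not WordPress core code and not taken from Ferrara's write-up: it shows the calling pattern the advisory warns about beside the corrected form. The function names example_find_posts_unsafe and example_find_posts_safe, the $title parameter and the request parameter t are assumptions made for the example.

```php
<?php
// Added example (hypothetical plugin code, not WordPress core).
// Assumes it runs inside WordPress, where the global $wpdb object exists.

// Risky pattern: a request value is spliced into the format string.
// The whole first argument is treated as a printf-style format, so any
// '%' characters in $title reach prepare()'s format parser as directives
// instead of being escaped as data. That is the kind of input the 4.8.3
// advisory describes prepare() turning into an unexpected query.
function example_find_posts_unsafe( $title ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = '" . $title . "' AND post_status = %s",
        'publish'
    );
    return $wpdb->get_col( $sql );
}

// Corrected pattern: the format string contains only fixed SQL and
// placeholders; every dynamic value is passed as an argument, so it is
// escaped and quoted by prepare() and never interpreted as a format.
function example_find_posts_safe( $title ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = %s",
        $title,
        'publish'
    );
    return $wpdb->get_col( $sql );
}

// Usage, e.g. from a shortcode or REST callback. prepare() handles SQL
// escaping only, so the input is still unslashed and sanitized first.
$requested = isset( $_GET['t'] ) ? sanitize_text_field( wp_unslash( $_GET['t'] ) ) : '';
$ids       = example_find_posts_safe( $requested );
```

The unsafe form becomes exploitable when a string that already carries user-supplied % characters is run through prepare() a second time, which is why the advisory talks about plugins "accidentally" causing a vulnerability rather than core being directly affected. The 4.8.3 hardening reduces that risk in core, but the robust fix in plugin code is simply to keep user data out of the format string and pass it as arguments.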

Ironically, the release last month of WordPress 4.8.2 was intended to protect against the vulnerability, but – according to Ferrara – it actually “broke a lot of sites” and “didn’t actually fix the root issue (but just a narrow subset of the potential exploits)”.

The CMS provider "strongly encourage[s] you to update your sites immediately."

Ferrara says that he informed the WordPress team of the problem straight after the release of 4.8.2, but was effectively “ignored for several weeks.”

Not only did the fix break a lot of sites that used an undocumented functionality that was removed, but it didn’t fix the root issue, just a narrow subset of the potential exploits.

Russian hackers stole 60.5 million rubles using malware

According to the Ministry of Internal Affairs of the Russian Federation, two natives of the Sverdlovsk region stole more than 60.5 million rubles from the Petropavlovsk-Kamchatsky (the administrative center of Kamchatka Krai) Bank and other commercial organizations.

Irina Volk, official representative of the MIA, said that the hackers were able to access the computers of the affected organizations using malware. The stolen money was transferred to the bank accounts of front organizations and cashed out.

Criminal cases for illegal access to computer information and for cybercrime will be heard soon. Under the first charge, the hackers face up to five years' imprisonment; under the second, up to ten years and a fine of up to one million rubles.

They are known to have other accomplices, and the investigation into the hacker group continues.

According to Ilya Sachkov (CEO and founder of Group-IB), no 100% effective safeguard against cyber attacks exists, but every organization can reduce the risks and improve the protection of banks. The most important step for an organization is to create its own information systems security division.

- Christina

The new Silence Trojan on the loose

In September 2017, Kaspersky Lab’s GReAT investigation team found a new trojan that was deployed to aid cyber-heists of banks in Russia, Armenia, and Malaysia. Experts named the new trojan Silence.

The Russian hacking group has hit at least ten banks across the world with a piece of malware that opens up access to infected computers to compromise banking networks. The attacks are still ongoing.

The attackers used a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day-to-day activity on bank employees’ PCs, learning how things work in their target banks and what software is being used, and then using that knowledge to steal as much money as possible when ready.

The security outfit says that Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak, which have succeeded in stealing millions of dollars from financial organisations.

While there are no clues to link the trojan to the infamous Carbanak gang (hacker group specialized in robbing banks), the attacker's mode of operation resembles some past Carbanak techniques. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees, along with a request to open a bank account. The message looks like a routine request and looks as unsuspicious as possible to future victims.

At this point, the Silence attacks could be a new Carbanak operation or the work of copycats that modelled their modus operandi based on Carbanak reports released by cyber-security firms.

Experts were able to piece together how an attack with the Silence trojan works. Compromising the employee accounts used to send the phishing emails can be done with malware, or because the employee had reused passwords from accounts included in publicly leaked datasets.

The Tesla Model X Hacked by Chinese Researchers

Researchers from the China-based security firm Tencent Keen Security Lab have managed to hack into a Tesla Model X.

Last year, the same group of researchers hacked Tesla's Model S, taking control of various in-built systems.

They found several zero-day vulnerabilities in in-car modules that let them open the doors, blink the lights and control the in-car displays, and, while the car was in motion, activate the brakes.

Keen Lab's researchers managed to hack the car by bypassing its firmware signing system, after which they installed their own firmware, through which they could issue commands as they wished.

The research team notified the automaker about the vulnerabilities, and the company patched the flaws promptly as part of its 8.1 software update.

A Tesla spokesperson released a full statement regarding the vulnerabilities and related research:

By working closely with this research group following their initial findings last year, we responded immediately upon receiving this report by deploying an over-the-air software update (v8.1, 17.26.0+) that addresses the potential issues. While the risk to our customers from this type of exploit is very low and we have not seen a single customer ever affected by it, we actively encourage research of this kind so that we can prevent potential issues from occurring. This demonstration wasn't easy to do, and the researchers overcame significant challenges due to the recent improvements we implemented in our systems. In order for anyone to have ever been affected by this, they would have had to use their car's web browser and be served malicious content through a set of very unlikely circumstances. We commend the research team behind this demonstration and look forward to continued collaboration with them and others to facilitate this kind of research.

Third-party swipes Dell’s web address for a month

A third party took over the web address used by recovery software on Dell PCs for a month last summer, after a contractor apparently failed to renew it. Dell used the address to help customers restore their data: the firm's backup and recovery application is installed by default on many of its PCs, allowing users to restore their computers to factory settings.

Brian Krebs, a security expert and author, reported the issue saying that the site may have been hijacked "From early June to early July 2017.”

A software backup and imaging company called SoftThinks, one of Dell's partners, previously controlled this address, but it was taken over by another party at some point between June and July this year.

The domain name, DellBackupandRecoveryCloudStorage.com, was checked regularly by software installed as standard on many Dell PCs, so whoever snapped it up could have used it to spread malware to unsuspecting Dell customers.

During that period DellBackupandRecoveryCloudStorage.com was the property of Dmitrii Vassilev of "TeamInternet.com," a company listed in Germany that specializes in selling what appears to be typosquatting traffic. Team Internet also appears to be tied to a domain monetization business called ParkingCrew.

Krebs said in his blog: “Approximately two weeks after Dell’s contractor lost control over the domain, the server it was hosted on started showing up in malware alerts.”

Dell admitted to losing control of the domain name but said in a recent statement that the problem had been “addressed”. The company said no malware was transferred.

Dell said to the BBC: “We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device.”

A spokeswoman for Dell said that, on 9 July, the developer of the program bought the domain back from the third party that snapped it up - but she would not confirm how much this cost.

Pune organizes event to increase awareness about cybersecurity

The Pune City Police has organised “Cy-Fi Karandak 2017,” a cyber-security festival of one-act plays intended to raise awareness of the increasing cyber crime in the city. The festival is being organized in association with the Quick Heal Foundation and Expressions Lab, a theatre organisation.

The finale of the event is scheduled to be held in Pune from December 21 to 25, at Bharat Natya Mandir. More than 100 teams from Maharashtra and Goa applied, and 28 finalists will now compete on the theme “Human Life in the Cyberworld — How Convenient, How Vulnerable?” for cash prizes and the Karandak trophy.

To promote the event, an online Karandak was also launched, in which interested teams submitted their videos via social media; its finals will also be held in December.

“The amount of cyber crimes reported in Pune is surprisingly high, even higher than that of Delhi and NCR,” said Senior Police Inspector Radhika Phadke. “We need this kind of a platform to create awareness about the psychological and emotional consequences of these crimes. Especially in cases of matrimony fraud, the victim suffers extreme emotional distress. Through theatre, we can convey the human side of it,” she added.

“Cyber-crime would account for nearly 80 percent of all crimes in coming years,” said assistant commissioner of police Milind Patil.

DoubleLocker Ransomware Locks Android devices

A ransomware strain dubbed DoubleLocker has been infecting Android devices, changing the device's security PIN and encrypting all stored data.

Researchers from cybersecurity firm ESET discovered the DoubleLocker ransomware, a two-stage ransomware that adopts a dual-locking approach.

According to the researchers, the ransomware is distributed through fake Adobe Flash Player apps. Its code is based on a banking Trojan known as Android.BankBot.211.origin, which tricks users into granting it permissions, after which it activates device administrator rights and sets itself as the default home application.

The attackers have set the ransom at 0.013 Bitcoin (approx. USD 70), which is demanded to be paid within 24 hours of the attack. “Double Locker affects the android devices primarily in two ways: first, encrypts all the data files with AES encryption mechanism and corrupts the same with the .cyreye file extension, thus becoming a perfect case for a ransom demand. Additionally, the malicious software also affects the accessibility of the devices by changing the pin of the device, which cannot be accessed by the users,” explained Sandeep Sharma, Associate Research Manager – Software and Services at IDC.

Researchers stated that the DoubleLocker ransomware is much more advanced than other types of Android ransomware. It is able to abuse the device's accessibility service to obtain device administrator rights and take control of the device.

After obtaining admin rights, the malware sets itself as the default home application on the device and thereafter blocks users from bypassing the lock.

The best way to remain unaffected by this kind of ransomware is to back up all data regularly; even after being hit by the ransomware, you can recover the device without paying the ransom by performing a factory reset.

Kaspersky Lab: Deleted NSA's hacking code

Russia-based antivirus software company Kaspersky Lab said that a security mistake by a US National Security Agency contractor led to confidential hacking tools being leaked to the cybersecurity firm.

The Lab claimed that after realizing that the downloaded hacking tools were classified, it deleted every file. In September, US officials ordered the probe, saying the firm was influenced by the Kremlin and that compromised data could harm national security.

"The archive was deleted from all our systems. The archive was not shared with any third parties," Kaspersky Lab said on Tuesday.

According to Kaspersky Lab's investigation, on 11 September 2014, the NSA contractor was working on his personal computer at home when the antivirus detected a piece of malware.

"US law tolerates inadvertent acquisition of classified data but doesn't allow to distribute it. We deleted it to follow the law," the company's CEO Eugene Kaspersky tweeted on Wednesday. The Russian security firm added: "Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like 'top secret' and 'classified'."

The company was not able to pinpoint the exact date as the contractor apparently disabled the Kaspersky antivirus software. On 4 October 2014, the contractor again turned the antivirus software back on.

“The user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator,” Kaspersky says. “The malware dropped from the trojanised keygen was a full-blown backdoor, which may have allowed third parties access to the user’s machine.”

On reviewing the file’s contents, the company reported the matter to Chief Executive Eugene Kaspersky and removed all the files.

“We deleted the archive because we don’t need the source code to improve our protection technologies and because of concerns regarding the handling of classified materials,” said Kaspersky spokeswoman Sarah Kitsos.