Intel finds another chip exploit


Just when we thought we were past the myriad of Spectre and Meltdown CPU flaws, Intel (along with Google and Microsoft) has today shed light on a new strain of Spectre-style vulnerabilities called Speculative Store Bypass, or Variant 4. While close to eight new variants of Spectre were discovered recently, this is the fourth one to be disclosed by the chipmaker.

Variant 4 (CVE-2018-3639) is also a side-channel analysis flaw, but it uses a different mechanism to extract information, and the most likely place for it to be used is code running in a web browser.

“Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, said in a post on Monday.

The Spectre and Meltdown vulnerabilities led to frantic work by Intel and its computer-maker partners to put in place software code to protect systems.

The biggest maker of computer processors acknowledged that its processors are vulnerable to another dangerous speculative execution side channel flaw that could give attackers unauthorized read access to memory. However, Intel has classified Variant 4 as a medium-risk vulnerability and added that it should not affect most users, as the mitigations already rolled out for the first Spectre variants work against this one as well.

In its blog post, Intel says one potential way to exploit the vulnerability would be to access information via code run inside a web browser. The known attacks work only in a ‘language-based runtime environment’ such as a web browser, but the company is not aware of a successful browser exploit.

“In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers,” read the blog post.

The chipmaker has worked with its OEM partners and has already pushed the beta microcode update for Speculative Store Bypass to them. In the blog post, it adds,

BMW preparing to counter security threats



Security flaws now worry even the top car models, to the major concern of the entire automobile sector. The trigger is a recent technical report by Tencent Keen Security Lab, in which the Chinese security firm disclosed vulnerabilities in several BMW models and asked the automobile giant to counter the threat at this stage, before it could cause wider damage.

Tencent Keen Security Lab, which conducted an in-depth study for nearly a year, revealed 14 vulnerable points in the BMW 5 Series, BMW 7 Series, BMW i Series, BMW X Series and BMW 3 Series. The firm disclosed the 14 vulnerable areas to BMW in its technical report, and BMW took up the issue on a priority basis.

The German multinational manufacturer of luxury automobiles and motorcycles swung into action in light of the new revelations. The researchers observed that an attacker could reach a BMW car through the local GSM mobile network and gain access to its UDS (Unified Diagnostic Services) communication, infotainment system and other components.

The technical findings suggest that BMW modify the affected component settings and make substantial changes to the firmware, which is the best available way to shut attackers out.

BMW is already devising a mechanism to keep the component settings updated, and is asking new owners and its service centres across the globe to be aware of this course of action so that affected cars can be brought back to a safe state.

3 new attacks by Wicked Mirai botnet

In April 2018, a report revealed how university students developed what would become the WannaCry ransomware.

But before it attacked millions of devices, WannaCry was the Mirai botnet, a DDoS army that was used by, among others, university students who wanted an edge in Minecraft.

Now another variant of the Mirai botnet has appeared on the scene, but this one has a twist. The code is integrated with at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other botnets built for DDoS attacks, all of which can be traced back to one threat actor.

This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices. The original Mirai used traditional brute-force attempts to gain access to connected things in order to enslave them, but the Wicked Botnet, named after the underground handle chosen by its author, prefers to go the exploit route to gain access.

This botnet, known for its devastating ransomware WannaCry, has recently added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

Vulnerabilities used by Wicked include a Netgear R7000 and R64000 command injection (CVE-2016-6277), a CCTV-DVR remote code execution flaw and an Invoker shell on compromised web servers.

Fortinet’s FortiGuard Labs team analyzed the botnet and found that each exploit is tied to the port on which the bot manages to connect.

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”
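
The port-to-exploit coupling described above gives defenders a simple network signature: one source sending SYNs to many hosts on exactly the set {80, 81, 8080, 8443}. The following detector is an added example, not code from Fortinet or the original post; the log format, sample addresses and thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the Wicked bot probes with raw-socket SYNs, per the FortiGuard analysis.
WICKED_PORTS = {80, 81, 8080, 8443}

# Hypothetical firewall log format, constructed for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw: SYN "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 198.51.100.23 sweeps seven hosts across all four ports,
# 203.0.113.5 is ordinary client traffic (documentation address ranges).
SAMPLE_LOG = """\
2018-05-17T10:00:01 fw: SYN src=198.51.100.23 dst=192.0.2.10 dport=8080
2018-05-17T10:00:01 fw: SYN src=198.51.100.23 dst=192.0.2.10 dport=8443
2018-05-17T10:00:02 fw: SYN src=198.51.100.23 dst=192.0.2.11 dport=80
2018-05-17T10:00:02 fw: SYN src=198.51.100.23 dst=192.0.2.11 dport=81
2018-05-17T10:00:03 fw: SYN src=198.51.100.23 dst=192.0.2.12 dport=8080
2018-05-17T10:00:04 fw: SYN src=198.51.100.23 dst=192.0.2.13 dport=8443
2018-05-17T10:00:05 fw: SYN src=198.51.100.23 dst=192.0.2.14 dport=80
2018-05-17T10:00:06 fw: SYN src=198.51.100.23 dst=192.0.2.15 dport=81
2018-05-17T10:00:07 fw: SYN src=198.51.100.23 dst=192.0.2.16 dport=8080
2018-05-17T10:00:09 fw: SYN src=203.0.113.5 dst=192.0.2.10 dport=80
2018-05-17T10:00:10 fw: SYN src=203.0.113.5 dst=192.0.2.10 dport=443
2018-05-17T10:00:11 fw: SYN src=203.0.113.5 dst=192.0.2.11 dport=22
2018-05-17T10:00:12 fw: SYN src=203.0.113.5 dst=192.0.2.12 dport=80
not a syn record, ignored by the parser
"""


def parse_syn_events(lines):
    """Return (timestamp, src, dst, dport) tuples for lines matching LOG_LINE."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"],
                           m["dst"], int(m["dport"])))
    return events


def find_wicked_scanners(lines, window=timedelta(minutes=5),
                         min_hosts=5, min_ports=3):
    """Flag sources that SYN-probe many distinct hosts on the Wicked port set
    within `window`. Thresholds are tuning knobs, not values from the report."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_syn_events(lines):
        if dport in WICKED_PORTS:
            per_src[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in per_src.items():
        evs.sort()
        best = None
        lo = 0
        for hi in range(len(evs)):          # sliding time window over the events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            win = evs[lo:hi + 1]
            hosts = {dst for _, dst, _ in win}
            ports = {dport for _, _, dport in win}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                if best is None or len(hosts) > best["hosts"]:
                    best = {"hosts": len(hosts), "ports": sorted(ports),
                            "first_seen": win[0][0].isoformat()}
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_wicked_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hosts']} hosts on ports {info['ports']} "
              f"from {info['first_seen']}")
```

Because the bot only fires an exploit on a port it could connect to, the sweep itself is the earliest observable stage; a source hitting several hosts on three or more of these ports in a short window is worth a block and a closer look, while a single client reusing port 80 stays under the threshold.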

Multilingual Malware Targets Android Devices for Phishing Attacks


A blog post titled 'Roaming Mantis uses DNS hijacking to infect Android smartphones' was published in April 2018 by Kaspersky Lab, describing this malware in particular.

Roaming Mantis uses Android malware designed to spread by means of DNS hijacking and targets Android devices specifically. Based on Kaspersky Lab's telemetry data, the activity was found mostly in Asia (South Korea, Bangladesh and Japan).

Potential victims were redirected by DNS hijacking to a malicious web page that distributed a trojanized application impersonating Facebook or Chrome, which users then installed manually. The application actually contained an Android banking Trojan.

Not long after publication it emerged that various other researchers were also tracking this malware family. In May, while monitoring Roaming Mantis (also known as MoqHao and XLoader), Kaspersky Lab's researchers observed some very significant changes in its modus operandi.

“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

According to Kaspersky Lab researcher Suguru Ishimaru, the latest campaign involving Roaming Mantis was also analysed by Kaspersky Lab, and the findings were detailed in its blog post "The Roaming Mantis campaign evolved significantly in a short period of time."

The attacks have been extended to around 27 languages including English, Hindi, Russian, Chinese and Hebrew. Initially the malware was distributed in only five languages, but the range has since been extended with the help of an automatic translator. The full list of languages is available here:


Roaming Mantis is also said to be well equipped to steal private and sensitive data from Apple and Android phones, while cryptocurrency mining is performed by a special script embedded in the malware's HTML source code, which executes whenever the browser is opened.

Beware of ZipperDown

Yet another alarming disclosure has security experts stepping in. ZipperDown, a newly reported programming flaw, is a vulnerability that could affect App Store applications; after careful experiments, Pangu Team concluded that the code in question could be used to overwrite an app's data.

Pangu Team, a Chinese iOS jailbreaking group, found through in-house research and analysis that around 10 per cent of iPhone apps in the store are affected by the bug, which allows an app's data to be overwritten. Without giving details, they also claimed to have found that the same bug affects Android smartphones.

Those who reached this disturbing conclusion have yet to publish the full findings, but have agreed to share the details privately with app developers who need them. They said developers might find it useful to examine whether the vulnerability exists in their apps; before reaching the conclusion, the jailbreakers had named many iOS apps they found to be more or less vulnerable.

With the help of a newly developed tool known as Janus, Pangu Team scanned 168,951 apps, of which 15,978 were found to be vulnerable. The experiments have more or less concluded that whether the vulnerability can be exploited depends on the permissions the app has been granted. The researchers scanned several widely used apps made in China, including QQ Music, Kwai, Weibo, MOMO and NetEase Music.

To keep the threat at bay, at least for the time being, the experts have advised users to use a virtual private network (VPN), since it would help keep their devices safe from the attack.

Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data


Two students at Bloomfield Hills High School are the main suspects of a hack into the school’s Student Information System called MISTAR. The students are believed to have made changes to the grades, attendance records, and lunch balances of about twenty students and themselves.

The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.

The students are suspected to have exploited a now-resolved vulnerability in the school systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.


In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," he said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

The school has also established a support hotline, aside from their FAQ page, where parents can reach out to learn more or have their questions about the hack answered.

200 Million Data sets sold on 'dark web'



A data security firm has reportedly found that a hacker operating out of China has been selling the data of around 200 million Japanese users on the so-called dark web.

According to a FireEye iSIGHT Intelligence report, in December last year they spotted an underground Chinese-language website that was selling sets of IDs, passwords, email addresses and other important information.

It appears the data was assembled from breaches of up to 50 smaller Japanese online retailers and gaming websites, and put up for sale as one giant archive.

The BleepingComputer website has reported that "the price for the entire archive is ¥1,000 CNY ($150.96 USD). Several actors commenting on the forum thread where the suspected Chinese hacker was selling his data commented that they've bought the PII cache but did not receive their files. It is unclear if these comments are true, or if these were made by other data sellers trying to sabotage their competition."

The researchers say that they traced the hacker's online presence on a QQ social network ID that also gave a link to another hacker's social ID.

"This QQ address is connected to an individual living in China's Zhejiang province," researchers said.

Intimate data of 3 Million Facebook Users Exposed




Personal data of more than three million people was exposed online for four years by a personality app called myPersonality.

The app collected intimate details of Facebook users, and the data could be accessed by anyone on the Internet.

The researchers who designed the app are based at the Psychometrics Centre at the University of Cambridge. They uploaded sensitive data of Facebook users, containing a million answers to personality-trait questionnaires, onto a poorly protected website.

According to information on the Cambridge website, the app "collected data from over 6 million volunteers" during the period it was active, creating "one of the largest social science research databases in history."

"This data was anonymized and samples of it were shared with registered academic collaborators around the world through the myPersonality project, resulting in over 45 scientific publications in peer-reviewed journals," said the Cambridge website.


Facebook has confirmed that it is investigating the matter and has temporarily suspended the myPersonality app. "If myPersonality refuses to cooperate or fails our audit, we will ban it," said Ime Archibong, Facebook's vice president of product partnerships.

StalinLocker: ransomware deletes data if the correct code is not entered in time

A new ransomware has been discovered, called StalinLocker or StalinScreamer, that gives victims 10 minutes to enter the correct unlock code and, if they fail to do so, erases all the data on the infected device.

The ransomware does not actually demand any ransom, other than the condition given to unlock the victim’s device.

Named after Joseph Stalin, the late leader of the Soviet Union, the malware pays tribute to him by showing a red screen with a picture of Stalin while the USSR anthem plays in the background, as StalinLocker takes over the computer and the 10-minute countdown begins.



The ransomware was discovered by MalwareHunterTeam, which explained on Twitter how the malware works and how to work out the code that unlocks a locked device.


According to them, the code can be derived by subtracting 30/12/1922, the date representing the foundation of the USSR, from the date the malware was run.
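
Since the lock screen gives a victim only 10 minutes, it helps to have the arithmetic ready in advance. The snippet below is an added example, not MalwareHunterTeam's or the original post's code. It assumes that "subtracting" the two dates means the number of whole days between them and that the result is typed in as a plain integer; the page states only the subtraction, so both are assumptions of this example.

```python
from datetime import date, timedelta

# Reference date reported by MalwareHunterTeam: the foundation of the USSR.
USSR_FOUNDED = date(1922, 12, 30)


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def stalinlocker_code(run_date) -> int:
    """Whole days from the reference date to the day the sample ran.

    Assumption for this example: the unlock code is exactly that day count
    (the page only says the run date minus 30/12/1922)."""
    run_date = _as_date(run_date)
    if run_date < USSR_FOUNDED:
        raise ValueError("run date precedes the reference date")
    return (run_date - USSR_FOUNDED).days


def candidate_codes(first, last) -> dict:
    """Codes for every day in [first, last], as {code: 'YYYY-MM-DD'}, for a
    victim who is unsure on which day the sample executed (for instance
    because the machine's clock cannot be trusted)."""
    first, last = _as_date(first), _as_date(last)
    if last < first:
        raise ValueError("window is empty")
    out = {}
    day = first
    while day <= last:
        out[stalinlocker_code(day)] = day.isoformat()
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    run_day = "2018-05-18"                  # constructed run date for the demo
    print("code for", run_day, "=", stalinlocker_code(run_day))
    for code, day in candidate_codes("2018-05-16", run_day).items():
        print(day, "->", code)
```

The code changes every day, so a responder should compute it from the victim machine's own clock (the value the malware would have used), not from the analyst's. Keeping a small window of candidates covers the case where the infection straddled midnight or the system time had been tampered with.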


This ransomware, unlike others, seems to purely focus on destroying user data as it does not demand any ransom in Bitcoin or other ways but simply attempts to erase all data if conditions are not met. If the user correctly enters the code, however, the files are unlocked with no problem.

The malware is similar to an earlier one that forced victims to play PlayerUnknown’s Battlegrounds for an hour to get their device unlocked, but unlike StalinLocker, that one did not threaten to erase the victim’s data.

Currently, StalinLocker is in a testing stage but it could turn out to be a major problem for Windows users once it is out for good.

Cisco warns of critical bugs in DNA center

Cisco released a list of 16 security advisories on May 16, including three critical flaws in Digital Network Architecture (DNA) Center rated 10/10 on the CVSS (Common Vulnerability Scoring System) scale that could allow an attacker to seize complete administrative control. Cisco Systems patched the bugs on Wednesday.

One of the three, logged as CVE-2018-0222, is caused by DNA Center having default and static administrative account credentials, which an attacker could use to log into an affected system and execute commands with root privileges.

One of the critical bugs “Could allow an unauthenticated, remote attacker to bypass authentication and access critical services,” according to Cisco. “The vulnerability is due to a failure to normalize URLs prior to service requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue. A successful exploit could allow the attacker to gain unauthenticated access to critical services, resulting in elevated privileges in DNA Center.”
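
Cisco's advisory names the root cause only as a failure to normalize URLs before the service request is handled. The following is an added, generic illustration of why authorization must be applied to the canonical form of a path; it is not Cisco's code and does not describe the actual DNA Center bypass. The protected prefix `/api/admin/` and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical route prefixes that must only be reachable after authentication.
PROTECTED_PREFIXES = ("/api/admin/",)


def canonical_path(request_target: str) -> str:
    """Reduce a request path to one canonical form before any authorization
    decision: percent-decode (a bounded number of times, to catch double
    encoding), unify separators, then collapse '//', './' and '../'."""
    path = urlsplit(request_target).path or "/"
    for _ in range(3):                 # bounded so nested encodings cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # normpath resolves dot segments and never climbs above the root '/'
    return posixpath.normpath("/" + path.lstrip("/"))


def naive_is_protected(request_target: str) -> bool:
    """The weak check: prefix-match on the raw path exactly as received."""
    return urlsplit(request_target).path.startswith(PROTECTED_PREFIXES)


def is_protected(request_target: str) -> bool:
    """The corrected check: the same policy, applied to the canonical path."""
    path = canonical_path(request_target)
    return any(path == prefix.rstrip("/") or path.startswith(prefix)
               for prefix in PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed request targets; the first two reach the same service.
    for target in ("/api/admin/users", "/public/../api/admin/users",
                   "/api/public/users"):
        print(f"{target:32} naive={naive_is_protected(target)!s:5} "
              f"canonical={canonical_path(target)} protected={is_protected(target)}")
```

The gateway and the service behind it must agree on what a path means; if the front door compares the raw string while the back end resolves dot segments and decodes escapes, the two disagree on exactly the requests that matter. Canonicalizing once, up front, and making every later component consume only the canonical path removes that gap.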

Cisco also warned of four additional vulnerabilities – each rated high. All of the vulnerabilities have available patches for mitigation.

Each could allow an unauthenticated and remote attacker to bypass Cisco’s authentication checks and attack core functions of the DNA platform, which was introduced in 2016. DNA has been touted as a move away from the company’s hardware-centric business towards one more reliant on software and services; it’s an open, software-driven architecture focused on automation, virtualization, analytics and managed services.

The three critical flaws all give attackers elevated privileges that can compromise the entirety of the DNA Center but go about it in very different ways. One involves exploiting a hardcoded admin password, one attacks the Kubernetes port, and the third relies on a specially crafted URL not being normalized before DNA Center resolves a service request.

Cisco announced DNA Center in the summer of 2017, offering customers network automation software and a centralized management interface for its “intent-based networking” system. Admins can use DNA Center to set policies for network segmentation, configure network infrastructure, and monitor network glitches. It ships as part of a dedicated appliance.

RIG EK delivers Grobios trojan

Exploit kit activity has been declining since the latter half of 2016, but we still periodically observe significant developments in this space, and RIG EK seems to buck the trend. It has been involved in ongoing activity delivering a wide range of crimeware payloads, and its latest campaign saw RIG dropping the Grobios malware, a stealthy backdoor that takes great pains to avoid detection and to evade virtual-machine and sandbox environments.

The campaign was first seen on March 10 by FireEye Labs, redirecting victims to a compromised domain, latorre[.]com[.]au, with a malicious iframe injected into it. That iframe, in turn, loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page. RIG then loads a malicious Flash file which when opened drops the Grobios trojan.

The Trojan’s main hallmark is an impressive arsenal of evasion and anti-sandbox techniques, according to FireEye researchers. Blog post co-authors Irshad Muhammad, Shahzad Ahmed, Hassan Faizan and Zain Gardezi report that the developers clearly tried to impede any attempt to dissect the malware: it is protected with multiple anti-debugging, anti-analysis and anti-VM techniques that hide its behaviour and C2 traffic.

“The main purpose of Grobios malware is to help attacker establish a strong foothold in the system by employing various kinds of evasions and anti-VM techniques,” Ali Islam, director of FireEye, told Threatpost. “Once a strong foothold is established, an attacker can drop a payload of his/her choice, which can be anything from an info stealer to ransomware, etc.”

In an effort to evade static detection, the studied Grobios sample was packed with the Windows executables compression tool PECompact. "The unpacked sample has no function entries in the import table," the blog post states. "It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings."
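
An empty import table plus API hashing means a static scan of the unpacked binary shows no `CreateRemoteThread` or `VirtualAlloc`, only 32-bit constants. The analyst's counter-move is to reproduce the hash over the export names of the DLLs the sample parses and look the constants up. The block below is an added example, not FireEye's or the malware's code: Grobios' actual hash routine is not described on the page, so a rotate-right-13-and-add hash stands in for it, and the export list and "constants found in the sample" are constructed. On a real case the export names would come from the DLL's export table (for instance via `pefile`'s `DIRECTORY_ENTRY_EXPORT.symbols`) and the hash routine from the disassembly.

```python
MASK = 0xFFFFFFFF

# Constructed export list standing in for a DLL's export table; a real
# kernel32.dll exposes well over a thousand names.
KERNEL32_EXPORTS = [
    "CreateFileA", "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
    "VirtualProtect", "LoadLibraryA", "GetProcAddress", "CreateRemoteThread",
    "WinExec", "Sleep", "IsDebuggerPresent",
]


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right."""
    return ((value >> bits) | (value << (32 - bits))) & MASK


def ror13_hash(name: str) -> int:
    """Stand-in hash: for each ASCII byte, rotate the accumulator right by 13
    and add the byte. Replace with the routine recovered from the sample."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK
    return h


def build_hash_table(export_names, hash_fn=ror13_hash) -> dict:
    """Map hash -> export name, refusing to silently overwrite on collision."""
    table = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve_hashes(constants, table) -> list:
    """For each constant pulled from the sample, return (hash, name or None).
    An unresolved value may be a hash from another DLL or not a hash at all."""
    return [(c & MASK, table.get(c & MASK)) for c in constants]


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    # Constructed "immediates found in the sample": two real hashes, one junk value.
    found = [ror13_hash("VirtualAlloc"), ror13_hash("CreateRemoteThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(found, table):
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

Once the table is built it can be applied across every DLL the sample walks, and the resolved names can be attached to the call sites as comments in the disassembler; that recovers the functional picture (allocation, injection, network) the empty import table was meant to hide.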