
New Scam Impersonates VAT Form to Deliver Malware

Researchers from Trustwave have unearthed a scam impersonating Her Majesty’s Revenue & Customs (HMRC) to trick victims into downloading malware.

According to the security firm, on September 6, 2017, scammers launched an email phishing attack disguised as an HMRC VAT return document, which contained links to the infamous jRAT malware. The email was sent from a registered HMRC-like domain (hmirc-gov.co.uk).

Trustwave explained that the body of the email encourages the user to click on an embedded image of a PDF document, citing an error in their recently submitted VAT return. The link takes the victim to a Microsoft OneDrive file-sharing page that downloads a VAT Return ZIP file; inside is a malicious Java JAR file that, on execution, downloads and launches malware via several VBS scripts. No actual attachment is sent with the message.

Analyzing the JAR file, Trustwave explained that it is jRAT's bot agent.

“Each bot has its own configuration and this particular sample has an anti-analysis mechanism where it prevents execution of well-known security and forensic related tools. It adds the process name to ‘Image File Execution’ registry key so that ‘svchost.exe’ will be executed instead”, wrote Dr Fahim Abbasi, Gerald Carsula and Rodel Mendrez.
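The registry mechanism the researchers describe is a defender's detection opportunity: any program listed under Image File Execution Options with a "Debugger" value is silently replaced by that value when launched. The script below is an added illustration, not code from the Trustwave report; it parses a .reg export of that key and flags entries whose "debugger" is not a known debugger (the allowlist, the sample export and the redirected program names are all constructed assumptions).

```python
"""Flag Image File Execution Options (IFEO) entries that redirect a program elsewhere.

Added illustration, not code from the Trustwave report. Windows consults
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<exe>
when <exe> starts; if a "Debugger" value is present, that program is launched
instead, which is how the sample blocks analysis tools. The input is a .reg
export of that key; the sample below is constructed, not from a real host.
"""
import re
from dataclasses import dataclass
from typing import List

IFEO_KEY = "\\Image File Execution Options\\"
# Debuggers that legitimately appear here on developer machines (assumed allowlist).
KNOWN_DEBUGGERS = {"windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe"}

# Constructed .reg export: one legitimate WinDbg entry and two redirects to svchost.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"
'''

@dataclass
class Finding:
    target: str       # executable whose launch is redirected
    debugger: str     # program Windows will run instead
    suspicious: bool  # True unless the debugger is on the allowlist

def _unescape_reg_string(raw: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes in REG_SZ values."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")

def _debugger_basename(value: str) -> str:
    """Return the lower-cased file name of the debugger, ignoring quoting and arguments."""
    value = value.strip()
    path = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_reg_export(text: str) -> List[Finding]:
    """Walk a .reg export and return one Finding per IFEO Debugger value."""
    findings: List[Finding] = []
    target = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(IFEO_KEY.lower())
            target = key[idx + len(IFEO_KEY):].lower() if idx != -1 else None
            continue
        match = re.match(r'^"Debugger"="(.*)"$', line)
        if target and match:
            debugger = _unescape_reg_string(match.group(1))
            suspicious = _debugger_basename(debugger) not in KNOWN_DEBUGGERS
            findings.append(Finding(target, debugger, suspicious))
    return findings

def hijacked_targets(text: str) -> List[str]:
    """Programs whose launch is redirected to something other than a known debugger."""
    return sorted(f.target for f in scan_reg_export(text) if f.suspicious)

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(("HIJACK " if f.suspicious else "ok     ") + f"{f.target} -> {f.debugger}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, which writes UTF-16, so read it with `open("ifeo.reg", encoding="utf-16")`.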

The Java RAT trojan provides complete remote control over the victim’s computer, they added, citing an increase in phishing campaigns using Microsoft services such as SharePoint (a web-based collaborative platform) and OneDrive (a file sharing service).

“We assume that the scammers route their malware leveraging reputable cloud services like Microsoft to evade detection by various security defenses. Users need to be particularly careful since such scams are quite active during tax return season.”

Speaking to Infosecurity, Luis Corrons, PandaLabs technical director at Panda Security, said that this attack shows how creative attackers can be in order to fool users into infecting themselves.

“The technique they use in this particular attack is pretty smart, as it avoids the use of an attachment in an email,” he explained. “The only thing we can ask users for is to be sceptical and to not execute/open anything that comes from an unknown source.”

However, this can only work for so long, he added. “The security measures in place are the ones that have to take care of these attacks (not the users!), and that is why having a solution capable of classifying all running processes in the computers of a corporate network with real time monitoring and a threat hunting service is the only viable approach to be effectively safe.”

Source: Information Security Magazine

Wi-Fi Alert: Researchers Discover Serious Flaw in WPA2

Security researchers claim to have discovered new weaknesses in the WPA2 Wi-Fi security protocol which could allow hackers to steal sensitive info or even inject malware into websites.

Discovered by Mathy Vanhoef of the Katholieke Universiteit Leuven, the so-called key reinstallation attacks (KRACKs) are set to be unveiled at the ACM Computer and Communications Security (CCS) conference on Wednesday.

The attack works by focusing on the four-way handshake used by WPA2 to confirm that client and access point have the correct network password and to negotiate a new encryption key to be used to encrypt all subsequent traffic.

This key is installed following message three of the four-way handshake, but because messages can sometimes be dropped or lost, the access point will re-transmit message three several times if it doesn’t receive the correct response in acknowledgement.

This means that the client device may receive message three several times, each time reinstalling the same encryption key but resetting the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.

Vanhoef explained:

“We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message three of the four-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.”

Effectively, it is the reset of transmit nonces that makes decryption of packets possible.
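A toy model of the supplicant behaviour described above, added here as an illustration and not code from the KRACK paper or any Wi-Fi stack: the vulnerable client reinstalls the PTK and resets its transmit nonce on every message 3 it receives, the patched client acknowledges a retransmission without touching the installed key, and a third variant models the Android/Linux case the article mentions, where the in-memory PTK is wiped after the first install so a reinstall ends up with all zeros. Key derivation, MIC checks and CCMP are replaced by stand-ins, and the keys and message sequence are constructed.

```python
"""Toy model of a WPA2 supplicant handling message 3 of the four-way handshake.

Added illustration, not code from the KRACK paper or any Wi-Fi stack. PTK
derivation, MIC checks and CCMP itself are replaced by stand-ins; only the
key-installation bookkeeping the article describes is modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ZERO_KEY = bytes(16)   # the all-zero key the article says Android/Linux end up installing

@dataclass
class Supplicant:
    patched: bool                        # fixed client: never reinstall an installed PTK
    zeroes_key_in_memory: bool = False   # Android/Linux behaviour: wipe the PTK copy after install
    ptk_in_memory: Optional[bytes] = None
    installed_key: Optional[bytes] = None
    tx_nonce: int = 0                    # CCMP packet number; must never repeat under one key
    seen: Set[Tuple[bytes, int]] = field(default_factory=set)
    reused: List[Tuple[bytes, int]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> str:
        """Handle a (possibly retransmitted) message 3 and report what the client did."""
        if self.installed_key is not None and self.patched:
            # Fix: acknowledge with message 4 but leave key and nonce untouched.
            return "msg4 sent, key left installed"
        if self.ptk_in_memory is None:
            self.ptk_in_memory = ptk           # first time: remember the negotiated PTK
        self.installed_key = self.ptk_in_memory
        self.tx_nonce = 0                      # the nonce reset at the heart of KRACK
        if self.zeroes_key_in_memory:
            self.ptk_in_memory = ZERO_KEY      # a later reinstall now installs all zeros
        return "msg4 sent, key installed, nonce reset"

    def send_frame(self) -> Tuple[bytes, int]:
        """Consume the next (key, nonce) pair, recording any pair used twice."""
        assert self.installed_key is not None, "no key installed"
        self.tx_nonce += 1
        pair = (self.installed_key, self.tx_nonce)
        if pair in self.seen:
            self.reused.append(pair)           # keystream reuse: what makes decryption possible
        self.seen.add(pair)
        return pair

def run_handshake(patched: bool, zeroes_key_in_memory: bool = False) -> Supplicant:
    """Constructed sequence: msg3, two data frames, retransmitted msg3, two more frames."""
    client = Supplicant(patched=patched, zeroes_key_in_memory=zeroes_key_in_memory)
    ptk = bytes.fromhex("00112233445566778899aabbccddeeff")   # stand-in for the derived PTK
    client.on_message3(ptk)
    client.send_frame()
    client.send_frame()
    client.on_message3(ptk)                    # the access point retransmits message 3
    client.send_frame()
    client.send_frame()
    return client

if __name__ == "__main__":
    for label, client in [("vulnerable", run_handshake(False)),
                          ("vulnerable, key wiped", run_handshake(False, True)),
                          ("patched", run_handshake(True))]:
        print(f"{label}: reused (key, nonce) pairs={len(client.reused)} "
              f"installed_key={client.installed_key.hex()}")
```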

“Essentially, to guarantee security, a key should only be installed and used once,” said Vanhoef. “Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

Android smartphones are said to be particularly at risk because Android and Linux can be tricked into re-installing an all-zero encryption key instead of the real key. This makes it easy for an attacker to both intercept and manipulate traffic sent by Android devices.

Currently, over two-fifths (41%) of Android devices are vulnerable to this kind of attack.

Vanhoef listed 10 CVEs discovered as part of the research, each relating to a specific protocol vulnerability, so “many vendors” are affected by each.

The US-CERT has already released an advisory to a limited set of organizations, with consumer and enterprise WPA1 and WPA2 networks affected.

The full research can be found here.

Source: Information Security Magazine

Iran Blamed for June Parliament Cyber-Attack

Iran was responsible for a major cyber-attack on the UK parliament over the summer which tried to crack account holders’ passwords, according to British intelligence.

The unpublished report, seen by outlets including the Guardian, laid blame at the feet of state-sponsored snoopers, although it’s still unclear what they were after.

Every member of parliament has an account to conduct official business with their constituents, including Prime Minister Theresa May and cabinet ministers.

In the end only 1% of the 9000 accounts were compromised, according to an official notice at the time which suggested these users had failed to follow best practice guidance issued by the Parliamentary Digital Service.

Several commentators questioned at the time why this guidance was merely optional and strong passwords – or the more secure two-factor authentication – weren’t enforced. Either tactic would have made it harder to 'brute force' the accounts.

Interestingly, those responsible are said to have launched follow-on vishing attacks soon after, trying to trick users into divulging their log-ins over the phone.

An email sent to parliamentary account holders at the time read as follows:

"This afternoon we've heard reports of parliamentary users being telephoned and asked for their parliamentary username and password.

"The caller is informing users that they have been employed by the digital service to help with the cyber-attack. These calls are not from the digital service. We will never ask you for your password."

The link to Tehran comes at a particularly testing time geopolitically, with US President Donald Trump said to be preparing moves to tear up a landmark nuclear deal with the Islamic republic.

European nations, including the UK, are looking to maintain the status quo and keep the JCPOA.

It must be clarified that there’s still no official comment on attribution of the June parliament attacks.

Source: Information Security Magazine

DoubleLocker Ransomware Changes PIN and Encrypts Data

Security researchers are warning of a new breed of Android ransomware designed to both encrypt data on a victim’s device and lock them out by changing the PIN code.

DoubleLocker is based on code from banking trojan Android.BankBot.211.origin which forces users to grant it access to the smartphone’s accessibility service.

Once launched, typically from a fake Adobe Flash Player app on a compromised website, it will try to obtain accessibility permissions.

It will then use these to activate device admin rights and set itself up as the home application on the phone.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” explained Eset malware researcher, Lukáš Štefanko. “Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”

True to its name, the ransomware uses two techniques to force its victims to pay up.

First, it changes the device PIN to a new credential which isn’t stored on the phone or sent anywhere. The PIN is only reset by the attacker following payment of the ransom.

Second, it encrypts all files from the device’s primary storage directory, using the AES algorithm and the “.cryeye” extension. There’s no way to recover the files without the encryption key, according to Štefanko.

The ransom to be paid within the 24-hour deadline is just 0.0130 BTC ($54).

For those not wanting to pay up, the only option for affected users is to start a factory reset, cleaning the device of ransomware, although all data will also be lost.

There’s another workaround for rooted devices, but still no way to recover the encrypted data.

Interestingly, although DoubleLocker doesn’t contain any functionality related to harvesting banking credentials, it could be turned into a so-called “ransom-banker”, according to Štefanko.

“[This is] two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom,” he explained. “Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017.”

Source: Information Security Magazine

Locky Skyrockets Up Global Malware Rankings

Check Point’s latest Global Threat Impact Index revealed a major Locky campaign in September, making the ransomware the world’s second most-used malware and impacting 11.5% of organizations globally.

Locky has not appeared in the company’s top 10 “most wanted” malware ranking since November 2016, but the spike, powered by the Necurs botnet (which in itself was ranked at number 10 in the table), propelled it up 25 places in the index, to sit just behind the RoughTed malvertising campaign.

Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment which contains malicious macros. When users activate these macros—usually via a social engineering instruction—the attachment downloads and installs the malware that encrypts the user files. In June 2016, the Necurs botnet released an updated version of Locky containing new detection avoidance techniques.

RoughTed meanwhile is large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.

In the No. 3 spot is Globeimposter, ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.

“If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice,” said Maya Horowitz, Threat Intelligence group manager at Check Point. “We’ve got ransomware taking up two of the top three spots—one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position.”

Also of note: HackerDefender, a user-mode rootkit for Windows that was the third most prevalent malware in August, dropped out of the top 10 altogether.

The most popular malware used to attack organizations’ mobile devices, meanwhile, was Triada, a backdoor for Android which grants superuser privileges to downloaded malware and helps it to get embedded into system processes. Triada was followed by Hiddad, an Android malware which repackages legitimate apps, and Lotoor, a hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.

Check Point’s Global Threat Impact Index is a result of the analysis of more than 11 million malware signatures and over 5.5 million infected websites.

Source: Information Security Magazine

Cyberbullying on the Rise for Schoolkids

A cyberbullying study, which surveyed American parents and K-12 school IT professionals, found that 35.3% of IT professionals surveyed say they believe cyberbullying incidents will increase in the 2017-2018 school year.

The study, conducted by Lightspeed Systems to raise awareness of the issue of cyberbullying in schools and how access to technology affects today’s youth, indicated that a rise in school cyberbullying incidents can be observed over a longer period of time as well: More than half (55.9%) of those surveyed say that bullying is happening more frequently at their schools than it did just five years ago.

According to survey results, the majority of parents and IT professionals agree that the ultimate responsibility to stop cyberbullying in schools falls upon parents. However, 59.5% of parents said school administration, teachers and school IT staff are responsible for halting incidents of cyberbullying. Many IT professionals (26.5%) said stopping cyberbullying requires a group effort by parents, teachers, other school staff and students. Seventy-seven percent of parents said they have talked with their children about cyberbullying.

Additionally, more than a quarter of the K-12 IT professionals surveyed say cyberbullying happens frequently in their schools.

“Helping school IT departments keep children safe in their digital learning journeys is a goal of every solution that Lightspeed Systems develops,” said Lightspeed president and CEO Brian Thomas. “Every school has challenges related to cyberbullying and it’s our objective to provide smart products that keep children safe and on-track while they learn.”

The news comes as across the pond, the UK government is addressing the issue: Britain plans to become the safest place in the world to be online thanks to new government proposals announced by culture secretary Karen Bradley.

As detailed on the UK government’s website, the Internet Safety Strategy aims to crack down on dangers like cyber-bullying, trolling and under-age access to porn. Proposals include a new social media code of practice to see a joined-up approach to remove or address bullying, intimidating or humiliating online content, an industry-wide levy so social media companies and communication service providers contribute to raise awareness and counter internet harms, and an annual internet safety transparency report to show progress on addressing abusive and harmful content and conduct.

Source: Information Security Magazine

Phishing Gambit Tailors Malware to Location

A recent malicious payload delivery has been uncovered, tailored by geographic location. It’s a tactic not commonly used by attackers.

According to PhishMe analysis, on September 28 threat actors used a phishing narrative that claimed to deliver a scanned document needing the recipient's attention. Attached to the message was a .7z archive containing a malicious VBScript application tasked with obtaining and running the Locky ransomware or the TrickBot banking trojan. What was unique in this campaign is that before executing the intended payload, the VBScript determines where the target is located.

Depending upon the location of the target, different malware is delivered. The script delivers the TrickBot malware to targets in Great Britain, United Kingdom, Australia, Luxembourg, Belgium and Ireland; targets outside those locations receive the Locky ransomware.

It is not uncommon for threat actors to deploy malicious payloads from multiple malware families during a single phishing campaign. These malware tools may include ransomware, a financial crimes trojan, or other botnet malware. However, it is not as common for those attackers to deploy different malware tools based upon the geographic location of their victim.

“By using different tools, attackers open up multiple fronts where network defenders and information security professionals are presented with multiple potential threats to address at the same time,” PhishMe researchers said in a blog. “Without the help of sufficient context, [this] could create a scenario that puts network defenders at a disadvantage.”

To wit: by employing a geographically based approach to malware delivery, the attackers force enterprise security professionals, especially those supporting multinational organizations, to formulate a response strategy that may vary from region to region. This adds an additional level of complexity, as defenders must devise a security plan for each region of operation.

“Involving actionable intelligence in the response planning phase can simplify this effort,” the researchers said. “By understanding the options for malware delivery, security professionals can realistically assess their options for defense and mitigation. Regardless of the malware payload, it is crucial for organizations to develop a plan to address and respond to a potential attack against network infrastructure.”

Source: Information Security Magazine

Hundreds of Fake iPhone Accounts Spread Social Scams

Security experts have warned users not to fall for scams and malicious content being spread by hundreds of fake iPhone social media accounts set up to capitalize on Apple’s latest smartphone release.

ZeroFOX claimed its filters have detected a whopping 532 fraudulent accounts aimed at spreading malicious links, urging users to hand over personal information, and share content.

PII harvesting is one of the most common tactics, providing hackers with enough info to hack users’ accounts or commit follow-on fraud.

“Dozens of these sites had similar redirect chains: first directing a user to a blog site, then redirecting to a fake survey which prompts users to enter personal details in order to claim their ‘free iPhone’,” explained ZeroFOX.

“For an attacker, social media can be abused to create a variety of accounts to promote the same payload, increasing the surface area and total exposure of the attack. Moreover, linking and commenting between accounts can make them appear more trustworthy from the perspective of would-be victims.”

The promise of free iPhones is also being used to lure victims into clicking on malicious links, the firm warned.

So-called “fame farming” was highlighted as yet another social media scam to be aware of. Typically, fraudsters will create fake accounts purporting to represent major brands, so they can quickly amass large numbers of followers, likes and shares.

Once the fraudulent account has reached a certain level of popularity, it can be used to launch attacks and other scams or could even be sold on the cybercrime underground, according to ZeroFOX.

These new threats aren’t particularly revolutionary, but the high price tag of the new iPhone 8/X models coupled with the trustworthiness of Apple’s brand make them particularly dangerous to unwary netizens, the firm concluded.

It urged users to switch on two-factor authentication for social accounts, ensure AV is up to date on all devices, beware of unverified accounts, and avoid downloading apps or files from social media.

Source: Information Security Magazine

Hyatt Suffers Second Card Data Breach in Two Years

Hotel giant Hyatt is warning its customers around the world that their payment data may have been compromised in another breach at the company, its second in two years.

The firm’s security team identified unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18 and July 2 this year.

The data stolen included cardholder name, card number, expiration date and internal verification code, but no additional personal information, according to a statement penned by global president of operations, Chuck Floyd.

There’s no indication of how many customers were affected, although Hyatt claims it is only a “small percentage” of those who visited during the period.

The breach affected 41 facilities across 11 countries: the US, Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia and South Korea.

Floyd continued:

“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.”

Hyatt suffered a similar breach back in 2015, although that time it affected 250 hotels in over 50 countries worldwide.

“We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future,” Floyd said at the time.

That hasn’t prevented him from repeating the same line this time around.

“As a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide,” he said in the new statement this week.

John Christly, global CISO of Netsurion and EventTracker and member of the PCI SSC, argued that hackers are specifically targeting hotels running certain POS systems.

“These are often integrated POS environments running applications that are not as secure as modern, hardened payment terminals designed to capture and encrypt payment data. Hotel systems send the data to the back office instead of directly to the payment processor, adding an additional step that creates weakness in the hotel POS system,” he explained.

“In addition, there are large volumes of payment card transactions between restaurants, on-site shops, spas, parking, and the front-desk, ensuring there is plenty of customer data for a hacker to compromise.”

Christly urged hotels to maintain PCI compliance, train employees well, install AV on every device and integrate a managed SIEM in order to better protect customer data.

Source: Information Security Magazine

Equifax in Trouble Again After Site Displays Malicious Content

Equifax has been left red-faced again after its website began displaying malicious content stemming from third party vendor code.

Reports started to emerge over the past day or so that users clicking through on the main Equifax.com site were being presented with a scam Adobe Flash update page with a centerbluray.info URL.

The domain is detected only by Google and Malwarebytes as malicious.

Clicking on said update would infect the user’s computer with adware, currently only detected by three out of 65 AV firms on VirusTotal: Panda, Symantec and Webroot.

A statement Equifax sent to researcher Kevin Beaumont revealed the problem was down to a third-party partner:

“Despite early media reports Equifax can confirm that its systems were not compromised and that the reported issue did not affect our consumer online dispute portal.

"The issue involves a third party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.”

Although this incident turned out to be a supply chain hack on a partner, it threatens to further damage the reputation of the under-fire credit reporting agency, which was breached earlier this year in an incident that compromised the highly sensitive records of 145.5 million Americans and 700,000 Brits.

The incident should drive home the importance to organizations of due diligence on partners and regular scanning/testing of all web properties.

In related news, a US Republican congressman has introduced new legislation which would require credit agencies to stop using Social Security numbers by 2020.

White House cybersecurity coordinator, Rob Joyce, is known to favor replacing the identifiers altogether, perhaps with a modern cryptographic version.

Source: Information Security Magazine