July 25, 2017
You know what aren’t “sexy” for security researchers? Mainframes.
These high-performance systems, typically designed for large-scale computing, are the last bastion of security testing and research because they are generally considered to be the most secure platform on Earth. It’s why these systems are at the heart of almost every critical transaction that ordinary people rely on every day — including bank wire transfers and ATM transactions, booking flights, and handling millions of payments at retail outlets around the world.
But what doesn’t help the appeal is that mainframes are notoriously difficult to get access to, making security testing difficult, if not impossible.
Ayoub Elaassal, a security auditor at consulting firm Wavestone, was one of the lucky few who were able to access a mainframe for an audit. It was running z/OS, a specialized operating system built by IBM for its z Series machines.
It didn’t take him too long to find a vulnerability that, if exploited, could have given him root access to a mainframe and its vital, sensitive data.
July 20, 2017
An advanced hacking and cyberespionage campaign against high-value targets has returned.
The so-called ‘DarkHotel’ group has been active for over a decade, with a signature brand of cybercrime that targets business travellers with malware attacks, using the Wi-Fi in luxury hotels across the globe.
Hotel Wi-Fi hotspots are compromised in order to help deliver the payload to the selected pool of victims. The exact methods of compromise remain uncertain, but cybersecurity experts believe it involves attackers remotely exploiting vulnerabilities in server software or infiltrating the hotel and gaining physical access to the machines.
Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.
But now the actors behind DarkHotel have changed tactics again, using a new form of malware known as Inexsmar to attack political targets. Researchers at Bitdefender — who’ve analysed the malware strain — have linked the Inexsmar campaign to DarkHotel because of similarities with payloads delivered by previous campaigns.
July 20, 2017
A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack.
Researchers at IoT security firm Senrio discovered the Devil’s Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. The bug occurs when sending a large XML file to a vulnerable system’s web server.
The flaw itself lies in gSOAP, an open source web services code library maintained by Genivia, which is imported by the Axis camera’s remote configuration service. Senrio researchers were able to use the flaw to continually reboot the camera or change network settings and block the owner from viewing the video feed.
They were also able to reset the camera to factory default, which prompts for new credentials and lets the attacker set them, giving them exclusive access to the camera feed.
July 18, 2017
Google is adding a set of features to its security roster to prevent a second run of last month’s massive phishing attack.
The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk.
This so-called “unverified app” screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen.
Some existing apps will also have to go through the same verification process as new apps, Google said.
Google also said it will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs.
July 7, 2017
A newly uncovered form of Android malware aims to steal data from over 40 popular apps including Facebook, WhatsApp, Skype and Firefox – and the trojan has been actively engaging in this illicit activity for almost two years.
Dubbed SpyDealer by the Palo Alto Networks researchers who discovered it, the malware harvests vast amounts of personal information about compromised users, including phone numbers, messages, contacts, call history, connected wi-fi information and even the location of the device.
The espionage capabilities of the trojan also enable it to record phone calls and videos, along with surrounding audio and video, take photos with both front and rear cameras, take screenshots of sensitive information and monitor the device’s location at all times.
Described as an advanced form of Android malware, SpyDealer is able to open a backdoor onto compromised devices by abusing a commercially available Android accessibility service feature in order to root phones and obtain superuser privileges.
June 30, 2017
NEW YORK, NY — US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.
The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.
The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania.
The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests.
But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.
The revelation was buried in the US Courts’ annual wiretap report, published earlier this week but largely overlooked.
June 29, 2017
Facebook has a fleet of low-paid contractors who are tasked with investigating possible connections with terrorism on its site.
The key takeaway: Moderators are granted “full access” to any account once it’s been flagged by the social network’s algorithms, which are looking for details or connections that might suggest a terror link. Moderators can track a person’s location and read their private messages.
The news comes from The Guardian, just days after Facebook chief executive Mark Zuckerberg announced the social network now has two billion users.
“The counter-terrorism unit has special clearance to carry out investigations into user accounts if they are suspected of having links to terrorist groups identified by the US State Department,” says the report. “Moderators will then access the individual’s private messages, see who they are talking to and what they are saying, and view where they have been.”
June 29, 2017
Victims of this week’s Petya outbreak are being given one more reason to not pay up — the malware is not able to restore files.
Researchers from Comae Technologies and Kaspersky Lab have independently arrived at the same conclusion that Petya is a wiper, not ransomware.
Anton Ivanov and Orkhan Mamedov of Kaspersky Lab said the malware is meant to disguise itself as ransomware, and the “installation key” the user is shown on a Petya ransom note is merely randomised data.
“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” the pair said.
“What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”
June 27, 2017
Tuesday saw a second major cyberattack in as many months, affecting several countries and dozens of major companies — and that’s just the start.
Some of the dust has settled throughout the day. Here’s what you need to know, now.
- THE SAME ATTACK — BUT DIFFERENT
If you thought this was similar to last month’s WannaCry ransomware attack, you’d be right.
Just like last time, the unknown attacker used a backdoor exploit developed by the National Security Agency, EternalBlue, which leaked some months ago. The attacker installed the backdoor on thousands of computers, later used as a delivery vehicle for a ransomware payload.
June 27, 2017
A number of firms around the world are reporting that they have been impacted by a major cyber attack which the UK’s cyber security agency is describing as a “global ransomware incident.”
Many of the initial reports of organisations affected came from Ukraine, including banks, energy companies and even Kiev’s main airport. But since then more incidents have been reported across Europe, indicating the incident is affecting more organisations more widely.
The National Bank of Ukraine said it has been hit by an “unknown virus” and is having difficulty providing customer services and banking operations as a result, while Kiev’s Boryspil International airport is also understood to be suffering from some kind of cyber attack. Even the radiation monitoring facility at the Chernobyl nuclear power plant has been hit.
Ukraine’s Interior Ministry has already called the cyberattack the biggest in Ukraine’s history.