Category: Cybersecurity News

Latest Python Ransomware Threat Identified

Safety scientists at Trend Micro have found a new Python ransomware threat that takes credit on the achievement of Locky ransomware. The threat actors behind the ransomware have mimicked the ransom note utilized by the gang accountable for Locky. The ransomware note declares files have been encrypted by Locky Locker. Trend Micro have instead named this new ransomware threat PyLocky.

Python is a common script-writing language, even though it is not usually used for generating ransomware. There have been remarkable exclusions such as CryPy and Pyl33t which were issued in 2016 and 2017 respectively.

What makes the latest Python ransomware variation to be prominent is its anti-machine learning abilities. PyLocky unites the Inno Setup installer and PyInstaller which makes it tougher to recognize the threat utilizing static analysis techniques and machine learning-based cybersecurity solutions. Trend Micro notices that similar methods have been used in certain Cerber ransomware variations.

Pylocky ransomware was first seen in electronic mail spam campaigns carried out in July. The campaigns were targeted and comparatively small, although all through July and August, the scale of the campaigns has risen. At first, the spam electronic mail campaigns were mainly transmitted in France and Germany, even though by the end of August it was French companies that were mainly targeted with France accounting for 63.5% of attacks. A quarter of attacks were carried out in Germany, and 7.5% of attacks were carried out in New Caledonia. Variations of the ransom note have been written in English, Italian and Korean, showing the attacks may spread to other areas in the near future.

The spam electronic mails utilized to dispense PyLocky are different and use social engineering methods to get end users to visit a malevolent URL where a .zip file having the PyLocky executable file is downloaded.

If that file is run, PyLocky will hunt for files on all logical drives and will encrypt over 150 different file kinds including images files, audio files, Office documents, databases, game files, archives, video files and system files. Files are encrypted utilizing the triple-DES cipher and the original files are overwritten. As an anti-sandbox safety, PyLocky will sleep for 999,999 seconds if the system has a total memory size of less than 4GB.

There is no free decryptor available that will open files encrypted by PyLocky. Recovery without paying the ransom is only possible by reestablishing files from backups.

New Brazilian Banking Trojan Hides in Plain Sight

An advanced new Brazilian banking Trojan has been found by safety scientists at IBM X-Force. The Trojan has been titled CamuBot because of its use of concealment to fool workers into running the installer for the malware. Like with other banking Trojans, its aim is to get bank account identifications, even though its method of doing so is different from most of the banking Trojans presently used by threat actors in Brazil.

Most banking Trojans are silent. They are silently connected out of sight, oftentimes through PowerShell scripts or Word macros in malevolent electronic mail attachments. In contrast, CamuBot is very visible.

The cheat begins with the attackers doing some reconnaissance to identify companies that use a particular bank. Workers are then identified who are likely to have access to the firm’s bank account particulars. Those people are got in touch with by telephone and the attacker pretends to be a worker at their bank carrying out a regular safety check.

The workers are directed to visit a specific URL and a scan is carried out to decide whether they have the latest security module installed on their computer. The fake scan returns a result that they have out-of-date safety software and they are told to download a new safety module to make sure all online banking dealings remain safe.

When the safety module is downloaded and executed, a standard installer is shown. The installer contains the bank’s logos and accurate imaging to make it seem genuine. The user is directed to shut down all running programs on their computer and run the installer, which directs them through the installation procedure. During that procedure, the installer generates two files in the %Program Data% folder, determines a proxy module, and adds itself to firewall regulations and antivirus software as a confidential application.

The SSH-based SOCKS proxy is then loaded and establishes port forwarding to generate a tunnel linking the appliance to the attacker’s server. As per IBM X-Force, “The tunnel permits attackers to direct their own traffic via the infected machine and use the victim’s IP address when accessing the compromised bank account.”

The installer then leaves and a popup screen is opened which guides the user to what seems to be the bank’s online portal where they are required to enter their banking identifications. Nevertheless, the site they are directed to is a phishing website that transmits the account details to the attacker.

As soon as the banking identifications have been obtained and their account can be accessed, the attacker verifies that the installation has been successful and ends the call. The victims will be unaware that they have given complete control of their bank account to the attacker.

Some users will have additional verification controls in place, such as an appliance linked to their computer that is required in order for account access to be allowed. In such instances, the attacker will advise the end user that an additional software installation is needed. The malware used in the attack can fetch and connect a driver for that appliance. The attacker tells the end user to run an additional program. When that procedure is finished, the attacker is able to intercept one-time codes sent to that appliance from the bank as part of the verification procedure.

A transaction is then tried, which is tunneled through the user’s IP address to make the transaction seem genuine to the bank. IBM X-Force notes that this attack method also permits the attackers to evade the biometric verification procedure.

Zero-Day Windows Task Scheduler Vulnerability Exploited by Threat Group

On August 27, a safety scientist with the online moniker SandboxEscaper found a zero-day weakness in Windows Task Scheduler (Windows 7-10) and issued a proof-of-concept exploit for the fault on GitHub. Microsoft was not alerted to the fault and was not given time to issue a solution to avoid the fault from being abused.

Obviously, the exploit is now being used by at least one hacking group to attack companies. Cybersecurity company ESET reports that a new threat group named PowerPool has been carrying out targeted attacks using the backdoor.

The fault is present in the Advanced Local Procedure Call (ALPC) of Windows Task Scheduler. If local access to an appliance is gained, it is possible to elevate rights to SYSTEM level by overwriting certain files which are not safeguarded by filesystem access control lists.

Microsoft has not yet rectified the fault – and will likely not do so until Patch Tuesday on September 11 – even though Acros Security has issued a micropatch that will block the fault from being abused. Even though the micropatch has been available for numerous days, many companies have decided to wait until Microsoft solves the problem and remain susceptible to attack.

ESET telemetry data indicates the PowePool group has already carried out attacks using a tad altered type of the proof-of-concept exploit, which was recompiled from the source code published on GitHub. Attacks have been noticed in the US, Russia, India, Ukraine, Chile, Poland, Germany, UK, and the Philippines.

In the assaults, the group uses the exploit to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe to give its malware important consents on systems. According to a latest ESET report, the first stage of the attack involves offering the malware through electronic mail in a spam campaign that utilizes Symbolic Link (.slk) file attachments. The spam electronic mails are part of a targeted spear-phishing campaign, with the electronic mail attachment disguised as an invoice.

The first phase of the malware is used for reconnaissance to identify systems of interest that are worthy of a more wide-ranging compromise. If the system is of interest, the malware downloads an added module that is capable of carrying out commands on a compromised system, can download more files, upload data to the attacker’s C2 server, and can halt processes running on an infected appliance.

ESET notes that the second phase of the malware downloads a range of genuine tools which support the attackers to move laterally on the network and compromise additional appliances.

The published exploit has now been included in the attackers’ arsenal and is being utilized to increase privileges on a compromised system.  The exploit was utilized within 48 hours of it being circulated on GitHub. This is a typical example of what occurs when details of vulnerabilities are disclosed outside a coordinated disclosure procedure.

Huge URL Deception Campaign Discovered Targeting 76 Universities

A huge URL deceiving campaign targeting at 76 universities in 14 countries has been found by safety students at SecureWorks.

The threat group called Cobalt Dickens is supposed to be behind the attack. The group is supposed to work out of Iran and is well known for carrying out these sorts of attacks.

The latest campaign has seen the hacking group generate over 300 deceived websites on sixteen domains. Hosted on those websites are bogus login pages for 76 universities, mainly in the United States, but also in universities in Canada, Australia, China, Israel, Japan, Switzerland, Turkey, South Africa, Italy, Germany, the Netherlands, Malaysia, and the UK.

When people are deceived into visiting the bogus login pages and enter their identifications, they are redirected to the genuine university website where they are logged in to a lawful session automatically. They will be unaware that their login identifications have been stolen. The stolen identifications are then used to gain access to the online library systems of universities and intellectual property is stolen.

Universities are appealing targets for cybercriminals. Attacks on financial organizations provide more immediate profit and healthcare companies keep large quantities of valuable data that can easily be sold to identity thieves. Nevertheless, attacks on those companies are more difficult and time-consuming as they normally have more improved cybersecurity protections.

It is much harder to secure university networks and weaknesses often exist which can be easily abused. Universities are therefore seen as easy targets. Attacks can also be very lucrative. Universities often have prized intellectual property which has not yet been commercialized. The information can give companies a substantial competitive advantage.

SecureWorks has issued indicators for the threat and a list of domains that are known to be used by the attackers. Those domains and IP addresses must be obstructed through a router, firewall, or web filter to avoid users from accessing the fake login pages.

The use of 2-factor verification is also strongly suggested. While not infallible, 2-factor verification is an important safety control that can avoid illegal people from gaining access to online resources when login identifications are stolen.  Without the second verification factor, access will be disallowed.

Micropatch Obstructs Zero-Day Vulnerability in Windows Task Scheduler

On August 29, 2018, a proof-of-concept use for a zero-day vulnerability in Windows Task Scheduler was published on GitHub by a safety researcher.

The vulnerability had not earlier been disclosed to Microsoft, and therefore, no repair has been released to tackle the fault. If misused, a malevolent actor might elevate consents of malevolent code running on a compromised appliance from guest or user level to administrator level with complete system access.

The fault is not likely to be tackled by Microsoft before September Patch, even though the cybersecurity company Acros Security has created a workaround – a micropatch – that avoids the abuse of the vulnerability. The repair will safeguard weak 64-bit Windows types until Microsoft issues a repair to rectify the fault.

The abuse for the zero-day vulnerability in Windows Task Scheduler was only verified to work on 64-bit types of Windows. Nevertheless, two safety scientists proposed the abuse might be tweaked to work on 32-bit Windows types. Those tweaks are comparatively minor.  32-bit Windows types are therefore also weak and will likely remain so until Microsoft tackles the problem.

The micropatch was made available for 64-bit Windows 10 v1803 types on August 30, 2018 with a micropatch for Windows Server 2016 released the next day together with detailed information regarding how the repair avoids the vulnerability from being abused. The source code has also been released.

Businesses need to connect the micropatch through the opatch Agent client. By providing the source code, businesses are able to apply the repair to their systems without using the opatch agent.

Even though the zero-day has been publicly available for many days, there are no reports of the vulnerability being used by threat actors in the wild. Nevertheless, that is not likely to remain the case for long. It is therefore strongly desirable to apply the micropatch to avoid abuse of the flaw. Microsoft must release an official repair in its September 11, 2018 round of updates.

Ransomware Attacks Slow down as Cryptocurrency Mining Proves More Lucrative

Ransomware Attacks Slow down as Cryptocurrency Mining Proves More Lucrative

Throughout the previous two years, ransomware has been preferred by cybercriminals as it offered an easy method to make money. Campaigns might easily be carried out through spam electronic mail, and for many people, it wasn’t even necessary to create the malware from scratch. Ransomware-as-a-service permitted campaigns to be carried out for a 60% cut of the profits earned with no programming experience needed.

Although some threat actors are still using ransomware in spray and pray promotions or more targeted attacks, there has been a clear change toward the use of cryptocurrency mining malware. Cryptocurrency mining malware is used in lieu of ransomware because it is more lucrative. The quantity of new ransomware families found was 26% lower in the first half of 2018 compared to the second half of 2017.

The reputation of cryptocurrency mining malware – or cryptojacking attacks as they are also called – has been verified by Trend Micro in its Midyear Safety Roundup statement. Cryptocurrency mining activity findings nearly doubled in the first half of 2018 compared to the second half of 2017, increasing by 96%. Cryptocurrency mining findings in the first half of 2018 were 956% higher than in the first half of 2017. 47 new families of cryptocurrency mining malware were identified in the first half of 2018.

The statement records the altering methods used by cybercriminals to introduce the malware or drive traffic to sites that have cryptocurrency mining code set up. Those tricks include malvertising campaigns, Ad additions into websites by the Droidclub botnet, adware downloaders, the use of web miner writings in the AOL ad platform, misuse of vulnerabilities like CVE-2017-10271, and downloads through exploit kits.

A ransomware virus can prove very expensive for companies in terms of network downtime and interruption to companies’ procedures while systems are reconstructed and data are recuperated from backups. The expenses linked with cryptojacking are often lesser by comparison, however, the attacks are still expensive. Networks are decelerated which has an effect on production, energy charges rise, hardware can be worn down, or in some instances, permanent harm can be caused.

Cybercriminals are continuously changing methods and are exploring for the simplest method to make money. As the value of cryptocurrencies has risen, and safeguards against ransomware improved by firms, tricks have altered consequently. Trend Micro notes in the statement that business leaders should keep abreast of changing tricks and make sure they have adequate safeguards in place to protect against new attack techniques.

The cybersecurity company has also issued an alert to important infrastructure firms. The number of SCADA vulnerabilities identified by Trend Micro has doubled in the space of a year, with most of those vulnerabilities in human-machine interface (HMI) software. Further, cybercriminals have shifted from reconnaissance to actively abusing those vulnerabilities.

AdvisorsBot Malware Utilized in Targeted Attacks on Restaurants and Hotels

Security scientists at Proofpoint have found a new malware danger that is being used in targeted attacks on restaurants, hotels, and telecom companies. AdvisorsBot malware, so called since its C&C servers comprise the word advisors, was first noticed in May 2018 in a range of spam electronic mail promotions.

AdvisorsBot malware is under development even though the existing form of the malware has been used in several attacks all over the world, although the majority of those attacks have been carried out in the United States. The spam campaigns are thought to be carried out by a threat actor known to Proofpoint scientists as TA555.

AdvisorsBot isn’t linked to Marap malware, even though it operates in a similar way in that the malware is a first-stage payload which is utilized to fingerprint the sufferer and identify whether the aim is of interest and worthwhile of a more broad compromise. Proofpoint notices that these malware variations are two instances of a rising tendency of extremely versatile modular malware that can be utilized in a range of different strikes.

AdvisorsBot malware is written in C, even though another type of malware has been recognized that has been written using PowerShell with a .NET DLL in the PowerShell script. This type of the malware, which has been called PoshAdvisor, and runs in the memory without writing any data to the disk.

The scientists note that these malware variations have several anti-analysis characteristics and can identify a range of different malware analysis tools and can decide if they are running on a virtual machine. If on a VM or malware analysis tools are noticed, the malware exits.

The spam electronic mails used to provide the malware comprise a Word attachment with a macro that, if permitted to run, performs a PowerShell command that downloads a PowerShell script that performs inserted shellcode that runs AdvisorsBot.

Three different electronic mail lures have been found, each of which aims a particular industrial sector. Although the campaign seems to be targeted, electronic mails have been sent to targets unconnected to the content of the electronic mails which indicates a more haphazard distribution of the electronic mails.

Hotels are being targeted with a message that claims to have been sent by one who has earlier remained at the hotel and has been charged two times for the stay. The electronic mail attachment seems to be a bank statement displaying the double charge.

The electronic mails targeting restaurants claim that the sender of the electronic mail visited the restaurant and experienced complicated, dangerous food poisoning. The electronic mail attachment has details of disease and the opinion of a doctor, together with a warning of legal action.

The electronic mails targeting telecom companies claim to be a resume sent in a speculative application for work.

New Crucial Apache Struts Vulnerability Found

A new Apache Struts vulnerability has been found in the main functionality of Apache Struts. This is a serious vulnerability that lets distant code execution in certain configurations of the framework. The vulnerability might prove more serious than the one that was abused in the Experian hack in 2017.

Apache Struts is an open source framework utilized in several Java-based web applications. It has been approximated that at least 65% of Fortune 500 firms use Struts to some extent in their web applications.

The vulnerability was known by safety scientist Man Yue Mo of Semmle and is being followed as CVE-2018-11776. Semmle unveiled the vulnerability to the Apache Foundation and the timing of publication of the vulnerability matches with the release of a patch to repair the vulnerability.

The possibility for abuse is limited by the fact that only certain configurations of Apache Struts are susceptible to attack. While these configurations are not likely to be set by the bulk of companies, they are far from unusual.

The Apache Foundation has released particulars of the configurations that are susceptible:

  • When the alwaysSelectFullNamespace flag is set to true, which is the default configuration using the Struts Convention plug-in.
  • When the Struts configuration file of an application has “a <action …> tag that does not identify the optional namespace attribute or specifies a wildcard namespace (e.g. “/*”)”.

Now that the vulnerability has been unveiled it is necessary for all companies to update vulnerable versions of Struts as a priority. The vulnerability is present in all supported versions of Apache Struts 2. Users of Struts 2.3 have been advised to upgrade to 2.3.35 and users of 2.5 must upgrade to 2.5.17.

As Semmle noted in an August 22 blog post, earlier vulnerabilities in Apache Struts have led to exploits being developed within a day of the announcement being made of a vulnerability.

It is possible that targets can be easily identified and attacks are unavoidable. As the Experian hack indicated, the failure to tackle Struts weaknesses can prove extremely damaging.

Necurs Botnet Now Dispersing Marap Malware

The Necurs botnet is being utilized to transmit huge quantities of spam electronic mails having Marap malware. Marap malware is presently being utilized for reconnaissance and learning about sufferers. The aim seems to be the creation of a system of infected users that can be targeted in future attacks.

The malware generates an exclusive impression for each infected appliance, contacts its C2 server, and transmits information concerning the sufferer’s system to the attackers including username, operating system, language, country, IP address, domain name, hostname, installed anti-virus software, and details of Microsoft Outlook OST files.

The malware has some basic anti-analysis characteristics and can find when it has been installed on a virtual machine and contains measures to obstruct debugging and sandboxing.

Marap malware is modular and can easily be updated with additional modules post-infection to provide increased functionality. It helps as a malware dropper that can be used to provide many different payloads, even though it is presently unclear what those payloads will be.

The malspam campaign was discovered by safety scientists at Proofpoint who say it involves millions of emails. Marap malware is delivered using a range of different electronic mail attachments, with Microsoft Excel Web Query files (IQY) preferred. The messages have iqy files as attachments, or they are incorporated in PDF files and password-protected ZIP files. Standard Microsoft Word documents with malevolent macros are also being transmitted.

The spam campaign includes a range of different electronic mail subjects and messages including sales requests, important banking documents, invoices, and simple electronic mails just containing malevolent PDF files and ZIP file attachments.

Proofpoint notes that there has been a surge in these flexible malware variations in recent months as threat actors move away from ransomware and ‘noisy’ malware that are easy to notice. In its place, downloaders, for example, Marap malware gives attackers the flexibility to introduce a variety of different attacks and carry out a recce to identify systems that deserve a more significant compromise.

Free Decryptor for Fileslocker Ransomware Created After Master Key Leaked

A free decryptor for Fileslocker ransomware has been created after the leaking of the master key for the ransomware on Pastebin.

The master key is the key utilized by threat actors to decrypt files that have been encoded by the ransomware. The post was generated on December 29, 2018, and states that the master key, which decrypts the secret key, is “relevant to V1, V2 version” and that the poster is “waiting for safety personnel to create decryption tools.”

A free decryptor for Fileslocker ransomware was created by Michael Gillespie, the inventor of MalwareHunterTeams’ ID Ransomware – A tool that can be utilized to decide what ransomware variation has been utilized to encrypt files.

Interestingly, a new Christmas-themed type of Fileslocker ransomware was released in late December which encrypted files and modified the Desktop wallpaper to a Christmassy background. Moreover, the browser on an infected appliance was opened and the Pastebin decryption key was shown.

In order for the free decryptor for Fileslocker ransomware to operate, a victim should upload the ransomware note from the Desktop. The ransom note has the encrypted decryption key, which is unlocked using the newly developed master key-based decryptor.

Filerlocker ransomware is a ransomware-as-a-service offering that is typically distributed by partners who get a cut of the profits from any ransom payments they make from distributing the ransomware. What is not understood is why the master key was released.

The Pastebin posting provides a hint. It finishes with the expression “The end is just the beginning,” which indicates that Fileslocker ransomware is no more and the group at the rear of the ransomware is moving on to other tasks. This is not unusual. When ransomware variations are retired, the master keys are often issued online. What the threat group moves onto subsequent is anyone’s guess, but for now, at least, any persons who are infected with Fileslocker ransomware will be able to decrypt their files for free of charge.

If you have been infected with Fileslocker ransomware, you can find out how to decrypt files free on this link.

Tribune Publishing Cyberattack Cripples Many U.S. Newspapers

A fresh malware attack on Tribune Publishing has caused interruption to many newspaper print runs including those of the Los Angeles Times, San Diego Tribune, and the west coast editions of the New York Times and Wall Street Journal, among others. The Tribune Publishing cyberattack happened on Thursday, December 28, 2018, and spread all over the Tribune Publishing system on Friday, disturbing the Saturday publications of a number of newspapers that shared the same production platform.

At the outset, the interruption was attributed to a computer failure, even though the LA Times later verified it had suffered a malware attack carried out by threat actors outside the United States. The Tribune Publishing cyberattack didn’t lead to any subscriber or promoter data being accessed and is supposed to have been carried out either to intentionally cause interruption or in an attempt to extract money from Tribune Publishing.

Although the malware variant used in the attack has not been formally verified, numerous sources at the affected newspaper informed the LA Times that the attack included Ryuk ransomware, which was recognized by the extension added to encrypted files: .ryk.

Scientists at Check Point had earlier examined Ryuk ransomware and found it shares some of its source code with Hermes ransomware. The latter had been attributed to an APT danger actor called the Lazarus group: A hacking group with strong relations to North Korea.

Although it is possible that the Lazarus group has carried out the attack specially to cause interruption to News outlets, the attack might similarly have been executed by an actor who has acquired the source code to Ryuk ransomware, or the closely linked Hermes ransomware.

Ryuk ransomware first surfaced in the summer of 2018 and has been used in numerous campaigns targeting companies in the United States. Those attacks seem to have been financially inspired.

Not all agree that Lazarus is behind Ryuk ransomware. Symantec proposes that Ryuk ransomware has been dispersed by the group behind the Emotet banking Trojan and CrowdStrike has attributed Ryuk ransomware to a crime group in Eastern Europe known as Grim Spider.

It’s also presently unclear how the ransomware was connected. Ryuk ransomware campaigns earlier this year have included malspam (phishing) electronic mails. The use of RDP-based methods to connect the malware, such as the use of stolen identifications or brute force RDP attacks is also a probability. IT teams have been working round-the-clock to remediate the Tribune Publishing cyberattack. Production resumed to usual in time for the Sunday publications of the affected papers. It is unclear if the ransom was paid.

FTC Issues Warning Concerning New Netflix Phishing Scam

The U.S. Federal Trade Commission has circulated a warning about a new international Netflix phishing cheat that tries to deceive Netflix subscribers into revealing their account identifications and payment information. The cheat uses a tried and tested method to get that information: The warning of account closure because of payment information being out of date.

Users are transmitted a message requesting them to update their payment details since Netflix has experienced difficulties getting the monthly subscription payment. The user is provided with an “Update Account Now” button which they can click to insert their accurate banking/card information. Nevertheless, clicking the link will not guide the user to the official Netflix site, instead, they will be taken to a web page on a site operated by the scammer. On that site, Netflix login identifications will be harvested together with the banking information entered by subscribers.

The latest campaign was recognized by the Ohio Police Division, which shared a copy of the phishing electronic mail on Twitter. The FTC also issued a warning about the new Netflix phishing cheat in the latest blog post.

Image Source: Ohio Police via FTC

As you can see from the picture, the message appears official as it has the Netflix logo and color scheme. The message also strongly looks like official electronic mail communications often sent by Netflix. Nevertheless, there are tell-tale indications that the electronic mail is not what it appears. Netflix is naturally conscious who their subscribers are and addresses electronic mails to users by their first name. In this electronic mail, the message starts with “Hi Dear.”

Less visible is the hyperlink, however it is something that is fairly easy to check by hovering the mouse arrow over the button. That will show the actual URL, which is not the official Netflix website. One more indication is the phone number on the electronic mail is a U.S. number, which for any person based in another country would be extremely doubtful.

If the link is clicked, the page the user is directed to appears official and is nearly indistinguishable from the actual site, even though if a user checks the URL it will verify they are not on the actual Netflix site for their country.

All of these warning indications must be identified by users, but several people fail to cautiously check messages before clicking. To avoid phishing cheats such as this, make certain you carefully check all electronic mail messages before replying and if ever you receive an electronic mail containing any warning, visit the authorized URL for the firm directly by entering in the website directly into the browser instead of clicking a link in an electronic mail.

Orange Livebox Modems Revealing WiFi Information

Hackers are abusing a fault (CVE-2018-20377) in Orange Livebox ASDL modems that let them get the SSID and the Wi-Fi password of the appliances in plaintext. As soon as access is gained to a weak modem, attackers could update the firmware and alter device settings. Abusing the vulnerability is as easy as sending a GET request.

The vulnerability was identified by Troy Mursch at Bad Packets, who noted the company’s honeypots were being scanned with GET requests in the run-up to Christmas.  The images were part of targeted attacks on Orange LiveBox ASDL modems, which are utilized by Orange Espana to provide a consumer Internet facility.

Identifying the appliances is a swift and easy procedure. A search can be carried out on the search engine Shodan. A rapid search by Mursch demonstrated there are presently 19,490 of the vulnerable modems in use. Additional 2,018 modems were not leaking data but were exposed to the Internet.

As soon as identified, an attacker only requires to send a GET request to “/get_getnetworkconf.cgi to get plaintext SSIDs and WiFi passwords. An attacker can also see the phone number of the client and the MAC addresses and names of all related clients. Mursch also found that password reuse was widespread, and many appliances had not set a custom password, instead, they used the default admin/admin identifications.

The attack identified by Mursch seems to come from within Spain from a Telefonica Spain customer. It is presently unclear why attempts are being made to access the modems’ Wi-Fi identifications.

Mursch has reported the fault to CCN-CERT, Orange Espana, and Orange-CERT and the vulnerability is presently being probed. The vulnerability is present in Orange Livebox Arcadyan ARV7519 modems running firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217.

Over 50 Accounts Compromised in San Diego School District Data Breach

A major data breach has been informed by the San Diego School District that has possibly led to the theft of the personal information of over half a million present and former staff and students. The data disclosed as a consequence of the breach date back to the 2008/2009 school year.

The breach was noticed after reports from district staff of a flood of phishing electronic mails. The electronic mails were highly credible and deceived users into visiting a web page where they were required to enter their login identifications. Doing so passed the identifications to the attacker.

The attacker succeeded in compromising over 50 accounts, which permitted access login to the school district’s network which comprised the district database having staff and student information.

A wide variety of confidential information was saved in the database including names, birth dates, deduction information, salary information, savings and flexible spending account details, dependent identity information, tax information, payroll information, legal notices, enrollment information, emergency contact details, Social Security numbers, health data, attendance records, the names of banks, routing numbers, and account numbers for direct deposits.

The break was noticed in October 2018 but was determined to date back January 2018. When a data breach is noticed, the first step that is commonly taken is to shut down access to all undermined accounts. Doing so would obviously forewarn the attacker that the breach has been noticed.

In this situation, the San Diego Unified Police was notified about the breach and the decision was taken to probe the breach before ending access. By taking this measure, the police division was able to identify a person who is supposed to be behind the attack.

All compromised identifications have now been reset and illegal access is no more possible. Additional safety controls have now been applied to avoid similar attacks in the future.

Notices have now been issued to all affected people. Those notices were delayed to allow the police to probe the breach without tipping off the attacker.

Backdoor and Ransomware Detections Rose Over 43% in 2018

The lately published Kaspersky Security Bulletin 2018 demonstrates there has been a 43% rise in ransomware detections and a 44% rise in backdoor detections in the first 10 months of 2018, emphasizing the increasing danger from malware.

Kaspersky Lab is now coping with 346,000 new malevolent files every day and has so far found more than 21.64 million malevolent objects in 2018.

Backdoor detections rose from 2.27 million to 3.26 million in 2018 and ransomware detections are up from 2.2 million detections to 3.13 million. Backdoors comprise 3.7% of malevolent files examined by Kaspersky Lab and ransomware comprises 3.5%.

The biggest cyberthreat in 2018 was banking Trojans, which comprised over half of all malevolent file detections. The main danger was the Zbot Trojan, which was used in 26.3% of attacks, after that the Nymaim Trojan (19.8%), and the SpyEye backdoor (14.7%). 7 of the top ten most widespread malware groups were banking Trojans. The remaining three were backdoors.

Financial wrongdoing, such as the theft of banking identifications and credit card numbers, makes up the majority of attacks, even though APT groups tend to focus on company data theft.

There were fewer new ransomware groups developed in 2018 than 2017, but even though there has been a reduction in ransomware development, the danger of attack is still substantial. The worst month of the year for ransomware attacks was September when 132,047 occurrences were seen. Over the preceding ten months, 11 new ransomware groups have been found and there have been 39,842 changes made to current ransomware variations. As per Kaspersky Lab, in the previous year, 220,000 company users and 27,000 SMB users have been infected with ransomware and had files encrypted.

WannaCry variations were the most generally used, comprising 29.3% of infections, followed by common ransomware (11.4%), and GandCrab ransomware (6.67%).

Banking Trojans and malevolent software invented to attack ATMs and POS systems will carry on to be the main dangers in 2019, as per the report.

Actively Exploited Internet Explorer Vulnerability Patched by Microsoft

Microsoft has issued an out of band update for Internet Explorer to rectify a vulnerability that is being actively exploited. The Internet Explorer vulnerability was found by Clement Lecigne at Google’s Threat Analysis Group, who informed Microsoft of the vulnerability.

The remote code execution vulnerability, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, which manages memory objects. If the vulnerability is abused, an attacker might corrupt the memory in a way that lets the implementation of arbitrary code with the same level of rights as the existing user.

If the attack happens while a user is logged in that has administrative privileges, an attacker would be able to take complete control of the user’s appliance and connect programs, modify or erase data, or create new accounts with complete admin privileges.

For the vulnerability to be exploited, a user would need to visit a specifically created web page having the exploit code. This might be achieved through malvertising – malevolent advertisements that redirect users to the malevolent webpages – or by sending electronic mails having a hyperlink to the malevolent web page.

Updates have been issued for:

  • Internet Explorer 11 on Windows 10
  • Windows 8.1
  • Windows 7 SP1
  • Internet Explorer 10 on Windows Server 2012
  • Internet Explorer 9 on Windows Server 2008

Obviously, the updates must be applied as soon as possible, even though temporary measures can be taken until the update is applied to defend against attack. Microsoft proposes rights to the jscript.dll file for the Everyone group must be removed. This will not have any unfavorable effects for users of Internet Explorer 9, 10, or 11, which use the jscript9.dll file by default.

To modify rights on 32-bit systems, enter the following command at an admin command prompt:

cacls %windir%\system32\jscript.dll /E /P everyone:N

On 64-bit systems, enter the following command:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

No details have been issued to date on present attacks that are abusing this vulnerability. Google has yet to provide that information to Microsoft.

90% of Malware Delivered Through Spam Email

Cybercriminals use a range of methods to gain access to business networks to install malware, even though by far the most usual method of dispersing malware is spam electronic mail. As per the latest study by F-Secure, in 2018, 90% of malware was distributed through spam electronic mail.
The most usual kinds of malware distributed via spam electronic mail are bots, downloaders, and backdoors, which jointly comprise 52% of all infections. Banking Trojans comprise 42% and Emotet, Trickbot, and Panda banking Trojans are most usual. Although 2018 has seen several ransomware attacks on companies, ransomware comprises just 6% of spam-delivered malware. F-Secure notices that all through 2018, email-based ransomware attacks have decreased.
Analysis of spam electronic mails has indicated that among the most effective and most used appeals is a failed delivery notice, particularly during the holiday period. At this time of the year, users are likely to be anticipating package deliveries.
During the holiday period, a lot of users let their guard down and reply to messages that they would identify as doubtful at other times of the year. This was shown by F-Secure through replicated Black Friday and Cyber Monday themed phishing attacks. The campaign observed a 39% surge in people replying to the phishing messages than at other times of the year.
F-Secure’s study showed 69% of spam electronic mails try to get users to visit a malevolent URL. The hyperlinks in the messages lead users to phishing websites where they are requested to enter confidential information such as credit card numbers, Office 365 logins, or other identifications. Hyperlinks also guide users to sites hosting exploit kits that probe computers for vulnerabilities and quietly download malware or trick users into downloading apparently benign files that have malevolent scripts. 31% of spam messages have malevolent attachments – often macros and other scripts that download malevolent software.
In years gone, spam electronic mails were comparatively easy to identify; nevertheless, lots of the spam and phishing electronic mails now being sent are much more sophisticated. Cybercriminals are using well-tried social engineering ways to receivers to disclose confidential information or install malware. Many spam electronic mails are almost the same as those sent by real companies, complete with proper branding and logos.
With more users opening malevolent electronic mail attachments and clicking hyperlinks in electronic mails at this time of year, companies confront a higher danger of malware infections, electronic mail account breaches, and theft of confidential information.
Obviously, an advanced spam filtering solution should be applied to avoid malevolent messages from being delivered to inboxes. Web sieving technology can be applied to avoid workers from visiting malevolent websites. Though, as good as technological solutions are at obstructing spam, phishing, and malware downloads, it’s important not to disregard the last line of protection: Workers.
Safety consciousness training must be provided to all workers to teach them cybersecurity best ways and how to identify malevolent electronic mails. Through continuous training, the vulnerability of workers to phishing attacks can be substantially decreased. As per Cofense, training and phishing simulation exercises can decrease worker vulnerability to phishing attacks by over 90%.

BleedingBit Vulnerabilities Affect Millions of Wireless Access Points

Armis Labs has found two vulnerabilities in Texas Instruments’ Bluetooth Low Energy (BLE) chips that are used in wireless access points produced by Cisco, Meraki, and Aruba. The affected wireless access points are used by hundreds of thousands of companies all over the world.

Cisco, Meraki, and Aruba provide no less than 70% of business wireless access points, which places all of those companies at risk. It is not yet known precisely how many appliances are vulnerable and have the BleedingBit vulnerabilities, even though Armis Labs doubts millions of appliances might be affected.

If theBleedingBit vulnerabilities are abused, attackers would be able to take complete control of the access points without any requirement for verification. The access points could be deactivated, data could be interrupted, malware fitted, or the attackers might use the vulnerabilities to gain access to company systems served by the access points and access any appliance in the neighborhood of the AP.

TwoBleedingBit vulnerabilities have been found. CVE-2018-16986 lets memory corruption in the BLE stack, through which complete control of the AP might be gained. To abuse the vulnerability, an attacker would need to be within the limit of the AP and BLEwould need to be turned on. No knowledge of the appliance would be needed and there are no other preconditions to abuse the vulnerability.

An attacker would need to send particularly created packets to the AP containing code which is run in the next phase of the attack. The second phase involves sending an overflow packet to trigger a vital memory overflow which lets the attacker run the earlier sent code.

The vulnerability has been verified to affect Cisco Aironet Access Points 1800i, 1810, 1815i,1815m, 1815w, 4800 and the Cisco 1540 Aironet Series Outdoor Access Point. Meraki MR30H, MR33, MR42E, MR53E, and MR74 Access Points are also affected.

The second of the BleedingBit vulnerabilities – CVE-2018-7080 – is existing in the over-the-air firmware download (OAD) feature of Texas instruments’ chips utilized in ArubaSeries 300 Wi-Fi Access Points. The vulnerability is a development backdoor tool that has not been detached. If abused, the vulnerability would let a new and completely different variety of firmware to be installed, letting the attacker gain complete control of the appliance.

Armis Labs says that abuse of the BleedingBit vulnerabilities would not be spotted by usual AV solutions and would be unlikely to raise any red flags. The attacker might move laterally between network parts, interrupt traffic, install malware, interfere with operating systems, and hijack a wide variety of appliances unnoticed.

Cisco has already repaired its affected appliances, and Meraki has published help on how users can make modifications to BLE settings to avoid misuse of the vulnerabilities. Misuse of CVE-2018-7080 can be obstructed by deactivating OAD functionality.  Texas Instruments has now rectified the fault in BLE-STACK v2.2.2.

Elon Musk Bitcoin Fraud Makes $180,000 in a Day

The assurance of payment of a substantial sum in return for a small payment is a typical cheat that has been carried out in different forms for several years. An admin fee is needed before a Saudi prince’s inheritance will be paid, and payment is required to assist a widow to get her husband’s wealth out of the country.

This week an exciting variation of the cheat has been carried out on Twitter that has been astonishingly effective. The Saudi prince was substituted by Elon Musk, who the scammers claimed had assured to pay 10,000 BTC to the community. The donation, it was declared, was as a thank you for the help Elon Musk had received since he left the position of director of Tesla in what assured to be the biggest Bitcoin giveaway ever.

Such a strange and generous gift to the community must have set alarm bells ringing, in any case, 10,000 BTC is roughly $64 million – a considerable thank you in anybody’s book.

All that was needed was for partakers to pay a nominal amount (0.1 to 3 BTC) to a particular Bitcoin address. Elon Musk assured to pay back 1-30 times the amount that was paid. To inspire bigger donations, anybody sending 0.3 BTC or more would get an additional 200% in return.

Such a cheat would likely be identified as such, but genuine sources seemed to be encouraging the giveaway through their authorized Twitter accounts, including the Ministry of Transportation of Colombia and the National Disaster Management Authority of India to name but two.

Those accounts were used to confirm that some people had already received big payments in return for a small BTC deal. Sites used to promote the cheat also had sensibly credible names such as musk.fund, musk.plus and spacex.plus.

The truth was the Twitter accounts helping the giveaway had been hacked and the domains were listed by the scammers.

The ElonMusk Bitcoin cheat seemed too good to be correct and it was. Nevertheless, it has been remarkably effective. The Bitcoin address had received 392 payments totaling 28 BTC – About $180,000 – within 24 hours.

Zero-Day VirtualBox Vulnerability and Exploit Published

Particulars of a zero-day VirtualBox vulnerability have been published online together with a step by step activity.

The vulnerability in the Oracle open source hosted hypervisor was published on GitHub by Russian safety scientist, Sergey Zelenyuk, instead of being disclosed to Oracle to permit the bug to be repaired. The decision was affected by an earlier vulnerability that he found in VirtualBox that was disclosed to Oracle but took the company 15 months to repair.

Zelenyuk described the decision to go public with the vulnerability and exploit was because of frustration with Oracle and the bug revelation and bug bounty procedure – “I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The purpose is my disagreement with current state of infosec, particularly of safety research and bug bounty,” wrote Zelenyuk.

The vulnerability is a series of bugs that can be abused to allow malevolent code to dodge the virtual machine and perform on the original operating system. The exploit activates a buffer surplus situation using packet descriptors which allow malevolent code to be run in kernel ring 3, which is used for most user programs. It is possible to merge the exploit with kernel privilege growth bugs to gain access to kernel ring 0.

As per Zelenyuk, the exploit is 100% dependable and works irrespective of the host or original operating system and affects all VirtualBox releases.

The vulnerability is specifically disturbing for malware scientists as VirtualBox is a popular selection for studying and reverse engineering malware in a secure atmosphere. If malware authors were to insert the exploit into their malware, it would be possible to flee the VM and infect the safety researcher’s machine.

It remains to be seen how swiftly VirtualBox will be repaired. With the vulnerability and abuse now in the public domain, it is possible that Oracle will not wait 15 months to create a repair.