
Topics - Hardhead

By Sergiu Gatlan
July 17, 2019 01:28 PM

A new Linux malware masquerading as a Gnome shell extension and designed to spy on unsuspecting Linux desktop users was discovered by Intezer Labs' researchers in early July.

The backdoor implant dubbed EvilGnome is currently not detected by any of the anti-malware engines on VirusTotal [1, 2, 3] and comes with several capabilities very rarely seen in Linux malware strains.

"EvilGnome’s functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules," Intezer researchers found.

"The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions."
Infection via self-extractable archives

EvilGnome is delivered with the help of a self-extractable archive created using the makeself shell script, with all the metadata generated when creating the malicious payload archive bundled within its headers, possibly by mistake.

The infection is automated with the help of an autorun argument left in the headers of the self-executable payload, which instructs it to launch a script that will add the malware's spy agent to the ~/.cache/gnome-software/gnome-shell-extensions/ folder, attempting to sneak onto the victim's system camouflaged as a Gnome shell extension.
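The header metadata mentioned above is what makes a makeself stub triageable without running it. The script below is an added example, not code from the article or from Intezer: it parses the plain shell assignments makeself writes at the top of a generated archive (label, script, scriptargs, targetdir, filesizes, CRCsum, MD5, skip) from a constructed sample header. The header is not EvilGnome's; its values, the label and the "./install.sh" startup script are made up for illustration.

```python
"""Static triage of a makeself self-extracting stub (added example).

The SAMPLE_HEADER below is constructed to mimic the shell stub makeself
generates; variable names are makeself's, every value is a placeholder.
"""
import re

SAMPLE_HEADER = """#!/bin/sh
# This script was generated using Makeself 2.3.1
# The license covering this archive and its contents, if any, is wholly independent of the Makeself license (GPL)

ORIG_UMASK=`umask`
CRCsum="3149428863"
MD5="2f0ccc2b1f8e3a4b5c6d7e8f90a1b2c3"
SHA="0000000000000000000000000000000000000000000000000000000000000000"
TMPROOT=${TMPDIR:=/tmp}
label="gnome-shell-extension"
script="./install.sh"
scriptargs=""
targetdir="gnome-shell-ext"
filesizes="40960"
keep="n"
nooverwrite="n"
quiet="n"
accept="n"
nodiskspace="n"
export_conf="n"
skip="550"
"""

# Only VAR="..." / VAR='...' assignments are read. Command substitutions and
# parameter expansions (ORIG_UMASK, TMPROOT) are skipped on purpose so that
# nothing from the stub is ever evaluated.
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(["\'])(.*?)\2\s*$')


def parse_makeself_header(text):
    """Return {variable: value} for the simple quoted assignments in the stub."""
    out = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(3)
    return out


def makeself_version(text):
    """Version string from the generator comment, or None if absent."""
    m = re.search(r"generated using Makeself (\S+)", text)
    return m.group(1) if m else None


def triage(text):
    """Summarise what the stub would do if executed: autorun command,
    extraction directory, payload size and the embedded checksums."""
    v = parse_makeself_header(text)
    autorun = v.get("script", "")
    return {
        "makeself_version": makeself_version(text),
        "label": v.get("label"),
        "autorun": bool(autorun),
        "autorun_command": (autorun + " " + v.get("scriptargs", "")).strip(),
        "targetdir": v.get("targetdir"),
        "payload_bytes": [int(s) for s in v.get("filesizes", "").split() if s.isdigit()],
        "crc": v.get("CRCsum"),
        "md5": v.get("MD5"),
        "skip_lines": int(v["skip"]) if v.get("skip", "").isdigit() else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADER).items():
        print(f"{key:17} {value}")
```

The `script` variable is the autorun the article refers to: a non-empty value means the stub runs that command right after extracting the payload. For a real sample, makeself stubs also honour `--info`, `--list` and `--noexec --keep --target DIR`, which let you describe, list and unpack the archive without triggering the embedded startup script.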

By Sergiu Gatlan
July 17, 2019 02:37 PM
New DNS security measures for all .gov domains will be implemented by the U.S. government starting today to help mitigate risks associated with future DNS hijacking incidents.

The DotGov Program "operates the .GOV top-level domain (TLD) and makes it available to US-based government organizations, from Federal agencies to local municipalities," as per the U.S. General Services Administration (GSA).

Starting today, domain points of contact will automatically be sent email alerts whenever the official .gov registrar makes DNS changes:

In response to recent incidents affecting other top-level domains, authorized .gov domain POCs will now receive a system-generated email when a change is made to their DNS in the DotGov Registrar.

The email will alert the POCs that a change was made to their DNS information and include instructions for mitigation should it be necessary.

All the DNS changes made by the registrar will propagate within roughly 24 hours, depending on multiple factors such as the connectivity and caching, DotGov explains.

"If you’re planning to make critical changes to your name servers over the weekend, please contact us before 5 p.m. on the prior Thursday to ensure the information propagates during weekend hours," adds the registrar.

This new DotGov initiative was prompted by a global Domain Name System (DNS) infrastructure hijacking campaign alert issued during January by the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Cybersecurity and Infrastructure Security Agency (CISA).

At the time, NCCIC advised network administrators to follow this set of best practices designed to safeguard their networks against DNS hijacking attacks:

• Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.

• Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.

• Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
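The second and third items in that list can be scripted as a recurring audit. The block below is an added example, not code from the article, NCCIC or the DotGov registrar: it compares the records a domain owner intends to publish with what a resolver returned, and reviews a certificate list of the kind a Certificate Transparency search produces against the CAs the organisation actually uses. All data is constructed; example.gov, the addresses, issuers and serials are placeholders, and the observed data is deliberately built to contain one hijacked A record, one rogue NS record and one certificate from an unapproved issuer.

```python
"""Audit DNS records and issued certificates against a baseline (added example).

Every value below is constructed for illustration.
"""

# Records the domain owner intends to publish: (owner name, type) -> value set.
EXPECTED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("www.example.gov", "A"): {"192.0.2.10"},
}

# What a resolver (or the registrar) returned at audit time.
OBSERVED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns.attacker.example."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("www.example.gov", "A"): {"198.51.100.7"},
}

# Certificates covering the domain, in the shape a CT-log search returns.
OBSERVED_CERTS = [
    {"serial": "01", "issuer": "Example CA 1", "sans": ["example.gov", "www.example.gov"]},
    {"serial": "02", "issuer": "Unknown Free CA", "sans": ["mail.example.gov"]},
]
APPROVED_ISSUERS = {"Example CA 1"}


def diff_records(expected, observed):
    """One finding per record set that differs from the baseline.

    Records present on only one side are reported as well: a record that
    appears without being in the baseline is as interesting as one that changed.
    """
    findings = []
    for key in sorted(expected.keys() | observed.keys()):
        want = expected.get(key, set())
        got = observed.get(key, set())
        if got != want:
            findings.append({
                "record": key,
                "unexpected": sorted(got - want),
                "missing": sorted(want - got),
            })
    return findings


def suspicious_certs(certs, approved_issuers):
    """Certificates whose issuer the organisation never uses.

    A fraudulently requested certificate is typically issued by a CA the
    owner has no relationship with, so the issuer is the first filter; the
    serial is what the revocation request to that CA needs.
    """
    return [c for c in certs if c["issuer"] not in approved_issuers]


def run_audit(expected, observed, certs, approved_issuers):
    """Combine both checks into one report."""
    return {
        "dns": diff_records(expected, observed),
        "certs": suspicious_certs(certs, approved_issuers),
    }


if __name__ == "__main__":
    report = run_audit(EXPECTED_RECORDS, OBSERVED_RECORDS, OBSERVED_CERTS, APPROVED_ISSUERS)
    for f in report["dns"]:
        name, rtype = f["record"]
        print(f"{name:18}{rtype:4} unexpected={f['unexpected']} missing={f['missing']}")
    for c in report["certs"]:
        print(f"revoke serial {c['serial']} issued by {c['issuer']} covering {c['sans']}")
```

In practice `EXPECTED_RECORDS` comes from the zone file or a registrar export, `OBSERVED_RECORDS` from querying more than one independent resolver (a hijack at the registrar level shows up everywhere, one at a single resolver does not), and the certificate list from a CT log search for the domain. The audit only flags; the response to a finding is the registrar ticket or the CA revocation request.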

Author: Tom Spring
July 17, 2019 1:43 pm

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Two firmware vulnerabilities impacting Lenovo, Acer and five additional server brands allow adversaries to brick servers, run arbitrary code on targeted systems and maintain a persistent foothold – surviving even an operating system reinstallation.

The bugs are tied to Gigabyte motherboards used in the vulnerable servers. The culprit is firmware for a motherboard component called a Baseboard Management Controller (BMC), which is used for subsystem management and monitoring. Server-makers using the vulnerable BMC firmware are Lenovo, Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen.

The common thread connecting each of the server brands is the use of two specific motherboard SKUs made by Gigabyte, according to researchers at Eclypsium who first identified the bugs and publicly disclosed their findings Tuesday.

Author: Tara Seals
July 17, 2019 1:29 pm

Identifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices — opening an attack vector.

Vulnerabilities in the way Bluetooth Low Energy is implemented on devices by manufacturers can open the door to global device tracking for the Windows 10, iOS and macOS devices that incorporate it, according to research from Boston University.

An academic team at BU uncovered the flaws, which exist in the periodically changing, randomized device addressing mechanism that many new-model Bluetooth Low Energy (BLE) devices incorporate to prevent passive tracking. A paper on the issues (PDF) was presented Wednesday at the 19th Privacy Enhancing Technologies Symposium.

Bluetooth devices advertise themselves as available to other devices in publicly available clear channels, dubbed “advertising channels,” to make pairing with other devices easy. In early versions of the Bluetooth specification, the permanent Bluetooth MAC addresses of devices were regularly broadcast in these clear advertising channels, leading to major privacy concerns stemming from the potential for device-tracking. BLE aimed to solve that by instead allowing device manufacturers to use temporary random addresses in over-the-air communication instead of a device’s permanent address.
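The weakness the article describes is that the random address and an identifying token in the advertisement payload rotate on different schedules, so at every rotation one of the two stays constant and bridges the old and new value. The block below is an added example, not code from the BU paper or the article: it runs a passive linker over a constructed capture of advertising frames (seconds, advertising address, token) and chains addresses that share a token. The addresses and token names are placeholders; the second device in the capture rotates both values in the same event, which is what a correct implementation should do, and it stays unlinkable.

```python
"""Chain randomized BLE advertising addresses through carried-over tokens (added example).

FRAMES is a constructed capture: (seconds, advertising address, identifying
token observed in the advertisement payload). All values are placeholders.
"""
from collections import defaultdict

FRAMES = [
    # Device 1: address and token rotate on different schedules, so every
    # rotation leaves one value unchanged that bridges old and new.
    (0,    "4a:11:22:33:44:01", "tok-A"),
    (300,  "4a:11:22:33:44:01", "tok-A"),
    (900,  "5b:11:22:33:44:02", "tok-A"),   # new address, old token
    (1200, "5b:11:22:33:44:02", "tok-B"),   # new token, old address
    (1800, "6c:11:22:33:44:03", "tok-B"),   # new address, old token
    (2100, "6c:11:22:33:44:03", "tok-C"),
    (2400, "6c:11:22:33:44:03", "tok-C"),
    # Device 2: address and token rotate in the same event; nothing carries over.
    (0,    "7d:11:22:33:44:04", "tok-X"),
    (900,  "7d:11:22:33:44:05", "tok-Y"),
]


class UnionFind:
    """Minimal disjoint-set over hashable labels."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def link_addresses(frames):
    """Group advertising addresses that can be chained through shared tokens.

    Each frame ties its address to its token. Two addresses land in the same
    group when some token was seen with both, directly or through further
    address/token links. Returns one dict per group with the sorted addresses
    and the time span over which the device was followed.
    """
    uf = UnionFind()
    for _, addr, token in frames:
        uf.union(("addr", addr), ("tok", token))

    groups = defaultdict(lambda: {"addresses": set(), "first": None, "last": None})
    for t, addr, _ in frames:
        g = groups[uf.find(("addr", addr))]
        g["addresses"].add(addr)
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)

    result = [{"addresses": sorted(g["addresses"]), "first": g["first"], "last": g["last"]}
              for g in groups.values()]
    return sorted(result, key=lambda g: g["addresses"][0])


if __name__ == "__main__":
    for g in link_addresses(FRAMES):
        print(f"{g['first']:>5}s to {g['last']:>5}s  {' -> '.join(g['addresses'])}")
```

The union-find makes the linkage transitive: the listener never needs to see the old and new address at the same instant, only a token that survives each address change. For device 1 that yields one track spanning three addresses and the whole capture; for device 2 the two addresses remain separate groups, which is the behaviour the randomization was meant to guarantee.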

Author: Tara Seals
July 17, 2019 9:26 am

The group is using malicious versions of WinRAR and other legitimate software packages to infect targets, likely via watering-hole attacks.

The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has mounted a fresh spyware campaign that is still ongoing as of July 2019. The group has retooled with new malware to control compromised machines, according to researchers.

“The new malware samples [first identified in early July] have been unreported and generally appear to have been created and deployed to targets following a toolset rebuild in response to the public reporting during the fourth quarter of 2018,” according to the analysis from AT&T’s Alien Labs division, released Wednesday and shared with Threatpost. “Based on compilation times, infrastructure build and use and public distribution of samples, we assess the activity continues to operate successfully as of this report.”

The revamped malware, which is now targeting users located in Turkey, is similar to the group’s hallmark StrongPity/Prometheus code, according to the research, with complete spyware capability. It’s built to locate sensitive documents while establishing a persistent backdoor for remote access.

Help Net Security   July 16, 2019

Artificial intelligence (AI) is rapidly finding applications in nearly every walk of life. Self-driving cars, social media networks, cybersecurity companies, and everything in between uses it.

But a new report published by the SHERPA consortium – an EU project studying the impact of AI on ethics and human rights – finds that while human attackers have access to machine learning techniques, they currently focus most of their efforts on manipulating existing AI systems for malicious purposes instead of creating new attacks that would use machine learning.

The study’s primary focus is on how malicious actors can abuse AI, machine learning, and smart information systems. The researchers identify a variety of potentially malicious uses for AI that are well within reach of today’s attackers, including the creation of sophisticated disinformation and social engineering campaigns.

And while the research found no definitive proof that malicious actors are currently using AI to power cyber attacks, they highlight that adversaries are already attacking and manipulating existing AI systems used by search engines, social media companies, recommendation websites, and more.

By Ionut Ilascu    July 15, 2019 09:35 PM

An app styling itself as a more feature-rich unofficial version of Telegram was installed over 100,000 times from Google Play, only to provide minimal messaging services and to promote malicious websites.

Named MobonoGram 2019, the app used code from the legitimate Telegram messenger and added a few scripts that ran in secret on the infected device to help with persistence and with loading URLs received from the command server.

By the time security researchers found the malicious app, its developer, RamKal Developers, had already pushed five updates to the official Android store.

Available in English and Farsi, MobonoGram 2019 was available to users in regions that prohibited the use of Telegram (e.g. Russia, Iran) and would start automatically after booting the device, as well as after installing or updating an app.

It is unclear how long MobonoGram 2019 remained on Google Play, but reaching such a high number of installations was possible by redirecting users from third-party repositories to Google's official market for mobile.

Gary Barnett, CEO, Semafone   July 12, 2019

Today’s business landscape is more dynamic than ever before. Organizations are being inundated with data, generated by an ever-increasing number of connected devices and systems. According to IDC, the volume of data worldwide will grow ten-fold to 163ZB by 2025, and the majority of that will be created and managed by enterprises.

Along with this increased volume of data comes an increased risk of data breaches. More than 446 million records containing sensitive consumer data were exposed in data breaches in 2018, a 126 percent increase over the previous year, according to the Identity Theft Resource Center.

Help Net Security   July 12, 2019

Organizations around the world are increasingly adopting advanced technologies, which is driving the global Internet of Things (IoT) market.

Fortune Business Insights in a report, titled “Global Internet of Things (IoT) market: Global market analysis, insights and forecast, 2019-2026” states that IoT technology holds significant potential in the ICT sector.

As per the report, the global market was valued at $190.0 Bn in the year 2018 and is anticipated to reach $1111.3 Bn by 2026. The analysts in the report predict that the global market will expand at a ferocious CAGR of 24.7% throughout the forecast years.

Help Net Security   July 12, 2019

Businesses are increasing the pace of investment in AI systems to defend against the next generation of cyberattacks, a study from the Capgemini Research Institute has found. Two thirds (69%) of organizations acknowledge that they will not be able to respond to critical threats without AI.

With the number of end-user devices, networks, and user interfaces growing as a result of advances in the cloud, IoT, 5G and conversational interface technologies, organizations face an urgent need to continually ramp up and improve their cybersecurity.

By Lawrence Abrams    July 12, 2019 05:00 PM

If you read the news, it's hard not to see that ransomware is far from dead and may be worse than ever.

Emboldened by large government payouts, ransomware developers are increasingly targeting cities, the enterprise, and charities where they can create large scale damage and thus potentially large-scale ransom payments.

It is no longer a playing field swamped with small players. While the smaller variants do exist, attackers are now performing more targeted attacks than ever with tried-and-true ransomware variants.

By Lawrence Abrams     July 12, 2019 07:45 AM

A ransomware attack at New York City's Monroe College has shut down the college's computer systems at campuses located in Manhattan, New Rochelle and St. Lucia.

According to the Daily News, Monroe College was hacked on Wednesday at 6:45 AM and ransomware was installed throughout the college's network. It is not known at this time what ransomware was installed on the system, but it is likely to be Ryuk, IEncrypt, or Sodinokibi, which are known to target enterprise networks.

Reports indicate that the attackers are asking for 170 bitcoins, or approximately $2 million, in order to decrypt the entire college's network. The college has not indicated at this time whether they will be paying the ransom or restoring from backups while gradually bringing their network back online.

By Sergiu Gatlan    July 12, 2019 03:50 PM

Microsoft is rolling out Microsoft Forms proactive phishing detection to improve the product's security by blocking phishing attacks from abusing surveys and forms created using the app.

Microsoft Forms is part of Microsoft's Office 365 cloud-based subscription service and it allows users to create surveys, quizzes, and polls designed to collect feedback and data online.

"In order to make Forms a more secure service, we are going to enable automatic phishing detection to prevent our customers from losing sensitive data via phishing forms," says an update to the Microsoft 365 Roadmap.

The new feature uses automated machine reviews to "proactively detect malicious password collection in forms and surveys" in an attempt to block phishers from abusing the Microsoft Forms app to create phishing landing pages.

By Lawrence Abrams    July 12, 2019 03:30 AM

Mozilla plans on adding a new dedicated social tracking protection component to their tracker protection system. This feature is currently under development, but is targeted for the Firefox 70 release.

According to a Mozilla bug report, tracker protection for social sites will be moved into its own category named "Social media trackers". Based on mockups found by BleepingComputer, social tracking protection will be enabled by default in the Standard setting, but Firefox will not aggressively block all trackers that could break the functionality of a site.

By Ionut Ilascu June 25, 2019 07:02 PM

A family of banking trojans for Android has spread beyond Russia, a region it normally targeted, and operates in an aggressive way to replace the default SMS app and deploy phishing screens on compromised devices.

Dubbed Riltok, the strain has been known since March 2018 and operated mainly in Russia, where 90% of its victims are located.
Spreading outside Russia

Towards the end of the year, the cybercriminals behind it created a version destined for English speakers. In January 2019, Riltok variants for Italian and French victims appeared.

Other detections were recorded in the U.K. and Ukraine. From the European countries, most of the infections are in France (4%).
