#651 harrybarracuda
    Put Two Factor Authentication on lots of websites with a single app...

    https://authy.com/

#652 harrybarracuda
    A good reason to make sure your laptop has the latest firmware...

    ...the LoJax malware is unable to attack recent versions of computer firmware, meaning that if you keep your firmware updated, you’re unlikely to be a victim.
    Russian Malware That Embeds Itself Into PC Firmware Found in Wild

#653 baldrick
    ^ Though if you are updating your firmware via Windows software I would not be so confident.

    But it seems like a good idea, if you are installing an OS, to flash the firmware first.

#654 Latindancer
    "it will survive the reinstallation of an operating system or even the replacement of the computer’s hard disk".

    Where on earth does it hide? The CPU? The RAM?

#655 harrybarracuda
    Quote Originally Posted by Latindancer
    "it will survive the reinstallation of an operating system or even the replacement of the computer’s hard disk".

    Where on earth does it hide? The CPU? The RAM?
    Firmware doesn't "hide". It's stored on Flash ROM usually.

#656 David48atTD
    Just for fun ...


#657 harrybarracuda
    Chinkies is nosey little fuckers...

    Super Micro shares are cheap right now though.

    A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

    The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

    Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

    The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

    Supermicro, based in San Jose, California, gave this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”

    Bloomberg News first contacted Supermicro for comment on this story on Monday at 9:23 a.m. Eastern time and gave the company 24 hours to respond.

    Supermicro said after the earlier story that it “strongly refutes” reports that servers it sold to customers contained malicious microchips. China's embassy in Washington did not return a request for comment Monday. In response to the earlier Bloomberg Businessweek investigation, China’s Ministry of Foreign Affairs didn’t directly address questions about the manipulation of Supermicro servers but said supply chain security is “an issue of common concern, and China is also a victim.”

    Supermicro shares plunged 41 percent last Thursday, the most since it became a public company in 2007, following the Bloomberg Businessweek revelations about the hacked servers. They fell as much as 27 percent on Tuesday after the latest story.

    The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

    Based on his inspection of the device, Appleboum determined that the telecom company's server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the 'Silicon Valley of Hardware', and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

    The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company's technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It's not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

    AT&T Inc. spokesman Fletcher Cook said, “These devices are not part of our network, and we are not affected.” A Verizon Communications Inc. spokesman said “we’re not affected.”

    "Sprint does not have Supermicro equipment deployed in our network," said Lisa Belot, a Sprint spokeswoman. T-Mobile U.S. Inc. didn’t respond to requests for comment.

    Sepio Systems’ board includes Chairman Tamir Pardo, former director of the Israeli Mossad, the national defense agency of Israel, and its advisory board includes Robert Bigman, former chief information security officer of the U.S. Central Intelligence Agency.

    U.S. communications networks are an important target of foreign intelligence agencies, because data from millions of mobile phones, computers, and other devices pass through their systems. Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.

    The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

    In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

    People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI's cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI's most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

    Appleboum said that he's consulted with intelligence agencies outside the U.S. that have told him they've been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.

    In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue.

    Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

    Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.

    In the case of the telecommunications company, Sepio's technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

    Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

    The goal of hardware implants is to establish a covert staging area within sensitive networks, and that's what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip.

    The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He's now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

    “Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors -- like the Chinese intelligence and security services -- can access the IT supply chain at multiple points to create advanced and persistent subversions.”

    One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That's why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

    In the wake of Bloomberg's reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won't necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

    National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That's allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

    “For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits -- we don't know until we find some. It could be all over the place -- it could be anything coming out of China. The unknown is what gets you and that's where we are now. We don't know the level of exploits within our own systems.”

    https://www.bloomberg.com/news/artic...in-u-s-telecom
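The "two devices in one" symptom described above is something a network team can look for without any vendor product: one MAC/IP pair emitting SYN packets with two different, stable TCP/IP stack signatures (initial TTL, window size, MSS, option order). The Python below is an added example and is not Sepio's detection logic or anything from the Bloomberg report; the SYN records are constructed, and the field set mimics what a p0f-style passive fingerprinter pulls off a SPAN port.

```python
"""Spot a host whose single MAC/IP presents two TCP/IP stacks on the wire.

Added example, not Sepio's product or code from the Bloomberg report. It
illustrates the "two devices in one" symptom the article describes. The
records below are constructed SYN observations of the kind a passive
fingerprinter (p0f-style) extracts from a SPAN port.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    src_mac: str
    src_ip: str
    ttl: int        # TTL as seen by the sensor
    window: int     # TCP window advertised in the SYN
    mss: int        # MSS option value
    options: str    # TCP option order, e.g. "mss,sackOK,ts,nop,wscale"


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the initial value the sending OS set.

    Common initial values: 64 (Linux/BSD/macOS), 128 (Windows), 255 (many
    embedded stacks and network gear). This removes hop-count noise.
    """
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return observed_ttl


def fingerprint(rec: SynRecord) -> tuple:
    """The stack 'personality': hop-normalised TTL, window, MSS, option order."""
    return (initial_ttl(rec.ttl), rec.window, rec.mss, rec.options)


def find_split_personalities(records, min_observations: int = 3) -> dict:
    """Return {(mac, ip): {fingerprints}} for endpoints with more than one stable stack.

    A signature must be seen at least `min_observations` times to count, so a
    single odd SYN (retransmit, path change) does not raise an alert.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        counts[(rec.src_mac, rec.src_ip)][fingerprint(rec)] += 1

    suspects = {}
    for endpoint, sigs in counts.items():
        stable = {sig for sig, n in sigs.items() if n >= min_observations}
        if len(stable) > 1:
            suspects[endpoint] = stable
    return suspects


# Constructed signatures: a stock Linux server seen one hop away, and a
# minimal embedded stack of the kind a small implant would carry.
LINUX = dict(ttl=63, window=29200, mss=1460, options="mss,sackOK,ts,nop,wscale")
TINY_STACK = dict(ttl=254, window=5840, mss=536, options="mss")

# Constructed observations: .5 emits both signatures, .6 is clean, and .7 shows
# a single stray packet that must not trigger an alert.
SAMPLE_RECORDS = (
    [SynRecord("aa:bb:cc:dd:ee:05", "10.0.0.5", **LINUX)] * 5
    + [SynRecord("aa:bb:cc:dd:ee:05", "10.0.0.5", **TINY_STACK)] * 3
    + [SynRecord("aa:bb:cc:dd:ee:06", "10.0.0.6", **LINUX)] * 6
    + [SynRecord("aa:bb:cc:dd:ee:07", "10.0.0.7", **LINUX)] * 4
    + [SynRecord("aa:bb:cc:dd:ee:07", "10.0.0.7", ttl=63, window=64240, mss=1460,
                 options="mss,sackOK,ts,nop,wscale")]
)


if __name__ == "__main__":
    for (mac, ip), sigs in find_split_personalities(SAMPLE_RECORDS).items():
        print(f"{ip} ({mac}) speaks with {len(sigs)} different stacks: {sorted(sigs)}")
```

A hit is a prompt for a physical look at the box, not proof of an implant: a hypervisor with bridged guests, a container host, or a BMC sharing the NIC will legitimately show more than one stack on one port, so baseline those first.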

#658 baldrick
    If the data is traversing the server encrypted, who gives a fcuk

#659 harrybarracuda
    Quote Originally Posted by baldrick
    If the data is traversing the server encrypted, who gives a fcuk
    You'd be amazed how many people don't bother encrypting internal traffic. They think firewalls and VPNs cover it.

#660 harrybarracuda
    Had a mate on the phone this morning panicking because he'd got a Booking.com cancellation for a booking he'd never made.

    I've taught him how to spot Phishing emails but this was legit, so he phoned Booking.com and they told him the booking was made on the 9th.

    I can only assume that someone got his hotmail.com and booking.com passwords (unless they were the same, which in itself is a big NO)... AND... he'd saved his card details there.

    The most logical thing is that they were checking to see if the card worked, and deleted the original booking email, but he spotted the cancellation before they could delete it.

    So I told him to cancel his card, change the passwords (and make them unique for each system) and add 2FA on his Hotmail account (it's a piece of piss, you just use the Authenticator app on your phone as a second login credential).

    However, the important thing is that you should never, ever, ever save payment details on these sites.

    Pay.As.You.Go.

    Just sayin'.
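Both the Authy recommendation in #651 and the Authenticator advice above rest on the same small piece of arithmetic, RFC 4226 HOTP and RFC 6238 TOTP, which is why one app can serve every site. The Python below is an added example, not code from Authy, Microsoft or the forum poster; it generates and verifies codes with the 20-byte test key from the RFCs' own appendices, and the base32 helper decodes the seed that a provisioning QR code carries.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: the arithmetic behind Authy, Microsoft
Authenticator and similar apps. Added example, not code from any of those
products. RFC_SECRET is the test key from the RFCs' appendices."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226 dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    """Server-side check. Accepts +/- `drift` steps to tolerate clock skew and
    uses a constant-time comparison so response timing does not leak digits."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - drift, counter + drift + 1)
    )


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 seed carried by otpauth://totp/...?secret=... QR codes.
    Apps display it with spaces and without '=' padding; both are normalised."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


RFC_SECRET = b"12345678901234567890"                 # RFC 4226/6238 test key
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # the same key as an app imports it

if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code for the RFC test key:", totp(RFC_SECRET, now))
    print("RFC 6238 vector T=59 ->", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

The seed is the whole secret: whoever holds it (the site's database, a phone backup, a screenshot of the QR code) can mint valid codes, so the thing 2FA actually protects against is a stolen password, not a stolen seed.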

#661 harrybarracuda
    Got a PS4? Watch out for dodgy messages.

    It seems a malicious message is making the rounds on the PlayStation Network. Reddit reports suggest PS4 owners are receiving a message that contains indecipherable characters that are causing their console to stop functioning, and requiring a factory reset to regain functionality.


    According to some users, players in multiplayer games may send the offending message as a means of taking down an opposing team, and the best remedy may be to change your messaging settings to private so that only trusted friends can send you a message.

    Users are also being warned that the console may crash not only when you open the message but also if you receive the notification.
    One possible solution may be to access your messages via the mobile app and delete the offending message, though some users have found that to also be futile.

    This is not the first time that such an exploit has been used to crash a gadget. The mechanism of the attack seems to rely on deficiencies in the text processing ability of code; past reports indicate similar exploits by sending an SMS to crash a phone. There's also, of course, the famous incident from earlier this year when a Telugu character would crash various apps on the iPhone.

    Update: An earlier version of this article more ambiguously stated the message was causing consoles to be bricked. It has now been amended to clarify that this was a 'soft brick', and that the device is still recoverable via a factory reset.

#662 baldrick
    haaarrrryyyyy - you should be all over this one - or are you freaking out wondering how you are going to roll out full disk encryption by tomorrow

    https://www.theregister.co.uk/2018/1...sd_encryption/

    SSDs from Crucial and Samsung have been only using the Disk Encryption Key on the hardware to encrypt drives, and this can be manipulated via the debugging ports and firmware.
    Worse still, BitLocker assumes everything is good and the DEK is derived from the user password.

    whoops
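The practical check for the problem baldrick raises, as an added example and not code from The Register, Microsoft or the researchers: Microsoft's guidance at the time (ADV180028) was to run `manage-bde -status` as an administrator and look at each volume's Encryption Method. A volume reporting "Hardware Encryption" has delegated everything to the SSD's own controller, and the fix was to disallow hardware-based encryption through the BitLocker Group Policy settings and then decrypt and re-encrypt the drive. The parser below reads that command's output; SAMPLE_OUTPUT is constructed to match the tool's layout.

```python
"""Parse `manage-bde -status` output and flag volumes that rely on the SSD's
own encryption. Added example, not code from Microsoft, The Register or the
researchers. SAMPLE_OUTPUT is constructed in the tool's layout; in practice
pipe the real output in (e.g. `manage-bde -status > status.txt`)."""
import re
import sys

# Constructed sample: C: trusts the drive's controller, D: is software-encrypted.
SAMPLE_OUTPUT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 476.94 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
        Numerical Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:) \[(.*?)\]", re.M)
# Four-space-indented "Name: value" lines; the deeper-indented key protector
# list has no colon and is skipped.
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+):\s+(.+?)\s*$", re.M)


def parse_status(text: str) -> dict:
    """Return {drive_letter: {field: value, 'Label': label}} per volume block."""
    volumes = {}
    heads = list(VOLUME_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.end():end]
        fields = {k.strip(): v for k, v in FIELD_RE.findall(block)}
        fields["Label"] = head.group(2)
        volumes[head.group(1)] = fields
    return volumes


def hardware_encrypted_volumes(text: str) -> list:
    """Drive letters whose data is protected only by the drive's own firmware."""
    return sorted(
        letter for letter, f in parse_status(text).items()
        if f.get("Encryption Method", "").lower().startswith("hardware")
    )


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for letter in hardware_encrypted_volumes(text):
        print(f"{letter} uses the SSD's self-encryption; BitLocker is not doing the crypto here")
```

"Protection On" next to "Hardware Encryption" is the misleading pairing: BitLocker reports itself healthy while the actual key handling lives entirely in the drive firmware the research found wanting.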

#663 harrybarracuda
    Quote Originally Posted by baldrick
    haaarrrryyyyy - you should be all over this one - or are you freaking out wondering how you are going to roll out full disk encryption by tomorrow

    https://www.theregister.co.uk/2018/1...sd_encryption/

    SSDs from Crucial and Samsung have been only using the Disk Encryption Key on the hardware to encrypt drives, and this can be manipulated via the debugging ports and firmware.
    Worse still, BitLocker assumes everything is good and the DEK is derived from the user password.

    whoops
    Since my Governance team make the Sloth out of Zootopia look like he's got ADHD, I'm actually OK with that one at the moment.

    But useful to know going forward!

#664 harrybarracuda
    You would think after the Bangladesh breach that they *might* have spent a few quid on security.

    In a shocking revelation, the head of the Federal Investigation Agency’s (FIA) cybercrime wing has said data from "almost all" Pakistani banks was stolen in a recent security breach.


    "According to a recent report we have received, data from almost all Pakistani banks has been reportedly hacked," FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News on Tuesday.

    When pressed to clarify, the official said data from "most of the banks" operating in the country had been compromised.


    Speaking to DawnNewsTV, Shoaib said hackers based outside Pakistan had breached the security systems of several local banks. "The hackers have stolen large amounts of money from people's accounts," he added.


    "The recent attack on banks has made it quite clear that there is a need for improvement in the security system of our banks," he observed.

    He said the FIA has written to all banks, and a meeting of the banks' heads and security managements is being called. The meeting will look into ways the security infrastructure of banks can be bolstered.

    "Banks are the custodians of the money people have stored in them," Shoaib said. "They are also responsible if their security features are so weak that they result in pilferage."


    It wasn't immediately clear when exactly the security breach took place.


    According to Shoaib, more than 100 cases are being investigated by the agency in connection with the breach.


    "An element of banking fraud which is a cause of concern is that banks hide the theft [that involves them]... and the clients report [the theft] to the banks and not to us, resulting in a loss of people's money," he told DawnNewsTV.


    "We are trying to play a proactive role in preventing bank pilferage," he added.


    Shoaib said the agency has arrested many gangs involved in cybercrimes and recovered stolen money from them.


    A gang was arrested last week whose members used to disguise themselves as army officials and withdraw money from banks after gathering people's data, the official added.

    'Data of over 8,000 account holders sold'

    The disclosure comes days after around 10 banks blocked all international transactions on their cards, as concerns about a breach of credit and debit card data spread in the banking circles.

    Sources told Dawn the State Bank of Pakistan (SBP) has been informed by several commercial banks that they have blocked international payments on debit and credit cards as a precautionary measure after cyber attacks on their clients’ accounts.


    According to the digital security website krebsonsecurity.com, data of over 8,000 account holders of about 10 Pakistani banks was sold in a market of hackers.


    A large Pakistani bank sent messages to its clients that online mobile banking services would be terminated for a temporary period from November 3 onwards on ‘technical grounds’.


    The first cyber attack was reported by BankIslami on October 27. The bank said that Rs2.6 million was stolen from international payment cards after which it has stopped such transactions and allowed biometrically verified payments only on ATM cards within Pakistan.


    Next day, the SBP issued directives to all banks to ensure that security measures on all information technology systems — including those related to card operations — are continuously updated to meet future challenges, ensure real-time monitoring of card operations related systems and transactions and immediately coordinate with all the integrated payment schemes, switch operators and media service providers.

    https://www.dawn.com/news/amp/1443970

#665 harrybarracuda
    This is hilarious. That will fucking teach the tight bastards.


    An independent researcher who was disgruntled with traditional bug bounty methods took it upon himself to leak the details of an exploit in Oracle’s Virtual Box without first informing Oracle.


    Sergey Zelenyuk discovered a flaw that would allow him to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges.

    The vulnerability exists in VirtualBox 5.2.20 and prior versions.


    The bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode.


    “The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3,” Zelenyuk wrote in a technical write-up posted to his GitHub account. “Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv.”


    Zelenyuk said he likes VirtualBox and that he publicly posted the exploit in part because vendors take too long to patch their products, because of inconsistencies concerning which types of bugs will be compensated for, and because of the unclear pricing on how much researchers will be paid for their research. Oracle has yet to release an update for the flaw.


    After triggering the necessary set of conditions, Zelenyuk is able to trigger an integer overflow condition and later a buffer overflow that could be abused to escape the confinement of the virtual operating system.


    Zelenyuk described the exploit as “100% reliable,” adding that “it either works always or never because of mismatched binaries or other, more subtle reasons I didn’t account.”


    Craig Young, computer security researcher at Tripwire, said the vulnerability is in the implementation of a virtual Intel E1000 compatible network adapter.


    “The write-up demonstrates how an attacker with permissions to load Linux kernel modules in a Virtual Box guest environment can achieve low-privileged code execution on the host OS which can then be elevated to gain administrative access to the host,” Young said. “Anyone using Virtual Box for accessing untrusted content (malware analysts for example) should immediately review their machine profiles and at least temporarily discontinue use of the E1000 device in favor of the PCNET adapter.”


    Young added that users should avoid running any less than trustworthy applications in any Virtual Box environment with E1000 enabled until Oracle is able to release a fix.

    https://www.scmagazine.com/home/secu...ed-researcher/
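Young's advice above amounts to a configuration audit: find every VM with an Intel PRO/1000 (E1000) adapter, note which are in NAT mode, and swap them for PCnet until a fix ships. The Python below is an added example, not code from Zelenyuk, Oracle or Tripwire. It parses the `key="value"` lines that `VBoxManage showvminfo <vm> --machinereadable` prints and emits the `VBoxManage modifyvm ... --nictype<N> Am79C973` commands for each hit; SAMPLE_VMS is constructed in that format.

```python
"""Audit VirtualBox VM definitions for the E1000 adapter involved in the
VirtualBox E1000 guest-to-host escape. Added example, not code from Zelenyuk,
Oracle or Tripwire. Parses `VBoxManage showvminfo <vm> --machinereadable`
output; SAMPLE_VMS is constructed sample output in that format."""
import re

E1000_TYPES = {"82540EM", "82543GC", "82545EM"}   # VirtualBox's Intel PRO/1000 variants
SAFE_REPLACEMENT = "Am79C973"                     # PCnet-FAST III, the adapter Tripwire suggested

KV_RE = re.compile(r'^([A-Za-z0-9_]+)="?(.*?)"?$', re.M)

SAMPLE_VMS = {
    "malware-lab": '''name="malware-lab"
ostype="Windows7_64"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="hostonly"
nictype2="82540EM"
hostonlyadapter2="vboxnet0"
nic3="none"
''',
    "build-box": '''name="build-box"
ostype="Ubuntu_64"
nic1="bridged"
nictype1="Am79C973"
bridgeadapter1="eth0"
nic2="none"
''',
}


def parse_machinereadable(text: str) -> dict:
    """Turn the tool's key="value" lines into a dict (quoted keys are ignored)."""
    return dict(KV_RE.findall(text))


def e1000_nics(text: str) -> list:
    """Return [(nic_index, attachment, adapter_type)] for every enabled E1000 NIC.

    NAT attachment is the configuration named in the write-up; other attachments
    are listed too because Tripwire's advice was to drop the device altogether.
    """
    info = parse_machinereadable(text)
    findings = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode == "none":
            continue
        idx = m.group(1)
        nictype = info.get(f"nictype{idx}", "")
        if nictype in E1000_TYPES:
            findings.append((int(idx), mode, nictype))
    return sorted(findings)


def remediation_commands(vm_name: str, text: str) -> list:
    """VBoxManage commands swapping each flagged adapter for PCnet (VM must be powered off)."""
    return [f'VBoxManage modifyvm "{vm_name}" --nictype{idx} {SAFE_REPLACEMENT}'
            for idx, _mode, _type in e1000_nics(text)]


if __name__ == "__main__":
    # Live audit: `VBoxManage list vms`, then showvminfo --machinereadable for each.
    for name, text in SAMPLE_VMS.items():
        for idx, mode, nictype in e1000_nics(text):
            print(f"{name}: nic{idx} is {nictype} attached as {mode}")
        for cmd in remediation_commands(name, text):
            print("   ", cmd)
```

Changing the adapter type changes the device the guest sees, so Windows guests will re-detect the NIC and may lose static IP settings; that is a small price on an analysis box that should never have trusted its guest anyway.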

#666 harrybarracuda
    Researchers at cybersecurity company ESET have found a malware campaign that compromises a device’s firmware component. The campaign is believed to be supported and spread by the Kremlin-backed group Fancy Bear.

    According to the report, the malware is dubbed LoJax, and is capable enough to “serve as a key to the whole computer” by infecting the Unified Extensible Firmware Interface (UEFI) of a device. It is very hard to detect, and can also survive the operating system (OS) reinstallations.

    “The way that LoJax accesses both the UEFI and LoJack is by using binary files that, from the operating system, compile information about its hardware,” Panda Security researchers said in a blog.

    “LoJax isn’t dangerous simply because of the infection of the UEFI itself, but also due to the fact that many cybersecurity solutions, including corporate cybersecurity solutions that are present in many companies, completely overlook Computrace LoJack and the UEFI software, as they classify it to be safe.”

    LoJack is an anti-theft software, which is most commonly known for its cyber attack on the Democratic National Committee in 2016, as well as several other attacks on European organizations.

    “Although we were aware in theory that UEFI rootkits existed, our discovery confirms that they are used by an active advanced persistent threat group,” said ESET researcher Jean-Ian Boutin, in a press release.

    “These attacks targeting the UEFI are a real threat, and anyone in the crosshairs of Sednit [Fancy Bear] should be watching their networks and devices very closely.”

    'LoJax' malware can survive operating system reinstallations - E Hacking News


#667 harrybarracuda
    Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users.


    Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already. But the app, now available for iPhones, iPads and Android devices, aims to make it easier for anyone to use its free consumer DNS service.

    The app is a one-button push to switch on and off again. That’s it.


    Cloudflare rolled out 1.1.1.1 earlier this year on April Fools’ Day, no less, but privacy is no joke to the San Francisco-based networking giant. In using the service, you let Cloudflare handle all of your DNS information, like when an app on your phone tries to connect to the internet, or you type in the web address of any site. By funneling that DNS data through 1.1.1.1, it can make it more difficult for your internet provider to know which sites you’re visiting, and also ensure that you can get to the site you want without having your connection censored or hijacked.

    It’s not a panacea to perfect privacy, mind you — but it’s better than nothing.


    The service is also blazing fast, shaving valuable seconds off page loading times, particularly in parts of the world where things work, well, a little slower.

    “We launched 1.1.1.1 to offer consumers everywhere a better choice for fast and private Internet browsing,” said Matthew Prince, Cloudflare chief executive. “The 1.1.1.1 app makes it even easier for users to unlock fast and encrypted DNS on their phones.”


    You can download the app from Apple’s App Store and Google Play.

    https://techcrunch.com/2018/11/11/cloudflare-privacy-dns-service-ios-android/

#668 harrybarracuda
    Windows users in Europe have recently been the target of a sophisticated malware campaign that provides attackers with a diverse array of capabilities, including cryptomining, credential stealing, ransomware and remote-access takeovers.


    Named DarkGate by its developer, the malware is reportedly distributed via torrent files disguised as popular entertainment offerings, including the Spanish basketball dramedy Campeones and the zombie drama The Walking Dead. But these files actually execute malicious VBScripts on the machines of those who download them.

    Upon infection, the malware’s first interaction with the C2 server commences the mining process, but from there DarkGate has the potential to carry out additional attacks.


    So far, the campaign has focused largely on users in Spain and France, according to a Nov. 13 blog post from endpoint security company enSilo, whose researcher Adi Zeligson discovered the threat on Dec. 27, 2017.


    Researchers say that DarkGate appears to be closely related to a previously known password-stealer called Golroted.


    DarkGate’s password-stealing component uses NirSoft tools to swipe user credentials, browser cookies, browser history and Skype chats, enSilo reported. But the attackers seem to clearly favor cryptocurrency credentials, reported blog post authors Zeligson and fellow researcher Rotem Kerner, as the malware “looks for specific strings in the names of windows in the foreground that are related to different kinds of crypto wallets” used for trading on various crypto applications and websites.


    Aside from its versatility, DarkGate is also notable in that it practices process hollowing, the act of loading a legitimate process onto a system in order to use it as a wrapper to conceal malicious code. DarkGate abuses the processes vbc.exe or regasm.exe for this purpose, the blog post explains.


    The malware also relies on UAC (User Account Control) bypass capabilities to elevate its privileges. For this, it employs two distinct tricks, exploiting both the scheduled task DiskCleanup and the legitimate process file eventvwr.exe, aka the Event Viewer Snapin Launcher.

    Another of DarkGate’s remarkable traits is its human-powered, “reactive” C2 infrastructure, which is staffed by actual people. These operators “act upon receiving notifications of new infections with crypto wallets,” reported blog post authors Zeligson and fellow researcher Rotem Kerner.

    Additionally, “When the operator detects any interesting activity… they then proceed to install a custom remote access tool on the [infected] machine for manual operations.”


    DarkGate deceptively attempts to hide its C2 infrastructure by disguising its malicious servers as known legitimate services, including Akamai CDN or AWS. The malware also takes measures to avoid detection by monitoring for conditions typically found in sandbox or VM environments, as well as by checking for the presence of specific AV solutions.


    In an email interview with SC Media, an enSilo spokesperson said the researchers believe that the attackers “aim for targets which will maximize their monetary gain and as such prefer to reach valuable targets; for example, organizations with significant computing resources.”

    https://www.scmagazine.com/home/secu...windows-users/
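
The article names the two UAC bypasses (the DiskCleanup scheduled task and eventvwr.exe) and the two hollowing hosts (vbc.exe, regasm.exe) but does not say what an endpoint would actually see. The following is an added example written for this thread, not code from the article or from enSilo: it runs a handful of heuristic rules over constructed Sysmon-style events. The registry keys in the rules are the publicly documented mechanics of those two bypasses (eventvwr.exe launching whatever HKCU\Software\Classes\mscfile\shell\open\command points at; the SilentCleanup task expanding a per-user %windir%), which the article itself does not spell out. The parent-process allow-list and the sample events are assumptions chosen for illustration.

```python
"""Flag UAC-bypass and process-hollowing indicators of the kind described for
DarkGate in Sysmon-style telemetry.  All events below are constructed samples."""
import re
from typing import Dict, List, Tuple

# Documented mechanics (not from the article):
#  - eventvwr.exe auto-elevates and opens its snap-in via the per-user key
#    HKCU\Software\Classes\mscfile\shell\open\command; writing that value
#    gets attacker code run without a UAC prompt.
#  - The DiskCleanup "SilentCleanup" task runs with highest privileges and
#    expands %windir% from the user's environment, so a per-user
#    HKCU\Environment\windir value redirects it.
# Sysmon records HKCU paths as HKU\<SID>\..., so the patterns match that form.
MSCFILE_HIJACK = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\mscfile\\shell\\open\\command$", re.I)
WINDIR_HIJACK = re.compile(r"^HKU\\[^\\]+\\Environment\\windir$", re.I)

HOLLOWING_HOSTS = {"vbc.exe", "regasm.exe"}          # named in the article
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}   # assumption: build tooling
SHELL_PARENTS = {"explorer.exe", "mmc.exe", "svchost.exe"}        # assumption: normal eventvwr launchers


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event trips (empty list for benign events)."""
    hits: List[str] = []
    if ev["type"] == "RegistryValueSet":
        if MSCFILE_HIJACK.search(ev["target"]):
            hits.append("uac_bypass_eventvwr_mscfile")
        if WINDIR_HIJACK.search(ev["target"]):
            hits.append("uac_bypass_diskcleanup_windir")
    elif ev["type"] == "ProcessCreate":
        img, parent = basename(ev["image"]), basename(ev["parent"])
        # A .NET compiler / assembly registrar started by a script host is a
        # classic hollowing target; started by a build tool it is routine.
        if img in HOLLOWING_HOSTS and parent not in EXPECTED_PARENTS:
            hits.append("hollowing_host_unexpected_parent")
        if img == "eventvwr.exe" and parent not in SHELL_PARENTS:
            hits.append("eventvwr_spawned_by_non_shell")
    elif ev["type"] == "NetworkConnect":
        # Compilers do not need the network; a hollowed one does.
        if basename(ev["image"]) in HOLLOWING_HOSTS:
            hits.append("hollowing_host_network")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [(ev["id"], rule) for ev in events for rule in flag_event(ev)]


SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
DROPPER = r"C:\Users\bob\AppData\Roaming\x.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [   # constructed
    {"id": "1", "type": "RegistryValueSet", "image": DROPPER,
     "target": SID + r"\Software\Classes\mscfile\shell\open\command", "details": DROPPER},
    {"id": "2", "type": "ProcessCreate", "image": r"C:\Windows\System32\eventvwr.exe",
     "parent": DROPPER, "cmdline": "eventvwr.exe"},
    {"id": "3", "type": "RegistryValueSet", "image": DROPPER,
     "target": SID + r"\Environment\windir", "details": DROPPER + ";"},
    {"id": "4", "type": "ProcessCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "vbc.exe"},
    {"id": "5", "type": "NetworkConnect",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "dest": "203.0.113.10:443"},
    {"id": "6", "type": "ProcessCreate",          # benign: compiler under MSBuild
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe", "cmdline": "vbc.exe /noconfig @obj\\x.rsp"},
    {"id": "7", "type": "RegistryValueSet", "image": r"C:\Windows\regedit.exe",   # benign PATH edit
     "target": SID + r"\Environment\Path", "details": r"C:\Tools"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The registry rules are exact and cheap to run as real detections; the parent-process and network rules are heuristics and will need tuning on a fleet where developers build .NET code.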

#669 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    Schoolboy error - again.

    Tens of millions of text messages have been exposed on a company’s database by a security lapse.


    The messages, which included password reset links, two-factor authentication codes and shipping notifications, were exposed on a server belonging to Voxox.

    Alarmingly, the San Diego-based communications company’s server was not password protected, meaning anyone who knew where to find it could easily snoop.


    Berlin-based security researcher Sébastien Kaul found the database had just over 26 million text messages when it was taken offline by Voxox following an inquiry by TechCrunch.

    But the volume of messages processed through the platform per minute suggests this figure may be higher.


    Each record included the recipient’s mobile phone number, the message, the Voxox customer who sent the message, and the shortcode they used – although the codes themselves would only have been usable for a very short amount of time.


    Voxox acts as a gateway for companies such as Amazon by converting shipping codes or two-factor authentication codes into text messages to be passed on to customers’ mobile phones.


    And apps such as Viber and HQ Trivia use the technology to verify a user’s phone number or send a two-factor authentication code.

    Among its findings, TechCrunch discovered several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network.

    It also found several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries; and a password was sent in plaintext to a Los Angeles phone number by dating app Badoo.


    Dylan Katz, a security researcher, told TechCrunch: “My real concern here is the potential that this has already been abused.
    “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

    Kevin Hertz, Voxox’s co-founder and chief technology officer, told TechCrunch in an email that the company was “looking into the issue and following standard data breach policy at the moment” and that the company was “evaluating impact”.

    https://www.independent.co.uk/news/u...-a8638876.html

#670 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    A new hacking tool making the rounds in underground forums has been deemed the latest "go-to" universal offering for attackers targeting Microsoft Windows PCs.


    The software is called L0rdix and according to cybersecurity researchers from enSilo is "aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, [and] can avoid malware analysis tools."


    In a blog post on Tuesday, enSilo researcher Ben Hunter said the tool is relatively new and is available for purchase. There are, however, indicators that L0rdix is still undergoing development despite an array of different functions already implemented within the malware.


    Written in .NET, L0rdix has been developed with stealth in mind. The malware is obfuscated using the standard ConfuserEx obfuscator, and some samples have been tweaked with the more sophisticated .NETGuard obfuscator.


    The developers of L0rdix have made an effort when it comes to virtual environments and sandboxes, which are commonly used by researchers for the purposes of reverse engineering and malware analysis.


    L0rdix not only performs a number of standard scans to detect these environments but also uses WMI queries and registry keys to search for strings which may indicate sandbox products.


    "The less common checks made by L0rdix include searching processes that load sbiedll.dll which belongs to the sandboxie product, aspiring to increase its chances to avoid running in a simple free virtual environment tool," Hunter added.


    The malware has been constructed with sales in mind, containing five core modules with configuration auto-update capabilities and a structure which allows future modules to be easily integrated within L0rdix.


    Once a machine is infected, the malware pulls information including OS version, device ID, CPU model, installed antivirus products and current user privileges. This information is encrypted and sent to the command-and-control (C2) server, alongside a screenshot of the machine.


    The malware's files and configuration settings are then updated based on this information, and it is at this point where L0rdix 'decides' whether or not cryptocurrency mining and data theft are appropriate.


    L0rdix will then infect all removable drives, mapping itself to their icons and hiding the legitimate drive files and directories.


    "All of this is done to make sure that the malware will execute by the user double-clicking it on another machine," the researcher says.


    Another function is responsible for maintaining persistence. The malware will copy itself to a number of traditional areas, such as scheduled tasks -- but this is an area which is ripe for improvement in the future.


    L0rdix is also able to act as a botnet by enslaving the infected PC, with optional commands including opening specific URLs in a browser -- which potentially could be used for domain flooding in Distributed Denial-of-Service (DDoS) attacks -- killing specific processes, uploading and executing additional payloads, and executing cmd commands.


    In addition, the malware is able to monitor Windows clipboards for signs of cryptocurrency wallets and strings. If found, this content is sent to the C2, and L0rdix will also aim to collect browser cookies and credentials.


    When it comes to fraudulent cryptocurrency mining, some samples contain miner code -- but enSilo believes this was developed in one of the later stages of coding as in some samples, this functionality is absent.


    "While it's very easy to notice that most of the effort was put into evading virtual environments and analysis tools along with implementing the stealing module, L0rdix still presents unfinished modules and weak implementation details such as simple encryption or simple data handling between the server and the client," Hunter says. "Those indicators might suggest that the tool is still under development."


    enSilo expected to see more sophisticated versions of the multipurpose tool in the future as L0rdix undergoes further development to stay attractive to underground buyers.


    https://www.zdnet.com/article/l0rdix...fe-of-hacking/
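
The article says L0rdix watches the clipboard "for signs of cryptocurrency wallets and strings" without saying what such a sign looks like. The following is an added example for this thread, not enSilo's or the malware's code: a recogniser for Bitcoin and Ethereum address strings of the kind a clipboard monitor, or equally a DLP rule watching for exfiltration of wallet data, would key on. The point it shows is that a bare regex over-matches, while Bitcoin addresses carry a Base58Check checksum (4 bytes of double SHA-256) that a typo or a random alphanumeric string will fail. The clipboard text is constructed; the one real address in it is the well-known genesis-block address, used because its checksum is public knowledge.

```python
"""Recognise wallet addresses in clipboard text, validating Bitcoin addresses
by their Base58Check checksum rather than shape alone."""
import hashlib
import re
from typing import List, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_SHAPE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")   # legacy P2PKH / P2SH
ETH_SHAPE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)       # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))    # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + body


def is_bitcoin_address(s: str) -> bool:
    if not BTC_SHAPE.match(s):
        return False
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):   # version byte: P2PKH or P2SH
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def is_ethereum_address(s: str) -> bool:
    # EIP-55 mixed-case checksums need keccak-256, which hashlib lacks; shape check only.
    return bool(ETH_SHAPE.match(s))


def classify_clipboard(text: str) -> List[Tuple[str, str]]:
    """Return (kind, address) for every validated wallet address in the text."""
    hits: List[Tuple[str, str]] = []
    for token in text.split():
        token = token.strip(".,;:()[]<>\"'")
        if is_bitcoin_address(token):
            hits.append(("bitcoin", token))
        elif is_ethereum_address(token):
            hits.append(("ethereum", token))
    return hits


GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"    # real, public, valid checksum
TYPO_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"       # last character changed
ETH_SAMPLE = "0x" + "ab" * 20                              # constructed, shape-valid
SAMPLE_CLIPBOARD = (   # constructed
    f"pay 0.5 BTC to {GENESIS_ADDRESS}, or ETH to {ETH_SAMPLE}; "
    f"ref {TYPO_ADDRESS} (typo) and order 1234567890123456789012345678"
)

if __name__ == "__main__":
    print(classify_clipboard(SAMPLE_CLIPBOARD))
```

The order number at the end is rejected by the alphabet alone (Base58 has no 0), the typo'd address only by the checksum; a monitor or a detection rule that stops at the regex would flag both.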

#671 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    Flash Player vulnerable AGAIN....

    https://nakedsecurity.sophos.com/201...vulnerability/

    Update Flash or your Flash-enabled browser (or both).

#672 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    The cheeky fuckers...



    Hackers are offering Black Friday discounts for stolen credit card details being bought and sold on the dark web as they seek to cash in on an online shopping bonanza.


    Security experts including the FBI, the UK's cyber defence agency and online security firms have warned of a wave of hacking and fraud as criminals exploit Britain's biggest weekend of online shopping across Black Friday and Cyber Monday.

    Last year proved another record year for sales, with billions spent in the UK alone, or more than £10,000 per second according to one estimate. But with a spike in digital shoppers, hackers are also making the most of the surge in online transactions.


    Messages on encrypted messaging app Telegram seen by the Telegraph showed hackers were promoting "festive season" deals to fellow cyber criminals.


    On one dark web forum called "Gansta's Paradise", hackers were offering a 25pc "Black Friday discount" on stolen credit cards, according to security company RepKnight.


    Hackers were seen advertising their services on "carding" message groups on the app, a technique to steal credit cards by infecting online stores and then laundering the money by using them to buy luxury goods and selling them on.

    https://www.telegraph.co.uk/technolo...-card-details/

#673 misskit (Thailand Expat, Chiang Mai, joined Dec 2009, 27,673 posts)
    DOJ unseals charges in alleged massive online ad fraud

    The Department of Justice (DOJ) on Tuesday unsealed charges against eight individuals in an alleged widespread digital advertising fraud that reportedly used botnets to give the appearance of billions of humans looking at online ads.


    Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko were charged with crimes including wire fraud, money laundering, computer intrusion and aggravated identity theft, according to a department release.


    The department also announced that a federal court unsealed seizure warrants allowing the FBI to take over 31 domains as well as seize data from 89 servers involved in the botnets, or networks of infected internet-connected devices that can be utilized by hackers.

    MORE. https://thehill.com/policy/cybersecu...nline-ad-fraud

#674 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    Poor old Vlad gets a taste of his own medicine....

    Moscow recently opened its first cable-car service and promised free rides for the first month. Unfortunately, only days after the service was made available, attackers reportedly hacked into the cable car systems and infected them with ransomware.


    With eager passengers waiting to take their free ride, police officers were explaining that the cable car was shut down due to technical reasons, according to a report from The Moscow Times.


    According to another Russian media report, the main computer for the cable car system was infected with ransomware and was demanding a ransom payment in bitcoins to decrypt the files required for the operation of the cable car.

    "According to the agency interlocutor, a message was received from an unknown person on the head computer of the Moscow Cable Cars operating company requesting to transfer bitcoins to him in exchange for decrypting all the electronic files of the computer that is responsible for the cable car operation. The amount of the ransom, said in the letter, depends "on the speed of response to the letter." As a result, there was a failure in the cable car."

    https://www.bleepingcomputer.com/new...fter-it-opens/

#675 harrybarracuda (Member, joined Sep 2009, 54,581 posts)
    Marriott breach, up to 500 million customers.

    Marriott said Friday that hackers have had access to the reservation systems of many of its hotel chains for the past four years, a breach that exposed private details of up to 500 million customers while underscoring the sensitive nature of records showing where and when people travel — and with whom.


    The breach of the reservation system for Marriott’s Starwood subsidiaries was one of the largest in history, after two record-setting Yahoo hacks, and was particularly troubling for the nature of the data that apparently was stolen, security experts said. That includes familiar information — such as names, addresses, credit card numbers and phone numbers — and also rarer prizes for hackers, such as passport numbers, travel locations and arrival and departure dates.

    The potential value of such information on such a large percentage of the world’s travelers triggered speculation that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives. Yet even if the hackers were mere criminals in search of profit, such data offered the raw material for a range of possible misdeeds, including identity theft.

    https://www.washingtonpost.com/busin...=.a948594a0ae3
