Wednesday, January 31, 2018

Ransomware is old school - Crypto-mining is the new trend



A single hijacked box can typically mine about 25 cents of Monero a day. Multiply that over tens of thousands of machines, and it adds up to a nice little earner.

Criminals are cutting out the middle person – the human victim – and infecting machines with remote-controlled malware that quietly mines alt-coins and slips the digital dosh back to its masters.

Criminals are shifting from coining it with ransomware to raking it in directly with stealthy miners.


Here is the fun part:
The Talos team found one inept CPU-cycle thief who was installing open-source mining code called NiceHash Miner, which is on GitHub. The crook forgot to change the default settings in the app, meaning that any coinage mined went to the software's developer, not the idiot sticking it on other people's systems.


https://www.theregister.co.uk/2018/02/01/monero_mining_malware/

Want to hack into systems exposed to the Internet? No skills needed, just run the "AutoSploit" script.



It crawls the internet looking for machines that are possibly vulnerable to attack – typically due to unpatched security bugs – and automatically takes them over for you.

The software, posted publicly on GitHub this week by someone calling themselves Vector, is called AutoSploit. It makes mass hacking exceedingly easy. After collecting targets via the Shodan search engine – an API key is required – the Python 2.7 script attempts to run Metasploit modules against them.

https://www.theregister.co.uk/2018/01/31/auto_hacking_tool/

Have you updated your Cisco VPN device(s)? A critical vulnerability with a CVSS score of 10 has been fixed



On January 29, Cisco released a high-urgency security alert for customers using network security devices and software that support virtual private network connections to corporate networks. Firewalls, security appliances, and other devices configured with WebVPN clientless VPN software are vulnerable to a Web-based network attack that could bypass the devices’ security, allowing an attacker to run commands on the devices and gain full control of them. This would give attackers unfettered access to protected networks or cause the hardware to reset. The vulnerability has been given a Common Vulnerability Scoring System rating of Critical, with a score of 10—the highest possible on the CVSS scale.

https://arstechnica.com/information-technology/2018/01/cisco-drops-a-mega-vulnerability-alert-for-vpn-devices/

Monday, January 29, 2018

What is JackPotting? - You make the ATM give you a lot of cash (like a Slot Machine)


Thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash.


The Secret Service alert explains that the attackers typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.


https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Meltdown, Spectre patch drama continues - first they said "PATCH, it is critical", then "WAIT, it will break", then "GO AHEAD", then Intel says "oops, we did not test our patches properly", and today Microsoft wants to uninstall one of its patches.




On Saturday, Microsoft issued an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715).

The update —KB4078130— targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions.


https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-windows-out-of-band-update-that-disables-spectre-mitigations/

Friday, January 26, 2018

If you own an ASUS router, then it is time to act (I mean patch)



ASUS released patches for over a dozen router models on Tuesday that are each vulnerable to multiple firmware flaws that, when combined, give a local unauthenticated attacker the ability to execute commands as root on targeted devices.

However:
The attack is done from the LAN side of the network, as opposed to the WAN side. In other words, as far as we know, you cannot exploit this from the internet.



https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/

It's a wonderful (scary) world (keylogger in WordPress sites)


What is typed in the forms is sent to the hackers even before the user has clicked on the “log in” button.


Many web surfers almost certainly don’t realise that the reason that their laptop’s fan is running at full blast is because the website they are viewing is tied up with the complex number-crunching necessary to earn the digital currency.

But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger.

https://hotforsecurity.bitdefender.com/blog/keylogger-found-on-thousands-of-wordpress-based-sites-stealing-every-keypress-as-you-type-19501.html

Thursday, January 25, 2018

How bad can it get? Well, cybercriminals are selling Social Security numbers of infants (for $300 worth of bitcoin)


Why? For those who indulge in fraudulent tax returns.

Though most people start thinking about filing their tax returns in March or April or later, for the Dark Web hooligans the earlier a fraudulent tax return is filed, the better the outcome.

In order to file a fake tax return, the trickster needs to obtain exactly the same information that must be entered when filing a real tax return, and what they need is easily available on the dark web; all they need to do is pay in bitcoin.

https://www.hackread.com/cybercriminals-selling-social-security-numbers-infants-dark-web/

Have you heard of a cryptocurrency called “SpriteCoin”? It is a new ransomware scam.




The malware infects Windows-based computers and locks files on the system; it does not download any blockchain. It then asks for a monetary ransom in order to decrypt the locked files. Such ransoms are usually demanded in Bitcoin, but in this scam the cybercriminals ask for payment in Monero, an open-source cryptocurrency.

Currently, 1 Monero is around $322 while the ransomware scam asks victims to pay 0.3 Monero which is almost $100.


https://www.hackread.com/spritecoin-cryptocurrency-ransomware-spy-steal-saved-passwords/

Wednesday, January 24, 2018

Check If Your PC Is Vulnerable To The Spectre And Meltdown Bugs - Portable app (single EXE) available from Gibson Research Corp

RFID Credit Card / Passport / ID Skimming - What is it all about, and does the protection really work? Watch this highly informative video (no login/account needed)

Malware-infected gas pumps!! What can they do? You pay more for your fuel


Russian authorities have identified an extensively distributed malware campaign targeting electronic gas stations using software programs at the pumps. Until now, dozens of gas stations have been attacked, as customers are conned into paying more for fuel than what has actually been pumped into their vehicle tanks.

Zayev, a Russian hacker, has been charged with creating software programs for the primary purpose of swindling gas station customers and defrauding them with malware installed on the pumps.

https://www.hackread.com/hacker-used-malware-to-hike-prices-for-gas-station-customers/

Reminder - Do not forget to Patch Apple OS and Firefox


Monday, January 22, 2018

Meltdown, Spectre saga continues - Intel is now advising its customers and partners to halt the installation of patches for its Broadwell and Haswell microprocessor systems




"We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed."


https://www.darkreading.com/vulnerabilities---threats/intel-says-to-stop-applying-problematic-spectre-meltdown-patch-/d/d-id/1330871

Instead of treating Spectre as a bug, Intel is offering Spectre protection as a feature.



The decision to address the flaw with an opt-in flag rather than activating defenses by default has left Linux kernel steward Linus Torvalds apoplectic.

Known for incendiary tirades, Torvalds does not disappoint. In a message posted to the Linux kernel mailing list on Sunday, he wrote, "As it is, the patches are COMPLETE AND UTTER GARBAGE."

"All of this is pure garbage. Is Intel really planning on making this shit architectural?" he asked. "Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here – talk to your managers."


https://www.theregister.co.uk/2018/01/22/intel_spectre_fix_linux/

Friday, January 19, 2018

Unbelievable - Oman's stock exchange had both its username and password as "admin"



For several months, Oman's stock exchange, one of the largest stock exchanges in the Middle East, was reportedly vulnerable to hacking.

ZDNet reported that a security researcher found that a primary Huawei router for Oman's stock exchange had both its username and password set to "admin".

It is not uncommon for many routers to have the same username and password combination set as default. However, unless manually changed, leaving the combination as is would reportedly allow hackers to gain administrator privileges, which in turn would give them complete control over the device.

The vulnerable router's IP address was buried in a list of Telnet credentials that were leaked last year.

For More:
http://www.ibtimes.co.uk/security-gaffe-left-omans-stock-exchange-vulnerable-hackers-months-1655820

"GhostTeam" Malware - Steals Facebook credentials



Vietnamese adware dubbed “GhostTeam” was found hiding in 53 Google Play apps disguised as utility apps; it seeks administrative privileges and looks to steal the user's Facebook credentials.

The malware also uses anti-sandboxing defenses and will only retrieve its payload, disguised as “Google Play Services,” if it detects that it is not running in an emulator or virtual environment.

For More:
https://www.scmagazine.com/vietnamese-adware-dubbed-ghostteam-spotted-in-several-google-play-apps/article/737779/

25 common passwords of 2017


Top 10 

  1. 123456 
  2. password 
  3. 1234567
  4. qwerty
  5. 12345
  6. 123456789 
  7. letmein
  8. 1234567
  9. football
  10. iloveyou




The rest are in the link:

https://www.wombatsecurity.com/blog/worst-passwords-of-2017-deja-vu-all-over-again?utm_content=65637682&utm_medium=social&utm_source=twitter

Thursday, January 18, 2018

Mac Users Beware - OSX/MaMi malware - It evades anti-virus detection, keeps an eye on the victim’s activity by taking screenshots, executes commands, generates simulated mouse events, downloads and uploads files, etc.


The malware is capable of installing a new root certificate and hijacking the DNS servers, then manipulating Internet traffic and redirecting it to a malicious server.

Currently, it is unclear how OSX/MaMi targets and infects macOS.

You can manually check if your device is infected with OSX/MaMi by going into the DNS settings. If the DNS servers are set to 82.163.143.135 and 82.163.142.137, your device is infected.

For More:
https://www.hackread.com/macos-malware-hijacks-dns-settings-takes-screenshots/
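The manual DNS check above can be scripted. As an added example (not code from the post or the linked article), this Python snippet parses the output of `scutil --dns` on macOS and flags any resolver pointing at the two indicator addresses the post names; the sample output embedded in it is constructed.

```python
"""Check macOS DNS settings for the OSX/MaMi indicator addresses listed above.

Added example, not code from the original post or the linked article. It parses
the text output of `scutil --dns` (macOS) and flags any resolver pointing at the
two DNS servers the post names. SAMPLE_INFECTED below is constructed.
"""
import re
import shutil
import subprocess

# Indicator DNS servers the post lists for OSX/MaMi.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}

_RESOLVER_RE = re.compile(r"^resolver #(\d+)")
_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text):
    """Return {resolver_number: [nameserver, ...]} from `scutil --dns` output."""
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = _RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers.setdefault(current, [])
            continue
        m = _NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_mami_indicators(resolvers):
    """Return [(resolver_number, nameserver)] for every entry matching the indicators."""
    return [(num, server)
            for num, servers in sorted(resolvers.items())
            for server in servers
            if server in MAMI_DNS_SERVERS]


def collect_live_dns():
    """Run `scutil --dns` when available (macOS); return None on other systems."""
    if shutil.which("scutil") is None:
        return None
    proc = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample resembling `scutil --dns` output on an infected Mac.
SAMPLE_INFECTED = """DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

if __name__ == "__main__":
    text = collect_live_dns()
    if text is None:
        print("scutil not available; checking the constructed sample instead")
        text = SAMPLE_INFECTED
    hits = find_mami_indicators(parse_scutil_dns(text))
    for num, server in hits:
        print(f"resolver #{num} uses OSX/MaMi DNS server {server}")
    if not hits:
        print("no OSX/MaMi DNS indicators found")
```

A clean resolver list does not rule out the root certificate the post says the malware installs, so treat this as one indicator rather than a complete check.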

6 basic rules to secure IoT



Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security.



Rule #1: Avoid connecting your devices directly to the Internet

Rule #2: If you can, change the thing’s default credentials

Rule #3: Update the firmware

Rule #4: Check the defaults
If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist), check out Steve Gibson's ShieldsUP page.
Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network.

Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities

Rule #6: Consider the cost
Cheaper usually is not better. There is no direct correlation between price and security.


For More:
https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/

Fact is stranger than fiction - Hawaii’s missile alert agency keeps its password on a Post-it note



As Business Insider describes, evidence has come to light that some of the organisation’s staff might be in the habit of sticking Post-it notes containing passwords onto their computer monitors.

That in itself is far from ideal, but what’s even worse is that these Post-it note passwords have been caught on camera by the media, and are available for anybody to view on the internet.

For More:
https://hotforsecurity.bitdefender.com/blog/hawaiis-missile-alert-agency-keeps-its-password-on-a-post-it-note-19461.html

Wednesday, January 17, 2018

Serverless Architecture - Top 10 Security issues (compiled by Puresec)


When you develop applications using serverless architectures, you relieve yourself of the daunting task of having to constantly apply security patches for the underlying operating system and application servers.

If you are a developer, this sounds like heaven, right? Hold on... there’s a fly in the ointment. You are still responsible for designing robust applications and making sure that your code doesn’t introduce application-layer vulnerabilities.

Serverless architectures introduce a new set of issues that must be taken into consideration when securing such applications.

For More:
https://www.puresec.io/blog/serverless-top-10-released

Have you patched MS Office? Zyklon malware might be looking to exploit it


Remember:
Patching is one solution that is MOST EFFECTIVE against MALWARE.


Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and has primarily been found targeting telecommunications, insurance and financial services.


Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, such as passwords stored in web browsers and email clients.

Vulnerabilities being exploited:

1) .NET Framework RCE Vulnerability (CVE-2017-8759)—this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over email. Microsoft already released a security patch for this flaw in its September updates.

2) Microsoft Office RCE Vulnerability (CVE-2017-11882)—a 17-year-old memory corruption flaw, patched by Microsoft in its November update, that allows a remote attacker to execute malicious code on targeted systems without requiring any user interaction beyond opening a malicious document.

3) Dynamic Data Exchange Protocol (DDE Exploit)—this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to perform code execution on the targeted device without requiring macros to be enabled or memory corruption.


For More Info:
https://thehackernews.com/2018/01/microsoft-office-malware.html

Can a single Link in a message crash your iPhone or Mac? - YES it can


A malicious link is capable of crashing iOS and macOS when received through Apple's Messages app.

ChaiOS bug's code gives your Apple device a brainstorm. Ashamed about the mess it gets itself in, Messages decides the least embarrassing thing to do is to crash.

Nasty. But, thankfully, more of a nuisance than something that will lead to data being stolen from your computer or a malicious hacker being able to access your files.

Readers with long memories will recall that Apple users have been bedevilled by text bomb vulnerabilities like this in the past.

For instance, in 2013 it was found that Macs and iPhones could be crashed by a simple string of Arabic characters, and in 2015 an attack dubbed "Effective Power" saw a sequence of characters allow mischief-makers to remotely reboot iPhones.


https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/

Tuesday, January 16, 2018

"FruitFly" Malware (Mac/Windows) went unnoticed for 13 years



Phillip R. Durachinsky, of North Royalton, Ohio, is alleged to have used Mac malware known as “Fruitfly” to remotely control victims’ computers, access and upload files, grab screenshots, log keystrokes, and surreptitiously spy via infected computers’ webcams.

Durachinsky is said to have used malware he created between 2003 and January 2017 to steal personal data, tax records, passwords, and “potentially embarrassing communications.”

https://www.welivesecurity.com/2018/01/13/fruitfly-malware-spied-mac-users-13-years-man-charged/

Funny and Ridiculous - Taiwan’s cybercrime-fighting investigators recently handed out malware-infected USB sticks to… winners of a cybersecurity quiz


Taiwan’s Criminal Investigation Bureau has apologised after handing out 54 infected flash drives at a data security expo hosted by the government from 11-15 December, an event which had the noble aim of raising awareness of cybercrime.

According to the Criminal Investigation Bureau, the infections have been traced back to a single PC at an external contractor. It seems that a random sample of the USB drives were plugged into the infected PC in order to test their storage capacity, and the malware was unwittingly transmitted to 54 of them at that time.



https://hotforsecurity.bitdefender.com/blog/cybersecurity-quiz-winners-rewarded-with-malware-infected-usb-sticks-19448.html

Friday, January 12, 2018

Whatsapp bug can lead to eavesdropping (now I know why I receive so many likes for my selfies)



"Anyone who controls the app's servers could insert new people into private group chats without needing admin permission,"

The server can simply add a new member to a group with no interaction on the part of the administrator.


http://www.ehackingnews.com/2018/01/whatapp-group-chat-bug-can-allow-anyone.html

2018 is off to a bad start: Intel has a new CRITICAL (AMT) vulnerability


The flaw is a critical one and organizations need to think of remedies quickly because a system can be compromised in less than a minute.

The only thing organizations can do to prevent their systems from exploitation, according to Sintonen, is setting a stronger AMT password or completely disabling AMT.


https://www.hackread.com/critical-intel-amt-flaw-lets-attackers-hack-laptops-mere-seconds/

Wednesday, January 10, 2018

NVIDIA GPUs could be MELTING too; I mean they could be affected by Meltdown/Spectre



NVIDIA has detailed how its GPUs are affected by the speculative execution attacks and has started releasing updated drivers that tackle the issue. All its GeForce, Quadro, NVS, Tesla and GRID chips appear to be safe from Meltdown (aka variant 3 of the attacks), but are definitely susceptible to at least one version of Spectre (variant 1) and "potentially affected" by the other (variant 2).



https://www.engadget.com/2018/01/10/nvidia-gpu-meltdown-and-spectre-patches/?utm_content=65523484&utm_medium=social&utm_source=twitter

Tuesday, January 9, 2018

What is the difference between Apple and Chrome ad blocking? Chrome’s adblocker has been created in partnership with the ad industry




Initially, many advertisers believed they had found a technological way around some of the restrictions put in place by ITP. Criteo, which took advantage of that loophole, had initially expected revenue to drop by only 9-13%, the company said. But in December, Apple closed that work-around on its mobile devices as part of the iOS 11.2 update, causing the ad-tech firm to update its projected impact to its current estimate of 22% “relative to our pre-ITP base case projections”.


Unlike Safari’s ITP, however, Chrome’s adblocker has been created in partnership with the ad industry. The feature only blocks what the company calls “intrusive ads”, such as autoplaying video and audio, popovers which block content, or interstitial ads that take up the entire screen.

More Here:
https://www.theguardian.com/technology/2018/jan/09/apple-tracking-block-costs-advertising-companies-millions-dollars-criteo-web-browser-safari

Friday, January 5, 2018

Are you using WD MyCloud device? - It might have a few free features (I mean vulnerabilities)


  1. A secret hard-coded backdoor that could allow remote attackers to gain unrestricted root access to the device. 
  2. Cross-site request forgery
  3. Command injection
  4. Denial of Service
  5. Information disclosure



Notably, James Bercegay of GulfTech contacted the vendor and reported the issues in June last year. The vendor confirmed the vulnerabilities and requested a period of 90 days until full disclosure.

On 3rd January (almost 180 days later), GulfTech publicly disclosed the details of the vulnerabilities, which are still unpatched.

For More:
https://thehackernews.com/2018/01/western-digital-mycloud.html

Everything you wanted to know about MELTDOWN and SPECTRE vulnerabilities (in layman language with Q&A)



Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Check the Q&A section; it might address a few questions you have.

https://spectreattack.com/

Thursday, January 4, 2018

Microsoft has a patch for the "Meltdown-Spectre" vulnerability, but don't rush and end up with a BSOD. You need to update your AV


Test/Update (all) your systems.


By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.

But if you're a Windows user and haven't received Microsoft's patches yet, Microsoft warns that the reason is your antivirus isn't compatible with its Windows update.


For More:
http://www.zdnet.com/article/windows-meltdown-spectre-patches-if-you-havent-got-them-blame-your-antivirus/

Wednesday, January 3, 2018

You only heard of Intel, but did you know that even AMD and ARM microprocessors have a critical flaw too?


Spectre forces an application to share its secrets, and is a more difficult attack to pull off. It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013.

For More:
https://www.darkreading.com/endpoint/critical-microprocessor-flaws-affect-nearly-every-machine/d/d-id/1330745

Hundreds of GPS services are vulnerable, most of which use open APIs and weak passwords, such as 123456 (really??)


New term: "Trackmageddon" - a security flaw in location tracking devices.

The information exposed by the devices includes location history and current location, phone number, model, type and IMEI number of the device and audio recordings and images. Moreover, it is also possible to activate or deactivate certain features of a device (for e.g., geofence alerts) by sending out commands.

According to the research, 79 domains are still vulnerable, which means more than 6.3 million devices and 360 device models are vulnerable to data exposure.

For More:
https://www.hackread.com/security-flaws-in-gps-trackers-millions-of-data-at-risk/

Tuesday, January 2, 2018

Exploiting an 11-year-old bug in browsers' built-in password managers



Third-party tracking scripts found by researchers on these websites inject invisible login forms in the background of the webpage, tricking browser-based password managers into auto-filling the form using the user's saved information.


For More:
https://thehackernews.com/2018/01/browser-password-managers.html
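As an added example (not code from the post or the research it links), the following Python scanner flags the kind of invisible login form described above inside a saved HTML/DOM snapshot: it tracks whether each element is hidden by itself or by an ancestor and reports forms that contain a password field the user cannot see. All names and the sample markup are constructed.

```python
"""Flag invisible login forms in a saved HTML snapshot (added example, not code
from the post or the research it links). It walks the markup, tracks whether each
element is hidden by itself or by an ancestor, and reports forms with a password
input the user cannot see. All names and the sample markup are constructed.
"""
from html.parser import HTMLParser

VOID_TAGS = {"input", "img", "br", "hr", "meta", "link", "base", "source", "wbr"}  # no end tag


def parse_style(style):
    """Turn 'display: none; opacity:0' into {'display': 'none', 'opacity': '0'}."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip().lower()] = value.strip().lower().replace(" ", "")
    return props


def is_hidden(attrs):
    """True when an element's own attributes make it invisible or push it off-screen."""
    attrs = dict(attrs)
    s = parse_style(attrs.get("style"))
    if ("hidden" in attrs or s.get("display") == "none"
            or s.get("visibility") == "hidden" or s.get("opacity") in {"0", "0.0"}):
        return True
    for side in ("left", "top"):  # e.g. left:-9999px, a common off-screen placement
        v = s.get(side, "")
        if v.startswith("-") and v.endswith("px") and v[1:-2].isdigit() and int(v[1:-2]) >= 1000:
            return True
    return False


class HiddenLoginFormScanner(HTMLParser):

    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden) for each open non-void element
        self.forms = []     # open forms, innermost last
        self.findings = []  # action URLs of hidden forms with a password field

    def handle_starttag(self, tag, attrs):
        hidden = (self.stack[-1][1] if self.stack else False) or is_hidden(attrs)
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "hidden": hidden, "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "text").lower() == "password":
            self.forms[-1]["password"] = True
            self.forms[-1]["hidden"] = self.forms[-1]["hidden"] or hidden  # field itself hidden
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "form" and self.forms:
            form = self.forms.pop()
            if form["hidden"] and form["password"]:
                self.findings.append(form["action"])
        for i in range(len(self.stack) - 1, -1, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_login_forms(html):
    """Return the action URLs of forms with a password input the user cannot see."""
    scanner = HiddenLoginFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed snapshot: a visible login form, an injected off-screen login form, and a
# hidden newsletter form with no password field (must not be reported).
SAMPLE_HTML = """<html><body>
<form action="/login"><input type="email" name="u"><input type="password" name="p"></form>
<div style="position:absolute; left:-9999px; top:-9999px">
<form action="https://tracker.example/collect"><input name="u"><input type="password" name="p"></form>
</div><form action="/newsletter" style="display:none"><input type="email" name="e"></form>
</body></html>"""
```

Injected forms only exist after the tracking script has run, so feed the scanner a snapshot captured from the live DOM rather than the raw page source.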

One tiny, ugly bug that existed for fifteen years. Full system compromise - Happy New Year, Mac lovers



On the first day of 2018, a researcher using the online moniker Siguza released the details of the unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old.

The bug is a serious local privilege escalation (LPE) vulnerability that could enable an unprivileged user (attacker) to gain root access on the targeted system and execute malicious code. Malware designed to exploit this flaw could fully install itself deep within the system.


For More:
https://thehackernews.com/2018/01/macos-kernel-exploit.html