A New Banking Malware Disguises as Security Module Steals Your Banking Credentials

Unique Banking Malware

A new and unusual banking malware dubbed CamuBot poses as a security module from the bank to gain the victim’s trust and tempt them into installing the malware on their device.

The threat actors are actively targeting companies and public sector organizations, using a number of social engineering techniques to bypass security controls.

Security researchers from IBM, who spotted CamuBot, say it is more sophisticated than common banking trojans and is built on new code; it is blended with a number of social engineering techniques for device takeover.

Unique Banking Malware Targets Business Bank Account Customers

The attack starts with some basic reconnaissance. The attackers then call the person who holds the business bank account, identify themselves as bank employees, and ask the victim to navigate to a URL to check that their security module is up to date.

The page is fake and is designed to trick the victim: the check comes up negative and the page asks them to install a new security module. It also advises the victim to run the security module as an admin user and to close any other running programs.

To gain the user’s trust the installer shows the bank’s logo while the module installs silently on the victim’s device. It also establishes a proxy module and adds itself to the firewall so that it appears trusted.

The executable, the file name and the URL are not static; they change for every installation. Communication is established through a Secure Shell (SSH)-based SOCKS proxy.

Once the installation is complete, a screen pops up and redirects the victim to a phishing page designed to look like the banking portal. The phishing page asks the victim to enter his or her credentials, which the attackers then use. The attackers hang up after the account takeover.

According to IBM X-Force researchers, if an endpoint has an authentication device attached, the malware is used to install additional drivers for it, and the attackers then ask the victim to enable remote sharing; if the victim authorizes this, the attackers are able to intercept one-time passwords. With the one-time passwords in hand, the attackers can initiate a fraudulent transaction.

The delivery of CamuBot is personalized. At this time, CamuBot targets business account holders in Brazil and not in any other geographies, X-Force researchers said.


Mac App Store apps caught stealing user data


App stores, especially Apple’s, have a reputation regarding security. That reputation took a hit over the weekend with the revelation that some of the most popular Mac App Store apps were gathering up user data and remotely uploading it to the developer’s servers.

The apps, which appeared to originate from Trend Micro (in hindsight, scummy unaffiliated developers), included apps like Unarchiver and Cleaner, intended to help users unzip files or clean up their desktop. Instead they ended up gathering browsing data and installed-app data, collating it into a zip file and uploading it to a remote server. At no point was user consent requested, nor were users alerted that this was happening behind the scenes.

After this came to light, Apple pulled the apps from the store. It is unknown how many users downloaded these ‘tools’ and had their data scraped over the lifetime of the apps.

A similar situation happened in the then Windows Store with Torrenty, an app which would install adware once downloaded. It slipped past app store verification but was struck down once media reports brought it under scrutiny.

Despite cases like this, however, app stores are safer than the wild internet, as curation (even curation that is often perfunctory) can still screen out dangerous apps more often than not.


Vulnerabilities in mPOS devices could lead to fraud and theft

Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found.


The use of mPOS devices has seen huge growth over the last few years, as the barriers to entry (being issued a device and starting to accept card payments) are effectively zero. Like ATMs and traditional POS terminals, they sit at the endpoint of the payment infrastructure, which makes them very attractive and accessible to criminals, both for probing the devices and for moving fraudulent money.


The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe: Square, SumUp, iZettle, and PayPal.

mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider’s server. By intercepting the transaction it is possible to manipulate the amount value of magstripe transactions.

A fraudulent merchant can gain access to the traffic and modify the amount that is presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware of it. Still, only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and, lower still, only 41 percent of transactions are made this way, which makes attacks against magstripe a very significant threat.

A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader.

In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser’s behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.

What to do?

The vulnerabilities were disclosed to all of the vendors and manufacturers, and Positive Technologies is assisting the affected parties to close the issues that were identified.

“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments,” noted Leigh-Anne Galloway, Cyber Security Lead at Positive Technologies.

“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Fellow researcher Tim Yunusov says that anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless.

“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority,” he added.

Read the Full Article here: >Help Net Security – News

Manufacturing industry at greater risk of cyberattacks


Manufacturing businesses are seeing higher-than-normal rates of cyberattack-related reconnaissance and lateral movement activity.

This is due to the convergence of IT with IoT devices and Industry 4.0 initiatives, according to a new report from AI-powered attack detection specialists Vectra.

"The disconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet-of-things (IIoT) devices, has created a massive attack surface for cybercriminals to exploit," says Chris Morales, head of security analytics at Vectra.

State-affiliated attackers accounted for 53 percent of attacks on manufacturing, according to the 2018 Verizon Data Breach Industry report. The most common types of data stolen were personal (32 percent), secrets (30 percent) and credentials (24 percent).

Analysis of data from Vectra’s Cognito threat detection and hunting platform shows a much higher volume of malicious internal behaviours in manufacturing, which is a strong indicator that attackers are already inside the network. There is also an unusually high volume of reconnaissance behaviour, which indicates that attackers are mapping out manufacturing networks in search of critical assets. A high level of lateral movement is another strong indicator that the attack is proliferating inside the network.

The study shows a growth in data smuggling — where an internal host device controlled by an outside attacker acquires a large amount of data from one or more internal servers and then sends a payload to an external system — between January and June too.

HP plugs critical RCE flaws in InkJet printers

HP has plugged two critical vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging users to implement the provided firmware updates as soon as possible.


The vulnerabilities, discovered and reported by a still unnamed third-party researcher, can be triggered via a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow, which could allow remote code execution.

The list of affected devices is long and encompasses the Pagewide Pro, DesignJet, OfficeJet, DeskJet and Envy product lines.

Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do it can be found here).

HP’s print security bug bounty program

The company did not mention whether the vulnerabilities it plugged were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May, but it’s likely that they were.

For the moment, the program is still private.

According to CSO Online, 34 researchers were invited to participate in it. They have been told to limit their efforts to endpoint devices (all HP enterprise printers) and to concentrate on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws.

Vulnerability reporting is to be done through Bugcrowd, which will verify bugs and reward researchers based on the severity of the flaw, with awards of up to $10,000.

“Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment,” HP noted.

Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company is already keeping security in mind while developing printers, but they want to see whether they have missed anything.

Citing Bugcrowd’s most recent State of Bug Bounty Report, HP pointed out that the top emerging attackers are focused on endpoint devices, and the total print vulnerabilities across the industry have increased 21 percent during the past year.


Top 10 list of dark web activities that indicate a breach

Research analysts at Terbium Labs released a list of the most common activities seen on the dark web that indicate a breach, or other unwanted incident, has taken place.


Despite increased security budgets and better defences, organizations are losing the battle against cyber attacks. According to the 2018 Cost of a Data Breach Study: Global Overview by Ponemon Institute and IBM Security, data breaches continue to be costlier and to result in more consumer records being lost or stolen, year after year.

This year the report found that the average total cost of a data breach ($3.86 million), the average cost for each lost or stolen record ($148), and the average size of data breaches have all increased beyond the 2017 report averages. In fact, the costs of the largest breaches can reach into the hundreds of millions of dollars in damage. Ultimately, the inevitability of attacks and ongoing risk exposure of sensitive data has prompted organizations to seek new ways to proactively monitor for lost or stolen data.

The following top 10 list outlines activities, in no particular order, that take place on the dark web that organizations should be most watchful of:

1. Doxing of VIP. Dark web and clear web sites like Pastebin are a dumping ground for personal, financial, and technical information with malicious intent.

2. Full PANs, BINs, payment cards for sale. There is a robust economy for payment cards on the dark web. Sellers update markets with new cards regularly, sometimes daily.

3. Guides for opening fraudulent accounts. The dark web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organization. The appearance of the guide has a dual impact: fraudsters learn how to take advantage of an organization’s systems and processes and the criminals’ attention is focused on the target company.

4. Proprietary source code. A leak of source code can enable competitors to steal intellectual property and allow hackers to review the code for potential vulnerabilities to be exploited.

5. Dump of a database. Third-party breaches can put organizations at risk by revealing employee credentials that can unlock other accounts or provide fodder for phishing attacks.

6. Template to impersonate a customer account. The dark web is full of account templates that allow fraudsters to pose as customers of financial institutions, telecommunications companies and other service providers. These templates are then used to solicit loans, open accounts, or as part of a broader scheme for identity theft or fraud.

7. Connections between employees and illicit content. Posts doxing individuals who engage in illegal activities on the dark web, such as child exploitation, can draw undue negative attention to their employers or affiliated organizations.

8. W2s and tax-fraud documents. Before tax season each year there is a rush of activity on the dark web to gather compromised identity information in order to file fraudulent tax returns before the legitimate taxpayer can. This tax fraud is enabled by the sale of W2s and other tax fraud-specific documents, which can be tied back to the employers where those documents originally came from.

9. Secure access and specialty passes. While most of the materials on the dark web are for generalized personal information, vendors sometimes offer special access materials. These can range from the benign, e.g., amusement park tickets, to the more concerning, e.g., military IDs.

10. Inexpert dark web searching. Security vendors not properly immersed in the dark web can expose an organization to harm by simply searching for information related to the company. For example, one security vendor searched for a CISO’s name so many times on the now-defunct dark web search engine, Grams, that the full name made it to the front page “trending” section of the site.

Google bans cryptocurrency mining apps from the official Play Store

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.

Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision to ban cryptocurrency mining apps, announced in June, Google too has updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.

Mining activities have a dramatic effect on the performance of the device and in some cases can also damage it by causing overheating or destroying the battery.

In December, experts from Kaspersky spotted an Android malware dubbed Loapi that includes such an aggressive mining component that it can destroy your battery.


Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.

How to Make Your Wifi Router as Secure as Possible

Though more router manufacturers are making routers easier to set up and configure—even via handy little apps instead of annoying web-based interfaces—most people probably don’t tweak many options after purchasing a new router. They log in, change the name and passwords for their wifi networks, and call it a day.

While that gets you up and running with (hopefully) speedy wireless connectivity, and the odds are decent that your neighbor or some random evil Internet person isn’t trying to hack into your router, there’s still a lot more you can do to boost the security of your router (and home network).


Before we get into our tips, one quick caveat: Wireless routers all have different interfaces, different ways they name their settings, and different settings you can adjust. For this article, I’ll be poking around the interface of a TP-Link Archer C7. You’ll want to explore around your router’s web-based configuration screen (or app) to make sure you’ve adjusted all the right settings, but it’s possible you won’t be able to do everything we’ve detailed below.

Accessing your router’s settings

If your router doesn’t have an easy-to-use app for configuring its settings—like what you typically encounter when buying a mesh-networking system—you’ll probably access its settings by pulling up a web browser (on a device that’s connected to your router) and typing in your router’s IP address:

  • On a Windows system, pull up the command prompt and type in ipconfig. The IP address that’s listed as your default gateway is likely your router’s IP address.
  • If you’re on a Mac, pull up System Preferences > Network, and click on Advanced in the bottom-right corner. Click on the TCP/IP option toward the top of the next window and look for your router’s IP address.
  • If you’re on your iPhone, tap on Settings, then Wi-Fi, and tap on the “i” icon next to the wifi network you’re connected to. Your router’s IP address should be listed right there.

Step One: Update your firmware

Some routers bury firmware updates deep in their settings menus; some might even notify you about a new firmware update the moment you log into their apps or web-based user interfaces. However you find the option, you’re going to want to make sure that your router is running the most up-to-date firmware.


If you’re lucky, your router will be able to download new firmware updates directly from its manufacturer. You might have to click on a button (or two) to start this process, or this might happen automatically—routers that do the latter are great, because most people don’t really think about “checking to see if my favorite tech gear has updated firmware” on a regular basis, if ever.

It’s also possible that your router will require you to upload new firmware yourself. If so, you’ll have to download the right firmware from the router’s manufacturer—likely on a support page for your router—and manually update the router by browsing for this firmware file and starting the update process yourself. You’ll have to do this each time you want to update your router with new firmware, which means you’ll have to check for new firmware fairly regularly, perhaps a few times a year. It’s a laborious process that’s easily forgotten, but it’s also important if you want to keep your router protected from external threats.

Change your router login and password

If you’re still using “admin / admin,” “admin / password,” or some variant of generic words to log into your router, change that. Even if your router manufacturer has given you a quirkier password that presumably differs for everybody, it’s important to use a login and password that’s tough to guess or brute-force.

Even if you’re stuck using “admin” as a user name to log in, make your password something complex, not something anyone can look up via a quick web search.

Use WPA2 to secure your wireless network

It almost goes without saying, but don’t use WEP when you’re setting up a password for your wifi network. Passwords “protected” with the WEP encryption are a lot easier to brute-force attack than those encrypted with WPA2. Even though you probably don’t have someone hanging out on your street corner, wardriving everyone’s wireless networks, there’s no reason to not use the stronger WPA2 protocol—unless you have an old device that simply can’t handle WPA2, which is unlikely. And whatever you do, don’t run an open (password-free) wifi network. My god.

Turn off WPS

On paper, WPS—or Wi-Fi Protected Setup—sounds great. Instead of having to type in a long, reasonably complex wifi password on a device, you can just type in a smaller PIN number, likely printed directly on your router.


Guess what? These PIN numbers are much easier to brute-force attack than a more complicated password or passphrase. While a number of routers will time out an attacker after they botch a certain number of password attempts, that hasn’t stopped more ingenious WPS attacks from surfacing. The easiest way to prevent these kinds of shenanigans is to just disable WPS entirely.

Yes, you’ll have to type in your password. Yes, it’ll be annoying. It’s an extra minute of your life. You’ll be fine. Or, if you truly cannot handle this process, check to see if your router allows you to use push-button WPS instead of PIN-based WPS. That way, you’ll have to physically press buttons on your router and any devices you want to connect, which will make it a lot trickier for someone to exploit WPS and break into your network.

Use a better DNS

Browse the web a little bit faster by switching away from your ISP’s DNS and using a service like Google DNS, Cloudflare, or OpenDNS. As an added bonus, you’ll also increase the likelihood that you actually make it to the websites you’re trying to visit without any man-in-the-middle attacks, popups, redirects, interstitials, or annoying “you made a typo in your web address so we’re going to redirect you to a webpage filled with spam and ads” that your ISP might use.


If you want to get really crafty, you can drop a service like OpenDNS on your kid’s laptop, enable parental controls to keep them off time-sucking websites like Tumblr and Reddit, and give yourself a different DNS provider (like Google DNS) to browse the web without any restrictions. Your child will hate you, but at least they’ll turn out to be a rocket scientist with 27 inventions instead of a Twitch streamer with 3 followers.

Consider using MAC filtering, annoying as it might get

While it’s easy for an attacker to spoof a MAC address, you can at least give yourself a little extra security by setting up your router to only allow devices to connect that appear on a whitelist. This filtering is based on each device’s MAC address—a long string of letters and numbers that looks something like “00-11-22-33-44-55.”

While this means that you’ll need to go in and add any new devices you purchase whenever you want them to be able to connect to your router, it also means that devices you don’t authorize won’t be able to do squat. Like I said, though, MAC addresses are easy to spoof, so if this tip gets more annoying than practical, feel free to disable MAC filtering. You’ll be OK.

Consider scheduling your wifi

If you work a pretty normal schedule during the week and you have no reason to remotely connect to your home devices, consider using your router’s scheduling mechanism—if it has one—to just turn off your wifi when you aren’t home.


This isn’t the most practical tip if you have a bunch of smarthome devices that need the Internet, like if you want to be able to turn the lights on and off to piss off your cat or you want to be able to watch a delivery driver drop off the expensive package you ordered. If you live a relatively simple life—no harm there—and nothing really needs Internet connectivity when you aren’t around, then why power up your wifi for no reason? It’s hard to hack into a network that doesn’t exist.

Disable potentially sketchy services

You probably don’t need to mess with your router’s settings when you aren’t actively connected to your wireless network. If your router has some kind of an option for “remote management” or “remote administration” make sure it’s disabled.

You should also consider disabling UPnP on your router, although this might give you a little grief when you’re gaming or running BitTorrent—to name two examples. Still, when an entire website is dedicated to the various ways one can exploit UPnP for nefarious purposes … maybe it’s time to go back to manually forwarding ports, if needed.


Some routers also let you set up an FTP server so you can transfer files in and out of your network. However, we live in an era when it’s easy to use any number of cloud storage providers—or file-uploading services—to share your files. You probably don’t need to run an FTP at home, and it’s a lot safer to disable this feature entirely (if your router supports it).

You also likely don’t need to access your router over SSH or Telnet—turn either off, if offered—nor do you probably need to access any USB-connected printers or storage when you aren’t at home. In short, if your router lets you do something from afar, consider turning the feature off (if you can). The fewer ways you can access your home network when you aren’t in it, the harder it’ll be for someone else to take advantage of a vulnerability and access your router (or your home network).

If you can, consider disabling your router’s cloud functionality as well. While it might be useful to be able to edit your router’s settings by logging into the manufacturer’s cloud service, it’s just one more open door that an attacker could use to compromise your router (or network). While you have no choice with some routers—typically mesh routers—it’s always better, and safer, to log into a router’s web-based UI manually from a device that’s connected to your home network, even though it’s a lot less convenient.

Consider a separate wifi network for guests and smart-home devices

I’ve been playing, testing, and reviewing routers for more than a decade, and I still have yet to meet someone who uses their router’s guest network feature. Heck, I don’t think I’ve ever even connected to a friend’s “guest network” in their home or apartment.


Still, the premise of a guest network is great, security-wise: Your router automatically sets up a second SSID for friends to use, and any device connecting to it is walled off from other devices on your primary network, either plugged into your router directly or connected wirelessly. (Most routers let you adjust whether you want guests to see everything, each other, or nothing, if you need to customize your setup a bit.)

A guest network comes with an added bonus, too; you can use it for all of your less-secure smart-home devices. If someone takes advantage of a vulnerability in your smart lightbulb and breaks into your network, there will still be a layer of protection between your hacked device and your desktop PC, smartphone, and laptop—to name a few examples. While you can also get crazy and segment off your network with separate SSIDs and VLANs, if your router supports it, this is an easier method that won’t give you a weekend’s worth of headaches (if you don’t know what you’re doing).
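As an added example (not code from the Lifehacker article or any vendor), here is the checklist above turned into a lint over a router's exported settings. The dict key names, the factory-credential list and the two sample configs are assumptions, since every vendor names its settings differently.

```python
"""Router hardening lint for the checklist in the article above.

Added example: it evaluates a router's settings, represented as a plain
dict (the key names are an assumption), and reports which of the article's
recommendations are not met, with a severity for each finding.
"""

# Assumed placeholder list of factory logins; real routers ship many more.
DEFAULT_ADMIN_CREDS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"),
}

# Remote-facing service toggles from "Disable potentially sketchy services":
# key -> (severity, reason). True means the service is switched on.
REMOTE_SERVICE_CHECKS = {
    "remote_admin":      ("high",   "remote management reachable from outside"),
    "cloud_management":  ("medium", "vendor cloud control is one more door in"),
    "upnp":              ("medium", "UPnP lets LAN hosts open ports unasked"),
    "ftp_server":        ("high",   "router FTP share enabled"),
    "ssh":               ("medium", "SSH access to the router enabled"),
    "telnet":            ("high",   "Telnet (plaintext) access enabled"),
    "usb_remote_access": ("medium", "USB storage/printers reachable remotely"),
}


def audit(cfg):
    """Return a list of (severity, message) findings for one router config."""
    findings = []

    def flag(severity, message):
        findings.append((severity, message))

    # 1. Admin login: reject factory pairs, then short passwords.
    user = cfg.get("admin_user", "admin").lower()
    password = cfg.get("admin_password", "")
    if (user, password.lower()) in DEFAULT_ADMIN_CREDS:
        flag("critical", "admin login is a well-known factory default")
    elif len(password) < 12:
        flag("high", "admin password shorter than 12 characters")

    # 2. Wireless: WPA2 (or newer) on every radio, never WEP, never open.
    for radio in cfg.get("wifi", []):
        mode = radio.get("security", "open").lower()
        name = radio.get("ssid", "?")
        if mode in ("open", "none"):
            flag("critical", f"SSID {name!r} has no encryption at all")
        elif mode == "wep":
            flag("critical", f"SSID {name!r} uses WEP, which is easily broken")
        elif not mode.startswith(("wpa2", "wpa3")):
            flag("high", f"SSID {name!r} uses {mode}; use WPA2 or newer")

    # 3. WPS: PIN mode is the brute-forceable one; push-button is the
    #    fallback the article allows; off is best. Assume on unless stated.
    wps = cfg.get("wps", "pin").lower()
    if wps == "pin":
        flag("high", "WPS PIN mode enabled (brute-forceable)")
    elif wps in ("pbc", "push-button"):
        flag("low", "WPS push-button enabled; disable if not needed")

    # 4. Remote-facing services: every one that is on is a finding.
    for key, (severity, reason) in REMOTE_SERVICE_CHECKS.items():
        if cfg.get(key, False):
            flag(severity, reason)

    # 5. Guest network for visitors and smart-home gear, walled off from LAN.
    guest = cfg.get("guest_network", {})
    if not guest.get("enabled", False):
        flag("info", "no guest network; IoT devices share the main LAN")
    elif not guest.get("isolated", True):
        flag("medium", "guest network can reach the primary LAN")

    # 6. Optional hardening the article leaves to taste.
    if cfg.get("dns", "isp") in ("isp", "auto"):
        flag("info", "using ISP DNS; a third-party resolver avoids redirects")
    if not cfg.get("mac_filtering", False):
        flag("info", "MAC allow-list off (spoofable, but raises the bar)")
    if not cfg.get("wifi_schedule", False):
        flag("info", "wifi stays up around the clock; consider a schedule")
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'high': 4, ...}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample configs: a router roughly as it might ship, and the
# same router after walking through the checklist.
FACTORY_DEFAULT = {
    "admin_user": "admin", "admin_password": "admin",
    "wifi": [{"ssid": "TP-LINK_1234", "security": "WPA"},
             {"ssid": "TP-LINK_1234_5G", "security": "WEP"}],
    "wps": "pin", "remote_admin": True, "upnp": True, "telnet": True,
    "cloud_management": True, "guest_network": {"enabled": False},
}
HARDENED = {
    "admin_user": "admin", "admin_password": "correct horse battery staple 42",
    "wifi": [{"ssid": "home", "security": "WPA2-PSK"},
             {"ssid": "home_5G", "security": "WPA2-PSK"}],
    "wps": "off", "remote_admin": False, "upnp": False, "telnet": False,
    "ssh": False, "ftp_server": False, "cloud_management": False,
    "guest_network": {"enabled": True, "isolated": True},
    "dns": "1.1.1.1", "mac_filtering": True,
}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(label, summarize(audit(cfg)))
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Running it prints two critical, four high, two medium and four info findings for the factory config, and only the wifi-schedule note for the hardened one.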

Read the Full Article here: >Lifehacker

Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

Singapore’s largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.

SingHealth is the largest healthcare group in Singapore, with two tertiary hospitals, five national specialty centres, and eight polyclinics.

According to an advisory released by Singapore’s Ministry of Health (MOH), along with the personal data, the hackers also managed to steal ‘information on the outpatient dispensed medicines’ of about 160,000 patients, including Singapore’s Prime Minister Lee Hsien Loong and a few ministers.

“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,” MOH said.

The stolen data includes the patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

The Ministry of Health said the hackers “specifically and repeatedly” targeted the PM’s “personal particulars and information on his outpatient dispensed medicine.”

So far there’s no evidence of who was behind the attack, but the MOH stated that the cyber attack was “not the work of casual hackers or criminal gangs.” The local media is also speculating that the hack could be a work of state-sponsored hackers.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that “this was a deliberate, targeted, and well-planned cyberattack.”

PM Comments On SingHealth Healthcare Data Breach

Commenting on the cyber attack through a Facebook post published today, Singapore’s Prime Minister said he believes that the attackers are “extremely skilled and determined” and have “huge resources” to conduct such cyber attacks repeatedly.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” Singapore PM said. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

The Singapore government has assured its citizens that no medical records were tampered with or deleted, and that no diagnoses, test results, or doctors’ notes were stolen in the attack.

All affected patients will be contacted by the healthcare institution over the next five days.

Since the healthcare sector is part of the nation’s critical infrastructure, alongside water, electricity, and transport, it has increasingly become an attractive target for hackers.

In the past few years, we have reported several hacks and data breaches targeting the healthcare sector. Just last month, it was revealed that DNA registries of more than 92 million MyHeritage customers were stolen in the previous year by unknown hackers.

Earlier this year, it was reported that more than half of Norway’s population had its healthcare data exposed in a massive data breach that targeted the country’s major healthcare organization.

The foremost thing to protect against any data breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will just have to remain mindful.

Read the Full Article here: >The Hacker News [ THN ]