A New Banking Malware Disguises as Security Module Steals Your Banking Credentials

Unique Banking Malware

A new and unusual banking malware dubbed CamuBot poses as a security module from the bank to gain victims' trust and tempt them into installing the malware on their devices.

The threat actors are actively targeting companies and public-sector organizations, using a number of social engineering techniques to bypass security controls.

Security researchers from IBM who spotted CamuBot say the malware is more sophisticated than usual and built on new code. It differs from common banking trojans in that it is blended with a number of social engineering techniques aimed at taking over the device.

Unique Banking Malware Targets Business Bank Account Customers

The attack starts with some basic reconnaissance. The attackers then call the person who holds the business bank account, identify themselves as bank employees, and ask the victim to navigate to a URL to check that their security module is up to date.

The page is fake: it is designed to trick the victim by reporting a negative result and asking them to install a new security module. It also advises the victim to run the security module as an admin user and to close any other running programs.

To gain the user's trust it shows the bank's logo while the module installs itself silently on the victim's device. It also establishes a proxy module and adds itself to the firewall so that it appears trusted.

The executable, the file name and the URL are not static; they change with every installation. Communication is established through a Secure Shell (SSH)-based SOCKS proxy.

Once the installation completes, a screen pops up and redirects the victim to a phishing page designed to look like the banking portal. The phishing page asks the victim to enter his or her credentials, which the attackers then use. The attackers hang up after the account takeover.

According to IBM X-Force researchers, if the endpoint has a device that requires it, the malware is used to install additional drivers for that device; the attackers then ask the victim to enable remote sharing, and if the victim authorizes it, the attackers are able to intercept one-time passwords. With the one-time passwords in hand, the attackers can initiate a fraudulent transaction.

The delivery of CamuBot is personalized. At this time, CamuBot targets business account holders in Brazil and not in any other geography, X-Force researchers said.


Mac App Store apps caught stealing user data


App stores, especially Apple's, have a reputation regarding security. That reputation took a hit over the weekend with the revelation that some of the most popular Mac App Store apps were gathering up user data and remotely uploading it to the developer's servers.

The apps, which appeared to originate from Trend Micro (in hindsight, from scummy unaffiliated developers), included apps like Unarchiver and Cleaner, intended to help users unzip files or clean up their desktop. They ended up gathering browsing data and installed-app data, collating it into a zip file and uploading it to a remote server. At no point was user consent requested, nor were users alerted that this was happening behind the scenes.

After this came to light, Apple pulled the apps from the store. It is unknown how many users downloaded these ‘tools’ and had their data scraped over the lifetime of the apps.

A similar situation happened in the then Windows Store with Torrenty, an app which would install adware once downloaded. It slipped past app store verification but was struck down once media reports brought it under scrutiny.

Despite cases like this, however, app stores are safer than the wild internet, as curation, even when it is often perfunctory, can still screen out dangerous apps more often than not.


Manufacturing industry at greater risk of cyberattacks


Manufacturing businesses are seeing higher-than-normal rates of cyberattack-related reconnaissance and lateral movement activity.

This is due to the convergence of IT with IoT devices and Industry 4.0 initiatives, according to a new report from AI-powered attack detection specialists Vectra.

"The disconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet-of-things (IIoT) devices, has created a massive attack surface for cybercriminals to exploit," says Chris Morales, head of security analytics at Vectra.

State-affiliated attackers accounted for 53 percent of attacks on manufacturing, according to the 2018 Verizon Data Breach Industry report. The most common types of data stolen were personal (32 percent), secrets (30 percent) and credentials (24 percent).

Analysis of data from Vectra’s Cognito threat detection and hunting platform shows a much higher volume of malicious internal behaviours in manufacturing, which is a strong indicator that attackers are already inside the network. There is also an unusually high volume of reconnaissance behaviour, which indicates that attackers are mapping out manufacturing networks in search of critical assets. A high level of lateral movement is another strong indicator that the attack is proliferating inside the network.

The study shows a growth in data smuggling — where an internal host device controlled by an outside attacker acquires a large amount of data from one or more internal servers and then sends a payload to an external system — between January and June too.

Top 10 list of dark web activities that indicate a breach

Research analysts at Terbium Labs released a list of the most common activities seen on the dark web that indicate a breach, or another unwanted incident, has taken place.


Despite increased security budgets and better defences, organizations are losing the battle against cyber attacks. According to the 2018 Cost of a Data Breach Study: Global Overview by Ponemon Institute and IBM Security, data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year.

This year the report found that the average total cost of a data breach ($3.86 million), the average cost for each lost or stolen record ($148), and the average size of data breaches have all increased beyond the 2017 report averages. In fact, the costs of the largest breaches can reach into the hundreds of millions of dollars in damage. Ultimately, the inevitability of attacks and ongoing risk exposure of sensitive data has prompted organizations to seek new ways to proactively monitor for lost or stolen data.

The following top 10 list outlines activities, in no particular order, that take place on the dark web that organizations should be most watchful of:

1. Doxing of VIP. Dark web and clear web sites like Pastebin are a dumping ground for personal, financial, and technical information with malicious intent.

2. Full PANs, BINs, payment cards for sale. There is a robust economy for payment cards on the dark web. Sellers update markets with new cards regularly, sometimes daily.

3. Guides for opening fraudulent accounts. The dark web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organization. The appearance of the guide has a dual impact: fraudsters learn how to take advantage of an organization’s systems and processes and the criminals’ attention is focused on the target company.

4. Proprietary source code. A leak of source code can enable competitors to steal intellectual property and allow hackers to review the code for potential vulnerabilities to be exploited.

5. Dump of a database. Third-party breaches can put organizations at risk by revealing employee credentials that can unlock other accounts or provide fodder for phishing attacks.

6. Template to impersonate a customer account. The dark web is full of account templates that allow fraudsters to pose as customers of financial institutions, telecommunications companies and other service providers. These templates are then used to solicit loans, open accounts, or as part of a broader scheme for identity theft or fraud.

7. Connections between employees and illicit content. Posts doxing individuals who engage in illegal activities on the dark web, such as child exploitation, can draw undue negative attention to their employers or affiliated organizations.

8. W2s and tax-fraud documents. Before tax season each year there is a rush of activity on the dark web to gather compromised identity information in order to file fraudulent tax returns before the legitimate taxpayer can. This tax fraud is enabled by the sale of W2s and other tax fraud-specific documents, which can be tied back to the employers where those documents originally came from.

9. Secure access and specialty passes. While most of the materials on the dark web are for generalized personal information, vendors sometimes offer special access materials. These can range from the benign, e.g., amusement park tickets, to the more concerning, e.g., military IDs.

10. Inexpert dark web searching. Security vendors not properly immersed in the dark web can expose an organization to harm by simply searching for information related to the company. For example, one security vendor searched for a CISO’s name so many times on the now-defunct dark web search engine, Grams, that the full name made it to the front page “trending” section of the site.

Google bans cryptocurrency mining apps from the official Play Store

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.

Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision of banning cryptocurrency mining apps announced in June, also Google has updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.

Mining activities have a dramatic effect on the performance of the device and in some cases can also damage it by causing overheating or destroying batteries.

In December, experts from Kaspersky spotted an Android malware dubbed Loapi that includes a mining component so aggressive that it can destroy your battery.


Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.

New insider attack steals passwords by reading thermal energy from keyboards

After entering a password, your regular computer keyboard might look the same as always, but a new approach that harvests thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought.

Thermal image of “passw0rd” 20 seconds after entry

Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk from UC Irvine’s Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack, the Thermanator.

“It’s a new attack that allows someone with a mid-range thermal camera to capture keys pressed on a normal keyboard, up to one minute after the victim enters them,” describes Tsudik. “If you type your password and walk or step away, someone can learn a lot about it after-the-fact.”

Their paper, “Thermanator: Thermal Residue-Based Post Factum Attacks On Keyboard Password Entry,” outlines the rigorous two-stage user study they conducted, collecting thermal residues from 30 users entering 10 unique passwords (both weak and strong) on four popular commodity keyboards.

As noted in the paper, results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as one minute after entry. The study further revealed that hunt-and-peck typists are particularly vulnerable.

Kaczmarek, Ozturk and Tsudik suggest some mitigation strategies, such as swiping your hands over the keyboard after password entry or selecting characters with the mouse. Regardless, based on the study results, they conclude that “Thermanator Attacks” represent a new credible threat for password-based systems, noting that “as formerly niche sensing devices become less and less expensive, new side-channel attacks move from ‘Mission: Impossible’ towards reality.”

Example of thermal emanations being recorded

Developing a de-authentication prototype for “Lunchtime Attacks”

The same research team also recently developed a novel technique aimed at mitigating “Lunchtime Attacks.” Such attacks occur when an insider adversary takes over an authenticated state of a careless user who has left his or her computer unattended.

Tsudik, Kaczmarek and Ozturk have come up with an unobtrusive and continuous biometric-based “de-authentication,” i.e., a means of quickly terminating the secure session of a previously authenticated user after detecting that user’s absence.

The paper, “Assentication: User De-Authentication and Lunchtime Attack Mitigation with Seated Posture Biometric,” presents a hybrid biometric based on the user’s seated posture pattern. By instrumenting the seat and lower back of a standard office chair with 16 tiny pressure sensors, they found a way to capture a unique combination of physiological and behavioral traits to provide continuous user authentication (and de-authentication). Results from user experiments involving a cohort of 30 subjects show that Assentication yields very low false accept and false reject rates.

New PDF sample as tool for crypto-mining attack


Hackers have no shortage of malware to strike with, leaving millions of Internet users and bank account holders high and dry.

Of late, they have turned to a PDF sample which they use for crypto mining and as ransomware, forcing top cyber security experts to step in to counter a threat that deepens with every passing day.

Attributed to the Rakhni ransomware family, the newly developed malicious PDF sample is being distributed to infect many systems, and the hackers keep using it for crypto mining, causing much concern across the cyber world.

Armed with this malware and its added features, the hackers are reported to have been concentrating their targets in Russia, as well as India, Kazakhstan, Ukraine and Germany.

The malware arrives through spam emails with attached documents, which infect a user once the attachment is opened and saved.

It strikes as soon as the user double-clicks the document attached in the PDF file. Some suspicious message lines hint at the infection process, much to the pleasure of the hackers waiting behind a fake identity.

The malware then decides the further course of action, that is, whether to download the cryptor or not. The download goes through a few technical steps before the cryptor reaches the infected user.

The system's normal processes are stopped before the infected system starts running the cryptor.

According to the experts, files from infected systems are passed through an encryption algorithm, and the waiting attackers then receive mails asking them to decrypt the files.

Significantly, two commands are used to complete the malicious operation. The first starts the Monero cryptocurrency mining process, while the second mines the original one.

Most LokiBot samples in the wild are “hijacked” versions of the original malware

Hacker himself got hacked.

It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned.

Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY.

The original LokiBot malware was developed and sold by the online alias "lokistov," a.k.a. "Carter," on multiple underground hacking forums for up to $300, but later some other hackers on the dark web also started selling the same malware for a lower price (as low as $80).

It was believed that the source code for LokiBot had been leaked, which might have allowed others to compile their own versions of the stealer.

However, a researcher who goes by the alias "d00rt" on Twitter found that someone made small changes (patches) to the original LokiBot sample, without having access to its source code, which let other hackers define their own custom domains for receiving the stolen data.

Hackers Are Actively Spreading "Hijacked" Versions of LokiBot

The researcher found that the C&C server location of the malware, where the stolen data should be sent, is stored at five places in the program: four of them are encrypted using the Triple DES algorithm and one using a simple XOR cipher.

The malware has a function, called "Decrypt3DESstring", that it uses to decrypt all the encrypted strings and get the URL of the command-and-control server.

The researcher analyzed the new LokiBot samples, compared them with the old original sample, and found that the Decrypt3DESstring function in the new samples has been modified so that it always returns the value from the XOR-protected string instead of the Triple DES strings.

These changes allowed anyone with a new sample of LokiBot to edit the program, using a simple HEX editor, and add their own custom URLs for receiving the stolen data.

However, it is not clear why the original malware author also stored the same C&C server URL in a string encrypted by the less secure XOR cipher, even when it was unnecessary.

Many different LokiBot samples currently distributed in the wild and available for sale on the underground market at a very low price have also been patched in the same way by several hackers.

Meanwhile, the original author of LokiBot has already launched a new version 2.0 and is selling it online on many forums.

The decryption function was also used to get the registry values required for making the malware persistent on a system, but since the patched decryption function only returns a URL, the new LokiBot samples fail to restart after the device reboots.
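The hijack described above, modelled in Python as an added illustration for analyst triage; this is not the researcher's code and nothing in it is taken from a LokiBot sample. It builds five constructed configuration slots (the C&C URL stored twice, once per cipher, plus three persistence-related registry strings), the shared decryption routine, and the patched routine that ignores which slot it was asked for. Python's standard library has no Triple DES, so the four 3DES slots use a labelled stand-in keyed transform; the point is the shared-function indirection, not the cipher. All keys, the URL and the registry values are constructed.

```python
"""Model of the LokiBot 'hijack' patch, written for analyst triage.

Everything here is constructed: keys, the C&C URL and the registry values.
Python's standard library has no Triple DES, so the four 3DES-protected slots
use a stand-in keyed transform; only the fifth slot is the plain XOR cipher.
"""
import hashlib

# Constructed keys (stand-ins; nothing is taken from a real sample).
STANDIN_3DES_KEY = hashlib.sha256(b"stand-in for the 3DES key").digest()[:24]
XOR_KEY = 0x5A

# Constructed plaintexts: the C&C URL is stored twice (once under each
# cipher), and three persistence-related registry strings sit beside it.
PLAINTEXTS = {
    "c2_url_3des": "http://c2.example.invalid/gate.php",
    "persist_run_key": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "persist_value_name": "ExampleUpdater",
    "persist_exe_path": r"%APPDATA%\example\updater.exe",
    "c2_url_xor": "http://c2.example.invalid/gate.php",
}


def standin_3des(data: bytes) -> bytes:
    """Reversible stand-in for the Triple DES slots (NOT real 3DES)."""
    key = STANDIN_3DES_KEY
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_cipher(data: bytes) -> bytes:
    """The single-byte XOR cipher used for the fifth slot."""
    return bytes(b ^ XOR_KEY for b in data)


def build_config() -> dict:
    """Encrypt each slot with the cipher the article assigns to it."""
    return {
        slot: (xor_cipher if slot.endswith("_xor") else standin_3des)(text.encode())
        for slot, text in PLAINTEXTS.items()
    }


def decrypt_original(cfg: dict, slot: str) -> str:
    """Original routine: decrypt the slot that was asked for."""
    blob = cfg[slot]
    clear = xor_cipher(blob) if slot.endswith("_xor") else standin_3des(blob)
    return clear.decode()


def decrypt_hijacked(cfg: dict, slot: str) -> str:
    """Patched routine: whichever slot is requested, return the XOR string."""
    return xor_cipher(cfg["c2_url_xor"]).decode()


def persistence_values(cfg: dict, decrypt) -> dict:
    """What the persistence code receives when it asks for its three strings."""
    return {k: decrypt(cfg, k) for k in
            ("persist_run_key", "persist_value_name", "persist_exe_path")}


def classify(cfg: dict, decrypt) -> str:
    """Triage heuristic: a routine that returns one string for every slot
    has been patched to ignore its argument, i.e. a hijacked build."""
    outputs = {decrypt(cfg, slot) for slot in cfg}
    return "hijacked" if len(outputs) == 1 else "original"


if __name__ == "__main__":
    cfg = build_config()
    for name, fn in (("original", decrypt_original), ("hijacked", decrypt_hijacked)):
        print(name, "->", classify(cfg, fn),
              "run key slot =", persistence_values(cfg, fn)["persist_run_key"])
```

Run against the patched routine, the registry-key slot comes back as the C&C URL, which is exactly why the patched samples cannot re-establish persistence after a reboot; a URL turning up where a registry path belongs is a quick tell when triaging a sample.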

DHS touts tech it funded to block mobile phishing


A Department of Homeland Security-funded product designed to better protect mobile-phone users from phishing is becoming available to government and private-sector clients, the department said Thursday.

DHS’s Science and Technology Directorate, which partially funded the tools made by mobile security company Lookout, hailed the product’s ability to block phishing attempts and detect malware lurking in mobile applications. The beefed-up product, Lookout Mobile Endpoint Security, is now available for Android and iOS operating systems, the department said.

Phishing offers hackers a cheap and easy foothold into a network by exploiting people’s trust in the internet. The rate at which victims are falling for phishing attacks on mobile devices has grown an average of 85 percent annually since 2011, according to a study by Lookout, which is based in San Francisco.

DHS is trying to lessen the threat to mobile users, including those in government, by investing in Lookout’s technology, which the department said inspects all outbound network connections but does not read message content.

The technology will “greatly increase the security of the federal government’s mobile systems for mission-critical activities,” S&T program manager Vincent Sritapan said in a statement.

“Simply managing a mobile device is not enough to protect sensitive government information,” Sritapan added. “The device also must have mobile endpoint security that alerts IT and security personnel to potential attacks.”

The mobile-protection technology targets another common hacking scheme in which attackers lace popular mobile apps with malware. Last year alone, security specialists removed 700,000 malicious apps from the Google Play store.

In announcing the newly available product, DHS cast malicious apps as a clear and present danger to federal IT networks.

“Vulnerabilities discovered in new devices and apps may be used by hackers as vectors to access sensitive government information and attack legacy enterprise network systems,” the department said. Government mobile devices are an attractive avenue to attack backend systems containing data on millions of Americans and sensitive information relevant to government functions.

Lookout plans to add several security features to the mobile-security product, according to DHS, including greater detection of things like man-in-the-middle attacks.

Rash of Fortnite cheaters infected by malware that breaks HTTPS encryption

Malware can read, intercept, or tamper with the traffic of any HTTPS-protected site.


Tens of thousands of Fortnite players have been infected by malware that hijacks encrypted Web sessions so it can inject fraudulent ads into every website a user visits, an executive with a game-streaming service said Monday.

Rainway CEO Andrew Sampson said in a blog post that company engineers first detected the mass infections last week when server logs reported hundreds of thousands of errors. The engineers soon discovered that the errors were the result of ads that had somehow been injected into user traffic. Rainway uses a technique known as whitelisting that permits customers to connect only to approved URLs. The addresses hosting the fraudulent ads, on the adtelligent.com and springserve.com domains, along with the unauthorized JavaScript that accompanied them, made it clear the traffic was generated by malware infecting a large number of game players using the Rainway service. Rainway is a cloud-based service that lets people play PC games remotely, similar to PlayStation Now.

“As the errors kept flowing in, we took a glance at what these users had in common,” Sampson wrote. “They didn’t share any hardware, their ISPs were different, and all of their systems were up to date. However, one thing did stand out—they played Fortnite.”
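The detection Rainway describes, requests to hosts outside an allowlist showing up across many unrelated clients, as an added Python example. It is not Rainway's code: the log format, client IDs and the allowlisted domain are constructed, and only the two ad domains come from the article above. Domain matching is deliberately simple (last two labels), which is a simplification rather than a full public-suffix lookup.

```python
"""Allowlist check over constructed server log lines.

Flags requests whose host is outside the allowlist and groups them by host
and by client, so a one-off misconfiguration (one client) can be told apart
from a campaign (the same unexpected host hit by many clients).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines; this is not Rainway's real log format.
SAMPLE_LOG = """\
2018-06-25T10:01:02Z client=c001 GET https://api.rainway.example/session status=200
2018-06-25T10:01:03Z client=c001 GET https://cdn.rainway.example/app.js status=200
2018-06-25T10:01:05Z client=c002 GET https://ads.adtelligent.com/tag.js status=ERR_NOT_ALLOWLISTED
2018-06-25T10:01:05Z client=c002 GET https://vid.springserve.com/vast status=ERR_NOT_ALLOWLISTED
2018-06-25T10:01:09Z client=c003 GET https://ads.adtelligent.com/tag.js status=ERR_NOT_ALLOWLISTED
2018-06-25T10:01:11Z client=c004 GET https://api.rainway.example/session status=200
"""

# Constructed allowlist of registered domains the service expects to talk to.
ALLOWLIST = {"rainway.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) status=(?P<status>\S+)$"
)


def registered_domain(host: str) -> str:
    """Last two labels of the host (simplification; no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_allowlisted(url: str, allowlist=ALLOWLIST) -> bool:
    host = urlsplit(url).hostname or ""
    return registered_domain(host) in allowlist


def parse_log(text: str) -> list:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unapproved_hosts(text: str, allowlist=ALLOWLIST) -> dict:
    """Map each non-allowlisted host to the set of clients that requested it."""
    seen = defaultdict(set)
    for ev in parse_log(text):
        if not is_allowlisted(ev["url"], allowlist):
            seen[urlsplit(ev["url"]).hostname].add(ev["client"])
    return dict(seen)


def summarize(text: str, allowlist=ALLOWLIST, min_clients: int = 2) -> dict:
    """Hosts hit by at least min_clients distinct clients: likely a campaign."""
    return {
        host: len(clients)
        for host, clients in unapproved_hosts(text, allowlist).items()
        if len(clients) >= min_clients
    }


if __name__ == "__main__":
    for host, clients in unapproved_hosts(SAMPLE_LOG).items():
        print(f"{host}: {sorted(clients)}")
    print("campaign candidates:", summarize(SAMPLE_LOG))
```

The per-host client count is what turns a flood of allowlist errors into a lead: a host requested by a handful of otherwise unrelated clients, none of which should know about it, points at something running on the clients themselves rather than at a server-side bug.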

Root certificate installed

Suspecting the malware was spread by one of the countless Fortnite cheating hacks available online that promise to give users an unfair advantage over other players, Rainway researchers downloaded hundreds of the hacks and scoured them for references to the rogue URLs. The researchers eventually found one, which Sampson declined to name, that promised to let users generate free in-game currency called V-Bucks. It also promised users access to an “aimbot,” which automatically aims the character’s gun at opponents without any need for precision by the player. When the researchers ran the app in a virtual machine, they discovered that it installed a self-signed root certificate that could perform a man-in-the-middle attack on every encrypted website the user visited.

Sampson wrote: “Now, the adware began altering the pages of all Web requests to add in tags for Adtelligent and voila, we’ve found the source of the problem—now what?”

Rainway researchers reported the malware to the unnamed service provider that hosted it. The service provider removed the malware and reported that it had been downloaded 78,000 times. In all, the malware generated 381,000 errors in Rainway’s logs. The researchers also reported the abuse to Adtelligent and Springserve. Adtelligent, Sampson said, didn’t respond, but Springserve helped to identify the abusive ads and remove them from its platform. Adtelligent officials didn’t immediately respond to a message seeking comment for this post. Officials from Epic Games, the maker of Fortnite, declined to comment.

Sampson also said that Rainway implemented a defense known as certificate pinning. Certificate pinning binds a specific certificate to a given domain name in order to prevent browsers from trusting fraudulent TLS certificates that are self-signed by an attacker or misissued by a browser-trusted authority. While the adoption of certificate pinning is a good defense-in-depth move, it unfortunately does nothing to protect users against root certificates installed locally to perform man-in-the-middle attacks, as Google researchers have warned for years. That means the malware has the ability to read, intercept, or tamper with the traffic of any HTTPS-protected site on the Internet.
