Three men suspected of participating in a massive business email compromise (BEC) ring have been arrested in Lagos, Nigeria. A joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation resulted in the arrest of the Nigerian nationals, believed to be responsible for distributing malware, carrying out phishing campaigns and running extensive scams worldwide. In a BEC attack, a scammer impersonates a company executive or other trusted party and tries to trick an employee responsible for payments or other financial transactions into wiring money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive writing styles and uncovering the organization’s vendors, billing-system practices and other information to help mount a convincing attack. The elements of this particular campaign are myriad, according to INTERPOL: the suspects are alleged to have developed phishing links and domains, then carried out mass-emailing campaigns in which they impersonated employees at various organizations. Upon successful social-engineering efforts, they then spread 26 distinct malware variants to victims, including spyware and remote access trojans (RATs), according to law enforcement. The samples included AgentTesla, Loki, Azorult, Spartan and the NanoCore and Remcos RATs. While investigations are still ongoing, some 50,000 targeted victims have been identified so far. “These programs were used to infiltrate and monitor the systems of victim organizations and…

Source

Advanced persistent threat (APT) groups are actively exploiting a vulnerability in mobile device management security solutions from MobileIron, a new advisory warns. The issue in question (CVE-2020-15505) is a remote code-execution flaw. It ranks 9.8 out of 10 on the CVSS severity scale, making it critical. The flaw was patched back in June; however, a proof-of-concept (PoC) exploit became available in September. Since then, both hostile state actors and cybercriminals have attempted to exploit the flaw in the U.K., according to a new advisory by the National Cyber Security Centre (NCSC). “These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,” said the NCSC in an advisory this week. “In some cases, when the latest updates are not installed, they have successfully compromised systems.” The NCSC said that the healthcare, local government, logistics and legal sectors have all been targeted – but others could also be affected. Separately, the Cybersecurity and Infrastructure Security Agency (CISA) in October warned that APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows Netlogon/Zerologon vulnerability (CVE-2020-1472).
The Flaw
The flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication. MobileIron provides a platform that allows enterprises to manage the end-user mobile devices…

Source

For close to two decades, organizations have allowed privileged employees to work remotely by offering remote access solutions as a part of the daily work environment. But until recently, working remotely was more of a luxury than a necessity. With the rise of COVID-19, many organizations moved their entire workforces home overnight. That emergency shift could remain the norm now that many organizations have discovered how seamless the transition was — on paper. Proponents point to benefits like employee productivity combined with lower overhead. Yet working from home is having an underestimated impact on network shape and traffic. Organizations are recognizing the severe security implications of a sudden reliance on the cloud, mobile devices and unfamiliar Wi-Fi network connections. This has been a cataclysm for networks worldwide, but it is hardly being noticed. Access to corporate resources is occurring from a greater number of endpoints and from further away than ever, and visibility into corporate networks is at an all-time low. Hackers have taken advantage, and smart CISOs know that now is the time to rethink and possibly reinvent remote-access policy.
Updating Remote Access Policies
The first step in understanding whether your access policy is geared for a remote-reliant workforce is to audit it against your organization’s security objectives. One common mistake that security teams make when designing and updating their security and remote-access policy is not…

Source

Imagine someone hacking into an Amazon Alexa device using a laser beam and then doing some online shopping using that person's account. This is a scenario presented by a group of researchers who are exploring why digital home assistants and other sensing systems that use sound commands to perform functions can be hacked by light. The same team that last year mounted a signal-injection attack against a range of smart speakers merely by using a laser pointer is still unraveling the mystery of why the micro-electromechanical systems (MEMS) microphones in the products turn the light signals into sound. Researchers at the time said that they were able to launch inaudible commands by shining lasers – from as far as 110 meters, or 360 feet – at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal and Google Assistant. “[B]y modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio,” said researchers at the time. Now, the team – Sara Rampazzi, an assistant professor at the University of Florida; and Benjamin Cyr and Daniel Genkin, a PhD student and an assistant professor, respectively, at the University of Michigan – has expanded these light-based attacks beyond the digital assistants into other aspects of the connected home. They broadened their research to show how light can be used to manipulate a wider range of…

Source

Event-discovery application Peatix has disclosed a data breach, after ads for stolen user-account information were reportedly being circulated on Instagram and Telegram. In a data breach notice to affected users, Peatix said it learned on Nov. 9 that user account data had been improperly accessed. Upon further investigation, the company found that user names, email addresses, salted and hashed passwords, nicknames, preferred languages, countries and time zones had been compromised. “As part of our immediate recovery measures, we blocked unauthorized access to the database and are continuing to investigate with assistance from external security firms,” according to the data-breach notification. Peatix is an events application that connects people to various events and social-based communities. Since it first started in 2011, the application has grown to serve more than 50,000 interest groups worldwide – with a user base of 5 million. It’s unclear how many of those users were affected by the data breach or how the breach initially occurred; Threatpost has reached out to Peatix for further information. While Peatix uses payment processors such as PayPal and Stripe for managing user payments, full credit-card details are not stored in its databases, and Peatix said there is no evidence that this information has been compromised. “In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any…

Source

Scammers are taking advantage of the Minecraft sandbox video game’s wild success by developing Google Play apps that appear to be Minecraft modpacks but instead deliver abusive ads, according to researchers. Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices. Minecraft is a problem-solving game aimed at kids and teens in which players create their own worlds. Its original version, called Java Edition, was first released by Mojang Studios in 2009. The skills players build playing Minecraft have been touted by parents and educators as beneficial for kids, which has likely contributed to the game’s success. According to PC Games, more than 200 million copies of Minecraft had been sold as of May. Because Minecraft was written in Java, it was easy for third-party developers to create compatible applications or “modpacks” to enhance and customize the gaming experience for players. Gamepedia said that today there are more than 15,000 modpacks for Minecraft available. Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available. Google has not responded to Threatpost’s request for comment. Malicious…

Source

Researchers have found serious security and privacy issues in 11 different smart doorbells, distributed via online marketplaces like Amazon and eBay, which could be exploited by attackers to physically switch off the devices. Smart doorbells, which connect to a smartphone and alert users when someone approaches their home, along with video footage, have become increasingly popular over the years. Matt Lewis, research director at NCC Group, told Threatpost during this week’s Threatpost podcast episode that these smart doorbells were discovered to have a slew of issues, including weak password policies, lack of data encryption and excessive collection of customer information. Listen to the full podcast or download it here. “Our findings could cause issues for consumers and are indicative of a wider culture that favors shortcuts over security in the manufacturing process,” Lewis said. “However, we are hopeful that the much-anticipated IoT legislation will signal a watershed moment in IoT security. Until this comes to fruition, we must continue to work together to highlight the…

Source

Multiple Android mobile apps found in Google Play, including Baidu Search Box and Baidu Maps, were found by researchers to be leaking data that could be used to track users – even if they switch devices. The apps have each been downloaded millions of times, according to Palo Alto Networks Unit 42 researchers. They’ve been removed from Google Play, but anyone with one of the offending apps still installed is at risk. Researchers found the apps in question to expose a range of information, including: phone model; screen resolution; phone MAC address; wireless carrier; network type (Wi-Fi, 2G, 3G, 4G, 5G); Android ID; International Mobile Subscriber Identity (IMSI); and International Mobile Equipment Identity (IMEI). Cybercriminals in turn can use a variety of sniffing tools – such as active and passive IMSI catchers – to “overhear” this information from cell phone users. “While some of this information, such as screen resolution, is rather harmless, data such as the IMSI can be used to uniquely identify and track a user, even if that user switches to a different phone and takes the number,” said researchers with Palo Alto Networks Unit 42, in a Tuesday posting. The IMEI is a unique identifier of the physical device and encodes information such as the manufacturing date and hardware specifications. The IMSI, meanwhile, uniquely identifies a subscriber to a cellular network and is typically associated with a phone’s SIM card, which can be transferred between devices. Both identifiers can be…

Source

Researchers have discovered a new backdoor written in the Go programming language (Golang), which turned their heads due to its heavy level of obfuscation. The backdoor, called Blackrota, was first discovered in a honeypot owned by the researchers, attempting to exploit an unauthorized-access vulnerability in the Docker Remote API. What sets the backdoor apart is its use of extensive anti-detection techniques, which make the malware extremely difficult to analyze – something that researchers said is not commonly seen with Golang-based malware. “Historically, we have seen malware written in Go that was at best stripped at compiling time, and at worst slightly obfuscated, without much difficulty in reverse-analysis,” said researchers with 360 Netlab, in a Tuesday posting. “Blackrota brings a new approach to obfuscation, and is the most obfuscated Go-written malware in ELF format that we have found to date.” Researchers named the malware Blackrota due to its command-and-control (C2) domain name (blackrota.ga). Threatpost has reached out to 360 Netlab for further information regarding the specific vulnerability being targeted.
The Malware
The Blackrota backdoor is currently only available for Linux, in Executable and Linkable Format (ELF) file format, and supports both the x86 and x86-64 CPU architectures, said researchers. ELF is a common standard file format for executable files. Upon further investigation, researchers found that Blackrota is configured based on what they called a…

Source

Researchers have demonstrated for the third time how hacking into the key fob of a Tesla can allow someone to access and steal the car in minutes. The new attack again shows a security vulnerability in the keyless entry system of one of the most expensive electric vehicles (EVs) on the market. Researchers from the Computer Security and Industrial Cryptography (COSIC) group, an imec research group at KU Leuven in Belgium, have “discovered major security flaws” in the key fob of the Tesla Model X, the small device that allows someone to automatically unlock the car by approaching the vehicle or pressing a button. The research team includes PhD student Lennert Wouters, who has already demonstrated two attacks on the keyless entry technology of the Tesla Model S that succeeded in unlocking and starting vehicles. Tesla sells some of the most state-of-the-art EVs available, ranging in cost from about $40,000 for the most basic models to more than $100,000 for a top-of-the-line Tesla Model X. The key fob for the Model X uses Bluetooth Low Energy (BLE) to interface with a smartphone app to allow for keyless entry, which is where the vulnerabilities lie, researchers said in a press release published online about the hack. Indeed, the use of BLE is becoming more “prevalent” in key fobs so that the devices can communicate with people’s smartphones, researchers noted. The team detailed the two-stage proof-of-concept attack they staged using a self-made device built from…

Source