Google was slapped with a lawsuit this week that alleges it has been covertly collecting students’ data via its G Suite for Education program, which offers its productivity services to students for free. Google’s G Suite for Education program (formerly known as Google Education) offers free tools for K-12 students, including free access to its Gmail, Calendar, Drive, Docs and other applications. As part of this program, 25 million students are also using Chromebook, Google’s laptop targeted at classrooms. A new lawsuit filed by the state of New Mexico’s Attorney General, Hector Balderas, alleges that this free service has been slurping up the data of the students using it – including minors under the age of 18, for whom data collection requires parental consent. “Google Education is now used by more than 80 million educators and students in the United States… essentially giving Google sole and exclusive access to millions of students’ digital lives and their personal data,” according to the lawsuit, filed on Thursday. “More valuable still, Google has captured generations of future customers who are trained to use Google’s platform as early as kindergarten.” The lawsuit alleges that Google has used the service to collect data on children using it, including their physical locations, websites they visit, terms used in Google’s search engine and videos watched on YouTube. Also alleged is that Google has collected personal contact lists, voice recordings,…

Source

Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims. Researchers at Wordfence who discovered the in-the-wild attacks said in a post Thursday that 50,000 of those attacks occurred before Duplicator creator Snap Creek released a fix for the bug last week on Feb. 12 – so it was also exploited in the wild as a zero-day. The bug: Duplicator is essentially a simple backup and site migration utility. It gives WordPress site administrators the ability to migrate, copy, move or clone a site. WordPress says that Duplicator has been downloaded more than 15 million times and is in active use on over one million sites. Unfortunately, Duplicator prior to version 1.3.28 and Duplicator Pro prior to version 3.8.7.1 contain an unauthenticated arbitrary file download vulnerability. According to a writeup from Tenable, “an unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin.” This would allow attackers to download files outside of the intended directory. The only caveat is that an attacker would need “some knowledge of the target file structure or attempt to download commonly known files,” wrote Satnam Narang, researcher with Tenable. Narang said that two functions,…

Source

The RSA 2020 conference kicks off next week in San Francisco, this year with a theme looking at the “human element” of cybersecurity. As they prepare to cover the show, Threatpost editors Lindsey O’Donnell-Welch, Tom Spring and Tara Seals break down the biggest news, stories and trends that they expect to hear about at RSA 2020 this year: top sessions and keynotes to pay attention to; Threatpost’s planned set of exclusive video interviews; ethics and AI; 5G security; trends in the industrial cybersecurity landscape and IT-OT convergence; connected medical device security issues; and automotive IoT. Listen to the podcast below or download it directly. Below find a lightly edited transcript of the podcast. Lindsey O’Donnell-Welch: Welcome back to the Threatpost Podcast. This is our big RSA preview podcast. We’ve got the RSA conference coming up next week in San Francisco. And today, Friday, the Threatpost team is preparing, so we’ve got Lindsey O’Donnell-Welch, myself, and Tom Spring and Tara Seals with Threatpost here to talk about some of the biggest themes that we’re going to be looking out for at RSA. Tom and Tara, how’s it going? Tom: How’s it going, Lindsey? Tara: Hey,…

Source

Burning Man aficionados anxious to get their tickets squared away for the 2020 “experience” should beware: Fake concert organizers are offering passes in what researchers say is a very convincing and sophisticated scam effort. Burning Man, which bills itself as a “vibrant participatory metropolis generated by its citizens,” is scheduled to happen August 30 – September 7 in Black Rock Desert in Nevada. It attracts tens of thousands of people: Artists, music fans, celebrities, tech enthusiasts, off-gridders, hippies, new agers, old-school punks and more. It features a mix of communal villages, art installations, audio-visual presentations, and of course, setting large effigies on fire. Tickets are released in stages; snagging one requires pre-registration and luck, as they’re limited. Prices run between $495 – $1,400, with low-income registration available for $210 – and vehicle passes are required on top of that. To boot, no money is exchanged at Burning Man, so participants are expected to bring food, supplies, shelter and anything else they might need – all adding up to a potentially very expensive jaunt indeed. In other words, getting a ticket is a process and everyone’s looking to save money doing it. While scams looking to prey on fan desperation are common, researchers at Kaspersky said that a new wrinkle has emerged this year. Fraudsters have set up a fake website (see below) that closely mimics the official Burning Man site, in an effort to fool visitors into…

Source

A Denmark-based global facility-management company was hit with a major cyber attack this week that shut down its worldwide computer systems for a few days and disrupted operations across its global network of employees. ISS World cut off access to shared IT services across its customer sites and offices worldwide after it was the target of a malware attack on Monday, Feb. 17, the company said in a press statement. “The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems,” the company said. ISS was able to restore some systems early into the attack and said it initially did not see any evidence of the compromise of customer data. Still, the attack left the 43,000 employees of the company without access to email or other online services, according to reports. ISS, based in Soburg, Denmark, provides turnkey facility-management services, such as cleaning, catering and security, to clients in more than 70 countries. Its global network of employees generally works not in offices but at client facilities to ensure day-to-day operations run efficiently. While ISS World is not officially sharing details of the attack, some reports suggest the attackers used ransomware, noting the immediate cut-off of online services as a typical indicator of a cyber extortion scheme. Threat actors in these types of attacks often hijack company computer systems until the targeted firm pays a…

Source

Researchers have caught eight malicious Android apps in the official Google Play app store marketplace distributing a new malware family. The “Haken” malware exfiltrates sensitive data from victims and covertly signs them up for expensive premium subscription services. The eight apps in question, which have since been removed, had collectively been downloaded 50,000 times. The apps were mostly camera utilities and children’s games, including “Kids Coloring,” “Compass,” “qrcode,” “Fruits coloring book,” “soccer coloring book,” “fruit jump tower,” “ball number shooter” and “Inongdan.” The apps legitimately function as advertised – but in the background covertly perform an array of malicious functions. “Haken has shown clicking capabilities while staying under the radar of Google Play,” said researchers with Check Point Research, in an analysis on Friday. “Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.” The downloaded Haken malware is what researchers call “clicker” malware, meaning that it mimics the user and clicks on anything that appears on the device’s screen. The impact of this on victims is two-fold: First, downloaded apps are able to sign users up for premium subscription services without them knowing. Second, this malware can access any sensitive information visible on the mobile screen – from work emails to work conversations over…

Source

Google has removed nearly 600 Android apps from the Play Store for serving up obnoxious, invasive ads that aren’t easily “x’d” out of. The internet giant said the enforcement action was a strike against mobile ad fraud. Google said Thursday that the apps violated its disruptive ads policy – and are therefore also banned from Google’s ad monetization platforms, Google AdMob and Google Ad Manager. One of the violating behaviors comes in the form of serving up “out-of-context ads” – where users are bombarded with ads in places and at times that they don’t expect. Free apps are often monetized by showing ads in-between levels on a game, for instance, or between menu areas – while users are actively using an app. However, many of the offending apps flagged by Google were found to be showing random, intrusive ads even when the apps weren’t being actively used. Or, if the user attempts to exit the app and navigate to the home screen, the expected flow is instead interrupted by an ad. Other things that Google considers foul play include commercials that impair or interfere with the usability of device functions – for instance displaying a pop-up that prevents the user from accessing anything else on the phone and which doesn’t go away even if the app is closed down. “Imagine being unexpectedly served a full-screen ad when you attempt to make a phone call, unlock your phone or while using your favorite map app’s turn-by-turn navigation,” said Per Bjorke, senior product manager for…

Source

A critical flaw in the High Availability (HA) service of Cisco Smart Software Manager On-Prem Base has been uncovered, which would open the door to remote attackers thanks to its use of a static, default password, even if the platform isn’t directly connected to the internet. Cisco Smart Software Manager On-Prem Base is used to manage a customer or partner’s product licenses, providing near real-time visibility and reporting of the Cisco licenses that an organization purchases and consumes. According to Cisco’s product literature, the platform is aimed at “customers who have strict security requirements and do not want their products to communicate with the central licensing database on Smart Software Manager over a direct Internet connection,” like financial institutions, utilities, service providers and government organizations. The hard-coded password is for “a [HA] system account [that] is not under the control of the system administrator,” Cisco said in an advisory issued Wednesday. Essentially, anyone who discovered the password (presumably available in installation guides or other documentation available online), could log onto this account and then, from there, connect to the Cisco Smart Software Manager On-Prem Base. The vulnerability (CVE-2020-3158), which has a score of 9.8 on the CVSS bug-severity scale, “could allow an unauthenticated, remote attacker to access a sensitive part of the system with a high-privileged account,” Cisco said. “A successful exploit…

Source

Researchers have uncovered a new business email compromise (BEC) threat actor, which they call Exaggerated Lion, targeting thousands of U.S. companies with money-pilfering scams. The cybercrime ring is unique in its leveraging of Google’s cloud-based productivity suite, G Suite, and for its use of physical checks for collecting fraudulent payments – as opposed to wire transfers. While only recently discovered, Exaggerated Lion has been behind scams dating back to at least 2013, researchers said. Unlike other BEC organizations, which are centrally located in Nigeria, the threat group’s primary associates are spread across multiple countries in Africa, including Nigeria, Ghana and Kenya. After researchers uncovered the cybercrime ring, they observed it targeting nearly 2,100 U.S. companies in four months. “Exaggerated Lion’s M.O. has remained remarkably consistent over the years. They use very long domain names hosted on G Suite containing words that give the appearance that an email was sent from secure infrastructure,” said researchers with Agari in a report posted Thursday. “For Exaggerated Lion, their use of physical checks as a cashout mechanism sets them apart from other BEC groups and their evolution to creating fake documents that are commonly used in authentic business transactions to add legitimacy to their scams.” Researchers first started engaging with the threat group in April 2019 after observing an attempted attack on a customer’s Accounts Payable…

Source

Adobe has issued unscheduled patches for two critical vulnerabilities that, if exploited, enable an attacker to execute remote code on targeted devices. The two apps affected by the critical flaws are Adobe After Effects, a visual effects and motion graphics app used for post-production filmmaking and video game production, and Adobe Media Encoder, an application to help with media processing requirements for audio and video. Both vulnerabilities can be exploited by a remote, unauthenticated attacker via the internet, and both exist “due to a boundary error when processing untrusted input,” according to an analysis of the flaws after they were disclosed Wednesday evening. “A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.” Adobe After Effects has an out-of-bounds write flaw (CVE-2020-3765), which stems from write operations that produce undefined or unexpected results. This could enable arbitrary code execution, according to Adobe’s update. Adobe After Effects versions 16.1.2 and earlier (for Windows) are affected. Users need to update to version 17.0.3, available on both Windows and macOS. While the vulnerability is critical in severity, the update has a priority 3 rating, which according to Adobe “resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators…

Source