The very first Pwn2Own hacking competition that focuses exclusively on industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro's Zero Day Initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories. So far, two teams are the big winners: the Horst Goertz for IT-Security team (Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi) and the Flashback team (Pedro Ribeiro and Radek Domanski) both have $75,000 in winnings going into Day Three. On Day One there were six successful hacking attempts and two partially successful attempts against eight targets, according to ZDI. On Day Two there were three successful hacks and two partials against four targets.

Prizes and Categories

The categories include Control Servers, which covers server solutions that provide connectivity, monitoring and control across disparate programmable logic controllers (PLCs) and other field systems. The specific targets in this category are control servers from Iconics and Inductive Automation. OPC Unified Architecture (OPC UA) Servers is another category, encompassing two targets: the Unified Automation ANSI C Demo Server and the OPC Foundation OPC UA .NET Standard. OPC UA serves as the universal translator protocol in the ICS world, used by almost all ICS products to send data…

Source

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month. Beta versions of iOS 13.3.1 include a new setting that lets users disable the "Ultra Wideband" feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support it. In December, KrebsOnSecurity pointed out that the new iPhone 11 line queries the user's location even when all applications and system services are individually set never to request this data. Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone's settings menu. Apple later acknowledged that the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices. The company further explained that the location indicator appears because the device periodically checks whether it is being used in one of a handful of countries for which Apple hasn't yet received approval to deploy Ultra Wideband. Apple also stressed that it doesn't use the UWB feature to collect user location data, and that this location checking resides "entirely on the device." Still, it's nice that iPhone 11 users will now have a way to disable the feature if they want. Spotted by journalist Brandon…

Source

A recently uncovered threat actor, dubbed Vivin, has made thousands of U.S. dollars through a large-scale cryptomining campaign. Vivin is unique due to its longevity — the threat actor has been active since at least 2017 — and researchers with Cisco Talos point to Vivin as a good example of why cryptomining malware isn't going anywhere, despite the loss in the value of Monero over the past few years. "Cryptomining…really hasn't changed all that much on the threat landscape," Nick Biasini, a threat researcher at Cisco Talos, told Threatpost. "This type of an activity is really going to continue for the foreseeable future. I mean, money's the name of the game in a lot of these instances, and even though it's not generating a huge amount of revenue, it's guaranteed money. And for a lot of these actors, that's really all their goal is, is to make money. So this remains a very viable way to do that." Listen to Threatpost's full interview with Cisco Talos for more information on Vivin. Below is a lightly edited transcript of the interview. Lindsey O'Donnell-Welch: Welcome back to the Threatpost podcast everybody. This is Lindsey O'Donnell-Welch…

Source

The sLoad malware downloader, a PowerShell-based trojan first spotted in May 2018, has a new, polished version that comes with "more powerful features, posing even higher risk," Microsoft researchers are warning. After discovering it being used in several campaigns over the holidays, researchers dubbed the new sLoad version "Starslord," based on strings in the malware code. Starslord is a downloader that installs itself on the system, connects to a remote server and downloads additional malware onto the infected host; in this it follows an attack chain similar to the original version's. However, version 2.0 includes a new anti-analysis trick and the ability to track the stage of infection on every affected machine. "sLoad's multi-stage attack chain…and its polymorphic nature in general make it a piece of malware that can be quite tricky to detect," Sujit Magar, with Microsoft's Defender ATP research team, said in a Tuesday analysis. "Now, it has evolved into a new and polished version, Starslord, which retains sLoad's most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk." The latest sLoad version comes on the heels of a Microsoft research paper from December describing the downloader's attack techniques, suggesting that the developers behind the malware are trying to shake off analysis, Microsoft warned. Threatpost has reached out to Microsoft for more details regarding the victims and…

Source

Misconfigured Microsoft cloud databases containing 14 years of customer support logs have exposed 250 million records to the open internet. The account info dates back as far as 2005 and is as recent as December 2019 — and exposes Microsoft customers to phishing and tech-support scams. The Comparitech security research team said that it ran across five Elasticsearch servers that had been indexed by the search engine BinaryEdge, each with an identical copy of the database. The database contained a wealth of phishing- and scam-ready information in plain text, including customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked "confidential." In short, it's everything a cybercriminal would need to mount a convincing and large-scale fraud effort, Comparitech researcher Paul Bischoff wrote in a posting on Wednesday. "The data could be valuable to tech support scammers, in particular," he said. "Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don't have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world." Other personally identifiable information (PII) – email aliases (i.e., names), contract numbers and, crucially, payment…

Source

In December 2019, Cynet launched the State of Breach Protection 2020 Survey. Based on the responses of 1,536 individuals, it has now published the survey report, which covers the common practices, priorities and preferences of security leaders as they strive to secure their organizations from a breach (the full survey report is available for download). One of the main challenges facing security executives is how to prepare for and respond to the threats they face in today's continually changing landscape. They need to consider questions such as:

Which attacks pose the greatest risk?
Which security products would best prepare them to face these threats?
Should they build a strong team of in-house security professionals, outsource security operations, or find a balance between the two?
What level and kinds of automation can help as part of their breach protection workflows?

The State of Breach Protection 2020 survey also provides findings such as the following. Not consolidating gets in the way of achieving successful protection: according to the survey, organizations that deploy and utilize advanced security products find managing a multi-product security stack to be the biggest obstacle to achieving their target protection level. The main focus of many organizations in 2020 is advanced protection projects: most organizations that already deploy the basic AV, firewall and email security products plan to add EDR/EPP, network traffic analysis or SIEM…

Source

A new variant of the Muhstik botnet has appeared, this time with scanner technology that for the first time can brute-force web authentication to attack routers running the Tomato open-source firmware, researchers have found. Researchers at Palo Alto Networks' Unit 42 discovered the new variant harvesting vulnerable routers and IoT devices in early December, they reported in a blog post Tuesday. Muhstik, which shows a wormlike self-propagating capability that can infect Linux servers and IoT devices, has been active since March 2018. "The new Muhstik variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by default credentials bruteforcing," researchers wrote in their report. The defaults in this case are "admin:admin" and "root:admin." "We captured the Tomato router web authentication brute-forcing traffic," wrote Palo Alto Networks researchers Cong Zheng, Yang Ji and Asher Davila, who co-authored the blog. Tomato firmware, a Linux-based, non-proprietary firmware known for its stability, VPN pass-through capability and advanced quality-of-service control, is used by multiple router vendors and is also installed manually by end users, researchers said. To estimate the volume of infected devices, researchers searched for fingerprints of Tomato routers in Shodan, which identified more than 4,600 Tomato routers exposed on the internet and thus vulnerable to the latest Muhstik attack. Indeed, botnet developers increasingly compromising IoT devices installed…

Source

When it comes to the release of proof-of-concept (PoC) exploits, more security experts than not agree that the positives outweigh the negatives, according to a recent, informal Threatpost poll. Last week, Threatpost conducted a reader poll in which almost 60 percent of 230 security pundits thought it was a "good idea" to publish PoC code for zero days; 38 percent of respondents, meanwhile, argued it wasn't a good idea. The debate comes on the heels of PoC code being released last week for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability. Some argued that the code can be used to test networks and pinpoint vulnerable parts of a system, as well as motivate companies to patch, but others in the security space argued that PoC code gives attackers a blueprint to launch and automate attacks.

Security Motivator

Many security experts point to the role of PoC code publication in motivating affected companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test whether their systems are exploitable. "Rather than…

Source

A prolific phishing gang known as 16Shop has added PayPal customers to its target set. According to researchers at the ZeroFOX Alpha Team, the latest version of the group's phishing kit is designed with a number of features aimed at stealing as much personally identifiable information (PII) as possible from users of the popular money-transfer service, including login credentials, geolocation, email address, credit-card information, phone number and more. In investigating the kit's infrastructure, researchers found that, to establish contact, the kit sends a POST request to a command-and-control (C2) server with a password, domain and path as a form of operational security. Stolen information is subsequently exfiltrated via SMTP to an attacker-controlled email inbox. The kit can be used to create phishing pages in English, Japanese, Spanish, German and Thai. The researchers were able to intercept traffic between the kit and the C2 server, and gained access to the server panel that 16Shop rents to its users. They found it so user-friendly that customers could deploy phishing pages without needing to understand any of the underlying protocols or technology. "Much like a SaaS [software-as-a-service] product, user experience and dashboard analytics are keys to success," ZeroFOX said in a posting on the new kit on Tuesday. "The 16Shop kit panel is professionally done, with reactive elements and data updating in real time. Whether it's login credentials collected,…

Source

Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts. Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch on Jan. 31, it has now shortened that timeframe, saying fixes are forthcoming on Jan. 24 (Friday of this week). Citrix also patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and version 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 — a day earlier than it had expected to. The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x) and 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615). When the vulnerability was originally disclosed in December, it did not have a patch, and Citrix announced it would not be issuing fixes for the Gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until "late January." However, in the…

Source