Two Iran-backed APTs could be working together on a sprawling, three-year campaign to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel and around the world, according to a report by researchers at ClearSky. They maintain that APT34/OilRig and APT33/Elfin appear to be linked to the campaign, which they dubbed Fox Kitten.

The offensive has resulted in the establishment of a highly developed and persistent infrastructure of access to company networks, which has been used for reconnaissance and espionage, they said. However, it is also the perfect launchpad for the deployment of destructive malware such as ZeroCleare and Dustman, researchers noted, both of which have been linked to the APTs.

“Aside from malware, the campaign enfolds an entire infrastructure dedicated to ensuring the long-lasting capability to control and fully access the targets chosen by the Iranians,” researchers said in an analysis over the weekend.

According to the analysis, Fox Kitten’s objective has been to develop and maintain access routes to the targeted organizations, establishing persistent footholds within them; stealing information; and pivoting from within to additional targets via supply-chain attacks.

The Fox Kitten Toolset

The campaign has used a range of tools, including some based on open-source code and some custom weapons. The initial infection vector has been the exploitation of recently…

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.

This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.

Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.

"Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction," reads an alert the Secret Service sent to law enforcement agencies. "They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number."

The instructions on the phony rewards card are designed to make the cashier think it’s a payment alternative designed for use exclusively at Sam's Club and WalMart stores. When the transaction goes through, it’s recorded as a card-not-present purchase.

"This appears to be an evolution of the traditional card-not-present fraud, and early…

Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering attackers are actively exploiting a flaw in the plugin.

The ThemeGrill Demo Importer plugin is owned by ThemeGrill, which offers various templates for website outlines. This WordPress plugin helps users import and manage ThemeGrill templates on their sites. As of last week, the plugin had 200,000 active installations. According to WebARX, who discovered the flaw, on Tuesday that number had dipped to 100,000 installs. It is unclear at this time what accounts for the drop in the number of WordPress plugin installs.

Researchers disclosed a flaw in the plugin this week, which allows unauthenticated, remote attackers to execute some administrator functions – without checking if they are an administrator. One such function is the capability to wipe the entire database of the vulnerable website, bringing it to its default state and clearing website databases of existing posts and user roles. And, after carrying out this action, an attacker would also then be logged in as an administrator – giving them complete control over the website.

“This is a serious vulnerability and can cause a significant amount of damage,” according to WebARX researchers in a post this week. “Since it requires no suspicious-looking payload … it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”…

A new e-mail based extortion attack threatens users of Google’s AdSense banner-ad program with fraudulent traffic that would earn them an account suspension (perhaps a permanent one) from Google if they don’t pay the attackers in bitcoin.

The scam, revealed in a post by security writer and researcher Brian Krebs on his blog KrebsOnSecurity, demands $5,000 worth of the cryptocurrency in return “for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account,” Krebs wrote in a blog post. “In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate,” he said.

AdSense is a program that website publishers use to serve targeted banner ads to their audiences, with Google providing ad administration, sorting and maintenance.

Krebs said he discovered the scam from a reader who maintains a number of sites that receive what he characterized as “a fair amount of traffic.” The reader received an email that began by quoting from a message an AdSense user might receive from the program’s automated system if it detects a site is violating the program’s terms by seeking to benefit from automated clicks. While at first the reader in question dismissed the message as baseless, a review of his recent AdSense traffic statistics showed that detections in his…

Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium. TouchPad and TrackPoint firmware in Lenovo laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.

“Software and network vulnerabilities are often the more-obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,” Katie Teitler, senior analyst at TAG Cyber, said via email. “This could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.”

Unsigned Firmware Updates: A Growing Problem

Firmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.

“Many peripheral devices do not verify that firmware is properly signed with a high-quality public/private…

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google's AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher's ads with so much bot and junk traffic that Google's automated anti-fraud systems suspend the user's AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google's AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google's systems might send if they detect your site is seeking to benefit from automated clicks.

The message continues: "Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we're about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP's in rotation — a nightmare for every AdSense publisher. More also we'll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site."

The message goes on to warn that while the targeted site's ad revenue will be briefly increased, "AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent."

"Next an ad serving limit will be placed…

The controversy over Huawei’s involvement in the 5G telecom gear market ratcheted up a notch this week. U.S. officials said they have evidence that the Chinese equipment giant has had access to backdoors inside mobile carrier networks for more than 10 years.

Officials are trying to make the case that the U.S. and its allies should ban Huawei from supplying infrastructure for 5G networks going forward, due to what they say is the possibility of widespread, Beijing-backed espionage. Huawei rejected the allegations, and other countries around the world are continuing to build networks using the vendor’s gear despite the U.S. position on the vendor. But security experts say that 5G supply-chain concerns should be taken seriously – whether it’s in the context of Huawei or not.

“A backdoor to a lawful intercept interface could yield a treasure trove of information to a malicious actor — including the current location of a target, details including when and where a call was placed, and even the ability to eavesdrop or listen into a current call,” Russ Mohr, engineer and Apple evangelist at MobileIron, told Threatpost. “A backdoor is an extremely valuable resource to a bad actor, and it is likely that it would be much more valuable as an asset to collect data than as a mounting point for an attack — although it may provide an opportunity to inject ransomware into a 5G network targeting a mobile carrier.”

Latest Allegations

The feds told the Wall Street Journal that Huawei can make…

Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers, and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.

Browser extensions are used for customizing web browsers, modifying user interfaces, blocking ads and managing cookies. But researchers said that the malicious extensions they discovered are instead part of a massive malvertising campaign that also harvested browser data. Malvertising often is used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages.

“These extensions were commonly presented as offering advertising as a service,” according to Jamila Kaya, an independent security researcher, and Jacob Rickerd, with Duo Security, in a Thursday analysis. “[Security researcher Jamila Kaya] discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and… identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.”

Researchers believe that the actor behind this campaign was active since January 2019, with activity escalating between March and June. After researchers…

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue Service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a "broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking." The government says from 2006 until the service's takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it's clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees. Indeed, the two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal…

A malicious email campaign aimed at iPhone owners is making the rounds this week, using a bouquet of different themes to scam victims, just in time for Valentine’s Day – including a fake dating app.

The gambit begins far afield from romance however, with an email from “Nerve Renew,” claiming to offer a miracle cure for neuropathy. The interesting thing about this is that the email body is a picture, completely static. “You cannot copy the contents and paste it elsewhere,” according to a Friday post from researchers at Bitdefender, who uncovered the campaign. “The sender wants to keep us inside the email body, clicking the malicious links inside.”

Those malicious links include a fake “unsubscribe” button at the bottom as well as the link behind the picture – clicking anywhere on the email body, either intentionally or inadvertently, will cause the scam to execute. Clicking the unsubscribe button takes users to a page that asks them to enter their email addresses – likely to validate whether those addresses are actually active.

Once the email body is clicked, the victim is taken on “a seemingly endless redirect loop,” until neuropathy is left far behind, and the victim lands on what purports to be a dating app for Apple’s iPhone. Immediately, “Anna” starts sending invitations to connect via a phone call. If the recipient takes the bait and calls, the person will be connected to a premium number and will be charged per-minute for the call.

“It’s a trap! The girl in the…
