One in four respondents to a Threatpost reader poll said they were okay with sacrificing a portion of their personal privacy in exchange for some form of cellphone tracking that could – in theory – reduce coronavirus infection rates and save lives. While the majority of Threatpost readers were privacy absolutists, the coronavirus pandemic had some respondents siding – in spirit – with controversial tracking of U.S. citizens via their cellphones. When asked, “For coronavirus tracking, do you think public-health benefits outweigh privacy risks?” approximately 27 percent voted “Yes – Privacy and data-protection laws should not get in the way of saving lives.” Sixty-nine percent said, “No – A pandemic doesn’t give authorities the right to strip citizens of their privacy rights.” The poll results come as a report in The Wall Street Journal details how U.S. officials are already using mobile ad location data to study how COVID-19 spreads. The report said U.S. authorities are using mobile ad location data to create a portal, containing geolocation data across 500 U.S. cities, in an attempt to help plan their pandemic response. The informal poll did reveal a slight change of heart when it came to the privacy of others versus their own. When asked, “If an app existed that told you who in your neighborhood was infected with the coronavirus, would you use it?” over a third (33.6 percent) of respondents said they would use it. Still, 58 percent said privacy implications were too…

Google has registered a significant drop in government-backed cyberattacks against its properties and the people who use its products. Google sends out warnings if it detects that an account is a target of government-backed phishing or malware attempts. For 2019, the internet giant sent almost 40,000 warnings – which, while a large number, is still a nearly 25 percent drop from the year before. Nation-State Trends: In terms of trends among the warnings, the analysis showed that main targets included, perhaps unsurprisingly, geopolitical rivals, government officials, journalists, dissidents and activists. In 2019, about 20 percent of accounts that received a warning were targeted multiple times by attackers. Google also uncovered that phishing and zero-day exploits continue to be APT weapons of choice. On the former front, Google researchers saw a growing trend emerge towards impersonating news outlets and journalists, especially when it comes to attackers from Iran and North Korea. “For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,” explained Toni Gidwani, security engineering manager at the company’s Threat Analysis Group (TAG), writing in an overview of nation-state trends, published last week. “In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign-policy expert before sending a malicious attachment in a follow-up email.” On the zero-day front, TAG…

Zoom has removed a feature in its iOS web conferencing app that was sharing analytics data with Facebook, after a report revealing the practice sparked outrage. According to the Motherboard report last week that originally disclosed the privacy issue, the transferred information included data on when a user opened the app, a user’s time zone, device OS, device model and carrier, screen size, processor cores and disk space. Zoom’s privacy policy did not clearly outline that it was transferring the data to Facebook. In a Friday post, Zoom said that it has now removed the “Login with Facebook” software development kit (SDK) for iOS, which was the feature tied to the data sharing: “Our customers’ privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client, and have reconfigured the feature so that users will still be able to log in with Facebook via their browser,” according to Eric Yuan, founder of Zoom. Zoom shied away from saying that it intended to share this information, instead stating: “We were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services.” The Facebook SDK for iOS is not an uncommon feature for apps; it allows Zoom users to more easily sign into the conferencing platform using their Facebook credentials. In the past, these types of SDKs have been misused to scrape data from mobile apps. Part of the issue for privacy advocates was…

The Zeus Sphinx banking trojan is back after being off the scene for nearly three years. According to researchers Amir Gandler and Limor Kessem at IBM X-Force, Sphinx (a.k.a. Zloader or Terdot) began resurfacing in December. However, the researchers observed a significant increase in volume in March, as Sphinx’s operators looked to take advantage of the interest and news around government relief payments. First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking trojan, the researchers explained. Like other banking trojans, Sphinx’s core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, Sphinx dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals. In terms of theme, Sphinx is joining the growing fray of COVID-19-themed phishing and malspam campaigns ramping up worldwide. In the March campaigns, the emails tell targets that they need to fill out an attached form to receive coronavirus relief from the government. In the latest campaigns, Sphinx is spreading via coronavirus-themed email sent to victims in the U.S., Canada and Australia, housed in malicious attachments named “COVID 19 relief,” according to an X-Force blog posting on Monday. “From a…

In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means "cancer" in German). This week, the forum is celebrating its third annual observance of that protest to "fight Krebs," albeit with a Coronavirus twist. Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted a large number of ‘thank you' receipts from cancer research organizations that benefited from their fight cancer/krebs campaign. On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform. Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”). They ended up raising more than a quarter-million dollars worth of donations…

An unpatched bug in the latest version of Apple’s iOS is blocking virtual private network (VPN) applications from cloaking some private data transmitted between a device and the servers it is requesting data from. While the bug remains unpatched, Apple is suggesting steps users can take to reduce risk, researchers state. The bug, outlined in a report by ProtonVPN, impacts Apple’s most recent iOS 13.4. The flaw is tied to the way VPN security software loads on iOS devices. Post-launch, VPN software is supposed to terminate all existing internet connections and re-establish them as encrypted and protected. Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device’s IP address, exposing it for a limited window of time. “Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” researchers explained in a technical analysis of the flaw. The bug remains unpatched at a critical time when many are using VPNs under work-at-home and stay-at-home restrictions imposed due to the Covid-19 pandemic. “An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” according to the post. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”…

A critical flaw in a web server for the CODESYS automation software for engineering control systems could allow a remote, unauthenticated attacker to crash a server or execute code. The bug is rated 10 out of 10 on the CVSS v.2 vulnerability severity scale and requires little skill to exploit, the company said. It’s a heap-based buffer overflow – a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed – and thus be made inaccessible to other processes. In this case, the bug (CVE-2020-10245) exists in the CODESYS web server, which is used to display CODESYS system visualization screens in a web browser. “This could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution,” according to the company’s advisory [PDF]. “As the web server is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system.” CODESYS is a software suite used by automation specialists as a development environment for programming controller applications, often found in industrial environments, according to its website. Developed by the Germany-based company Smart Software Solutions (3S) to make the engineering of automated solutions more convenient, it’s a platform-independent development environment that is compatible with programmable logic controller (PLC) hardware and many other automation components available from hundreds of companies….

Cybercriminals hacked the official website of Tupperware, the popular food container giant, injecting a payment card skimmer into its checkout page in hopes of stealing the credit-card details of online customers. The attackers targeted the official Tupperware[.]com website, which averages close to one million monthly visits, as well as various localized versions of the site. Researchers said they first identified the skimmer on March 20 — but there’s no indication of how long the site was compromised before that. Though Tupperware never responded to multiple attempts at contact by researchers, as of March 25, after research was publicly disclosed detailing the card skimmer, the malicious code was removed from the homepage. “Threat actors compromised the official tupperware[.]com site…by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process,” said researchers with Malwarebytes, in a Wednesday post. “This form collects customer-payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none the wiser.” Researchers first came across the card skimmer during a web crawl, when they identified a suspicious iframe — responsible for displaying the payment form fields presented to online shoppers — that was loaded on the Tupperware[.]com checkout page. Researchers said the iframe was loaded from deskofhelp[.]com, raising a few red flags. First, the webpage was newly…

A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers. Watering-hole campaigns make use of malicious websites that lure visitors in with targeted content – cyberattackers often post links to that content on discussion boards and on social media to cast a wide net. When visitors click through to a malicious website, background code will then infect them with malware. In this case, the campaign uses links posted on multiple forums that purport to lead to various news stories that would be of interest to Hong Kong residents, according to a pair of research notes from Kaspersky and Trend Micro. The links lead to both newly created websites set up specifically for this campaign by the operators, as well as legitimate sites that have been compromised. In both cases, a hidden iframe is used to load and execute malicious code. That code contains exploits for known and patched Apple iOS vulnerabilities – and has an endgame of installing a custom, proprietary backdoor spyware, dubbed LightRiver by Kaspersky and lightSpy by Trend Micro. The backdoor not only allows remote execution of shell commands, but it also contains a variety of…

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade. In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data. A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused. The FSB has not released a list of those apprehended, but the agency's statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names "Flint" and "Flint24." According to cyber intelligence firm Intel471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Silivanon (a.k.a. "Gabrik") were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel471 says Selivanon also was charged along with…
