A previously undocumented modular loader has emerged as a lucrative tool for cybercriminals in a variety of campaigns. Researchers say the “highly competitive” loader, dubbed Buer, is intended for use by actors seeking a turn-key, off-the-shelf solution. Researchers say they have spotted the loader being actively sold in prominent underground marketplaces since August 2019. Consequently, Buer has made an appearance in several malicious email campaigns and via exploit kits, to then download various strains of malware – from the TrickBot banking trojan to the KPOT information stealer. “The new loader has robust geotargeting, system profiling and anti-analysis features and is currently being marketed on underground forums with value-added setup services,” said researchers with Proofpoint on Wednesday.

Buer in the Wild

Researchers first came across Buer in the wild in a slew of malicious August email messages, purporting to be replies to earlier legitimate email messages. The emails contained Microsoft Word attachments that used macros to download a next-stage payload. Upon further analysis, researchers found the naming convention for this payload (verinstere222.xls or verinstere33.exe) was frequently associated with the Dreambot variant of Ursnif. However, they were surprised to find that the payload instead dropped Buer, an undocumented loader not previously observed in the wild. “In the following weeks over September and October, Proofpoint researchers and other members of…

A freshly-discovered wiper malware dubbed “ZeroCleare” has been deployed to target the energy and industrial sectors in the Middle East. According to IBM’s X-Force Incident Response and Intelligence Services (IRIS), ZeroCleare (so-named because of the program database pathname of its binary file) was involved in a recently spotted APT attack in which it compromised a Windows machine via a vulnerable driver. ZeroCleare then pivoted to spread to other devices on the network – setting up the groundwork for a potentially catastrophic attack. IRIS analysis showed that ZeroCleare shares certain characteristics with the infamous Shamoon malware in that it overwrites the master boot record (MBR) and disk partitions on Windows-based machines, using a legitimate utility. This renders infected machines inoperable. “As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk, a legitimate toolkit for interacting with files, disks and partitions,” according to an analysis, posted on Wednesday. “Nation-state groups and cybercriminals frequently use legitimate tools in ways that a vendor did not intend to accomplish malicious or destructive activity.” The vulnerable driver was used to bypass the Windows operating system safeguards that prevent unsigned drivers from running on 64-bit machines – a control that is designed to only allow drivers which have been signed by Microsoft to run on the device. “Since ZeroCleare relies on the EldoS RawDisk driver, which is not a…

You can’t protect your privacy if you don’t know how it’s being violated. That’s the essence of a report by the Electronic Frontier Foundation that shines a bright disinfecting light on how corporations are collecting data on consumers. Think Facebook-like data collection on steroids and you begin to grasp the scope of the problem. “I think on mobile, we’re still in this Wild West Era where people don’t understand the kind of tracking that’s happening when they use apps on their phone,” Bennett Cyphers with the Electronic Frontier Foundation (EFF) told Threatpost. “And there aren’t really a lot of ways to rein it in either, even if you do know what’s happening.” Threatpost caught up with Cyphers for a podcast (see below) to better understand his 17,300-word in-depth report “Behind the One-Way Mirror”. In his overview with Threatpost he discusses the “identifiers” behind data collection – the ways that companies identify consumers who they’re collecting the data from. Cyphers notes that consumers and regulators are struggling to understand who is collecting data, how that data is being shared and how it’s being stored. Identifiers, he said, are part of a new corporate surveillance state that includes mobile and physical tracking via “invisible pixel images, browser fingerprinting, social widgets, mobile tracking, and face recognition [that] companies employ to collect information about who we are, what we like, where we go, and who our friends are.” Unfortunately, according…

Prosecutors in the Netherlands are asking for three years in prison for a Dutch politician who hacked into women’s personal iCloud accounts and stole nude photos and other personal digital material belonging to them, then leaked some of it online. The public prosecutor of the North Holland Public Prosecution Service has requested that Mitchel van der K., a member of the VVD political party in the Netherlands, face three years in prison for hacking into personal accounts of “women from his own environment, and of women he knew from the media,” according to a translated version of the request, which was made public during the case’s pre-sentencing process. Van der K was part of what the media dubbed “The Fappening,” or “Celebgate,” in which the personal accounts of women, including some celebrities, were hacked and personal photos and other digital material – most of it sexually provocative – found on those accounts was publicly disseminated on social media. Van der K’s victims in the Netherlands included Dutch YouTube star Laura Ponticorvo and Dutch field hockey star Fatima Moreira de Melo. Celebrities in the United States also were part of the global incident, in which personal, nude photos from the iCloud accounts of celebrities including Jennifer Lawrence and Kirsten Dunst were leaked online. In response, Dunst publicly criticized iCloud for the breach. In response to the hacks, Apple patched a vulnerability in its Find My iPhone app that likely was used by attackers in the…

One of the more curious behaviors of Apple's new iPhone 11 Pro is that it intermittently seeks the user's location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company's own privacy policy. The privacy policy available from the iPhone's Location Services screen says, "If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations." The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching "Location Services" to "off"). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled. The policy continues: "You can also disable location-based system services by tapping on System Services and turning off each location-based system service." But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically…

The Department of Homeland Security plans to extend facial recognition checks to all travelers entering and leaving the U.S. – including previously-exempt U.S. citizens. The proposed ruling, outlined in a recent filing that was first reported this week by TechCrunch, signifies a rapid expansion of the DHS’ use of facial recognition checks at the U.S. border. Previously, the DHS facial recognition checks applied to only non-U.S. citizens traveling to and from the U.S. The checks would scan passenger faces and match them with photos that the government has on file. “The Department of Homeland Security is required by statute to develop and implement a biometric entry-exit data system,” according to the DHS filing. “To facilitate the implementation of a seamless biometric entry-exit system that uses facial recognition and to help prevent persons attempting to fraudulently use U.S. travel documents and identify criminals and known or suspected terrorists, DHS is proposing to amend the regulations to provide that all travelers, including U.S. citizens, may be required to be photographed upon entry and/or departure.” Facial recognition checks have been implemented at various airports through the “Biometric Exit” program, first introduced by the U.S. Customs and Border Protection (CBP) in 2015. As of April, the program was operational in 17 airports and the agency reportedly plans to expand that number to 20 by 2021. The DHS did not respond to a request for comment from Threatpost…

Biometric security – which uses fingerprints, voice or facial recognition or retina identification to authenticate users to services – has crossed the chasm into the mainstream, thanks to the prevalence of features like fingerprint readers on laptops and FaceID for iPhones. However, researchers say that information security issues affecting these systems are significant, and must be addressed. Kaspersky researchers found that in the third quarter, one in three (37 percent) of computers within the firm’s telemetry that collect, process and store biometric data were targeted by malware attacks. The malware in question included spyware and remote access trojans (RATs), which accounted for 5.4 percent of all computers analyzed; followed by malware used in phishing attacks (5.1 percent), ransomware (1.9 percent) and trojan bankers (1.5 percent). “It should be noted that other types of malware also included malicious programs designed to steal banking data (1.5 percent). It is not likely that these malicious programs were intended for stealing biometric data,” according to Kaspersky’s analysis, released Monday. “However, it can be expected that mass-distributed malware designed to steal biometric data from banks and financial systems will appear in the near future.” As for the source of the attacks, standard protocol reigned – most campaigns observed in the third quarter came in the form of typical phishing emails containing links to malicious websites or attached Office…

A full 80 percent of Android apps are encrypting their traffic by default, according to a Transport Layer Security (TLS) adoption update from Google. That percentage is even greater for apps targeting Android 9 and higher, with 90 percent of those encrypting traffic by default, the tech giant said on Tuesday. TLS is a cryptographic protocol standard ratified by the Internet Engineering Task Force that provides end-to-end communications security over networks by scrambling data in transit, preventing hackers from reading it, intercepting it or tampering with it. TLS can be enabled for any internet communication or online transaction, such as a connection between a mobile shopping website and a user’s mobile browser, or between a banking app and the bank’s backend servers. The security of those connections is then verified via secure TLS certificates. As of October 2019, a third (33 percent) of Android devices run Android 9 (Pie), the latest version of the operating system. That makes it the most popular Android version. According to Google, apps targeting Android 9 or higher automatically have a policy set by default that prevents unencrypted traffic for every domain; and, since November 1, all apps on Google Play must target at least Android 9. “We’re excited to see that progress encrypting mobile application data on networks is mirroring the great progress happening with websites,” Josh Aas, executive director of the open-source Let’s Encrypt project, told Threatpost…

Google has released an update stomping out three critical-severity vulnerabilities in its Android operating system — one of which could result in “permanent denial of service” on affected mobile devices if exploited. The vulnerabilities are part of Google’s December 2019 Android Security Bulletin, which deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 22 critical and high-severity vulnerabilities. “The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service,” according to Google’s Monday update. That DoS flaw, CVE-2019-2232, has been addressed for devices running on versions 8.0, 8.1, 9 and 10 of the Android operating system, Google said. The other two critical flaws (CVE-2019-2222 and CVE-2019-2223) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. These two bugs, which could enable a remote attacker using a crafted file to execute code within the context of a privileged process, have been addressed for Android devices running operating system versions 8.0, 8.1, 9 and 10. Also fixed were three high-severity elevation-of-privilege flaws (CVE-2019-9464, CVE-2019-2217 and…

Empower Your Suppliers Against Attack

The average business shares data with a complex network of third parties, depending on their operational needs. In a survey of security and risk professionals, Forrester learned that the average business has 4,700 third-party partners with some access to corporate data. Third-party relationships extend your attack surface in ways that are hard to monitor and control. Just 14 percent of the respondents to Forrester’s survey said they were confident they could effectively track all their third parties. Among the most insidious and potentially damaging of these threats is account takeover (ATO), where cybercriminals obtain email and password combinations and use them to gain unauthorized access to corporate networks. This provides criminals a springboard for a variety of attack types. Data collected from the criminal underground suggests there is a constant risk of ATO to large enterprises. SpyCloud research into risk among Fortune 1000 companies showed a total of 23 million exposed corporate credentials with a high rate of password reuse. It’s important for businesses of all sizes to not only view their suppliers’ attack surface as their own but also extend some of their security protections to them. Doing so empowers suppliers to remediate the risks that threaten partner organizations. Here is a rundown of 3 attack types that pose a risk to your business via your third-party ecosystem:

Business Email Compromise

2019 saw significant…