Facebook has booted hundreds of Iran-linked pages, groups and accounts from its social media platform that it claimed were promoting misinformation. According to Facebook, it removed 783 pages, groups and accounts that engaged in “coordinated inauthentic behavior,” misleading users about who they were and what they were doing.

The pages, some of which had 2 million followers, repurposed Iranian state media’s reporting on topics such as the conflicts in Syria and Yemen and the role of the U.S., Saudi Arabia and Russia, Facebook said.

“This activity was directed from Iran, in some cases repurposing Iranian state media content, and engaged in coordinated inauthentic behavior targeting people across the world, although more heavily in the Middle East and South Asia,” said Nathaniel Gleicher, head of cybersecurity policy at Facebook, in a Thursday post. “These were interconnected and localized operations, which used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing.”

Facebook said there were multiple sets of activity dating back to 2010, localized for specific countries or regions (including Afghanistan, Egypt, France, Germany, Saudi Arabia, Syria, the U.S. and more).

The page admins and owners for these accounts would typically purport to be locals of the countries they were sharing stories about, often using fake accounts, and posted news stories on current events, including commentary on topics like Israel-Palestine relations and the conflicts in Syria and Yemen. Some of the removed pages were vastly popular: at least one page had about 2 million followers, and one of the groups racked up 1,600 accounts. The accounts would also host events; Facebook said that eight events were supposedly hosted.

“We identified some of these accounts through our continued investigation into Iranian coordinated inauthentic behavior we found and removed last year,” said Gleicher. “Our investigation was aided by open source reporting and information provided to us by our industry peers. We have shared information about our investigation with US law enforcement, the US Congress, and policymakers in impacted countries.”

The latest crackdown on “coordinated inauthentic behavior” comes as Facebook tries to bar misinformation and other political meddling efforts from its platform. After announcing in October that it would expand content policing on the site by cracking down on accounts aimed at voter suppression and penalizing pages spreading political disinformation, Facebook has removed hundreds of pages and accounts that it said have spread spam or disinformation.

In November, Facebook barred an additional 115 accounts (including 30 Facebook accounts and 85 Instagram accounts). In October it said that it had collectively removed more than 800 pages and accounts showing inauthentic behavior. In August, it made a 652-page dent in a sizable alleged Iran-backed influence campaign that stretches back to 2017, with some pages in operation since 2013. And in July, Facebook said that it removed 32 pages from its platform involved in “coordinated” inauthentic behavior.

“To ensure that we stay ahead in rooting out abuse we’re investing heavily in building better technology, hiring more people and working more closely with law enforcement, security experts and other technology companies,” said Gleicher.

Source

TheMoon, an IoT botnet targeting home routers and modems, is entering a new phase: it has added a previously undocumented module that allows it to be sold as-a-service to other malicious actors. This has already had significant real-world consequences, according to CenturyLink Threat Research Labs, which detected a video ad fraud operator using TheMoon on a single server to impact 19,000 unique URLs on 2,700 unique domains over a six-hour period. It has also been seen being used for credential brute-forcing, general traffic obfuscation and more.

TheMoon is a modular botnet active since 2014, which targets vulnerabilities in residential routers within broadband networks. According to researchers, it exploits broadband modems or routers developed by companies such as Linksys, ASUS, MikroTik and D-Link, with the most recent exploit, added last May, targeting GPON routers. It spreads like a worm, and has been seen incorporating as many as six IoT exploits at a time in an effort to increase its footprint.

The researchers said that the new module is only deployed on MIPS devices, a common microprocessor architecture typically found in residential gateways and modems. It allows the compromised device to be used as a SOCKS5 proxy. This means that it can be used maliciously to circumvent internet filtering or obscure the source of internet traffic, allowing the botnet author to sell its proxy network as a service to others.

“TheMoon is a stark reminder that the threat from IoT botnets continues to evolve,” said Mike Benjamin, head of CenturyLink Threat Research Labs. “Not only does TheMoon demonstrate the ability to distribute malicious modules of differing functionality, but it’s designed to function like a botnet-as-a-service, enabling other malicious actors to use it for [their own] uses.”

Netlab 360 has previously documented various TheMoon modules that can act as traffic proxies at the behest of a command-and-control (C2) server.

“Traffic flowing through the proxy network is roughly divided into plaintext and ciphertext, and the traffic is not high,” Netlab 360 analysts said in a recent overview of TheMoon. “In the plain text, it is related to pornography, gambling, mining, etc., and a small part looks like a portal site; the traffic in the ciphertext section is related to e-commerce or online mailboxes. The time distribution is not obvious; it seems that traffic occurs 24 hours.”

This new iteration is different, according to CenturyLink.

“Previous modules with proxy functionality only allowed the C2 to send proxy requests; the new module allows the botnet author to sell its proxy network as-a-service to others,” CenturyLink analysts said in a Thursday posting on the botnet. “The proxy port appears to be a randomly chosen port above 10,000 and was observed changing multiple times per day. Originally this proxy port was unauthenticated, allowing anyone to route traffic through an infected device. In April 2018, the actors changed their proxies to use authentication.”

In the video ad fraud example, CenturyLink analysts saw a quickly swelling attack.

“What we saw during this particular six-hour period was one operator leveraging TheMoon to conduct video ad fraud, essentially making it appear that thousands of people were clicking on video ads,” Benjamin told Threatpost. “Specifically, the operator used a single server to impact 19,000 unique URLs on 2,700 unique domains in that short time.”

CenturyLink, as a communications provider, blocked TheMoon infrastructure on its ISP network, in addition to notifying other network owners of potentially infected devices, so the activity of TheMoon dropped off as a result.

“That said, the threat of IoT botnets with varying capabilities remains a powerful one,” Benjamin noted. “It’s likely this actor will attempt to infect new devices in the future by adding additional exploits to the existing toolkit.”

The CenturyLink analysis also points out that there’s a substantial market for proxy botnets targeting broadband networks to route traffic for attacks like credential brute-forcing and ad fraud. “The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,” according to the firm.

Source

The digital world we now inhabit creates unprecedented opportunities – both for good and for ill. One of these possibilities is swarm-based tools that can be used to either attack or defend the network. This possibility, or set of possibilities, has arisen due to dramatic advances in swarm-based intelligence and technologies. For example, a new methodology was announced by scientists in Hong Kong that uses natural swarm behaviors to control clusters of nano-robots. These micro-swarms can be directed to perform precise structural changes with a high degree of reconfigurability, such as extending, shrinking, splitting and merging.

A potential upshot of these capabilities is the creation of large swarms of intelligent bots—swarmbots—that can operate collaboratively and autonomously. They are composed of clusters of compromised devices with specialized skillsets that can work collectively to solve problems. Alongside them come the commoditization of fuzzing—a process for discovering zero-day vulnerabilities in hardware and software interfaces and applications—and machine learning poisoning: training automated security devices to intentionally overlook certain threats.

Currently, hackers-for-hire build custom exploits for a fee, and even new advances such as ransomware-as-a-service require black hat engineers to stand up different resources, such as building and testing exploits and managing back-end C2 servers. But when it becomes possible to deliver autonomous, self-learning swarms-as-a-service, the amount of direct interaction between a hacker-customer and a black hat entrepreneur drops dramatically.

Exploits a la Carte

Swarm technology expands attack possibilities in alarming ways. Resources in a swarm network could be allocated or reallocated to address specific challenges encountered in an attack chain. Criminal consumers could preselect different types of swarms to use in a custom attack, such as:

- Pre-programmed swarms that use machine learning to break into a device or network
- Swarms that perform AI fuzzing to detect zero-day exploit points
- Swarms designed to move laterally across a network to expand the attack surface
- Swarms that can evade detection and/or collect and exfiltrate specific data targets
- Swarms designed to cross the cyber/physical device divide to take control of a target’s physical as well as networked resources

This type of advanced technology brings us closer to a world in which swarmbots can overwhelm existing defenses. These swarm networks will raise the bar in terms of the technologies needed to defend organizations.

Defending Against the Swarm

The digital economy necessitates the interplay of data, applications and workflows within every transaction, device and bit of data – across every aspect of business, government or personal environments. As a result, cybersecurity can no longer be treated as an overlay, after-market IT project. Instead, security needs to be woven into workflows and network and application development strategies tied to specific business outcomes from the outset. In today’s digital marketplace, ensuring a proactively secured business or service is the linchpin to establishing digital trust and creating value. To make this a reality, three things need to happen:

- Broad deployment: Security must be deployed broadly and consistently across all ecosystems—which also includes the ability to dynamically adapt as network environments expand or change—to establish a single point of visibility and control.
- Deep integration: Security must be deeply integrated into the extended technology landscape to ensure complete visibility and control—even across multiple networked ecosystems that are constantly in flux—to better correlate data and to detect and even anticipate both known and unknown threats.
- Automation: Security must be automated and integrated across devices and applications so it can respond to threats effectively and in a coordinated fashion at machine speeds.

Swarm technology may be a game changer if organizations don’t change their tactics. The world is in the midst of the most disruptive period of innovation in history—with no sign of slowing down. Organizations need to act now to both stay ahead of bad actors and capture the business advantage that comes to those who don’t wait for someone else to innovate.

(Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet. He brings more than 15 years of cyber security experience to his work helping customers formulate security strategy.)

Source

By Waqas

We all want to look perfect in the pictures that we post online, and beauty camera apps are our best bet in order to fine-tune our pictures. However, according to the findings of Trend Micro researchers, these kinds of applications are performing more functions than we think they are. Reportedly, some of the Android […]

This is a post from HackRead.com. Read the original post: Selfie stealing malware found in popular Android beauty camera apps

Source

It has been a busy year for data breaches already, and January isn’t even officially over. This past week has been no exception. In the past seven days, in addition to the Airbus news that we previously reported, Discover Financial, IT management giant Rubrik, the City of St. John in New Brunswick, Canada and the State Bank of India all reported exposures.

Discover Cards

Discover Financial has reported a “possible merchant data breach” that could have compromised user accounts to the State of California Attorney General’s office, in compliance with that state’s data breach rules. There are two separate notifications, available here and here.

“We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review,” the company said in a media statement issued on Twitter. “We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The credit-card issuer said that it has alerted cardholders to a data breach that appears to have taken place on August 13, 2018, but it hasn’t said how much personal information was compromised or how many individuals are affected.

Anthony James, chief strategy officer at CipherCloud, told Threatpost in a prepared statement that the length of time between the breach occurring and being found is typical.

“Discover’s breach is very typical of the news we hear continually concerning financial firms and credit processors,” he said. “In today’s environment attackers will get into your networks. That’s a fait accompli. We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach. What we don’t expect to hear is that the databases and credit-card data are, amazingly, unencrypted.”

Discover is mailing out new cards to those it believes are affected.

“We should be realistic – the costs for Discover will be a rounding error, and have already been built into their Q4 provisions (up 18 percent over Q4 2017),” Colin Bastable, CEO of Lucy Security, said via email. “The 176 million card-carrying U.S. consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards. The real problem is that these thefts are not victimless crimes – real money is involved. Crime rings and governments are stealing from the American consumer and using it to finance more crime.”

A Pair of Misconfigured Servers

Meanwhile, two other major data exposures revealed this week are the result of misconfigured servers, a scourge that shows no sign of going away.

Rubrik, the IT security and cloud data management giant, exposed a whole cache of customer information, improperly stored in an Amazon Elasticsearch database. The exposed server wasn’t protected with a password, allowing access to pretty much anyone on the internet. The company pulled the server offline Tuesday. According to reports, the tens of gigabytes of exposed data go back to October, and include customer names, contact information, contents of customer service emails, customer IT/cloud set-up and configuration information, and email signatures with names, job titles and phone numbers.

“It seems like almost every day we hear about another company that’s left an Elasticsearch server unprotected, leaving sensitive data exposed, and now we’re seeing it happen with IT vendors,” said Balaji Parimi, CEO of CloudKnox Security, via email. “There’s a simple reason these vulnerabilities are so prevalent: the complexity of multi-cloud environments, combined with a lack of visibility into who can do what. When combined, this leads to overprivileged identities operating in environments where security teams can’t answer simple questions like: ‘what privileges does each service account or employee have?’ and ‘what actions have they performed?’ These vulnerabilities are rarely malicious – they result from lack of visibility into what people are doing in extremely complex environments,” Parimi said.

In other news, the State Bank of India, the largest financial institution in that country of nearly one and a half billion people, also said this week that it failed to secure a server with a password, leaving the financial information for millions of customers exposed as a result of “human error.” The database contained text messages, account balances, recent transactions, partial bank account numbers and customers’ phone numbers, impacting an undisclosed number of people.

CipherCloud’s James noted, “Financial institutions are under constant cyberattack. That, of course, is no surprise to any of us. Instead, the data exposure at the State Bank of India Mumbai data center isn’t due to an attacker – it is due to misconfiguration and errors in administration. Right now we are seeing a surge in data exposure and breach due to these administrative errors.”

Third-Party Supplier Credit-Card Breach

And finally, credit-card information from about 6,000 people in the Canadian city of St. John was seen being sold on the Dark Web thanks to a payment card skimmer being installed on the third-party parking system that it uses. The malware collected credit-card information for 18 months from those paying parking tickets before being discovered.

“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud,” explained Ryan Wilk, vice president of Customer Success at NuData Security. “More recently, we’ve seen a change in the value of stolen data as more and more institutions are implementing user authentication solutions that render stolen data valueless. The loss of credit card data is a worry for everyone. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”

Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.
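The Rubrik and State Bank of India exposures above both come down to a database that answered to anyone on the network without a password. As an added example, not part of the article and not either company’s configuration, the Python below audits the flat `key: value` lines of an `elasticsearch.yml` for that failure mode: a node bound to every interface with X-Pack security and HTTPS switched off. The two sample configurations are constructed for the demo, and the defaults assumed for absent keys (loopback binding, security disabled, as in releases before 8.x) are assumptions to check against the version you run.

```python
# Constructed sample of an elasticsearch.yml that leaves the node reachable from
# any interface with security disabled (hypothetical; nobody's real configuration).
WEAK_CONFIG = """
cluster.name: customer-support-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# The same node after hardening: security and TLS on, REST port bound to a
# private interface instead of the whole internet (also constructed).
HARDENED_CONFIG = """
cluster.name: customer-support-search
network.host: 10.20.0.5        # private interface behind the firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Special values Elasticsearch accepts for network.host, grouped by exposure.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
WILDCARD = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text):
    """Parse the flat dotted 'key: value' lines used in elasticsearch.yml.

    Comments are stripped; nested YAML blocks are out of scope for this audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text):
    """Return a list of findings (empty when the config passes).

    Assumptions (not from the article): an absent network.host binds loopback,
    and an absent xpack.security.enabled means security is off (pre-8.x defaults).
    """
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")
    port = s.get("http.port", "9200")
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    reachable = host not in LOOPBACK          # anything beyond loopback can be hit remotely
    if host in WILDCARD:
        findings.append(f"network.host={host}: REST API on port {port} listens on every interface")
    if reachable and not security_on:
        findings.append("xpack.security.enabled is not true: no authentication on a reachable node")
    if reachable and not tls_on:
        findings.append("xpack.security.http.ssl.enabled is not true: credentials and data travel in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_elasticsearch_config(cfg) or ["no findings"])
```

Run it against a copy of your own `elasticsearch.yml`; the weak sample yields three findings and the hardened one none. A loopback-only node is left alone on purpose, since the audit is about network exposure rather than every hardening option.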

Source

French airplane and military aircraft behemoth Airbus SE has become the latest victim of a cyberattack leading to a data breach, with an incident detected on its “commercial aircraft business” information systems. It is only the latest high-profile data exposure to come to light in recent days, and it dovetails with the release of billions of records on the Dark Web as part of a data dump that’s being called “Collections #2-5.”

The company said on Wednesday that the incident resulted in unauthorized access to employee data, but that there was no impact on Airbus’ commercial operations or intellectual property.

“Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed,” the aviation giant said in a short notice on its website. “This is mostly professional contact and IT identification details of some Airbus employees in Europe.”

Details are scant for now, in terms of how many employees are affected and how the incident took shape. Airbus said it has notified authorities in compliance with the General Data Protection Regulation (GDPR), and noted that investigators are trying to find out the origins of the incursion.

Irra Ariella Khi, CEO of VChain, said that it seems likely that a review of Airbus’ data storage systems is in order.

“The security breach against Airbus is another example that current processes for storing sensitive data are not fit for purpose,” he told Threatpost. “Holding data on centralized, vulnerable systems is making it easy for hackers. We urgently need to move to systems built using privacy by design principles – where data security and obscurity are built into the system – and data is not in a box that is inevitably breached. Personal data of employees, operatives, or passengers held by those operating in the aviation industry is highly sensitive. The industry is highly regulated for a reason: data security is vital for ensuring safety. Whatever the motivation of the attack is, we should not be making it so easy to access data.”

Simon Whitburn, senior vice president of Cyber Security Services at Nominet, told Threatpost that if data protection authorities determine that Airbus was improperly handling personal data or storing it in weak repositories, it could result in a GDPR fine.

“The data breach suffered by Airbus is another in a growing number of large corporations suffering an attack,” he said. “Where they have been fortunate is that it doesn’t seem to have impacted their commercial side as it did with British Airways last summer. However, they could still face a fine under GDPR regulations as the details of EU workers were exposed.”

He added that preventing opportunistic attacks requires several layers of security measures.

“Ensure that any outward facing servers are secured with strong passwords and multifactor authentication,” he explained. “Install a culture of cybersecurity within the organization itself, with training for all staff to help them spot suspicious emails and feel confident in asking their superiors to confirm instructions that they send over email. By having many layers to their security, it can help detect breaches at a much earlier stage as well.”

Collections #2-5

While breaches continue to make headlines, a fresh compilation of some 2.2 billion stolen account records — dubbed Collections #2-5 — is being traded on the Dark Web, researchers say.

Discovered by researchers at the Hasso Plattner Institute in Potsdam, Germany, the trove equals 845 gigabytes of stolen data and 25 billion records in all before de-duping. It contains roughly three times as many unique records as Collection #1, which Troy Hunt of HaveIBeenPwned found earlier in January. That tranche contained 773 million unique usernames and passwords.

The German news site Heise.de reported that most of the ill-gotten credentials have been acquired via the well-known compromises of Yahoo and others that stretch back years. However, the Plattner Institute analysts told the outlet that 750 million credentials weren’t previously included in their database of leaked usernames and passwords; also, 611 million of them weren’t included in the Collection #1 dump.

“2.2 billion records is a staggering number,” said Frederik Mennes, senior manager of Market & Security Strategy, Security Competence Center at OneSpan, via email. “Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.”

He added, “We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilized whenever and wherever possible. MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.”

Source

The U.S. Justice Department is looking to retaliate against North Korea-linked hackers who have built up a massive global network of infected computers. The department announced on Wednesday that it would seek to map out the Joanap botnet, which has been built and controlled by North Korea-linked hackers since 2009, and eventually disrupt it by alerting impacted victims.

In order to map out Joanap, law enforcement has been operating servers that mimicked peers in the botnet. By pretending to be infected peers, these computers collected “limited identifying and technical information” about other systems infected with Joanap (such as IP addresses, port numbers and connection time-stamps). This allows the government to build out a map of the infected systems and warn impacted victims – in the hopes of eventually eradicating the threat.

“Computers around the world remain infected by a botnet associated with the North Korean regime,” said Assistant Attorney General Demers, in a statement. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

The Botnet

According to a 2018 US-CERT alert, the Joanap malware has been targeting multiple victims globally and in the United States since 2009 — including the media, aerospace, financial and critical infrastructure sectors. Joanap has been targeting computers running the Microsoft Windows operating system. Once the hackers gain access to these infected computers, they can carry out other malicious activities from the impacted infrastructure.

Joanap, also known as “Hidden Cobra,” is a remote access tool that is dropped on infected systems by the automated Brambul worm, which crawls from computer to computer and probes whether it can gain access using certain vulnerabilities. Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers, gain root level (or near-total) access to them and load additional malware onto them, the government said.

“Like other botnets, Joanap was designed to operate automatically and undetected on victims’ computers,” the government said. “Joanap uses a decentralized peer-to-peer communication system, rather than a centralized mechanism to communicate with and control the peers, such as a command-and-control domain.”

Meanwhile, the Department of Homeland Security urges users and administrators to keep their operating systems and software up-to-date with the latest patches. “Most attacks target vulnerable applications and operating systems,” said DHS. “Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.”

North Korean Impact

Joanap has been tied to the well-known Lazarus Group (also known as Hidden Cobra), the APT actor behind several wide-scale and damaging cyber attacks including WannaCry and the 2014 Sony Pictures Entertainment hack.

The effort follows charges unsealed last year in which the United States charged a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions. In September, the DoJ charged Hyok and alleged in its 179-page complaint that he was involved in “a conspiracy to conduct multiple destructive cyberattacks around the world” as a member of the Lazarus Group.

Those “destructive cyberattacks” illustrate the level of impact that the infamous APT has had globally and in the U.S. over the past few years. They include robbing the Bangladeshi central bank of $81 million; hacking Sony Pictures Entertainment in retaliation for the film The Interview (which featured a parody of DPRK leader Kim Jong-Un); and creating the WannaCry ransomware that impacted victims in more than 150 countries.

Source

Google has found itself in hot water for a research app that may have violated Apple’s policies by collecting user data in exchange for gift cards. The tech giant said it has now disabled the Screenwise Meter “audience measurement” app – which voluntarily collects data from users’ phones, browsers and even routers – from iOS devices.

The app was using a similar method as the recently-highlighted “Facebook Research” app to sidestep the Apple App Store’s strict data collection policies, according to a TechCrunch report. This involved distributing the app via Apple’s developer enterprise program, meant for companies who want to create apps for their own employees.

“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize,” a Google spokesperson told Threatpost. “We have disabled this app on iOS devices.”

Developer Enterprise Program

The developer enterprise program enables companies to create apps for their own employees – so the apps don’t go through the public App Store. Apple has strict data-collection policies as part of its developer policies, which, as of June, bar the collection of data about usage of other apps or data that’s not necessary for an app to function.

“Apps should only request access to data relevant to the core functionality of the app, and should only collect and use data that is required to accomplish the relevant task,” according to Apple’s policy.

It was discovered earlier this week that Facebook had used a similar method for its own. A Tuesday TechCrunch report uncovered that the social-media giant has been paying users (between the ages of 13 and 35) up to $20 a month to install the app, referred to as Project Atlas, on iOS or Android. The app gave Facebook full data access – including how and when users utilize the apps on their phone, their internet browsing history, and even screenshots of their Amazon order-history page, according to the report.

In response, Apple revoked Facebook’s enterprise iOS developer certificate and banned the app from its ecosystem.

A Facebook spokesperson however told Threatpost that key facts about the market research program are being ignored.

“Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research app,” the spokesperson said. “It wasn’t ‘spying,’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission, and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”

Apple did not respond to a request for comment from Threatpost about Google’s app.

Screenwise Meter

Google’s own app came to the forefront a day after Facebook’s app was banned from the iOS ecosystem. The app, which has been running since 2014, dishes out gift cards to users in exchange for their data across their mobile devices, web browsers, routers and even televisions.

Screenwise Meter appears to still be available on Google Play, where a description of the app reads: “The Screenwise Meter mobile app is used to manage registered panelists’ participation in market research panels. If you are not a registered panelist with Google, this app will not function; please do not download or use this app. This app works in sync with external Screenwise measurement devices.”

In order to download the app, Google gives users a special code and they can then go through the registration process using Apple’s Enterprise Certificate. This is a similar process to how Facebook’s research app was downloaded. According to the app’s panelist eligibility requirements, users must be 18 years or older, while “household-invited secondary panelists” must be 13 years or older, with parental consent.

A Google spokesperson told Threatpost that the app “is completely voluntary and always has been.”

“We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time,” the spokesperson said.

Source

A newly-discovered malware is targeting Mac users’ web cookies and credentials in hopes of withdrawing funds from their cryptocurrency exchange accounts. The malware, discovered this month and aptly named “CookieMiner,” collects cryptocurrency-related cookies – in addition to compromised credentials – and uses them to target exchanges, where cryptocurrencies can be traded for other assets, including other digital currencies. Using these stolen clues, the bad actor behind the malware is able to sidestep any multifactor authentication security measures in place and purport to be the victim – with the aim of eventually siphoning funds from their accounts.

“CookieMiner tries to navigate past the authentication process by stealing a combination of the login credentials, text messages and web cookies,” researchers at Palo Alto Networks’ Unit 42 group said in a Thursday report. “If the bad actors successfully enter the websites using the victim’s identity, they could perform fund withdrawals. This may be a more efficient way to generate profits than outright cryptocurrency mining.”

It should be noted that researchers have not yet seen evidence of the malware author successfully withdrawing funds from an account; they are instead speculating based on the behavior of the malware.

Researchers stressed that stealing cookies is an important step in bypassing login anomaly detection. If a bad actor merely uses a username and password, the website may issue an alert and request additional authentication — but if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated host.

Cookie-Snatching Malware

The CookieMiner attack begins with a shell script that targets macOS users. Researchers said that they believe the malware has been developed from OSX.DarthMiner, a script known to target the Mac platform that combines the EmPyre backdoor (a Python post-exploitation agent built on cryptographically secure communications and a flexible architecture) and the XMRig cryptominer. Similar to DarthMiner, the CookieMiner attackers used EmPyre for post-exploitation control, allowing them to send commands to remotely control the victims’ machines.

Jen Miller-Osborn, deputy director of Threat Intelligence for Unit 42, told Threatpost that researchers are not certain how victims are first infected by the shell script, but they suspect victims download a malicious program from a third-party store. Once downloaded, the shell script copies the Safari browser’s cookies to a folder and uploads the folder to a remote server. The attack targets cookies associated with cryptocurrency exchanges, including Binance, Coinbase, Poloniex, Bittrex, Bitstamp and MyEtherWallet, and any website having “blockchain” in its domain name, researchers said.

“Best practice states cookies such as these should be time delimited, among other things, which keeps attacks abusing them from happening,” Miller-Osborn told Threatpost. “However, if an exchange is set up in a way for a cookie to persist for a long time or across sessions, this would conceivably work.”

Other Malicious Behavior

But that’s not all: the malware also performs an array of malicious functions once on victims’ systems. That includes stealing username, password and credit-card credentials from Chrome, snatching up text messages synced to the Mac, and installing coin-mining software to mine cryptocurrency. After collecting web cookies, the malware turns its attention to victims’ credentials, which can be gathered to bypass the authentication methods put in place by the cryptocurrency exchange.
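The two points above, that a replayed authentication cookie can make a login from a stolen identity look like a previously authenticated host, and that such cookies should be time-limited rather than persisting across sessions, can be shown from the server's side. The following is an added illustration written for this page, not code from the Unit 42 report or from any exchange: a session cookie is signed, carries an absolute expiry, and is bound to a hash of the client context the server saw at login, so a copy presented later or from a different client is rejected and the request falls back to full authentication. The 15-minute lifetime, the `client_context` string, and the sample user and network values are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example values: a per-process signing key and a 15-minute
# absolute session lifetime (assumed policy, not taken from the report).
SERVER_KEY = secrets.token_bytes(32)
SESSION_MAX_AGE = 900  # seconds


def _fingerprint(client_context: str) -> str:
    """Hash whatever the server chooses to bind the session to
    (here a constructed string such as user agent + network range)."""
    return hashlib.sha256(client_context.encode()).hexdigest()


def issue_session(user: str, client_context: str, now: int) -> str:
    """Mint a signed session cookie carrying an expiry and a client fingerprint."""
    claims = {
        "sub": user,
        "iat": now,
        "exp": now + SESSION_MAX_AGE,
        "fp": _fingerprint(client_context),
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_session(cookie: str, client_context: str, now: int):
    """Return (accepted, reason). Anything other than 'ok' means the server
    treats the request as unauthenticated and requires full login plus MFA."""
    body, sep, sig = cookie.rpartition(".")
    if not sep:
        return False, "bad_signature"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "bad_signature"
    if now >= claims["exp"]:
        # Time-limited cookie: a copy exfiltrated earlier is worthless by now.
        return False, "expired"
    if not hmac.compare_digest(claims["fp"], _fingerprint(client_context)):
        # Valid, unexpired cookie presented from an unfamiliar client: the
        # replay case described in the report. Step up instead of trusting it.
        return False, "client_mismatch"
    return True, "ok"


def simulate_replay():
    """Victim logs in; a copy of the cookie is later presented from another
    client context and, separately, after the session lifetime has lapsed."""
    victim_ctx = "Safari/605 from 198.51.100.0/24"   # constructed
    attacker_ctx = "curl/7.88 from 203.0.113.0/24"   # constructed
    t0 = 1_700_000_000
    cookie = issue_session("victim@example.test", victim_ctx, t0)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "victim_same_client": validate_session(cookie, victim_ctx, t0 + 60),
        "replay_other_client": validate_session(cookie, attacker_ctx, t0 + 60),
        "replay_after_expiry": validate_session(cookie, victim_ctx, t0 + SESSION_MAX_AGE),
        "tampered_cookie": validate_session(tampered, victim_ctx, t0 + 60),
    }


if __name__ == "__main__":
    for case, result in simulate_replay().items():
        print(f"{case:22s} -> {result}")
```

Binding to a client fingerprint is a heuristic rather than a guarantee (legitimate users change networks, and an attacker on the same host inherits the same context), which is why a mismatch triggers a step-up challenge rather than a silent block; the absolute expiry is the control that actually shortens the window in which an exfiltrated cookie is useful.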
CookieMiner downloads a Python script (called “harmlesslittlecode.py”) which can extract saved login credentials and credit-card information from Google Chrome’s local data storage. It does so by adopting decryption and extraction techniques from the code of Google Chromium, the open-source version of the Google Chrome browser, researchers said. “By abusing these techniques, CookieMiner attempts to steal credit-card information from major issuers, such as Visa, Mastercard, American Express and Discover,” researchers said. “The user’s saved login credentials are also stolen, including usernames, passwords and the corresponding web URLs.”

In addition, CookieMiner steals private keys for cryptocurrency wallets on the system and iPhone text messages backed up to the Mac via iTunes.

Finally, the malware issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence, including deploying a program under the filename “XMRig2” for mining cryptocurrency. The cryptocurrency mined is called Koto, a ZCash-based anonymous cryptocurrency. Interestingly, the filename XMRig2 is usually used by Monero miners – researchers believe the malware authors may have intentionally used this filename to create confusion, since the miner is actually mining the Koto cryptocurrency.

Researchers said that, moving forward, cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage. “The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency,” they said. “If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.”

Source

European airplane maker Airbus yesterday admitted to a data breach of its “Commercial Aircraft business” information systems that allowed intruders to gain access to some of its employees' personal information.

Though the company did not elaborate on the nature of the hack, it claimed that the security breach did not affect its commercial operations. So, there's no impact on aircraft production.

Source