Data privacy dominated the week of news ending Feb. 1. News headlines included both Facebook and Google finding themselves in hot water over distributing data-sucking apps on iOS devices. A severe flaw was also found in kid-tracking IoT smartwatches that could expose sensitive information for 35,000 children. Also this week, a new data dump of 2.2 billion compromised credentials, labeled “Collections #2-5,” was discovered on the Dark Web. Threatpost editors Lindsey O’Donnell and Tara Seals discuss these top news stories and more in this week’s Threatpost news wrap.

Source

Ah, the Super Bowl. For some, this Sunday’s showdown between the Los Angeles Rams and the New England Patriots will be about gathering family and friends around for a great American pastime: the Super Bowl party. Some are just in it for the commercials. Some see a gambling opportunity; and for fans of the two teams playing, it’s the culmination of everything they’ve been hoping for since September. And for cybercriminals, Super Bowl LIII is a massive fraud and infrastructure attack opportunity, and a perfect chance to attack those streaming the event.

Consumer Frauds and Scams

The ZeroFOX team said that it has found several instances this week of advertisements to place online sports bets and discussions about online betting for the Super Bowl, many of them fraudulent. Other common scams making the rounds are offers for tickets to see the game in Atlanta, cheap hotel rooms in the Peach City, and discounted official merchandise and jerseys.

“Watch out for those offering great deals on things like tickets, places to stay or that cool jersey you’ve been eyeing – be sure to take extra steps to verify that you’re getting what you’re paying for,” said Kirsten Ashbaugh, threat analyst on the ZeroFOX Alpha Team, in a report shared with Threatpost. “And if you do decide to place a wager, check the relevant state laws to make sure you’re in the clear.”

Although sports betting, including online betting, has become legal in some states over the past year, it may not be legal or accessible depending on where one lives. “Only a handful of states have legalized this type of betting, and not all of them offer the ability to bet online,” Ashbaugh said. “The ones that do may restrict even online betting to those physically within state boundaries. If you do decide to partake, be sure to check if your state allows you to bet online, and look to make sure the website or app you’re using is reputable.”

On the fraudulent ticket and travel front, game day ticket sales last week increased 65 percent, but instances of fraud attacks also spiked, according to data from Forter sent to Threatpost. The firm identified two types of criminals that have been actively trying to exploit both ticketing sites and football enthusiasts ahead of the big game: foreign fraudsters and domestic “legacy” fraudsters.

Forter’s analysis found that most fraud comes from outside of the U.S., making up 3.8 percent of total attempted Super Bowl ticket purchases. And when it comes to domestic threats, a New York-based crime ring has been targeting the ticketing industry and the Super Bowl specifically. “The culprit uses sophisticated technology to alter IP address and fake their location, and frequently changes personal account details to avoid detection,” a Forter spokesperson explained via email. “So far, this scam has led to one massive failed attempt at purchasing $10,000 worth of Super Bowl tickets.”

Those looking for last-minute tickets should thus be on high alert. “Sellers may offer tickets that either are fake, created falsely online, or they could be reselling tickets that someone else is already planning on using,” ZeroFOX’s Ashbaugh noted. “You could get to the gate and be out of luck. It’s also a good idea to never post pictures on social media or elsewhere of your tickets to events like the Super Bowl, because people could use those photos or the ticket number to create fake tickets.”

Infrastructure Risks

One of the other concerns at the Super Bowl involves the critical applications and networks that support the event, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are also all at risk, according to Daniel Smith, a researcher at Radware.

He noted in a Thursday posting that there’s a precedent for the concern: “While there hasn’t been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.”

Also, today’s stadiums, theaters, arenas and amphitheaters are target-rich environments, he added. They require small cells, WiFi and distributed antenna system (DAS) deployments to serve fans with modern, interactive game-watching enhancements. Often, the technologies designed to enhance the spectators’ experience are easily exploited to harvest information from attendees, according to Smith. It’s an attractive cybercrime opportunity, given the sheer amount of data traffic that these systems support. Extreme Networks reported that last year’s attendees at Super Bowl LII in Minnesota transferred 16.32 terabytes of data with a peak rate of 7.867 Gbps.

“This Super Bowl, like years before, will bring large crowds once again that will demand connectivity and are expected to consume record-breaking volumes this year,” Smith said. “This is an enormous demand for connectivity and the technology involved could pose a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium begin to produce more digital oil: data.”

Infected Streams

Last year, the Big Game drew an estimated 103 million viewers and saw record-breaking streaming traffic, according to NBC. Super Bowl LII had an average online viewership of 2 million, a 15 percent gain over the 2017 event. The stream was available on the NBC Sports app, NBCSports.com and the Yahoo Sports app, among others. At its peak, the online audience clocked in at 3.1 million concurrent streams. It’s safe to say that this year’s digital audience will likely improve on that.

So as the Los Angeles Rams face off against the New England Patriots this year, cybercriminals will be looking to take advantage of the thirst for multimedia and streaming access to the game. In the era of “cord-cutting,” those without television packages will look for ways to watch Super Bowl LIII digitally, as will those who have to work or who will otherwise not be in front of a TV. Against this backdrop, cybercriminals have been focused on spreading malicious software via unsanctioned streams, designed to harvest and steal personal information.

“On Super Bowl Sunday, millions of sports fans worldwide will descend onto the internet eagerly searching for a free stream,” Ray Walsh, digital privacy expert at BestVPN.com, said via email. “The result is every hacker’s dream. This year, hackers are expected to have set up more infected streams than ever before. Anybody arriving on an infected page to hit the ‘Click Here to Watch the Super Bowl in HD’ button is in for a nasty surprise. Malware, spyware, trojans and ransomware are all going to be on the menu — which means that sports fans are going to end up with serious infections.” Fans should instead stick to watching official HD streams, he added, to avoid misery.

Source

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts.

Dubbed CookieMiner due to its capability of stealing cookies related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year.

Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources. In the case of CookieMiner, the software is apparently geared toward mining “Koto,” a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan.

However, the most interesting capabilities of the new Mac malware are to steal:

- Both Google Chrome and Apple Safari browser cookies associated with popular cryptocurrency exchanges and wallet service websites.
- Usernames, passwords and credit card information saved in the Chrome web browser.
- Cryptocurrency wallet data and keys.
- Victims' iPhone text messages stored in iTunes backups.

When talking about the targeted cryptocurrency exchanges and wallet services, CookieMiner was found targeting Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain and using cookies to track their users temporarily.

By leveraging the combination of stolen login credentials, web cookies, and SMS data, it would be possible for an attacker to even bypass two-factor authentication for exchange sites and steal cryptocurrencies from the victim's accounts and wallets.

“If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login,” the researchers explained in their blog post published Thursday. “However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.”

It should be noted that researchers have not yet found any evidence of the attackers successfully withdrawing funds from any user's wallet or account, but are speculating based on the malware's behavior.

What's more, CookieMiner also uses the EmPyre backdoor for post-exploitation control, allowing attackers to send commands to the infected Mac computers for remote control. EmPyre is a Python post-exploitation agent that checks if the Little Snitch application firewall is running on the victim's machine and, if it finds one, it will stop and exit. The agent can also be configured to download additional files.

Although it is unclear how the CookieMiner malware is pushed to the victims in the first place, it is believed that the users are tricked into downloading tainted software onto their machines which delivers the malware.

Palo Alto Networks has already contacted targeted cryptocurrency exchanges and wallet services, along with Apple and Google, and reported the issue.

Since the researchers believe that the CookieMiner campaign is still active, the best way to prevent falling victim to such malware attacks is to avoid saving your credentials or credit card information within your web browsers and, not to mention, avoid downloading apps from third-party platforms. You should also consider clearing your cookies when visiting banking or financial accounts, and “keep an eye on their security settings and digital assets to prevent compromise and leakage,” researchers advised.
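The researchers' point, that a stolen authentication cookie makes a replayed password look like a returning, already-verified host, points at the server-side control that blunts it: tie each session to the client attributes seen at login and demand a fresh second factor whenever the same cookie shows up from somewhere else. The Python below is an added example written for this page, not code from Unit 42, Palo Alto Networks or any exchange; the fingerprint inputs, the in-memory session store, the server key and the sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side key that keeps fingerprints opaque; a real
# deployment would load it from a secrets store (constructed value here).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Keyed fingerprint of coarse client attributes.

    Only the first two octets of the IPv4 address are used so ordinary
    address churn inside one ISP network does not trip the check.
    """
    network_prefix = ".".join(ip.split(".")[:2])
    material = f"{network_prefix}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str      # client attributes seen when the session was issued
    mfa_verified: bool    # True until the cookie is seen from another client


# In-memory session store keyed by cookie value (stands in for a real backend).
SESSIONS = {}


def create_session(user: str, ip: str, user_agent: str) -> str:
    """Issue a session cookie after a full login (password + 2FA) succeeded."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user, client_fingerprint(ip, user_agent), True)
    return session_id


def validate_request(session_id: str, ip: str, user_agent: str) -> str:
    """Return 'ok', 'step_up' or 'invalid' for a request carrying this cookie.

    A cookie presented from a different network/user agent is not rejected
    outright (legitimate users do roam) but the session is downgraded until
    a fresh second factor is completed.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return "invalid"
    presented = client_fingerprint(ip, user_agent)
    if not hmac.compare_digest(session.fingerprint, presented):
        session.mfa_verified = False
        return "step_up"
    return "ok" if session.mfa_verified else "step_up"


def complete_step_up(session_id: str, ip: str, user_agent: str) -> None:
    """Rebind the session to the client that just passed a fresh 2FA check."""
    session = SESSIONS[session_id]
    session.fingerprint = client_fingerprint(ip, user_agent)
    session.mfa_verified = True


if __name__ == "__main__":
    victim = ("203.0.113.7", "Mozilla/5.0 (Macintosh)")        # constructed
    replayer = ("198.51.100.9", "python-requests/2.21")        # constructed
    sid = create_session("alice", *victim)
    print("victim request:", validate_request(sid, *victim))       # ok
    print("replayed cookie:", validate_request(sid, *replayer))    # step_up
```

Two caveats follow directly from the article. The step-up factor should not be an SMS code, since CookieMiner also lifts text messages from iTunes backups; and the check only catches replay from a different client, so a cookie used from the victim's own machine would still match.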

Source

By Waqas The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multiple purposes, including stealing cryptocurrency. Dubbed CookieMiner by researchers, the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting MacOS. But CookieMiner aims at much more than its predecessor. See: 400% increase in […] This is a post from HackRead.com. Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

Source

Facebook has booted hundreds of Iran-linked pages, groups and accounts from its social media platform that it claimed were promoting misinformation.

According to Facebook, it removed 783 pages, groups and accounts that engaged in “coordinated inauthentic behavior,” misleading users about who they are and what they are doing. The pages, some of which had 2 million followers, repurposed Iranian state media’s reporting on topics such as the conflicts in Syria and Yemen and the role of the U.S., Saudi Arabia, and Russia, Facebook said.

“This activity was directed from Iran, in some cases repurposing Iranian state media content, and engaged in coordinated inauthentic behavior targeting people across the world, although more heavily in the Middle East and South Asia,” said Nathaniel Gleicher, head of cybersecurity policy at Facebook, in a Thursday post. “These were interconnected and localized operations, which used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing.”

Facebook said there were multiple sets of activity dating back to 2010 and localized for specific countries or regions (including Afghanistan, Egypt, France, Germany, Saudi Arabia, Syria, the U.S., and more).

The page admins and owners for these accounts would typically purport to be locals of the countries they were sharing stories about, often using fake accounts, and posted news stories on current events. That included commentary on topics like Israel-Palestine relations, as well as the conflicts in Syria and Yemen.

Some of the removed pages were vastly popular – at least one page had about 2 million account followers, and one of the groups racked up 1,600 accounts. The accounts would also host events, and Facebook said that eight events were supposedly hosted.

“We identified some of these accounts through our continued investigation into Iranian coordinated inauthentic behavior we found and removed last year,” said Gleicher. “Our investigation was aided by open source reporting and information provided to us by our industry peers. We have shared information about our investigation with US law enforcement, the US Congress, and policymakers in impacted countries.”

The latest crackdown on “coordinated inauthentic behavior” comes as Facebook tries to bar misinformation and other political meddling efforts on its platform. After announcing in October it would expand content policing on the site by cracking down on accounts aimed at voter suppression and penalizing pages spreading political disinformation, Facebook has removed hundreds of pages and accounts that it said have spread spam or disinformation.

In November, Facebook barred an additional 115 accounts (including 30 Facebook accounts and 85 Instagram accounts). In October it said that it had collectively removed more than 800 pages and accounts showing inauthentic behavior. In August, it made a 652-page dent in a sizable alleged Iran-backed influence campaign that stretches back to 2017, with some pages in operation since 2013. And in July, Facebook said that it removed 32 pages from its platform involved in “coordinated” inauthentic behavior.

“To ensure that we stay ahead in rooting out abuse we’re investing heavily in building better technology, hiring more people and working more closely with law enforcement, security experts and other technology companies,” said Gleicher.

Source

TheMoon, an IoT botnet targeting home routers and modems, is entering a new phase, as it were: It has added a previously undocumented module that allows it to be sold as-a-service to other malicious actors.

This has already had significant real-world consequences, according to CenturyLink Threat Research Labs, with the detection of a video ad fraud operator using TheMoon on a single server to impact 19,000 unique URLs on 2,700 unique domains over a six-hour period. It has also been seen being used for credential brute-forcing, general traffic obfuscation and more.

TheMoon is a modular botnet active since 2014, which targets vulnerabilities in residential routers within broadband networks. According to researchers, it exploits broadband modems or routers developed by companies such as Linksys, ASUS, MikroTik and D-Link, with the most recent exploit added last May targeting GPON routers. It spreads like a worm, and has been seen incorporating as many as six IoT exploits at a time in an effort to increase its footprint.

The researchers said that the new module is only deployed on MIPS devices, a common microprocessor architecture typically found in residential gateways and modems. It allows the compromised device to be used as a SOCKS5 proxy. This means that it can be used maliciously to circumvent internet filtering or obscure the source of internet traffic, allowing the botnet author to sell its proxy network as a service to others.

“TheMoon is a stark reminder that the threat from IoT botnets continues to evolve,” said Mike Benjamin, head of CenturyLink Threat Research Labs. “Not only does TheMoon demonstrate the ability to distribute malicious modules of differing functionality, but it’s designed to function like a botnet-as-a-service, enabling other malicious actors to use it for [their own] uses.”

Netlab 360 has previously documented various TheMoon modules that can act as traffic proxies at the behest of a command-and-control (C2) server. “Traffic flowing through the proxy network is roughly divided into plaintext and ciphertext, and the traffic is not high,” Netlab 360 analysts said in a recent overview of TheMoon. “In the plain text, it is related to pornography, gambling, mining, etc., and a small part looks like a portal site; the traffic in the ciphertext section is related to e-commerce or online mailboxes. The time distribution is not obvious, it seems that traffic occurs 24 hours.”

This new iteration is different, according to CenturyLink. “Previous modules with proxy functionality only allowed the C2 to send proxy requests; the new module allows the botnet author to sell its proxy network as-a-service to others,” CenturyLink analysts said in a Thursday posting on the botnet. “The proxy port appears to be a randomly chosen port above 10,000 and was observed changing multiple times per day. Originally this proxy port was unauthenticated, allowing anyone to route traffic through an infected device. In April 2018, the actors changed their proxies to use authentication.”

In the video ad fraud example, CenturyLink analysts saw a quickly swelling attack. “What we saw during this particular six-hour period was one operator leveraging TheMoon to conduct video ad fraud, essentially making it appear that thousands of people were clicking on video ads,” Benjamin told Threatpost. “Specifically, the operator used a single server to impact 19,000 unique URLs on 2,700 unique domains in that short time.”

CenturyLink, as a communications provider, blocked TheMoon infrastructure on its ISP network, in addition to notifying other network owners of potentially infected devices, so the activity of TheMoon dropped off as a result. “That said, the threat of IoT botnets with varying capabilities remains a powerful one,” Benjamin noted. “It’s likely this actor will attempt to infect new devices in the future by adding additional exploits to the existing toolkit.”

The CenturyLink analysis also points out that there’s a substantial market for proxy botnets targeting broadband networks to route traffic for attacks like credential brute-forcing and ad fraud. “The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,” according to the firm.
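CenturyLink's description of the proxy module (a SOCKS5 listener on a random port above 10,000, unauthenticated at first and later requiring credentials) gives a network defender something concrete to look for in traffic to and from residential gateways. The Python below is an added example, not CenturyLink's or Netlab 360's code: it parses the two-message SOCKS5 method negotiation as defined in RFC 1928, labels each exchange by whether the listener accepted no authentication, username/password (RFC 1929) or nothing at all, and flags devices answering on high ports. The flow records are constructed sample data and the sensor that would capture the first bytes of each session is assumed.

```python
# SOCKS5 method-selection constants (RFC 1928 / RFC 1929).
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF


def parse_client_greeting(data: bytes):
    """Return the auth methods a client offered, or None if not a SOCKS5 greeting.

    Greeting layout: VER(1) | NMETHODS(1) | METHODS(1..255).
    """
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_server_choice(data: bytes):
    """Return the method the listener selected, or None if not a SOCKS5 reply.

    Reply layout: VER(1) | METHOD(1).
    """
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def classify_handshake(client_bytes: bytes, server_bytes: bytes) -> str:
    """Label one observed exchange by what the listener agreed to."""
    offered = parse_client_greeting(client_bytes)
    chosen = parse_server_choice(server_bytes)
    if offered is None or chosen is None:
        return "not_socks5"
    if chosen == METHOD_NONE_ACCEPTABLE:
        return "rejected"
    if chosen not in offered:
        return "protocol_violation"   # listener picked a method never offered
    if chosen == METHOD_NO_AUTH:
        return "open_proxy"           # anyone reaching the port can relay traffic
    if chosen == METHOD_USERPASS:
        return "authenticated_proxy"
    return "other_method_0x%02x" % chosen


# Constructed flow records: the first bytes of each direction of a TCP session,
# as a sensor on the home network might record them (not real captures).
FLOWS = [
    {"device": "192.168.1.1", "port": 14231,
     "client": bytes([0x05, 0x01, 0x00]), "server": bytes([0x05, 0x00])},
    {"device": "192.168.1.1", "port": 21877,
     "client": bytes([0x05, 0x02, 0x00, 0x02]), "server": bytes([0x05, 0x02])},
    {"device": "192.168.1.20", "port": 443,
     "client": b"\x16\x03\x01\x02\x00", "server": b"\x16\x03\x03\x00\x5a"},
    {"device": "192.168.1.30", "port": 1080,
     "client": bytes([0x05, 0x01, 0x00]), "server": bytes([0x05, 0xFF])},
]


def find_proxy_listeners(flows, min_port: int = 10000):
    """Flag devices answering SOCKS5 on a high port, the pattern the article describes."""
    findings = []
    for flow in flows:
        verdict = classify_handshake(flow["client"], flow["server"])
        if verdict in ("open_proxy", "authenticated_proxy") and flow["port"] > min_port:
            findings.append((flow["device"], flow["port"], verdict))
    return findings


if __name__ == "__main__":
    for device, port, verdict in find_proxy_listeners(FLOWS):
        print(f"{device}:{port} -> {verdict}")
```

The port threshold comes straight from CenturyLink's observation and should be tuned to the environment; the more durable signal is a residential gateway completing a SOCKS5 negotiation at all, which is why the classifier is kept separate from the port filter.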

Source

The digital world we now inhabit creates unprecedented opportunities – both for good and for ill. One of these possibilities is swarm-based tools that can be used to either attack or defend the network. This possibility, or set of possibilities, has arisen due to dramatic advances in swarm-based intelligence and technologies.

For example, a new methodology was announced by scientists in Hong Kong that uses natural swarm behaviors to control clusters of nano-robots. These micro-swarms can be directed to perform precise structural changes with a high degree of reconfigurability, such as extending, shrinking, splitting and merging.

A potential upshot of these capabilities is the creation of large swarms of intelligent bots—swarmbots—that can operate collaboratively and autonomously. They are composed of clusters of compromised devices with specialized skillsets that can work collectively to solve problems. Related developments include the commoditization of fuzzing—a process for discovering zero-day vulnerabilities in hardware and software interfaces and applications—and machine learning poisoning: training automated security devices to intentionally overlook certain threats.

Currently, hackers-for-hire build custom exploits for a fee, and even new advances such as ransomware-as-a-service require black hat engineers to stand up different resources, such as building and testing exploits and managing back-end C2 servers. But when it becomes possible to deliver autonomous, self-learning swarms-as-a-service, the amount of direct interaction between a hacker-customer and a black hat entrepreneur drops dramatically.

Exploits a la Carte

Swarm technology expands attack possibilities in alarming ways. Resources in a swarm network could be allocated or reallocated to address specific challenges encountered in an attack chain. Criminal consumers could preselect different types of swarms to use in a custom attack, such as:

- Pre-programmed swarms that use machine learning to break into a device or network
- Swarms that perform AI fuzzing to detect zero-day exploit points
- Swarms designed to move laterally across a network to expand the attack surface
- Swarms that can evade detection and/or collect and exfiltrate specific data targets
- Swarms designed to cross the cyber/physical device divide to take control of a target’s physical as well as networked resources

This type of advanced technology brings us closer to a world in which swarmbots can overwhelm existing defenses. These swarm networks will raise the bar in terms of the technologies needed to defend organizations.

Defending Against the Swarm

The digital economy necessitates the interplay of data, applications and workflows within every transaction, device and bit of data – across every aspect of business, government or personal environments. As a result, cybersecurity can no longer be treated as an overlay, after-market IT project. Instead, security needs to be woven into workflows and network and application development strategies tied to specific business outcomes from the outset. In today’s digital marketplace, ensuring a proactively secured business or service is the linchpin to establishing digital trust and creating value. To make this a reality, three things need to happen:

- Broad deployment: Security must be deployed broadly and consistently across all ecosystems—which also includes the ability to dynamically adapt as network environments expand or change—to establish a single point of visibility and control.
- Deep integration: Security must be deeply integrated into the extended technology landscape to ensure complete visibility and control—even across multiple networked ecosystems that are constantly in flux—to better correlate data and to detect and even anticipate both known and unknown threats.
- Automation: Security must be automated and integrated across devices and applications so it can respond to threats effectively and in a coordinated fashion at machine speeds.

Swarm technology may be a game changer if organizations don’t change their tactics. The world is in the midst of the most disruptive period of innovation in history—with no sign of slowing down. Organizations need to act now to both stay ahead of bad actors and capture the business advantage that comes to those who don’t wait for someone else to innovate.

(Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet. He brings more than 15 years of cyber security experience to his work helping customers formulate security strategy.)

Source

By Waqas We all want to look perfect in the pictures that we post online, and beauty camera apps are our best bet in order to fine-tune our pictures. However, according to the findings of Trend Micro researchers, these kinds of applications are performing more functions than we think they are. Reportedly, some of the Android […] This is a post from HackRead.com. Read the original post: Selfie stealing malware found in popular Android beauty camera apps

Source

It has been a busy year for data breaches already, and January isn’t even officially over. This past week has been no exception. In the past seven days, in addition to the Airbus news that we previously reported, Discover Financial, IT management giant Rubrik, the City of St. John in New Brunswick, Canada and the State Bank of India all reported exposures.

Discover Cards

Discover Financial has reported a “possible merchant data breach” that could have compromised user accounts to the State of California Attorney General’s office, in compliance with that state’s data breach rules. There are two separate notifications.

“We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review,” the company said in a media statement issued on Twitter. “We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The credit-card issuer said that it has alerted cardholders to a data breach that appears to have taken place on August 13, 2018, but it hasn’t said how much personal information was compromised or how many individuals are affected.

Anthony James, chief strategy officer at CipherCloud, told Threatpost in a prepared statement that the length of time between the breach occurring and being found is typical. “Discover’s breach is very typical of the news we hear continually concerning financial firms and credit processors,” he said. “In today’s environment attackers will get into your networks. That’s a fait accompli. We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach. What we don’t expect to hear is that the databases and credit-card data are, amazingly, unencrypted.”

Discover is mailing out new cards to those it believes are affected.

“We should be realistic – the costs for Discover will be a rounding error, and have already been built into their Q4 provisions (up 18 percent over Q4 2017),” Colin Bastable, CEO of Lucy Security, said via email. “The 176 million card-carrying U.S. consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards. The real problem is that these thefts are not victimless crimes – real money is involved. Crime rings and governments are stealing from the American consumer and using it to finance more crime.”

A Pair of Misconfigured Servers

Meanwhile, two other major data exposures revealed this week are the result of misconfigured servers, a scourge that shows no sign of going away.

Rubrik, the IT security and cloud data management giant, exposed a whole cache of customer information, improperly stored in an Amazon Elasticsearch database. The exposed server wasn’t protected with a password, allowing access to pretty much anyone on the internet. The company pulled the server offline Tuesday.

According to reports, the tens of gigabytes of exposed data go back to October, and include customer names, contact information, contents of customer service emails, customer IT/cloud set-up and configuration information, and email signatures with names, job titles and phone numbers.

“It seems like almost every day we hear about another company that’s left an Elasticsearch server unprotected, leaving sensitive data exposed, and now we’re seeing it happen with IT vendors,” said Balaji Parimi, CEO, CloudKnox Security, via email. “There’s a simple reason these vulnerabilities are so prevalent: the complexity of multi-cloud environments, combined with a lack of visibility into who can do what. When combined, this leads to overprivileged identities operating in environments where security teams can’t answer simple questions like: ‘what privileges does each service account or employee have?’ and ‘what actions have they performed?’ These vulnerabilities are rarely malicious – they result from lack of visibility into what people are doing in extremely complex environments,” Parimi said.

In other news, the State Bank of India, the largest financial institution in that country of nearly one and a half billion people, also said this week that it failed to secure a server with a password, leaving the financial information for millions of customers exposed as a result of “human error.” The database contained text messages, account balances, recent transactions, partial bank account numbers and customers’ phone numbers, impacting an undisclosed number of people.

CipherCloud’s James noted, “Financial institutions are under constant cyberattack. That, of course, is no surprise to any of us. Instead, the data exposure at the State Bank of India Mumbai data center isn’t due to an attacker – it is due to misconfiguration and errors in administration. Right now we are seeing a surge in data exposure and breach due to these administrative errors.”

Third-Party Supplier Credit-Card Breach

And finally, credit-card information from about 6,000 people in the Canadian city of St. John was seen being sold on the Dark Web thanks to a payment card skimmer being installed on the third-party parking system that it uses. The malware collected credit-card information for 18 months from those paying parking tickets before being discovered.

“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud,” explained Ryan Wilk, vice president of Customer Success at NuData Security. “More recently, we’ve seen a change in the value of stolen data as more and more institutions are implementing user authentication solutions that render stolen data valueless. The loss of credit card data is a worry for everyone. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”

Source