Tag Archives: Malware

Android Malware Uses Screen Overlay to Steal Credentials and Credit Cards

Malware is like any other piece of software.  Version one is usually pretty crappy – what vendors like to affectionately call a “minimum viable product”.  Sometimes “minimal” is loosely defined.

In this case the malware is called GINP.  The trojan has been in the wild since June.  In the five months since,  it has evolved.  It started out as a Google Play Verifier.  It stole incoming and outgoing text messages.

A later version added an “overlay” – a layer over the top of the screen that popped up when you opened an app like Facebook, WhatsApp or a bunch more.  That overlay asked for a credit card and that information went to the attackers.

The next version added code to make it harder to detect the app.

Then it morphed.  Today it is going after Spanish banks – 24 apps from 7 banks right now, but it looks like that is just a start.

You can imagine what the hackers might do with online banking credentials.

The overlays can mimic whatever they want to – they cover the whole screen.

One downside to the technique is that it requires the user to grant it a specific permission, the “accessibility” permission, which is normally used by apps that assist users with disabilities.

Even if this app does not morph to US banks, users should be careful.

Look at what permissions an app is asking for – don’t just blindly say yes.
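Since the overlay only works once an app has been granted the accessibility permission, one concrete check a defender can run on a device they manage is to list which accessibility services are enabled and compare them with the ones they expect. The script below is an added example and is not code from the post or from its source. It assumes the list was read with `adb shell settings get secure enabled_accessibility_services`, which prints colon-separated `package/service` entries; the sample value, the package names and the allowlist are all constructed for the example.

```python
"""Flag unexpected Android accessibility services (added example)."""

# Constructed sample of the setting's value; these package names are made up.
SAMPLE_SETTING = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.playverifier/.OverlayService"
)

# Constructed allowlist: packages whose accessibility services are expected.
EXPECTED_PACKAGES = {"com.example.screenreader"}


def parse_enabled_services(setting):
    """Split the raw setting into (package, service_class) tuples.

    An empty or "null" value (what the adb command prints when nothing is
    enabled) yields an empty list.  A shorthand class such as ".OverlayService"
    is expanded to the full name, the way Android's ComponentName does it.
    """
    setting = (setting or "").strip()
    if not setting or setting == "null":
        return []
    services = []
    for entry in setting.split(":"):
        if "/" not in entry:
            continue  # malformed entry: skip it rather than crash the audit
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(setting, expected_packages):
    """Return the enabled services whose package is not on the allowlist."""
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting)
        if pkg not in expected_packages
    ]


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING, EXPECTED_PACKAGES):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

Anything the audit flags deserves a look at what the app is and why it needs to read the screen; a “verifier” app that nobody installed on purpose is exactly the pattern described above.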

Look for telltale signs.  This malware is going to make it look like you have been logged out of the app and need to log back in.  It will also ask for credit card info.  Don’t do that if it doesn’t seem right.

Turn on two factor authentication.  That way, at least, if they have your credentials, they don’t have the second factor. 

Be selective about what apps you install – and uninstall apps that you do not use any more.

Nothing is bulletproof, but make it harder for the bad guys.  Source: CSO Online.


Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always kept its documents secret.  The only way that you even get a copy of the specs is to become a member, and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

IBM Says Reports of Malware Attacks Up 200% in First 6 Months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan beforehand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach, and the truth got out.  Source: Tech Crunch.

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver-based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, whose details are likely classified, probably use techniques like those we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is to record everything that everyone does and, if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.


North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.


Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers somehow compromised the development environment, injected malware and let the build system compile it, digitally sign it and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.


Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register.

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor – American Medical Collection Agency – which makes this a vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats from a sinking ship.

As a result of that, the lawsuits already filed and to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very highly and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  They have now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million.

In this case, the hacker was bolder, asking for $600,000, which, if the city has the typically poor IT practices, was the only way to get its data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.



Security News For The Week Ending May 3, 2019

U.S. Trains UAE Spies to Spy on Americans

Reuters has written an exposé on how the State Department granted a U.S. company an ITAR license to train UAE spies on hacking.  The plan, which got out of control, was to constrain the UAE spies, but once they were trained, they fired their U.S. trainers and started spying on royalty around the Middle East and even Americans in the U.S.  The FBI has been investigating since 2016, with no charges.

The challenge is that if we said no to training them, they would likely go to the Chinese.  If we indict them, they are less likely to be our friends and instead work with the Russians and Chinese. It is a bit of a lose-lose situation.

Read the Reuters article here and listen to Stewart Baker (formerly of the NSA and DHS)  interview the journalists (the second half of this podcast) here.


Over 500% Increase in Ransomware Attacks Against Businesses

In contrast to the FBI stats from the other day, Malwarebytes’ Q1 2019 report paints a different picture.  The FBI stats only reflect what is reported to them, while the Malwarebytes stats reflect what their endpoint protection software is actually seeing, whether reported or not.

While they show that consumer detections were down by 24% year over year, business detections were up 235%, indicating that attackers are going after business targets – where the data is juicier and they might pay to get it back.

In the commercial world, different than the consumer world, ransomware is up 189% since Q4 2018 and 508% since Q1 2018.  This means that businesses are definitely being targeted.

One thing that is not clear from the report is whether this includes both successful and failed ransomware attacks; it likely does, since this is an endpoint security product collecting the data.  Source: Bleeping Computer.

Scott County Schools Suffers $3.7 Million Business Email Compromise Loss

In case you were wondering how that $1.3 BILLION Business Email Compromise number happens – a small school district in Kentucky got suckered into paying a social engineer $3.7 million instead of paying the correct vendor.  Sounds like they need some training, and I bet they get some – after the horse, and their money, are out of the barn.  Source: KnowBe4.

Supply Chain Risk is a Major Problem

Germany-based CityComp, which has clients such as SAP, BT and Oracle, was hacked earlier this month.  The hacker asked for $5,000, which was not paid.  The hacker claims to have over 500 gig of data in 312,000 files.  Which is set to be released.  Because a vendor was hacked.  In part because its clients’ vendor cyber risk management programs did not impart the seriousness of cybersecurity.  Supply chain risk is a critical problem which is not being adequately handled.  Read the details at The Register.

Google Adds New Option to Auto-Delete Some History

Google says that they will begin rolling out a couple of changes with respect to privacy.  Although they are small changes, any change in this direction is a good thing.

Google will allow you to specify how long they should keep your app activity and location data, but there are only three options – until you delete it, for 18 months, or for 3 months.

You could before and still can turn it off completely, but that makes certain Google functions less useful in some people’s view.

Ultimately a small, but good, move.  Source: The Hacker News.


Global Security Officials Meet to Hammer Out 5G Security

The United States and security officials from 30 European Union and NATO countries, as well as Japan, Australia and Germany, are meeting in Prague to figure out how to combat security threats in 5G cell networks.  China and Russia were not invited!

The plan is to set up certain security conditions that Huawei and other Chinese vendors would likely not be able to meet.  Stay tuned for more details.  Go for it fellas.  They may have just played the Chinese.  Source: Reuters.


Hackers Infect 500,000 Routers and Growing

Cisco has released an advisory that half a million (and growing) consumer and small business routers have been infected with malware dubbed VPNFilter.

The malware was detected infecting routers from:

  • Linksys
  • MikroTik
  • Netgear
  • TP-Link
  • and QNAP storage devices

The researchers have not figured out a test that a consumer or small business can use to detect whether a particular router is infected or not.

On top of that, there is no “patch” that will inoculate a router against the malware.

The infection is affecting routers in 54 countries and has grown so quickly in the last month that the researchers decided to make their research public early.  They are continuing to study it.

The malware is very flexible in what it can do – including stealing credentials and destroying the router so that the user has to buy a new one.

Among other things, the malware can, apparently, steal files and also run commands on your router, which could lead to a whole variety of different compromises of your systems.

The FBI says that it has seized a server used by the attackers.  Gee, that means that they will hijack a new server and download a new version of the malware onto the compromised devices.  Given this control server was taken offline, it *MAY* mean that the hackers have to reinfect those devices, but apparently, that wasn’t too hard to do in the first place.

Information for this post came from Ars Technica.

OK, so given that, what do you do?

The article lists some of the routers affected.  Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular.  If you have one of the routers listed in the article, you should raise your alert level.

Rebooting the router WILL NOT remove the malware.  Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset.  Beware that if you do that, you will lose the router’s configuration and someone will have to reprogram it.  This may involve sending out a service technician to your house or office.  This, right now, is the only known way to disinfect infected routers.

I recommend putting a separate firewall between your ISP’s router and your internal computers.  This is another level of defense.  Two good firewalls are pfSense (which comes both as open source software and a commercial package) and the Ubiquiti Edge Router X.  Note that you will have to have some expertise, or hire someone, to configure it.  This will, however, give you an extra layer of protection.  And, since you are buying it, your ISP will not have the password to it.

Make sure that you change the default password in your existing router.  One possible way the infection is getting in is via default credentials.

Check to see if there are any patches to your router available from your router manufacturer.  If so, install them and repeat that process every month.

Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire and since it affects so many different devices, it is not likely to get fixed quickly.



Malware Using More Stealthy Techniques To Avoid Detection

Dell SecureWorks, the counter threat service that Dell bought in 2011, is reporting on a new outbreak of the malware family STEGOLOADER, which has a different M.O., making it hard to detect.  All that persists on the machine is a small loader that downloads the core module.  This loader can be changed easily and might even have the ability to change itself to avoid detection.  That is all the antivirus software has to work with.

Once it loads this core module, that module downloads a picture.  Yes, a picture.  Potentially the picture could be any picture and the picture could be on any web site, including compromised legitimate sites.  Inside this picture, using steganography (hiding secrets in plain sight),  is the first piece of malware.  However, this malware is never written to disk.  If you reboot the machine, it just downloads it again.

Now the malware has a beachhead and can download other modules using this same technique.  If the antivirus software looks on the disk, there are no new files to scan.  If the software scans the downloaded file, all it sees is a picture.

The software is modular and downloads whatever modules it needs.  This allows for easy updates each time the core module is reloaded – for example, if the anti virus guys come up with a way to detect it, just morph it to avoid the detection.

The data (malware) that is extracted from the picture is compressed and encrypted just to make things more fun.  While the decryption key is hardcoded, different samples have different keys.
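To make the “all it sees is a picture” point concrete, and to show what a scanner can still look for, here is an added example (not code from the post, from Dell SecureWorks or from Trend Micro). It models an 8-bit grayscale image as a flat list of pixel values, hides a payload in the least significant bits the way a loader might, recovers it, and then runs the classic pairs-of-values chi-square steganalysis test: hiding random-looking (compressed and encrypted) bits in the LSBs makes the counts of neighbouring values 2k and 2k+1 converge, which an untouched image does not do. The cover image, the payload (random bytes standing in for ciphertext) and the detection threshold are all constructed assumptions for the example.

```python
"""LSB steganography and a pairs-of-values steganalysis check (added example)."""
import random

WIDTH, HEIGHT = 64, 64


def make_cover_image():
    """Constructed cover: flat 8x8 blocks of even grey levels, a stand-in for
    the smooth regions of a real photo (assumption, not real image data)."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            pixels.append(32 + 16 * ((x // 8 + y // 8) % 12))
    return pixels


def make_payload(n_bytes, seed=7):
    """Constructed stand-in for a compressed-and-encrypted module: uniformly
    random bytes, which is what ciphertext looks like statistically."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


def embed_lsb(pixels, payload):
    """Overwrite the LSB of successive pixels with the payload bits (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in image")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract_lsb(pixels, n_bytes):
    """Read n_bytes back out of the LSB plane (what the loader does)."""
    result = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic.

    For each pair (2k, 2k+1) the expected count under LSB embedding is the pair
    average; an untouched image keeps its natural imbalance and the statistic
    stays large, while random embedded bits drive it toward zero.
    Returns (statistic, number_of_pairs_with_data).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        c0, c1 = hist[2 * k], hist[2 * k + 1]
        expected = (c0 + c1) / 2
        if expected == 0:
            continue
        stat += (c0 - expected) ** 2 / expected
        pairs += 1
    return stat, pairs


def lsb_embedding_suspected(pixels, per_pair_threshold=5.0):
    """Flag an image whose value pairs are suspiciously balanced.
    The threshold is an assumption chosen for this synthetic data."""
    stat, pairs = pov_chi_square(pixels)
    return pairs > 0 and stat / pairs < per_pair_threshold


if __name__ == "__main__":
    cover = make_cover_image()
    payload = make_payload(len(cover) // 8)   # fill every pixel's LSB
    stego = embed_lsb(cover, payload)
    print("cover suspected:  ", lsb_embedding_suspected(cover))
    print("stego suspected:  ", lsb_embedding_suspected(stego))
    print("payload recovered:", extract_lsb(stego, len(payload)) == payload)
```

The point for a defender is the asymmetry the text describes: a signature scanner sees a valid image either way, but a statistical test on the LSB plane still notices that the pixel values have been “flattened”. On real photos the cover statistic is noisier than on this synthetic one, so the threshold has to be calibrated against a sample of known-clean images, and an attacker who embeds only a few bits or spreads them across many files pushes the signal down; it is one heuristic, not a verdict.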

The malware is in constant contact with its control server, but those messages are also encrypted.  That way the control server can change the malware’s behavior as needed.

The malware can detect if it is being analyzed – like by being run inside a virtual machine – and if so, it just shuts down.

Since it is modular, it can do many things, but one thing that it does do is steal passwords – like email passwords and SSH passwords.   Since it is running in memory, in your PC, link encryption like SSL does not make any difference.  Any passwords in memory are potential targets.

Trend Micro says that the main targets it is seeing are healthcare followed by finance, and most of the infections are in the U.S.

Obviously, in either of these environments, stolen passwords can yield a lot of sensitive information.

This category of malware is difficult to detect, which is why it is becoming popular.  If people and companies want to stop this class of malware, it will require some out of the box thinking and the result may require users to make some adjustments.  Just part of the evolution of malware.

Information for this post came from here and here.

