

GOP report claims Hunter Biden paid women linked to ‘prostitution or human trafficking ring’

Among the deluge of explosive claims tucked inside the new Senate Republican report about Hunter Biden’s business dealings is the allegation that the Democratic presidential nominee’s son has a […]

Six terrorists linked to RAW arrested in Karachi

KARACHI: Six terrorists with connections to the Indian spy agency Research and Analysis Wing (RAW) have been arrested in Karachi, foiling a major terrorist plot, according to the District West […]

APT40 hackers linked to 13 alleged front companies in Hainan, China

Source: National Cyber Security – Produced By Gregory Evans

The mysterious research group Intrusion Truth has unleashed a new series of reports claiming that 13 businesses based in the southern island province of Hainan, China are collectively a front for the reputed Chinese state-sponsored hacking group APT40. The alleged front companies all purport to be science and […]

Malicious Google Play Apps Linked to SideWinder APT


The active attack involving three malicious Android applications is the first exploiting CVE-2019-2215, Trend Micro researchers report.

Researchers have discovered an attack exploiting CVE-2019-2215, which leverages three malicious apps in the Google Play store to compromise a target device and collect users’ data.

This threat is linked to the SideWinder advanced persistent threat (APT) group, report Trend Micro’s Ecular Xu and Joseph Chen in a blog post. SideWinder, a group first described by Kaspersky Lab in the first quarter of 2018, primarily targets Pakistani military infrastructure and has been active since at least 2012. Security researchers believe the group is associated with Indian espionage interests and has a history of targeting both Windows and Android devices.

CVE-2019-2215 was disclosed in October 2019 by Maddie Stone of Google’s Project Zero. The zero-day local privilege escalation vulnerability affected hundreds of millions of Android phones at the time it was published. A fix had already landed in the Android kernel branches in December 2017; however, source-code review showed that newer devices were shipping with kernels that still lacked it, which is why phones running current Android releases remained exploitable.

The use-after-free vulnerability is considered “high severity” and requires a target to download a malicious application for potential exploitation. An attacker would have to chain CVE-2019-2215 with another exploit to remotely infect and control a device via the browser or another attack vector. The bug allows for a “full compromise” of a vulnerable device, Stone explained.

While Project Zero judged it “highly likely” that the bug was already being exploited last October, this marks the first known active campaign using it in the wild, Xu and Chen report. The vulnerability is a use-after-free in Binder, Android’s main interprocess communication mechanism: a thread’s Binder wait queue can remain registered with epoll after the BINDER_THREAD_EXIT ioctl has freed the backing binder_thread structure, and that dangling reference is what an exploit abuses. The three malicious apps used in the attack were disguised as photography and file-manager tools.

Android apps Camero, FileCrypt Manager, and callCam are believed to be related to the SideWinder group and have been active on Google Play since March 2019, based on one of the apps’ certificate information. All have since been removed from the Play store.

callCam is the payload app and is installed in two stages, the researchers explain. First, a DEX file (Android’s compiled bytecode format) is downloaded from the command-and-control (C2) server. The DEX file then downloads an APK and installs it, either after exploiting the device or by abusing accessibility services. Camero and FileCrypt Manager both act as droppers: after downloading the DEX file from the C2 server, they call the extra code it contains to download, install, and launch callCam.

Researchers note the C2 servers used are suspected to be part of SideWinder’s infrastructure. Further, a URL linking to one of the apps’ Google Play pages is on one of the C2 servers.

SideWinder relies on device rooting as one of its tactics to deploy callCam without alerting the victim. The malware retrieves a specific exploit from the C2 server, chosen according to the DEX file the dropper downloaded. This approach only works on Google Pixel 2 and Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices.

Over the course of its investigation, Trend Micro downloaded five exploits from the C2 server and found they used CVE-2019-2215 and MediaTek-SU to gain root privileges. Once root is obtained, the malware installs callCam, enables its accessibility permission, and launches it.
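The two facts above that an incident responder can act on are the short list of device models the campaign's root exploits work on and the patch level at which CVE-2019-2215 was fixed. The following is an added triage script, not Trend Micro's code: it parses the output of `adb shell getprop` (captured separately) and reports whether a device is both a targeted model and running a security patch level older than the fix. The 2019-10-06 patch-level threshold is an assumption stated in the code, and the getprop output below is constructed for the example.

```python
"""Triage whether an Android device is exposed to the SideWinder rooting path.

Added example. Parses `adb shell getprop` output and checks two things:
is the model one the campaign's exploits target, and does the security
patch level predate the CVE-2019-2215 fix.
"""
import re
from datetime import date

# Models named in the Trend Micro report as the only ones the root exploits work on.
TARGETED_MODELS = {"Pixel 2", "Pixel 2 XL", "TA-1032", "LG-H990", "CPH1881", "Redmi 6A"}

# Assumption: the kernel fix shipped with the 2019-10-06 Android security patch level.
FIXED_PATCH_LEVEL = date(2019, 10, 6)

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$")


def parse_getprop(text: str) -> dict:
    """Turn `[key]: [value]` lines into a dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value):
    """ro.build.version.security_patch is YYYY-MM-DD; None if absent or garbled."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess(props: dict) -> dict:
    """Combine model and patch level into an exposure verdict."""
    model = props.get("ro.product.model", "")
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    targeted = model in TARGETED_MODELS
    # An unknown patch level is treated as unpatched: a false alarm beats a missed root.
    unpatched = patch is None or patch < FIXED_PATCH_LEVEL
    return {
        "model": model,
        "patch_level": patch.isoformat() if patch else None,
        "targeted_model": targeted,
        "unpatched": unpatched,
        "exposed_to_campaign": targeted and unpatched,
    }


# Constructed sample getprop output, not real device captures.
SAMPLE_PIXEL2_OLD = """\
[ro.product.model]: [Pixel 2]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
"""

SAMPLE_PIXEL2XL_PATCHED = """\
[ro.product.model]: [Pixel 2 XL]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2019-10-06]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PIXEL2_OLD, SAMPLE_PIXEL2XL_PATCHED):
        print(assess(parse_getprop(sample)))
```

A device that is not on the model list can still be vulnerable to CVE-2019-2215 itself; the `unpatched` field answers that broader question, while `exposed_to_campaign` answers only whether this particular campaign's exploits would work.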

Another approach is abusing the accessibility permission, a technique FileCrypt Manager uses on phones running Android 1.6 or higher. After launch, FileCrypt asks the user to enable accessibility. Once granted, the app displays a full-screen overlay that says it requires further setup. Behind that overlay, the app is calling code from the DEX file to download more apps and install callCam; it then enables callCam’s accessibility permission and launches the payload.

“All of this happens behind the overlay screen, unbeknownst to the user,” Xu and Chen write.
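The dropper technique described in the two paragraphs above needs three capabilities in one app: an accessibility service, permission to draw over other apps (the overlay), and permission to install packages. Below is an added static triage check, not code from Trend Micro or from the apps discussed, that parses a decoded AndroidManifest.xml (as produced by apktool, for instance) and flags that combination. Both manifests in the block are constructed for the example, and the combination is a heuristic: some legitimate apps (launchers, automation tools) also request it, so a hit is a reason to look, not a verdict.

```python
"""Flag APK manifests that combine the capabilities an accessibility dropper needs.

Added example. Input is a decoded AndroidManifest.xml; output is the set of
capabilities found and a boolean that is true only when all three are present.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def accessibility_services(root) -> list:
    """Services that declare themselves as accessibility services.

    Either the BIND_ACCESSIBILITY_SERVICE protection or the AccessibilityService
    intent-filter action identifies one; both forms occur in real manifests.
    """
    found = []
    for svc in root.iter("service"):
        by_perm = svc.get(PERMISSION) == ACCESSIBILITY_BIND
        by_action = any(
            a.get(NAME) == ACCESSIBILITY_ACTION
            for f in svc.iter("intent-filter")
            for a in f.iter("action")
        )
        if by_perm or by_action:
            found.append(svc.get(NAME))
    return found


def manifest_capabilities(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    return {
        "accessibility_service": accessibility_services(root),
        "overlay": OVERLAY in perms,
        "install_packages": INSTALL in perms,
    }


def looks_like_accessibility_dropper(xml_text: str) -> bool:
    caps = manifest_capabilities(xml_text)
    return bool(caps["accessibility_service"]) and caps["overlay"] and caps["install_packages"]


# Constructed manifests for the example; package names are made up.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.filetool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".UploadService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, manifest_capabilities(m), looks_like_accessibility_dropper(m))
```

The manifest only shows declared capability. The DEX-from-C2 step the article describes is dynamic code loading, which leaves no manifest trace; pairing this check with a string search for `DexClassLoader` in the decompiled code narrows the result set further.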

After launch, callCam hides its icon on the target device and collects data in the background to send to the C2 server. This information includes location, battery status, files stored on the device, the list of installed apps, account data, Wi-Fi data, and information about the device, its sensors, and its camera. It also pulls data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. callCam encrypts the stolen data with RSA and AES, and uses SHA256 both to verify the data’s integrity and to customize the encoding routine.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


The post Malicious Google Play Apps Linked to SideWinder APT appeared first on National Cyber Security.


PureLocker ransomware built for targeted attacks, linked to MaaS dealer


A newly discovered ransomware called PureLocker is targeting the production servers of enterprises, while exhibiting behavior that is unusual for file-encrypting malware.

Among its quirky features: it’s written in the PureBasic programming language, which helps it avoid conventional anti-malware detection engines; it’s very picky about who it infects, only executing if the victim machine passes a series of checks; and it appears to be used as a later stage of a larger multi-stage attack.

Researchers from Intezer and IBM X-Force IRIS analyzed the ransomware and detailed their findings in a joint blog post this week. “PureLocker is a rather unorthodox ransomware,” said Intezer security researcher Michael Kajiloti. “Instead of trying to infect as many victims as possible, it was designed to conceal its intentions and functionalities unless executed in the intended manner. This approach has worked well for the attackers who have managed to successfully use it for targeted attacks, while remaining undetected for several months.”

Much of PureLocker’s code is unique, but a certain portion, including its dropper program and its built-in evasion and anti-analysis functionalities, is borrowed from a backdoor malware called more_eggs, which is sold on cybercrime forums by a prominent malware-as-a-service provider. “These findings strongly suggest that the MaaS provider of ‘more_eggs’ has added a new malware kit to its offerings, by modifying the ‘more_eggs’ loader’s payload from a JScript backdoor to a ransomware,” the blog post concluded.

The more_eggs backdoor has been used in the past by financially motivated cybercriminal groups including the Cobalt Gang and FIN6. However, it has not been determined if one of these groups or another threat actor is responsible for distributing PureLocker.

The researchers only looked at samples that target Windows, but there are also PureLocker variants that can infect Linux-based machines. One Windows sample was disguised as the C++ cryptography library Crypto++, Kajiloti reported. From Oct. 13 to 30, the sample went almost completely undetected in VirusTotal scan results, a feat the researchers attributed to the use of PureBasic as the programming language.

“AV vendors have trouble generating reliable detection signatures for PureBasic binaries,” the blog post said. “In addition, PureBasic code is portable between Windows, Linux, and OS-X, making targeting different platforms easier.”

Shortly after installation, the malware goes through a thorough series of checks. It makes sure it is not being analyzed or debugged, that it is being executed by the command-line utility regsvr32.exe, that its file extension is .dll or .ocx, that the current year on the machine is 2019, and that it has administrator rights. If any check fails, the malware exits without performing its attack, so a sample run under a debugger, from the wrong loader, or in a sandbox whose clock has moved past 2019 shows no malicious behavior at all.

If it passes the checks, PureLocker encrypts mainly data files with AES and RSA and appends a .CR1 extension to them. It then secure-deletes the original files to thwart recovery efforts. The ransom note warns the victim that the private key will be erased after seven days and gives an email address to contact regarding payment.
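Because the execution conditions above double as a kill switch (the year check alone means a sandbox with a current clock sees nothing), detection is more durable on the delivery pattern than on behavior. The following is an added example of that detection logic, not code from Intezer or IBM: it scores process-creation events for the loader pattern the article describes, regsvr32.exe loading a .dll or .ocx from a user-writable location, and scans file events for the .CR1 extension the ransomware appends. The `key="value"` event format and every path in the sample are constructed for the example and are not real telemetry.

```python
"""Detection logic for the PureLocker loader pattern and its file artifacts.

Added example. Events are constructed 'key="value"' lines standing in for
process-creation and file-creation telemetry.
"""
import re
from pathlib import PureWindowsPath

# Locations a non-admin user can write to; a COM server registered from here is unusual.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

EVENT_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Parse one constructed event line into a dict of its fields."""
    return dict(EVENT_FIELD.findall(line))


def regsvr32_module(cmdline: str):
    """Return the module path regsvr32 was asked to load, or None.

    regsvr32 [/s] [/n] [/i[:cmdline]] [/u] modulename: the last token that is
    not a switch is the module, and it may be quoted if the path has spaces.
    """
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)
    args = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else None


def is_suspicious_regsvr32(event: dict) -> bool:
    """True when regsvr32.exe loads a .dll/.ocx from a user-writable path."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image != "regsvr32.exe":
        return False
    module = regsvr32_module(event.get("cmdline", ""))
    if not module:
        return False
    p = PureWindowsPath(module)
    right_extension = p.suffix.lower() in (".dll", ".ocx")
    writable = any(seg in str(p).lower() for seg in USER_WRITABLE)
    return right_extension and writable


def is_cr1_artifact(event: dict) -> bool:
    """True for a file event whose path carries the .CR1 extension."""
    return (
        event.get("type") == "file"
        and PureWindowsPath(event.get("path", "")).suffix.lower() == ".cr1"
    )


def triage(lines) -> list:
    """Return (kind, detail) hits for loader executions and encrypted-file artifacts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "proc" and is_suspicious_regsvr32(ev):
            hits.append(("loader", ev["cmdline"]))
        elif is_cr1_artifact(ev):
            hits.append(("encrypted_file", ev["path"]))
    return hits


# Constructed sample events; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    r'type="proc" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\cryptopp.dll"',
    r'type="proc" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Windows\System32\msxml3.dll"',
    r'type="proc" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\bob\x.dll,Run"',
    r'type="file" path="C:\Users\bob\Documents\report.docx.CR1"',
    r'type="file" path="C:\Users\bob\Documents\notes.txt"',
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(kind, detail)
```

The loader rule fires before any file is touched; the .CR1 rule is after the fact and mainly useful for scoping which hosts and shares were hit. Because the malware also exits unless it is running with administrator rights, correlating the regsvr32 event with an elevated parent process further tightens the rule without losing true positives.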


The post PureLocker ransomware built for targeted attacks, linked to MaaS dealer appeared first on National Cyber Security.


Hospital cyberattacks linked to heart attack deaths, study shows

Detecting and treating a heart attack is a race against time. A rise in ransomware attacks and data breaches against hospitals across the US may account for an uptick in heart attack deaths at those hospitals, according to a new study. Ransomware attacks are a rising […]

New macOS Backdoor Linked to Cyber-espionage Group

A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says.

Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques.

Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The newly discovered macOS backdoor, which Trend Micro detects as OSX_OCEANLOTUS.D, has been observed on machines that have the Perl programming language installed.

The malware is being distributed via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains obfuscated malicious macros whose payload is written in Perl. The macro extracts a file stored inside the Word document with an XML extension; that file is actually an executable, which acts as the dropper for the final payload, the backdoor.

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, also establishes the backdoor’s persistence on the infected system. It checks whether it is running as root and uses a different path and filename depending on the result.

The dropper sets the backdoor’s file attributes to hidden, assigns random values to the file’s date and time so that timeline analysis cannot rely on them, and deletes itself at the end of the process.

The backdoor has two main functions: collecting platform information and sending it to the command and control (C&C) server. It can also receive additional C&C communication information, which is encrypted before being sent.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro concludes.


The post New macOS Backdoor Linked to Cyber-espionage Group appeared first on National Cyber Security Ventures.


Public sector executive pay should be linked to cybersecurity

Source: National Cyber Security News

Cybersecurity is constantly in the headlines for all the wrong reasons.

Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the weakness that let the WannaCry ransomware attack spread. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.

You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders.

After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81M in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether.




The CCleaner Attack Linked to State-sponsored Chinese Hackers

Source: National Cyber Security – Produced By Gregory Evans

Security researchers revealed that the CCleaner supply-chain attack, which resulted in millions of users downloading a backdoored version of the CCleaner PC utility, was linked to state-sponsored Chinese hackers. The attack started in July with the compromise of a CCleaner server, which let the attackers inject backdoor code into two versions of…

The post The CCleaner Attack Linked to State-sponsored Chinese Hackers appeared first on National Cyber Security Ventures.


Online dating apps including Tinder and Grindr linked to the rapidly increasing cases of STIs in Australia

STI levels are rising rapidly across Australia, and health experts are pointing the blame at dating apps like Tinder and Grindr. Chlamydia is currently the most widespread sexually transmitted infection, with 80,000 cases diagnosed a year in Australia, but gonorrhoea levels have doubled and even tripled in some regions. ‘For some people the fun is increased by taking sexual risks with people they meet on dating apps,’ Associate Professor David Whiley of the University of Queensland’s Centre for Clinical Research told 9 News.

The post Online dating apps including Tinder and Grindr linked to the rapidly increasing cases of STIs in Australia appeared first on Dating Scams 101.
