Monday, 11 December 2017

German Secret Service Warns Against Fake Profiles On LinkedIn

The German secret service BfV warns against fake profiles on LinkedIn that would be used by Chinese intelligence services to gather information about politicians and policymakers. Over a period of nine months more than 10,000 Germans were approached via the fake profiles, according to the BfV.

The profiles occur as headhunters, consultants or scientists with the names "Rachel Li" and "Alex Li". They claim to have, among other things, vacancies at a Dutch HR company. After contact has been made, the fake profiles try to collect information about habits, hobbies and political interests. "Chinese intelligence services are active on networks such as LinkedIn and in this way try to gather information and find sources of information," said a spokesperson.

Many of the profiles are provided with photographs of attractive men and women. One of the photos would even be taken directly from an online fashion catalog, according to Reuters . The fake profiles have mainly provided for European diplomats and politicians. German citizens are called upon to report suspicious profiles and not to share valuable personal information via social media. "This is an extensive attempt to infiltrate certain parliaments, ministries and government agencies," says Hans-Georg Maassen, head of the BfV.

Conficker Worm Still Active On 150,000 Computers After 9 Years

The Conficker worm that infected nine million computers at its peak has been operating on 150,000 computers since its first appearance on 21 November 2008, anti-virus company Trend Micro said. Conficker is distributed in a variety of ways, including a vulnerability in the Windows Server service, shared network folders, and the Autorun feature of Windows.

The vulnerability in the Windows Server service was patched by Microsoft on October 23, 2008. In January 2009, Conficker also started distributing itself through the Autorun feature of Windows, something for which Microsoft released an update in February 2011. According to Trend Micro, Conficker is mainly active in China, Brazil and India. These three countries together account for more than half of all infections. Most infections were found in government systems, followed by production companies and health care.

After an infection, Conficker tries to connect every day with all kinds of domains to see if there are new instructions from the makers. ICANN, the organization that is responsible for the distribution of ip numbers and domains, has, however, taken measures so that these domains can not be registered. Thus, the infected computers can not be used for criminal purposes.

According to Trend Micro, Conficker can also be labeled as "background malware" that is mainly active on legacy systems. "Although it is not as interesting to the general public as more modern malware such as WannaCry and Petya, it remains a persistent threat and will remain so as long as unsupported, unpatched legacy systems are still part of corporate networks," says researcher the virus fighter .

Sunday, 10 December 2017

Strong Increase Of Phishing Sites That Use Https

Not only legitimate websites use https more and more, phishing sites also have more and more access to a secure connection. There is even a strong increase in the number of https phishing sites, according to security company PhishLabs . In the third quarter of this year almost 25 percent of the observed phishing sites had a https connection.

A quarter earlier was still about 12 percent, while a year ago less than 3 percent of the phishing sites had a ssl certificate. According to the security company, there are two reasons why there is an increase in https usage among phishing sites. The first reason is that phishing sites are regularly offered via hacked, legitimate websites. When a legitimate website with a ssl certificate is hacked, the phishing page that is offered via the website will also have a secure connection.

The second reason according to PhishLabs is that criminals register domains for their phishing site and then enable https themselves. This then happens via certificate authorities that offer free ssl certificates, such as Let's Encrypt and Comodo. In this way, the phishing site looks more legitimate, says Crane Hassold of PhishLabs. Chrome automatically displays the "Safe" message at https sites. This refers to the secure connection, but end users think the website they are visiting is safe, Hassold notes.

"The misunderstanding about the meaning of https among the general public and the confusing appointment of https websites in browsers are the main reasons why it is a popular preference of phishers in hosting phishing sites," Hassold continues. "Combined with the rapid growth of https among website owners, we expect the number of https phishing sites to grow further."

Explanation How To Remove The Microphone From Your iPhone And MacBook

Those who do not want to risk using a hacked iPhone or MacBook as a listening device can choose to remove the built-in microphone. Calls can then only be made by connecting a headset with a microphone, for example.

"There is no reason why these devices need those sensors to function," says Kyle Wiens from repair company iFixit opposite Wired . "And taking them apart to remove the microphone is not more difficult than repairing them." Users can switch off the microphone or even insert a cut-off jack in the microphone socket if it is already present, but according to experts this does not offer sufficient protection.

According to Richard George, a former technical director of the NSA who was involved in the design of the secure BlackBerry of President Obama, the trick with the microphone jack is not enough. A malicious application could bypass the fake microphone and still enable the real microphone. Anyone who wants to be sure of his case can also remove the microphone or have it done.

In the case of a MacBook, this appears to be fairly simple. So iFixit even has a manual for it. The microphone can also easily be connected again. The same operation with the iPhone is a lot more difficult and permanent. The iPhone also has four built-in microphones. Once again, iFixit offers extensive instructions for doing this yourself. A repair company that Wired spoke costs 75 dollars and says twice for privacy-oriented customers.

Last year whistleblower Edward Snowden advised that people who do not want to be spied or tapped would be wise to remove the microphone and camera from their smartphone. Recently, however , the Public Prosecutor announced that legitimate users have no reason to "demolish" the microphone from their device. The verdict was made in connection with the investigation into Ennetcom, a company that supplied custom BlackBerry smartphones to communicate encrypted. The microphone was removed from these phones.

Saturday, 9 December 2017

Mac Malware Hidden Lotus Uses Unicode To Disguise Itself

Researchers have discovered a malware copy for macOS that uses a Roman Unicode character to disguise itself. The malware in question occurs as a PDF file and also has .pdf as an extension. In reality, however, it is an application, which is also displayed by the Finder.

The "d" in .pdf appears not to be a normal d, but a Roman numeric D in lowercase, which shows the number 500. In addition, a Mac application does not need .app as an extension to be treated as an application. An application in macOS is simply a folder with a special internal structure called a bundle. A folder with the correct structure is still a folder, but when it is provided with the .app extension, it immediately becomes an application. The Finder treats it as a single file instead of a folder, and double-clicking starts the application instead of opening the folder.

When double-clicking on a file or folder, LaunchServices will first look at the extension. In the case of a known extension, it is opened with the corresponding application. When it comes to a file with an unknown extension, the user gets the question what he wants to do. However, when it is a folder with an unknown extension, LaunchServices first looks at the bundle structure if it is present. In the case of the now discovered Mac malware, it appears that they have the correct structure of an app. Because the malware actually has an unknown extension, LaunchService looks at the internal structure and therefore considers it as an application.

However, users still get a warning from macOS to see if they want to open an application that comes from the internet, as anti-malware company Malwarebytes says . In case users open the file anyway, they can get infected with the HiddenLotus backdoor. Attackers have access to the system through this backdoor. According to Malwarebytes, HiddenLotus is a variant of the OceanLotus backdoor that was used against Vietnamese Mac users, among others.

Virustotal Link:



Saturday, 2 December 2017

Researcher Discovers Keylogger In HP Keyboard Driver

A researcher with the alias ZwClose has discovered a keylogger in an HP keyboard driver that malware could use. The keylogger was in the SynTP.sys file. This is part of the Synaptics Touchpad driver installed on hundreds of HP laptops.

Although the keylogger was turned off by default, it could have been enabled via an adjustment to the Windows Registry. The investigator warned HP and the manufacturer confirmed the presence of the keylogger. It was code that was actually meant for debugging the driver and was left behind. HP has now released an update to remove the code.

The update can be downloaded from the HP and Windows Update website , the researcher says. All affected models are listed on the HP website. It involves almost 500 different laptops. According to HP, the presence of the keylogger did not ensure that the self or Synaptics had access to customer data. Earlier this year, a keylogger was also found in an HP audio driver .

Thursday, 26 October 2017

Infrastructure Behind BadRabbit Ransomware Since 2016 Active

The infrastructure used last Tuesday to spread the BadRabbit ransomware has been active since 2016, says Dutch security researcher Yonathan Klijnsma from security company RiskIQ. During the attack the attackers used a large number of hacked websites.

These websites showed a popup to visitors that they needed to install an update for Adobe Flash Player. In fact, it was a Petya ransomware variant that encrypted files on the hard drive and overwritten the Master Boot Record from the hard drive. As a result, the operating system can no longer be started. Furthermore, BadRabbit tries to spread on SMB via a list of commonly used passwords and intercepting login credentials via SMB.

On the hacked websites, code was sent to an injection server that showed the malicious popup on the websites. One of these injection servers was first observed last September. In addition, various hacked websites have been compromised since last year. RiskIQ counted 63 hacked websites where the attackers had access. The security company claims, however, that it can go for more websites.

"The group behind the BadRabbit ransomware has been active for quite some time," said Klijnsma. The researcher speaks of a long-term campaign that could possibly be set up for something other than BadRabbit. "Although the BadRabbit ransomware is brand new, we can track the distribution industry by the beginning of 2016, which shows that victims had been compromised a lot before before the ransomware hit and the news cycle began. The campaign could originally be set up for something other than BadRabbit. " Security company Symantec claims that 86 percent of the infections occurred in Russia and it mainly concerns companies.

Wednesday, 25 October 2017

Security Company Develops DDE Feature Patch In Microsoft Office

A security company has developed an unofficial patch for the DDE feature in Microsoft Office where cybercriminals are currently exploiting abuse. Dynamic Data Exchange (DDE) is a feature that was added to older Windows versions and is still used in many places. The feature allows you to inject data from, for example, an Excel document into a Word document.

In the event that the Excel document is updated, this will be immediately visible in the Word document. However, the DDE feature also makes it possible to call a malicious application instead of Excel or a benign application that performs malicious commands. To perform the called application, the user must first give permission to two dialog boxes.

However, this does not seem to be a problem, as the functionality is currently being used by cyber criminals. Microsoft is not currently planning to resolve the issue through a security update. However, the Windows 10 Fall Creators Update features the Windows Defender Exploit Guard that can block attacks via the DDE feature. Since Microsoft did not get a patch for the time being, security company ACROS decided to look into the possibilities to develop a patch.

The result is a " micro-patch " for Office 2007, 2010, 2013, 2016 and 365, both the 32-bit and 64-bit versions. The patch causes the DDE feature not to invoke the specified application. Microsoft Word will still display the two dialog boxes, but if the user click here yes, the called application will not be executed. To install the micro patch, the free 0patch Agent software must run on the system. This is an unofficial patch and the use is at your own risk. ACROS has previously developed micro-vulnerability vulnerabilities in Windows and Foxit Reader, among other things.

Researchers Crack Google's Audio Captcha

Researchers have managed to crack Google's audio captcha with an average of 85 percent accuracy, allowing bots to automatically create accounts on websites and place spam messages. To distinguish robots from people, captcha's often need to solve puzzles and distorted texts. The captcha of Google also allows users to resolve an audio captcha.

The audio captcha consists of multiple digits read in different speeds, accents and pitches with background noise. Researchers at the University of Maryland devised an attack targeting Google's audio captcha. To crack the audio captcha, the researchers developed " unCaptcha ", software that downloads the captcha audio file and then splits the parts with voice.

The split audio fragment of each digit is then sent to six free online audio transcription services, including Google's. Based on the different results, which figure was read in the audio clip. The results are then entered 'organic' by the software in the captcha window. On average, the software knows how to solve the captcha with 85 percent accuracy. After the researchers published their research ( pdf ), Google has taken various measures that limit the effectiveness of unCaptcha.

Assault Modifies Dns Coinhive Using Reused Password

An attacker succeeded in adjusting the coinhive dns yesterday, making websites using the cryptominer a JavaScript file of the attacker's being. Coinhive is a cryptominer that uses the computer's computing power to cryptocurrency Monero through the browser. To do this, the computer performs a cryptographic calculation.

Owners of websites that want to use Coinhive must point to a coinhive JavaScript file on their website. This file is then uploaded by the visitor's browser, after which the computing power of their computer is used to perform the cryptographic calculation. The attacker was able to access the Coinhive Cloudflare account. Cloudflare is Coinhive's dns provider.

Then, the attacker changed the DNS settings, which forwarded requests for to another server. This server turned a custom version of the JavaScript file. This caused the attacker to benefit from the calculations made by website visitors, rather than the websites running Coinhive.

According to Coinhive , the Cloudflare account has been hacked through an unsafe password probably stolen at Kickstarter's hack in 2014. "Since then, we learned hard lessons about security and used two-factor authentication and unique passwords for all services, but have failed to update our years-old Cloudflare account," said Coinhive. We are now looking at ways to offset affected websites.

Tuesday, 24 October 2017

Ukraine And Russia Hit By Bad Rabbit Ransomware

Organizations in Ukraine and Russia have been hit by a new ransomware copy called Bad Rabbit, which would be a Petya ransomware variant that spread this summer, reports anti-virus company ESET. The malware would have infected hundreds of systems.

Among the victims are the Kiev metro, the Odessa airport and the Ukrainian ministries, according to the virus fighter. Anti-virus company Kaspersky Lab announces that most victims are in Russia. For example, the Russian press agency Interfax has been hit by the ransomware. The press office reports that the news services are not available because of the attack. "Based on our research, it is a targeted attack on corporate networks through methods similar to the ExPetr attack," said Kaspersky researcher Alex Perekalin. ExPetr is one of the names given to the Petya variant of this summer.

According to Kaspersky Lab, Bad Rabbit ransomware is spread through a number of hacked Russian media websites. ESET researcher Lukas Stefanko , Proofpoint researcher Darien Huss and the known anti-virus veteran Vesselin Vladimirov Bontchev warn that ransomware is on websites as an update for Flash Player . As soon as a user downloads and opens this so-called update, the Bad Rabbit ransomware will be activated on the system. Bad Rabbit tries to spread on the network. To do this, a list of common passwords is used, and Bad Rabbit tries to steal login data through the Mimikatz tool.

Bad Rabbit encrypts files and, like Petya, overwrites the Master Boot Record (MBR) of the hard drive. Therefore, the system becomes unusable. The ransomware claims victims 240 euros for decrypting the files. Whether victims pay the ransom to recover their files is still unknown. Organizations are advised to block executing files c: \ windows \ infpub.dat and c: \ windows \ cscc.dat and, if possible, disable Windows WMI service so that ransomware can not spread further .

Initially, ESET researcher Stefanko reported that the EternalBlue operation was also used. This does not appear to be the case at all. The article has been modified.

The attackers knew to hack several media and news sites. Then there was a malicious code that offered the so-called Flash Player update. Most infections have been observed in Russia, followed by Ukraine, Bulgaria and Turkey. According to ESET, all major companies are affected at the same time. "It is possible that the attackers already had access to the network and launched the attack through the websites at the same time as distraction," said Marc-Etienne M.Léveillé of ESET. He notes that there are no indications that employees of affected organizations have been stepped into the so-called Flash Player update. Anti malware company Malwarebytes announces that the attackers behind Bad Rabbit are likely to be responsible for the Petya / NotPetya variant of last June.

In the meantime, several technical analyzes of Bad Rabbit have appeared online. :

- Bitdefender

- Cisco


- Kaspersky Lab

- Malwarebytes

- McAfee

- Qualys

According to Costin Raiu of Kaspersky Lab, the attackers behind Bad Rabbit would have been working on setting up the network of hacked websites since July. The attackers had access to, inter alia, Russian, Turkish, German and Bulgarian websites.

Lenovo Provides Computers With FIDO Authenticators

Lenovo has provided various computer models of so-called FIDO authenticators that let users login their accounts via a fingerprint scan or click on a prompt on the screen. The Fast IDentity Online (FIDO) Alliance has set itself the goal of replacing the password with authentication methods that are "safer and user-friendly."

Lenovo is one of the FIDO members, among other things, Google, Microsoft, MasterCard and PayPal. The parties involved develop products and services that make use of the FIDO protocol. This would automatically recognize devices that support FIDO and allow users to replace passwords by another authentication method.

Lenovo now claims that it is the first PC manufacturer to integrate directly into Windows computers by FIDO certified authenticators. Instead of a password to log in, users can choose from an alternative. For example, a fingerprint scan can be logged through the Universal Authentication Framework (UAF). In addition, the system also supports Universal 2nd Factor (U2F).

In case a user has enabled two-factor authentication for his account, it is no longer necessary to enter a separate security key or SMS. The two-factor authentication is built directly into the computer. In the case of two-factor authentication via U2F, users get a prompt to confirm, after which they are logged in to their account. This login method is supported by Google, Facebook and Dropbox.

To support UAF and U2F, Lenovo uses Intel Online Connect and Intel Software Guard Extensions (Intel SGX) on the latest Intel processors. The functionality will be delivered with different computer models and available for all models delivered. Intel Online Connect is available for download from Lenovo's website and will be available through Lenovo System Update and Lenovo App Explorer.