
Saturday, March 28, 2020

How to stop trolls from taking over your Zoom call

Zoombombing can be prevented, but it’s not as easy as it should be
By Casey Newton (@CaseyNewton), Mar 27, 2020, 3:37pm EDT




Zoom is an easy-to-use videoconferencing tool with a generous free tier. With people around the world isolating indoors to protect themselves against the spread of the coronavirus, it has never been more popular.

But its popularity has also attracted trolls. The phenomenon of “Zoombombing,” in which an uninvited guest uses Zoom’s screen-sharing feature to broadcast porn and shock videos, has been on the rise. Most Zoom meetings have a public link that, if clicked, allows anyone to join. Trolls have been collecting these links and sharing them in private chat groups, and then signing on to other people’s calls to cause mischief.

There’s an easy way to stop this from happening, but Zoom makes it needlessly difficult to find. If you schedule a meeting from the web interface, you won’t see the option to disable screen sharing. Instead:
Click on “Settings” in the left-hand menu
Scroll down to “Screen sharing” and under “Who can share?” click “Host Only”
Click on “Save”

Once you save your settings, future meetings that you start will have sharing disabled by default.

If you forget to change the setting before you start your meeting, there’s a way to modify your settings after it starts:
Once your Zoom meeting is running, click the caret to the right of the green “Share Screen” button in the center of the bottom row of icons
Click “Advanced Sharing Options...”
A dialog box will pop up allowing you to switch screen sharing availability from all participants to the host only.

And what if you’re creating a meeting from your mobile device?

To disable screen sharing after you’ve started your meeting:
Tap the More (...) button at the bottom right corner of the screen
Tap “Meeting Settings”
If you’re using an iPhone, scroll down to “Allow Participants to Share” and switch the toggle off.
If you’re using an Android phone, find “Lock Share” and switch the toggle on.

Friday, March 27, 2020

OpenWrt: Serious bug allows full access to your system

By SecNews, 26 March 2020, 19:15

A security researcher has discovered a serious bug in the OpenWrt operating system that allows attackers to inject malicious software into vulnerable systems.

OpenWrt is a Linux-based operating system used mainly in embedded devices and routers to route network traffic, and it runs on millions of devices around the world.

The bug, classified as RCE, causes the package manager to ignore the SHA-256 checksum, allowing an attacker to bypass the verification of .ipk packages. Researcher Guido Vranken explained that he found this vulnerability by accident while preparing a task for opkg.

To exploit the bug, the attacker must first serve the infected packages from a web server. Communication between the device and downloads.openwrt.org must then take place, and the attacker must be able to change the DNS server so that downloads.openwrt.org resolves to a server under the attacker's control. In effect, OpenWrt's opkg allows attackers to gain full access to the entire system.

During the attack, the hacker must have a valid, signed package index from downloads.openwrt.org, and the malicious packages must have the same size as the one listed in the index.

The vulnerability has now been fixed and users are urged to upgrade their system to the latest OpenWrt version. The upgrade is done with the following commands:

cd /tmp
opkg update
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
sha256sum ./opkg_2020-01-25-c09fe209-1_*.ipk
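The check that the article says opkg skipped, written out as an added Python example (not opkg's own code): parse a package-list stanza, then compare both the Size and the SHA256sum of a downloaded .ipk against it. The index text, the .ipk byte strings and the Filename value are constructed for the example; `require_checksum=False` models the described flaw, where a same-size file passes because only the size is compared.

```python
import hashlib
import re

# Constructed stand-ins for a downloaded .ipk: identical length, one word changed,
# so only the SHA-256 comparison (not the size comparison) can tell them apart.
ORIGINAL_IPK = b"#!/bin/sh\necho original\n"
TAMPERED_IPK = b"#!/bin/sh\necho modified\n"

# Constructed sample of an opkg package list ("Packages" index): blank-line
# separated stanzas of "Field: value" lines. The opkg version string is the one
# quoted in the article; the Filename architecture suffix is made up.
SAMPLE_INDEX = (
    "Package: opkg\n"
    "Version: 2020-01-25-c09fe209-1\n"
    "Filename: opkg_2020-01-25-c09fe209-1_CONSTRUCTED-ARCH.ipk\n"
    f"Size: {len(ORIGINAL_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(ORIGINAL_IPK).hexdigest()}\n"
    "\n"
    "Package: legacy-example\n"   # constructed entry with no checksum at all
    "Version: 1.0-1\n"
    "Size: 24\n"
)


def parse_index(text):
    """Parse a Packages index into {package name: {field: value}}."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages


def verify_package(index, name, data, require_checksum=True):
    """Check downloaded package bytes against the index entry for `name`.

    Returns (ok, reason). With require_checksum=True (the safe behaviour) a
    missing or mismatched SHA256sum is a failure. require_checksum=False models
    the flaw the article describes: the size still has to match, but the
    SHA-256 result is ignored, so a same-size tampered file is accepted.
    """
    entry = index.get(name)
    if entry is None:
        return False, "package not listed in index"
    size = entry.get("Size")
    if size is None or int(size) != len(data):
        return False, "size mismatch"
    expected = entry.get("SHA256sum")
    if expected is None:
        if require_checksum:
            return False, "index entry carries no SHA256sum"
        return True, "accepted on size only (no checksum in index)"
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected.lower():
        if require_checksum:
            return False, "sha256 mismatch"
        return True, "accepted on size only (checksum ignored)"
    return True, "sha256 and size match"


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    for label, blob in (("original", ORIGINAL_IPK), ("tampered", TAMPERED_IPK)):
        print(label, "strict:", verify_package(idx, "opkg", blob))
        print(label, "flawed:", verify_package(idx, "opkg", blob, require_checksum=False))
```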

"Corona antivirus" infects victims with malware




By Anthony Spadafora 2 days ago

New site claims its antivirus software can protect users from getting the coronavirus






Cybercriminals continue to leverage the ongoing coronavirus outbreak for their own gain by launching numerous scam campaigns which use Covid-19 as a lure to trick users into installing a variety of malware and data stealers.

In the latest scam, discovered by Malwarebytes, cybercriminals have set up a website advertising “Corona Antivirus - World's best protection” which tries to trick users into installing antivirus software that supposedly has the capabilities to protect users from becoming infected with the virus in real life. The creators of the site have even provided more details on how their solution works, saying:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”



While most users will likely understand that there is no way for any type of software to protect them from becoming infected with the coronavirus, there is a possibility that some will fall for this scheme as the cybercriminals behind it have taken the necessary steps to make their website appear legitimate.

BlackNET RAT

Once a user installs the application available on the Corona Antivirus site, their computer will be infected with malware. The installation file, which contains the commercial packer Themida, will turn a user's PC into a bot ready to receive commands.

After inspecting the command and control server, Malwarebytes discovered a control panel for the BlackNET botnet. The full source code for the BlackNET toolkit was published on GitHub a month ago and some of its features include deploying DDoS attacks, taking screenshots, stealing Firefox cookies, stealing saved passwords, implementing a keylogger, executing scripts and stealing Bitcoin wallets, among others.

While working from home, it is important that all users keep their computers up to date and exercise caution when downloading and installing new programs to avoid falling victim to the many coronavirus-themed scams that are currently making their way around the web.

After investigating the Corona Antivirus site, Malwarebytes informed CloudFlare of its discovery and the CDN took immediate action to flag the website as malicious.

Thursday, March 26, 2020

Home office is where the heart is…





James Shepperd23 Mar 2020



Or is it… home office is where the hurt is?

Usually I am quite happy to have home office, in my division at ESET (IT company) we are permitted two per month. It’s not a lot but maybe that is why I look forward to it. My kids are at school, my wife is at work and my colleagues are behind a virtual wall that I control! (-;

Or, I should probably say, that was home office. With COVID-19 restrictions in place, home office has… certainly changed, a lot! For starters, both my kids and wife are home. Then, my team… well it just got a lot bigger. The number of ESET staff and departments I connect with has virtually multiplied by a factor of three, at least it feels like it. It’s not that I am bitter, just well, it’s not fun and games anymore.

VPN
Shields up! With only two home office days per month, I simply relied on my company-provided Virtual Private Network (VPN) as a sufficient safeguard, but after reading this blog on home office security measures end to end, which I requested, I took a look at my router settings. Oh, looks like I have some security improvements to make. Anyway, with my VPN turned on I can access some otherwise restricted marketing resources, which have their own protection protocols. In simple terms, a VPN lets you make a secure connection to another network over the Internet, access region- or security-restricted websites, and shield your browsing activity. Now that I, along with every other marketer in the company, am accessing these files from a home network, I can see why there is the added layer of protection.

Passwords
Best practice: Aside from the little notebook with the hard copy of passwords I keep buried under my..., I use a password manager, which can store all my needed credentials in one place, under one “master password”. Just as a reminder, create a strong password or passphrase, keep the password(s) secure and consider a second-factor method of protection that helps prevent unwanted access.
Even strong passwords can fall victim to malicious actors using keyloggers and other technology to crack your online accounts. So, strongly consider using a product like ESET Smart Security Premium that integrates several privacy protection features including password management and protection against keylogging via Two Factor Authentication (2FA).

Two Factor Authentication
“Open Sesame” and… While my VPN is a prerequisite for accessing our intranet and a number of applications that can be found there, for more sensitive applications I am challenged at the “gate”. What I mean is that my login is quickly followed by a request for a single time passcode.

The companion app for our intranet platform pings my mobile phone with the authenticator, I enter the code and “I’m in!”. When I first came to the company, I used to mutter under my breath about accessing various admin dashboards or restricted forums with 2FA. I saw it as just another barrier or headache. But in the years since, especially working on our offer for small and medium businesses and small or home office clients I have seen up close how social media or whole websites get disrupted, events that cause serious reputational damage. I don’t want that kind of damage on my name. These days I even use 2FA on my personal email account after it got hacked.

Kids and Home Office
The pain: now on to a more personal note, my kids interfering with my perfect home office vibe! The Corona virus has upped the ante on my multitasking skills. My kids have to learn – my wife and I are their new substitute teachers. We also have to work. So it means teaching and working at the same time. So, my top tip: keep them on their usual schedule.

Mornings: Wake at 6:30 am, we have a bite to eat and then put on our masks and glasses and take a brisk 20-minute walk through the park behind our house. This gets everyone going and ready to start their daily assignments, which come via email. I know many of you won’t have empty parks behind your houses, but if you have an area nearby with low numbers of people (at 6:45-7:00 am they should be empty), then the benefit to mood and focus is (to me) worth the risk.

By 8:00 am, I am at my desk, and the kids have started with any assignments. Our rule is that they have to finish their first block of assignments by 11:00 am, the lunch time I had pre-COVID-19. I found that by addressing my needs first I am able to be more patient and adaptable with covering their needs.

Meals, well… when I shop, I buy a lot of fruit for snacks and when making sandwiches or cooking warm meals have started making double portions to ensure we have enough leftovers. They are starting to accept that we aren’t going to the store so often and they will get leftovers at least once every day. Smiley (-:

Afternoons: After lunch, I disengage from my work and review any questions, lost assignments, or missing workbook issues. Before sinking myself into that task I make sure to lock my PC (Ctrl+Alt+Del). That prevents my kids from accidentally losing my work… or publishing anything to the company’s social media.

My wife: She has a busy job, lots of calls, video chats etc. This is a challenge. Back to my 8:00am – 11:00am sprint. During those hours she tries to be available for the kids; in the afternoon I am up. This trade-off doesn’t mean we are in full teacher mode, but it allows one of us to accept a period of interruption, knowing that later, we will have higher quality work time. When we both know we’ll be engaged on conference calls or whatever… that is when some scheduled online educational games and snacks come in handy.








Oh, and the daily device wipe down: Since my hands haven’t completely fallen off, yet… I also take the opportunity to wipe down my keyboard, mouse and trackpad. If you’ve got tablets, I’d do those too with (screen-safe) cleaner or in a pinch simply a damp rag. I start with our devices and move on to doorknobs and high-traffic surfaces.

Promises: I promised this personal view on my secure home office to the Public Relations team at ESET. After saying “YES”, I started to feel vulnerable. “My security practices are gonna be visible to all my colleagues and the wider public.” But, there is hope.

Only via critique can you learn better practices and maybe the Corona virus can achieve what GDPR and countless internet security awareness campaigns have yet to do, raise people’s appreciation for basic security measures.

Wednesday, March 25, 2020

Over 50 Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme





March 24, 2020, Ravie Lakshmanan
More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

Dubbed "Tekya," the malware in the apps imitated users' actions to click ads from advertising networks such as Google's AdMob, AppLovin', Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News.

"Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on)," the researchers said.


While the offending apps have been removed from Google Play, the find by Check Point Research is the latest in an avalanche of ad fraud schemes that have plagued the app storefront in recent years, with malware posing as optimizer and utility apps to perform phony clicks on ads.


Malware Abuses MotionEvent API to Simulate User Clicks
Stating that the campaign cloned legitimate popular apps to gain an audience, the researchers found that the newly discovered 56 apps bypassed Google Play Store protections by obfuscating their native code and relying on Android's MotionEvent API to simulate user clicks.

Once an unwitting user installs one of the malicious apps, the Tekya malware registers a receiver, an Android component that's invoked when a certain system or application event occurs, such as a device restart or when the user is actively using the phone.



The receiver, when it detects these events, then proceeded to load a native library named "libtekya.so" that includes a sub-function called "sub_AB2C," which creates and dispatches touch events, thereby mimicking a click via the MotionEvent API.


An Ongoing Problem of Mobile Ad Fraud
Mobile ad fraud manifests in different ways, including threat actors planting malware-laced ads on user phones or embedding malware in apps and online services to generate clicks fraudulently to receive payouts by advertising networks.


Mobile security vendor Upstream's analysis of 2019 data revealed that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Nearly 23 percent of the malicious Android ads that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment, and shopping apps.

Google, for its part, has been actively trying to stop rogue Android apps from infiltrating the Google Play Store. It has leveraged Google Play Protect as a means to screen potentially harmful applications and also forged an "App Defense Alliance" in partnership with cybersecurity firms ESET, Lookout, and Zimperium to reduce the risk of app-based malware.

To safeguard yourself from such threats, it's recommended that you stick to the Play Store for downloading apps and avoid sideloading from other sources. More importantly, scrutinize the reviews, developer details, and the list of requested permissions before installing any app.


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours



By Ionut Ilascu, March 24, 2020, 06:26 PM






Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation, unless a critical patch is applied.

The company made a similar announcement in November 2019, when a firmware defect caused failures after 32,768 hours of running.
Affected drives

The current issue affects drives in HPE server and Storage products like HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, StoreEasy 1000 Storage.
HPE Model Number | HPE SKU | HPE SKU Description | HPE Spare Part SKU | HPE Firmware Fix Date
EK0800JVYPN | 846430-B21 | HPE 800GB 12G SAS WI-1 SFF SC SSD | 846622-001 | 3/20/2020
EO1600JVYPP | 846432-B21 | HPE 1.6TB 12G SAS WI-1 SFF SC SSD | 846623-001 | 3/20/2020
MK0800JVYPQ | 846432-B21 | HPE 800GB 12G SAS MU-1 SFF SC SSD | 846624-001 | 3/20/2020
MO1600JVYPR | 846436-B21 | HPE 1.6TB 12G SAS MU-1 SFF SC SSD | 846625-001 | 3/20/2020


The company says that this is a comprehensive list of impacted SSDs it makes available. However, the issue is not unique to HPE and may be present in drives from other manufacturers.

If the SSDs in these products run a firmware version older than HPD7, they will fail after being powered on for 40,000 hours; this translates to 4 years, 206 days and 16 hours, which is about half a year shorter than the extended warranty available for some of them.

When the failure point is reached, neither the data nor the drive can be recovered. Preventing such a disaster is possible in environments with data backup setups.

HPE learned about the firmware bug from a SSD manufacturer and warns that if SSDs were installed and put into service at the same time they are likely to fail almost concurrently.


“Restoration of data from backup will be required in non-fault tolerance modes (e.g., RAID 0) and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive [e.g. RAID 5 logical drive with two failed SSDs]” - HPE advisory

The new firmware can be installed by using the online flash component for VMware ESXi, Windows, and Linux.
Not as bad as last time

There is some good news, though. Checking the shipping dates from HPE against the 40,000-hour limit, no affected SSD has yet failed because of this firmware bug.

HPE estimates that unpatched SSDs will begin to fail as early as October 2020. This gives plenty of time for admins to apply the corrected firmware.

Back in November, reports about storage drive failures came pouring in on social media and forums, with users complaining about devices collapsing in bulk, minutes apart.

Finding out the uptime of an affected drive is possible with the Smart Storage Administrator (SSA) utility, which offers the power-on time for every drive installed on the system.

Alternatively, users can run scripts that check whether the firmware on their SSDs has the 40,000 power-on-hours failure issue. The scripts work for certain HPE SAS SSDs and are available for Linux, VMware and Windows.

JohnC_21 - 4 hours ago 

The company said in a bulletin that the “issue is not unique to HPE and potentially affects all customers that purchased these drives.” HPE has not identified the SSD maker and refused to do so, saying: “We’re not confirming manufacturers.”

However, a Dell EMC urgent firmware update issued last month also mentioned SSDs failing after 40,000 operating hours and specifically identified SanDisk SAS drives. The update included firmware version D417 as a fix.

The fault fixed by the Dell EMC firmware concerns an Assert function which had a bad check to validate the value of a circular buffer’s index value. Instead of checking the maximum value as N, it checked for N-1. The fix corrects the assert check to use the maximum value as N.

It seems likely that the HPE drives are SanDisk drives as well.

https://blocksandfiles.com/2020/03/24/hpe-enterprise-ssd-40k-hours-flaw/
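The off-by-one JohnC_21 describes, as an added Python illustration that is not the firmware's code: a circular buffer whose write path validates the index against N-1 instead of N rejects the last legitimate slot, so the assertion fires at a fixed, predictable write count rather than on any data-dependent condition. The buffer size is a constructed small value; the real one is not given in the thread.

```python
RING_SIZE = 8  # constructed small N; the real buffer size is not stated in the thread


def index_ok_buggy(idx, n=RING_SIZE):
    """Flawed validation as described: the limit is taken as N-1, so the last
    legitimate slot (idx == N-1) fails the check."""
    return 0 <= idx < n - 1


def index_ok_fixed(idx, n=RING_SIZE):
    """Corrected validation: any slot in [0, N) is valid."""
    return 0 <= idx < n


class RingBuffer:
    """Minimal circular buffer that asserts the write index before using it,
    the way the firmware's Assert is described; `check` selects the rule."""

    def __init__(self, n, check):
        self.n = n
        self.check = check
        self.slots = [None] * n
        self.head = 0
        self.writes = 0

    def push(self, value):
        if not self.check(self.head, self.n):
            raise AssertionError(
                f"index {self.head} rejected after {self.writes} writes")
        self.slots[self.head] = value
        self.head = (self.head + 1) % self.n   # wrap around at N
        self.writes += 1


def writes_before_assert(check, n=RING_SIZE, limit=100_000):
    """Drive the buffer for up to `limit` writes; return how many succeeded
    before the assertion fired (equal to `limit` if it never did)."""
    buf = RingBuffer(n, check)
    for i in range(limit):
        try:
            buf.push(i)
        except AssertionError:
            break
    return buf.writes


if __name__ == "__main__":
    print("buggy check fails after", writes_before_assert(index_ok_buggy), "writes")
    print("fixed check survives", writes_before_assert(index_ok_fixed), "writes")
```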

Tuesday, March 24, 2020

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic



Free Sucuri WAF for Medical & Social Services

MARCH 24, 2020CHASE WATTS



During the COVID-19 pandemic, there is concern about health systems worldwide. Many people in isolation or self-quarantine are looking for accurate medical information online on a daily basis.

As a result, it is crucial that public health and social service websites remain available. We want to prevent malicious users from abusing these types of websites. So, we decided to stand up and do something about it.

Free year of the Sucuri WAF for crisis responders

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic. We are offering website protection and increased performance for dedicated professionals and volunteer services who have been acting as crisis responders, such as:
Hospitals
Physicians
Emergency medical technicians
Food banks

All you need to do is submit an eligibility form to get a free year of the Sucuri WAF .

Don’t let bad actors exploit our situation

Though some ransomware groups are claiming they will not be targeting health organizations, there are still bad actors online that will likely treat the COVID-19 outbreak as an opportunity. They do so at their own risk; a response from national cybersecurity units and ethical hackers is inevitable.


@mikko, 12:36 PM, Mar 18, 2020:
“Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.”






When people flock to a website for help, some hackers and scammers can work to compromise the site and steal valuable data. Worse still, they could even use a distributed denial of service (DDoS) attack to shut it down completely.

This is not just a problem for health care and social services. Many organizations currently lack the IT resources required to address the cybersecurity challenges of rapidly shifting the workforce and business model to an online environment.


Security Under Swift Law (@SwiftOnSecurity), 9:32 PM, Mar 19, 2020:
“We need a global suspension of malware activity right now. Security teams are getting pulled into assisting with Work-From-Home to keep isolation and save people’s lives. Come back 2x harder when this ends whatever. We can’t be doing this right now.”






For those who are new to working from home, we’ve released a post including security tips for remote workers.
How can Sucuri protect and speed up your website?

We keep our WAF updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.

Traffic surges to a website can reduce availability. Our WAF mitigates traffic surges with the Anycast content delivery network (CDN). The Anycast CDN stores copies of a website on numerous points of presence (PoP) throughout the world, and then delivers content to an individual via the nearest PoP.

That improves a website’s availability during episodes of high traffic and speeds up content delivery by an average of 70%.
Count on our WAF for HIPAA compliance

We built our WAF with people in mind who must adhere to the U.S. Health Insurance Portability and Accountability Act (HIPAA). With your website behind our WAF, be confident you’re meeting standards for protected health information.

If you have any questions, feel free to chat with us. Stay safe!

Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions





March 23, 2020, Mohit Kumar
Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers.

According to Microsoft, both unpatched flaws are being used in limited, targeted attacks and impact all supported versions of the Windows operating system—including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support on January 14, 2020.

Both vulnerabilities reside in the Windows Adobe Type Manager Library, font-parsing software that not only parses content when a file is opened with third-party software but is also used by Windows Explorer to display the contents of a file in the 'Preview Pane' or 'Details Pane' without the user having to open it.


The flaws exist in Microsoft Windows when the Adobe Type Manager Library improperly "handles a specially-crafted multi-master font - Adobe Type 1 PostScript format," allowing remote attackers to execute arbitrary malicious code on targeted systems by convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.


"For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities," Microsoft said.
At this moment, though it's not clear whether the flaws can also be triggered remotely through a web browser by convincing a user to visit a web page containing specially crafted malicious OTF fonts, there are multiple other ways an attacker could exploit the vulnerability, such as through the Web Distributed Authoring and Versioning (WebDAV) client service.


No Patch Yet Available; Apply Workarounds
Microsoft said it's aware of the issue and working on a patch, which the company would release to all Windows users as part of its next Patch Tuesday updates, on April 14.


"Enhanced Security Configuration does not mitigate this vulnerability," the company added.

1) Disable the Preview Pane and Details Pane in Windows Explorer
Meanwhile, all Windows users are highly recommended to disable the Preview Pane and Details Pane feature in Windows Explorer as a workaround to reduce the risk of getting hacked by opportunistic attacks.


To disable the Preview Pane and Details Pane feature:


Open Windows Explorer, click Organize and then click Layout.
Clear both the Details pane and Preview pane menu options.
Click Organize, and then click Folder and search options.
Click the View tab.
Under Advanced settings, check the Always show icons, never thumbnails box.
Close all open instances of Windows Explorer for the change to take effect.
However, note that while this workaround prevents malicious files from being viewed in Windows Explorer, it does not restrict legitimate third-party software from loading the vulnerable font-parsing library.


2) Disable the WebClient service
Besides this, it is also advised to disable Windows WebClient service to prevent cyberattacks through the WebDAV client service.


Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
Right-click WebClient service and select Properties.
Change the Startup type to Disabled. If the service is running, click Stop.
Click OK and exit the management application.
"After applying this workaround, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet," Microsoft warned.


3) Rename or Disable ATMFD.DLL
Microsoft is also urging users to rename Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which could cause certain 3rd-party apps to stop working.

Enter the following commands at an administrative command prompt:


For 32-bit systems:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll

For 64-bit systems:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
Restart the system.

Fake Corona Antivirus Software Used to Install Backdoor Malware



By Sergiu Gatlan, March 23, 2020, 07:12 PM






Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target's computer with the BlackNET RAT and add it to a botnet.

The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively.

While the former was already taken down since Malwarebytes' report, the one spotted by MalwareHunterTeam is still active but it had its contents altered, with the malicious links removed and a donation link added to support the scammers' efforts — spoiler alert, no donations were made until now.



"Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus," the site reads. "Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app.

Last but not least, the malicious sites' makers also mention an update that will add VR sync capabilities to their fake antivirus: "We analyse the corona virus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

If anyone were to fall for this, they would end up downloading an installer from antivirus-covid19[.]site/update.exe (link is now down) that will deploy the BlackNET malware onto their system if launched.

BlackNET will add the infected device to a botnet that can be controlled by its operators:

• to launch DDoS attacks
• to upload files onto the compromised machine
• to execute scripts
• to take screenshots
• to harvest keystrokes using a built-in keylogger (LimeLogger)
• to steal bitcoin wallets
• to harvest browser cookies and passwords.

The BlackNET RAT, which was rated as 'skidware malware' by MalwareHunterTeam, is also capable of detecting whether it's being analyzed within a VM, and it will check for the presence of analysis tools commonly used by malware researchers, per c0d3inj3cT's analysis.

The malware also comes with bot management features including restarting and shutting down the infected devices, uninstalling or updating the bot client, and opening visible or hidden web pages.

One of the sites promoting this bogus Corona Antivirus was spotted by MalwareHunterTeam on March 6, while the other was exposed by Malwarebytes' Threat Intelligence team in a report published today.

In somewhat related news, an HHS.gov open redirect is currently abused by attackers to deliver Raccoon info-stealing malware payloads onto targets' systems via a coronavirus-themed phishing campaign.

The actors behind these ongoing phishing attacks use the open redirect to link to a malicious attachment that delivers a VBS script previously seen in use by the operators behind Netwalker Ransomware to deploy their payloads.

The World Health Organization (WHO), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Trade Commission (FTC) have all warned about Coronavirus-themed phishing and attacks targeting potential victims from countries around the globe (1, 2, 3).

Monday, March 23, 2020

G Suite: 8 tips for getting it done when working from home


Hashim Director, Product Management, Hangouts Meet, Voice & Calendar


With many businesses considering how best to keep teams connected when not everyone can be in the same location, we’ve been asked by a number of our customers for recommendations for staying productive and on task. Here are some best practices for fostering collaboration when your teams find themselves working remotely.


Set up your team for remote work

Make sure your team has the right tools and processes set up before you transition from working at the office to working from home. Once they’re set up, here are a few extra steps you can take in advance:



1. Create a team alias to easily stay in touch. An email list that includes all your team members lets you quickly share information, and a chat room can be used for faster-moving discussions.


2. Check sharing permissions on important documents so collaborators can edit and comment as needed. You might even consider creating a shared drive where your team can store, search, and access files from any device.


3. Schedule meetings now so you can stay in contact later. Set up calendar invites, create an agenda ahead of time, and attach relevant docs to the invite. It’s also a good idea to make sure everyone is familiar with video conferencing.



Keep your team connected and organized each day

Now that your team is set up and everyone's ready to work from home, here are some ways to keep everyone on the same page.

4. Hold daily meetings to stay connected with your co-workers. Working at home can be isolating for some, and video conferencing is a great way to keep people engaged. Try to be visible on camera when appropriate, present relevant content, and ask questions to spark conversations. When time zones prevent everyone from joining a meeting, record it—after making sure that participants feel comfortable being recorded!

5. Share goals and updates regularly. Whether it’s through a chat group or in a shared document that everyone updates, a record of what’s being accomplished is a great way to feel connected, keep everyone up to date, and follow-up on action items. You can also set up an internal site to consolidate important information and resources into a central hub for your team, or to share information with your organization more broadly.

6. Continue to practice good workplace etiquette. Just because your team isn’t at the office doesn’t mean they’re not busy. Check calendars before scheduling meetings, and when you reach out via chat, start by asking if it’s a good time to talk. You can also proactively inform your co-workers of your own availability by setting up working hours in Calendar. That way, if a team member tries to schedule a meeting with you outside of your working hours, they’ll receive a warning notification.


Getting your work done on the Wi-Fi at home

Sharing space—and an internet connection—at home means you might need to be mindful of the needs of others in your household. Here are a few tips.

7. Don’t spend all day on video. There are many tools at your disposal for staying in touch with your team, whether it's a chat room, a shared document, a short survey, or a quick conference call. Pick what works best—especially if you’re sharing an internet connection.

8. Find the right set-up for you. You might need to try a few different configurations before you discover how to stay focused and not distract others. Here are six tips for better video calls including how to turn on live captioning so you can read a transcript of the meeting in real time. These are just a few of the ways the G Suite team is thinking about staying focused and collaborative. For more information, watch these videos with tips on working from home, and check out the latest updates in our Learning Center article on tips for working remotely.

Sunday, March 22, 2020

SCAMS Coronavirus scams, found and explained






Posted: March 20, 2020 by David Ruiz
Last updated: March 19, 2020


Coronavirus has changed the face of the world, restricting countless individuals from dining at restaurants, working from cafes, and visiting their loved ones. But for cybercriminals, this global pandemic is expanding their horizons.

In the past week, Malwarebytes discovered multiple email scams that prey on the fear, uncertainty, and confusion regarding COVID-19, the illness caused by the novel coronavirus. With no vaccine yet developed, and with much of the world undergoing intense social distancing measures and near-total lockdown procedures, threat actors are flooding cyberspace with emailed promises of health tips, protective diets, and, most dangerously, cures. Attached to threat actors’ emails are a variety of fraudulent e-books, informational packets, and missed invoices that hide a series of keyloggers, ransomware, and data stealers.

The problem expands beyond pure phishing scams.

On March 14, Twitter user @dustyfresh published a web tracker that found 3,600 coronavirus- and COVID-19-related hostnames that sprang up in just 24 hours.

On March 17, security researcher and Python developer @sshell_ built a tool, hosted by the team at ThugCrowd, that provides real-time scans for potentially malicious, coronavirus-related domains. Just click the link and watch possible scam sites get registered every minute.

Further, RiskIQ reportedly tracked more than 13,000 suspicious, coronavirus-related domains last weekend, and more than 35,000 domains the next day, too.

These numbers mean little without real, useful examples, though. Yes, coronavirus scams and scam sites are out there, but what do they look like, and how do they work? We're here to explain.

Here are some of the many email scams that Malwarebytes spotted in the wild, with full details on what they say, what they’re lying about, and what types of malware they’re trying to install on your machines. The good news? Malwarebytes protects against every threat described.
Impersonating the World Health Organization

Earlier this week, we found an email phishing campaign sent by threat actors impersonating the World Health Organization (WHO), one of the premier scientific resources on COVID-19. That campaign, which pushed a fake e-book to victims, delivered malicious code for a downloader called GuLoader. That download is just the first step in a more complex scheme.


As we wrote:


“GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors.”

Unfortunately, this GuLoader scam is just one of many in which threat actors posed as WHO professionals as a way to trick victims into downloading malicious attachments.

On March 18, we uncovered an email campaign that pushed victims into unwittingly downloading an invasive keylogger called Agent Tesla. The keylogger, which experienced a reported 100 percent increase in activity across three months in 2018, can steal a variety of sensitive data.

As cybersecurity researchers at LastLine wrote: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”

The Agent Tesla campaign that we tracked on Wednesday involved an email with the subject line: Covid19″ Latest Tips to stay Immune to Virus !!

The email came to individuals’ inboxes allegedly from the WHO, with a sender email address of “sarah@who.com.” Notice that the sender’s email address ends with “.com” when legitimate WHO email addresses instead end with “.int.”


The email alleges to include a PDF file about “various diets and tips to keep us safe from being effected with the virus.” It is signed by a “Dr. Sarah Hopkins,” a supposed media relations consultant for the WHO.

A quick online search reveals that the WHO has a public website for contacting its media relations representatives, and that none of those representatives is named Sarah Hopkins. Also, note how “Dr. Hopkins” has a phone number that doesn’t work, at +1 470 59828. Calling the number from a US-based phone resulted in an error message from the mobile service provider.

Interestingly, the above scam is just one example of an email campaign that both impersonates the WHO and attempts to deliver Agent Tesla.

On the same day we found the above-mentioned Agent Tesla scam, we found another that mirrored its tactics and payload.

The second Agent Tesla scam arrives in individuals' inboxes with the email subject line "World Health Organization/Let's fight Corona Virus together".

Already, savvy readers should spot a flaw. The unnecessary space placed between the words “Corona” and “Virus” mirrors a similar grammatical error, an unnecessary hyphen, in the GuLoader scam we covered on Malwarebytes Labs this week.


The entire body of the email reads verbatim:


We realise that the spread of the COVID-19 coronavirus may leave you feeling concerned, so we want to take a moment to reassure you that your safety and well-being remains our absolutely top priority.


Please be assured that our teams are working hard and we are monitoring the situation and developments closely with the health and governmental authorities of all countries we operate in. See attached WHO vital information to stay healthy.


we personally thank you for your understanding and assure you that we will do our utmost to limit disruptions this event brings to your travel plans while keeping your well-being our top priority.

This campaign attempts to trick victims into downloading a fake informational packet on coronavirus, with the file title “COVID-19 WHO RECOMMENDED V.gz.” Instead of trustworthy information, victims are infected with Agent Tesla.

While this campaign does not include as many smoke-and-mirrors tactics, such as a fake media representative and a fake phone number, it can still do serious damage simply by stoking the fears surrounding COVID-19.

Finally, we found a possible WHO impersonator pushing the NetWire Remote Access Trojan (RAT). RATs can allow hackers to gain unauthorized access to a machine from a remote location.

As we explain in our Threat Center profile on RATs, these types of Trojan can have devastating effects:

If Remote Access Trojan programs are found on a system, it should be assumed that any personal information (which has been accessed on the infected machine) has been compromised. Users should immediately update all usernames and passwords from a clean computer, and notify the appropriate system administrator of the potential compromise. Monitor credit reports and bank statements carefully over the following months to spot any suspicious activity on financial accounts.

The NetWire campaign included a slapdash combo of a strange email address, an official-looking WHO logo inside the email’s body, and plenty of typos.


Sent from “Dr. Stella Chungong” using the email address “brennan@caesars.com,” the email subject line is “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” The body of the text reads:


To whom it may concern,


Go through the attac=ed document on safety measures regarding the spreading of Corona-virus.


Common symptoms include fever, cough, shortness in breath, and breathi=g difficulties.


Regards.

Dr. Stella Chungong


Specialist whuan=virus-advisory

The litany of misplaced “=” characters should immediately raise red flags for potential victims. These common mistakes show up in a wide variety of malicious email campaigns, as threat actors seem to operate under the mindset of “Send first, spellcheck later.”
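The tells catalogued above (a sender domain that does not belong to the organisation the mail claims to speak for, "=" residue wedged inside words, and payload-carrying attachments) are mechanical enough to check automatically at triage time. What follows is an added example written for this page in Python, not Malwarebytes' own tooling: the sample messages are constructed from the descriptions in the article rather than real captures, and the who.int domain table and the list of risky extensions are assumptions to be extended for your own environment.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Organisations a mail may claim to speak for, with the domains that legitimately
# send for them. The article notes real WHO addresses end in ".int"; who.int is
# the only entry here (assumption: extend the table for organisations you expect).
CLAIMED_ORGS = [
    ("World Health Organization",
     re.compile(r"\bWorld Health Organi[sz]ation\b|\bWHO\b"),  # case-sensitive so "WHO" != "whom"
     {"who.int"}),
]

# A bare "=" wedged inside a word ("attac=ed", "breathi=g") is leftover
# quoted-printable encoding residue, a tell the article calls out. Plain
# "a=b" arithmetic in legitimate mail would also match, so review the hits.
QP_RESIDUE = re.compile(r"\b\w*[A-Za-z]=[A-Za-z]\w*\b")

# Attachment extensions that carried payloads in the campaigns above (.gz for the
# fake WHO packet, .exe for the fake antivirus installer); the rest are assumptions.
RISKY_EXTENSIONS = (".exe", ".vbs", ".gz", ".zip", ".scr", ".js", ".jar")


def sender_domain(msg):
    """Lower-cased domain of the From: address, or '' when it is missing or malformed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(msg):
    """Return findings as 'code: detail' strings; an empty list means no tells fired."""
    findings = []
    domain = sender_domain(msg)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    visible = f"{msg.get('From', '')}\n{subject}\n{body}"  # what the recipient actually sees

    if not domain:
        findings.append("malformed-sender: no usable From: address")

    # Tell 1: names an organisation but is sent from a domain that is not theirs.
    for name, pattern, good_domains in CLAIMED_ORGS:
        if pattern.search(visible) and not any(
                domain == d or domain.endswith("." + d) for d in good_domains):
            findings.append(f"sender-mismatch: claims {name} but sent from {domain or 'unknown'}")

    # Tell 2: encoding residue in the visible text.
    hits = sorted({m.group(0) for m in QP_RESIDUE.finditer(visible)})
    if hits:
        findings.append("encoding-residue: " + ", ".join(hits))

    # Tell 3: attachments of the kinds that delivered the payloads described above.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment: {filename}")
    return findings


def build_message(sender, subject, body, attachment_name=None):
    """Build a constructed sample message (contents are placeholders, not real captures)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a real payload",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg


# Constructed samples modelled on the campaigns described in the article.
FAKE_WHO = build_message(
    "Sarah Hopkins <sarah@who.com>",
    "World Health Organization/Let's fight Corona Virus together",
    "See attached WHO vital information to stay healthy.",
    attachment_name="COVID-19 WHO RECOMMENDED V.gz")
FAKE_NETWIRE = build_message(
    "Stella Chungong <brennan@caesars.com>",
    "SAFETY COVID-19 (Coronavirus Virus) AWARENESS - Safety Measures",
    "Go through the attac=ed document on safety measures.\n"
    "Common symptoms include fever, cough and breathi=g difficulties.")
LEGIT = build_message(
    "WHO Media <media@who.int>",
    "WHO situation report",
    "Today's situation report is available on the WHO website.")

if __name__ == "__main__":
    for label, sample in (("fake WHO", FAKE_WHO), ("fake NetWire", FAKE_NETWIRE), ("legit", LEGIT)):
        print(label, "->", triage(sample) or "no tells")
```

Running the script prints the findings for each constructed sample: the fake WHO mail trips both the sender-mismatch and the risky-attachment checks, the NetWire-style mail trips only the encoding-residue check, and the who.int mail produces nothing. The checks are deliberately independent so that each one can be fed into a mail gateway or SIEM rule on its own; the domain table is the piece that needs the most care, since a legitimate organisation may send from several domains.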
Other malspam campaigns

Most of the coronavirus scams we spotted online are examples of malspam—malicious spam email campaigns that cross the line from phony, snake-oil salesmanship into downright nefarious malware delivery.

Here are a number of malspam campaigns that our threat intelligence team found since March 15.

First up is this strange email titled "RE: Due to outbreak ofCoronavirus," which arrives in users' inboxes from the vague sender "Marketing," with an email address of "info@bcsl.co.ke." A Google search reveals that bcsl.co.ke appears to point to Boresha Credit Service Limited, a debt collector based in Kenya.


The short email reads:


Hello,


We have been instructed by your customer to make this transfer to you.


we are unable to process your payment as the SWIFT CODE in your bank account information is wrong,


please see that enclosed invoice and correct SWIFT CODE so we can remit payment ASAP before bank close.”

Again, scrutinizing the details of the email reveals holes in its authenticity.

The email is signed by “Rafhana Khan,” a supposed “Admin Executive” from the United Arab Emirates. The email sender includes this extra bit of info that leads us nowhere: TRN No. 100269864300003.

What is a TRN, and why would it be included? At best, we can assume this is the individual’s “tax registration number,” but think about the last time anyone signed an email with the US equivalent—their tax identification number. You’ve probably never seen that before, right? That’s because tax IDs are meant to be private, and not shared in email signatures. We can assume that the threat actors included this bogus bit of info to add some imaginary credibility. Really, it’s just nonsense.

The email’s attached invoice, once again, pushes GuLoader to the potential victim.

Another spotted malspam example pushes neither GuLoader nor Agent Tesla. Instead, it tries to trick users into downloading a malware called HawkEye, a credential stealer that has plagued users since at least 2013.

According to the cybersecurity news outlet Security Affairs, HawkEye “is offered for sale on various hacking forums as a keylogger and stealer, [and] it allows to monitor systems and exfiltrate information.”

The HawkEye scam comes packaged in an email with the subject line “CORONA VIRUS CURE FOR CHINA,ITALY” from the alleged sender “DR JINS (CORONA VIRUS).” Again, potential victims receive a short message. The entire email body reads:


Dear Sir/Ma,


Kindly read the attached file for your quick remedy on CORONA VIRUS.

The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.


On March 15, we also found an email scam targeting victims in the UK and pushing, yet again, GuLoader. This time, threat actors promised updated statistics on the number of confirmed coronavirus cases in the United Kingdom.

The malicious email comes from the sender “PHE” with the email address paris@mfa.go.ke, which, like one of the examples above, appears to come from Kenya.

Because threat actors have one overplayed tactic in these types of campaigns—putting in low effort—the content of the email is simple and short. The email reads:


Latest figures from public health authorities on the spread of Covid-19 in the United Kingdom.


Find out how many cases have been reported near you.

There is no email signature, and not even a greeting. Talk about a lack of email etiquette.

Finally, we found another campaign on March 18 that targets Spanish-speaking victims in Spain. The email, titled “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19,” pushes GuLoader.


The email is signed by “Adriana Erico,” who offers no phone number, but does offer a fax number at 93 784 50 17. Unlike the fake phone number we tested above, we could not test the authenticity of this fax number, because the Bay Area is under a shelter-in-place order, and, truthfully, I don’t own a fax machine in my home.
Protect yourself

Threat actors are always looking for the next crisis to leverage for their own attacks. For them, coronavirus presents a near-perfect storm. Legitimate confusion about accurate confirmed cases, testing availability, and best practices during social distancing makes for a fearful public, hungry for answers anywhere.

Like we said the last time we looked at COVID-19 scams, the best places for information remain the WHO and the US Centers for Disease Control and Prevention (CDC).

You can find updated statistics about confirmed COVID-19 cases in the WHO's daily situation reports here.

You can also find information on coronavirus myths at the WHO’s Myth Busters webpage, along with its Q&A page.

To help prevent the spread of the illness, remember, wash your hands for at least 20 seconds, refrain from touching your face, and practice social distancing by maintaining a distance of six feet from people not in your household.

This is difficult, this is new, and for many of us, it presents a life-altering shift. It’s important to consider that, right now, banding together as a global community is our best shot at beating this. That advice extends to the online world, too.

While coronavirus might have brought out the worst in cybercriminals, it’s also bringing out the best across the Internet. This week, a supposed “Covid19 Tracker App” infected countless users’ phones with ransomware, demanding victims pay $100 to unlock their devices or risk a complete deletion of their contacts, videos, and pictures. After news about the ransomware was posted on Reddit, a user decompiled the malicious app and posted the universal passcode to defeat the ransomware. The passcode was then shared on Twitter for everyone to use.

Stay safe, everyone.

Dark Mode Theme Finally Arrives For Facebook Desktop Users


By Kavvitaa S Iyer - March 22, 2020




After months of wait for the dark mode theme, Facebook on Thursday finally rolled out the option to opt into a new streamlined desktop design that was first announced at the company’s annual developer conference in May 2019.

“Starting today, the majority of people on Facebook will have access to the new desktop design,” a spokesperson for the company told TechCrunch.

This new Facebook redesign is now available to a majority of users and offers changes and features such as dark mode, a tabbed home screen, a cleaner profile, centralised tabs for Facebook Watch, Marketplace, Groups and Gaming, as well as larger fonts.

Further, there are additional shortcuts in a sidebar on the left. Stories have been moved above the “Update Status” box, pushing the status bar further down.


According to Facebook, the new dark mode option minimizes screen glare in low-light environments while maintaining contrast and vibrancy. Also, the new design site is intended not only to help users quickly find what they are looking for but also load the home page and subsequent pages faster.

The website also allows users to quickly create Events, Pages, Groups, and Ads, with the ability to preview how these will look on mobile before posting.

While Facebook will be rolling out the new streamlined desktop design as default for everyone later this year, it has already rolled out the design as an opt-in feature to “most users” starting this Thursday.

To enable the new design, you need to click on the “Settings” drop-down arrow and select “See New Facebook.”

In the same drop-down menu, there will be an option that allows you to switch between dark mode and the traditional colour scheme. You need to then select "Switch to New Facebook" for the dark mode.

If the new design doesn’t interest you, you can disable the option by going to the same menu and selecting “Switch to Classic Facebook.”