
Saturday, April 4, 2020

Microsoft: Emotet Took Down a Network by Overheating All Computers


By Sergiu Gatlan, April 3, 2020 03:25 PM



Microsoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment.

"After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services," DART said.

"The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week."
All systems down within a week

The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee's user credentials were exfiltrated to the attacker's command and control (C&C) server.

Before this, the threat actors used the stolen credentials to deliver phishing emails to other Fabrikam employees, as well as to their external contacts, with more and more systems getting infected and downloading additional malware payloads.

The malware further spread through the network without raising any red flags by stealing admin account credentials and using them to authenticate itself on new systems, which were then used as stepping stones to compromise other devices.

Within eight days of that first booby-trapped attachment being opened, Fabrikam's entire network was brought to its knees despite the IT department's efforts, with PCs overheating, freezing, and rebooting because of blue screens, and Internet connections slowing down to a crawl because of Emotet devouring all the bandwidth.
Emotet attack flow (Microsoft DART)

"When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control. 'We want to stop this hemorrhaging,' an official would later say," DART's case study report reads.

"He’d been told the organization had an extensive system to prevent cyberattacks, but this new virus evaded all their firewalls and antivirus software. Now, as they watched their computers blue-screen one by one, they didn’t have any idea what to do next."

Based on what the official said following the incident, although not officially confirmed, the attack described by Microsoft's Detection and Response Team (DART) matches a malware attack that impacted the city of Allentown, Pennsylvania in February 2018, as ZDNet first noticed.

At the time, Mayor Ed Pawlowski said that the city had to pay nearly $1 million to Microsoft to clean out their systems, with an initial $185,000 emergency-response fee to contain the malware and up to $900,000 in additional recovery costs, as first reported by The Morning Call.
Emotet infection aftermath and containment procedures

"Officials announced that the virus threatened all of Fabrikam’s systems, even its 185-surveillance camera network," DART's report says.

"Its finance department couldn’t complete any external banking transactions, and partner organizations couldn’t access any databases controlled by Fabrikam. It was chaos.

"They couldn’t tell whether an external cyberattack from a hacker caused the shutdown or if they were dealing with an internal virus. It would have helped if they could have even accessed their network accounts.

"Emotet consumed the network’s bandwidth until using it for anything became practically impossible. Even emails couldn’t wriggle through."

Microsoft's DART — working both remotely and on site — was called in eight days after the first device on Fabrikam's network was compromised.

DART contained the Emotet infection using asset controls and buffer zones designed to isolate assets with admin privileges.

They eventually were able to completely eradicate the Emotet infection after uploading new antivirus signatures and deploying Microsoft Defender ATP and Azure ATP trials to detect and remove the malware.

Microsoft recommends using email filtering tools to automatically detect and stop phishing emails that spread the Emotet infection, as well as the adoption of multi-factor authentication (MFA) to stop the attackers from taking advantage of stolen credentials.
Emotet infection chain (CISA)
Emotet infections can lead to severe outcomes

Emotet, originally spotted as a banking Trojan in 2014, has evolved into a malware loader used by threat actors to install other malware families including but not limited to the Trickbot banking Trojan (a known vector used in the delivery of Ryuk ransomware payloads).

Emotet was recently upgraded with a Wi-Fi worm module designed to help it spread to new victims via nearby insecure wireless networks.

Recently, in January 2020, the Cybersecurity and Infrastructure Security Agency (CISA) warned government and private organizations, as well as home users, of increasing activity around targeted Emotet attacks.

In November 2019, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also warned of the dangers behind Emotet attacks, saying at the time that the malware "provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware."

Emotet ranked first in a 'Top 10 most prevalent threats' ranking published by interactive malware analysis platform Any.Run at the end of December 2019, with triple the number of sample uploads submitted for analysis when compared to the next malware in the ranking, the Agent Tesla info-stealer.

CISA provides general best practices to limit the effect of Emotet attacks and to contain network infections within an Emotet Malware alert published two years ago and updated earlier this year.

Discord Turned Into an Account Stealer by Updated Malware


By Lawrence Abrams April 3, 2020 06:07 PM



A new version of the popular AnarchyGrabber Discord malware has been released that modifies the Discord client files so that it can evade detection and steal user accounts every time someone logs into the chat service.

AnarchyGrabber is a popular malware distributed on hacking forums and in YouTube videos that steals user tokens for a logged-in Discord user when the malware is executed.

These user tokens are then uploaded back to a Discord channel under the attacker's control where they can be collected and used by the threat actor to log in as their victims.

The original version of the malware is in the form of an executable that is easily detected by security software and only steals tokens while it is running.
Modify Discord client files to evade detection

To make it harder to detect by antivirus software and to offer persistence, a threat actor has updated the AnarchyGrabber malware so it modifies the JavaScript files used by the Discord client to inject its code every time it runs.

This new version is given the very original name of AnarchyGrabber2 and when executed will modify the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file to inject JavaScript created by the malware developer.

For example, the index.js file normally looks like the following image for an unmodified Discord client.
Unmodified index.js file

When AnarchyGrabber2 is executed, the index.js file will be modified to inject additional JavaScript files from a 4n4rchy subfolder as shown below.
AnarchyGrabber2 modified index.js file

With these changes, when Discord is started the additional malicious JavaScript files will be loaded as well.

Now, when a user logs into Discord, the scripts will use a webhook to post the victim's user token to a threat actor's Discord channel with the message "Brought to you by The Anarchy Token Grabber".
Stealing a Discord user token

MalwareHunterTeam, who found this new variant and shared it with us, told BleepingComputer that "skids are sharing them everywhere."

What makes these Discord client modifications such a problem is that even if the original malware executable is detected, the client files will be modified already.

As security software does such a poor job detecting these client modifications, the code will stay resident on the machine without the user even knowing their accounts are being stolen.
Discord needs to do client integrity checks

This is not the first time a Discord malware has modified the client's JavaScript files.

In October 2019, BleepingComputer broke the news that a Discord malware was modifying the client files to turn the client into an information-stealing Trojan.

At the time, Discord had stated that they would look into ways to prevent this from happening again, but unfortunately, those plans never happened.

The proper way these modifications can be detected is for Discord to create a hash of each client file when a new version is released. If a file is modified, then the hash for that particular file will change.

Discord can then perform a file integrity check on startup and, if a modified file has been detected, display a message like the one below that was created by BleepingComputer.
Discord File Check Mockup

Until Discord adds client integrity into their client's startup, Discord accounts will continue to be at risk from malware that modifies the client files.

BleepingComputer has contacted Discord about this malware and the file integrity checks but has not heard back as of yet.

Friday, April 3, 2020

Zoom's Web Client is Down, Users Report 403 Forbidden Errors

By Sergiu Gatlan April 3, 2020 11:20 AM



Zoom users are currently reporting that they are unable to use the Zoom web client or start and attend webinars, with reports saying that the web client is throwing '403 Forbidden' errors.

Other reports mention time-out errors saying that "Your connection has timed out and you cannot join the meetings. Verify your network connectivity and try again."

Based on user reports on DownDetector, Zoom users from the US East Coast and Western Europe are most affected by these ongoing issues.

According to the platform's status page, the Zoom web client is under maintenance and, as detailed on the company's dev forum, Zoom is "working to get the Zoom Web Client and Zoom Web SDK back online."
Zoom outage map (DownDetector)

A Zoom spokesperson confirmed the web client outage, and advised users to download and install the desktop application until the issues are resolved.

"Our team is currently aware of issues with users joining Zoom meetings and webinars using Zoom’s web client," a statement from a Zoom spokesperson says.

"In the interim, we recommend downloading and installing Zoom from zoom.us/download to connect to your meeting. We are working on it and will post further information and updates on status.zoom.us shortly.

"Sorry for the inconvenience. Thank you very much for your patience."
Zoom timeout error (aleksandr.borovsky)

Software company Zoom provides users with a cloud-based communication platform that can be used for video conferencing, online meetings, and chat and collaboration via mobile, desktop, and telephone systems.

Zoom has seen a quick increase of new monthly active users since the start of 2020, with millions of employees and students who are now working and learning from home using the platform.

Zoom has gained around 2.22 million new users this year alone, while only 1.99 million were added last year. In total, it now has over 12.9 million monthly active users, with Bernstein Research analysts saying last month that Zoom saw a user growth of about 21% since the end of 2019 as reported by CNBC.

Facebook Messenger: The desktop app is now available!


By Pohackontas, 3 April 2020, 15:50

Facebook Messenger has just released a desktop app for MacOS and Windows, which gives users the ability to video chat from their computer, keeping them in touch with friends, family and other people in every corner of the planet.

In this period, people need and use technology more than ever, both for their work and to communicate with people from their professional and personal circles, even when they cannot leave their homes. As an indication, last month saw a more than 100% increase in users using their desktop browser for voice and video calls on Messenger. Now that there are apps for MacOS and Windows, the best version of Facebook Messenger comes to your desktop, offering unlimited, free group video calls.

At this point, it is worth mentioning some highlights of the new Messenger app:

Group video calls on a bigger screen: You can keep in touch with your family and friends, join a workout or be entertained.

Easy connection: You don't need to know someone's email or phone number, since your Facebook friends already have Messenger.

Multitasking: You can easily access your conversations while moving in and out of the app, doing other things on your computer at the same time.

Notifications: You can receive notifications for new messages so you go straight to the conversation you are looking for. You can choose to mute or snooze notifications.

Conversations sync between your phone and your computer: This way you will never miss a call or a message, regardless of which device you are using.

Everything you love about Messenger you will have on a bigger screen, including the GIFs and the dark mode available in chat.


You can download the app from the Microsoft Store or the Mac App Store. This Facebook Messenger desktop app promises to make your daily communication with family and others easier, so you can keep socializing even during the "social distancing" imposed by current circumstances.

HBO: 500 hours of free programming on HBO NOW and HBO GO!


By Pohackontas, 3 April 2020, 15:20

HBO has announced that it will offer 500 hours of free programming on its HBO NOW and HBO GO streaming services, with no subscription required, starting today, Friday 3 April. In this way, HBO is giving people even more reasons to stay at home and follow the recommended "social distancing" measures, in an effort to stop the spread of COVID-19.




The shows that the public can watch for free through the HBO NOW and HBO GO streaming services include some of the best TV series ever made, such as "The Sopranos" and "The Wire", as well as other excellent HBO shows such as "Veep" and "Six Feet Under".




Feature films such as "Pokémon Detective Pikachu", "Crazy, Stupid, Love" and catalogue "gems" such as "Empire of the Sun" are included, along with the docuseries "McMillion$" and "The Case Against Adnan Syed", as free offerings. Viewers who want to watch what is arguably the best show ever made, The Wire, can download the HBO NOW or HBO GO apps or visit HBONOW.com or HBOGO.com.




HBO announced that the shows will be available for free streaming starting today. This offer, which includes 500 hours of free programming, is a first for HBO. The catalogue of HBO content that will be available for free streaming without a subscription includes the following:

9 Series

• Ballers (5 Seasons)
• Barry (2 Seasons)
• Silicon Valley (6 Seasons)
• Six Feet Under (5 Seasons)
• The Sopranos (7 Seasons)
• Succession (2 Seasons)
• True Blood (7 Seasons)
• Veep (7 Seasons)
• The Wire (5 Seasons)

10 docuseries and documentaries

• The Apollo
• The Case Against Adnan Syed
• Elvis Presley: The Searcher
• I Love You, Now Die: The Commonwealth v. Michelle Carter
• The Inventor: Out for Blood in Silicon Valley
• Jane Fonda in Five Acts
• McMillion$
• True Justice: Bryan Stevenson’s Fight for Equality
• United Skates
• We Are the Dream: The Kids of the MLK Oakland Oratorical Fest

And 20 Warner Bros feature films

• Arthur
• Arthur 2: On the Rocks
• Blinded By the Light
• The Bridges of Madison County
• Crazy, Stupid, Love
• Empire of the Sun
• Forget Paris
• Happy Feet Two
• Isn’t It Romantic?
• The Lego Movie 2: The Second Part
• Midnight Special
• My Dog Skip
• Nancy Drew and the Hidden Staircase
• Pan
• Pokémon Detective Pikachu
• Red Riding Hood
• Smallfoot
• Storks
• Sucker Punch
• Unknown

U.S. Government: Update Chrome 80 Now, Multiple Security Concerns Confirmed



By Davey Winder, Senior Contributor, Cybersecurity




Update Google Chrome now, U.S. federal agency says. (Image: AFP via Getty Images)

The Cybersecurity and Infrastructure Security Agency (CISA) has advised users to update Google Chrome as new high-rated security vulnerabilities have been found. Here’s what you need to know.

CISA, a standalone federal agency under the U.S. Department of Homeland Security (DHS) oversight, is responsible for protecting "the Nation’s critical infrastructure from physical and cyber threats." In an April 1 posting, CISA confirmed that Google Chrome version 80.0.3987.162 "addresses vulnerabilities that an attacker could exploit to take control of an affected system," be that Windows, Mac or Linux. It went on to state that it "encourages" users and administrators to apply the update.
Center for Internet Security also issues Google Chrome update advisory

It's not just CISA that is warning about the need to update Google Chrome. The Center for Internet Security (CIS) is a non-profit entity that works to safeguard both private and public organizations against cyber threats. In a multi-state information sharing and analysis center (MS-ISAC) advisory, it has also warned of multiple vulnerabilities in Google Chrome. The most severe of these could allow an attacker to achieve arbitrary code execution within the context of the browser. What does that actually mean? The answer is it depends upon the privileges that have been granted to the application. Still, in a worst-case scenario, the attacker would be able to view data, change data or delete data.
Are these vulnerabilities being exploited right now?

Although, at the time of writing, there have been no in-the-wild reports of these vulnerabilities being exploited by threat actors, that does not reduce the potential impact upon users who do not ensure the security update is applied as soon as possible. All it would take for an attacker to exploit the vulnerabilities is to get the user to visit, by way of a phishing attack or even redirection from a compromised site, a maliciously crafted web page. 

What is known about these high-rated security vulnerabilities in Google Chrome?

As is often the case, precise detail of the vulnerabilities is not being disclosed at this stage so as to allow the update to roll out to as many users as possible first. However, what is known is that there are three high-rated vulnerabilities discovered by external researchers that have been allocated Common Vulnerabilities and Exposures (CVE) identification numbers CVE-2020-6450, CVE-2020-6451 and CVE-2020-6452.


CVE-2020-6450 is described as being a use-after-free vulnerability in WebAudio, reported by Man Yue Mo of the Semmle Security Research Team on March 17.

CVE-2020-6451 is another use-after-free vulnerability in WebAudio, also reported by Man Yue Mo but five days earlier.

CVE-2020-6452 was reported, according to the Google Chrome update release blog, by a user just known as 'asnine' on March 9. This one is a heap-buffer overflow in the media component. 

A further five security vulnerabilities were discovered by the Google internal security team using a combination of internal audits and fuzzing. Fuzz testing is an automated method that prods code with unexpected inputs in order to reveal potential leaks or crashes that could be exploited by a threat actor. The precise nature of these vulnerabilities has not been disclosed by Google at this point.
Update your Google Chrome browser now to protect against these vulnerabilities

Google has said that the Chrome update will roll out over the coming days and weeks, but you really shouldn't wait for your browser to update automatically.

You can check to see what version you currently have by going to Help|About Google Chrome, which revealed that my copy had not been updated this morning, for example. The good news is that checking to see what version you have will also prompt an update to the latest version. You will need to relaunch the browser once the update has been installed and will then be protected against all of the vulnerabilities as mentioned earlier.

How to Find & Fix the Japanese Keyword Hack





April 2, 2020, by Art Martori

If you’re wondering how to find and fix the Japanese keyword hack, get started by identifying a real-life example. First, open Google Translate, and then get the Japanese characters for the search term buy Ralph Lauren. Copy and paste that into your favorite search engine, and take a look at the results.
A website dedicated to technology news from Africa… and Ralph Lauren gear?

Your results may vary, but one of the results in this recent search was a technology news website from Africa. Seems like an odd marketing strategy for them, right?

It’s very likely we just identified an example of the Japanese keyword hack. Read on to learn more about finding and fixing this common type of website infection.
What is the Japanese keyword hack?

The Japanese keyword hack is a type of SEO spam (which we discussed earlier). With these scams, bad actors hijack the search engine ranking of legit websites by compromising them, and then injecting spammy keywords and links.


This lets hackers take advantage of the visibility to promote any number of scams. In our example of the Japanese keyword hack, people searching for Ralph Lauren gear will almost certainly get ripped off if they click on the spammy links and make a purchase.

When a website gets hit with the Japanese keyword hack, it’s crucial to clean the infection immediately. As we just saw, the immediate consequences are obvious. But the longer this hack remains in place, the more damage it does. Let’s take a sec to examine that scenario.
What happens after a Japanese keyword hack?

Like any SEO spam infection, delaying cleanup of the Japanese keyword hack can have long-term consequences. When you look at the time and expense involved with leaving those consequences unchecked, taking immediate actions makes sense.
Your reputation gets damaged — Imagine customers search for your site because they’re attracted by your hard-earned reputation. What are the odds they’ll stay if they see an unfamiliar message in a language they don’t speak?
Your hosting gets suspended — Hosting companies are very sensitive about infected websites. Nobody wants to be the source of dangerous content. Web hosts may suspend sites with SEO spam, so nobody can visit them.
You get blacklisted by Google — Google also seeks to avoid the Japanese keyword hack (along with SEO spam in general). When a hacked site is detected, Google adds it to their blacklist, which will negatively impact a website’s traffic.
How to find the Japanese keyword hack

To find the Japanese keyword hack, start with scanning your website. You’ll discover there are numerous remote-side scanners out there, which comb through the pages your visitors can see to hunt for malware.

We believe our own SiteCheck is one of the best, along with UnmaskParasites. Both of these remote scanners are free and simple to use — all you do is type in the web address of your site, and then let them go to work.


The ultimate tool for finding the source of the Japanese keyword hack is a server-side scanner, which looks not only at public-facing pages, but also in the files and databases people can’t see.

For example, our Website Security Platform includes regular server-side scans, as well as an array of features engineered to thwart infections like the Japanese keyword hack. In addition to the tools we just discussed, make sure to get on Google Search Console for a comprehensive view of your website’s overall health.
How to fix the Japanese keyword hack

Now that we’ve learned how to find the Japanese keyword hack, let’s figure out how to fix it. This basically comes down to deleting all the content hackers created, and then closing any vulnerabilities they used to access the website.

This is a highly involved process you can either attempt to do yourself or have a professional handle for you. For most people, the latter solution is recommended.

That’s because a poorly executed cleanup leads to a site getting reinfected. And as we saw earlier, the costs and damage only increase the longer a website remains infected. Reputable companies like Sucuri, however, typically offer a money-back guarantee in case a cleanup isn’t totally satisfactory.
Closing thoughts on the Japanese keyword hack

The Japanese keyword hack is bad news for any individual or organization operating a website. This common form of SEO spam defaces your site, damages your reputation, and can even cut off traffic you’ll never recover. And the longer it remains in place, the harder it is to get things back to normal.


Meanwhile, bad actors keep working away. Our security researchers are always discovering new kinds of SEO spam that most folks have yet to learn about, which target all types of CMSs and tech providers. This makes securing your site from SEO spam injections all the more important.

When it comes to finding and fixing the Japanese keyword hack, the best strategy is avoiding it entirely. A security apparatus like the Sucuri Web Application Firewall (WAF) is truly a fire-and-forget solution in this instance. That’s because it’s constantly updated by security researchers in order to identify and block even the latest threats. All you need to do is set up your site behind the WAF, and then enjoy the peace of mind.

Thursday, April 2, 2020

New COVID-19 malware deletes files and corrupts your PC's MBR



By Digital Fortress, 2 April 2020, 12:44



The COVID-19 pandemic has caused many problems around the world. The most important of these concern health and the economy. However, we must not forget malicious hackers, who see an opportunity to launch attacks now that there is this general anxiety. There are, for example, some programs, which have been named COVID-19 malware, that destroy systems either by deleting files or by rendering the computer's master boot record (MBR) inaccessible.

At least five different COVID-19 malware samples have been identified. Some have already been used and have infected users, while others appear to have been created only as tests or as a joke.

The common element of all these malware samples is that they are related to COVID-19 and aim more at destroying systems than at financial gain.

MBR-rewriting malware

Some of the most dangerous COVID-19 malware identified last month are two samples that render the computer's master boot record (MBR) inaccessible.

Advanced technical knowledge was certainly required to create this COVID-19 malware.

The first MBR-rewriter was discovered by a security researcher and is analysed in detail in a report by SonicWall. The malware is named COVID-19.exe and infects a computer in two stages.

In the first stage, an annoying window simply appears, which users cannot close because the COVID-19 malware has already disabled the Windows Task Manager.


While users are busy with this annoying window, the malicious program silently overwrites the MBR. It then restarts the computer and the new MBR boots, locking users out at a pre-boot screen.

Users can eventually regain access to their computers, but they will need special tools to recover the MBR.


Another similar malware, which is even more sophisticated, is called "CoronaVirus ransomware". The main function of this COVID-19 malware is to steal passwords from an infected computer and then imitate ransomware in order to deceive the user and cover its real purpose.

In reality, it is not ransomware. It merely presents itself as ransomware. Once the data-theft routines are complete, the malware enters a phase where it overwrites the MBR and locks users into a ransom message, preventing access to their computers. Users see a ransom note and then find that they cannot access their computers. So the last thing on their minds is to check whether someone stole the passwords from their applications.


According to security researcher Vitali Kremez, the malware also contained code that allowed files to be deleted. However, it was not active in the samples that were analysed.

Data deletion

However, security researchers have also identified other COVID-19 malware that specialises in deleting data.

The first was identified in February. The name of the malicious file is written in Chinese and it is most likely aimed at Chinese users. It is not known whether attacks have been carried out or whether these are merely tests.

The second was identified yesterday. It was uploaded to VirusTotal by someone located in Italy.

Researchers believe the two malware samples are not very effective, as they contain bugs and use time-consuming procedures to delete the files on infected systems. However, if used in attacks, they can still "get the job done".

LimeRAT Trojan: Spread using an Excel file encryption technique


By Pohackontas, 1 April 2020, 18:28

A new campaign is spreading the LimeRAT remote access Trojan using an old Excel file encryption technique. LimeRAT is a simple Trojan designed for Windows computers. This malware can install backdoors on infected computers and encrypt files in exactly the same way as other kinds of ransomware, add computers to botnets and install cryptocurrency miners.

In addition, the LimeRAT Trojan can spread via connected USB drives, uninstall itself if a virtual machine (VM) is detected, "lock" screens and steal data that is then sent to a command-and-control (C2) server using AES (Advanced Encryption Standard) encryption. In a new campaign discovered by Mimecast, the Trojan appears as a payload in Excel documents and is spread via phishing messages. The researchers reported in a post on the company's blog that the Excel documents are read-only, not locked, since Excel encrypts them without requiring users to set a password.


To decrypt the file when it is opened, Excel will try to use a built-in password, "VelvetSweatshop", which Microsoft's developers applied in the past. If this succeeds, Excel decrypts the file and allows the macros to run and the malicious payload to be injected, while keeping the document read-only.

Normally, if decryption with VelvetSweatshop fails, the user is prompted for a password. The read-only mode bypasses that step, reducing the number of actions needed to gain access to a Windows machine. According to the researchers, the advantage of read-only Excel files for an attacker is that no user input is required, and Microsoft Office shows no warning other than a notice that the file is read-only.

The new campaign built to spread LimeRAT uses this technique, which first appeared in 2013 and was presented at a Virus Bulletin conference. In addition, the attackers exploit a vulnerability tracked as CVE-2012-0158. It is worth noting that this issue was disclosed a long time ago; however, Sophos notes that attackers continue to exploit it, in a case it considers "notable".

Mimecast reports that the attackers also use a set of other techniques in an attempt to deceive users' systems, encrypting the spreadsheet's contents to hide the exploit and the payload. Finally, Microsoft has been notified that the vulnerability is being used again.
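The practical problem for a defender is that a workbook encrypted with the default password looks like an opaque encrypted blob to a mail gateway, yet opens silently for the user. The following is an added example, not Mimecast's or the campaign's own code: it flags encrypted Office containers with only the Python standard library and, as an optional step, decrypts them with "VelvetSweatshop" so a macro scanner can look inside. The optional step assumes the third-party msoffcrypto-tool package is installed; the sample blobs are constructed stand-ins, not real documents.

```python
"""Triage encrypted Office documents for the read-only ("VelvetSweatshop") trick.

Added example; not Mimecast's or the LimeRAT operators' code. When a workbook is
encrypted with the built-in default password "VelvetSweatshop", Excel opens it
without prompting, so a gateway that only scans the raw file never sees the
macro. Detection below uses only the standard library; the optional decryption
step assumes the third-party msoffcrypto-tool package is installed.
"""
import hashlib
import io
from typing import Optional

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # unencrypted OOXML (.xlsx/.xlsm) is a zip
DEFAULT_PASSWORD = "VelvetSweatshop"              # Excel's built-in default, from the article

# A password-protected OOXML file is an encrypted zip wrapped in an OLE container
# whose directory carries these two stream names (stored as UTF-16LE).
# Caveat: legacy BIFF8 .xls encryption is signalled by a FILEPASS record inside
# the Workbook stream instead and is not caught by this string check.
ENCRYPTION_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]


def triage(data: bytes) -> dict:
    """Static indicators for a document blob; nothing is executed or rendered."""
    is_ole = data.startswith(OLE_MAGIC)
    is_zip = data.startswith(ZIP_MAGIC)
    encrypted = is_ole and any(s in data for s in ENCRYPTION_STREAMS)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "container": "ole" if is_ole else "zip" if is_zip else "unknown",
        "encrypted_ooxml": encrypted,
        # Policy hint for the sandbox: an encrypted workbook the recipient was
        # never asked a password for must be decrypted with the default password
        # before macro/VBA analysis, otherwise the payload stays invisible.
        "try_default_password": encrypted,
    }


def decrypt_with_default_password(data: bytes) -> Optional[bytes]:
    """Try "VelvetSweatshop" via msoffcrypto-tool (pip install msoffcrypto-tool).

    Returns the plaintext document, the input unchanged if it was not encrypted,
    or None if the package is missing or the password does not fit. The result
    is what a macro scanner such as olevba should be fed in a sandbox.
    """
    try:
        import msoffcrypto  # third-party; assumed installed for this step only
    except ImportError:
        return None
    try:
        office = msoffcrypto.OfficeFile(io.BytesIO(data))
        if not office.is_encrypted():
            return data
        office.load_key(password=DEFAULT_PASSWORD)
        out = io.BytesIO()
        office.decrypt(out)
        return out.getvalue()
    except Exception:  # wrong password, corrupt container, unsupported format
        return None


# Constructed stand-ins for the demo (not real documents): an OLE header padded
# to the first sector, followed by the directory names an encrypted OOXML
# container carries; and the start of an ordinary .xlsx zip.
SAMPLE_ENCRYPTED = (OLE_MAGIC + b"\x00" * 504
                    + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 36
                    + "EncryptedPackage".encode("utf-16-le"))
SAMPLE_PLAIN_XLSX = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"[Content_Types].xml"

if __name__ == "__main__":
    for name, blob in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN_XLSX)):
        print(name, triage(blob))
```

In a pipeline, `try_default_password` is the signal to route the attachment through `decrypt_with_default_password()` and then a VBA scanner; a read-only workbook that the sender never shared a password for has no legitimate reason to be encrypted.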

Coronavirus ‘Financial Relief’ Phishing Attacks Spike




Author:Lindsey O'Donnell
April 1, 2020 3:48 pm


A spate of phishing attacks have promised financial relief due to the coronavirus pandemic – but in reality swiped victims’ credentials, payment card data and more.


Researchers are warning of an upward surge in social-engineering lures in malicious emails that promise victims financial relief during the coronavirus pandemic.

The slew of campaigns piggy-backs on news of governments mulling financial relief packages in response to the economic stall brought on by consumers social distancing. This latest trend shows cybercriminals continuing to look to the newest developments in the coronavirus saga as leverage for phishing campaigns, targeted emails spreading malware and more.

“These campaigns use the promise of payments by global governments and businesses (specifically financial institutions) aimed at easing the economic impact of the ongoing pandemic to urge users to click links or download files,” said Proofpoint researchers, in analysis released Wednesday.


One credential-phishing campaign has been spotted primarily targeting U.S. healthcare and higher-education organizations (as well as the technology industry, including information-security companies), with a message purporting to be from their payroll departments.

The emails, titled “General Payroll !” explain that the Trump administration “is considering” sending most American adults a check to help stimulate the economy.

“The Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic,” says the message. “All staff/faculty & employee include student are expected to verify their email account for new payroll directory and adjustment for the month of March benefit payment.”

Researchers said that these emails come with plenty of red flags, including their "crude design," with clear grammatical and spelling errors as can be seen in the message quoted above. The messages also use a basic web page that's clearly branded by a free website maker for its phishing landing page.

The message asks recipients to verify their email accounts through a malicious link (called the “MARCH-BENEFIT secure link”) that directs them to a phishing page. This phishing page then asks for their usernames, email addresses and passwords tied to their employee benefits.



Researchers pointed to similar phishing campaigns in Australia and the U.K. In Australia, a campaign was discovered using emails claiming to be from a major Australian newspaper and using the subject line, “Government announces increased tax benefits in response to the coronavirus.” These email messages contain a PDF attachment with an embedded URL that leads to a phishing page, where victims are asked to input their Microsoft OneDrive credentials.

In the U.K., a large email campaign was uncovered targeting manufacturing, technology, transportation, healthcare, aerospace, retail, energy, business services and hospitality companies. The campaign emails claim to be from a major (unnamed) United Kingdom bank. They offer 300 Singapore dollars (approximately $210 USD) as financial support and tell the recipient to "Start Here" to claim the money by clicking on a link. That leads them to an attacker-controlled landing page that asks for their name, address and credit-card number.

Another, smaller campaign targets technology and IT organizations, purporting to be from the World Health Organization (WHO) and the International Monetary Fund (IMF). These emails, sent with a subject line of "COVID 19 : Relief Compensation," tell recipients they have been "randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak" and ask them to learn more by clicking on a fake Microsoft Excel-branded attachment that harvests emails and passwords.

Attackers continue to leverage coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams. Researchers warned that users should continue to be on the lookout for phishing emails playing into fears around the coronavirus pandemic.

Zeus Sphinx for instance was recently spotted joining the growing fray of COVID-19-themed phishing and malspam campaigns, using a government-assistance lure.

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale, and these recent payment-related lures underscore that threat actors are paying attention to new developments,” researchers said. “We anticipate threat actors will continue modifying their strategies as the news surrounding COVID-19 shifts.”

There's now COVID-19 malware that will wipe your PC and rewrite your MBR

Security researchers have discovered coronavirus-themed malware created to destroy users' computers.




By Catalin Cimpanu for Zero Day | April 2, 2020 -- 02:32 GMT (03:32 BST) | Topic: Coronavirus: Business and technology in a pandemic


With the coronavirus (COVID-19) pandemic raging all over the globe, some malware authors have developed malware that destroys infected systems, either by wiping files or rewriting a computer's master boot record (MBR).

With help from the infosec community, ZDNet has identified at least five malware samples, some distributed in the wild, while others appear to have been created only as tests or jokes.

The common theme among all of them is that they use a coronavirus theme and are geared towards destruction rather than financial gain.

MBR-rewriting malware

Of the malware families found by security researchers this past month, the most advanced were the two that rewrote MBR sectors.

Some advanced technical knowledge was needed to create these strains, as tinkering with a master boot record is no easy feat and could easily result in systems that don't boot at all.

The first of the MBR-rewriters was discovered by a security researcher who goes by the name MalwareHunterTeam, and detailed in a report from SonicWall this week. Named COVID-19.exe, this malware infects a computer in two stages.


In the first stage, it just shows an annoying window that users can't close, because the malware has also disabled the Windows Task Manager.

Image: SonicWall

While users attempt to deal with this window, the malware silently rewrites the computer's master boot record behind their back. It then restarts the PC, and the new MBR kicks in, leaving users stuck at a pre-boot screen.

Users can eventually regain access to their computers, but they'll need special tools to recover and rebuild the MBR to a working state.

Image: SonicWall

But there was a second coronavirus-themed malware strain that rewrote the MBR, and this one is a far more convoluted operation.

It posed as the "CoronaVirus ransomware", but that was only a facade. The malware's primary function was to steal passwords from the infected host; it then mimicked ransomware to trick the user and mask its real purpose.

However, it wasn't really ransomware either; it only posed as one. Once the data-stealing operations ended, the malware rewrote the MBR and left users stuck at a pre-boot message, preventing access to their PCs. With users seeing ransom notes and then being unable to access their PCs, the last thing they would think to do is check whether someone had exfiltrated passwords from their apps.

Image: Bleeping Computer

According to analysis from SentinelOne security researcher Vitali Kremez and Bleeping Computer, the malware also contained code to wipe files on the user's systems, but this didn't appear to be active in the version they analyzed.

Furthermore, this one was also spotted twice, with a second version discovered by G DATA malware researcher Karsten Hahn two weeks later. This time, the malware kept the MBR-rewriting capability but replaced the data-wiping feature with a functional screen-locker.
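Both MBR-rewriting strains above leave the partition data on disk and only replace sector 0, which is why recovery tools can rebuild it. The cheapest detective control is to keep a hash of the known-good boot code and partition table and compare sector 0 against it from a trusted environment. The following is an added example, not ZDNet's, SonicWall's or the researchers' code: it parses a 512-byte MBR, compares it with a baseline and reports what changed. Reading the real sector needs administrator rights (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux); the sectors used in the demo are constructed, and their boot code is a stand-in, not real boot code.

```python
"""Parse a 512-byte MBR and compare it against a known-good baseline.

Added example; not from ZDNet, SonicWall or the researchers quoted above.
The COVID-19.exe and "CoronaVirus ransomware" samples overwrite sector 0 so
the machine stops at a pre-boot message. Keeping a baseline of the boot code
and partition table lets a recovery environment (or a scheduled check) tell a
legitimate MBR from a replaced one before the next reboot.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTCODE_LEN = 440           # classic layout: boot code, 4-byte disk signature, 2 reserved bytes
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    bootable: bool
    type_id: int     # 0x07 = NTFS/exFAT, 0x0C = FAT32 LBA, 0xEE = GPT protective
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    signature_ok: bool
    bootcode_sha256: str
    disk_signature: int
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> Mbr:
    """Decode sector 0; raises on anything that is not exactly one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append(Partition(bootable=(status == 0x80), type_id=ptype, lba_start=lba, sectors=count))
    return Mbr(
        signature_ok=(sector[510:512] == BOOT_SIGNATURE),
        bootcode_sha256=hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        partitions=parts,
    )


def compare_mbr(current: bytes, baseline: bytes) -> List[str]:
    """Human-readable deviations of `current` from `baseline`; empty means clean."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur.signature_ok:
        findings.append("boot signature 0x55AA missing")
    if cur.bootcode_sha256 != base.bootcode_sha256:
        findings.append("boot code differs from baseline")
    if cur.partitions != base.partitions:
        findings.append("partition table differs from baseline")
    if cur.disk_signature != base.disk_signature:
        findings.append("disk signature changed")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device; needs admin/root (e.g. r'\\.\PhysicalDrive0', '/dev/sda')."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sector(bootcode: bytes, disk_sig: int, partitions: List[Partition]) -> bytes:
    """Assemble a sector from parts; used here only to construct demo data."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    body += struct.pack("<IH", disk_sig, 0)
    for p in partitions:
        body += struct.pack("<B3sB3sII", 0x80 if p.bootable else 0, b"\x00" * 3,
                            p.type_id, b"\x00" * 3, p.lba_start, p.sectors)
    body += b"\x00" * (PART_ENTRY_LEN * (4 - len(partitions)))
    return body + BOOT_SIGNATURE


# Constructed demo sectors (not from a real disk). The baseline has one bootable
# NTFS-type partition at LBA 2048; the "locked" sector keeps that table intact but
# swaps the boot code for a stub that halts (jmp $) behind a message, which is
# the shape of the lock screens described above. GOOD_BOOTCODE is a stand-in.
GOOD_BOOTCODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 120
LOCKED_BOOTCODE = b"\xEB\xFE" + b"YOUR COMPUTER IS LOCKED"
LAYOUT = [Partition(bootable=True, type_id=0x07, lba_start=2048, sectors=1_000_000)]
BASELINE_SECTOR = build_sector(GOOD_BOOTCODE, 0x1234ABCD, LAYOUT)
LOCKED_SECTOR = build_sector(LOCKED_BOOTCODE, 0x1234ABCD, LAYOUT)

if __name__ == "__main__":
    print("clean :", compare_mbr(BASELINE_SECTOR, BASELINE_SECTOR))
    print("locked:", compare_mbr(LOCKED_SECTOR, BASELINE_SECTOR))
```

Operationally, `compare_mbr(read_mbr(path), baseline)` run from a recovery environment tells you whether the bootloader or the partition table was hit; when only the boot code differs, as with these samples, the partitions are still there and rewriting sector 0 with a standard boot loader restores access.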



Karsten Hahn (@struppigel)

At first this seems like a simple screenlocker, but it infects the MBR as well.
Same MBR as the Coronavirus ransomware found by @malwrhunterteam

The MBR is from a builder by someone called #WobbyChip. https://www.virustotal.com/gui/file/fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad/detection …


6:00 PM - Mar 26, 2020

DATA WIPERS

But security researchers have spotted more than coronavirus-themed MBR-rewriters. They also spotted two data wipers.

Both were discovered by MalwareHunterTeam.

The first was spotted back in February. It used a Chinese file name and most likely targeted Chinese users, although we don't have information on whether it was distributed in the wild or was just a test.

The second was spotted yesterday, and this one was found uploaded on the VirusTotal portal by someone located in Italy.

MalwareHunterTeam described both strains as "poor wipers" because of the inefficient, error-prone, and time-consuming methods they used to erase files on infected systems. However, they worked, which made them dangerous if ever spread in the wild.



MalwareHunterTeam (@malwrhunterteam)

"alcuni accorgimenti da prendere per il Covid-19\.zip" -> "Covid-19.exe" (60e9dfe954acf0b02a5b35f367cf36ae2bc9b12e02aa3085495c5d8c4c94611c) -> dropped "Covid-19.bat", which is a poor wiper...
Seen from Italy.
Not sure if it's worse if it was created as a joke or seriously. @JAMESWT_MHT


7:23 PM - Apr 1, 2020


It might seem weird that some malware authors create destructive malware like this, but it's not the first time this has happened. For every financially motivated malware strain that security researchers discover, there's also one that was created as a joke, just for the giggles. Something similar happened during the WannaCry ransomware outbreak in 2017, when days after the original WannaCry ransomware encrypted computers all over the world, there were countless clones doing the same thing for no apparent reason.

WinRAR: Version 5.90 released for Windows, Linux, Mac and Android



By SecNews, 1 April 2020



WinRAR 5.90 Final has been released with numerous performance improvements and bug fixes for Windows, Mac, Linux and Android.

For those unfamiliar with it, WinRAR is file compression and extraction software from RARLAB that supports the ARJ, BZIP2, CAB, GZ, ISO, JAR, LHA, RAR, TAR, UUE, XZ, Z, ZIP, ZIPX, 7z and 001 formats.

There is also a free trial, so you can use WinRAR for a limited period before buying it.

As already mentioned, WinRAR 5.90 comes with several performance improvements, such as better CPU utilisation and a higher thread count. The most important changes in the new version are listed below.
Faster compression on processors with 16 or more cores.
Higher compression ratio for the RAR5 format.
The maximum number of threads has been raised from 32 to 64. The -mt switch now accepts values from 1 to 64.
The "Multithreading" parameter has been replaced by "Threads", where you can set the number of threads from 1 up to the number of threads your processor supports.
WinRAR now shows the packed size of files.
A "Total folders" field has been added to the parameters displayed by the "Info" command.
A progress window with a cancel button is now shown for formats that take longer to process, e.g. tar.gz and tar.bz2.
Windows can now be resized.
Major improvement to the RAR5 recovery record.
The repair command can now be used on RAR5 archives without entering a password.
If the destination folder for the "Convert archives" command does not exist, the program tries to create it; earlier versions of WinRAR did not.
Added extraction support for GZIP files.

Fixed bugs:
The "repair" command reported that the recovery record was invalid when it was in fact valid.
WinRAR ignored the "quick open information" option (when set to "Do not add") when searching archive contents.
The Ctrl+C shortcut now works in the archive comment window.
WinRAR ignored the destination path in the file header when the option to create a separate archive for each file was enabled.

Wednesday, April 1, 2020

Indian Cybercrime Officials Release a List of Potentially Dangerous Coronavirus-related Domains


By CISOMAG - March 30, 2020




COVID-19 has affected lives and businesses globally and is steadily spreading. According to the government of India, as of March 30, 2020, the total number of active Coronavirus cases in the country stands at 942 and the death toll stands at 29. The government of India has been taking all the necessary precautions to contain the spread of the virus.

While the government and public are taking stringent measures against the transmission of COVID-19, opportunistic cybercriminals are taking advantage of the situation to exploit internet users. Multiple Coronavirus-related scams, phishing websites, malicious maps and spam messages have been reported frequently in recent weeks.

Recently, the cybercrime division of New Delhi, India, warned the public to be vigilant about malicious Coronavirus-related websites. The officials also tweeted a list of fake or potentially dangerous websites, urging people not to click on them.

The following domains are listed as potentially dangerous:
coronavirusstatus[.]space
coronavirus-map[.]com
canalcero[.]digital
coronavirus[.]zone
coronavirus-realtime[.]com
coronavirus[.]app
coronavirusaware[.]xyz
corona-virus[.]healthcare
survivecoronavirus[.]org
vaccine-coronavirus[.]com
coronavirus[.]cc
bestcoronavirusprotect[.]tk
coronavirusupdate[.]tk

The cybercrime officials also released a report, "Cybercrime Threat in Wake of Rampant Corona Virus," to educate online users on how cybercriminals are capitalizing on the Coronavirus outbreak. "Fake links related to the pandemic are sent by criminals claiming to be health authorities, with the aim of tricking victims into connecting to a specific webpage and to login their real email address and password. Scammers then use their credentials to access sensitive information and potentially to steal their money," the report stated.
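A list like the one above is published "defanged" (with `[.]` in place of `.`) so that nobody clicks it by accident, which also means it cannot be matched against logs as-is. The following is an added example, not the Delhi cybercrime unit's or CISOMAG's code: it refangs and de-duplicates the indicators, then matches proxy log lines against them so that subdomains of a listed domain (for example www.coronavirus-map.com) also hit while unrelated look-alikes do not. The log lines are constructed for the demo, and their field layout (timestamp, client, method, URL) is an assumption rather than a real proxy format.

```python
"""Refang the defanged domain list above and match it against log lines.

Added example; not the Delhi cybercrime unit's or CISOMAG's code. Published
indicators are defanged ("[.]" for ".") so they cannot be clicked by accident,
and they have to be normalised (refanged, lower-cased, de-duplicated, trailing
dot removed) before a proxy or DNS log can be matched against them. Matching
walks from the full host name up to its parent domains, so subdomains hit.
The log lines are constructed for the demo and their field layout
(timestamp, client, method, URL) is an assumption, not a real proxy format.
"""
from typing import FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# The indicators as published; coronavirusaware[.]xyz is repeated on purpose
# here to exercise de-duplication.
DEFANGED_INDICATORS = """
coronavirusstatus[.]space
coronavirus-map[.]com
canalcero[.]digital
coronavirus[.]zone
coronavirus-realtime[.]com
coronavirus[.]app
coronavirusaware[.]xyz
coronavirusaware[.]xyz
corona-virus[.]healthcare
survivecoronavirus[.]org
vaccine-coronavirus[.]com
coronavirus[.]cc
bestcoronavirusprotect[.]tk
coronavirusupdate[.]tk
"""


def refang(indicator: str) -> str:
    """Undo the common defanging conventions and normalise to a bare host name."""
    host = indicator.strip().lower()
    for src, dst in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        host = host.replace(src, dst)
    if "://" in host:  # tolerate full URLs in indicator feeds
        host = urlsplit(host).hostname or host
    return host.rstrip(".")


def defang(host: str) -> str:
    """For reporting: make a matched host safe to paste into a ticket or chat."""
    return host.replace(".", "[.]")


def load_blocklist(text: str) -> FrozenSet[str]:
    return frozenset(refang(line) for line in text.splitlines() if line.strip())


def hostname_of(value: str) -> str:
    """Extract the host from a URL or a bare host[:port]."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def is_blocked(host: str, blocklist: FrozenSet[str]) -> Optional[str]:
    """Return the matching entry, checking the host and each parent domain.

    Walking label by label means www.coronavirus-map.com matches
    coronavirus-map.com, while coronavirus.app.example.org does not match
    coronavirus.app. A bare TLD is never tested.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(lines: Iterable[str], blocklist: FrozenSet[str]) -> List[Tuple[int, str, str]]:
    """(line number, client, defanged indicator) for every hit in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # assumed layout: timestamp client method url
        client, url = fields[1], fields[3]
        match = is_blocked(hostname_of(url), blocklist)
        if match:
            hits.append((n, client, defang(match)))
    return hits


BLOCKLIST = load_blocklist(DEFANGED_INDICATORS)

# Constructed proxy log lines (timestamp client method url); not real traffic.
SAMPLE_LOG = [
    "1585555501.120 10.0.0.12 GET http://www.coronavirus-map.com/Corona-virus-Map.com.exe",
    "1585555502.448 10.0.0.34 GET https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "1585555503.901 10.0.0.12 CONNECT coronavirusaware.xyz:443",
    "1585555504.077 10.0.0.58 GET http://coronavirus.app.example.org/",  # look-alike, not listed
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, BLOCKLIST):
        print(hit)
```

The suffix walk in `is_blocked()` is what makes the check useful for DNS and proxy logs, where hosts such as `www.`, `cdn.` or random subdomains of a listed domain are the norm; a plain equality test against the published strings would miss them.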

Cyberattacks via Malicious Coronavirus Map

Recently, security researcher Shai Alfasi discovered that threat actors are spreading malware disguised as a "Coronavirus Map" to steal personal information such as usernames, passwords, credit card numbers and other sensitive data stored in the user's browser. The attackers set up multiple websites offering Coronavirus information that prompt users to download an application to stay updated on the situation. The website displays a map of the COVID-19 spread, while the download delivers a malicious binary that is installed on the victim's device.

How to Secure Your Zoom Meetings from Zoom-Bombing Attacks


By Lawrence Abrams March 31, 2020



Since countries have begun enforcing shelter-in-place and stay-at-home orders during the Coronavirus pandemic, the Zoom video conferencing software has become a popular way to keep in touch with friends and family, and even to join online fitness classes.

However, with Zoom's rise in popularity, a type of attack called 'Zoom-bombing' has also seen more and more activity.

Zoom-bombing is when someone gains unauthorized access to a Zoom meeting to harass the participants in various ways, to spread hate and divisiveness, or to record pranks that are later posted on social media.

Just yesterday, the FBI released an advisory warning Zoom users that they should properly secure their meetings against Zoom-bombing attacks.

"The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language," the alert published by the FBI warned.

This guide will walk you through securing your Zoom meetings so that virtual get-togethers, meetings, exercise classes, and even happy hours are not Zoom-bombed by unauthorized users.
Privacy considerations when using Zoom

Before we get into learning how to use Zoom, it is important to consider the privacy ramifications of participating in Zoom meetings.

One of the most important things to remember is that a Host can record a Zoom session, including the video and audio, to their computer. Therefore, be careful saying or physically 'revealing' anything that you would not want someone else to potentially see or know about.

Meeting participants will know when a meeting is being recorded as there will be a 'Recording...' indicator displayed in the top left of the meeting as shown below.



It is also important to remember that a user can download their chat logs before leaving a meeting. These logs will only contain messages that you could see, but not the private chat messages of other users.

Finally, it has been reported that Zoom meetings are not truly end-to-end encrypted (E2E) between the participants' endpoints.

What this means is that audio and video are encrypted only in transit between each participant and Zoom's servers; Zoom's servers can decrypt the meeting content, so the protection is transport encryption, not end-to-end encryption.

This theoretically means that a Zoom employee could monitor a meeting's traffic and snoop on it, but Zoom has told The Intercept that there are safeguards in place to prevent this type of activity.

"Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone."
Securing your Zoom meetings

Now that you know the potential privacy risks of using Zoom, before scheduling a meeting with friends or coworkers, you can familiarize yourself with the various ways you can secure Zoom meetings using the steps below.
Add a password to all meetings!

When creating a new Zoom meeting, Zoom will automatically enable the "Require meeting password" setting and assign a random six-digit password.



You should not uncheck this option as doing so will allow anyone to gain access to your meeting without your permission.
Use waiting rooms

Zoom allows the host (the one who created the meeting) to enable a waiting room feature that prevents users from entering the meeting without first being admitted by the host.

This feature can be enabled during the meeting creation by opening the advanced settings, checking the 'Enable waiting room' setting, and then clicking on the 'Save' button.
Enable waiting room setting

When enabled, anyone who joins the meeting will be placed into a waiting room where they will be shown a message stating "Please wait, the meeting host will let you in soon."

The meeting host will then be alerted when anyone joins the meeting and can see those waiting by clicking on the 'Manage Participants' button on the meeting toolbar.



You can then hover your mouse over each waiting user and 'Admit' them if they belong in the meeting.
Admit a person into the meeting
Keep Zoom client updated

If you are prompted to update your Zoom client, please install the update.

The latest Zoom updates enable Meeting passwords by default and add protection from people scanning for meeting IDs.

With Zoom being so popular at this time, more threat actors will also focus on it to find vulnerabilities. By installing updates as they are released, you receive the fixes for vulnerabilities as soon as Zoom patches them.
Do not share your meeting ID

Each Zoom user is given a permanent 'Personal Meeting ID' (PMI) that is associated with their account.

If you give your PMI to someone else, they will always be able to check if there is a meeting in progress and potentially join it if a password is not configured.

Instead of sharing your PMI, create new meetings each time that you will share with participants as necessary.
Disable participant screen sharing

To prevent your meeting from being hijacked by others, you should prevent participants other than the Host from sharing their screen.

As a host, this can be done in a meeting by clicking on the up arrow next to 'Share Screen' in the Zoom toolbar and then clicking on 'Advanced Sharing Options' as shown below.



When the Advanced Sharing Options screen opens, change the 'Who Can Share?' setting to 'Only Host'.



You can then close the settings screen by clicking on the X.
Lock meetings when everyone has joined

If everyone has joined your meeting and you are not inviting anyone else, you should Lock the meeting so that nobody else can join.

To do this, click on the 'Manage Participants' button on the Zoom toolbar and select 'More' at the bottom of the Participants pane. Then select the 'Lock Meeting' option as shown below.


Do not post pictures of your Zoom meetings

If you take a picture of your Zoom meeting, then anyone who sees this picture will be able to see its associated meeting ID. This can then be used by uninvited people to try and access the meeting.

For example, the UK Prime Minister Boris Johnson tweeted a picture today of the "first ever digital Cabinet", and the picture included the meeting ID.



This could have been used by attackers to try and gain unauthorized access to the meeting by manually joining via the displayed ID.
Manually join a meeting by ID

Thankfully, the virtual cabinet meeting was password-protected, but it does illustrate why all meetings need to use a password or at least a waiting room.
Do not post public links to your meetings

When creating Zoom meetings, you should never publicly post a link to your meeting.

Doing so will cause search engines such as Google to index the links and make them accessible to anyone who searches for them.

As the default setting in Zoom is to embed passwords in the invite links, once a person has your Zoom link they can Zoom-bomb your meeting.
Be on the lookout for Zoom-themed malware

Since the Coronavirus outbreak, there has been a rapid increase in the number of threat actors creating malware, phishing scams, and other attacks related to the pandemic.

This includes malware and adware installers being created that pretend to be Zoom client installers.
Malicious Zoom installer

To be safe, only download the Zoom client directly from the legitimate Zoom.us site and not from anywhere else.