
Friday, March 27, 2020

"Corona antivirus" infects victims with malware




By Anthony Spadafora 2 days ago

New site claims its antivirus software can protect users from getting the coronavirus




(Image credit: Malwarebytes)


Cybercriminals continue to leverage the ongoing coronavirus outbreak for their own gain by launching numerous scam campaigns which use Covid-19 as a lure to trick users into installing a variety of malware and data stealers.

In the latest scam, discovered by Malwarebytes, cybercriminals have set up a website advertising “Corona Antivirus - World's best protection” which tries to trick users into installing antivirus software that supposedly has the capabilities to protect users from becoming infected with the virus in real life. The creators of the site have even provided more details on how their solution works, saying:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”



While most users will likely understand that there is no way for any type of software to protect them from becoming infected with the coronavirus, there is a possibility that some will fall for this scheme as the cybercriminals behind it have taken the necessary steps to make their website appear legitimate.

BlackNET RAT

Once a user installs the application offered on the Corona Antivirus site, their computer is infected with malware. The installation file, which is protected with the commercial packer Themida, turns the user's PC into a bot ready to receive commands.

After inspecting the command and control server, Malwarebytes discovered a control panel for the BlackNET botnet. The full source code for the BlackNET toolkit was published on GitHub a month ago and some of its features include deploying DDoS attacks, taking screenshots, stealing Firefox cookies, stealing saved passwords, implementing a keylogger, executing scripts and stealing Bitcoin wallets, among others.

While working from home, it is important that all users keep their computers up to date and exercise caution when downloading and installing new programs to avoid falling victim to the many coronavirus-themed scams that are currently making their way around the web.

After investigating the Corona Antivirus site, Malwarebytes informed CloudFlare of its discovery and the CDN took immediate action to flag the website as malicious.

Thursday, March 26, 2020

Home office is where the heart is…





James Shepperd, 23 Mar 2020



Or is it… home office is where the hurt is?

Usually I am quite happy to have home office, in my division at ESET (IT company) we are permitted two per month. It’s not a lot but maybe that is why I look forward to it. My kids are at school, my wife is at work and my colleagues are behind a virtual wall that I control! (-;

Or, I should probably say, that was home office. With COVID-19 restrictions in place, home office has… certainly changed, a lot! For starters, both my kids and wife are home. Then, my team… well it just got a lot bigger. The number of ESET staff and departments I connect with has virtually multiplied by a factor of three, at least it feels like it. It’s not that I am bitter, just well, it’s not fun and games anymore.

VPN
Shields up! With only 2 home offices per month, I simply relied on my company provided Virtual Private Network (VPN) as a significant enough safeguard, but after reading this blog on home office security measures end to end, which I requested, I took a look at my router settings. Oh, looks like I have some security improvements to make. Anyway, with my VPN turned on I can access some otherwise restricted marketing resources, which have their own protection protocols. In simple terms, a VPN lets you make a secure connection to another network over the Internet, access region- or security-restricted websites, and shield your browsing activity. Now that I, along with every other marketer in the company, am accessing these files from home networks, I can see why there is the added layer of protection.

Passwords
Best practice: Aside from the little notebook with the hard copy of passwords I keep buried under my..., I use a password manager, which can store all my needed credentials in one place, under one “master password”. Just as a reminder, create a strong password or passphrase, keep the password(s) secure and consider a second (factor) method of protection that helps prevent unwanted access.
Even strong passwords can fall victim to malicious actors using keyloggers and other technology to crack your online accounts. So, strongly consider using a product like ESET Smart Security Premium that integrates several privacy protection features including password management and protection against keylogging via Two Factor Authentication (2FA).

Two Factor Authentication
“Open Sesame” and… While my VPN is a prerequisite for accessing our intranet and a number of applications that can be found there, for more sensitive applications I am challenged at the “gate”. What I mean is that my login is quickly followed by a request for a single time passcode.

The companion app for our intranet platform pings my mobile phone with the authenticator, I enter the code and “I’m in!”. When I first came to the company, I used to mutter under my breath about accessing various admin dashboards or restricted forums with 2FA. I saw it as just another barrier or headache. But in the years since, especially working on our offer for small and medium businesses and small or home office clients I have seen up close how social media or whole websites get disrupted, events that cause serious reputational damage. I don’t want that kind of damage on my name. These days I even use 2FA on my personal email account after it got hacked.

Kids and Home Office
The pain: now on to a more personal note, my kids interfering with my perfect home office vibe! The coronavirus has upped the ante on my multitasking skills. My kids have to learn – my wife and I are their new substitute teachers. We also have to work. So it means, teach and work at the same time. So, my top tip, keep them on their usual schedule.

Mornings: Wake at 6:30 am, we have a bite to eat and then put on our masks and glasses and then take a brisk 20-minute walk through the park behind our house. This gets everyone going and ready to start their daily assignments, which come via email. I know many of you won’t have empty parks behind your houses, but if you have an area nearby with low numbers of people (at 6:45-7:00 am they should be empty), then the benefit to mood and focus is (to me) worth the risk.

By 8:00 am, I am at my desk, and the kids have started with any assignments. Our rule is that they have to finish their first block of assignments by 11:00 am, the lunch time I had pre-COVID-19. I found that by addressing my needs first I am able to be more patient and adaptable with covering their needs.

Meals, well… when I shop, I buy a lot of fruit for snacks and when making sandwiches or cooking warm meals I have started making double portions to ensure we have enough leftovers. They are starting to accept that we aren’t going to the store so often and they will get leftovers at least once every day. Smiley (-:

Afternoons: After lunch, I disengage from my work and review any questions, lost assignments, or missing workbook issues. Before sinking myself into that task I make sure to lock my PC (Ctrl+Alt+Del). That prevents my kids from accidentally losing my work… or publishing anything to the company’s social media.

My wife: She has a busy job, lots of calls, video chats etc. This is a challenge. Back to my 8:00 am – 11:00 am sprint. During those hours she tries to be available for the kids, in the afternoon I am up. This trade-off doesn’t mean we are in full teacher mode, but it allows one of us to accept a period of interruption, knowing that later, we will have higher quality work time. When we both know we’ll be engaged on conference calls or whatever… that is when some scheduled online educational games and snacks come in handy.

Oh, and the daily device wipe down: Since my hands haven’t completely fallen off, yet… I also take the opportunity to wipe down my keyboard, mouse and trackpad. If you’ve got tablets, I’d do those too, with (screen safe) cleaner or in a pinch simply a damp rag. I start with our devices and move on to doorknobs and high traffic surfaces.

Promises: I promised this personal view on my secure home office to the Public Relations team at ESET. After saying “YES”, I started to feel vulnerable. “My security practices are gonna be visible to all my colleagues and the wider public.” But, there is hope.

Only via critique can you learn better practices, and maybe the coronavirus can achieve what GDPR and countless internet security awareness campaigns have yet to do: raise people’s appreciation for basic security measures.

Wednesday, March 25, 2020

Over 50 Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme





March 24, 2020, Ravie Lakshmanan
More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

Dubbed "Tekya," the malware in the apps imitated users' actions to click ads from advertising networks such as Google's AdMob, AppLovin', Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News.

"Twenty-four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on)," the researchers said.


While the offending apps have been removed from Google Play, the find by Check Point Research is the latest in an avalanche of ad fraud schemes that have plagued the app storefront in recent years, with malware posing as optimizer and utility apps to perform phony clicks on ads.


Malware Abuses MotionEvent API to Simulate User Clicks
Check Point says the campaign cloned legitimate, popular apps to gain an audience; the 56 newly discovered apps bypassed Google Play Store protections by obfuscating their native code and relying on Android's MotionEvent API to simulate user clicks.

Once an unwitting user installs one of the malicious apps, the Tekya malware registers a receiver, an Android component that is invoked when a certain system or application event occurs, such as a device restart or the user actively using the phone.



When the receiver detects one of these events, it loads a native library named "libtekya.so" that includes a sub-function called "sub_AB2C", which creates and dispatches touch events, thereby mimicking a click via the MotionEvent API.
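The combination the article describes (a broadcast receiver bound to a passive trigger such as a device restart or the user unlocking the phone, which then loads a bundled native library) is something an analyst can look for statically when triaging an APK. The helper below is an added example written for this page, not code from Check Point or from the Tekya sample: it parses a decoded manifest for receivers that listen on such triggers and lists the native libraries in the package. The intent action names used as the trigger watch list, the scoring rule, and the sample manifest and file list are all constructed assumptions for illustration; the library name libtekya.so is taken from the article.

```python
# Added example: static triage of an Android package for the pattern described
# in the article (passive-trigger receiver + bundled native library).
# Not Check Point's tooling; manifest and file list below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: these broadcast actions are the usual way an app wakes up on
# "device restart" or "user is actively using the phone" without user action.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.SCREEN_ON",
}


def suspicious_receivers(manifest_xml: str) -> list[dict]:
    """Return receivers whose intent-filters include a watched trigger action."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(f"{{{ANDROID_NS}}}name", "")
        actions = {
            action.get(f"{{{ANDROID_NS}}}name", "")
            for flt in receiver.findall("intent-filter")
            for action in flt.findall("action")
        }
        matched = sorted(actions & WATCHED_ACTIONS)
        if matched:
            hits.append({"receiver": name, "actions": matched})
    return hits


def native_libs(file_list: list[str]) -> list[str]:
    """Paths of native libraries shipped under lib/ in the APK (from its file listing)."""
    return sorted(p for p in file_list if p.startswith("lib/") and p.endswith(".so"))


def triage(manifest_xml: str, file_list: list[str]) -> dict:
    """Flag a package for manual review only when both indicators are present.

    Either indicator alone is common in legitimate apps (launchers, games with
    native engines), so the rule deliberately requires the combination.
    """
    receivers = suspicious_receivers(manifest_xml)
    libs = native_libs(file_list)
    return {
        "receivers": receivers,
        "native_libs": libs,
        "needs_review": bool(receivers) and bool(libs),
    }


# Constructed sample input, shaped like a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kidsgame">
  <application>
    <receiver android:name=".TriggerReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="com.example.ACTION_SYNC"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed file listing of the same package.
SAMPLE_FILES = [
    "AndroidManifest.xml",
    "classes.dex",
    "lib/arm64-v8a/libtekya.so",
    "res/layout/main.xml",
]

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_FILES)
    for r in report["receivers"]:
        print(f"receiver {r['receiver']} listens on {', '.join(r['actions'])}")
    print("native libs:", report["native_libs"])
    print("needs review:", report["needs_review"])
```

Run it against a manifest produced by any APK decoding tool; the output is a triage hint for an analyst, not a verdict, since the same structure appears in plenty of benign apps.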


An Ongoing Problem of Mobile Ad Fraud
Mobile ad fraud manifests in different ways, including threat actors planting malware-laced ads on user phones or embedding malware in apps and online services to generate clicks fraudulently to receive payouts by advertising networks.


Mobile security vendor Upstream's analysis of 2019 data revealed that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Nearly 23 percent of the malicious Android ads that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment, and shopping apps.

Google, for its part, has been actively trying to stop rogue Android apps from infiltrating the Google Play Store. It has leveraged Google Play Protect as a means to screen potentially harmful applications and also forged an "App Defense Alliance" in partnership with cybersecurity firms ESET, Lookout, and Zimperium to reduce the risk of app-based malware.

To safeguard yourself from such threats, it's recommended that you stick to the Play Store for downloading apps and avoid sideloading from other sources. More importantly, scrutinize the reviews, developer details, and the list of requested permissions before installing any app.


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours



By Ionut Ilascu, March 24, 2020 06:26 PM






Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation, unless a critical patch is applied.

The company made a similar announcement in November 2019, when a firmware defect caused failure after 32,768 hours of running.
Affected drives

The current issue affects drives in HPE server and storage products such as HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure and StoreEasy 1000 Storage.
| HPE Model Number | HPE SKU | HPE SKU Description | HPE Spare Part SKU | HPE Firmware Fix Date |
| --- | --- | --- | --- | --- |
| EK0800JVYPN | 846430-B21 | HPE 800GB 12G SAS WI-1 SFF SC SSD | 846622-001 | 3/20/2020 |
| EO1600JVYPP | 846432-B21 | HPE 1.6TB 12G SAS WI-1 SFF SC SSD | 846623-001 | 3/20/2020 |
| MK0800JVYPQ | 846432-B21 | HPE 800GB 12G SAS MU-1 SFF SC SSD | 846624-001 | 3/20/2020 |
| MO1600JVYPR | 846436-B21 | HPE 1.6TB 12G SAS MU-1 SFF SC SSD | 846625-001 | 3/20/2020 |


The company says that this is a comprehensive list of impacted SSDs it makes available. However, the issue is not unique to HPE and may be present in drives from other manufacturers.

If the SSDs in these products run a firmware version older than HPD7, they will fail after being powered on for 40,000 hours; this translates to 4 years, 206 days and 16 hours, about half a year shorter than the extended warranty available for some of them.

When the failure point is reached, neither the data nor the drive can be recovered. Preventing such a disaster is possible in environments with data backup setups.

HPE learned about the firmware bug from an SSD manufacturer and warns that if SSDs were installed and put into service at the same time, they are likely to fail almost concurrently.


“Restoration of data from backup will be required in non-fault tolerance modes (e.g., RAID 0) and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive [e.g. RAID 5 logical drive with two failed SSDs]” - HPE advisory

The new firmware can be installed by using the online flash component for VMware ESXi, Windows, and Linux.
Not as bad as last time

There is some good news, though. Checking the shipping dates from HPE against the 40,000-hour expiration limit shows that no affected SSD has yet failed because of this firmware bug.

HPE estimates that unpatched SSDs will begin to fail as early as October 2020. This gives plenty of time for admins to apply the corrected firmware.

Back in November, reports about storage drive failures came pouring in on social media and forums, with users complaining about devices failing in bulk, minutes apart.

Finding out the uptime of an affected drive is possible with the Smart Storage Administrator (SSA) utility, which offers the power-on time for every drive installed on the system.

Alternatively, users can run scripts that check whether the firmware on their SSDs has the 40,000 power-on-hours failure issue. The scripts work for certain HPE SAS SSDs and are available for Linux, VMware and Windows.
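The article gives the three facts an administrator needs to plan the remediation: the affected model numbers, the firmware version that carries the fix (HPD7), and the 40,000 power-on-hour limit. The script below is an added example written for this page, not HPE's own checking script: it takes a drive inventory (model, firmware version, power-on hours, which HPE says the SSA utility reports) and works out which drives are still at risk and, assuming they stay powered on continuously, when each would reach the limit. The inventory records and the "now" timestamp are constructed; treating the HPE firmware strings as "HPD" plus a single digit that can be compared numerically is an assumption, and anything that does not fit that shape is reported as unknown rather than guessed.

```python
# Added example: triage a drive inventory against the 40,000 power-on-hour limit
# described in the HPE advisory. Not HPE's script; the inventory is constructed.
from datetime import datetime, timedelta

FAILURE_HOURS = 40_000
FIXED_FIRMWARE = "HPD7"
# Model numbers from the advisory table in the article.
AFFECTED_MODELS = {"EK0800JVYPN", "EO1600JVYPP", "MK0800JVYPQ", "MO1600JVYPR"}


def hours_to_ydh(hours: int) -> tuple[int, int, int]:
    """Split a power-on-hour count into (years, days, hours) using 365-day years."""
    days, rem_hours = divmod(hours, 24)
    years, days = divmod(days, 365)
    return years, days, rem_hours


def firmware_is_vulnerable(version: str):
    """True if older than HPD7, False if HPD7 or newer, None if the string is not understood.

    Assumption: versions look like "HPD<digit>" and compare by that digit.
    """
    if len(version) != 4 or not version.startswith("HPD") or not version[3].isdigit():
        return None
    return int(version[3]) < int(FIXED_FIRMWARE[3])


def assess(drive: dict, now: datetime) -> dict:
    """Classify one inventory record (constructed shape: serial, model, firmware, power_on_hours)."""
    result = {"serial": drive["serial"], "model": drive["model"]}
    if drive["model"] not in AFFECTED_MODELS:
        return {**result, "status": "not_listed"}
    vuln = firmware_is_vulnerable(drive["firmware"])
    if vuln is None:
        return {**result, "status": "unknown_firmware"}
    if not vuln:
        return {**result, "status": "patched"}
    remaining = FAILURE_HOURS - drive["power_on_hours"]
    if remaining <= 0:
        return {**result, "status": "past_limit"}
    # Worst case: the drive stays powered on continuously from now.
    return {**result, "status": "at_risk", "remaining_hours": remaining,
            "fails_by": now + timedelta(hours=remaining)}


def triage_inventory(drives: list[dict], now: datetime):
    """Return all assessments plus the at-risk drives ordered by urgency."""
    results = [assess(d, now) for d in drives]
    at_risk = sorted((r for r in results if r["status"] == "at_risk"),
                     key=lambda r: r["remaining_hours"])
    return results, at_risk


# Constructed inventory, as an SSA export might be transcribed by an admin.
SAMPLE_DRIVES = [
    {"serial": "SN-0001", "model": "EK0800JVYPN", "firmware": "HPD6", "power_on_hours": 35_000},
    {"serial": "SN-0002", "model": "MO1600JVYPR", "firmware": "HPD7", "power_on_hours": 39_000},
    {"serial": "SN-0003", "model": "EK0800JVYPN", "firmware": "HPD5", "power_on_hours": 40_500},
    {"serial": "SN-0004", "model": "XX0000XXXXX", "firmware": "HPD4", "power_on_hours": 41_000},
]
SAMPLE_NOW = datetime(2020, 3, 24)  # constructed reference time (date of the article)

if __name__ == "__main__":
    y, d, h = hours_to_ydh(FAILURE_HOURS)
    print(f"{FAILURE_HOURS} h = {y} years, {d} days, {h} hours")
    results, at_risk = triage_inventory(SAMPLE_DRIVES, SAMPLE_NOW)
    for r in results:
        print(r["serial"], r["model"], r["status"])
    for r in at_risk:
        print(f"patch {r['serial']} before {r['fails_by']:%Y-%m-%d %H:%M} "
              f"({r['remaining_hours']} power-on hours left)")
```

With the constructed inventory the first drive, on HPD6 at 35,000 hours, reaches the limit in mid-October 2020, which matches the article's "as early as October 2020" estimate for real fleets. Drives that are past the limit but still running should not be treated as safe: the page states that a reboot or continued operation of an unpatched drive at 40,000 hours ends with the drive and its data unrecoverable, so they go to the top of the patch list along with a backup check.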

JohnC_21 - 4 hours ago 

The company said in a bulletin that the “issue is not unique to HPE and potentially affects all customers that purchased these drives.” HPE has not identified the SSD maker and refused to do so, saying: “We’re not confirming manufacturers.”

However, a Dell EMC urgent firmware update issued last month also mentioned SSDs failing after 40,000 operating hours and specifically identified SanDisk SAS drives. The update included firmware version D417 as a fix.

The fault fixed by the Dell EMC firmware concerns an Assert function which had a bad check to validate the value of a circular buffer’s index value. Instead of checking the maximum value as N, it checked for N-1. The fix corrects the assert check to use the maximum value as N.

It seems likely that the HPE drives are SanDisk drives as well.

https://blocksandfiles.com/2020/03/24/hpe-enterprise-ssd-40k-hours-flaw/
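The comment above describes the Dell EMC fix as correcting an assert that checked a circular buffer index against N-1 instead of N. The snippet below is an added illustration, not the SanDisk or Dell EMC firmware code: it models a ring buffer of N slots whose write path runs an index check, with the buggy and corrected predicates side by side, and shows the kind of boundary test that catches the off-by-one before a device ships. Treating the valid index range as 0..N-1 (so that the bad check rejects the last valid slot) is an assumption about the bug's direction, and the analogy of one write per operating hour is mine.

```python
# Added example: modelling the off-by-one assert check described in the comment.
# Not the vendor's firmware. Assumption: valid slot indices are 0..N-1.
N = 8  # ring buffer capacity for the illustration


def index_ok_buggy(idx: int, n: int = N) -> bool:
    """Bad check: validates against N-1, so the last valid slot (N-1) is rejected."""
    return 0 <= idx < n - 1


def index_ok_fixed(idx: int, n: int = N) -> bool:
    """Corrected check: any index below N is a valid slot."""
    return 0 <= idx < n


class RingBuffer:
    """Minimal circular buffer whose write path runs an index validation.

    In firmware a failed assert typically halts the controller; here it raises.
    """

    def __init__(self, n: int, validate):
        self.slots = [None] * n
        self.n = n
        self.head = 0
        self.validate = validate

    def push(self, item) -> None:
        if not self.validate(self.head, self.n):
            raise AssertionError(f"index {self.head} failed validation")
        self.slots[self.head] = item
        self.head = (self.head + 1) % self.n


def writes_until_assert(validate, n: int = N):
    """How many writes succeed before the check fires; None if it never fires in 2n writes.

    If each write were one hour's record, this would be the uptime at which the
    device halts (the analogy to the 40,000-hour failure is the author's, not the page's).
    """
    buf = RingBuffer(n, validate)
    for i in range(2 * n):
        try:
            buf.push(i)
        except AssertionError:
            return i
    return None


def boundary_test(validate, n: int = N) -> bool:
    """Every index in 0..n-1 must be accepted and n must be rejected."""
    return all(validate(i, n) for i in range(n)) and not validate(n, n)


if __name__ == "__main__":
    for name, check in (("buggy", index_ok_buggy), ("fixed", index_ok_fixed)):
        print(f"{name}: boundary test {'passes' if boundary_test(check) else 'FAILS'}, "
              f"first assert at write {writes_until_assert(check)}")
```

The buggy predicate passes every write until the head index wraps to the last slot, which is exactly the behaviour of a latent defect that only surfaces after a fixed number of operations: nothing in ordinary testing of a few writes exposes it, but a test that walks every boundary value (0, N-1 and N) does.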

Tuesday, March 24, 2020

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic



Free Sucuri WAF for Medical & Social Services

March 24, 2020, Chase Watts


During the COVID-19 pandemic, there is concern about health systems worldwide. Many people in isolation or self-quarantine are looking for accurate medical information online on a daily basis.

As a result, it is crucial that public health and social service websites remain available. We want to prevent malicious users from abusing these types of websites. So, we decided to stand up and do something about it.

Free year of the Sucuri WAF for crisis responders

Sucuri is going to provide crisis responders with a free website firewall for one year during the coronavirus pandemic. We are offering website protection and increased performance for dedicated professionals and volunteer services who have been acting as crisis responders, such as:
Hospitals
Physicians
Emergency medical technicians
Food banks

All you need to do is submit an eligibility form to get a free year of the Sucuri WAF.

Don’t let bad actors exploit our situation

Though some ransomware groups are claiming they will not be targeting health organizations, there are still bad actors online that will likely treat the COVID-19 outbreak as an opportunity. They do so at their own risk; a response from national cybersecurity units and ethical hackers is inevitable.


@mikko, 12:36 PM - Mar 18, 2020:

“Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.”






When people flock to a website for help, some hackers and scammers can work to compromise the site and steal valuable data. Worse still, they could even use a distributed denial of service (DDoS) attack to shut it down completely.

This is not just a problem for health care and social services. Many organizations currently lack the IT resources required to address the cybersecurity challenges of rapidly shifting the workforce and business model to an online environment.


Security Under Swift Law (@SwiftOnSecurity), 9:32 PM - Mar 19, 2020:

“We need a global suspension of malware activity right now. Security teams are getting pulled into assisting with Work-From-Home to keep isolation and save people’s lives. Come back 2x harder when this ends whatever. We can’t be doing this right now.”






For those who are new to working from home, we’ve released a post including security tips for remote workers.
How can Sucuri protect and speed up your website?

We keep our WAF updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.

Traffic surges to a website can reduce availability. Our WAF mitigates traffic surges with the Anycast content delivery network (CDN). The Anycast CDN stores copies of a website on numerous points of presence (PoP) throughout the world, and then delivers content to an individual via the nearest PoP.

That improves a website’s availability during episodes of high traffic and speeds up content delivery by an average of 70%.
Count on our WAF for HIPAA compliance

We built our WAF with people in mind who must adhere to the U.S. Health Insurance Portability and Accountability Act (HIPAA). With your website behind our WAF, be confident you’re meeting standards for protected health information.

If you have any questions, feel free to chat with us. Stay safe!