
Sunday, March 29, 2020

Hackers sending malware infected USBs with Best Buy Gift Cards

By Waqas, HackRead

The infamous FIN7 hacking group is behind this campaign.

IT security researchers at Trustwave SpiderLabs have identified a new and tricky attack campaign that uses a specially designed USB dongle acting as a keyboard. In its write-up, Trustwave shared details from one of its US clients, which received a malicious USB dongle shipped to the company along with what appeared to be a Best Buy gift card.

The incident has received so much attention that the FBI issued a warning attributing it to the cybercrime syndicate known as FIN7, which is specifically targeting businesses by mailing them these devices.


The attack works like this: once the device is plugged into a PC, it types keystrokes that download and run a JavaScript backdoor. Keystroke-injecting USB devices of this kind have mostly been associated with security researchers and training exercises, and this may be the first time criminals have attempted to use the technique on a large scale.

According to Trustwave SpiderLabs vice president Ziv Mador, the company learned of the campaign through a business associate of one of its team members; a US-based hospitality-sector firm received the malicious USB dongle in February.

The attackers packaged the USB drive cleverly: the company that received it, together with a $50 Best Buy gift card, reported that the package also contained a genuine-looking letter bearing the Best Buy logo.


"Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick. Thank you again for choosing us!" said the letter sent to the company.

Trustwave published a full preview of the letter (image provided by Trustwave).

The recipient was told to spend the amount on items from a list supposedly stored on the USB drive, which of course required plugging the drive into a computer. The recipient, however, was well trained, did not follow the instructions, and instead sent the device off for analysis.

Researchers determined that the supposed USB drive is in fact an Arduino-compatible board built around the ATMEGA32U4 microcontroller, programmed to deliver the GRIFFON malware. The device is built to behave like a USB keyboard because keyboards are accepted by almost every type of system without extra drivers or prompts, which makes injecting malicious commands easy.

In this campaign, once plugged in, the device types out a series of obfuscated PowerShell commands that collect the host's system configuration, upload it to a command-and-control (C&C) server operated by the attackers, and then wait for further instructions.


(Image: how the attack works, via Trustwave)
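The sequence above leaves two ordinary-looking traces on the victim's machine, a new keyboard appearing and PowerShell starting, and it is their combination within a few seconds that is the tell. The following Python is an added example, not code from Trustwave or the article: it correlates constructed, normalised device-install and process-creation records, and the field names, hostnames and VID/PID values are this example's own assumptions rather than indicators from the report.

```python
"""Correlate a new USB keyboard with a suspicious PowerShell launch.

A keystroke-injection dongle enumerates as a plain HID keyboard and then
"types" a PowerShell one-liner, typically into the Win+R Run box (so
explorer.exe is the parent).  Either event alone is normal; both within
a few seconds on one host is worth an alert.

The events below are CONSTRUCTED to resemble normalised Windows telemetry
(PnP device-install and process-creation records).  Field names,
hostnames and VID/PID values are this example's own, not a vendor schema
or indicators from the Trustwave report.
"""
import re
from datetime import datetime, timedelta

# Command-line traits commonly seen in typed-in PowerShell stagers.
SUSPICIOUS_PS = [
    r"(^|\s)-e(nc(odedcommand)?)?\s",          # base64-encoded script block
    r"-w(indowstyle)?\s+hidden",               # hide the console window
    r"-nop(rofile)?\b",                        # skip profile (faster, quieter)
    r"downloadstring|downloadfile|iex\b|invoke-expression",
    r"frombase64string",
]

HID_KEYBOARD = re.compile(r"HID\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)


def is_suspicious_powershell(cmdline: str) -> bool:
    """True if the command line is PowerShell with stager-like switches."""
    c = cmdline.lower()
    if "powershell" not in c and "pwsh" not in c:
        return False
    return any(re.search(p, c) for p in SUSPICIOUS_PS)


def correlate(events, window_seconds=30):
    """Return one alert per suspicious PowerShell start that follows a
    USB keyboard enumeration on the same host within `window_seconds`."""
    alerts = []
    last_keyboard = {}  # host -> (time, device_id)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "device_install" and ev.get("class") == "Keyboard":
            last_keyboard[ev["host"]] = (t, ev["device_id"])
        elif ev["type"] == "process_create":
            kbd = last_keyboard.get(ev["host"])
            if not kbd or t - kbd[0] > timedelta(seconds=window_seconds):
                continue
            if is_suspicious_powershell(ev["cmdline"]):
                m = HID_KEYBOARD.search(kbd[1])
                alerts.append({
                    "host": ev["host"],
                    "seconds_after_keyboard": (t - kbd[0]).total_seconds(),
                    "keyboard_vid_pid": f"{m.group(1)}:{m.group(2)}" if m else kbd[1],
                    "parent": ev.get("parent"),
                    "cmdline": ev["cmdline"],
                })
    return alerts


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    # WS-17: a new "keyboard" appears, 3 s later explorer.exe runs a stager.
    {"time": "2020-03-29T09:00:01", "host": "WS-17", "type": "device_install",
     "class": "Keyboard", "device_id": r"HID\VID_2341&PID_8036\7&1A2B3C&0&0000"},
    {"time": "2020-03-29T09:00:04", "host": "WS-17", "type": "process_create",
     "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."},
    # WS-22: a real keyboard swap, then an admin's interactive PowerShell 25 min later.
    {"time": "2020-03-29T10:15:00", "host": "WS-22", "type": "device_install",
     "class": "Keyboard", "device_id": r"HID\VID_046D&PID_C31C\6&2F1E0D&0&0000"},
    {"time": "2020-03-29T10:40:12", "host": "WS-22", "type": "process_create",
     "parent": "cmd.exe", "cmdline": "powershell.exe Get-Process | Sort-Object CPU"},
    # WS-22: hidden PowerShell with no keyboard event nearby; a different rule's job.
    {"time": "2020-03-29T11:00:00", "host": "WS-22", "type": "process_create",
     "parent": "WINWORD.EXE", "cmdline": "powershell.exe -w hidden -enc ZQBjAGgAbwA="},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic sits on Sysmon or EDR telemetry (the keyboard arrival from PnP logs, the process start with its parent); the real work is tuning the window and the switch list against your own baseline of legitimate administrative PowerShell.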

Researchers urge businesses not to insert any unexpected USB device into their systems, no matter how attractively it is disguised or how large the accompanying gift card is.


While this time it is the FIN7 group sending out malicious USBs, there is precedent: in May 2017 IBM shipped USB sticks infected with malware, in September 2018 Schneider Electric also shipped malware-laden USB drives, and in January 2018 police in Taiwan handed out malware-infected USBs as prizes in a cybersecurity quiz. Oh, the irony!

If you care about your business, educate yourself and your employees on cyber security, including how a USB device can become a security risk for your systems.

Phishing Attack Says You're Exposed to Coronavirus, Spreads Malware

By Lawrence Abrams, March 29, 2020, 12:12 PM



A new phishing campaign has been spotted that pretends to be from a local hospital telling the recipient that they have been exposed to the Coronavirus and that they need to be tested.

With the Coronavirus pandemic affecting all corners of the world, we continue to see phishing actors try to take advantage of the fear and anxiety it is provoking to scare people into opening malicious email attachments.

In a new low, a threat actor is pretending to be from a local hospital telling the recipient that they have been in contact with a colleague, friend, or family member who has tested positive for the COVID-19 virus.

The email then tells the recipient to print the attached EmergencyContact.xlsm file and bring it to the nearest emergency clinic for testing.
(Image: Coronavirus-themed phishing email)

The text of this email reads:

"Dear XXX

You recently came into contact with a colleague/friend/family member who has COVID-19 at Taber AB, please print attached form that has your information prefilled and proceed to the nearest emergency clinic.

Maria xxx
The Ottawa Hospital General Campus
501 Smyth Rd, Ottawa, ON K1H 8L6, Canada"


When a user opens the attachment, they are prompted to 'Enable Content' in order to view the supposedly protected document.
(Image: malicious attachment)

If a user enables content, malicious macros will be executed to download a malware executable to the computer and launch it.

The executable then injects code into several instances of the legitimate Windows msiexec.exe process, hiding the running malware behind a trusted binary and potentially evading detection by security software.
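Because the lure depends on the recipient enabling macros, the cheapest defence is to notice the VBA project before the file ever reaches Excel. The Python below is an added example, not BleepingComputer's analysis or the actual sample: it treats the attachment as the ZIP container every Office Open XML file is, looks for the vbaProject.bin part and its declared content type, and cross-checks the result against the claimed file extension. The workbook it inspects is constructed in memory from a few minimal parts.

```python
"""Triage an Office attachment for embedded VBA macros.

Modern Office documents (.docx/.xlsx/.pptx and the macro-enabled
.docm/.xlsm/.pptm) are ZIP containers.  A VBA project is stored in a
part named vbaProject.bin and advertised in [Content_Types].xml, so a
mail gateway or analyst can spot macros without opening the file in
Office.  The sample workbook built here is CONSTRUCTED: a few minimal
parts, not the real EmergencyContact.xlsm.
"""
import io
import os
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTS = {".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".potm", ".ppsm", ".ppam"}
ZIP_MAGIC = b"PK\x03\x04"


def office_macro_report(data: bytes) -> dict:
    """Report what the container says about macros, without parsing any VBA."""
    report = {"ooxml": False, "has_macros": False, "vba_parts": []}
    if not data.startswith(ZIP_MAGIC):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return report  # a ZIP, but not an Office Open XML package
    report["ooxml"] = True
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # Either signal suffices: the part itself, or its declared content type.
    report["has_macros"] = bool(report["vba_parts"]) or VBA_CONTENT_TYPE in content_types
    return report


def classify_attachment(filename: str, data: bytes) -> str:
    """Combine container evidence with the extension the sender chose."""
    report = office_macro_report(data)
    ext = os.path.splitext(filename)[1].lower()
    if not report["ooxml"]:
        return "not-ooxml"
    if report["has_macros"]:
        # Macros inside a file whose extension does not admit them is a red flag.
        return "macro-enabled" if ext in MACRO_EXTS else "macro-hidden-by-extension"
    return "no-macros"


def build_sample_workbook(with_macros: bool) -> bytes:
    """CONSTRUCTED minimal workbook package, just enough to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macros:
            types.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; OLE magic plus padding stands in.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macros in (("EmergencyContact.xlsm", True),
                         ("EmergencyContact.xlsx", True),
                         ("budget.xlsx", False)):
        print(name, "->", classify_attachment(name, build_sample_workbook(macros)))
```

This is a container-level check only; it tells you a macro project is present, not what it does. Feeding flagged files to a VBA extractor for the actual code, and quarantining anything classed as "macro-hidden-by-extension" outright, is the natural next step.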

In a cursory analysis, BleepingComputer saw that the malware performed the following behavior:
Search for and possibly steal cryptocurrency wallets.
Steals web browser cookies that could allow attackers to log in to sites with your account.
Gets a list of programs running on the computer.
Looks for open shares on the network with the net view /all /domain command.
Gets local IP address information configured on the computer.

During this crisis, it is important for everyone to be especially careful of any Coronavirus-related emails that they receive and to not open any attachments.

Instead, you should look up the number for the alleged sender and contact them via phone to confirm the email and the enclosed information.

Furthermore, if you are looking for the latest trustworthy Coronavirus information, go directly to the sites of the CDC, the WHO, or your local health department rather than risk opening an attachment from a stranger.

Hackers Used Local News Sites to Install Spyware On iPhones

March 27, 2020Ravie Lakshmanan
A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the "Operation Poisoned News" attack leverages a remote iOS exploit chain to deploy a feature-rich implant called 'LightSpy' through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim's device and load it with malware.


The APT group, dubbed "TwoSail Junk" by Kaspersky, is said to be leveraging vulnerabilities present in iOS 12.1 and 12.2 spanning all models from iPhone 6 to the iPhone X, with the attacks first identified on January 10, before intensifying around February 18.


Using Malicious Links as Bait to Install Spyware
The campaign uses fake links posted on multiple forums, all popular with Hong Kong residents, that claim to lead to various news stories related to topics that are either sex-related, clickbait, or news related to the ongoing COVID-19 coronavirus pandemic.



Clicking the URLs leads users either to legitimate news outlets that have been compromised or to websites set up specifically for this campaign (e.g., hxxps://appledaily.googlephoto[.]vip/news[.]html). In both cases a hidden iframe is used to load and execute the malicious code.

"The URLs used led to a malicious website created by the attacker, which in turn contained three iframes that pointed to different sites," Trend Micro researchers said. "The only visible iframe leads to a legitimate news site, which makes people believe they are visiting the said site. One invisible iframe was used for website analytics; the other led to a site hosting the main script of the iOS exploits."

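The layout Trend Micro describes, one visible frame showing the real story and two invisible ones doing the work, is something a defender can check for mechanically in a saved copy of a suspect page. The Python below is an added example and is not Trend Micro's or Kaspersky's code: it parses the HTML with the standard library and flags iframes that are both hidden and served from another host. The page it analyses is constructed to mirror that structure, and its hostnames are placeholders, not the campaign's real domains.

```python
"""Flag hidden cross-origin iframes in a captured page.

A watering-hole decoy of the kind described above wraps one visible
iframe (the genuine news story) and invisible ones (analytics and the
exploit loader).  This walks a saved HTML document with the standard
library parser and reports every iframe that is both invisible and
served from another host.  The HTML below is CONSTRUCTED to mirror
that layout; the hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


_ZERO_DIM = re.compile(r"(width|height)\s*:\s*0(\.0+)?(px|%)?\s*(;|$)")
_INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)")


def is_hidden(attrs: dict) -> bool:
    """Heuristic: display/visibility/opacity tricks, or a 0-1 pixel box."""
    style = attrs.get("style", "").lower()
    if "hidden" in attrs:
        return True
    if _INVISIBLE.search(style) or _ZERO_DIM.search(style):
        return True
    for dim in ("width", "height"):
        digits = re.sub(r"[^\d.]", "", attrs.get(dim, ""))
        if digits and float(digits) <= 1:
            return True
    return False


def audit_iframes(html: str, page_url: str):
    """One finding per iframe; 'suspicious' means hidden AND cross-origin."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src stays same-origin
        hidden = is_hidden(attrs)
        cross = host != page_host
        findings.append({"src": src, "host": host, "hidden": hidden,
                         "cross_origin": cross, "suspicious": hidden and cross})
    return findings


def suspicious_hosts(html: str, page_url: str):
    """Distinct hosts behind hidden cross-origin frames, sorted for reporting."""
    return sorted({f["host"] for f in audit_iframes(html, page_url) if f["suspicious"]})


# CONSTRUCTED decoy page resembling the three-iframe layout in the report.
SAMPLE_PAGE_URL = "https://lure.example/news.html"
SAMPLE_HTML = """<!doctype html><html><body>
<iframe src="https://news-outlet.example/story/12345" width="100%" height="900"></iframe>
<iframe src="https://stats.example/count.html" width="1" height="1" style="border:0"></iframe>
<iframe src="https://loader.invalid/m.html" style="display:none;width:0;height:0"></iframe>
<iframe src="/footer.html" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding)
    print("suspicious hosts:", suspicious_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

The visible cross-origin frame (the real news story) is deliberately not flagged: the decoy needs it to look legitimate, and plenty of honest pages embed third-party content. Hidden same-origin frames are reported but not marked suspicious; a real review would still look at what they load.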


The exploit chain starts with a 'silently patched' Safari vulnerability that fires when the malicious page is rendered in the browser, then abuses a use-after-free memory flaw in the iOS kernel (tracked as CVE-2019-8605) to execute arbitrary code with root privileges, in this case to install the proprietary LightSpy backdoor. Apple fixed CVE-2019-8605 in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1.

The spyware is not just capable of remotely executing shell commands and taking full control of the device. It also contains a variety of downloadable modules for data exfiltration, covering contact lists, GPS location, Wi-Fi connection history, hardware data, the iOS keychain, phone call records, mobile Safari and Chrome browser history, and SMS messages.


In addition, LightSpy targets messaging applications like Telegram, QQ, and WeChat to steal account information, contacts, groups, messages, and attached files.


A Surveillance Operation Targeting Southeast Asia
It is suspected that the TwoSail Junk gang is connected to, or possibly identical with, the operators of 'dmsSpy', an Android variant of the same malware that was distributed last year through open Telegram channels disguised as, among other things, Hong Kong protest calendar apps.

"dmsSpy's download and command-and-control servers used the same domain name (hkrevolution[.]club) as one of the watering holes used by the iOS component of Poisoned News," the researchers observed.

Once installed, these rogue Android apps harvested and exfiltrated contacts, text messages, the user's location, and the names of stored files.

"This particular framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia," Kaspersky researchers concluded.

Trend Micro, for its part, suggested the design and functionality of the campaign aim to compromise as many mobile devices as possible to enable device backdooring and surveillance.

To mitigate such threats, it's essential that users keep their devices up-to-date and avoid sideloading apps on Android from unauthorized sources.

Tekya Clicker Malware Hides in 56 Apps Downloaded 1 Million Times Worldwide From Google Play

By Gurubaran S, March 27, 2020



Google implements a number of controls to filter malicious apps out of the Play Store, but attackers continue to find ways to slip past them and infect users' devices.

Security researchers at Check Point identified 56 malicious apps on the Play Store carrying a new malware family dubbed 'Tekya', built to commit mobile ad fraud.


The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

The Tekya malware was found hidden in 56 apps that together were downloaded more than 1 million times worldwide. Of the 56, 24 were apps aimed at children, ranging from puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is the Android class used to report movement events from input devices such as a mouse, pen, finger, or trackball; by fabricating such events, code can simulate taps the user never made.

In this campaign, the attackers cloned legitimate apps and published look-alike versions with the malware embedded.

Once an infected app is installed, it registers a broadcast receiver and performs several actions on the device.

The receiver, 'us.pyumo.TekyaReceiver', is registered to handle the following intents:

BOOT_COMPLETED, to run code at device start-up ('cold' boot)
USER_PRESENT, to detect when the user is actively using the device
QUICKBOOT_POWERON, to run code after a device restart


The main goal of the malware is to click on ad banners from ad networks such as Google's AdMob, AppLovin, Facebook, and Unity, generating fraudulent revenue.
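The three intents the Tekya receiver listens for are declared in the APK's AndroidManifest.xml, so this persistence trick is visible in static triage before the app is ever run. The Python below is an added example, not Check Point's tooling: it walks a decoded manifest (as produced by apktool, for instance), lists every receiver wired to boot or unlock broadcasts, and notes when the receiver class lives outside the app's own package, which is a hint, not proof, of a grafted-in component. The manifest is constructed for the example; only the receiver and package names come from the article.

```python
"""Static triage of an Android manifest for boot/unlock persistence.

A receiver registered for BOOT_COMPLETED, QUICKBOOT_POWERON and
USER_PRESENT runs without the app being opened.  After decoding an APK
(e.g. with apktool) the manifest is plain XML; this lists every receiver
wired to those actions and whether its class lives outside the app's
own package.  The manifest below is CONSTRUCTED; only the receiver and
package names are taken from the article.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS  # the android:name attribute, namespace-qualified

PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
    "com.htc.intent.action.QUICKBOOT_POWERON",   # vendor variant of the same signal
    "android.intent.action.USER_PRESENT",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def find_persistence_receivers(manifest_xml: str):
    """Receivers whose intent-filters include boot or unlock broadcasts."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        name = receiver.get(A_NAME, "")
        if name.startswith("."):          # shorthand for a class in the app package
            name = package + name
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        hits = sorted(actions & PERSISTENCE_ACTIONS)
        if hits:
            findings.append({
                "receiver": name,
                "actions": hits,
                # A receiver outside the app's own package hints at an embedded SDK or payload.
                "outside_app_package": not name.startswith(package + "."),
            })
    return findings


def declares_boot_permission(manifest_xml: str) -> bool:
    """BOOT_COMPLETED only reaches apps that hold RECEIVE_BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return any(p.get(A_NAME) == BOOT_PERMISSION for p in root.iter("uses-permission"))


# CONSTRUCTED manifest: a cooking game carrying a foreign receiver.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.caracal.cooking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Cooking Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".PushReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
    <receiver android:name="us.pyumo.TekyaReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("declares boot permission:", declares_boot_permission(SAMPLE_MANIFEST))
    for finding in find_persistence_receivers(SAMPLE_MANIFEST):
        print(finding)
```

Many legitimate apps (alarm clocks, messengers) also listen for BOOT_COMPLETED, so the output is a triage list, not a verdict; a puzzle game that needs to wake on every unlock, through a receiver from an unrelated package, is what deserves the follow-up look at the native code.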

Here is the full list of affected apps with their Google Play install counts:
Package name    Google Play installs
caracal.raceinspace.astronaut 100000
com.caracal.cooking 100000
com.leo.letmego 100000
com.caculator.biscuitent 50000
com.pantanal.aquawar 50000
com.pantanal.dressup 50000
inferno.me.translator 50000
translate.travel.map 50000
travel.withu.translate 50000
allday.a24h.translate 10000
banz.stickman.runner.parkour 10000
best.translate.tool 10000
com.banzinc.littiefarm 10000
com.bestcalculate.multifunction 10000
com.folding.blocks.origami.mandala 10000
com.goldencat.hillracing 10000
com.hexa.puzzle.hexadom 10000
com.ichinyan.fashion 10000
com.maijor.cookingstar 10000
com.major.zombie 10000
com.mimochicho.fastdownloader 10000
com.nyanrev.carstiny 10000
com.pantanal.stickman.warrior 10000
com.pdfreader.biscuit 10000
com.splashio.mvm 10000
com.yeyey.translate 10000
leo.unblockcar.puzzle 10000
mcmc.delicious.recipes 10000
mcmc.delicious.recipes 10000
multi.translate.threeinone 10000
pro.infi.translator 10000
rapid.snap.translate 10000
smart.language.translate 10000
sundaclouded.best.translate 10000
biaz.jewel.block.puzzle2019 5000
biaz.magic.cuble.blast.puzzle 5000
biscuitent.imgdownloader 5000
biscuitent.instant.translate 5000
com.besttranslate.biscuit 5000
com.inunyan.breaktower 5000
com.leo.spaceship 5000
com.michimocho.video.downloader 5000
fortuneteller.tarotreading.horo 5000
ket.titan.block.flip 5000
mcmc.ebook.reader 5000
swift.jungle.translate 5000
com.leopardus.happycooking 1000
com.mcmccalculator.free 1000
com.tapsmore.challenge 1000
com.yummily.healthy.recipes 1000
com.hexamaster.anim 500
com.twmedia.downloader 100
com.caracal.burningman 50
com.cuvier.amazingkitchen 50
bis.wego.translate 0
com.arplanner.sketchplan 0
com.arsketch.quickplan 0
com.livetranslate.best 0
com.lulquid.calculatepro 0
com.smart.tools.pro 0
com.titanyan.igsaver 0
hvt.ros.digiv.weather.radar 0
md.titan.translator 0
scanner.ar.measure 0
toolbox.artech.helpful 0
toolkit.armeasure.translate 0


This shows that attackers are still finding ways to bypass Google Play's protections and get malicious apps into the store.

Before installing an app, users are advised to check the background of the application and the reputation of its developer.

How does remote work make users more vulnerable to hackers?


By Hack Unamatata, 29 March 2020, 13:30

The coronavirus has infected more than 450,000 people worldwide, and now cybersecurity experts are warning that the pandemic could also affect computer systems.
Many companies that usually handle sensitive and confidential information in their offices are recommending that employees work from home, in an effort to limit the spread of the coronavirus.
That, however, can make them more vulnerable to hackers, especially if employees browse certain sites they might visit when not under their bosses' supervision, such as porn sites.
Porn is one of hackers' favourite tools, and it can become even more effective if a company's employees decide that what is called NSFW content is a safe choice while working remotely during the coronavirus pandemic. In reality, NSFW is not safe.


According to Tyler Moffitt, a threat research analyst at the internet security company Webroot, adult sites have always been among the top three categories of sites hosting malicious content, so malicious attacks are very likely to increase, given that people will tend to visit porn sites more often during quarantine. After all, cybercriminals exploit the opportunities presented to them, particularly in critical periods such as the coronavirus pandemic.

Pornhub, the most popular porn site, reports that its traffic may indeed prove dangerous in combination with the coronavirus pandemic.

It is worth noting that cyberattacks targeting Americans have increased significantly over the last two weeks, as the world's largest hacker community reckons that Americans are now working outside their corporate firewalls.


According to Tom Kellermann, head of cybersecurity strategy at the software company VMware, it is not only visitors to such sites who risk being hit by hackers, since remote work in itself carries risks.
Kellermann also points out that corporate firewalls can be extended into employees' homes through virtual private networks (VPNs), which some companies have set up to provide greater security for remote work.


According to Peter Bauer, CEO of Mimecast, scams pushed via email while posing as Costco are common, luring people into stocking up on products at critical moments.
The hackers clearly have no intention of selling products such as toilet paper and Purell. Bauer also warns about emails supposedly from the federal government offering 'relief' checks, provided users hand over their bank account details.
Bauer notes that some hackers may be more active now because they may feel desperate. Specifically, there are many hackers whose daily routine has been disrupted, so they spend far more time in front of a computer.
Bauer predicts that the cyberattacks will continue for at least a few more weeks.


Andy Ellis, chief security officer at Akamai Technologies, stressed that there is no perfect defence against hackers, but employees can limit the risk by practising so-called 'digital hygiene'.
Good digital hygiene can include clearing out old documents from Dropbox or Google Drive. Regularly changing passwords can also help, and experts recommend using business-grade devices whenever possible, since personal devices may have weaker protection.

One more piece of advice from the experts is for users to stay away from porn sites.