Beyond Information Security

How Just Visiting A Site Could Have Hacked Your iPhone or MacBook Camera

If you use an Apple iPhone or MacBook, we have a piece of alarming news for you.

It turns out that merely visiting a website using the Safari browser (not just a malicious site, but also a legitimate site unknowingly loading malicious ads) could have let remote attackers secretly access your device’s camera, microphone, or location, and in some cases, saved passwords as well.

Apple recently paid a $75,000 bounty reward to an ethical hacker, Ryan Pickren, who practically demonstrated the hack and helped the company patch a total of seven new vulnerabilities before any real attacker could take advantage of them.

The fixes were issued in a series of updates to Safari spanning versions 13.0.5 (released January 28, 2020) and Safari 13.1 (published March 24, 2020).

Source: The hacker news / Bleeping computer / Dark reading / Threatpost / Security week / Ryan Pickren's blog

Link: https://thehackernews.com/2020/04/hacking-iphone-macbook-camera.html

Link: https://www.bleepingcomputer.com/news/security/apple-paid-75k-for-bugs-letting-sites-hijack-iphone-cameras/

Link: https://www.darkreading.com/vulnerabilities---threats/researcher-hijacks-ios-macos-camera-with-three-safari-zero-days/d/d-id/1337486

Link: https://threatpost.com/apple-safari-flaws-webcam-access/154476/

Link: https://www.securityweek.com/apple-awards-researcher-75000-camera-hacking-vulnerabilities

Link: https://www.ryanpickren.com/webcam-hacking-overview


Firefox Zero-Day Flaws Exploited in the Wild Get Patched

Mozilla patched two Firefox browser zero-day vulnerabilities actively being exploited in the wild. The flaws, both use-after-free bugs, have been part of “targeted attacks in the wild,” according to a Mozilla Foundation security advisory posted Friday. Both bugs have critical ratings and allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1. The bugs impact Firefox browser versions running on Windows, macOS and Linux operating systems. Details are scant on how either bug (CVE-2020-6819 and CVE-2020-6820) is specifically being exploited by adversaries. The first bug, tracked as CVE-2020-6819, is a use-after-free vulnerability tied to the browser component “nsDocShell destructor”. The Firefox nsDocShell is a client of the nsIHttpChannel API, a function of the browser related to reading HTTP headers. The second vulnerability, tracked as CVE-2020-6820, is also a use-after-free bug actively being exploited in the wild. In this case, the attackers are targeting the Firefox browser component ReadableStream, an interface of the Streams API. The Streams API is “responsible for breaking a resource that you want to receive over a network down into small chunks,” according to Mozilla.

Source: Threatpost / Security week / Mozilla security advisory / Helpnet security

Link: https://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/

Link: https://www.securityweek.com/mozilla-patches-two-firefox-vulnerabilities-exploited-attacks

Link: https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/

Link: https://www.helpnetsecurity.com/2020/04/06/firefox-vulnerabilities-exploited/


Unveiled: How xHelper Android Malware Re-Installs Even After Factory Reset

Remember xHelper?

A mysterious piece of Android malware that re-installs itself on infected devices even after users delete it or factory reset their devices—making it nearly impossible to remove.

xHelper reportedly infected over 45,000 devices last year, and since then, cybersecurity researchers have been trying to work out how the malware survives a factory reset and how it infected so many devices in the first place.

In a blog post published today, Igor Golovin, malware analyst at Kaspersky, finally solved the mystery by unveiling technical details on the persistence mechanism used by this malware, and eventually also figured out how to remove xHelper from an infected device completely.

Source: The hacker news / Threatpost

Link: https://thehackernews.com/2020/04/how-to-remove-xhelper-malware.html

Link: https://threatpost.com/xhelper-russian-nesting-doll-android-malware/154519/


Zoom Caught in Cybersecurity Debate — Here’s Everything You Need To Know

Over the past few weeks, the use of Zoom video conferencing software has exploded, ever since it emerged as the platform of choice to host everything from cabinet meetings to yoga classes amidst the ongoing coronavirus outbreak and work from home became the new normal. The app has skyrocketed to 200 million daily users from an average of 10 million in December, along with a 535 percent increase in daily traffic to its download page in the last month, but it has also seen a massive uptick in Zoom’s problems, all of which stem from sloppy design practices and security implementations. Zoom may never have designed its product beyond enterprise chat initially, but with the app now being used in a myriad of ways and by regular consumers, the company’s full scope of gaffes has come into sharp focus, something it was able to avoid all this time.

Source: The hacker news

Link: https://thehackernews.com/2020/04/zoom-cybersecurity-hacking.html


Microsoft: Emotet Took Down a Network by Overheating All Computers

Microsoft says that an Emotet infection was able to take down an organization’s entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked into opening a phishing email attachment.

“After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s core services,” DART said. “The virus avoided detection by antivirus solutions through regular updates from an attacker-controlled command-and-control (C2) infrastructure, and spread through the company’s systems, causing network outages and shutting down essential services for nearly a week.”

Source: Bleeping computer / Dark reading / Bruce Schneier on security

Link: https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/

Link: https://www.darkreading.com/endpoint/microsoft-emotet-attack-shut-down-an-entire-business-network/d/d-id/1337491

Link: https://www.schneier.com/blog/archives/2020/04/emotat_malware_.html


NASA under ‘significantly increasing’ hacking, phishing attacks

NASA has seen “significantly increasing” malicious activity from both nation-state hackers and cybercriminals targeting the US space agency’s systems and personnel working from home during the COVID-19 pandemic. Mitigation tools and measures set in place by NASA’s Security Operations Center (SOC) successfully blocked a wave of cyberattacks, with the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/nasa-under-significantly-increasing-hacking-phishing-attacks/


Drug testing firm sends data breach alerts after ransomware attack

Hammersmith Medicines Research LTD (HMR), a research company on standby to perform live trials of Coronavirus vaccines, has started emailing data breach notifications after having their data stolen and published in a ransomware attack. This attack occurred on March 14th, 2020, when the Maze Ransomware operators stole data hosted on HMR’s network and then began to encrypt their computers. After the ransom was not paid, the Maze operators published some of the stolen data on their “News” site on March 21st to further extort HMR into making a payment.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/drug-testing-firm-sends-data-breach-alerts-after-ransomware-attack/


Interpol: Ransomware attacks on hospitals are increasing

INTERPOL (International Criminal Police Organisation) warns that cybercriminals are increasingly attempting to lock hospitals out of critical systems by attempting to deploy ransomware on their networks despite the currently ongoing COVID-19 outbreak. This doesn’t come as a surprise, even though some operators behind various ransomware strains told BleepingComputer last month that they would stop targeting health and medical organizations during the pandemic. Since then, Maze released data stolen from a drug testing company encrypted before their statement of not targeting healthcare, while Ryuk continues to attack hospitals despite most of them being flooded with new COVID-19 cases every day.

Source: Bleeping computer / Infosecurity magazine

Link: https://www.bleepingcomputer.com/news/security/interpol-ransomware-attacks-on-hospitals-are-increasing/

Link: https://www.infosecurity-magazine.com/news/interpol-covid19fighting-hospitals/


80% of all exposed Exchange servers still unpatched for critical flaw

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions. This security flaw is present in the Exchange Control Panel (ECP) component, which is on by default, and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials. Microsoft patched this RCE bug on the February 2020 Patch Tuesday and tagged it with an “Exploitation More Likely” exploitability index assessment, hinting at the vulnerability being an attractive target for attackers.

Source: Bleeping computer / Threatpost / Rapid7 blog

Link: https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/

Link: https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/

Link: https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/


‘War Dialing’ Tool Exposes Zoom’s Password Problems

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

Source: Krebs on security

Link: https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/


Cybercriminals Hide Malware & Phishing Sites Under SSL Certificates

Cybercriminals are increasingly relying on SSL certificates to lull people into a false sense of security when clicking malicious links. The assumption that HTTPS links and the accompanying lock icon protect employees from attack can threaten businesses without sufficient SSL inspection. Nearly 52% of the top 1 million websites were available over HTTPS in 2019, Menlo Security researchers report. Nearly all (96.7%) user-initiated online visits are served over HTTPS; however, only 57.7% of URLs in emails are HTTPS links. This means a web proxy or next-gen firewall — which many businesses have long relied on for online access visibility and control, researchers note — could miss the threats present on malicious websites if SSL inspection is not enabled.

Source: Dark reading

Link: https://www.darkreading.com/vulnerabilities---threats/cybercriminals-hide-malware-and-phishing-sites-under-ssl-certificates/d/d-id/1337504


Chinese APT Groups Targeted Enterprise Linux Systems in Decade-Long Data Theft Campaign

Five related threat groups that for the past decade have been systematically stealing intellectual property from US companies seemingly on behalf of the Chinese government appear poised to do even more damage amid the COVID-19 pandemic. The groups have successfully targeted companies in multiple critical industries via cross-platform attacks on back-end servers that are often used to store sensitive data. The attackers have focused especially on enterprise Linux servers because many of these systems are not typically as well protected as other key infrastructure, researchers at BlackBerry said in a report on the cyber espionage activities of the five groups.

Source: Dark reading / Infosecurity magazine

Link: https://www.darkreading.com/attacks-breaches/chinese-apt-groups-targeted-enterprise-linux-systems-in-decade-long-data-theft-campaign/d/d-id/1337508

Link: https://www.infosecurity-magazine.com/news/linux-servers-under-attack-for-a/


FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks

Researchers say two cybercriminal groups, FIN6 and the operators of the TrickBot malware, have paired up to target several organizations with TrickBot’s malware framework called “Anchor.” The two threat groups joining forces is a “new and dangerous twist” in an existing trend of cybercrime groups working together, say researchers with IBM X-Force. The FIN6 group (also known as “ITG08”) has historically gone after brick-and-mortar point-of-sale (PoS) data and e-commerce sites in the U.S. and Europe. Meanwhile, TrickBot is a malware strain that started out as a banking trojan, and over time gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps.

“ITG08’s [FIN6’s] partnership with the TrickBot gang to use its Anchor malware framework is the latest example of a cybercriminal group that has repeatedly demonstrated its ability to adopt new malware and adapt to changing circumstances that threaten the group’s ability to obtain illicit proceeds,” said Ole Villadsen, threat analyst with IBM X-Force in a Tuesday analysis.

Source: Threatpost

Link: https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/


Cybersecurity During COVID-19

Three weeks ago (could it possibly be that long already?), I (Bruce Schneier) wrote about the increased risks of working remotely during the COVID-19 pandemic.

Source: Bruce Schneier on security

Link: https://www.schneier.com/blog/archives/2020/04/cybersecurity_d.html


How Has the Coronavirus Pandemic Impacted Cybersecurity Professionals?

Just as it is no surprise that criminals are taking advantage of the global coronavirus (COVID-19) health crisis, so it is no surprise that cybersecurity professionals are feeling the pressure. Ninety-five percent say they are facing additional challenges with increased attacks and new work-from-home demands. Check Point Software, together with Dimensional Research, surveyed 411 global IT and security professionals from companies with more than 500 employees to test the pulse of this increased pressure. “The results,” it says in a blog, “are sobering.” Direct attacks are up all round, with 71% of respondents having seen an increase.

Source: Security week / Checkpoint blog

Link: https://www.securityweek.com/how-has-coronavirus-pandemic-impacted-cybersecurity-professionals

Link: https://blog.checkpoint.com/2020/04/07/a-perfect-storm-the-security-challenges-of-coronavirus-threats-and-mass-remote-working/


Misconfigured Containers Again Targeted by Cryptominer Malware

Attackers are searching for containers that expose a misconfigured port for the Docker API to add another container to do their bidding and run malicious code to mine cryptocurrency, container security firm Aqua Security stated in an April 3 advisory.  The campaign appears to target containers that allow Docker commands to be executed without authentication, with — in some cases — more than a hundred scans targeting each IP address on the Internet every day. A search using the port-scanning service Shodan revealed that some 6,000 IP addresses may have vulnerable installations of Docker, says Idan Revivo, head of cybersecurity research for Aqua Security. “We can’t say from those 6,000 images how many are infected for sure, but we can see from the volumes that this is a very aggressive attack,” he says. “Someone is putting a lot of effort into scanning the Internet on a daily, and perhaps hourly, basis.”

Source: Dark reading / Security week / Threatpost / Trendmicro / Infosecurity magazine

Link: https://www.darkreading.com/attacks-breaches/misconfigured-containers-again-targeted-by-cryptominer-malware/d/d-id/1337492

Link: https://www.securityweek.com/kinsing-linux-malware-deploys-crypto-miner-container-environments

Link: https://threatpost.com/self-propagating-malware-docker-ports/154453/

Link: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/misconfigured-docker-daemon-api-ports-attacked-for-kinsing-malware-campaign

Link: https://www.infosecurity-magazine.com/news/docker-crypto-malware/


The 7 Deadly Sins of OSINT

OSINT investigations can range from simple, containing one target on one account, to the very complex, such as multiple targets spanning various platforms and locations. Likewise, a target of an OSINT investigation can take extreme measures to conceal their real identity, or they may unknowingly leave a large trail of breadcrumbs that lead an investigator straight to their doorstep.

Source: Secjuice

Link: https://www.secjuice.com/the-7-deadly-sins-of-osint/


Penetration Testing for Beginners (1)

There is no handbook or checklist of actions for engaging in a penetration test, but what can help is the knowledge of methodologies, tools, and protective techniques that expand your knowledge to detect, identify, assess, and operate effectively in the face of a cyber attack. In principle, the starting point is pretty much always the same: identify the target and choose how best to proceed in the face of it.

Source: Secjuice

Link: https://www.secjuice.com/penetration-testing-for-beginners-part-1-an-overview/


Increase in RDP Scanning

Back in January, I published a post “Network Security Perspective on Coronavirus Preparedness.” One of the items I pointed out was the need to plan for remote work, and how VPNs may present a resource constraint. As so often, some organizations ended up “winging it” last minute and ended up with less than optimal solutions.

At the end of March, Shodan posted that it had detected a marked increase in exposed RDP services [1]. The initially reported number was adjusted downward later, but there is still an increase in exposed RDP servers, which is attributed to organizations quickly enabling remote access.

Source: SANS internet storm center

Link: https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/