Tag: Malware and Virus Protection

Embedded Sound Waves Could Damage Your Computer

It seems like a new attack vector emerges on a weekly basis, and this week is no exception.  The latest threat:  Emails containing specialized audio files whose acoustic vibrations can damage your computer’s hard drive. This is possibly damaging to the point of causing system failure, data corruption, and making it impossible to successfully reboot your machine.

As the researchers point out, “Intentional acoustic interference causes unusual errors in the mechanics of magnetic hard disk drives in desktop and laptop computers, leading to damage to integrity and availability in both hardware and software such as file system corruption and operating system reboots.  An adversary without any special-purpose equipment can co-opt built-in speakers or nearby emitters to cause persistent errors.”

It should be noted that as scary as this type of attack sounds, in practice, it is of limited value.  An increasing percentage of laptops and desktop PCs sold today come with SSDs for storage, which are not vulnerable to this type of attack.

In addition to that, not just “any” sound will do.  For the attack to be successful, the acoustic vibrations have to be strong enough to do real harm, and quiet enough that the attack is difficult to detect, lest it be aborted immediately.  The combination of those two factors make it unlikely that this one will gain widespread attention from the hacking community.  Nonetheless, it pays to be both mindful and vigilant, especially if you have an older PC or work in an office with older equipment.

The research team who discovered the new attack vector have created a new sensor fusion model that could be delivered through a firmware update.  Once updated, it would prevent unnecessary head parking in the hard drive, thus limiting the potential damage the attack could cause.  So far, there has been no word that PC manufacturers are considering making the necessary changes to their firmware.  Time will tell.

Hacked Routers Being Used To Spread Malware

Beware of compromised routers spreading malware.  This is according to both Kaspersky Labs and a recently released government report.

Using hacked routers to spread malware is nothing new.  Security insiders have known about it for years. However, since 2008, the number of instances where routers are being used to push malicious code has been steadily increasing. Researchers are observing marked increases in their use by APTs (Advanced Persistent Threat) around the world.

APTs are nothing new either, although their ranks have been growing in recent years.  Many are state-sponsored hacking groups with virtually unlimited resources. Some are simply tight-knit groups of hackers banding together under a single banner.

Many people view hackers as lone wolves and that there are millions of lone wolves hacking networks across the globe.  Increasingly though, these are becoming minor actors on the world stage.  The real threat is now well-organized groups of hackers who can execute highly coordinated globe-spanning attacks and create botnets comprised of tens, or even hundreds of thousands, of compromised computers.

In addition to identifying and calling attention to a little-known attack vector, the recent announcement underscores an important weakness in current cybersecurity thinking.  Most people are still laboring under the faulty assumption that they’re facing individual hackers operating out of a dark room in someone’s basement.

While those types of threats are no doubt present, it’s false to assume that’s where the biggest danger lies.  If you get hacked, it’s just as likely (perhaps even more likely) that you’re actually facing a well-organized group who may have more resources at their disposal than your entire IT department.  While you’re preparing to fight a skirmish, the barbarians are coming to your gates with an army.  Most people are simply planning to fight the wrong type of battle, and that could prove to be a devastating mistake.

TicketFly Customer Information May Have Been Hacked

<img class=”alignnone size-full wp-image-7987 alignleft” src=”https://www.securepc-wi.com/wp-content/uploads/2018/07/ticketfly-hacked-resized.jpg” alt=”” width=”300″ height=”225″ />Another week, another high-profile data breach, but this one can be filed under “Missed Opportunity.”  The site in question is “TicketFly,” which is a web-based event ticket sales website owned by a company called Eventbrite. The TicketFly website was down since May 31st, and the normal homepage had been replaced by an image of Guy Fawkes with the message “Your Security Down I’m Not Sorry.”

The page formerly contained links that pointed to compromised customer information, but those have subsequently been removed by the company, which is still scrambling to recover.

Unfortunately, TicketFly was given every opportunity to avoid the incident altogether.  The hacker responsible for taking the site down goes by the handle “IsHakdz,” and claims that he contacted TicketFly, warning them of serious security flaws that would allow a hacker to take control of the site and all of the company’s databases.  He asked for 1 Bitcoin to reveal the technical details.  When the company failed to respond, he decided to show them he was serious, and did exactly as he claimed he could do.

While you might question the hacker’s actions, his motives seemed pure enough, and the reality is that many companies have “Bug Bounty” programs where they pay researchers who find critical security flaws.  The bounty payouts are typically less than a bitcoin, but the idea is the same.  Unfortunately, TicketFly didn’t have such a program and even after having been warned of the flaws in their system, they took no meaningful action until the hacker forced them to do so.

While it’s not impossible to envision a scenario in which this hacker would resell the data he was able to get his hands on, the actions of this particular individual seem to point in the opposite direction.  Even so, if you’ve made a purchase on the TicketFly database, it’s better to be safe than sorry, and carefully monitor the payment card you used to make the purchase. It goes without saying that you should change your TicketFly password immediately.

Massive Malware Attack Stemmed From Bittorent App

According to a Microsoft security researcher, a massive malware attack attempted to install a cryptocurrency mining software on more than 400,000 computers in less than twelve hours.  The failed campaign is noteworthy because of the attack vector used.  It was a supply chain attack implemented by compromising Bittorrent, a highly popular program used to share and download files.

Until recently, security professionals discounted the very possibility of supply chain attacks, regarding them as highly improbable occurrences.  The sad truth, however, is that they’re becoming increasingly common.  Over the past couple of years, we’ve seen a growing number of them, including CCleaner, which is a popular disk-maintenance program.  A poisoned version of it was delivered to more than two million of the software’s users.

In another supply chain attack, M.E. Doc (a tax and accounting application which is widely used in the Ukraine) was tainted and contained the NotPetya wiper worm, and shut down computers all over the world just last year.

Then there was a collection of Android apps that came preinstalled on phones from not one, but two different manufacturers that allowed hackers unfettered access to the data on those phones.  In fact, this is actually the second time Bittorrent has been hijajcked.  Last year, a tainted version of the client installed ransomware on Macintosh computers around the world.

Fortunately, this latest attack was not successful, although Microsoft researcher reported that Windows Defender blocked more than 400,000 attempts to infect computers between March 1st and March 6th, with the actual Bittorrent infection occurring sometime between February 12 and February 19.  In this instance, the threat was regional, with most of the computers being located in Russia, Turkey, and the Ukraine.

While this was the latest supply chain attack, it certainly won’t be the last. Worst of all, these kinds of attacks are notoriously hard to prevent because updates coming from trusted sources are often installed without question.

Major Server Ring Distributing Malware Taken Down

Score one for the good guys.  A researcher from BrilliantIT was recently able to figure out how infected computers would connect to EITest’s command and control server, and using that information, was able to bring down their entire network.

If you haven’t heard of EITest before, the true significance of that statement might not be registering.

EITest first appeared in 2011.  In its original incarnation, it was little more than an annoyance.  It was a collection of compromised servers used to direct web traffic to poisoned websites, where the owners could infect unsuspecting users with their homegrown malware.

In 2013, EITest’s owners got savvy, relentlessly grew their network to more than 52,000 compromised machines and started renting their network out to hackers around the world to drive traffic to their poisoned websites. This unleashed a torrent of wildly destructive malware.  Ever since, it’s been a thorn in the side of IT professionals everywhere.

Using the crack discovered by BrilliantIT, researchers were able to redirect all traffic to a sinkhole, effectively shutting the network down altogether.

Since then, it appears that the hackers have made one halfhearted attempt to regain control of their network, and then apparently gave up on the idea.

While this is undeniably good news, EITest isn’t the only traffic distribution network on the Dark Web, and even if the hackers have given up on the idea of recovering access to their old network, there’s nothing stopping them from building a whole new one.  That’s not to undercut the significance of the victory here, but rather, merely to point out that it’s a temporary win and reprieve, at best.  They’ll be back.  They always come back.

Good news is rare on the security front, and when it is found, we should all take a moment to celebrate.  Kudos to the team at BrilliantIT!

Attackers Targeting Job Seekers Via Listings And Recruitment

Cyber-criminals around the world are increasingly focusing their attention on job seekers.  According to the security firm Flashpoint, there has been a notable uptick in ploys involving phony job listings that attempt to get job seekers to give up personal information.

Perhaps the biggest surprise is the fact that this is only now becoming a growing threat.  After all, from the cyber-criminal’s point of view, it’s low hanging fruit.  Job seekers expect that they’ll be asked for all types of personal information when applying for positions, after all.

As long as the criminals take the time to make their offers appear legitimate, most applicants wouldn’t think twice about sending in their resume (complete with physical address and phone number), and then, a bit later in the process, their social security number and other personal and confidential information.

According to Flashpoint analyst David Shear, it’s not just personal information the criminals are after, however.  Increasingly, criminals are seeking to engage the services of the people who “apply,” by using them as unwitting money mules, or using them as part of an intricate money laundering scheme.

On top of that, it’s all too easy for the criminal to respond to an applicant’s inquiry with an email containing an attachment (usually a poisoned PDF).  Again, since the applicant thinks he (or she) has replied to a legitimate offer for employment, odds are excellent that they’ll open the attachment without hesitation.

At that point, whatever payload the poisoned file contained is installed onto their computer, which can have devastating consequences, depending on the nature of the malware the criminals want to install.

Shear also notes that he and his team have seen an increase in the number of inquiries on the Dark Web asking after compromised business accounts, and offers this explanation as to why: “Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.”

All that to say, job seekers beware.  It seems that no low is too low where these criminals are concerned.

New InvisiMole Malware Turns Your System Into A Video Camera

Another week, another new threat.  This time, in the form of a new strain of malware that researchers are calling InvisiMole.  The new threat was discovered by researchers at ESET, who found it on a number of hacked computers in Russia and the Ukraine.

While the researchers have yet to trace the software back to the group that developed it, based on the available evidence, the campaign appears to be tightly targeted and highly selective.  Only a few dozen computers have been found to be infected, although all impacted systems are both high-profile and high-value.

As for the software itself, it’s a nasty piece of business capable of quietly taking control over an infected system’s video camera and capture audio. This allows them to both see and hear anything going on in the vicinity of the system.  Essentially then, InvisiMole turns your computer into a compromised Amazon Echo.

Based on the sophisticated design of the software and the fact that the researchers have yet to be able to trace it back to the source, it’s believed that it has been developed by (or at least in partnership with) an unknown state actor.  Although the current campaign is small and highly targeted, given its capabilities, InvisiMole could easily become a much more serious threat.

Even worse, it’s entirely possible that the original developers could lose control of the code, or that some other hacker group could reverse engineer it, causing it to spread far and wide.

Research into the software is still ongoing, and at this point ESET can’t say with certainty how the malicious payload is being delivered to target machines. Of course, at present, there is no antivirus software defense against it.  Stay on your guard.  You never know who might be watching.

New Malware Takes Screenshots and Steals Your Passwords

Recently, a new strain of malware called “SquirtDanger” has been found by researchers at Palo Alto Networks Unit 42, and it’s a particularly nasty one for a couple of reasons.  First and foremost, the owner of the malware isn’t orchestrating campaigns himself, but rather, selling his product as a commodity on the Dark Web.

That has troubling implications because the malware is quite advanced, and since it’s being sold to a broad cross-section of hackers, odds are excellent that it will be used in numerous campaigns that could affect a number of industries.

As for the software itself, it gives the hackers who purchase it a vast array of tools. It communicates back to its controller every minute, giving the hackers who use the malware a tremendous amount of useable data.

Among other things, SquirtDanger can take live-action screen shots of an infected device, steal passwords, and send, receive, or delete files on the target system.  It can also swipe directory information and drain the contents of cryptocurrency wallets, making it something of a “Jack-of-All-Trades” malware.

Also, there’s no single attack vector being used to infect machines with SquirtDanger. According to the research team, the most common means of infection is that the malware is disguised as a piece of legitimate software and installs when the poisoned executable file is run.

Researchers from Unit 42 had this to say on the matter: “Being infected with any type of malware represents significant danger to an individual or victim. However, because of the large list of capabilities this malware family includes, it would certainly be very bad for the victim.”

At latest count, the researchers have discovered 1,277 unique SquirtDanger samples in the wild, tied to 119 unique command and control servers that were widely geographically dispersed.  Odds are, there are many more samples that have yet to be discovered.  Be on your guard, it doesn’t appear that this threat will abate anytime soon.

The U.S. Is The Most At Risk Nation For Cyber Attacks

Being “number 1” isn’t always a good thing.  Rapid7 has just published their third annual “National Exposure Index,” and unfortunately, the United States has the dubious honor of being the nation most at risk for a cyber attack on its core services.  The group’s methodology for ranking national exposure comes down to tracking the number of exposed services and comparing this number to the nation’s total allocated IP address space.

Ranked in this way, the top four most vulnerable countries are:

  • The United States
  • China
  • South Korea
  • The UK

All told, these four nations control more than 61 million servers listed on at least one of the points surveyed by Rapid7.

Drilling down a bit more deeply, the report also contained this chilling fact:

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL.  Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack.”

Given that this year has already given us the largest DDOS attack in the history of the internet, Rapid7’s findings should not be taken lightly.  The risks are very real, which is why the company is so strongly committed to the publication of their annual report.

As they put it:

“…national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”

A lofty goal indeed.  Unfortunately, although the data is illuminating, there are no quick or easy answers here, especially in the United States.  Thus far, the U.S. has struggled to put together a cohesive digital security policy at the national level, which seems unlikely to change at least in the near future.

Another Vulnerability Found In Intel CPU’s

More bad news for Intel. Yet another security flaw has been identified in the processors the company makes.  This one is so newly discovered that the full technical details have yet to be released.  Here’s what we know so far, from a recent Intel announcement:

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch…Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other process through a speculative execution side channel that infers their value.”

In simpler terms, what this means is that a hacker could use this exploit to gain partial cryptographic keys used by other programs running on the target computer.

While related to the recent Spectre and Meltdown security flaws, this one is different in two ways.  First, it’s not quite as severe as the formerly discovered flaws in scope or scale.  To make use of this, one would require an incredibly exotic attack that would simply be beyond the capabilities of most hackers.

Also, it should be noted that where Spectre and Meltdown impacted dozens of chipsets dating back more than a decade, the “Lazy FP State Restore” flaw only impacts chips beginning at Sandy Bridge.

The other key difference is that the flaw in this case, does not reside in the hardware.  That’s good news for businesses of all shapes and sizes, because it means that when Intel and their hardware vendors have a patch ready, it will be quick and relatively painless to install it.

Unfortunately, since the initial discovery of Spectre and Meltdown, a number of variants of those flaws have emerged, and now this new one.  It’s unlikely that this will be the last we’ve seen of these types of issues, so if you’re using Intel equipment, brace yourself.  There’s likely more to come.