Tag Archives: cyber security news

Police make 61 arrests in global crackdown on dark web

Law enforcement agencies from the US, Canada and Europe, including the UK, have joined forces to target suppliers and buyers of illegal goods on dark web marketplaces and warn buyers of risks

International law enforcement agencies made 61 arrests and shut down 50 dark web accounts used for illegal activity in a joint operation, Europol has announced.

As a result of 65 search warrants, police were able to seize nearly 300kg of drugs, 51 firearms and more than €6.2m, including almost €4m in cryptocurrency.

By coordinating efforts and acting simultaneously, Europol said a strong signal has been sent to those active in selling and buying goods on the dark web that they can still be tracked down by police.

While the dark web is accessible only through special software such as the Tor browser and provides a safe environment for personal privacy and freedom, Europol said it is also a “fertile environment” for criminals and individual illegal activities.

“Investigating these illegal activities online has become a priority for law enforcement all over the world. While you may have a higher level of anonymity on the dark web, you still have an identity; dark web applications are not an invisibility cloak or an immunity vaccine against the law,” Europol said.

Europol’s executive director, Catherine De Bolle, said the dark web is not as dark as many users think. “When you buy or sell illegal goods online, you are not hidden from law enforcement and you are putting yourself in danger,” she said.

“This international coordinated approach demonstrates law enforcement’s determination to tackle crime on the dark web and to reduce the number of people who fall victim to criminals selling life endangering products or scamming them for their own gain.”

Europol warned that the risks are higher for anyone who uses the dark web to buy illegal goods anonymously, because anyone carrying out transactions on the dark web exposes their sensitive data to scammers who are only after money and personal details.

In addition, Europol said activity on the dark web exposes users’ devices to some of the most damaging malware around and exposes buyers to potential losses due to the non-delivery of goods as well as harm from lethal drugs, malfunctioning weapons and cyber crime services that work against the buyers.

UC Browser violates Google Play Store policies and raises security concerns by downloading extra modules

  • UC Browser and UC Browser Mini Android apps violate Google Play Store policies by downloading and installing extra app modules, thereby exposing their users to MitM attacks.
  • This updating feature has been present in the UC Browser application since 2016.

What is the issue – UC Browser and UC Browser Mini Android apps violate Google Play Store policies by downloading and installing extra app modules, thereby exposing their users to Man in the Middle (MitM) attacks.

Why it matters – It is to be noted that UC browser has been downloaded by over 500 million users.

The big picture

Doctor Web malware analysts uncovered a feature in UC Browser that downloads extra app modules and runs executable code on users’ devices. The researchers noted that UC Browser has the ability to download auxiliary software modules, bypassing Google Play servers.

  • Researchers described that in their analysis, UC Browser downloaded an executable Linux library from a remote server.
  • Upon downloading, UC Browser saved the Linux library to its directory and launched it for execution.

Worth noting

  • This updating feature has been present in the UC Browser application since 2016.
  • This feature can be exploited by attackers to perform Man in the Middle (MitM) attacks.
  • A MitM attacker could leverage UC Browser’s update mechanism to distribute malicious plug-ins.
“Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices,” researchers said.

How would an attack work?

  • UC Browser sends a request to the C&C server to download new plug-ins.
  • In response to the request, UC Browser receives a link to a file.
  • Attackers can intercept the requests from UC Browser, since its communication with the C&C server is carried over an unsecured channel.
  • Attackers can then replace the commands with ones containing different addresses.
  • This makes UC Browser download new modules from the malicious server instead of its C&C server.

Doctor Web researchers also created a demo video showing how, when a potential victim just wants to view a PDF document in UC Browser, the browser downloads a plug-in module from the C&C server.
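As an added example (not code from the article, Doctor Web or UC Browser), here is how a hardened update client closes the gap in the flow above: it acts only on a manifest signed by a vendor key pinned in the app, requires the download link to be HTTPS on the expected host, and refuses to launch a module whose SHA-256 does not match the signed manifest. The manifest format, host names, module bytes and key pair are assumptions constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a constructed update descriptor: the hardened client acts
// only on a signed manifest, never on a bare link returned over the network.
type Manifest struct {
	Module string `json:"module"`
	SHA256 string `json:"sha256"`
	URL    string `json:"url"`
}

// VerifyUpdate returns nil only if the manifest verifies under the pinned
// vendor key, its URL is HTTPS on the expected host, and the fetched module
// hashes to the SHA-256 named in the manifest; any on-path rewrite fails one.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig []byte, host string, module []byte) error {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest unparseable: %w", err)
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !strings.EqualFold(u.Hostname(), host) {
		return fmt.Errorf("download URL %q is not https on %s", m.URL, host)
	}
	if Sha256Hex(module) != strings.ToLower(m.SHA256) {
		return errors.New("module hash does not match signed manifest")
	}
	return nil
}

// SignManifest is the vendor side: serialise m and sign it with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair, generated here only for the demo
	module := []byte("constructed sample module bytes")
	m := Manifest{Module: "pdf-viewer", SHA256: Sha256Hex(module), URL: "https://updates.example.com/pdf-viewer.so"}
	mj, sig, _ := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, mj, sig, "updates.example.com", module))
	// an on-path rewrite of the link, as in the scenario above, breaks the signature
	rewritten := []byte(strings.Replace(string(mj), "updates.example.com", "attacker.invalid", 1))
	fmt.Println("rewritten link:", VerifyUpdate(pub, rewritten, sig, "updates.example.com", module))
	// a swapped module body fails the hash check even with a genuine manifest
	fmt.Println("swapped module:", VerifyUpdate(pub, mj, sig, "updates.example.com", []byte("not the module")))
}
```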

What’s the conclusion – Upon detecting the potentially dangerous feature in UC Browser and UC Browser Mini, Doctor Web analysts notified the developer of both browsers about it. Later, Doctor Web reported the issue to Google. However, both browsers are still capable of downloading new modules.

Over 110,000 Australians affected by cyberattack on Facebook last September


  • The hackers had gained access to a variety of data that includes the users’ movements, hometown, search history, email addresses and phone numbers.
  • The attack occurred due to three flaws in the website.

The massive Facebook cyberattack that occurred last year has affected more than 110,000 Australians. The attack affected roughly 29 million individuals worldwide.

The big picture – Internal documents obtained under Freedom of Information laws reveal that a total of 111,813 Australians were affected in the attack on Facebook in September 2019. The hackers had gained access to a variety of data that includes the users’ movements, hometown, search history, email addresses and phone numbers.

About 47,912 had only their basic personal information compromised. This includes their names, emails and phone numbers. On the other hand, some 62,360 users had their hometown, most recent check-ins, birth dates, education, work history, Facebook search history, names, email addresses, phone numbers, gender, relationship status and religion compromised.

Apart from this data, hackers also gained access to the private Facebook Messenger conversations of 1,595 users.

Why it matters – According to the correspondence, Facebook discovered the breach on September 25, 2018, but did not notify the OAIC in time. The firm only informed the agency four days after discovering the incident. The attack occurred due to three flaws in the website, which allowed the attackers to get into a user’s Facebook page without entering the password.

“Based upon what we’ve learned so far in our investigation, the attackers did not gain access to other personal information such as password information, identity documentation, financial information or payment card information,” the incident update said, the Guardian reported.

Decryption tool created for ransomware designed to boost PewDiePie subscriptions

A PewDiePie fan has taken his admiration of the popular video game commentator a little too far, creating ransomware designed to increase the YouTube star’s subscriber count.

Fortunately, anti-malware company Emsisoft last week announced a new decryption tool that restores machines infected by the unusual malware, named “PewCrypt.”

On its website, Emsisoft describes PewCrypt as Java-based ransomware that uses AES and RSA to encrypt files, adding the extension “.PewCrypt”. The creator’s ransom note asks the victim to subscribe to PewDiePie and warns that the malware creator will not issue a decrypter tool unless and until PewDiePie reaches 100 million subscribers.

“Were that not to happen, people would have no means of decrypting their data,” said Emsisoft researcher Michael Gillespie in an email interview with SC Media.

The ransom note also claims that if T-Series beats PewDiePie in total subscribers, “the private key will be deleted and you [sic] files gone forever [sic]”. T-Series is a record company that produces Bollywood music soundtracks and Indi-pop music, and has regularly been in competition with PewDiePie over who has the number-one YouTube channel.

Ultimately, PewCrypt’s creator went back on his threat and released his own version of a decrypter. But he also open-sourced the malware itself, allowing other actors to potentially adopt and modify PewCrypt to use it in the wild. Using two different variations of the username “JustMe,” the ransomware developer posted his work on both Twitter and GitHub.

According to Gillespie, the decrypter tool “JustMe” provided “was a command-line based decrypter that is not very user friendly. Also, the user would have to trust the person who initially infected them to not further infect them with more malware.”

Instead, victims can now use Emsisoft’s decryption tool, which was created by extracting and converting the private key to make a GUI decryptor, a company spokesperson explained. The spokesperson said that Emsisoft is not aware of a “huge number” of PewCrypt victims, “but there are definitely cases out there.”

In an unrelated development, BleepingComputer reported today that Emsisoft released another decryptor for Hacked Ransomware, aka HKCrypt. Discovered by BleepingComputer creator Lawrence Abrams back in 2017, the ransomware displays a fake Windows Update while encrypting victims’ files with the RC4 algorithm and appending the extension “.hacked” to their names.

LockerGoga ransomware hits two more companies in the manufacturing sector

  • Hexion and Momentive are the two latest targets of the LockerGoga ransomware.
  • Windows systems of these chemicals manufacturing companies were encrypted.

Days after LockerGoga hit aluminum-manufacturing firm Norsk Hydro, it was found to have compromised computers belonging to two American chemical companies, Hexion and Momentive.

According to an anonymous employee from Momentive, the attack was carried out on March 12. Due to the attack, all data was also reportedly lost from the systems.

Worth noting

  • As per a report by Motherboard, the ransomware had identical features to those observed in the previous attack on Norsk Hydro.
  • Momentive acknowledged the attack and has issued new email accounts to employees affected by the ransomware attack.
  • It has also ordered the replacement of hundreds of computers, due to the outage caused by the attack.
  • Hexion, on the other hand, has not disclosed any details of the attack but said that it was working towards a resolution on a ‘security incident’.
  • This is the third time LockerGoga has been used against manufacturing firms. The earlier two incidents involved European firms, Altran and Norsk Hydro.

New domain deployed

On top of issuing new email accounts to affected employees, Momentive also created a new domain to supplement these accounts.

“The company notes that it is using a new domain—momentiveco.com for new email addresses rather than momentive.com. Motherboard sent an email to a known Momentive email address that uses the old domain, momentive.com, but it bounced back. The error message noted that “due to a network event,” email services are currently unavailable,” Motherboard reported.

Limited number of infections

Unlike WannaCry and Petya, LockerGoga does not spread extensively in short periods; it focuses on disabling individual systems, including their Wi-Fi and Ethernet network adapters. This is evident in the Hexion-Momentive attack, where only a fixed number of systems were infected.

Microsoft Announces Windows Defender ATP Antivirus for Mac

Brace yourself guys.

Microsoft is going to release its Windows Defender ATP antivirus software for Mac computers.

Sounds crazy, right? But it’s true.

On Thursday, Microsoft announced that the company is bringing its anti-malware software to Apple’s macOS operating system as well, and to more platforms soon, like Linux.

As a result, the technology giant renamed its Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) in an attempt to minimize name-confusion and reflect the cross-platform nature of the software suite.

But wait, does your Macbook need antivirus protection? Of course!

For all those wondering if Mac even gets viruses—macOS is generally more secure than Windows, but in recent years cybercriminals have started paying attention to the Mac platform, making it a new target for viruses, Trojans, spyware, adware, ransomware, backdoors, and other nefarious applications.

Moreover, hackers have been successful many times. Remember the dangerous FruitFly malware that infected thousands of Mac computers, the recently discovered cryptocurrency-stealing malware CookieMiner and DarthMiner, and .EXE malware discovered last month?

Microsoft Defender ATP Antivirus for Mac

Microsoft has now come up with a dedicated Defender ATP client for Mac, offering full anti-virus and threat protection with the ability to perform full, quick, and custom scans, giving macOS users the same “next-generation protection and endpoint detection and response coverage” as its Windows counterpart.

“We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience,” Microsoft says in a blog post.

Microsoft also promised to add Endpoint Detection and Response, and Defender ATP’s new Threat and Vulnerability Management (TVM) capabilities in public preview next month.

TVM uses a risk-based approach to help security teams discover, prioritize, and remediate known vulnerabilities and misconfigurations using a mixture of real-time insights, added context during incident investigations and built-in remediation processes through Microsoft’s Intune and System Center Configuration Manager.

For now, the tech giant has released Microsoft Defender ATP for Mac (compatible with macOS Mojave, macOS High Sierra, or macOS Sierra) in limited preview for businesses that have both Windows and Mac computer systems.

Like MS Office for Mac, Defender for Mac will also use Microsoft AutoUpdate software to get the latest features and fixes on time.

While Microsoft has announced its plans to launch Defender ATP for more platforms in the future, the company has not explicitly named those platforms.

Also, it is not clear if Microsoft is also planning to launch a consumer version of Microsoft Defender for Mac users in the future.

Microsoft’s business customers can sign up for the limited preview.

In an attempt to make its security software available to more people, Microsoft just last week released Windows Defender extensions for Mozilla Firefox and Google Chrome as well.

The Best Ways to Ensure Cybersecurity in Your Physical Space

Cybersecurity Starts at Your Front Door

Let’s take a step back and ask a simple yet important question: was your physical security system designed to be cyber secure?

Many physical security infrastructures were developed and implemented without considering cybersecurity for our IoT-driven world. Network and communication protocols for remote control and management assumed closed, non-public networks. However, these systems have evolved into highly interconnected systems on open, public networks. This increases the risk of cyber threats to physical security. Research shows that the annual cost of cyber crime damage will reach $6 trillion by 2021. Therefore, it will become even harder to ensure that physical security assets work as intended and when needed.

Content provided by Brivo

The challenge we now face is making physical security infrastructure management easier and more cost-effective while fulfilling cybersecurity standards. To evaluate the cybersecurity of your platform, your security managers and IT teams need to better understand how your physical security provider builds products, deploys applications, and manages their internal business in a way that keeps your company secure.

 

Best Practices for a Cyber Secure Physical Security Platform

  • Building Network Secure Products That Provide Real-Time Alerts

Network devices can be entry points for cyber attacks when they have open inbound ports and allow unauthorized inbound communication. Does your physical security platform have precautions like strong hardware security and secure data transmission with the cloud?

  • Deploying and Supporting Applications with Regular and Automatic Updates

Without proper support and active monitoring, you could face security breaches and costly service disruptions (especially for older, on-premise systems). Does your provider deliver 24/7 monitoring and provide redundancy, business continuity and risk management?

  • Managing Internal Operations with Your Security In Mind

Providers need to limit physical access to their data center as well as key areas like backup storage and servers to protect your data. Can your provider show evidence of successful third-party audits and vulnerability tests on their software, hardware and internal processes?

Use reliable, convenient, scalable and cyber-hardened technology that provides a unified security platform and helps you prevent security breaches.

Read this checklist to learn more about best practices for integrating cybersecurity and physical security.

Call for Speakers for Florida Cyber Conference 2019

Cyber Florida has announced a Call for Speakers for Florida Cyber Conference 2019 (FLCyberCon).

FLCyberCon invites experts, thought leaders, and cyber specialists from all sectors to submit proposals for breakout sessions, panel discussions, demonstrations, case studies, interactive sessions and other unique learning opportunities for conference goers. To learn more or submit a proposal, visit FLCyberCon.com. The deadline to submit is April 26, 2019.

Planned for October 24 and 25, Florida Cyber Conference 2019 will be Cyber Florida’s sixth annual conference. The conference continues to grow year over year, with more than 1,100 registrations last year from industry, academia, government and the military. Attendees represent all aspects of cybersecurity, including students, veteran practitioners, C-suite executives, law enforcement and military personnel, researchers, teachers and professors, HR professionals, attorneys, small business owners and more.

“We live in a world where cybersecurity touches every aspect of our business and personal lives,” remarked Sri Sridharan, director of Cyber Florida. “It is not just an IT department concern anymore. Florida Cyber Conference is designed to provide valuable learning, professional growth, and networking opportunities for everyone who plays a role in cybersecurity—from IT professionals and cybersecurity practitioners, to decision makers, policy makers, recruiters and end users,” he said.

Content for FLCyberCon 2019 will be organized into six tracks: Cybersecurity 101, Social Engineering, Cybersecurity for the C-Suite, Emerging Technologies, Practitioner and Hands-on/Interactive Cybersecurity. Proposals will be anonymized and reviewed by an advisory panel based on the timeliness of the topic and value to the audience.

 

FEMA Improperly Shared Personal Information of Natural Disaster Victims

The Federal Emergency Management Agency wrongly released the personal information of 2.3 million survivors of devastating 2017 hurricanes and wildfires.
A Homeland Security Department’s Office of Inspector General report found the breach occurred when FEMA was working with a contractor that helps provide temporary housing to those affected by disasters.
The contractor was given names, the last four digits of a Social Security number and how many people live in a household, which are required to confirm eligibility and locate housing for victims. But FEMA also provided the contractor with bank names, electronic funds transfer numbers and bank transit numbers that were not required, the report said.
The report included information on 2.3 million people that were affected through Hurricanes Harvey, Irma, Maria and California wildfires.
The report also said that FEMA violated both federal privacy laws and Homeland Security policy by giving the extra data to the contractor.

FlawedAmmyy: A close look at the notorious activities and capabilities of the RAT

  • FlawedAmmyy derives its source code from version 3 of the Ammyy Admin remote desktop software.
  • The malware has been active since the beginning of 2016.

FlawedAmmyy RAT has been rated as one of the most notorious remote access trojans of 2018. The malware, which has been active since the beginning of 2016, has been observed in highly targeted email attacks as well as massive cyberespionage campaigns.

According to Proofpoint, a majority of these campaigns affected the automotive industry, with many of them associated with TA505 threat actor group.

Creation of the RAT – FlawedAmmyy derives its source code from version 3 of the Ammyy Admin remote desktop software. Ammyy Admin is a popular remote access tool used by businesses and consumers for remote control and diagnostics of Microsoft Windows machines.

Although FlawedAmmyy has been publicly available since 2016, the RAT came to light in 2018. It includes several functionalities of the leaked version, such as:

  • Remote Desktop control;
  • File system manager;
  • Proxy support;
  • Audio chat.

Capabilities – Upon infection, the RAT can enable potential attackers to perform a variety of malicious activities such as:

  • Gaining complete access to the PC’s camera and microphone;
  • Capturing screenshots;
  • Accessing a variety of services and stealing files and credentials;
  • Stealing customer data, proprietary information and more.

FlawedAmmyy’s C2 protocol runs over port 443 using HTTP.
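An added detection example, not from the article or Proofpoint: since the C2 traffic described above is HTTP on port 443 rather than TLS, a simple network-log rule is to flag connections to port 443 whose identified service is HTTP with no SSL/TLS. The Go code below runs that rule over a constructed Zeek-style conn.log excerpt; the records, addresses and the assumed tab-separated field layout (ts, id.orig_h, id.resp_h, id.resp_p, service) are all constructed for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding records one connection that carried plaintext HTTP to TCP/443.
type Finding struct {
	Ts, Src, Dst string
}

// sampleConnLog is a constructed Zeek-style conn.log excerpt (tab-separated
// ts, id.orig_h, id.resp_h, id.resp_p, service); the second record has the
// shape a check-in of this kind would leave, the others are benign controls.
var sampleConnLog = strings.Join([]string{
	"#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tservice",
	"1552000001.1\t10.0.0.5\t203.0.113.7\t443\tssl",
	"1552000002.2\t10.0.0.5\t198.51.100.9\t443\thttp",
	"1552000003.3\t10.0.0.8\t198.51.100.9\t80\thttp",
	"1552000004.4\t10.0.0.9\t192.0.2.4\t443\t-",
	"1552000005.5\t10.0.0.9\t192.0.2.4\t443\thttp,ssl",
}, "\n")

// PlaintextHTTPOn443 returns every record whose responder port is 443 but
// whose identified service list contains http and no ssl/tls entry.
func PlaintextHTTPOn443(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if line == "" || strings.HasPrefix(line, "#") {
			continue // header, comment or trailing blank line
		}
		f := strings.Split(line, "\t")
		if len(f) < 5 {
			continue // malformed record; a production rule would count these
		}
		if port, err := strconv.Atoi(f[3]); err != nil || port != 443 {
			continue
		}
		hasHTTP, hasTLS := false, false
		for _, s := range strings.Split(strings.ToLower(f[4]), ",") {
			switch s {
			case "http":
				hasHTTP = true
			case "ssl", "tls":
				hasTLS = true
			}
		}
		if hasHTTP && !hasTLS {
			out = append(out, Finding{Ts: f[0], Src: f[1], Dst: f[2]})
		}
	}
	return out
}

func main() {
	for _, f := range PlaintextHTTPOn443(sampleConnLog) {
		fmt.Printf("plaintext HTTP on 443: %s -> %s at ts=%s\n", f.Src, f.Dst, f.Ts)
	}
}
```

Records with an unidentified service on 443 are deliberately not flagged here; whether to review those separately is a local tuning decision.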

Major instances – The notorious FlawedAmmyy RAT is delivered to the target via phishing emails. Some of the known attack campaigns where the RAT was distributed via phishing emails include:

  • The widespread ‘Pied Piper phishing campaign’ in December 2018. The campaign was used against multiple targets. Attackers were found using weaponized .pub (Microsoft Publisher) documents to spread the RAT.
  • The massive attack campaigns on March 5 and 6, 2018. The messages in these campaigns contained zipped .url attachments which were used to deliver the RAT. The emails were sent with subjects such as ‘Receipt No 1234567’ to match the number of the attached zip file.
  • The targeted attack on March 1, 2018 – Phishing emails containing an attachment named 0103_022.doc were used to deliver the malware. The attached doc included macros which, when opened, downloaded FlawedAmmyy directly.
  • In January, 2018, the RAT was used against the automotive industry. Here, the phishing emails contained an attachment which read ‘16.01.2018.doc’. Once the doc was opened, it unleashed the malicious macros onto a victim’s machine.

Experts believe that attackers will continue to use the still-active FlawedAmmyy to target more and more enterprises in the future.
