News & Updates

By Waqas

Bitdefender, the well-known antivirus and IT security firm, has identified that the latest strain of Xagent for Mac is being used as a backdoor by intruders. After the malware is installed by the Komplex downloader, it checks for the presence of a debugger and, if none is found, waits for a network connection to become available before contacting its C&C servers. The attackers then activate […]

Read the original post: Researchers Discover Yet Another Malware Designed to Compromise Mac Devices


Has Yahoo rebuilt your trust again?

If yes, then you need to think once again, as the company is warning its users of another hack.

Last year, Yahoo admitted two of the largest data breaches on record; one of them, which took place in 2013, exposed personal details associated with more than 1 billion Yahoo user accounts.

Well, it’s happened yet again.
Yahoo sent out another


Security experts at IBM have published a report with valuable details on the attack chain of the dreaded Shamoon cyberweapon.

The dreaded Shamoon malware, aka Disttrack, has resurfaced, and government agencies and threat intelligence firms are investigating the recent string of attacks leveraging the dangerous disk wiper.

Shamoon was first detected on August 15, 2012, when Saudi Arabia's national oil company, Saudi Aramco, announced that its systems and internal network had been hit by a cyber attack. According to the company, Shamoon infected more than 30,000 workstations.

In December 2016, security experts observed a new wave of attacks leveraging the Shamoon malware. Malware experts from Palo Alto Networks and Symantec both reported an attack on a single Saudi company.

The new variant, so-called Shamoon 2, can overwrite the MBR of affected computers with an image of Alan Kurdi, the three-year-old Syrian boy who was found dead on a Turkish beach.

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

In January, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.

The researchers at IBM's X-Force Incident Response and Intelligence Services (IRIS) believe Shamoon is a pivotal element in the information warfare between Saudi Arabia and Iran.

The malware experts identified the servers used to deliver Shamoon, gained access to a server used by the attackers, and gathered further information to study the threat and its attack chain.

“This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations:” IBM reports.

  1. Attackers send a spear phishing email to employees at the target organization. The email contains a Microsoft Office document as an attachment.
  2. Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine.
  3. Attackers can now communicate with the compromised machine and remotely execute commands on it.
  4. The attackers use their access to deploy additional tools and malware to other endpoints or escalate privileges in the network.
  5. Attackers study the network by connecting to additional systems and locating critical servers.
  6. The attackers deploy the Shamoon malware.
  7. A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped.


The attackers launched a spear-phishing campaign against potential targets, impersonating trusted entities such as Saudi Arabia's Ministry of Commerce and Investment or the Egyptian software company IT Worx.

The messages carry a Word document presented as a resume, health insurance paperwork, or password policy guidelines: in any case, something of interest to the potential victim.

The documents include a malicious macro that starts the attack. When the victim runs the macro, it launches two PowerShell scripts:

  • The first script downloads and executes another PowerShell script via HTTP.
  • The second script creates a memory buffer using the VirtualAlloc library call, fetches shellcode via HTTP, copies it into the buffer, and executes the code using CreateThread. This thread then creates another buffer, fills it with a PowerShell script fetched via HTTP, and runs that too.

“Based on observations associated with the malicious document, we observed subsequent shell sessions probably associated with Metasploit’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files: ntertmgr32.exe, ntertmgr64.exe and vdsk911.sys,” continues the report.

The researchers identified two web domains used to host malicious executables and launch the attacks.


  • ntg-sa[.]com, which spoofs the legitimate domain of the Saudi petrochemical support firm Namer Trading Group.
  • maps-modon[.]club, which spoofs a legitimate domain associated with the Saudi Industrial Property Authority.

This information is valuable for system administrators, who can look for any connection to these domains and block it.
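A way to hunt for the first two stages of this chain (an Office process spawning a script host, and lookups of the two spoofed domains) over endpoint telemetry, as an added example that is not from the IBM report. The event shapes mimic Sysmon process-creation (ID 1) and DNS (ID 22) events, the hostnames and command lines are constructed, and the marker strings are an assumption about what the in-memory loader stage would reveal in a command line or a decoded -EncodedCommand:

```python
import base64
import binascii
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Domains named in the IBM X-Force report, re-fanged for matching.
IOC_DOMAINS = {"ntg-sa.com", "maps-modon.club"}
# Assumed tell-tale strings for an in-memory PowerShell loader (matched case-insensitively).
LOADER_MARKERS = ("virtualalloc", "createthread", "downloadstring", "iex", "-enc", "frombase64string")

# Constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 22 (DNS query).
# "SQBFAFgA" is base64 of UTF-16LE "IEX", the shortest plausible -enc payload.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-0112", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 1, "host": "WS-0112", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 22, "host": "WS-0112", "query": "update.ntg-sa.com"},
    {"id": 22, "host": "WS-0304", "query": "www.microsoft.com"},
    {"id": 22, "host": "WS-0304", "query": "maps-modon.club."},
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script text behind -EncodedCommand (base64 of UTF-16LE), or '' if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def matches_ioc_domain(query: str) -> bool:
    """True for the IoC domain itself or any subdomain of it (trailing dot tolerated)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def detect(events) -> list:
    """Return (host, rule, detail, markers) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent, image = basename(ev["parent"]), basename(ev["image"])
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                # Scan both the raw command line and the decoded -enc payload for loader markers.
                text = (ev["cmdline"] + " " + decode_encoded_command(ev["cmdline"])).lower()
                markers = [mk for mk in LOADER_MARKERS if mk in text]
                alerts.append((ev["host"], "office-spawned-script-host", f"{parent} -> {image}", markers))
        elif ev["id"] == 22 and matches_ioc_domain(ev["query"]):
            alerts.append((ev["host"], "ioc-domain-lookup", ev["query"], []))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent/child rule fires on the macro stage regardless of which domains the attacker uses next time, while the domain rule is only as good as the current IoC list; the decoded -enc text is attached to the alert so an analyst sees the script rather than a base64 blob.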

The experts found that, once the attackers have infected a machine, they use it for reconnaissance, gathering information about the network and stealing sensitive data. Once this phase is complete, the attackers deploy the Shamoon payload.

Saudi Arabia is warning local organizations about the Shamoon malware; experts believe the threat actor behind these operations will continue its activity, disappearing temporarily and changing tactics.


Pierluigi Paganini

(Security Affairs – shamoon, cyber weapon)

The post IBM shares details on the attack chain for the Shamoon malware appeared first on Security Affairs.

Source: Security affairs

Security researchers have discovered a new Mac malware allegedly developed by APT28, the Russian cyber espionage group believed to be responsible for the 2016 presidential election hacking scandal.

A new variant of the X-Agent spyware, previously used in cyber attacks against Windows, iOS, Android, and Linux devices, is now targeting Apple macOS.

The malware is designed to


Yahoo notifies users that hackers are forging "cookies", the files used in the authentication process, to access their accounts instead of stealing passwords

Yahoo confirmed it was notifying some users of sophisticated cyber attacks aimed to compromise their accounts.

The hackers forge "cookies", the files used in the authentication process, instead of stealing passwords.

The IT giant disclosed the news in the wake of the massive data breaches revealed last year, which caused the company serious problems.

Yahoo has sent the notifications to "a reasonably final list" of potentially affected users; the message sent via email reads:

“we believe a forged cookie may have been used in 2015 or 2016 to access your account.”

“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” the company said in a statement.

“The investigation has identified user accounts for which we believe forged cookies were taken or used.”

The attackers forged cookies that “could allow an intruder to access users’ accounts without a password,” said the email to users. The notification was signed by Bob Lord, Yahoo’s chief information security officer.
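How a forged authentication cookie works, and why possession of the server's signing material rather than the password is what makes forging possible, as an added example. This is not Yahoo's code: Yahoo's actual cookie format is not public, and the HMAC design, key IDs, user names and clock values here are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Assumed server-side signing keys, keyed by a key ID embedded in the cookie.
# "k1" stands in for the material an intruder copied; "k2" is its replacement.
SIGNING_KEYS = {
    "k1": b"constructed-key-that-the-intruder-copied",
    "k2": b"constructed-replacement-key-after-rotation",
}
ACTIVE_KEY_ID = "k2"


def sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, now: int, ttl: int = 3600, key_id: str = ACTIVE_KEY_ID) -> str:
    """Server side: cookie = key_id|user|expiry|HMAC-SHA256 over those fields."""
    payload = f"{key_id}|{user_id}|{now + ttl}"
    return f"{payload}|{sign(SIGNING_KEYS[key_id], payload)}"


def verify_cookie(cookie: str, now: int, accepted_key_ids=(ACTIVE_KEY_ID,)) -> Optional[str]:
    """Server side: return the authenticated user, or None if the cookie is rejected."""
    try:
        key_id, user_id, expiry, tag = cookie.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if key_id not in accepted_key_ids:          # a rotated-out key is refused outright
        return None
    expected = sign(SIGNING_KEYS[key_id], f"{key_id}|{user_id}|{expiry}")
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if expiry < now:
        return None
    return user_id


def forge_cookie(user_id: str, key_id: str, stolen_key: bytes, expiry: int) -> str:
    """Attacker side: with the stolen key, a cookie for any user is minted without a password."""
    payload = f"{key_id}|{user_id}|{expiry}"
    return f"{payload}|{sign(stolen_key, payload)}"


def demo() -> dict:
    now = 1_500_000_000  # constructed fixed clock
    legit = issue_cookie("alice", now)
    # Without the key, editing a cookie breaks the tag.
    tampered = legit.replace("alice", "bob")
    # With the stolen k1 key, the attacker mints a cookie for bob that carries a valid tag.
    forged = forge_cookie("bob", "k1", SIGNING_KEYS["k1"], now + 10**6)
    return {
        "legit": verify_cookie(legit, now),
        "tampered": verify_cookie(tampered, now),
        # Server still trusts k1: the forgery is accepted as bob, no password involved.
        "forged_before_rotation": verify_cookie(forged, now, accepted_key_ids=("k1", "k2")),
        # Server has rotated k1 out: the same forgery is rejected.
        "forged_after_rotation": verify_cookie(forged, now, accepted_key_ids=("k2",)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result!r}")
```

The check that ends a forged-cookie campaign is rotating the signing material and refusing cookies minted under the old key; forcing password resets alone does not help, because a forged cookie never involved the password.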

Yahoo disclosed the incident on Sept. 22, 2016, announcing that data on at least 500 million Yahoo accounts had been stolen from the company in 2014. Media speculated about the involvement of state-sponsored hackers.


In October, a former company executive revealed the number of affected user accounts in the Yahoo data breach may be between 1 Billion and 3 Billion.

In December, Yahoo admitted crooks had stolen details of more than a billion user accounts. In 2013, hackers broke into Yahoo's systems and accessed one billion user accounts containing names, addresses, phone numbers, and hashed passwords. The passwords were hashed with MD5, which is easy to crack; the leaked data also included some encrypted and cleartext security questions and answers.

The data breaches suffered by Yahoo affected the sale of the company to telecom giant Verizon for $4.8 billion. Initially, Verizon requested a discount of $1 billion on the price; now it seems the two companies have agreed to cut the price by $250 million to $300 million following disclosure of the breaches.


Pierluigi Paganini

(Security Affairs – cybercrime, data breach)

The post Yahoo notifies users hackers are forging “cookies” to take over their accounts appeared first on Security Affairs.

Source: Security affairs


Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo’s mail service that allowed an attacker—most likely a “state actor,” according to Yahoo—to use a forged “cookie” created by software stolen from within Yahoo’s internal systems to gain access to user accounts without a password.

Yahoo informed some users in e-mails this week that “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” The messages are regarding possible breaches using the cookie vulnerability in 2014.

The Associated Press’ Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.




Just over a year ago, the US Supreme Court declined to clear up the nationwide legal confusion regarding whether the Constitution requires authorities to get a probable-cause court warrant to obtain cell-site location data records of suspects under investigation.

The federal circuit courts of appeal and the lower courts have been all over the map when it comes to this bread-and-butter privacy issue. Even AT&T has said it was confused about the law, and it has demanded clarity on the issue. To that end, a bipartisan group of federal lawmakers proposed legislation Wednesday that seeks to answer the question once and for all: the government would need probable-cause warrants to obtain geolocation data on suspects.

“Outdated laws shouldn’t be an excuse for open season on tracking Americans, and owning a smartphone or fitness tracker shouldn’t give the government a blank check to track your movements,” Sen. Ron Wyden, a Democrat from Oregon, said of the legislation he’s co-sponsoring.



The Russian-speaking black hat hacker Rasputin has hacked the systems of more than 60 universities and U.S. government agencies.

According to the threat intelligence firm Recorded Future, a Russian-speaking black hat hacker known as ‘Rasputin‘ has hacked the systems of more than 60 universities and U.S. government agencies.

Rasputin victims

Rasputin first came to attention in December 2016, when he was offering for sale stolen login credentials for the U.S. Election Assistance Commission (EAC), the agency that tests and certifies voting equipment. Rasputin exploits SQL injection flaws to gain access to sensitive information, which he then sells on cybercrime marketplaces.

Recorded Future has been following Rasputin since 2015; according to the firm, he may also have tried to sell details about the SQL injection flaw to a broker working on behalf of a Middle Eastern government.

Based on Rasputin’s history of criminal forum activity, the experts rule out that he is sponsored by a foreign government.

Researchers at Recorded Future identified many of Rasputin’s victims, including ten universities in the United Kingdom, over two dozen universities in the United States, and many US government agencies.

The government agencies breached by the hacker include local, state and federal organizations. The list of victims includes the Postal Regulatory Commission, the Health Resources and Services Administration, the Department of Housing and Urban Development, and the National Oceanic and Atmospheric Administration.

There are plenty of free tools that can be used to find and exploit SQL injection vulnerabilities, including Havij, Ashiyane SQL Scanner, SQL Exploiter Pro, SQLI Hunter, SQL Inject Me, SQLmap and SQLSentinel.

Rasputin, however, does not rely on these free SQL injection scanners; he has been using a SQL injection tool that he developed himself.

“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases. ” reads the analysis published by Recorded Future.

Experts from Recorded Future highlighted that, while awareness of SQL injection vulnerabilities is high, organizations still lack basic secure coding practices.

Recorded Future pointed out that addressing these types of flaws can often be costly, so companies tend to postpone the fixes until budget is available, but sometimes it is too late.

“SQLi vulnerabilities are simple to prevent through coding best practices. Over 15 years of high-profile data breaches have done little to prevent poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia.” continues the analysis. “Some of the most publicized data breaches were the result of SQLi including large corporations like Heartland Payment Systems, HBGary Federal, Yahoo!, Linkedin, etc.”
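The coding flaw the analysis refers to, beside the fix, as an added example (not Recorded Future's code and not Rasputin's tool). The table, rows and payloads are constructed; the in-memory SQLite database stands in for any site's user store, and the two payloads are the generic tautology and UNION techniques that any SQLi tool automates:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)",
        [("alice", "alice@example.edu", "hash-a"),
         ("bob", "bob@example.gov", "hash-b"),
         ("carol", "carol@example.edu", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """The pattern SQLi tooling hunts for: user input concatenated into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username: str) -> list:
    """Same query with a bound parameter: the input is treated as data, never as SQL syntax."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


# Two classic payloads: a tautology that returns every row, and a UNION that
# pulls password hashes out of a column the query was never meant to expose.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, pw_hash FROM users --"


def demo() -> dict:
    conn = build_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),       # every user
        "vuln_union": sorted(lookup_vulnerable(conn, UNION_DUMP)),  # every password hash
        "safe_tautology": lookup_hardened(conn, TAUTOLOGY),         # no such username
        "safe_union": lookup_hardened(conn, UNION_DUMP),            # no such username
        "safe_normal": lookup_hardened(conn, "alice"),              # intended behaviour intact
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} {rows}")
```

The vulnerable version lets one request dump a column it never selects; binding the parameter closes both payloads without changing the legitimate result. Binding only covers values: where table or column names must vary, they cannot be bound and have to be checked against an allow-list instead.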


Pierluigi Paganini

(Security Affairs – Rasputin, hacking)

The post Russian hacker Rasputin breaches over 60 Universities and Government Agencies appeared first on Security Affairs.

Source: Security affairs


You would be forgiven for thinking that the Prius is ubiquitous; after all, Toyota has sold several million of them all around the world. Everywhere except China, it seems. According to Bloomberg, just 76 Priuses found homes in China during all of 2016, with only a single sale in the month of December.

It’s not that China doesn’t like hybrids. Demand was up for alternative powertrains in 2016, even if hybrids and electric vehicles still make up less than two percent of vehicle sales. No, this is down to the Prius itself.

One problem is its looks, which failed to appeal to Chinese tastes, according to Bloomberg’s analyst. But import fees were probably a more significant factor. Until 2015, Toyota built Priuses in China, but with no domestic production in 2016, any vehicles imported were subject to an extra 25 percent duty.



Nokia’s Flexi Multiradio 10 base station, affixed to a brick wall. In a new lawsuit, the product has been accused of infringing BlackBerry patents. (credit: Nokia)

As it says goodbye to the smartphone business, BlackBerry is pushing ahead with an attempt to wring some cash from its patents.

The new salvo is a 96-page complaint (PDF) against Nokia, which accuses the Finnish telecom company of infringing 11 BlackBerry patents related to LTE- and UMTS/UTRAN-compliant products and services. The related products include Nokia’s Flexi line of base stations and its Liquid Radio software.

The patents include number 8,494,090, “Detecting the number of transmit antennas in a base station,” and No. 8,254,246, “Scattered pilot pattern and channel estimation system for MIMO-OFDM systems.”
