News & Updates

Enlarge (credit: Bethesda)

LOS ANGELES—A true The Elder Scrolls game on mobile? Not exactly. Recently-announced The Elder Scrolls Blades from Bethesda Game Studios is not a massive, free-roaming, systems-based super RPG. Instead, it’s a casual dungeon crawler with a gorgeous presentation—and more bells and whistles than your typical mobile RPG.

I’m a passionate fan of the franchise, and I played the new mobile game for about a half an hour at Bethesda’s E3 booth this week. In a similar way to spinoffs The Elder Scrolls Online and The Elder Scrolls Legends, I recognized the franchise’s DNA but I also recognized that the growing game studio is trying something different here.

That’s not necessarily a bad thing. The streamlined game has top-notch visuals, the combat draws influences from the right places, and it feels entirely native to the device on which it runs. The game I played intrigued me, but I didn’t get a sense of what might keep someone coming back for days or weeks after the initial download. Judging from the modes described in the initial announcement, that could be because the most interesting mode—the one in which you play through a story to build a town with non-player characters (NPCs) in it—wasn’t on display at the show.

Read 13 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

The GitHub account of the Syscoin cryptocurrency was compromised by hackers that replaced the official Syscoin Windows client with a tainted version.

The Syscoin clients allow users to mine Syscoin cryptocurrency or manage Syscoin funds.

Syscoin Windows client

The other versions in the v3.0.4.1 release were not replaced, this means that Mac and Linux clients were not replaced by the hackers.

The tainted version of the Syscoin Windows client contained the Arkei data stealer (aka Trojan:Win32/Feury.B!cl), a malicious code used to steal passwords and wallet private keys.

The Syscoin development team is warning users downloaded the Syscoin Windows client version 3.0.4.1 between June 09, 2018 10:14 PM UTC and June 13, 2018 10:23 PM UTC that their machines might be infected.

“The Syscoin developers found that a malicious, unsigned copy of the Windows Syscoin 3.0.4.1 installer was made available via the Syscoin Github release page on June 9th, 2018 due to a compromised GitHub account. This installer contained malicious code. (Trojan:Win32/Feury.B!cl)” reads the security notice published by the development team.

“The virustotal scan of the malicious file named “re.exe” that is saved to the local temp folder (C:UsersuserAppDataLocalTemp) upon running the fake installer: https://www.virustotal.com/#/file/b105d2db66865200d1b235c931026bf44428eb7327393bf76fdd4e96f1c622a1/detection

The Syscoin team discovered the security breach after receiving a warning from users that Windows Defender SmartScreen, AVG and Kaspersky was marking downloads of the Syscoin Windows client as a virus.

The affected executables are:

  • syscoincore-3.0.4-win32-setup.exe
  • syscoincore-3.0.4-win64-setup.exe

Syscoin team removed the malicious files and issued a security notice that includes the instructions to determine the installation date:

  • Right-click on syscoin-qt.exe in C:Users[USERNAME]AppDataRoamingSyscoinCore or view in detailed list mode and make a note of the modified date.
  • OR go to Settings->Apps and make a note of the installation date.

If the modified/installation date is between June 9th, 2018, and June 13th, 2018, the team suggests users taking the following actions:

  • Backup any important data including wallets onto another storage medium outside of the affected computer. Treat this data cautiously as it may contain infectious code.
  • Run an up-to-date virus scanner on your system to remove the threat.
  • Passwords entered since the time of the infection should be changed from a separate device after ensuring the threat has been removed.
  • Funds in unencrypted wallets or wallets that had been unlocked during the infection period, should be moved to a newly generated wallet on a secure computer.

The Syscoin team announced additional measures to protect its users and their assets such the usage of two-factor authentication (2FA) for its developers and routine (file signature) checks of the files available for download to detect any modification of the repository.

“We are working with Github to improve the release page experience to provide information regarding the modifying account as well as the last modification date of a release. This would allow users to detect if certain binaries were updated for potentially malicious purposes.” concludes the notice.

“All individuals responsible for Github releases should enable 2FA and ensure they have deterministic signature hashes for files on a regular basis.”

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(Security Affairs – Syscoin Windows client, cryptocurrency)


The post Syscoin Github has been breached, hacker replaced Syscoin Windows client with tainted version appeared first on Security Affairs.

Source: Security affairs

Researchers observed a spike in the number of cyber-attacks targeting Singapore during the Trump-Kim Summit, from June 11 to June 12.

Researchers at F5 Labs have observed a spike in the number of cyber-attacks targeting Singapore from June 11 to June 12, in the wake of the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel.

Experts remarked that typically Singapore is not a top attack destination, and the skipe of the number of attacks coincides with Trump-Kim Jong-un meeting.

Most of the attacks originated from Russia (88% of overall attacks) and frankly speaking, I’m not surprised due to the importance of the Trump-Kim summit.

According to F5 Labs and Loryka, 97% of all the attacks that originated from Russian from June 11 to June 12 targeted Singapore.

“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”

The cyber attacks hit almost any computer system, from VoIP phones to IoT devices. The attacks began out of Brazil targeting port SIP 5060 of IP phones where communications are transmitted in clear text.

After an initial attack that lasted for a couple of hours, researchers observed a reconnaissance activity originated from the Russian IP address 188.246.234.60 that is owned by ASN 49505, operated by Selectel; the scans targeted a variety of ports.

None of the attacks was carried out to spread malware.

“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.” continues the analysis.

“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”

Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 p.m. on June 11 through 8:00 p.m. June 12, local time.

The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets.

34% of the attacks originated from Russia, the list of top attackers includes China, the US, France, and Italy.

Singapore attacks Trump-Kim Summit

Trump-Kim Summit

During the summit time frame, Singapore was the top destination of cyber-attacks, it received 4.5 times more attacks than countries like the U.S. and Canada.

The SIP port 5060 was targeted 25 times more than Telnet port 23, hackers were attempting to gain access to insecure communication systems or VoIP server and to compromise IoT devices to spy on communications.

“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(Security Affairs – Trump-Kim Summit, Russia)


The post Singapore was hit by an unprecedented number of attacks during the Trump-Kim Summit appeared first on Security Affairs.

Source: Security affairs

Enlarge / Founder & CEO of Theranos, Elizabeth Holmes. (credit: Getty | Gilbert Carrasquillo)

Federal prosecutors have indicted Theranos founder Elizabeth Holmes and the company’s former president Ramesh “Sunny” Balwani with nine counts of wire fraud and two counts of conspiracy to commit wire fraud. Prosecutors claim that the pair defrauded investors, doctors, and patients while promoting and running their now disgraced blood-testing startup.

In the new court filing—submitted Thursday, June 14 in federal court in San Jose, and unsealed on Friday—prosecutors allege that Holmes and Balwani engaged in a scheme to mislead investors about the state and capabilities of the company’s blood-testing technology and defrauded them out of more than $100 million. The prosecutors also allege that the pair defrauded doctors and patients by knowingly misleading them with false advertising and marketing that stated that their company could provide accurate and reliable health tests on just drops of blood from a finger-prick with their proprietary technology.

Later investigations, sparked by reporting by the Wall Street Journal, revealed that Theranos’ blood testing tech was flawed and faulty. The findings led to a dizzying downward spiral of lawsuits, regulatory sanctions, and tens of thousands of blood tests results being corrected or voided.

Read 8 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Enlarge / Michael Cohen leaving the United States District Court Southern District of New York on May 30, 2018 in New York City. A letter today revealed that the FBI had recovered over 700 pages of messages and call logs from encrypted messaging apps on one of two BlackBerry phones belonging to Cohen. (credit: Getty Images)

In a letter to the presiding judge in the case against Michael Cohen, President Donald Trump’s long-time personal attorney, the US Attorney’s Office for the Southern District of New York revealed today that it had obtained additional evidence for review—including a trove of messages and call logs from WhatsApp and Signal on one of two BlackBerry phones belonging to Cohen. The messages and call logs together constitute 731 pages of potential evidence. The FBI also recovered 16 pages of documents that had been shredded, but it has not yet been able to complete the extraction of data from the second phone.

The letter to Judge Kimba Wood stated that “the Government was advised that the FBI’s original electronic extraction of data from telephones did not capture content related to encrypted messaging applications, such as WhatsApp and Signal… The FBI has now obtained this material.”

This change is likely because of the way the messages are stored by the applications, not because the FBI had to break any sort of encryption on them. WhatsApp and Signal store their messages in encrypted databases on the device, so an initial dump of the phone would have only provided a cryptographic blob. The key is required to decrypt the contents of such a database, and there are tools readily available to access the WhatsApp database on a PC.

Read 4 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

You don’t have to go home, but you can’t stay at the NIH. (credit: Maya83)

The National Institutes of Health has terminated a controversial $100-million study on the health effects of daily drinking that was largely funded by the alcohol industry. The announcement comes after internal NIH investigations found evidence of scientific bias, policy violations, and inappropriate engagement with industry representatives.

The findings—announced by the NIH on Friday, June 15—largely support recent investigations by the press that suggested NIH officials and the study’s lead researchers had inappropriately wooed industry and pitched the study as “necessary if alcohol is to be recommended as part of a healthy diet.”

Five of the world’s largest alcoholic beverage companies, namely Anheuser-Busch InBev, Diageo, Pernod Ricard, Heineken, and Carlsberg, subsequently agreed to pitch in $67.7 million for the study. Those funds would be provided indirectly through a nongovernmental foundation that raises funds for the NIH.

Read 10 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Trend Micro spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater APT.

Security experts at Trend Micro have spotted a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater cyber-espionage campaign.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by TEMP.Zagros group (another name used by the experts to track the MuddyWater), targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

The attacks have been mistakenly associated with the FIN7 group, when Palo Alto discovered the first campaign reported that a C&C server delivering the FIN7-linked DNSMessenger tool was involved in MuddyWater attacks as well.

The new campaign discovered by the experts presents many similarities with previous ones conducted by the same threat actor, attackers attempted to distribute a backdoor through weaponized Word documents that execute PowerShell scripts.

“In May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload.” reads the analysis published by Trend Micro.

“One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script(VBS) and PowerShell component files, and instead encode all the scripts on the document itself. The scripts will then be decoded and dropped to execute the payload without needing to download the component files.”

Unlike previous campaigns, the samples don’t directly download the malicious scripts because they are encoded in the document itself.

MuddyWater New

The bait document used in the campaign claims to be a reward or a promotion, a circumstance that suggests the hackers are targeting entities in other industries,

Once the victim opens the document, he is enticed into enabling the macro to view its full content.

“Once the macro is enabled, it will use the Document_Open() event to automatically execute the malicious routine if either a new document using the same template is opened or when the template itself is opened as a document0.” continues the analysis.

The code executes two PowerShell scripts, with the second is used by attackers to drop various components on the compromised machine.

 

The final payload delivered in the last campaign is the PRB-BackdoorRAT, it was controlled by the command and control (C&C) server at outl00k[.]net.

The backdoor can execute a broad range of commands, including gather browsing history from installed browsers, exfiltrate passwords found in the browser, read and write files, execute shell commands, log keystrokes and capture screenshots.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro concludes.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini 

(Security Affairs – MuddyWater, APT)


The post A new MuddyWater Campaign spreads Powershell-based PRB-Backdoor appeared first on Security Affairs.

Source: Security affairs

Enlarge (credit: Disney)

Apple announced today that it signed a multi-year content partnership with actress, philanthropist, and talk-show host Oprah Winfrey. The partnership is the latest in a series of moves Apple has made to bolster its original programming efforts. Winfrey’s content will be released as part of Apple’s lineup, but it’s still unclear when and where Apple will debut the bulk of its planned original content.

Monetary details of the deal have not be disclosed. According to a report by The Hollywood Reporter, the partnership is non-exclusive, as Winfrey will remain chairman and CEO of OWN, her cable network backed by Discovery.

Apple’s statement says that Winfrey will create content that embraces “her incomparable ability to connect with audiences around the world.” Reports suggest that Winfrey may not only make a certain type of content for Apple—the deal supposedly covers movies, TV shows, books, applications, and more. Snagging a partnership with Winfrey is one of Apple’s biggest gets yet in terms of talent, especially considering Netflix and Amazon were reportedly also in talks with the star.

Read 3 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Aurich Lawson)

The Department of Justice announced Friday that Ross Ulbricht’s alleged right-hand man—Roger Thomas Clark, also known as “Variety Jones”—has been extradited to the United States after being in custody in Thailand for more than 2.5 years.

Federal prosecutors allege that the 54-year-old Canadian was paid “at least hundreds of thousands of dollars” to work for Ulbricht. Over two years ago, Ulbricht was sentenced to life in prison for owning and operating the notorious Silk Road website, an online marketplace for drugs or other illicit materials. The operation is now defunct.

In September 2016, in an exclusive jailhouse interview with Ars, Clark told us that he would not be going to the US. “They don’t have shit on me,” he added.

Read 2 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/