News & Updates

Researchers have spotted a new widespread ransomware campaign that uses emails with malicious attachments disguised as Herbalife branded messages.

Researchers at security firm Barracuda have spotted a new widespread ransomware campaign leveraging emails with malicious attachments, some of which pretend to be sent by the multi-level marketing nutrition company Herbalife.

More than 20 million Herbalife branded emails were sent in a 24 hour period; since then, the crooks have been sending messages at a rate of about two million per hour.

Most of the messages are sent from Vietnam; other significant sources are India, Colombia, Turkey and Greece.

“The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam. Other significant sources of this attack include India, Colombia, and Turkey and Greece. Other countries appear to be distributing the same attack in very low volumes.” reads the analysis published by Barracuda. “So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.”

[Image: HerbaLife spam email]

The attackers are using a Locky variant with a single identifier to track the infections.

“Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor,” continues the analysis. “In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.”

The email attachment claims to be an invoice for an order placed through the company Herbalife. If the user opens the file, it will launch the ransomware dropper.

Researchers are also observing attachments that impersonate invoices from marketplace.amazon.uk, as well as other variants of the malicious emails claiming to be a “copier” file delivery.

Barracuda researchers are now also seeing a wrapper in this campaign that impersonates a voicemail message, using the subject line “New voice message [phone number] in mailbox [phone number] from [“phone number”] [<alt phone number>].”

Researchers detected at least 6,000 different versions of the malicious script used by the attackers, a circumstance that suggests crooks are randomizing a portion of the attack code to avoid detection.

“There have been approximately 6,000 fingerprints, which tells us that these attacks are being automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead of anti-virus engines.” continues the blog post.
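A gateway-side check for the lure shapes the report describes (brand-named invoices, “copier” deliveries and the voicemail subject template), combined with the attachment type and the SPF result for the sender domain, is shown below as an added illustration; it is not Barracuda's code, and the script extensions, the Message fields and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Lure shapes the Barracuda report describes: Herbalife and marketplace.amazon.uk
# invoices, "copier" file deliveries and the voicemail notification template.
VOICEMAIL_RE = re.compile(
    r"^New voice message\s+\S+\s+in mailbox\s+\S+\s+from\s+\S+", re.IGNORECASE)
INVOICE_RE = re.compile(r"\binvoice\b", re.IGNORECASE)
BRAND_RE = re.compile(r"herbalife|marketplace\.amazon\.uk", re.IGNORECASE)
COPIER_RE = re.compile(r"\bcopier\b", re.IGNORECASE)

# Assumption: the randomized "script" attachments carry one of these extensions;
# the report does not list them, so this set is illustrative.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd")

@dataclass
class Message:
    sender_domain: str
    subject: str
    attachments: tuple
    spf_pass: bool  # assumed: the gateway's SPF check result for sender_domain

def lure_type(msg: Message):
    """Return which campaign lure the message resembles, or None."""
    if VOICEMAIL_RE.search(msg.subject):
        return "voicemail"
    if COPIER_RE.search(msg.subject):
        return "copier"
    if INVOICE_RE.search(msg.subject) and BRAND_RE.search(
            msg.subject + " " + msg.sender_domain):
        return "brand-invoice"
    return None

def has_script_attachment(msg: Message) -> bool:
    return any(name.lower().endswith(SCRIPT_EXTS) for name in msg.attachments)

def verdict(msg: Message) -> str:
    """Gateway decision: a known lure with a script attachment, or a known lure
    from a sender that fails SPF (the spoofed domains noted in the report), is
    quarantined; either signal on its own is routed for review."""
    lure = lure_type(msg)
    scripty = has_script_attachment(msg)
    if lure and (scripty or not msg.spf_pass):
        return "quarantine"
    if lure or scripty:
        return "review"
    return "deliver"

# Constructed sample messages (not taken from the report).
SAMPLES = [
    Message("herbalife.com", "Herbalife Invoice 48271", ("invoice_48271.js",), False),
    Message("pbx.example.net",
            "New voice message 5551234 in mailbox 5559876 from 5551234",
            ("vm_3921.wsf",), True),
    Message("seller.example", "Your marketplace.amazon.uk invoice", ("invoice.pdf",), True),
    Message("corp.example.com", "Q3 budget review", ("budget.xlsx",), True),
]
```

Because the campaign randomizes file names and download domains, the rule keys on the stable parts (subject template, brand name, attachment class, SPF failure) rather than on hashes or indicators.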

The payloads delivered by the malicious emails, and the domains used to host the second-stage malware that infects the victim’s computer, have changed multiple times since the start of the ransomware campaign.

The researchers noted the attack code is checking the language files on a victim’s computer, suggesting the attackers are ready to target users worldwide.

All the messages come from a spoofed domain, making them appear legitimate. See the report for Indicators of Compromise (IoCs).

Given the targets of the campaign, experts believe the threat actors are primarily financially motivated.


Pierluigi Paganini

(Security Affairs – Herbalife, Locky ransomware)


The post Massive HerbaLife spam campaign spreads a variant of Locky ransomware appeared first on Security Affairs.

Source: Security affairs

Login credentials for 540K records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

Another day, another data breach to report: login credentials for more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.

A few hours ago Verizon data was leaked online, and last week a similar incident affected the entertainment giant Viacom; in both cases the data were found on an unsecured Amazon S3 server.

The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center. The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.

[Image: SVR Tracking device]

The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.

The exposed archive also includes information on where the tracking device was hidden in the car.

“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, the exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.

Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.

“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more.” continues the analysis.

It also includes:

  • 116 GB of hourly backups
  • 8.5 GB of daily backups from 2017
  • 339 documents called “logs” that contained data from a wider date range of 2015-2017 (UpdateAllVehicleImages, SynchVehicleStatus, maintenance records)
  • A document with information on the 427 dealerships that use their tracking information.

The archive also included the position of the vehicles for the past 120 days.

The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.

Kromtech reported the discovery to SVR Tracking, which promptly secured the bucket. At the time of writing, it is not clear whether anyone else accessed the data while it was exposed online.
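Since the leaked passwords were unsalted SHA-1 hashes, the defensive fix for a store like this is to re-hash each password with a salted, slow KDF at the user's next successful login. The example below is added here and is not Kromtech's or SVR Tracking's code; the record formats, the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

# Record formats are an assumption for this example, not SVR Tracking's schema:
#   "sha1$<hex>"                                   legacy unsalted SHA-1
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<hex>"  upgraded record
PBKDF2_ITERATIONS = 600_000

def legacy_sha1_record(password: str) -> str:
    """Unsalted SHA-1: identical passwords give identical hashes, and the digest is
    cheap enough that GPU crackers test billions of guesses per second against a dump."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_record(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: a per-user random salt defeats
    precomputed tables and the iteration count makes every guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(record: str, password: str) -> bool:
    """Verify a password against either record format using a constant-time compare."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, hash_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex)
    return False  # unknown scheme: never accept

def verify_and_upgrade(record: str, password: str):
    """Login-time migration: when the password verifies against a legacy SHA-1
    record, return (True, new_pbkdf2_record) so the store can replace it in place."""
    if not verify(record, password):
        return False, record
    if record.startswith("sha1$"):
        return True, pbkdf2_record(password)
    return True, record
```

Once every active user has logged in once, any remaining "sha1$" records belong to dormant accounts and can be forced through a reset rather than left crackable.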


Pierluigi Paganini

(Security Affairs – SVR Tracking, data leak)


The post Passwords and much more for 540,000 SVR Tracking accounts leaked online appeared first on Security Affairs.

Source: Security affairs

Nikon, one of the leading manufacturers of microscopes, also hosts an annual microscopy competition (and you can use any company’s microscopes to enter). We’ve shared some of our favorite images with you in years past, since they’ve been every bit as artistic as good photography and, in many cases, reveal important details about the natural world—details that we’d otherwise never be able to appreciate.

Most people will only get exposed to microscopy during high school biology, which is typically the realm of static slices of long-dead organisms, permanently pressed onto a glass side. But history’s first use of a microscope back in the 1600s involved watching living microbes flitting across the field of view. Microscopy doesn’t have to be static; in fact, the element of time can be incredibly informative.

And advancements in technology mean that we can do some amazing things with living samples, including labelling them in a rainbow of fluorescent colors, automating long time-lapse recordings, and more. And movies can tell us things that wouldn’t be possible to learn otherwise, like the process by which a material deforms and breaks, the coordination of cell divisions and migrations that assemble an embryo, and more.


Source: http://feeds.arstechnica.com/arstechnica/index/

Close-up of cables and LED lights in the data center of T-Systems, a subsidiary of Deutsche Telekom AG. (credit: Thomas Trutschel/Getty Images)

The Justice Department is demanding that a federal judge sanction Google for failing to abide by court orders to turn over data tied to 22 e-mail accounts. “Google’s conduct here amounts to a willful and contemptuous disregard of various court orders,” the government wrote (PDF) in a legal filing to US District Judge Richard Seeborg of California.

The government added in its Wednesday brief:

Google is entitled to have its own view of the law and to press that view before a court of competent jurisdiction. However, when faced with a valid court order, Google, like any other person or entity, must either comply with such an order or face consequences severe enough to deter willful noncompliance. The issue before this court is what sanction is sufficient to achieve that goal.

Google said it wasn’t complying with the order because it was on appeal. Google also said it was following precedent from a New York-based federal appellate court that ruled Microsoft doesn’t have to comply with a valid US warrant for data if the information is stored on overseas servers. Google is appealing the California warrant to the San Francisco-based 9th US Circuit Court of Appeals on the same grounds. However, neither Seeborg nor the 9th Circuit is bound by the 2nd Circuit Court of Appeals’ decision— which the government has appealed to the US Supreme Court. (The US circuit courts of appeal are not bound to follow rulings by their sister circuits, but they all must obey precedent from the Supreme Court.)


Source: http://feeds.arstechnica.com/arstechnica/index/

Cyber criminals behind the Retefe banking Trojan have improved it by adding a new component that uses the NSA exploit EternalBlue.

ETERNALBLUE is the alleged NSA exploit that made the headlines, together with DOUBLEPULSAR, in the massive WannaCry and NotPetya attacks.

ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.

Investigations on WannaCry, for example, revealed that at least three other groups have been leveraging the NSA EternalBlue exploit. In August, a new fileless miner dubbed CoinMiner appeared in the wild; it uses the EternalBlue exploit and the WMI tool to spread. Earlier this year, researchers at Flashpoint observed that the TrickBot banking Trojan also included an EternalBlue module.

“The Retefe banking Trojan has historically targeted Austria, Sweden, Switzerland and Japan, and we have also observed it targeting banking sites in the United Kingdom. While it has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, it is notable for its consistent regional focus, and interesting implementation.” states the analysis published by ProofPoint.

“Unlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network.”

Researchers have observed a wave of phishing messages using weaponized Microsoft Office documents containing embedded Package Shell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut “.lnk” files.

Once the user opens the shortcut and accepts the security warning, it triggers the execution of a PowerShell command that downloads a self-extracting Zip archive hosted on a remote server.

[Image: Retefe EternalBlue infection chain]

The Zip archive contains an obfuscated JavaScript installer that includes several configuration session parameters. According to the malware researchers, one of the parameters (“pseb:”) has been added to refer to the execution of a script that implements the EternalBlue exploit. The configuration observed on September 5 also included a feature to log the installation and the configuration of the victim.

“We first observed the “pseb:” parameter on September 5. The “pseb:” configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept posted on GitHub. It also contains functionality to log the installation and victim configuration details, uploading them to an FTP server. On September 20, the “pseb:” section had been replaced with a new “pslog:” section that contained only the logging functions.” continues the analysis.

The malicious code downloads a PowerShell script from a remote server that includes an embedded executable that installs Retefe.

According to the experts, the threat actor behind this new version of Retefe is conducting increasingly targeted attacks and included the EternalBlue exploit to improve the malware’s propagation.

On September 20, the “pseb:” section had been replaced with a new “pslog:” section that includes only the logging functions.

“This installation, however, lacks the “pseb:” module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop.” states ProofPoint.

Organizations should patch against the EternalBlue exploit; they should also block associated traffic in IDS systems and firewalls.

“Companies should also block associated traffic in IDS systems and firewalls and block malicious messages (the primary vector for Retefe) at the email gateway,” concludes Proofpoint.


Pierluigi Paganini

(Security Affairs – EternalBlue exploit, banking Trojan)


The post Retefe banking Trojan leverages EternalBlue exploit to infect Swiss users appeared first on Security Affairs.

Source: Security affairs

Nichelle Nichols (left, who played Lt. Uhura in The Original Series) and Sonequa Martin-Green (First Officer Michael Burnham) attend the premiere of CBS’s Star Trek: Discovery at The Cinerama Dome on September 19, 2017 in Los Angeles, California. (credit: Todd Williamson / Getty Images News)

Get yourself to a viewscreen: Sunday, September 24, 8:30pm ET is the moment that Star Trek fans have spent years waiting for.

The first episode of Star Trek: Discovery will broadcast on traditional television (your local CBS station) as a way to kickstart the series before it moves over entirely to CBS All Access, the company’s nearly-three-year-old paid online video service.

According to CBS, after the first broadcast of Episode 1 airs (“The Vulcan Hello”), the first two episodes will be made available on CBS All Access. A one-week trial is free, otherwise the service costs $6 per month or $10 per month with an ad-free version. All Access is available on all mobile platforms, Apple TV, Roku, Chromecast, Fire TV, and more.


Source: http://feeds.arstechnica.com/arstechnica/index/

In Spettacolo, literally this town’s whole world is a stage. (credit: Jeff Malmberg, Chris Shellen)

The early moments of Spettacolo, the latest documentary from the team behind the acclaimed 2010 work Marwencol, may cause travel lust. As the film gets underway, old brick buildings serve as a backdrop for European architecture and vistas, practically begging viewers to hop on Airbnb, HomeAway, or some similar service just to survey the current options.

But like the unflinching Marwencol—a critically adored film that details the work of artist Mark Hogancamp, who suffered brain damage after being jumped in a bar and then created a 1/6th-scale backyard model of a WWII town as a form of self-therapy—Spettacolo wants to take its audience well beyond this surface. By the end of this charming but philosophical film—which debuts theatrically this month and recently screened at the Toronto International Film Festival—viewers may find themselves thinking twice about that next dream Airbnb rental.

Tradition via chance

Set in tiny Monticchiello in the Tuscany region of Italy, Spettacolo focuses on the Teatro Povero di Monticchiello (the Poor Theater). For 50 years, this town (population: 136) has staged a communal play that a majority of Monticchiello’s residents typically participate in. Don’t mistake this for your run-of-the-mill community theater production of Grease, though. The annual play in Monticchiello stands as part art, part therapy, part pleading Facebook wall post: rather than perform an existing work, every year residents hold town meetings to formulate a story about their current lives to produce and perform.


Source: http://feeds.arstechnica.com/arstechnica/index/


In the 2009 movie Star Trek, Captain Kirk and Sulu plummeted down toward the planet Vulcan without a parachute. “Beam us up, beam us up!” Kirk shouted in desperation. Then at the last second, after a tense scene of Chekov running top speed to the transporter room, their lives were saved moments before they hit the doomed planet’s rocky surface.

But can beaming out save someone’s life? Some would argue that having one’s “molecules scrambled,” as Dr. McCoy would put it, is actually the surest way to die. Sure, after you’ve been taken apart by the transporter, you’re put back together somewhere else, good as new. But is it still you on the other side, or is it a copy? If the latter, does that mean the transporter is a suicide box?

These issues have received a lot of attention lately given Trek’s 50th Anniversary last year and the series’ impending return to TV. Not to mention, in the real world scientists have found recent success in quantum teleporting a particle’s information farther than before (which isn’t the same thing, but still). So while it seems like Trek’s transporter conundrum has never had a satisfying resolution, we thought we’d take a renewed crack at it.


Source: http://feeds.arstechnica.com/arstechnica/index/