Alerts

Elsevier, publisher of scientific journals such as The Lancet, has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with password reset links produced when users requested a change to their login credentials, was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed, or for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.

According to Motherboard’s Joseph Cox, the credentials were displayed on Kibana, a popular tool for visualizing and sorting data.


Motherboard verified that the credentials were valid by asking Hussein to reset his own password to a specific phrase fed to him by Motherboard. Cox writes:

A few minutes later, the plain text password appeared on the exposed server.

Elsevier secured the server after getting a heads-up from Motherboard and details from Hussein. An Elsevier spokesperson sent Motherboard a statement in which the publisher blamed a misconfigured server:

The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.

As others have pointed out, saying that the passwords are no longer exposed doesn’t explain why they were stored in plain text to begin with. Hopefully, Elsevier will pay attention to that, as well as to the misconfigured server that left them hanging on the line like a discarded beach towel.


If you’re an Elsevier user

Reset your passwords, and if you know you’ve used the same password on other websites, change those too!

Also if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too.


The information contained in this website is for general information purposes only. The information is gathered from Naked Security while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Security experts at Check Point uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store.

Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted.

SimBad disguises itself as ads, it is hidden in the RXDrioder software development kit (SDK) used for advertising purposes and monetization generation. Every application developed using the tainted SDK includes the malicious code.

“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer,” reads the analysis published by the experts.

“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The domain ‘addroider[.]com’ was registered via GoDaddy, with its ownership masked by a privacy protection service; RiskIQ’s PassiveTotal reveals that the domain expired 7 months ago. Accessing the domain yields a login page that looks similar to other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and redirect the user back to the login page.

The SimBad malware is also able to redirect Android users to compromised phishing websites and to download more malicious applications either from the Play Store or from a remote server.

Once an Android user downloads and installs an infected application, the SimBad malware registers itself for the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents. In this way, the malware can act as soon as the boot phase has completed and while the unaware user is using the device.

Once installed, SimBad connects to the Command and Control (C&C) server and receives a command to perform. It removes its icon from the launcher, making it harder for the user to uninstall the malicious app, and at the same time starts to display background ads and open a browser with a given URL to generate fraudulent revenue without raising suspicion.

“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.

“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”
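The boot and unlock hooks described above are visible in an app's manifest before the app ever runs. The following triage script is an added example (not Check Point's tooling or SimBad's code): it parses a constructed AndroidManifest.xml and flags any receiver registered for the BOOT_COMPLETED and USER_PRESENT broadcasts, noting when the receiver class comes from a package other than the app's own, which is what a bundled third-party SDK looks like. Package and class names in the sample are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The two system broadcasts SimBad is reported to register for (standard
# Android action names; the article spells the first one BOOT_COMPLETE).
WAKE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}

# Constructed sample manifest (not from any real app): a simulator game with a
# normal launcher activity plus a receiver from a bundled ad SDK, whose class
# lives outside the app's own package and wakes on boot and screen unlock.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snowexcavator">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Snow Excavator">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.adsdk.core.WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def _a(attr):
    """Qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)

def triage_manifest(xml_text):
    """One finding per receiver registered for a wake action: the receiver
    class, the matching actions, and whether the class sits outside the app's
    own package (what you expect when a bundled SDK, not the developer, added it)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        cls = receiver.get(_a("name"), "")
        if cls.startswith("."):  # shorthand for a class inside the app package
            cls = pkg + cls
        actions = {act.get(_a("name")) for act in receiver.iter("action")}
        hits = sorted(actions & WAKE_ACTIONS)
        if hits:
            findings.append({"receiver": cls, "actions": hits,
                             "third_party": not cls.startswith(pkg + ".")})
    return findings

def has_simbad_style_hook(findings):
    """True when a third-party receiver listens for both boot and unlock."""
    return any(f["third_party"] and set(f["actions"]) == WAKE_ACTIONS
               for f in findings)

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "SimBad-style wake hook:", has_simbad_style_hook(found))
```

A hit is a reason to look at the SDK, not proof of malice; legitimate apps register for these broadcasts too, so the useful signal is the combination of both actions in a component the developer did not write.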


According to Check Point, most of the infected applications are simulator games, followed by photo editors and wallpaper applications. Below is the list of the top 10 apps infected with SimBad malware:

  1. Snow Heavy Excavator Simulator (10,000,000 downloads)
  2. Hoverboard Racing (5,000,000 downloads)
  3. Real Tractor Farming Simulator (5,000,000 downloads)
  4. Ambulance Rescue Driving (5,000,000 downloads)
  5. Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  6. Fire Truck Emergency Driver (5,000,000 downloads)
  7. Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  8. Car Parking Challenge (5,000,000 downloads)
  9. Speed Boat Jet Ski Racing (5,000,000 downloads)
  10. Water Surfing Car Stunt (5,000,000 downloads)

The full list of malware-infected apps is available here.

This is the latest in a series of campaigns leveraging the Google store; previously reported massive attacks involved the CopyCat and Gooligan malware.

The information is gathered from Security Affairs.

The popular SSH client program PuTTY has released the latest version of its software, which includes security patches for 8 high-severity vulnerabilities.

PuTTY is one of the most popular and widely used open-source client-side programs that allows users to remotely access computers over SSH, Telnet, and Rlogin network protocols. Almost 20 months after releasing the last version of its software, the developers of PuTTY earlier this week released the latest version 0.71 for Windows and Unix operating systems.

According to an advisory available on its website, all previous versions of the PuTTY software have been found vulnerable to multiple security vulnerabilities that could allow a malicious or compromised server to hijack the client’s system in different ways.

Listed below, with brief information, are all 8 vulnerabilities that PuTTY 0.71 has patched:

1) Authentication Prompt Spoofing

Since PuTTY doesn’t have a way to indicate whether a piece of terminal output is genuine, this user-interface issue could be exploited by a malicious server to generate a fake authentication prompt on the client side, prompting victims to enter their private key passphrases.

“If the server had also acquired a copy of your encrypted key file (which, for example, you might have considered safe to copy around because it was securely encrypted), then this would give it access to your private key,” the advisory explains.

2) Code Execution via CHM Hijacking

When a user launches the online help within the PuTTY GUI tools, the software tries to locate its help file alongside its own executable.

This behavior could allow an attacker to trick the user into executing malicious code on the client system via a hijacked CHM file.

“If you were running PuTTY from a directory that unrelated code could arrange to drop files into, this means that if somebody contrived to get a file called putty.chm into that directory, then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe.”

3) Buffer Overflow in Unix PuTTY Tools

According to the advisory, if a server opens too many port forwardings, PuTTY for Unix does not bounds-check the file descriptor it adds to the set of active Unix file descriptors it monitors for activity, leading to a buffer overflow.

“We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a malicious SSH server, if you enabled any of the options that allow the server to open a channel: remote-to-local port forwarding, agent forwarding or X11 forwarding,” the advisory says.

4) Reusing Cryptographic Random Numbers

This issue resides in PuTTY’s cryptographic random number generator, which occasionally used the same batch of random bytes twice.

“This occurred because of a one-byte buffer overflow in the random pool code. If entropy from an external source was injected into the random pool exactly when the current-position index was pointing at the very end of the pool, it would overrun the pool buffer by one byte and overwrite the low byte of the position index itself.”
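To make the mechanism in that quote concrete, here is a small constructed model (added here; not PuTTY's source): the pool bytes are followed in the same buffer by the low byte of the position index, the consumer leaves the index pointing one past the end after draining the pool, and the entropy mixer either trusts that index (the bug) or wraps it first (the fix). The pool size, byte values, lazy-wrap consumer and lack of hashing are simplifications of this model.

```python
POOL_SIZE = 8  # a tiny constructed pool so every step is easy to follow

class RandomPool:
    """Constructed model, not PuTTY's code: the pool bytes are followed in the
    same buffer by the low byte of the position index (self.mem[POOL_SIZE]),
    so a write one past the end of the pool lands on the index itself."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.mem = bytearray(range(0xA0, 0xA0 + POOL_SIZE)) + bytearray([0])

    @property
    def pos(self):
        return self.mem[POOL_SIZE]

    @pos.setter
    def pos(self, value):
        self.mem[POOL_SIZE] = value & 0xFF

    def get_byte(self):
        """Consumer side: after handing out the last pool byte the index is
        left equal to POOL_SIZE and only wrapped on the next call."""
        if self.pos >= POOL_SIZE:
            self.pos = 0
        byte = self.mem[self.pos]
        self.pos += 1
        return byte

    def add_noise(self, noise):
        """Mix external entropy into the pool at the current position."""
        for n in noise:
            if self.fixed and self.pos >= POOL_SIZE:
                self.pos = 0  # the fix: wrap before writing
            # Unfixed path: with pos == POOL_SIZE this XOR hits the index byte,
            # not the pool, which is the one-byte overrun from the advisory.
            self.mem[self.pos] ^= n
            self.pos = (self.pos + 1) % POOL_SIZE

def run_scenario(fixed, noise=bytes([0x0C])):
    """Drain the pool once, inject entropy at the exact moment the index sits
    at the end of the pool, then draw a second batch.
    Returns (noise reached the pool, second batch is a reshuffle of the first)."""
    pool = RandomPool(fixed)
    first = bytes(pool.get_byte() for _ in range(POOL_SIZE))
    before = bytes(pool.mem[:POOL_SIZE])
    pool.add_noise(noise)
    noise_mixed = bytes(pool.mem[:POOL_SIZE]) != before
    second = bytes(pool.get_byte() for _ in range(POOL_SIZE))
    return noise_mixed, sorted(second) == sorted(first)

if __name__ == "__main__":
    print("unfixed:", run_scenario(fixed=False))  # (False, True)
    print("fixed:  ", run_scenario(fixed=True))   # (True, False)
```

In the unfixed run the injected entropy never reaches the pool and the corrupted index sends the consumer back over bytes it has already handed out, which is the reuse the advisory describes.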

5) Integer Overflow Flaw

All prior versions of PuTTY suffer from an integer overflow issue due to a missing key-size check in RSA key exchange.

A remote server can trigger the vulnerability by sending a short RSA key, leading to an integer overflow and uncontrolled overwriting of memory.

PuTTY developers are not sure whether this flaw can be exploited to gain control over the client, but since the issue occurs during key exchange and before host key checking, the overflow can be induced by a MitM attack even if the middle man does not know the correct host key.

“So even if you trust the server you think you are connecting to, you are not safe,” the advisory adds.

6, 7 and 8) Terminal DoS Attacks

The last three vulnerabilities allow a server to crash or slow down the client’s terminal by sending different text outputs.

A server can send a long unbroken string of Unicode characters to the client’s terminal, which could cause a denial of service by making the client allocate potentially unlimited amounts of memory.

The second DoS can be triggered in the GTK front end by sending output that mixes combining characters and double-width text to a terminal with an odd number of columns.

In the third DoS attack, sending width-2 characters, as used in Chinese, Japanese and Korean text, to the client can force PuTTY’s terminal emulator to crash.

If you use PuTTY, make sure you download and use the latest version of it.

The information is gathered from The Hacker News.

One of the world’s largest producers of aluminum has been forced to shut down several of its plants across Europe and the U.S. after an “extensive cyber attack” hit its operations, leaving the company’s IT systems unusable.

According to a press release shared by aluminum giant Norsk Hydro today, the company has temporarily shut down several plants and switched to manual operations “where possible” in countries including Norway, Qatar and Brazil, in an attempt to continue some of its operations.

The cyber attack, which began in the U.S., was first detected by the company’s IT experts around late Monday evening CET. The company is working to neutralize the attack and investigating to determine the full extent of the incident.

“Hydro’s main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents,” the company says.

In an 18-minute-long video press conference, Norsk Hydro CFO Eivind Kallevik revealed that Norsk Hydro’s systems have been hit by a relatively new strain of ransomware, known as LockerGoga, which encrypts all files on the targeted computers and then demands a ransom to unlock them, as other ransomware does.

“The situation is quite severe. The entire worldwide network is down, affecting all production as well as our office operations,” Kallevik said.

During the press conference, the Norwegian National Security Authority (NNSA) also said that the agency is helping Norsk Hydro with the incident and cooperating with other sectors and international agencies.

According to reports published by local public broadcaster NRK and Reuters, researchers say LockerGoga is not widely spread malware; it was also used to target French engineering consultancy Altran Technologies earlier this year.

“It is too early to indicate the operational and financial impact, as well as timing to resolve the situation,” the company says.

Norsk Hydro is the latest victim of a so-called ransomware attack, a class of attack that has crippled many major companies in the past few years.

At this time it’s unknown whether the company has lost any significant data in the attack and, if so, whether it would pay, or is already considering paying, the ransom to the cybercriminals responsible, whose identity is still unknown.

But for now, the company has said that Hydro has cyber insurance and that its main plan is to restore systems from backup data.

Headquartered in Oslo, Norsk Hydro is one of the largest aluminum companies worldwide, with operations in some 50 countries around the world and active on all continents. The company’s shares went down around 1% at the time of writing due to the incident.

The information is gathered from The Hacker News.

Security researchers have uncovered a new variant of the infamous Mirai Internet of Things botnet, this time targeting embedded devices intended for use within business environments in an attempt to gain control over larger bandwidth to carry out devastating DDoS attacks.

Although the original creators of Mirai botnet have already been arrested and jailed, variants of the infamous IoT malware, including Satori and Okiru, keep emerging due to the availability of its source code on the Internet since 2016.


First seen in 2016, Mirai is well-known IoT botnet malware that can infect routers, security cameras, DVRs and other smart devices (which typically use default credentials and run outdated versions of Linux) and enslave the compromised devices into a botnet, which is then used to conduct DDoS attacks.

New Mirai Variant Targets Enterprise IoT Devices

Now, Palo Alto Networks’ Unit 42 researchers have spotted the newest variant of Mirai, which for the first time targets enterprise-focused devices, including WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.

The Mirai variant adds 11 new exploits to its “multi-exploit battery,” making it a total of 27 exploits, as well as a new set of “unusual default credentials” to use in brute force attacks against Internet-connected devices.

“These new features afford the botnet a large attack surface,” Unit 42 researchers reported in a blog post published Monday. “In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.”

While a remote code execution exploit for LG Supersign TVs (CVE-2018-17173) was made available in September last year, attack code exploiting a command-injection vulnerability in the WePresent WiPG-1000 was published in 2017.

Besides these two exploits, the new Mirai variant is also targeting various embedded hardware like:

  • Linksys routers
  • ZTE routers
  • DLink routers
  • Network Storage Devices
  • NVRs and IP cameras

After scanning and identifying vulnerable devices, the malware fetches the new Mirai payload from a compromised website and downloads it onto the target device, which is then added to the botnet and can eventually be used to launch HTTP flood DDoS attacks.

Mirai is the infamous botnet that was responsible for some of the record-breaking DDoS attacks, including those against France-based hosting provider OVH and Dyn DNS service that crippled some of the world’s biggest sites, including Twitter, Netflix, Amazon, and Spotify.

Mirai-based attacks saw a sudden rise after someone publicly released its source code in October 2016, allowing attackers to upgrade the malware with newly disclosed exploits according to their needs and targets.

“These [new] developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches,” researchers said.

“And in the case of devices that cannot be patched, to remove those devices from the network as a last resort.”

So the takeaway? Change the default passwords on your internet-connected devices as soon as you bring them home or into the office, and always keep them fully updated with new security patches.

The information is gathered from The Hacker News.