Alerts

A giant 87 GB archive containing 773 million unique email addresses and their associated cracked (dehashed) passwords has been spotted being promoted on an online hacking forum. The file is being called “Collection #1” and is packaged so that it can be used directly in credential stuffing attacks.

Credential stuffing is when attackers take lists of email addresses and their associated cracked passwords and use them to try to log into other sites. Wherever a victim has reused the same credentials, the attackers gain access to that account and to the data, and potentially the financial assets, behind it.

This collection was discovered by security researcher and Have I Been Pwned creator Troy Hunt and consists of 2,800 different files containing leaked account information from many different data breaches. While the original breach data may have contained hashed rather than plaintext passwords, whoever compiled this collection cracked those hashes so that the plaintext passwords can be used directly in attacks.

It is important to note, though, that this is not a new data breach, but simply a compilation of older ones.
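As an added example (not from the original article) of what the credential stuffing described above looks like from the defender's side, the Python below scans a constructed login log for sources that spread a burst of attempts across many different accounts, the pattern a list like Collection #1 produces when it is replayed against a site, and pulls out the accounts where such a source actually got in. The log format, the thresholds and the function names are assumptions of this example, not anything from Have I Been Pwned or the article.

```python
"""Flag credential-stuffing sources in a login log.

Credential stuffing looks different from a classic brute-force attack:
one source tries many *different* accounts, each only once or twice
(one leaked email/password pair per account), and most attempts fail.
So the signal is "many distinct accounts per source, few tries each",
not "many tries against one account".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the article), one attempt per line:
#   "<source ip> <account> <OK|FAIL>"   (an assumed format)
SAMPLE_LOG = """\
203.0.113.7 alice@example.com FAIL
203.0.113.7 bob@example.com FAIL
203.0.113.7 carol@example.com FAIL
203.0.113.7 dave@example.com OK
203.0.113.7 erin@example.com FAIL
203.0.113.7 frank@example.com FAIL
203.0.113.7 grace@example.com FAIL
198.51.100.2 alice@example.com FAIL
198.51.100.2 alice@example.com FAIL
198.51.100.2 alice@example.com OK
192.0.2.9 bob@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)


def parse_log(text):
    """Yield (ip, account, succeeded) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("OK", "FAIL"):
            continue  # ignore noise rather than crash on it
        yield parts[0], parts[1].lower(), parts[2] == "OK"


def summarize(events):
    """Aggregate attempts, successes and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for ip, account, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.accounts.add(account)
    return stats


def find_stuffing_sources(text, min_accounts=5, max_attempts_per_account=2.0):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    A source is flagged when it has touched at least `min_accounts` distinct
    accounts and averages no more than `max_attempts_per_account` tries per
    account. A brute-force source hammering one account fails the first test;
    a legitimate shared NAT address usually fails the second.
    """
    flagged = {}
    for ip, s in summarize(parse_log(text)).items():
        distinct = len(s.accounts)
        if distinct >= min_accounts and s.attempts / distinct <= max_attempts_per_account:
            flagged[ip] = s
    return flagged


def compromised_accounts(text, **thresholds):
    """Accounts a flagged source actually logged into: their owners reused a
    leaked password and need a forced reset, not just a blocked IP."""
    flagged = find_stuffing_sources(text, **thresholds)
    return {account for ip, account, ok in parse_log(text) if ok and ip in flagged}


if __name__ == "__main__":
    for ip, s in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts over {len(s.accounts)} accounts, "
              f"{s.successes} succeeded")
    print("force password reset for:", sorted(compromised_accounts(SAMPLE_LOG)))
```

In the sample, 203.0.113.7 tries seven different accounts once each and gets into one of them, which is the stuffing pattern; 198.51.100.2 retries a single account three times, which is a typo or a brute-force attempt, not stuffing, and is left alone. Thresholds must be tuned per site: a large corporate proxy can legitimately show many accounts from one IP, which is why the attempts-per-account ratio is checked alongside the account count.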

This compilation is being called “Collection #1” after a folder name in a screenshot promoting the data breach files.

In a blog post, Hunt states that this collection contains 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses, and 21,222,975 unique passwords. The researcher further states that the oldest data appears to be from a breach in 2008.

After receiving the archive, Hunt loaded it into Have I Been Pwned so that existing subscribers would be notified if their address appears in it, and so that new users can check whether their accounts have been exposed.

For those not familiar with Have I Been Pwned, it is a site where you can submit your email address and see the data breaches in which that address was exposed. The original article shows, as an illustration, the list of breaches returned for the example address asd@asd.com.

As always, it is important to create a unique password for every site where you create an account. Since remembering a unique password for every site is difficult, it is also suggested that you use a password manager to generate and store them.

With unique passwords, a data breach at one site exposes only the credentials for that site, rather than every site on which you reused the same password.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Tencent security researchers have discovered a critical vulnerability, dubbed Magellan, in the widely used SQLite database engine that exposes billions of deployments to attackers.

The newly discovered SQLite flaw could allow remote attackers to execute arbitrary code on affected devices, leak program memory or crash applications.

SQLite is a lightweight, widely used disk-based relational database management system that requires minimal support from the operating system or external libraries, and hence is compatible with almost every device, platform and programming language.

SQLite is the most widely deployed database engine in the world today, used by millions of applications with literally billions of deployments: IoT devices, macOS and Windows apps, Adobe software, Skype, major web browsers and more.

Since Chromium-based web browsers, including Google Chrome, Opera, Vivaldi and Brave, expose SQLite to web content through the deprecated Web SQL database API, a remote attacker can target users of affected browsers simply by convincing them to visit a specially crafted web page.

“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability,” the researchers said in a blog post.

SQLite has released updated version 3.26.0 of its software to address the issue after receiving responsible disclosure from the researchers.
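As an added practitioner check (not part of the original report): because every application links or bundles its own copy of SQLite, the version of the sqlite3 command-line tool says nothing about what a given program uses, and the only reliable way to know whether a program is past the fix is to ask the library it actually loads. The Python below does that for Python's own sqlite3 module and shows the version comparison done correctly. The 3.26.0 threshold comes from the text above; the function names are this example's own.

```python
"""Check whether the SQLite library an application links against predates the
Magellan fix (SQLite 3.26.0).

The comparison is done component by component, because a plain string
compare gets release numbers wrong: "3.7.17" sorts after "3.26.0" as text.
"""
import re
import sqlite3

FIXED_IN = (3, 26, 0)   # release that addressed Magellan, per the advisory above


def parse_version(text):
    """'3.26.0' -> (3, 26, 0); tolerates a missing patch field ('3.26' -> (3, 26, 0))."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SQLite version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version_text, fixed_in=FIXED_IN):
    """True when the given release is at or past the fixed release."""
    return parse_version(version_text) >= fixed_in


def linked_sqlite_version():
    """Version reported by the SQLite library actually loaded, via a live query.

    Querying sqlite_version() goes through the same shared library the
    application uses, which is the number that matters for this flaw.
    """
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        con.close()


if __name__ == "__main__":
    v = linked_sqlite_version()
    state = "patched" if is_patched(v) else "VULNERABLE (older than 3.26.0)"
    print(f"Python's sqlite3 module links SQLite {v}: {state}")
```

The same `SELECT sqlite_version()` query can be issued from any other runtime (a browser's Web SQL console, an Android app, an Electron app) to get the number for that particular embedding; a patched system SQLite does not protect an application that ships its own older copy.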

Google has also released Chromium version 71.0.3578.80 to patch the issue, and the fix has shipped in the latest versions of Google Chrome and Brave.

Tencent researchers said they successfully built a proof-of-concept exploit for the Magellan vulnerability and tested it against Google Home.

Since most affected applications embed their own copy of SQLite and cannot be patched anytime soon, the researchers have decided not to disclose technical details or proof-of-concept exploit code to the public.

“We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible,” the researchers said.

Since SQLite is used by everybody, including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft and a great deal of other software, the Magellan vulnerability is a noteworthy issue, even though it has not yet been seen exploited in the wild.

Users and administrators are strongly recommended to update their systems and affected software to the latest release as soon as one becomes available.

The information above is gathered from The Hacker News.

With WordPress 5.0 ‘Bebo’ out of the gate, the next job is to patch the flaws that have accumulated since the last Security and Maintenance release in July.

The update for that job is this week’s WordPress 5.0.1, which backports security fixes all the way to version 3.7, excepting a small number of documented compatibility issues.

The numbers don't sound that bad, only seven flaws that needed fixing, but the list includes some significant ones that deserve admin attention.

PHP unserialization

The best-publicised of the crop is probably the one revealed by Secarma researcher Sam Thomas at August's Black Hat conference, who found a way to feed malicious input to PHP's unserialization function.

Serialisation converts an object into a string so it can be stored or transmitted; the danger arises when attacker-controlled data is converted back into an object, because the class and properties of the resulting object are then chosen by the attacker.

It’s a type of flaw researchers are now investigating across other applications. In the context of WordPress, said Thomas:

Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension.

I’ve highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk.
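The following is an added illustration, in Python rather than WordPress's PHP, of the kind of check described in the quoted text: accept an upload only when the file's leading bytes agree with its extension, so that a binary or script named payload.jpg is refused instead of landing in the uploads directory. The magic numbers are standard; the file names and byte strings are constructed sample inputs, and the function names are this example's own, not WordPress's.

```python
"""Content-based upload type check.

Before WordPress 5.0.1 a file was accepted on the strength of its extension
alone. The check below sniffs the leading bytes of the file and refuses the
upload unless the sniffed type agrees with the extension.
"""
import os

# Magic numbers for the image types this site allows (constructed allow-list).
MAGIC = [
    (b"\xff\xd8\xff",       "image/jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n",  "image/png",  {"png"}),
    (b"GIF87a",             "image/gif",  {"gif"}),
    (b"GIF89a",             "image/gif",  {"gif"}),
]


def sniff_type(data):
    """Return the MIME type implied by the file's first bytes, or None."""
    for magic, mime, _ in MAGIC:
        if data[:len(magic)] == magic:
            return mime
    return None


def allowed_extensions(mime):
    """Extensions that may legitimately carry the given sniffed type."""
    return next((exts for _, m, exts in MAGIC if m == mime), set())


def check_upload(filename, data):
    """Return (accepted, reason). The extension must match the sniffed content,
    never the other way round: the client-supplied name is untrusted input."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    mime = sniff_type(data)
    if mime is None:
        return False, "content is not a recognised image type"
    if ext not in allowed_extensions(mime):
        return False, f"extension .{ext} does not match content type {mime}"
    return True, mime


# Constructed sample uploads (file headers only; not real files).
SAMPLES = {
    "photo.jpg":     b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "banner.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "payload.jpg":   b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # ELF binary named .jpg
    "shell.php.jpg": b"<?php system($_GET['c']); ?>",         # PHP script named .jpg
    "pic.png":       b"\xff\xd8\xff\xe0\x00\x10JFIF",         # JPEG bytes, .png name
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = check_upload(name, blob)
        print(f"{name:14s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The last sample, real JPEG bytes under a .png name, is rejected here; a more forgiving policy is to rename the file to the extension the content implies, but a rejection is the safer default, because the saved extension is what decides how the web server will later handle the file. Sniffing only the first bytes is deliberately cheap; it is the agreement between content and name that matters, and a full image decode is not needed to enforce it.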

XSS

Researcher Tim Coen's name appears on three flaws, starting with a cross-site scripting (XSS) vulnerability, co-credited with Slavco Mihajloski, in which specially crafted files uploaded to Apache-hosted sites could bypass MIME verification.

The other two, also XSS, cover a way for contributors to edit new comments from higher-privileged users, and specially crafted URL inputs that could trigger XSS in some plugins “in some situations.”

Yoast

Another that sticks out like a sore thumb is the flaw spotted by Yoast: in rare circumstances, the user activation screen for new users, which displays email addresses and passwords, could be indexed and found using a Google search (not to be confused with the recent Yoast flaw, CVE-2018-19370).

RIPS

Simon Scannell at PHP security company RIPS Technologies (who also recently found a WooCommerce flaw) discovered that authors could create posts of unauthorized types using specially crafted input.

A second one from RIPS, this time credited to Karim El Ouerghemmi, is a weakness that could allow authors to delete files they weren't authorised to delete.

Unless your site updates automatically, you can install WordPress 5.0.1 via Dashboard > Updates > Update Now.

It's the same process if you're running an older version. However, if that version is near the 3.7 end of the scale, it might be time to upgrade or face being left behind for good by WordPress development.

The information above is gathered from Naked Security.

Even though Apple has always been especially proud of its App Store review process, it seems that some apps which are not exactly malicious but do exhibit risky behavior occasionally escape its review team's scrutiny.

That is the case with over a dozen iOS applications found in Apple's App Store which were observed sending data to command-and-control servers known to have been used by the Android Golduck loader.

Golduck Loader used as an adware distribution platform

The Golduck malware was discovered by Appthority in multiple apps distributed through the Google Play store at the end of 2017, and its authors used it as an adware distribution platform with possible device compromise capabilities.

Malware loaders are usually used by their operators to build botnets that can later be put to various uses, either as part of custom multi-stage infection chains that drop second-stage payloads, or by renting them to other bad actors in Malware-as-a-Service (MaaS) schemes.

Although malware loaders act as droppers for other malware strains such as Trojans and don't come with their own data-stealing or data-corruption features, they can still serve crooks as backdoors.

The apps also exfiltrated info to the Golduck C&C servers

This behavior is what drew the attention of Wandera's Threat Research team, which found that the apps behaved much like the Golduck-infected Android apps, injecting ads overzealously into multiple areas of the app's main screen.

Wandera researchers identified regular communication between the various apps and a Golduck Command & Control server. Our security researchers discovered a secondary area being used to display ads that are not powered by Admob and instead, present content from a known malicious server.

Furthermore, these iOS apps were also sending multiple snippets of information to the Golduck C&C servers, ranging from IP addresses and location data to the device type and the number of ads displayed on the device.

Wandera’s security researchers found that 14 different retro games were communicating with the Golduck servers, all of them listed below:

Commando Metal: Classic Contra
Super Pentron Adventure: Super Hard
Classic Tank vs Super Bomber
Super Adventure of Maritron
Roy Adventure Troll Game
Trap Dungeons: Super Adventure
Bounce Classic Legend
Block Game
Classic Bomber: Super Legend
Brain It On: Stickman Physics
Bomber Game: Classic Bomberman
Classic Brick – Retro Block
The Climber Brick
Chicken Shoot Galaxy Invaders

Risky apps removed by Apple following reports

All of the iOS apps found to exhibit this behavior, over a dozen in total, were published by only three developers: Nguyen Hue, Gaing Thi, and Tran Tu.

Apple has since removed all the iOS apps that were using Golduck’s C&C servers for adware distribution and data collection purposes, but it is to be expected that their developers will not give up on their idea very quickly.

They will, most probably, get their ad-ridden apps back on the iOS App Store in the very near future if they are able to circumvent the review team’s efforts.

Once that happens, iOS users who trust every app available in Apple's App Store will again be exposed to various risks, as Wandera's Threat Research team said in its analysis:

The C&C establishes what is essentially a ‘backdoor’ that a hacker could use in the future to directly communicate with the device and its user. For example, a hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed.

The information above is gathered from Bleeping Computer.

Cybercriminals behind GandCrab have added the Vidar infostealer to the ransomware's distribution chain, increasing their profits by pilfering sensitive information before the victim's files are encrypted.

Following the trail of a malvertising campaign targeting users of torrent trackers and video streaming websites, malware researchers found that the Fallout exploit kit was being used to spread a relatively new infostealer called Vidar, which doubled as a downloader for GandCrab.

Using a rogue advertising domain, the threat actor filtered visitors to the compromised websites by geolocation and redirected the selected ones to an exploit kit (EK).

Fallout was the most active, says Jérôme Segura of Malwarebytes, adding that it pushed Vidar – a commercial threat available for $700 specifically built for stealing passwords and forms from web browsers.

It can be configured to grab specific information, like payment card numbers or credentials stored in various applications. The variant examined by Malwarebytes included scraping capabilities for details from “an impressive selection of digital wallets.”

Once it starts running, Vidar searches for the data specified in its configuration and delivers it to the command and control (C2) server as a ZIP archive, notes Segura.

Its interface makes it easy for the operator to keep track of the victims, deliver instructions to the malware and check the type of data collected from each infected host.

Downloading GandCrab ransomware

Vidar can work as a malware dropper and in the case observed by Malwarebytes the second payload was GandCrab ransomware.

“Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.”

5.04 is the latest revision of the ransomware and, at the moment, there is no way to decrypt the files it touches without paying the ransom or otherwise obtaining the decryption key from the threat actor.

Users affected by earlier versions of the ransomware can recover their files with a free GandCrab decryption tool that works with v1, v4, and v5 up to v5.02 of the malware.

Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals do not use the stolen data themselves, they can sell it on underground forums.

Users whose files have been locked by GandCrab should now also consider changing the username/password combinations at least for the critical services and applications they use, since Vidar may have harvested those credentials before the encryption started.

The information above is gathered from Bleeping Computer.