Alerts

The maintainers of the Trezor multi-cryptocurrency wallet service reported a phishing attack against some of its users that occurred during the weekend.

The attack appears more complex than a simple phishing campaign: the attackers may have used DNS poisoning or BGP hijacking to redirect users to a rogue phishing site that mimics the legitimate one.

“The signs point toward DNS poisoning or BGP hijacking,” explains the Trezor team.

Hackers redirected legitimate traffic for the official wallet.trezor.io domain to a rogue copy of the website.

The team launched an investigation to shed light on the attack. The experts spotted the incident after users reported HTTPS certificate errors when landing on the web wallet portal.

The error alerted the users: a certificate warning of this kind suggests that the site being visited is a rogue one attempting to pose as the legitimate site.

The users quickly reported the anomaly to the maintainers, who confirmed the phishing attack and published a security advisory to warn users about it.

Late night yesterday, many inquiries about an invalid SSL certificate have been received, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.

The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.

The company also reported two other issues for the bogus website:

The first issue was an error message, different from anything on the original Trezor site, which told users that syncing data between their Trezor hardware wallet and their Trezor web account had failed.

The second issue was that the fake website asked users to provide a copy of their “recovery seed.” Trezor warns that users should never enter the recovery seed on a PC or in an app: if attackers obtain the recovery seed, they can take over the accounts.

The company took down the malicious website with the support of the hosting provider.

At the time of writing it is not clear whether the attackers stole user funds.

So how should I recognize the original Trezor Wallet?

Look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)

Always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.

Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Wallet will never ask you for your recovery seed. Only your device may, but it will do so securely.

The information contained in this website is for general information purposes only. The information is gathered from Security Affairs while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Cryptojacking is one of the latest malware threats you have to watch out for. It’s a growing problem and it’s starting to become one of the biggest tech scams out there.

With the current cryptocurrency explosion, this new kind of profit-generating practice is quickly spreading. While cryptomining is a completely legal way to earn cryptocurrencies, cryptojacking is another story. It’s a new scheme by cybercriminals to profit off your gadget without your knowledge.

And it looks like it’s not strictly infecting computers and smartphones anymore: nasty cryptomining malware has been discovered in some best-selling Amazon products as well. Read on to learn more about this latest threat, how to spot and remove it, and how to prevent your gadgets from getting reinfected.

An Android worm has been spotted spreading to a number of popular Amazon products, mainly the Fire line of streaming devices like the Amazon Fire TV box and the Fire Stick.

The worm is not targeting Fire TV gadgets exclusively, but Amazon’s Fire operating system is based on Android, so these gadgets are also vulnerable to the same Android malware.

According to AFTVNews, the malware appears to be a variant of ADB.Miner, an Android worm that scans the internet for vulnerable gadgets and then infects them with a stealthy cryptominer.

However, instead of automatically infecting vulnerable devices, the Fire TV variant is installed through a side-loaded app named “Test” (package name is “com.google.time.time”).

Once it gets a foothold on your network, ADB.Miner will search for other vulnerable gadgets in your network, including Android-based smartphones, tablets, smart TVs and set-top boxes that have a publicly accessible Android Debug Bridge (ADB).

How can third-party apps make their way into Amazon’s supposedly closed Fire TV ecosystem anyway?

Similar to other Android gadgets, you can also turn on a Fire TV’s developer options like “ADB debugging” and “Apps from Unknown Sources.”

ADB debugging exposes the Android Debug Bridge, a developer tool used over the network for a variety of tasks including installing and debugging apps, while turning on “Apps from Unknown Sources” allows you to install side-loaded apps on your Fire TV.

Why would anyone download and install this sketchy third-party app to their Fire TV gadgets? Well, according to AFTVNews, it’s an app that promises access to pirated movies and TV shows.

Symptoms of a cryptojacking infection on your Fire TV

Why is cryptojacking dangerous for your gadget? It makes your gadget work overtime, relentlessly straining its processor and causing it to overheat. It can also use up your data bandwidth without your knowledge.

You may find your Fire TV gadget to be unusually slow, with apps taking longer to load. Videos you’re attempting to stream may stutter and buffer all the time.

In some cases, infected Fire TV gadgets will show a notification that says “Test” together with the green Android robot icon. This screen also causes videos and apps to stop, making the gadget virtually unusable.

And that’s not all. Aside from secretly installing cryptomining software, the malware also scans your network and the internet for more victims it can infect. It’s exactly how a virus is supposed to operate.

How to spot ADB.Miner on your Fire TV

A quick way to check whether your gadget is infected is to look through your installed apps for an app called “Test.” Keep in mind that this malicious app is stealthy: it won’t appear in your Fire TV’s apps section or in its application management screens.

To spot it, you’ll need to install an app called Total Commander from the official Amazon app store.

Once installed, open Total Commander, go to the “Installed Apps” section then check if an app called “Test” is listed.

How to remove the malware

Factory reset – If you do suspect that your Fire TV is infected, the best way to get rid of the malware is to perform a factory reset. To avoid reinfection, make sure all your Android and Fire TV gadgets in your home network that may likewise be infected are unplugged.

To factory reset a Fire TV, navigate to its Settings section >> select Device >> then select “Reset to Factory Defaults.” After the factory reset, your Fire TV will reboot. Now make sure that you keep the developer option “ADB debugging” off.

To prevent accidental malware installs from unauthorized sources, it is recommended that you turn off “Apps from Unknown Sources” as well.

Uninstall the malicious app – Although you can uninstall the malicious “Test” app with Total Commander, it’s not recommended since it is still unclear what other modifications ADB.Miner does to your Fire TV gadgets. If you are pretty sure that your gadget is infected, please perform a factory reset instead.

How to protect your Android gadget from ADB.Miner

As mentioned earlier, to protect all your Android-based smartphones, tablets, smart TVs and set-top boxes (not just Fire TVs) from ADB.Miner, make sure each gadget’s ADB interface is set to “Off.”

And as usual, beware of installing applications straight off the web rather than from the official Amazon App Store or Google Play Store. Also, look out for surprise app permission requests that might pop up, and never grant them!

And lastly, with the assortment of legitimate sites that offer free movies, accessing these illegal piracy sites and apps is not worth it. To keep your gadgets safe, just avoid piracy sites and apps in general.

The information is gathered from Komando.

A years-old vulnerability has been discovered in the way several security products for Mac implement Apple’s code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers.

Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple.

The code-signing mechanism is a vital weapon in the fight against malware: it helps users identify who has signed an app and also provides reasonable proof that the app has not been altered.

However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundled with legitimate Apple-signed code to effectively make the malware look like it has been signed by Apple.

It should be noted that this issue is not a vulnerability in macOS itself but a flaw in how third-party security tools implemented Apple’s code-signing APIs when dealing with Mac executable files called Universal/Fat files.

The exploitation of the vulnerability requires an attacker to use Universal or Fat binary format, which contains several Mach-O files (executable, dyld, or bundle) written for different CPU architectures (i386, x86_64, or PPC).

“This vulnerability exists in the difference between how the Mach-O loader loads signed code vs. how improperly used Code Signing APIs check signed code and is exploited via a malformed Universal/Fat Binary,” Pitts explained.

Pitts also created several malformed PoC Fat/Universal files for developers to use in order to test their products against this vulnerability.

Successful attacks exploiting this technique could allow attackers to gain access to personal data, financial details and even sensitive insider information, in some cases, claimed researchers.

Here’s the list of affected vendors, alongside associated security products and CVEs:

  • VirusTotal (CVE-2018-10408)
  • Google—Santa, molcodesignchecker (CVE-2018-10405)
  • Facebook—OSQuery (CVE-2018-6336)
  • Objective Development—LittleSnitch (CVE-2018-10470)
  • F-Secure—xFence and LittleFlocker (CVE-2018-10403)
  • Objective-See—WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer and others (CVE-2018-10404)
  • Yelp—OSXCollector (CVE-2018-10406)
  • Carbon Black—Cb Response (CVE-2018-10407)

The researcher first notified Apple of the vulnerability in March, but Apple stated that the company did not see it as a security issue that they should directly address.

“Apple stated that documentation could be updated and new features could be pushed out, but ‘third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result’,” Pitts said.
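Pitts’ description of the flaw (the Mach-O loader picks one slice of a Universal/Fat file to run, while a checker that inspects only one slice can be fooled) and Apple’s reply that developers must verify that all identities in a universal binary are the same both point at the same defensive requirement: walk the whole fat_arch table. The following Python is an added example, not Okta’s PoC and not code from any of the vendors listed: it parses the Fat header, reads the Mach-O header inside every slice and reports slices whose declared architecture is unknown, out of bounds, or disagrees with the slice contents. It does not verify signatures, which still requires the platform code-signing API; it shows the per-slice iteration that a full per-slice identity comparison has to be built on. The two sample files are constructed inside the script (header-only stand-ins) and are not real executables.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE        # the fat header and fat_arch table are always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header, stored in the target's byte order
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
KNOWN_CPU_TYPES = {CPU_TYPE_I386: "i386", CPU_TYPE_X86_64: "x86_64",
                   12: "arm", 12 | CPU_ARCH_ABI64: "arm64", 18: "ppc"}
FAT_HEADER = ">II"      # magic, nfat_arch
FAT_ARCH = ">iiIII"     # cputype, cpusubtype, offset, size, align


def parse_fat_slices(data):
    """Return one dict per fat_arch entry; raise ValueError if this is not a Fat binary."""
    if len(data) < struct.calcsize(FAT_HEADER):
        raise ValueError("file too short for a fat header")
    magic, nfat_arch = struct.unpack_from(FAT_HEADER, data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a Universal/Fat binary (magic 0x%08x)" % magic)
    slices = []
    for i in range(nfat_arch):
        pos = struct.calcsize(FAT_HEADER) + i * struct.calcsize(FAT_ARCH)
        cputype, cpusubtype, offset, size, align = struct.unpack_from(FAT_ARCH, data, pos)
        slices.append({"index": i, "cputype": cputype, "cpusubtype": cpusubtype,
                       "offset": offset, "size": size, "align": align})
    return slices


def macho_cputype(data, offset, size):
    """Return the cputype from the Mach-O header at the start of a slice, or None if the
    slice does not begin with a Mach-O magic. Both byte orders are tried because Mach-O
    headers are written in the byte order of the architecture they target."""
    if size < 8 or offset + size > len(data):
        return None
    for order in ("<", ">"):
        magic, cputype = struct.unpack_from(order + "Ii", data, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return cputype
    return None


def audit_fat_binary(data):
    """Walk every slice (not just the first) and return (slice_index, finding) tuples.
    An empty list means each fat_arch entry points at a Mach-O header whose
    architecture agrees with what the table declares."""
    findings = []
    for s in parse_fat_slices(data):
        i, declared = s["index"], s["cputype"] & 0xFFFFFFFF
        if s["offset"] + s["size"] > len(data):
            findings.append((i, "slice extends past the end of the file"))
            continue
        if s["cputype"] not in KNOWN_CPU_TYPES:
            findings.append((i, "fat_arch declares unknown cputype 0x%08x" % declared))
        inner = macho_cputype(data, s["offset"], s["size"])
        if inner is None:
            findings.append((i, "slice does not start with a Mach-O header"))
        elif inner != s["cputype"]:
            findings.append((i, "fat_arch cputype 0x%08x differs from the slice's Mach-O "
                                "header cputype 0x%08x" % (declared, inner & 0xFFFFFFFF)))
    return findings


# --- constructed sample data (header-only stand-ins, not real executables) -------------
def _mach_header(cputype, is64):
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags[, reserved]
    if is64:
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    return struct.pack("<IiiIIII", MH_MAGIC, cputype, 3, 2, 0, 0, 0)


def build_fat(entries, first_offset=64):
    """Assemble a Fat binary from (declared_cputype, slice_bytes) pairs."""
    table = struct.pack(FAT_HEADER, FAT_MAGIC, len(entries))
    body = bytearray()
    for declared, blob in entries:
        table += struct.pack(FAT_ARCH, declared, 3, first_offset + len(body), len(blob), 4)
        body += blob
        body += b"\0" * (-len(body) % 16)     # keep slices 16-byte aligned
    assert len(table) <= first_offset
    return table + b"\0" * (first_offset - len(table)) + bytes(body)


# A well-formed x86_64 + i386 Universal binary.
CLEAN_SAMPLE = build_fat([(CPU_TYPE_X86_64, _mach_header(CPU_TYPE_X86_64, True)),
                          (CPU_TYPE_I386, _mach_header(CPU_TYPE_I386, False))])
# Same layout, but the table entry for slice 1 claims a bogus cputype while the slice
# itself is an i386 Mach-O: a tool that looks at slice 0 alone would never notice.
MALFORMED_SAMPLE = build_fat([(CPU_TYPE_X86_64, _mach_header(CPU_TYPE_X86_64, True)),
                              (0xCAFE, _mach_header(CPU_TYPE_I386, False))])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("malformed", MALFORMED_SAMPLE)):
        print(name, audit_fat_binary(sample) or "no findings")
```

On a real file, `audit_fat_binary(open(path, "rb").read())` gives the structural findings; a signature check would then be run per slice offset rather than once for the file.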

After hearing from Apple, Okta contacted CERT/CC and then notified all known affected third-party developers, who are working on security patches that will likely be released soon.

Google acknowledged the issue and already released a security update for Santa in late April, so users are recommended to upgrade to the latest Santa v0.9.25.

Facebook has also fixed this issue in the latest version of its OSquery, which is already available for download. F-Secure has also rolled out an automatic update to xFENCE users in order to patch the vulnerability.

If you are using one of the above-listed tools, you are advised to check for updates in the coming days and upgrade your software as soon as they are released to guard against attacks exploiting the vulnerability.

The information is gathered from The Hacker News.

In our everyday life we read news about security breaches on platforms like social media and news channels. What exactly is malware? Malware is a malicious computer program that has the ability to partially or totally harm your system.

It can be ransomware, a Trojan horse, a worm, spyware and so on. The internet is full of such malicious programs, which can reach you in the form of scripts, emails, audio files, JavaScript or other formats.

This post is all about the ways to stay cyber safe by eliminating malware and other bugs. The key points for maintaining a high level of protection for your system are as follows. Implementing and following these rules can help you achieve maximum security for your system.

Backup Protection:

If you have not cloned your data to multiple secure places, then you need a backup. Data is the most significant unit of a company’s or person’s work, and it is generated in every phase of operations. Data security is an essential part of cyber security; therefore, you need to have a backup from which to retrieve your data, no matter what the condition is.

You can create a backup of your data in the cloud, or you can keep a backup locally. Storing data in the cloud is usually easier and more cost-effective to use and configure, since the cloud service provider takes care of these services; you just have to upload your data. The best part is that some service providers keep copies of your data in multiple zones. The benefit of storing it in multiple places is that data centres themselves face threats: attackers always search for a single minor loophole in the system, and if data in one zone is compromised, it can be recovered from another distributed zone.

Multi-level Protection:

Whenever you use your credentials to log in or to access a portal or information, try to use two-tier or three-tier authentication, because a username and password alone can be cracked through SQL injection or other malicious scripts. Using a one-time password, an authenticator app, a confirmation mail or other such practices can help you keep your credentials secure.

Prefer SSL encryption:

Hypertext Transfer Protocol Secure (HTTPS) provides a secure communication channel over the internet. It uses a Secure Sockets Layer (SSL, today TLS) to encrypt data transferred over the network.

User’s view: whenever you access a web app that asks you to submit data such as card details or other sensitive information, first ensure that the web page is protected by a valid certificate. You can see this in the address bar of your browser, which also shows whether the connection is secure or not.

Strengthening Firewall:

A firewall works as a security guard for your system. It monitors all incoming and outgoing traffic in your network according to the configured security rules. Whenever an unauthorized program tries to get into your system, the firewall will inform you and block access for that malicious program.

So try to keep your firewall strong by improving security in it. You can configure security groups to control inbound and outbound traffic.

Antivirus Protection:

Installing antivirus software on your machine is a good habit for keeping it secure. Antivirus is a software program that detects, analyses and removes malicious code from your machine. Many effective and trusted antivirus programs are available in the online marketplace; choose the one that suits your machine.

Secured Password:

Hackers can use brute-force or dictionary attacks to crack your credentials or other useful information. So always keep your password long and unpredictable, with a combination of letters, numerals and special characters.

One more important aspect of passwords is to avoid saving your password when you use your credentials to log in. It can be compromised from there.

Regular Updates:

Regularly updating all the software on your machine is a good habit for maintaining security. Vendors regularly send updates to users to install on their systems in order to improve security and fix bugs from the previous version, because enterprises constantly improve their products by searching for and fixing bugs in them.

Follow news, blogs, and tips:

Now you have done everything to secure your machine and data from hackers. One more useful step is to keep yourself updated with hacking news, blogs or videos. You can follow social media platforms like Facebook and Twitter or news channel programs, and keep up with cyber events, trends and threats through security-related groups, pages or websites.

Conclusion:

With so many cyber threats looming around, staying cyber safe is the prime concern. Cybersecurity is not about investing in expensive technologies but about awareness of potential threats and ways to deal with them. Though you cannot eliminate cyber threats, you can surely prevent many of them by being aware of existing cyber trends.

It has been identified that, even with an advanced encryption scheme in place, more than 100 million Internet-of-Things (IoT) devices from thousands of vendors are vulnerable to a downgrade attack that could allow attackers to gain unauthorized access to these devices.

The issue resides in the implementation of Z-Wave protocol—a wireless, radio frequency (RF) based communications technology that is primarily being used by home automation devices to communicate with each other.

Z-Wave protocol has been designed to offer an easy process to set up pairing and remotely control appliances—such as lighting control, security systems, thermostats, windows, locks, swimming pools and garage door openers—over a distance of up to 100 meters (330 feet).

The latest security standard for Z-Wave, called S2 security framework, uses an advanced key exchange mechanism, i.e., Elliptic-Curve Diffie-Hellman (ECDH) anonymous key agreement protocol, to share unique network keys between the controller and the client device during the pairing process.

Even after Silicon Labs, the company that owns Z-Wave, made it mandatory for certified IoT devices to use the latest S2 security standard, millions of smart devices still support the older insecure version of the pairing process, called the S0 framework, for compatibility.

The S0 standard was found to have a critical vulnerability in 2013 due to its use of a hardcoded encryption key (i.e. 0000000000000000) to protect the network key, allowing attackers in range of the targeted devices to intercept the communication.

After analyzing Z-Wave, security researchers from UK-based Pen Test Partners discovered that devices which support both versions of key-sharing mechanisms could be forced to downgrade the pairing process from S2 to S0.

Dubbed Z-Shave by the researchers, the downgrade attack makes it easier for an attacker in range during the pairing process to intercept the key exchange, and obtain the network key to command the device remotely.

Researchers found the vulnerability while comparing the key exchange process under S0 and S2, where they noticed that the node info command, which carries the security class, is transferred entirely unencrypted and unauthenticated, allowing attackers to intercept it or to broadcast a spoofed node info command without the security class set.
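The weak point described above is that the capability advertisement (the node info command) decides which security class is used, yet nothing authenticates it. The following Python model is an added example, not code from Pen Test Partners, Silicon Labs or any Z-Wave stack: it reduces the pairing negotiation to the choice of security class and contrasts a controller that honours whatever the frame advertises with one that refuses to fall back to S0 for a node that previously offered S2 and requires explicit user confirmation before any S0 pairing. The frame layout, the "permissive" and "strict" policy names and the scenario are this example's own constructions; no radio traffic or real cryptography is involved.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Security classes a Z-Wave node can advertise, weakest first. S0 is the legacy scheme
# (network key protected by a hardcoded all-zero key); S2 has three sub-classes.
S0 = "S0"
S2_UNAUTHENTICATED = "S2 Unauthenticated"
S2_AUTHENTICATED = "S2 Authenticated"
S2_ACCESS_CONTROL = "S2 Access Control"
RANK = {S0: 0, S2_UNAUTHENTICATED: 1, S2_AUTHENTICATED: 2, S2_ACCESS_CONTROL: 3}
ALL_CLASSES = frozenset(RANK)


@dataclass(frozen=True)
class NodeInfoFrame:
    """Model of the capability advertisement a joining node sends in the clear. Because
    it is neither encrypted nor authenticated, nothing binds its contents to the node."""
    node_id: int
    supported_classes: FrozenSet[str]


class PairingRefused(Exception):
    pass


@dataclass
class Controller:
    """Model controller. 'permissive' picks the strongest class both sides list, exactly as
    advertised. 'strict' additionally refuses a class weaker than one the same node offered
    earlier and demands user confirmation before any S0 pairing. The strict policy is this
    example's own suggestion (an assumption), not a description of any vendor's firmware."""
    supported_classes: FrozenSet[str]
    policy: str = "permissive"
    best_seen: Dict[int, str] = field(default_factory=dict)

    def negotiate(self, frame: NodeInfoFrame, user_confirmed_s0: bool = False) -> str:
        common = frame.supported_classes & self.supported_classes
        if not common:
            raise PairingRefused("no security class in common")
        chosen = max(common, key=RANK.__getitem__)
        earlier = self.best_seen.get(frame.node_id)
        if self.policy == "strict":
            if earlier is not None and RANK[chosen] < RANK[earlier]:
                raise PairingRefused(f"node {frame.node_id} offered {earlier} before; "
                                     f"refusing downgrade to {chosen}")
            if chosen == S0 and not user_confirmed_s0:
                raise PairingRefused("S0 pairing requires explicit user confirmation")
        if earlier is None or RANK[chosen] > RANK[earlier]:
            self.best_seen[frame.node_id] = chosen
        return chosen


def pairing_outcome(controller: Controller, frame: NodeInfoFrame) -> str:
    """The negotiated class, or 'REFUSED: <reason>'."""
    try:
        return controller.negotiate(frame)
    except PairingRefused as exc:
        return f"REFUSED: {exc}"


# Constructed scenario: a lock that supports S2 Authenticated plus S0 for compatibility,
# and a forged frame for the same node that lists only S0.
LOCK_ID = 7
GENUINE_FRAME = NodeInfoFrame(LOCK_ID, frozenset({S0, S2_AUTHENTICATED}))
FORGED_FRAME = NodeInfoFrame(LOCK_ID, frozenset({S0}))


def demo() -> Dict[str, str]:
    permissive = Controller(ALL_CLASSES, "permissive")
    strict = Controller(ALL_CLASSES, "strict")
    return {
        "permissive/genuine": pairing_outcome(permissive, GENUINE_FRAME),
        "permissive/forged": pairing_outcome(permissive, FORGED_FRAME),   # silent fallback to S0
        "strict/genuine": pairing_outcome(strict, GENUINE_FRAME),
        "strict/forged": pairing_outcome(strict, FORGED_FRAME),           # downgrade refused
        # A node never seen before that offers only S0: strict policy asks the user first.
        "strict/fresh-s0-only": pairing_outcome(Controller(ALL_CLASSES, "strict"),
                                                NodeInfoFrame(8, frozenset({S0}))),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:22} -> {result}")
```

The permissive controller ends up keying the forged pairing under S0, which is exactly the state in which the 2013 hardcoded-key weakness applies; the strict controller turns the same frame into a refusal the user can see.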

The researchers used the Conexis L1 Smart Door Lock, a flagship product of the British company Yale that ships for $360, for their exploit, and were able to downgrade its security, eventually steal the keys and gain permanent access to the Yale lock, and therefore to the building protected by it, all without the actual user’s knowledge.

The S0 decryption attack was initially revealed by cybersecurity consulting company SensePost back in 2013, but at that time, Silicon Labs didn’t see this issue “as a serious threat in the real world” because it was limited to the timeframe of the pairing process.

The information is gathered from The Hacker News.