Alerts

Sextortion scams are emails in which an attacker claims to have hacked the recipient's computer and to have been recording the screen and webcam while the recipient visited adult sites. The scammer then blackmails the recipient, threatening to release the videos unless a payment in bitcoin is made.

In the past, sextortion emails would simply quote a password of the target's, taken from a data breach dump, to make the threat look real. Now the scammers also pretend to have access to the target's email account by spoofing the sender of the scam email so that it is the victim's own address.

These scams have become very profitable, with scammers making over €50,000 in a single week, and this new variant is no different: it was first seen targeting victims in the Netherlands, where the scammers made €40,000.

Since learning about this campaign, a security researcher has been monitoring these scams and found that the subject line of the emails is the target's own email address followed by “48 hours to pay”.

For example, if my email address were example@example.com, the subject of the sextortion email would read “example@example.com 48 hours to pay”, and the sender would appear to be my own account. You can see an example of the English version of the sextortion email below.

 

Many victims have been falling for this scam and sending payments to the attacker.

It is important for users to learn about these new scams, as they have been very successful in scaring recipients into paying. If you receive an email like this, do not panic: a From address is trivially forged and proves nothing about access to your account, and any password quoted comes from an old breach dump, not from your machine. Delete the email, change that password anywhere you still use it, enable two-factor authentication where it is offered, and run a thorough scan of your computer with an antivirus program.

Mail providers can protect their domains using SPF and DMARC records

Sending spoofed emails so that they appear to come from someone else is nothing new; phishers, scammers and pranksters have been doing it for many years. That said, mail providers could do a better job of making it harder for attackers to spoof addresses on the domains they manage.

By publishing DNS records such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), domain owners can lock down their domains so that it is harder for outsiders to spoof addresses under their control. SPF on its own only validates the envelope sender (MAIL FROM) and the HELO name; it is DMARC that ties the SPF or DKIM result to the From header the recipient actually sees, which is the field this scam forges.

These records are free to publish and, when used properly, make a real dent in email abuse and spam. DMARC can also be configured (the rua and ruf tags) so that you receive aggregate and failure reports about mail sent under your domain, letting you monitor which senders, legitimate or malicious, are using it. In this particular scam the spoofed domain is the victim's own, so a provider that enforces its own SPF and DMARC policy on inbound mail can reject these messages outright.

1. To prevent sending spoofed email:

  1. Create an SPF record ending in -all (hard fail) that lists only the mail servers allowed to send on behalf of your domain.
  2. Configure DKIM signing on your mail servers and publish the public key in a DKIM selector record in DNS.
  3. Create a DMARC record with p=reject (roll it out through p=none and p=quarantine first, watching the reports, so that legitimate senders are not rejected).
  4. Create SPF records for each subdomain.
  5. Create SPF records for the mail servers' HELO names.
  6. Create SPF hard fail (-all) and DMARC p=reject records for all non-mail and unused domains.

2. To prevent receiving spoofed email:

  1. Check SPF results on incoming mail servers (hard fail = reject, soft fail = spam).
  2. Allow only the SMTP servers that are permitted to send on behalf of their domain; block the rest.
  3. Check DKIM results on incoming mail servers (failure = reject, or at least treat the message as unsigned and let the DMARC check below decide, since forwarding legitimately breaks signatures).
  4. Check DMARC results on incoming mail servers (apply the p= policy published in DNS).
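
The two checklists worked through as an added example (this is not code from the original article): a constructed DNS table publishes the sending-side records for the hypothetical domain example.com, and a small evaluator applies the receiving-side checks: a simplified SPF walk over ip4/include/-all, DMARC identifier alignment against the published p= (and sp=) policy, and the resulting disposition. The sample messages include the sextortion case, where the From header is the victim's own address but the connecting host is not in the domain's SPF. DKIM signature verification itself is not implemented; the DKIM result is taken as given, as an MTA would supply it. All addresses, IPs, keys and domains are made up.

```python
import ipaddress

# Constructed DNS TXT table for the hypothetical domain example.com (not real
# records or keys); it mirrors the sending-side checklist above.
ZONE = {
    # 1.1 SPF with a hard fail, listing only the permitted senders
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    # 1.2 DKIM public key under selector "s1" (placeholder key material)
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    # 1.3 DMARC p=reject, also for subdomains (sp=), with aggregate reports (rua=)
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc-rpt@example.com",
    # 1.5 SPF for the mail server's HELO name
    "mail.example.com": "v=spf1 ip4:203.0.113.25 -all",
    # 1.4 / 1.6 a subdomain that never sends mail
    "unused.example.com": "v=spf1 -all",
    "_dmarc.unused.example.com": "v=DMARC1; p=reject",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Simplified SPF (RFC 7208): ip4, ip6, include and all, with qualifiers."""
    if depth > 10:
        return "permerror"
    record = ZONE.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists and redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spf_action(result):
    """2.1: what an inbound server does on the SPF result alone."""
    return {"fail": "reject", "softfail": "spam"}.get(result, "accept")


def parse_tags(record):
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, header_from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return domain.lower() == header_from_domain.lower()
    return org_domain(domain) == org_domain(header_from_domain)


def dmarc_evaluate(msg):
    """2.1-2.4: SPF for MAIL FROM and HELO, then DMARC alignment and the published policy."""
    from_dom = msg["header_from"].rsplit("@", 1)[1].lower()
    mfrom_dom = msg["mail_from"].rsplit("@", 1)[1].lower()
    result = {"spf": check_spf(mfrom_dom, msg["client_ip"]),
              "helo_spf": check_spf(msg["helo"], msg["client_ip"])}
    record, policy_tag = ZONE.get("_dmarc." + from_dom), "p"
    if record is None and from_dom != org_domain(from_dom):   # fall back to the org domain, sp= applies
        record, policy_tag = ZONE.get("_dmarc." + org_domain(from_dom)), "sp"
    if record is None:
        result.update(dmarc="none", disposition=spf_action(result["spf"]))
        return result
    tags = parse_tags(record)
    spf_ok = result["spf"] == "pass" and aligned(mfrom_dom, from_dom, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_dom, tags.get("adkim", "r")) for d, r in msg["dkim"])
    if spf_ok or dkim_ok:
        result.update(dmarc="pass", disposition="accept")
    else:
        policy = tags.get(policy_tag, tags.get("p", "none"))
        result.update(dmarc="fail", disposition={"none": "accept", "quarantine": "spam", "reject": "reject"}[policy])
    return result


# Constructed inbound messages (not real captures): header From, envelope MAIL FROM,
# HELO name, connecting IP and the (d= domain, result) of any DKIM signature.
MESSAGES = {
    "sextortion_spoof": dict(header_from="alice@example.com", mail_from="alice@example.com",
                             helo="mx.bulkmailer.example", client_ip="192.0.2.77", dkim=[]),
    "legitimate": dict(header_from="alice@example.com", mail_from="alice@example.com",
                       helo="mail.example.com", client_ip="203.0.113.25", dkim=[("example.com", "pass")]),
    "third_party": dict(header_from="alice@example.com", mail_from="alice@example.com",
                        helo="out1.mailhost.example", client_ip="198.51.100.10", dkim=[]),
    "forwarded": dict(header_from="alice@example.com", mail_from="fwd@forwarder.example",
                      helo="forwarder.example", client_ip="192.0.2.5", dkim=[("example.com", "pass")]),
    "subdomain_spoof": dict(header_from="hr@nomail.example.com", mail_from="hr@nomail.example.com",
                            helo="x.example", client_ip="192.0.2.9", dkim=[]),
}
```

Running `dmarc_evaluate(MESSAGES["sextortion_spoof"])` gives an SPF fail and a DMARC fail with disposition reject, because the From domain publishes p=reject and neither identifier aligns; the forwarded case shows why DKIM is needed alongside SPF, and the subdomain case shows the sp= tag catching a subdomain that has no records of its own.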
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

With the October 2018 Patch Tuesday release Microsoft has fixed 49 vulnerabilities, 12 of which are rated “critical.”

The only zero-day in this batch is CVE-2018-8453, an elevation of privilege vulnerability affecting Windows.

Attackers must first gain access to the system, but the vulnerability then allows them to run arbitrary code in kernel mode and, ultimately, to install programs; view, change, or delete data; or create new accounts with full user rights.

The vulnerability was reported by Kaspersky Lab in August. The company says it detected a very limited number of attacks using this vulnerability against victims in the Middle East.

“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453,” the company noted.

The three flaws that had been publicly disclosed before the patches were released are as follows:

  • CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET database engine and can be triggered when a victim is tricked into opening a malicious JET Database Engine file.
  • CVE-2018-8531 is a memory corruption vulnerability in the Azure IoT Hub Device Client SDK that can allow an attacker to execute arbitrary code in the context of the current user.
  • CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way that the Windows Kernel handles objects in memory.

None of these are being currently exploited in the wild.

Prioritizing patches

Animesh Jain, Product Manager, VM Signatures at Qualys, advises administrators to prioritize Browser and Scripting Engine patches for workstations (i.e., any system that is used for email or to access the internet via a browser), as most of the critical vulnerabilities this month are in the Chakra Scripting Engine, Internet Explorer, and Edge.

The Hyper-V patches should also be implemented as soon as possible, as they plug two remote code execution holes that would allow an authenticated user on a guest system to run arbitrary code on the host system.

Trend Micro Zero Day Initiative's Dustin Childs pointed out the patch for a vulnerability in Exchange Server that was first disclosed eight years ago. CVE-2010-3190 is an RCE bug in the way that certain applications built using Microsoft Foundation Classes (MFC) load DLL files.

“Often referred to as ‘binary planting’ or ‘DLL preloading attacks,’ this class of bugs has [previously] received close to 30 bulletins in total to fix various components. This month, Microsoft identified Exchange Server as another component that requires similar DLL preloading protections,” Childs noted.

“If you have a version of Exchange prior to Exchange Server 2016 Cumulative Update 11, you’ll also need the Visual Studio 2010 patch from MS11-025. This patch accompanies two command injection fixes impacting Exchange this month, which means another rough month of testing and patching for Exchange admins.”

As usual, Adobe followed Microsoft by releasing security updates for several of its products (Flash, FrameMaker, Adobe Digital Editions and the Adobe Technical Communications Suite), but as the Flash update contains no security fixes, Microsoft had nothing to incorporate this month.

 

(Source: HelpNet Security)

A new phishing campaign spotted this September shows increased sophistication from the operators, who take over email accounts and insert a banking trojan in conversation threads.

The malware comes through replies to existing discussions, a powerful social engineering approach likely to guarantee a high rate of success because it relies on the familiar context the victim already trusts.

The lure is an attached document which, once opened, runs a routine that retrieves the latest version of the Ursnif malware. The malware runs only on Windows Vista and later and avoids machines with Russian or Chinese locales.

Although the malicious replies come from someone known to the victim, there are red flags that should make them look suspicious: sudden change of language from French to English, genericity of the message, or an odd-looking signature at the end of the message.

A deeper inspection of the email reveals no spoofing of the Return-Path or Reply-To headers. Instead, the victim's replies would go back to the original account, which suggests that the threat actor can log into it. Because the mail genuinely originates from the compromised account, SPF, DKIM and DMARC checks would all pass; sender authentication cannot catch this variant, and detection has to rely on the content, the attachment and the account owner's behaviour.

Security researchers from Trend Micro believe the malware-laced replies originate in the US, and found that many messages were sent in September from multiple accounts on the same host.

“What we can assume from the headers is that the attacker has somehow gotten hold of an authentic account and is using this account for the BEC-like scam,” Trend Micro writes in a report.

The investigators noticed that these attacks were similar to what Cisco Talos detected in an earlier campaign that dropped the Ursnif banking trojan, also known as Gozi.
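The header inspection described above, as an added example that is not from the original article or Trend Micro's report: it builds two constructed thread replies (a genuine one sent from a compromised account and a spoofed one), compares Return-Path and Reply-To against From, reads the receiving server's Authentication-Results header, and flags an Office attachment arriving on a reply within an existing thread. Domains, addresses, message IDs and the attachment bytes are all made up; the Return-Path and Authentication-Results lines stand in for what the receiving MTA would have stamped on the message.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf")


def build_sample(spoofed):
    """Constructed reply in an existing thread (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Jean Dupont <jean.dupont@example.org>"
    msg["To"] = "alice@victim.example"
    msg["Subject"] = "RE: Facture octobre"
    msg["In-Reply-To"] = "<20180914.1234@victim.example>"
    msg["References"] = "<20180914.1234@victim.example>"
    if spoofed:
        # Classic forgery: the envelope and reply address point elsewhere, DMARC fails.
        msg["Return-Path"] = "<bounce@bulk-sender.example>"
        msg["Reply-To"] = "jean.dupont@bulk-sender.example"
        msg["Authentication-Results"] = ("mx.victim.example; spf=fail smtp.mailfrom=bulk-sender.example; "
                                         "dkim=none; dmarc=fail header.from=example.org")
    else:
        # Account takeover: everything is consistent because the real account sent it.
        msg["Return-Path"] = "<jean.dupont@example.org>"
        msg["Authentication-Results"] = ("mx.victim.example; spf=pass smtp.mailfrom=example.org; "
                                         "dkim=pass header.d=example.org; dmarc=pass header.from=example.org")
    msg.set_content("Hi,\nPlease find the document attached.\nRegards")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed bytes, not a real document",
                       maintype="application", subtype="msword", filename="Document_1.doc")
    return msg.as_string()


def _domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def inspect_reply(raw):
    """Return the header findings and a verdict for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"])
    findings = {
        "return_path_matches": _domain(msg["Return-Path"]) == from_dom,
        "reply_to_matches": _domain(msg["Reply-To"] or msg["From"]) == from_dom,
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg["Authentication-Results"] or "")),
        "in_thread": bool(msg["In-Reply-To"] or msg["References"]),
        "office_attachments": [p.get_filename() for p in msg.iter_attachments()
                               if (p.get_filename() or "").lower().endswith(OFFICE_EXT)],
    }
    if (not (findings["return_path_matches"] and findings["reply_to_matches"])
            or findings["auth"].get("dmarc") == "fail"):
        findings["verdict"] = "spoofed"
    elif findings["in_thread"] and findings["office_attachments"]:
        # Headers are clean, so the only thing left to distrust is the sender's account.
        findings["verdict"] = "authentic sender, suspect account takeover"
    else:
        findings["verdict"] = "no header anomaly"
    return findings
```

The point of the two samples is the contrast: the spoofed reply is caught by the header comparison and the DMARC result, while the account-takeover reply passes every authentication check and can only be surfaced by context, here an Office attachment landing on a reply in an existing thread, which is a cue to verify with the sender out of band.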

Malware targets organizations in various sectors

Apart from gathering details about the system, the software available, the processes running, the drivers installed and the network devices present, Ursnif also looks for email credentials, cookies, and certificates.

Its old functionality for stealing financial information via web injection has not been removed.

An analysis of the malware variant showed that it uses the Tor network to communicate with its command and control (C2) servers and that its main goal is information theft.

The recent phishing operation seems to focus on organizations in the education, financial and energy sectors in North America and Europe.

It is not limited to these regions and verticals, though, as it has been seen in Asia and Latin America, attacking victims in real estate, transportation, and manufacturing industries.

 

(Source: Bleeping Computer)

A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought.

A researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found, and patched within a day, in April this year.

The vulnerability, identified as CVE-2018-14847, was initially rated medium severity but should now be considered critical, because the new technique used against vulnerable MikroTik routers lets attackers execute code remotely on affected devices and obtain a root shell. It affects Winbox, the Windows GUI application administrators use to configure RouterOS (the operating system on MikroTik devices), and the Winbox service that the routers expose to it.

The vulnerability allows “remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.”

New Hack Turned ‘Medium’ MikroTik Vulnerability Into ‘Critical’

The new attack method found by Tenable Research exploits the same vulnerability and takes it one step further.

The PoC exploit, called “By the Way” and released by Tenable researcher Jacob Baines, first uses the directory traversal to steal administrator login credentials from the user database file and then writes another file to the system to obtain a root shell remotely. In other words, the exploit could allow unauthenticated attackers to compromise MikroTik's RouterOS, deploy malware payloads or bypass the router's firewall protections. The technique is yet another blow to MikroTik routers, which were previously targeted by the VPNFilter malware and used in an extensive cryptojacking campaign uncovered a few months ago.

New MikroTik Router Vulnerabilities

Besides this, Tenable Research also disclosed additional MikroTik RouterOS vulnerabilities, including:

  • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
  • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
  • CVE-2018-1159—A memory corruption flaw in the www service that could crash the HTTP server when a client rapidly authenticates and disconnects.
  • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

The vulnerabilities impact Mikrotik RouterOS firmware versions before 6.42.7 and 6.40.9.

Tenable Research reported the issues to MikroTik in May, and the company addressed them by releasing RouterOS versions 6.40.9, 6.42.7 and 6.43 in August. Although all the vulnerabilities were patched over a month ago, a recent scan by Tenable Research found that 70 percent of routers (roughly 200,000 devices) are still vulnerable.

The bottom line: if you own a MikroTik router and have not updated RouterOS, do it now. Change any default credentials to a unique, long password, and, since CVE-2018-14847 bypasses authentication altogether, restrict the Winbox and www services to trusted management addresses or a VPN rather than exposing them to the internet.
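An added triage example (not from the article or from Tenable): given a scan export of RouterOS version banners, it classifies each device against the fixed versions the article lists, 6.40.9 and 6.42.7 for those two branches and 6.43 for everything newer. The assumption made here is that intermediate branches such as 6.41.x, which received no fix of their own, count as vulnerable until upgraded to 6.43 or later. The inventory, addresses and banner format are constructed.

```python
import re

# Fix levels from the article: 6.40.9 and 6.42.7 for the two maintained branches,
# 6.43 for everything newer. Other 6.x branches have no fix of their own (assumption).
FIXED_IN_BRANCH = {(6, 40): (6, 40, 9), (6, 42): (6, 42, 7)}
FIRST_FIXED_RELEASE = (6, 43)


def parse_version(text):
    """'6.42.3' -> (6, 42, 3); a release candidate such as '6.43rc5' compares as its base version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a RouterOS version: {text!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_vulnerable(version):
    """True if this RouterOS version predates the fixes for CVE-2018-14847
    and the Tenable-reported bugs CVE-2018-1156 to CVE-2018-1159."""
    v = parse_version(version)
    branch = v[:2]
    if branch >= FIRST_FIXED_RELEASE:
        return False
    # A branch with its own fix compares against that; any other older branch
    # is only fixed by moving to 6.43 or later.
    return v < FIXED_IN_BRANCH.get(branch, FIRST_FIXED_RELEASE)


# Constructed scan export (not real hosts): "address<TAB>banner" per line.
INVENTORY = """\
192.0.2.1\tMikroTik RouterOS 6.42.3
192.0.2.2\tMikroTik RouterOS 6.42.7
192.0.2.3\tMikroTik RouterOS 6.40.8 (long-term)
192.0.2.4\tMikroTik RouterOS 6.40.9 (long-term)
192.0.2.5\tMikroTik RouterOS 6.41.4
192.0.2.6\tMikroTik RouterOS 6.43
192.0.2.7\tMikroTik RouterOS 6.38.1
192.0.2.8\tsome other device, no RouterOS banner
"""

BANNER = re.compile(r"RouterOS\s+(\d+\.\d+(?:\.\d+)?)")


def triage(inventory):
    """Return {address: (version, vulnerable)} for every RouterOS banner found."""
    out = {}
    for line in inventory.splitlines():
        addr, _, banner = line.partition("\t")
        m = BANNER.search(banner)
        if m:
            out[addr] = (m.group(1), is_vulnerable(m.group(1)))
    return out


def vulnerable_hosts(inventory):
    """Addresses that still need the RouterOS update, sorted for reporting."""
    return sorted(addr for addr, (_, vuln) in triage(inventory).items() if vuln)
```

Feed it the banner column of whatever scanner output you have; devices that report 6.42.3, 6.40.8, 6.41.4 or 6.38.1 come back as vulnerable, while 6.42.7, 6.40.9 and 6.43 do not. Version triage only tells you who to patch first; it does not replace restricting the Winbox and www services to a management network.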

 

(Source: The Hacker News)

A media report published today revealed details of a significant supply chain attack, which appears to be one of the largest corporate espionage and hardware hacking programs attributed to a nation-state.

According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon.

The malicious chips, which were not part of the original server motherboards designed by the U.S.-based company Super Micro, are said to have been inserted during the manufacturing process in China.

The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon.

“Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline,” the report said.

“Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code.”

The chips are suspected to have been added to help the Chinese government spy on American companies and their users, a “hardware hack” that, according to the publication, is “more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.”

“Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches,” the report said.

The publication claims that Apple and Amazon found these chips on their server motherboards in 2015 and reported it to US authorities, though both Apple and Amazon strongly refute the claims.

Apple, Amazon, and Super Micro Refute the Bloomberg Report

Apple told Bloomberg that the company has never found malicious chips, “hardware manipulations,” or vulnerabilities purposely planted in any of its servers, or it “had any contact with the FBI or any other agency about such an incident.”

Apple ended its relationship with Super Micro in 2016. Apple's best guess is that the Bloomberg reporters confused their story with a previously reported 2016 incident in which the company found an infected driver on a single Super Micro server in one of its labs.

“While there has been no claim that customer data was involved, we take these allegations seriously, and we want users to know that we do everything possible to safeguard the personal information they entrust to us,” Apple says. “We also want them to know that what Bloomberg is reporting about Apple is inaccurate.”

Amazon also says it is “untrue” that the company knew of “a supply chain compromise,” or “servers containing malicious chips or modifications in data centers based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.”

Meanwhile, Supermicro and the Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg's findings in lengthy statements. Full official statements from Amazon, Apple, Supermicro and the Chinese Ministry of Foreign Affairs have been published.

 

(Source: The Hacker News)