Search Results for “Catalin Cimpanu”

July 25, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Three Chinese Individuals Allegedly Working for Chinese Ministry of State Security via APT17 Get Doxed by Intrusion Group

The online group of anonymous cybersecurity analysts known as the Intrusion Group has doxed a third cyber-espionage hacking group linked to the Chinese government, exposing details about three individuals it thinks are behind China’s APT17, also known as Deputy Dog and Axiom. Intrusion Truth doxed a man running four Chinese companies and believed to be an officer of the Chinese Ministry of State Security (MSS), along with two hackers both who are believed to have worked for the named companies. All three are located in the city of Jinan, the capital of China’s Shandong province and are allegedly operating as contractors for the Jinan bureau of the MSS, for which they carried out on-demand hacking operations. The group previously revealed the secret identities of individuals part of two Chinese hacker groups APT3 and APT10 in May 2017 and August 2018.

October 17, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Malware Operators Are Using Steganography to Embed DLLs Inside WAV Files to Install XMRig Cryptocurrency Miners

Two reports published in the last few months show that malware operators are experimenting with using WAV audio files to hide malicious code using a technique known as steganography or the art of hiding information in plain sight, in another data medium. Most instances of malware operators using steganography revolved around using image file formats, such as PNG or JEPG. But back in June, a Symantec discovered a Russian cyber-espionage group known as Waterbug (or Turla) using WAV to hide malware. Now BlackBerry Cylance reports it saw something similar to what Symantec saw a few months before. But what Cylance discovered was an ordinary crypto-mining malware operation using the operation hiding DLLs inside WAV files. Malware already present on the victim’s machine would read the WAV file, extract the DLL bit by bit, and then run it, installing a cryptocurrency miner application named XMRrig.

August 23, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Valve Ships Fixes for Bugs Found by Researcher Banned From Bounty Program, Says Turning Him Away Was a ‘Mistake’

Gaming company Valve said it has shipped fixes for flaws a security researcher, Vasily Kravets, found in the Steam client, updated its bug bounty program rules, and has called turning away Kravets’ report in the first place “a mistake.” The company, and HackerOne, where Valve ran its bug bounty program, have come under criticism by the security community for the way they handled Kravets’ report of a local privilege escalation (LPE) bug in the Steam gaming client, telling them it was out of scope and they had no intention of fixing the problems he surfaced. Kravets disclosed the vulnerability and was banned from Valve’s bug bounty program. Valve updated its HackerOne program to specifically state that LPEs are in bounds. The company is reviewing this particular situation to determine the appropriate actions.

September 10, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
State-Sponsored Espionage Group Stealth Falcon Is Using a New, More Stealth Backdoor That Abuses Windows BITS to Steal Data, Compromise Computers Remotely

A state-sponsored cyber-espionage group called Stealth Falcon, first reported by Citizen Lab, which has in the past used a very stealthy backdoor written in PowerShell, is now using an even more stealth malware strain called Win32/StealthFalcon that abuses the Windows Background Intelligent Transfer Service (BITS) to download and run additional code on infected hosts, or to exfiltrate data to remote servers, according to researchers at ESET. ESET researchers cited Amnesty International Senior Technologist Claudio Guarnieri, who claimed that the Stealth Falcon hacker group appears to be a private cyber-security contractor named DarkMatter. The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. ESET has seen a small number of targets for the backdoor in UAE, Saudi Arabia, Thailand, and the Netherlands.

Related: GeekWire, The Hacker News, Threatpost, Cyber Security Review, SC Magazine, Security Affairs, Infosecurity Magazine, ESET


September 9, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
None of the Municipalities Hit by Coordinated Ransomware Attacks in Texas Ended Up Paying the Ransom

The coordinated ransomware attack that hit 22 Texas local governments in mid-August resulted in none of the impacted municipalities paying ransom demands, Texas state officials say. The Texas Department of Information Resources (DIR) said that more than half of the impacted entities are now back to operations, as usual, more than three weeks after the attacks hit. The towns dodged the payments by restoring impacted systems from backups, while other rebuilt networks from scratch.

September 6, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Metasploit ‘Weaponized’ Exploit for BlueKeep Windows Vulnerability Now Available, Advanced Enough to Achieve Remote Code Execution

Rapid 7, the developers behind the open-source Metasploit penetration testing framework, released today a weaponized exploit for the BlueKeep Windows vulnerability which, unlike previously released BlueKeep exploits, is advanced enough to achieve code execution on remote systems. BlueKeep is a vulnerability in the Remote Desktop Protocol (RDP) service in older versions of the Windows operating system (Windows XP, Windows 2003, Windows 7, Windows Server 2008, and Windows Server 2008 R2) and is “wormable” or self-propagating in the way the damaging WannaCry malware spread in May 2017, making it potentially highly damaging. Microsoft patched BlueKeep in May 2019 and the software giant, along with a number of organizations, including the NSA and DHS, among others, urged patch implementation due to the dangerous nature of the vulnerability. The Metasploit model, however, is somewhat diminished in its danger because it only works in a “manual” mode, meaning it needs user interaction to execute correctly and it only works against 64-bit versions of Windows 7 and Windows 2008 R2, but not the other Windows versions that were also vulnerable to BlueKeep. Currently, 700,000 systems are vulnerable to BlueKeep exposed on the internet, and possibly millions more inside firewalled networks.

Related: Ars Technica, Bleeping Computer, Computer World, Metasploit Project

Tweets:@malwaretechblog @malwaretechblog @metasploit @zerosum0x0 @hackerfantastic @campuscodi @charlesdardaman @campuscodi @campuscodi @malwaretechblog @gossithedog @gossithedog

Ars Technica: Exploit for wormable BlueKeep Windows bug released into the wild
Bleeping Computer: Public BlueKeep Exploit Module Released by MetaSploit
Computer World: Heads up: A free, working exploit for BlueKeep just hit
Metasploit Project: Initial Metasploit Exploit Module for BlueKeep (CVE-2019-0708)

@malwaretechblog: Metasploit publicly released a BlueKeep RCE. Looks like heap spray method where system crashes if correct address isn't allocated, but still RCE.
@malwaretechblog: Now that BlueKeep RCE is out, I'm publishing my old RCE write up.
@metasploit: Today we released a community-developed exploit module PR for #BlueKeep (CVE-2019-0708). We expect to continue refining the exploit over time in collaboration with contributors. Some important notes on exploitation and detection from @busterbcook :
@zerosum0x0: BlueKeep via SMBLoris + IP Frags ?
@hackerfantastic: RDP exploit for BlueKeep is now in metasploit, 1 million exposed hosts according to @binaryedgeio @rapid7 with exploit techniques by @zerosum0x0 - fire in the hole! ?
@campuscodi: Metasploit team releases weaponized BlueKeep exploit-exploit can achieve code execution -works manually, meaning on a system-by-system basis -not wormable in its current state -ideal for lateral movement in its current form
@charlesdardaman: Every single script kiddie today #BlueKeep
@campuscodi: -the BlueKeep Metasploit module only works with 64-bit versions of Windows 7 and Windows 2008 R2 -work for XP/2003 support is underway -the highlighted part is easy to acquire, I've been told -you end up with a scenario of "press 2 to hack"
@campuscodi: Despite having nearly four months to patch, there are still 700,000 systems that are vulnerable to BlueKeepBinaryEdge search for recently spotted BlueKeep-vulnerable hosts: bluekeep.vulnerable:true created_at:[2019-08-01 TO 2019-08-30]
@malwaretechblog: Really got to question Rapid7's decision to drop BlueKeep on a Friday. Hopefully the script kiddies will wait till Monday before they start nuking corporate networks.
@gossithedog: I made this scientifically accurate graph of how companies approached patching BlueKeep vulnerability facing the internet
@gossithedog: That sound is hear is 400 people with fake GitHub exploits for BlueKeep rushing to grab the code and put it in their exploits and say they knew all along.

September 4, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Android Phones Made by Samsung, Huawei, LG, and Sony Vulnerable to SMS-Based Message Attacks That Allow Hackers to Re-Route Email or Web Traffic Through Malicious Servers

A vulnerability to advanced phishing attacks in certain modern Android-based phones, including models by Samsung, Huawei, LG, and Sony, allows hackers to fake a special kind of SMS message and trick users into modifying device settings, researchers at Check Point discovered. As a result, the attackers can re-route device owners’ email or web traffic through a malicious server. The attack vector is about OMA CP (Open Mobile Alliance Client Provisioning) instructions, also known as provisioning messages, through which mobile operators can send network settings to customer devices as special SMS messages. The researchers were able to send OMA CP messages to the manufacturers’ Android devices which accepted these messages, even if they didn’t come from a trusted source, with Samsung phones the least secure of the devices. Three of the vendors have patched or are in the process of patching this attack vector with Sony the sole vendor that didn’t ship a fix. Check Point claims that Sony refused to acknowledge the vulnerability.

Related:, The Next WebSecurityWeek, Trusted Reviews, Techradar, The Register – Security, Help Net Security, Verdict, Help Net Security, Threatpost, The Mac Observer, Check Point, iTnews – Security, GBHackers On Security, TechJuice, TechNadu, Cybersecurity Insiders, SC Magazine Android SMS Phishing Can Stealthily Enable Malicious Settings
The Next Web: Hackers are now attacking Android users with advanced SMS phishing techniques
SecurityWeek: Vulnerability in Network Provisioning Affects Majority of All Android Phones
Trusted Reviews: When will your phone get the Android 10 update?
Techradar: Over a billion Android phones vulnerable to phishing attack
The Register – Security: Blindly accepting network update texts could have pwned your mobe, say researchers
Help Net Security: Security hole opens a billion Android users to advanced SMS phishing attacks
Verdict: Over a billion Android smartphones exposed to SMS phishing attacks
Help Net Security: Security hole opens a billion Android users to advanced SMS phishing attacks
Threatpost: Half of Android Handsets Susceptible to Clever SMS Phishing Attack
The Mac Observer: A Billion Android Phones Exposed to Phishing Attacks
Check Point: Advanced SMS Phishing Attacks Against Modern Android-based Smartphones
iTnews – Security: Android phones vulnerable to provisioning SMS hijacking
GBHackers On Security: Hackers Remotely Control Email & Browser by Just Sending an SMS and Change the Settings Over the Air
TechJuice: Google officially releases Android 10 for Pixel phones
TechNadu: An SMS Message Could Be Enough to Hack Your Android Phone
Cybersecurity Insiders: Globally operating billions of Android phones are vulnerable to OTA Phishing Attacks
SC Magazine: Millions of Android phones vulnerable to phishing attacks | SC Media

September 3, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Criminals Stole $1.65 Million From German Bank by Cloning Debit Cards and Then Cashing Out Across Brazil

Criminals have stolen more than €1.5 million (around $1.65 million) from German Oldenburgische Landesbank (OLB) by cloning customer debit cards and then cashing out user funds across Brazil, despite the original cards being protected by EMV (chip-and-PIN) technology. The bank said that 2,000 customers were affected by the thefts which only involved Mastercard debit cards issued by OLB and has blocked all the cards and is issuing replacements. One cybersecurity expert, Manuel Pintag, claims that Brazil and Mexico are “the largest EMV card cloning laboratories.”

Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Business Email Compromises Overtook Ransomware, Data Breaches in Cyber Insurance Claims in 2018, AIG

Business email compromise (BEC) overtook ransomware and data breaches as the main reason companies filed a cyber insurance claim in the EMEA (Europe, the Middle East, and Asia) region last year, according to insurance giant AIG. BEC-related insurance filings accounted for nearly a quarter (23%) of all cyber-insurance claims the company received in 2018, while ransomware accounted for 18% of all cyber-insurance claims in the region. Data breaches caused by hackers and data breaches caused by employee negligence each accounted for 14% of the claims.

September 1, 2019
Catalin Cimpanu / ZDNet

Catalin Cimpanu / ZDNet  
Company Behind Foxit PDF Reader App Breached, User Data, Including Passwords, Stolen

Foxit Software, the company behind the Foxit PDF reader app, said that hackers breached its servers and stole user information. Based on an email that Foxit sent to affected customers, the hackers likely breached the company’s backend server and stole user data including email addresses, passwords, real names, phone numbers, company names, and IP addresses from which users logged into their accounts. It’s unclear if the user passwords were hashed and salted and therefore better encrypted against cracking methods that produce plaintext passwords. Foxit didn’t say when the breach occurred.