Search Results for “ThreatPost”

September 9, 2019
Tara Seals / Threatpost
China’s APT3 Reverse-Engineered NSA Equation Group Exploits to Create New Tools ‘UPSynergy’

The China-linked advanced persistent threat (APT) group known as APT3, also known as Buckeye or UPS Team, has built a full in-house battery of exploits and cybertools collectively dubbed “UPSynergy”, which were likely gleaned from watching attacks by the National Security Agency’s Equation Group APT on target networks where APT3 also had a presence, researchers at Check Point report. APT3 equipped a reverse-engineered attack tool, named Bemstour, with an additional zero-day based on the NSA exploit called EternalRomance to gain remote code execution on a victim’s machine. The goal of Bemstour is to deploy a payload on the victim’s machine, which is injected into a running process using an implant that bears a striking resemblance to the Equation Group’s DoublePulsar tool.

October 12, 2019
Lindsey O'Donnell / Threatpost
FIN7 Criminal Gang Continues to Develop New Techniques Despite Arrest of Several Members During 2018, New Dropper and Payload Aim at Better Evasion

New tools in the point-of-sale criminal gang FIN7’s arsenal show the group’s efforts at implementing new evasion techniques despite the arrest of several FIN7 members by U.S. authorities during 2018, researchers at FireEye report. The first is an in-memory-only dropper called BOOSTWRITE that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime; the dropper also uses new techniques, such as the use of valid certificates, to avoid traditional antivirus detection. The other new method is a new BOOSTWRITE payload called RDFSNIFFER, which appears to have been developed to tamper with NCR Corporation’s “Aloha Command Center” client, a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. FireEye researchers said they provided this information to NCR.

October 8, 2019
Lindsey O'Donnell / Threatpost
Microsoft Pushes Out Patches for 59 Vulnerabilities, Nine Deemed Critical Including Remote Desktop Bug That Could Allow Remote Attacker to Execute Code on Victims’ Machines

Microsoft released patches for 59 vulnerabilities, including nine critical vulnerabilities, as part of its October Patch Tuesday security update. One of the fixes addresses a critical Remote Desktop bug that could allow a remote attacker to execute code on victims’ machines. The patches encompass a wide range of products including Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software.

Related: Appuals.com, WCCFtech, SC Magazine, SecurityWeek, Zero Day Initiative – Blog, Talos Intel, gHacks, Born’s Tech and Windows World, Security Affairs, Tenable Blog, The Hacker News, ISC.SANS.edu, Rapid7, Qualys Blog, BleepingComputer.com, The State of Security, TechNet Blogs

September 28, 2019
Tara Seals / Threatpost
New Spyware Masad Clipper and Stealer Uses Telegram Bots to Steal Cryptocurrency, Drop Additional Malware

A freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” is using Telegram bots as its command-and-control (C2) hub to harvest data, steal cryptocurrency and drop additional malware, while masquerading as a Fortnite aimbot and more, according to an analysis by Juniper Networks. The spyware targets Android and Windows users and sends the data it collects from victims to a Telegram bot that acts as its C2 server. The stolen information can include browser form data with usernames and passwords for various sites, along with contact information and credit-card data; PC and system information; a list of installed software and processes; desktop files; screenshots; browser cookies; Steam gaming platform files; Discord and Telegram messages; and FileZilla files. It also automatically replaces cryptocurrency wallet addresses found in the clipboard with its own, and it can download other malware. Masad’s primary propagation mechanism is mimicking software utilities like ProxySwitcher, CCleaner, Utilman, Netsh, and Whoami. It also mimics an existing malware called Proxo Bootstrapper.

August 6, 2019
Tara Seals / Threatpost
Google Partners With ARM to Implement Memory-Tagging Extension Feature to Tackle Memory Safety Flaws in Android Platform

Google has partnered with mobile silicon-maker ARM to implement a hardware-based bug detection solution for one of the largest classes of vulnerabilities in the Android platform: memory-safety flaws. The new feature, called the memory-tagging extension (MTE), helps mitigate these kinds of bugs by making them easier to detect. It has two execution modes: precise mode, which provides more detailed information about the memory violation, and imprecise mode, which has lower CPU overhead and is more suitable for being always on.

August 12, 2019
Lindsey O'Donnell / Threatpost
Researchers Devise Method to Bypass Sleeping Victim’s FaceID by Modifying a Pair of Eyeglasses

An attack that allowed researchers to bypass a victim’s Apple FaceID on an iPhone and log into their phone simply by putting a pair of modified glasses on their face was demonstrated by Tencent researchers at Black Hat. By placing tape carefully over the lenses of a pair of glasses and placing them on the victim’s face, the researchers took advantage of a feature behind biometrics called “liveness” detection, which renders a black area (the eye) with a white point on it (the iris). They discovered that the liveness detection scans the eyes differently for users wearing glasses. They created a prototype set of glasses called X-glasses, with black tape on the lenses and white tape on the inside, and were able to unlock a mobile phone and ultimately transfer money through mobile payment. The obvious drawback of this technique is that the victim must be unconscious and must not wake up when the glasses are placed on their face.

August 13, 2019
Lindsey O'Donnell / Threatpost
Bug in British Airways E-Ticketing System Could Expose Passengers’ Personal Information, Booking Details

A security bug discovered in British Airways’ e-ticketing system has the potential to expose passengers’ data, including their flight booking details and personal information, researchers at Wandera report. Check-in links sent by British Airways to passengers via email contain passenger details in the URL parameters that direct the passenger from the email to the British Airways website. The links are unencrypted, making passengers vulnerable to an attack that could expose their booking reference numbers, phone numbers, email addresses and more. British Airways says it’s aware of the issue and is taking “action to ensure our customers remain securely protected.” The airline also says it has no evidence to suggest any customers’ information has been taken.

August 16, 2019
Lindsey O'Donnell / Threatpost
Apache Struts Issued Two Dozen Errors in Security Advisories Listing Incorrect Versions Impacted by Vulnerabilities

Apache Struts had two dozen errors in its security advisories, which listed incorrect versions impacted by the vulnerabilities, according to researchers at Synopsys. The researchers investigated 115 releases of Apache Struts and correlated them against 57 existing Apache Struts security advisories that covered a total of 64 vulnerabilities. From there, they found that 24 security advisories incorrectly stated the impacted versions. They further found that previously disclosed vulnerabilities affect an additional 61 versions that weren’t listed in the original security advisories. Impacted Apache Struts software versions that were part of the erroneous advisories range from versions 2.0.0 to 2.5.12. The Apache Software Foundation said that the CVE entries have been updated to reflect corrections for impacted versions, as well as versions that contain the appropriate fixes.

August 21, 2019
Lindsey O'Donnell / Threatpost
Microsoft Offers Up to $30,000 to Security Researchers for Finding Bugs in Beta Version of New Chromium-based Edge Browser

With the release of the beta of its new Chromium-based Edge, Microsoft is offering rewards of up to $30,000 for researchers to hunt out vulnerabilities in the browser and is calling on security researchers to find the bugs in the beta version before it is officially pushed live. The “Microsoft Edge Insider Bounty” program will offer up to $30,000 for eligible high-impact vulnerabilities and between $1,000 and $30,000 for finding critical or important vulnerabilities in the Dev and Beta channels.

August 23, 2019
Tom Spring / Threatpost
Cisco Warns of Six Critical Vulnerabilities in Wide Range of Products, Public Exploit Code Online for Two Remote Code Execution Bugs

Cisco Systems is warning of six critical vulnerabilities in a wide range of its products, including its Unified Computing System server line and its small business 220 Series Smart switches. In all instances of the vulnerabilities, a remote unauthenticated attacker could take over targeted hardware. Four of the critical bugs (CVE-2019-1938, CVE-2019-1935, CVE-2019-1974, and CVE-2019-1937) impact Cisco’s Unified Computing System (UCS) components. Each has a critical-severity rating and a CVSS score of 9.8. Two remote code execution bugs (CVE-2019-1913 and CVE-2019-1912) impact Cisco’s small business 220 Series Smart switches and have public exploit code available online, although there have been no reports of them being exploited.