13 hours ago

Flaw in Trend Micro OfficeScan Antivirus Led to Hack on Mitsubishi Electric, Source

Chinese hackers used a now-patched zero-day in the Trend Micro OfficeScan antivirus during their attacks on Mitsubishi Electric. Early last week, the Japanese electronics vendor and defense contractor said it was hacked in June 2019 and that hackers gained access to its internal network from where they stole roughly 200 MB of files. The stolen data primarily related to information on employees and not to its business dealings and partners. The hackers exploited CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in the Trend Micro OfficeScan antivirus, according to a source. Japanese media said the attack was the work of a Chinese state-sponsored cyber-espionage group known as Tick. (ZDNet)
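The item above names a directory traversal and arbitrary file upload bug without describing it, so here is an added illustration of the bug class from a defender's side: a path-containment check that an upload handler can apply to a client-supplied file name. This is example code written for this digest, not Trend Micro's code and not a description of the OfficeScan flaw; the upload root `/srv/uploads` and the function names are assumptions.

```python
import os
import posixpath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a client-supplied name would leave the upload root."""


def resolve_upload_path(upload_root: str, client_name: str) -> str:
    """Map a client-supplied file name to an absolute path inside upload_root.

    Sub-directories are permitted, but every form of escape the handler is
    likely to meet is rejected: absolute paths, drive letters, '..' segments
    (including percent-encoded ones), backslash separators and NUL bytes.
    Raises UnsafePath instead of silently rewriting the name.
    """
    name = unquote(client_name)          # decode one layer of %2e%2e style encoding
    name = name.replace("\\", "/")       # treat Windows separators as separators too
    if "\x00" in name:
        raise UnsafePath("NUL byte in file name")
    # Drive-letter test is deliberately coarse: any 'x:' prefix is refused.
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise UnsafePath("absolute path rejected")

    norm = posixpath.normpath(name)      # collapses 'a/../b' to 'b', '../x' stays '../x'
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafePath("path escapes upload root")

    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, *norm.split("/")))
    # Final containment check after symlink resolution on both sides.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath("path escapes upload root")
    return candidate


def is_safe_upload_name(upload_root: str, client_name: str) -> bool:
    """Boolean wrapper used for logging or bulk checks of submitted names."""
    try:
        resolve_upload_path(upload_root, client_name)
        return True
    except UnsafePath:
        return False


# Constructed sample names (assumed upload root: /srv/uploads).
SAMPLE_NAMES = [
    "reports/2020/a.txt",         # legitimate nested name
    "reports/../b.txt",           # resolves to b.txt, still inside root
    "../../etc/passwd",           # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",   # percent-encoded traversal
    "..\\..\\windows\\system.ini",  # backslash traversal
    "/etc/passwd",                # absolute path
    "C:\\boot.ini",               # drive letter
    "ok.txt\x00.exe",             # NUL-byte trick
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:36} -> {'allow' if is_safe_upload_name('/srv/uploads', n) else 'reject'}")
```

The check refuses rather than "cleans" a bad name; a handler that strips `../` and carries on is exactly the pattern traversal payloads are built against. In practice an upload service should also generate its own server-side file name and keep the client name only as metadata, which makes the path question moot.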
22 hours ago

Sneaky macOS Shlayer Trojan Affects One in Ten Devices, Uses Standard Techniques to Push Fake Adobe Flash Update

A relatively crude piece of macOS malware, the Shlayer Trojan, affects one in ten Mac devices and accounts for nearly a third of macOS malware detections, according to a Kaspersky Lab report that details the top ten macOS malware infections. The relatively garden variety adware effectively uses well-trod techniques, including convincing people to click on a bad link and pushing a fake Adobe Flash update. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they drive visitors toward a malicious download. Kaspersky counted more than 1,000 partners distributing the Shlayer software, with one of the partners owning 700 domains redirecting users to Shlayer download landing pages. (Wired)
22 hours ago

Mozilla’s Add-On Review Team Bans, Removes 197 Firefox Add-Ons for Malicious Code, Stealing User Data, or Hiding Source Code

Over the past two weeks, Mozilla’s add-on review team has banned and removed from the Mozilla Add-on (AMO) portal 197 Firefox add-ons that were executing malicious code, stealing user data, or using obfuscation to hide their source code. The add-ons have also been disabled in the browsers of the users who already installed them. Most of the banned add-ons were developed by 2Ring, a provider of B2B software, and were banned because they were downloading and executing code from a remote server. Mozilla’s rules say add-ons must self-contain all their code and not download code dynamically from remote locations. But 30 add-ons were banned for exhibiting malicious behavior, including the FromDocToPDF add-on, which Mozilla engineers said was loading remote content into Firefox’s new tab page. Another add-on, Fake Youtube Downloader, was banned for attempting to install other malware in users’ browsers. Other add-ons, such as EasySearch for Firefox, EasyZipTab, FlixTab, ConvertToPDF, and FlixTab Search, were banned for intercepting and collecting user search terms, a clearly bannable offense. A batch of still other add-ons was banned for using obfuscated code, a technique through which add-on developers make their code hard to read, to hide malicious behavior. (ZDNet)
2 days ago

As Questions Swirl Around Forensic Evidence Tying Hack of Bezos’ Phone to Saudi Crown Prince, Trump Administration Refuses to Say Whether It Will Investigate Further

Analysis by cyber forensics experts claims that a report tying the hacking of Jeff Bezos’ phone to the WhatsApp account of Saudi Crown Prince Mohammed bin Salman relied heavily on circumstantial evidence to make its case. They say the audit by business advisory firm FTI Consulting left several major technical questions about the incident unexplained and in need of more examination. Although representatives of the U.N. have called for the U.S. to investigate the hack of Bezos’ firm, the Trump Administration has refused to say whether it has any plans to investigate, calling Saudi Arabia an “important ally.” (Wall Street Journal)
3 days ago

Researchers at First Pwn2Own Event Focusing on Industrial Control Security Take Home $280,000, Incite Team Top Winner

Researchers who took part this week in the Zero Day Initiative’s Pwn2Own Miami hacking competition, which for the first time focused on industrial control at the S4 industrial control system security conference, have earned a total of $280,000 for exploits targeting industrial control systems (ICS) and associated protocols. Participants were given three months to study the industrial control system software that would serve as the contest’s targets, developing their hacking techniques ahead of the competition. Over the three-day competition, contestants successfully hacked every one of the eight industrial control system applications put before them, with hackers offered as much as $25,000 if they could exploit the target software to achieve remote code execution on the victim machines. The winner of this event was the Incite Team, whose members were researchers Steven Seeley and Chris Anastasio. They earned a total of $80,000 for exploits targeting the Triangle Microworks SCADA Data Gateway, Inductive Automation Ignition, Rockwell Automation Studio 5000, the OPC Foundation’s OPC UA .NET standard, and Iconics Genesis64. (Wired)
3 days ago

UK’s Met Police Will Start Using Live Facial Recognition in Controversial Move Decried by Privacy, Civil Liberties Advocates

The UK’s largest police force, the Metropolitan Police, announced that it would start using live facial recognition, a controversial decision that has sparked significant objections from privacy and civil liberties groups. After two years of trials, the Met will start using facial recognition cameras next month, which will be linked to a database of suspects. Johanna Morley, a senior technologist with the Met, said the system was 70% effective at spotting wanted suspects. It falsely identified someone as wanted one in a thousand times, she said. (The Guardian)
3 days ago

Russian Crook Who Ran Payment Card Fraud Sites Pleads Guilty in U.S. District Court, Faces Up to 15 Years in Prison

Aleksei Burkov, a 29-year-old Russian hacker, pleaded guilty before Senior U.S. District Judge T.S. Ellis III to charges related to his operation of two websites devoted to the facilitation of payment card fraud, computer hacking, and other crimes. Burkov operated an online marketplace for buying and selling stolen credit card and debit card numbers called Cardplanet, which hosted roughly 150,000 payment card details between the years 2009 and 2013. He also masterminded a separate invite-only forum website for elite cybercriminals where they advertised stolen personal identity information, malicious software, and other illegal services, like money laundering and hacking services. Burkov was arrested at Israel’s Ben-Gurion Airport in late 2015 and extradited to the United States in November 2019 after he lost his appeal against extradition in the Israeli Supreme Court and the Israeli High Court of Justice. He is facing a prison sentence of up to 15 years, which will be announced by the federal court in Alexandria on 8th May 2020. (The Hacker News)
3 days ago

LastPass Accidentally Removed Its Extension From Chrome Web Store, Caused Outage for Users, Is Now Available Again After Chrome Review Process

An accidental outage was caused by LastPass on Wednesday when the company mistakenly removed the LastPass extension from the Chrome Web Store, leading to users seeing 404 errors when trying to download and install it on their devices. As of yesterday, the LastPass extension’s Chrome Web Store entry was still inaccessible, although LastPass later issued a notice saying the extension is now available again after clearing Google’s Chrome Web Store review process. While the unexpected and accidental removal led to hundreds, if not thousands, of reports from users, the ones who already had the extension installed were not affected by this incident. (Bleeping Computer)
3 days ago

Controversial Facial Recognition Company Clearview AI Lied About Cracking Terrorism Case, Has Ties to Far-Right Figures, Is Banned From Scraping Twitter Photos and Is Under Fire From Lawmakers

Peter Thiel-backed facial recognition company Clearview AI, which has amassed billions of photos and promotes its service to police departments nationwide, falsely claimed to crack a case of alleged terrorism in the New York City subway last year, according to the New York City Police Department. The NYPD said it identified the suspect “using the Department’s facial recognition practice where a still image from a surveillance video was compared to a pool of lawfully possessed arrest photos.” Moreover, Clearview founder Ton-That is linked to various Trump allied far-right figures, including Rudy Giuliani, Michael Cernovich, Chuck Johnson, Pax Dickinson, the details of which go back some years. Also, Twitter has ordered Clearview to stop scraping images from its site, while lawmakers, including Ed Markey (D-MA), have demanded answers from the company about its partnerships with local law enforcement. (Buzzfeed News)
3 days ago

Mysterious Hijacker Uninstalls Phorpiex Spam-Bot Malware From Infected Hosts, Tells Users to Install Antivirus and Update Computers

A mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet. It is uninstalling the spam-bot malware from infected hosts and showing a pop-up telling users to install an antivirus and update their computers, according to Check Point researchers who spotted the pop-ups on users’ screens. Yaniv Balmas, Head of Cyber Research at Check Point, has several theories of what could be happening. The malware operators might have decided to quit and shut down the botnet on their own terms, or the pop-ups could be a law enforcement action. Also, a vigilante security researcher might be taking matters into their own hands, or a rival malware gang might be sabotaging the Phorpiex crew by destroying their botnet. Another antivirus vendor speculates that a rival botnet operator has hijacked the Phorpiex botnet out of envy. (ZDNet)
3 days ago

Cisco Issues Patches for High Severity Vulnerability in Its Firepower Management Center That Could Give Attacker Admin Privileges

Cisco reported a critical vulnerability in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity. (Threatpost)
3 days ago

DHS, GE Warn That Attackers Can Exploit ‘MDhex’ Flaws to Take Over Patient Monitors, Telemetry Aggregation Servers

Researchers from healthcare security company CyberMDX disclosed six vulnerabilities, collectively referred to as MDhex, that impact seven GE Healthcare devices meant for patient vital signs monitoring. The devices are intended to collect data from sick patients and send it back to a telemetry server, monitored by clinical staff. The flaws allow an attacker with access to a hospital’s network to take over vulnerable patient monitors and telemetry aggregation servers, and then silence alerts, putting patient lives at risk. The FDA and DHS also published security advisories meant to warn healthcare providers about the MDhex vulnerabilities and offer mitigations that hospitals and clinics can deploy to prevent attackers from exploiting the devices. GE plans to issue updates during the second quarter of 2020 to fix the flaws. (ZDNet)
4 days ago

Detailed Data on More Than 30,000 Cannabis Users Exposed via Unencrypted Amazon S3 Bucket Owned by Compliance Software Vendor

More than 30,000 cannabis users had sensitive personal information exposed online by a company that makes software used by weed dispensaries, researchers at vpnMentor report. The information, which included scans of driver’s licenses as well as the type and quantity of weed purchased, was discovered by the researchers on December 24 after they found an unencrypted Amazon S3 bucket owned by THSuite, the company that makes the software. Dispensaries use THSuite to help ensure compliance with state laws. Other data exposed for the 30,000 cannabis users include patient medical history, photographs of scanned government and employee IDs, full name, phone number, email address, date of birth, street address, medical ID number, signatures, cannabis strain and the quantity purchased, employee names and work schedule, and more. vpnMentor identified records belonging to at least three cannabis dispensaries: AmediCanna Dispensary, located in Maryland; Bloom Medicinals, located throughout Ohio; Colorado Grow Company, a recreational dispensary, although the entirety of THSuite’s client base might also be affected. (Motherboard)
4 days ago

Some Infosec Experts Express Skepticism Over Portions of the Forensic Report on Bezos’ Phone Hack

The report by cybersecurity firm FTI Consulting, which concluded that Jeff Bezos’ phone was hacked from the WhatsApp account of Saudi Crown Prince Mohammed bin Salman, has, in part, been met with skepticism by some cybersecurity experts. Former CISO of Facebook Alex Stamos says the report doesn’t go far enough and that FTI hasn’t figured out yet how to thoroughly test Bezos’ phone. Bill Marczak, a research fellow at Citizen Lab at the University of Toronto, and Matthew Green, an associate professor of computer science at Johns Hopkins, said that FTI should have been able to decrypt the encrypted video file downloader that contained the malicious file infecting Bezos’ phone. Cybersecurity expert Rob Graham and Cisco Talos’ Craig Williams question the report’s account of the low level of traffic from the phone before the sudden burst of traffic that reflected the exfiltration from Bezos’ phone. (Cyberscoop)
4 days ago

CISA Warns of Increased Emotet Activity as Threat Group Behind the Email Malware Ramps Up Campaigns Against Government, Military Targets

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned security teams to be alert to the rising threat of the powerful email malware Emotet as the threat group believed to be behind Emotet, known as TA542, ramps up campaigns against government and military targets. CISA is pushing routine cybersecurity hygiene tasks as protection against Emotet, including blocking email attachments commonly associated with malware (e.g., .dll and .exe), blocking email attachments that cannot be scanned by antivirus software (e.g., .zip files), and implementing Group Policy Object and firewall rules. (Computer Business Review)
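The CISA hygiene advice above is a policy, so here is an added example of what a mail gateway check implementing it looks like in code. It is written for this digest and is not CISA's or any vendor's tooling; the extension lists, the `classify_attachment` interface and the constructed sample attachments are assumptions. It goes one step beyond the text in two ways: it sniffs for a PE header so a renamed executable does not slip past an extension list, and it offers an alternative to blocking every ZIP outright by opening the archive and refusing only those that cannot actually be scanned (encrypted or malformed) or that carry a blocked file type inside.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Assumed policy values, modelled on the CISA guidance quoted above.
BLOCKED_EXTENSIONS = {".exe", ".dll"}   # attachment types commonly associated with malware
ARCHIVE_EXTENSIONS = {".zip"}           # containers an AV engine may be unable to scan
PE_MAGIC = b"MZ"                        # DOS/PE header present in .exe and .dll files


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def _extension(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def _archive_is_scannable(data: bytes):
    """Return (ok, reason). Scannable means: parses, no encrypted member, no blocked member type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                    return False, f"member {info.filename!r} is encrypted"
                if _extension(info.filename) in BLOCKED_EXTENSIONS:
                    return False, f"member {info.filename!r} has blocked extension"
    except zipfile.BadZipFile:
        return False, "archive is malformed"
    return True, ""


def classify_attachment(filename: str, data: bytes, block_all_archives: bool = True) -> Verdict:
    """Apply the attachment policy to one attachment.

    block_all_archives=True is the literal CISA stance (block .zip because it cannot be
    scanned); False inspects the archive and blocks only what really cannot be scanned.
    """
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict("block", f"extension {ext} is on the block list")
    if data[:2] == PE_MAGIC:
        return Verdict("block", f"PE executable disguised as {ext or 'no extension'}")
    if ext in ARCHIVE_EXTENSIONS:
        if block_all_archives:
            return Verdict("block", "archives cannot be scanned by policy")
        ok, why = _archive_is_scannable(data)
        if not ok:
            return Verdict("block", why)
    return Verdict("allow", "")


# --- constructed sample attachments (not real malware, just bytes for the checks) ---
def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag (bit 0) in every local header (offset 6) and central
    directory entry (offset 8) so the sample looks password-protected to a scanner."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(sig)
        while i != -1:
            b[i + off] |= 0x01
            i = b.find(sig, i + 1)
    return bytes(b)


SAMPLE_ATTACHMENTS = {
    "invoice.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "photo.pdf": PE_MAGIC + b"\x00" * 12,                     # renamed executable
    "notes.zip": _build_zip({"notes.txt": b"meeting notes"}),
    "secret.zip": _mark_encrypted(_build_zip({"doc.txt": b"x"})),
    "loader.zip": _build_zip({"update.dll": PE_MAGIC}),
    "broken.zip": b"this is not a zip archive",
}


def review_message(attachments: dict, block_all_archives: bool = True) -> dict:
    """Classify every attachment of one message; returns {name: Verdict}."""
    return {n: classify_attachment(n, d, block_all_archives) for n, d in attachments.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"block_all_archives={mode}")
        for name, v in review_message(SAMPLE_ATTACHMENTS, mode).items():
            print(f"  {name:12} {v.action:5} {v.reason}")
```

The strict mode reproduces the advisory as written; the inspecting mode is the usual compromise where business mail legitimately carries archives. Either way the PE sniff stays on, because an extension list alone is only as good as the sender's honesty about file names.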