
New Adobe Flash Vulnerability Lets Hackers Plant Malicious Software on Your PC

October 16, 2017

Affects all unpatched Linux, Mac, Chrome OS and Windows PCs

As long as Adobe’s Flash Player plugin is still alive and installed on your personal computer, it will only cause damage to it.
Adobe Flash is often described as a security vulnerability in itself, as it’s full of security flaws and Adobe doesn’t patch them as fast as it should.

The latest, as reported by Reuters, is said to let hackers plant malicious software on your personal computer.
The malware was discovered by security firm Kaspersky Lab; it’s called FinSpy or FinFisher and is usually used for surveillance by law enforcement agencies.

According to the report, Kaspersky Lab was actively tracking a hacker group called BlackOasis, which apparently managed to install malicious software on computers using the security vulnerability in the Adobe Flash Player plugin, before connecting those computers back to servers in the Netherlands, Switzerland, or Bulgaria.

The BlackOasis group is using FinSpy to target UN (United Nations) officials and Middle Eastern politicians, as well as regional news correspondents, activists, and opposition bloggers, but victims were also reported in the United Kingdom, Russia, Africa, Iraq, Iran, and Afghanistan.

Adobe Flash will die in 2020

Adobe Systems said earlier this year that it would retire its vulnerable and buggy Flash Player plugin for good in 2020, more than two years from now, but until then people remain vulnerable to attacks and malware like FinSpy, so Adobe needs to do a better job of keeping its software up to date at all times.

Adobe already released a security update to fix the issue that allowed hackers to plant malicious software; the flaw affected the popular Google Chrome, Microsoft Edge, and Internet Explorer web browsers.
However, users also need to make sure they keep their apps and operating systems up-to-date, always, if they don’t want hackers to hold their data for ransom.



WPA2 Going the Way of WEP After Wi-Fi Researchers Find Critical Flaw

October 16, 2017

It’s a massive problem that’s going to get bigger

The WPA2 (Wi-Fi Protected Access II) protocol that’s used by most Wi-Fi networks today has been compromised, and a way to intercept traffic between computers, phones, and access points has been found.

Today’s Internet and network connections rely on specific tools that are taken for granted, most of the time.
From time to time, a way to compromise these protocols sends everybody running for the fences.
Let’s just remember the OpenSSL problem, for just a moment.

Now, a similar problem has been identified in the WPA2 protocol that’s used by Wi-Fi networks.
Whenever you connect your device to a Wi-Fi network, you are probably using the WPA2 security protocols, and you feel safe.
Well, you shouldn’t feel safe at all.
It turns out that the protocol is vulnerable and that communications between client and host can be intercepted.

WPA2 has been KRACKed

Security researchers have discovered a way to compromise the communications between a host and client that’s using the WPA2 protocol.
A notification sent by US-CERT, reported via Ars Technica, says that “the impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.”

The moniker for the attack is currently “KRACK,” although it is not official just yet.
And, as usual, there is good news and bad news, and the bad outweighs the rest.
The following vulnerabilities have been noted: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

This means that we should start to see patches for these problems soon, but it’s important to know that many of the devices we’re using today, like routers, for example, won’t get these patches.

How to protect yourself

If you’re worried about your router, there is not much you can really do about it.
Check whether you get an update, and if not, be prepared to get a new one that’s protected.

The same goes for phones, tablets, PCs, and all the rest.
If you have an old device that’s not receiving updates anymore, you’re going to be exposed to this issue as well.

It’s important to mention that if you’re using a Wi-Fi network to browse an HTTPS-secured website, you should be fine, but anything else is problematic.

Please keep in mind that this new KRACK attack is a major one and that you need to keep an eye on patches and your security from now on, for the devices you own that use the WPA2 protocol.


More details have surfaced regarding the newly discovered vulnerabilities, and researchers have published all the details and proof of concept on what is now the official website.


Yahoo: All Our 3 Billion Users Were Hacked

October 4, 2017

Company admits that more users were actually hacked in 2013

The Yahoo hack saga continues, this time with more information provided by the company itself, who reckoned in a statement that more users were actually hacked in 2013 than it previously revealed.

Yahoo said in September 2016 that 500 million accounts got hacked in 2013 as part of what it described as a state-sponsored attack, albeit absolutely no specifics on the hacking group or the country behind the breach were provided.

Yahoo, however, released an updated statement in December to bump the figure to 1 billion, saying that it discovered evidence that twice as many accounts were hacked than it initially thought.

3 billion accounts compromised

And now the company returns with another statement, revealing that its original investigation actually pointed to a wrong number.
So the hack didn’t affect 500 million or 1 billion accounts, but 3 billion records, which represented the entire userbase of Yahoo at that time.
This means that all Yahoo users in 2013 were exposed following the breach.

“Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected,” Yahoo said in the latest statement.

It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts.
The company required all users who had not changed their passwords since the time of the theft to do so.

The only good thing here is that the breach didn’t expose information like bank accounts, credit card data, or passwords, with hackers managing to compromise accounts using stolen Yahoo source code.

If there still are any Yahoo users out there, it goes without saying that they must change their passwords as soon as possible, even though it’s pretty clear that this is advice coming way too late given the hack happened in 2013. Judging from its statement, Yahoo believes that it reacted well by “taking action to protect accounts” and confirming the breach 3 years after it happened.


Not sure which ransomware has infected your PC? This free tool could help you find the right decryption package

September 27, 2017

A new tool analyses the ransom note and the encrypted file in order to offer the appropriate decryption tool – if it exists.

The success of ransomware means the number of cyber criminals looking to cash in on the file-encrypting malware appears to be ever increasing, whether they build it themselves or buy it from distributors in underground online marketplaces.

With new ransomware variants appearing all the time – recent new discoveries include PrincessLocker and Defray – and malicious developers continually updating tried and tested ransomware families such as Locky, it can be difficult for the average user to understand what they’ve been infected with should they fall victim to an attack.

Especially, as one recent report claims, there’s been a 750 percent increase in ransomware families since 2015.

In order to help victims, Bitdefender has released a free software suite that identifies which family and sub-version of ransomware has locked the victim’s data and leads them to the appropriate decryption tool – if it exists.

The Bitdefender Ransomware Recognition Tool analyses the ransom note and the encrypted file samples to identify the strain of ransomware and suggest a decryption tool based on indicators of confidence.
If the ransomware has an associated decryption tool, the platform provides a link to it in order to allow the victim to retrieve the files for free.

“Ransomware has become one of the most prolific criminal businesses to date.
The immediate payoff and the huge amounts of money have made ransomware a very common occurrence,” Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, told ZDNet.

“Our new tool aims at helping as many people get back their data without paying for the ransom in order to minimise the impact on the user, as well as to minimise the profitability of such businesses.”

While also involved with No More Ransom – the collaborative partnership involving law enforcement and cyber security firms coming together to provide a decryption tool portal for ransomware families – Bitdefender wants to reduce the number of steps victims need to take before getting their hands on a decryption tool.

“Bitdefender Ransomware Recognition wants to be a standalone tool that does the identification and then automatically downloads the proper decryption tool, if one is available.
We plan to release more decryption utilities in the near future in order to cover all potentially decryptable infection cases,” said Botezatu.

However, one of the reasons ransomware is so successful is that the cryptography behind the more sophisticated families is hard to crack – which means researchers aren’t able to break them down and reverse engineer them to create a decryption tool.


This malware just got more powerful by adding the WannaCry trick to its arsenal

September 25, 2017

The Retefe banking trojan is now using the EternalBlue exploit that helped spread WannaCry to make attacks more effective.

A trojan banking malware campaign has returned and now it’s leveraging EternalBlue — the leaked NSA surveillance exploit — to target Swiss financial institutions.

Developed by the NSA but revealed to the world by a hacking group, the EternalBlue Windows security flaw exploits a version of Windows’ Server Message Block (SMB) networking protocol to spread itself across an infected network using worm-like capabilities.

It was by using the EternalBlue exploit that May’s WannaCry ransomware attack was able to spread so quickly.
The tool was soon adopted by cybercriminal groups looking to make their malware more powerful — and now it’s being used to steal credentials and cash from Swiss banks by the group behind the Retefe malware.

Active since 2013, the Retefe banking trojan isn’t as notorious as the likes of Dridex, but targets banks in the UK, Switzerland, Austria, Sweden, and Japan.
It has also been known to target Mac users.

Unlike other banking trojans, which rely on webinjects to hijack online banking sessions, Retefe routes traffic to and from the target banks through proxy servers hosted on the TOR network.
These proxy sites host phishing pages designed to look like the targeted bank’s login page in order to steal credentials from victims, providing access to accounts for theft and fraud.

Retefe is typically delivered via phishing emails containing malicious Microsoft Office documents containing embedded Package Shell Objects — although some contain malicious macros instead.
If the user runs the file, a PowerShell command will run the malicious payload and install the code.
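The delivery vector described above (Office documents carrying embedded Package Shell Objects or macros) can be triaged before a user ever opens the file, because .docx/.docm files are zip containers with a predictable layout. The following is an added defensive example, not code from the article, Proofpoint or the Retefe campaign: it inspects an OOXML archive for embedded OLE objects under word/embeddings/, a VBA project part, and the OLE object content type declared in [Content_Types].xml. The build_sample_docx helper constructs skeletal sample documents in memory so the check runs offline; its placeholder bytes are not real payloads.

```python
"""Flag Office Open XML documents that carry embedded OLE packages or VBA macros.

Added example (not from the article or Proofpoint). OOXML files are zip
archives: embedded objects land under word/embeddings/ and VBA macros in
word/vbaProject.bin, so a plain zip listing is enough for a first triage pass.
"""
import io
import zipfile

# Archive members that indicate embedded objects or macros.
EMBEDDING_PREFIX = "word/embeddings/"
MACRO_MEMBER = "word/vbaProject.bin"
# Content type Word declares in [Content_Types].xml for embedded OLE objects.
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML document supplied as raw bytes."""
    findings = {"embedded_objects": [], "has_macros": False, "ole_content_type": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip container at all: cannot be a valid .docx/.docm.
        findings["error"] = "not a zip/OOXML container"
        return findings
    names = archive.namelist()
    findings["embedded_objects"] = [
        n for n in names if n.startswith(EMBEDDING_PREFIX) and not n.endswith("/")
    ]
    findings["has_macros"] = MACRO_MEMBER in names
    if "[Content_Types].xml" in names:
        ctypes = archive.read("[Content_Types].xml").decode("utf-8", errors="replace")
        findings["ole_content_type"] = OLE_CONTENT_TYPE in ctypes
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any embedded object, macro project or OLE content type warrants a closer look."""
    return bool(findings["embedded_objects"]) or findings["has_macros"] or findings["ole_content_type"]


def build_sample_docx(with_embedding: bool, with_macro: bool) -> bytes:
    """Construct a skeletal OOXML archive in memory (constructed sample, not real malware)."""
    buf = io.BytesIO()
    content_types = [
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            # Placeholder bytes stand in for an embedded Package object.
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
            content_types.append(
                f'<Override PartName="/word/embeddings/oleObject1.bin" ContentType="{OLE_CONTENT_TYPE}"/>'
            )
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
        content_types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(content_types))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("clean", build_sample_docx(False, False)),
        ("embedded package", build_sample_docx(True, False)),
        ("macro", build_sample_docx(False, True)),
    ]:
        result = inspect_ooxml(sample)
        print(f"{label}: suspicious={is_suspicious(result)} {result}")
```

This is a structural check, not a verdict: legitimate documents embed objects too, so the findings belong in a mail-gateway or triage queue that routes flagged attachments to sandboxing or analyst review rather than blocking on sight.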

Now researchers at Proofpoint have discovered that the payload contains the configuration for EternalBlue, with code taken from a publicly available proof-of-concept for the exploit posted in a dump on GitHub.
The tool is now used to download the PowerShell script which installs Retefe.

With the addition of EternalBlue, the malware can spread across networks.
This particular installation of the exploit lacks the module responsible for infinitely spreading the malware as WannaCry did.

However, researchers note that the attackers behind Retefe could be merely experimenting with EternalBlue for now — and that they could roll out the leaked exploit in full force in future.

“It is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches,” wrote Proofpoint researchers.

Indeed, those behind Retefe aren’t the only threat actors looking to leverage EternalBlue to make malware more powerful.
The attack group behind the Trickbot malware has also been experimenting with deploying the exploit.

Following the public release of the leaked NSA hacking tools, Microsoft released patches designed to protect users from falling victim to attacks using EternalBlue.

However, as demonstrated by the extent to which WannaCry spread, many organisations simply aren’t applying the critical updates released to prevent them from becoming victims of attacks leveraging the tools.


Why free VPNs are not a risk worth taking

September 18, 2017

Here’s a question. If you’re not paying for your VPN service, where is the provider getting the money to run it? The answer might cause you to lose some sleep.

TANSTAAFL. If you’ve read your Heinlein, you know it’s an acronym for “There ain’t no such thing as a free lunch.”

Think about Facebook.
We use it for free, but in return for that attention, Facebook catalogs vast amounts of information about us, which it uses for targeted advertising.
Google became one of the world’s most profitable companies on the back of “giving away” free search (along with little ads on the side).
The result was almost total dominance of the digital advertising industry.

All of that brings us to VPN services.
Let’s do a two minute recap of what a VPN is, first.
VPN (or Virtual Private Network) is a term used for services that allow you to encrypt your internet traffic between your computer and a destination computer on the VPN service.
This is particularly necessary when using something like a hotel’s open Wi-Fi service, so that other guests can’t watch all your traffic and steal juicy bits, like credit card numbers and passwords.

Here’s the thing: Running a VPN service is expensive.
You need either servers and data lines, or you’re paying a cloud vendor like Amazon for every bit received, sent, and stored.
Either way, it costs money.
So, think about this: If you’re running a free VPN service, how do you pay for all that expense?

You… In the back of the room, I see your hand up. “Ads,” you say. Yep, that’s a possibility.
Some free VPN services plaster ads on your browser display and sell those to whomever will pay.

I see another hand. “Stolen data.” That’s a possibility, too.
If you were a criminal organization or a terrorist ring, and you wanted to pick up a lot of credentials quickly, one easy way would be to open up a free VPN and wait for people to just hand you their secret information.
As P.T. Barnum is said to have said, “There’s a sucker born every minute.”

TASBEM. In other words, TANSTAAFL.

OK, one more. “Lead in for upgrade sales.” Yeah, that works, too.
Some vendors will offer a small amount of free access and when you eat up that bandwidth, they’ll ask you to upgrade.
Try before you buy is a proven method for selling services, it’s perfectly legitimate, and it’s often good for both the vendor and the customer.

You may also see some universities, activists, and other well-meaning groups offer free VPNs, but the problem is that they are resource constrained.
That means that you’re bound to see either slowdowns or stoppages because they can’t afford the resources needed to provide the service.
Some of those groups might also harvest information as you use their services, for use sometime in the future to further whatever their agendas might be.

The bottom line, though, is this: It’s just not worth risking your personal and financial data on a free VPN service.
The VPN services I rated range from about $6 to $12 per month, or about $40 to $120 per year.
It’s usually a better deal to pay for the whole year at once.

The cost of identity theft keeps going up, both in out-of-pocket expenses and in the time and hassle to clean up the mess.
When it comes to a service that’s designed to transfer your personal credentials and keep them safe, isn’t it worth spending just a few bucks to save potentially thousands of dollars, hundreds of hours, and an unmeasurable amount of stomach acid?


CCleaner Compromised to Gather and Transmit Information About Its Users

September 18, 2017

The app was compromised for almost a month

Piriform, the company that makes the popular CCleaner application, just announced that their application was hijacked and used to gather information about its users and send it to an unknown party.

Hackers usually prefer to penetrate insufficiently secured servers and get the data they want in that manner, but that usually means that webmasters and programmers were not doing their job.
Compromising the code for an application to gather information about user’s devices before that app is distributed is on a different level.

Piriform hasn’t said anything about how their systems were penetrated or how the executable was modified before launch, but they did reveal everything that’s been going on, and it’s not a pretty sight.
In fact, if you read the short description of the event, it’s even more terrifying.

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems,” wrote Paul Yung, VP for Products at Piriform.

What was the application doing?

It turns out that the attack was supposed to take part in two stages, but the attackers never really reached the second stage.
Two versions of CCleaner were affected, 5.33.616 for the 32-bit desktop release, and 1.07.3191 for the Cloud variant.
If we think about it, that was probably the intention: leaving the 64-bit version alone, since it would have attracted too much attention.

As for the information collected by CCleaner and sent to an IP address, there’s not much we can do about that.
Paul Yung explained that the name of the computer, the list of installed software along with the Windows updates, the list of running processes, the MAC address of the first three adapters, and some other information regarding processes running as administrator were all collected, encrypted and sent away.

Avast Threat Labs helped with the investigation, but the legal proceedings are still ongoing.
The authorities have been notified, and an update has been released for all users, no matter the platform.
It remains to be seen if anything more will surface in the coming days about the location of the attackers or their actual goal.