Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

5.4.2018 securityaffairs Vulnerability

On April 3, Microsoft issued an out-of-band security update to address the CVE-2018-0986 vulnerability affecting the Microsoft Malware Protection Engine (MMPE).
The Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. It is currently implemented in Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with SYSTEM privileges and gain full control of the vulnerable machine.

The CVE-2018-0986 vulnerability, rated ‘critical’, was discovered by Thomas Dullien, a white hat hacker at Google Project Zero.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,”

According to the experts, the flaw is quite easy to exploit: an attacker can place the malicious code inside a JavaScript file hosted on a website and then trick the victim into visiting it. In another attack scenario, the attackers send the malicious code as an attachment of an email sent to the victim, or via an instant messaging client.

The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

Microsoft has addressed the flaw in MMPE version 1.1.14700.5; the security patch is delivered automatically, without user interaction.

“For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.14700.5 or later.

If necessary, install the update. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.” states Microsoft.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”


Thousands of compromised Magento websites delivering Malware
5.4.2018 securityaffairs Cryptocurrency Virus

Hackers compromised hundreds of Magento e-commerce websites to steal credit card numbers and install crypto-mining malware.
According to the security firm Flashpoint, hackers launched brute-force attacks against Magento installs, using a dictionary composed of common and known default Magento credentials.

“Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.” reads the analysis published by Flashpoint.

“The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials.”

The security firm revealed that hackers have already compromised at least 1,000 Magento admin panels; most of the victims are in the US and Europe and operate in the education and healthcare industries.

The threat actors behind this campaign are also targeting other popular e-commerce CMS platforms, such as Powerfront CMS and OpenCart.

According to the experts, it is quite easy to find discussions on crime forums about how to compromise CMS platforms.

The lack of proper security measures makes it easy for crooks to compromise websites, sometimes just using a simple script.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.” continues the post.

Once hackers have compromised a Magento installation, they can inject malicious code into the core files to perform a wide range of malicious activities, such as stealing payment card data from the website.

The attackers can also use the compromised Magento installs to mine cryptocurrency, using malware such as the Rarog cryptocurrency miner.

The compromised sites serve an exploit masquerading as a phony Adobe Flash Player update; once the victim launches it, malicious JavaScript is executed whose function is to download malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner.” continues the analysis.

“The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.”

Flashpoint, with the support of law enforcement, is notifying victims of the security breaches.

Magento admins are recommended to review CMS account logins and adopt mitigation measures against brute-force attacks, for example by limiting the number of attempts or enforcing two-factor authentication.


Several U.S. Gas Pipeline Firms Affected by Cyberattack
4.4.2018 securityweek Cyber

Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology.

Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit.

EDI is a platform used by businesses to exchange documents such as purchase orders and invoices. In the case of energy firms, the system is used to encrypt, decrypt, translate, and track key energy transactions. Latitude says it provides EDI and other technology services to more than 100 natural gas pipelines, storage facilities, utilities, law firms, and energy marketers across the U.S.

Bloomberg reported that the incident also affected Boardwalk Pipeline Partners, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, and ONEOK, Inc. However, ONEOK clarified that its decision to disable the third-party EDI service was a “purely precautionary step.”

“There were no operational interruptions on ONEOK's natural gas pipelines,” the company stated. “Affected customers have been advised to use one of the alternative methods of communications available to them for gas scheduling purposes.”

Few details are known about the cyberattack, but Latitude did tell Bloomberg that it did not believe any customer data had been compromised and no other systems appeared to have been impacted. A status update provided by Latitude on its website on Tuesday informed customers that the initial restoration of EDI services had been completed and the company had been working on increasing performance.

SecurityWeek has reached out to Latitude Technologies and Energy Services Group for more information about the attack and will update this article if they respond.

“This looks like a financially-motivated cyberattack, likely by cybercriminals, but we've seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other,” said Phil Neray, VP of Industrial Cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston. “It's easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day.”

Bryan Singer, director of Security Services at IOActive, has described some worst-case scenarios that could result from attacks targeting pipeline operators.

“A lot of pipelines have 24-48 hour capacity within the pipelines. If hackers find a way to poison the product, you could have downstream impact for months or more. You could have gas compressors or lift stations where there’s a fire or explosion, and where you have to scramble to cap the ends before the fire spreads out. If it’s an oil rig, it could certainly be tougher to contain,” Singer told SecurityWeek.

“Hackers can cause some intermediate problems at first, but if they have access long enough, there’s a possibility that airports could go down (they often rely on fuel delivered directly) and gas stations could run out of gas. If they’re able to maintain an attack for a couple days, there can be very large downstream impact. We’re mostly out of winter, but if we don’t have power, we’re in need of that heat,” he added.

Back in 2012, the Department of Homeland Security (DHS) warned that malicious actors had been targeting the natural gas industry. While critical infrastructure operators in general have since become more aware of the risks posed by cyberattacks, many organizations are still unprepared.

In the case of the oil and gas industry in the United States, a study commissioned last year by German engineering giant Siemens showed that this sector is largely unprepared to address cybersecurity risks in operational technology (OT) environments.


Female Suspect Dead, Several Hurt in YouTube Shooting
4.4.2018 securityweek Incident

Chaos Amid Shooting at YouTube Headquarters

[UPDATE] Gunfire erupted at YouTube's offices in California Tuesday, leaving at least three people injured and sparking a panicked escape before the suspected shooter -- a woman -- apparently committed suicide.

Amid a chaotic scene in the city of San Bruno, a woman believed to be the shooter was found dead at the scene of the Google-owned video sharing service.

"We have one subject who is deceased inside the building with a self-inflicted wound," San Bruno Police Chief Ed Barberini told reporters. "At this time, we believe it to be the shooter."

Barberini mentioned "four victims" but it was not immediately clear if that included the shooter.

There was no immediate word on any motive.

Shootings by women are an extremely rare occurrence in the United States where the overwhelming majority of gun violence is carried out by men.

According to an FBI study that looked at 160 incidents involving one or more shooters in public places between 2000 and 2013 -- just six of the people who opened fire were women, a share of 3.8 percent.

Amid conflicting reports on casualties, Barberini said the injured "have been transported and are being treated for injuries that are treatable."

He said police had sealed off the building as they pursued the investigation and searched for any additional possible victims.

- Frantic escape -

Employees recounted frantic scenes as they fled YouTube's headquarters near San Francisco, with one saying he saw blood on the floor as he escaped.

"We were sitting in a meeting and then we heard people running because it was rumbling the floor. First thought was earthquake," employee Todd Sherman tweeted.

Sherman said that as he headed for an exit "someone said that there was a person with a gun," and added "at that point every new person I saw was a potential shooter."

Sherman's tweets continued: "I looked down and saw blood drips on the floor and stairs. Peeked around for threats and then we headed downstairs and out the front."

One image posted by a Twitter user showed employees being led out of the building with their hands up, with no further explanation.

Another YouTube employee, Vadim Lavrusik, tweeted: "Active shooter at YouTube HQ. Heard shots and saw people running while at my desk. Now barricaded inside a room with coworkers."

Later, Lavrusik said he had escaped to safety.

Witnesses reported helicopters on the scene as well as police SWAT teams.

The White House said President Donald Trump had been briefed and that his administration was monitoring the ongoing situation in San Bruno.

Shortly afterward, Trump tweeted, "Our thoughts and prayers are with everybody involved. Thank you to our phenomenal Law Enforcement Officers and First Responders that are currently on the scene."

YouTube headquarters is located some 30 miles (50 kilometers) from the main Google campus in Mountain View.

The shooting, which follows a series of deadly gun incidents at schools and elsewhere, comes amid heated debate on gun control measures in the United States.

An estimated 1.5 million people participated in demonstrations March 24 calling for stricter firearms measures following a deadly shooting in Parkland, Florida.

Organizers of the March for Our Lives sent a message of solidarity to the employees hit by Tuesday's shooting, tweeting "Our hearts are with you, @YouTube."


Panera Bread left millions of customer records exposed online for months
4.4.2018 securityaffairs Incident

The website belonging to the Panera Bread restaurant chain, Panerabread.com, exposed personal information in plain text for months.
The company has more than 2,100 retail locations in the United States and Canada, its customers could order food online for pickup in stores or for delivery.

Panera Bread exposed the data for at least eight months after the company was first notified of the data leak.

On Monday, the popular security expert Brian Krebs reported a bug affecting Panera’s website that left millions of customer records exposed in plain text.

Exposed data included names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards.

The company also exposed customers’ Panera loyalty card numbers, which could be used by scammers to spend prepaid account balances or to steal value from Panera customer loyalty accounts.

The disconcerting aspect of the story is that Panera Bread was first notified of the issue by the security researcher Dylan Houlihan on August 2, 2017.

At first the IT staff did not acknowledge the flaw, but after further investigation the director of information technology, Mike Gustavison, told the expert that the issue had been fixed.

Houlihan verified that the issue was not fixed and on April 2nd reported it to Brian Krebs.

“Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.” states the blog post published by Krebs.

This incident is disconcerting in many respects, such as the response of the company and the way it managed customers’ data.

Only after Brian Krebs contacted Panera Bread did the company take the website offline.

“It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.” continues Krebs.

“It’s also unclear whether any Panera customer account passwords may have been impacted.”

Panera told Fox Business that the data leak affected only about 10,000 records but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.

In a written statement, Panera declared it had fixed the problem within less than two hours of being notified by Brian Krebs, but the expert rightly asked why Panera did not explain why it had taken eight months to fix the issue after Houlihan reported it.


New KevDroid Android Backdoor Discovered
3.4.2018 securityweek Android

Security researchers have discovered a new Android Remote Access Trojan (RAT) that can steal a great deal of information from infected devices.

Dubbed KevDroid, the mobile threat can steal contacts, messages, and phone history, and can also record phone calls, Talos reports. Two variants of the malware have been identified so far.

One of the variants exploits CVE-2015-3636 to gain root access, but both implement the same call recording capabilities, taken from an open-source project on GitHub.

Once it has infected a device, the first KevDroid variant can gather and siphon information such as installed applications, phone number, phone unique ID, location, stored contacts information, stored SMS, call logs, stored emails, and photos.

Large in size, the second variant of the malware was hosted at the same URL in February, and has been observed using SQLite databases to store data. It includes the same data gathering capabilities, along with camera recording, audio recording, web history stealing, file stealing, and the ability to gain root on the device.

An ELF file embedded in the APK attempts to exploit the CVE-2015-3636 vulnerability using code available on GitHub to obtain root permission. By gaining higher privileges, the malware can perform more in-depth actions, including stealing files from other applications.

“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim. The social aspect of a mobile device results in a large amount of data residing on the device. This can be sensitive data, such as photographs, passwords, banking information or social engineering,” Talos notes.

Attackers could also blackmail victims using images or information deemed secret, could steal credentials and multi-factor tokens (SMS MFA), and could also engage in banking/financial fraud using their access to privileged information. Should the infected device be used in corporate environments, a KevDroid attack could lead to cyber espionage, Talos says.

While analyzing the threat, the security researchers also discovered a Windows-targeting RAT hosted on the same C&C server. They called the malware PubNubRAT because it uses the PubNub global data stream network (DSN) as a C&C and leverages the PubNub API to send orders to the compromised systems.

“Using legitimate services is always challenging for defenders. It's hard to identify malicious communications hidden in legitimate network flows (especially if the requests use encryption via HTTPS),” Talos notes.

An RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object is used for infection. The document is written in Korean and contains information on Bitcoin and China.

Once it has infected a system, the malware can steal files, download files, execute commands, kill processes, and take screenshots.

According to Talos, they started the investigation into these malware families because of a possible link to Group 123, but the evidence they discovered was too weak to identify a clear connection with the group.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concludes.


Software-defined Global Network as a Service Firm Meta Networks Emerges From Stealth
3.4.2018 securityweek Safety

Meta NaaS Provides a Software-defined Virtual 'Overlay' to Existing Disjointed Physical Networks

Emerging from stealth with $10 million in seed funding led by Vertex Ventures and the BRM Group, Tel Aviv-based Meta Networks has launched Meta NaaS -- a secure software-defined virtual private network aimed at redefining the concept of distributed, cloud-employing corporate networks.

The advent of public and private cloud services and offerings, together with the growth of mobile computing and remote working, plus the tendency for most companies to combine all of these with their own on-premise resources has had one major and well-recognized effect: there is no longer a physical network perimeter that can be defined and protected. Solutions generally require point products for every device, aimed at protecting the device and its communication to other parts of the network. This rapidly becomes very complex with multiple points of possible failure.

Meta Networks Meta NaaS provides a software-defined virtual 'overlay' to existing disjointed physical networks. It is user-centric, draws on the principle of zero-trust, and brings together all aspects of remote users, mobile devices, separate branch offices, on premise data centers and cloud apps within one single software-defined overlay. It creates a new perimeter in the cloud.

Like Google's BeyondCorp, the user is key. Every user device is given a unique permanent identity at the packet level, but is also given access to an always-on virtual private network (VPN). A global distribution of PoPs ensures high performance in accessing and using the VPN from any location, and all corporate traffic from corporate users is securely sent to the NaaS before being delivered to its destination. This includes both internal resources and internet traffic -- and security is handled in the NaaS rather than at the device.

"It's worldwide," Etay Bogner, CEO and founder of Meta Networks, told SecurityWeek. "You don't have to install any appliances. You connect separate offices through their existing routers. On top of the network we are deploying best network security. So instead of having the firewall deployed as an appliance in a specific physical location, we have the firewall functionality within the cloud in every one of the PoPs, and we apply security at those locations."

The effect is to provide security in even hostile environments -- mobile employees working in internet cafes or airport waiting lounges are as secure and productive as if they were still in the office.

Meta NaaS interoperates with other cloud-delivered security solutions, supporting a best-breeds security stack for the enterprise. It delivers identity-based policy routing and packet-level identity verification; and since it is cloud-based, it promises cloud advantages: agility, scalability and cloud economics.

"Meta NaaS is a new zero-trust paradigm for the 'virtual private network' that revolves around users rather than physical topology. This shift enables enterprises to effectively restore the perimeter by protecting all employee traffic -- both corporate and internet -- all of the time," said Bogner. "What elevates our technology is the cloud-native global backbone and the comprehensive, identity-based network security architecture designed to support millions of users efficiently."

"Meta NaaS is built around network users, not a physical business location," comments Ramon Snir, senior developer at Dynamic Yield, an existing customer. "This is an advantageous approach for organizations like ours that have applications in data centers and clouds around the world, as well as an increasingly mobile workforce."

Bogner is keen to stress that this is not a new rip and replace technology. "Enterprises already have existing investment in on premise security. That doesn't have to be ripped out," he told SecurityWeek. But at the same time, when licenses lapse, they don't have to be replaced. Meta NaaS provides a road map towards a cloud-only security policy.

"Over time," added Amy Arie, Meta Networks' CMO, "the NaaS will offer greater security at lower cost."

The concept can be seen in its implementation by MyHeritage. The firm has 100 sales reps around the world, with applications housed in two data centers on different continents. Without Meta NaaS, this required VPNs in each data center and an IT overhead in maintaining 100 clients -- and for the reps to understand which data center they needed. With Meta NaaS it is a single connection to the NaaS. The VPN is always operational, and access policies are maintained in the NaaS.

"Compared to managing VPNs in each of our data centers," said Moshe Magal, IT team leader at MyHeritage, "the Meta NaaS solution is much simpler and more convenient both for our IT team and our users."

Meta Networks is the fourth firm founded by serial entrepreneur, Etay Bogner. His first was SofaWare, a network security vendor that was ultimately acquired by Check Point Software. The second was Neocleus, a virtualization vendor acquired by Intel. The third is Stratoscale, an AWS compatible infrastructure and services firm.


Hacked Magento Sites Steal Card Data, Spread Malware
3.4.2018 securityweek Virus

Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports.

The open-source platform written in PHP has long stirred threat actors’ interest due to its popularity among online e-commerce sites. According to Flashpoint, members of entry-level and top-tier Deep & Dark Web forums have shown continued interest in the platform since 2016, and also targeted content management systems such as Powerfront CMS and OpenCart.

As part of the newly observed attacks, hackers are attempting to brute-force Magento administration panels. Once they gain access, malware capable of scraping credit card numbers is installed, along with crypto-currency miners.

At least 1,000 Magento admin panels have been compromised, Flashpoint says. The attackers attempt to log in using common and known default Magento credentials, once again proving that changing the credentials upon installation of the platform can prevent compromise.

After gaining control of the site’s Magento CMS admin panel, the attackers have unfettered access to the site and can inject any script they want. In this case, they injected malicious code in the Magento core file to access pages where payment data was processed. Because of that, they could intercept POST requests to the server containing sensitive data and redirect those to the attacker.

The compromised sites also revealed the use of an exploit masquerading as an Adobe Flash Player update. If launched, the fake update would run malicious JavaScript to download data-stealing malware called AZORult from GitHub. The malware then downloads the Rarog cryptocurrency miner.

The accounts hosting the malicious files have been active since 2017 and the security researchers observed that the attackers would update the files daily to avoid detection by signature- and behavior-based tools.

Most of the 1,000 compromised panels are in the education and healthcare industries in the United States and Europe. However, the researchers believe that the compromised sites they are aware of might be part of a larger sample of infected Magento panels.

To keep their sites and users protected, Magento admins are advised to review CMS account logins and enforce strong password-hygiene practices to mitigate their exposure to brute-force attacks. They should restrict the recycling of previously used passwords, enable two-factor authentication for sensitive systems and applications, and provide secure password managers to their users.
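Reviewing admin logins for brute-force activity, as both Magento items on this page recommend, can be scripted. This is an added example, not Flashpoint's or Magento's code; it assumes a combined-format web access log, that the Magento 1 admin login is a POST to /index.php/admin/ (site-specific), and that a failed login re-renders the form with HTTP 200 while a success redirects with HTTP 302 (a heuristic to confirm against your own store's logs). The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a combined-format access log for a Magento 1.x store.
# 203.0.113.7 hammers the admin login and finally gets a 302 (login succeeded);
# 192.0.2.5 fails twice and stops; 198.51.100.20 is a normal admin session.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2018:10:00:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:00:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:00:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:00:09 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
192.0.2.5 - - [02/Apr/2018:10:20:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Apr/2018:10:20:07 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2018:10:30:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2018:10:30:04 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Apr/2018:10:30:05 +0000] "GET /index.php/admin/dashboard/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed admin login endpoints (Magento 1 default and a common custom path);
# adjust to the store's configured admin URL.
ADMIN_LOGIN_PATHS = ("/index.php/admin/", "/admin/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_admin_login_post(rec):
    return rec["method"] == "POST" and rec["path"] in ADMIN_LOGIN_PATHS


def detect_admin_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (ip, kind, failed_attempts_in_window, timestamp) tuples.

    Heuristic (assumption): a failed Magento admin login re-renders the login
    form with HTTP 200, a successful one redirects with HTTP 302.
    kind is "bruteforce" when an IP reaches `threshold` failed POSTs inside
    `window`, and "success_after_bruteforce" when a flagged IP later logs in.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failed POSTs
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_admin_login_post(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        # keep only failures inside the sliding window
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if rec["status"] == 200:
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", len(failures[ip]), ts))
        elif rec["status"] == 302 and ip in flagged:
            alerts.append((ip, "success_after_bruteforce", len(failures[ip]), ts))
    return alerts


def summarize(alerts):
    """Render alerts as one line each, for a daily review of admin logins."""
    return [f"{ts.isoformat()} {ip} {kind} (failed attempts in window: {n})"
            for ip, kind, n, ts in alerts]


if __name__ == "__main__":
    for line in summarize(detect_admin_bruteforce(SAMPLE_LOG)):
        print(line)
```

A "success_after_bruteforce" alert is the one to treat as a likely account compromise and rotate the admin credentials; the plain "bruteforce" alerts are the input for the rate-limiting and 2FA measures the articles recommend.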

“The rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords,” Flashpoint notes.

Weak credentials in Internet of Things (IoT) devices have long been said to fuel botnets, but other systems where good password hygiene isn’t enforced are just as exposed as these devices. Even industrial control system (ICS) products contain default credentials and could be impacted.


New Monero-Mining Android Malware Discovered
3.4.2018 securityweek Android

A newly discovered malware family attempts to leverage the (limited) computing power of Android devices to mine for Monero crypto-currency, Trend Micro warns.

Dubbed HiddenMiner, the malware was developed with self-protection and persistence mechanisms that allow it to hide itself from the unwitting user and to abuse the Device Administrator feature to perform its nefarious activities.

The main issue with this threat, however, is the fact that it has no switch, controller, or optimizer in its code, meaning that it essentially continuously mines for Monero until all of the device’s resources are depleted. Because of that, the malware can cause the infected devices to overheat and potentially fail, Trend Micro's researchers point out.

HiddenMiner is used in an active campaign that has resulted in its operators already making several thousands of dollars as of last week (based on the known Monero mining pools and wallets connected to the malware).

HiddenMiner, Trend Micro says, is somewhat similar to the Loapi Monero-mining Android malware, which has previously been observed causing a device’s battery to bloat. Furthermore, both Loapi and HiddenMiner use a similar technique to lock the device screen after revoking device administration permissions.

The new threat spreads via third-party application marketplaces and has been observed impacting only users in India and China so far. However, the security researchers say it might spread beyond these two countries as well.

The malware masquerades as a legitimate Google Play update application, featuring the Google Play icon and appearing on the Android device’s screen as com.google.android.provider. The miner then asks the user to activate it as a device administrator and continuously displays the pop-up window until the user grants it the requested permissions.

Once installed, HiddenMiner empties the app label and uses a transparent icon to hide itself from the user. As soon as the device administrator rights are enabled, it hides from the app launcher by calling setComponentEnabledSetting() and starts the mining operation in the background.

The threat hides itself and automatically runs with administrator permissions until the next device boot, the same as the DoubleHidden Android adware does.

Furthermore, the malware includes anti-emulator capabilities that allow it to bypass detection and automated analysis. It leverages an Android emulator detector found on GitHub for that.

To prevent victims from removing the acquired device administrator privileges, HiddenMiner locks the device’s screen when the user attempts to perform this action. For that, it abuses a bug in Android releases prior to Android 7.0 Nougat, the security researchers say.

In newer Android releases, device admin applications can no longer lock the screen. This security improvement prevents other malware such as ransomware and information stealers from abusing the device admin privileges as well.

“HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications,” Trend Micro concludes.


Google Bans Crypto-Mining Chrome Extensions
3.4.2018 securityweek Cryptocurrency

Google on Monday announced that Chrome extensions designed to mine for crypto-currencies are no longer accepted in the Chrome Web Store.

While still focused on allowing the Chrome extensions ecosystem to evolve, Google also wants to keep users as safe as possible. Thus, a rise in the number of malicious Chrome extensions that mine for virtual coins without informing users has prompted the Internet giant to ban all such extensions.

The scripts designed for mining purposes often require significant CPU power to perform their activity, and could result in severely diminished system performance or in increased power consumption. Called in-browser cryptojacking, such mining behavior is employed by many websites as well, often with heavy impact on user experience.

“Over the past few months, there has been a rise in malicious extensions that appear to provide useful functionality on the surface, while embedding hidden cryptocurrency mining scripts that run in the background without the user’s consent,” James Wagner, Extensions Platform Product Manager, says.

Starting Monday, Google no longer accepts extensions that mine crypto-currency in the Chrome Web Store. Furthermore, the company plans on removing all such extensions from the store in late June.

Extensions with blockchain-related purposes that do not attempt to mine for virtual coins will continue to be distributed through the Web Store.

Previously, Google allowed developers to submit for publication extensions designed for crypto-currency mining as long as the extension was built for mining only and users were explicitly informed of this behavior.

However, the vast majority (90%) of the extensions containing mining scripts that were submitted for upload to the Chrome Web Store failed to comply with the company’s policies and ended up rejected or removed from the store.

“The extensions platform provides powerful capabilities that have enabled our developer community to build a vibrant catalog of extensions that help users get the most out of Chrome. Unfortunately, these same capabilities have attracted malicious software developers who attempt to abuse the platform at the expense of users,” Wagner points out.


Project Kalamata – Apple will replace Intel processors in Macs with its custom designed chips
3.4.2018 securityaffairs IT

In the wake of the discovery of severe flaws in Intel chips, the so-called Meltdown and Spectre vulnerabilities, Apple announced it plans to use custom-designed ARM chips in Mac computers starting as early as 2020.
The move aims to replace the Intel processors running on its desktop and laptop systems, as it already does with its own A-series custom chips used in iPhones and iPads.

“Apple Inc. is planning to use its own chips in Mac computers beginning as early as 2020, replacing processors from Intel Corp., according to people familiar with the plans.” states a report published by Bloomberg.

“The initiative, code named Kalamata, is still in the early developmental stages, but comes as part of a larger strategy to make all of Apple’s devices — including Macs, iPhones, and iPads — work more similarly and seamlessly together, said the people, who asked not to be identified discussing private information.”
According to Bloomberg, the initiative, codenamed ‘Kalamata’, was launched with the primary goal of achieving a uniform architecture across all of Apple’s products.

According to Bloomberg, the move is part of a larger initiative internally dubbed Marzipan to make Macs work more like iPhones and make iOS apps interoperable on Apple devices.


Currently, Apple shares 5% of its annual revenue with Intel and pays for exclusive deals to offer its customers; the changeover would allow the company to improve the performance of its systems and keep its projects secret.

According to Bloomberg, the new models of Mac Pro laptops arriving next year will include a chip designed by Apple. After the publication of the Bloomberg report, Intel’s stock price took a hit and dropped by 9.2 percent.

“Apple plans to add that chip to a new version of its Mac Pro, to be released by next year, and new Mac laptops this year, according to a person familiar with the matter.” added Bloomberg.

“Intel shares dropped as much as 9.2 percent, the biggest intraday drop in more than two years, on the news. They were down 6.4 percent at $48.75 at 3:30 p.m. in New York.”

Neither Apple nor Intel has yet commented on the Bloomberg report.


Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores
3.4.2018 securityaffairs Hacking

FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.
A new data breach made the headlines, and the victims are Saks Fifth Avenue and Lord & Taylor stores. According to the parent company Hudson’s Bay Company (HBC), the security breach exposed customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH (its discount store brand) and Lord & Taylor stores in North America.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.” reads the official statement issued by Lord & Taylor.

“While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms,”

The hackers did not compromise HBC’s e-commerce or other digital platforms; the company promptly informed the authorities and hired security investigators to

“We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” continues the announcement.

The HBC issued the following statement:

“HBC has identified the issue, and has taken steps to contain it,” the company said in a statement. “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The data breach was first reported by threat intelligence firm Gemini Advisory, which noticed the offer for sale of over five million stolen credit and debit cards on a cybercrime marketplace called JokerStash.

Saks Fifth Avenue Lord & Taylor stores

The researchers linked the security breach to the financially-motivated FIN7 APT group also known as Carbanak or Anunak.

The FIN7 group has been active since late 2015 and has been particularly active since the beginning of 2017; it continuously changes its attack techniques and implements new malware obfuscation methods.

FIN7 was spotted in early 2017 when it targeted personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.” the company said in a post.

As of Sunday, only a small portion of the compromised records had been offered for sale: the crooks offered roughly 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

“As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.” added Gemini.

At the time of writing, HBC had not provided details on the extent of the security breach, and it is still unclear how the hackers stole the payment card data; experts believe the hackers may have compromised point-of-sale systems.

“Based on the analysis of records that are currently available, it appears that all Lord & Taylor and 83 US based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.” concluded Gemini.


Grindr shared people’s HIV status with other companies
3.4.2018 securityaffairs Security

An analysis conducted by the Norwegian research nonprofit SINTEF revealed that the popular Grindr gay dating app is sharing its users’ HIV status with two other companies.
The Grindr gay-dating app has made the headlines again. A few days ago an NBC report revealed that the app was affected by two security issues (now patched) that could have exposed the information of its more than 3 million daily users.

An attacker could have exploited the flaws to access location data, private messages to other users, and profile information, even if the users had opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working on his website C*ckblocked, which allowed users to see who had blocked them on Grindr.

Faden discovered that once a Grindr user logged in to his service, it was possible to access a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

While the media were covering the news, another disconcerting revelation was made by BuzzFeed and the Norwegian research nonprofit SINTEF: Grindr has been sharing data on whether its users have HIV with two outside companies.

“SVT and SINTEF conducted an experiment the 7th of February 2018 to analyse privacy leaks in the dating application Grindr. This was realised for the Swedish TV program “Plus granskar“, that you may watch online.” reported SINTEF.

“We discovered that Grindr contains many trackers, and shares personal information with various third parties directly from the application.”

Profiles include sensitive information such as HIV status, when a user was last tested, and whether they are taking HIV treatment or the HIV-preventing pill PrEP.

“It is unnecessary for Grindr to track its users HIV Status using third-parties services. Moreover, these third-parties are not necessarily certified to host medical data, and Grindr’s users may not be aware that they are sharing such data with them.” added SINTEF.

The disconcerting aspect of this revelation is that Grindr has been sharing users’ HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics.

“The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.” BuzzFeed reports

“Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.”

In some cases, this data was not protected by encryption.

Hours after BuzzFeed’s report, Grindr told Axios that it had made a change to stop sharing users’ HIV status. The company’s security chief, Bryce Case, told Axios that he felt the company was being “unfairly … singled out” in light of Facebook’s Cambridge Analytica scandal and said that the company’s practices didn’t deviate from the industry norm.

Grindr’s chief technology officer, Scott Chen, pointed out that data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

In any case, Grindr does not sell user data to third parties.

In a statement released Monday afternoon, Grindr confirmed that it would stop sharing the HIV data.

The company also confirmed to CNNMoney that it has already deleted HIV data from Apptimize, and is in the process of removing it from Localytics.