Showing posts with label Biz & IT – Ars Technica. Show all posts

Hackers sponsored by Russia and North Korea are targeting COVID-19 researchers

(credit: Getty Images)

Hackers sponsored by the Russian and North Korean governments have been targeting companies directly involved in researching vaccines and treatments for COVID-19, and in some cases, the attacks have succeeded, Microsoft said on Friday.

In all, there are seven prominent companies that have been targeted, Microsoft Corporate VP for Customer Security & Trust Tom Burt said. They include vaccine makers with COVID-19 vaccines in various clinical trial stages, a clinical research organization involved in trials, and a developer of a COVID-19 test. Also targeted were organizations with contracts with or investments from governmental agencies around the world for COVID-19-related work. The targets are located in the US, Canada, France, India, and South Korea.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law,” Burt wrote in a blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate—or even facilitate—within their borders. This is criminal activity that cannot be tolerated.”

from Biz & IT – Ars Technica https://ift.tt/2H38aHy

Trickbot—the for-hire botnet Microsoft attacked—is scrambling to stay alive

Cartoon image of a desktop computer under attack from viruses. (credit: Aurich Lawson / Ars Technica)

Operators of Trickbot—a for-hire botnet that has infected more than 1 million devices since 2016—are looking for new ways to stay afloat after Microsoft and a host of industry partners took coordinated action to disrupt it last week.

In an update published on Tuesday, Microsoft Corporate VP for Security & Trust Tom Burt said the operation initially managed to take down 62 of the 69 servers Trickbot was known to be using to control its vast network of infected devices. Trickbot operators responded by quickly spinning up 59 new servers, and Microsoft was able to eliminate all of them except for one.

In all, the industrywide operation has taken down 120 of 128 servers identified as belonging to Trickbot. Now, Trickbot is responding by using a competing criminal group to distribute the Trickbot malware.

from Biz & IT – Ars Technica https://ift.tt/3dNE2vQ

FBI/DHS: Government election systems face threat from active Zerologon exploits

(credit: Getty Images)

The FBI and the cybersecurity arm of the Department of Homeland Security said they have detected hackers exploiting a critical Windows vulnerability against state and local governments and that in some cases the attacks are being used to breach networks used to support elections.

Members of unspecified APTs—the abbreviation for advanced persistent threats—are exploiting the Windows vulnerability dubbed Zerologon. It gives attackers who already have a toehold on a vulnerable network access to the all-powerful domain controllers that administrators use to allocate new accounts and manage existing ones.

To gain initial access, the attackers are exploiting separate vulnerabilities in firewalls, VPNs, and other products from companies including Juniper, Pulse Secure, Citrix NetScaler, and Palo Alto Networks. All of the vulnerabilities—Zerologon included—have received patches, but as evidenced by Friday’s warning from the DHS and FBI, not everyone has installed them. The inaction is putting governments and election systems at all levels at risk.

from Biz & IT – Ars Technica https://ift.tt/3nAWeNC

DHS warns that Emotet malware is one of the most prevalent threats today

A stylized skull and crossbones made out of ones and zeroes. (credit: Getty Images)

The malware known as Emotet has emerged as “one of the most prevalent ongoing threats” as it increasingly targets state and local governments and infects them with other malware, the cybersecurity arm of the Department of Homeland Security said on Tuesday.

Emotet was first identified in 2014 as a relatively simple trojan for stealing banking account credentials. Within a year or two, it had reinvented itself as a formidable downloader or dropper that, after infecting a PC, installed other malware. The Trickbot banking trojan and the Ryuk ransomware are two of the more common follow-ons. Over the past month, Emotet has successfully burrowed into Quebec’s Department of Justice and increased its onslaught on governments in France, Japan, and New Zealand. It has also targeted the Democratic National Committee.

Not to be left out, US state and local governments are also receiving unwanted attention, according to the CISA, short for the Cybersecurity and Infrastructure Security Agency. Einstein—the agency’s intrusion-detection system for collecting, analyzing, and sharing security information across the federal civilian departments and agencies—has in recent weeks noticed a big uptick, too. In an advisory issued on Tuesday, officials wrote:

from Biz & IT – Ars Technica https://ift.tt/2GNGMMY

Boom! Hacked page on mobile phone website is stealing customers’ card data

A cartoon depicts a thief emerging from one computer and reaching onto the screen of another. Computer hacker character stealing money online. Vector flat cartoon illustration. (credit: GettyImages)

If you’re in the market for a new mobile phone plan, it’s best to avoid turning to Boom! Mobile. That is, unless you don’t mind your sensitive payment card data being sent to criminals in an attack that was still ongoing as of the last few hours.

According to researchers from security firm Malwarebytes, Boom! Mobile’s boom.us website is infected with a malicious script that skims payment card data and sends it to a server under the control of a criminal group researchers have dubbed Fullz House. The malicious script is called by a single line that comprises mostly nonsense characters when viewed with the human eye.

(credit: Malwarebytes)

When decoded from Base64 format, the line translates to: paypal-debit[.]com/cdn/ga.js. The JavaScript code ga.js masquerades as a Google Analytics script at one of the many fraudulent domains operated by Fullz House members.

from Biz & IT – Ars Technica https://ift.tt/2GCo6jx

A single text is all it took to unleash code-execution worm in Cisco Jabber

Promotional screenshot of collaborative video conferencing app. (credit: Cisco)

Until Wednesday, a single text message sent through Cisco’s Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.

The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that’s designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as “onanimationstart.”

Jumping through hoops

But even then, the filter still blocked content that contained <style>, an HTML tag that had to be included in a malicious payload. To bypass that protection, the researchers used code that was tailored to a built-in animation component called spinner-grow. With that, the researchers were able to achieve a cross-site scripting exploit that injected a malicious payload directly into the internals of the browser built into Jabber.

from Biz & IT – Ars Technica https://ift.tt/2F0XM1y

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

WordPress logos in various colors. (credit: StickerGiant / Flickr)

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report the in-the-wild attacks. The post said that a hacker was exploiting the vulnerability to upload a script titled hardfork.php and then using it to inject code into the WordPress scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.

from Biz & IT – Ars Technica https://ift.tt/32MdpSO

Russian tourist offered employee $1 million to cripple Tesla with malware

(credit: Tesla)

Tesla’s Nevada Gigafactory was the target of a concerted plot to cripple the company’s network with malware, CEO Elon Musk confirmed on Thursday afternoon.

The plan's outline was divulged on Tuesday in a criminal complaint that accused a Russian man of offering $1 million to the employee of a Nevada company, identified only as “Company A,” in exchange for the employee infecting the company’s network. The employee reported the offer to Tesla and later worked with the FBI in a sting that involved him covertly recording face-to-face meetings discussing the proposal.

“The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the coconspirators’ ransom demand,” prosecutors wrote in the complaint.

from Biz & IT – Ars Technica https://ift.tt/34EdVol

“DeathStalker” hackers are (likely) older and more prolific than we thought

Stock photo of a hooded figure hiding behind computer code. (credit: Getty Images)

In 2018, researchers from security firm Kaspersky Lab began tracking “DeathStalker,” their name for a hacker-for-hire group that was employing simple but effective malware to do espionage on law firms and companies in the financial industry. Now, the researchers have linked the group to two other pieces of malware including one that dates back to at least 2012.

DeathStalker came to Kaspersky’s attention for its use of malware that a fellow researcher dubbed “Powersing.” The malware got its name from a 900-line PowerShell script that attackers went to great lengths to obfuscate from antivirus software.

Attacks started with spear-phishing emails with attachments that appeared to be documents but—through a sleight of hand involving LNK files—were actually malicious scripts. To keep targets from getting suspicious, Powersing displayed a decoy document as soon as targets clicked on the attachment.

from Biz & IT – Ars Technica https://ift.tt/2YxWP7N

NSA and FBI warn that new Linux malware threatens national security

(credit: Suse)

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that had gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency, which has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage to national security.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.

from Biz & IT – Ars Technica https://ift.tt/3fWWZeX

More than 20GB of Intel source code and proprietary data dumped online

An Intel promotional has been modified to include the words

(credit: Tillie Kottman)

Intel is investigating the purported leak of more than 20 gigabytes of its proprietary data and source code that a security researcher said came from a data breach earlier this year.

The data—which at the time this post went live was publicly available on BitTorrent feeds—contains material Intel makes available to partners and customers under NDA, a company spokeswoman said. Speaking on background, she said Intel officials don’t believe the data came from a network breach. She also said the company is still trying to determine how current the material is and that, so far, there are no signs the data includes any customer or personal information.

“We are investigating this situation,” company officials said in a statement. “The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.”

from Biz & IT – Ars Technica https://ift.tt/3fF4mHv

Hackers obtained Twitter DMs for 36 high-profile account holders

(credit: Kevin Krejci)

Hackers accessed direct messages for 36 high-profile account holders in last week’s epic compromise of Twitter, with one of the affected users being an elected official from the Netherlands, the social media company said late Wednesday. The company also said the intruders were able to view email addresses, phone numbers, and other personal information for all 130 hijacked accounts.

The mass-account takeover came to light last Wednesday when some of the world’s best-known celebrities, politicians, and executives began tweeting links to Bitcoin scams. A few hours later, Twitter officials said the incident was the result of it losing control of its internal administrative systems to hackers who either paid, tricked, or coerced one or more company employees. The officials said they would disclose any other malicious activities those responsible may have undertaken as an investigation continued.

A breathtaking impact

On Wednesday, Twitter provided its most troubling update so far. It said:

from Biz & IT – Ars Technica https://ift.tt/2WMZ71W

Twitter terminates DDoSecrets and falsely claims it may infect visitors

A pithy phrase regarding censorship has been spray painted on a wall: the problem with censorship is redacted. (credit: Cory Doctorow / Flickr)

Four days after leak publisher DDoSecrets circulated private documents from more than 200 law enforcement agencies across the United States, Twitter has permanently suspended its account and falsely claimed that the site may infect users with malware.

“Your account, DDoSecrets, has been suspended for violating the Twitter rules,” this email, which Twitter sent to the account holders, said. The message cited rules against “distribution of hacked material” and went on to say:

We don’t permit the use of our services to directly distribute content obtained through hacking that contains private information, may put people in physical harm or danger, or contains trade secrets.

Note that if you attempt to evade a permanent suspension by creating new accounts, we will suspend your new accounts. If you wish to appeal this suspension, please contact our support team.

BlueLeaks

DDoSecrets describes itself as a “transparency collective, aimed at enabling the free transmission of data in the public interest.” On Friday, it published BlueLeaks, a 269-gigabyte trove of documents that KrebsOnSecurity reported was obtained through the hack of a Web development company that hosted documents on behalf of police departments. Some of the documents exposed police candidly discussing responses to demonstrations protesting the murder by a Minneapolis police officer of George Floyd, a Black man who was murdered while handcuffed.

from Biz & IT – Ars Technica https://ift.tt/2YwUg6B

Knoxville shuts down parts of its network after being hit by ransomware

The Knoxville City-County Building, overlooking the Tennessee River in Knoxville, Tennessee. (credit: Brian Stansberry)

The city of Knoxville, Tennessee, shut down large portions of its computer network on Thursday after being hit overnight by a ransomware attack, it was widely reported on Thursday.

The attack was first noticed by members of the Knoxville Fire Department around 4:30am Thursday, the Knoxville News Sentinel reported. Shortly after that, Knoxville’s Chief Operations Officer David Brace sent employees an email notifying them of the breach.

“Please be advised that our network has been attacked with ransomware,” he wrote. “Information Systems is currently following recommend[ed] protocols. This includes shutting down servers, our internet connections and PC’s. Please do not log in to the network or use computer applications at this time.”

from Biz & IT – Ars Technica https://ift.tt/3hhUkyd

OpenZFS removed offensive terminology from its code

Replacements for outdated master/slave terminology tend to be considerably more accurate, as well as less offensive. (credit: Aurich Lawson)

On Wednesday evening, ZFS founding developer Matthew Ahrens submitted what should have been a simple, non-controversial pull request to the OpenZFS project: wherever possible without causing technical issues, the patch removed references to "slaves" and replaced them with "dependents."

The patch in question doesn't change the way the code functions—it simply changes variable names in a way that brings them into conformance with Linux upstream device-mapper terminology, in 48 total lines of code (42 removed and 48 added; with one comment block expanded slightly to be more descriptive).

But this being the Internet, unfortunately, outraged naysayers descended on the pull request, and the comments were quickly closed to non-contributors. I first became aware of this as the moderator of the r/zfs subreddit where the overflow spilled once comments on the PR itself were no longer possible.

from Biz & IT – Ars Technica https://ift.tt/3cQUgCh

Honda halts production at some plants after being hit by a cyberattack

(credit: Yonkers Honda / Flickr)

Honda halted manufacturing at some of its plants around the world on Tuesday after being hit by a cyberattack that’s widely reported to be ransomware.

“Honda has experienced a cyberattack that has affected production operations at some US plants,” the automaker told Ars. “However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”

Bloomberg News reported on Tuesday evening that production was suspended at car factories in Ohio and Turkey as well as at motorcycle plants in India and South America. The company, according to Bloomberg, was working to fix systems. The news outlet also said that Japanese operations weren’t affected and that other Honda plants in the United States have already resumed manufacturing.

from Biz & IT – Ars Technica https://ift.tt/2XLwhA6

Iran- and China-backed phishers try to hook the Trump and Biden campaigns

Stock photo of a slip of paper being dropped into a bin marked 2020. (credit: Marco Verch Professional Photographer and Speaker)

State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns. An Iran-backed group targeted the Trump campaign and China-backed attackers targeted the Biden campaign, said Shane Huntley, the head of Google’s Threat Analysis Group on Twitter. Both groups used phishing emails. There’s no indication that either attack campaign succeeded.

Kittens and Pandas

Huntley identified the Iranian group that targeted Trump’s campaign as APT35, short for Advanced Persistent Threat 35. Also known as Charming Kitten, iKittens, and Phosphorous, the group was caught targeting an unnamed presidential campaign before, Microsoft said last October. In that campaign, Phosphorous members attempted to access email accounts campaign staff received through Microsoft cloud services. Microsoft said that the attackers worked relentlessly to gather information that could be used to activate password resets and other account-recovery services Microsoft provides.

from Biz & IT – Ars Technica https://ift.tt/3dBR5zh

Apple fixes bug that could have given hackers unauthorized access to user accounts

Photograph of multiple Apple devices lined up together. (credit: Apple)

Sign in with Apple—a privacy-enhancing tool that lets users log into third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” app developer Bhavuk Jain wrote on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Jain privately reported the flaw to Apple under the company’s bug bounty program and received a hefty $100,000 payout. The developer shared details after Apple updated the sign-in service to patch the vulnerability.

from Biz & IT – Ars Technica https://ift.tt/3eSb2Cv

Cisco security breach hits corporate servers that ran unpatched software

(credit: Prayitno / Flickr)

Six servers Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws contained in unpatched versions the open source software service relies on, the company disclosed on Thursday.

Got updates?

The May 7 compromise hit six Cisco servers that provide backend connectivity to the Virtual Internet Routing Lab Personal Edition (VIRL-PE), a Cisco service that lets customers design and test network topologies without having to deploy actual equipment. Both the VIRL-PE and a related service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained a pair of bugs that, when combined, were critical. The vulnerabilities became public on April 30.

Cisco deployed the vulnerable servers on May 7, and they were compromised the same day. Cisco took them down and remediated them, also on May 7. The servers were:

from Biz & IT – Ars Technica https://ift.tt/36Dw6te

Meet unc0ver, the new jailbreak that pops shell—and much more—on any iPhone

(credit: Maurizio Pesce / Flickr)

Hackers have released a new jailbreak that any user can employ to gain root access on any iPhone, regardless of the hardware, as long as it runs iOS 11 or later.

Dubbed unc0ver, the exploit works only when someone has physical access to an unlocked device and connects it to a computer. Those requirements mean that the jailbreak is unlikely to be used in most malicious scenarios, such as through malware that surreptitiously gains unfettered system rights to an iPhone or iPad. unc0ver’s inability to survive a reboot also makes it less likely it will be used in hostile situations.

Rather, unc0ver is more of a tool that allows users to break locks Apple developers put in place to limit key capabilities such as what apps can be installed, the monitoring of OS functions, and various other tweaks that are standard on most other OSes. The jailbreak, for instance, allows users to gain a UNIX shell that has root privileges to the iPhone. From there, users can use UNIX commands to do whatever they’d like.

from Biz & IT – Ars Technica https://ift.tt/3d8PpgK

Sensor Tower: Mobile game publishers continue to reach $1M at high rates

Sensor Tower reports that many mobile game publishers are hitting the $1M earnings milestone in 2021 -- though not as many as in 2016. Rea...