Mobile Banking Malware Rose 58% in Q1

By: Kacy Zurkus

The first quarter of 2019 saw a significant spike in mobile banking malware that steals both credentials and funds from users’ bank accounts, according to researchers at Kaspersky Lab.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” today’s press release stated.

Researchers reportedly uncovered 29,841 different modifications of banking Trojans during the first three months of the year, up from 18,501 in Q4 2018. “As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies,” researchers wrote.

“Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.”

The report also noted that a new version of Asacub malware, which was first noted in 2015, accounted for more than half of all banking Trojans that attacked users. Over the past two years, attackers have modified its distribution scheme, which resulted in a spike of the malware in 2018, when it was reportedly used to attack 13,000 users a day. Though distribution has since declined, the malware remains a significant threat, with researchers observing Asacub used to target 8,200 users a day on average.

More: https://www.infosecurity-magazine.com/news/mobile-banking-malware-rose-58-in-1/

SikurOS protects WhatsApp against hacker attacks

By: sikur

SikurOS was conceived as a secure and robust operating system for devices that need to provide a higher level of security than what exists in the market today.

Some may say that applying security features directly in the operating system can have an undesirable effect from the usability point of view. However, building protection mechanisms at the points where attackers usually come in seems to be the most appropriate approach. Old-fashioned attacks, such as buffer overflow exploitation, create situations that could easily be mitigated by implementing defenses directly in the operating system. Users’ current favorite apps (such as instant messaging apps), which have massive user bases, suffer from this kind of attack, opening users’ devices to hackers.

Delivering operating-system-based protection while preserving product usability and flexibility seems a hard task, but it became an obsession for the Sikur R&D team. The SIKURPhone was born from this need, which is usually neglected by security solution providers; the concept came out of earlier brainstorms, driven by an innovative mindset of always pursuing excellence and the desire to stay ahead of its time. Putting the product on the front line, not only with users but also with specialized bug bounty programs, confirms Sikur’s commitment to generating high value while guaranteeing its users’ data integrity.


ESET discovers malware that takes full control of e-mail communication

By: TI Inside Online

ESET has discovered LightNeuron, a Microsoft Exchange backdoor that can read, modify or block any e-mail passing through the server, and can even write new messages and send them under the identity of any legitimate user of the attackers’ choosing. The malware is remotely controlled by means of PDF and JPG attachments hidden in messages received by users.

LightNeuron has been targeting Microsoft Exchange e-mail servers since at least 2014. ESET researchers identified three different organizations victimized by the threat, including a ministry of foreign affairs in an Eastern European country and a regional diplomatic organization in the Middle East. In Brazil, however, it is not yet known which organization may have been affected.

LightNeuron is the first known malware to abuse a Microsoft Exchange mechanism. “In the mail server architecture, LightNeuron can operate with the same level of trust as security products such as spam filters. As a result, this malware gives the attacker full control over the mail server and, therefore, over all user communication,” explains Matthieu Faou, the ESET malware researcher who led the investigation.

ESET researchers gathered evidence suggesting that LightNeuron belongs to the Turla espionage group, also known as Snake. This group and its activities are extensively investigated by ESET. “We believe IT security professionals should be aware of this new threat,” says Faou.

To make its command-and-control (C&C) e-mails look innocuous, LightNeuron uses steganography to hide its commands inside valid PDF or JPG images. The ability to control e-mail communication makes LightNeuron a perfect tool for exfiltrating documents and also for controlling other local machines through a C&C mechanism that is very difficult to detect and block.

More: http://tiinside.com.br/tiinside/13/05/2019/

TinyPOS: Handcrafted Malware in Assembly Code

By: Kacy Zurkus

Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.

Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.

Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7kb). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are running old, outdated POS software and hardware, which leaves them exposed to a lot of damage.

The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”

That attackers are targeting POS systems is nothing new, particularly because they collect large amounts of personal data. Because of their vulnerabilities, Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said POS systems have long been a prime target for cyber-criminals.

More: https://www.infosecurity-magazine.com/news/tinypos-handcrafted-malware-in-1/

Five trends for the telecommunications sector in Latin America

By: Hector Silva

Technology and the ways we interact with it are constantly changing. With 2019 already under way, I highlight here five predictions for the technology and telecommunications sectors in Latin America and what we can expect.

Faster and more efficient network operations thanks to intelligent automation

Networks are becoming smarter thanks to more proactive advances in networking. Although many operators in Latin America still rely on legacy processes and work reactively, new technological progress is creating networks and systems capable of predicting failures and making changes without human intervention, even before the problem occurs. This is a fundamental step toward a true Adaptive Network™, which increases efficiency, reduces costs and helps operators achieve the expected results even in the face of constantly changing demand.

Intelligent automation also generates savings in the processes of bringing products to market, which is in itself a major differentiator against the competition. Instead of depending on individuals to identify errors in the system, automated workflows responsible for identifying system errors have already helped Ciena save 67% in operating costs, increase revenue acceleration by 15% and achieve return on investment 5.4 times faster.

First steps toward 5G and slicing the pie

Verizon will be one of the first mobile network operators in the world to offer commercial 5G, still this year. The latest generation of mobile networks will focus on a wide variety of new technologies, among them SDN, NFV, intelligent automation and analytics. One of the main features of 5G will be “slicing” the physical network to guarantee end-to-end network performance for critical services such as smart cities and virtual and augmented reality. Although commercial 5G services in Latin America are years away, the long journey toward 5G can start now with the deployment of the necessary technologies.

Emergency response communication services may receive a “slice of the pie” of 5G to guarantee that these networks never fail. This will be an essential tool for smart cities, since it gives priority to essential services. 5G is believed to be the biggest innovation in the telecommunications sector of the coming decade, and the more operators move today, the easier the transition will be in the future.

Growing need to protect physical data

Latin America has never suffered as many cyber attacks as it did in 2018. Industry executives are beginning to realize the scale of the risk posed by these attacks and other types of malware, and are strengthening their security policies to protect sensitive data. Chile’s main financial institutions were victims of major cyber attacks and lost millions of dollars in the process. Other countries, such as Colombia, Ecuador, Mexico and Venezuela, are increasingly frequent targets of malware attacks: according to an ESET study, 45% of companies in these countries have already been affected.

Discussions around network security and data security should gain even more momentum in 2019, especially regarding the need to develop new network protections. Organizations need to use comprehensive security methods to guarantee the confidentiality, integrity and availability of the data on their networks. To avoid so many cyber threats, it will be necessary to strengthen anti-phishing policies and introduce encryption and other security measures, such as two-factor authentication. Although useful for achieving greater efficiency and optimization, Artificial Intelligence (AI) is also being used by cyber criminals to steal information. At the same time, using the technology at the right points in the network can detect mutations of old malware code and help mitigate attacks. End-to-end encryption will become increasingly important for protecting privacy and securing information, and will be used for all data transferred over fiber-optic networks.

More: http://tiinside.com.br/tiinside/services/20/04/2019/cinco-tendencias

US Government Warns of New North Korean Malware

By: Phil Muncaster

Officials at the US Department of Homeland Security (DHS) have issued another warning about North Korean malware, this time a new variant dubbed “Hoplight.”

The backdoor trojan malware is linked to the notorious Hidden Cobra group, also known as the Lazarus Group.

“This artifact is a malicious PE32 executable. When executed the malware will collect system information about the victim machine including OS version, volume information, and system time, as well as enumerate the system drives and partitions,” the alert warned.

“The malware is capable of the following functions: Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files.”

The malware uses a public SSL certificate for secure communications from South Korean web giant Naver, and employs proxies to obfuscate its activity.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report claimed.

This is the latest in a long line of alerts warning of new North Korean malware, now in the double-digits.

The alert urges IT teams to follow cybersecurity best practices, including keeping systems and AV tools up-to-date and patched, disabling file and printer sharing, enforcing strong passwords, restricting user permissions, scanning for suspicious email attachments and more.

More: https://www.infosecurity-magazine.com/news/us-government-warns-north-korean-1-1/

FIN6 Shifts From Payment Card Theft to Ransomware

By: Scott Ferguson

FIN6, a cybercrime group that has focused on attacking point-of-sale devices to steal credit card numbers, now also is waging ransomware attacks that target businesses with either LockerGoga or Ryuk, according to a new analysis from security firm FireEye.

Since 2016, FIN6 has been stealing credit card data to sell on the darknet to other groups looking to commit fraud. By targeting the hospitality and retail industries, the group is believed to have collected about 20 million payment cards worth $400 million, FireEye reports.

Security researchers at several firms, including IBM, have concluded that FIN6 has ties to Russia.

Now, FIN6 – or at least some members associated with the cybercriminal gang – have begun to switch tactics, deploying ransomware throughout the networks that they are attacking, FireEye researchers note in a blog.

Newer Ransomware Strains

One strain of ransomware that FIN6 is using, according to FireEye, is Ryuk, which was used against the Chicago-based Tribune Publishing company in late 2018. The other is Lockergoga, the ransomware used against the Norwegian firm Norsk Hydro in March, causing at least $40,000 in financial damage. It’s also suspected in other attacks in Europe and the U.S., according to security researchers.

The reason for using these newer strains of ransomware might be that the FIN6 group is attempting to evade security protections that have been put in place to guard against more well-known, widely deployed malware, FireEye tells Information Security Media Group.

“Given that this ransomware is being manually deployed post-compromise and needs only the barest functionality (encrypt files, drop ransom note, evade anti-malware protections), the benefit of using a malware that is largely unknown and for which anti-malware detections are poor likely outweighs the benefit of [using other] well-known ransomware that may be better detected or integrate unnecessary functionality,” FireEye says in a statement provided to ISMG. “FIN6 may believe that Ryuk and LockerGoga have lower prevalence and therefore might be less likely to be detected.”

The report also notes: “FireEye has observed what appears to be a gradual decline in the volume of FIN6-attributable point-of-sale intrusions preceding this shift, but we can definitely not rule out the possibility that this activity is ongoing in parallel. FIN6 typically monetizes intrusions. Targeting payment card data limits the scope of potential targets and requires additional time and resources.”

More: https://www.bankinfosecurity.com/report-fin6-shifts-from-payment-card-theft-to-ransomware-a-12358

Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware

By: Swati Khandelwal

What could be worse than software that is meant to protect your devices leaving backdoors open for hackers, or turning into malware itself?

Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China’s biggest and world’s 4th largest smartphone company, was suffering from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones.

According to Check Point, the reported issues resided in one of the pre-installed applications, called Guard Provider, a security app developed by Xiaomi that bundles three different antivirus programs, allowing users to choose between Avast, AVL, and Tencent.

Since Guard Provider has been designed to offer multiple third-party programs within a single app, it uses several Software Development Kits (SDKs), which according to the researchers is not a great idea, because the data of one SDK cannot be isolated from the others and any issue in one of them could compromise the protection provided by the rest.

“The hidden disadvantages in using several SDKs within the same app lie in the fact that they all share the app context and permissions,” the security firm says.

“While minor bugs in each individual SDK can often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off.”

It turns out that, before receiving the latest patch, Guard Provider was downloading antivirus signature updates over an unsecured HTTP connection, allowing a man-in-the-middle attacker on the same open Wi-Fi network to intercept the device’s network connection and push malicious updates.

More: https://thehackernews.com/2019/04/xiaomi-antivirus-app.html?fbclid=IwAR29C9Pesa–Tw72HK8rsvvSGtqKVFUdb2MOK1iZ4yO6dki1SQT7_j-9TLw&&m=1

Planet Hollywood Owner Suffers Major POS Data Breach

By: Phil Muncaster

Earl Enterprises, the parent company of Planet Hollywood and other US restaurant chains, has admitted suffering a 10-month breach of customer payment card data.

The firm said in a notice on Friday that hackers installed POS malware at a number of restaurants including those operating under the brand names Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.

“The malicious software was designed to capture payment card data, which could have included credit and debit card numbers, expiration dates and, in some cases, cardholder name,” it explained.

“Although the dates of potentially affected transactions vary by location, guests that used their payment cards at potentially affected locations between May 23, 2018 and March 18, 2019 may have been affected by this incident. Online orders paid for online through third-party applications or platforms were not affected by this incident.”

There was no indication from the hospitality firm how many customers had been affected, but reports suggest it could be over two million.

Security researcher Brian Krebs has claimed that the breach is linked to the appearance of 2.15 million stolen cards on the dark web back in February.

More: https://www.infosecurity-magazine.com/news/planet-hollywood-owner-major-pos-1/

Israeli Fintech Firms Targeted by Cardinal RAT Malware

By: Kevin Jones

According to a blog post from Unit 42, the threat research department of cyber security company Palo Alto Networks, published on March 19, an upgraded version of the Cardinal RAT malware is targeting Israeli fintech companies that work with forex and crypto trading.

Cardinal RAT has been identified since April 2017 when examining attacks against two Israel-based fintech companies engaged in developing forex and crypto trading software. Per the report, Unit 42 first encountered an older version of the malware in question; the software is a Remote Access Trojan (RAT) that allows the attacker to remotely take control of the system.

This updated malware hinders analysis and evades detection. The researchers describe the elaborate techniques employed by the malware, though the payload does not vary significantly from the original in terms of modus operandi or capabilities.

The malware acts as a reverse proxy and collects victim data, executes commands, updates its settings, and can even uninstall itself. It also recovers passwords, logs keypresses, downloads and executes files, captures screenshots, updates itself and cleans cookies from browsers. Unit 42 noted that the malware’s attacks target organizations engaged in forex and crypto trading and based in Israel.

A possible connection between Cardinal RAT and a JavaScript-based malware called EVILNUM was also discovered. The research team believes EVILNUM is used in attacks on similar organizations: Unit 42 reportedly identified it when looking at files submitted by the same customer, which suggests that this malware, too, is used in attacks against fintech organizations.

More: https://hackercombat.com/israeli-fintech-firms-targeted-by-cardinal-rat-malware/