POS Firm Hacked, Malware Deployed at 130+ Outlets

By: Phil Muncaster

A Point of Sale (POS) solutions provider has revealed it was hacked last month, leading to data-slurping malware being placed on the networks of multiple clients across the US.

Minnesota-based North Country Business Products said in an updated notice this week that the incident may have resulted in the theft of card data from customers at over 130 locations.

Among the list of businesses affected are a significant number of Dunn Brothers Coffee, Zipps Sports Grill and Someburros outlets.

“On January 4, 2019, North Country learned of suspicious activity occurring within certain client networks. North Country immediately launched an investigation, working with third-party forensic investigators to determine the nature and scope of the event,” it revealed.

“On January 30, 2019, the investigation determined that an unauthorized party was able to deploy malware to certain of North Country’s business partners’ restaurants between January 3, 2019, and January 24, 2019, that collected credit and debit card information. Specific information potentially accessed includes the cardholder’s name, credit card number, expiration date, and CVV.”

It should be noted that not all of the locations listed were affected for the full 22 days.

It’s unclear exactly how the hackers breached North Country’s systems initially, or what POS malware strain was used to infect the networks of its clients.

More: https://www.infosecurity-magazine.com/news/pos-firm-hacked-malware-deployed-1/

Huddle House hit with point-of-sale data breach

By: Doug Olenick

The Huddle House restaurant chain reported it has closed a point-of-sale data breach that existed at one of its third-party vendors from August 2017 until now.

The malware resided on a third-party system and exposed payment card information at some of the chain’s corporate and franchised locations. The company became aware of the situation when it was informed by law enforcement and its credit card processor that some of the locations were infected with malware. The information possibly involved includes cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code.

“Criminals compromised a third-party point of sale (POS) vendor’s data system and utilized the vendor’s assistance tools to gain remote access—and the ability to deploy malware—to some Huddle House corporate and franchisee POS systems,” the company said in a statement.

At this time Huddle House does not know how many people nor which locations were affected, but it is warning customers who used a payment card at any of its locations from August 1, 2017, to today that their information may be at risk.

More: https://www.scmagazine.com/home/security-news/data-breach/huddle-house-hit-with-point-of-sale-data-breach/

Alcatel Smartphone Pre-Installed App Infected with Malware

By: Julia Sowells

An official Alcatel app, available through Google Play Store, has been found to be malware infected.

The malware was found in a pre-installed weather app on Alcatel smartphones. ZDNet reports, “A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs.”

The infected app is the “Weather Forecast-World Weather Accurate Radar” app, which has been developed by Chinese firm TCL Corporation, which owns the Alcatel, Blackberry and Palm brands. TCL Corporation installs “Weather Forecast-World Weather Accurate Radar” as a default app on Alcatel smartphones. It’s also available, for all Android users, on Google Play Store; reports say that it has been downloaded and installed over 10 million times. It was last year that the app got infected.

The ZDNet report details, “But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week.”

The infection was detected by researchers at UK-based mobile security firm Upstream during July-August 2018, when they found suspicious traffic originating from Alcatel smartphones belonging to their customers.

A recent report by Upstream reads, “Over July and August 2018, through Secure-D, we observed a higher than usual number of transaction attempts in Brazil and Malaysia coming from a series of Alcatel Android smartphones (Pixi 4 and A3 Max models). Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil & Malaysia.”

It further explains, “This com.tct.weather Android application is pre-installed on many Alcatel devices and is also available for download on Google Play. It provides “accurate forecasts and timely local weather alerts”. It has been downloaded by more than 10,000,000 users from Google Play. Similar transaction attempts coming from Alcatel devices and the application com.tct.weather were also blocked in Nigeria, South Africa, Egypt, Kuwait and Tunisia.”

More: https://hackercombat.com/alcatel-smartphone-pre-installed-app-infected-with-malware/

GandCrab ransomware and Ursnif virus spreading via MS Word macros

By: Swati Khandelwal

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware.

Though both malware campaigns appear to be the work of two separate cybercriminal groups, they share many similarities. Both attacks start with phishing emails containing an attached Microsoft Word document embedded with malicious macros, and then use PowerShell to deliver fileless malware.

Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors.

Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware on the market, encrypts files on an infected system and demands that victims pay a ransom in digital currency to unlock them. Its developers ask for payment primarily in DASH, which is more difficult to track.

MS Docs + VBS macros = Ursnif and GandCrab Infection

The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.

If successfully executed, the malicious VBS macro runs a PowerShell script, which then uses a series of techniques to download and execute both Ursnif and GandCrab on the targeted systems.

More: https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html

Crypto-Mining, Banking Trojans Top Malware Threats

By: Kacy Zurkus

Crypto-mining malware has again topped the threat index, with Coinhive holding strong in the number one malware threat for the 13th consecutive month, according to the latest Global Threat Index for December 2018, published by Check Point.

The threat index looks at the most common active malware variants and trends as cyber criminals evolve toward crypto-mining and multipurpose malware.

A second-stage downloader, SmokeLoader, first identified back in 2011, jumped to ninth place on the December top-10 list. “After a surge of activity in the Ukraine and Japan, its global impact grew by 20. SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker,” according to a press release.

“December’s report saw SmokeLoader appearing in the top 10 for the first time. Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between crypto-miners and malware that uses multiple methods to distribute numerous threats,” said Maya Horowitz, threat intelligence and research group manager at Check Point.

“The diversity of the malware in the Index means that it is critical that enterprises employ a multilayered cybersecurity strategy that protects against both established malware families and brand new threats.”

More: https://www.infosecurity-magazine.com/news/crypto-mining-banking-trojans-top/

Hundreds of Thousands Download Spyware from Google Play

By: Ionut Arghire

Hundreds of thousands of users ended up with spyware on their devices after downloading seemingly legitimate applications from Google Play, Trend Micro security researchers have discovered. 

Detected as MobSTSPY, the malware, which can gather various information from the victims, isn’t new. For distribution, its operators chose to masquerade the threat as legitimate Android applications and submit them to Google Play.

Trend Micro discovered a total of six such applications, including FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, Flappy Bird, and Flappy Birr Dog. Available for download on Google Play in 2018, some of these were downloaded over 100,000 times by users from all over the world.

Once one of these applications has been installed on the victim’s device, the spyware can proceed to steal information such as SMS conversations, call logs, user location, and clipboard items. The malware sends the collected information to the attacker’s server using Firebase Cloud Messaging.

Upon initial execution, the malware checks the device’s network availability, after which it reads and parses an XML configuration file from its command and control (C&C) server. Next, it collects information such as language used on the device, registered country, package name, manufacturer, etc.

The information is then sent to the C&C server for registration purposes. After this step has been completed, the malware waits for the server to send over commands to execute.

Based on the received commands, the spyware can not only steal SMS messages and call logs, but can also retrieve contact lists and files found on the device.

The malware can also perform a phishing attack to gather credentials from the infected device, the security researchers discovered. It can display fake Facebook and Google pop-ups, thus tricking the user into revealing their account details.

After the user provides the credentials, a fake pop-up informs them the log-in was unsuccessful, but at this point the malware has already stolen the credentials.

“Part of what makes this case interesting is how widely its applications have been

More: https://www.securityweek.com/hundreds-thousands-download-spyware-google-play

Suspected Ransomware Outbreak Disrupts US Newspapers

By: Mathew J. Schwartz


Tribune Media Suspects Ryuk Ransomware Hit Publishing and Production Systems

Production of newspapers owned by Chicago-based Tribune Publishing has been disrupted after malware began infecting the company’s publishing and printing systems.

Multiple sources quoted by Tribune newspapers have suggested that the malware infection, which began late on Thursday, involved ransomware known as Ryuk, which may tie to North Korean operators. But security experts say it’s far too soon to label Tribune’s ransomware outbreak as anything more than an opportunistic infection, and note that anyone can potentially obtain and use malware, irrespective of their identity, political affiliation or other motivations (see Stop the Presses: Don’t Rush Tribune Ransomware Attribution).

Tribune Publishing says the malware infection, which it discovered on Friday, compromised no financial information and had no impact on its websites, but did disrupt systems that it uses to publish and print its newspapers. All of its newspapers were affected.

“This issue has affected the timeliness and in some cases the completeness of our printed newspapers,” Tribune Publishing spokeswoman Marisa Kollias said in a statement released on Saturday, the Chicago Tribune reported. “Our websites and mobile applications however, have not been impacted.”

Kollias said the company is “making progress” with restoring systems. “There is no evidence that customer credit card information or personally identifiable information has been compromised,” she said.

Formerly known as Tronc, Tribune Publishing owns the Chicago Tribune, as well as Chicago suburban newspapers Lake County News-Sun and Post-Tribune; Los Angeles Times; The Baltimore Sun; the New York Daily News; Hartford Courant; Orlando Sentinel; the Capital Gazette in Annapolis, Maryland; The Morning Call in Allentown, Pennsylvania; and in Virginia, the Daily Press in Newport News, and The Virginian-Pilot in Norfolk.

More: https://www.bankinfosecurity.com/suspected-ransomware-outbreak-disrupts-us-newspapers-a-11911

Attackers Connect with Malware via Malicious Memes

By: Kacy Zurkus

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro.

Cyber-criminals are using the social site as an unwilling conduit through which the malware communicates with its mothership, relying on steganography, a tactic that hides a payload inside an image in order to evade detection. The payload also instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled. Twitter has already taken the account offline as of December 13, 2018,” the blog said.

In late October, the malware authors posted malicious memes in two separate tweets. The malware listens for commands embedded in memes posted from a Twitter account run by the malware operator. Once the memes are downloaded from the Twitter account onto the victim’s machine, the malware parses them for commands, so that the account effectively acts as the command-and-control (C&C) service for the malware, according to Zahravi.

More: https://www.infosecurity-magazine.com/news/attackers-connect-with-malware-via/

New Shamoon Malware Variant Targets Italian Oil and Gas Company

By: Swati Khandelwal

Shamoon is back. One of the most destructive malware families, which caused damage to Saudi Arabia’s largest oil producer in 2012, has this time targeted energy sector organizations primarily operating in the Middle East.

Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, but also in India and Scotland.

Saipem admitted Wednesday that the computer virus used in the latest cyber attack against its servers is a variant of Shamoon, disk-wiping malware that was used in some of the most damaging cyber attacks in history, against Saudi Aramco and RasGas Co Ltd, and destroyed data on more than 30,000 systems.

The cyber attack against Saudi Aramco, which is the biggest customer of Saipem, was attributed to Iran, but it is unclear who is behind the latest cyber attacks against Saipem.

Meanwhile, Chronicle, Google’s cybersecurity subsidiary, has also discovered a file containing a Shamoon sample that was uploaded to the VirusTotal file-analysis service on 10th December (the very same day Saipem was attacked) from an IP address in Italy, where Saipem is headquartered.

However, Chronicle was not sure who created the newly discovered Shamoon samples or who uploaded them to the virus scanning site.

More: https://thehackernews.com/2018/12/shamoon-malware-attack.html?m=1

Latin America records 3.7 million malware attacks per day, says Kaspersky Lab

By: TI Inside Online

Kaspersky Lab recorded a 14.5% increase in malware attacks in Latin America over the last 12 months compared with 2017, which means an average of 3.7 million attacks per day and more than 1 billion over the year. Among the countries with the highest growth, Argentina is in first place with a 62% increase, followed by Peru (39%) and Mexico (35%). “The results show that the whole region has experienced a considerable volume of cyberthreats, the vast majority focused on stealing money,” says Fabio Assolini, senior security analyst at Kaspersky Lab.

Beyond malware, Kaspersky Lab blocked more than 70 million phishing attacks in Latin America between November 2017 and November 2018; the daily average is 192 thousand attacks, a 115% increase compared with the previous period (November 2016 to November 2017). The ranking of the countries most attacked by phishing is different this year: Brazil lost the lead and now ranks third, with a 110% increase. Mexico (120%) is in first place and Colombia (118%) second.

Phishing and vulnerability

The constant rise in the number of phishing attacks is one of the main causes of account compromise. Users who click on suspicious links very often hand over personal information and login credentials. Data breaches have become common and worrying, since people reveal not only a great deal of information about themselves but also credit card and bank account details. Once criminals hold these, breaches and unauthorized access are the least of the problems; the bigger one is financial damage, because the first thing the cybercriminal will do is try to make purchases in the victim’s name.

“Incidents like these serve as a big step toward some important changes in privacy policies and in people’s behavior regarding the data they share,” says Assolini. “It is very common for users to reuse the same passwords on different sites, and the cybercriminal will test the combination on all the most popular services and social networks. When information is leaked, the first and most important action is to change the passwords on other logins, even if those have not been compromised.”

Countries

Although Argentina, Brazil, Chile, Colombia, Mexico and Peru are all part of Latin America and are targeted by different cybercriminals, it must be understood that the scams have developed differently in each country. In Argentina, the Prilex case resurfaced when a tourist traveled to Brazil and had his credit card cloned. “The first time we identified this group was in an attack on ATMs aimed at banks, mainly in Brazil. Later, the group shifted its efforts to point-of-sale systems developed by Brazilian vendors, cloning credit cards, which allowed the creation of a fully functional new scam, enabled even for transactions protected by chip and PIN,” explains Assolini.