Mining cryptocurrencies is a costly investment because it takes an enormous amount of computing power, so hackers have started using malware that steals the computing resources of the machines it hijacks to earn large sums in digital currency.
Security researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals make more than $63,000 worth of Monero (XMR) in just three months.
According to a report published by ESET today, the cybercriminals merely modified legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers.
Although ESET's investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like cryptocurrency.
The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0—the web server in Windows Server 2003 R2.
Therefore, the hackers are only targeting unpatched machines running Windows Server 2003 to make them part of a botnet, which has already helped them make over $63,000 worth of Monero.
Since the vulnerability is in a web server, which is meant to be visible from the internet, it can be reached and exploited by anyone.
Monero has a total market valuation of about $1.4 billion, far behind Bitcoin in market capitalisation, but cybercriminals favour it because of its focus on privacy.
Unlike Bitcoin, Monero offers untraceable transactions and is an anonymous cryptocurrency.
If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly.
One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity.
Dubbed CovertBand, the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall.
The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistants and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio source.
The attack involves remotely hijacking smart devices to play music embedded with repeating pulses that track a person's position, body movements, and activities both near the device and through walls.
To do so, the attackers would first trick victims into installing a third-party Android app on their smart device; the app does not require rooting.
Once installed, the malicious app secretly uses the AudioTrack API to play acoustic signals at 18-20 kHz that act as a sonar, and to mask this high-frequency sound, the app 'covers' CovertBand's pulses by playing songs or other audio clips over them.
These sound waves bounce off people and objects, and the reflections are picked up by a microphone.
The app then uses the AudioRecord API to record the signals simultaneously on two microphones to achieve 2D tracking. The recorded data is then received by the attacker on a laptop over Bluetooth for offline processing.
Since the attack requires access only to a speaker and microphone, an attacker could leverage a lot of smart devices that already exist in the victim's home to spy on unsuspecting targets.
"A remote adversary who compromises one of these [smart] devices, perhaps via a Trojan application in an app store or via a remote exploit, could use our methods to remotely glean information about an individual's home activities. An attacker could also find more surreptitious ways to execute such an attack," said the researchers.
"For example, a streaming music app with voice control has all the permissions (speaker and microphone) needed to execute our attack. As a simple example, an attacker could utilise the advertising library embedded inside a music application to determine whether the user is near the phone when an ad is played."
The researchers demonstrated how the CovertBand attack could potentially enable an attacker to differentiate between different types of people's movements even when they are in different body positions and orientations.
The researchers' experiment specifically focuses on two classes of motion:
According to the research paper [PDF], these motions can be distinguished by looking at the spectrograms, and are sufficient to potentially enable privacy leakage.
"For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and (2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target's culture and cultural norms or might vary depending on the target's public visibility, e.g., celebrity status or political status," the research paper reads.
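As an added, defender-side illustration (not code from the CovertBand paper or its authors), the following pure-Python monitor flags audio frames in which the 18-20 kHz band carries an unexpectedly large share of the energy, and only raises an alert when that persists over several consecutive frames, the kind of check a device-side audio watchdog could run; the sample rate, frame size, threshold and the constructed test audio are assumptions.

```python
"""Flag sustained near-ultrasonic (18-20 kHz) energy in PCM audio.

Pure Python: a Goertzel recurrence per DFT bin stands in for an FFT so
the script runs without numpy. All parameters below are assumptions."""
import math

RATE = 44100            # assumed sample rate of the captured audio (Hz)
FRAME = 2048            # analysis window, about 46 ms at 44.1 kHz
BAND = (18000, 20000)   # band the article says the sonar pulses occupy (Hz)


def goertzel_bin_power(frame, k):
    """Return |X_k|^2 for DFT bin k of `frame` via the Goertzel recurrence."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_energy_ratio(frame, band=BAND, rate=RATE):
    """Fraction of the frame's energy inside `band`, in 0.0..1.0.

    Parseval: the sum over all bins of |X_k|^2 equals n * sum(x^2); the
    factor 2 accounts for the mirrored negative-frequency bins."""
    n = len(frame)
    total = n * sum(x * x for x in frame)
    if total == 0.0:
        return 0.0                      # silent frame: nothing to judge
    k_lo = math.ceil(band[0] * n / rate)
    k_hi = math.floor(band[1] * n / rate)
    in_band = sum(goertzel_bin_power(frame, k) for k in range(k_lo, k_hi + 1))
    return min(1.0, 2.0 * in_band / total)


def flag_frames(samples, threshold=0.05, frame=FRAME):
    """Per-frame flags: True where the 18-20 kHz share exceeds `threshold`."""
    return [band_energy_ratio(samples[i:i + frame]) > threshold
            for i in range(0, len(samples) - frame + 1, frame)]


def sustained_run(flags, min_run=3):
    """True if at least `min_run` consecutive frames are flagged; a single
    flagged frame (a cymbal hit, a click) is not treated as a beacon."""
    run = 0
    for flagged in flags:
        run = run + 1 if flagged else 0
        if run >= min_run:
            return True
    return False


def make_audio(n_frames, pulse_frames, cover_hz=440.0, pulse_hz=19000.0):
    """Constructed sample: a 440 Hz 'cover' tone with a 19 kHz tone added
    during the frames listed in `pulse_frames` (stand-in for sonar pulses)."""
    out = []
    for f in range(n_frames):
        for i in range(FRAME):
            t = (f * FRAME + i) / RATE
            x = 0.5 * math.sin(2 * math.pi * cover_hz * t)
            if f in pulse_frames:
                x += 0.2 * math.sin(2 * math.pi * pulse_hz * t)
            out.append(x)
    return out


if __name__ == "__main__":
    audio = make_audio(6, pulse_frames={2, 3, 4})
    flags = flag_frames(audio)
    print(flags, "sustained:", sustained_run(flags))
```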
New documents leaked by former NSA contractor Edward Snowden have exposed a secretive United States facility near a remote town in Australia's Northern Territory that covertly monitors wireless communications and aids US military missions.
The leaked documents have come from the massive trove of classified material stolen by Snowden from the US National Security Agency (NSA) in 2013 that exposed the extent of the US government's global surveillance programs.
The newly released classified documents, obtained by The Intercept, contain references to a secretive facility codenamed "Rainfall," officially known as the Joint Defence Facility Pine Gap.
The documents reveal that the Joint Defence Facility Pine Gap, located outside Alice Springs, deployed cutting-edge satellite technology for detailed geolocation intelligence that helps the US military locate targets for special forces and drone strikes.
The use of unmanned air vehicles, generally known as drones, by the U.S. military has previously been blamed for hundreds of civilian deaths in countries like Pakistan, Afghanistan, Yemen, Syria, and Somalia.
As outlined in a secret intelligence document, Pine Gap's aim is to "support the national security of both the U.S. and Australia. The [facility] contributes to verifying arms control and disarmament agreements and monitoring military developments."
However, in reality, Pine Gap has a far broader mission and more powerful capabilities than the Australian or U.S. government has ever publicly acknowledged.
Pine Gap finds Targets for U.S. Drone Strikes
The satellites used by Pine Gap are described as "geosynchronous"—likely positioned high in orbit, over 20,000 miles above the earth's surface—and are equipped with powerful surveillance technology to monitor wireless communications on the ground, such as those sent and received by mobile phones, radios, and satellite uplinks.
According to the leaked documents, these satellites collect "strategic and tactical military, scientific, political, and economic communications signals," keep an eye on any missile or weapon tests in targeted countries, steal intel from foreign military data systems, and provide surveillance support to United States forces.
One of the secret NSA documents analysed by the Australian Broadcasting Corporation (ABC) suggests that the facility's role is not only to collect signals, but also to analyse them, as it "detects, collects, records, processes, analyses and reports" on almost everything—from surface-to-air missiles to anti-aircraft artillery and fighter aircraft.
One mission even pilfered communications from the former Soviet Union, China, East Asia, South Asia, the Middle East, Eastern Europe, and territories in the Atlantic Ocean.
In 2013, the Sydney Morning Herald reported that Pine Gap played a major role in controversial U.S. drone strikes, which had also resulted in the deaths of hundreds of innocent civilians.
Trump Administration Doubled the Drone Strikes
Richard Tanter, the University of Melbourne’s professor who has previously studied Pine Gap, told the publication that "Pine Gap will be contributing hugely in real-time to those operations, as well as in preparation for them."
"So whether or not the Australian government thinks that an attack on North Korea is either justified or a wise and sensible move, we will be part of that. We'll be culpable in terms of the consequences," Tanter asserted.
Under the Trump administration, drone strikes and special operations raids have doubled, while the battlefield rules meant to prevent civilian deaths in such air attacks have simultaneously been loosened.
However, David Rosenberg, who worked inside Pine Gap as a team leader of weapon signals analysis for at least 18 years until 2008, confirms the facility's geolocation capability, claiming that preventing civilian casualties is a high priority.
"One thing I can certainly tell you the governments of Australia, and the United States would, of course, want to minimise all civilian casualties," Rosenberg says. "Pine Gap does help to provide limitation of civilian casualties by providing accurate intelligence."
It is not at all surprising to see Australia working closely with its U.S. counterparts on global surveillance, since it is a key member of the "Five Eyes" alliance—alongside the US, UK, New Zealand and Canada—whose members openly share secret intelligence reports with one another.
A SQL injection vulnerability has been discovered in one of the most popular WordPress plugins, installed on over 300,000 websites, which could be exploited by hackers to steal databases and possibly hijack the affected sites remotely.
The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information related to the number of users online on their sites, the number of visits and visitors, and page statistics.
Discovered by the Sucuri team, the WP Statistics WordPress plugin is vulnerable to a SQL injection flaw that allows a remote attacker with at least a subscriber account to steal sensitive information from the website's database and possibly gain unauthorized access to the website.
SQL injection is a web application bug that allows hackers to inject malicious Structured Query Language (SQL) code into web inputs in order to determine the structure and location of key databases, which eventually allows the database to be stolen.
The SQL injection vulnerability in the WP Statistics plugin resides in multiple functions, including wp_statistics_searchengine_query().
"This vulnerability is caused by the lack of sanitization in user-provided data," researchers said. "Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized."
"One of the vulnerable functions wp_statistics_searchengine_query() in the file 'includes/functions/functions.php' is accessible through WordPress' AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode()."
This function does not check for additional privileges, which allows website subscribers to execute this shortcode and inject malicious code into its attributes.
The researchers at Sucuri privately disclosed the flaw to the WP Statistics team, which has patched the vulnerability in its latest release, WP Statistics version 12.0.8.
So, if you have a vulnerable version of the plugin installed and your website allows user registration, you are definitely at risk, and you should install the latest version as soon as possible.
A critical vulnerability has been discovered in Systemd, the popular init system and service manager for Linux operating systems, that could allow remote attackers to potentially trigger a buffer overflow to execute malicious code on the targeted machines via a DNS response.
The vulnerability, designated as CVE-2017-9445, actually resides in the 'dns_packet_new' function of 'systemd-resolved,' a DNS response handler component that provides network name resolution to local applications.
According to an advisory published Tuesday, a specially crafted malicious DNS response can remotely crash the 'systemd-resolved' program when the system tries to look up a hostname on an attacker-controlled DNS service.
A large DNS response then overflows the buffer, allowing an attacker to overwrite memory, which can lead to remote code execution.
This means attackers can remotely run any malware on the targeted system or server via their malicious DNS service.
"In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small," explains Chris Coulson, Ubuntu developer at Canonical.
"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it."
This vulnerability has been present since Systemd version 223, released in June 2015, all the way through to and including Systemd version 233, released in March this year.
Of course, systemd-resolved must be running on your system for it to be vulnerable.
The bug is present in Ubuntu versions 17.04 and version 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.
Security patches have been rolled out to address the issue, so users and system administrators are strongly recommended to install them and update their Linux distros as soon as possible.
WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating system.
Dubbed OutlawCountry, the project allows CIA hackers to redirect all outbound network traffic on the targeted computer to CIA-controlled computer systems in order to exfiltrate and infiltrate data.
The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system; it creates a hidden Netfilter table with an obscure name on the target Linux system.
"The new table allows certain rules to be created using the "iptables" command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed," CIA's leaked user manual reads.
Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system.
However, there are some limitations to using the tool, such as the fact that the kernel modules only work with compatible Linux kernels.
"OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain," WikiLeaks says.
Security researchers have discovered a macOS malware program that’s likely part of the arsenal used by the Russian cyberespionage group blamed for hacking into the U.S. Democratic National Committee last year.
The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent.
X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan.
It’s not entirely clear how the malware is being distributed because the Bitdefender researchers only obtained the malware sample, not the full attack chain. However, it’s possible a macOS malware downloader dubbed Komplex, found in September, might be involved.
Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted webpages.
Palo Alto Networks noted similarities between the Komplex downloader and a variant of the Carberp Trojan that APT28 is also known to have used. The command-and-control domain names used by the Trojan had also been associated with APT28’s activity.
The new X-Agent macOS version uses very similar domain names to the Komplex Trojan, with only their TLD different, the Bitdefender researchers said. There are also identical project path strings inside both the Komplex and X-Agent samples, suggesting they were created by the same author.
The X-Agent malware can load additional modules, which the Bitdefender researchers are still investigating. So far, they’ve found functionality that allows attackers to probe the system for hardware and software configurations, grab a list of running processes, execute additional files, get desktop screenshots, and harvest browser passwords. One module is designed to search for and steal iPhone backups stored on Macs, which can contain further sensitive information about the targeted users.
“Our past analysis of samples known to be linked to the APT28 group shows a number of similarities between the Xagent component for Windows/Linux and the macOS binary that currently forms the object of our investigation,” the Bitdefender researchers said in a blog post. “For one, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”
APT28 is considered to be one of the most sophisticated and successful cyberespionage groups in the world and it frequently uses zero-day exploits—exploits for previously unknown vulnerabilities. The group has been blamed for many hacking operations around the world over the years, and its selection of targets has frequently reflected Russia’s geopolitical interests. Security researchers believe that the group is likely tied to the Russian Military Intelligence Service (GRU).
It was a busy week in security, but aren’t they all these days! It’s always something when yet another Yahoo hack ends up somehow not even cracking the top news.
What did? With the recent Customs and Border Patrol crackdown, we offered a guide on how to enter the US with your digital privacy intact. Privacy was on Edward Snowden’s mind as well, as he starts his new gig as the president of the Freedom of the Press Foundation, helping protect journalists from snooping spies. One thing that should help? Popular encrypted chat app Signal added video this week, although it comes with a potential privacy tradeoff.
Secrecy was a central issue in the White House this week as well. Encrypted apps like Confide and Signal are helping staffers leak, but also may be helping them break the law. One thing that’s certain? Leaks themselves are as American as apple pie. Although secrecy still has its place; for instance, it’s probably not ideal to hold high-level national security conversations in full view in the Mar-a-Lago resort dining room https://stag-komodo.wired.com/2017/02/trump-north-korea-scif/.
Not everything touched on politics this week, thank goodness. IBM introduced a cybersecurity-focused voice assistant, called Havyn, that an 11-year-old helped invent. A chip-level flaw leaves millions of devices exposed to previously innocuous bugs. And if you’re using an Android app to control your car, well, read this quick-like.
And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
British police have arrested two men in the UK for conspiring to hack into the computer networks of US tech giant Microsoft with plans to steal customers’ data from the software giant.
The suspects — a 22-year-old from Sleaford and a 25-year-old from Bracknell — were arrested by detectives from Britain's South East Regional Organised Crime Unit (SEROCU) on Thursday morning (22 June 2017).
The UK authorities arrested them at their homes in Lincolnshire and Bracknell and seized a number of devices after searching the properties.
While it is still unclear what systems were targeted, SEROCU believes the suspects are part of a larger international group that broke into Microsoft's network between January 2017 and March 2017 to scoop up customer information.
"This group is spread around the world and therefore the investigation is being coordinated with our various partners," Rob Bryant, detective sergeant in SEROCU's Cyber Crime Unit, said while announcing the arrests. "We have made two arrests in the UK this morning and have seized a number of devices."
"We're still in the early stages of this investigation and will work with our partners to ensure that cyber criminals have no place to hide. It's too early to speculate on what information the group has accessed, however, after speaking with Microsoft we can confirm they didn't gain access to customer information."
Both suspects, whose identities have not yet been revealed by the police, are currently in custody and have been charged under Britain's Computer Misuse Act with conspiracy to gain "unauthorised access" to protected computers belonging to Microsoft.
In response to the arrests, Tom Burt, Microsoft VP and deputy general counsel of the Digital Crimes Unit, released a statement to the BBC, saying:
"Today's action by authorities in the UK represents an important step...Stronger internet security depends on the ability to identify and prosecute cybercriminals. This requires not only a strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement."
"No company is immune from cybercrime. No customer data was accessed, and we're confident in the integrity of our software and systems. We have comprehensive measures in place to prevent, detect, and respond to attacks."
SEROCU officials said they are working with Europol, the NCA's National Cyber Crime Unit, the FBI, the East Midlands Special Operations Unit (EMSOU), and Microsoft's cyber team to investigate the intrusions and bring the culprits to justice.