New Virus Decides If Your Computer Is Good for Mining or Ransomware

Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, choosing, based on the system's configuration, whichever of the two schemes is likely to be more profitable.

Ransomware locks your computer and prevents you from accessing your encrypted data until you pay a ransom for the decryption key, whereas cryptocurrency miners use the infected system's CPU power to mine digital currency.

Both ransomware and cryptocurrency-mining attacks have been top threats so far this year, and they share several traits: both are unsophisticated attacks, carried out for money against untargeted users, and both involve digital currency.

However, since locking a computer for ransom does not guarantee a payout if the victim has nothing essential to lose, in recent months cybercriminals have shifted toward covert cryptocurrency mining as a way of extracting money from victims' computers.

Researchers at Russian security firm Kaspersky Lab have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency-mining capability as well.

Written in Delphi, the Rakhni malware is spread via spear-phishing emails carrying an MS Word attachment which, if opened, prompts the victim to save the document and enable editing.

The document contains a PDF icon which, if clicked, launches a malicious executable on the victim's computer; on execution it immediately displays a fake error message claiming that a system file required to open the document is missing.

How the Malware Decides What To Do

In the background, meanwhile, the malware runs a series of anti-VM and anti-sandbox checks to decide whether it can infect the system without being detected. If all conditions are met, it performs further checks to choose the final infection payload, i.e., ransomware or miner.

1.) Installs ransomware: if the target system has a 'Bitcoin' folder under AppData.
Before encrypting files with the RSA-1024 algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note as a text file.

2.) Installs a cryptocurrency miner: if the 'Bitcoin' folder does not exist and the machine has more than two logical processors.
If the system is infected with the miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) in the background.

Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated, in an attempt to disguise the miner as a trusted process.

3.) Activates a worm component: if there is no 'Bitcoin' folder and just one logical processor.
This component copies the malware to all computers on the local network via shared resources.

"For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user," the researchers note.

Regardless of which payload is chosen, the malware checks whether any process from a list of antivirus products is running. If no AV process is found, it runs several cmd commands in an attempt to disable Windows Defender.

What's More? There's a Spyware Feature as Well

"Another interesting fact is that the malware also has some spyware functionality – its messages include a list of running processes and an attachment with a screenshot," the researchers say.

This malware variant primarily targets users in Russia (95.5%), while a small number of infections have been observed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

The best way to avoid becoming a victim of such attacks in the first place is never to open suspicious files or links received by email. Also, maintain a good backup routine and keep your anti-virus software up to date.

Source: TheHackerNews


Samsung Messages bug may share your entire gallery without permission

Users of Samsung's Messages app are facing a strange issue. Several have confirmed that their entire photo galleries were sent to a random contact, and the alarming part is that the process left no trace on the phone (the sent photos did not show up in the sender's message history).

So... S9s have been sporadically sending the entire contents of one's gallery to a contact via SMS, and it doesn't show up on your side. Might be worth checking logs on your carrier's site, because it happened on my T-Mobile Note8

Last night around 2:30 am, my phone sent her my entire photo gallery over text, but there was no record of it in my messages app. However, there was a record of it in the T-Mobile logs. Why would this happen?

It's been confirmed to be the Samsung Messages app

The bug reportedly appeared after the latest update of the Samsung Messages app. So regardless of which Samsung device you use or which carrier you are on, you are affected if you have the update.

The only workaround currently available is to deny storage access to the app, something which you can do by heading to Settings -> Apps -> Samsung Messages -> Permissions -> Storage. There's no word from Samsung on the matter so far.


Source: GSMArena


Unpatched WordPress Flaw Gives Attackers Full Control Over Your Site

Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.

Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.

The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes the thumbnail of an uploaded image.

The researchers found that the thumbnail delete function accepts unsanitized user input which, if tampered with, lets a user with privileges of at least Author delete any file on the web host, an action that should be reserved for server or site administrators.

The requirement for at least an Author account reduces the severity of the flaw to some extent; it could still be exploited by a rogue content contributor or by an attacker who obtains an author's credentials through phishing, password reuse, or other attacks.

The researchers say an attacker can use the flaw to delete critical files such as ".htaccess", which usually holds security-related configuration, in an attempt to disable protections.

Besides this, deleting "wp-config.php", one of the most important configuration files in a WordPress installation and the one that holds the database connection information, could force the entire website back to the installation screen, allegedly allowing the attacker to reconfigure the site from the browser and take it over completely.

It should be noted that although the attacker cannot read the contents of wp-config.php to learn the existing database name, MySQL username, and password, they can instead re-run the setup for the targeted site against a remote database server under their control.

Once complete, the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.

"Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server," researchers say.

In a proof-of-concept video published by the researchers, the vulnerability worked as described and forced the site back to the installation screen.

For now, site administrators need not panic: a hotfix provided by the researchers can be applied manually.

We expect the WordPress security team will patch this vulnerability in the upcoming version of its CMS software.
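
The pattern the researchers describe, shown in Python as an added illustration rather than WordPress's own code or the researchers' hotfix: an unsafe join of the stored thumbnail name onto the uploads directory, beside a hardened resolver that reduces the name to a bare filename and refuses anything that does not stay inside that directory. The uploads path and the sample thumbnail values are constructed.

```python
import os
from typing import Optional

# Constructed paths for the demo; a real WordPress install reads the uploads
# directory from wp_upload_dir() and the thumbnail name from attachment metadata.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"


def vulnerable_thumb_path(uploads_dir: str, thumb: str) -> str:
    """The unsafe pattern: join the stored 'thumb' value onto the uploads directory
    as-is, so '../' segments planted in the metadata walk out of it."""
    return os.path.normpath(os.path.join(uploads_dir, thumb))


def sanitize_thumb(thumb: str) -> str:
    """Reduce the 'thumb' metadata to a bare filename (the effect of PHP's basename()).
    A thumbnail always sits beside its original upload, so directory components
    have no legitimate reason to be there."""
    return os.path.basename(thumb.replace("\\", "/"))


def safe_thumb_path(uploads_dir: str, thumb: str) -> Optional[str]:
    """Return the path that may be unlinked, or None when the result would not be a
    file strictly inside uploads_dir. The containment check is defence in depth on
    top of the basename() sanitisation, so a code path that skips it still fails closed."""
    root = os.path.realpath(uploads_dir)
    name = sanitize_thumb(thumb)
    if name in ("", ".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def delete_thumbnail(uploads_dir: str, thumb: str) -> bool:
    """Hardened delete: only unlink when the sanitised path passes containment."""
    target = safe_thumb_path(uploads_dir, thumb)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


# Constructed 'thumb' values as they might be stored in attachment metadata.
SAMPLE_THUMBS = {
    "legitimate": "photo-150x150.jpg",
    "traversal_to_config": "../../wp-config.php",
    "traversal_to_htaccess": "../../.htaccess",
    "windows_separators": "..\\..\\wp-config.php",
}


def compare(uploads_dir: str = UPLOADS_DIR) -> dict:
    """Where each sample lands under the unsafe join versus the hardened resolver."""
    return {label: (vulnerable_thumb_path(uploads_dir, t), safe_thumb_path(uploads_dir, t))
            for label, t in SAMPLE_THUMBS.items()}
```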

Source: TheHackerNews


New Malware Family Uses Custom UDP Protocol for C&C Communications

Security researchers have uncovered a new, highly targeted cyber espionage campaign, believed to be associated with the hacking group behind the KHRAT backdoor Trojan, that has been targeting organizations in South East Asia.

According to researchers from Palo Alto Networks, the hacking group, which they dubbed RANCOR, has been using two new malware families, PLAINTEE and DDKONG, to target political entities primarily in Singapore and Cambodia.

In previous years, the threat actors behind the KHRAT Trojan were allegedly linked to a Chinese cyber espionage group known as DragonOK.

While monitoring the C&C infrastructure associated with the KHRAT Trojan, researchers identified multiple variants of these two malware families; PLAINTEE appears to be the latest weapon in the group's arsenal and uses a custom UDP protocol to communicate with its remote command-and-control server.

To deliver both PLAINTEE and DDKONG, the attackers use spear-phishing messages with different infection vectors, including malicious macros in a Microsoft Excel file, an HTA loader, and a DLL loader, each accompanied by decoy files.

"These decoys contain details from public news articles focused primarily on political news and events," researchers explain.

"Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least one case, Facebook."

Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol, which transmits data in encoded form.

"These families made use of custom network communication to load and execute various plugins hosted by the attackers," researchers say. "Notably the PLAINTEE malware's use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware."
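
Taking up the researchers' remark that a custom UDP protocol is a useful heuristic, here is an added example (not Palo Alto Networks' code) of one such detection run over flow records: it groups UDP flows per remote endpoint and flags repeated conversations on non-standard ports whose payloads look encoded. The flow records, hosts and payloads are constructed stand-ins; the port allowlist, flow count and entropy thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# UDP services a workstation is expected to talk to; repeated traffic to anything
# else on a single remote endpoint is what this heuristic singles out.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 443, 500, 1900, 4500, 5353}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded or encrypted payloads sit well above plaintext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_udp_beacons(flows, min_flows=4, min_entropy=6.0):
    """Group UDP flows by (src, dst, dport) and flag groups that are repeated,
    go to a non-standard port, and carry high-entropy payloads.
    Each flow is (ts_seconds, src, dst, dport, proto, payload_bytes)."""
    groups = defaultdict(list)
    for ts, src, dst, dport, proto, payload in flows:
        if proto != "udp" or dport in KNOWN_UDP_PORTS:
            continue
        groups[(src, dst, dport)].append((ts, payload))
    alerts = []
    for (src, dst, dport), items in groups.items():
        if len(items) < min_flows:
            continue
        avg_entropy = sum(shannon_entropy(p) for _, p in items) / len(items)
        if avg_entropy < min_entropy:
            continue
        times = sorted(ts for ts, _ in items)
        gaps = [b - a for a, b in zip(times, times[1:])]
        alerts.append({"src": src, "dst": dst, "dport": dport, "count": len(items),
                       "avg_entropy": round(avg_entropy, 2),
                       "mean_gap_s": round(sum(gaps) / len(gaps), 1)})
    return alerts


def constructed_flows():
    """Constructed flow records standing in for a NetFlow/Zeek export; the hosts
    and payloads are made up for this demo and are not real indicators."""
    ws, resolver, c2, game = "10.0.0.21", "10.0.0.53", "203.0.113.7", "198.51.100.9"
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    flows = []
    for i in range(5):
        ts = i * 60.0
        flows.append((ts, ws, resolver, 53, "udp", dns_query))                 # known service
        # Stand-in for an encoded C2 datagram: 200 distinct byte values, so high entropy.
        flows.append((ts + 1.5, ws, c2, 8877, "udp", bytes((i * 37 + k) % 256 for k in range(200))))
        flows.append((ts + 3.0, ws, game, 9000, "udp", b"PING keepalive\n"))  # odd port, plaintext
    flows.append((5.0, ws, c2, 443, "udp", bytes(range(200))))                 # QUIC-style port, allowlisted
    flows.append((7.0, ws, c2, 4444, "tcp", bytes(range(200))))                # not UDP, ignored here
    return flows


def demo():
    """Run the heuristic over the constructed export; only the port-8877 beacon should remain."""
    return find_udp_beacons(constructed_flows())
```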

DDKONG, by contrast, has been in use by the hacking group since February 2017 and has no custom communication protocol like PLAINTEE's; it is unclear whether this malware is used by one threat actor or by several.

According to the researchers, the final payloads of both malware families suggest that their purpose is cyber espionage against political targets rather than stealing money from them.

Since the RANCOR group primarily targets non-technical users, treat any unsolicited document sent by email with suspicion, and never click links inside such documents without first verifying the source.

Most importantly, use behavior-based antivirus software that can detect and block such malware before it infects your device, and keep it and your other applications up to date.

Source: TheHackerNews


WPA3 Standard Officially Launches With New Wi-Fi Security Features

The Wi-Fi Alliance today officially launched WPA3, the next-generation Wi-Fi security standard, which promises to eliminate the known security vulnerabilities and wireless attacks in use today, including the dangerous KRACK attacks.

WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices and protect their traffic using the Advanced Encryption Standard (AES), preventing attackers from eavesdropping on your wireless data.

However, late last year security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed KRACK (Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate Wi-Fi network traffic.

Although most device manufacturers patched their devices against KRACK, the Wi-Fi Alliance moved quickly to finalize and launch WPA3 in order to address WPA2's technical shortcomings from the ground up.

What Is WPA3, and What New Security Features Does It Offer?

The WPA3 security standard will replace WPA2, which has been around for at least 15 years and is used by billions of devices every day.

The new protocol brings big improvements for Wi-Fi enabled devices in configuration, authentication, and encryption, making it harder for attackers to break into your Wi-Fi or eavesdrop on your network.

On Monday, the Wi-Fi Alliance launched two flavors of the new protocol, WPA3-Personal and WPA3-Enterprise, for personal, enterprise, and IoT wireless networks.

Here are some key features of the new protocol:

1.) Protection Against Brute-Force Attacks

WPA3 provides enhanced protection against offline brute-force dictionary attacks, in which an attacker tries commonly used passwords over and over again, making it harder to crack your Wi-Fi password even if you choose a less complex one.

2.) WPA3 Forward Secrecy

WPA3 uses the SAE (Simultaneous Authentication of Equals) handshake to provide forward secrecy, a property that prevents attackers from decrypting previously captured traffic even if they later learn the network password.

3.) Protecting Public/Open Wi-Fi Networks

WPA3 strengthens user privacy on open networks through individualized data encryption, which encrypts the wireless traffic between your device and the access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 may add support for Opportunistic Wireless Encryption (OWE).

4.) Strong Encryption for Critical Networks

Using WPA3-Enterprise, critical Wi-Fi networks handling sensitive information (such as those of government and industrial organizations) can protect their Wi-Fi connections with 192-bit encryption.

Wi-Fi Easy Connect

Alongside WPA3, the Wi-Fi Alliance has also announced a new feature, called Wi-Fi Easy Connect, that simplifies pairing smart home gadgets without a screen or display to your router.

Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure.

With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device.

It should be noted that neither WPA3 nor Wi-Fi Easy Connect will hit the mainstream right away. It will be a multi-year process that requires new routers and smart gadgets with WPA3 support.

Therefore, WPA2 will not stop working any time soon, and WPA3-capable devices will continue to interoperate with WPA2 devices so your gadgets keep working, but WPA3 support will eventually become mandatory as adoption grows.

WPA3 is set to roll out later this year and is expected to reach mass adoption in late 2019, when it becomes a requirement for devices to be considered Wi-Fi certified, according to the Wi-Fi Alliance.

Source: TheHackerNews


Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.

Biometric authentication, such as fingerprint, iris, or face recognition, smooths the process of unlocking devices and applications by making it notably faster and more secure.

Biometric systems also have well-known pitfalls: it has been shown many times that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.

Google today announced a better model for biometric security, available from Android P, that lets mobile app developers integrate an enhanced mechanism into their apps to keep users' data safe.

New Biometric Metrics to Identify Spoofing and Imposter Attacks

Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user's input.

In brief, 'False Accept Rate' defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while 'False Reject Rate' records how often a biometric model accidentally classifies the user's biometric as incorrect.

Moreover, for user convenience some biometric scanners also allow users to authenticate successfully with higher false-acceptance rates than usual, leaving devices open to spoofing attacks.

Google says neither of these metrics can tell whether a given biometric input is an attacker's attempt at unauthorized access through a spoofing or impostor attack.

In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.

"As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme," Vishwath Mohan, a security engineer with Google Android team, says.

"Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g., trying to sound or look like a target user)."

Google to Enforce Strong Biometric Authentication Policies

The SAR/IAR values of a biometric modality determine whether it counts as a "strong biometric" (values at or below 7%) or a "weak biometric" (values above 7%).

When a weak biometric is used to unlock the device or an application, Android P enforces the following stricter authentication policies:

It prompts the user to re-enter their primary PIN, pattern, password, or a strong biometric if the device has been inactive for at least 4 hours (for example, left on a desk or charging).

If the device is left unattended for 72 hours, the system enforces the above policy for both weak and strong biometrics.

For additional safety, a weak biometric cannot be used to make payments or perform other transactions that involve a KeyStore auth-bound key.
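
An added worked example, not Google's code, of how the four rates combine into the policy described above: it computes FRR, FAR, SAR and IAR from constructed trial outcomes, classifies the modality by the 7% bound (assumed here to apply to both SAR and IAR), and decides whether a primary credential is required. The trial counts and the two modalities are constructed.

```python
from dataclasses import dataclass

STRONG_MAX_RATE = 0.07        # SAR and IAR at or below 7% => "strong biometric"
WEAK_IDLE_HOURS = 4           # weak biometric: primary credential required after 4 h idle
ANY_UNATTENDED_HOURS = 72     # every biometric: primary credential required after 72 h


@dataclass
class Trials:
    """Constructed evaluation outcomes for one modality. 'genuine' rows are the
    enrolled user, 'zero_effort' rows are other people not trying to mimic,
    'spoof' rows replay a recording or picture, 'impostor' rows actively mimic."""
    genuine_attempts: int
    genuine_rejected: int
    zero_effort_attempts: int
    zero_effort_accepted: int
    spoof_attempts: int
    spoof_accepted: int
    impostor_attempts: int
    impostor_accepted: int


def _rate(hits: int, attempts: int) -> float:
    return hits / attempts if attempts else 0.0


def metrics(t: Trials) -> dict:
    """FRR and FAR are the classic accuracy metrics; SAR and IAR put an attacker
    in the threat model by counting deliberate spoof and mimicry attempts."""
    return {
        "FRR": _rate(t.genuine_rejected, t.genuine_attempts),
        "FAR": _rate(t.zero_effort_accepted, t.zero_effort_attempts),
        "SAR": _rate(t.spoof_accepted, t.spoof_attempts),
        "IAR": _rate(t.impostor_accepted, t.impostor_attempts),
    }


def classify(t: Trials) -> str:
    """Assumes both SAR and IAR must be within the 7% bound to count as 'strong'."""
    m = metrics(t)
    return "strong" if m["SAR"] <= STRONG_MAX_RATE and m["IAR"] <= STRONG_MAX_RATE else "weak"


def unlock_decision(t: Trials, idle_hours: float, needs_auth_bound_key: bool) -> str:
    """Return 'biometric_ok' or 'primary_required' for an unlock or transaction
    attempted with this modality after idle_hours without authentication."""
    if idle_hours >= ANY_UNATTENDED_HOURS:
        return "primary_required"            # 72 h rule applies to strong and weak alike
    if classify(t) == "weak":
        if needs_auth_bound_key:
            return "primary_required"        # weak biometrics cannot unlock KeyStore auth-bound keys
        if idle_hours >= WEAK_IDLE_HOURS:
            return "primary_required"        # 4 h idle rule for weak biometrics
    return "biometric_ok"


# Constructed trial data: a fingerprint sensor that rarely accepts spoofs, and a
# 2D face unlock that a printed photo fools 12% of the time.
FINGERPRINT = Trials(1000, 20, 1000, 1, 500, 10, 500, 5)
FACE_2D = Trials(1000, 30, 1000, 2, 500, 60, 500, 15)
```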

Google will also offer a new, easy-to-use BiometricPrompt API that developers can use to build robust authentication into their apps; it blocks any modality that the two new metrics classify as weak.

"BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on," Mohan said.

"A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices."

The new feature would also prevent unauthorized access to devices by thieves, spies, and law enforcement agencies, by locking the device down against known methods of bypassing biometric scanners.

Source: TheHackerNews


Google Solves Update Issue for Android Apps Installed from Unknown Sources

Here is how an Android app installed from a third-party source or via peer-to-peer app sharing can now receive its latest updates directly from the Google Play Store.

For security reasons, apps installed from third-party sources could until now not be updated automatically over the air, because Google did not recognize them as Play Store apps and they did not appear in your Google account's app list either.

Late last year, Google announced its plan to set up an automated mechanism to verify the authenticity of an app by adding a small amount of security metadata on top of each Android application package (in the APK Signing Block) distributed by its Play Store.

This metadata acts like a digital signature that lets your Android device verify whether an app installed from a third-party source originated from the Play Store and has not been tampered with (for example, by having a virus attached to it).

Google began rolling out this mechanism in early 2018. It requires no action from Android users or app developers, and it lets the company keep smartphone users secure by adding peer-to-peer shared apps to a user's Play Store Library so that regular updates can be pushed to them.

Additionally, Google yesterday announced an enhancement to this plan: offline support for metadata verification, which lets Android determine the authenticity of "apps obtained through Play-approved distribution channels" while the device is offline.
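
An added example (not Google's or Android's code) that parses the APK Signing Block the article refers to, so the reader can see where such metadata lives: the block sits between the ZIP entries and the central directory as a list of ID-value pairs, and the v2 signature covers the entries, central directory and EOCD but not the block itself, which is why a distributor can attach its own pair without disturbing the developer's signature. The stand-in APK bytes and the DEMO_PLAY_METADATA_ID value are constructed; only the v2 scheme ID is the real one.

```python
import struct
from typing import Dict

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
V2_SIGNATURE_ID = 0x7109871A          # APK Signature Scheme v2 pair ID (real value)
DEMO_PLAY_METADATA_ID = 0x00DEC0DE    # constructed ID standing in for Play's metadata pair


def find_central_directory_offset(apk: bytes) -> int:
    """Locate the End of Central Directory record and read the central directory
    start offset. The EOCD is 22 bytes plus an optional comment, so scan backwards
    and accept the first candidate whose comment length reaches end of file."""
    for i in range(len(apk) - 22, -1, -1):
        if apk[i:i + 4] == EOCD_SIGNATURE:
            comment_len = struct.unpack_from("<H", apk, i + 20)[0]
            if i + 22 + comment_len == len(apk):
                return struct.unpack_from("<I", apk, i + 16)[0]
    raise ValueError("no EOCD record found")


def parse_apk_signing_block(apk: bytes) -> Dict[int, bytes]:
    """Return {pair_id: value} for the signing block preceding the central directory,
    or {} if there is none. Layout:
        uint64 size | (uint64 len, uint32 id, value)* | uint64 size | 16-byte magic
    where 'size' excludes the leading size field but includes trailing size and magic."""
    cd_offset = find_central_directory_offset(apk)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs: Dict[int, bytes] = {}
    pos, end = start + 8, cd_offset - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]
        pair_id = struct.unpack_from("<I", apk, pos + 8)[0]
        pairs[pair_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    if pos != end:
        raise ValueError("ID-value pairs overrun the block")
    return pairs


def build_signing_block(pairs: Dict[int, bytes]) -> bytes:
    """Serialise ID-value pairs into a well-formed APK Signing Block."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def constructed_apk(pairs: Dict[int, bytes]) -> bytes:
    """A minimal stand-in 'APK': fake entry data, the signing block, a fake central
    directory and an EOCD pointing at that directory. Not a valid ZIP, just the
    layout the parser needs."""
    entries = b"PK\x03\x04 constructed local file entries "
    block = build_signing_block(pairs)
    cd = b"PK\x01\x02 constructed central directory "
    eocd = EOCD_SIGNATURE + b"\x00" * 8 + struct.pack("<II", len(cd), len(entries) + len(block)) + b"\x00\x00"
    return entries + block + cd + eocd
```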

"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity," said James Bender, Product Manager at Google Play. "This will give people more confidence when using Play-approved peer-to-peer sharing apps."

Note that this feature does not protect you from the risks of installing apps from third-party sources; it merely lets you receive the latest updates for apps that originated from the Google Play Store.

Last year, as part of its effort to secure the Android ecosystem, Google also added built-in behavior-based malware protection for Android devices, called Google Play Protect, which uses machine learning and app usage analysis to weed out dangerous and malicious apps.

Google Play Protect not only scans apps installed from the official Play Store but also monitors apps installed from third-party sources.

Play Protect now also supports offline scanning, which suggests it will handle the newly introduced metadata verification as well.

Although the Play Store itself is not completely immune to malware, users are still advised to download apps from the official store, preferably those published by reputable developers, to minimize the risk of compromise.

Source: TheHackerNews


Intel Tiger Lake CPUs to come with Anti-Malware Protection

Intel’s Tiger Lake CPUs will come with Control-flow Enforcement Technology (CET), aimed at battling common control-flow hijacking attacks. I...