Cryptojackers, trojanised cryptocurrency miners, continue to spread across computers globally while becoming stealthier and harder to detect.

The new analysis was published by Microsoft’s 365 Defender Research Team on Thursday.

The technical write-up reads: “In the past several months, Microsoft Defender Antivirus detected cryptojackers on hundreds of thousands of devices every month.”

“These threats also continue to evolve: recent cryptojackers have become stealthier, leveraging living-off-the-land binaries (LOLBins) to evade detection.”

Cryptojackers use different tactics to force a device to mine cryptocurrency without the user’s knowledge or consent, the report found. The most common are potentially unwanted applications (PUAs) or malicious executables placed on devices that consume system resources to mine cryptocurrency.

Microsoft added that the tools are often written in JavaScript and can infiltrate systems via the browser. It warned that some cryptojackers are fileless: these perform mining in the device’s memory and achieve persistence by misusing legitimate tools and LOLBins.

Microsoft explained: “This approach allows attackers to achieve their goals without relying on specific code or files. Moreover, the fileless approach enables cryptojackers to be delivered silently and evade detection. These make the fileless approach more attractive to attackers.”

Such malware can also be detected by analysing how it interacts with the hardware.

“Through its various sensors and advanced detection methodologies, including its integration with Intel TDT, Microsoft Defender Antivirus sees cryptojackers that take advantage of legitimate system binaries on more than 200,000 devices daily.”
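As an added illustration of the detection angle described above (this is example code, not Microsoft Defender's logic or anything from the report), the following Python triage script scores constructed process-creation events together with per-process CPU samples. A miner-style command line, a LOLBin launched with in-memory loader switches, a LOLBin spawned by another LOLBin, and sustained CPU saturation each add to a score, and processes over a threshold are reported with their reasons. The log line format, the LOLBin list, the command-line indicators, the CPU threshold and all sample data are assumptions made for this example.

```python
"""Heuristic cryptojacking triage over constructed process telemetry.

Added example, not Microsoft's detection logic. The event format, LOLBin list,
command-line indicators, CPU thresholds and sample data are all assumptions.
"""
import re

# Constructed sample process-creation events (simplified, Sysmon-like).
PROCESS_EVENTS = [
    'pid=4120 parent=explorer.exe image=chrome.exe cmd="chrome.exe --profile-directory=Default"',
    'pid=5312 parent=wscript.exe image=powershell.exe cmd="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'pid=6001 parent=cmd.exe image=miner.exe cmd="miner.exe -o stratum+tcp://pool.invalid:3333 -u WALLET --donate-level 1"',
    'pid=6210 parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\\scripts\\backup.ps1"',
    'pid=7005 parent=services.exe image=svchost.exe cmd="svchost.exe -k netsvcs"',
]

# Constructed per-process CPU utilisation samples (percent, one per minute).
CPU_SAMPLES = {
    4120: [12, 9, 15, 11, 8, 10],
    5312: [97, 98, 99, 96, 99, 97],
    6001: [99, 99, 98, 99, 99, 99],
    6210: [85, 3, 2, 1, 0, 0],   # a brief spike, not sustained load
    7005: [4, 3, 5, 4, 3, 4],
}

# Assumed: Windows-shipped binaries commonly abused as living-off-the-land binaries.
LOLBINS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe"}

# Assumed: command-line fragments typical of in-memory script loaders.
LOADER_INDICATORS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring|frombase64string)",
    re.I)

# Assumed: command-line fragments typical of mining clients (pool URL scheme, donate flag, common miner name).
MINER_INDICATORS = re.compile(r"(stratum\+(tcp|ssl)://|--donate-level|\bxmrig\b)", re.I)

EVENT_RE = re.compile(r'pid=(\d+) parent=(\S+) image=(\S+) cmd="(.*)"')


def parse_event(line):
    """Parse one constructed event line into a dict; raises on unknown format."""
    m = EVENT_RE.fullmatch(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    pid, parent, image, cmd = m.groups()
    return {"pid": int(pid), "parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def sustained_cpu(samples, threshold=90, window=5):
    """True when the last `window` samples are all at or above `threshold` percent."""
    if len(samples) < window:
        return False
    return all(s >= threshold for s in samples[-window:])


def assess(event, samples):
    """Return (score, reasons) for a single process using the heuristics above."""
    score, reasons = 0, []
    if MINER_INDICATORS.search(event["cmd"]):
        score += 3
        reasons.append("miner command-line indicator")
    is_lolbin = event["image"] in LOLBINS
    if is_lolbin and LOADER_INDICATORS.search(event["cmd"]):
        score += 2
        reasons.append("LOLBin with in-memory loader indicators")
    if is_lolbin and event["parent"] in LOLBINS:
        score += 1
        reasons.append("LOLBin spawned by another LOLBin")
    if sustained_cpu(samples):
        score += 2
        reasons.append("sustained CPU saturation")
    return score, reasons


def triage(events, cpu_samples, threshold=3):
    """Return findings for every process whose score reaches the threshold."""
    findings = []
    for line in events:
        ev = parse_event(line)
        score, reasons = assess(ev, cpu_samples.get(ev["pid"], []))
        if score >= threshold:
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, CPU_SAMPLES):
        print(f"pid {f['pid']} ({f['image']}): score {f['score']} - {', '.join(f['reasons'])}")
```

On the constructed data the hidden, base64-encoded PowerShell process spawned by wscript.exe and the explicit miner are both reported, while the scheduled backup script (a LOLBin with a short CPU spike) and the browser are not. Combining a command-line signal with a sustained hardware signal is what keeps a single noisy indicator, such as one busy PowerShell run, from paging an analyst.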


The post Cryptojackers Continue to Spread Across Computers Globally appeared first on IT Security Guru.

In May, Amazon patched a high-severity security issue in its Ring app for Android that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.

The Ring app for Android has over 10 million downloads.

Application security firm Checkmarx explained that it identified a cross-site scripting (XSS) flaw which, it said, could be weaponised as part of an attack chain to trick victims into installing a malicious app.

The malicious app could then extract the user’s Authorisation Token, which can be used to obtain the session cookie by sending it, together with the device’s hardware ID (also encoded in the token), to the endpoint “ring[.]com/mobile/authorize”.

With this cookie, an attacker could sign in to the victim’s account without knowing the password and access all personal data associated with the account.

This is achieved by querying the following endpoints:

  • account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
  • account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings

Checkmarx said it reported the issue to Amazon on 1st May 2022, and a fix was released on 27th May 2022 in version 3.51.0. There is no evidence that the issue was exploited.

The post Ring App Vulnerability Urgently Patched by Amazon appeared first on IT Security Guru.

On Wednesday, Apple released security updates for iOS, iPadOS and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise devices.

The issues were:

  • CVE-2022-32893 – An out-of-bounds issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content
  • CVE-2022-32894 – An out-of-bounds issue in the operating system’s kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

Apple said it addressed both issues with improved bounds checking, adding that it is aware the vulnerabilities “may have been actively exploited” already.

No information was disclosed regarding these attacks.

The latest update brings the total number of zero-days patched by Apple since the start of the year to six; the four earlier ones were:

  • CVE-2022-22587 (IOMobileFrameBuffer)
  • CVE-2022-22620 (WebKit)
  • CVE-2022-22674 (Intel Graphics Driver)
  • CVE-2022-22675 (AppleAVD)

Both vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The post Two Critical Vulnerabilities Patched by Apple appeared first on IT Security Guru.

Last week, Advanced, a key NHS IT partner, was hit by a ransomware attack. The company has said it could take three to four weeks for systems to resume normal service.

Advanced runs several key systems within the health service. One of its most important clients is the NHS 111 service.

The UK Government tried to downplay the seriousness of the incident last week, claiming “minimal disruption”. However, reports suggested that it disrupted patient referrals, emergency prescriptions, ambulance dispatches and out-of-hours appointment bookings.

An update published by Advanced on 10th August said it was working with Microsoft DART, Mandiant and the National Cyber Security Centre (NCSC) to investigate and remediate, with no further incidents detected and the original breach contained.

The statement said: “With respect to the NHS, we are working with them and the NCSC to validate the additional steps we have taken, at which point the NHS will begin to bring its services back online. For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days.”

“For other NHS customers and care organisations our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks. We are working tirelessly to bring this timeline forward, and while we are hopeful to do so, we want our customers to be prepared. We will continue to provide updates as we make progress.”

Advanced also disclosed that other services are impacted by the attack, including its care home management software (Caresys) and patient record software (Carenotes).

No ransomware group has publicly claimed responsibility for the attack, and it is not yet known whether data was stolen.

Before bringing its systems back online, Advanced said it was implementing extra blocking rules, scanning all impacted systems and ensuring they are fully patched, conducting 24/7 monitoring, resetting credentials, and deploying additional endpoint detection and response agents.

The post Recovery From NHS Attack Could Take Weeks appeared first on IT Security Guru.

Interpol has launched a new awareness campaign that aims to urge individuals not to become money mules, after 15 suspects were arrested in connection with a major romance scam conspiracy.

The international policing organisation’s Financial Crime and Anti-Corruption Centre (IFCACC) said the two-week global campaign aims to highlight the critical role mules play in modern crime.

The campaign will use the hashtag #YourAccountYourCrime on social media in an attempt to remind people that they are responsible for keeping their own bank accounts safe and that moving money on behalf of others could land them in trouble.

The campaign will cover how the money mule industry works, the risks involved and how to avoid becoming a mule.

Police recently arrested over a dozen suspected money mules linked to a Japanese man who they believe is responsible for a major romance fraud campaign.

Earlier this month, Hikaru Morikawa, 58, arrived at Kansai airport before being arrested in Ghana, according to reports. Morikawa is suspected of masterminding a group of romance scammers who posed as women on dating sites to trick victims into handing over money.

According to Interpol, the group is thought to have made around 400 million yen ($3m) from their scams.

“Criminals will go to great lengths to recruit money mules, because they play an essential role in distancing themselves from authorities and escaping detection. Money mule schemes can be disguised as employment, romantic relationships or investments, or simply as helping out a friend,” said Stephen Kavanagh, Interpol executive director of police services.

“At the end of the day, however, moving money for someone else, especially across borders, is risky business. Money mules, whether complicit or not, help perpetuate the criminal cycle and could face prosecution.”

The awareness campaign is being launched as part of Project TORAID, an Interpol initiative targeting financial crime funded by the Japanese government.

The post Campaign Launched to Stop People From Becoming Money Mules appeared first on IT Security Guru.

Hackers have found that a robot dog carrying a submachine gun has a kill switch that can be triggered using a small handheld hacking tool.

The discovery was posted on Twitter by hackers going by the handles KF@d0tslash and MavProxyUser on GitHub and Twitter.

“Good news!” KF@d0tslash said on Twitter. “Remember that robot dog you saw with a gun!? It was made by @UnitreeRobotic. Seems all you need to dump it in the dirt is @flipper_zero. The PDB has a 433mhz backdoor.”

In the video, one of the Unitree robot dogs is connected to a power source by d0tslash. A Flipper Zero, a multitool device that can communicate wirelessly over RFID, Bluetooth, NFC and other bands, is then used to gain control of the bot.

When the hacker triggers it, the mechanical dog seizes up and collapses.

According to the hackers, every dog ships with a remote cut-off switch attached to its power distribution board, the part of the machine that routes power from the battery to its various systems.

This kill switch listens on the 433 MHz band for a specific signal to turn the robot off. A wireless remote that instantly turns off some Unitree robots is included in the box.

The post Unitree Robot Gun Carrying Dog Disabled by Remote Hacking Tool appeared first on IT Security Guru.

According to Meta, action has been taken against two cyber espionage operations in South Africa: Bitter APT and APT36.

The announcement was made by the company last Thursday in its Quarterly Adversarial Threat Report, Second Quarter 2022.

In the report, Meta’s Global Threat Intelligence Lead, Ben Nimmo, and Director of Threat Disruption, David Agranovich, provided insight into the risks Meta saw worldwide and across multiple policy violations.

The report stated: “We took action against a group of hackers — known in the security industry as Bitter APT — that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom.”

Regarding the operation, Meta said that while the group was relatively low in sophistication and operational security, it was well resourced and persistent.

“Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware.”

The group reportedly used malicious domains, compromised websites, link-shortening services and third-party hosting providers to distribute its malware.

In terms of tactics, techniques and procedures (TTPs), Bitter reportedly used a mix of an iOS application, social engineering, an Android malware Meta calls Dracarys, and adversarial adaptation.

The company said that its investigation connected activity related to APT36 with state-linked actors in Pakistan.

“[The group] targeted people in Afghanistan, India, Pakistan, UAE and Saudi Arabia, including military personnel, government officials, employees of human rights and other non-profit organizations and students.”

Meta said that APT36’s TTPs were relatively low in sophistication.

“This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.”

“As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.”

According to Meta, these low-cost tools require less technical knowledge to deploy but still yield good results for attackers.

“It democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower. It also allows these groups to hide in the ‘noise’ and gain plausible deniability when being scrutinized by security researchers.”

The post Meta Take Action Against Two Cyber Espionage Operations in South Africa appeared first on IT Security Guru.

Twilio, the communications giant, has confirmed that hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.

The San Francisco-based company, whose platform lets developers build voice and SMS capabilities such as two-factor authentication (2FA) into applications, said it became aware on 4th August that someone had gained “unauthorised access” to information related to some Twilio customer accounts. The findings were published in a blog post on Monday 9th.

Twilio has more than 150,000 corporate customers, including Uber and Facebook.

The threat actor has not yet been identified.

The attack used SMS phishing messages purporting to come from Twilio’s IT department, claiming that the employee’s password had expired or that their schedule had changed. The texts advised the target to log in using the spoofed web address provided.

Twilio said the texts appeared legitimate and used the jargon companies use for access to their internal apps, such as “SSO”. Twilio said it worked with US carriers to stop the malicious messages, and with registrars and hosting providers to shut down the malicious URLs used in the campaign.
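The lure described above (an urgency pretext plus a link to a lookalike login domain) can be triaged mechanically before an employee acts on it. The following Python script is an added example, not Twilio's tooling or anything from its post: it extracts URLs from constructed inbound SMS messages, compares each link's registrable domain against an assumed allowlist of the organisation's real sign-in domains, and flags hosts that carry the brand or SSO wording while sitting outside that allowlist. The allowlist, brand tokens, urgency phrases, sample messages and the two-label approximation of a registrable domain (a real deployment would use the public suffix list) are all assumptions.

```python
"""Triage of inbound SMS text for credential-phishing lures.

Added example, not Twilio's tooling. The allowlist, brand tokens, urgency
phrases, sample messages and the registrable-domain heuristic are assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed: the organisation's genuine sign-in domain(s).
ALLOWED_LOGIN_DOMAINS = {"example-corp.com"}

# Assumed: words an attacker would put in a lookalike host to borrow the brand's trust.
BRAND_TOKENS = ("example-corp", "examplecorp", "sso", "okta", "login")

# Assumed: pretexts of the kind the article describes (expired password, changed schedule).
URGENCY_PHRASES = re.compile(
    r"(password (has )?expired|schedule (has )?changed|verify (your )?account|within \d+ (hours?|minutes?))",
    re.I)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Constructed sample messages; the .invalid domains are reserved and resolve nowhere.
SAMPLE_SMS = [
    "IT Dept: your password has expired. Update at https://example-corp-sso.invalid/login to keep access.",
    "Your shift schedule has changed, review it: http://examplecorp.okta-sso.invalid/sso",
    "Reminder: sign in at https://sso.example-corp.com/ before the 5pm maintenance window.",
    "Lunch on Friday? Menu at https://deli.invalid/menu",
]


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text):
    return URL_RE.findall(text)


def assess_sms(text):
    """Return (verdict, reasons) for one message."""
    reasons = []
    urgent = bool(URGENCY_PHRASES.search(text))
    if urgent:
        reasons.append("urgency lure")
    lookalike = off_allowlist = False
    for url in extract_urls(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if registrable_domain(host) in ALLOWED_LOGIN_DOMAINS:
            continue                      # a genuine sign-in link is fine
        off_allowlist = True
        if any(tok in host for tok in BRAND_TOKENS):
            lookalike = True
            reasons.append(f"brand lookalike host outside allowlist: {host}")
        if parts.scheme.lower() == "http":
            reasons.append(f"plaintext http link: {host}")
    # A lookalike host is enough on its own; an urgency pretext plus any
    # non-allowlisted link is the classic credential-phishing shape.
    verdict = "suspicious" if lookalike or (urgent and off_allowlist) else "benign"
    return verdict, reasons


def triage_sms(messages):
    """Run assess_sms over a batch and return (message, verdict, reasons) tuples."""
    return [(m, *assess_sms(m)) for m in messages]


if __name__ == "__main__":
    for msg, verdict, reasons in triage_sms(SAMPLE_SMS):
        print(f"{verdict:10} {msg}")
        for r in reasons:
            print(f"           - {r}")
```

The same allowlist comparison is what a browser-side or gateway control would apply; the point of checking the registrable domain rather than the full host is that “sso.example-corp.com” and “example-corp-sso.invalid” look alike to a person but resolve to different registrations.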

The blog post added: “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks. Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions.”

It has not yet been disclosed how many customers were affected or what data was stolen.

Twilio said that since the attack it has revoked access to the compromised employee accounts and increased its security training so that employees are on “high alert” for similar social engineering attacks. Affected customers are being contacted individually.

Erfan Shadabi, Cybersecurity Expert at comforte AG, noted: “Many of the data breaches we have seen in the past few months have human error lurking within their backstories. Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details, or other personally identifiable information.

“One of the best approaches to mitigate such attacks is to adopt the Zero Trust framework.”

The post Twilio Suffers Phishing Based Data Breach appeared first on IT Security Guru.

A cyberattack, first identified last Thursday, has caused a “major” computer system outage affecting companies within the NHS, including the 111 call line.

Reportedly, a number of health and care systems delivered by business software and services provider Advanced are currently experiencing major outages.

Advanced has 26 NHS clients, according to Digital Health Intelligence, and supplies services to thousands of healthcare professionals. The company’s Adastra software works with 85% of NHS 111 services, where service remains affected as a result of the attack. Adastra is used to refer patients for care, including out-of-hours appointment bookings, emergency prescriptions and ambulance dispatching.

Neither NHS England nor Advanced would initially confirm reports that a cyberattack was to blame.

However, last Friday, Advanced’s Chief Operating Officer Simon Short confirmed the incident occurred as a result of a cyberattack and said that the company had taken action which contained the attack, adding that “no further issues have been detected.”

An NHS England spokeswoman said NHS 111 services are still available and that there is “currently minimal disruption”, adding that “tried and tested contingency plans are in place for local areas who use this service”.

In 2017, the NHS was hit by a large cyberattack carried out by the ransomware gang WannaCry. Javvad Malik, Lead Security Awareness Advocate at KnowBe4, notes: “The 111 outage brings back many unfortunate memories of Wannacry which crippled the NHS. While no details have been released about the root cause of the 111 service outage, all signs would seem to indicate ransomware to be the cause.”

“One needs to look at the root causes of attacks and try to address them. This could be through implementing stronger authentication, having a patch management process in place, and running a security awareness and training programme for staff so that a culture of security is created whereby security issues can be quickly detected and responded to.”

Additionally, Jamie Akhtar, CEO and co-founder of CyberSmart, warns of an increased risk of attacks elsewhere following the incident: “It’s likely that we will see more attacks of this nature in the coming months. Classified by the NCSC as a ‘Category One’ attack, this situation does not bode well for the future of UK public sector cybersecurity. Although the NCA states that only a few servers were impacted and disruption was minimal, the consequences of attacks such as these can be devastating.”

Worryingly, research by Armis on NHS Trusts indicates that “suspicious activity” – including “exploit attempts, drive-by attacks, port scans, and connections to the dark web” – has risen since this April, with 80% of Trusts experiencing a record level of suspicious activities.

Andy Norton, European Cyber Risk Officer at Armis, notes that: “Trusts’ abilities to protect themselves from these threats have remained the same since pre-April.”

“What is clear from these figures is that NHS infrastructure is being targeted more heavily than ever before, so gaining visibility and understanding of all connected assets is vital to the health of these critical services.”

The post Attack on Supplier Leaves NHS Recovering Services appeared first on IT Security Guru.

Reportedly, a number of health and care systems delivered by business software and services provider Advanced are currently experiencing major outages.

Advanced has 26 NHS clients, according to Digital Health Intelligence, and supplies services to thousands of healthcare professionals. The company’s Adastra software works with 85% of NHS 111 services.

The following systems are currently experiencing major outages: Adastra, Carenotes, Caresys, Crosscare, Staffplan.

All outages are being treated as ‘critical incidents’ and with the ‘highest priority’ whilst under investigation.

On a status web page, the company says it has “identified an issue on infrastructure hosting products used by our health and care customers”.

“Advanced has initiated a Priority 1 Incident and deployed a highly experienced Priority Incident Team. Whilst the investigation is carried out Advanced has isolated all services and taken them offline to mitigate the risk of further impact. This means that customers will not be able to access their system and should revert to contingency measures.”

“Early intervention from our Incident Response Team has contained this issue to a small number of servers within our vast infrastructure limiting the impact.”

The post Multiple Health and Care Systems Provided by Advanced Hit by Outages appeared first on IT Security Guru.