Tag Archives: security

CCleaner malware outbreak is much worse than it first appeared

By Dan Goodin

The recent CCleaner malware outbreak is much worse than it initially appeared, according to newly unearthed evidence. That evidence shows that the CCleaner malware infected at least 20 computers from a carefully selected list of high-profile technology companies with a mysterious payload.

(credit: Talos)

Previously, researchers found no evidence that any of the computers infected by the booby-trapped version of the widely used CCleaner utility had received a second-stage payload the backdoor was capable of delivering. The new evidence—culled from data left on a command-and-control server during the last four days attackers operated it—shows otherwise. Of 700,000 infected PCs, 20 of them, belonging to highly targeted companies, received the second stage, according to an analysis published Wednesday by Cisco Systems’ Talos Group.

Because the CCleaner backdoor was active for 31 days, the total number of infected computers is “likely at least in the order of hundreds,” researchers from Avast, the antivirus company that acquired CCleaner in July, said in their own analysis published Thursday.


Source:: Ars Technica


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or you could get your own free WordPress site for free right now, here.

Massive Equifax hack reportedly started 4 months before it was detected

By Dan Goodin

A monitor displays Equifax Inc. signage on the floor of the New York Stock Exchange (NYSE) in New York, US, on Friday, Sept. 15, 2017. (credit: Michael Nagle/Bloomberg via Getty Images)

Hackers behind the massive Equifax data breach began their attack no later than early March, more than four months before company officials discovered the intrusion, according to a report published Wednesday by the Wall Street Journal.

The first evidence of the hackers’ “interaction” with the Equifax network occurred on March 10, according to the report, which cited a confidential note that security firm FireEye sent to some Equifax customers. By then, a critical vulnerability in the Apache Struts Web application framework was already under active exploit on the Internet. Equifax officials have said the Struts flaw was the opening that gave attackers an initial hold in the targeted network.

Equifax has said that the breach that exposed sensitive data for as many as 143 million US consumers started on May 13 and lasted until July 30. The company didn’t disclose the breach until September 7.


Source:: Ars Technica

This is so typical of large corporations that put profits well ahead of actually serving customers. Everyone in the IT department management at this corporation should be replaced, ASAP.

Tim



Avast! There’s malware in that CCleaner software update

By Sean Gallagher


A software package update for a Windows utility product distributed by antivirus vendor Avast has been spreading an unsavory surprise: a malware package that could allow affected computers to be remotely accessed or controlled with what appears to be a legitimate signing certificate. The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by an attacker who compromised the software “supply chain” of Piriform, which was acquired by Avast in July. There have been more than 2 billion downloads of CCleaner worldwide, so the potential impact of the malware is huge.

Software updates are increasingly being targeted by distributors of malware, because they provide a virtually unchecked path to infect millions—or even billions—of computers. A compromised software update server for Ukraine software vendor M.E.Doc was used to distribute the NotPetya ransomware attack in July. “Watering hole” attacks, such as the ones used against Facebook, Apple, and Twitter four years ago, are often used to compromise the computers used by software developers. When successful, they can give malware authors what amounts to the keys to the software developer’s kingdom—their compilation tools and signing certificates, as well as access to their workflow for software updates.

In a blog post this morning, Cisco Talos Intelligence’s Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams reported that Talos had detected the malware during beta testing of a new exploit-detection technology. The malware was part of the signed installer for CCleaner v5.3 and included code that called back to a command-and-control server as well as a domain-generation algorithm intended to find a new C&C server if the hard-coded IP address of the primary server was lost. Copies of the malicious software installer were distributed to CCleaner users between August 15 and September 12, 2017, using a valid certificate issued to Piriform Ltd by Symantec.


Source:: Ars Technica



Malicious apps with >1 million downloads slip past Google defenses twice

By Dan Goodin

One of the fee-based services ExpensiveWall apps subscribed users to.

Researchers recently found at least 50 apps in the official Google Play market that made charges for fee-based services without the knowledge or permission of users. The apps were downloaded as many as 4.2 million times. Google quickly removed the apps after the researchers reported them, but within days, apps from the same malicious family were back and infected more than 5,000 devices.

The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be billed. Check Point researchers didn’t know how much revenue was generated by the apps. Google Play showed the apps had from 1 million to 4.2 million downloads.

Packing heat

ExpensiveWall—named after one of the individual apps called LovelyWall—used a common obfuscation technique known as packing. By compressing or encrypting the executable file before it’s uploaded to Play, attackers can hide its maliciousness from Google’s malware scanners. A key included in the package then reassembled the executable once the file was safely on the targeted device. Although packing is more than a decade old, Google’s failure to catch the apps, even after the first batch was removed, underscores how effective the technique remains.


Source:: Ars Technica



For 2nd time this year, Windows 0-day exploited to install Finspy creepware

By Dan Goodin

The WSDL parser, where the zero-day was located. (credit: FireEye)

On Tuesday, Microsoft patched a previously unknown vulnerability that researchers say was actively exploited by an undisclosed nation to install surveillance malware on one or more vulnerable computers.

The exploit, according to a blog post published Tuesday by security firm FireEye, was embedded in a Microsoft Word document. Once opened, the document exploited a zero-day vulnerability in Microsoft’s .Net framework. The exploit caused the targeted computer to install Finspy (sometimes “FinSpy”), a family of surveillance software that its controversial developer, UK-based Gamma Group, sells to governments throughout the world. Tuesday’s blog post said the document might have been used to infect an unnamed “Russian speaker.” The vulnerability, indexed as CVE-2017-8759, comes five months after FireEye disclosed a different zero-day being used to distribute Finspy.

“These exposures demonstrate the significant resources available to ‘lawful intercept’ companies and their customers,” FireEye researchers wrote. “Furthermore, Finspy has been sold to multiple clients, suggesting the vulnerability was being used against other targets.”


Source:: Ars Technica

