Viruses and Worms

Firefox fixes fullscreen fakery flaw – get the update now!

Sophos Naked Security - 16 November, 2022 - 20:51
What's so bad about a web page going fullscreen without warning you first?

WASP malware stings Python developers

The Register - Anti-Virus - 16 November, 2022 - 20:30
Info-stealing trojan hides in malicious PyPI packages on GitHub

Malware dubbed WASP is using steganography and polymorphism to evade detection, with its malicious Python packages designed to steal credentials, personal information, and cryptocurrency.…

Category: Viruses and Worms

Cloud vendors should take some responsibility for stolen compute, says Canalys CEO

The Register - Anti-Virus - 16 November, 2022 - 15:45
Crypto winter also attributed to semiconductor slumps in recent quarters

Canalys Forums APAC  Canalys CEO Steve Brazier has proposed that cloud vendors should have similar accountability to credit card companies when accounts are hacked and used to mine cryptocurrency.…

Category: Viruses and Worms

Swiss bankers warn: Three quarters of retail Bitcoin investors are in the red

The Register - Anti-Virus - 16 November, 2022 - 09:30
Little fish lured into the market help whales cash out

Somewhere between 73 and 81 percent of retail Bitcoin buyers are likely to be into the negative on their investment, according to research published Monday by the Bank of International Settlements (BIS).…

Category: Viruses and Worms

Boosting telcos’ 5G cyber resilience

The Register - Anti-Virus - 16 November, 2022 - 04:09
ZTE reveals its open, transparent approach to minimizing cyber security risks in telecommunications networks

Sponsored Feature  The widespread, global deployment of 5G telecommunications equipment and systems is already well underway. The GSMA forecasts that by 2025, 29 percent of the mobile connections in Europe – including those linking mission-critical infrastructure such as remotely operated power grids – will be made through 5G.…

Category: Viruses and Worms

Eggheads show how network flaw could lead to NASA crew pod loss. Key word: Could

The Register - Anti-Virus - 16 November, 2022 - 00:45
Houston, we have a PCspooF problem

A vulnerability in network technology widely used in space and aircraft could, if successfully exploited, have disastrous effects on those critical systems, according to academics.…

Category: Viruses and Worms

Shocker: EV charging infrastructure is seriously insecure

The Register - Anti-Virus - 15 November, 2022 - 22:30
What did we learn from the IoT days? Apparently nothing.

If you've noticed car charging stations showing up in your area, congratulations! You're part of a growing network of systems so poorly secured they could one day be used to destabilize entire electrical grids, and which contain enough security issues to be problematic today. …

Category: Viruses and Worms

Log4Shell-like code execution hole in popular Backstage dev tool

Sophos Naked Security - 15 November, 2022 - 20:49
Good old "string templating", also known as "string interpolation", in the spotlight again...

Securing the mail

The Register - Anti-Virus - 15 November, 2022 - 14:30
Making the business case for email encryption

Webinar  Every now and again the dangers of using personal and unencrypted email services make it to the top of the news agenda. It happened to Hillary Clinton in the States, and it's been all over the front pages in the UK following the resignation of British Home Secretary Suella Braverman after she used her personal email account six times for government business.…

Category: Viruses and Worms

DTrack activity targeting Europe and Latin America

Kaspersky Securelist - 15 November, 2022 - 11:00

Introduction

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later, deployed against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks: essentially, anywhere the Lazarus group believes it can achieve some financial gain.

DTrack allows criminals to upload, download, start or delete files on the victim host. Among those downloaded and executed files already spotted in the standard DTrack toolset there is a keylogger, a screenshot maker and a module for gathering victim system information. With a toolset like this, criminals can implement lateral movement into the victims’ infrastructure in order to, for example, retrieve compromising information.

As part of our crimeware reporting service, we published a new private report about recent DTrack activity. In this public article we highlight some of the main findings shared in that report. For more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

So, what’s new?

DTrack itself hasn’t changed much over time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. DTrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts.

First stage – implanted code

DTrack unpacks the malware in several stages. The second stage is stored inside the malware PE file. To get it, there are two approaches:

  • offset based;
  • resource based.

The idea is that DTrack retrieves the payload either by reading it from an offset within the file or by reading it from a resource within the PE binary. An example of a decompiled pseudo-function that retrieves the data using the offset-based approach can be found below.

Example of DTrack offset-oriented retrieval function

After retrieving the location of the next stage and its key, the malware decrypts the buffer (with a modified RC4 algorithm) and passes control to it. To figure out the offset of the payload, its size and the decryption keys, DTrack reads a special binary structure (we have dubbed it ‘Decrypt config’) hidden in an inconspicuous part of the PE file.

Second stage – shellcode

The second stage payload consists of heavily obfuscated shellcode as can be seen below.

Heavily obfuscated second stage shellcode

The encryption method used by the second layer differs from sample to sample. So far, we have spotted modified versions of the RC4, RC5 and RC6 algorithms. The location of the third stage payload and its decryption key are again obtained by reading the Decrypt config.

One new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload; there may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in turn decrypts and executes the final payload.

Third stage – shellcode and final binary

The shellcode has some quite interesting obfuscation tricks to make analysis more difficult. When started, the shellcode searches for the beginning of the key used to decrypt the final payload. For example, when the key begins with 0xDEADBEEF, the shellcode searches for the first occurrence of 0xDEADBEEF.

Chunk decryption routine example

Once the key is found, the shellcode uses it to decrypt the next eight bytes after the key, which form yet another configuration block with final payload size and its entry point offset. The configuration block is followed by an encrypted PE payload that starts at the entry point offset after decryption with the custom algorithm.
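The third-stage layout described above, modelled as an analyst-side parser (an added example, not code from the Securelist report or from DTrack): it searches a decrypted stage-3 blob for the key marker, decrypts the eight-byte configuration block that follows it, checks the payload size and entry point offset against the blob, and extracts the PE payload. The 16-byte key length, the little-endian field order (size, then entry point), plain RC4 standing in for DTrack's custom cipher, and the constructed sample blob (`KEY`, `PREFIX`, `PE_STUB`, `SAMPLE`) are all assumptions made for the demonstration; it also goes slightly beyond the text by trying later marker occurrences when the first one does not validate.

```python
import struct

# Assumptions for this demonstration (not taken from DTrack samples): the key
# starts with the 4-byte little-endian marker 0xDEADBEEF named in the report,
# the full key is 16 bytes, the 8-byte config block holds <payload size,
# entry point offset> as little-endian uint32s, and textbook RC4 stands in
# for DTrack's custom decryption routine.
KEY_MARKER = struct.pack("<I", 0xDEADBEEF)
KEY_LEN = 16
CFG_LEN = 8


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def marker_offsets(blob: bytes):
    """Yield every offset of the key marker, first occurrence first."""
    pos = blob.find(KEY_MARKER)
    while pos != -1:
        yield pos
        pos = blob.find(KEY_MARKER, pos + 1)


def parse_stage3(blob: bytes) -> dict:
    """Locate the key, decrypt the config block, validate it and extract the PE.

    The report says the shellcode uses the first marker occurrence; this parser
    falls back to later occurrences when a candidate does not yield a plausible
    config and an 'MZ' header, and records why each candidate was rejected.
    """
    rejected = []
    for pos in marker_offsets(blob):
        cfg_off = pos + KEY_LEN          # config block directly follows the key
        payload_off = cfg_off + CFG_LEN  # encrypted PE directly follows config
        if payload_off > len(blob):
            rejected.append(f"0x{pos:x}: too short for key + config")
            continue
        key = blob[pos:cfg_off]
        size, entry = struct.unpack("<II", rc4(key, blob[cfg_off:payload_off]))
        if size == 0 or payload_off + size > len(blob) or entry >= size:
            rejected.append(f"0x{pos:x}: implausible size/entry {size}/{entry}")
            continue
        payload = rc4(key, blob[payload_off:payload_off + size])
        if payload[:2] != b"MZ":
            rejected.append(f"0x{pos:x}: decrypted data lacks a PE header")
            continue
        return {"key_offset": pos, "key": key, "size": size,
                "entry_point": entry, "payload": payload}
    raise ValueError("no valid stage-3 layout found: "
                     + ("; ".join(rejected) or "marker absent"))


def build_sample(key: bytes, prefix: bytes, pe_image: bytes, entry: int) -> bytes:
    """Assemble a blob in the assumed layout (used only to construct test data)."""
    cfg = struct.pack("<II", len(pe_image), entry)
    return prefix + key + rc4(key, cfg) + rc4(key, pe_image)


# Constructed sample: leading bytes, then the key, the config block and a PE stub.
KEY = KEY_MARKER + bytes.fromhex("0102030405060708090a0b0c")
PREFIX = b"\x00" * 16 + b"constructed leading bytes"
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
ENTRY = 0x40
SAMPLE = build_sample(KEY, PREFIX, PE_STUB, ENTRY)

if __name__ == "__main__":
    info = parse_stage3(SAMPLE)
    print(f"key at 0x{info['key_offset']:x}, payload {info['size']} bytes, "
          f"entry point offset 0x{info['entry_point']:x}, "
          f"header {info['payload'][:2]!r}")
```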

Final payload

Once the final payload (a DLL) is decrypted, it is loaded using process hollowing into explorer.exe. In previous DTrack samples the libraries to be loaded were obfuscated strings. In more recent versions they use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six. The rest of the payload’s functionality remains the same.

Infrastructure

When we look at the domain names used for C2 servers, a pattern can be seen in some cases. For example, the actors combine a color with the name of an animal (e.g., pinkgoat, purplebear, salmonrabbit). Some of the peculiar names used in the DTrack infrastructure can be found below:

Domain              IP              First seen        ASN
pinkgoat.com        64.190.63.111   2022-03-03 15:34  AS47846
purewatertokyo.com  58.158.177.102  2022-05-20 16:07  AS17506
purplebear.com      52.128.23.153   2021-01-08 08:37  AS19324
salmonrabbit.com    58.158.177.102  2022-05-20 09:37  AS17506

Victims

According to KSN telemetry, we have detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of the world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

Conclusions

The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.

IOCs

C2 domains
pinkgoat[.]com
purewatertokyo[.]com
purplebear[.]com
salmonrabbit[.]com

MD5
1A74C8D8B74CA2411C1D3D22373A6769
67F4DAD1A94ED8A47283C2C0C05A7594

Country that still uses fax machines wants to lead the world on data standards at G7

The Register - Anti-Virus - 15 November, 2022 - 10:43
Aiming for somewhere between US 'Wild West' and EU's strict GDPR

Even though Japan lags behind the rest of the developed world in digital transformation, it hopes to create global data flow standards for discussion at next year's G7 meetings.…

Category: Viruses and Worms

Data sovereignty and compliance need help

The Register - Anti-Virus - 15 November, 2022 - 10:00
It’s a critical issue which our poll suggests influences the choice of on and off prem hosting platforms

Reader Survey Results  Back in September, we asked readers of The Register about data sovereignty. It's a concept about which we see more and more conversation among businesses, and increased awareness is also bringing corresponding concerns about the perils and pitfalls of not taking it seriously.…

Category: Viruses and Worms

Russia-based Pushwoosh tricks US Army and others into running its code – for a while

The Register - Anti-Virus - 15 November, 2022 - 02:30
Russian data trackers … what could possibly go wrong?

Updated  US government agencies including the Army and Centers for Disease Control and Prevention pulled apps running Pushwoosh code after learning the software company – which presents itself as American – is actually Russian, according to Reuters.…

Category: Viruses and Worms

GitHub sets up private vulnerability reports for public repos to avoid 'naming and shaming'

The Register - Anti-Virus - 14 November, 2022 - 23:00
No need for ignominy when a flaw is found

GitHub is offering a scheme for security researchers to privately report vulnerabilities found in public repositories.…

Category: Viruses and Worms

“Gucci Master” business email scammer Hushpuppi gets 11 years

Sophos Naked Security - 14 November, 2022 - 20:24
Learn how to protect yourself from big-money tricksters like the Hushpuppis of the world...

Another crypto shocker: Major player actually corrects $400m mistake instead of cratering

The Register - Anti-Virus - 14 November, 2022 - 13:30
Fellow crypto-exchange Gate.io spots error, returns funds

Over the weekend it was revealed that cryptocurrency exchange company Crypto.com accidentally sent over $400 million to another cryptocurrency exchange and was miraculously able to get it back.…

Category: Viruses and Worms

Advanced threat predictions for 2023

Kaspersky Securelist - 14 November, 2022 - 09:00

It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents. A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future.

We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

What we predicted in 2022

Mobile devices exposed to wide attacks

Although 2022 did not feature any mobile intrusion story on the scale of the Pegasus scandal, a number of 0-days have still been exploited in the wild by threat actors. Last June, Google’s TAG team released a blog post documenting attacks on Italian and Kazakh users that they attribute to RCS Lab, an Italian offensive software vendor. In another publication, Google also followed up on the activities of a similar vendor named Cytrox that had leveraged four 0-day vulnerabilities in a 2021 campaign.

The cyber-offense ecosystem still appears to be shaken by the sudden demise of NSO Group; at the same time, these activities indicate to us that we’ve only seen the tip of the iceberg when it comes to commercial-grade mobile surveillance tooling. It’s also likely that the remaining actors will make every effort to reduce their public exposure from now on, limiting our visibility into their activities.

From a different angle, reporting from The Intercept revealed mobile surveillance capabilities available to Iran for the purposes of domestic investigations that leverage direct access to (and cooperation of) local telecommunication companies. Looking back at past leaks of private companies providing such services, such as in the case of Hacking Team, we learned that many states all over the world were buying these capabilities, whether to complement their in-house technologies or as a stand-alone solution they couldn’t develop. This reveals a likely blind spot for defenders and endpoint vendors: in a number of cases, perhaps even the majority, attackers have no need for 0-days and malware deployment to gain access to the information they need. This story also raises questions about whether attackers who have breached telecommunication companies would also be able to leverage these legal interception systems.

Verdict: some incidents, but no major event ❌

Private sector supporting an influx of new APT players

The previous discussion covered a number of private companies that have filled the void left by NSO and have made a business of providing offensive software to their customers. In 2022, the GReAT team tracked several threat actors leveraging SilentBreak’s toolset as well as a commercial Android spyware we named MagicKarakurt. One question mark here is that it’s difficult to tell whether we’re seeing new APT actors being bootstrapped by commercial toolsets, or established ones updating their TTPs.

BruteRatel, an attack tool comparable to CobaltStrike, remains on our radar when it comes to APT adoption. A recent leak has put it in the hands of cybercrime actors and it is very likely that by the end of the year we will see it involved in APT cases too.

A worrying trend we did not explicitly mention is underlined by a Meta report published shortly after last year’s predictions. In the report, they describe the emergence of a “surveillance-for-hire” sector composed of companies all around the world that provide cyber-offensive services for (hopefully) law-enforcement customers. In practice, Facebook found that not only criminals or terrorists were targeted by such groups, but journalists, dissidents and human rights activists as well. Our own research confirms that mercenary threat actors such as DeathStalker were very active in 2022.


Source: Meta

Verdict: prediction fulfilled ✅

More supply chain attacks

Following the SolarWinds incident, we foresaw that attackers would notice the enormous potential of the supply chain attack vector. In 2022, we spotted malicious Python packages distributed through the PyPI archive (CheckPoint also detected 10 of them). As Cisco Talos notes, Python is not alone in this: NPM, NuGet or RubyGems are all potential candidates for such attacks and all it would take for a catastrophic event would be the compromise of a single developer’s credentials. Doubling down on developer-specific threats, IBM presented noteworthy research at this year’s edition of BlackHat, evidencing how source code management or continuous integration systems could be leveraged by attackers.

Another aspect of supply chain security is the reliance on open-source software components that may contain vulnerabilities: this was the root cause of a Zimbra 0-day massively exploited in the wild this year.

When it comes to stealthy malware pushed to customers in the form of a software update however, we are not aware of any significant event in 2022, so we’ll only count this prediction as partially accomplished.

Verdict: prediction partially fulfilled 🆗 (more cases, no major event)

Continued exploitation of remote work

The reasoning behind this prediction is that we expected that in 2022, companies would still be lagging behind the transformative effects the COVID-19 crisis had on work organization. In many cases, this led to a rushed deployment of remote access means for employees, in the form of appliances that could be misconfigured, or hadn’t received much security attention until now.

A massive number of vulnerabilities were patched in such devices this year (firewalls, routers, VPN software…). Whether or not each of these vulnerabilities was exploited in the wild before being discovered, they affect devices that are not typically updated in a timely fashion and that become prime targets for attackers immediately after vulnerability details are published. Such discoveries usually lead to massive and indiscriminate exploitation, and compromised machines are sold on dark markets to secondary buyers for the purposes of ransomware deployment.

Our own telemetry also confirms that RDP brute-force attacks have remained predominant throughout 2022.

Verdict: prediction fulfilled ✅

Increase in APT intrusions in the META region, especially Africa

At the end of last year, we expected the rise of Africa to be one of the major geopolitical events of the year, in light of the ever-increasing investment and relationships with China and the Middle East.

We have indeed seen an increase in the number of persistent, sophisticated attacks targeting various states in META and specifically Africa. Starting from the most recent publication about Metador targeting telecommunication companies, HotCousin expanding its operations to this region, the numerous campaigns deploying various IIS backdoors, DeathStalker and Lazarus attacking multiple industries there and a mysterious SSP-library backdoor discovered on governmental and non-profit entities, we saw quite a few new threats active in the region over the last year.

Statistically speaking, we released information about an increase of backdoor infections on the continent. While such raw statistics are difficult to interpret and are not necessarily linked to strong APT activity, it could correlate to the increase in APT attacks we’ve seen in the region in 2022.

One glaring example is Iran, which faced a series of spectacular hacks and sabotages. Its atomic energy agency, live television and steel industry have been targeted, among others.

Verdict: prediction fulfilled ✅

Explosion of attacks against cloud security and outsourced services

One of the major cyber-incidents of 2022 took place early this year: the Okta hack. Okta was breached through one of its service providers, Sitel, itself compromised via the insecure VPN gateway of a recently acquired company. Fortunately for them, the hacker appears to have been a lone 16-year-old. Unfortunately for us, it demonstrates how easy it must be for sophisticated attackers to penetrate (and, in all likelihood, remain undetected) major platforms. Okta is a widely used authentication services provider, and it is safe to assume that a hacker controlling their network would be able to infect any of their customers.

In related news, CISA released an advisory in May warning managed service providers that they saw an increase of malicious activity targeting their sector. Beyond this, we also saw reports of important data leaks related to misconfigured AWS S3 buckets, although those are nothing new. Overall, we count this prediction as having turned out to be accurate.

Verdict: prediction fulfilled ✅

The return of low-level attacks: bootkits are ‘hot’ again

In line with our predictions, we released two blog posts in 2022 introducing sophisticated low-level bootkits. The first one, in January, was MoonBounce; the other was CosmicStrand in July 2022. In both cases, we described new UEFI firmware bootkits that managed to propagate malicious components from the deepest layers of the machine up to Windows’ user-land. Amn Pardaz also released a report about a malicious program called iLOBleed, which affects a management module present on HP servers and should be counted in the same category. Such highly sophisticated implants remain rare, and witnessing three separate cases in a single year is significant.

Worthy of mention is Binarly’s excellent work on firmware vulnerability research with 22 high-severity vulnerabilities discovered in low-level components for 2022, indicating an enormous attack surface remains. As Gartner once put it: “There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.”

Verdict: prediction fulfilled ✅

States clarify their acceptable cyber-offense practices

The rise of hacker indictments as part of states’ retorsion measures led us to believe that each of them would be forced to clarify their vision of what acceptable behavior in cyberspace is. Indeed, since most states admit to having their own cyber-offense program, there is a need to clarify why their own activities are tolerable while those of their adversaries deserve legal action. We therefore expected various parties to release a sort of taxonomy indicating which types of ends would justify the means.

Shortly after the release of our predictions (yet still in 2021), the UK released its Integrated Review of Security, Defence, Development and Foreign Policy, in which it describes its vision of what a “responsible democratic cyber power” should be. No other country followed suit. With many key “cyber powers” engaged one way or another in the Ukrainian conflict, cyber-diplomacy has unfortunately taken a back seat and we are seeing less transparency (as well as fewer calls for transparency) in the cyber realm. In the end, our assessment that the world was moving towards a clarification of cyber-policies didn’t come to pass.

Verdict: very limited fulfillment of the prediction ❌

APT predictions for 2023

And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2023.

The rise of destructive attacks

2022 bore witness to brutal geopolitical shifts that will echo for years to come. History shows that such tensions always translate to increased cyber-activities – sometimes for the purpose of intelligence gathering, sometimes as a means of diplomatic signaling. With the antagonism between the West and the East having reached the maximum possible level short of open conflict, we unfortunately expect 2023 will feature cyberattacks of unprecedented gravity.

Specifically, we foresee that a record number of disruptive and destructive cyberattacks will be observed next year, affecting both the government sector and key industries. One caveat is that in all likelihood, a proportion of them will not be easily traceable to cyber-incidents and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations in order to provide plausible deniability for their real authors.

In addition, we also fear that a limited number of high-profile cyberattacks against civilian infrastructure (energy grid or public broadcasting for instance) will take place. A last point of concern is the safety of underwater cables and fiber distribution hubs in such a context, as they are particularly difficult to protect from physical destruction.

Mail servers become priority targets

In recent years, we have seen vulnerability researchers increasingly focus on email software. The reason is simple: mail servers represent huge software stacks that must support many protocols and have to be internet-facing to operate properly. The market leaders, Microsoft Exchange and Zimbra, have both faced critical vulnerabilities (pre-authentication RCEs) that were exploited, sometimes massively, by attackers before a patch was available.

We believe that research into mail software vulnerabilities is only getting started. Mail servers have the double misfortune of harboring key intelligence of interest to APT actors and having the biggest attack surface imaginable. 2023 will very likely be a year of 0-days for all major email software. We encourage system administrators to immediately set up monitoring for these machines, due to the unlikelihood that patching (even in a timely fashion) will be sufficient to protect them.

The next WannaCry

Statistically, some of the largest and the most impactful cyber epidemics occur every 6-7 years. The last incident of the sort was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.

Fortunately, vulnerabilities that enable the creation of worms are few and far between, and need to meet a number of conditions to be suitable (reliability of the exploit, stability of the target machine, etc.). It is extremely difficult to predict when such a bug will be discovered next, but we will take a wild guess and mark it up for next year. One factor increasing the likelihood of such an event is that the most sophisticated actors in the world likely possess at least one suitable exploit of the sort, and current tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak (see below) could take place.

APT targeting turns toward satellite technologies, producers and operators

It is nearly 40 years since the US’s Strategic Defense Initiative (nicknamed “Star Wars”) contemplated extending military capabilities to include space technologies. While such things may have seemed a little far-fetched in 1983, there have been several instances where countries have successfully interfered with satellites orbiting the earth.

Both China and Russia have used ground-based missiles to destroy their own satellites. There have also been claims that China has launched a satellite with a grappling arm that could be used to interfere with orbiting equipment and that Russia may have developed the same technology. We have already seen the hijacking of satellite communications by an APT threat actor.

If the Viasat incident is any indication, it is likely that APT threat actors will increasingly turn their attention to the manipulation of, and interference with, satellite technologies in the future, making the security of such technologies ever more important.

Hack-and-leak is the new black (and bleak)

There is still much debate regarding whether “cyberwar” indeed took place in the context of the Ukrainian crisis. It is however clear that a new form of hybrid conflict is currently unfolding, involving (among many things) hack-and-leak operations.

This modus operandi involves breaching a target and releasing internal documents and emails publicly. Ransomware groups have resorted to this tactic as a way to apply pressure on victims, but APTs may leverage it for purely disruptive ends. In the past, we’ve seen APT actors leak data about competing threat groups, or create websites disseminating personal information. While it is difficult to assess their effectiveness from the sidelines, there’s no doubt they’re part of the landscape now and that 2023 will involve a high number of cases.

More APT groups will move from CobaltStrike to other alternatives

CobaltStrike, released in 2012, is a threat emulation tool designed to help red teams understand the methods an attacker can use to penetrate a network. Unfortunately, along with the Metasploit Framework, it has since become a tool of choice for cybercriminal groups and APT threat actors alike. However, we believe that a number of threat actors will begin to use other alternatives.

One of these alternatives is Brute Ratel C4, a commercial attack simulation tool that is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection. Another is the open-source offensive tool Sliver.

In addition to off-the-shelf products abused by threat actors, there are other tools that are likely to be included in APT toolsets. One of these, Manjusaka, is advertised as an imitation of the Cobalt Strike framework. The implants of this tool are written in the Rust language for Windows and Linux. A fully functional version of the C&C written in Golang is freely available and can easily generate new implants with custom configurations. Another is Ninja, a tool that provides a large set of commands, which allows attackers to control remote systems, avoid detection and penetrate deep inside a target network.

Overall, we suspect that CobaltStrike is receiving too much attention from defenders (especially when it comes to the infrastructure), and that APTs will make attempts to diversify their toolsets in order to remain undetected.

SIGINT-delivered malware

It has been almost 10 years since the Snowden revelations shed light on the FoxAcid/Quantum hacking system used by the NSA. They involve leveraging “partnerships with US telecoms companies” to place servers in key positions of the internet backbone, allowing them to perform man-on-the-side attacks. This is one of the most potent attack vectors imaginable, as they allow victims to be infected without any interaction. In 2022, we saw another threat actor replicate this technique in China, and there is little doubt in our minds that many groups have worked tirelessly to acquire this capability. While deploying it at scale requires political and technological power available to few, it is likely that by now, Quantum-like tools would be implemented on the local level (i.e., at country level, by relying on national ISPs).

Such attacks are extremely hard to spot, but we predict that their becoming more widespread will lead to more discoveries in 2023.

Drone hacking!

Despite the flashy title, we’re not talking about hacks of unmanned aircraft used for surveillance or even military support (although that could happen too). This final prediction concerns itself with the other way around: the use of commercial-grade drones to enable proximity hacking.

Year after year, drones available to the general public gain additional range and capabilities. It wouldn’t take too much work to mount one of them with a rogue Wi-Fi access point or an IMSI catcher; or sufficient tooling that would allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords. Another attack scenario would be using drones to drop malicious USB keys in restricted areas, in the hope that a passer-by would pick them up and plug them into a machine. All in all, we believe this to be a promising attack vector, likely to be used by bold attackers or specialists already adept at mixing physical- and cyber-intrusion.

See you next year to see how we fared!

Australia to 'stand up and punch back' against cyber crims

The Register - Anti-Virus - 14 November, 2022 - 02:15
Creates 100-strong squad comprising cops and spooks with remit to disrupt ransomware ops

Australia's government has declared the nation is planning to go on the offensive against international cyber crooks following recent high-profile attacks on local health insurer Medibank and telco Optus.…

Category: Viruses and Worms

LockBit suspect cuffed after ransomware forces emergency services to use pen and paper

The Register - Anti-Virus - 12 November, 2022 - 09:57
Plus: CISA has a flowchart for patching, privacy campaign goes after face search engine

In Brief  A suspected member of the notorious international LockBit ransomware mob has been arrested – and could spend several years behind bars if convicted.…

Category: Viruses and Worms

World Cup apps pose a data security and privacy nightmare

The Register - Anti-Virus - 11 November, 2022 - 21:06
Unless you're fine with Qatar snoops remotely accessing your phone

With mandated spyware downloads to tens of thousands of surveillance cameras equipped with facial-recognition technology, the World Cup in Qatar next month is looking more like a data security and privacy nightmare than a celebration of the beautiful game.…

Category: Viruses and Worms