Security experts at Emsisoft have released their second free decryptor in a few days, this time for the ZeroFucks ransomware.

A few days ago, the experts at Emsisoft released a free decryptor for the Ims00rry ransomware; now the malware team has announced the release of a decryptor for the ZeroFucks ransomware.

Victims of the ZeroFucks ransomware don’t have to pay the ransom; they only need to download the decryptor from the link below:

ZeroFucks ransomware encrypts files with AES-256 and replaces the extension in the filename with “.zerofucks” (i.e. “myphoto.jpg” is changed to “myphoto.zerofucks”).

Once the ransomware has encrypted the files, it displays the following GUI to the victims; the crooks demand a ransom of €400 worth of Bitcoin.

“All your important files have been encrypted.
If you want your files back, you need to pay €400 in Bitcoins.
After the payment is received, we will give you access to unlock your files.
Click on the Payment button to get more info.” reads the ransom note.

“If you don’t pay within 48 hours, the price will be doubled.
After another 24 hours, the price will be doubled again.
If you don’t pay within 96 hours your files will be destroyed.”

Enjoy it!

Pierluigi Paganini

(SecurityAffairs – ZeroFucks, malware)

The post Emsisoft releases a second decryptor in a few days, this time for ZeroFucks ransomware appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs.

Kindle Edition

Paper Copy

Once again thank you!

For nearly a year, Brazilian users have been targeted with router attacks
NCSC report warns of DNS Hijacking Attacks
SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent
A flaw could have allowed hackers to take over any Instagram account in 10 minutes
Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw
Emsisoft released a free decryptor for the Ims00rry ransomware
Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code
La Porte County finally opted to pay $130,000 Ransom
The npm installer for PureScript package has been compromised
A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files
DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape
iOS URL Scheme expose users to App-in-the-Middle attack
Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram
Mysterious hackers steal data of over 70% of Bulgarians
Sprint revealed that hackers compromised some customer accounts via Samsung site
Anti-Debugging Techniques from a Complex Visual Basic Packer
Expert was awarded $10,000 for disclosing XSS flaw to Tesla
Turla APT group adds Topinambour Trojan to its arsenal
CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites
Experts detailed new StrongPity cyberespionage campaigns
Experts spotted a rare Linux Desktop spyware dubbed EvilGnome
Scraping the TOR for rare contents
The Problem With the Small Business Cybersecurity Assistance Act
Dutch police arrested the author of Dryad and Rubella Macro Builders
Israel surveillance firm NSO group can mine data from major social media
Poland and Lithuania fear that data collected via FaceApp could be misused
Slack resetting passwords for roughly 1% of its users
Former NSA contractor sentenced to 9 years for stealing classified data

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 223 – News of the week appeared first on Security Affairs.

Hackers breached at least 62 college and university networks exploiting a flaw in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP.

US Department of Education warned that hackers have breached at least 62 college and university networks by exploiting a vulnerability in the Ellucian Banner Web Tailor module of the Ellucian Banner ERP.

The module is used by colleges and universities to customize their web applications.

The vulnerability, tracked as CVE-2019-8978, was discovered by the security expert Joshua Mulliken. It affects the authentication process used by two modules of the ERP, including the Ellucian Banner Enterprise Identity Services module used to manage user accounts.

“An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s).” reads the security advisory published by the expert.

The vulnerability could be exploited by a remote attacker to hijack users’ accounts.

“A user’s unique identifier, UDCID, is leaked via a cookie and it could lead to account compromise if this identifier is captured or otherwise known, in the case tested the UDCID was known to be the institutional ID printed on ID cards. The UDCID could be used to exploit a race condition that would provide an attacker with unauthorized access.” continues the advisory. “For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could lead to an inability to manage their courses, allow a malicious student to put in false final grades, etc. For an administrator, an attacker could change users information, place false holds on student accounts, etc.”

Affected versions are Banner Enterprise Identity Services 8.3 and later; Ellucian addressed the vulnerability in May.

Unfortunately, threat actors started exploiting the CVE-2019-8978 flaw in the wild.

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.” reads the alert published on the Federal Student Aid website.

The educational institutions that were targeted by the attacks exploiting the vulnerability have reported that threat actors are using scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.

Officials reported that attackers created at least 600 fake or fraudulent student accounts within a 24-hour period. The malicious activity is continuing over multiple days resulting in the creation of thousands of fake student accounts. The bad news is that some of the accounts created in the attacks were involved in criminal activity.

Officials warn that, in organizations that have not implemented network segregation, attackers could also access students’ financial aid data.

Ellucian denies that the creation of fake accounts is related to the vulnerability in its ERP.

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct,” read a statement published by the company. “The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products.”

“Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals,” the statement continues.

The company recommends adding reCAPTCHA capabilities to the admission process.

Pierluigi Paganini

(SecurityAffairs – Ellucian Banner Web, ERP)

The post Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw appeared first on Security Affairs.

The airline company WizzAir informed its customers that it had reset the account passwords due to a technical issue in the system.

The airline company WizzAir has reset the account passwords of its users due to a technical issue in its system.

In an email message sent to its customers, the company explained that it had suffered “some temporary technical irregularity.”

The company did not disclose technical details of the incident; for this reason, some users speculated that the root cause of the problem was a hack. Under the EU privacy regulation GDPR, a company that suffers a personal data breach must notify the authority within 72 hours.

Fortunately, it seems that the company was not hacked.

“It appears that these assumptions are nothing to fret about. BleepingComputer has learned from a company representative that personal data belonging to customers was not affected in any way.” reported BleepingComputer.

The company only provided the following comment:

“We can confirm that we have sent an email today to our customers about the detection of a temporary technical irregularity in our system. At no point was any personal data compromised and resetting the passwords on the WIZZ accounts was a precautionary action. Safety remains a priority for Wizz Air, and that includes the security of our passengers’ data.” – reads the statement sent by WizzAir.

Following the notification message, people with a WizzAir account will receive a new email with instructions about how they can regain access to all features of the Wizz account.

Pierluigi Paganini

(SecurityAffairs – WizzAir)

The post WizzAir informed customers it forced a password reset on their accounts appeared first on Security Affairs.

The principal Twitter account of Scotland Yard, which has more than 1.2 million followers, was hacked and tweeted a series of bizarre messages on Friday night.

Hackers took over Scotland Yard’s principal Twitter account and tweeted a dozen bizarre messages on Friday night; some of the tweets referred to the British rapper Digga D.

Digga D, real name Rhys Herbert, was jailed last year aged 17 along with four other members of his gang after they were caught with baseball bats and machetes; the police discovered they were planning to attack another gang.

The messages were expressing anti-police sentiment and calling for the jailed rapper to be released.

“Free Digga D,” reads one of the tweets.

Below is the message posted by Met Police Supt Roy Smith after the breach:

We are aware that the @metpoliceuk has been subject to unauthorised access and our media team are working hard to delete the messages and ensure the security of the account. Please ignore any Tweets until we verify that it is back under official control. RT

— Supt Roy Smith (@roysmithpolice) July 19, 2019

London’s Metropolitan Police confirmed that hackers also targeted emails and news pages.

Scotland Yard pointed out that its IT infrastructure had not been compromised; the incident only affected the press office’s online provider, MyNewsDesk. The MyNewsDesk service automatically pushes content to the Met’s website and Twitter account once it is published, and it also sends emails to subscribers.

“Unauthorised messages appeared on the news section of our website,” states Scotland Yard. “We apologise to our subscribers and followers for the messages they have received.”

“We are confident the only security issue relates to access to our MyNewsDesk account. We have begun making changes to our access arrangements to MyNewsDesk.”

“There has been no ‘hack’ of the Met Police’s own IT infrastructure. We are assessing to establish what criminal offences have been committed.”

US President Donald Trump seized the opportunity to attack the London Mayor Sadiq Khan, retweeting an image of the hijacked Metropolitan Police account.

With the incompetent Mayor of London, you will never have safe streets! https://t.co/pJqL1NjyvA

— Donald J. Trump (@realDonaldTrump) July 20, 2019

The Met regained control of the account on Saturday.

Pierluigi Paganini

(SecurityAffairs – Scotland Yard, hacking)

The post Twitter account of Scotland Yard hacked and posted bizarre messages appeared first on Security Affairs.

SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), has been hacked; attackers stole data about internal projects.

Attackers have hacked SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), and exfiltrated data about internal projects.

According to the Russian media, SyTech has been working with the FSB since 2009; in particular, it contributed to several projects for FSB unit 71330 and for the fellow contractor Quantum. The company earned 40 million rubles ($635,000) from public contracts in 2018. Its latest project is the development of Nalog-3 for the Main Scientific Innovation Implementation Center.

“According to the data received, the majority of non-public projects of Sytech were commissioned by military unit No. 71330, which allegedly is part of the 16th directorate of the FSB of Russia.” states the website CrimeRussia. “This unit is engaged in electronic intelligence, experts from the International Center for Defense and Security in Tallinn believe.”

Some of the research projects accessed by the hackers were for Russia’s intelligence service, including one for deanonymizing Tor traffic.

On July 13, a hacker group named 0v1ru$ hacked into SyTech’s Active Directory server and then compromised the entire infrastructure of the company, including its JIRA instance.

The hackers exfiltrated 7.5TB of data and defaced the website of the company by publishing “yoba face.”

The hackers published images of the company’s servers on Twitter and also shared the data with another hacker crew known as Digital Revolution, which in 2018 breached the FSB contractor Quantum.

All of us, journalists, students and even pensioners, are under surveillance by the FSB. Join us, as 0V1ru$ did, in defending our future! They will not silence our voices! @tjournal @Dobrokhotov @bbcrussian @unkn0wnerror pic.twitter.com/HUYDas7FSN

— DigitalRevolution (@D1G1R3V) July 18, 2019

The hackers provided the stolen data to BBC Russia, which verified the presence of other, older projects for compromising other network protocols, including Jabber, ED2K, and OpenFT.

“Among the projects of Sytech there is the work on de-anonymization of users of the Tor-network, collection of information about Facebook, MySpace and LinkedIn users, hidden collection of information on the Web, a system for substituting Internet traffic, through which certain users could be redirected to special sites when requested portals from the ‘black list’.” continues CrimeRussia.

“Sytech was also supposed to explore the possibilities of developing a complex of penetration and covert use of resources of peer-to-peer and hybrid networks, network protocols Jabber, OpenFT and ED2K, which were used by darknet users and hackers.”

The list of projects shared by BBCRussia includes:

  • Nautilus – a project for tracking the activity of users on the principal social media platforms (such as Facebook, MySpace, and LinkedIn).
  • Nautilus-S – a project for deanonymizing Tor traffic that relies on a network of rogue Tor nodes. In January 2014, researchers from Karlstad University in Sweden presented the results of a four-month study conducted to test Tor network exit nodes for sneaky behavior. They discovered that an unspecified Russian entity was eavesdropping on nodes at the edge of the Tor network.
  • Reward – a project to covertly penetrate P2P networks.
  • Mentor – a project to spy on email communications managed by Russian companies.
  • Hope/Nadezhda – a project to analyze the overall Russian internet and its connections to the global WWW.
  • Tax-3 – a project to allow the manual removal of data on persons under state protection from the FTS information system.

Researchers identified 25 malicious servers, 18 of which were located in Russia, running Tor version 0.2.2.37, the same version detailed in the leaked files.

SyTech took down its website after the hack.

“Website “Siteka” is not available – neither in its previous form, nor in the version with “Yob-face”. When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow.” concludes BBC Russia.

Pierluigi Paganini

(SecurityAffairs – SyTech, data breach)

The post 0v1ru$ hackers breach FSB contractor SyTech and expose Russian intel projects appeared first on Security Affairs.

The former NSA contractor who pled guilty to stealing over 50TB of data from the Agency was sentenced to nine years in prison.

The former National Security Agency contractor Harold Thomas Martin III, who was accused and subsequently pled guilty to stealing over 50TB of classified NSA data, was sentenced to nine years in prison.

The man was arrested by the FBI in October 2016, and the US DoJ charged Harold Thomas Martin with theft of secret documents and highly classified government material. According to a court complaint, the stolen data included source code developed by the NSA for its hacking campaigns against foreign governments.

According to the Politico website, sources informed of the events reported that Kaspersky learned about Martin after he sent strange Twitter messages to two researchers of the firm in 2016, minutes before The Shadow Brokers began leaking the NSA dump online.

“The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. ” reported the Politico website.

“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999’ to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports.

A first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with Kaspersky Lab CEO Eugene Kaspersky.

Kaspersky reported the events to the NSA that identified Martin and the FBI arrested him later.

The DoJ’s chief national security prosecutor John Carlin revealed that Martin was employed by Booz Allen Hamilton, the same defense contractor that employed the notorious Edward Snowden at the time the whistleblower disclosed the mass surveillance program conducted by the NSA on a global scale.

The theft was the largest heist of classified government material in the history of the US.

Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, abused his top-secret security clearance to steal at least 50 terabytes of classified national defense data from government computers over two decades, while working for a number of NSA departments between 1996 and 2016.

In March 2019, the man signed a guilty plea, even though the connection with the Shadow Brokers was never proven.

At the time, federal prosecutors decided to drop the remaining 19 charges against Martin and recommended a 9-year prison sentence and three years of supervised release.

Now the judge sentenced Martin to nine years in prison, including time served, and three years of supervised release.

“Harold Martin apologized to the federal judge who sentenced him for a theft that prosecutors have called “breathtaking” in scope.” reported the AP agency.

“My methods were wrong, illegal and highly questionable,” Martin told U.S. District Judge Richard Bennett.

Pierluigi Paganini

(SecurityAffairs – NSA contractor, data breach)

The post Former NSA contractor sentenced to 9 years for stealing classified data appeared first on Security Affairs.

The Israeli surveillance firm NSO Group informed its clients that it is able to mine user data from major social media and cloud services.

The Financial Times reported that the Israeli surveillance firm NSO Group informed its clients that it is able to mine user data from major social media. NSO is based in Herzliya, near Tel Aviv, and employs 600 people worldwide. The private equity firm Novalpina Capital has the majority of the shares in NSO Group.

“[NSO Group] told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch” reported the FT.

According to the AFP, an NSO spokesperson denied the allegation.

“There is a fundamental misunderstanding of NSO, its services and technology,” the spokesman said.

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

The FT report cites documents it had viewed and descriptions of a product demonstration. According to the report, the surveillance capabilities of the company had “evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos”.

NSO pointed out that it does not operate its solutions, including the Pegasus spyware; instead, it only licenses them to law enforcement and government agencies “for the sole purpose of preventing or investigating serious crime including terrorism”.

Pegasus is a powerful surveillance tool: it is able to steal any kind of data from infected smartphones and to spy on the surrounding environment through their camera and microphone.

The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who had reported a story about corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.” 

Pierluigi Paganini

(SecurityAffairs – NSO Group, surveillance)

The post Israel surveillance firm NSO group can mine data from major social media appeared first on Security Affairs.

Dutch authorities announced the arrest of a 20-year-old man for allegedly developing the Dryad and Rubella Macro Builders.

Dutch authorities have arrested a 20-year-old man accused of being the author of the Dryad and Rubella Macro Builders.

The man, who lives in Utrecht, allegedly created and distributed the Rubella, Cetan and Dryad toolkits.

“Recently the high tech crime team (THTC) of the Dutch National Police Unit arrested a 20 year old resident of the Dutch city of Utrecht. He is suspected of large-scale production and selling of malware.” reads the announcement. “The young man offered programs with names like Rubella, Cetan and Dryad, enabling the buyer to include secret code or malware in amongst others  Word or Excel files.”

Both macro builders allow crooks to easily create malicious Office documents, which are usually used in hacking campaigns as a first-stage loader for other malware.

The Rubella Macro Builder crimeware kit appeared in the threat landscape in April 2018 and rapidly gained popularity in the cybercriminal underground. It allows crooks to generate a malicious payload for social-engineering spam campaigns; the author was offering it as a service with a three-month license costing $120.

According to Flashpoint, Rubella is not particularly sophisticated: the builder is used to create weaponized Microsoft Word or Excel documents for use in spam email.

The macro might also purposely attempt to bypass endpoint security defenses. 

The Rubella Macro Builder is cheap, fast and easy to use, and the malware it generates can evade antivirus detection.

According to Flashpoint experts, some popular criminal gangs used Rubella malware in their campaigns, including the criminal crews behind the Panda and Gootkit banking malware.

The Dutch man was identified by law enforcement with the support of McAfee and another private company.

According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them. 

“Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder.” reads a post published by McAfee. “McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation.”

The man was also promoting a variety of different products and services, ranging from stolen credit card data, malware that steals funds from crypto wallets and a malicious loader to a newly pitched product called Tantalus ransomware-as-a-service.

The Dutch authorities also revealed that the man had in his possession access credentials for thousands of websites.

The police also seized around 20,000 Euro (around $22,000) in cryptocurrency such as Bitcoins. 

“Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. “concludes McAfee. “Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.”

Pierluigi Paganini

(SecurityAffairs – Macro builder, GDPR)

The post Dutch police arrested the author of Dryad and Rubella Macro Builders appeared first on Security Affairs.

Poland and Lithuania are probing the potential privacy and security risks of using the Russian-made app FaceApp.

Millions of people recently downloaded the FaceApp app and are taking part in the “#FaceApp Challenge” to show friends what they will look like when they are old and grey. Many security experts are warning of the risks of using the popular app, since threat actors could be interested in the data collected by FaceApp.

FaceApp was developed in 2017 by Wireless Lab and had already been downloaded 80 million times, but now, thanks to the challenge, it has gone viral. Wireless Lab is a Russian firm based in the Skolkovo hub near Moscow, which was created by the Kremlin and is considered Russia’s Silicon Valley.

The app leverages neural networks to simulate aging: it adds wrinkles, turns teeth yellow and colors the hair gray.

(Image source: AGI)

Poland’s digital affairs ministry is investigating the app and evaluating the security risks posed by FaceApp to the personal data of its users.

“For several days in Poland and the world over, social media have been flooded by a wave of modified photos of ‘ageing’ users,” states Poland’s digital affairs ministry.

“Various experts point to possible risks related to inadequate protection of users’ privacy,” the ministry added.

Another EU country, Lithuania, is also investigating the potential risks posed by large-scale use of the app.

According to deputy defense minister Edvinas Kerza, the FaceApp authors had cooperated with other Russian internet companies which may not comply with European privacy and security regulations.

In the US, Senate Minority Leader Chuck Schumer called on the FBI and the Federal Trade Commission to “look into the national security & privacy risks” associated with the use of FaceApp.

FaceApp CEO Yaroslav Goncharov attempted to reassure privacy advocates by explaining that Russian authorities did not have access to any user data.

He pointed out that most of the photos uploaded by users are deleted from its servers within 48 hours and that the data is not used for other purposes.

Pierluigi Paganini

(SecurityAffairs – FaceApp, cybersecurity)

The post Poland and Lithuania fear that data collected via FaceApp could be misused appeared first on Security Affairs.
