
Hackers Exploiting ‘Bitmessage’ Zero-Day to Steal Bitcoin Wallet Keys


Bitmessage developers have warned of a critical ‘remotely executable’ zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.

Bitmessage is a peer-to-peer (P2P) communications protocol used to send encrypted messages between users. Because it is decentralised and trustless, users need not inherently trust any entity such as a root certificate authority.

For those unaware, PyBitmessage is the official client for the Bitmessage messaging service.

According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.

“The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell,” Bitmessage core developer Peter Šurda explained in a Reddit thread.

“The automated script looked in ~/.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit).”

Moreover, the hackers also targeted Šurda. Since his Bitmessage addresses are most likely compromised, he advised users not to contact him at those addresses.

“My old Bitmessage addresses are to be considered compromised and not to be used,” Šurda tweeted.

Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for the private keys of Electrum bitcoin wallets stored on the compromised device, with which they could have stolen bitcoins.

Bitmessage developers have since fixed the vulnerability with the release of new PyBitmessage version 0.6.3.2.

So, if you are running an affected version of PyBitmessage, you are strongly advised to upgrade to version 0.6.3.2.

Since the vulnerability affects PyBitmessage version 0.6.2 and not PyBitmessage 0.6.1, you can alternatively consider, as Šurda suggested, downgrading your application to protect yourself from potential zero-day attacks.

Although the developers did not reveal more details about the critical vulnerability, Šurda advised users to change all their passwords and create new Bitmessage keys, if they have any suspicion of their computers being compromised.

Binary files for Windows and OSX are expected to become available on Wednesday.

The investigation into these attacks is still ongoing, and we will update this article with more information as it becomes available.

Stay Tuned! Stay Safe!

Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins


Two days ago, when infosec bods claimed to have uncovered what is believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of writing fear-mongering headlines, taunting that the next headline could be about a cryptocurrency miner detected in a nuclear plant.

It seems those journalists now have to run such a headline themselves, because Russia's Interfax News Agency reported yesterday that several scientists at Russia's top nuclear research facility had been arrested for mining cryptocurrency with "office computing resources."

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons.

The center is located in Sarov, which is still a restricted area with high security. It is also the birthplace of the Soviet Union's first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia’s most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab's supercomputer to the internet. The machine was supposed to stay offline for security reasons, and the attempt alerted the nuclear center's security department.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency. 

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,” Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is no cakewalk, as it requires an enormous amount of computational power and huge amounts of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

Secure VPN Services — Get 91% Off On Lifetime Subscriptions


Since most of us rely upon the Internet for day-to-day activities, hacking and spying have become a prime concern today, and so have online security and privacy.

The governments across the world have been found to be conducting mass surveillance and then there are hackers and cybercriminals who are always looking for ways to steal your sensitive and personal data from the ill-equipped networks, websites, and PCs.

Even most online services and websites today collect your personal data, including search histories, location data, and buying habits, and make millions by sharing them with advertisers and marketers.

In short, we have no or very little online privacy.

This is why schools, colleges, hospitals and other small and big businesses are moving towards adopting a solution that allows them to store and access their personal data securely. The solution: Virtual Private Network.

Virtual Private Network, or VPN, serves as an encrypted tunnel that secures your computer’s Internet connection and protects you from bad guys getting into your network to steal your sensitive data.

Additionally, a VPN helps keep your real identity anonymous on the Internet so that no one can trace the origin of your Internet connection back to you.

Isn't that a great reason to use a VPN? Of course it is.

So if you are looking for an excellent and secure VPN service to start with, below you will find some of our best deals from the THN Store, offering popular VPNs at highly discounted prices with lifetime access.

1. VPNSecure: Lifetime Subscription (91% OFF)

If you’re searching for an affordable and reliable VPN service without any bandwidth limits, VPNSecure is a good option.

This premium service is compatible with all operating systems, is easy to use and set up, offers lightning-fast connections and provides ultimate safeguards against hackers and cyber-thieves.

With a strict no-log policy, VPNSecure has many servers located in more than 41 countries and counting.

The VPNSecure Lifetime Subscription is available for just $39 at the THN Deals Store: a one-time flat fee for a lifetime VPN subscription. Isn't that an excellent deal?

3. Windscribe VPN: Lifetime Pro Subscription (92% OFF)


Windscribe VPN is a combination of a VPN and a browser-based privacy suite, which not only encrypts your Internet activity and protects you from prying eyes but also keeps you from being tracked by the online sites you visit.

Windscribe VPN is an easy-to-use yet powerful VPN client. No need to configure anything; just install it and forget about it.

The VPN also includes a firewall that disables all Internet connectivity if the VPN disconnects, preventing IP leaks.

Usually the lifetime subscription costs $900 per year, but The Hacker News readers can get Windscribe VPN Lifetime Subscription for just $69 — 92 percent off its retail value.

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware


Security researchers have discovered a custom-built piece of malware that has been wreaking havoc in Asia for the past several months and is capable of performing nasty tasks, such as password stealing, bitcoin mining, and giving hackers complete remote access to compromised systems.

Dubbed Operation PZChao, the attack campaign discovered by security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.

Researchers believe the nature, infrastructure, and payloads used in the PZChao attacks, including variants of the Gh0stRAT trojan, are reminiscent of the notorious Chinese hacker group Iron Tiger.

However, this campaign has evolved its payloads to drop trojans, conduct cyber espionage, and mine the Bitcoin cryptocurrency.

The PZChao campaign is attacking targets across Asia and the U.S. using attack tactics similar to those of Iron Tiger, which, according to the researchers, signals the possible return of the notorious Chinese APT group.

Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.


If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting “down.pzchao.com,” which resolved to an IP address (125.7.152.55) in South Korea at the time of the investigation.

The threat actors behind the attack campaign control at least five malicious subdomains of the "pzchao.com" domain, each used to serve a specific task, such as download, upload, RAT-related actions, and malware DLL delivery.

The payloads deployed by the threat actors are “diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system,” researchers noted.

The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a ‘java.exe’ file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.

For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the architecture of the affected machine's operating system) to harvest passwords and upload them to the command-and-control server.

PZChao's final payload includes a slightly modified version of the Gh0st remote access trojan (RAT), which is designed to act as a backdoor implant and behaves very similarly to the versions detected in cyber attacks associated with the Iron Tiger APT group.

The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:

  • Real-time and offline remote keystroke logging
  • Listing of all active processes and opened windows
  • Listening in on conversations via microphone
  • Eavesdropping on webcams’ live video feed
  • Allowing for remote shutdown and reboot of the system
  • Downloading binaries from the Internet to remote host
  • Modifying and stealing files and more.

All of the above capabilities allow a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data easily.

While the tools used in the PZChao campaign are a few years old, “they are battle-tested and more than suitable for future attacks,” researchers say.

Active since 2010, Iron Tiger, also known as “Emissary Panda” or “Threat Group-3390,” is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.

For further insights, you can read the detailed technical paper [PDF] published by Bitdefender.

Researcher Claims Hotspot Shield VPN Service Exposes You on the Internet


A Virtual Private Network (VPN) is one of the best solutions you can have to protect your privacy and data on the Internet, but you should be vigilant when choosing a VPN service and pick one that truly respects your privacy.

If you are using the popular VPN service Hotspot Shield for online anonymity and privacy, you may inadvertently be leaking your real IP address and other sensitive information.

Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.

The service promises to “secure all online activities,” hide users’ IP addresses and their identities and protect them from tracking by transferring their internet and browsing traffic through its encrypted channel.

However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of user data, such as the name of the Wi-Fi network (if connected) and the user's real IP address, which could reveal their location, along with other sensitive information.

The vulnerability, assigned CVE-2018-6460, was discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability public on Monday after not receiving a response from the company.

According to the researcher's claims, the flaw resides in the local web server (which runs on the hardcoded host 127.0.0.1 and port 895) that Hotspot Shield installs on the user's machine.

This server hosts multiple JSONP endpoints, which are surprisingly accessible to unauthenticated requests as well, and whose responses could reveal sensitive information about the active VPN service, including its configuration details.

“http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details,” Yibelo claims.

“User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine,” the vulnerability description reads.

Yibelo has also publicly released a proof-of-concept (PoC) exploit code—just a few lines of JavaScript code—that could allow an unauthenticated, remote attacker to extract sensitive information and configuration data.

However, ZDNet reporter Zack Whittaker tried to verify the researcher's claim and found that the PoC code only revealed the Wi-Fi network name and country, not the real IP address.


In a statement, an AnchorFree spokesperson acknowledged the vulnerability but denied that it discloses the user's real IP address as claimed by Yibelo.

“We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country,” the spokesperson told ZDNet.

The researcher also claims that he was able to leverage this vulnerability to achieve remote code execution.

Hotspot Shield also made headlines in August last year, when the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused the service of allegedly tracking, intercepting and collecting its customers’ data.

Nearly 2000 WordPress Websites Infected with a Keylogger


More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors’ computers to mine digital currencies but also logs visitors’ every keystroke.

Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.

Coinhive is a popular browser-based service that lets website owners embed a JavaScript snippet that uses the CPU power of their visitors to mine the Monero cryptocurrency.

Sucuri researchers said the threat actors behind this new campaign are the same ones who infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency-mining malware known as cloudflare[.]solutions.

Spotted in April last year, Cloudflare[.]solutions is cryptocurrency-mining malware that is not at all related to the network management and cybersecurity firm Cloudflare; it takes its name from the cloudflare[.]solutions domain it initially used to spread.

The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can capture keystrokes on both the site's administrator login page and the website's public-facing front end.


If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.

The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.

The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).

Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme’s functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme’s functions.php file.

According to source-code search engine PublicWWW, some 129 websites are infected via the cdns[.]ws domain and 103 via cdjs[.]online, while over a thousand sites were reported to have been infected via the msdns[.]online domain.

Researchers said it’s likely that the majority of the websites have not been indexed yet.

“While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn’t even notice the original infection,” Sucuri researchers concluded.

If your website has already been compromised by this infection, you will need to remove the malicious code from the theme's functions.php file and scan the wp_posts table for any injected scripts.
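As an added example (not Sucuri's tooling or code from the article), this Python scanner checks a theme's functions.php and wp_posts rows for script references to the domains listed above; the PHP snippet and post rows it runs over are constructed samples.

```python
# Added example: scan a WordPress theme's functions.php and wp_posts rows for
# script references to the domains used by this campaign.  Sample inputs below
# are constructed, not taken from a real infected site.
import re

# Domains named in the Sucuri research; extend as the campaign rotates domains.
CAMPAIGN_DOMAINS = ("cloudflare.solutions", "cdjs.online", "cdns.ws", "msdns.online")

# Any absolute or protocol-relative URL: captures the host and the optional path.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)(?::\d+)?(/[^\s'\"<>]*)?", re.IGNORECASE)


def host_matches(host: str, domains=CAMPAIGN_DOMAINS) -> bool:
    """True for a campaign domain itself or any subdomain of it (never for look-alikes
    such as cdjs.online.example.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injections(text: str, source: str):
    """Return one finding per URL in `text` whose host belongs to a campaign domain."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            if host_matches(match.group(1)):
                findings.append({"source": source, "line": lineno,
                                 "host": match.group(1).lower(), "url": match.group(0)})
    return findings


def scan_posts(rows):
    """rows: iterable of dicts with 'ID' and 'post_content', as returned by
    `SELECT ID, post_content FROM wp_posts` (prefix may differ per install)."""
    findings = []
    for row in rows:
        findings.extend(find_injections(row["post_content"], f"wp_posts#{row['ID']}"))
    return findings


# Constructed functions.php: line 4 carries the injected loader, line 5 is a
# legitimate jQuery reference that must not be flagged.
SAMPLE_FUNCTIONS_PHP = "\n".join([
    "<?php",
    "add_action('wp_head', 'theme_head');",
    "function theme_head() {",
    "    echo '<script type=\"text/javascript\" src=\"https://cdjs.online/lib/jquery.js\"></script>';",
    "    echo '<script src=\"https://code.jquery.com/jquery-3.2.1.min.js\"></script>';",
    "}",
])

# Constructed wp_posts rows: post 12 carries a protocol-relative injection.
SAMPLE_POSTS = [
    {"ID": 7, "post_content": "<p>Welcome to our shop.</p>"},
    {"ID": 12, "post_content": "<p>Sale!</p><script src=\"//cdns.ws/cdn.js\"></script>"},
]


if __name__ == "__main__":
    for f in find_injections(SAMPLE_FUNCTIONS_PHP, "functions.php") + scan_posts(SAMPLE_POSTS):
        print(f"{f['source']}:{f['line']} references {f['host']} ({f['url']})")
```

On a live site, feed it the real functions.php text and the rows from your wp_posts table; a hit on a subdomain of one of these domains is as significant as a hit on the bare domain.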

Users are advised to change all WordPress passwords and update all server software including third-party themes and plugins just to be on the safer side.

Nearly Half of the Norway Population Exposed in HealthCare Data Breach


Cybercriminals have stolen a massive trove of Norway’s healthcare data in a recent data breach, which likely impacts more than half of the nation’s population.

An unknown hacker or group of hackers managed to breach the systems of Health South-East Regional Health Authority (RHF) and reportedly stole the personal information and health records of some 2.9 million Norwegians out of the country's total of 5.2 million inhabitants.

Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.

The healthcare organisation announced the data breach on Monday after it had been alerted by HelseCERT, the Norwegian CERT department for its healthcare sector, about an “abnormal activity” against computer systems in the region.

HelseCERT also said the culprits behind the data breach are "advanced and professional" hackers, although it is still unknown whether they managed to exfiltrate data successfully and, if so, how many people may have been affected.

So far there is also no evidence that the data theft has had any consequences for or effects on patients' safety. However, the healthcare organisation assured that security "measures had been taken to limit the damage caused by the burglary."

“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects, ” NorCERT director Kjetil Nilsen told Norwegian publication VG.

“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities.”

Why Do Hackers Want Your Health Data?

Digital healthcare has been growing to satisfy the demands of connected healthcare technology that provides better treatment and improved patient care.

We know that any organisation with a computer is at risk from cyber-attacks both from criminals wanting to extort money and state-sponsored hackers wanting to cause chaos.

Since the healthcare sector is part of the critical national infrastructure, alongside water, electricity and transport, it becomes an attractive target for hackers.

Believe it or not, your medical records are worth more to hackers than your stolen credit card details on the dark web markets.

Financial data has a finite lifespan, but the information contained in health care records—which includes names, birth dates, policy numbers, diagnosis codes, social security number and billing information—has a much longer shelf life and is rich enough for identity theft.

Fraudsters can use this data to create fake identities and do all kinds of illegal things in your name, combine a patient number with a false provider number to file fake claims with insurers, and even file fake tax returns using your stolen address, phone number and employment history.

How to Protect Yourself After a Data Breach?

If you are one of those affected by the healthcare breach, you will have to remain vigilant against fraud for the rest of your life, because the risk of identity theft is not short-term, unlike in the case of credit card fraud.

You may follow the following steps to protect yourself:

1) Monitor Your Accounts: Watch for anyone using your information to try to take over your existing accounts or transfer money out of them. Don't forget that thieves with stolen details on you can get through your security questions, including the last four digits of your social security number and your street address. Also, watch for any unauthorised activity or transfers on your current financial accounts.

2) File Your Taxes Early: With the stolen information in hand, cyber thieves could hijack your tax refund by filing your taxes early and claiming it for themselves. So, to avoid any such problems, file your taxes as early as possible.

3) Stay Vigilant: The foremost thing to protect against any breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will simply have to stay mindful forever.

Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware


Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office.

Dubbed Zyklon, the fully featured malware has resurfaced after almost two years and has primarily been found targeting the telecommunications, insurance and financial services sectors.

Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, such as passwords stored in web browsers and email clients.

Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.

Different versions of the Zyklon malware have previously been found advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).

According to a recently published report by FireEye, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office to execute a PowerShell script on the targeted computers that downloads the final payload from their C&C server.

1) .NET Framework RCE Vulnerability (CVE-2017-8759)—this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over an email. Microsoft already released a security patch for this flaw in September updates.

2) Microsoft Office RCE Vulnerability (CVE-2017-11882)—a 17-year-old memory corruption flaw, patched by Microsoft in its November update, that allows a remote attacker to execute malicious code on the targeted system once a malicious document is opened, without requiring any further user interaction.

3) Dynamic Data Exchange Protocol (DDE Exploit)—this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to perform code execution on the targeted device without requiring Macros to be enabled or memory corruption.

As explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver the Zyklon malware using spear-phishing emails, which typically arrive with an attached ZIP file containing a malicious Office document.

Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer.

“In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded,” the FireEye researchers said.

“The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode.”

“The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework.”

Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.

What is a Dotless IP Address? If you are unaware, dotless IP addresses, sometimes referred to as 'Decimal Addresses,' are IPv4 addresses written as a single decimal number (the address's 32-bit integer value) instead of the usual dotted-quad notation. Almost all modern web browsers convert such a decimal address to its equivalent IPv4 address when it is opened with "http://" in front of the decimal value.

For example, Google's IP address 216.58.207.206 can also be represented as http://3627732942 in decimal form.
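The conversion described above, carried out in both directions and used to flag URLs with a bare-integer host in a list of URLs, as an added example that is neither the article's nor FireEye's code; the sample URLs are constructed.

```python
# Added example (not from the article or FireEye's report): convert between
# dotted-quad IPv4 and the "dotless" decimal form seen in the Zyklon downloader
# URL, and flag URLs whose host is such a bare integer.  Sample URLs are constructed.
import ipaddress
import re
from urllib.parse import urlsplit


def dotted_to_decimal(ip: str) -> int:
    """216.58.207.206 -> 3627732942: the four octets read as one big-endian 32-bit integer."""
    # ipaddress validates the octet count and the 0-255 range for us.
    return int(ipaddress.IPv4Address(ip))


def decimal_to_dotted(value: int) -> str:
    """3627732942 -> 216.58.207.206."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    return str(ipaddress.IPv4Address(value))


# A host made only of digits.  Browsers also accept hex (0x...), octal and
# fewer-than-four-part dotted forms; this example covers only the decimal form
# the article describes.
DOTLESS_HOST_RE = re.compile(r"^\d{1,10}$")


def normalise_host(host: str):
    """Return (True, dotted_quad) for a dotless host, (False, None) otherwise."""
    if DOTLESS_HOST_RE.match(host):
        value = int(host)
        if value <= 0xFFFFFFFF:
            return True, decimal_to_dotted(value)
    return False, None


def flag_dotless_urls(urls):
    """Return one finding per URL whose host is a bare decimal IPv4 address,
    including the conventional dotted form so it can be matched against
    blocklists or proxy logs that only know the dotted notation."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        is_dotless, dotted = normalise_host(host)
        if is_dotless:
            findings.append({"url": url, "host": host, "dotted": dotted})
    return findings


if __name__ == "__main__":
    # Constructed sample: the first URL mimics the form the campaign used.
    sample = [
        "http://3627732942/Pause.ps1",
        "https://www.example.com/update",
        "http://216.58.207.206/",
    ]
    for f in flag_dotless_urls(sample):
        print(f"{f['url']} -> host {f['host']} is {f['dotted']}")
```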

The best way to protect yourself and your organisation from such malware attacks is to always be suspicious of any uninvited document sent via email and never click on links inside such documents without adequately verifying the source.

Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections.

Skygofree — Powerful Android Spyware Discovered


Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools that give hackers full control of infected devices remotely.

Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years.

Since 2014, the Skygofree implant has gained several novel features previously unseen in the wild, according to a new report published by Russian cybersecurity firm Kaspersky Labs.

The ‘remarkable new features’ include location-based audio recording using device’s microphone, the use of Android Accessibility Services to steal WhatsApp messages, and the ability to connect infected devices to malicious Wi-Fi networks controlled by attackers.

Skygofree is being distributed through fake web pages mimicking leading mobile network operators, most of which have been registered by the attackers since 2015—the year when the distribution campaign was most active, according to Kaspersky’s telemetry data.

Italian IT Firm Behind Skygofree Spyware?


Researchers at Kaspersky Lab believe the hacker or hacking group behind this mobile surveillance tool has been active since 2014 and is based in Italy, home of the infamous 'Hacking Team', one of the world's bigger players in spyware trading.

“Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam,” said the report.

Kaspersky found several Italian devices infected with Skygofree, which the firm described as one of the most powerful, advanced mobile implants it has ever seen.

Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to the Rome-based technology company "Negg" in the spyware's code. Negg also specialises in developing and trading legal hacking tools.

Skygofree: Powerful Android Spyware Tool

Once installed, Skygofree hides its icon and starts background services to conceal further actions from the user. It also includes a self-protection feature, preventing services from being killed.

As of October last year, Skygofree became a sophisticated multi-stage spyware tool that gives attackers full remote control of the infected device using a reverse shell payload and a command and control (C&C) server architecture.

According to the technical details published by the researchers, Skygofree includes multiple exploits to escalate privileges to root, granting it the ability to execute its most sophisticated payloads on the infected Android devices.


One such payload allows the implant to execute shellcode and steal data belonging to other applications installed on the targeted devices, including Facebook, WhatsApp, Line, and Viber.

“There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features,” the researchers said.

Skygofree’s control (C&C) server also allows attackers to capture pictures and videos remotely, seize call records and SMS, as well as monitor the users’ geolocation, calendar events and any information stored in the device’s memory.

Besides this, Skygofree can also record audio via the microphone when the infected device is in a specified location, and it can force the infected device to connect to compromised Wi-Fi networks controlled by the attacker, enabling man-in-the-middle attacks.

The spyware uses “the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages,” Kaspersky said.

Kaspersky researchers also found a variant of Skygofree targeting Windows users, suggesting the authors’ next area of interest is the Windows platform.

The best way to protect yourself from becoming a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

LeakedSource Founder Arrested for Selling 3 Billion Stolen Credentials


Canadian authorities have arrested and charged an Ontario man for operating a website that collected ‘stolen’ personal identity records and credentials from some three billion online accounts and sold them for profit.

According to the Royal Canadian Mounted Police (RCMP), the 27-year-old Jordan Evan Bloom of Thornhill is the person behind the notorious LeakedSource.com—a major repository that compiled public data breaches and sold access to the data, including plaintext passwords.

Launched in late 2015, LeakedSource had collected around 3 billion personal identity records and associated passwords from some of the massive data breaches, including LinkedIn, VK.com, Last.fm, Ashley Madison, MySpace, Twitter, Weebly and Foursquare, and made them accessible and searchable to anyone for a fee.

LeakedSource was shut down, and its associated social media accounts were suspended, after law enforcement raided its operator earlier last year.

However, another website with the same domain name hosted by servers in Russia is still in operation.

Bloom is accused of operating the notorious website and claimed to have earned nearly US$200,000 by selling stolen personal identity records and associated passwords for a “small fee” via his site.

Bloom appeared in a Toronto court on Monday, January 15, charged with trafficking in identity information, mischief to data, unauthorised use of a computer, and possession of property obtained by crime, the RCMP said.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” the RCMP Cybercrime Investigative Team said in a statement.

“The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

Bloom was arrested and charged on December 22, 2017, as part of the RCMP’s national cybercrime division investigation, dubbed ‘Project Adoration.’

The RCMP said the Dutch national police and the United States’ FBI assisted in the operation, adding the case could not have been cracked without international collaboration.

Bloom is currently in custody and due back in court on February 16.

Cybersecurity lawyer Imran Ahmad told Reuters that Bloom could face a maximum sentence of 10 years in prison.