Tag Archives: There

Thousands of Government Websites Hacked to Mine Cryptocurrencies

cryptojacking-website-hacked

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors’ computers to mine cryptocurrency for attackers.

The cryptocurrency mining script injection found on over 4,000 websites, including those belonging to UK’s National Health Service (NHS), the Student Loan Company, and data protection watchdog Information Commissioner’s Office (ICO), Queensland legislation, as well as the US government’s court system.

Users who visited the hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called “Browsealoud,” used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that offers website administrators to earn revenue by utilizing CPU resources of visitors.

The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The full list of affected websites can be found here.

After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp’s chief technology officer Martin McKay said in a blog post:

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours.”

“Texthelp has in place continuously automated security tests for Browsealoud – these tests detected the modified file, and as a result, the product was taken offline.”

This action eventually removed Browsealoud from all websites immediately, addressing the security issue without its customers having to take any action.

The company also assured that “no customer data has been accessed or lost,” and that its customers will receive a further update as soon as the security investigation gets completed.

Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords

keeper-windows-10-password-manager-hacking

If you are running Windows 10 on your PC, then there are chances that your computer contains a pre-installed 3rd-party password manager app that lets attackers steal all your credentials remotely.

Starting from Windows 10 Anniversary Update (Version 1607), Microsoft added a new feature called Content Delivery Manager that silently installs new “suggested apps” without asking for users’ permission.

According to a blog post published Friday on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a pre-installed famous password manager, called “Keeper,” on his freshly installed Windows 10 system which he downloaded directly from the Microsoft Developer Network.

Ormandy was not the only one who noticed the Keeper Password Manager. Some Reddit users complained about the hidden password manager about six months ago, one of which reported Keeper being installed on a virtual machine created with Windows 10 Pro.

Critical Flaw In Keeper Password Manager

Knowing that a third-party password manager now comes installed by default on Windows 10, Ormandy started testing the software and took no longer to discover a critical vulnerability that leads to “complete compromise of Keeper security, allowing any website to steal any password.”

“I don’t want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. People really tell me this,” Ormandy tweeted.

The security vulnerability in the Keeper Password Manager was almost identical to the one Ormandy discovered and reported in the non-bundled version of the same Keeper plugin in August 2016 that enabled malicious websites to steal passwords.

“I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works,” Ormandy said.

To explain the severity of the bug, Ormandy also provided a working proof-of-concept (PoC) exploit that steals a user’s Twitter password if it is stored in the Keeper app.

Install Updated Keeper Password Manager

Ormandy reported the vulnerability to the Keeper developers, who acknowledged the issue and released a fix in the just released version 11.4 on Friday by removing the vulnerable “add to existing” functionality.

Since the vulnerability only affects version 11 of the Keeper app, which was released on December 6 as a major browser extension update, the vulnerability is different from the one Ormandy reported six months ago.

Keeper has also added that the company has not noticed any attack using this security vulnerability in the wild.

As for Windows 10 users, Ormandy said users wouldn’t be vulnerable to the password theft unless they open Keeper password manager and enable the software to store their passwords.

However, Microsoft still needs to explain how the Keeper password manager gets installed on the users’ computers without their knowledge.

Meanwhile, users can use this registry tweak to disable Content Delivery Manager in order to prevent Microsoft from installing unwanted apps silently on their PCs.

OnePlus Secretly Collects Way More Data Than It Should — Here’s How to Disable It

oneplus-telemetry-data

There is terrible news for all OnePlus lovers.

Your OnePlus handset, running OxygenOS—the company’s custom version of the Android operating system, is collecting way more data on its users than it requires.

A recent blog post published today by security researcher Christopher Moore on his website detailed the data collection practice by the Shenzhen-based Chinese smartphone maker, revealing that OxygenOS built-in analytics is regularly sending users’ data to OnePlus’ servers.

Collecting basic device data is a usual practice that every software maker and device manufacturers do to identify, analyse and fix software issues and help improve the quality of their products, but OnePlus found collecting user identification information as well.

Moore simply started intercepting the network traffic to analyse what data his OnePlus device sends to its servers, and found that the data collected by the company included:

  • User’ phone number
  • MAC addresses
  • IMEI and IMSI code
  • Mobile network(s) names
  • Wireless network ESSID and BSSID
  • Device serial number
  • Timestamp when a user locks or unlocks the device
  • Timestamp when a user opens and closes an application on his phone
  • Timestamp when a user turns his phone screen on or off

It is clear that above information is enough to identify any OnePlus user.

“Wow, that is quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities,” Moore said.

“It gets even worse. These event data contain timestamps of which activities were fired up in which in applications, again stamped with the phone’s serial number.”

Moreover, there’s no direct option available to disable this data collection behaviour.

This same issue was also publicly reported to OnePlus in July last year by another security researcher and software engineer, who goes by the online moniker “Tux,” but the problem got ignored by OnePlus as well as others.

Moore also reported this issue to OnePlus support, but the team did not provide any solution to address it, while OnePlus did not yet respond.

However, the good news is that Jakub Czekański, an Android developer, today introduced a permanent solution to disable this data collection practice even without rooting your smartphone.

You can directly connect your OnePlus device in USB debugging mode to a computer, open adb shell and enter this command — pm uninstall -k –user 0 net.oneplus.odm — in order to get rid of OnePlus’ excess data collecting practice.

Powered by WPeMatico