Tag Archives: they

Thousands of Government Websites Hacked to Mine Cryptocurrencies

cryptojacking-website-hacked

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors’ computers to mine cryptocurrency for attackers.

The cryptocurrency mining script injection found on over 4,000 websites, including those belonging to UK’s National Health Service (NHS), the Student Loan Company, and data protection watchdog Information Commissioner’s Office (ICO), Queensland legislation, as well as the US government’s court system.

Users who visited the hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called “Browsealoud,” used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that offers website administrators to earn revenue by utilizing CPU resources of visitors.

The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The full list of affected websites can be found here.

After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp’s chief technology officer Martin McKay said in a blog post:

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours.”

“Texthelp has in place continuously automated security tests for Browsealoud – these tests detected the modified file, and as a result, the product was taken offline.”

This action eventually removed Browsealoud from all websites immediately, addressing the security issue without its customers having to take any action.

The company also assured that “no customer data has been accessed or lost,” and that its customers will receive a further update as soon as the security investigation gets completed.

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

pos-malware-dns

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind.

Besides using ‘unusual’ DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data pass firewalls and other security controls.

“We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests,” Forcepoint researchers said in a blogpost published Thursday. 

“Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.”

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disable if find any. The researchers say it’s unclear “at present whether this is a reflection of the malware still being in a relatively early stage of development/testing.”

Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, the Forcepoint’s tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not been compromised the LogMeIn service itself—it’s just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” LogMeIn noted. 

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

According to Forcepoint researchers, protecting against such threat could be a tricky proposition, as “nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications,” but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect onto targeted systems.

FormBook—Cheap Password Stealing Malware Used In Targeted Attacks

It seems sophisticated hackers have changed the way they conduct targeted cyber operations—instead of investing in zero-days and developing their malware; some hacking groups have now started using ready-made malware just like script kiddies.

Possibly, this could be a smart move for state-sponsored hackers to avoid being attributed easily.

Security researchers from multiple security firms, including Arbor Networks and FireEye, independently discovered a series of malware campaigns primarily targeting aerospace, defence contractors and manufacturing sectors in various countries, including the United States, Thailand, South Korea and India.

What’s common? All these attack campaigns, conducted by various hacking groups, eventually install same information and password stealer malware—dubbed FormBook—on the targeted systems.

FormBook is nothing but a “malware-as-as-service,” which is an affordable piece of data-stealing and form-grabbing malware that has been advertised in various hacking forums since early 2016.

Anyone can rent FormBook for just $29 per week or $59 per month, which offers a range of advanced spying capabilities on target machines, including a keylogger, password stealer, network sniffer, taking the screenshots, web form data stealer and more.

According to the researchers, attackers in each campaign are primarily using emails to distribute the FormBook malware as an attachment in different forms, including PDFs with malicious download links, DOC and XLS files with malicious macros, and archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.

password-stealer

Once installed on a target system, the malware injects itself into various processes and starts capturing keystrokes and extracts stored passwords and other sensitive data from multiple applications, including Google Chrome, Firefox, Skype, Safari, Vivaldi, Q-360, Microsoft Outlook, Mozilla Thunderbird, 3D-FTP, FileZilla and WinSCP.

FormBook continuously sends all the stolen data to a remote command and control (C2) server which also allows the attacker to execute other commands on the targeted system, including start processes, shutdown and reboot the system, and stealing cookies.

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective,” FireEye says.

“The malware author calls this technique “Lagos Island method” (allegedly originating from a userland rootkit with this name).”

According to the researchers, FormBook was also seen downloading other malware families such as NanoCore in the last few weeks.

The attackers can even use the data successfully harvested by FormBook for further cybercriminal activities including, identity theft, continued phishing operations, bank fraud and extortion.

FormBook is neither sophisticated, nor difficult-to-detect malware, so the best way to protect yourself from this malware is to keep good antivirus software on your systems, and always keep it up-to-date.

Powered by WPeMatico

Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs

self-driving-car-hacking

Car Hacking is a hot topic, though it’s not new for researchers to hack cars. Previously they had demonstrated how to hijack a car remotely, how to disable car’s crucial functions like airbags, and even how to steal cars.

But the latest car hacking trick doesn’t require any extra ordinary skills to accomplished. All it takes is a simple sticker onto a sign board to confuse any self-driving car and cause accident.

Isn’t this so dangerous?

A team of researchers from the University of Washington demonstrated how anyone could print stickers off at home and put them on a few road signs to convince “most” autonomous cars into misidentifying road signs and cause accidents.

According to the researchers, image recognition system used by most autonomous cars fails to read road sign boards if they are altered by placing stickers or posters over part or the whole road sign board.

In a research paper, titled “Robust Physical-World Attacks on Machine Learning Models,” the researchers demonstrated several ways to disrupt the way autonomous cars read and classify road signs using just a colour printer and a camera.

self-driving-car-hacking-trick

By simply adding “Love” and “Hate” graphics onto a “STOP” sign (as shown in the figure), the researchers were able to trick the autonomous car’s image-detecting algorithms into thinking it was just a Speed Limit 45 sign in 100 percent of test cases.

The researchers also performed the same exact test on a RIGHT TURN sign and found that the cars wrongly classified it as a STOP sign two-thirds of the time.

The researchers did not stop there. They also applied smaller stickers onto a STOP sign to camouflage the visual disturbances and the car identified it as a street art in 100 percent of the time.

“We [think] that given the similar appearance of warning signs, small perturbations are sufficient to confuse the classifier,” the researchers told Car and Driver. “In future work, we plan to explore this hypothesis with targeted classification attacks on other warning signs.”

The sign alterations in all the experiments performed by the researchers were very small that can go unnoticed by humans, but since the camera’s software was using an algorithm to understand the image, it interpreted the sign in a profoundly different way.

This small alteration to the signs could result in cars skipping junctions and potentially crashing into one another.

The research were carried out by the researchers from the University of Washington, the University of Michigan Ann Arbor, Stony Brook University and the University of California Berkeley, and credit researchers, including Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, and Dawn Song.

Although the researchers did not reveal the manufacturer whose self-driving car they used in their experiments, threats to self-driving cars have once again made us all think of having one in future.

Powered by WPeMatico