
Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

You have always been warned not to share remote access to your computer with untrusted people for any reason—it’s basic cybersecurity advice, and common sense, right?

But what if I told you that you should not even trust anyone who invites or offers you full remote access to their computer?

A critical vulnerability has been discovered in Microsoft’s Windows Remote Assistance (Quick Assist) feature

Mac Software Mines Cryptocurrency in Exchange for Free Access to Premium Account

Nothing comes for free, especially online.

Would you be okay with allowing a few paid services to mine cryptocurrencies using your system instead of paying the subscription fee?

Most free websites and services rely on advertising revenue to survive, but now there is a new way to make money—using customers’ computers to generate virtual currencies.

It was found that a scheduling app,

Biggest-Ever DDoS Attack (1.35 Tbps) Hits GitHub Website

On Wednesday, February 28, 2018, GitHub’s code hosting website was hit with the largest-ever distributed denial of service (DDoS) attack, which peaked at a record 1.35 Tbps.

Interestingly, the attackers did not use any botnet; instead, they weaponized misconfigured Memcached servers to amplify the DDoS attack.

Earlier this week we published a report detailing how attackers could abuse Memcached,

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries


Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP that most PoS malware has used in the past. This malware is also thought to be the first of its kind.

Besides using ‘unusual’ DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while moving stolen payment card data past firewalls and other security controls.

“We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests,” Forcepoint researchers said in a blogpost published Thursday. 

“Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.”

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables them if it finds any. The researchers say it’s unclear “at present whether this is a reflection of the malware still being in a relatively early stage of development/testing.”

Although there is no evidence of the UDPoS malware currently being used to steal credit or debit card data, Forcepoint’s tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself—it’s just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” LogMeIn noted. 

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

According to Forcepoint researchers, protecting against such a threat can be tricky, as “nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications,” but DNS is still often treated differently, providing a golden opportunity for attackers to leak data.

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to run malicious PowerShell commands on compromised computers, making the malware difficult to detect on targeted systems.
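The common thread between UDPoS and DNSMessenger is that data leaves the network inside DNS query names, which most perimeter controls wave through. The script below is an added example, not Forcepoint’s tooling or anything from the malware itself: it scans a constructed log of (client, query name) pairs and flags names whose labels look like encoded data (hex-only labels, very long labels, high-entropy labels), then reports hosts that send a stream of such queries to one domain. The log format, the thresholds and the two-label “registered domain” heuristic are all assumptions made for the example; a real deployment would feed it resolver logs and use the Public Suffix List.

```python
"""Flag DNS queries whose labels look like encoded data, the tell-tale of
DNS-based exfiltration. Added example with a constructed sample log; not
Forcepoint's code and not derived from the UDPoS sample."""
import math
import re
from collections import defaultdict

# Constructed sample of "client qname" lines. The hex-looking subdomains under
# exfil.example stand in for encoded payloads; the rest is ordinary traffic.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 update.vendor.example
10.0.0.7 4a6f686e446f653b3431313131313131313131313131313b30353235.exfil.example
10.0.0.7 3b3132333b3f2a4a6f686e20446f652a3f.exfil.example
10.0.0.7 5e312e3031.exfil.example
10.0.0.5 mail.example.com
10.0.0.7 3132333435363738393031323334.exfil.example
10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjswy2lr.tunnel.example
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
LONG_LABEL = 32          # a single DNS label may be up to 63 bytes; 32 is our (assumed) alarm line
ENTROPY_MIN_LEN = 12     # entropy is meaningless on very short labels
ENTROPY_THRESHOLD = 3.5  # bits per character; natural-language labels sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumed heuristic; use the Public Suffix List in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_query(qname: str) -> list:
    """Return the reasons (possibly none) why one query name looks like encoded data."""
    labels = qname.rstrip(".").lower().split(".")
    leftmost = labels[0]
    reasons = []
    if any(len(label) >= LONG_LABEL for label in labels):
        reasons.append("long_label")
    if HEX_LABEL.match(leftmost):
        reasons.append("hex_label")
    if len(leftmost) >= ENTROPY_MIN_LEN and shannon_entropy(leftmost) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    return reasons


def find_exfil_candidates(log_text: str, min_flagged: int = 3) -> dict:
    """Group queries by (client, registered domain) and return the groups with at
    least min_flagged suspicious queries. One odd name is noise; a stream of them
    from one host to one domain is the exfiltration pattern."""
    groups = defaultdict(lambda: {"flagged": 0, "subdomains": set(), "reasons": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        entry = groups[(client, registered_domain(qname))]
        entry["subdomains"].add(qname.lower().split(".")[0])
        reasons = analyze_query(qname)
        if reasons:
            entry["flagged"] += 1
            entry["reasons"].update(reasons)
    return {
        key: {"flagged": v["flagged"],
              "distinct_subdomains": len(v["subdomains"]),
              "reasons": sorted(v["reasons"])}
        for key, v in groups.items() if v["flagged"] >= min_flagged
    }


if __name__ == "__main__":
    for (client, domain), info in find_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

Note what the threshold buys you: the short `5e312e3031` label slips past every per-query rule, and the single base32-looking query from 10.0.0.9 is flagged but never reported on its own, while the steady run of hex labels from 10.0.0.7 to one domain is. Tune `min_flagged` against your own baseline rather than trusting the constructed value.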

15-Year-Old Schoolboy Posed as CIA Chief to Hack Highly Sensitive Information


Remember “Crackas With Attitude“?

A notorious pro-Palestinian hacking group that carried out a series of embarrassing hacks against United States intelligence officials and leaked the personal details of 20,000 FBI agents, 9,000 Department of Homeland Security officers, and some number of DoJ staffers in 2015.

Believe it or not, the leader of this hacking group was just 15 years old when he used “social engineering” to impersonate the CIA director and gain unauthorised access to highly sensitive information from his Leicestershire home, as revealed during a court hearing on Tuesday.

Kane Gamble, the British teenage hacker, now 18 years old, targeted then-CIA director John Brennan, Director of National Intelligence James Clapper, Secretary of Homeland Security Jeh Johnson, FBI deputy director Mark Giuliano, as well as other senior FBI figures.

Between June 2015 and February 2016, Gamble posed as Brennan and tricked call centre and helpline staff into giving away broadband and cable passwords, using which the team also gained access to plans for intelligence operations in Afghanistan and Iran.

The teenager also taunted his victims and their families, released their personal details, bombarded them with calls and messages, downloaded and installed pornography onto their computers and took control of their iPads and TV screens.

He also made hoax calls to Brennan’s home and took control of his wife’s iPad.

At one point, Gamble also sent DHS secretary Johnson a photograph of his daughter and said he would f*** her, phoned his wife, leaving a voicemail message which said: “Hi Spooky, am I scaring you?,” and even managed to get the message “I own you” on the couple’s home television.

Gamble was arrested in February 2016 at his council home in Coalville and last October he pleaded guilty to 8 charges of “performing a function with intent to secure unauthorised access” and 2 charges of “unauthorised modification of computer material.”

Gamble said he targeted the US government because he was “getting more and more annoyed about how corrupt and cold-blooded the US Government” was and “decided to do something about it.”

Gamble’s defence said he was technically gifted but emotionally immature and has an autistic spectrum disorder; at the time of his offending, he had the mental development of a 12- or 13-year-old.

Also, the defence said, at no point did Gamble attempt to profit from his actions.

Out of 10 counts, Gamble previously admitted 8 charges of performing a function with intent to secure unauthorised access.

The teenager will be sentenced when the hearing resumes at a later date.

Two other members of the Crackas With Attitude hacking group, Andrew Otto Boggs and Justin Gray Liverman, were arrested by the FBI in September 2016 and have already been sentenced to five years in federal prison.

Skype Finally Adds End-to-End Encryption for Private Conversations

Good news for Skype users who are concerned about their privacy.

Microsoft is collaborating with popular encrypted communication company Signal to bring end-to-end encryption support to Skype messenger.

End-to-end encryption assures users that no one, not even the company or server that transmits the data, can decrypt their messages.

Signal Protocol is an open source cryptographic protocol that has become an industry-wide standard—it is used in Apple iMessage, Facebook Messenger, WhatsApp, and Google Allo for secure messaging.

Dubbed Private Conversations, the new feature which is about to be introduced in Skype will offer end-to-end encryption for audio calls, text, and multimedia messages like videos and audio files.

“Skype Private Conversations give you enhanced security through end-to-end encryption with an additional layer of security for conversations between you and your friends and family,” the company announced.

“Private Conversations can only be between you and one other contact. This is not supported in groups.”

How to Start Skype End-to-End Encrypted Calls and Chats

Private Conversations is already available to the Skype Insider program—a platform that allows Skype users to test new features before they are rolled out to the rest of its over 300 million users worldwide.

To initiate a new secure communication with your Skype contact, you need to tap or click on the (+) icon, select ‘New Private Conversation’ and then select the contact you would like to start the secure communication with.

A Private Conversation will have a lock icon next to your Skype contact’s name. Preview messages from Private Conversations will not appear in the chat list or notifications.

Unlike WhatsApp, the end-to-end encryption feature is not enabled by default in Skype, and users need to select ‘New Private Conversation’ from the app’s “Compose” menu, or from another user’s profile, to initiate a secure communication—it’s like Facebook Messenger’s Secret Conversations, which is also based on Signal.

Unfortunately, Private Conversations also does not currently support video calling, but video calls remain secured by the standard encryption that Microsoft already provides with its Skype service.

Also, even with Private Conversations enabled, Skype will still be able to access some information (metadata) about your secure communications, such as when you initiate them and how long the conversation lasts.

Skype Insider users can test Private Conversations using Skype build version for iOS, Android, Linux, Mac, and Windows Desktop.

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites


Buying popular plugins with a large user base and using them for effortless malicious campaigns has become a new trend among bad actors.

One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.

The plugin was configured to automatically pull an updated “backdoored” version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository without site admin consent.


This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.

“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself,” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”

Also, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, therefore “triggering the same automatic update process removes all file system traces of the backdoor,” making it look as if it was never there and helping the attacker avoid detection.


The reason behind adding a backdoor is unclear at this moment, but if someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind it.

In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthily infect their large user base with malware, adware, and spyware.

While figuring out the actual identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named “Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”

Using reverse whois lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What’s interesting? All of the above-mentioned domains registered to the same user contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence has teamed up with WordPress to patch the affected version of the Captcha plug-in and blocked the author from publishing updates, so website administrators are strongly advised to replace their plugin with the latest official Captcha version 4.4.5.

WordFence has promised to release in-depth technical details on how the backdoor installation and execution works, along with a proof-of-concept exploit after 30 days so that admins get enough time to patch their websites.

THN Weekly Roundup — Top 10 Stories You Should Not Miss


Here we are with our weekly roundup, briefing this week’s top cybersecurity threats, incidents, and challenges, just in case you missed any of them.

Last week was packed with big news, from the theft of over 4,700 Bitcoins from the largest cryptocurrency mining marketplace to the discovery of a new malware evasion technique that works on all versions of Microsoft’s Windows operating system.

Besides this, the newly discovered Janus vulnerability in the Android operating system and a critical remote code execution (RCE) vulnerability in Malware Protection Engine (MPE) for which Microsoft released an emergency patch made their places in our weekly roundup.

I recommend you to read the entire news (just click ‘Read More’ because there’s some valuable advice in there as well).

So, here we go with the list of this Week’s Top Stories:

Process Doppelgänging: New Malware Evasion Technique

A team of researchers, who previously discovered AtomBombing attack, recently revealed a new fileless code injection technique that could help malware authors defeat most of the modern anti-virus solutions and forensic tools.

Dubbed Process Doppelgänging, the method takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader, and works on all versions of the Microsoft Windows operating system, from Windows Vista to the latest version of Windows 10.

To know How Process Doppelgänging attack works and why Microsoft refused to fix it, Read More.

Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures

A newly discovered vulnerability in Android, dubbed Janus, could let attackers modify the code of Android apps without affecting their signatures, eventually allowing them to distribute malicious updates for legitimate apps that look and work the same as the original apps.

Although Google patched the vulnerability this month, a majority of Android users would still need to wait for their device manufacturers to release custom updates for them, apparently leaving a large number of Android users vulnerable to hackers for the next few months.

To know more about the vulnerability, how it works and if you are affected, Read More.

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

Once again, Hewlett-Packard (HP) was caught pre-installing a keylogger in more than 460 HP Notebook laptop models that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

When reported last month, HP acknowledged the presence of the keylogger, saying it was actually “a debug trace” which was left accidentally, and affected users can install updated Synaptics touchpad driver to remove it manually.

To know how to check if your HP laptop is vulnerable to this issue and download compatible drivers, Read More.

New Email Spoofing Flaw Affects Over 30 Popular Email Clients

Researchers discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.

Dubbed MailSploit, the vulnerabilities affect popular email clients including Apple Mail (for macOS, iOS, and watchOS), Mozilla Thunderbird, Yahoo Mail, ProtonMail, several Microsoft email clients, and others.

To watch the PoC video released by the researchers and know more about the vulnerabilities, Read More.

Largest Crypto-Mining Exchange Hacked; Over $80 Million in Bitcoin Stolen

Last week was a golden week in Bitcoin’s history, when the price of 1 BTC touched almost $19,000, but the media hype about the bitcoin price overshadowed the hack of the largest Bitcoin mining marketplace.

NiceHash mining marketplace confirmed a breach of its website, which resulted in the theft of more than 4,736 Bitcoins, now worth nearly $80 million.

The service went offline (and is still offline at the time of writing this article) with a post on its website, confirming that “there has been a security breach involving NiceHash website,” and that hackers stole the contents of the NiceHash Bitcoin wallet.

To know more about the Bitcoin hack, Read More.

Microsoft Issues Emergency Windows Security Update

A week before its December Patch Tuesday updates, Microsoft released an emergency security patch to address a critical remote code execution vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.

The vulnerability (CVE-2017-11937) impacts Windows 10, Windows 8.1, Windows 7, Windows RT 8.1, and Windows Server, and affects several Microsoft security products, including Windows Defender, Microsoft Security Essentials, Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016.

To know more about the vulnerability, Read More.

Security Flaw Left Major Banking Apps Vulnerable to MiTM Attacks Over SSL

Scientists discovered a critical implementation flaw in major mobile banking apps—for both iOS and Android—that left banking credentials of millions of users vulnerable to man-in-the-middle attacks.

Attackers connected to the same network as the victim could have leveraged vulnerable banking apps to intercept SSL connections and retrieve the user’s banking credentials, like usernames and passwords/pincodes—even if the apps use SSL pinning.

To know how attackers could have exploited this vulnerability to take over your bank accounts, Read More.

Massive Data Breach Exposes Personal Data On 31 Million Users

While downloading apps on their smartphones, most users may not realize how much data those apps collect about them, and app developers take advantage of this ignorance, collecting more data on their users than they actually require for their app to work.

But what if this data falls into the wrong hands?

The same happened last week, when a massive trove of personal data (over 577 GB) belonging to more than 31 million users of the famous virtual keyboard app, called AI.type, leaked online for anyone to download without requiring a password.

To know more about the data breach incident and what information users lost, Read More.

Critical Flaw in Major Android Tools Targets Developers

An easily-exploitable vulnerability discovered in Android application developer tools, both downloadable and cloud-based, could allow hackers to steal files and execute malicious code on vulnerable systems remotely.

The vulnerability was discovered by security researchers at CheckPoint, who also released a proof of concept (PoC) attack, dubbed ParseDroid, along with a video to demonstrate how the attack works.

To watch the video and know how this vulnerability can be exploited, Read More.

Uber Paid Florida Hacker $100,000 to Keep Data Breach News Secret

It turns out that a 20-year-old Florida man, with the help of another, was responsible for the massive Uber data breach in October 2016 and was paid an enormous amount by the ride-hailing company to destroy the data and keep the data breach incident secret.

Last week, Uber announced that a massive data breach last year exposed personal data of 57 million customers and drivers and that it paid two hackers $100,000 in ransom to destroy the information.

To know more about the data breach at Uber and the hackers, Read More.

Feds Shut Down ‘Longest-Running’ Andromeda Botnet


In a coordinated international cyber operation, Europol, with the help of international law enforcement agencies, has taken down what it called “one of the longest-running malware families in existence,” known as Andromeda.

Andromeda, also known as Win32/Gamarue, is an infamous HTTP-based modular botnet that has been around for several years now and has been infecting computers ever since.

The primary goal of Andromeda bot is to distribute other malware families for mass global malware attacks.

The botnet has been associated with at least 80 malware families, and in the last six months, it was detected (or blocked) on an average of more than 1 million machines per month.

Last year, law enforcement agencies took down the criminal infrastructure of the infamous Avalanche botnet in a similar massive international cyber operation. Avalanche botnet was used as a delivery platform to spread other malware families, including Andromeda.

While investigating the Avalanche botnet, information obtained by the German authorities was shared with the Federal Bureau of Investigation (FBI) via Europol, which eventually helped the international agencies tear down Andromeda just last week.


In a joint operation, the international partners took down servers and more than 1,500 web domains which were being used to distribute and control Andromeda malware.

“This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale,” Steven Wilson, the Head of Europol’s European Cybercrime Centre (EC3), said.

“The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

By sinkholing the now-seized domains (a tactic in which traffic from the infected machines is redirected to a system under the investigators’ control), authorities found over 2 million unique IP addresses from at least 223 countries associated with Andromeda victims within just 48 hours.

Further investigation also helped law enforcement authorities arrest a suspect in Belarus, who was allegedly involved in the Andromeda cybercrime gang.

Just last week, Europol seized more than 20,000 web domains for illegally selling counterfeit products, including luxury products, sportswear, electronics, pharmaceuticals and online piracy on e-commerce platforms and social networks in its fight against the online trade of counterfeit goods.

MS Office Built-In Feature Could be Exploited to Create Self-Replicating Malware


Earlier this month a cybersecurity researcher shared details of a security loophole with The Hacker News that affects all versions of Microsoft Office, allowing malicious actors to create and spread macro-based self-replicating malware.

Macro-based self-replicating malware, which basically allows a macro to write more macros, is not new among hackers, but to prevent such threats, Microsoft has already introduced a security mechanism in MS Office that by default limits this functionality.

Lino Antonio Buono, an Italian security researcher who works at InTheCyber, reported a simple technique (detailed below) that could allow anyone to bypass the security control put in place by Microsoft and create self-replicating malware hidden behind innocent-looking MS Word documents.

What’s Worse? Microsoft refused to consider this issue a security loophole when contacted by the researcher in October this year, saying it’s a feature intended to work this way only—just like MS Office DDE feature, which is now actively being used by hackers.

New ‘qkG Ransomware’ Found Using Same Self-Spreading Technique

Interestingly, one such malware is on its way to affect you. I know, that was fast—even before its public disclosure.

Just yesterday, Trend Micro published a report on a new piece of macro-based self-replicating ransomware, dubbed “qkG,” which exploits exactly the same MS office feature that Buono described to our team.

Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded by someone from Vietnam, and they said this ransomware looks “more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild.”

The qkG ransomware employs an Auto Close VBA macro—a technique that runs the malicious macro when the victim closes the document.


The latest sample of qkG ransomware now includes a Bitcoin address with a small ransom note demanding $300 in BTC.

It should be noted that the above-mentioned Bitcoin address hasn’t received any payment yet, which apparently means that this ransomware has not yet been used to target people.

Moreover, this ransomware is currently using the same hard-coded password: “I’m QkG@PTM17! by TNA@MHT-TT2” that unlocks affected files.

Here’s How this New Attack Technique Works

In order to make us understand the complete attack technique, Buono shared a video with The Hacker News that demonstrates how an MS Word document equipped with malicious VBA code could be used to deliver a self-replicating multi-stage malware.

If you are unaware, Microsoft has disabled external (or untrusted) macros by default, and to restrict default programmatic access to the Office VBA project object model, it lets users manually enable “Trust access to the VBA project object model” whenever required.


With “Trust access to the VBA project object model” setting enabled, MS Office trusts all macros and automatically runs any code without showing security warning or requiring user’s permission.

Buono found that this setting can be enabled or disabled just by editing the Windows registry, which eventually lets macros write more macros without the user’s consent or knowledge.


As shown in the video, a malicious MS Doc file created by Buono does exactly that—it first edits the Windows registry and then injects the same macro payload (VBA code) into every doc file that the victim creates, edits or just opens on his/her system.

Victims Will be Unknowingly Responsible for Spreading Malware Further

In other words, if the victim mistakenly allows the malicious doc file to run macros once, his/her system would remain open to macro-based attacks.

Moreover, the victim will also be unknowingly responsible for spreading the same malicious code to other users by sharing any infected office files from his/her system.

This attack technique is more worrisome when you receive a malicious doc file from a trusted contact who has already been infected with such malware, eventually turning you into its next attack vector for others.

Although this technique is not being exploited in the wild, the researcher believes it could be used to spread dangerous self-replicating malware that would be difficult to deal with and stop.

Since this is a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code, nor does the company have any plans to issue a patch that would restrict this functionality.

Buono suggests: “In order to (partially) mitigate the vulnerability it is possible to move the AccessVBOM registry key from the HKCU hive to the HKLM, making it editable only by the system administrator.”
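Because the whole technique hinges on one per-user registry value, the practical defender’s check is to audit where AccessVBOM is set and to what. The script below is an added example, not the researcher’s tooling or Microsoft’s guidance: it parses the text of a `reg export` (.reg) file, finds every Office `…\Security` key that carries AccessVBOM, and marks the entry as risky when it sits in the user-writable HKCU hive with the value 1 (“Trust access to the VBA project object model” on). The .reg text is constructed for the example; exporting `HKCU\Software\Microsoft\Office` on a real machine and feeding the file in is the intended use. Treating an HKLM entry as “not user-writable” follows the mitigation Buono describes above and is an assumption of this example, not a statement about how Office resolves the setting.

```python
"""Audit a Windows registry export (.reg text) for Office's AccessVBOM value.
Added example with a constructed .reg sample; not the researcher's code."""
import re

# Constructed sample in the format `reg export` produces. Word has trust access
# to the VBA object model switched on in the per-user hive; Excel does not.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"AccessVBOM"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security]
"SomeOtherValue"="unrelated"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Word\Security]
"AccessVBOM"=dword:00000000
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Office security keys, with or without the Policies branch, in either hive.
OFFICE_SECURITY = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\(?:Policies\\)?"
    r"Microsoft\\Office\\(\d+\.\d+)\\(\w+)\\Security$",
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> dict:
    """Map each [key path] to a dict of its values. dword values become ints,
    quoted strings stay strings; other value types are ignored for brevity."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_LINE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_LINE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit_access_vbom(text: str) -> list:
    """One finding per Office Security key that defines AccessVBOM. An entry is
    'risky' when the value is 1 in HKCU: trust access to the VBA object model
    is on, and the owning user (or a macro running as them) can set it."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = OFFICE_SECURITY.match(key)
        if not m or "AccessVBOM" not in values:
            continue
        hive, version, app = m.groups()
        hive = hive.upper()
        value = values["AccessVBOM"]
        findings.append({
            "key": key,
            "hive": hive,
            "version": version,
            "app": app,
            "value": value,
            "risky": hive == "HKEY_CURRENT_USER" and value == 1,
        })
    return findings


if __name__ == "__main__":
    for f in audit_access_vbom(SAMPLE_REG_EXPORT):
        flag = "RISKY" if f["risky"] else "ok"
        print(f'{flag:5} {f["app"]} {f["version"]} AccessVBOM={f["value"]} ({f["hive"]})')
```

Run against a real export, a `RISKY` line for any application is the condition the video above exploits: the macro can reach the VBA project object model and copy itself into other documents without a prompt. Note that a macro that has already run can flip the HKCU value back to 0 before you look, so a periodic audit is a complement to, not a substitute for, keeping untrusted macros disabled.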

The best way to protect yourself from such malware is always to be suspicious of any uninvited documents sent via an email and never click on links inside those documents unless adequately verifying the source.