The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners.

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance same, but at the same time, making it non-malicious in the eyes of email security scanners.

According to cloud security company Avanan, Microsoft Office 365 also fails to detect such emails as malicious crafted using ZeroFont technique.
Like Microsoft Office 365, many emails and web security services use natural language processing and other artificial intelligence-based machine learning techniques to identify malicious or phishing emails faster.

The technology helps security companies to analyze, understand and derive meaning from unstructured text embedded in an email or web page by identifying text-based indicators, like email scams mimicking a popular company, phrases used to request for payments or password resets, and more.
However, by adding random zero font-size characters between the indicator texts present in a phishing email, cybercriminals can transform these indicators into an unstructured garbage text, hiding them from the natural language processing engine.

Therefore, the email looks normal to a human eye, but Microsoft reads the entire garbage text, even if some words are displayed with a font size of "0."

"Microsoft can not identify this as a spoofing email because it cannot see the word 'Microsoft' in the un-emulated version," reads Avanan's blog post. "Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user."

Besides the ZeroFont technique, Avanan also detected hackers using other similar tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters in their phishing attacks.

Last month, researchers from the same company reported that cybercriminals had been splitting up the malicious URL in a way that the Safe Links security feature in Office 365 fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site.

Remember the 'Olympic Destroyer' cyber attack?

The group behind it is still alive, kicking and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisation in Russia.

Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018, held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign.

Unfortunately, the destructive malware was successful to some extent, at least for a next few days, as immediately after the attack various security researchers postmortem the Olympic Destroyer malware and started attributing the attack to different nation-state hacking groups from North Korea, Russia, and China.

Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and concluded that the whole attack was a masterful operation in deception.
Now according to a new report published today by Kaspersky Labs, the same group of hackers, which is still unattributed, has been found targeting organisations in Russia, Ukraine, and several European countries in May and June 2018, specifically those organizations that respond to and protect against biological and chemical threats.

New Attack Shares Similarities With Olympic Destroyer

During their investigation, researchers found that the exploitation and deception tactics used by the newly discovered campaign share many similarities with the Olympic Destroyer attack.

"In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past," the researchers said. "They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection."

Just like Olympic Destroyer, the new attack also targets users affiliated with specific organisations using spear-phishing emails that appear as coming from an acquaintance, with an attached document.

If the victims open the malicious document, it leverages macros to download and execute multiple PowerShell scripts in the background and install the final 3rd-stage payload to take remote control over the victims' system.

Researchers found that the technique used to obfuscate and decrypt the malicious code is same as used in the original Olympic Destroyer spear-phishing campaign.

The second-stage script disables Powershell script logging to avoid leaving traces and then downloads the final "Powershell Empire agent" payload, which allows fileless control of the compromised systems over an encrypted communication channel.

Hackers Target Biological and Chemical Threat Prevention Laboratories

According to the researchers, the group has attempted to gain access to computers in countries, including France, Germany, Switzerland, Russia, and Ukraine.
Researchers found evidence of hackers primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence, held in Switzerland and organized by Spiez Laboratory.

Spiez Laboratory played an essential role in investigating the poisoning in March of a former Russian spy in the UK. The U.K. and the U.S. both said Russia was behind the poisoning and expelled dozens of Russian diplomats.

Another document targeted Ministry of Health in Ukraine.

It is not yet known that who behind these attacks, but Kaspersky advises all biochemical threat prevention and research organizations to strengthen their IT security and run unscheduled security audits.

BitTorrent, the company which owns the popular file-sharing client uTorrent, has quietly been sold for $140 million in cash to Justin Sun, the founder of blockchain-focused startup TRON.

TRON is a decentralized entertainment and content-sharing platform that uses blockchain and distributed storage technology. It allows users to publish content without having to use third-party platforms such as YouTube or Facebook, and trades in Tronix (TRX) cryptocurrency.

Since BitTorrent is one of the most recognizable brands in the world for decentralized computing and peer-to-peer (P2P) networking, and TRON aims to establish a truly decentralized Internet, BitTorrent would be of great use for Sun to help achieve that goal.

There were reports that the two were in negotiations for at least a month, and just yesterday, Variety reported that BitTorrent Inc. was sold to Sun last week, but the report did not disclose the deal price.

Now, TechCrunch is reporting that TRON's founder has agreed to pay $140 million to acquire BitTorrent, without revealing any further details on how exactly Sun would utilize the company for TRON's business.

Sun first started talking to BitTorrent about a possible acquisition late last year and even signed a letter of intent to acquire the company in January with a 'no-shop' clause, which meant BitTorrent was not allowed to negotiate any other deals while the letter was valid.

BitTorrent reportedly violated the clause and Sun ended up suing the company in January, but the lawsuit was eventually dropped, and Sun created a new company called Rainberry Acquisition Inc.

Around the same time, BitTorrent Inc. renamed its corporate entity to Rainberry Inc., and on the same day, both filed paperwork reflecting a merger.

Neither TRON nor BitTorrent has shared Sun's plans for the future of BitTorrent's technology, but reportedly the move is aimed at shielding TRON's technology from allegations of plagiarism.

Also, the technology can be used in creating a potential network to help TRON mine cryptocurrencies using BitTorrent's P2P architecture and its vast user base of over 170 Million, as its popular µTorrent client was previously caught doing so.

A 29-year-old former CIA computer programmer who was charged with possession of child pornography last year has now been charged with masterminding the largest leak of classified information in the agency's history.

Joshua Adam Schulte, who once created malware for both the CIA and NSA to break into adversaries computers, was indicted Monday by the Department of Justice on 13 charges of allegedly stealing and transmitting thousands of classified CIA documents, software projects, and hacking utilities.

Schulte has also been suspected of leaking the stolen archive of documents to anti-secrecy organization WikiLeaks, who then began publishing the classified information in March 2017 in a series of leaks under the name "Vault 7."

It is yet unconfirmed whether Schulte leaked documents to WikiLeaks and if yes, then when, but he had already been a suspect since January 2017 of stealing classified national defense information from the CIA in 2016.

According to the indictment, after stealing the classified documents, Schulte tried to cover his tracks by altering a computer operated by the US Intelligence Agency to grant him unauthorized access to the system in March and June of 2016 and then deleting records of his activities and denying others access to the system.

In March 2017, during when WikiLeaks began releasing some of the CIA's hacking tools, the FBI agents searched Schulte's apartment as part of an ongoing investigation to find the mastermind behind the Vault 7 leaks.
However, instead, the FBI found images of children being molested by adults on a server he created in 2009 while he was a student at the University of Texas. The maximum penalty for this is 130 years in prison.

Schulte was arrested in August 2017 with possession of child pornography, but prosecutors had been unable to bring charges of "disclosure of the classified information" against him until now.

However, now the revised indictment includes 13 counts of charges related to the theft and disclosure of the classified information to WikiLeaks and his possession of child pornography.

Here's the list of charges against him:

• illegal gathering of national defense information,
• illegal transmission of lawfully possessed national defense information,
• illegal transmission of unlawfully possessed national defense information,
• unauthorized access to a computer to obtain classified information,
• theft of Government property,
• unauthorized access of a computer to obtain information from a Department or Agency of the United States,
• causing transmission of a harmful computer program, information, code, or command,
• making material false statements to representatives of the FBI,
• obstruction of justice,
• receipt of child pornography,
• possession of child pornography,
• transportation of child pornography, and
• copyright infringement.

Schulte has pleaded not guilty to the child pornography charges and has repeatedly denied any of his involvement in the Vault 7 case.

The Vault 7 release was one of the most significant leaks in the CIA's history, exposing secret cyber weapons and spying techniques that the United States used to monitor or break into computers, mobile phones, televisions, webcams, video streams, and more.

For more information on the hacking tools and techniques, you can head on to our previous coverage of the Vault 7 leaks.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Security researchers are warning of almost a decade old issue with one of the Apple's macOS feature which was designed for users' convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.

Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post, about the "Quick Look" feature in macOS that helps users preview photos, documents files, or a folder without opening them.

Regula explained that Quick Look feature generates thumbnails for each file/folder, giving users a convenient way to evaluate files before they open them.

However, these cached thumbnails are stored on the computer's non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.

Patrick Wardle, chief research officer at Digital Security, equally shared the concern, saying that the issue has long been known for at least eight years, "however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion."

To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them.

As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.

"It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path," Regula said.

In a separate blog post, Wardle demonstrated that macOS behaves same for the password-protected encrypted AFPS containers, eventually exposing even encrypted volumes to potential snooping.

"If we unmount the encrypted volume, the thumbnails of the file are (as previously mentioned) still stored in the user's temporary directory, and thus can be extracted," Wardle said. 

"If an attacker (or law enforcement) has access to the running system, even if the password-protected encrypted containers are unmounted (as thus their contents 'safe'), this caching 'feature' can reveal their contents."

Wardle also noted that if you connect a USB drive with your Mac computer, the system will create thumbnails of files residing on the external drive and store them on its boot drive.

Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.

Until and unless Apple resolves this issue in future, Wardles advises users to manually delete the QuickLook cache when they unmount an encrypted container.