The Hacker News — Cyber Security, Hacking, Technology News

Luring users on social media to visit lookalike version of popular websites that pop-up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals to spread malware.

Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users worldwide.

Dubbed Nigelthorn, the malware is rapidly spreading through socially engineered links on Facebook and infecting victims’ systems with malicious browser extensions that steal their social media credentials, install cryptocurrency miners, and engage them in click fraud.

The malware was pushed through at least seven different Chrome browser extensions—all were hosted on Google's official Chrome Web Store.

These malicious Chrome browser extensions were first discovered by researchers at cybersecurity firm Radware, after a "well-protected network" of one of its customers, an unnamed global manufacturing firm, got compromised.
According to a report published by Radware, the malware operators are using copies of legitimate Google Chrome extensions and injecting a short obfuscated malicious script into them to bypass Google's extension validation checks.

Researchers named the malware "Nigelthorn" after one of the malicious extensions which was the copy of popular 'Nigelify' extension designed to replace all pictures on a web page with gifs of 'Nigel Thornberry.'

Nigelthorn Propagates Through Links Sent Over Facebook

Nigelthorn is spreading through socially engineered links on Facebook, which if clicked redirects victims to fake YouTube page, asking them to download a malicious Chrome extension, to continue playing the video.

Once installed, the extension executes a malicious JavaScript code that makes victims' computers part of a botnet.

A similar malware, dubbed Digimine, emerged last year that also worked by sending socially engineered links over Facebook Messenger and installed a malicious extension, allowing attackers to access the victims' Facebook profile and spread the same malware to their friends' list via Messenger.

We recently wrote about another similar malware campaign, dubbed FacexWorm, that was also distributed by sending socially engineered links over Facebook Messenger and redirected users to fake YouTube page, asking them to install a malicious Chrome extension.

NigelThorn Steals Password for Facebook/Instagram Accounts

The new malware majorly focuses on stealing credentials for victims' Facebook and Instagram accounts and collecting details from their Facebook accounts.

This stolen information is then used to send malicious links to friends of the infected person in an effort to push the same malicious extensions further. If any of those friends click on the link, the whole infection process starts over again.

NigelThorn also downloads a publicly available, browser-based cryptocurrency mining tool as a plugin to trigger the infected systems to start mining cryptocurrencies, including Monero, Bytecoin or Electroneum.

Over the period of just 6 days, the attackers appeared to generate approximately $1,000 in cryptocurrencies, mostly Monero.

Nigelthorn is also persistent as to prevent users from removing the malicious extensions, it automatically closes the malicious extension tab each time the user opens it prevents removal.

The malware also blacklists a variety of clean-up tools offered by Facebook and Google and even prevents users from making edits, deleting posts and making comments.

List of Malicious Chrome Extensions

Here's the name of all seven extensions masquerading as legitimate extensions:

• Nigelify
• PwnerLike
• Alt-j
• Fix-case
• Divinity 2 Original Sin: Wiki Skill Popup
• Keeprivate
• iHabno

Although Google has removed all of the above-listed extensions, if you have installed any of them, you are advised to immediately uninstall it and change passwords for your Facebook, Instagram and as well as for other accounts where you are using the same credentials.

Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.

If you receive a link for a video, even if it looks exciting, sent by someone (or your friend) on Facebook messenger—just don't click on it without taking a second thought.

Cybersecurity researchers from Trend Micro are warning users of a malicious Chrome extension which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials.

Dubbed FacexWorm, the attack technique used by the malicious extension first emerged in August last year, but researchers noticed the malware re-packed a few new malicious capabilities earlier this month.

New capabilities include stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to cryptocurrency scams, injecting miners on the web page for mining cryptocurrency, and redirecting victims to the attacker's referral link for cryptocurrency-related referral programs.

It is not the first malware to abuse Facebook Messenger to spread itself like a worm.

Late last year, Trend Micro researchers discovered a Monero-cryptocurrency mining bot, dubbed Digmine, that spreads through Facebook messenger and targets Windows computers, as well as Google Chrome for cryptocurrency mining.
Just like Digmine, FacexWorm also works by sending socially engineered links over Facebook Messenger to the friends of an affected Facebook account to redirect victims to fake versions of popular video streaming websites, like, YouTube.

It should be noted that FacexWorm extension has only been designed to target Chrome users. If the malware detects any other web browser on the victim's computer, it redirects the user to an innocuous-looking advertisement.

How Does the FacexWorm Malware Work

If the malicious video link is opened using Chrome browser, FacexWorm redirects the victim to a fake YouTube page, where the user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video.

Once installed, FacexWorm Chrome extension downloads more modules from its command and control server to perform various malicious tasks.

"FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened," the researchers said.

"Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage."

Since the extension takes all the extended permissions at the time of installation, the malware can access or modify data for any websites the user opens.

Here below I have listed a brief outline of what FacexWorm malware can perform:

• To spread itself further like a worm, the malware requests OAuth access token for the Facebook account of the victim, using which it then automatically obtains the victim's friend list and sends that malicious, fake YouTube video link to them as well.
• Steal the user's account credentials for Google, MyMonero, and Coinhive, when the malware detects that the victim has opened the target website’s login page.
• FacexWorm also injects cryptocurrency miner to web pages opened by the victim, which utilizes the victim computer's CPU power to mine Cryptocurrency for attackers.
• FacexWorm even hijacks the user's cryptocurrency-related transactions by locating the address keyed in by the victim and replacing it with the one provided by the attacker.
• When the malware detects the user has accessed one of the 52 cryptocurrency trading platforms or typed keywords like "blockchain," "eth-," or "ethereum" in the URL, FacexWorm will redirect the victim to a cryptocurrency scam webpage to steal user's digital coins. The targeted platforms include Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, and the wallet Blockchain.info.
• To avoid detection or removal, the FacexWorm extension immediately closes the opened tab when it detects that the user is opening the Chrome extension management page.
• The attacker also gets a referral incentive every time a victim registers an account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, or HashFlare.

So far, researchers at Trend Micro have found that FacexWorm has compromised at least one Bitcoin transaction (valued at $2.49) until April 19, but they do not know how much the attackers have earned from the malicious web mining.

Cryptocurrencies targeted by FacexWorm include Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), ETH, Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

The FacexWorm malware has been found surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain. But since Facebook Messenger is used worldwide, there are more chances of the malware being spread globally.

Chrome Web Store had removed many of the malicious extensions before being notified by Trend Micro researchers, but the attackers keep uploading it back to the store.

Facebook Messenger can also detect the malicious, socially engineered links and regularly block the propagation behavior of the affected Facebook accounts, researchers said.

Since Facebook Spam campaigns are quite common, users are advised to be vigilant when clicking on links and files provided via the social media site platform.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."

BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.

For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.

Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.

"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."

Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.

Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.

"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."

In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

According to a new report published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015 and targeting systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector.

"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare," Symantec said.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.

Kwampirs then collects some basic information about the compromised computers and send it to the attackers to a remote command-and-control server, using which the group determines whether the hacked system is used by a researcher or a high-value target.
If the victim is of interest, the malware then "aggressively" spread itself across open network shares to infect other computers within the same organisation.

To gather additional information about the victim's network and compromised systems, the malware uses system's built-in commands, instead of using third-party reconnaissance and enumeration tools.

Above shown list of commands help attackers to steal information including, "any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer."

Besides health-care providers and pharmaceutical companies that account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology and manufacturing sectors, agriculture, and logistics.

However, these industries also somehow work for healthcare, like manufacturers that make medical devices, technology companies that offer services to clinics, and logistics firms that deliver healthcare products.
Although the exact motive of Orangeworm is not clear and there's no information that could help determine the group's origins, Symantec believes the group is likely conducting espionage for commercial purposes and there's no evidence that it's backed by a nation-state.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking," Symantec said. "Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack."

The highest percentage of victims has been detected in the United States, followed by Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries across the globe.

If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked.

A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users.

Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.

"All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.

After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following mentioned malicious ad blockers extension from its Chrome Store:

• AdRemover for Google Chrome™ (10 million+ users)
• uBlock Plus (8 million+ users)
• [Fake] Adblock Pro (2 million+ users)
• HD for YouTube™ (400,000+ users)
• Webutation (30,000+ users)

Also Read: Someone Hijacks A Popular Chrome Extension to Push Malware

The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.

To avoid detection, these commands send by the remote server are hidden inside a harmless-looking image.

"These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.

"Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."

The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.

Also Read: Malicious Chrome Extension Hijacks CryptoCurrencies and Wallets

Since browser extension takes permission to access to all the web pages you visit, it can do practically anything.

So, you are advised to install as few extensions as possible and only from companies you trust.

Last year, the popular system cleanup software CCleaner suffered a massive supply-chain malware attack of all times, wherein hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one.

The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website with the backdoored version of the software.

Now, it turns out that the hackers managed to infiltrate the company's network almost five months before they first replaced the official CCleaner build with the backdoored version, revealed Avast executive VP and CTO Ondrej Vlcek at the RSA security conference in San Francisco on Tuesday.

6-Months Timeline of CCleaner Supply Chain Attack

Vlcek shared a brief timeline of the last year's incident that came out to be the worst nightmare for the company, detailing how and when unknown hackers breached Piriform, the company that created CCleaner and was acquired by Avast in July 2017.

March 11, 2017 (5 AM local time)—Attackers first accessed an unattended workstation of one of the CCleaner developers, which was connected to Piriform network, using remote support software TeamViewer.

The company believes attackers reused the developer's credentials obtained from previous data breaches to access the TeamViewer account and managed to install malware using VBScript on the third attempt.

March 12, 2017 (4 AM local time)—Using the first machine, attackers penetrated into the second unattended computer connected to the same network and opened a backdoor through Windows RDP (Remote Desktop Service) protocol.

Using RDP access, the attackers dropped a binary and a malicious payload—a second stage malware (older version) that was later delivered to 40 CCleaner users—on the target computer's registry.

March 14, 2017—Attackers infected the first computer with the older version of the second stage malware as well.

April 4, 2017—Attackers compiled a customised version of ShadowPad, an infamous backdoor that allows attackers to download further malicious modules or steal data, and this payload the company believes was the third stage of the CCleaner attack.

April 12, 2017—A few days later, attackers installed the 3rd stage payload on four computers in the Piriform network (as a mscoree.dll library) and a build server (as a .NET runtime library).

Between mid-April and July—During this period, the attackers prepared the malicious version of CCleaner, and tried to infiltrate other computers in the internal network by installing a keylogger on already compromised systems to steal credentials, and logging in with administrative privileges through RDP.

July 18, 2017—Security company Avast acquired Piriform, the UK-based software development company behind CCleaner with more than 2 billion downloads.

August 2, 2017—Attackers replaced the original version of CCleaner software from its official website with their backdoored version of CCleaner, which was distributed to millions of users.

September 13, 2017—Researchers at Cisco Talos detected the malicious version of the software, which was being distributed through the company's official website for more than a month, and notified Avast immediately.

The malicious version of CCleaner had a multi-stage malware payload designed to steal data from infected computers and send it back to an attacker-controlled command-and-control server.

Although Avast, with the help of the FBI, was able to shut down the attackers' command-and-control server within three days of being notified of the incident, the malicious CCleaner software had already been downloaded by 2.27 million users.

Moreover, it was found that the attackers were then able to install a second-stage payload on 40 selected computers operated by major international technology companies, including Google, Microsoft, Cisco, Intel, Samsung, Sony, HTC, Linksys, D-Link, Akamai and VMware.

However, the company has no proofs if the third stage payload with ShadowPad was distributed to any of these targets.

"Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded a computer, observing a money transfer." Avast said.

"The oldest malicious executable used in the Russian attack was built in 2014, which means the group behind it might have been spying for years."

Based on their analysis of the ShadowPad executable from the Piriform network, Avast believes that the malicious attackers behind the malware have been active for a long time, spying on institutions and organizations so thoroughly.

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—"To better experience the browsing, update to the latest chrome version."
It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.

"The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker."

If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, "Account No.exists risks, use after certification."

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.
To convince users into believing that they are handing over this information to Google itself, the fake page displays users' Gmail email ID configured on their infected Android device, as shown in the screenshots.

"After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit," researchers said. "Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English."

Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims' accounts.

While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.

"For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system," the researchers said.

What's interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.
According to Kaspersky's Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.

You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

You should also disable router's remote administration feature and hardcode a trusted DNS server into the operating system network settings.

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware that helped attackers evade detection.

As its name suggests, Early Bird is a "simple yet powerful" technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.

The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected," the researchers said.

The technique is similar to the AtomBombing code injection technique that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no anti-malware tools can detect.

How Early Bird Code Injection Works

Early Bird code injection method relies on a Windows built-in APC (Asynchronous Procedure Calls) function that allows applications to execute code asynchronously in the context of a particular thread.

Here's a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process in a way that it gets executed earlier before an anti-malware program starts scanning.

• Create a suspended process of a legitimate Windows process (e.g., svchost.exe)
• Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
• Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
• Since APC can execute a process only when it is in an alertable state, call NtTestAlert function to force kernel into executing the malicious code as soon as the main thread resumes.

According to the researchers, at least three following-mentioned malware were found using Early Bird code injection in the wild.

• "TurnedUp" backdoor, developed by an Iranian hacking group (APT33)
• A variant of "Carberp" banking malware
• "DorkBot" malware

Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.
Dates back to 2012, DorBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media and is used to steal users' credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims' computers.

Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars.

Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide.

From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it's no surprise that it has become a primary target for viruses, ransomware, and phishing scams.

In fact, most strains of ransomware target Microsoft productivity apps such as Word, Excel and encrypt sensitive data to hold the company hostage until the ransom is paid.

Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware and other malware infections.

The new features were initially introduced for OneDrive for Business, but that the company is now rolling them out to anyone who has signed up for an Office 365 Home or Personal subscription, Microsoft Office blog says.

Here below I have briefed the list of new features:

File Recovery and Anti-Ransomware

• Files Restore—Microsoft Office 365 now allows users to restore entire OneDrive to a previous point in time within the last 30 days. This feature can be used to recover files from an accidental mass delete, file corruption, ransomware, or any catastrophic event.

• Ransomware detection & recovery—Office 365 had also introduced a new security feature that detects ransomware attacks and alerts you through an email, mobile, or desktop notification while helping you restore your OneDrive to a point before the malware compromised files.

Security and Privacy Features

Office 365 has added three new features to help keep your confidential or personal data (such as tax documents, family budgets, or a new business proposal) secure and private when sharing them online.

• Password protected sharing links—This feature allows you to set a password for your shared file and folders, preventing unauthorized access even if your recipient accidentally forwards protected documents to others.

• Email encryption—This feature allows users to send/receive end-to-end encrypted emails in Outlook over a secure connection, providing additional protection to minimize the threat of being intercepted.

• Prevent forwarding—Microsoft now enables you to restrict your email recipients from forwarding or copying emails you send to them from Outlook. Besides this, any MS Office document attached to your emails will remain encrypted even after downloading, so if the recipient shares your attachment with others, they will not be able to open it.

Advanced Protection from Viruses and Cybercrime

• Advanced link checking in Word, Excel, and PowerPoint—Office 365 also offers built-in real-time web protection, which monitors every link you click in Word, Excel, and PowerPoint and notifies you if it is suspicious.

File Recovery and Anti-Ransomware features began rolling out starting today and will be available to all Office 365 users soon, while features to help keep your information secure and private (including password protected sharing links, email encryption, and prevent forwarding) will start rolling out in the coming weeks.

Advanced link checking and advanced attachment scanning are already available in MS Outlook that protects you from previously unseen viruses and phishing scams in real-time. However, advanced link checking in Word, Excel, and PowerPoint will roll out in the second half of 2018.

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguising as a fake anti-virus application, dubbed "Naver Defender."

Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls.

Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.

Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group "Group 123," primarily known for targeting South Korean targets.

The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:

• record phone calls & audio
• steal web history and files
• gain root access
• steal call logs, SMS, emails
• collect device' location at every 10 seconds
• collect a list of installed applications

Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.

All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.

"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.

"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."

Researchers also discovered another RAT, designed to target Windows users, sharing the same C&C server and also uses PubNub API to send commands to the compromised devices.

How to Keep Your Smartphone Secure

Android users are advised to regularly cross-check apps installed on their devices to find and remove if any malicious/unknown/unnecessary app is there in the list without your knowledge or consent.

Such Android malware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:

• Never install applications from 3rd-party stores.
• Ensure that you have already opted for Google Play Protect.
• Enable 'verify apps' feature from settings.
• Keep "unknown sources" disabled while not using it.
• Install anti-virus and security software from a well-known cybersecurity vendor.
• Regularly back up your phone.
• Always use an encryption application for protecting any sensitive information on your phone.
• Never open documents that you are not expecting, even if it looks like it's from someone you know.
• Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
• Keep your device always up-to-date with the latest security patches.

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.

Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles.

Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.

At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.

However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users' computers.

"A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post published today.

Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.
Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.

"The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe."

Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.

It then immediately downloads CoinMiner component from its C&C server, and start using victims' computers mine cryptocurrencies for the attackers.

Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.

The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.

Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Security researchers claimed to have discovered 13 critical Spectre/Meltdown-like vulnerabilities throughout AMD's Ryzen and EPYC lines of processors that could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.

All these vulnerabilities reside in the secure part of the AMD's Zen architecture processors and chipsets—typically where device stores sensitive information such as passwords and encryption keys and makes sure nothing malicious is running when you start your PC.

The alleged vulnerabilities are categorized into four classes—RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY—and threaten wide-range of servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors.

Discovered by a team of researchers at Israel-based CTS-Labs, newly disclosed unpatched vulnerabilities defeat AMD's Secure Encrypted Virtualization (SEV) technology and could allow attackers to bypass Microsoft Windows Credential Guard to steal network credentials.

Moreover, researchers also claimed to have found two exploitable manufacturer backdoors inside Ryzen chipset that could allow attackers to inject malicious code inside the chip.
Researchers successfully tested these vulnerabilities against 21 different AMD products and believe that 11 more products are also vulnerable to the issues.

Though AMD is currently investigating the accuracy of these flaws, Dan Guido, the founder of security firm Trail of Bits, who got early access to the full technical details and PoC exploits, have independently confirmed that all 13 AMD flaws are accurate and works as described in the paper.

Here's the brief explanation of all the vulnerabilities:

RYZENFALL (v1, v2, v3, v4) AMD Vulnerabilities

These flaws reside in AMD Secure OS and affect Ryzen secure processors (workstation/pro/mobile).

According to researchers, RYZENFALL vulnerabilities allow unauthorized code execution on the Ryzen Secure Processor, eventually letting attackers access protected memory regions, inject malware into the processor itself, and disable SMM protections against unauthorized BIOS reflashing.

Attackers could also use RYZENFALL to bypass Windows Credential Guard and steal network credentials, and then use the stolen data to spread across to other computers within that network (even highly secure Windows corporate networks).

RYZENFALL can also be combined with another issue called MASTERKEY (detailed below) to install persistent malware on the Secure Processor, "exposing customers to the risk of covert and long-term industrial espionage."

FALLOUT (v1, v2, v3) AMD Vulnerabilities

These vulnerabilities reside in the bootloader component of EPYC secure processor and allow attackers to read from and write to protected memory areas, such as SMRAM and Windows Credential Guard isolated memory.

FALLOUT attacks only affect servers using AMD's EPYC secure processors and could be exploited to inject persistent malware into VTL1, where the Secure Kernel and Isolated User Mode (IUM) execute code.

Like RYZENFALL, FALLOUT also let attackers bypass BIOS flashing protections, and steal network credentials protected by Windows Credential Guard.

"EPYC servers are in the process of being integrated into data centers around the world, including at Baidu and Microsoft Azure Cloud, and AMD has recently announced that EPYC and Ryzen embedded processors are being sold as high-security solutions for mission-critical aerospace and defense systems," researchers say. 

"We urge the security community to study the security of these devices in depth before allowing them on mission-critical systems that could potentially put lives at risk."

CHIMERA (v1, v2) AMD Vulnerabilities

These two vulnerabilities are actually hidden manufacturer backdoors inside AMD's Promontory chipsets that are an integral part of all Ryzen and Ryzen Pro workstations.
One backdoor has been implemented in firmware running on the chip, while the other in the chip's hardware (ASIC), and allow attackers to run arbitrary code inside the AMD Ryzen chipset, or to re-flash the chip with persistent malware.

Since WiFi, network and Bluetooth traffic flows through the chipset, an attacker could exploit the chipset's man-in-the-middle position to launch sophisticated attacks against your device.

"This, in turn, could allow for firmware-based malware that has full control over the system, yet is notoriously difficult to detect or remove. Such malware could manipulate the operating system through Direct Memory Access (DMA), while remaining resilient against most endpoint security products," researchers say.

According to the researchers, it may be possible to implement a stealthy keylogger by listening to USB traffic that flows through the chipset, allowing attackers to see everything a victim types on the infected computer.

"Because the latter has been manufactured into the chip, a direct fix may not be possible, and the solution may involve either a workaround or a recall," researchers warn.

MASTERKEY (v1, v2, v3) AMD Vulnerabilities

These three vulnerabilities in EPYC and Ryzen (workstation/pro/mobile) processors could allow attackers to bypass hardware validated boot to re-flash BIOS with a malicious update and infiltrate the Secure Processor to achieve arbitrary code execution.

Like RYZENFALL and FALLOUT, MASTERKEY also allows attackers to install stealthy and persistent malware inside AMD Secure Processor, "running in kernel-mode with the highest possible permissions," as well as bypass Windows Credential Guard to facilitate network credential theft.

MASTERKEY vulnerabilities also allow attackers to disable security features such as Firmware Trusted Platform Module (fTPM) and Secure Encrypted Virtualization (SEV).

It's notable that all these vulnerabilities require either low-privilege access, or administrative in some cases, on the targeted system to work.

CTS-Lab researchers gave just 24 hours to the AMD team to look at all vulnerabilities and respond before going public with their details—that's hell quick for any company to understand and patch the critical level issues properly.
While Intel and Microsoft are still managing its patches for Meltdown and Spectre vulnerabilities, the newly discovered vulnerabilities could create similar trouble for AMD and its customers.

So, let's wait and watch when the company comes up with fixes, though the researchers said it could take "several months to fix" all the issues.

For more detailed information about the vulnerabilities, you can head on to this paper [PDF] titled, "Severe Security Advisory on AMD Processors," published by CTS-Lab.

The team of security researchers—who last month demonstrated how attackers could steal data from air-gapped computers protected inside a Faraday cage—are back with its new research showing how two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.

Air-gapped computers are believed to be the most secure setup wherein the systems remain isolated from the Internet and local networks, requiring physical access to access data via a USB flash drive or other removable media.

Dubbed MOSQUITO, the new technique, discovered by a team of researchers at Israel's Ben Gurion University, works by reversing connected speakers (passive speakers, headphones, or earphones) into microphones by exploiting a specific audio chip feature.

Two years ago, the same team of researchers demonstrated how attackers could covertly listen to private conversations in your room just by reversing your headphones (connected to the infected computer) into a microphone, like a bug listening device, using malware.

Now, with its latest research [PDF], the team has taken their work to the next level and found a way to convert some speakers/headphones/earphones that are not originally designed to perform as microphones into a listening device—when the standard microphone is not present, muted, taped, or turned off.
Since some speakers/headphones/earphones respond well to the near-ultrasonic range (18kHz to 24kHz), researchers found that such hardware can be reversed to perform as microphones.

Moreover, when it comes to a secret communication, it's obvious that two computers can't exchange data via audible sounds using speakers and headphones. So, inaudible ultrasonic waves offer the best acoustic covert channel for speaker-to-speaker communication.

Video Demonstrations of MOSQUITO Attack

Ben Gurion's Cybersecurity Research Center, directed by 38-year-old Mordechai Guri, used ultrasonic transmissions to make two air-gapped computers talk to each other despite the high degree of isolation.

The attack scenarios demonstrated by researchers in the proof-of-concept videos involve two air-gap computers in the same room, which are somehow (using removable media) infected with malware but can not exchange data between them to accomplish attacker's mission.

The attack scenarios include speaker-to-speaker communication, speaker-to-headphones communication, and headphones-to-headphones communication.

"Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another," the researchers say. 

"Moreover, we show that two (microphone-less) headphones can exchange data from a distance of three meters apart."

However, by using loudspeakers, researchers found that data can be exchanged over an air-gap computer from a distance of eight meters away with an effective bit rate of 10 to 166 bit per second.
It's not the first time when Ben-Gurion researchers have come up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap computers include:

• aIR-Jumper attack steals sensitive data from air-gapped PCs with the help of infrared-equipped CCTV cameras that are used for night vision.
• USBee can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
• DiskFiltration can steal data using sound signals emitted from the hard disk drive (HDD) of air-gapped computers.
• BitWhisper relies on heat exchange between two computers to stealthily siphon passwords and security keys.
• AirHopper turns a computer's video card into an FM transmitter to capture keystrokes.
• Fansmitter technique uses noise emitted by a computer fan to transmit data.
• GSMem attack relies on cellular frequencies.

Governments in Turkey and Syria have been caught hijacking local internet users' connections to secretly inject surveillance malware, while the same mass interception technology has been found secretly injecting browser-based cryptocurrency mining scripts into users' web traffic in Egypt.

Governments, or agencies linked to it, and ISPs in the three countries are using Deep Packet Inspection technology from Sandvine (which merged with Procera Networks last year), to intercept and alter Internet users' web traffic.

Deep packet inspection technology allows ISPs to prioritize, degrade, block, inject, and log various types of Internet traffic, in other words, they can analyze each packet in order to see what you are doing online.

According to a new report by Citizen Lab, Turkey's Telecom network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate programs bundled with FinFisher and StrongPity spyware, when they tried to download them from official sources.
"This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default," the report reads.

A similar campaign has been spotted in Syria, where Internet users were silently redirected to malicious versions of the various popular application, including Avast Antivirus, CCleaner, Opera, and 7-Zip applications bundled with government spyware.

In Turkey, Sandvine PacketLogic devices were being used to block websites like Wikipedia, the sites of the Dutch Broadcast Foundation (NOS) and Kurdistan Workers' Party (PKK).

ISPs Injected Cryptocurrency Mining Scripts Into Users' Web Browsers

However, in Egypt, Sandvine PacketLogic devices were being used by a Telecom operator for making money by:

• Secretly injecting a cryptocurrency mining script into every HTTP web page users visited in order to mine the Monero cryptocurrency,
• Redirecting Egyptian users to web pages with affiliate ads.

In Egypt, these devices were also being used to block access to human rights, political, and news outlets like Al Jazeera, HuffPost Arabic, Reporters Without Borders, and Mada Masr, as well as NGOs like Human Rights Watch.

Citizen Lab researchers reported Sandvine of their findings, but the company called their report "false, misleading, and wrong," and also demanded them to return the second-hand PacketLogic device they used to confirm attribution of their fingerprint.

Citizen Lab started this investigation in September last year after ESET researchers published a report revealing that the downloads of several popular apps were reportedly compromised at the ISP level in two (unnamed) countries to distribute the FinFisher spyware.

Two days ago, Microsoft encountered a rapidly spreading cryptocurrency-mining malware that infected almost 500,000 computers within just 12 hours and successfully blocked it to a large extent.

Dubbed Dofoil, aka Smoke Loader, the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mines Electroneum coins, yet another cryptocurrency, for attackers using victims' CPUs.

On March 6, Windows Defender suddenly detected more than 80,000 instances of several variants of Dofoil that raised the alarm at Microsoft Windows Defender research department, and within the next 12 hours, over 400,000 instances were recorded.

The research team found that all these instances, rapidly spreading across Russia, Turkey, and Ukraine, were carrying a digital coin-mining payload, which masqueraded as a legitimate Windows binary to evade detection.

However, Microsoft has not mentioned how these instances were delivered to such a massive audience at the first place in this short period.

Dofoil uses a customized mining application that can mine different cryptocurrencies, but in this campaign, the malware was programmed to mine Electroneum coins only.

According to the researchers, Dofoil trojan uses an old code injection technique called 'process hollowing' that that involves spawning a new instance of a legitimate process with a malicious one so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

"The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe."

To stay persistence on an infected system for a long time to mine Electroneum coins using stolen computer resources, Dofoil trojan modifies the Windows registry.

"The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe," the researchers say. "It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key."

Dofoil also connects to a remote command and control (C&C) server hosted on decentralized Namecoin network infrastructure and listens for new commands, including the installation of additional malware.

Microsoft says behavior monitoring and Artificial intelligence based machine learning techniques used by Windows Defender Antivirus have played an important role to detect and block this massive malware campaign.

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.

This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.

Huddleston admitted to the court that he created his software knowing it would be used by other cybercriminals to break the law.

He initially started developing NanoCore in late 2012 with a motive to offer a low-budget remote management software for schools, IT-conscious businesses, and parents who desired to monitor their children's activities on the web.
However, Huddleston marketed and sold the NanoCore RAT for $25 in underground hacking forums that were extremely popular with cybercriminals around the world from January 2014 to February 2016. He then sold ownership of NanoCore to a third-party in 2016.

NanoCore RAT happens to be popular among cybercriminals on underground hacking forums and has been linked to intrusions in at least ten countries. Among the victims was a high-profile assault on Middle Eastern energy firms in 2015.

Huddleston also agreed with prosecutors that NanoCore RAT and available third-party plugins offered a full set of features including:

• Stealing sensitive information from victim computers, such as passwords, emails, and instant messages.
• Remotely activating and controlling connected webcams on the victims' computers in order to spy on them.
• Ability to view, delete, and download files.
• Locking infected PCs and holding them to ransom.
• Using infected PCs to launch distributed denial of service (DDoS) attacks on websites and similar services.

Shames used Net Seal to infect 3,000 people that were, in turn, used it to infect 16,000 computers, according to the DoJ.

In his guilty plea, Huddleston admitted that he intended his products to be used maliciously.

Besides the 33-month prison sentence handed down by judges on Friday, Huddleston also gets two years of supervised release.