Malware Devil

Thursday, April 1, 2021

Solver-Aided Constant-Time Circuit Verification


The post Solver-Aided Constant-Time Circuit Verification appeared first on Malware Devil.



https://malwaredevil.com/2021/04/01/solver-aided-constant-time-circuit-verification-2/?utm_source=rss&utm_medium=rss&utm_campaign=solver-aided-constant-time-circuit-verification-2

The Latest LogRhythm Employee Initiatives

The first quarter of 2021 went by so quickly! The whirlwind of 2020 brought its challenges, yet as we dive into 2021 — more resilient and mutually committed to our common goals — I am confident that LogRhythm can tackle…

The post The Latest LogRhythm Employee Initiatives appeared first on LogRhythm.

The post The Latest LogRhythm Employee Initiatives appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/01/the-latest-logrhythm-employee-initiatives/?utm_source=rss&utm_medium=rss&utm_campaign=the-latest-logrhythm-employee-initiatives

2021-04-01 – Quick post: IcedID (Bokbot) activity




https://malwaredevil.com/2021/04/01/2021-04-01-quick-post-icedid-bokbot-activity/?utm_source=rss&utm_medium=rss&utm_campaign=2021-04-01-quick-post-icedid-bokbot-activity

Top 12 hacker tips to secure your SPA from Crowdsource




https://malwaredevil.com/2021/04/01/top-12-hacker-tips-to-secure-your-spa-from-crowdsource-2/?utm_source=rss&utm_medium=rss&utm_campaign=top-12-hacker-tips-to-secure-your-spa-from-crowdsource-2

nOtWASP bottom 10: vulnerabilities that make you cry




https://malwaredevil.com/2021/04/01/notwasp-bottom-10-vulnerabilities-that-make-you-cry-2/?utm_source=rss&utm_medium=rss&utm_campaign=notwasp-bottom-10-vulnerabilities-that-make-you-cry-2


[Rockstar Games] high – SocialClub Account Take Over Through Import Friends feature (1500.00USD)




https://malwaredevil.com/2021/04/01/rockstar-games-high-socialclub-account-take-over-through-import-friends-feature-1500-00usd-2/?utm_source=rss&utm_medium=rss&utm_campaign=rockstar-games-high-socialclub-account-take-over-through-import-friends-feature-1500-00usd-2

Who Contains the Containers?




https://malwaredevil.com/2021/04/01/who-contains-the-containers-2/?utm_source=rss&utm_medium=rss&utm_campaign=who-contains-the-containers-2

The Guide to Presenting Information Security’s Business Value

When it comes to information security and stressing the importance of cyber risk management, getting the whole company (especially the C-suite) on the same playing field becomes paramount. There’s no question that when diving into it for the first time, cyber security can be a daunting function. There are countless acronyms, concepts, and approaches that can be difficult to wrangle into layman’s terms. There becomes this struggle of trying to explain these nebulous concepts while emphasizing the significance of mature risk posture and proactive security strategies to keep the company’s assets and their clients secure.

The post The Guide to Presenting Information Security’s Business Value appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/01/the-guide-to-presenting-information-securitys-business-value-2/?utm_source=rss&utm_medium=rss&utm_campaign=the-guide-to-presenting-information-securitys-business-value-2


CISO Stories Podcast: The Colonoscopy of CyberSecurity

The information and cybersecurity industry has no shortage of regulations, and many organizations simply run down the list of requirements, load them into an Excel spreadsheet, and check the boxes to demonstrate they are in compliance. But is being compliant the same as being secure?

Join this podcast with special guest Lee Parrish who shares an analogy that illustrates why being compliant is not the same as being secure, and how we can change an organization’s orientation to keep the focus on security – check it out…

The post CISO Stories Podcast: The Colonoscopy of CyberSecurity appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/01/ciso-stories-podcast-the-colonoscopy-of-cybersecurity/?utm_source=rss&utm_medium=rss&utm_campaign=ciso-stories-podcast-the-colonoscopy-of-cybersecurity

Breaking Down the Latest O365 Phishing Techniques

Microsoft Office 365 phish are some of the most common threats that reach end users’ inboxes. Over the course of a two-year period, PhishLabs has observed that O365 phish have accounted for more than half of all reported phish by enterprises – by a significant margin.

The post Breaking Down the Latest O365 Phishing Techniques appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/01/breaking-down-the-latest-o365-phishing-techniques/?utm_source=rss&utm_medium=rss&utm_campaign=breaking-down-the-latest-o365-phishing-techniques

New KrebsOnSecurity Mobile-Friendly Site

Dear Readers, this has been long overdue, but at last I give you a more responsive, mobile-friendly version of KrebsOnSecurity. We tried to keep the visual changes to a minimum and focus on a simple theme that presents information in a straightforward, easy-to-read format. Please bear with us over the next few days as we hunt down the gremlins in the gears.

We were shooting for responsive (fast) and uncluttered. Hopefully, we achieved that and this new design will render well on whatever device you use to view it. If something looks amiss, please don’t hesitate to drop a note in the comments below.

NB: KrebsOnSecurity has not changed any of its advertising practices: The handful of ads we run are still image-only creatives that are vetted by me and served in-house. If you’re blocking ads on this site, please consider adding an exception here. Thank you!




https://malwaredevil.com/2021/04/01/new-krebsonsecurity-mobile-friendly-site/?utm_source=rss&utm_medium=rss&utm_campaign=new-krebsonsecurity-mobile-friendly-site

Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack

Some legacy models of QNAP network attached storage devices are vulnerable to remote unauthenticated attacks because of two unpatched vulnerabilities.




https://malwaredevil.com/2021/04/01/legacy-qnap-nas-devices-vulnerable-to-zero-day-attack/?utm_source=rss&utm_medium=rss&utm_campaign=legacy-qnap-nas-devices-vulnerable-to-zero-day-attack

Android “System Update” malware steals photos, videos, GPS location

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps–it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data–but the infrastructure behind the malware obscures its developer’s primary motivations.

First spotted by the research team at Zimperium zLabs, the newly found malware is already detected by Malwarebytes for Android. It does not have a catchy name, but because of its capabilities and its method for going unnoticed, we are calling it Android/Trojan.Spy.FakeSysUpdate, or in this blog, “FakeSysUpdate” for short.

FakeSysUpdate is not available on the Google Play store, and it is currently unclear how it is being delivered to Android devices. Even more obscured is the visibility of the app to victims.

Once FakeSysUpdate is implanted on a device, it disguises itself to its victims by masquerading as a generic “System Update” application. In fact, when a threat actor uses FakeSysUpdate to steal targeted information from an infected device while it is asleep, FakeSysUpdate will also send a fraudulent notification posing as a “System Update” that is “Searching for update.”

Beneath the surface, FakeSysUpdate can let a malicious actor steal highly sensitive information while also granting them dangerous control of a victim’s device.

According to Zimperium zLabs, the malware can allow a threat actor to monitor GPS locations, record phone calls, record ambient audio, take photos from the front-facing and rear-facing cameras on a device, observe the device’s installed applications, inspect bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser, and steal SMS messages, phone contacts, and call logs.

If you’ve read our coverage on these types of capabilities in the past, you might think that FakeSysUpdate is just the latest stalkerware-type app on the market. After all, the threats of stalkerware are nearly identical–pinpointed GPS locations that can reveal a domestic abuse survivor’s location after escape, stolen text messages that can uncover a survivor’s safety planning, and broad, non-consensual invasions of privacy that can harm anyone.

But the inner workings of FakeSysUpdate potentially betray the common uses of stalkerware.

First, according to the researchers at Zimperium zLabs, once the malware is installed on a device, the device is registered with the Firebase Command and Control (C2), upon which a threat actor can send commands through the Firebase messaging service to, for instance, steal a device’s contacts list, record microphone audio, or take a picture using the device’s cameras.

At issue here is who can send the C2 commands. If the commands can be sent by the app’s users, so they can spy on their victims, then it looks like a stalkerware-type app. If the commands can only be issued by the app’s creators, then there’s a good chance that FakeSysUpdate is not stalkerware, but information-gathering spyware. Unlike stalkerware, most (but not all) spyware doesn’t care who its victims are–it is simply looking for information that can be used for extortion or to facilitate further attacks with malware.

That’s contrary to many of the stalkerware-type apps that we see, which are, for lack of a better word, “user-friendly.” They do not require a high-tech proficiency to use or understand. They do not have illegible interfaces. Instead, these apps have familiar layouts, intuitive designs, and easy-to-use commands. For many apps, it’s as simple as logging into a web platform, clicking a menu item, and browsing through private photos without any consent.

Which brings us to the second point: If this piece of malware isn’t being advertised–or if it isn’t really known–as a stalkerware-type app, then it’s less likely that it’s been built as one.

Stalkerware-type apps do not hide in the shadows. They flood Google results for anyone searching how to spy on their romantic partners. They place sponsored articles in major city newspapers (yes, really). The more egregious ones even advertise themselves specifically on their so-called abilities to “catch” cheating partners.

Without knowing how FakeSysUpdate is being advertised–which relates to our lacking information on how it is primarily being delivered to devices–we cannot definitively ascertain its purpose.

Despite the uncertainty, though, one thing is clear: This piece of malware could be devastating. Whether for malicious information gathering or for non-consensual surveillance of a romantic partner, these invasions of privacy are flat-out wrong.

We thank Zimperium zLabs for discovering this malware and for bringing it to the public’s attention.




https://malwaredevil.com/2021/04/01/android-system-update-malware-steals-photos-videos-gps-location-2/?utm_source=rss&utm_medium=rss&utm_campaign=android-system-update-malware-steals-photos-videos-gps-location-2


Thousands of Zero-Day Spear Phishing Attacks Continue to Target Covid-19 Pharmaceuticals

Three days before the end of 2020 SlashNext Threat Labs observed a flurry of spear-phishing attacks targeting companies working to deliver Covid-19 vaccines and therapeutics to curb the pandemic. Many of these attacks continue and have been active during the first quarter of 2021 with more than 1,000 spear phishing domains belonging to the same […]

The post Thousands of Zero-Day Spear Phishing Attacks Continue to Target Covid-19 Pharmaceuticals first appeared on SlashNext.

The post Thousands of Zero-Day Spear Phishing Attacks Continue to Target Covid-19 Pharmaceuticals appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/01/thousands-of-zero-day-spear-phishing-attacks-continue-to-target-covid-19-pharmaceuticals/?utm_source=rss&utm_medium=rss&utm_campaign=thousands-of-zero-day-spear-phishing-attacks-continue-to-target-covid-19-pharmaceuticals

Intelligent Reflecting Surface for Wireless Communication Security and Privacy




https://malwaredevil.com/2021/04/01/intelligent-reflecting-surface-for-wireless-communication-security-and-privacy-2/?utm_source=rss&utm_medium=rss&utm_campaign=intelligent-reflecting-surface-for-wireless-communication-security-and-privacy-2

Amnesiac DRAM: A Proactive Defense Mechanism Against Cold Boot Attacks




https://malwaredevil.com/2021/04/01/amnesiac-dram-a-proactive-defense-mechanism-against-cold-boot-attacks-2/?utm_source=rss&utm_medium=rss&utm_campaign=amnesiac-dram-a-proactive-defense-mechanism-against-cold-boot-attacks-2

April 2021 Forensic Quiz, (Thu, Apr 1st)

Introduction

Today’s diary is a forensic quiz for April 2021.  This month’s quiz will also be a contest.  The prize is a Raspberry Pi.  Rules for the contest follow:

  • Only one submission per person.
  • The first person to submit the correct answers will win the Raspberry Pi.
  • Submissions will be made using the form on our contact page at: https://isc.sans.edu/contact.html
  • Use April 2021 Forensic Quiz Submission for the Subject: line.
  • Provide the following information:
    • IP address of the infected Windows computer.
    • Host name of the infected Windows computer.
    • User account name on the infected Windows computer.
    • Date and time the infection activity began in UTC (the GMT or Zulu timezone).
    • The family or families of malware on the infected computer.

Material for this forensic quiz is located at this GitHub repository.  This repository contains a zip archive containing a pcap of network traffic from the infected Windows host.  The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host.  Be very careful with the malware and artifacts zip because it has actual malware from a recently infected Windows computer.  If you don’t know what you’re doing, do not download the malware and artifacts.  I always recommend people do this quiz in a non-Windows environment, if possible.


Shown above:  A meme about usernames and passwords on an infected Windows host.

Requirements

Analysis of the infection traffic requires Wireshark or some other pcap analysis tool.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

I always recommend participants use a non-Windows environment like BSD, Linux, or macOS.  Why?  Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware.  If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

Analysis of the malware and artifacts should also be done in a non-Windows environment, unless you are a skilled malware analyst.  However, reviewing the malware and artifacts in a non-Windows environment like Linux shouldn’t pose any problems.  Feel free to search for (or submit) malware from this quiz on sites like:

Most of the above sites require some sort of account to log in and search for samples.  Some of these sites provide free accounts that only require a valid email address.  Alternatively, search Google or other search engines for the SHA256 hashes of malware samples from this quiz.  You might get links from the above sites in your search results.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

  • LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255)
  • Domain: cliffwater.net
  • Domain Controller: 192.168.5.5 – Cliffwater-DC
  • LAN segment gateway: 192.168.5.1
  • LAN segment broadcast address: 192.168.5.255

Final Words

Again, the zip archive with a pcap of the traffic for this exercise is available in this GitHub repository.  The winner of today’s contest and analysis of the infection will be posted in an upcoming ISC diary two weeks from today on Wednesday April 14th.

I think the Raspberry Pi is an older model like a Raspberry Pi 2 or Raspberry Pi 3, but I will find out and update or add a comment to this diary.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.




https://malwaredevil.com/2021/04/01/april-2021-forensic-quiz-thu-apr-1st/?utm_source=rss&utm_medium=rss&utm_campaign=april-2021-forensic-quiz-thu-apr-1st

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...