
      Russian Cyberattack against Ukrainian Power Grid Prevented

      Bruce Schneier · news.movim.eu / Schneier · Wednesday, 13 April, 2022 - 16:27

    A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used.

    Key points:

    • ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
    • The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
    • The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
    • We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
    • We assess with high confidence that the APT group Sandworm is responsible for this new attack

    News article.

    EDITED TO ADD: Better news coverage from Wired.


      Developer Sabotages Open-Source Software Package

      Bruce Schneier · news.movim.eu / Schneier · Monday, 21 March, 2022 - 15:22 · 2 minutes

    This is a big deal:

    A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

    The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.

    […]

    The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates calling out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.

    One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new dependency named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code broadcasts a “call for peace.”

    It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries. Between log4j and this new protestware, it’s becoming a serious vulnerability. The White House tried to start addressing this problem last year, requiring a “software bill of materials” for government software:

    …the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.

    It’s not a solution, but it’s a start.


      Hundreds of scam apps hit over 10 million Android devices

      WIRED · news.movim.eu / ArsTechnica · Saturday, 2 October, 2021 - 10:50 · 1 minute

    Never put a GriftHorse on your phone.

    Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.

    Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like "Handy Translator Pro," "Heart Rate and Pulse Tracker," and “Bus - Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to "confirm" their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It's a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.


    The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it's significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.


      Man robbed of 16 bitcoin hunts down suspects, sues their parents

      Tim De Chant · news.movim.eu / ArsTechnica · Friday, 27 August, 2021 - 18:27


    Andrew Schober was almost all-in on cryptocurrency. In 2018, 95 percent of his net wealth was invested in the digital tokens, which he hoped he could sell later to buy a home and support his family.

    But then disaster struck. Schober had downloaded an app called “Electrum Atom” after clicking a link on Reddit, mistakenly thinking it was a bitcoin wallet. Instead, it was malware that allowed hackers to steal 16.4552 bitcoin when he tried moving some of his tokens. At the time, they were worth nearly $200,000. Today, they would be worth over $750,000.

    Distressed, Schober didn’t eat or sleep for days. He vowed to track down the culprits. After years of private investigations costing more than $10,000, Schober thinks he has found the thieves, and he’s suing their parents to get his bitcoin back. Krebs on Security first reported on the lawsuit.


      Apple M1-native malware has already begun to appear

      Jim Salter · news.movim.eu / ArsTechnica · Wednesday, 17 February, 2021 - 18:31 · 1 minute

    GoSearch22 isn't, technically speaking, any sort of "virus." But it's certainly not anything you'd want on your shiny new M1 Mac.

    Last year, Apple released Macbooks and Mac Minis powered by a new ARM CPU—the Apple M1. A few months later, malware authors are already targeting the new hardware directly. Wired interviewed Mac security researcher Patrick Wardle, who discovered an M1-native version of the long-running, Mac-targeted Pirrit adware family.

    Apple M1, malware, and you

    ARM CPUs have a very different Instruction Set Architecture (ISA) than traditional x86 desktop and laptop CPUs do, which means that software designed for one ISA can't run on the other without help. M1 Macs can run x86 software with a translation layer called Rosetta, but native M1 apps of course run much faster—as we can see by comparing Rosetta-translated Google Chrome to the M1 native version.

    When it comes to malware, Apple users have long benefited from the minority status of their platform. Ten years ago, macOS's operating system market share was only 6.5 percent, and few malware authors bothered to target it at all—but today, that market share is approaching 20 percent. That increase in popularity has brought malware vendors along with it; the macOS malware ecosystem is still tiny and relatively crude compared to the one plaguing Windows, but it's very real.


      Android barcode scanner with 10 million+ downloads infects users

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 8 February, 2021 - 19:46


    A benign barcode scanner with more than 10 million downloads from Google Play has been caught receiving an upgrade that turned it to the dark side, prompting the search and advertising giant to remove it.

    Barcode Scanner, one of dozens of such apps available in the official Google app repository, began its life as a legitimate offering. Then in late December, researchers with security firm Malwarebytes began receiving messages from customers complaining that ads were opening out of nowhere on their default browser.

    One update is all it takes

    Malwarebytes mobile malware researcher Nathan Collier was at first puzzled. None of the customers had recently installed any apps, and all the apps they had already installed came from Play, a market that despite its long history of admitting malicious apps remains safer than most third-party sites. Eventually, Collier identified the culprit as the Barcode Scanner. The researcher said an update delivered in December included code that was responsible for the bombardment of ads.


      Police have programmed the Emotet malware to self-destruct

      Marie Turcan · news.movim.eu / Numerama · Friday, 29 January, 2021 - 11:21

    After seizing control of Emotet's command infrastructure, law enforcement plans a large-scale cleanup of the malware for 25 April 2021, at noon.


      Police Have Disrupted the Emotet Botnet

      Bruce Schneier · news.movim.eu / Schneier · Thursday, 28 January, 2021 - 16:09 · 1 minute

    A coordinated effort has captured the command-and-control servers of the Emotet botnet:

    Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware; regular themes include invoices, shipping notices and information about COVID-19.

    Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.

    […]

    A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.

    Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.

    […]

    The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.


      Up to 3 million devices infected by malware-laced Chrome and Edge add-ons

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 16 December, 2020 - 19:58


    As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday.

    In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft.

    Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer. In a post, the researchers wrote:
