Latest Hacking News

DEA spends your tax dollars on zero-day exploits!

The Drug Enforcement Administration is in the hacking business. Newly released documents show the DEA spent $575,000 buying access to weaponized zero-day exploits sold by Hacking Team, the Italian company known for supplying intrusion and surveillance tools to government agencies.

The 2012 invoice (page 89) shows that the $575,000 bought full access to Hacking Team's Exploit Portal, which the company says contains at least three zero-day level exploits.

The DEA initiated payment to Cicom USA, the reseller through which Hacking Team sold into the United States, on August 20, 2012, and has since paid a number of further Cicom USA invoices at irregular intervals.

But it is not clear whether the DEA ever used any of those zero-day exploits, and the agency implied it was not particularly successful with Hacking Team's product. Since 2012, the DEA has deployed Hacking Team's Remote Control System (RCS) spyware against 17 targets, with only "one successful instance of remote deployment."

IoT malware Hajime battles Mirai, and here's how!

Symantec researchers have discovered a worm, known as Hajime, that has infected tens of thousands of IoT (Internet of Things) devices and appears to have a single purpose: preventing Mirai from taking them over.

Mirai is the notorious malware that has infected countless IoT devices, turning them into bots for for-hire DDoS attacks and more.

Hajime was first spotted by researchers in October of last year, spreading through poorly secured devices that expose Telnet to the internet and still use factory-default passwords. That is essentially the same technique Mirai uses to get into devices.

Unlike Mirai, Hajime has no C&C servers; instead it runs over a peer-to-peer network built on the BitTorrent DHT protocol.

“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” reads the analysis published by Symantec. 

Symantec has tracked infections around the world as Hajime spreads quickly. Its researchers question whether the author is really a white hat simply trying to secure devices: a modular peer-to-peer botnet of this size could be repurposed at any time.

Once on a device, Hajime does try to secure it, blocking access to ports 23 (Telnet), 7547 (TR-069 remote management), 5555 and 5358, all of which carry services that are commonly exploited on IoT devices.

“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” Symantec said.
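The spreading technique described above (open Telnet plus a short list of factory-default passwords) leaves a recognizable footprint in a Telnet honeypot. The following is an added example, not Symantec's code and not anything from the Hajime or Mirai source: it profiles Cowrie-style JSON login records and flags sources that spray default credentials or issue the BusyBox probe Mirai sends after a successful login. The sample log lines are constructed (RFC 5737 documentation addresses), the credential list is a small subset of the pairs hard-coded in the leaked Mirai scanner, and the thresholds are assumptions to tune on your own data.

```python
"""Flag Mirai/Hajime-style Telnet credential spraying in honeypot logs.

Added example. SAMPLE_LOG is constructed (Cowrie-style JSON records, RFC 5737
documentation addresses), not a real capture. DEFAULT_CREDS is a small subset
of the pairs hard-coded in the leaked Mirai scanner; Hajime spreads with the
same open-Telnet-plus-default-password technique.
"""
import json
from collections import defaultdict

DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""), ("admin", "password"),
    ("root", "root"), ("user", "user"), ("admin", "1234"), ("ubnt", "ubnt"),
}

# After logging in, the Mirai loader runs "/bin/busybox <TOKEN>" and keys on the
# "applet not found" reply to confirm a BusyBox shell; the token varies by variant.
BUSYBOX_PROBE = "/bin/busybox "

SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"xc3511"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","username":"root","password":"vizxv"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","input":"/bin/busybox ECCHI"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"alice","password":"Winter2017!"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"alice","password":"Winter2017?"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"54321"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.9","username":"root","password":"hunter2"}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def profile_sources(records):
    """Per source IP: login attempts, default-credential hits, successes, BusyBox probes."""
    prof = defaultdict(lambda: {"logins": 0, "default_hits": 0, "success": 0, "busybox": 0})
    for r in records:
        p = prof[r["src_ip"]]
        ev = r.get("eventid", "")
        if ev in ("cowrie.login.failed", "cowrie.login.success"):
            p["logins"] += 1
            if (r.get("username", ""), r.get("password", "")) in DEFAULT_CREDS:
                p["default_hits"] += 1
            if ev == "cowrie.login.success":
                p["success"] += 1
        elif ev == "cowrie.command.input" and r.get("input", "").startswith(BUSYBOX_PROBE):
            p["busybox"] += 1
    return dict(prof)


def classify(p, min_logins=2, min_default_ratio=0.5):
    """'iot-worm' if the source behaves like a Mirai/Hajime scanner, else 'other'.

    The thresholds are assumptions for this example; tune them on your own honeypot data.
    """
    if p["busybox"] > 0:
        return "iot-worm"
    if p["logins"] >= min_logins and p["default_hits"] / p["logins"] >= min_default_ratio:
        return "iot-worm"
    return "other"


def classify_all(profiles):
    return {ip: classify(p) for ip, p in profiles.items()}


if __name__ == "__main__":
    profiles = profile_sources(parse_records(SAMPLE_LOG))
    for ip, label in classify_all(profiles).items():
        p = profiles[ip]
        print(f"{ip:15} {label:9} logins={p['logins']} defaults={p['default_hits']} "
              f"success={p['success']} busybox={p['busybox']}")
```

Because a device reverts to its unsecured state on reboot, this kind of detection is the durable control: a source that keeps hitting the default list is a worm regardless of whether it is Mirai, Hajime, or the next one using the same dictionary.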

Low-cost ransomware Karmen discovered

Researchers at threat intelligence firm Recorded Future have spotted a new ransomware-as-a-service (RaaS) offering called Karmen, which lets anyone set up an account and run a customized ransomware campaign.

Like typical ransomware, Karmen encrypts the files on an infected PC with the AES-256 cipher, making them inaccessible until the victim pays a large sum to obtain the decryption key from the attacker.

Karmen deletes its decryptor if it detects a sandbox or analysis tools on the victim's machine, to hinder security researchers investigating the threat.

“Karmen Ransomware is sold as a standalone malware variant, only requiring a one-time upfront payment, allowing a buyer to retain 100 percent of payments from infected victims,” according to Recorded Future.

The ransomware is sold in light and full versions; the light version omits the sandbox detection and so has a much smaller file size.

The RaaS is built on the abandoned open-source ransomware toolkit Hidden Tear and is sold on dark web forums by a Russian-speaking actor using the handle DevBitox for $175.

MS Word hacked with ransomware

Researchers at SophosLabs have uncovered a new ransomware campaign that can hijack a PC and all of its files just by opening an email attachment. The campaign is described on Sophos's Naked Security blog.

The attackers email the target a PDF attachment. When it is opened in Acrobat Reader, the PDF, which carries an embedded Word document, prompts the user to open that document. Word then opens it and, through a social-engineering lure, asks the user to enable editing and content. Doing so runs a VBA macro that downloads and executes the Locky ransomware, which encrypts the files on the machine. Once the files are locked, the attackers demand a large ransom to release them.

The ransomware in this case appears to be a variant of the infamous Locky malware, which wreaked havoc across the world in 2016.

Most antivirus filters know how to spot suspicious macros in Office documents, but wrapping the document inside a PDF can be enough to sidestep that check.

Unlike most campaigns, this one hides its malicious content in two layers rather than a single file, making it even harder to detect.
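Because the macro document is wrapped inside a PDF, a triage script that only looks at Office files would miss it. The following is an added example, not SophosLabs code: it builds a constructed, uncompressed PDF that wraps a constructed .docm as an embedded file and asks Reader to open it on load, then scans the PDF for the indicators a defender would key on (embedded file streams, automatic actions, JavaScript) and looks inside any embedded OOXML file for the VBA container word/vbaProject.bin. The OpenAction JavaScript is one common way such lures hand the document to Word and is an assumption, not necessarily the campaign's exact mechanics.

```python
"""Static triage of a PDF for an embedded, macro-bearing Office document.

Added example, not SophosLabs code. Both the .docm and the PDF are constructed
here, uncompressed, so the scan is pure regex plus zipfile with no PDF library.
Real-world PDFs usually Flate-compress streams and may hide objects in object
streams or use indirect /Length references; decode those before applying this logic.
"""
import io
import json
import re
import zipfile

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
# Keys that make a PDF act on its own or carry a payload. "/EmbeddedFile\b" deliberately
# does not match the /EmbeddedFiles name tree, only the stream object itself.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")
AUTO_ACTION_KEYS = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch"}


def iter_objects(pdf):
    """Yield (object number, dictionary bytes, stream bytes or None) for each indirect object."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        s = STREAM_RE.search(body)
        if not s:
            yield int(m.group(1)), body, None
            continue
        head = body[:s.start()]
        length = LENGTH_RE.search(head)          # direct /Length only (see module docstring)
        data = body[s.end():s.end() + int(length.group(1))] if length else None
        yield int(m.group(1)), head, data


def office_macro_members(blob):
    """If blob is an OOXML ZIP, return the member names that hold VBA macros."""
    if not blob or not blob.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage_pdf(pdf):
    """Return suspicious keys, embedded-file findings and a verdict for a PDF byte string."""
    keys, embedded = set(), []
    for objnum, head, data in iter_objects(pdf):
        for k in SUSPICIOUS_KEYS:
            if re.search(re.escape(k) + rb"\b", head):   # scan dictionaries only, never stream bytes
                keys.add(k.decode())
        if re.search(rb"/EmbeddedFile\b", head) and data is not None:
            embedded.append({"object": objnum, "size": len(data), "macros": office_macro_members(data)})
    if any(e["macros"] for e in embedded):
        verdict = "high: macro-bearing Office document embedded in PDF"
    elif embedded and keys & AUTO_ACTION_KEYS:
        verdict = "medium: embedded file plus automatic action"
    elif embedded:
        verdict = "low: embedded file, review manually"
    else:
        verdict = "none"
    return {"keys": sorted(keys), "embedded": embedded, "verdict": verdict}


def build_docm_with_macro():
    """Constructed .docm: an OOXML ZIP with a dummy vbaProject.bin (OLE magic prefix only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 dummy")
    return buf.getvalue()


def build_lure_pdf(payload, name=b"invoice.docm"):
    """Constructed PDF wrapping `payload` as an attachment and asking Reader to open it on load.

    The OpenAction calls Acrobat's exportDataObject() with nLaunch 2 (save and open). This is
    one common way such lures hand the document to Word, assumed here, not the campaign's code.
    """
    js = b"this.exportDataObject({cName:'" + name + b"', nLaunch:2});"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(" + name
        + b") 3 0 R] >> >> /OpenAction << /S /JavaScript /JS (" + js + b") >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload) + payload + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(json.dumps(triage_pdf(build_lure_pdf(build_docm_with_macro())), indent=2))
```

The verdict ladder mirrors how a mail gateway should reason about the two layers: an embedded file on its own is worth a look, an embedded file that the PDF opens automatically is a lure, and an embedded Office file that carries a vbaProject.bin is the macro dropper this campaign relies on.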

There are things people can do to better protect themselves from this sort of attack:

This includes making and keeping regular back-ups of your files and ensuring a copy is kept somewhere off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

Users should also keep their software updated with regular security patches, as many malware attacks rely on exploiting bugs in programs such as Word. Malware that doesn't come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit. In the case of this attack, make sure Acrobat Reader and Word are both fully up to date.

Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!

Finally, everyone should be cautious about opening email attachments, particularly those from addresses or people you don't recognize. The crooks rely on the dilemma that you shouldn't open a document until you are sure it's one you want, but you can't tell whether you want it until you open it. If in doubt, leave it out.

Sophos also points to its Intercept X product, which aims to stop ransomware by blocking the unauthorized encryption of files.

This is the second malware campaign to target Microsoft Word in recent weeks.

Earlier this month, McAfee warned about a new exploit targeting all versions of Microsoft Office, including Office 2016 on Windows 10; Microsoft subsequently patched that zero-day as CVE-2017-0199.