Delving into PoSeidon malware

Data breaches involving cards swiped at infected point of sale (PoS) systems at retailers have become routine news. Because there is a huge market for stolen card data, these companies are being targeted with newer and more sophisticated malware.

How exactly does this malware work? While investigating such breaches, Cisco's Security Solutions team worked out the mechanism of a new malware family, which they nicknamed PoSeidon.

The infection of the PoS system likely begins with a keylogger that, once installed, deletes the login information stored in the user's profile, i.e. the saved passwords. This forces the user to retype the credentials, which the keylogger records and sends back to the attackers' server. With those credentials the attackers can then log in to the system remotely and drop the Loader component to steal card information.

The Loader tries to install itself on the PoS system as a service named WinHost so that it survives reboots. This step is called persistence: it is how the malware keeps its hold on the system. The Loader then connects to hardcoded command and control servers, which send down the second executable component of the malware, called FindStr.

FindStr also installs a keylogger. It scans memory on the infected system for digit sequences that start with 6, 5 or 4 and are 16 digits long (Discover, Visa, Mastercard), or that start with 3 and are 15 digits long (AMEX).

It then runs the Luhn algorithm on each candidate to verify that it is a plausible card number, discarding sequences that fail the check, and sends the surviving numbers along with the keylogger data to the exfiltration servers, from where they can be harvested for resale or fraud.
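To make the filtering stage concrete, here is an added example (not Cisco's code and not the malware's own) that applies the prefix-and-length rule described above to a raw buffer and then runs the Luhn check on each hit. The regex, function names and the sample buffer are this example's own; the card numbers in the buffer are the payment networks' published test numbers, not real accounts.

```python
import re
from typing import List

# The matching rule attributed to FindStr, as a regex: 16 digits starting
# 4, 5 or 6 (Visa, Mastercard, Discover) or 15 digits starting 3 (AMEX).
# The lookarounds stop it from matching inside a longer run of digits.
# CARD_PATTERN is this example's own name, not an identifier from the malware.
CARD_PATTERN = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: starting from the rightmost digit, double every
    second digit, subtract 9 from any doubled value above 9, and require
    the sum of all digits to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(data: bytes) -> List[str]:
    """Scan a raw buffer (e.g. a process memory dump) for candidate card
    numbers and keep only those that pass the Luhn check, in buffer order."""
    text = data.decode("latin-1")  # one byte per character, never raises
    return [m.group(0) for m in CARD_PATTERN.finditer(text)
            if luhn_valid(m.group(0))]


# Constructed sample buffer standing in for scraped process memory.
SAMPLE_MEMORY = (
    b"%B4111111111111111^DOE/JOHN^1812101...?"      # Visa track-1 data, Luhn-valid
    b" amex=371449635398431 "                        # AMEX, 15 digits, Luhn-valid
    b" mc=5500000000000004 disc=6011111111111117 "   # Mastercard, Discover, both valid
    b" bad=4111111111111112 "                        # check digit altered: fails Luhn
    b" order=1234567890123456 "                      # wrong prefix: never a candidate
    b" jcb=3566002020360505 "                        # 16 digits starting 3: rule skips it
)

if __name__ == "__main__":
    for card in find_card_numbers(SAMPLE_MEMORY):
        print(card)
```

The same two-stage rule is what a defender would put into a memory scanner or an egress DLP signature to catch this kind of harvesting. Note that the Luhn check only removes mistyped or corrupted candidates; plenty of non-card digit strings also pass it, so real detections should look for surrounding track-data markers such as the `%B` and `^` sentinels in the first sample record.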

The malware can also update itself based on instructions from the external server, and further investigation shows that its developers continue to work on it for newer projects. Faced with such persistent threats, organizations need to stay vigilant and adopt a threat-centric approach that provides security across the full attack continuum: before, during, and after an attack.

Flaw in Sync photos feature on Facebook mobile app


A hacker has found a new flaw in Facebook that allowed any malicious application to view a user's synced mobile photos.

The Sync photos feature lets users upload photos from their mobile device to their Facebook account automatically; the photos remain private until the user chooses to publish them. On many mobile phones this feature is turned on by default.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API, which serves these synced photos, was vulnerable.

The Facebook app retrieves synced photos by making an HTTP GET request to that endpoint with the user's access token. The endpoint only checked the token's permissions, not which app was presenting it, so any malicious app holding a user's token could read all of their private synced photos in seconds.

Muthiyah reported the flaw to the Facebook Security Team, which pushed a fix in less than 30 minutes and rewarded him $10,000 USD under its bug bounty program.

LAX Police investigating credit card breach at Tom Bradley International Terminal

Police have begun investigating what appears to be a credit card breach at one of the shopping vendors in the Tom Bradley International Terminal at Los Angeles International Airport (LAX).

The police are tight-lipped on the matter and have not said what led them to discover the breach. They have also declined to tell the press which vendor's card payments may have been compromised. No suspects have been identified so far.

LAX is the sixth busiest airport in the world and the third busiest in the United States. The Tom Bradley terminal has three levels and 18 gates, 39 airlines operate out of it, and dozens of vendors are present throughout the airport.

LAX Police have asked anyone who used a card at the terminal after March 4 and finds unauthorized charges on their statement to call (424) 646-6100 immediately.

Fake Facebook: Don't give your details away


A new phishing scam designed to steal your Facebook data has come to light. You might receive an email or a social media message asking you to recover your Facebook account before it is permanently closed.

The scam aims to collect Facebook credentials along with the user's phone number and date of birth. It came to light because of the poor English in the message.

Apart from that, the page where you enter your details (the phishing page) is hosted on the cloud sharing service Dropbox, which lets the attackers conveniently collect everything you type in.

The submitted details are then posted to a .PHP page, presumably to be sold on. Facebook has made no official statement on the matter, but www.blog.malwarebytes.org has cautioned users to think carefully before responding to any such message, which is likely to come from scammers.

Hackers won $317,500 on day one of Pwn2Own 2015

Hackers were awarded a total of $317,500 USD on the first day of Pwn2Own 2015 for finding three bugs in Adobe Flash, three in Adobe Reader, three in the Windows operating system, two in Internet Explorer, and two in Mozilla Firefox. The contest, held at the CanSecWest security conference in Vancouver, Canada, is sponsored by HP's Zero Day Initiative (ZDI) and Google's Project Zero.

Peter, Jihui Lu, and Zeguang Zhao of Team509, together with wushi of KeenTeam, were awarded $60,000 for exploiting Flash via a heap overflow remote code execution vulnerability, and an additional $25,000 for achieving SYSTEM-level code execution by chaining in a local privilege escalation in the Windows kernel through TrueType fonts.

Nicolas Joly used a use-after-free (UAF) remote code execution vulnerability in Flash and a directory traversal vulnerability in the Flash broker to escape the sandbox, winning $30,000.

Joly won another $60,000 for exploiting Adobe Reader through a stack buffer overflow that led to an information leak and remote code execution.

Peter, Jihui Lu, Wen Xu, and wushi (KeenTeam), with Jun Mao (Tencent PCMgr), earned $30,000 for targeting Adobe Reader with an integer overflow, plus a $25,000 bonus for escalating to SYSTEM through pool corruption via a different TTF bug.

Mariusz Mlynski broke Mozilla Firefox through a cross-origin vulnerability and then used a logic flaw to escalate to SYSTEM on Windows, earning $30,000 USD for the Firefox bug and a $25,000 bonus for the privilege escalation. 360Vulcan Team won $32,500 USD for exploiting 64-bit Microsoft Internet Explorer 11 to gain medium-integrity code execution through an uninitialized memory vulnerability.

Google introduces new review process for apps, age-based rating system for all apps on Play Store soon


Google has changed its app submission process by adding human approval as a new step. Starting a couple of months ago, a team of reviewers at Google began reviewing all applications before they are allowed to go live on the Play Store.

“We started reviewing all apps and games before they’re published – it’s rolled out 100%, and developers haven’t noticed the change,” said Purnima Kochikar, Director of Business Development for Google Play. Even with the new review system in place, Google has kept its speed advantage over rival Apple: developers can get their apps live within a few hours of submission to the Play Store, unlike Apple's lengthy review process.

The reason Google can do this so quickly is its automated software, which can detect not only malware but also sexual content and copyright infringement. Kochikar was not very forthcoming about exactly what Google's automated detection software can catch.

“We’re constantly trying to figure out how machines can learn more,” explains Kochikar. “So whatever the machines can catch today, the machines do. And whatever we need humans to weigh in on, humans do.”

Google also launched a new age-based rating system for the Play Store that is due to come into effect in May. The system will be based on the scales of each region's official rating authority. App developers will be required to fill in a questionnaire about any objectionable content in their app before submission, and the system will return the most appropriate rating for the app.

Google has said that it will keep an eye on the ratings produced by the new questionnaire system to make sure developers answer truthfully. There will be a grace period for applications already on the Play Store, but soon all new submissions and updates will require developers to complete the questionnaire.

Cyberattack on Premera puts 11 million users at risk

A cyberattack on Premera has potentially exposed the sensitive financial and medical records of roughly 11 million people.

The sophisticated attack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, its affiliate brands Vivacity and Connexion Insurance Solutions, Inc., and members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska. Individuals who do business with Premera were also affected.

Premera, a leading health insurer, stores information such as members' and applicants' names, dates of birth, email addresses, postal addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information.

The attack on its IT systems was discovered on January 29, 2015, but the initial intrusion dated back to May 5, 2014. The company withheld the news while it secured its systems, so as not to provoke further attacks that could harm its users.

Premera is working closely with Mandiant, one of the world's leading cybersecurity firms, to investigate the incident and to remove the attackers' malware from its systems. The Federal Bureau of Investigation has been notified and is also investigating.

The exposed data would be a goldmine for the attackers. So far, however, the initial investigation has found no evidence that any data was removed from the systems or put to inappropriate use.

Premera President and CEO Jeff Roe has issued a statement saying that the company is committed to protecting its users' information and, as part of that commitment, will provide two years of free credit monitoring and identity theft protection services through Experian to affected individuals, starting March 17, 2015.

Premera will contact affected people only by letter; no emails or phone calls will be made asking for information. The company has warned individuals to be wary of unsolicited phone calls seeking information.

In addition, Premera has established a dedicated call center for enquiries about the incident. Premera users who believe they have been affected but have not received a letter from the company by April 20, 2015 are urged to call 1-800-768-5817.

Data Breach at Sacred Heart Health Systems


A security breach at a third-party vendor of Sacred Heart Health Systems has exposed the health and personal information of approximately 14,000 patients.

Through a phishing attack, hackers gained access to the email account of an employee of the billing vendor and were able to view patients' names, dates of service, dates of birth, diagnoses and procedures, total charges, and physicians' names; the Social Security numbers of 40 patients were also compromised.

The incident was first discovered on Dec. 3, 2014, and the employee's username and password were immediately disabled. Sacred Heart was notified of the attack on Feb. 2, 2015.

It immediately launched an internal investigation, engaging computer forensics experts to analyze the incident and accurately identify those affected, and sent letters to all affected patients informing them of the attack. The hacker has not been identified.

Employee email accounts of Children's National Health System targeted with Phishing emails


Children's National became the victim of a cyber-attack after employees responded to phishing emails from hackers, believing them to be legitimate.

The issue came to light on December 26 last year, and Children's National believes that any unauthorized access to its employees' email accounts could have taken place between July 26 and December 26 last year.

Children's National has said that patient health information contained in the affected email accounts has been put at risk. Although it has received no reports of the information being misused, affected people are being advised to watch for discrepancies in their insurance statements.

On learning of the incident, Children's National immediately secured the affected employees' email accounts and began an investigation, hiring an external forensics firm to carry it out.

It has implemented new security measures and reviewed its systems to strengthen the security of its network, and has set up a dedicated call centre with a helpline number for affected patients.

Data breach of Advantage Dental


Advantage Dental, a Redmond-based provider that serves low-income patients at more than 30 clinics in Oregon, announced on Monday that an intruder had accessed the internal membership records of more than 151,000 patients in late February.

According to Advantage Dental, the intruder accessed patients' names, Social Security numbers, home addresses, phone numbers, and dates of birth, but treatment details, payment data and other financial data were not accessed.

Malware on an Advantage employee's computer captured a username and password that allowed access to the membership database, which is separate from the database holding financial and treatment information.

The intruder accessed the information continuously for three days, from 23 Feb to 26 Feb. Advantage Dental's internal IT specialists terminated the unauthorized access immediately upon discovering it. The company noted that the antivirus software on its computers failed to detect this new variant of the malware.

No patients have reported the data being used for criminal activity. Advantage has made the necessary security changes at all of its clinics and at its Redmond headquarters to prevent further breaches.