Cisco Warns Of a Suspected Russian Plan to Attack Ukraine

Cisco CEO Chuck Robbins.

The U.S. government said on Wednesday that it would seek to wrest control of a huge number of infected routers and storage devices from the hackers who, security researchers had warned, intended to use the resulting "botnet" to attack Ukraine.

A federal judge in Pennsylvania gave the FBI permission to seize an internet domain that experts say a Russian hacking group known as Sofacy was using to control the infected devices.

The order lets the FBI direct the devices to communicate with an FBI-controlled server, which will be used to identify their locations and pass that information to experts around the world who can remove the malware from the infected hardware.

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Assistant Attorney General for National Security John Demers said in a statement.

The U.S. government announced the takedown effort after Cisco Systems Inc (CSCO.O) released a report earlier on Wednesday about the hacking campaign, which it said targeted devices from Linksys, MikroTik, Netgear Inc (NTGR.O), TP-Link and QNAP.

Most infections by the VPNFilter malware were in Ukraine, which led Cisco to believe that Russia was planning an attack on that country. Cisco shared the technical details with the United States and Ukrainian governments, as well as with rivals that sell security software, hardware and services.

Ukraine's SBU state security service reacted to the report by saying it showed that Russia was preparing a large-scale cyber-attack ahead of the Champions League soccer final, due to be held in Kiev on Saturday. Cyber security firms, governments and corporate security teams closely monitor events in Ukraine, where some of the world's most expensive and destructive cyber-attacks have been launched.

Russia has denied assertions by countries including Ukraine, and by Western cyber security firms, that it is behind a massive worldwide hacking program that has included attempts to target and damage Ukraine's economy and to meddle in the 2016 U.S. presidential election.

Facebook Wants Your Naked Photos To Combat 'Revenge Porn'

Facebook will soon ask its users to upload naked photos of themselves to the social media website in order to stop revenge porn.

On Tuesday, the social network announced that it is testing a new initiative to fight “revenge porn”: it will let users “proactively” flag intimate pictures so that a former sexual partner cannot upload them without their consent.

The feature will scan uploaded images and ensure that flagged images cannot be posted to the site. The technique is an attempt to stop so-called revenge porn.

To do that, the site will ask users to upload any images they think might be used to harm them. The images are then assigned a digital fingerprint so that any later attempt to upload them can be blocked.

According to Facebook, pictures are uploaded through a “secure, one-time upload link” and reviewed by a “handful of specially trained members of our Community Operations Safety Team.”

Facebook's Global Head of Safety, Antigone Davis, said in a post: "People who worry that someone might want to harm them by sharing an intimate image can proactively upload it so we can block anyone else from sharing it on Facebook, Instagram, or Messenger:

  • Anyone who fears an intimate image of them may be publicly shared can contact one of our partners to submit a form.
  • After submitting the form, the victim receives an email containing a secure, one-time upload link.
  • The victim can use the link to upload images they fear will be shared.
  • One of a handful of specifically trained members of our Community Operations Safety Team will review the report and create a unique fingerprint, or hash, that allows us to identify future uploads of the images without keeping copies of them on our servers.
  • Once we create these hashes, we notify the victim via email and delete the images from our servers – no later than seven days.
  • We store the hashes so any time someone tries to upload an image with the same fingerprint, we can block it from appearing on Facebook, Instagram or Messenger."
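The "fingerprint, or hash" workflow above, as an added example that is not Facebook's code: a difference hash (dHash), one common kind of perceptual fingerprint, lets a service recognise a re-upload of an image while storing only the hash. That Facebook uses this particular scheme is an assumption, and the pixel images are constructed for the demo.

```python
# Added example (not Facebook's code): a difference-hash ("dHash") fingerprint,
# one kind of perceptual hash, to show how a service can block re-uploads of an
# image while storing only the hash. That Facebook uses this exact scheme is an
# assumption; the pixel images below are constructed for the demo.
from typing import List

Image = List[List[int]]  # rows of 8-bit grayscale pixels


def dhash(img: Image, hash_w: int = 8, hash_h: int = 8) -> int:
    """Return a 64-bit difference hash of a grayscale image.

    Shrinks the image (nearest neighbour) to (hash_w + 1) x hash_h pixels,
    then sets one bit per adjacent pixel pair: 1 if the left pixel is brighter.
    Uniform brightness changes and mild resizing leave the bits unchanged.
    """
    src_h, src_w = len(img), len(img[0])
    small = [
        [img[y * src_h // hash_h][x * src_w // (hash_w + 1)] for x in range(hash_w + 1)]
        for y in range(hash_h)
    ]
    h = 0
    for row in small:
        for x in range(hash_w):
            h = (h << 1) | (1 if row[x] > row[x + 1] else 0)
    return h


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


class FingerprintBlocklist:
    """Keeps only hashes, never pixels; matches near-duplicates within a threshold."""

    def __init__(self, max_distance: int = 10) -> None:
        self.hashes = set()
        self.max_distance = max_distance

    def add(self, img: Image) -> int:
        h = dhash(img)
        self.hashes.add(h)  # the image itself is discarded after hashing
        return h

    def is_blocked(self, img: Image) -> bool:
        h = dhash(img)
        return any(hamming(h, known) <= self.max_distance for known in self.hashes)


def make_image(mirrored: bool = False, brighten: int = 0) -> Image:
    """Constructed 16x16 test image: top half brightens left-to-right,
    bottom half right-to-left; mirrored flips both, brighten adds a constant."""
    rows = []
    for y in range(16):
        row = [x * 12 if y < 8 else 180 - x * 12 for x in range(16)]
        if mirrored:
            row.reverse()
        rows.append([min(255, p + brighten) for p in row])
    return rows


def demo() -> dict:
    """Block the original, then test a brightened copy and a mirrored image."""
    bl = FingerprintBlocklist()
    original = bl.add(make_image())
    return {
        "original_hash": original,
        "brightened_blocked": bl.is_blocked(make_image(brighten=20)),
        "mirrored_blocked": bl.is_blocked(make_image(mirrored=True)),
        "hashes_stored": len(bl.hashes),
    }
```

The brightened copy still matches because dHash records only which neighbouring pixel is brighter, while the mirrored image flips every bit and is not matched.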

Facebook has started the testing phase for users in the U.S., United Kingdom, Canada and Australia.

Pirate Bay to be blocked by ISP Telenor

Telenor, the Norwegian Internet Service Provider (ISP), which has long refrained from blocking access to the Swedish file-sharing website The Pirate Bay despite demands from the music and film industry associations, has now decided to voluntarily block the pirate website, reports TorrentFreak.

The development is not the result of a direct court order against the company, but of its final consolidation with Bredbandsbolaget, an ISP owned by Telenor that was previously ordered to block the infamous torrent site. Bredbandsbolaget was acquired by Telenor in 2005.

Those visiting The Pirate Bay right now see a Cloudflare error 522 message stating that:

“This page is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.” This could be because the server was overloaded or down, its firewall was blocking requests, or its DNS and IP addresses were misconfigured.

Back in 2014, Universal Music, Sony Music, Warner Music, Nordisk Film and the Swedish Film Industry filed a lawsuit against Bredbandsbolaget, one of Sweden’s largest ISPs.

The copyright holders had asked the Stockholm District Court to direct the ISP to block access to The Pirate Bay as well as the streaming site Swefilmer, as they believed that the provider knowingly assisted users in accessing the pirate platforms. However, the ISP opposed the entertainment companies’ demand to block content and services and fought back by sending a determined response to the Court.

According to IsItDownRightNow, The Pirate Bay went offline at 22:45 Pacific Time, and the outage is affecting users around the world. However, its dark web version on Tor is still up and running.

Intel finds another chip exploit

Just when we thought we were past the myriad Spectre and Meltdown CPU flaws, Intel (along with Google and Microsoft) has today shed light on a new Spectre-style vulnerability called Speculative Store Bypass, or Variant 4. While close to eight new variants of Spectre were discovered recently, this is the fourth to be disclosed by the chipmaker.

Variant 4 (CVE-2018-3639) is also a side-channel security flaw, but it uses a different mechanism to extract information, and the most likely place for it to be exploited is in web browsers.

“Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, said in a post on Monday.

The Spectre and Meltdown vulnerabilities led to frantic work by Intel and its computer-maker partners to put in place software code to protect systems.

The biggest maker of computer processors acknowledged that its chips are vulnerable to another speculative execution side-channel flaw that could give attackers unauthorized read access to memory. However, Intel has classified Variant 4 as a medium-risk vulnerability and added that it should not affect most users, since the mitigations rolled out for the ‘first strain’ of Spectre would work against it as well.

In its blog post, Intel says one potential way to exploit the vulnerability would be to try to access information via code run inside a web browser. The attacks are known to work only in a ‘language-based runtime environment’ such as a web browser, but the company is not aware of a successful browser exploit.

“In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers,” read the blog post.

The chipmaker has worked with its OEM partners and has already pushed a beta microcode update for Speculative Store Bypass to them. In the blog post, it adds,

BMW preparing to counter security threats

Fears of security flaws now extend even to top car models, a major concern for the entire automobile sector. At the centre is a recent technical report by Tencent Keen Security Lab, in which the Chinese security firm disclosed vulnerabilities in several BMW models and asked the automobile giant to counter the threat now, before it could lead to a wider compromise.

Tencent Keen Security Lab, which studied the cars for nearly a year, revealed 14 vulnerabilities in models including the BMW 5 Series, BMW 7 Series, BMW i Series, BMW X Series and BMW 3 Series. The firm disclosed the 14 vulnerable areas in its summary technical report, and BMW has taken up the issue as a priority.

The German manufacturer of luxury automobiles and motorcycles swung into action in light of the new findings. The experts observed that an attacker could strike a BMW car via a local GSM mobile network and gain access to UDS communication, the infotainment system and other components of the car.

The technical findings suggest that BMW modify the affected component settings and make substantial changes to the firmware, which is the best way to shut the attackers out.

BMW is already devising a mechanism to keep component settings updated, and is asking new owners and its service centres around the globe to be aware of this course of action.

3 new attacks by Wicked Mirai botnet

In April 2018, a report revealed how university students developed what would become the WannaCry ransomware.

But before it attacked millions of devices, WannaCry was the Mirai botnet–a DDoS army that was used by, among others, university students that wanted an edge in Minecraft.

Now another variant of the Mirai botnet has appeared on the scene, but this one has a twist. Its code integrates at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other DDoS botnets that can all be traced back to one threat actor.

This new version of the botnet uses exploits rather than brute-force attacks to gain control of unpatched devices. The original Mirai used brute-force login attempts to take over connected things and enslave them, but the Wicked botnet, named after the underground handle chosen by its author, prefers to go the exploit route.

This botnet, known for its devastating ransomware WannaCry, has recently added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

Vulnerabilities used by Wicked include a Netgear R7000 and R6400 command injection (CVE-2016-6277), a CCTV-DVR remote code execution bug and an Invoker shell on compromised web servers.

Fortinet’s FortiGuard Labs team analyzed the botnet and found that the exploits it uses are matched to the ports it scans.

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”
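Defender-side detection of the probing behaviour described above, as an added example that is not Fortinet's code: a source that sends bare SYN probes to the ports the bot scans (8080, 8443, 80 and 81) across many distinct hosts is flagged. The key=value firewall log format and the sample lines are constructed for the demo.

```python
# Added example (not Fortinet's code): flag sources that SYN-sweep the ports
# Wicked scans (8080, 8443, 80, 81) across many hosts. The key=value log
# format is an assumption; the sample lines below are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

WICKED_PORTS = {8080, 8443, 80, 81}

# One TCP SYN per line, as a simple perimeter firewall might log it
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=tcp\s+flags=(?P<flags>\S+)"
)

# Constructed sample: 203.0.113.5 sweeps six hosts; 198.51.100.7 is a normal client
SAMPLE_LOGS = [
    f"2018-05-17T10:00:0{i}Z src=203.0.113.5 dst=192.0.2.{10 + i} dport={port} proto=tcp flags=S"
    for i, port in enumerate([8080, 8443, 80, 81, 8080, 80])
] + [
    "2018-05-17T10:00:07Z src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp flags=S",
    "2018-05-17T10:00:08Z src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp flags=S",
]


def parse_line(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, flags) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_sweepers(lines: List[str], min_hosts: int = 5) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each source that SYN-probed at least min_hosts distinct hosts on the
    watched ports to the (dst, dport) pairs it touched."""
    probes: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        # a bare SYN (no ACK) to a watched port is the bot's connect probe
        if flags == "S" and dport in WICKED_PORTS:
            probes[src].add((dst, dport))
    return {
        src: pairs
        for src, pairs in probes.items()
        if len({dst for dst, _ in pairs}) >= min_hosts
    }


def main() -> None:
    for src, pairs in find_sweepers(SAMPLE_LOGS).items():
        ports = sorted({p for _, p in pairs})
        print(f"ALERT: {src} SYN-swept {len(pairs)} host/port pairs on ports {ports}")


if __name__ == "__main__":
    main()
```

Tune min_hosts to the size of the monitored network; a single client talking to one server on port 80 never trips the threshold, while a sweep of the four ports across many hosts does.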

Multilingual Malware Targets Android Devices for Phishing Attacks

A blog post titled 'Roaming Mantis uses DNS hijacking to infect Android smartphones' was published by Kaspersky Lab in April 2018 and described this malware in particular.

Roaming Mantis is Android malware designed to spread by means of DNS hijacking, and it targets Android devices specifically. Based on Kaspersky Lab's telemetry data, the activity was found mostly in Asia (South Korea, Bangladesh and Japan).

Potential victims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofing Facebook or Chrome, which users then installed manually. The application in fact contained an Android banking Trojan.

Not long after that publication it emerged that various other researchers were also focused on this malware family. In May, while monitoring Roaming Mantis, also known as MoqHao and XLoader, Kaspersky Lab's researchers observed some very significant changes in its modus operandi.

“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

According to Kaspersky Lab researcher Suguru Ishimaru, the latest campaign involving Roaming Mantis was likewise analysed by Kaspersky Lab, and the findings were detailed in its blog post "The Roaming Mantis campaign evolved significantly in a short period of time."

The attacks have been extended to around 27 languages, including English, Hindi, Russian, Chinese and Hebrew. Initially the malware was distributed in five languages only, but the range has since been extended using an automatic translator. The full list of languages is available here:

Roaming Mantis is also said to be capable of stealing private and sensitive data from Apple and Android phones, while cryptocurrency mining is performed by a special script added to the malware's HTML source code, which runs whenever the browser is opened.

Beware of ZipperDown

Yet another startling revelation has raised fresh fears of vulnerability in the cyber world and prompted security experts to step in.
A common programming error lies behind ZipperDown, a new vulnerability that could affect App Store applications. After careful experiments, Pangu Team concluded that exploiting the code in question could erase users' data.
The experts at the Chinese iOS jailbreaking team, whose in-house research found about 10 per cent of iPhone apps in the store to be affected by the bug, say it allows an app's data to be overwritten.
Without giving details, they also claimed to have discovered that the bug in question might affect Android smartphones as well.

Those who reached this disturbing conclusion have yet to make their full findings public, but they have agreed to share the details privately with app developers around the globe if needed.
They said app developers might find it useful to check whether the vulnerability exists in their own apps. Before reaching their conclusion, the Chinese iOS jailbreakers named many iOS apps that they found to be more or less vulnerable.
With the help of a newly developed scanning mechanism, known as Janus, Pangu Team scanned 168,951 apps, of which 15,978 were found to be vulnerable.
The experiments also suggest that the impact of the vulnerability depends on the app's permissions. The researchers scanned a few widely used Chinese apps, including QQ Music, Kwai, Weibo, MOMO and NetEase Music.
To keep the vulnerability at bay, at least for the time being, the experts have advised users to use a virtual private network (VPN), since it would help keep their devices safe from the attack.

Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data

Two students at Bloomfield Hills High School are the main suspects in a hack of the school’s Student Information System, called MISTAR. The students are believed to have changed the grades, attendance records and lunch balances of about twenty students as well as their own.

The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.

The students are suspected of having exploited a now-resolved vulnerability in the school's systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.

In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," he said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

The school has also established a support hotline, in addition to its FAQ page, where parents can learn more or have their questions about the hack answered.

200 Million Data sets sold on 'dark web'

A data security firm says it has found that a hacker group operating out of China has been selling the data of around 200 million Japanese users on the so-called dark web.

According to a FireEye iSIGHT Intelligence report, in December last year the firm spotted an underground Chinese-language website selling sets of IDs, passwords, email addresses and other important information.

The data appear to have been assembled from the hacked files of up to 50 smaller Japanese online retailers and gaming websites, and put up for sale as one giant archive.

The BleepingComputer website has reported that "the price for the entire archive is ¥1,000 CNY ($150.96 USD). Several actors commenting on the forum thread where the suspected Chinese hacker was selling his data commented that they've bought the PII cache but did not receive their files. It is unclear if these comments are true, or if these were made by other data sellers trying to sabotage their competition."

The researchers say they traced the hacker's online presence to a QQ social network ID, which also linked to another hacker's social ID.

"This QQ address is connected to an individual living in China's Zhejiang province," researchers said.