Delving into PoSeidon malware

News of data breaches occurring through card usage at infected point-of-sale (PoS) systems at retailers has become common nowadays. With a huge market for stolen credit card information, companies are being targeted with newer and more sophisticated malware.

How exactly does this malware work? While investigating breach cases, Cisco's security researchers discovered the working mechanism of a new malware family, which has been nicknamed PoSeidon.

The infection of the PoS system possibly arises from a keylogger which, after getting installed, deletes the profile login information (i.e. saved passwords) stored on the system. This forces the user to type in the credentials, which are recorded by the keylogger and sent back to the server; the attacker can then access the system remotely and infiltrate it with the Loader malware to steal card information.

The Loader tries to install itself on the PoS system as a service that runs as Winhost, so that it survives reboots of the system. This step is called persistence, by which the malware maintains its hold on the system. It then connects to hardcoded command and control servers, which send the second executable part of the malware, called FindStr.

It also simultaneously installs another keylogger. FindStr goes through data on the infected system looking for number sequences that start with 6, 5 or 4 and are 16 digits long (Discover, Visa, Mastercard) or start with 3 and are 15 digits long (AMEX).

It then runs the Luhn algorithm to verify whether the sequence is card information or not, and sends that information, along with data from the keylogger, to the exfiltration servers, from where it can be harvested for further use.
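The "pattern match, then Luhn check" step described above is exactly what a defender's card-data scanner does when auditing logs, dumps or file shares for exposed PANs. The following added example (not from the article and not Cisco's code) implements the same selection rule and the Luhn checksum in Python over a constructed text sample, and masks anything it finds so the scanner never writes full card numbers into its own output; the sample dump and the `find_card_numbers` helper are assumptions of this example.

```python
import re
from typing import List, Tuple

# Selection rule quoted in the article: 16 digits starting with 4, 5 or 6
# (Visa, Mastercard, Discover) or 15 digits starting with 3 (AMEX).
# The (?<!\d) / (?!\d) guards stop the scanner matching inside longer digit runs.
PAN_PATTERN = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")
ISSUERS = {"3": "AMEX", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) checksum: from the right, double every second digit,
    subtract 9 from any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(number) - 4) + number[-4:]


def find_card_numbers(text: str) -> List[Tuple[str, str]]:
    """Return (issuer, masked PAN) for every Luhn-valid candidate in the text."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        pan = match.group(0)
        if luhn_valid(pan):
            hits.append((ISSUERS[pan[0]], mask_pan(pan)))
    return hits


# Constructed sample; the numbers are the well-known public test card numbers,
# not real cards. One 16-digit value deliberately fails the Luhn check.
SAMPLE_DUMP = (
    "constructed process-memory excerpt, not a real capture\n"
    "swipe=4111111111111111=2512101 ok\n"            # Visa test number, Luhn-valid
    "order id 4111111111111112 shipped\n"            # looks like a PAN but fails Luhn
    "mc 5555555555554444 approved\n"                 # Mastercard test number
    "amex 378282246310005 approved\n"                # 15-digit AMEX test number
    "disc 6011111111111117 approved\n"               # Discover test number
    "ref 44111111111111111 (17 digits, not a PAN)\n" # longer digit run must not match
    "tel 9876543210123456 (starts with 9, not scanned)\n"
)

if __name__ == "__main__":
    for issuer, masked in find_card_numbers(SAMPLE_DUMP):
        print(f"{issuer:<10} {masked}")
```

Run against a file or a memory dump taken during incident response, the same two-stage filter tells you which systems actually held card data in the clear, which is what decides breach scope; the Luhn check removes most order numbers and phone numbers that the length rule alone would flag.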

The malware can also update itself depending on communication from the external server. Further investigation shows that the developers are working to use these components in other, newer projects. Faced with such persistent threats, organizations need to be vigilant and adopt a threat-centric approach to provide security during the full attack continuum – before, during, and after an attack.

Flaw in Sync photos feature on Facebook mobile app


A new flaw has been detected by a hacker in Facebook, which allows any malicious application to view your synced mobile photos.

The Sync photos feature allows users to sync their mobile photos with their Facebook account, and they remain private until you publish them. But by default this feature is turned on in many mobile phones.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos, and that this endpoint is vulnerable.

The Facebook app retrieves the synced photos using a top-level access token by making an HTTP GET request to a specific URL, enabling a malicious app to read all your private photos in seconds.

Laxman Muthiyah reported this flaw to the Facebook Security Team, who pushed a fix in less than 30 minutes and rewarded him $10,000 USD as part of their bug bounty program.

Crypto currency miner ‘quietly’ bundled with μTorrent, users cry foul


Are you in a hurry to install the newest version of μTorrent? Be careful what you agree to.

Users of μTorrent are fuming after it came to notice that the newest version of the popular file sharing app (version 3.4.2) is coming covertly bundled with Epic Scale which uses a portion of the CPU cycles to mine crypto-currency Litecoin. One Litecoin is worth $1.89.

The complaints in the forum imply that the users had no indication of the software being installed, and the reactions ranged from discontent to the outraged "good bye μtorrent".

Users are furious that the processing power of their computers is being utilized without their knowledge.

BitTorrent has released an official statement that Epic Scale is not installed without the consumer's permission. They further added that, like other software companies, they have partner packages in the install path which are strictly optional.

Epic Scale, which euphemistically proclaims "Your computer has the power to change the world", denied allegations of sly installations and said it is included in BitTorrent clients.

Its website explains:

"Epic Scale uses your computer's idle time to do genomics research, protein folding, image rendering, cryptocurrency mining, and more, then we give a majority of the profits to charities like Watsi (life-changing surgeries), and Immunity Project (HIV vaccine). We do not spy on your browsing behavior or scan your files or anything like that."

Epic Scale's CEO, Tim Olson, stated that they will shift from mining Litecoin to working full time on science research projects.

Philanthropic initiatives aside, the troubling fact remains that it is flagged as a risk and blocked by trackers and firewalls. According to users it is difficult to uninstall: in addition to removal via Add/Remove Programs, all residual files on the program drive have to be removed manually. Epic Scale however maintains that it is not spyware.

It is to be noted that since BitTorrent varies the bundled partner software for each download, not all users will get Epic Scale.

The furore on the forum prompted Epic Scale into damage control mode. The site has been updated with clear instructions on how to uninstall the code, and the company has promised to display clearer opt-out options in the future.

Those who are having trouble uninstalling can visit Epic Scale's uninstall instructions, or email its support address for help in removing the software.

Natural Grocers investigates unauthorized access to customer payment information


The latest retailer to be hit with a data breach in the United States is Natural Grocers: sources in the financial industry confirmed to KrebsOnSecurity that they had identified a pattern of fraud on debit and credit cards of customers who buy their groceries at the organic and natural grocery chain's 93 outlets across 15 states.

According to US investigative reporter Brian Krebs, the point-of-sale (POS) systems at various outlets were breached by the hackers sometime in December 2014. This was possible because of the weak security of the company's databases.

The company said in its response that it was looking into 'a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.' The company has also not received any report, from any individual or financial institution, of misuse of the data that has been put at risk. In the wake of the event, the grocery chain has decided to speed up plans to install point-of-sale systems that provide end-to-end encryption, adding more layers of security to its network.


“These upgrades provide multiple layers of protection for cardholder data. The company is in the process of installing this new system at all 93 Natural Grocers stores in 15 states. The company takes data security very seriously and is committed to protecting its customers’ information. This is all the information the company is able to provide at this time, as the investigation into the incident is ongoing," the company's emailed statement concluded.

Many big retailers in the US such as Home Depot, Supervalu, Neiman Marcus and Target have been hit by hackers in recent times. The new POS systems conduct a transaction through the more secure Europay, MasterCard and Visa (EMV) standard, which is the latest technique being used to safeguard against card fraud at POS systems.

In October 2014, Obama signed an executive order for a speedier adoption of the EMV standards across USA. The federal government has been tasked with the charge of leading by example in securing customer transactions and sensitive data, throughout the whole of United States.

Russian Hackers use Windows 0-Day exploit to hack NATO, Ukraine

Russian Hackers, dubbed the "sandworm team", have been found exploiting a previously unknown vulnerability in Microsoft's Windows Operating systems, reports iSight.

The group has used this zero-day exploit to hack computers used by NATO, the Ukrainian government, European telecommunications firms, the energy sector and a US academic organization.

The attack starts with a spear-phishing email containing a malicious PowerPoint document that exploits the vulnerability and infects the victim's machine with malware.

"The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files," the report reads.

"... When handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources... This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands."

The vulnerability reportedly affects all versions of the Windows operating system from Vista SP1 to Windows 8.1. It also affects Windows Server 2008 and 2012.

A Bug in Bug Tracker "Bugzilla" exposes Private Bugs


A critical vulnerability in the popular web-based Bug tracking tool "Bugzilla" allows hackers to view the details of any undisclosed vulnerabilities.

Bugzilla is an open source bug tracking program developed by Mozilla and being used by many large organizations including RedHat, Linux Kernel, Gnome, Apache.

Vulnerability researchers at Check Point Software Technologies reported to Mozilla a bug that allows anyone to register with an email address of the targeted domain (for example, admin@mozilla.com) and bypass email validation.

The researchers exploited the vulnerability and managed to create administrator accounts for Mozilla.org, Mozilla.com and Bugzilla.org.

Gervase Markham from Mozilla wrote a detailed technical post. The attack method appears to be the "HTTP Parameter Pollution (HPP)" technique.

OWASP Definition for HPP:
"Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values."
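The following added example (not from the Check Point or Mozilla write-ups, and not Bugzilla's code) shows in Python the generic mechanism behind the OWASP definition: two layers of one application that parse the same query string with different "first wins" and "last wins" rules end up validating one value and storing another. It also shows the hardening a practitioner would add, a strict parser that refuses any request repeating a parameter name. The query strings, the parameter names and the `inconsistent_view` / `parse_strict` helpers are constructed for this example.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request bodies: the second one sends the same parameter twice.
CLEAN_QUERY = "login=alice&email=alice%40example.com"
DUPLICATED_QUERY = "login=alice&email=alice%40example.com&email=alice%40example.org"


def last_wins(query: str) -> dict:
    """dict(parse_qsl(...)) silently keeps the LAST value of a repeated key."""
    return dict(parse_qsl(query, keep_blank_values=True))


def first_wins(query: str) -> dict:
    """parse_qs(...) keeps every value; indexing [0] yields the FIRST one."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def inconsistent_view(query: str):
    """Simulate a validation layer and a storage layer that parse independently.
    Returns (value the validator checked, value that would be stored)."""
    validated_email = last_wins(query)["email"]
    stored_email = first_wins(query)["email"]
    return validated_email, stored_email


def parse_strict(query: str) -> dict:
    """Hardened parser: reject the request outright if any name is repeated,
    so every layer downstream sees exactly one value per parameter."""
    parsed = parse_qs(query, keep_blank_values=True)
    duplicates = sorted(k for k, v in parsed.items() if len(v) != 1)
    if duplicates:
        raise ValueError(f"duplicate parameters rejected: {duplicates}")
    return {k: v[0] for k, v in parsed.items()}


if __name__ == "__main__":
    print("clean     :", inconsistent_view(CLEAN_QUERY))
    print("duplicated:", inconsistent_view(DUPLICATED_QUERY))
    try:
        parse_strict(DUPLICATED_QUERY)
    except ValueError as err:
        print("strict parser:", err)
```

Whichever rule a framework picks is fine on its own; the weakness is the disagreement between components, so the fix belongs at the edge (reject duplicates, or normalise once and pass the result down) rather than in each consumer.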
Patch:
Mozilla has released a security update that not only patches this privilege escalation vulnerability but also a few other bugs, including cross-site scripting and an information leak.

Yahoo says ShellShock vulnerability is NOT the cause of the servers hack

Researcher Jonathan Hall says he found evidence that Romanian hackers used the recent "ShellShock" vulnerability to hack a number of high profile websites including Yahoo, WinZip.

Hall said he informed Yahoo, WinZip and FBI about the issue.

Yahoo earlier today said their servers were compromised via the ShellShock vulnerability. But Yahoo's Chief Information Security Officer Alex Stamos published a statement on Hacker News saying the breach is not a result of 'Shell Shock'.

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers." Stamos wrote.

"These attackers had mutated their exploit, [and] this mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."

The company claimed hackers did not gain access to any user data; the affected servers are used to provide live streaming for its sports service and don't store user data.

In response, Hall said in his blog "The Yahoo! infiltration WAS from the 'Shellshock' vulnerability, and it did NOT originate on the sports servers / API’s".

Jimmy John's hit by Point of Sale (POS) Malware

Jimmy John's is the latest company hit with Point-Of-Sale(POS) information breach. 

The Illinois based sandwich shop said it learned of the hack on July 30 and immediately hired security experts to help with the investigation.

In July, Brian Krebs reported that multiple financial institutions were seeing fraud on cards that had all recently been used at Jimmy John's locations. He also reported that the stores use POS systems made by a third-party vendor, Signature Systems Inc. At the time, the breach was not confirmed; after nearly two months, the company confirmed it.

According to the company's statement, hackers stole log-in credentials from its POS vendor and used them to gain access to Jimmy John's POS systems.

Signature Systems also confirmed the breach, saying attackers obtained a username and password that they used to remotely access the POS systems.

The attackers then installed malware designed to capture payment card data from cards swiped through the terminals.

Information including card numbers, verification codes, expiration dates and cardholders' names is at risk. The company says information entered online, such as email addresses and passwords, is not affected.

The incident affected approximately 216 Jimmy John's stores.

jQuery.com reportedly hacked to serve malware


jQuery.com, the official website of the popular JavaScript library jQuery (used by nearly 70% of the top 10,000 websites), had reportedly been compromised and had served credential-stealing malware.

RiskIQ announced that they had detected a malicious script in jquery.com that redirects visitors to a website hosting the RIG Exploit kit.

The redirector domain (jquery-cdn[dot]com) used in this attack was registered on September 18, the same day the attack was detected by RiskIQ. RiskIQ believes this domain was chosen specifically to blend in with the website.

The good news is that RiskIQ found no indication that the jQuery library itself was affected. Otherwise, the many additional websites that load the jQuery library from the jQuery CDN would also have been affected.

The people at jQuery.com say they found no logs or evidence that their server was compromised.

"So far the investigation has been unable to reproduce or confirm that our servers were compromised. We have not been notified by any other security firm or users of jquery.com confirming a compromise." JQuery.com blog post reads.

About 5 million Gmail IDs and passwords leaked

Around 5 million Gmail usernames and associated passwords have been leaked on a Russian Bitcoin security forum.

Did Google get hacked?
No, the leak was not the result of a security breach of Google's systems. The dump is said to have been obtained from other websites.

So, if you have used the same password anywhere else, your Gmail account could be compromised.

Google's response
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords." Google wrote.

What should you do?
  • There are a few websites available online to check whether your Gmail ID has been compromised or not. My suggestion is don't use them. I suggest everyone change their password. (I believe most people keep the same password for years, so it's better to change it now.)
  • If you have not enabled the 2-step verification feature, it is good to enable it.
  • Never use your Gmail password on any other website.

Security breach at Bartell Hotels affects over 40,000 individuals


Bartell Hotels announced that it had detected potential unauthorized access by a third-party attacker to its customers' financial data.

The payment card processing systems used at five Bartell Hotels were compromised.

The five impacted hotels are Best Western Plus Island Palms Hotel & Marina, The Dana on Mission Bay, Humphreys Half Moon Inn & Suites, Pacific Terrace Hotel and the Days Hotel–Hotel Circle.

The official statement says the security breach occurred between February 16, 2014 and May 13, 2014. The breach involves theft of certain credit card data, including customers' names and credit card numbers.

According to SC Magazine, the data breach affects between 40,000 and 45,000 individuals. About 16,000 individuals who provided their email addresses to Bartell are currently being informed of the breach.

The company is offering free credit monitoring and identity protection to the affected individuals.

UPS store at 51 locations hit with Malware, Customers' Card data at risk

The UPS Store, a subsidiary of UPS, said that 51 US stores in 24 states were hit with malware that was not detected by current antivirus software.

The breach puts customers who used a credit or debit card at one of the affected locations between January 20,2014 and August 11 at risk.

Customer information that may have been exposed in this breach includes names, postal addresses, email addresses and payment information.

The company hired an IT security firm to conduct a forensic investigation after receiving a notification about a "broad-based malware intrusion" from the US government.

The UPS Store said it eliminated the malware as of August 11.  The company is offering identity protection and credit card monitoring services to impacted customers.


Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new Banking Trojan dubbed as "Kronos" which is being sold in the Underground forum.

The malware is being sold for $7,000, and the cyber criminals are offering a one-week test for $1,000 with full, unrestricted access to the command and control server.

Similar to other banking Trojans, this new malware is also capable of form grabbing and HTML injection.

Kronos has user-mode (ring 3) rootkit capabilities that help the Trojan defend itself from other pieces of malware, and it works on both 32-bit and 64-bit operating systems.

It is also designed to evade antivirus software and bypass sandboxes. The malware uses encryption to communicate with the C&C server.

Trusteer said it has not yet analyzed a malware sample to validate the seller's claims; all the information provided is based on the advertisement in the underground forum.

Hacking Any Facebook Accounts using REST API

Stephen Sclafani, a security researcher, has discovered a critical security vulnerability in the social networking giant Facebook that allowed him to hack any Facebook account.

Stephen needed only your user ID: with it he could hack into your account and read private messages, view email addresses, create or delete notes and, on top of that, update your status, upload photos and tag your friends, all on your behalf.

"A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID" Stephen explained in his blog.

The Facebook REST API is said to be the predecessor of Facebook's current Graph API. He managed to send a request to the server using this API such that it would update a status on behalf of the victim.


Stephen found this bug on April 23 and reported it to Facebook. After being notified, Facebook permanently fixed the bug on April 30. Facebook awarded him a $20,000 bounty for finding and reporting this bug.

Domino's Pizza hacked, details of 650k customers stolen

Hackers who claimed to have compromised the database server of Domino's Pizza have demanded a ransom of €30,000 to prevent the public disclosure of customers' data.

The hacker group going by the name of Rex Mundi said they hacked into the servers of Domino's Pizza France and Belgium.

The hackers have managed to download more than 592,000 customer records from Dominos France and 58,000 records from Belgian website.

They claim the compromised database contained sensitive information such as customers' full names, addresses, phone numbers, delivery instructions, email IDs and passwords.

The group gave Domino's a deadline of 8PM CET to pay them.

"If they do not do so, we will post the entirety of the data in our possession on the Internet." The group said.

Domino's France posted a series of tweets in which it acknowledged the hack and recommended users to change their passwords.

Game Over for GameOver Zeus and Cryptolocker malware that stole millions

Image Credits: Symantec

The U.S. Department of Justice announced that the FBI and other international law enforcement agencies have disrupted two of the world's most notorious botnets: GameOver Zeus and the Cryptolocker ransomware.

GameOver Zeus is one of the most notorious botnets; it first emerged in September 2011 and is responsible for millions of infections worldwide. It is based on the original Zeus malware and attempts to steal financial information from the victim.

According to the United States Department of Justice report, the cybercriminals behind the GameOver Zeus have stolen more than $100 million.

Evgeniy Mikhailovich Bogachev, a 30-year-old Russian, has been charged for his alleged role as an administrator of the GameOver Zeus botnet.

Cryptolocker is a particularly nasty piece of malware that encrypts all files on the infected machine, then demands a ransom to unlock them. If the files are important and there is no backup, victims have no choice other than paying the ransom to get a key to unlock them.

The DOJ report suggests that more than 200k computers had been infected by this ransomware as of April. The malware appeared in September 2013, and within two months the cyber criminals had collected more than $27 million.

Symantec has also released a tool to remove GameOver malware completely from your computer.  You can download it from here.

"Using TrueCrypt is not secure" , End of TrueCrypt Development

Today, security enthusiasts woke up to the shocking news that TrueCrypt has ended its development and is warning users that the drive encryption tool is not safe to use.

Users who try to access the official TrueCrypt website are being redirected to the official sourceforge page of Truecrypt(truecrypt.sourceforge.net/).  The page displays the following message:

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

The message continued "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information)."

The page advises users to migrate any data encrypted by TrueCrypt to encrypted disks supported on their platform. It also provides steps for migrating to an encrypted BitLocker drive.

Many, including me, are not able to believe our own eyes. It is uncertain whether this is an official announcement from the development team or someone has hacked the TrueCrypt website.

Matthew Green, who teaches cryptography at Johns Hopkins and is a researcher involved with the TrueCrypt audit, tweeted that he thinks the news is legitimate.

A new binary (TrueCrypt v7.2) has been uploaded to the SourceForge page in the last 24 hours. Upon opening this binary, the following error message is displayed:


The binary does not allow users to "create new volume"; it only allows you to mount existing volumes. Users are advised not to download this latest version, as it may contain malicious code.

Spotify suffers Data Breach, You should upgrade the android app

Music streaming service Spotify is the latest high-profile company to report a data breach. Spotify has announced on its blog that it had been hacked.

According to the blog post, the breach affected only one user. The affected user has been notified of the incident. The company says the breach did not involve any password, financial or payment information.

"Based on our findings, we are not aware of any increased risk to users as a result of this incident." Oskar Stål, Chief Technology Officer at Spotify said in the blog post.

As an additional security measure, the company also recommends Android users upgrade their Spotify application. iOS and Windows Phone users do not need to take any action.

"We apologise for any inconvenience this causes, but hope you understand that this is a necessary precaution to safeguard the quality of our service and protect our users." the blog post reads.

Avast community forum hacked, user names and passwords stolen

Antivirus firm Avast said it took its community forum offline after a hacking attack compromised its database.

Usernames, email addresses, nicknames and passwords were compromised in this attack. The breach did not involve any financial data, licence data or other data.

While the passwords are hashed (the SMF forum software uses SHA-1 with a salt to store passwords), it will not take a hacker much time to crack the hashes. The longer the password, the harder it is to crack.
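To make the point about hashing speed and password length concrete, here is an added Python example (not Avast's or SMF's code; SMF's exact hash construction is not reproduced) that compares a single salted SHA-1 of the kind described above with an iterated PBKDF2 hash, measures how many guesses per second each allows on the local machine, and turns that rate into a brute-force time for a given password length. The `sha1_salted`, `pbkdf2_hash` and estimation helpers are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

LOWER_ALPHA = 26  # size of the character set used in the estimates below


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast salted hash: one SHA-1 over salt || password. The salt defeats
    precomputed tables but does nothing to slow down per-guess cost."""
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately slow hash: PBKDF2-HMAC-SHA256 with a tunable iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(stored, candidate)


def guesses_per_second(hash_fn, salt: bytes, samples: int) -> float:
    """Measure how many candidate passwords hash_fn can process per second."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return samples / (time.perf_counter() - start)


def brute_force_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of the given length at `rate` guesses/s."""
    return charset_size ** length / rate


if __name__ == "__main__":
    salt = os.urandom(16)
    fast_rate = guesses_per_second(sha1_salted, salt, samples=20_000)
    slow_rate = guesses_per_second(pbkdf2_hash, salt, samples=5)
    for label, rate in (("salted SHA-1", fast_rate), ("PBKDF2 100k", slow_rate)):
        print(f"{label:<13} {rate:>12.0f} guesses/s (single core, pure Python loop)")
        for length in (6, 8, 10):
            secs = brute_force_seconds(LOWER_ALPHA, length, rate)
            print(f"  {length}-char lowercase: {secs / 86400:.1f} days")
```

Each extra character multiplies the search space by the charset size, which is why the article's advice on length holds for any hash; the iteration count is the knob the site operator controls, and it buys the same factor again without asking anything of users.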

According to Avast blog post, the security breach affects less than 0.2% (about 400,000) of Avast's 200 million users.

People who use the same password on other websites are advised to change those passwords immediately.

Until now, their forum used open source community software called "Simple Machines Forum (SMF)". It appears Avast was using an outdated version of SMF.


Avast said: "We are now rebuilding the forum and moving it to a different software platform," which it says will be a secure one.

Hacker surrenders, after Roger Ver puts $20,000 bounty on the Hacker


Be careful who you are messing with: an attacker realized he had picked the wrong victim when the victim decided to spend $20,000 to find him.

Roger Ver, the man known as "Bitcoin Jesus" and an angel investor in lots of Bitcoin startups, announced a 37.6 BTC reward (about $20k) for information leading to the arrest of the hacker who hijacked his Hotmail account and threatened to ruin his life.

It all started when the hacker managed to hijack an old Hotmail account of Roger by answering the security questions.

According to Reddit, the attacker used the Hotmail account to gain access to Roger's old Facebook account and one of his domain accounts at register.com. The attacker also attempted to hack his primary email account and domain name.

The attacker, using the screen name 'savaged', contacted Roger via Skype and demanded "37.63289114 BTC".

"I think we both know this won't be pleasant and let's be honest there is nothing you can do to have me caught, I've been around too long," the attacker said.

"Let's be honest I will sell [SSN REDACTED] + your information to fraudsters that will credit f*** you then get your moms social and credit f*** her too and ruin both your lives"

The hacker also claimed he is the one who hacked @UberFacts twitter account which has 6.7 M followers.

A Bounty on the Hacker:
But Roger decided to follow the technique used in the movie 'Ransom': rather than giving the money to the criminals, he announced he was putting a bounty on the hacker instead.



When the attacker learned of the bounty on his head, he got scared, deleted Roger's Hotmail account, handed over the passwords for all the other accounts and ran away.

"I just need to raise funds for my mother, but since you aren't going to help, all your passwords are: Nigger55" The person on the end of skype said.

"Goodbye, Sir, I am sincerely sorry I am just a middleman I was being told what to tell you."

Roger said in his tweets that things are back under control and not a single Bitcoin was stolen.