Search This Blog

Latest News

Pinterest soon to join the Online Classes Plethora

  With 400 Million monthly active users (a 30% increase from last year), Pinterest is gaining foot among millennials and Gen Z. And their s...

All the recent news you need to know

Fake Minecraft Modpacks On Google Play Deliver Millions of Abusive Ads and Disrupt Normal Phone Usage

 

Scammers have now begun taking advantage of the Minecraft sandbox video clip game’s wild accomplishment by building Google Play applications.
These applications surface to be Minecraft modpacks, but in its place supply abusive ads, as per researchers. Because Minecraft was designed in Java, it was easy for third-party developers to create compatible applications or these “modpacks” to enhance and customize the gaming experience for players. 

The reason why the game is so popular is basically the fact it builds certain skills within the players which have also been touted by parents and educators as beneficial (especially for kids). Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices. 

Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available.

As per Kaspersky, once the modpack malware is installed on the Android device, it only allows itself to be opened once, and once opened, the app is glitchy and useless — exactly how it’s intended to work. 

“The frustrated user closes the app, which promptly vanishes. More precisely, its icon disappears from the smartphone’s menu. Because the ‘modpack’ seemed glitchy from the start, most users, especially kids and teens, won’t waste time looking for it,” a report reads by researchers.

“The sample we examined automatically opened a browser window with ads every two minutes, greatly interfering with normal smartphone use. In addition to the browser, the apps can open Google Play and Facebook or play YouTube videos, depending on the [command-and-control] server’s orders. Whatever the case, the constant stream of full-screen ads makes the phone practically unusable,” the report continued. 

Researchers said reinstalling the browser or messing with the settings would be the next likely troubleshoot, but that won’t get rid of the malware either. 

First, the user needs to identify the malicious app. The device will display a full list of apps under settings, (Settings → Apps and notifications → Show all apps). Delete the app from this list and the malware should be gone.

“Fortunately, the misbehaving modpacks get removed entirely with deletion and do not try to restore themselves.” However, researchers suggest that in order to avoid malicious apps for the parents and kids they should know where to look. For instance, they pointed out that although two of the malicious modpacks have different publishers, the descriptions are identical, “down to the typos.” 

The app ratings also offer a clue something is fishy. Kaspersky pointed out that the average rating was in the three-star neighborhood, but that’s because there were extreme reviews on either end of the spectrum, one-star or five-stars. 



Users complain that the app doesn't work and just deletes itself

“That kind of spread suggests that bots are leaving rave reviews, but real users are very unhappy,” the report added. “Unfortunately, in this case, the cybercriminals are targeting kids and teenagers, who may not pay attention to ratings and reviews before installing an app.”

Russian expert warned about the dangers of password theft during video conferencing

Anton Kardanov, head of the information security sector at AT Consulting, warned that motion recognition systems can be used by cybercriminals to steal the personal data of users during video conferences. According to him, a special algorithm can read the movement of hands over the keyboard if they fall into the field of view of the camera, which poses risks to the user's privacy.

“The Artificial intelligence (AI) algorithm with high precision can restore the typed text if the video shows the movement of the arms and shoulders," said Mr. Kardanov.

It is reported that the program first removes the background and turns the image into gray tones, and then focuses on the hands — as a result, the algorithm leaves only the contours of the hands and shoulders and monitors their movements. They are used to restore the text typed on the keyboard.

Thus, an attacker can recognize passwords, passport data, Bank card numbers, and other information that the user types on the keyboard during a video call.

Meanwhile, Maxim Smirnov, commercial Director of IVA Technologies, believes that visual recognition of hand movements and, in particular, text typed on the keyboard is quite realistic, but developers will have to work hard on the quality and accuracy of the technology, which is not an easy task.

"Remote work and video conferences are our new reality, as well as new opportunities for fraudsters and new threats to users", said Sergey Zabula, head of the group of system engineers for working with partners, Check Point Software Technologies in Russia.

Earlier, Group-IB also reported possible attacks using motion recognition technology. According to the company, you can protect yourself from scammers by hiding important information from the camera's field of view.

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Interview Spotlight: Israeli Hardware Solutions, Sepio Systems

On 19 November, E-Hacking News conducted an interesting interview with Sepio Systems. The company provides its customers with the highest level of visibility, policy enforcement, and Rogue Device Mitigation capabilities. The guest speaker for the interview was Mr.Bentsi Ben-Atar, CMO, and Co-Founder, Sepio Systems.

Founded in 2016 by veterans from the Israeli Intelligence Community, Sepio HAC-1 is the first platform that provides visibility, control, and mitigation to zero trust, insider threat, BYOD, IT, OT, and IoT security programs. Sepio is a strategic partner of Munich Re, the world’s largest reinsurance company, and Merlin Cyber, a leading cybersecurity federal solution provider.

1.       Can you please introduce yourself to our readers?

Bentsi Ben-Atar: I am one of the co-founders for Sepio Systems, the company was founded by a group of founders that have been working together for almost 30 years now. We have a strong background in cybersecurity and “rogue device management” in general.

2.       Can you please tell us about your company Sepio Systems?

The company deals with a very unique domain within the cybersecurity industry and that’s the issue of managing the hardware within the enterprises. What we have built is a solution that provides all the aspects related to hardware access control, we call it “HAC” and our solution is called “HAC-1.

We see that Enterprises are struggling with three elements of hardware access control. The first one is the fact they have limited visibility to whatever is connected and sometimes a very significant gap between what people think is connected and to what is actually connected. So, there are visibility gaps that need to be addressed and they need to be addressed regardless of the device itself.

Once you have visibility and now you are aware of your assets, then you can move to the policy enforcement features of your enterprises. It means that now you can apply certain policies while you are working from home and a different policy while you are at the office.

And once you have these two pillars in place then you can move into the more interesting part of the solution, and those are the security aspects. You know what devices are connected, you know how to disable or mitigate any risk associated with it. Now you need to provide the Rogue Device Mitigation.

 

3.       Please explain to us about Hardware Access Control.

Hardware Access Control is the term used to describe a solution that manages all aspects of hardware devices. Hardware devices may be network elements possibly controlled by NAC (Network Access Control or a USB peripheral connected to an endpoint (controlled by EPS/EDR). HAC does not distinguish devices by its interface and provides an aggregated holistic approach to hardware asset management.

 

4.       What are Rogue Devices and what is their impact on the enterprises?

Rogue devices are devices that are either hardware manipulated or firmware manipulated devices that are introduced into the enterprises. The main channels for the attack vehicles are either the supply chain which is a significant risk for enterprises as hardware screening is a huge challenge. The other popular attack vehicle is the human factor, in that case, human beings will always be the weakest links because people can be threatened, they could be paid off, they could be extorted. I think that history along the way has shown that any human being has a weak point. If you, as a cybercrime organization can extort a certain bank, gain access to a certain system, in most of the cases you will get away with that.

 

5.       Why do you think that these “Rogue Attacks” are on the rise?

We see a growing number of attacks that are based on hardware tools. From the attacker's perspective, they have the option of either going head to head against existing cybersecurity products, or they can find an alternative path to the enterprises. There are a lot of hardware-based attacks happening all around the world on critical infrastructures like banks, data centres, retail, etc. It doesn’t get to the public eye in most cases due to several reasons.

First, companies in most cases are very reluctant to admit the fact that they have been breached through this domain because it also implies on their level of physical security and no one wants to admit that someone was able to plug in a rogue device. On the other hand there are a lot of attacks that create a signature that may be wrongfully attributed to other types of attacks.

One of the demos that we really love to do is using and demoing the vulnerability of wireless keyboards and mouse, these devices can be easily manipulated and spoofed. For example, let’s say you’re sitting in your home or office, there could be a guy sitting in the next building, it doesn’t have to be next to your endpoint. By using a very simple publicly available payload that runs on a raspberry pi, you can actually spoof the communication between that wireless keyboard and mouse. You can do a remote keylogging, and most importantly, you can point that endpoint to a certain URL that a certain piece of malware is waiting to be downloaded.

At the end, you even have to go over the human factor which is convincing the user that this link is not a suspicious link. So, there are a lot of obstacles that need to be dealt with. Compared with the option of coming with out of bound raspberry pi with a spoofing capability, you open up the browser independently, and forensic wise it would look like this was an act of an employee within the organization.

So sometimes it would be attributed to a phishing attack or wrongful doings of an employee while in real life the story is completely different.

 

6.       How do Sepio Systems counter these Rogue Devices?

Sepio Systems HAC-1 “dives deeper” into the the physical layer, revealing the true entity of a given device, not according by what it “says” it is, but for what it is really is.These capabilities are achieved through a unique algorithm, a combination of physical layer fingerprinting and Machine Learning augmentation.

7.       The Data Security Council of India (DSCI) has also talked about your company. Can you please tell us more about this project and ‘Sepio Prime Rogue Device Mitigation Solution?’

Without referring to any specific name (a customer or not), our solution provides enterprises, especially the ones concerned with their data. These enterprises can be financial institutes, government agencies or other entities extremely concerned with the attack vehicles.

We provide them with solutions that cover two main interfaces. One is the USB interface and the other is the Network interface. Our solution actually monitors and analyses the physical layer information. It means that we don’t look into user traffic, user log files. We read out all the physical layer related information by analyzing it with an algorithm which is a combination of physical layer fingerprinting and machine learning. We can actually detect the existence of such passive devices.

One of the coolest features of our solution is that it doesn’t require a baseline or training period. Obviously in today’s cybersecurity atmosphere, no single solution provides a complete seal for the entire enterprise. Therefore, the capability with integrating other solutions is extremely important, and all these solutions are easily integrated with our solutions so that we can actually extend the visibility of the enterprise into the deeper layer.

8.       Can you explain how this Layer-1 solution works?

Our solution is actually comprised of two main functionalities. The first one deals with Network Security and the second one deals with Peripheral Security/ End Point security. The way Network Security works are that we communicate with the existent networking infrastructure by using read-only commands. The only thing the enterprise needs to do is to provide restricted user credentials for our solutions.

Before our deployment, we actually provide a list of commands that we will be using. Once we get the information, we will compile it using an algorithm that is a combination of physical fingerprinting and machine learning enhanced solution. The fingerprinting is extremely important because when we get a hit, we can actually name the attack tool. The deployment process itself is straight forward, it takes less than 24 hours to have everything up and running.

The output and value of this solution are instantly delivered, you can actually see all the rogue devices and visibility. In a very interesting incident, we found a gaming console connected to a secured network, approved by NAC but never reported.

Now, the second part of this solution deals with the peripheral. It is a bit different because in the endpoint case, the endpoints could be offline, and you want to make sure that the mitigation, once a rogue device has been detected or even just a brief of policy. The mitigation needs to be immediately so that the USB device will be blocked. When the attacker comes in, they can configure their attack tools to present the same façade as a legitimate device.

So, the difference between Network Security and End Point Security (algorithm wise) is the fact that on the peripheral we also fingerprint ‘known to be good’ devices, so that we have a full database of good devices and bad devices. One of the nicest features we also have is the ‘threat intelligence database,’ it means that every installation has a local copy of our threat intelligence database which includes a list of all ‘known to be vulnerable devices.’


9.       Tell us more about the leadership team behind Sepio Systems?

Our leadership is something that we take great pride in. We are a U.S-Israel based company, we are headquartered in Rockville, Maryland. We have a very strong all-women U.S board which we take great pride in, led by the current CISO for HSBC. We have interviews posted on social media which I think are a fascinating array of women that bring tremendous value to our company.

We have a strong backup from various industry leaders and veterans from various government agencies. We perceive to be kind of a task force to deal with this domain which was until now significantly underserved.

10.   During the COVID-19 pandemic, everyone has started working from home, sometimes it can be a kid playing a video game on a pc. How does an organization keep the family’s data separate from the employee’s? How do you make sure that the family’s data is not being taken by your systems?

Enterprises first need to have a clear policy about their equipment. Having a policy without the capability of enforcing it is ineffective. First of all, the employee needs to understand the risks associated with it. And for that, we have a very interesting video series called Captain RDM which actually illustrates very serious cases in a non-technical way.

You can do one or two things. As a CSO, we can issue (this is what a lot of enterprises do) a company-issued device for it. If you are in need of an additional keyboard, we will provide you with that. If this is not the case, we make sure to know that if a ‘known to be vulnerable device’ is connected and block it.

For work from home cases, we have allowed the ‘1 + 1’ option, it means that for every license that our user got they were eligible for another license without any additional costs.

11.   On your website, people talked about how Sepio Systems has efficiently countered Rogue Device Threats and Internet of Threats (IoT)? Before we conclude the interview, do you have anything to say about that?

One thing that we’ve learned is never disrespect your opponent. They will always be innovative and smart. They are able to provide attack tools that are cocooned within legitimate looking device in ways that you can only imagine. When there is enough motivation for the attacking party for a specific side, because its specifically lucrative target, they will find a way to get into it even if it’s a data centre, or a highly secured facility, anything can be achieved.

With IoT, smart nations and smart cities coming up, a lot of hardware getting installed all over, and the Covid pandemic making people work from home, this issue becomes more relevant. It is more relevant today than it was yesterday and it is going to get even more relevant as the days go by.