Windows Users Beware of the “Complete Control” Hack Attack; Update Imperative!





A recently resurfaced Remote Access Trojan (RAT) can hand an attacker complete control of a compromised Windows system.

A modified ("cracked") build of the tool is now circulating, and it is completely free of charge.

The NanoCore RAT, as it is called, has circulated on underground forums for some time. It originally sold for $25, a trivial price for a Windows hacking tool.

As soon as NanoCore's cracked version appeared, it caused a stir among researchers and criminals alike.

Originally the "premium plugins" had to be paid for; the latest cracked version bundles all of them for free.

The NanoCore author was eventually arrested as the tool's popularity grew and his part in the cybercrime trade became clear.
Despite that, NanoCore thrived and spawned further tools and variants, among them Surprise Ransomware and LuminosityLink, and of course the free "highly modified" latest version.

According to researchers, NanoCore is easy to operate: it demands no special skill to deploy and offers an uncomplicated interface that helps even novice attackers.

There has been a surge of campaigns using this malware, whose capabilities include:
·       Remote shutdown and restart of Windows systems
·       Remote file browsing on the infected system
·       Access to and control of Task Manager, the mouse and the Registry editor
·       Disabling the webcam activity light in order to spy on the user
·       Taking over open webpages
·       Recovering passwords and harvesting credentials
·       A remotely operated "locker" that encrypts files

Because NanoCore has been around so long, its techniques are well documented. Researchers group its delivery and persistence methods into three main categories: scripting, registry keys and malicious attachments.


For the scripting threat, the basic defence is to inspect Microsoft Office files for macro code and to watch for "anomalous execution" of legitimate scripting hosts such as PowerShell or WScript.

Registry keys should be monitored for changes, update and patch cycles kept current, and behavioural detection enforced rigorously.
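As an added illustration of the "anomalous execution" check described above (example code written for this page, not from the researchers cited), the script below scans constructed Sysmon-style process-creation records and flags an Office application spawning a script host, or a script host started with the flags that macro droppers typically pass. The record layout (parent image, image and command line separated by "|"), the sample lines and the flag patterns are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample records in a simplified Sysmon Event ID 1 (process creation)
# layout: ParentImage|Image|CommandLine. Made up for this example; not real logs.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n invoice.docm",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAo",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\bob\AppData\Local\Temp\update.vbs",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Flags macro droppers commonly hand to PowerShell: hidden window, encoded
# command, in-memory download-and-execute.
SUSPICIOUS_FLAGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b", re.IGNORECASE)

Event = namedtuple("Event", "parent image cmdline")

def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return Event(parent.strip(), image.strip(), cmdline.strip())

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons (possibly none) a process-creation event looks anomalous."""
    reasons = []
    parent, child = basename(event.parent), basename(event.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"Office app {parent} spawned script host {child}")
    if child in SCRIPT_HOSTS and SUSPICIOUS_FLAGS.search(event.cmdline):
        reasons.append("script host launched with evasion-style flags")
    return reasons

def find_anomalies(lines):
    """Return [(child image name, [reasons])] for every anomalous record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((basename(event.image), reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in find_anomalies(SAMPLE_EVENTS):
        print(f"{image}: " + "; ".join(reasons))
```

Against the sample records, only the Word-to-PowerShell and Excel-to-WScript launches are reported; an analyst-run PowerShell from Explorer is left alone. The parent/child pairing is the durable signal here, since a macro dropper can rename its script or change its flags but still has to be started by the Office process that opened the attachment.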

Windows users should update their systems immediately and verify that their applications are behaving as they should.

Windows 10, 8.1 and 7 users in particular should keep a close eye on regular updates and patching.


Ransomware found exploiting already-patched Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new encryption ransomware named Sodin (also known as Sodinokibi or REvil) that exploits a recently discovered Windows vulnerability to gain elevated privileges on an infected system. The ransomware also takes advantage of the architecture of the central processing unit (CPU) to avoid detection, functionality that is rarely seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect it to pay off handsomely," Sinitsyn added.

The researchers found that most Sodin targets were in Asia: 17.6 percent of attacks were detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransom note left on infected PCs demands $2,500 worth of Bitcoin from each victim.

The vulnerability the ransomware uses, CVE-2018-8453, had earlier been seen exploited by the FruityArmor hacking group. It was patched on October 10, 2018, Kaspersky said, so a system that has applied that update is not exposed to this privilege-escalation step.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Firefox Now Set To Utilize BITS for Downloading New Software Updates


Mozilla Firefox is set to use the Windows Background Intelligent Transfer Service (BITS) to download software updates in the background, a first step towards a standalone "Update Agent" that will apply updates even when the browser is closed.
Currently Firefox checks for new updates when the user opens the browser and either shows a notification that an update is available or installs it automatically.

Mozilla developers are also working on a standalone application written in Rust, called "Update Agent", which will run quietly in the background and check for new browser updates even when Firefox is not open. For users who do not run Firefox often, this will make it easier to receive updates.

The Update Agent is designed as a background process that keeps running after the browser is closed so that it can download and apply updates. The aim is to make updating more convenient for everyone and to cut the time it takes to receive updates for users who are poorly served by the current update process because they rarely run Firefox or do not have a reliable internet connection.

This makes Firefox more secure: even when a user installs an update as soon as they are prompted, there is still a window in which a vulnerability could be exploited before the update and its security fixes are installed.

For Windows users, Mozilla will use BITS because it lets a download be resumed if the transfer is interrupted or paused for any reason. The update can pick up where it left off, which saves time in completing the update.

As the Update Agent is not ready yet and several other bugs have to be fixed first, Mozilla is enabling BITS in Firefox so that the browser can start using the service to download browser updates.


Firefox BITS preferences


While Mozilla's developers are actively working on this project with the aim of finishing it soon, the Firefox Nightly build already includes two new flags for testing update downloads through BITS. Users can enable the test by setting the app.update.BITS.enabled and app.update.BITS.inTrialGroup preferences to true in about:config.


New China-Based Campaign Targets Windows MS-SQL and phpMyAdmin Servers Worldwide


A China-based attack campaign has primarily targeted servers belonging to the healthcare, telecommunications, media and IT sectors. The campaign, named Nansh0u, targets Windows MS-SQL and phpMyAdmin servers around the world.

Although the campaign was detected at the start of April, the attacks were traced back to February 26. Throughout the campaign the threat actors used 20 distinct payloads, creating at least one new payload a week and deploying it immediately.


More than 50,000 servers were reported breached in this campaign. Once compromised, a server was infected with a malicious payload that drops a crypto-miner mining TurtleCoin together with a sophisticated kernel-mode rootkit.

The attackers use advanced techniques usually associated with APT groups, such as fake certificates and privilege-escalation exploits, so Nansh0u is not merely a crypto-mining attack.

The attack begins with a series of login attempts against MS-SQL servers in order to gain administrator privileges. The attackers' infrastructure combines the following modules to launch an attack on MS-SQL servers:
  • Port scanner
  • MS-SQL brute-force tool
  • Remote code executor


Analysis of the 20 payload samples from the attackers' servers and Guardicore's Global Sensor Network showed that each payload is a wrapper with several functions.

The researchers are confident that Chinese attackers operated this campaign for the following reasons:
  • The attackers chose to write their tools in EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFS (HTTP File Server) instances with Chinese-language interfaces.
  • Many log files and binaries on the servers contained Chinese strings, such as ("duplicates removed") in logs listing breached machines, or ("start") in the name of the script that starts port scans.


A2 Hosting finds 'restore' the hardest word as Windows outage slips into May

The great A2 Hosting Windows TITSUP has entered its second week as the company continues to struggle to recover from a security breach that forced its System Operations team to shut down all its Windows services.

To recap, things went south on 23 April as malware spread over the company's Windows operation, causing a problem so severe that the A2 Hosting team decided the only way to recover was to restore data from backups. The company told furious customers last week that "Restores continue to progress at a steady pace".

Except, alas, things have not gone smoothly.

As some services gradually tottered into life, users made the horrifying discovery that the backups being restored from were less than minty fresh.

A "day or two" is bad enough for an ecommerce site, but the loss of several months' worth of data is an altogether angrier bag of monkeys. To make matters worse, the company has left it to users to work out just how whiffy those backups are.

Register reader David Sapery, who was lucky enough to see his services stagger back to life after a five-day lie-down, was then somewhat embarrassed when his customers, finally able to access his sites, told him things looked a tad outdated.

Sapery told us: "Anything on any of my websites that was updated over the past 2+ months is gone."

Still, Sapery was at least able to recover. Another reader was not so lucky, describing his experience as "an unmitigated disaster."

Having spent eight months and "thousands of dollars", the unfortunate A2 Hosting customer told us that "my business and all my hard work has been gutted within seven days by a hosting company that clearly did not have robust security in place."

A2 Hosting will, of course, point to its Terms of Service where it makes it quite clear that it is not responsible for any data loss and that users are responsible for their own backups.

StealthWorker: Uses Compromised E-Commerce Websites To Attack Windows and Linux Platforms




A new brute-force malware named StealthWorker was recently uncovered. It reportedly uses compromised e-commerce websites to steal personal data.

The platforms mainly affected by this malware are Linux and Windows.

Personal information and payment data are the main motivations behind these attacks.

The malware is written in Golang, a language still rarely used for malware, although it has already appeared in Mirai botnet development modules.

To make this possible, the e-commerce websites are first compromised and an embedded skimmer is planted on them.

The websites are compromised either by exploiting plugin vulnerabilities or by abusing weaknesses in the Content Management System (CMS).

The malware came to light while researchers were analysing its command-and-control server (5.45.69[.]149).

There they found a storage directory holding samples designed to brute-force an open-source admin tool.

Previous versions of this malware targeted only Windows.

The latest version, however, also carries server payload binaries for Linux.

One of the samples the researchers examined is "PhpMyAdminBrut_Windows_x86.exe", in which an IP address was found that led to a web panel login and an array of new samples.

Open directories were also found containing new file names that point to IoT devices with ARM and MIPS architectures.

StealthWorker sets up a scheduled execution routine so that the malware persists after the system is rebooted.

The researchers also used an IDA Python script to look for other malicious functions.

Research also showed that other platforms and services are on the target list, including FTP, Joomla, cPanel, MySQL, SSH and others.
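Both the Nansh0u section above (password guessing against MS-SQL administrator logins) and this StealthWorker campaign (brute force against phpMyAdmin, SSH and other services) open with credential guessing, so one detection example serves both. The following is an added example written for this page, not code from Guardicore or the StealthWorker researchers: it parses constructed SQL Server ERRORLOG and Linux auth.log lines, groups failed logins by source address and flags any source that exceeds a threshold inside a time window. The sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from either campaign).
# Source 1: SQL Server ERRORLOG, repeated failures against 'sa' from one client.
SQLSERVER_ERRORLOG = [
    "2019-02-26 03:14:01.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:14:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:14:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:14:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:14:03.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:20:44.02 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]",
]
# Source 2: Linux auth.log, sshd guessing several user names from one host.
AUTH_LOG = [
    "Feb 26 03:15:01 shop sshd[2211]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Feb 26 03:15:02 shop sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2",
    "Feb 26 03:15:02 shop sshd[2215]: Failed password for invalid user ubuntu from 198.51.100.7 port 50126 ssh2",
    "Feb 26 03:15:03 shop sshd[2217]: Failed password for root from 198.51.100.7 port 50128 ssh2",
    "Feb 26 03:15:03 shop sshd[2219]: Failed password for root from 198.51.100.7 port 50130 ssh2",
    "Feb 26 03:15:04 shop sshd[2221]: Accepted publickey for deploy from 10.0.0.9 port 41000 ssh2",
    "Feb 26 04:01:10 shop sshd[2300]: Failed password for alice from 10.0.0.30 port 41111 ssh2",
]

SQL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
SSH_RE = re.compile(r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from ([\d.]+)")

def parse_sqlserver(line):
    """(service, timestamp, user, client_ip) for a failed SQL Server login, else None."""
    m = SQL_RE.match(line)
    if not m:
        return None
    return ("mssql", datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3))

def parse_sshd(line, year=2019):
    """Same tuple for a failed sshd password login; syslog lines carry no year, so one is supplied."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return ("ssh", datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3))

def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(service, ip): {...}} for sources with >= threshold failures inside any window."""
    per_source = defaultdict(list)
    for service, ts, user, ip in events:
        per_source[(service, ip)].append((ts, user))
    alerts = {}
    for key, attempts in per_source.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[key] = {"failures": j - i, "users": sorted({u for _, u in attempts[i:j]})}
                break
    return alerts

def analyse(sql_lines, ssh_lines):
    events = [e for e in map(parse_sqlserver, sql_lines) if e]
    events += [e for e in map(parse_sshd, ssh_lines) if e]
    return find_bruteforce(events)

if __name__ == "__main__":
    for (service, ip), info in analyse(SQLSERVER_ERRORLOG, AUTH_LOG).items():
        print(f"{service} brute force from {ip}: {info['failures']} failures, users {info['users']}")
```

On the sample data the two guessing sources are reported and the single stray failures from internal hosts are not. In practice the parsers would be pointed at the real log files and the threshold tuned to the environment; on SQL Server the built-in "sa" login is the usual target of this kind of guessing and should be disabled or renamed, and the server should not be reachable from the internet at all.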

Furthermore, the criminals behind it are making other major moves towards infecting a wide variety of platforms.

Telegram Messenger Leaks IP Addresses of Users



Dhiraj Mishra, a security researcher from Mumbai, India, found that under specific conditions the Telegram desktop clients for Windows, Mac and Linux would reveal users' IP addresses, even when the user had configured the app to protect this information.

Although the program describes itself as a secure and private messaging application, the researcher demonstrated that in its default configuration it allows a user's IP address to be leaked when making a call.

The leak, which occurs only during voice calls, happened even when the "Peer-to-Peer" connection option was set to "Nobody". A peer-to-peer connection is not private by design, since it directly exposes the two participants to each other.

P2P Settings in Telegram for iOS

When Peer-to-Peer is used to start Telegram calls, the IP address of the person you are talking to appears in the Telegram console logs. Not all versions include a console log: in the researcher's tests the Windows build did not show one, while the Linux build did.

Telegram tells users they can keep their IP address from being disclosed by changing that setting; calls are then routed through Telegram's servers, which hides the IP address at the cost of a slight drop in audio quality.

Dhiraj also shared a proof-of-concept video with BleepingComputer showing how the IP addresses were leaked, and explained the three IPs that appear in the log:

1. Telegram server IP (That's Ok)

2. Your own IP (Even that's okay too)

3. End user IP (That's not okay)

IP address leak in Telegram console log

The issue, a matter of serious concern since its discovery, was patched by Telegram with the release of Telegram Desktop v1.4.0 and v1.3.17 beta.

Nevertheless, Telegram users who rely on the application for its anonymity features are advised to update their desktop clients as soon as possible to patch a bug that can easily leak their IP address.


Over 145 Malicious Android Apps Discovered On the Google Play Store




Researchers at security software company Palo Alto Networks made an alarming discovery regarding certain applications on the Google Play Store, finding them infected with malware designed to steal information from Windows computers.

These 145 applications, with names such as "Gymnastics Training Tutorial", "Modification Trail" and "Learn to Draw Clothing", were uploaded to Google Play between October 2017 and November 2017 and remained there until Palo Alto Networks alerted Google to the problem.

Many of these applications had been downloaded over a thousand times and carried 4-star ratings, purportedly from people who had used them.

"We have reported our findings to Google Security Team and all infected apps have been removed from Google Play,"

Still, the fact that these infected applications were so easily available on the official Google Play Store is concerning. It also shows that the developer "odieapps" was not paying enough attention to the security of its applications.

This is far from the first time Google has had to remove malware-laden applications from Play, which is generally regarded as the safest source of Android applications.

 “These embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform. The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware.”  - Palo Alto Networks said in a blog post.

In the past two years alone, various security vendors have discovered large numbers of Android applications on Google Play laced with adware, spyware and other malicious payloads, and, as in this case, they were downloaded many times before being flagged as dangerous and finally removed from the Play store.

Analysis of the malware code suggests that the developers of the compromised applications built them on infected Windows machines and unwittingly shipped the malicious code inside their Android applications to the Play store.
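To illustrate the Palo Alto Networks finding, here is an added example (written for this page; not Palo Alto's or Google's tooling) that opens an APK, which is an ordinary zip archive, and reports any entry whose contents begin with a DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature, the shape of a Windows executable that has no business inside an Android package. The sample APK, its entry names and the fake PE payload are constructed in memory for the example.

```python
import io
import struct
import zipfile

def looks_like_pe(data):
    """True if data begins with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(apk_bytes):
    """An APK is a zip archive: return the entries that carry a Windows PE image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # the MZ and PE headers sit in the first bytes
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits

def fake_pe_image():
    """Constructed minimal header for the example: an MZ stub with e_lfanew = 0x40
    followed by 'PE\\0\\0'. It is not a runnable executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60

def build_sample_apk():
    """Constructed APK-like archive with one planted PE under assets/ (entry names
    are made up for the example and do not reproduce the real apps)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("assets/win/sample.exe", fake_pe_image())
    return buf.getvalue()

if __name__ == "__main__":
    print(find_embedded_pe(build_sample_apk()))
```

The check is deliberately stricter than matching the "MZ" bytes alone, since two ASCII characters occur by chance in image and font data; requiring a plausible e_lfanew that lands on "PE\0\0" removes most of those false positives. A build pipeline can run this over every APK before upload, which is exactly the control that would have caught a developer workstation infection like the one described here.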

Had the malware worked as intended, it would have been capable of recording keystrokes and stealing information such as passwords, social security numbers, payment card data and other sensitive details, says Palo Alto Networks.

Nevertheless, the ability of adversaries to get their malware past the Play store's defences poses a tough challenge for Google, and for the countless users who download their applications from it.


Malware that hijacks the clipboard monitors over 2.3 million bitcoin addresses


Bleeping Computer revealed today that it has discovered a type of "clipboard hijacker" malware that monitors over 2.3 million bitcoin addresses.

Clipboard hijacker malware works by silently replacing the bitcoin address on a user's clipboard with an address the attacker controls. Because bitcoin addresses are long and hard to remember, the trick works well: users simply copy and paste addresses from one application to another when sending cryptocurrency.

The malware reportedly ships as part of the All-Radio 4.27 Portable malware package affecting Windows computers and watches the Windows clipboard for bitcoin addresses. Unless the user double-checks the address after pasting it, the bitcoin goes to the attacker's address.
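As an added example (not from Bleeping Computer's report or the malware itself), the code below shows the two checks a cautious user or a wallet front end can make against this attack: validating the Base58Check checksum of a legacy bitcoin address, which catches a mistyped or corrupted address but not a well-formed substitute, and comparing the address that was copied with what the clipboard holds at paste time, which is what actually catches the swap. The known-good constant is the publicly known genesis-block address; bech32 ("bc1...") addresses use a different encoding and are not handled here.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy Base58Check address: P2PKH ('1...') or P2SH ('3...').
LEGACY_ADDR_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

# Publicly known genesis-block address, used as a known-good value.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

def b58check_decode(addr):
    """Decode Base58Check; return the payload without its checksum, or None when the
    4-byte double-SHA256 checksum does not match (mistyped or corrupted address)."""
    n = 0
    for ch in addr:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    payload = b"\x00" * leading_zeros + body
    if len(payload) < 5:
        return None
    data, checksum = payload[:-4], payload[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != checksum:
        return None
    return data

def is_valid_legacy_address(addr):
    """Version byte 0x00 (P2PKH) or 0x05 (P2SH) followed by a 20-byte hash."""
    data = b58check_decode(addr)
    return data is not None and len(data) == 21 and data[0] in (0x00, 0x05)

def paste_guard(copied, clipboard_now):
    """Compare what the user copied with what the clipboard holds at paste time.
    'swapped' is the hijacker signature: a different but well-formed address."""
    if copied == clipboard_now:
        return "ok"
    if LEGACY_ADDR_RE.fullmatch(copied) and LEGACY_ADDR_RE.fullmatch(clipboard_now):
        return "swapped"
    return "changed"

if __name__ == "__main__":
    print(is_valid_legacy_address(GENESIS_ADDR))
    print(paste_guard(GENESIS_ADDR, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"))
```

The point of pairing the two checks is that the attacker's substitute address passes checksum validation perfectly well, since it is a real address the attacker controls; only remembering what was copied and comparing it at paste time exposes the swap, which is the "double-check the address" advice below turned into code.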

“While we have covered cryptocurrency clipboard hijackers in the past and they are not new, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses,” their report on the malware read. They also posted a video showing how the malware works: 


Bitcoin users are advised to always double-check the address before making a transaction and to have a trusted antivirus program installed on their device.


Mylobot Turns your PC into a Zombie system



Tom Nipravsky, a security researcher at Deep Instinct, discovered a previously unseen malware that turns a Windows PC into part of a botnet. Named "Mylobot", the malware is believed to have emerged from the dark web; the researchers concluded this after tracking its server, which was also used by other malware from the dark web.

The powerful botnet is said to combine numerous malicious techniques, including:

·       Anti-VM techniques
·       Anti-sandbox techniques
·       Anti-debugging techniques
·       Wrapping internal parts with an encrypted resource file
·       Code injection
·       Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
·       Reflective EXE (executing EXE files directly from memory, without having them on disk)
·       A 14-day delay before accessing its C&C servers.

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

According to the researcher, Mylobot also exhibits anti-botnet behaviour. The reason, he suggests, is possibly to beat the "competition" on the dark web.

 “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The researchers say it is important to note that Mylobot was found in the wild, at a Tier 1 communication and telecommunication equipment manufacturer, and not in a proof-of-concept demonstration.

In conclusion, the one thing they are sure of is the sophistication of the malware's creators. According to ZDNet, the actual author(s) are still unknown, but the malware uses the same server that is linked to the infamous Locky ransomware, Ramdo and DorkBot.


Zacinlo Malware; Yet another Threat for All Windows 10 Users


Researchers at Bitdefender have discovered a powerful malware that takes control of the PC and floods it with advertisements. They named it "Zacinlo" after its final payload, treating this as a provisional name for an intricate piece of code. The Zacinlo malware has been around for almost six years, infecting numerous Windows users.

After a year of research, the Bitdefender Cyber Threat Intelligence Lab has published a detailed paper on the malware. Although it has been around since 2012, it became most active in late 2017, the researchers say.

Zacinlo is said to be powerful enough to disable most of the anti-malware products currently available. Known targets include Bitdefender, Kingsoft, Symantec, Microsoft, Avast and various other programs.

Once installed, it takes full control of the user's system for malicious activity: controlling the OS, blocking anti-malware activity and, ultimately, achieving its main goal of displaying ads and generating revenue. This is done by injecting scripts into webpages.

 “The infection chain starts with a downloader that installs an alleged VPN application. Once executed, it downloads several other components, as well as a dropper or a downloader that will install the adware and rootkit components.”

Zacinlo runs on the most commonly used browsers, including Chrome, Firefox, Internet Explorer, Edge, Safari and Opera. Once active, it removes any other adware present on the victim's PC so that it alone profits, then displays advertisements to generate revenue from the clicks.

The sophistication of this malware makes detection extremely hard. There is, however, one way to detect Zacinlo on a victim's PC, as described by Bogdan Botezatu, senior e-Threat Analyst at Bitdefender:

“Since the rootkit driver can tamper with both the operating system and the anti-malware solution, it is better to run a scan in this rescue mode rather than running it normally.”

Windows users are therefore advised to be careful when downloading any third-party applications, or applications from untrusted sources, to protect themselves from malware attacks.


NHS to migrate to Windows 10 to upgrade cybersecurity defences

Microsoft on Saturday announced that The UK Department of Health and Social Care will transition all National Health Service (NHS) computer systems to Windows 10 to better protect against future cyber attacks. 

The Department has made a security deal with Microsoft regarding the same.

According to officials, the operating system's more advanced security features, such as the SmartScreen technology in Microsoft Edge and Windows Defender, are the primary reason for the transition.

Another reason for upgrading was the damage caused by the WannaCry ransomware attack last year, when the NHS was among the first victims.

“More than a third of trusts in the UK were disrupted by the WannaCry ransomware attack last year, according to the National Audit Office, which led to the cancellation of 6,900 appointments. WannaCry was an international attack on an unprecedented scale that affected organisations across the globe. While it did not specifically target the NHS, the impact on health organisations was significant,” read the announcement by Microsoft.

According to Kaspersky and Microsoft telemetry, over 98 percent of all WannaCry victims were Windows 7 users.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat,” said Jeremy Hunt, the Health and Social Care Secretary. “This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”



Zero-day vulnerability in Internet Explorer discovered

According to security researchers at Chinese web giant Qihoo 360, hackers are using a zero-day vulnerability in the Internet Explorer engine (which the researchers call the "IE kernel") to infect Windows computers with malware.

The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.


These documents carry what the researchers call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other application that embeds the IE engine. When the victim opens the Office document, the exploit loads a malicious webpage in the background to deliver malware from a remote server.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.

The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.


The company says that it has reported the vulnerability to Microsoft and will be giving them appropriate time to find a patch before it reveals more details about the bug.

Microsoft has neither confirmed nor denied the attacks, but has given the following statement:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

CVE-2013-5065: Windows XP Kernel Privilege escalation vulnerability exploited in the wild


Microsoft has issued a warning about a new zero-day vulnerability affecting the Windows XP and Windows Server 2003 operating systems.

The bug, tracked as CVE-2013-5065, is a local privilege escalation vulnerability and is reportedly being exploited in the wild.

Successful exploitation lets an attacker run arbitrary code in kernel mode (user mode -> kernel mode), gaining the ability to install software, modify data or create accounts with administrative privileges.

However, the vulnerability is not exploitable by a remote attacker on its own; the attacker must already be able to run code on the machine.

"It does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003." Microsoft security advisory reads.

Although Microsoft has issued workarounds for this vulnerability, it is better to move to a current version of Windows (7 or 8), since Microsoft will stop supporting Windows XP in April 2014.

Top 10 Reasons Why Linux is better than Windows

1. It Doesn't Crash

Linux has been time-proven to be a reliable operating system. Although the desktop is not a new place for Linux, most Linux-based systems have been used as servers and embedded systems. High-visibility Web sites such as Google use Linux-based systems, but you also can find Linux inside the TiVo set-top box in many livingrooms.