Archive for the ‘malware’ Category

Google confirms that advanced backdoor came preinstalled on Android devices

June 6th, 2019
Man wearing T-shirt that reads

(credit: Alexandre Dulaunoy / Flickr)

Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

Triada first came to light in 2016 in articles published by Kaspersky here and here, the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered. Once installed, Triada's chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS' all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.

In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn't be deleted using standard methods, the report said.

Read 11 remaining paragraphs | Comments

Posted in Android, backdoor, Biz & IT, google, malware, supply chain attack | Comments (0)

Advanced Linux backdoor found in the wild escaped AV detection

May 30th, 2019
Advanced Linux backdoor found in the wild escaped AV detection

Enlarge (credit: Jeremy Brooks / Flickr)

Researchers say they’ve discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.

HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer’s post went live, the VirusTotal malware service indicated Hidden Wasp wasn’t detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.

Some of the evidence analyzed—including code showing that the computers it infects are already compromised by the same attackers—indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It’s not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies.

Read 9 remaining paragraphs | Comments

Posted in backdoors, Biz & IT, linux, malware, rootkits, trojans | Comments (0)

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

May 29th, 2019
Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide. Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on

Posted in cyber security, digital Certificate, hacking mysql, Linux Rootkit, malware, MySQL database, phpMyAdmin, rootkit, Windows Malware | Comments (0)

Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

May 14th, 2019
Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant persistent backdoor on wide range devices used in enterprises and government networks, including routers, switches, and firewalls. Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects

Posted in bootkit, Cisco Device, cisco firewall, Cisco Router, cisco switch, hacking firewall, hacking news, hacking router, malware, remote code execution, secure boot | Comments (0)

Zero-day attackers deliver a double dose of ransomware—no clicking required

April 30th, 2019
Screenshot of ransomware warning.

Enlarge (credit: Cisco Talos)

Attackers have been actively exploiting a critical zero-day vulnerability in the widely used Oracle WebLogic server to install ransomware, with no clicking or other interaction necessary on the part of end users, researchers from Cisco Talos said on Tuesday.

The vulnerability and working exploit code first became public two weeks ago on the Chinese National Vulnerability Database, according to researchers from the security educational group SANS ISC, who warned that the vulnerability was under active attack. The vulnerability is easy to exploit and gives attackers the ability to execute code of their choice on cloud servers. Because of their power, bandwidth, and use in high-security cloud environments, these servers are considered high-value targets. The disclosure prompted Oracle to release an emergency patch on Friday.

On Tuesday, researchers with Cisco Talos said CVE-2019-2725, as the vulnerability has been indexed, has been under active exploit since at least April 21. Starting last Thursday—a day before Oracle patched the zero-day vulnerability, attackers started using the exploits in a campaign to install “Sodinokibi,” a new piece of ransomware. In addition to encrypting valuable data on infected computers, the malicious program attempts to destroy shadow copy backups to prevent targets from simply restoring the lost data. Oddly enough, about eight hours after infection, the attackers exploited the same vulnerability to install a different piece of ransomware known as GandCrab.

Read 4 remaining paragraphs | Comments

Posted in Biz & IT, exploits, malware, oracle, ransomware, vulnerabilities, WebLogic | Comments (0)

‘Karkoff’ Is the New ‘DNSpionage’ With Selective Targeting Strategy

April 24th, 2019
The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware. First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims' computers with DNSpionage—a custom remote administrative

Posted in Cyber Attack, DNS Changer, dns hacking, DNS malware, dnspionage, hacking news, malware, Malware attack | Comments (0)

Popular Video Editing Software Website Hacked to Spread Banking Trojan

April 11th, 2019
If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer. The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once

Posted in banking malware, banking Trojan, Cyber Attack, hacking news, keylogger, malware, password stealer, supply chain attack, video editing software | Comments (0)

Sophisticated ‘TajMahal APT Framework’ Remained Undetected for 5 Years

April 10th, 2019
Cybersecurity researchers yesterday unveiled the existence of a highly sophisticated spyware framework that has been in operation for at least last 5 years—but remained undetected until recently. Dubbed TajMahal by researchers at Kaspersky Lab, the APT framework is a high-tech modular-based malware toolkit that not only supports a vast number of malicious plugins for distinct espionage

Posted in APT, APT Framework, APT hacking group, Cyber Attack, cyber espionage, malware, Malware attack, malware framework, Taj Mahal | Comments (0)

Mysterious safety-tampering malware infects a second critical infrastructure site

April 10th, 2019
Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on safety systems.

Enlarge / Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on safety systems. (credit: IIP Photo Archive)

Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents.

There had been compromises of critical infrastructure sites before. What was unprecedented in this attack—and of considerable concern to some researchers and critical infrastructure operators—was the use of an advanced piece of malware that targeted the unidentified site’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, a SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.

By focusing on the site’s SIS, the malware carried the threat of physical destruction that depending on the site and the type of accident had the potential to be serious if not catastrophic. The malware was alternately named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. It’s development was ultimately linked to a Russian government-backed research institute.

Read 7 remaining paragraphs | Comments

Posted in Biz & IT, critical infrastructure, Industrial Control Systems, malware, Policy, Triton | Comments (0)