Artem Radchenko, Data loss, EDGAR, Electronic Data Gathering Analysis and Retrieval, hacking, indictment, Law & order, Malware, Oleksandr Ieremenko, Phishing, SEC, Securities and Exchange Commission, securities fraud, Security threats, ukraine, wire fraud,

Two charged with hacking company filings out of SEC’s EDGAR system

They are charged with using phishing and planted malware to get into the EDGAR filing system, stealing thousands of filings, and selling access to them.

This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas

Computer Security, Cyber Security News, office 365 vulnerability, Phishing, Vulnerability,

New Phishing Attack Taking Advantages of Vulnerability in Office 365 to Bypass all of Microsoft’s Security

Researchers discovered a new type of advanced phishing attack that takes advantage of an Office 365 vulnerability to bypass all of Microsoft's security controls, even where users have implemented Advanced Threat Protection (ATP). Phishing is one of the most frequent attacks, targeting millions of users, and this one left all Office 365 users vulnerable since the […]

The post New Phishing Attack Taking Advantages of Vulnerability in Office 365 to Bypass all of Microsoft’s Security appeared first on GBHackers On Security.

Android, information stealer, Mobile, Phishing, spyware,

Spyware Disguises as Android Applications on Google Play

by Ecular Xu and Grey Guo

We discovered spyware (detected as ANDROIDOS_MOBSTSPY) that disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, and some were recorded as having been downloaded over 100,000 times by users from all over the world.

One of the applications we initially investigated was the game Flappy Birr Dog, shown in Figure 1. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird. Five of these six apps had been suspended from Google Play since February 2018, and as of writing Google has removed all of them.

Figure 1. Flappy Birr Dog download page

Information stealing

MobSTSPY is capable of stealing information such as the user's location, SMS conversations, call logs and clipboard contents. It uses Firebase Cloud Messaging (FCM) to communicate with its server.

Once the malicious application is launched, the malware first checks the device's network availability. It then retrieves and parses an XML configuration file from its C&C server.

Figure 2. Example of a configuration file retrieved from a C&C server

The malware then collects device information such as the language in use, the registered country, the package name and the device manufacturer. Examples of the information it collects are shown in Figure 3.

Figure 3. Example of stolen information

It sends the gathered information to its C&C server, thus registering the device. Once done, the malware will wait for and perform commands sent from its C&C server through FCM.

Figure 4. Parsing a command from the C&C server

Depending on the command it receives, the malware can steal SMS conversations, contact lists, files and call logs, as shown in the following figures.

Figure 5. Stealing SMS conversations

Figure 6. Stealing the contact list

Figure 7. Stealing call logs

The malware can also steal and upload files found on the device; it does so when it receives the corresponding commands, shown in Figures 8 and 9 respectively.

Figure 8. Stealing files from target folders

Figure 9. Uploading files

Phishing capabilities

In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It’s capable of displaying fake Facebook and Google pop-ups to phish for the user’s account details.

Figure 10. Phishing behavior

If the user enters credentials, the fake pop-up only reports that the login was unsuccessful; by that point the malware has already captured the credentials.

Figure 11. Fake Facebook login pop-up

User distribution

Part of what makes this case interesting is how widely its applications were distributed. Through our back-end monitoring and research, we were able to see the general distribution of affected users and found that they came from a total of 196 different countries.

Figure 12. Top countries by number of affected users

Other affected countries include Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, the Philippines, Argentina, Cambodia, Belarus, Kazakhstan, Tanzania and Hungary, among others. As the list shows, these applications were distributed around the globe.

Trend Micro Solutions

This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices. The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks. In addition, users can install a comprehensive cybersecurity solution to defend their mobile devices against mobile malware.

Trend Micro Mobile Security detects such attacks, while Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro™ Mobile Security for Android™ (available on Google Play) blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device's data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protecting devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, and detecting and blocking malware and fraudulent websites. Trend Micro's Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

Indicators of Compromise

SHA256 | Package name | Label | Download count
12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3 | ma[.]coderoute[.]hzpermispro | HZPermis Pro Arabe | 50 to 100
72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba | com[.]tassaly[.]flappybird | Flappy Bird | 0
4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838 | com[.]mobistartapp[.]windows7launcher | Win7Launcher | 1,000 to 5,000
38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24 | com[.]mobistartapp[.]win7imulator | Win7imulator | 100,000 to 500,000
0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617 | com[.]mobistartapp[.]flashlight | FlashLight | 50 to 100
a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945 | com[.]tassaly[.]flappybirrdog | Flappy Birr Dog | 10
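The following script is an added example, not Trend Micro's tooling. It turns the IoC table above into a triage check: it hashes APKs that have been pulled off a device and parses the output of `adb shell pm list packages`, matching both against the SHA256 values and the (refanged) package names listed. The APK directory, the adb workflow and the function names are assumptions; the package list at the bottom is constructed so the script runs with no device attached.

```powershell
# Added example (not from the post). Match the post's MobSTSPY IoCs against
# APK files pulled with `adb pull` and against `adb shell pm list packages`.
# Assumed: APKs sit under $ApkDir; adb is on PATH for the live check.

# Rows copied from the post's IoC table; package names are defanged with "[.]".
$Iocs = @(
    @{ Sha256 = '12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3'; Package = 'ma[.]coderoute[.]hzpermispro';          Label = 'HZPermis Pro Arabe' }
    @{ Sha256 = '72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba'; Package = 'com[.]tassaly[.]flappybird';            Label = 'Flappy Bird' }
    @{ Sha256 = '4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838'; Package = 'com[.]mobistartapp[.]windows7launcher'; Label = 'Win7Launcher' }
    @{ Sha256 = '38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24'; Package = 'com[.]mobistartapp[.]win7imulator';     Label = 'Win7imulator' }
    @{ Sha256 = '0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617'; Package = 'com[.]mobistartapp[.]flashlight';       Label = 'FlashLight' }
    @{ Sha256 = 'a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945'; Package = 'com[.]tassaly[.]flappybirrdog';         Label = 'Flappy Birr Dog' }
)

# Build lookup tables; "[.]" is refanged back to "." so names compare equal.
$HashToLabel = @{}
$PkgToLabel  = @{}
foreach ($ioc in $Iocs) {
    $HashToLabel[$ioc.Sha256.ToLower()]          = $ioc.Label
    $PkgToLabel[$ioc.Package.Replace('[.]', '.')] = $ioc.Label
}

function Find-MobstspyApk {
    # Hash every .apk under $ApkDir and report files whose SHA256 is in the table.
    param([Parameter(Mandatory)][string]$ApkDir)
    Get-ChildItem -Path $ApkDir -Filter *.apk -File -Recurse | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($HashToLabel.ContainsKey($hash)) {
            [pscustomobject]@{ File = $_.FullName; Sha256 = $hash; Label = $HashToLabel[$hash] }
        }
    }
}

function Find-MobstspyPackage {
    # $PmOutput holds lines such as "package:com.example.app" from
    # `adb shell pm list packages`; report installed package names in the table.
    param([Parameter(Mandatory)][string[]]$PmOutput)
    foreach ($line in $PmOutput) {
        if ($line.Trim() -match '^package:(\S+)') {
            $pkg = $Matches[1]
            if ($PkgToLabel.ContainsKey($pkg)) {
                [pscustomobject]@{ Package = $pkg; Label = $PkgToLabel[$pkg] }
            }
        }
    }
}

# Constructed sample of `pm list packages` output so the script runs offline;
# expect one hit for Win7imulator.
$Sample = @('package:com.android.chrome', 'package:com.mobistartapp.win7imulator')
Find-MobstspyPackage -PmOutput $Sample

# Live checks (device attached, APKs already pulled to the assumed folder):
# Find-MobstspyPackage -PmOutput (adb shell pm list packages)
# Find-MobstspyApk -ApkDir 'C:\triage\apks'
```

The hash check only finds these exact six samples, and the package-name check only finds builds shipped under the same names; a repackaged variant under a new name matches neither. Treat a hit as a lead for a full look at the app (its FCM registration and the C&C traffic described above), not as the end of the investigation.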

Command and Control Servers


This post appeared first on Trend Micro Blog
Author: Trend Micro

Computer Security, Cyber Security News, Data Breach, data leak, hacking, Phishing, San Diego Unified School, Security Hacker, Vulnerability,

San Diego School District Hacked – 500,000 Students and Staff Data May Have been Stolen

A massive data breach at San Diego Unified School District exposed the records of more than 500,000 students and staff; the stolen database file contains personal information dating back to the 2008-09 school year. An unauthorized individual accessed that database file and may have been able to view the personal data of some […]

The post San Diego School District Hacked – 500,000 Students and Staff Data May Have been Stolen appeared first on GBHackers On Security.

Access Management, Advanced Threats, Antivirus, atm, CISO, Compliance, Credentials, cryptocurrency, cryptocurrency miner, Cybercrime, Cybercrime Trends, Data Breaches, Data Privacy, Data Protection, database security, Endpoint Protection, Financial Industry, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, IBM X-Force Research, Identity and Access Management (IAM), Incident Response, Incident Response (IR), Malware, Obfuscation, Personal Data, Phishing, regulatory compliance, Security Trends, Social Security, Threat Intelligence, Vulnerabilities, X-Force,

IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape

Taking a look back at 2018, it amazes me that the cybercrime threat landscape continues to top itself year after year. Over the past year, we’ve seen historic breaches, the discovery of large-scale vulnerabilities, the emergence of the trust economy and regulators trying to help make sense of it all.

The looming General Data Protection Regulation (GDPR) deadline finally came in May after businesses spent years preparing. Now we’re in the GDPR era, and we’re still seeing organizations struggle to interpret and tackle the regulation. Businesses are asking themselves, should we disclose every possible incident to be covered or spend more time investigating incidents to confirm them?

We also saw many unintended consequences of the GDPR, including the removal of WHOIS data that threat intelligence experts rely on to identify malicious domains used by fraudsters. We learned that in Europe, because of the privacy regulation, organizations will need to go through works councils to receive approval to deploy endpoint protection tools in the wake of an incident. This gives attackers a significant advantage: they can harvest data for an extended period, upwards of 30 to 90 days.

One of my security predictions for 2018 was that organizations will start to get response right. We’ve seen some progress on this, but there’s still a lot of work to be done here. Since we opened our Cyber Range in Cambridge, Massachusetts two years ago, we’ve had more than 2,000 people experience what it’s like to respond to an attack.

We’ve seen many industry groups come together in the Cyber Range and collaborate to help their entire industries. We also launched our Cyber Tactical Operations Center (C-TOC), an 18-wheeler that will be touring Europe in 2019 to address the increased demand for preparedness training. Of course, there’s always room for improvement, but our industry is making progress, and for that, I’m proud.

Security Predictions for the New Year

So what lies ahead in 2019? How will the cybercrime threat landscape change and evolve?

Top experts from IBM X-Force have been analyzing emerging trends and clues this year, which they believe are indicators of potential major cybercriminal activity in 2019. Below, these experts reveal their top security predictions for 2019 based on insights from their research and work with clients. The predictions span a range of potential attack schemes and consequences, from industry-specific prognostications to a rapid expansion of emerging criminal schemes.

First, a couple of my own predictions:

Social Insecurity Numbers Dropped for Access

With most Americans’ Social Security numbers a shared secret after 2017, corporations will start to move away from using the numbers as a form of access. In particular, corporate benefits programs often still use Social Security numbers as an identifier. Expect corporations and benefits programs to evolve their authentication methods ahead of regulators.

What organizations can do: Stop using Social Security numbers for identification. Instead, use a one-time PIN to establish accounts tied to two-factor authentication, and expand the use of biometrics for authentication.

Unforeseen Consequences of the GDPR

2018 was all about implementing the GDPR and getting organizations prepared. In 2019, new, unforeseen impacts of the GDPR on threat intelligence will be identified and have broader consequences for cybersecurity. With the elimination of WHOIS data, identifying malicious domains connected to bad actors becomes an enormous challenge, and we will likely see malicious domains ramp up. Organizations in Europe will struggle to remove attackers from networks and devices because of a 30- to 90-day waiting period to deploy endpoint protection after an incident. My hope is that regulators, works councils and security industry leaders can work together in 2019 to identify some exceptions in which security takes precedence.

Possible solution: Greater collaboration between regulators, works councils and security industry leaders to identify exceptions to regulations where security could inadvertently suffer because of the regulation.

Now, some predictions from my fellow X-Force team members:

Automated Customer Service Systems in Attackers’ Sights

Kiosk and other self-service systems have become more and more a part of our world. Retailers, airlines, hotels and public buildings are using these systems to speed up check-ins and reduce labor costs. In 2018, we saw a resurgence in ATM hacking, and we expect in 2019 to see public-facing self-service systems targeted as a way to harvest valuable customer data.

– Charles Henderson, X-Force Red

What organizations can do: Test hardware and software before criminals have a chance to. Harden physical interfaces and disable unused ports at the hardware level. When using third-party components, ensure that they are still supported by the manufacturer.

A Cyber Insurance Market Reality Check

The growth of cybersecurity insurance has risen alongside the epic growth of cybercrime. While a valuable tool to manage costs of a security incident or data breach, businesses have become too reliant on insurance, avoiding investment in other preventative technologies and response services. In 2019, we’ll see closer teaming between cyber insurance providers and security vendors to fill the emerging gap created by the market.

– Christopher Scott, X-Force Incident Response and Intelligence Services (IRIS)

Possible solution: Providers of managed security services and cyber insurance team up together to offer consulting services, assess risk and implement defensive strategies.

Have Data, Will Travel

Cybercriminals will shift their sights to the lucrative databases of personal data maintained by travel and hospitality companies. In 2018, we saw the tip of the iceberg with high-profile breaches at airlines and hotel chains. Expect more mega breaches in this area in 2019 as cybercriminals look to monetize rewards points and gather new credentials, such as passport numbers and driver licenses, to establish identities for online crime. This data could also lead to targeted, travel-related phishing, tapping a person’s interests, motivations and connections.

– Wendi Whitmore, X-Force IRIS

What organizations can do: Deploy data obfuscation technologies, encryption and regular database activity monitoring. Conduct regular security testing and have an incident response plan in place. Frequently audit the storage requirements for personally identifiable information (PII) and set expirations for how long sensitive data is stored.

Evidence of Cybercriminal Stock Manipulation

There’s growing speculation that some shorting of stocks can be tied to cyberattacks. Are criminals collaborating to time their attacks for financial gain? In 2019, we expect these schemes will be further exposed and possibly prosecuted as government regulators take notice of this activity.

– Dustin Heywood, X-Force Red

Possible solution: A breach of a public company is now both a technical crisis as well as a financial crisis. Rapid manipulation of stock prices can occur as a result of bad guys looking to profit or hedge funds reacting to breaking news. Your speed of response and precision of communications will matter. Organizations need to build and test their runbooks ahead of time.

Crypto-Mining Powered by PowerShell

PowerShell use for malicious activities has continued to grow in 2018. IBM X-Force IRIS saw the tool used by malicious actors to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. In 2019, X-Force IRIS anticipates that crypto-mining tools will use PowerShell to load fileless malware onto compromised systems — similar to reported activity by the crypto-miner GhostMiner earlier this year.

– Dave McMillen, X-Force IRIS

What organizations can do: Enterprises should ensure that they are logging, tracking and auditing PowerShell use on their networks. This can be achieved by deploying the latest version of PowerShell and enabling its logging features (script block logging, module logging and transcription) through Group Policy. Forward these logs to a central location where they can be analyzed, so that an attacker with local administrator rights cannot simply clear them.

In addition to logging, companies using Windows 10 should be sure to implement an antivirus solution that supports the Antimalware Scan Interface (AMSI). This interface lets antivirus products inspect PowerShell code at the moment it is about to execute, after any obfuscation or encoding has been unwrapped, allowing the product to stop malicious PowerShell before it runs.
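The script below is an added example, not part of the IBM post. It does the three things the paragraphs above recommend on a single host: it writes the policy registry values that Group Policy sets for script block logging, module logging and transcription; it hunts the resulting script block events (ID 4104) for the in-memory loader patterns a fileless miner would use; and it lists the AMSI providers registered on the machine so you can confirm an AMSI-aware antivirus is actually wired in. The transcript directory, the function names and the pattern list are assumptions; run it elevated on Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the IBM post). Run in an elevated PowerShell 5.1+
# session. Section 1 writes the same values Group Policy sets under
# Computer Configuration > Administrative Templates > Windows Components >
# Windows PowerShell; section 2 hunts Script Block Logging events (ID 4104);
# section 3 lists registered AMSI providers. $TranscriptDir is assumed.

#Requires -RunAsAdministrator
$TranscriptDir = 'C:\PSTranscripts'   # assumed; use a path your log agent collects
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Enable Script Block Logging, Module Logging for all modules, and transcripts.
foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
    New-Item -Path "$Base\$sub" -Force | Out-Null
}
Set-ItemProperty "$Base\ScriptBlockLogging"        -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty "$Base\ModuleLogging"             -Name EnableModuleLogging      -Value 1 -Type DWord
Set-ItemProperty "$Base\ModuleLogging\ModuleNames" -Name '*'                      -Value '*' -Type String
Set-ItemProperty "$Base\Transcription"             -Name EnableTranscripting      -Value 1 -Type DWord
Set-ItemProperty "$Base\Transcription"             -Name OutputDirectory          -Value $TranscriptDir -Type String

# 2. Hunt event 4104 ("Creating Scriptblock text"). With logging enabled the
#    full script text is recorded even when nothing is written to disk, which
#    is exactly what a fileless loader tries to avoid. Patterns are illustrative.
$Patterns = @(
    'FromBase64String'                                  # decode a staged payload
    'Invoke-Expression|\bIEX\b'                         # execute a built string
    'DownloadString|DownloadFile|Invoke-WebRequest'     # fetch the next stage
    'VirtualAlloc|WriteProcessMemory|CreateThread'      # inject into memory
    '-EncodedCommand|-enc\b'                            # encoded command line
    'xmrig|stratum\+tcp|cryptonight|monero'             # miner strings
)
$Regex = $Patterns -join '|'

function Find-SuspiciousScriptBlock {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $text = $_.Properties[2].Value   # ScriptBlockText
        $path = $_.Properties[4].Value   # Path (empty for interactive input)
        # This hunt script contains the patterns itself; skip its own events.
        if ($PSCommandPath -and $path -eq $PSCommandPath) { return }
        if ($text -match $Regex) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Path    = $path
                Match   = $Matches[0]
                Snippet = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

# 3. AMSI only helps if an antimalware product has registered a provider.
function Get-AmsiProvider {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Clsid = $clsid; Provider = $name }
        }
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
Get-AmsiProvider | Format-Table -AutoSize
```

Script block logging only takes effect for PowerShell sessions started after the policy is set, and the 4104 events of a large script are split across several records, so correlate on the ScriptBlockId (Properties[3]) when reconstructing a payload. To confirm AMSI is scanning a session end to end, paste Microsoft's documented AMSI test string (the text "AMSI Test Sample: " followed by the GUID 7e72c3ce-861b-4339-8740-0ac1484c1386) into a fresh console; an AMSI-integrated antivirus blocks it before it runs, and a console that accepts it has no working provider.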

This post appeared first on Security Intelligence
Author: Caleb Barlow

Computer Security, Cyber Attack Prevention, Malicious Phishing, Malware, Phishing, Phishing Attack, Phishing Scam, PREVENTION, ransomware attack, SOC,

Cyber Attack Prevention Checklist to Keep Your Business Safe & Secure From Hackers

Cyber security manages business risk across the full cycle (monitor, assess, advise, remediate). It fights cybercrime through the detection of attacks and fraud attempts, and it increases the security of service platforms, infrastructure and networks. Here is the cyber attack prevention checklist. There are plenty of low-cost, simple-to-set-up measures that can enhance cyber security inside the organization. We […]

The post Cyber Attack Prevention Checklist to Keep Your Business Safe & Secure From Hackers appeared first on GBHackers On Security.