Category Archives: Malware

GlobalHackNews Is The Popular Blog of IT Security, Cybersecurity, and Latest Hacking News Update. Read Regular News to Improve Your Security.

A Set of Address Bar Spoofing Vulnerabilities in Mobile Browser

Security researchers on Tuesday disclosed a set of address bar spoofing vulnerabilities affecting multiple mobile browsers. They range from widely used browsers such as Apple Safari and Opera Touch to UCWeb's UC Browser, Yandex Browser, Bolt Browser and RITS Browser, and leave users open to spear-phishing attacks and malware delivery.

Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been as dangerous as they are today. These flaws were discovered by security researcher Rafay Baloch in the summer of 2020 and jointly reported by Baloch and cybersecurity firm Rapid7 in August, and were communicated to the browser developers before being made public over the last few days.

Rapid7 explains that by manipulating the timing between when a page loads and when the browser gets a chance to refresh the address bar URL, a malicious site can force the browser to display an incorrect address.

Spoofing Vulnerabilities in Affected Browsers

The problem was found earlier this year and reported to the browser makers in August. The big vendors patched the issues right away; UCWeb and Bolt Browser remain unpatched as yet, while Opera Mini is expected to receive a fix on November 11, 2020. The full list is below.

CVE | Vendor | Product | Version | Platform | Status
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020
CVE-2020-9987 | Apple | Apple iOS | 13.6 | iOS | Fix released Sept. 16, 2020

Table reproduced from Rapid7's disclosure.

In one variant, the attacker constructs a URL that mixes right-to-left (RTL) and left-to-right (LTR) characters. Baloch gave this example:

127.0.0.1/|/http://example.com.

When opened in an affected mobile browser, the address bar misrenders the text and shows it as:

http://example.com/|/127.0.0.1

The accompanying JavaScript proof of concept renders in a browser as a hyperlink on the text “test”; when clicked, it shows an in-browser rendering of the text “This is not Bing” in a window whose address bar is attributed to bing.com, as shown in the screenshot below.


Now, some browsers are more popular than others, but even some of these relatively obscure browsers have impressive download statistics: the least popular, Bolt, has over 210,000 reviews and ranks No. 47 in the App Store, and UC Browser is probably the most popular non-FOCES browser around, with over 500 million downloads from Google Play. Yandex is pretty popular too, at over 100 million installs, and RITS sits at over a million. Altogether, nothing to sneeze at, installation-wise, according to Rapid7's figures.

“With the ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” Baloch said.

First and foremost, it is easy to persuade a victim into handing over credentials or downloading malware when the address bar points to a trusted website and shows no indication of forgery. Secondly, because the vulnerability abuses a specific feature of the browser, it can evade several anti-phishing schemes and solutions.
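As an added illustration of the defensive side of the bidi trick above (this is not code from Rapid7 or Baloch), the following link-scanner check flags URLs carrying Unicode bidirectional control characters and reports the host a browser would really connect to, so that the real destination can be compared with what the address bar might display. The sample URL is constructed from Baloch's example.

```python
"""Flag URLs that carry Unicode bidirectional control characters.

Added illustration, not code from the Rapid7/Baloch research: a check a mail
gateway or link scanner could run. It reports any bidi control characters and
the host the browser will actually connect to, for comparison with whatever
the address bar might display after reordering.
"""
import unicodedata
from urllib.parse import urlsplit

# Unicode bidi controls: marks, embeddings, overrides and isolates.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(url):
    """Return a list of (index, short name) for each bidi control in url."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(url) if ch in BIDI_CONTROLS]


def has_rtl_text(url):
    """True if any character in url has a right-to-left bidi class."""
    rtl_classes = ("R", "AL", "RLE", "RLO", "RLI")
    return any(unicodedata.bidirectional(ch) in rtl_classes for ch in url)


def effective_host(url):
    """Host a browser would actually connect to, with bidi controls stripped."""
    cleaned = "".join(ch for ch in url if ch not in BIDI_CONTROLS)
    if not urlsplit(cleaned).scheme:
        cleaned = "http://" + cleaned   # bare host, as in Baloch's example
    return urlsplit(cleaned).hostname


def assess_url(url):
    """Classify a URL for a link-scanning pipeline."""
    controls = find_bidi_controls(url)
    verdict = "suspicious" if controls or has_rtl_text(url) else "ok"
    return {"host": effective_host(url), "bidi_controls": controls, "verdict": verdict}


# Constructed sample modelled on Baloch's example "127.0.0.1/|/http://example.com",
# with a right-to-left override inserted so the tail may render first; the real
# host is still 127.0.0.1, not example.com.
SAMPLE_SPOOF = "127.0.0.1/|\u202e/http://example.com"

if __name__ == "__main__":
    for u in (SAMPLE_SPOOF, "https://example.com/login"):
        print(u.encode("unicode_escape").decode(), assess_url(u))
```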

Google Add New Password Protections alerts to Chrome for Android, iOS

Google has added a new update to improve password security on both Android and iOS devices by telling you if the passwords you have asked Chrome to remember have been compromised.


The browser alerts you if any of the passwords you have asked it to save have been compromised, and leads you straight to the right ‘change password’ form.

To check whether your passwords have been compromised, Chrome sends a copy of your usernames and passwords to Google in a specially encrypted form. This lets Google check them against credentials known to be compromised, but Google cannot derive your username or password from the encrypted copy.

Google is also bringing its Safety Check feature to Chrome on mobile after first launching it on desktop. It checks whether your browser version is up to date and whether you have enabled Safe Browsing.

Google is also adding new security features in Chrome 86, which is rolling out now. It is launching Enhanced Safe Browsing for Android and iOS, through which Chrome can protect you against phishing, malware and other dangerous websites by sharing real-time data with Google’s Safe Browsing service. Google released Enhanced Safe Browsing for desktop earlier this year.

Enhanced Safe Browsing for Android

Earlier this year, we launched Enhanced Safe Browsing for desktop, which gives Chrome users the option of more advanced security protections.

When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware and other dangerous sites by sharing real-time data with Google’s Safe Browsing service.

Among our users who have enabled checking websites and downloads in real-time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites.

The Chrome team also announced a biometric authentication step before autofilling passwords on iOS. You can authenticate using Face ID, Touch ID or your phone passcode. If you enable Chrome autofill in Settings, Chrome Password Manager can autofill saved passwords into iOS apps or browsers.

Chrome will also block or warn on some insecure downloads initiated by secure pages, as part of Google's plan to gradually block mixed-content downloads altogether.

The Enhanced Safe Browsing option, which can be found in the ‘Settings’ tab under ‘Sync and Google services’, relies on Google’s Safe Browsing service, which maintains a database of unsafe websites that is updated every 30 minutes.

According to Google, however, many phishing sites slip through that 30-minute window. Google says that expanding its phishing protection to real-time scanning on desktop has produced alerts for an extra 30 percent of phishing sites.

HTTP/2 Network Protocol Exposes Web Servers to DoS Attacks

Multiple HTTP/2 implementations expose web servers to attacks that make a denial-of-service (DoS) attack feasible. The flaws affect HTTP/2 servers from many of the most popular vendors and projects, including Facebook, Microsoft, Amazon, Apple, Apache, Nginx and Node.js.

According to W3Techs, as of August 2019, 40% of the top 10 million websites supported HTTP/2, including popular sites such as Google, Facebook, Wikipedia and QQ.

Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks. HTTP/2 was launched in 2015 to improve internet security and user experience by speeding up page loads. In May 2019, Jonathan Looney of Netflix discovered seven of the eight flaws and Piotr Sikora of Google discovered the eighth; all eight were responsibly disclosed to the affected vendors and maintainers. Each flaw allows a client to overload the server’s queue management code, so a remote attacker can consume excessive system resources.

In its advisory, Netflix says the attacks allow a small number of low-bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash.

A vulnerability note from CERT/CC (kb.cert.org) provides a matrix of vendors whose products may be affected by these DoS vulnerabilities. All were discovered by Jonathan Looney of Netflix, except for CVE-2019-9518, which was discovered by Piotr Sikora of Google.

The individual HTTP/2 vulnerabilities are listed below.

CVE-2019-9511 HTTP/2 Data Dribble:- Attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9512 HTTP/2 Ping Flood:- Attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 HTTP/2 Resource Loop:- Attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

CVE-2019-9514 HTTP/2 Reset Flood:- Attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service

CVE-2019-9515 HTTP/2 Settings Flood:- Attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgment per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9516 HTTP/2 0-Length Headers Leak:- Attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

CVE-2019-9517 HTTP/2 Internal Data Buffering:- Attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

CVE-2019-9518 HTTP/2 Request Data/Header Flood:- Attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

In each case, a malicious client asks the server to do something that generates a response, but the client refuses to read the response. This exercises the server’s queue management code. Depending on how the server handles its queues, the client can force it to consume excessive memory and CPU while processing its requests.
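The mitigation that vendors shipped for these flaws was, in essence, per-connection accounting of control frames. As an added example (not code from Netflix or any affected server), the following Python parses raw HTTP/2 frame headers and charges each abusive frame class (PING, SETTINGS, RST_STREAM, PRIORITY, empty DATA/HEADERS/CONTINUATION) against a limit; the limits and traffic samples are constructed.

```python
"""Per-connection HTTP/2 control-frame accounting for the Netflix DoS classes.

Added illustration, not code from any affected server: a minimal frame-header
parser plus per-connection limits of the kind shipped as mitigations (caps on
unanswered PINGs, SETTINGS, RST_STREAMs and empty frames). Limits are
constructed assumptions; a real server would tune them and send GOAWAY.
"""
import struct

# Frame type codes from RFC 7540 section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9
FLAG_END_STREAM = 0x1   # DATA / HEADERS
FLAG_ACK = 0x1          # SETTINGS / PING

# Constructed limits for one connection.
LIMITS = {
    "ping": 10,        # CVE-2019-9512 Ping Flood
    "settings": 10,    # CVE-2019-9515 Settings Flood
    "rst_stream": 50,  # CVE-2019-9514 Reset Flood
    "empty": 20,       # CVE-2019-9518 empty DATA/HEADERS/CONTINUATION
    "priority": 100,   # CVE-2019-9513 Resource Loop
}


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode a frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length


def classify(ftype, flags, payload):
    """Map a frame to the counter it charges, or None for ordinary traffic."""
    if ftype == PING and not flags & FLAG_ACK:
        return "ping"
    if ftype == SETTINGS and not flags & FLAG_ACK:
        return "settings"
    if ftype == RST_STREAM:
        return "rst_stream"
    if ftype == PRIORITY:
        return "priority"
    no_progress = not payload and not flags & FLAG_END_STREAM
    if ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE) and no_progress:
        return "empty"
    return None


def audit_connection(data, limits=LIMITS):
    """Count abusive frames on one connection; return (counts, violated key or None)."""
    counts = {k: 0 for k in limits}
    for ftype, flags, _sid, payload in parse_frames(data):
        key = classify(ftype, flags, payload)
        if key is None:
            continue
        counts[key] += 1
        if counts[key] > limits[key]:
            return counts, key  # a server would answer with GOAWAY(ENHANCE_YOUR_CALM)
    return counts, None


# Constructed traffic samples: a normal request, a ping flood, an empty-frame flood.
NORMAL = build_frame(HEADERS, FLAG_END_STREAM, 1, b"\x82") + build_frame(PING, 0, 0, b"\0" * 8)
PING_FLOOD = b"".join(build_frame(PING, 0, 0, b"\0" * 8) for _ in range(11))
EMPTY_FLOOD = b"".join(build_frame(DATA, 0, 1) for _ in range(21))

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("ping flood", PING_FLOOD), ("empty frames", EMPTY_FLOOD)):
        print(name, audit_connection(sample))
```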

FaceTime Bug Lets Callers Hear and See You Without You Picking Up

Are you an Apple phone user? Then you should immediately turn off the FaceTime app until this bug is resolved: a FaceTime bug lets callers hear and see you without you picking up.

A serious bug in Apple’s popular video and audio calling app has been found that lets a caller listen to your microphone, and possibly see through your camera, without you answering the incoming call. Apple says the issue will be addressed in a software update “later this week”.

The bug went viral on Twitter after being posted by Benji Mobb, with various users complaining about it.

GlobalHackNews has tested the bug on an iPhone X running iOS 12.1 and can confirm that it works as 9to5Mac’s directions state.

Here’s how someone can spy using the iPhone FaceTime bug:

  • Start a FaceTime Video call with an iPhone contact.
  • Whilst the call is dialing, swipe up from the bottom of the screen and tap Add Person.
  • Add your own phone number in the Add Person screen.
  • You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.

Here’s how to turn off FaceTime on your iPhone and Mac.

  • Open the Settings app.
  • Tap on the FaceTime icon.
  • Turn the toggle off (grey).
  • Open the FaceTime app on your Mac.
  • Click “FaceTime” in the menu bar.
  • Click “Turn off FaceTime”.

Apple said on Tuesday afternoon that a fix is coming this week: “We’re aware of this issue and we have identified a fix that will be released in a software update later this week.” Apple has also deactivated Group FaceTime to prevent people from exploiting the bug before the fix is released.

Beware of New Ransomware Anatova That Targets Gamers | How to Remove Anatova

Security researcher Valthek yesterday identified a new ransomware family, Anatova, that is targeting consumers in several European countries (Belgium, Germany, France, the UK). Researchers see it as a serious warning: it was created by skilled authors and can be turned into a multifunctional piece of malware.

Anatova simply makes files unusable and leaves a ransom-demanding message in a text file named “ANATOVA.TXT”. Anatova never adds an extension to the encrypted files and never changes their icon.

“We believe that Anatova can become a serious threat since the code is prepared for a modular extension,” the researchers noted.

Anatova encrypts files and then demands 10 DASH coins, worth approximately $690, to decrypt them.

This ransomware spreads with the help of multiple distribution routes, including:

  • Spam emails
  • Brute-force attacks
  • Hacked websites
  • Repacked installers
  • Drive-by downloads
  • Cracks or keygens
  • Fake updates, etc.

The malware will try to create a mutex with a hardcoded name (in this case: 6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO), but the mutex name changes in each sample. If the mutex is created and gets the handle, it will call the “GetLastError” function and look if the last error is ERROR_ALREADY_EXISTS or ERROR_ACCESS_DENIED. Both errors mean that a previous instance of this mutex object exists. If that is the case, the malware will enter a flow of cleaning memory, that we will explain later in this post, and finish. (Source: McAfee)

Name: Anatova
Type: Ransomware
Distribution: Spam emails, malicious files, hacked websites, drive-by downloads, fake updates, brute-force attacks, etc.
Discovery date: January 16th, 2019
Extension: None
Ransom note: ANATOVA.TXT
Contact: anatova2@tutanota.com or anatoday@tutanota.com
Decryptable? No
Elimination: Scan your system with Reimage or other software that is capable of detecting the payload


How to Avoid Anatova While Browsing the Web

1. Back up your files regularly (as often as possible, and at least weekly).
2. Download and install comprehensive security software and keep it up to date.
3. Install system and software patches on time.
4. Do not casually open attachments or click on links inside spam emails.
5. Avoid visiting high-risk websites, such as porn, gambling or file-sharing sites.
6. Do not use cracks or keygen tools; hackers love injecting malicious scripts into cracks. Be careful with torrents, as a file named something like name.torrent.exe is malicious.
7. Disable Adobe Flash; it is an old and unsafe technology that will soon be discontinued.

Anatova Overview

Anatova usually uses the icon of a game or application to try to fool the user into downloading it.

How to Remove Anatova

First, shut down your system manually, then open the Start menu and click “Restart” while holding the “Shift” key on your keyboard.
In the “Choose an option” window click “Troubleshoot”, then select “Advanced options”.
In the Advanced options menu select “Startup Settings” and click the “Restart” button. In the following window, press the “F5” key on your keyboard. This will restart your operating system in Safe Mode with Networking.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore. If you face any problem, contact our team and we will try to solve it.


Fortnite Bug Lets Hackers Take Over Gamers’ Accounts


Check Point researchers found a bug in the account authentication process of the massively popular online battle game that allowed player accounts to be taken over. An attacker could have stolen login tokens simply by duping the victim into clicking a link shared over WhatsApp or any other social sharing channel.

The chain combined an unvalidated subdomain redirect with a cross-site scripting (XSS) bug to load JavaScript that bypassed the protections of the single sign-on (SSO) access control mechanism used for logging into Fortnite and, most importantly, the OAuth account flow, leading to account takeover.

According to the Check Point researchers, the cross-site scripting (XSS) bug and a malicious redirect issue on Epic Games’ subdomains allowed attackers to hijack users’ authentication tokens simply by duping them into clicking a specially crafted web link.

Single sign-on (SSO) shifts authentication to a trusted third party (such as Google, Facebook, Xbox or PlayStation), which authorizes access to the resource with an access token.


The Fortnite login page at accounts.epicgames.com used an unvalidated redirect parameter, which could be pointed at another online location to hijack accounts.


Epic Games’ request to their server, along with the attacker’s “crafted state” parameters received from the single sign-on (SSO) provider.


Check Point has released a video showing the exact steps of the attack and how easy it would have been to trick a Fortnite user into clicking the wrong link. The original research is available from Check Point.

Fortnite is hugely popular, with at least 80 million monthly players, while statistics point to nearly 250 million registered users.
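The root of the chain above is an SSO login page that forwards the user (and the token) to whatever redirect target it is handed. As an added example (not Epic Games' code), the following validator compares the loose substring check that looks plausible with strict exact-origin allowlisting, using constructed hostnames and probe URLs rather than the real domains.

```python
"""Strict redirect-target validation for an SSO/OAuth login endpoint.

Added illustration, not Epic Games' code: an unvalidated redirect lets an
SSO token be delivered to an attacker-controlled location. The defensive fix
is exact-origin matching against an allowlist. Hosts and paths below are
constructed assumptions (the .test TLD is reserved for examples).
"""
from urllib.parse import urlsplit

# Constructed allowlist: exact (scheme, host, port) origins allowed to receive a token.
ALLOWED_ORIGINS = {("https", "accounts.example-games.test", 443)}
SAFE_DEFAULT = "https://accounts.example-games.test/"


def loose_check(redirect):
    """A typical weak check: 'does the URL mention our domain?' (do not use)."""
    return "example-games.test" in redirect


def strict_check(redirect, allowed=ALLOWED_ORIGINS):
    """Accept only absolute https URLs whose exact origin is allowlisted."""
    try:
        parts = urlsplit(redirect)
        port = parts.port or 443          # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False                      # relative, protocol-relative or http
    if parts.username or parts.password:
        return False                      # https://good-host@evil-host/ trick
    return (parts.scheme, parts.hostname.lower(), port) in allowed


def validate_redirect(redirect):
    """Return the redirect to use, or the safe default when validation fails."""
    return redirect if strict_check(redirect) else SAFE_DEFAULT


# Constructed redirect targets of the kind supplied in a redirect/state parameter.
PROBES = [
    "https://accounts.example-games.test/login/done",       # legitimate
    "https://accounts.example-games.test.evil.test/steal",  # suffix trick
    "https://evil.test/?next=accounts.example-games.test",  # query trick
    "https://accounts.example-games.test@evil.test/",       # userinfo trick
    "http://accounts.example-games.test/",                  # downgrade to http
    "//evil.test/",                                         # protocol-relative
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:55} loose={loose_check(p)!s:5} strict={strict_check(p)}")
```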

Bypassing the WAF

When the XSS payload was executed, the WAF took effect and told us that the request was forbidden. Apparently, the only issue was the length of the script source URL, so we simply bypassed it by using a shortened URL.

Now that we had the XSS we could load our own JavaScript which, in turn, would be executed in the context of “ut2004stats.epicgames.com”. [Source: Check Point]


According to Check Point, the researchers notified Epic Games of the Fortnite vulnerabilities, which the company fixed in mid-December.

The Fortnite developer also advises players to enable two-factor authentication (2FA), which prompts users to enter a security code sent to their email when logging into their Fortnite account.

Adobe Updates Fix 47 Major Security Vulnerabilities


This week also brought a large batch of Adobe-related vulnerabilities. With 24 new important vulnerabilities found, Adobe has published another set of patches, bringing the total to 47 vulnerabilities affecting versions of Adobe’s Acrobat DC, Acrobat Reader DC and Photoshop CC for Windows.

The flaws fixed on May 12 were rated priority 2, while this week’s vulnerabilities are fixed with priority 1; the flaws found this week appear to be more serious than the first wave. Here’s how Adobe describes the situation:

This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible.

The security updates for Adobe Acrobat and Reader fix several defects that could lead to arbitrary code execution. Further flaws include security bypass and information disclosure issues, and these are rated as important.

Version 2015.006.30417 and newer of Acrobat DC (Classic 2015) for Windows and Acrobat Reader DC (Classic 2015) for Windows are covered as well.

Adobe Photoshop CC has a separate flaw that could lead to arbitrary code execution. Affected versions include Photoshop CC 2017 for Windows and Photoshop CC 2018 for Windows.

Allan Liska, a threat intelligence analyst, recommends that users update their systems as soon as possible and always be wary of PDF files on websites or coming from unknown people.

You can read the complete info on these flaws.

New Strain of ATM Jackpotting Malware


A new ATM malware has been identified by security researchers at Netskope Threat Research Labs. Dubbed ATMJackpot, the malware appears to be still under development and to have originated in Hong Kong. There are no current details of any deployment or use.

It has a smaller footprint than earlier jackpotting malware but serves the same purpose: to withdraw money from automated teller machines (ATMs).


ATM jackpotting, also called a logical attack, uses malware to bypass the security controls of individual ATMs. The malware can be installed locally on each ATM via a USB port, or remotely by compromising the ATM operator’s network.

Netskope didn’t explain whether ATMJackpot’s deployment was the result of standard installation via USB on the ATM. If it was, it wouldn’t have been challenging for the criminals, because physically installing malware on an ATM isn’t difficult at all.

Jackpotting is designed to avoid physically breaking into the vault; the malware can be transferred via a USB port to the part of the ATM that controls the vault. ATMJackpot first registers the Windows class name ‘Win’ with a procedure for the malware’s activity.

The malware then populates the options on the window and initiates a connection with the XFS manager. It then opens a session with the service providers and registers to monitor events. It opens sessions with the cash dispenser, the card reader and the PIN pad service providers. Netskope detects the malware as Gen:Variant.Razy.255528. It is then able to monitor events and issue commands: it can read data from the PIN pad, dispense cash and eject cards.

In January 2018, the US saw its first ever jackpotting attacks on ATMs. A warning was issued by the Secret Service, and a worldwide operation was launched against members of the notorious Carbanak group, thought to be implicated in attacks on ATMs and the taking of $1.24m.

Memcached Servers reflection ddos attack


Hackers have found a way to amplify distributed denial-of-service attacks by an unprecedented 51,000 times their original strength, in a development that white hats say could lead to new record-setting assaults that take out websites and Internet infrastructure. These DDoS attacks are possible because of the insecure way the memcached developers implemented support for the UDP protocol in their product.

To make matters worse, memcached servers also expose their UDP port to external connections in the default configuration, meaning any memcached server not behind a firewall can be abused for DDoS attacks right now.

How Does the Memcrashed DDoS Amplification Work?

Attackers are apparently abusing unprotected memcached servers that have UDP enabled. Similar to other amplification methods, the attacker sends a request to the targeted server on port 11211 using a spoofed IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, resulting in a significant attack.


The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.

Cloudflare on Memcrashed DDoS

“I was surprised to learn that memcached does UDP, but there you go!” said CloudFlare’s Marek Majkowski. “The protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.

How to Protect Memcached Servers from DDoS Abuse

The system administrators of Memcached servers can protect them in one of the following ways:


  • Update the configuration of the server to listen only on 127.0.0.1 (localhost) if the memcached server is used only locally and there are no external connections to it. You can do this with the option -l 127.0.0.1.
  • Disable UDP support if you are not using it. You can do this with the option -U 0.
  • Firewall UDP port 11211. If you need both external connections and UDP support, make sure the server is accessible only from the IPs you need.
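As an added example (not part of the memcached project), the following audit script reads the options memcached is started with, whether from a Debian-style /etc/memcached.conf or a command line, and reports whether the server is still usable as a UDP reflector; it shows a weak configuration beside one corrected with the -l and -U options above. The sample configurations are constructed.

```python
"""Audit memcached start-up options for UDP amplification exposure.

Added illustration, not part of the memcached project: parses the -l/--listen,
-U/--udp-port and -p/--port options (Debian-style /etc/memcached.conf puts one
option per line; the same flags appear on the command line) and reports
whether the server can be abused as a reflector. Sample configs are constructed.
"""
import shlex

LOCAL_ADDRS = {"127.0.0.1", "::1", "localhost"}


def _tokens(text):
    """Split config/CLI text into flag and value tokens, dropping comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for tok in shlex.split(line):
            if tok.startswith("--") and "=" in tok:
                out.extend(tok.split("=", 1))   # --listen=ADDR -> --listen ADDR
            else:
                out.append(tok)
    return out


def parse_memcached_options(text):
    """Collect listen addresses, TCP port and UDP port.

    Assumed defaults: listen on all interfaces, TCP 11211, and UDP 11211 as
    well (the pre-1.5.6 default that the Memcrashed attacks relied on).
    """
    opts = {"listen": [], "tcp_port": 11211, "udp_port": 11211}
    toks = _tokens(text)
    for flag, val in zip(toks, toks[1:] + [""]):
        if flag in ("-l", "--listen"):
            opts["listen"].extend(a.strip() for a in val.split(","))
        elif flag in ("-U", "--udp-port"):
            opts["udp_port"] = int(val)
        elif flag in ("-p", "--port"):
            opts["tcp_port"] = int(val)
    return opts


def assess(opts):
    """Return (verdict, reason); 'exposed' means usable as a UDP reflector."""
    # -l accepts "addr" or "addr:port"; keep only the address part for IPv4.
    addrs = {a.split(":")[0] if a.count(":") == 1 else a for a in opts["listen"]}
    public = not addrs or any(a not in LOCAL_ADDRS for a in addrs)
    if opts["udp_port"] == 0:
        return "hardened", "UDP disabled (-U 0)"
    if not public:
        return "hardened", "UDP on but bound to loopback only"
    return "exposed", "UDP port %d reachable from outside" % opts["udp_port"]


# Constructed: a stock-style config that listens everywhere with UDP left on.
WEAK_CONF = """# memcached.conf (constructed sample)
-m 64
-p 11211
-u memcache
"""
# Constructed: the same config corrected per the steps above.
FIXED_CONF = WEAK_CONF + "-l 127.0.0.1\n-U 0\n"
# Constructed: a command line that keeps UDP but binds to loopback only.
PARTIAL_CLI = "memcached -m 64 -l 127.0.0.1 -U 11211"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("cli", PARTIAL_CLI)):
        print(name, assess(parse_memcached_options(text)))
```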


Lazarus Group Is Back Again, Now Attacking Banks and Bitcoin Users in a New Campaign

The Lazarus Group, the actor linked to WannaCry, is back with a new campaign dubbed HaoBao that targets banks and Bitcoin users via spear-phishing lures delivering a new cryptocurrency scanner that hunts for Bitcoin wallets.

Know About The Lazarus Group

The Lazarus Group, also known as HIDDEN COBRA, is a cybercrime group made up of an unknown number of individuals. The group first came to attention in 2009 and 2012 by targeting South Korean government institutions with large-scale distributed denial-of-service (DDoS) attacks.

However, Kaspersky also noted that the reuse of the code could be a “false flag” meant to mislead researchers and pin the attack on North Korea, given that the worldwide WannaCry worm also copied techniques from the NSA.

The WannaCry ransomware leverages an NSA exploit known as EternalBlue, which a hacker group known as the Shadow Brokers made public in April 2017. Symantec reported in 2017 that it was “highly likely” that the Lazarus Group was behind the WannaCry attack.

Be Alert to Phishing Scams from the Lazarus Group

The Lazarus Group is out for money, and its targets range from large banking giants to unsuspecting cryptocurrency investors trying to make money the honest way. You could be one of its next victims, so be careful when you move funds in your crypto wallet.

Recently, the Federal Bureau of Investigation (FBI) alerted users that cybercriminals have been posing as officials from the Internet Crime Complaint Center and sending emails accusing users of crimes they did not commit; the sole purpose is to infect their computers with malware that steals data.

Cryptocurrency Attacks

In 2018, Recorded Future issued a report linking the Lazarus Group to attacks on Bitcoin and Monero cryptocurrency users, frequently in South Korea. These attacks were reported to be technically similar to earlier attacks using the WannaCry ransomware and the attacks on Sony Pictures. One of the tactics used by Lazarus hackers was to exploit vulnerabilities in Hancom’s Hangul, a South Korean word processing software.

Image credit: Kaspersky Lab