Category Archives: Malware


Adobe Coldfusion BlazeDS Java Object Deserialisation RCE

Adobe ColdFusion is a commercial rapid web application development platform created by JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though it is more accurately known as CFML.) It was originally designed to make it easier to connect simple HTML pages to a database. By version 2 (1996), it had become a full platform that included an IDE in addition to a full scripting language.

Adobe ColdFusion, a commercial rapid web application development platform created by Adobe, is affected by a Java deserialisation flaw in its Apache BlazeDS library: when the library handles untrusted Java objects, a remote attacker can achieve remote code execution.

Affected Platforms

  • Adobe ColdFusion 2016 Update 3 and earlier
  • Adobe ColdFusion 11 Update 11 and earlier
  • Adobe ColdFusion 10 Update 22 and earlier

Lab Environment

Security patches: upgrade to Adobe ColdFusion 10 Update 23, 11 Update 12, or 2016 Update 4 or later.


New undetectable Keylogging CrossRAT targets Windows, Linux and Mac OS systems.

Another day, another malware: CrossRAT targets Linux, macOS and Windows devices without being detected by anti-virus software, and is believed to have been developed by the Dark Caracal group. Written in Java, this cross-platform malware can take screenshots, manipulate the entire file system, and run arbitrary DLLs for secondary infection on Windows.

According to the researchers, the Trojan's developers distribute it through WhatsApp and Facebook group messages that redirect victims to malicious websites and get them to download malicious programs.

CrossRAT does not have a predefined command to activate the keylogger, but it uses the open source Java library 'jnativehook' to capture mouse and keyboard events.

CrossRAT, a very harmful desktop surveillance malware, is designed with some basic surveillance features which are activated after it receives predefined instructions from the C&C server.

The Trojan uses a persistence mechanism specific to the operating system it lands on, so it is re-executed every time the infected system is rebooted. It then registers itself with the C&C server, giving the remote attackers access.

Now that the malware is detected by most of the security software on VirusTotal, the threat has dropped to a low level; however, the following checks can also help you identify whether your system is infected with CrossRAT:

Windows users:
Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry key. If the system is infected by CrossRAT, it will contain a command featuring java, -jar and mediamgrs.jar.

For Mac OS:

Search for the launch agent mediamgrs.plist in /Library/LaunchAgents or ~/Library/LaunchAgents.

(OR) Check for the jar file mediamgrs.jar in ~/Library.

For Linux:

Search for an 'autostart file', probably named mediamgrs.desktop, within ~/.config/autostart.

(OR) Check for the jar file mediamgrs.jar in /usr/var.
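The checks above, as an added example script (not part of the original post or any vendor tool): it looks for the Run-key command pattern on Windows and the mediamgrs.plist / mediamgrs.desktop / mediamgrs.jar locations on macOS and Linux. It assumes only the paths the post names; the `home` and `root` parameters exist so it can be pointed at a mounted image or a constructed test tree.

```python
"""Look for the CrossRAT persistence artefacts listed in the post.

Added example, not from the original post. Windows: HKCU\\...\\Run command
containing java, -jar and mediamgrs.jar. macOS: ~/Library/mediamgrs.jar and
mediamgrs.plist in ~/Library/LaunchAgents or /Library/LaunchAgents.
Linux: ~/.config/autostart/mediamgrs.desktop and /usr/var/mediamgrs.jar.
"""
import re
import sys
from pathlib import Path

JAR = "mediamgrs.jar"

# The post: the Run-key command "features java, -jar and mediamgrs.jar".
RUN_CMD_RE = re.compile(r"\bjava\b.*\s-jar\s.*mediamgrs\.jar", re.IGNORECASE)


def run_command_matches(cmd: str) -> bool:
    """True if a Run-key command line launches the CrossRAT jar."""
    return RUN_CMD_RE.search(cmd) is not None


def windows_run_key_hits() -> list:
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, only importable on Windows
    hits = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        i = 0
        while True:
            name, value, _ = winreg.EnumValue(key, i)  # raises OSError at the end
            if run_command_matches(str(value)):
                hits.append((name, value))
            i += 1
    except OSError:
        pass
    finally:
        winreg.CloseKey(key)
    return hits


def _file_mentions_jar(path: Path) -> bool:
    try:
        return JAR in path.read_text(errors="ignore")
    except OSError:
        return False


def unix_hits(home: Path, root: Path) -> list:
    """Return existing paths from the post's macOS/Linux lists under home/root,
    plus any launcher in those directories whose body references the jar
    (the post says the autostart file is only 'probably' named mediamgrs.desktop)."""
    hits = []
    for p in (home / "Library" / JAR,                                  # ~/Library
              home / "Library" / "LaunchAgents" / "mediamgrs.plist",  # ~/Library/LaunchAgents
              root / "Library" / "LaunchAgents" / "mediamgrs.plist",  # /Library/LaunchAgents
              home / ".config" / "autostart" / "mediamgrs.desktop",   # ~/.config/autostart
              root / "usr" / "var" / JAR):                             # /usr/var
        if p.exists():
            hits.append(p)
    # Generalisation: any other .desktop / .plist launcher that points at the jar
    for d, pattern in ((home / ".config" / "autostart", "*.desktop"),
                       (home / "Library" / "LaunchAgents", "*.plist"),
                       (root / "Library" / "LaunchAgents", "*.plist")):
        if d.is_dir():
            for f in d.glob(pattern):
                if f not in hits and _file_mentions_jar(f):
                    hits.append(f)
    return hits


if __name__ == "__main__":
    found = windows_run_key_hits() + unix_hits(Path.home(), Path("/"))
    for h in found:
        print("possible CrossRAT persistence:", h)
    sys.exit(1 if found else 0)
```

Run it as the user whose profile you want to inspect; it exits non-zero when any indicator is present.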

Critical Vulnerability in Electrum Bitcoin Wallets Finally Addressed

Electrum is one of bitcoin's longest-standing wallets, having been used heavily since its inception in 2011. However, it has only recently been revealed to have a long-undiscovered vulnerability, which was only fully addressed on January 8th, 2018.

The vulnerability allows remote access to a user's funds when an unencrypted wallet is left open in the background while the user browses the internet. All users with outdated wallets are still vulnerable to the exploit and are strongly recommended to upgrade to version 3.0.5 as soon as possible. The original summary of the issue can be read here.

Play-by-play

The issue was first pointed out on November 25th, 2017 on the Electrum repo by jsmad. The full extent of the vulnerability was not understood by the poster, nor by the Electrum devs, and it was added to the non-critical backlog:


Only recently was the potential of the exploit fully realized by taviso, who stated “I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability?” along with a complete explanation. He posted this on Saturday, January 6th, approximately a month and a half after the issue was first disclosed:

It was confirmed by Electrum dev ecdsa that the exploitable code had been present, undiscovered, since a commit on November 30th, 2015, over two years ago.

Once the extent of the exploit was revealed, a hotfix was released as Electrum version 3.0.4. But open source contributors promptly showed the quick patch to be insufficient:

Finally, the dev team followed up with Electrum 3.0.5 which has fixed the bug in its entirety.


Outdated wallets still vulnerable

This reveals a key issue that still stands with the Electrum client: outdated and exposed wallets will not auto-update to the new, secure version of the client. Users who regularly follow social media would have promptly downloaded the upgrade manually, but the majority who haven't will still be using outdated and vulnerable versions of the Electrum wallet, none the wiser. Furthermore, with the exploit fully publicized, there are certainly now scores of bad actors intent on exploiting the vulnerability against those very wallets that have yet to be updated.


Crypto Insider emphasizes that users who are still running outdated versions should upgrade to the latest version via the Electrum download page immediately.

Edward Snowden’s Haven app turns your laptop into a security system


Haven, a new app from The Guardian Project built with Edward Snowden, aims to turn Android smartphones into tiny personal security systems. Released as a public beta on 23rd December 2017, it is designed to use a phone's built-in sensors to track sudden changes in the environment around it. Say you'd like to keep tabs on a room while you're away from it: the app can direct the device to record unexpected sounds, look out for changes in ambient light, and notice if it's being picked up or tampered with. You can even prop the phone up and set up the camera for use as a motion detector, just for good measure.

Given how hard journalists work to defend their data, it's no surprise that Haven may see use as a means to keep suspicious trespassers away from PCs and laptops containing sensitive data. The Intercept's Micah Lee helped develop the app and explained how it could be used to deal with so-called "evil maid" attacks, in which an attacker attempts to physically tamper with a machine in order to compromise it.

Lee describes how Haven might work in that scenario. He writes: "You lock your laptop in a hotel safe — not a secure move on its own — and place your Haven phone on top of it. If someone opens the safe while you're away, the phone's light meter might detect a change in lighting, its microphone might hear the safe open (and even the attacker speak), its accelerometer might detect motion if the attacker moves the laptop, and its camera might even capture a snapshot of the attacker's face."

Haven won't necessarily prevent such attacks from being carried out, but the app can be configured to send notifications and recordings via text message and Signal (for end-to-end encryption) when the phone's sensors detect something out of the ordinary. And even in cases where the phone itself doesn't have network access and can't fire off those warnings (say, if the phone doesn't have a SIM card or isn't connected to WiFi), every event that triggers an alert is logged locally on the phone. That way, the machine's owner will still be able to tell that an unauthorized actor may have had access to it.

You can currently get the Haven beta release in one of three ways:


Of course, Haven could, and should, see use outside of those very specific situations. Guardian Project founder Nate Freitas calls Haven "the most powerful, secure and private baby monitor system ever," and it's not hard to imagine leaving a spare phone in a room with a child to relay every anguished crying jag to parents. None of the data captured by Haven is relayed to third-party servers, so parents and paranoiacs can rest easier knowing they're in full control of this highly personal data. Meanwhile, Wired reports that Haven provided peace of mind to some 60 social activists in Colombia, a country that has seen more than 100 activists assassinated in the past year alone, according to a recent UN report.

Loapi, the New Android Malware, Can Physically Damage Your Android Phone


Loapi, a new strain of malware targeting Android phones, is capable of performing a plethora of malicious activities, from mining cryptocurrencies to launching DDoS attacks, and so many malicious functions in between that it can cause the battery to bulge and destroy the phone within two days.

The new malware, known as 'Loapi', has such a complex modular design that Kaspersky Lab researchers called it a "jack of all trades", unlike any malware they had seen before. It has an advertisement module, a text-messaging module, a web crawling module, a proxy module and a module for mining Monero. Loapi also aggressively fights to defend itself.

Kaspersky Lab researchers warned:

Loapi is an interesting representative of the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.


Loapi, which may have been created by the same criminal group responsible for the 2015 Android malware Podec, is distributed on third-party app stores. Researchers found that Loapi is usually disguised as apps for "popular antivirus solutions and even a famous porn site."

After the malicious files are downloaded and installed, the app obtains device administrator permissions by nagging the user with popups. Kaspersky showed an example of a supposed security app asking the user to activate administrator permissions. After acquiring admin privileges, the app either hides its icon or pretends to do what it is supposed to be doing, such as running an antivirus scan.

Loapi malware modules

One Loapi module is for spamming advertisements, opening various URLs, including pages in popular social networks such as Facebook or Instagram, as well as displaying video ads and banners.

The proxy module can be used to launch DDoS attacks, and the mining module forces the Android device to mine Monero.

Another module is focused on manipulating text messages, using SMS messages to communicate with the attackers’ Command and Control (C&C) server. It also deletes text messages from the inbox and sent folder to keep the user in the dark about the information received from the C&C server.

Yet another module is a web crawler, using hidden JavaScript to subscribe users to various services. If the subscription requires a text message verification, Loapi takes care of that, too. The researchers remarked, "This module, together with the advertisement module, tried to open about 28,000 unique URLs on one device during our 24-hour experiment."

Loapi’s aggressive self-protection

When it comes to self-defense, Loapi "aggressively fights any attempts to reverse device manager permissions," including receiving from the C&C server a list of apps that endanger the malware. If one of those apps is installed or launched, Loapi displays a fake message claiming to have detected malware and asks the victim to uninstall it.

The victim will be spammed with this popup until finally caving and selecting uninstall. The researchers wrote, “This message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.”

To get rid of Loapi for good, users have to boot into safe mode. Otherwise, the malware keeps closing Settings so users cannot deactivate its admin privileges.

Loapi destroyed an Android in two days


The researchers showed the test Android used while analyzing the malware. It was completely trashed after two days of testing. They noted, “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”


85 Malicious Apps Found on Google Play Store Stealing Login Credentials

Kaspersky reported:

What is amusing is that American president Donald Trump banned Kaspersky antivirus from government computers because of political allegations. The malware caught by Kaspersky researchers was targeting especially Russian-speaking victims, users of VK. Yet malware is known to change and adapt quickly, and to target wider pools of victims.

Even though the apps were used only to steal passwords for one particular social network, VK, some of them have been available for quite a while. One particular app, called Mr. President Trump, has more than one million downloads alone! This app is in fact a game published earlier this year, in March 2017. All of the apps used in this malware operation prompted users to give away their login credentials.


The apps also offered the option to authenticate on VK, asking potential victims to give their login credentials. This is standard for game apps, as they integrate social network functionality for extra features, such as sharing high scores on the platform or getting premium content, the researchers explain.

All users are advised to change the passwords for their accounts.

"These cybercriminals were publishing their malicious apps on Google Play store for more than two years, so they had to modify their code to bypass detection. We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so," Kaspersky wrote.

The apps have been removed from the Google Play Store. Nevertheless, all users who suspect that their accounts may have been compromised should change their passwords quickly.

Last year, the Marcher Android Trojan was updated to show fake login screens in order to steal the victim's credentials for several popular Android apps. First seen in 2013, this Android Trojan has been quite active on Google Play. Its primary purpose has always been harvesting user credentials and credit card data.

Sophisticated ‘MoneyTaker’ group stole millions from Russian & US banks


A cybersecurity firm says it has identified a previously unknown group of Russian-speaking hackers, MoneyTaker, who have allegedly stolen at least $10 million from U.S. and Russian banks over the past year and a half.

The group, named "MoneyTaker" after a software tool it uses, allegedly targeted banks across the United States, breaking into at least 15 lenders in Utah, New York, and California, and also stole at least $3 million from Russian banks, according to a statement from the Moscow-based cyber security firm IB-Group. The group also stole documents indicating it may be preparing to mount fresh attacks on institutions in Latin America, the statement said, and could be working to breach the SWIFT international banking messaging system that carries a huge share of the world's financial transactions.

Starting in May 2016, MoneyTaker mostly targeted card payment systems belonging to small banks in the U.S., and later a transfer system used between Russian banks, IB-Group said. The hackers focused on small U.S. banks with few resources to put into cyberdefenses, according to the report, stealing an average of $500,000 from each.

Having broken into the banks' card payment systems, the hackers would open accounts and remove withdrawal limits on legitimate cards, according to details in the report. So-called 'mules', criminals holding the cards, would then go to an ATM and take out money, IB-Group said.

In a report, First Data said that a number of small financial institutions on the STAR network had their credentials for issuing debit cards breached earlier in 2016, prompting First Data to put new mandatory security controls in place. It said the STAR system itself was never breached.

MoneyTaker similarly attacked the servers of Russia's AWS CBR interbank transfer system, a Russian system similar to SWIFT that is linked to Russia's Central Bank, according to IB-Group. The criminals succeeded in breaking into an unnamed Russian bank by first gaining access to the home computer of the bank's system administrator, the IB-Group researchers say. They then took control of the bank's AWS CBR system to make payments to themselves. IB-Group named the hackers after the tool used in this attack, MoneyTaker v5.

The tool enabled the hackers to steal about $1.3 million through attacks in Russia. This fall, the ring tried again to compromise the same bank transfer system but was thwarted from stealing any money.

Russia's government hacking programs, as well as the alleged collaboration between the country's intelligence services and its cybercriminals, have drawn serious attention since allegations that Moscow used cyberattacks to try to influence the 2016 U.S. presidential election. Russian hackers allegedly used popular antivirus software to steal NSA code. Russia has also suffered an increasing number of serious cyber attacks, most recently the Bad Rabbit ransomware that hit Russia and Ukraine last month, at one point crippling Russia's major newswire, Interfax, which also carries financial news.

IB-Group, which says it runs one of the largest computer forensics labs in Eastern Europe, said that MoneyTaker also reflects a broader trend of cybercriminals increasingly targeting banks instead of their clients, as improved security makes fraud against individual customers less profitable.

"What we recognize in recent years is for targeted attack groups to actually target the bank itself, rather than the customer of the bank," Nick Palmer, who handles international sales at IB-Group, told ABC News in an email. "As tools to defend against common malware and other types of fraud which target banking customers get better, the return on investment becomes lower."

Palmer's colleague Tim Bobak, also of IB-Group, added, "It's easier to take 5 million once than 1,000 [dollars] 5,000 times."

MoneyTaker used unusually complex malware to mask its attacks, according to IB-Group. The group employed so-called fileless malware that exists only in a computer's temporary memory and is deleted when it reboots, making it hard to detect. The hackers further hid their break-ins with malware that used encryption certificates generated in the names of well-known brands, such as Bank of America and Yahoo. Criminals are looking more often for a larger payoff from one-off hits.

IB-Group said it had not found any indication that MoneyTaker had succeeded in breaking into SWIFT, but warned that it expected the group would likely try to compromise it at some point.

While carrying out their attacks, the ring sought out internal documents within the banks' systems, including those relating to the SWIFT system, the IB-Group report said. In particular, the hackers stole documents on a product used in money transfers, called FedLink, that has 200 customers in Latin America, IB-Group noted. "We assume that banks in Latin America may become the next victims of this group," the report read.

In October 2017, Reuters reported, SWIFT said hackers were still trying to breach its system but that heightened security measures taken last year had impeded the attempts. The scope of MoneyTaker's activity is still unknown, the report maintained, and the cybersecurity firm thinks there are more attacks it has not yet uncovered.

Pre-Installed Keylogger Found On Over 460 HP Laptop Models

HP has shipped keyloggers on its customers' laptops. Twice this year, HP laptops have been caught with a pre-installed keylogger.

A security researcher who goes by the name ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The keylogger was found embedded in the 'SynTP.sys' file, part of the Synaptics touchpad driver that ships with HP notebooks, leaving more than 460 HP laptop models vulnerable to hackers.
Although the keylogger component is disabled by default, hackers could use publicly available open source tools for bypassing User Account Control (UAC) to enable the built-in keylogger "by setting a registry value."

Here’s the location of the registry key:

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledged the presence of the keylogger, saying it was actually "a debug trace" which had been left in unintentionally but has now been removed.


"A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners," HP says in its advisory, describing the keylogger as a potential local loss of confidentiality.

“A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

HP has recently released an update for all the affected HP notebook/laptop models.

If you have an HP laptop, you can look for updates for your model. Drivers are also available on the HP Support website.


Google collects locations even when location services are disabled


Android phones send location data to Google even when location services are disabled, an investigation by Quartz has revealed. Google confirmed that it has been doing this since the beginning of 2017, and says it will end the practice by the end of this month.

Android smartphones gather data about your location and send it back to Google. They have been collecting and sending location data even when location services are disabled.
Even for users who have taken precautions such as turning off GPS, not using any apps, and having no carrier SIM card inserted, the data is still transmitted. According to Google, Android phones gather the addresses of nearby cellular towers and transmit them back to its servers, but the data is never used or stored.

"The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months. They were never used or stored," a Google spokesperson said. The company is now taking steps to end the practice after being contacted by Quartz.

Even if Google didn't use the data, collecting it without permission is a potential risk, and there appears to be no way for a user to disable the collection. Google does allow advertisers to target consumers based on their location; however, Google said that apps won't have access to this data. Google is ending the practice by the end of this month, i.e. November 2017.

NSA Worker’s Computer Was Already Infected With Malware

Embattled computer security firm Kaspersky Lab said Thursday that malware-infected Microsoft Office software, rather than its own products, was to blame for the theft of top-secret US intelligence materials.

The Moscow-based anti-virus software maker, which is now banned from US government computers because of alleged links to Russian intelligence, confirmed that someone did apparently remove important National Security Agency programs from an NSA worker's home computer, as first reported by the Wall Street Journal on October 5. Adding tantalizing new details to the cyber-espionage mystery that has rocked the US intelligence community, Kaspersky also said there was a China link to the hack.

According to the Journal, the person had top secret files and applications from the NSA hacking unit called the Equation Group on his computer, which was also running Kaspersky security software.

It is believed that Russian spies used the Kaspersky program as a back door to discover and siphon off the files, reportedly causing deep damage to the NSA's own cyber-espionage operations.

US assertions that Kaspersky, which sold over $600 million of anti-virus software globally in 2015, deliberately or unknowingly helped Russian intelligence in the theft have effectively killed its US business and hurt its worldwide reputation.

Kaspersky software 'disabled'

Based on its forensic study, Kaspersky said the breach of the NSA worker's computer took place between September and November 2014, rather than 2015 as the Journal reported.

Kaspersky said what was taken included essential source code for some Equation Group malware, as well as classified documents. Based on the materials, it said the computer appeared to belong to someone involved in creating malware for the Equation Group.

The company said, though, that the computer was also infected with other malware, including a Russian-made "backdoor tool" hidden in Microsoft Office.

Kaspersky said that the malware was controlled from a computer server based in Hunan, China, and would have provided a path into the computer for anyone targeting an NSA worker.

"Given the system owner's potential clearance level, the user could have been a prime target of nation-states," it said.

Kaspersky's own software would have detected that malware, the company said, except that its software had been turned off.

"To install and run this malware, the user must have disabled Kaspersky Lab products on his machine," it claimed.