- HiddenMiner Android Cryptocurrency miner can brick your device
- After Cambridge Analytica scandal Facebook announces Election security Improvements
- MITRE is evaluating a service dubbed ATT&CK for APT detection
- VPNs & Privacy Browsers leak users’ IPs via WebRTC
Posted: 02 Apr 2018 11:44 AM PDT
Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS_HIDDENMINER that can brick infected devices.
Crooks are looking with increasing interest at cryptocurrency-mining malware developed for mobile devices.
Researchers at Trend Micro recently discovered a new strain of Android malware dubbed ANDROIDOS_HIDDENMINER that abuses the device's CPU to mine the Monero cryptocurrency.
HiddenMiner also implements evasion techniques: it is able to bypass automated analysis by checking whether it is running in a virtualized environment, abusing an Android emulator detector found on GitHub.
“We uncovered a new Android malware that can surreptitiously use the infected device's computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.
“This Monero-mining Android app's self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).”
The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, and they learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This suggests that the operators are currently active.
HiddenMiner abuses the device's CPU to mine Monero; unfortunately, the computational load is so heavy that the CPU can overheat, causing the device to lock, fail, and be permanently damaged.
“There is no switch, controller or optimizer in HiddenMiner's code, which means it will continuously mine Monero until the device's resources are exhausted.” continues the analysis.
“Given HiddenMiner's nature, it could cause the affected device to overheat and potentially fail.”
This behavior was already observed in the past: the Loapi Monero-mining malware caused a device's battery to bloat.
HiddenMiner, like Loapi, locks the device screen when its device administration permissions are being revoked.
ANDROIDOS_HIDDENMINER is currently being delivered through a fake Google Play update app; experts found it on third-party app marketplaces.
The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.
Malware developers are abusing the Device Administration permission. Experts pointed out that users can't uninstall an active device admin package until its device administrator privileges are removed first.
Victims cannot remove HiddenMiner from the device administrator list because it employs a trick to lock the device's screen when a user tries to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android versions prior to Nougat.
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device's OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”
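The Device Administrator abuse described above leaves a visible trace in an app's manifest, which is the first thing an analyst triaging a suspicious "Google Play update" package would check. The following is an added example for this digest, not Trend Micro's code and not the miner's code. It parses a decoded AndroidManifest.xml (the text form produced by tools such as apktool) and flags the device-admin receiver registration; the "no launcher activity" check is a hiding heuristic assumed by this example, not a rule the article states. Both sample manifests are constructed.

```python
"""Triage an Android manifest for the Device Administrator pattern described above.

Added example for this digest: not Trend Micro's code and not the miner's code.
It reads a decoded AndroidManifest.xml (the text form apktool produces) and reports:
  * receivers protected by android.permission.BIND_DEVICE_ADMIN that listen for
    android.app.action.DEVICE_ADMIN_ENABLED, the standard way an app registers
    itself as a device admin, and
  * whether any activity is a MAIN/LAUNCHER entry point; no launcher entry is one
    way an app keeps itself out of the app drawer (a hiding heuristic assumed by
    this example, not a rule the article states).
The two sample manifests are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _filter_names(component, tag):
    """Names of <action> or <category> elements inside a component's intent filters."""
    return {
        elem.get(ATTR_NAME)
        for intent_filter in component.findall("intent-filter")
        for elem in intent_filter.findall(tag)
    }


def triage_manifest(manifest_xml):
    """Return a dict of findings for one manifest; 'suspicious' combines the two checks."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "requested_permissions": sorted(
            p.get(ATTR_NAME) for p in root.findall("uses-permission")
        ),
        "device_admin_receivers": [],
        "has_launcher_activity": False,
    }
    app = root.find("application")
    if app is not None:
        for receiver in app.findall("receiver"):
            # A device-admin receiver must be guarded by BIND_DEVICE_ADMIN and
            # accept DEVICE_ADMIN_ENABLED; the platform requires both.
            if (receiver.get(ATTR_PERMISSION) == DEVICE_ADMIN_PERMISSION
                    and DEVICE_ADMIN_ACTION in _filter_names(receiver, "action")):
                findings["device_admin_receivers"].append(receiver.get(ATTR_NAME))
        for activity in app.findall("activity"):
            if (MAIN_ACTION in _filter_names(activity, "action")
                    and LAUNCHER_CATEGORY in _filter_names(activity, "category")):
                findings["has_launcher_activity"] = True
    findings["suspicious"] = (
        bool(findings["device_admin_receivers"]) and not findings["has_launcher_activity"]
    )
    return findings


# Constructed sample: a "Google Play update" lookalike that registers a device admin
# receiver and exposes no launcher activity.
FAKE_UPDATE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Google Play Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MinerService"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a visible launcher entry and no admin receiver.
PLAIN_APP_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_UPDATE_MANIFEST, PLAIN_APP_MANIFEST):
        print(triage_manifest(manifest))
```

A device-admin receiver is legitimate in MDM agents and anti-theft tools, so the flag is a triage signal rather than a verdict; what makes the sample stand out is the combination with a missing launcher entry and an "update" label on a package that did not come from the official store.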
(Security Affairs – HiddenMiner, Monero cryptocurrency miner)
The post HiddenMiner Android Cryptocurrency miner can brick your device appeared first on Security Affairs.
Posted: 02 Apr 2018 02:41 AM PDT
After the Cambridge Analytica case, Facebook announced security improvements to prevent future interference with elections.
While analysts are questioning whether there was interference with other events, including the Brexit vote, Facebook is now looking to prevent such operations against any kind of election.
Guy Rosen, Facebook VP of Product Management, declared that everyone is responsible for preventing the same kind of attack on democracy and announced the significant effort Facebook will put into it.
"By now, everyone knows the story: during the 2016 US election, foreign actors tried to undermine the integrity of the electoral process. Their attack included taking advantage of open online platforms — such as Facebook — to divide Americans, and to spread fear, uncertainty and doubt," said Guy Rosen.
“Today, we're going to outline how we're thinking about elections, and give you an update on a number of initiatives designed to protect and promote civic engagement on Facebook.”
Facebook plans to improve the security of elections in four main areas: combating foreign interference, removing fake accounts, increasing ads transparency, and reducing the spread of false news.
Alex Stamos, Facebook's Chief Security Officer, added that the company has always fought "fake news," explaining that the term is used to describe many different malicious activities:
“When you tease apart the overall digital misinformation problem, you find multiple types of bad content and many bad actors with different motivations.” said Alex Stamos.
“Once we have an understanding of the various kinds of "fake" we need to deal with, we then need to distinguish between motivations for spreading misinformation. Because our ability to combat different actors is based upon preventing their ability to reach these goals.” said Stamos.
“Each country we operate in and election we are working to support will have a different range of actors with techniques customized for that specific audience. We are looking ahead, by studying each upcoming election and working with external experts to understand the actors involved and the specific risks in each country.”
Stamos highlighted the importance of profiling the attackers; he distinguished profit-motivated organized groups, ideologically motivated groups, state-sponsored actors, people who enjoy causing chaos and disruption, and groups with mixed motivations.
Facebook is working to distinguish between motivations for spreading misinformation and implement the necessary countermeasures.
Currently, Facebook already spends a significant effort in combatting fake news and any interference with elections.
Samidh Chakrabarti, Product Manager at Facebook, explained that the social media giant is currently blocking millions of fake accounts each day, with a specific focus on pages created to spread inauthentic civic content.
Chakrabarti explained that the number of pages and domains used to share fake news is increasing; in response, Facebook is doubling the number of people working on safety issues from 10,000 to 20,000. This hard job is mainly possible thanks to sophisticated machine learning systems.
“Over the past year, we've gotten increasingly better at finding and disabling fake accounts. We're now at the point that we block millions of fake accounts each day at the point of creation before they can do any harm.” said Chakrabarti.
“Rather than wait for reports from our community, we now proactively look for potentially harmful types of election-related activity, such as Pages of foreign origin that are distributing inauthentic civic content. If we find any, we then send these suspicious accounts to be manually reviewed by our security team to see if they violate our Community Standards or our Terms of Service. And if they do, we can quickly remove them from Facebook.”
But we all know that Facebook is a business that needs to increase profits, so ads are very important to it.
Facebook is building a new transparency feature for the ads on the platform, dubbed View Ads, that is currently in testing in Canada. View Ads allows anyone to view all the ads that a Facebook Page is running on the platform.
“you can click on any Facebook Page, and select About, and scroll to View Ads.” explained Rob Leathern, Product Management Director.
"Next we'll build on our ads review process and begin authorizing US advertisers placing political ads. This spring, in the run up to the US midterm elections, advertisers will have to verify and confirm who they are and where they are located in the US,"
This summer, Facebook will launch a public archive with all the ads that ran with a political label.
Stay tuned ….
(Security Affairs – Facebook, fake news)
The post After Cambridge Analytica scandal Facebook announces Election security Improvements appeared first on Security Affairs.
Posted: 02 Apr 2018 02:14 AM PDT
“MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”
The MITRE ATT&CK evaluation service will evaluate endpoint detection and response products for their ability to detect advanced threats.
“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principal cybersecurity engineer at MITRE.
Duff explained that MITRE will adopt a transparent methodology and knowledge base that will make it easy to interpret the results obtained with its service.
In my opinion, sharing information about attackers’ TTPs is essential, and such initiatives are very important for the cyber security community.
Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.
The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives; it is built from publicly available sources.
“ATT&CK provides a common framework for evaluating post-breach capabilities," said Duff. "We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”
According to Duff, internal MITRE information doesn’t contaminate the knowledge base.
In this phase, MITRE intends to evaluate its service and its efficiency; the first case study will be based on APT3/Gothic Panda and will evaluate the products' ability to detect this threat.
“As part of their participation in MITRE's impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE's cyber experts' feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product's ability to detect the emulated adversary behavior.”
For this first round, MITRE is calling for vendors to contribute until April 13, 2018.
(Security Affairs – ATT&CK technique, MITRE)
The post MITRE is evaluating a service dubbed ATT&CK for APT detection appeared first on Security Affairs.
Posted: 02 Apr 2018 12:39 AM PDT
The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs & privacy browsers leak users’ IPs via WebRTC.
Got CVE-2018-6849 reserved and wrote a Metasploit module for this issue which uses WebRTC and collects the leaked private IP address; however, this module may be implemented as a new library (in browser_exploit_server.rb) in MSF. #cheers
What is WebRTC?
Chrome Team says:
We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.
Don’t forget Facebook; even they have WebKits, and it is vulnerable too.
Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victim's referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.
Okay, if you're an Android lover, you would be aware of the Android WebKit. The Android WebKit also leaks the IP address; I tested this on a Nokia 8 running Android 8.1.0 and the issue still exists.
Android Team says:
The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.
Pheewww! Then what? I started targeting privacy browsers, and the very first browser that came to my mind was DuckDuckGo, which has 1,000,000+ downloads on the Android market. Despite being a privacy-based browser, WebRTC was enabled there and it leaks your IP address. I reported the same to the DuckDuckGo Security Team.
DuckDuckGo Team says:
Thank you for trying out the new browser and for sending this report,
There’s a similar discussion in the Firefox Focus for Android repository
Then I thought of creating a module for this. Many thanks to Brendan Coles, who helped me with this and even suggested that adding it as a functionality of an HTTP library would be more useful, as it could be leveraged by existing exploits and info-gathering modules.
In between, RageLtMan also gave his thoughts: “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”
Now that’s cool. Hope you like the read…
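Whether a VPN or privacy browser is exposed comes down to what the ICE candidates gathered by WebRTC contain, so a defender checking their own setup needs to read them. The following is an added example for this digest, not the researcher's Metasploit module and not any browser's code. It parses ICE candidate lines in their SDP syntax and reports whether they reveal a local interface address (the private-IP leak discussed above) or a public address other than the expected VPN egress. The Chrome team's reply refers to the rtcweb ip-handling draft, whose stricter modes withhold host candidates; browsers later also replaced host addresses with mDNS names ending in ".local", and the classifier treats both as protected. All candidate lines and addresses in the sample are constructed.

```python
"""Classify WebRTC ICE candidates to see what a browser is exposing.

Added example for this digest: not the researcher's Metasploit module and not any
browser's code. ICE candidate lines use the SDP syntax of RFC 5245/8445:
  candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
A "host" candidate carries a local interface address (the private-IP leak discussed
above); a "srflx" candidate carries the public address a STUN server saw, which, on
a VPN, should be the VPN's egress address. The stricter modes of the rtcweb
ip-handling draft withhold host candidates, and later browsers replaced host
addresses with mDNS names ending in ".local"; both cases are treated as protected.
The sample candidate lines are constructed for the example.
"""
import ipaddress
import re

CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$"
)


def parse_candidate(line):
    """Parse one candidate line into its fields; raises ValueError on anything else."""
    match = CANDIDATE_RE.match(line.strip())
    if match is None:
        raise ValueError("not an ICE candidate: %r" % line)
    foundation, component, transport, priority, address, port, typ, _rest = match.groups()
    return {
        "foundation": foundation,
        "component": int(component),
        "transport": transport.lower(),
        "priority": int(priority),
        "address": address,
        "port": int(port),
        "type": typ,
    }


def classify_address(address):
    """'mdns' for obfuscated names, else 'loopback', 'private', 'public' or 'unknown'."""
    if address.endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def leak_report(candidate_lines, expected_egress=None):
    """Summarise what a candidate set reveals.

    expected_egress: the public address the VPN or proxy should present (optional).
    If a reflexive candidate shows a different public address, media traffic is
    bypassing that egress.
    """
    local_ips, reflexive_ips, obfuscated = set(), set(), 0
    for line in candidate_lines:
        cand = parse_candidate(line)
        kind = classify_address(cand["address"])
        if cand["type"] == "host":
            if kind == "mdns":
                obfuscated += 1
            elif kind == "private":
                local_ips.add(cand["address"])
            elif kind == "public":          # host candidate on a public interface
                reflexive_ips.add(cand["address"])
        elif cand["type"] in ("srflx", "prflx") and kind == "public":
            reflexive_ips.add(cand["address"])
        # relay candidates carry the TURN server's address, not the user's; ignored
    return {
        "local_ips": sorted(local_ips),
        "reflexive_ips": sorted(reflexive_ips),
        "obfuscated_hosts": obfuscated,
        "leaks_local_ip": bool(local_ips),
        "bypasses_egress": expected_egress is not None
        and any(ip != expected_egress for ip in reflexive_ips),
    }


# Constructed samples; 93.184.216.34 stands in for a public address.
LEAKY_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:2 1 udp 1686052607 93.184.216.34 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
]
PROTECTED_CANDIDATES = [
    "candidate:1 1 udp 2122260223 6f1e9b2a-4c7d-4d1c-9b7e-0a1f2c3d4e5f.local 54321 typ host generation 0",
    "candidate:3 1 udp 41885439 93.184.216.34 3478 typ relay raddr 0.0.0.0 rport 0 generation 0",
]

if __name__ == "__main__":
    print(leak_report(LEAKY_CANDIDATES, expected_egress="198.51.100.77"))
    print(leak_report(PROTECTED_CANDIDATES))
```

In practice the candidate lines come from your own browser (the `onicecandidate` events of a test page or a browser's WebRTC internals log), and `expected_egress` is the address your VPN provider's status page shows; a private `host` entry or a `srflx` address that differs from the egress is the leak the article describes.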
About the Author: Security Researcher Dhiraj Mishra (
The post VPNs & Privacy Browsers leak users’ IPs via WebRTC appeared first on Security Affairs.