- New variant of Dridex banking Trojan implements polymorphism
- Israel blamed Russia for jamming at Israeli Ben Gurion airport
- City Council of Somerville bans facial recognition technology
- Singapore Government will run its third bug bounty program
- ViceLeaker Android spyware targets users in the Middle East
- Iran-linked APT33 updates infrastructure following its public disclosure
Posted: 01 Jul 2019 12:41 PM PDT
Security researchers at eSentire tracked a new campaign spreading a variant of the Dridex banking Trojan that exhibits polymorphism.
Security experts at
Even though Dridex activity decreased over the last couple of years, crooks continued to update it, adding new features such as support for XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption.
Malware researcher Brad Duncan first observed a new variant of Dridex on June 17 that leverages an Application Whitelisting bypass technique to evade the mitigation of disabling or blocking Windows Script Host.
On June 26, 2019, experts at eSentire Threat Intelligence discovered C2 infrastructure pointing to a similar Dridex variant that went undetected by most of the antivirus engines listed on VirusTotal.
“On June 26, 2019,
Experts noticed that the threat actors continuously change up indicators throughout the current campaign, making it hard for signature-based defenses to detect the threat.
"Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign," eSentire notes.
In attacks observed on June 17, the malware used 64-bit DLLs loaded by legitimate Windows system executables. Duncan pointed out that file paths, file names, and associated hashes changed at every computer login.
Attacks begin with spam emails carrying weaponized documents; once victims execute the embedded macros, the malicious code connects to the ssl-pert[.]com domain to download the Dridex installer.
"Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior," eSentire concludes.
The post New variant of Dridex banking Trojan implements polymorphism appeared first on Security Affairs.
Posted: 01 Jul 2019 07:13 AM PDT
Israel blamed Russia for jamming at Israeli Ben Gurion airport that disrupted GPS signals, but the Kremlin denies its involvement in the attacks.
Since early June, significant jamming activity has interfered with GPS signals at Israel's Ben Gurion airport, causing severe problems for pilots and aircraft.
Israel’s Airports Authority confirmed that the disruption of GPS signals had a “significant impact” on the operations at the airport.
At the time of writing, Israeli authorities are still investigating the source of the jamming activity.
Fortunately, the attacks did not cause any accidents at the airport, explained the Airports Authority. Pilots were forced to use the alternative Instrument Landing System when approaching and landing at the airport.
Russia denied having carried out the jamming attacks; Russia’s ambassador to Israel dismissed the accusation as “fake news” that could not be “taken seriously”.
Experts pointed out that interference with the GPS system
“The Israeli Airline Pilots Association said the GPS problems were a “spoofing” attack that produces incorrect location data.” reported the BBC. “This can mean receivers on planes sometimes reporting their location as miles away from where they actually are. BBC Monitoring said Israeli IDF radio had quoted “high-ranking” sources as blaming Russia for the continuing disruption.”
According to the BBC, the jamming activity could be linked to systems used by the Russian army to protect its planes at the Hmeimim airbase in Syria. The Russian military base is located about 350km north of Ben Gurion.
Russia operates in Syria because of its political and commercial interests in the country; it has deployed airbases and a naval base on Syrian territory.
The sky over Syria is crowded; aircraft belonging to the US-led coalition are often involved in operations against the Islamic State.
Russia has been involved in jamming attacks before; jamming systems are an essential component of Russian military strategy, aimed at preventing attacks against its troops in the area.
In November 2015, Russia announced the deployment of jamming systems in Syria to protect its air forces and prevent attacks against its aircraft.
“It documented more than 10,000 separate incidents of GPS disruption and said Russia was “pioneering” the technique to “protect and promote its strategic interests”.” concludes the BBC.
“Some of the disruption helped to keep drones away from Russian airports, said the report, but it was also used to project a bubble around senior government figures when they visited sensitive locations.
(Security Affairs – jamming systems, electronic warfare)
The post Israel blamed Russia for jamming at Israeli Ben Gurion airport appeared first on Security Affairs.
Posted: 01 Jul 2019 05:51 AM PDT
City Council of Somerville, a Boston suburb, has voted to ban the use of facial recognition systems by police and other city offices.
The City Council of Somerville, Massachusetts, a Boston suburb, has decided to ban the use of facial recognition systems by police and other city departments.
Last week, the Somerville City Council voted unanimously (11-0) to prohibit the use of facial recognition technology, which represents a serious threat to citizens’ privacy.
“Councilor Ben Ewen-Campen, the sponsor of the measure, said its passage is a "reminder that we are in charge of our own society."” reported the AP press agency.
“Ewen-Campen worked on the issue with the American Civil Liberties Union of Massachusetts.”
Mayor Joseph Curtatone also announced that he will support the measure to prevent the abuse of facial recognition systems.
According to Kade Crockford, director of the Technology for Liberty Program at the ACLU, Somerville is the first city on the US East Coast to ban facial recognition technology.
In May, San Francisco was the first city in the US to ban facial recognition technology.
“San Francisco, long at the heart of the technology revolution, took a stand against potential abuse on Tuesday by banning the use of facial recognition software by the police and other agencies.” reported the NYT.
“The action, which came in an 8-to-1 vote by the Board of Supervisors, makes San Francisco the first major American city to block a tool that many police forces are turning to in the search for both small-time criminal suspects and perpetrators of mass carnage.”
The post City Council of Somerville bans facial recognition technology appeared first on Security Affairs.
Posted: 01 Jul 2019 02:03 AM PDT
Singapore has announced the third bug bounty program aimed at assessing the security of government systems exposed online.
The government of Singapore has announced its third bug bounty program aimed at assessing the level of security implemented for government systems exposed online.
The bug bounty program sees the involvement of the Cyber Security Agency of Singapore (CSA) and the Government Technology Agency of Singapore (GovTech).
Like the previous programs, this bug bounty program will be operated through the HackerOne platform.
The bug bounty program will run from July to August and will see the participation of 200 international hackers and 100 local hackers. Organizers will offer payouts between $250 and $10,000 for each vulnerability reported by the experts.
The Government will present the results of the program in September.
“The Singapore Government's latest bug bounty program is part of a strategic initiative and commitment to build a secure and resilient Smart Nation by strengthening collaboration with the cybersecurity industry and community.” reads the press release. “GovTech's bug bounty program will run from July to August 2019 and will cover nine Internet-facing government digital services and information and communication technology systems with high user interaction.”
In December 2017, Singapore's Ministry of
The second program ran earlier in 2019 and resulted in the discovery of 26 security flaws, for which a total of $12,000 was paid.
(SecurityAffairs – Singapore, bug bounty)
The post Singapore Government will run its third bug bounty program appeared first on Security Affairs.
Posted: 01 Jul 2019 01:06 AM PDT
Experts at Kaspersky have uncovered a spyware campaign dubbed ViceLeaker that spreads in the Middle East to spy on Android users.
Kaspersky spotted a spyware campaign, tracked as ViceLeaker, that spreads in the Middle East to steal device and communications data from Android users.
The ViceLeaker campaign has been active at least since May 2018 when it targeted dozens of mobile Android devices belonging to Israeli citizens.
The same campaign was also monitored by researchers at Bitdefender that dubbed the malware
The attack chain starts with malicious Telegram and WhatsApp messages containing links to Trojanized apps, one of which was a fake application named “Sex Game For Adults.”
Attackers aim to backdoor legitimate applications with an unusual injection technique dubbe
The mobile malware also aims to inject legitimate mobile applications with a backdoor for persistent access once it has compromised an Android device.
“To backdoor legitimate applications, attackers used a
The ViceLeaker APK implements very common spyware features (exfiltration of SMS messages, call logs, and device information) along with backdoor capabilities (upload, download, delete files, camera takeover, and record surrounding audio).
ViceLeaker leverages HTTP for C&C communications and to transfer exfiltrated data.
During the investigation, Kaspersky also spotted a sample of a modified version of the open-source Jabber/XMPP client called “Conversations.” The tainted version used by the ViceLeaker group sends geographical coordinates to the C2 every time a message is sent via the app.
The modified Conversations app mimics Telegram messenger, but experts did not find any malicious activity implemented by this specific app.
“Even when we originally thought this was a backdoored version of the Conversations app, used to infect victims, we didn’t discover anything malicious in it,” continues Kaspersky. “This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other, unclear purposes.”
Experts considered the possibility that the threat actors were using a compromised email account; investigating it, they found a personal page and a GitHub account containing a forked Conversations repository.
According to Kaspersky, the ViceLeaker campaign is still ongoing, but currently, attackers have taken down their communication channels.
“The operation of ViceLeaker is still ongoing, as is our research,” Kaspersky concludes. “The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner.”
The post ViceLeaker Android spyware targets users in the Middle East appeared first on Security Affairs.
Posted: 30 Jun 2019 11:49 PM PDT
The Iran-linked cyberespionage group APT33 has updated its infrastructure after the publication of a report detailing its activities.
In March, Symantec published a report detailing the activities of Iran-linked
The APT33 group has been active since at least 2013; since mid-2016, it has targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East, others in the U.S., South Korea, and Europe.
Most of the exposed domains no longer resolve to a real IPv4 address, while others moved to new providers. Four domains used in the past were updated the day after the report's publication and now resolve to the same IP, which is registered to the Swiss dedicated-hosting provider Solar Communications GmbH.
The actions show that threat actors quickly reacted to the publication of the report, but continued to focus on Saudi Arabian organizations.
“In response to the publication of operations in late March 2019, domains associated with suspected APT33 activity were parked or changed to new hosting providers.” reads the report.
“APT33, or a closely aligned threat actor, continues to control C2 domains in bulk.
Since March, operations associated with the APT33 group have involved over 1,200 domains; 728 C2 domains were identified communicating with infected hosts, 575 of them with hosts infected by one of 19 mostly publicly available RATs.
Most of the domains (60%) were associated with njRAT infections, a malware family not previously associated with APT33. Other commodity RATs involved in the attacks and associated with the domains are AdwindRAT and RevengeRAT.
The list targeted entities
The experts at Recorded Future speculate that one APT33 actor, the Nasr Institute, is part of a tiered structure of the Iranian government cyber operations apparatus that also includes APT35 and MUDDYWATER.
“These technical and persona overlaps among Iranian threat actors are not unexpected given the tiered structure of Iranian state management of cyber operations.” concludes the
"Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations (such as the Nasr Institute), and others that are contracted private companies (such as ITSec Team)."
The post Iran-linked APT33 updates infrastructure following its public disclosure appeared first on Security Affairs.