Hacking & Security
Introduction. What makes Petya a special ransomware is that it doesn’t aim to encrypt each file individually, but aims for low-level disk encryption. In this series, we’ll be looking into the “green” Petya variant that comes with Mischa. Mischa is launched when Petya fails to run as a privileged process. All that Mischa does is […]
Why is Bitcoin the cybercriminals’ most favorite payment method? Adam Kujawa is the head researcher at the antivirus company Malwarebytes, and he estimates that ransomware nowadays amounts to 70% of all malware downloaded from web pages on the Internet. One look at the cybersecurity headlines from the beginning of the year is enough to name […]
The post Bitcoin May Turn from Cybercriminals’ Biggest Asset into Their Biggest Liability appeared first on InfoSec Resources.
Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peek inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real time.
In a statement released Tuesday evening, Cici’s said that in early March 2016, the company received reports from several of its restaurant locations that point-of-sale systems were not working properly.
“The point-of-sale vendor immediately began an investigation to assess the problem and initiated heightened security measures,” the company said in a press release. “After malware was found on some point-of-sale systems, the company began a restaurant-by-restaurant review and remediation, and retained a third-party cybersecurity firm, 403 Labs, to perform a forensic analysis.”
According to Cici’s, “the vast majority of the intrusions began in March of 2016,” but the company acknowledges that the breach started as early as 2015 at some locations. Cici’s said it was confident the malware has been removed from all stores. A list of affected locations is here (PDF).
On June 3, 2016, KrebsOnSecurity reported that sources at multiple financial institutions suspected a card breach at Cici’s. That story featured a quote from Stephen P. Warne, vice president of service and support for Datapoint POS, a point-of-sale provider that services a large number of Cici’s locations. Warne told this author that the fraudsters responsible for the intrusions had tricked employees into installing the card-stealing malicious software.
On June 8, 2016, this author published Slicing Into a Point-of-Sale Botnet, which brought readers inside of the very crime machine the perpetrators were using to steal credit card data in real-time from Cici’s customers. Along with card data, the malware had intercepted private notes that Cici’s Pizza employees left to one another about important developments between job shifts.
Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.
Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.
Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.
The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.
The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.
In this recent wave of compromises, SoakSoak planted code that redirects visitors to a website hosting the Neutrino Exploit Kit, a "commercial" malware dropping Web tool sold through underground marketplaces. The latest string of compromises appears to have begun in May. But since then, both the malware kit and the ransomware have been upgraded. The latest version of the exploit kit attempts to evade security software or virtual machines.
ABB, a Switzerland-based company that produces software for control systems in the energy industry, has acknowledged that its PCM600 suffers from four vulnerabilities related to insecure password storage. The one who detected and reported them to the vendor was Ilya Karpov, an ICS security expert from Positive Technologies.
As noted in the ICS-CERT advisory, the ABB engineering software for industrial automation management (protective relays, IEDs) is deployed in electric power substations around the world. PCM600 versions up to and including 2.6 suffer from the vulnerabilities found by Ilya Karpov. Exploiting these flaws allows a low-skilled attacker, or malicious software, with access to a local machine that has ABB's PCM600 installed to reconfigure a project or obtain critical information that can be leveraged for read and write access via OPC.
All four PCM600 vulnerabilities are related to sensitive data storage and processing:
- CVE-2016-4511 — Weak hashing algorithms for project password storage
- CVE-2016-4516 — Passwords are stored in plain text, if a user doesn’t readdress the dialog box for changing a project password via the configuration menu
- CVE-2016-4524 — OPC server passwords are stored in plain text
- CVE-2016-4527 — Insecure transfer and storage of sensitive data in the database
ABB has already issued a hot fix for version 2.6 and released version 2.7, which resolves all reported vulnerabilities. The company recommends that customers apply the update at their earliest convenience.
Other measures include:
⎯ Restricting physical access to equipment by unauthorized persons
⎯ Forbidding direct Internet connections for the ICS
⎯ Forbidding the use of online services (email, messengers) on user workstations
⎯ Connecting to other networks exclusively via firewalls with a limited number of open ports
⎯ Antivirus scanning of all portable computers and storage devices prior to connecting them to control systems
You may find the details on maintaining PCM600 security in the vendor’s manual.
It is worth mentioning that ABB control systems are popular in Russia. According to Positive Technologies' ICS security research, ABB products rank third in the programmable logic controller segment in Russia.
Illegal activities in the Dark Web continue to grow. The Dark Web is a privileged place for cyber criminals who, under specific conditions, can operate in anonymity. The United Nations Office on Drugs and Crime (UNODC) has published its annual report, which contains a specific mention of the illicit trade of goods and drugs in this hidden part of […]
The post Law Enforcement and the Dark Web: A Never-Ending Battle appeared first on InfoSec Resources.
Everyone wants to maintain privacy while surfing the Internet, and many rely on the Tor network to achieve anonymity online. As we all know, Tor has its limitations, and the anonymity of its users can be broken. Enter the Riffle Anonymity Network, a prototype developed by the Massachusetts Institute of Technology (MIT) and […]