
An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks -- and which is ongoing -- has revealed a new propagation method leading to high infection numbers. In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through "indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes." Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000. The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a "hodge-podge of vulnerable and exploited servers" is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators. Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware's MSI installer disguises itself as a Windows Update package with different hashes, a feature the team calls a "cheap and simple" way to avoid the malware's installers being connected to one another during investigations. 
In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and filters are created to block a number of ports -- potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to "maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets," the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot. Purple Fox will then generate IP ranges and begin scans on port 445 to spread. "As the machine responds to the SMB probe that's being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session," the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. To learn more visit OUR FORUM.
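The propagation behaviour described above, a single host generating IP ranges and probing port 445 across them, is visible in ordinary flow or firewall logs as an unusually high fan-out of distinct SMB destinations from one source in a short window. The following detection logic is an added example written for this page, not Guardicore's code or tooling. The flow-record layout (`<epoch> <src_ip> <dst_ip> <dst_port>`), the window and threshold values, and the sample records are all constructed for illustration.

```python
"""Flag hosts whose outbound TCP/445 fan-out looks like worm-style SMB scanning.

Added example written for this page; it is not Guardicore's code or tooling.
The flow-record layout "<epoch> <src_ip> <dst_ip> <dst_port>" and the sample
records below are constructed for illustration.
"""
from collections import defaultdict

SMB_PORT = 445


def build_sample_flows():
    """Construct sample flow records: one host sweeping a /24 on 445,
    one host doing ordinary file-server access, plus unrelated HTTPS."""
    lines = []
    base = 1616400000
    # Constructed scanner: 25 distinct targets in 25 seconds, then one repeat.
    for i in range(25):
        lines.append(f"{base + i} 10.0.5.21 10.0.5.{100 + i} 445")
    lines.append(f"{base + 26} 10.0.5.21 10.0.5.100 445")
    # Constructed normal client: two file servers over 445.
    lines.append(f"{base + 3} 10.0.5.7 10.0.5.50 445")
    lines.append(f"{base + 40} 10.0.5.7 10.0.5.51 445")
    # Constructed HTTPS traffic: many destinations but not SMB, so ignored.
    for i in range(30):
        lines.append(f"{base + i} 10.0.5.7 203.0.113.{i} 443")
    return "\n".join(lines)


def parse_flows(text):
    """Parse whitespace-separated flow records into (ts, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, dport = parts
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def detect_smb_scanners(flows, window=60, threshold=20):
    """Return {src_ip: peak number of distinct 445 destinations seen within
    any trailing window of `window` seconds} for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that have fallen out of the trailing window.
            while events[left][0] <= ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def analyse_sample():
    """Run the detector over the constructed sample."""
    return detect_smb_scanners(parse_flows(build_sample_flows()))


if __name__ == "__main__":
    for src, fanout in analyse_sample().items():
        print(f"possible SMB scanner {src}: {fanout} distinct targets on 445")
```

Tune the window and threshold to the environment: a backup server or vulnerability scanner will legitimately touch many hosts on 445, so an allowlist of known sweepers belongs in front of the alert. The repeat connection to `10.0.5.100` in the sample shows why distinct destinations, not raw connection counts, are the right measure.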

Looking to use your phone in an emergency? Modern smartphones and smartwatches allow you to set certain features that will ping your last known location to emergency contacts in a situation where you’re unable to talk on the phone. Both Apple and Google have baked these features into the respective iOS and Android platforms, and we’re seeing more and more wearable manufacturers include the features too. Why would you want to set up emergency SOS location tracking? There’s a variety of scenarios where you may not be able to talk on a phone, but you will be able to find a way to send your location to trusted individuals. You can also have an easy way to directly call the emergency services through these features too, so they’re worth setting up for when you may need them in the future. This guide will teach you how to set up the equivalent features on your iPhone, Android phone, or an alternative such as wearables from Garmin and Apple. Not all fitness trackers or wearables sport these features, but most smartphones do. Emergency SOS is already available when you take an iPhone out of the box, but there are some ways you can set it up to work better. It works in all countries, but in some places, you may only be able to choose one particular emergency service. First off, making an emergency services call is simple from an iPhone, but the way it works differs depending on the model of iPhone you have. If you own an iPhone 8 or later (that’s if your phone came out after 2017) you can hold down the side button and the volume buttons. Then, you’ll find a slider on the screen that says “Emergency SOS”. If you drag this across, it’ll make an immediate call to the emergency services. If you can’t slide this across, continue to hold down the buttons and you’ll find your phone makes an alert noise with a countdown. That countdown will finish with the phone calling the emergency services, so this is particularly useful if you can’t take your phone out of a pocket. 
We would encourage you to set up emergency contacts (more on that below) as it will then message your contacts immediately afterward with your location information and more. Why would you want an emergency contact? First off, it can help emergency services identify who to contact, and on Apple devices, these people will immediately receive a message of your location after your call with the emergency services. To set this up, click on the Health app and press on the profile picture. In here, you’ll find an option called Medical ID and at the bottom of the page, you’ll find an option called emergency contacts. Here is where you can enter the information of the contact, a relationship, and their phone number as well. Tap on done afterward, and you’ve set up your emergency contact. You can have several of these on your iPhone at one time. On Android phones, these features differ depending on the manufacturer. You can often find the information you need by searching in your phone’s Settings for phrases such as SOS messages or simply the word emergency. For example, Samsung phones have a feature called Send SOS Messages that allows you to press the side key three times to automatically message someone with your location. It will automatically attach pictures using your rear and front camera, as well as an audio recording of the moments before the message was sent. For more detailed instructions on various devices visit OUR FORUM.

Today, researchers have exposed common weaknesses lurking in the latest smart sex toys that can be exploited by attackers. As more and more adult toy brands enter the market, and given that the COVID-19 situation has led to a rapid increase in sex toy sales, researchers believe a discussion around the security of these devices is vital. In examples provided by the researchers, technologies like Bluetooth and inadequately secured remote APIs make these IoT personal devices vulnerable to attacks that go beyond just compromising user privacy. ESET security researchers Denise Giusto Bilić and Cecilia Pastorino have shed light on some weaknesses lurking in smart sex toys, including the newer models. The main concern highlighted by the researchers is that newer wearables like smart sex toys are equipped with many features such as online conferencing, messaging, internet access, and Bluetooth connectivity. This increased connectivity also opens the door to these devices being taken over and abused by attackers. The researchers explain that most of these smart devices feature two channels of connectivity. Firstly, the connection between a smartphone user and the device itself is established over Bluetooth Low Energy (BLE), with the user running the smart toy's app. Secondly, the communication between a remotely located sexual partner and the app controlling the device is established over the internet. To bridge the gap between one's distant lover and the sex toy user, smart sex toys, like any other IoT device, use servers with API endpoints handling the requests. "In some cases, this cloud service also acts as an intermediary between partners using features like chat, videoconferencing and file transfers, or even giving remote control of their devices to a partner," explained Bilić and Pastorino in a report. 
But the researchers state that the information processed by sex toys consists of highly sensitive data such as names, sexual orientation, gender, a list of sexual partners, and private photos and videos, among other items, which, if leaked, can seriously compromise a user's privacy. This is especially true if sextortion scammers get creative after getting their hands on such private information. More importantly, though, the researchers express concern over these IoT devices being compromised and weaponized by attackers for malicious actions, or to physically harm the user. This can, for example, happen if the sex toy gets overheated. "And finally, what are the consequences of someone being able to take control of a sexual device without consent, while it is being used, and send different commands to the device?" "Is an attack on a sexual device sexual abuse and could it even lead to a sexual assault charge?" Bilić and Pastorino further stress. To demonstrate the seriousness of these weaknesses, the researchers conducted proof-of-concept exploits on the Max by Lovense and We-Vibe Jive smart sex toys. Both of these devices were found to use the least secure "Just Works" method of Bluetooth pairing. Using the BtleJuice framework and two BLE dongles, the researchers were able to demonstrate how a Man-in-the-Middle (MitM) attacker could take control of the devices and capture the packets. The attacker can then re-broadcast these packets after tampering with them to change settings like vibration mode and intensity, and even inject other commands. Likewise, the API endpoints used to connect a remote lover (sexual partner) to the user make use of a token that was not particularly hard to brute-force. Want more? Visit OUR FORUM.
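The brute-forceable API token is the one weakness above that a vendor can fix entirely server-side: issue tokens with enough randomness that enumeration is infeasible, store only their hashes, compare them in constant time, and stop responding to a client that keeps guessing. The code below is an added example written for this page to show that hardening; it is not ESET's code or any toy vendor's API. The client identifiers, lockout parameters, in-memory stores and the `demo()` scenario are illustrative assumptions.

```python
"""Issue and verify high-entropy remote-control tokens with per-client lockout,
the hardening counterpart to the easily brute-forced API token described above.

Added example written for this page; it is not ESET's code or any vendor's
API. Client identifiers, lockout parameters and the in-memory stores are
illustrative assumptions.
"""
import hmac
import math
import secrets
import time
from collections import defaultdict
from hashlib import sha256

TOKEN_BYTES = 32       # 256 bits of randomness per token
MAX_FAILURES = 5       # failed attempts per client before lockout
LOCKOUT_SECONDS = 300  # how long the lockout lasts


def guess_space_bits(alphabet_size, length):
    """Bits of work to enumerate every token of a given alphabet and length.
    A 4-digit PIN is about 13.3 bits; a 32-byte random token is 256 bits."""
    return length * math.log2(alphabet_size)


class PairingTokens:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}                    # sha256(token) -> session id
        self._failures = defaultdict(list)   # client id -> failure timestamps

    def issue(self, session_id):
        """Create an unguessable token; only its hash is kept server-side,
        so a database leak does not hand out usable tokens."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[sha256(token.encode()).hexdigest()] = session_id
        return token

    def _locked_out(self, client_id, now):
        recent = [t for t in self._failures[client_id]
                  if now - t < LOCKOUT_SECONDS]
        self._failures[client_id] = recent
        return len(recent) >= MAX_FAILURES

    def verify(self, client_id, presented):
        """Return the session id for a valid token, or None.
        A locked-out client gets None even for a correct token, so a
        guessing loop cannot make progress during the lockout."""
        now = self._clock()
        if self._locked_out(client_id, now):
            return None
        digest = sha256(presented.encode()).hexdigest()
        # Constant-time comparison: no timing signal about matching prefixes.
        for stored, session in self._tokens.items():
            if hmac.compare_digest(stored, digest):
                return session
        self._failures[client_id].append(now)
        return None


def demo():
    """Constructed scenario with a controllable clock."""
    clock = [1_000.0]
    store = PairingTokens(clock=lambda: clock[0])
    token = store.issue("session-1")
    results = {
        "valid": store.verify("phone-A", token),
        "wrong": store.verify("phone-A", "not-the-token"),
    }
    for _ in range(MAX_FAILURES):
        store.verify("phone-B", "guess")
    results["locked_out_with_correct_token"] = store.verify("phone-B", token)
    clock[0] += LOCKOUT_SECONDS
    results["after_lockout_expires"] = store.verify("phone-B", token)
    return results


if __name__ == "__main__":
    print(f"4-digit PIN: {guess_space_bits(10, 4):.1f} bits of guessing work")
    print(demo())
```

The primary defence here is token length: at 256 bits no lockout is needed to make guessing hopeless, and the lockout only matters for legacy short tokens or to cut off noisy clients. Key the lockout to whatever identity the deployment can actually bind (an account or an authenticated session), since a client-supplied identifier can be rotated by the party doing the guessing.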