Botnet pwns 100,000 routers using ancient security flaw

From nakedsecurity.sophos.com

Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention.

This one’s been named BCMUPnP_Hunter by discoverers Qihoo 360 Netlab, which says it’s infected at least 100,000 routers in the US, India and China since September.

The BCM part of that name refers to a security flaw affecting a Broadcom router software interface that was first made public in February 2013 by DefenseCode.

The UPnP, of course, is Universal Plug and Play, a longstanding and widely abused networking protocol designed to make it easy for devices to talk to one another without the need for complicated configuration.

We’ll skip the sermon about turning that off if you don’t need it (it’s not the only risky router interface that deserves this treatment after all), and merely note that Qihoo’s use of ‘Hunter’ at the tail end of this bot’s name is a warning.

BCMUPnP_Hunter feels like a despairing story for at least two reasons; the first being the range of products it affects.

Read more…

Unearthing Ransomware Characteristics Using Classification Taxonomy

From tripwire.com


We are familiar with the problem of ransomware – malicious software that seeks to encrypt user data and demand a ransom in return for the decryption key.

There are several defensive measures that help work against crypto-malware. Backups work, in theory, but are not always available or are partial. We need to realize that ransomware does, and will, continue to find victims.

These victims are not eCrime or DefCon or BSides conference attendees. Mostly, these are average computer users. In the past, ransomware developers and operators have gone for the low-hanging fruit – victims who fall for common phishing scams, expose RDP services with poor passwords, neglect security updates, etc. Targeted ransomware is now seeking bigger victims as seen in the case of the City of Atlanta.

In our paper, we assume that crypto-malware has already infiltrated the host. What can be done from this point forward as a corrective measure for victims? Can we get files back without paying the ransom? Here, we realized that not every ransomware is the same. Some can be broken due to their poor cryptosystems. But which ones? We need a classification system.

Read more…

Beware!! World's Most Active Malware Emotet Launching New Campaign With Malicious Word and PDF Attachments

From gbhackers.com

Threat actors have been running a new malicious spam campaign since November 5, and activity has spiked since then, targeting corporate networks and individuals.

The Emotet banking malware has been spreading continually since 2017; it is one of the costliest banking trojans and is currently spreading via a large spam campaign.

It has various advanced features and persistence techniques, along with self-spreading capabilities, to harvest email and banking credentials.

Emotet malware activity has kept increasing since Nov 5, and the campaign appears to be most active in the Americas, the UK, Turkey, and South Africa.

The new malware campaign has emerged again with a new module capable of exfiltrating email content and sending it back to the attackers.

US-CERT has already issued an alert for an advanced Emotet malware attack that targets governments and the private and public sectors in the most destructive way to steal various kinds of sensitive information.

Read more…

Who Hijacked Google’s Web Traffic?

From bankinfosecurity.com

A routing change directed traffic bound for Google through Nigeria, Russia and China on Nov. 12. (Source: ThousandEyes)

Google says it is investigating an unorthodox routing of internet traffic that on Monday sent traffic bound for its cloud services instead to internet service providers in Nigeria, Russia and China.


The routing problems persisted for about two hours before they were fixed, says Alex Henthorn-Iwane, vice president of product marketing for the security company ThousandEyes.

The fact that it affected such a large swath of Google’s networks makes it unlikely the routing was simply an error, especially since it involved network providers within Russia and China, Henthorn-Iwane says.

“It’s not a mistake,” Henthorn-Iwane says. “There’s nothing about this that suggests that this was a mistake.”

Read more…

4 best practices to combat new IoT security threats at the firmware level

From techrepublic.com

Telepresence robots enable physicians to administer care to patients in remote and rural areas, and extend the reach of healthcare to those who otherwise might go without it. The use of telepresence in healthcare isn’t new; it has operated for more than ten years and is an accepted part of medical practice in many care networks.

What has changed for telepresence is the emergence of a new set of security vulnerabilities that attack telepresence robots at the firmware level—where standard IT security practices often don’t extend.

“Robotic telepresence is a next-generation technology that allows a person in one location to replicate himself in another,” wrote Dan Regalado, Security Researcher at IoT security provider Zingbox in a 2018 research report. “The remote person can see you, hear you, interact with you, and move all around your location. But what if the person behind the robot is not who you think he is? What if the robot gets compromised, and now the attacker is watching you and your surroundings?”

Read more…

M&A transactions may be stalling due to GDPR compliance concerns

From helpnetsecurity.com

An increasing number of M&A transactions may be stalling because of concerns over GDPR compliance, according to a survey of EMEA M&A professionals conducted by Merrill Corporation.

GDPR compliance concerns

Overall, the survey highlights the significant role due diligence plays in determining M&A success, while providing insight into the challenges faced by M&A professionals today. The implementation of the GDPR stood out as a major hurdle for mergers and acquisitions, with more than half of respondents (55 percent) citing the compliance and data protection employed by the target company as a primary reason a transaction did not progress.

Additionally, 66 percent of those surveyed believe that GDPR will increase acquirers’ scrutiny of the data protection policies and processes of target companies, further complicating the deal-making process.

Read more…

Internal Chrome Page Shows All Google Interstitial Warnings

From bleepingcomputer.com

An internal Google Chrome page allows users to see all interstitial warnings or notifications that may be encountered while browsing the web with Chrome.

An interstitial warning page is shown when Google wants to warn or notify a user about a particular risk or concern before a web page is loaded into the browser. For example, if a web page has been flagged as a phishing site, it will display the above warning before allowing you to proceed.

At these warning pages, users can decide whether they want to ignore the warning and proceed, or go back to the previous page they were at.

While researching the recent deceptive mobile billing interstitial coming to Chrome 71, I stumbled onto the internal chrome://interstitials page that allows you to view all warnings that are supported by the particular Chrome version you are using. For example, Chrome 70 will have different warning interstitials than Chrome 71.

Read more…