Tuesday, 30 May 2017

The Rise of "Onion-Layered" Attacks, IBM Says

"Onion-layered" security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.

IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried out by two actors: a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated, stealthy attacker who might expand their grip on the victim’s network without being detected for weeks or even months.
"As the name suggests, an 'onion-layered' security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event," the report said.
Such attacks demand large amounts of resources and time to investigate and mitigate, IBM says, given that stealthy attackers use sophisticated tools, are careful to cover their tracks, and use anti-forensic techniques to remain undetected. IBM also notes that anti-virus software alerts about malware on Internet-facing servers, unexpected reboots of servers and other unusual behavior, suspicious log records, and frequent user lockouts are signs that stealthy attackers have infiltrated a network.
Undetected attacks could prove highly damaging to companies, especially if the cybercriminals behind them manage to get hold of valuable data.  
“While the recovery of systems compromised by script kiddie attacks might take only a few days of an operation team’s time and effort, the job of finding a root cause, then fully understanding and remediating the work of the stealthy attackers could take months,” IBM said. Meanwhile, the stealthy attacker could roam the network undetected, ultimately trying to gain access to the client’s crown jewels.
Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.
"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."
Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.
IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.
Subtitle Hack: 200 Million Devices Are Vulnerable, Download Fix For VLC, Kodi, Etc.

A simple but malicious subtitle file can be used to gain control of your PC, TV or smartphone. Check Point researchers have spotted vulnerabilities in VLC, Kodi, Stremio, and Popcorn Time in the way these media players handle subtitle files. As of now, fixes have been released for the media players.

According to a blog post published by Check Point, a subtitle file could be modified to create a new attack vector and compromise devices such as PCs, mobile devices, and TVs running vulnerable media players. Once a device is compromised, the attacker can perform remote code execution, steal data, use the device as a pawn in a DDoS attack, and more.

The researchers say that delivering a cyber attack when subtitles are loaded into a media player is a “completely overlooked technique”. Most people download subtitle files from repositories on the web without giving it a second thought, treating them as no more than innocent text files.

The researchers say that attackers can upload a malicious subtitle to a repository and manipulate the rankings to put their results on the top. This could result in an increase in manual download counts and automatic download counts (by media players).

They also note that subtitles aren’t considered a threat in comparison to traditional attack vectors, which are well known to security companies and users. That’s the reason malicious code hiding in a subtitle file could easily sneak through filters deployed by antivirus software.

The actual vulnerability lies in the way the media players handle subtitle files. One aspect that contributes to the complexity is the large number of subtitle formats, each having its own set of features. Currently, there are around 25 subtitle formats in circulation.

Different media players have their own methods of parsing and combining different subtitle formats in order to enhance the user experience. As a result, the researchers were able to find distinct vulnerabilities in the affected media players.

The list of affected media players includes VLC, XBMC Kodi, Popcorn Time, and Stremio. However, the researchers don’t exclude the possibility of the exploit existing on other media players.

The researchers haven’t published further details as the developers are currently investigating the vulnerability.

Each of the affected media players has millions of users, with VLC topping the list. The last release of VLC (June 5, 2016) has been downloaded more than 170 million times. In total, the researchers estimated that around 200 million devices running the affected media players are exposed to the attack.

Download Subtitle Hack Fix:

Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.

In the case of VLC, the attacker can leverage a memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313), which have been fixed by VideoLAN.

A fix for VLC is available as the latest version, 2.2.5.1, on VideoLAN’s website. The same is the case for Stremio.

The developers of Popcorn Time and Kodi have created a fix, but it has not been released to the public yet. For Popcorn Time, you can download the fix manually using this link provided by the researchers. Head over to GitHub, where you can find a source code fix for XBMC Kodi.

Sunday, 28 May 2017

3 Nigerian Scammers Get 235-Years of Total Jail Sentence in U.S.

You may have heard of hilarious Nigerian scams. My all time favourite is this one:

A Nigerian astronaut has been trapped in space for the past 25 years and needs $3 million to get back to Earth, Can you help?

Moreover, Nigerians are also good at promising true love and happiness.

But you know, love hurts.

Those looking for true love and happiness lost tens of millions of dollars over the Nigerian dating and romance scams.
These criminals spend their whole day trolling the online dating sites for contact emails and then send off hundreds of thousands of fraudulent emails awaiting the victim's response.

A US federal district court in Mississippi has sentenced three such Nigerian scammers to a collective 235 years in prison for their roles in a large-scale international fraud network that duped people out of tens of millions of dollars.

The three Nigerian nationals were part of a 21-member gang of cyber criminals, of which six, including Ayelotan, Raheem, and Mewase, were extradited from South Africa to the Southern District of Mississippi in July 2015 to face charges in the case.

  • Oladimeji Seun Ayelotan, 30, faces up to 95 years in prison
  • Rasaq Aderoju Raheem, 31, faces up to 115 years in prison
  • Femi Alexander Mewase, 45, faces up to 25 years in prison

A federal jury found all of them guilty of offenses involving mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property, the US Department of Justice announced Thursday.

Also, Ayelotan and Raheem were found guilty of conspiracies to commit bank fraud and money laundering, which is why they have been given longer prison sentences.
Until now, the justice department has charged a total of 21 suspects in this case: 12 defendants have already pleaded guilty to charges related to the conspiracy while 11 have been sentenced to date.

The gang has been operating since 2001 and ran a variety of online scams, including romance scams, where the criminals used the false identity of love-struck girlfriends on a dating site to establish a romantic relationship with unsuspecting victims.

Once the gang members gained the victim's trust and affection, they would convince them to carry out their money laundering schemes and launder money from other rackets via MoneyGrams and Western Union, or resend electronics and other goods bought with stolen credit cards to countries where they could be sold for a profit.

The gang members were arrested by South African police in a joint operation with U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) and the U.S. Postal Inspection Service in December 2015.

However, Nigerian scams will never die, and you could be their next victim.
Saturday, 6 May 2017

Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

WordPress, the most popular CMS in the world, is affected by a logic vulnerability that could allow a remote attacker to reset a targeted user's password under certain circumstances.

The vulnerability (CVE-2017-8295) is all the more dangerous because it affects all versions of WordPress, including the latest 4.7.4 version.

The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July last year and reported to the WordPress security team, who decided to ignore this issue, leaving millions of websites vulnerable.
"This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch."
Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.

The vulnerability lies in the way WordPress processes the password reset request for the user for whom it has been initiated.

In general, when a user requests a password reset through the forgot-password option, WordPress immediately generates a unique secret code and sends it to the user’s email ID already stored in the database.

What's the Vulnerability?


While sending this email, WordPress uses a variable called SERVER_NAME to obtain the hostname of a server to set values of the From/Return-Path fields.
Here, "From" refers to the email address of the sender and "Return-Path" refers to the email address where 'bounce-back' emails should be delivered in the case of failure in the delivery for some reason.

According to Golunski, an attacker can send a spoofed HTTP request with a predefined custom hostname value (for example attacker-mxserver.com), while initiating password reset process for a targeted admin user.

Since the hostname in the malicious HTTP request is an attacker-controlled domain, the From and Return-Path fields in the password reset email will be modified to include an email ID associated with the attacker's domain, i.e. wordpress@attacker-mxserver.com, instead of wordpress@victim-domain.com.
"Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper," Golunski says.
Don't get confused here: the password reset email will be delivered to the victim's email address only, but since the From and Return-Path fields now point to the attacker's email ID, the attacker can also receive the reset code under the following scenarios:

  1. If the victim replies to that email, the reply will be delivered to the attacker's email ID (mentioned in the 'From' field), containing the password reset link in the message history.
  2. If, for some reason, the victim's email server is down, the password reset email will automatically bounce back to the email address mentioned in the "Return-Path" field, which points to the attacker's inbox.
  3. In another possible scenario, to forcefully retrieve the bounce-back email, the attacker can perform a DDoS attack against the victim's email server or send a large number of emails, so that the victim's email account can no longer receive any email.


"The CVE-2017-8295 attack could potentially be carried out both with user interaction (the user hitting the 'reply' button scenario), or without user interaction (spam victim's mailbox to exceed their storage quota)," Golunski told The Hacker News in an email.
For obvious reasons, this is not a sure-shot method, but in the case of targeted attacks, sophisticated hackers can manage to exploit this flaw successfully.

Successful exploitation also depends on the web server: even if the WordPress website is flawed, not all web servers allow an attacker to modify the hostname via the SERVER_NAME header, and that includes WordPress hosted on any shared servers.
"SERVER_NAME server header can be manipulated on default configurations of Apache Web server (most common WordPress deployment) via HOST header of an HTTP request," Golunski says.
Since the vulnerability has now been publicly disclosed with no patch available from the popular CMS company, WordPress admins are advised to update their server configuration to enable UseCanonicalName to enforce a static/predefined SERVER_NAME value.
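The header flow and the UseCanonicalName mitigation described above, as an added example that is not code from WordPress, Apache or Golunski's advisory. It is a simplified model: the function names, the `SITE_HOST` value and the sample message are assumptions constructed for illustration, and the check at the end is one a site owner could run over reset mail captured from their own server.

```python
from email import message_from_string
from email.utils import parseaddr

SITE_HOST = "victim-domain.com"  # assumption: the site's configured ServerName


def apache_server_name(host_header, use_canonical_name, configured=SITE_HOST):
    """Simplified model of how Apache fills SERVER_NAME for a request.

    UseCanonicalName Off: taken from the client-supplied Host header.
    UseCanonicalName On:  always the configured ServerName.
    """
    if use_canonical_name:
        return configured
    # Drop an optional :port and normalise case, as a hostname comparison needs.
    return host_header.split(":", 1)[0].strip().lower()


def reset_mail(server_name, recipient):
    """Constructed reset mail whose sender is wordpress@<SERVER_NAME>."""
    sender = "wordpress@" + server_name.lower()
    return (
        f"From: WordPress <{sender}>\n"
        f"Return-Path: <{sender}>\n"
        f"To: {recipient}\n"
        "Subject: Password Reset (constructed sample)\n"
        "\n"
        "Reset link omitted in this sample.\n"
    )


def sender_mismatches(raw_message, allowed_domains):
    """Return (header, address) pairs whose domain the site does not own.

    A missing header yields an empty address and is reported as well.
    """
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Return-Path"):
        _, address = parseaddr(msg.get(header, ""))
        domain = address.rpartition("@")[2].lower()
        if domain not in allowed_domains:
            findings.append((header, address))
    return findings


def audit(host_header, use_canonical_name):
    """Run one request through the model and check the resulting mail."""
    name = apache_server_name(host_header, use_canonical_name)
    mail = reset_mail(name, "admin@" + SITE_HOST)
    return sender_mismatches(mail, {SITE_HOST})


if __name__ == "__main__":
    for setting in (False, True):
        label = "On" if setting else "Off"
        print("UseCanonicalName", label, audit("attacker-mxserver.com", setting))
```

With the setting off, both From and Return-Path are reported for the mismatched Host header; with it on, the mail carries the site's own domain and nothing is reported.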
Hundreds of Apps Using Ultrasonic Signals to Silently Track Smartphone Users

Your smartphone may have some apps that are continuously listening for inaudible, high-frequency ultrasonic sounds from your surroundings, and they know where you go and what you like and dislike, all without your knowledge.

Ultrasonic Cross-Device Tracking is a new technology that some marketers and advertising companies are currently using to track users across multiple devices and have access to more information than ever before for ad targeting.

For example, retail stores you visit, a commercial on TV or an advertisement on a web page can emit a unique "ultrasonic audio beacon" that can be picked up by your device’s mobile application containing a receiver.

This information helps advertisers create your personalized profile and collect your interests by figuring out that both devices probably belong to you, allowing them to target you with interest-based advertisements.

More & More Apps Have Started Using Ultrasonic Tracking Technology


In fact, while presenting research last week at the IEEE European Symposium on Security and Privacy, security researchers said they discovered 234 Android applications that ask permission to access your smartphone’s microphone to incorporate a particular type of ultrasonic beacon to track consumers.

Moreover, the researchers found that 4 of the 35 retail stores they visited in Germany have ultrasonic beacons installed at the entrance.

According to investigators, SilverPush, Lisnr, and Shopkick are three SDKs that use ultrasonic beacons to send messages to the mobile device. While SilverPush allows developers to track users across multiple devices, Lisnr and Shopkick perform location tracking.

The researchers analyzed millions of Android apps and discovered only a few that were using the Shopkick and Lisnr SDKs, but there were many more that were using the SilverPush SDK.

Serious Privacy Concerns

Although cross-device user tracking technologies are currently being used for legitimate purposes, they have already raised some serious privacy concerns.

Since an app requires no mobile data nor Wi-Fi connection, but only microphone access to listen to beacons, tracking works even when you have disconnected your phone from the Internet.

In fact, a team of researchers last year demonstrated how ultrasonic sounds emitted by ads on a web page accessed through Tor can be used to deanonymize Tor users by making nearby phones or computers send identification information, such as location and IP, back to advertisers.

"The case of SilverPush emphasizes that the step between spying and legitimately tracking is rather small. SilverPush and Lisnr share essential similarities in their communication protocol and signal processing. While the user is aware of Lisnr location tracking, SilverPush does not reveal the application names with the tracking functionality," the research paper reads.

In 2014, the Snowden revelations disclosed how spying agencies were tracking foreign travelers’ movements across the city by capturing their device's unique MAC address at the airport and then comparing it with the data collected by free WiFi hotspots installed in various coffee shops, restaurants, and retail stores.

This incident could also be another great example, showcasing how an intelligence agency could use this ultrasonic cross-device tracking technology to track your movements across the country.

How can You Protect Yourself?


Since you cannot stop ultrasonic beacons from emitting sound frequencies around you, the best way to reduce the chance of your smartphone listening for beacons and feeding data to a third party is to simply restrict unnecessary permissions you have granted to the apps installed on your device.

In other words, use your common sense.

For example, Skype wants microphone access? Fair enough, as it is necessary for Skype to work as intended. But what about if an app for beauty or clothing store wants microphone access? No way.

To revoke such unnecessary app permissions, some Android phone manufacturers, like OnePlus, provide a feature called Privacy Guard that allows users to block app permissions that do not have anything to do with the primary function of the app.

Navigate to Settings → Personal → Privacy → Privacy Guard. Now select any from the list of apps and edit unnecessary permissions you have granted it.

A similar feature has been included in Android 7. Navigate to Settings → Apps → App Permissions. Now edit the privileges you’ve granted each app.

For iOS 10 users: Go to Settings → Privacy → Microphone to see which apps have requested access to it, and which apps you have granted it to.
Warning! Don't Click that Google Docs Link You Just Received in Your Email

Did someone just share a random Google Doc with you?

First of all — Do not click on that Google Doc link you might have just received in your email and delete it immediately — even if it's from someone you know.

I, my colleagues at The Hacker News, and even people all around the Internet, especially journalists, are receiving a very convincing OAuth phishing email, which says that the person [sender] "has shared a document on Google Docs with you."

Once you click the link, you will be redirected to a page which says, "Google Docs would like to read, send and delete emails, as well as access to your contacts," asking your permission to "allow" access.

If you allow the access, the hackers would immediately get permission to manage your Gmail account with access to all your emails and contacts, without requiring your Gmail password.

But how? The "Google Docs" app that requests permissions to access your account is fake and malicious; it is created and controlled by the attacker.

You should know that the real Google Docs invitation links do not require your permission to access your Gmail account.

Anything Linked to Compromised Gmail Accounts is at Risk


Once the app controlled by the attacker receives permissions to manage your email, it automatically sends the same Google Docs phishing email to everyone on your contact list on your behalf.

Since your personal and business email accounts are commonly used as the recovery email for many online accounts, hackers could potentially get control over those online accounts, including Apple, Facebook, and Twitter.

In short, anything linked to a compromised Gmail account is potentially at risk, and even if you enabled two-factor authentication, it would not prevent hackers from accessing your data.

Meanwhile, Google has also started blacklisting malicious apps being used in the active phishing campaign.
"We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail," Google tweeted.
This Google Docs phishing scheme is spreading incredibly quickly, hitting employees at multiple organizations and media outlets that use Google for email, as well as thousands of individual Gmail users who are reporting the same scam at the same time.

If you have somehow clicked on the phishing link and granted permissions, you can remove permissions for the fraudulent "Google Docs" app from your Google account. Here’s how you can remove permissions:

  1. Go to your Gmail account's permissions settings at https://myaccount.google.com and sign in.
  2. Go to Security and Connected Apps.
  3. Search for "Google Docs" from the list of connected apps and Remove it. It's not the real Google Docs.

Update: Google Docs Phishing Scam Hits Nearly One Million Users

Google said that last night's Google Docs phishing campaign affected "fewer than 0.1%" of Gmail users, which means nearly one million people were affected by it, handing over their email access to attackers.