14 December 2018
New Android Trojan That Masquerades as a Performance-boosting App
Security researchers have discovered a new Android Trojan disguised as a performance-boosting app. Its goal is to steal victims' PayPal accounts, and not even accounts protected by 2-factor authentication are safe. When a user launches the app it appears to crash immediately; in reality it keeps running in the background. It then pops up a fake Android security prompt asking the user to enable what looks like a legitimate statistics service. What the user is actually doing is enabling an accessibility service that lets the malware do its dirty work. If the malware finds the PayPal app installed on the victim's phone, it takes things to the next level: an alert pops up urging the user to sign in to PayPal. Once they're signed in, the malware uses the accessibility service to mimic user input in the PayPal app, and those invisible taps attempt to send cash to the attacker's own PayPal accounts. 2-factor authentication can't protect PayPal users from this particular attack because the login step is the one they're used to: a user who has fallen for the fake alert will find punching in a 2FA code a perfectly normal thing to do, especially since it happens right in the PayPal app.
Samsung Fixed a Bug That Could Have Allowed Hackers to Take Over User Accounts
Samsung fixed a vulnerability in its account management system that could have allowed hackers to take control of any Samsung account by tricking users into clicking on a malicious link. The vulnerability was discovered by a Ukrainian bug bounty hunter, Artem Moskowsky, who reported it to Samsung this month. The exploit is classified as a Cross-Site Request Forgery (CSRF) vulnerability – a term used to denote vulnerabilities that allow hackers to hoodwink a browser into running hidden commands on other sites that the users are logged into while they’re on the hacker’s site. Moskowsky discovered three CSRF vulnerabilities in Samsung’s account management system – all of which involve a user clicking on a malicious link. The first vulnerability allowed attackers to modify account profile details; the second one permitted them to disable two-factor authentication (if enabled), while the third and the most severe vulnerability let hackers change the user’s account security question and answer. The third vulnerability was catastrophic since Samsung allowed resetting account passwords by answering security questions. This meant an attacker could initiate a password recovery on the account login page and reset the password using the new security question, thereby gaining full access to the user account that can contain private notes, health data, smart home controls and location data.
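To make the CSRF mechanism described above concrete, here is an added illustration (not Samsung's code): a minimal Python model of a "change security question" endpoint in a vulnerable form that trusts the session cookie alone, next to a hardened form that requires a POST, a per-session token the attacker's page cannot read, and a matching Origin header. The session store, site origin and request shape are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (hypothetical): session id -> session data.
SESSIONS = {"sess-A": {"user": "alice", "question": "first pet?", "answer": "rex",
                       "csrf": secrets.token_hex(16)}}
SITE_ORIGIN = "https://account.example"   # placeholder origin of the account site

@dataclass
class Request:
    method: str
    cookies: dict                                 # sent automatically by the browser
    params: dict = field(default_factory=dict)    # query string or form fields
    headers: dict = field(default_factory=dict)

def set_security_question_vulnerable(req):
    """Vulnerable pattern: a state change authorised by the session cookie alone.
    A link on a third-party page makes the browser attach the cookie, so the
    change goes through even though the victim never intended it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    sess["question"], sess["answer"] = req.params["question"], req.params["answer"]
    return 200

def set_security_question_hardened(req):
    """Hardened pattern: POST only, Origin must be our own site, and the request
    must carry the per-session CSRF token (compared in constant time)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
        return 403
    sess["question"], sess["answer"] = req.params["question"], req.params["answer"]
    return 200

def simulate_forged_request(handler):
    """Models a logged-in victim following a link from another site: the cookie
    rides along, but the Origin is foreign and no session token is present."""
    req = Request(method="GET", cookies={"sid": "sess-A"},
                  params={"question": "evil?", "answer": "pwned"},
                  headers={"Origin": "https://attacker.example"})
    return handler(req)
```

Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer on top of the token check.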
Critical Security Vulnerability in Google+'s People API
Google revealed that Google+ has suffered another data breach, prompting the company to shut down the social network four months earlier than originally scheduled. Google said it discovered another critical security vulnerability in one of Google+'s People APIs that could have allowed developers to obtain private information on 52.5 million users, including their name, email address, occupation, and age. The vulnerable API is called "People: get" and is designed to let developers request basic information associated with a user profile. However, a software update in November introduced a bug in the Google+ People API that allowed apps to view users' information even if the profile was set to not-public. Google engineers discovered the issue during standard testing procedures and addressed it within a week of its introduction. The company said it found no evidence that the vulnerability was exploited or that users' data was misused by any third-party app developers. Google said it will shut down the social network in April 2019 instead of August.
Three Newly Discovered phpMyAdmin Vulnerabilities
phpMyAdmin developers released updated version 4.8.4 of the software to patch several important vulnerabilities that could eventually allow remote attackers to take control of affected web servers. Here are the three vulnerabilities:
Local file inclusion (CVE-2018-19968) — phpMyAdmin versions from at least 4.0 through 4.8.3 include a local file inclusion flaw that could allow a remote attacker to read sensitive contents from local files on the server through its transformation feature.
Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969) — phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 include a CSRF/XSRF flaw which, if exploited, could allow attackers to perform harmful SQL operations such as creating, modifying or deleting database entries, just by tricking victims into opening specially crafted links.
Cross-site scripting (XSS) (CVE-2018-19970) — The software includes a cross-site scripting vulnerability in its navigation tree, affecting versions from at least 4.0 through 4.8.3, through which an attacker can inject malicious code into the dashboard via a specially crafted database or table name.
To address all of the above vulnerabilities, phpMyAdmin developers released version 4.8.4 and separate patches for some previous versions. Website administrators and hosting providers are strongly advised to install the latest update or patches immediately.
Linux.org Domain Hijacked
The Linux.org domain was hijacked, with the hacker plastering the message "G3T 0WNED L1NUX N3RDZ" across it. The real administrator of the site, Mike McLagan, immediately 'fessed up on Reddit and said the vandal had managed to hack into his partner's Network Solutions registrar account and switch the Linux.org DNS servers to their own site. The series of events was confirmed by a screenshot posted by the hacker themselves on a new Twitter account, @kitlol5, that showed them inside Michelle McLagan's account with access to a series of domains including linuxonline.com, linuxhq.com and linux.org. The hacker took them all down. The miscreant then decided to take offense at the existence of transgender Linux developer Coraline Ada Ehmke, posting an article to an alt-right website slamming her and then posting her personal details, including email and home addresses. Finally, at around 0300 GMT, after three-and-a-half hours of ring-piece vandalism, the Linux.org owners managed to get the site redirected. Lesson to be taken from all this: put multi-factor authentication on your registrar account. It's also another sign that the changes forced onto Whois by European GDPR data laws, under which private details are currently hidden, may actually benefit many internet users. It may make sense for people to take this opportunity to change their domain contact email addresses so that old Whois records are no longer accurate.
Hackers Controlling a “botnet” of Over 20,000 Infected WordPress Sites
Hackers controlling a “botnet” of over 20,000 infected WordPress sites are attacking other WordPress sites. The botnet has attempted up to five million malicious WordPress logins within the past thirty days. According to a report from The Defiant Threat Intelligence team, the hackers behind this attack are using four command and control servers to send requests to over 14,000 proxy servers from a Russian provider. Those proxies are then used to anonymize traffic and send instructions and a script to the infected WordPress “slave” sites specifying which other WordPress sites to target. The servers behind the attack are still online and primarily target the XML-RPC interface of WordPress to try combinations of usernames and passwords for admin logins. Attacks on the XML-RPC interface aren’t new and date back to 2015. If you’re concerned that your WordPress site might be affected by this attack, The Defiant Threat Intelligence team recommends enabling restrictions and lockouts for failed logins. You can also consider using WordPress plugins that protect against brute force attacks, such as the Wordfence plugin. The Defiant Threat Intelligence team has shared information on the attacks with law enforcement authorities. Unfortunately, the four command and control servers can’t be taken offline because they are hosted by a provider that doesn’t honor takedown requests. Still, researchers will be contacting the hosting providers of the infected slave sites to try to limit the scope of the attack.
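Because the campaign hammers the XML-RPC interface, a site owner can spot it in ordinary web-server logs. The following is an added example, not part of the report or of the Defiant team's tooling: a small Python detector that parses constructed access-log lines in combined log format and flags any source IP that sends a burst of POSTs to xmlrpc.php within a short window. The log lines, IP addresses, threshold and window are all constructed/assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Dec/2018:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2018:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Dec/2018:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
198.51.100.4 - - [13/Dec/2018:10:07:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Jetpack"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_xmlrpc_posts(log_text):
    """Return {ip: [timestamps]} for POSTs to /xmlrpc.php. XML-RPC reports a
    failed login as a fault inside an HTTP 200 body, so the status code is not
    a useful failure signal; request volume per source is."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/xmlrpc.php":
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return hits

def flag_brute_force(hits, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with at least `threshold` XML-RPC POSTs inside any `window`
    (sliding window over the sorted timestamps of each source)."""
    flagged = []
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_brute_force(parse_xmlrpc_posts(SAMPLE_LOG)))   # ['203.0.113.7']
```

Legitimate XML-RPC users (here the constructed "Jetpack" client) stay below the threshold, which is the same distinction a failed-login lockout rule draws.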