
    Billing fraud apps can disable Android Wi-Fi and intercept text messages

    news.movim.eu / ArsTechnica · 6 days ago - 20:47 · 1 minute


Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such "toll fraud" malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider's web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:


    Microsoft Exchange servers worldwide hit by stealthy new backdoor

    news.movim.eu / ArsTechnica · 7 days ago - 21:57


Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.

Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, Kaspersky said, 20 organizations remained infected.

Stealth, persistence, power

Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.


    ZuoRAT Malware Is Targeting Routers

    news.movim.eu / Schneier · 7 days ago - 20:04

Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets:

So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

More details in the article.


    YouTube content creator credentials are under siege by YTStealer malware

    news.movim.eu / ArsTechnica · Wednesday, 29 June - 22:25


In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals authentication credentials belonging to YouTube content creators.

“What sets YTStealer aside from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” Joakim Kennedy, a researcher at security firm Intezer, wrote in a blog post on Wednesday. “When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”

As soon as the malware obtains a YouTube authentication cookie it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized.


    Be wary of Excel too: hackers are using it to trap employees

    news.movim.eu / Numerama · Wednesday, 29 June - 09:31

Cybersecurity researchers have discovered that the well-known spreadsheet software, Excel, was being used by hackers to spread malware. Several fraudulent links containing the payload were still online. [Read more]


    A wide range of routers are under attack by new, unusually sophisticated malware

    news.movim.eu / ArsTechnica · Wednesday, 29 June - 00:01


An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A high level of sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.


    Whatever you do, don't download these 5 apps from Google Play: they contain malware

    news.movim.eu / Numerama · Wednesday, 15 June - 09:35

Cybersecurity experts have spotted five apps containing malicious programs. Once downloaded, they can steal Facebook credentials. [Read more]


    M1 Chip Vulnerability

    news.movim.eu / Schneier · Tuesday, 14 June - 20:01 · 1 minute

This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called “Pacman,” works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution—a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation—to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

What’s more, since there are only so many possible values for the PAC, the researchers found that it’s possible to try them all to find the right one.

It’s not obvious how to exploit this vulnerability in the wild, so I’m unsure how important this is. Also, I don’t know if it also applies to Apple’s new M2 chip.

Research paper. Another news article.