East Asia have been targeted by a stream of cyber-attacks carried about by an advanced persistant threat (APT) group. The group goes by several names such as Tick, Brzone Butler and Redbaldknight.

The APT group’s main targets are South Korea and Japan. This current wave of Datper malware attacks is written in Delphi and is capable of executing shell commands to gain information from the infected machine, such as hostnames and drive information.

Security researchers from Cisco Talos have stated It is not yet known how the attacks are being conducted since command and control (C2) servers in question are not active. However, they say it’s possible the malware is being delivered using web-based attacks such as drive-by downloads, or by watering hole attack. Watering hole attacks is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.

Could this signal the re-emergence of Comment Crew

A fresh wave of APT cyber-attacks has hit South Korea, but also US and Canada, causing some to believe this could spell the re-emergence of Chinese government backed hacking group Comment Crew. Security company McAfee claimed they have discovered a new hacking campaign that focuses on cyberespionage and data reconnaissance.

Comment Crew or otherwise known as Shanghai Group or APT1 is thought to be responsible for the majority of China’s cyber-attacks since 2006. In 2013 they were linked to the successful hacks of over 100 US companies, but vanished soon after the exposure, along with hundreds of terabytes of data. The Chinese government maintains that they do not sponsor hacking and claim to be a victim to hacking campaigns themselves.

McAfee has found malware that reuses some of the code that was uses in a campaign called Seasalt that was introduced by APT1 around 2010. The reason this is interesting is because this code was never released publicly, lending authority to McAffee’s claims.

A recent campaign, named Operation Oceansalt has been linked to Comment crew. Operation Onceansalt started in May this year and was seen to be targeting Korean speaker with a data reconnaissance implant. Four more waves have since been detected, aimed against companies in South Korea, the United States and Canada.

The Oceansalt implant gives attackers full control of any system or network it is connected to, however, is mainly used for espionage activity. McAffee acknowledged that the implant allows for information to be sent to a control server and commands can also be executed on infected machines, however the full extent of its purpose is not known.

The waves of attacks

The first wave of attacks happened when a South Korean website was compromised, allowing for a spear-phishing campaign to take place. This was done through Microsoft excel email attachments.

For the first two waves of the attack the targets were South Korean public infrastructure officials. The third round of malware documents was distributed from another compromised South Korean website, and the content related to the financials of the Inter-Korean Cooperation Fund.

In the fourth wave involved the targeting of investment, healthcare, banking and agriculture industries in the US and Canada. There are few details around the extent or damage of this wave.

The fifth wave primarily targeted South Korea and the United States using Oceansalt implant.

Although the full motive of the attack is unclear, there is speculation that it could be financial, or a small part of a much larger attack.

The post The APT attacks hitting East Asia appeared first on Hack Ware News.

A malicious app called “Album by Google Photos” was found to be hosted on the Microsoft store. The app was pretending to be part of Google Photos, but was in fact an ad clicker that generates hidden adverts within the Windows 10 Operating System.

The ad clicker app seemed credible to users because of its name, and also the fact it claimed to be created by Google LLC, Google’s actual Microsoft store account is Google Inc, but it looks unsuspecting to users. Microsoft came under some criticism for not realising the app was actually malicious software since the user reviews did highlight that the app was fake, with plenty of 1* reviews. One review states “ My paid Anti-malware solution detected several attempts to download malware by this app. Watch out”. The App was first released on the Microsoft store in May.

What did the application do?

The “Album by Google Photos” app is a Progressive Web Application (PWA), which acts as the front end for Google Photos and includes a legitimate login screen. Hidden in the app bundle is also an ad clicker which runs in the background and generates income for the app developers.

The app connects to ad URLS, and the ads were very similar to what users would see from typical adware, including tech support scams, random chrome extensions, fake flash and java installs and general low-quality sites.

Microsoft haven’t commented how this app managed to pass the Microsoft review process before ending up on the store.  This is somewhat concerning since it could mean other malicious apps of a similar nature have flown under the radar and are still infecting user’s computers. We are waiting for Microsoft to comment on the issue.

The post Ad Clicker Disguised as a Google Photos App has been Hosted on Microsoft Store. appeared first on Hack Ware News.

At the end of September, it was revealed that a Facebook security flaw allowed the access tokens of over 50 Million accounts to be stolen. Access tokens allow users to stay signed in on devices, rather than signing in every time they interact with a Facebook app. On Friday 12 October, after weeks of investigation, Facebook reported that the actual number of accounts affected was 30 million, not 50.

The investigation into how this was made possible, and the extent of the data stolen is still ongoing, but Facebook have said there is no need for users to log out or change their password. Facebook forced 90 million users to log out when the breach was discovered.

Users can use this page to check if they were one of the accounts affected in the incident, as well as read any recent findings from the investigation. When you visit page, if you are not one of the affected users it will tell you this in a statement towards the bottom of the page, and there is no further action required from you other than remaining security conscious when it comes to passwords and such. You will also see a message saying your account hasn’t been compromised if you are one of the one million users to who their tokens stolen but information remained safe.

If you fall into the other 29 million users camp, then you will see one of two messages, depending on the level of your information that was stolen. Fifteen million users had their name, email addresses and phone numbers compromised by hackers. While this is serious enough itself, the other 14 million have a more serious data breach problem.

The other 14 million have had the above information stolen, as well as their username, date of birth, devices you use, gender, language settings and possibly more data such as religious and political views. It’s also possible that they accessed your 10 most recent locations and 15 most recent searches, giving a detailed window into your online presence.

There is currently no evidence that hackers used the vulnerability to attack third-party apps and services to gather more information, which was technically possible.  Facebook also continues to report that no passwords of credit card information has been compromised. We are yet to see the full fallout from the breach, but there is also evidence that Facebook logins are being sold on the dark web.

While that data is now out there in the hands of attackers, Facebook has used their support page to offer some advice on avoiding phishing schemes. This is a good move from Facebook, but it doesn’t make up for the grievous level of the data breach and the users it has left vulnerable to tailored phishing attacks now their data is out there.

Photo by Glen Carrie on Unsplash

The post How to guide: Check if your Facebook Account has been hacked? appeared first on Hack Ware News.

Tenable researcher, Jacob Baines, has discovered multiple vulnerabilities in the Mikrotik routers; four separate security flaws that are vulnerable to hacking attacks. Mikrotik made it into the news in September after it was discovered routers had been hijacked using a security flaw on the RouterOS, and attackers we able to spy on users.

RouterOS, Mikrotik’s operating system was found to have around four security flaws. This includes a remote code execution vulnerability (CVE-2018-1156), File upload memory exhaustion flaw (CVE-2018-1157), recursive JSON parsing stack exhaustion (CVE-2018-1158), and www memory corruption (CVE-2018-1159).

While these are separate vulnerabilities, they all require legitimate user credentials before being able to exploit. These vulnerabilities are particularly dangerous, allowing an attacker to gain full control of the system, by remote attacks.

This security vulnerability has been exploited in the past, memorably the hacking of 7500 routers for intercepting user’s traffic and the cryptojacking campaign in which routers were exploited for cryptocurrency mining.

According the Tenable the multiple vulnerabilities affected RouterOS versions 6.42.6 and 6.40.8. Tanable contacted MikroTik in May 2018 to inform them about the flaws, after which Mikrotik released patches to fix the issue. However, not everyone is vigilant with patching their router when these flaws become known, and Jacob Baines has estimated that around 200,000 routers across the world may still be open to this exploit.

We second Tenable’s statement in encouraging users to update their system to the latest patch at the earliest possible time to help protect against these security vulnerabilities.

The post Several vulnerabilities found in RouterOS that Affected MikroTik Routers appeared first on Hack Ware News.

The implant was found to be built into the server’s Ethernet port, giving the spies access to the company’s networks. The server was created by Supermicro, a Chinese manufacturing company who were originally reported to have supplied the spying chip servers in last week’s report.

Bloomberg has come under intense scrutiny following the report’s publishing due to lack of clarity around their sources. Because they haven’t revealed the sources, and because many of the 30 companies, including Apple and Amazon have come forward to deny the allegations, some people are calling into question the legitimacy of the report. However, despite Apple’s initial denial, they later came forward to say they did find an inserted chip on one of their servers, used for testing in their labs. This server was provided by Supermicro.

The Department of Homeland Security put forward a statement on Saturday to say

we have no reason to doubt the statements from the companies named in the story

by companies they are referring to Apple and Amazon, who have both denied the Bloomberg report allegations. The UK’s primary cyber security agency GCHQ have stood by Homeland security’s statement. Apple’s vice president of information security, George Stathakopoulos has said he will make himself available for questioning this week.

The report also fails to name the major telecommunications company in question, adding to this frustration around lack of transparency over the claims.

The post Major US telecom hacked by tampered Chinese Ethernet port appeared first on Hack Ware News.

Google first discovered the bug in March 2018 and released a patch and a statement to say that there was no evidence of misuse or evidence of the vulnerability being exploited. However, Google felt that the effort involved in protecting user data on the social network outweighs the benefit of keeping the functionality running, when it hasn’t proven to be a very popular social network. They are set to close the consumer functionality of Google+ over a 10-month period.

After performing a code review of the Google+ APIs, they discovered a bug that could leak the personal information of Google+ account users. The bug allows a user to use installed apps to utilize the API and see personal information of that user’s friends. This personal information includes name, email address, occupation, gender and age.

Although Google has said they have seen no evidence the bug was exploited, it’s not possible for them to know if it has, or the extent, since they only keep two weeks of API logs for the Google+ service.

A report done by the Wall Street Journal stated that the bug existed between 2015 to March 2018 when it was patched. Google decided not to disclose the bug even though they weren’t sure it wasn’t exploited. The Wall Street Journal reported they have seen a memo by Google’s legal team advising not to disclose the data breach in case it attracts negative attention from government agencies around data protection.

A Google spokesperson has said they didn’t disclose the breach because it didn’t reach the necessary threshold to warrant informing users.

The post Google+ Shutting down after info from 500k Accounts is leaked appeared first on Hack Ware News.

The servers are designed in the US by an American company called Super Micro, and do not include the chip in their designs. It is thought the chip must have been added in China, during the manufacturing process for the servers. The chip is an example of a “hardware hack” where hardware is modified to perform functions that wasn’t originally intended in the design. It is suspected the purpose of the chip is to spy on American companies and their users.

The lengthy publication by Bloomberg reports that Apple and Amazon were among those companies affected, but both companies refute the claim. An Apple spokesperson told Bloomberg that they had no history of finding malicious chips or hardware manipulations in any of its servers. Apple no longer used Super Micro servers after ending their contract with them in 2016.

Amazon also disputes the claims about their servers containing malicious chips and says they have not worked with the FBI to investigate malicious hardware within the company. Super Micro join Apple and Amazon in denying the claims about its servers.

In response to the allegations, China’s Ministry of Foreign Affairs released a statement saying “China is a resolute defender of cybersecurity. It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit. Supply chain safety in cyberspace is an issue of common concern, and China is also a victim. China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011. It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]

The post Chinese Spying Chips Found Hidden on US companies’ servers appeared first on Hack Ware News.

However, there is a new phishing attack that stores their phishing form on Azure Blob Storage, so that it is secured by a Microsoft SSL certificate, giving an air of legitimacy to its victims. The phishing attack is an Office 365 based attack.

Azure Blob storage is a service that allows for storing large amounts of unstructured object data, such as text or binary data. This data can then be accessed anywhere in the world using HTTP or HTTPS. When the user connects via HTTP or HTTPS, a SSL certificate will be displayed, making it difficult for even competent users to tell it’s a phishing attack.

Cloud security provider Nekskope recently discovered this method being used. The attackers have been sending victims emails with a PDF attachment that pretend to be from a law firm in Denver. The attachments are innocently named “Scanned document. Please review” and contains a button to download the PDF. When the target clicks on the button they are brought to a HTML page masquerading as an Office 365 login form. The URL may trigger some savvy users to be suspicious, but the SSL may be enough to convinced them that this is a secured and legitimate Microsoft site.

Once Clicked on the “Download PDF”button, you are presented with message that the document is trying to connect to Azure blob storage

In order to protect yourself from this type of attack Netskope advises that companies would properly educate their users to recognise non-standard URL addresses. If users could easily recognise the legitimate address and be suspicious of any change in the web address then they would be less likely to fall victim to this type of phishing scam.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]

The post Azure Blob Storage phishing attack impersonates Microsoft appeared first on Hack Ware News.

Sales engagement company Apollo have announced that hackers have stolen over 200 million data records. They reported the breach was on its contact database. Apollo have informed their customers of the breach via email. The breach was noticed “weeks after system upgrades in July”.

The database in question contains publicly available data including names, employer details, job titles, social media account names, phone numbers and email addresses. Tim Zheng, Apollo Chief Executive claims he informed customers in line with their values around transparency, however he has declined to answer questions on the topic.

We have confirmed that the majority of exposed information came from our publicly gathered prospect database, which could include name, email address, company names, and other business contact information. Some client-imported data was also accessed without authorization.

Although this a large scale and serious data breach, Apollo have assured customers that financial, social security and other sensitive data has not been stolen and remains unaffected. Investigations have been underway since the breach was noticed. As of now there is little information about the investigation or its findings.

With the kind of information stolen by the attackers it poses a long terms security threat where they can send personalised phishing emails. However, this attack poses a less immediate security threat than if account names and passwords were stolen, which they were not in this case.

There are also concerns that Apollo may face action from European authorities under the GDPR ruling that came into law in May this year. The GDPR regulation is aimed at protecting customers data and imposing steep fines on companies who mishandled personal data, Apollo would fall into this category.

The post 200 Million Contact Records Stolen in Apollo Data Breach appeared first on Hack Ware News.

Attackers gained access to the accounts through a vulnerability discovered after the Facebook’s “view as” feature was introduced earlier in the year

The feature allows users greater control of their privacy by letting them view their account as another user. Once attacks gained access to the Facebook accounts, they also gained access to accounts logged in via Facebook such as Tinder, Instagram, Airbnb and Spotify.

Since Friday’s attack the Facebook logins for the leaked accounts have started appearing for sale on the dark web, for as little as $3.90 each, with some email logins being sold for $2.70, according to Money Guru

Researchers found that for $970 it was possible to purchase a person’s online footprint, including all usernames, passwords and email addresses. The best way to protect yourself and your accounts is to always opt for a multiple step verification process where possible. For example, a 2-factor authentication any time you log into Facebook from a new device.

UK Based company Money Guru, who released these findings, said social media account details are frequently targeted by hackers because they give a good insight in targeted advertising. The report found that other accounts were also being offered for sale on the dark web. Reddit accounts came in slightly cheaper at $2.09, and Instagram and Pintrest on the more expensive end at $6.30 and $8.48 respectively.

Facebook has said that they are working with the FBI in investigating the hack and will inform users when they know more. CEO Mark Zuckerberg has assured users that passwords and credit card information was not accessed.

[stackCommerce layout=”2″ count=”5″ sort=”best_sellers”][/stackCommerce]

The post Facebook logins are being sold on the dark web after 50 million users hacked appeared first on Hack Ware News.