Home   Blog   Twitter   Database  

Microsoft and dance partners coordinate firmware defenses with Secure-core PCs

Windows code armors its arse

Pointing to a five-fold increase in firmware vulnerabilities over the last three years and not saying much about the growing number of Windows vulnerabilities, Microsoft on Monday said it has been working with PC-selling and silicon-making partners to ship kit that implements protection from malicious low-level device code.…

Posted: 21 Oct 2019 | 11:54 pm

How Googling Our Favourite Celebrities Is A Risky Business

Did you know that searching for your favourite celebrities online may very well increase your chance of running into trouble?

For the thirteenth year running, McAfee has put together its Most Dangerous Celebrities List which includes the celebrities who generate the riskiest search results that could potentially expose their fans to malicious websites and viruses. And, as usual, Aussies feature!!

Who Are the Riskiest Aussie Celebrities?

After a tumultuous year in and out of love, Liam Hemsworth – Aussie actor and ex-husband of popstar Miley Cyrus – has taken out top honours as the most dangerous Australian born celebrity coming in at 19th place on the list. Rose Byrne, Cate Blanchett and Kylie Minogue also feature on the list coming in at 37th, 41st and 52nd place respectively.

Talk Show Hosts Top the List

While previous years have seen Reality TV stars, such as The Kardashians, top of the list, in 2019 – it’s all about talk show hosts. In fact, there are 4 talk show hosts in the top 10. John Oliver takes out 1st place, followed by James Corden in 4th place, Jimmy Kimmel in 6th place and Jimmy Fallon in 10thplace.

Whether it’s their karaoke singing or their viral views on politics, our fascination with charismatic talk show hosts is clearly very strong. McAfee’s research also shows that the names of these 4 hosts are strongly associated with the search term ‘torrent’. This indicates people may be trying to avoid paying expensive subscriptions to view these cult shows and are pursuing free yet riskier alternatives.

Singers Are Also Proving Risky!

English singer Dua Lipa came in at no 2 on the list, followed by Scottish singer/DJ Calvin Harris in 5th place and teen favourite Billie Eilish at no 7. Our quest for immediate or free content about our favourite singers could mean that we visit sites purposefully designed by cybercriminals to extract our personal information or even better, our credit card details!

And then there’s Game of Thrones

The world’s love affair with Game of Thrones saw Emilia Clarke take out the 9th spot in this year’s list of risky celebs to search for online. Clarke, who played Daenerys Targaryen in the HBO fantasy series, was joined by Hollywood royalty Morgan Freeman in the top 10 list.

Cybercriminals Capitalise on Our Love for Celebrities

Our love of ‘all things celebrity’ has clearly not escaped the attention of cybercriminals with many spending a lot of time

and energy creating malicious websites designed to trick consumers into visiting. Whether it’s the promise of a ‘sneak-peak’ of the latest Star Wars movie, or free access to full episodes of a favourite American talk show, consumers will often drop their guard in favour of speed or convenience and quickly enter their personal details to gain access to a site without thinking about the consequences.

How to Avoid Getting Stung!

The good news is that you don’t need to give up your obsession with your favourite celebrity to stay safe online. Instead, develop some patience and trust your gut. Here are my top tips to help you stay ahead of the cybercriminals:

  1. Be Careful What You Click

Only stream and download movies and TV shows from reliable sources. While it may feel boring, the safest thing to do is wait for the official release of a movie instead of visiting a 3rd party site that could contain malware.

  1. Avoid Using Illegal Streaming Sites – No Exceptions!

Many illegal streaming sites are riddled with malware or adware disguised as pirated videos. Do yourself a favour and stream the show from a reputable source.

  1. Use a Web Reputation Tool

A web reputation tool such as McAfee’s freely available WebAdvisor will alert users if they are about to visit a malicious website. Very handy!

  1. Consider Parental Control Software

Kids love celebrities too! Ensure you set limits on device usage with your kids and use parental control software to help minimise exposure to potentially malicious or inappropriate websites.

But if you aren’t convinced your kids are going to take your advice on board then why not invest in some comprehensive security software like McAfee’s Total Protection for the whole family? This Rolls Royce cybersecurity software will protect you (and your kids) against malware and phishing attacks. A complete no-brainer!!

Alex xx


The post How Googling Our Favourite Celebrities Is A Risky Business appeared first on McAfee Blogs.

Posted: 21 Oct 2019 | 10:17 pm

Don’t look now, but Pixel 4’s Face Unlock works with eyes closed

There's a risk that someone might get hold of a device and unlock it by holding the screen to the face of its sleeping or unconscious owner.

Posted: 21 Oct 2019 | 4:47 am

Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing

By Song Wang (Mobile Threat Analyst)

At the start of the year, Google updated its permission requests in Android applications, and in particular, restricted access to SMS and CALL Log permissions. Google also added requirements for non-default applications (or those that don’t provide critical core features), allowing them to prompt and ask users for permission to access the device’s data.

This restriction is meant to prevent fake or malicious apps from abusing these features to deliver malware, steal personally identifiable information, or perpetrate fraud. But as last year’s mobile threat landscape showed, fraudsters and cybercriminals will always try to follow the money, whether fine-tuning their strategies, finding ways to bypass restrictions, or, in a recent case we’ve seen, revert to old but tried-and-tested techniques.

This is recently exemplified by an app we found on Google Play named “Yellow Camera” (detected by Trend Micro as AndroidOS_SMSNotfy), which poses as a camera and photo beautification or editing app — an increasingly common trick we’ve observed, what with the various information-stealing as well as malware- or adware-ridden apps we’ve uncovered so far this year. While the functions work as advertised, it is embedded with a routine that reads SMS verification codes from the System Notifications, and, in turn, activate a Wireless Application Protocol (WAP) billing. We disclosed our findings to Google, and the app, along with similar ones we saw, are no longer in the Play store.

Based on the name of the file downloaded by the app, it appears it is mostly targeting users in Southeast Asian countries (e.g., Thailand, Malaysia). However, we’ve also seen the app targeting Chinese-speaking users, so it won’t be a surprise if the app to gradually shift or expand their targets. While Google already removed the app from the Play store, we found that the fraudsters uploaded similar apps to the iOS App Store, as shown in Figure 5.

WAP-billing services are widely used as an alternative payment method for users to buy content from WAP-enabled sites. These services charge purchases directly to the user’s phone bill or credits without having to register for services, key in credentials, or use credit or debit cards. Unfortunately, fraudsters appear to have also taken advantage of this convenience. Based on the app’s reviews on the Play Store (Figure 1), some of the users already lost phone credits to the app.

Figure 1. Screenshot showing reviews about the app; one user noted how she lost mobile credits after installing the app
Figure 2. Infection chain of the malicious app

Yellow Camera’s Infection Chain

Here are additional details of Yellow Camera’s infection chain, as visualized in Figure 2:

For persistence, the malicious app uses the startForeground API to put the service in a foreground state, where the system considers it to be something the user is actively aware of and thus would not be terminated even if the device is low on memory.

We also found other apps (Figure 5), posing as photo filtering or beautifying apps, bearing the same routine of fraudulently subscribing the device to a WAP service. While they do share similar codes, we can’t fully confirm if these apps came from the same operators, or the group behind the Yellow Camera app.

Figure 3. Code snippet showing the file being downloaded by the app

Figure 4. Snapshot of WAP-billing site where TAC is requested and subscription is confirmed

Figure 5. Screenshots of apps with malicious routines similar to those of the Yellow Camera app

Best practices and Trend Micro solutions

The fraudsters’ technique may appear undistinguished, as WAP billing scams and fraudulent subscription to premium services aren’t new. However, this can be seen as a different approach or response to security controls designed to mitigate threats or deter abuse of device functionalities, particularly the Notifications feature. Previous scams, for example, relied on SMS to fetch verification codes, and would often require the device to switch connections between Wi-Fi and mobile data. Given how it affected the users who installed the apps, the malicious app showed how it can conveniently steal money by abusing the device’s other functionalities.

Also of note is how scammers and cybercriminals adapt their tactics — or the way they ride social networking trends — in their social engineering lures, as we’ve seen increased incidence in using photo editing or beautification apps as decoys to entice unwitting users into downloading fraudulent or malicious apps.

For the end users’ part, however, it pays to read an app’s reviews before installing them, as they can help identify apps with fraudulent or suspicious behaviors. Users should also adopt best practices for securing mobile devices, especially against socially engineered threats.

Users can also benefit from security solutions that can thwart stealthy adware, such as Trend Micro™ Mobile Security for Android™ (also available on Google Play), which blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and that safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

The indicators of compromise (IoCs) are in this appendix.

MITRE ATT&CK techniques:

Tactic Technique ID Description
Initial Access Deliver Malicious App via Authorized App Store T1475 Used to upload malware to Google Play store
Persistence App Auto-Start at Device Boot T1402 Used to listen for the BOOT_COMPLETED broadcast
Impact Premium SMS Toll Fraud T1448 Used to autofill content on WAP billing page by embedded JS
Exfiltration Alternate Network Mediums T1438 Used to connect cellular networks rather than Wi-Fi
Command and Control Standard Application Layer Protocol T1437 Used to communicate with remote C&C server

The post Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing appeared first on .

Posted: 18 Oct 2019 | 5:05 am

Masad Clipper and Stealer - Windows spyware exfiltrating data via Telegram (samples)


2019-09-25 Juniper. Masad Stealer: Exfiltrating using Telegram 

“Masad Clipper and Stealer” steals browser information, computer files,  and automatically replaces cryptocurrency wallets from the clipboard with its own.
It is written using Autoit scripts and then compiled into a Windows executable.
It uses Telegram to exfiltrate stolen information.


             Other malware



Posted: 6 Oct 2019 | 8:53 pm

Measuring up to the NIST Cybersecurity Framework: A Q&A with Matt Barrett

Read the Q&A with Matt Barrett, Chief Operating Officer of CyberESI, published on JUNTO by eRiskHub. Exchanging ideas on cyber risk & privacy liability

First introduced in 2014, the National Institute of Standards and Technology (NIST) CyberSecurity Framework (CSF) has since become a widely held best practice far beyond the commerce industry. To get some perspective on the framework and how it’s evolved over the past five years, we talked to Matt Barrett, who was the program manager for CSF. (Note: Barrett currently serves as COO for Cyber Engineering Services Inc (CyberESI), a cyber risk management firm.)

The post Measuring up to the NIST Cybersecurity Framework: A Q&A with Matt Barrett appeared first on CyberESI.

Posted: 28 Jun 2019 | 10:29 am

Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. The … Continue reading

Posted: 27 Jun 2018 | 8:14 am

The Trusted Internet: Who governs who gets to buy spyware from surveillance software companies?

Posted by FSLabs @ 02:31 GMT

When hackers get hacked, that's when secrets are uncovered. On July 5th, Italian-based surveillance technology company Hacking Team was hacked. The hackers released a 400GB torrent file with internal documents, source code, and emails to the public - including the company's client list of close to 60 customers.

The list included countries such as Sudan, Kazakhstan and Saudi Arabia - despite official company denials of doing business with oppressive regimes. The leaked documents strongly implied that in the South-East Asian region, government agencies from Singapore, Thailand and Malaysia had purchased their most advanced spyware, referred to as a Remote Control System (RCS).

According to security researchers Citizen Lab, this spyware is extraordinarily intrusive, with the ability to turn on microphone and cameras on mobile devices, intercept Skype and instant messages, and use an anonymizer network of proxy servers to prevent harvested information from being traced back to the command and control servers.

Based on images of the client list posted to pastebin the software was purchased in Malaysia by the Malaysia Anti-Corruption Commission (MACC), Malaysia Intelligence (MI) and the Prime Minister's Office (PMO):

hacking_team_client_list (86k image)

Additional images of leaked invoices posted to medium.com indicated the spyware was sold through a locally-based Malaysian company named Miliserv Technologies (M) Sdb Bhd (registered with the Ministry of Finance Malaysia), which specializes in providing digital forensics, intelligent gathering and public security services:

hacking_team_hack_1 (95k image)

hacking_team_hack_2 (72k image)

Why the Prime Minister's Office would need surveillance software remains puzzling. Mind you, professional grade spyware ain't cheap - a license upgrade could cost you MYR400, 000 and maintenance renewal will set you back about MYR160,000.

According to reports of the incident in Malaysian alternative media, Malaysian government agencies have probably been using the spyware even before discovery of the FinFisher malware that was detected in the run-up to the 2013 General Elections.

Coincidentally, Malaysia has also been the frequent host of the annual ISS World Asia tradeshow, where companies promote their arsenal of 'lawful' surveillance software to law enforcement agencies, telco service provider or government employees. During the 2014 event, the Hacking Team was present and the associate lead sponsor of the event.

MiliServ Technologies is currently involved in the upcoming 2015 ISS World Asia in Kuala Lumpur. The event is invitation-only – though it may be interesting to see if Hacking Team will make it there this year.

Post by – Su Gim

On 08/07/15 At 02:31 AM

Posted: 15 Oct 2015 | 3:49 am