Showing posts with label Biz & IT – Ars Technica.

Friday, November 13, 2020

Hackers sponsored by Russia and North Korea are targeting COVID-19 researchers

(credit: Getty Images)

Hackers sponsored by the Russian and North Korean governments have been targeting companies directly involved in researching vaccines and treatments for COVID-19, and in some cases, the attacks have succeeded, Microsoft said on Friday.

In all, there are seven prominent companies that have been targeted, Microsoft Corporate VP for Customer Security & Trust Tom Burt said. They include vaccine makers with COVID-19 vaccines in various clinical trial stages, a clinical research organization involved in trials, and a developer of a COVID-19 test. Also targeted were organizations with contracts with or investments from governmental agencies around the world for COVID-19-related work. The targets are located in the US, Canada, France, India, and South Korea.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law,” Burt wrote in a blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate—or even facilitate—within their borders. This is criminal activity that cannot be tolerated.”

from Biz & IT – Ars Technica https://ift.tt/2H38aHy

Thursday, October 8, 2020

Apple pays $288,000 to white-hat hackers who had run of company’s network

Inside a black-and-white Apple logo, a computer screen silhouettes someone typing. (credit: Nick Wright. Used by permission.)

For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday.

Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.

The 11 critical bugs were:

from Biz & IT – Ars Technica https://ift.tt/3jHHTMU

Tuesday, October 6, 2020

DHS warns that Emotet malware is one of the most prevalent threats today

(credit: Getty Images)

The malware known as Emotet has emerged as “one of the most prevalent ongoing threats” as it increasingly targets state and local governments and infects them with other malware, the cybersecurity arm of the Department of Homeland Security said on Tuesday.

Emotet was first identified in 2014 as a relatively simple trojan for stealing banking account credentials. Within a year or two, it had reinvented itself as a formidable downloader or dropper that, after infecting a PC, installed other malware. The Trickbot banking trojan and the Ryuk ransomware are two of the more common follow-ons. Over the past month, Emotet has successfully burrowed into Quebec’s Department of Justice, and increased its onslaught on governments in France, Japan, and New Zealand. It has also targeted the Democratic National Committee.

Not to be left out, US state and local governments are also receiving unwanted attention, according to CISA, short for the Cybersecurity and Infrastructure Security Agency. Einstein, the agency’s intrusion-detection system for collecting, analyzing, and sharing security information across the federal civilian departments and agencies, has in recent weeks noticed a big uptick, too. In an advisory issued on Tuesday, officials wrote:

from Biz & IT – Ars Technica https://ift.tt/2GNGMMY

Monday, October 5, 2020

Boom! Hacked page on mobile phone website is stealing customers’ card data

Computer hacker character stealing money online. Vector flat cartoon illustration (credit: GettyImages)

If you’re in the market for a new mobile phone plan, it’s best to avoid turning to Boom! Mobile. That is, unless you don’t mind your sensitive payment card data being sent to criminals in an attack that remained ongoing in the last few hours.

According to researchers from security firm Malwarebytes, Boom! Mobile’s boom.us website is infected with a malicious script that skims payment card data and sends it to a server under the control of a criminal group researchers have dubbed Fullz House. The malicious script is called by a single line that comprises mostly nonsense characters when viewed with the human eye.

(credit: Malwarebytes)

When decoded from Base64 format, the line translates to: paypal-debit[.]com/cdn/ga.js. The JavaScript code ga.js masquerades as a Google Analytics script at one of the many fraudulent domains operated by Fullz House members.

from Biz & IT – Ars Technica https://ift.tt/2GCo6jx

Monday, September 14, 2020

New Windows exploit lets you instantly become admin. Have you patched?

A casually dressed man smiles next to exposed computer components. (credit: VGrigas (WMF))

Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization’s crown jewels—the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device.

An “insane” bug with “huge impact”

Such post-compromise exploits have become increasingly valuable to attackers pushing ransomware or espionage spyware. Tricking employees into clicking on malicious links and attachments in email is relatively easy. Using those compromised computers to pivot to more valuable resources can be much harder.

from Biz & IT – Ars Technica https://ift.tt/2Rrv64J

Thursday, September 3, 2020

A single text is all it took to unleash code-execution worm in Cisco Jabber

Promotional screenshot of collaborative video conferencing app. (credit: Cisco)

Until Wednesday, a single text message sent through Cisco’s Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.

The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that’s designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as “onanimationstart.”

Jumping through hoops

But even then, the filter still blocked content that contained <style>, an HTML tag that had to be included in a malicious payload. To bypass that protection, the researchers used code that was tailored to a built-in animation component called spinner-grow. With that, the researchers were able to achieve a cross-site scripting exploit that injected a malicious payload directly into the internals of the browser built into Jabber.

from Biz & IT – Ars Technica https://ift.tt/2F0XM1y

Thursday, August 13, 2020

NSA and FBI warn that new Linux malware threatens national security

(credit: Suse)

The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.

In a report that’s unusual for the depth of technical detail from a government agency, officials said the Drovorub malware is a full-featured tool kit that has gone undetected until recently. The malware connects to command and control servers operated by a hacking group that works for the GRU, Russia’s military intelligence agency, which has been tied to more than a decade of brazen and advanced campaigns, many of which have inflicted serious damage on national security.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 US Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017),” officials from the agencies wrote.

from Biz & IT – Ars Technica https://ift.tt/3fWWZeX

Thursday, August 6, 2020

Intel is investigating the leak of >20GB of its source code and private data

An Intel promotional has been modified to include the words

(credit: Tillie Kottman)

Intel is investigating the purported leak of more than 20 gigabytes of its proprietary data and source code that a security researcher said came from a data breach earlier this year.

The data—which at the time this post went live was publicly available on BitTorrent feeds—contains material Intel makes available to partners and customers under NDA, a company spokeswoman said. Speaking on background, she said Intel officials don’t believe the data came from a network breach. She also said the company is still trying to determine how current the material is and that, so far, there are no signs the data includes any customer or personal information.

“We are investigating this situation,” company officials said in a statement. “The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.”

from Biz & IT – Ars Technica https://ift.tt/3fF4mHv

Tuesday, June 9, 2020

Honda halts production at some plants after being hit by a cyberattack

(credit: Yonkers Honda)

Honda halted manufacturing at some of its plants around the world on Tuesday after being hit by a cyberattack that’s widely reported to be ransomware.

“Honda has experienced a cyberattack that has affected production operations at some US plants,” the automaker told Ars. “However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”

Bloomberg News reported on Tuesday evening that production was suspended at car factories in Ohio and Turkey as well as at motorcycle plants in India and South America. The company, according to Bloomberg, was working to fix systems. The news outlet also said that Japanese operations weren’t affected and that other Honda plants in the United States have already resumed manufacturing.

from Biz & IT – Ars Technica https://ift.tt/2XLwhA6

Thursday, June 4, 2020

Iran- and China-backed phishers try to hook the Trump and Biden campaigns

Stock photo of a slip of paper being dropped into a bin marked 2020. (credit: Marco Verch Professional Photographer and Speaker)

State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns. An Iran-backed group targeted the Trump campaign and China-backed attackers targeted the Biden campaign, said Shane Huntley, the head of Google’s Threat Analysis Group on Twitter. Both groups used phishing emails. There’s no indication that either attack campaign succeeded.

Kittens and Pandas

Huntley identified the Iranian group that targeted Trump’s campaign as APT35, short for Advanced Persistent Threat 35. Also known as Charming Kitten, iKittens, and Phosphorous, the group was caught targeting an unnamed presidential campaign before, Microsoft said last October. In that campaign, Phosphorous members attempted to access email accounts campaign staff received through Microsoft cloud services. Microsoft said that the attackers worked relentlessly to gather information that could be used to activate password resets and other account-recovery services Microsoft provides.

from Biz & IT – Ars Technica https://ift.tt/3dBR5zh

Monday, June 1, 2020

Apple fixes bug that could have given hackers unauthorized access to user accounts

Photograph of multiple Apple devices lined up together. (credit: Apple)

Sign in with Apple—a privacy-enhancing tool that lets users log into third-party apps without revealing their email addresses—just fixed a bug that made it possible for attackers to gain unauthorized access to those same accounts.

“In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures,” app developer Bhavuk Jain wrote on Sunday. “This bug could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not.”

Jain privately reported the flaw to Apple under the company’s bug bounty program and received a hefty $100,000 payout. The developer shared details after Apple updated the sign-in service to patch the vulnerability.

from Biz & IT – Ars Technica https://ift.tt/3eSb2Cv

Thursday, May 28, 2020

Cisco security breach hits corporate servers that ran unpatched software

(credit: Prayitno / Flickr)

Six servers Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws contained in unpatched versions the open source software service relies on, the company disclosed on Thursday.

Got updates?

The May 7 compromise hit six Cisco servers that provide backend connectivity to the Virtual Internet Routing Lab Personal Edition (VIRL-PE), a Cisco service that lets customers design and test network topologies without having to deploy actual equipment. Both the VIRL-PE and a related service, Cisco Modeling Labs Corporate Edition, incorporate the Salt management framework, which contained a pair of bugs that, when combined, were critical. The vulnerabilities became public on April 30.

Cisco deployed the vulnerable servers on May 7, and they were compromised the same day. Cisco took them down and remediated them, also on May 7. The servers were:

from Biz & IT – Ars Technica https://ift.tt/36Dw6te

Tuesday, May 26, 2020

For a limited time, a new jailbreak gives full root access to any iPhone

(credit: Maurizio Pesce / Flickr)

Hackers have released a new jailbreak that any user can employ to gain root access on any iPhone, regardless of the hardware as long as it runs iOS 11 or later.

Dubbed unc0ver, the exploit works only when someone has physical access to an unlocked device and connects it to a computer. Those requirements mean that the jailbreak is unlikely to be used in most malicious scenarios, such as through malware that surreptitiously gains unfettered system rights to an iPhone or iPad. unc0ver’s inability to survive a reboot also makes it less likely to be used in hostile situations.

Rather, unc0ver is more of a tool that allows users to break locks Apple developers put in place to limit key capabilities such as what apps can be installed, the monitoring of OS functions, and various other tweaks that are standard on most other OSes. The jailbreak, for instance, allows users to gain a UNIX shell that has root privileges to the iPhone. From there, users can use UNIX commands to do whatever they’d like.

from Biz & IT – Ars Technica https://ift.tt/3d8PpgK

Tuesday, April 14, 2020

Microsoft patches 4 Windows 0days under active exploit

A man looks at the home screen for the "new" Windows 7 platform when it was launched in October 2009. Microsoft has ended support, but the OS lives on. (credit: Katie Collins - PA Images / Getty Images)

Microsoft has patched four actively exploited vulnerabilities that allow attackers to execute malicious code or elevate system privileges on devices that run Windows.

Two of the security flaws—tracked as CVE-2020-1020 and CVE-2020-0938—reside in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. On supported operating systems other than Windows 10, attackers who successfully exploit the vulnerabilities can remotely execute code. On Windows 10, attackers can run code inside an AppContainer sandbox. The measure limits the system privileges malicious code has, but even then, attackers can use it to create accounts with full user rights, install programs, and view, change, or delete data.

Attackers can exploit the flaws by convincing a target to open a booby-trapped document or to view it in the Windows preview pane. Tuesday’s advisories said that Microsoft is “aware of limited, targeted attacks that attempt to leverage” both vulnerabilities. Microsoft revealed last month that one of the bugs was being exploited in limited attacks against Windows 7 machines.

from Biz & IT – Ars Technica https://ift.tt/2xjw3G1

Tuesday, March 17, 2020

Reputable sites swept up in FB’s latest coronavirus-minded spam cleanse

Photoshopped image of a housekeeper with a Facebook logo for a face. (credit: Aurich Lawson / Getty Images)

As of press time, there is a chance that if you share this very news article on Facebook, its headline will trigger an eventual takedown with a "spam" tag and no further explanation.

On Tuesday, social media users began sharing scattered reports with a confusing issue in common: links from reputable news outlets they'd shared—either publicly or in private, friends-only groups—were marked as violations of "community guidelines" and automatically taken down, and many—but not all—had "coronavirus" mentioned in either the headline or in the article's body. Other hot topics in the automatic-takedown spree include recent Democratic Party primaries in the United States.

This seemed to affect posts going back as far as five days, and it includes content from established newspapers and sites such as Politico, The Atlantic, USA Today, Vice, Business Insider, Axios, and The Seattle Times. Also caught in the net are the more open-ended blogging platform Medium (which runs a series of staffed and edited sub-sites) and the crowdfunding site GoFundMe. As of press time, compiling a complete list of affected sites and topics is admittedly difficult, thanks to the anecdotal nature of how these takedown notices are being reported and circulated.

from Biz & IT – Ars Technica https://ift.tt/2x336xp

Friday, March 13, 2020

Comcast and T-Mobile upgrade everyone to unlimited data for next 60 days

A Comcast service vehicle in Indianapolis, Indiana, in March 2016. (credit: Getty Images | jetcityimage)

Comcast announced late Friday that it is suspending enforcement of its data cap and overage fees for 60 days during the coronavirus pandemic.

"With so many people working and educating from home, we want our customers to access the Internet without thinking about data plans," Comcast's announcement said. "While the vast majority of our customers do not come close to using 1TB of data in a month, we are pausing our data plans for 60 days giving all customers unlimited data for no additional charge."

Normally, Comcast charges an extra $50 per month for unlimited data, or $10 for each additional block of 50GB after customers exceed 1TB.

from Biz & IT – Ars Technica https://ift.tt/2TPmEOY

Tuesday, January 21, 2020

737 Max fix slips to summer—and that’s just one of Boeing’s problems

The 737 Max is just the most high-profile of Boeing's crises. (credit: Boeing)

The past 10 months have not been good for Boeing for all sorts of reasons—capped off by the failure of the company's Starliner commercial crew vehicle to achieve the right orbit in its uncrewed premier in December. But the biggest of the company's problems remains the 737 Max, grounded since last spring after two crashes that killed 346 people between them. Combined, the crashes are the worst air disaster since September 11, 2001.

Both were at least partially caused by a sensor failure with no redundancy and a problem with MCAS (the new software controlling the handling of the aircraft) that the air crews had not been trained to overcome.

Boeing executives are now telling the company's 737 Max customers that the software fix required to make the airliner airworthy will not be approved in the near future, and that it will likely be June or July before the Federal Aviation Administration certifies the aircraft for flight again—meaning that the aircraft will have been grounded for at least 16 months.

from Biz & IT – Ars Technica https://ift.tt/38wZn8X

Wednesday, January 15, 2020

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Chrome on Windows 10 as it Rickrolls the NSA. (credit: https://twitter.com/saleemrash1d/status/1217519809732259840/photo/1)

Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.

Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heartthrob Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS-verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are also likely to fall to the same trick. (There's no indication Firefox is affected.)

Rashid's simulated attack exploits CVE-2020-0601, the critical vulnerability that Microsoft patched on Tuesday after receiving a private tipoff from the NSA. As Ars reported, the flaw can completely break certificate validation for websites, software updates, VPNs, and other security-critical computer uses. It affects Windows 10 systems, including server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are unaffected.

from Biz & IT – Ars Technica https://ift.tt/2Tucgfw

The broken record of breaking encryption skips again in Florida shooter case

US President Donald Trump speaks about the impeachment inquiry during a tour of the Flextronics computer manufacturing facility where Apple's Mac Pros are assembled in Austin, Texas, on November 20, 2019. Now, he's ranting about Apple being unpatriotic. (credit: MANDEL NGAN/AFP via Getty Images)

On the eve of the House of Representatives' forwarding of articles of impeachment to the Senate, President Donald Trump took time to attack Apple. The president's outburst on Twitter appears to be about the FBI's inability to get access to the physical storage on two iPhones connected to last month's killings at Naval Air Station Pensacola in Florida. And it is the latest ratcheting up of rhetoric from the Trump administration on device encryption.

The phones are believed by the FBI to have been the property of Mohammed Saeed Alshamrani, the Saudi Air Force officer who was the suspect in the shooting of three members of the US Navy in December. Alshamrani died after being shot by law enforcement, and the devices were locked.

But an Apple spokesperson said that Apple had provided the contents of the cloud backups of those devices to investigators within hours of the shooting, and Apple executives thought the FBI was satisfied with that—until the FBI came back a week ago and asked for additional assistance. It is not clear that Apple has refused that assistance, but the company has resisted providing a way for the government to break the encryption on devices in the past. Apple did this out of concern that breaking open devices would reduce the protection provided to law-abiding customers against theft of their personal data off stolen or otherwise targeted devices.

from Biz & IT – Ars Technica https://ift.tt/30nTb00

Wednesday, December 11, 2019

Senate Judiciary committee interrogates Apple, Facebook about crypto

Lindsey Graham doesn't want people reading his texts. But he'll make darned sure there are backdoors for law enforcement into encrypted texts and devices, and he will pass a law if he needs to. (credit: US Senate)

In a hearing of the Senate Judiciary Committee yesterday, while their counterparts in the House were busy with articles of impeachment, senators questioned New York District Attorney Cyrus Vance, University of Texas Professor Matt Tait, and experts from Apple and Facebook over the issue of gaining legal access to data in encrypted devices and messages. And committee chairman Sen. Lindsey Graham (R-S.C.) warned the representatives of the tech companies, "You're gonna find a way to do this or we're going to do it for you."

The hearing, entitled "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy," was very heavy on public safety, with a few passing words about privacy. Graham said that he appreciated "the fact that people cannot hack into my phone, listen to my phone calls, follow the messages, the texts that I receive. I think all of us want devices that protect our privacy." However, he said, "no American should want a device that is a safe haven for criminality," citing "encrypted apps that child molesters use" as an example.

"When they get a warrant or court order, I want the government to be able to look and find all relevant information," Graham declared. "In American law there is no place that's immune from inquiry if criminality is involved... I'm not about to create a safe haven for criminals where they can plan their misdeeds and store information in a place that law enforcement can never access it."

from Biz & IT – Ars Technica https://ift.tt/2semzJ7