Jeremy Kirk

Author Archives: Jeremy Kirk

Japan’s infrastructure probed by cybergroup, security firm says

A group of cyberattackers that emerged in 2010 and then went quiet has resurfaced and is targeting Japan's critical infrastructure, a security vendor said this week.

The attacks have targeted utilities and energy companies in Japan, as well as other companies in finance, transportation and construction, said Greg Fitzgerald, chief marketing officer at Cylance, which specializes in endpoint protection.

The group appears to be based in Asia, and its methods and procedures suggest it may be linked to a nation state, Fitzgerald said.

Symantec detected signs of the group, which Cylance calls Operation Dust Storm, in 2010, Fitzgerald said. The group went quiet in March 2013, shortly after Mandiant -- the forensics investigative unit of FireEye -- published a lengthy report on APT 1, which the company believes to be an elite cyber unit of the Chinese army.

CloudFlare launches secure domain name management service

CloudFlare has launched a domain name registration service with enhanced security controls designed to prevent domain hijacking, a serious attack that can have far-reaching consequences for companies.

Its Registrar keeps a close eye on domain name registrations and changes to registrations with the intention of preventing attackers from gaining control of a domain name, said Ryan Lackey, who works with CloudFlare's security product strategy.

The idea came after CloudFlare began looking for a domain name registrar with better security, Lackey said. CloudFlare is a constant target for attackers. It couldn't find anything suitable, so CloudFlare decided to develop its own.

Source code for powerful Android banking malware is leaked

The source code for a powerful Android malware program that steals online banking credentials has been leaked, according to researchers with IBM.

The malware family is known by several names, including GM Bot, Slempo, Bankosy, Acecard and MazarBot. GM Bot has been sold on underground hacking forums for around US$500. But it appears someone who bought the code then leaked it on a forum in December, perhaps to increase his standing, wrote Limor Kessem, a cybersecurity analyst with IBM Trusteer.

The person included an encrypted archive file containing the source code of GM Bot, according to Kessem.

A new Android banking trojan is also ransomware

A new kind of Android malware steals online banking credentials and can hold a device's files hostage in exchange for a ransom, delivering a particularly nasty one-two punch.

The malware, called Xbot, is not widespread yet and appears to be targeting only devices in Australia and Russia, wrote researchers with Palo Alto Networks in a blog post on Thursday. But they believe whoever is behind Xbot may try to expand its target base.

"As the author appears to be putting considerable time and effort into making this Trojan more complex and harder to detect, it's likely that its ability to infect users and remain hidden will only grow," Palo Alto wrote.

What happens when Google Doc credentials are leaked on the Dark Web

A security company recently laid tempting bait online in order to see how hackers would react. The findings aren't surprising, but they show how quickly leaked data is used by shady characters.

California-based Bitglass, which specializes in cloud-based security, created a fake digital identity for an employee of a non-existent bank. The details included credentials for a Google Drive account, complete with real credit card details, fake corporate data and personal data, according to Bitglass' report.

The files were tagged with a tracker so Bitglass could obtain some technical data on the systems that accessed them. The researchers also created a fake banking site portal.

Hospital pays $17,000 ransom to get access back to its encrypted files

A Los Angeles hospital has paid US$17,000 to cyberattackers who crippled its network by encrypting its files, a payment that will likely rekindle a fierce debate over how to deal with a problem known as ransomware.

Hollywood Presbyterian Medical Center issued a statement saying that its systems were restored on Monday, 10 days after malware locked access to its systems.

The hospital contacted law enforcement as well as computer experts, wrote Allen Stefanek, president and CEO of Hollywood Presbyterian, in a statement on Wednesday. But it is apparent those efforts did not help in recovering files.

‘Locky’ ransomware, which infects like Dridex, hits the unlucky

A new flavor of ransomware, similar in its mode of attack to the notorious banking trojan Dridex, is causing havoc with some users.

Victims are usually sent via email a Microsoft Word document purporting to be an invoice that requires a macro, a small embedded program that performs some function. Macros are disabled by default by Microsoft due to the security dangers, and users see a warning if a document contains one.

If macros are enabled, the document will run the macro and download Locky to the computer, wrote Palo Alto Networks in a blog post on Tuesday. The same technique is used by Dridex, a banking trojan that steals online account credentials.

Craigslist fails to flag most scam rental ads, study finds

Craigslist, the popular online listings service, has waged a long fight against scammers, but a new academic study suggests it's been losing the battle.

The study focused on listings for housing rentals, and found that Craigslist failed to remove a majority of those that were fraudulent. The researchers analyzed two million ads over a five-month period in 2014 and determined that Craigslist had flagged and removed fewer than half the listings that likely weren't genuine.

Looking for housing can be stressful, and people are vulnerable to schemes that advertise below-market pricing or ways to get ahead of the rental game.

Malware targets all Android phones — except those in Russia

A malware program for Android seen advertised on Russian underground forums in the last few months appears to have made its first big debut.

MazarBOT can take full control of a phone and appears to be targeting online banking customers, wrote Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.

"Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we've seen this code to be deployed in active attacks," Kruse wrote.

Attackers try to compromise Magento with a fake patch

Attackers are still trying to find Magento installations that haven't patched a particularly bad vulnerability, this time trying to trick people into downloading a fake patch.

The bogus patch purports to fix a flaw known as the Shoplift Bug, or SUPEE-5344, wrote Denis Sinegubko, a senior malware researcher with Sucuri.

"While the patch was released February 2015, many sites unfortunately did not update," he wrote. "This gave hackers an opportunity to compromise thousands of Magento powered online stores."

Hackers of two Ukrainian utilities probably hit mining and railroad targets, too

The attackers who crippled Ukrainian power operators in December probably committed attacks shortly before against a mining company and a railway operator, Trend Micro said Thursday.

The security company said its latest technical research shows that the same malware programs -- dubbed BlackEnergy and KillDisk -- were probably used in the earlier actions. It didn't name the targets of those attacks, which took place in November and December.

"There is remarkable overlap between the malware used, infrastructure, naming conventions, and to some degree, the timing of use for this malware," wrote Kyle Wilhoit, a senior threat researcher.

Android root malware widespread in third-party app stores

Four third-party app stores for Android have apps with a malicious component that seeks root access to devices, according to Trend Micro.

The security company found 1,163 Android application packages containing the malware, which it calls ANDROIDOS_LIBSKIN.A, wrote Jordan Pan, a mobile threats analyst with Trend. The malware obtains root access to the phone, the highest level of access and privilege.

The apps containing the component were downloaded across 169 countries between Jan. 29 and Feb. 1 from marketplaces called Aptoide, Mobogenie, mobile9 and 9apps.

Poseidon hacker group behind long-running extortion scheme

Kaspersky Lab has linked a single group to a long-known campaign of cyberattacks that appears to be aimed at extorting corporate victims.

The Poseidon Group may have been active since 2001, according to an analysis of malware samples. The group's tools have been designed to function on systems set to English and Portuguese.

Victims are usually sent spear-phishing emails and malware hidden inside office documents. Once on a network, the hackers explore its topology in order to eventually steal intellectual property and commercial information.

"Then the attacker looks for all administrator accounts on both the local machine and the network," Kaspersky wrote in a post on Tuesday. "This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker's interest."

Google will stop accepting new Flash ads on June 30

Google has just hammered another nail in the coffin for Flash, Adobe Systems' multimedia software widely criticized for its frequent security vulnerabilities.

On Tuesday, Google set deadlines for when it will stop running Flash ads and accept only those written in HTML5, the latest version of the Web's mother tongue. As of June 30, Google will stop accepting new Flash-based display ads for AdWords and DoubleClick Digital Marketing. And Flash ads won't be allowed on the company's Display Network or DoubleClick after Jan. 2, 2017.

Flash is one of the most commonly targeted applications by hackers because it's installed on hundreds of millions of computers. Unpatched vulnerabilities can allow a hacker to install malicious software on a computer if a victim merely views a malicious ad.

US government wants to sharply increase spending on cybersecurity

President Barack Obama on Tuesday will propose a sharp increase in cybersecurity spending for next year's budget, to improve outdated government software and promote better online security for consumers.

The plan calls for a $3.1 billion fund to replace outdated IT infrastructure; a new position of federal chief information security officer; a commission to study cybersecurity problems; and a program to recruit cybersecurity experts into government roles.

The U.S. has been working since 2009 to improve the nation's cyber defenses, most recently with the Cybersecurity Act of 2015, which promotes better information sharing between private industry and government, said Michael Daniel, special assistant to the President and cybersecurity coordinator, in a phone briefing with reporters Monday.

Flaws in Trane thermostats underscore IoT security risks, Cisco says

Cisco warned on Monday of serious flaws it found in an Internet-connected thermostat control, which it said are typical among products of vendors who aren't well-versed in network security.

The flaws were found in the ComfortLink II thermostats made by Trane. The thermostats allow users to control room temperature from a mobile device, display the weather and even act as a digital photo frame.

Cisco's Talos unit said the issues have finally been patched, nearly two years after it notified Trane, which is why it has now gone public.

"The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers," wrote Alex Chiu, a Cisco threat researcher, in a blog post Monday.

The Neutrino exploit kit has a new way to detect security researchers

The developers of the Neutrino exploit kit have added a new feature intended to thwart security researchers from studying their attacks.

The feature was discovered after Trustwave's SpiderLabs division found that computers it was using for research couldn't make a connection with the servers that delivered Neutrino.

"The environment seems completely fine except for when accessing Neutrino," wrote Daniel Chechik, senior security researcher.

Exploit kits are one of the most effective ways that cybercriminals can infect computers with malware. They find vulnerable websites and plant code that transparently connects with another server that tries to exploit software vulnerabilities.

Study of another IP camera reveals serious problems

An in-depth analysis of yet another Internet-connected security camera has revealed a host of software problems.

Alex Farrant and Neil Biggs, both of the research team for Context Information Security in the U.K., analyzed Motorola's Focus 73, an outdoor security camera. Images and video taken by the camera can be delivered to a mobile phone app.

They found they could take control of the camera remotely and control its movement, redirect the video feed and figure out the password for the wireless network the device is connected to. One attack exploits a cross-site request forgery problem. It was possible to scan for cameras connected to the Internet and then get a reverse root shell.

Comodo to fix major flaw in knock-off Chrome browser

Comodo will release an update Wednesday to fix a serious vulnerability in its web browser, which it markets as a way for users to enhance their security.

Google engineer Tavis Ormandy found that the company's Chromodo browser disables the "same origin policy," one of the most basic tenets of web security, according to a writeup.