Author Archives: Lucian Constantin

Estonian man gets over 7 years in prison for role in global DNS hijacking botnet

An Estonian man has been sentenced to seven years and three months in prison in the U.S. for his role in a cybercriminal operation that infected over 4 million computers with DNS hijacking malware.

Vladimir Tsastsin, 35, from Tartu, Estonia, was one of the key players in a US$14 million click fraud scheme. He is the sixth individual to be sentenced in the case and has received the longest prison sentence. The sentence was handed down Tuesday in U.S. District Court for the Southern District of New York.

According to the Department of Justice, between 2007 and 2011, Tsastsin and his co-conspirators set up companies that masqueraded as publisher networks and entered into agreements with advertising brokers to display ads on their properties.

Cyberespionage group abuses Windows hotpatching mechanism for malware stealth

A cyberespionage group active in Asia has been leveraging a Windows feature known as hotpatching in order to better hide its malware from security products.

The group, which malware researchers from Microsoft call Platinum, has been active since at least 2009 and has primarily targeted government organizations, defense institutes, intelligence agencies and telecommunications providers in South and Southeast Asia, especially from Malaysia, Indonesia and China.

So far the group has used spear phishing -- fraudulent emails that target specific organizations or individuals -- as its main attack method, often combining it with exploits for previously unknown, or zero-day, vulnerabilities that install custom malware. It places great importance on remaining undetected.

Empty DDoS threats earn extortion group over $100,000

Extorting money from companies under the threat of launching distributed denial-of-service (DDoS) attacks against their online properties has proven lucrative for cybercriminals. So much so that one group has managed to earn over $100,000 without any evidence that it's even capable of mounting attacks.

Since early March, hundreds of businesses have received threatening emails from a group calling itself the Armada Collective, asking to be paid between 10 and 50 bitcoins -- US$4,600 to $23,000 -- as a "protection fee" or face DDoS attacks exceeding 1Tbps.

While many of them did not comply, some did; the group's bitcoin wallet address shows incoming payments of over $100,000 in total. Yet none of the companies who declined to pay the protection fee were attacked, website protection firm CloudFlare found.

Malvertising attack silently infects old Android devices with ransomware

Attackers are using two known exploits to silently install ransomware on older Android devices when their owners browse to websites that load malicious advertisements.

Web-based attacks that exploit vulnerabilities in browsers or their plug-ins to install malware are common on Windows computers, but not on Android, where the application security model is stronger.

But researchers from Blue Coat Systems detected the new Android drive-by download attack recently when one of their test devices -- a Samsung tablet running CyanogenMod 10.1 based on Android 4.2.2 -- became infected with ransomware after visiting a Web page that displayed a malicious ad.

Bangladesh Bank attackers used custom malware that hijacked SWIFT software

The hackers who stole US$81 million from Bangladesh's central bank likely used custom malware designed to interfere with the SWIFT transaction software used by many financial institutions.

The attackers attempted to transfer $951 million out of Bangladesh Bank's account at the Federal Reserve Bank of New York in February, but most of the transfers were blocked before completion. The attackers did manage to send $81 million to accounts in the Philippines, and that money is still missing.

Researchers from BAE Systems have recently come across several malware components that they believe are part of a custom attack toolkit that was likely used in the heist.

Facebook bug hunter stumbles on backdoor left by… another bug hunter

When Orange Tsai set out to participate in Facebook's bug bounty program in February, he successfully managed to gain access to one of Facebook's corporate servers. But once in, he realized other hackers had beaten him to it.

Tsai thought he had stumbled on some malicious activity in Facebook's network. But, according to a statement from Facebook on Friday, what he found was something else.

Tsai, a consultant with Taiwanese penetration testing outfit Devcore, had started by mapping Facebook's online properties, which extend beyond user-facing services like facebook.com or instagram.com.

One server that caught his attention was files.fb.com, which hosted a secure file transfer application made by enterprise software vendor Accellion and was presumably used by Facebook employees for file sharing and collaboration.

Facebook bug hunter stumbles on backdoor left by hackers

When Orange Tsai set out to participate in Facebook's bug bounty program in February, he successfully managed to gain access to one of Facebook's corporate servers. But once in, he realized that malicious hackers had beaten him to it.

Tsai, a consultant with Taiwanese penetration testing outfit Devcore, had started by mapping Facebook's online properties, which extend beyond user-facing services like facebook.com or instagram.com.

One server that caught his attention was files.fb.com, which hosted a secure file transfer application made by enterprise software vendor Accellion and was presumably used by Facebook employees for file sharing and collaboration.

Cisco fixes serious denial-of-service flaws in wireless LAN controllers, other products

Cisco Systems has released patches to fix serious denial-of-service flaws in its Wireless LAN Controller (WLC) software, Cisco Adaptive Security Appliance (ASA) software and the Secure Real-Time Transport Protocol (SRTP) library that's used in many products.

The Cisco WLC software contains two denial-of-service vulnerabilities, one of which is rated critical and could be exploited by an unauthenticated attacker through specially crafted HTTP requests sent to the device. This can cause a buffer overflow condition that, in addition to a device reload, might also allow for execution of arbitrary code on the device.

This tool can block ransomware on Mac OS X, for now

A security researcher has created a free security tool that can detect attempts by ransomware programs to encrypt files on users' Macs and then block them before they do a lot of damage.

Called RansomWhere?, the application is the creation of Patrick Wardle, director of research and development at security firm Synack. It's meant to detect and block the encryption of files by untrusted processes.

The tool monitors users' home directories and detects when encrypted files are rapidly created inside them -- a telltale sign of ransomware activity.

When such activity is detected, RansomWhere? determines the process responsible and suspends it. To limit false positives -- legitimate encryption programs being detected as ransomware -- the tool whitelists all applications signed by Apple and most of those that already exist on the computer when RansomWhere? is first installed.

New point-of-sale malware Multigrain steals card data over DNS

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS).

Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

That's because, unlike other PoS malware programs that look for card data in the memory of many processes, Multigrain targets a single process called multi.exe that's associated with a popular back-end card authorization and PoS server. If this process is not running on the compromised machine, the infection routine exits and the malware deletes itself.
