Human Resources Firm ComplyRight Breached

Cloud-based human resources company ComplyRight said this week that a security breach of its Web site may have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by the company’s thousands of clients on behalf of employees.

Pompano Beach, Fla-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach. Indeed, many readers who received these letters wrote to KrebsOnSecurity asking for more information, as the company hadn’t yet published any details about the breach on its Web site. Also, most of those folks said they’d never heard of ComplyRight and could not remember ever doing business with a company by that name.

Neither ComplyRight nor its parent company Taylor Corp. responded to multiple requests for comment this past week. But on Wednesday evening, ComplyRight posted additional facts about the incident on its site, saying a recently completed investigation suggests that fewer than 10 percent of individuals with tax forms prepared on the ComplyRight platform were impacted.

According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.

ComplyRight says it learned of the breach on May 22, 2018, and that the “unauthorized access” to its site persisted between April 20, 2018 and May 22, 2018.

ANALYSIS

Even with the additional disclosure published to ComplyRight’s site, it’s difficult to accurately gauge the size of this breach. ComplyRight includes information about its tax solutions division here and it appears that they also file Affordable Care Act (ACA) and HIPAA paperwork. So, if these “solutions” are indeed part of the “tax reporting web platform,” then we’re probably talking way more beyond efile4biz.com’s 76,000 customers. And remember that each “customer” is a business that employs multiple people.

ComplyRight’s efile4biz.com Web site has long stated that the company employs the latest, most sophisticated security measures, noting that “the result is a level of data protection that would thwart even the most determined cyber criminals.”

“Data security is a primary concern with reputable e-file providers like efile4Biz.com,” the site explains. “We use the strongest encryption program available, as recommended by the federal government, to block the interception or interruption of information by a third party. “Data is encrypted as soon as it’s entered on the site, and it says encrypted throughout the entire print, mail and e-file process.”

The site also includes a Geotrust security seal intended to reinforce the above statement. While ComplyRight hasn’t said exactly how this breached happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.

Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steals usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.

Also, it’s far from clear that data security is in fact a primary concern of ComplyRight. Let me explain: Very often when I’m having difficulty getting answers or responses from a company that I suspect or know has had a breach, I’ll start identifying and pestering the company’s executives via their profiles on LinkedIn.

As I did so in this case, I was surprised to discover that I couldn’t identify a single ComplyRight employee on Linkedin whose job is listed as at all related to security. Nor does it appear that ComplyRight is currently hiring anyone in these positions. I did, however, find plenty of network managers and software engineers, Web developers and designers, data specialists, and even several “poster guard specialists” (ComplyRight also produces workplace safety posters of the kind typically hung in corporate breakrooms).

It may well be that there are indeed security personnel working at ComplyRight, but if so they don’t seem to have a LinkedIn profile. Again, neither ComplyRight nor its parent firm responded to multiple requests for comment.

WHAT CAN YOU DO?

The company is offering 12 months of free credit monitoring to those affected by the breach. As I’ve noted several times here, credit monitoring can be useful for helping people recover from identity theft, it is virtually useless in stopping identity thieves from opening new accounts in your name.

A more comprehensive approach to combating ID theft involves adopting the assumption that all of this static data about you as a consumer — including your name, date of birth, address, previous address, phone number, credit card number, Social Security number and possibly a great deal more sensitive information — is already breached, stolen and/or actively for sale in the cybercrime underground.

One response to this increasingly obvious reality involves enacting a security freeze on one’s credit files with the major consumer credit reporting bureaus. See this primer from last year’s breach at Equifax for more details on how to do that, and for information on slightly less restrictive alternatives.

In addition, people who received a letter from ComplyRight may also file a Form 14039 with the U.S. Internal Revenue Service (IRS) to help reduce the likelihood of becoming victims of tax refund fraud, an increasingly common scam in which fraudsters file a tax refund request with the IRS in your name and then pocket the refund money.

Any American can be a victim of refund fraud, whether or not they are owed money by the IRS. Most people first learn they are victims when they go to file their tax return and the submission is rejected because someone already filed in their name.

By filing a Form 14039, you are asking the IRS to issue you a special one-time code — called an IP PIN — via snail mail that must be entered on subsequent tax returns before the return can be accepted by the IRS.

A couple of caveats about this form: If you request and are granted an IP PIN, make sure you store the information in a safe place that you will be able to access next year when it comes time to file your taxes again (a clearly labeled folder in a locked filing cabinet is a good start).

Also, understand that enrolling in the IP PIN program requires taxpayers to pass an identity-proofing process called Secure Access. This process includes making specific credit inquiries to big-three credit bureau Experian, which means if you already have a security freeze on your consumer credit file with Experian you will need to temporarily thaw the freeze before completing the enrollment. For those contemplating a freeze and seeking an IP PIN, complete the Secure Access enrollment with the IRS before enacting a freeze.

Go to Source
Author: BrianKrebs

Vulnerability Spotlight: Foxit PDF Reader JavaScript Remote Code Execution Vulns

OVERVIEW

Discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing a pair of vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2018-0588

TALOS-2018-0588 / CVE-2018-3924 is an exploitable user-after-free vulnerability that exists in the JavaScript engine of Foxit’s PDF Reader. As a complete feature-rich PDF reader Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code a document can be cloned, which frees a lot of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the ‘mailForm’ method of the active document resulting in arbitrary code execution.

A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0606

TALOS-2018-0606 / CVE-2018-3939 is an exploitable use-after-free vulnerability found in the Javascript engine that can result in remote code execution.  As a complete feature-rich PDF reader Foxit supports JavaScript for interactive documents and dynamic forms. When executing embedded JavaScript code a document can be closed, which frees a lot of used objects, but the JavaScript can continue to execute, potentially leading to a user-after-free condition. This particular vulnerability lies in invoking the ‘createTemplate’ method of the active document resulting in arbitrary code execution.

A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

Go to Source

Author: Talos Group

CoinVault: Caught red-handed

Way back in 2015, Kaspersky Lab helped Dutch cyberpolice catch the creators of one of the very first pieces of ransomware, CoinVault. The decryptor we developed for it inspired the NoRansom portal, where we upload tools for unlocking files after various encryption attacks. Although CoinVault’s creators were caught a while ago, the first court hearing took place recently, and our expert Jornt van der Wiel attended.

CoinVault ran riot in 2014 and 2015 through dozens of countries around the world. Our experts estimate the number of victims at more than 10,000. Behind the attacks were two Dutch brothers, aged 21 and 25, who developed and distributed the Trojan. Every victim received a ransom demand for 1 bitcoin, which at the time was worth about 200 euros. The pair snagged about 20,000 euros as a result.

CoinVault was ahead of its time. In addition to encryption, it had features that we still see in ransomware Trojans today. For example, the victim was allowed to decrypt one file free. Mentally, this plays into the hands of the cybercriminals: When victims realize they are one click away from recovering their vital data, the temptation to pay up becomes stronger. The on-screen timer is another of CoinVault’s psychological teasers, inexorably counting down to a higher ransom demand.

 

Double Dutch

We studied CoinVault and described its structure in detail in late 2014. The malware authors took great pains to hide it from security solutions and hinder its analysis. The ransomware can determine, for example, whether it is being run in a sandbox, and its code is heavily obfuscated.

Nevertheless, our experts were able to get to the source code and find a clue that ultimately led to the criminals’ arrest: It contained some comments in Dutch. It was fairly likely that the malware hailed from the Netherlands.

We passed the information to the Dutch cyberpolice, and within a few months they reported the successful capture of the campaign masterminds. Thanks to our cooperation with the Dutch police, we managed to obtain the keys from the C&C server and develop a data decryption tool.

 

Lady Justice weighs the evidence

The police collected almost 1,300 statements from victims of the ransomware. Some of them appeared in court personally to demand compensation. One victim, for example, had their vacation ruined by the ransomware. They estimated the damage at 5,000 euros, saying that this sum would enable them to pay for another trip.

Another victim asked for the ransom to be paid back in the same coin — bitcoin. Since the attack, the cryptocurrency exchange rate has risen almost thirtyfold, so if the court satisfies the claim, it will be the first time that an injured party has earned money from a ransomware attack.

At the recent hearing, the prosecutors demanded punishment in the form of three months’ imprisonment, followed by a nine-month suspended sentence and 240 hours’ community service. The defense asked the court not to put the brothers behind bars, arguing that the defendants had cooperated with the investigation, plus one is irreplaceable in his current job and the other is in college. The verdict will be delivered at the next hearing, on July 26.

 

Trespassers will be prosecuted

We always say that giving in to criminals only encourages them. The trial of the CoinVault creators shows that even seemingly anonymous cybercriminals cannot escape punishment. But instead of waiting three years for justice, it’s better to protect yourself in advance. Remember our standard tips:

  • Don’t click on suspicious links and don’t open suspicious e-mail attachments.
  • Make regular backups of important files.
  • Use a reliable security solution.

Go to Source
Author: Anna Markovskaya

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July2018 Elections and Reveals Broad Operations Globally

Introduction

FireEye has examined a range of TEMP.Periscope activity revealing
extensive interest in Cambodia’s politics, with active compromises of
multiple Cambodian entities related to the country’s electoral system.
This includes compromises of Cambodian government entities charged
with overseeing the elections, as well as the targeting of opposition
figures. This campaign occurs in the run up to the country’s July 29,
2018, general elections. TEMP.Periscope used the same infrastructure
for a range of activity against other more traditional targets,
including the defense industrial base in the United States and a
chemical company based in Europe. Our previous blog post focused on
the group’s targeting
of engineering and maritime entities
in the United States.

Overall, this activity indicates that the group maintains an
extensive intrusion architecture and wide array of malicious tools,
and targets a large victim set, which is in line with typical
Chinese-based APT efforts. We expect this activity to provide the
Chinese government with widespread visibility into Cambodian elections
and government operations. Additionally, this group is clearly able to
run several large-scale intrusions concurrently across a wide range of
victim types.

Our analysis also strengthened our overall attribution of this
group. We observed the toolsets we previously attributed to this
group, their observed targets are in line with past group efforts and
also highly similar to known Chinese APT efforts, and we identified an
IP address originating in Hainan, China that was used to remotely
access and administer a command and control (C2) server.

TEMP.Periscope Background

Active since at least 2013, TEMP.Periscope has primarily focused on
maritime-related targets across multiple verticals, including
engineering firms, shipping and transportation, manufacturing,
defense, government offices, and research universities (targeting is
summarized in Figure 1). The group has also targeted
professional/consulting services, high-tech industry, healthcare, and
media/publishing. TEMP.Periscope overlaps in targeting, as well as
tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group
that also overlaps significantly with public reporting by Proofpoint
and F-Secure
on “NanHaiShu.”


Figure 1: Summary of TEMP.Periscope activity

Incident Background

FireEye analyzed files on three open indexes believed to be
controlled by TEMP.Periscope, which yielded insight into the group’s
objectives, operational tactics, and a significant amount of technical
attribution/validation. These files were “open indexed” and
thus accessible to anyone on the public internet. This TEMP.Periscope
activity on these servers extends from at least April 2017 to the
present, with the most current operations focusing on Cambodia’s
government and elections.

  • Two servers,
    chemscalere[.]com and scsnewstoday[.]com, operate as typical C2
    servers and hosting sites, while the third, mlcdailynews[.]com,
    functions as an active SCANBOX server. The C2 servers contained both
    logs and malware.
  • Analysis of logs from the three servers
    revealed:

    • Potential actor logins from an IP address
      located in Hainan, China that was used to remotely access and
      administer the servers, and interact with malware deployed at
      victim organizations.
    • Malware command and control
      check-ins from victim organizations in the education, aviation,
      chemical, defense, government, maritime, and technology sectors
      across multiple regions. FireEye has notified all of the victims
      that we were able to identify.
  • The malware
    present on the servers included both new families (DADBOD, EVILTECH)
    and previously identified malware families (AIRBREAK, EVILTECH,
    HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .

Compromises of Cambodian Election Entities

Analysis of command and control logs on the servers revealed
compromises of multiple Cambodian entities, primarily those relating
to the upcoming July 2018 elections. In addition, a separate spear
phishing email analyzed by FireEye indicates concurrent targeting of
opposition figures within Cambodia by TEMP.Periscope.

Analysis indicated that the following Cambodian government
organizations and individuals were compromised by TEMP.Periscope:

  • National Election
    Commission, Ministry of the Interior, Ministry of Foreign Affairs
    and International Cooperation, Cambodian Senate, Ministry of
    Economics and Finance
  • Member of Parliament representing
    Cambodia National Rescue Party
  • Multiple Cambodians
    advocating human rights and democracy who have written critically of
    the current ruling party
  • Two Cambodian diplomats serving
    overseas
  • Multiple Cambodian media entities

TEMP.Periscope sent a spear phish with AIRBREAK malware to
Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia
National Rescue Party (CNRP), and the daughter of (imprisoned)
Cambodian opposition party leader Kem Sokha (Figure 2). The decoy
document purports to come from LICADHO (a non-governmental
organization [NGO] in Cambodia established in 1992 to promote human
rights). This sample leveraged scsnewstoday[.]com for C2.


Figure 2: Human right protection survey lure

The decoy document “Interview Questions.docx” (MD5:
ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of
the same name. The questions reference the opposition Cambodian
National Rescue Party, human rights, and the election (Figure 3).


Figure 3: Interview questions decoy

Infrastructure Also Used for Operations Against Private Companies

The aforementioned malicious infrastructure was also used against
private companies in Asia, Europe and North America. These companies
are in a wide range of industries, including academics, aviation,
chemical, maritime, and technology. A MURKYTOP sample from 2017 and
data contained in a file linked to chemscalere[.]com suggest that a
corporation involved in the U.S. defense industrial base (DIB)
industry, possibly related to maritime research, was compromised. Many
of these compromises are in line with TEMP.Periscope’s previous
activity targeting maritime and defense industries. However, we also
uncovered the compromise of a European chemical company with a
presence in Asia, demonstrating that this group is a threat to
business worldwide, particularly those with ties to Asia.

AIRBREAK Downloaders and Droppers Reveal Lure Indicators

Filenames for AIRBREAK downloaders found on the open indexed sites
also suggest the ongoing targeting of interests associated with Asian
geopolitics. In addition, analysis of AIRBREAK downloader sites
revealed a related server that underscores TEMP.Periscope’s interest
in Cambodian politics.

The AIRBREAK downloaders in Table 1 redirect intended victims to the
indicated sites to display a legitimate decoy document while
downloading an AIRBREAK payload from one of the identified C2s. Of
note, the hosting site for the legitimate documents was not
compromised. An additional C2 domain, partyforumseasia[.]com, was
identified as the callback for an AIRBREAK downloader referencing the
Cambodian National Rescue Party.

Redirect Site (Not Malicious) AIRBREAK Downloader AIRBREAK C2
en.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html TOP_NEWS_Japan_to_Support_the_Election.js

(3c51c89078139337c2c92e084bb0904c) [Figure 4]

chemscalere[.]com
iric.gov.kh/LICADHO/Interview-Questions.pdf [pdf]Interview-Questions.pdf.js

(e413b45a04bf5f812912772f4a14650f)

iric.gov.kh/LICADHO/Interview-Questions.pdf [docx]Interview-Questions.docx.js

(cf027a4829c9364d40dcab3f14c1f6b7)

unknown Interview_Questions.docx.js

(c8fdd2b2ddec970fa69272fdf5ee86cc)

scsnewstoday[.]com
atimes.com/article/philippines-draws-three-hard-new-lines-on-china/ Philippines-draws-three-hard-new-lines-on-china
.js

(5d6ad552f1d1b5cfe99ddb0e2bb51fd7)

mlcdailynews[.]com
facebook.com/CNR.Movement/videos/190313618267633/ CNR.Movement.mp4.js

(217d40ccd91160c152e5fce0143b16ef)

Partyforumseasia[.]com

Table 1: AIRBREAK downloaders


Figure 4: Decoy document associated with
AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js

SCANBOX Activity Gives Hints to Future Operations

The active SCANBOX server, mlcdailynews[.]com, is hosting articles
related to the current Cambodian campaign and broader operations.
Articles found on the server indicate targeting of those with
interests in U.S.-East Asia geopolitics, Russia and NATO affairs.
Victims are likely either brought to the SCANBOX server via strategic
website compromise or malicious links in targeted emails with the
article presented as decoy material. The articles come from
open-source reporting readily available online. Figure 5 is a SCANBOX
welcome page and Table 2 is a list of the articles found on the server.


Figure 5: SCANBOX welcome page

Copied Article Topic Article Source (Not Compromised)
Leaders confident yet nervous Khmer Times
Mahathir_ ‘We want to be friendly with
China
PM urges voters to support CPP for peace
CPP determined to maintain Kingdom’s peace and
development
Bun Chhay’s wife dies at 60
Crackdown planned on boycott callers
Further floods coming to Kingdom
Kem Sokha again denied bail
PM vows to stay on as premier to quash
traitors
Iran_ Don’t trust Trump Fresh News
Kim-Trump summit_ Singapore’s role
Trump’s North Korea summit may bring peace
declaration – but at a cost
Reuters
U.S. pushes NATO to ready more forces to deter
Russian threat
us-nato-russia_us-pushes-nato-to-ready-more-forces-to-deter-russian-threat
Interior Minister Sar Kheng warns of dirty
tricks
Phnom Penh
Post
Another player to enter market for cashless
pay
Donald Trump says he has ‘absolute right’ to
pardon himself but he’s done nothing wrong – Donald Trump’s
America
ABC News
China-funded national road inaugurated in
Cambodia
The Cambodia Daily
Kim and Trump in first summit session in
Singapore
Asia Times
U.S. to suspend military exercises with South
Korea, Trump says
U.S. News
Rainsy defamed the King_ Hun Sen BREAKING NEWS
cambodia-opposition-leader-denied-bail-again-in-treason-case Associated Press

Table 2: SCANBOX articles copied to server

TEMP.Periscope Malware Suite

Analysis of the malware inventory contained on the three servers
found a classic suite of TEMP.Periscope payloads, including the
signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s
analysis identified new tools, EVILTECH and DADBOD (Table 3).

Malware Function Details
EVILTECH Backdoor
  • EVILTECH is a
    JavaScript sample that implements a simple RAT with support
    for uploading, downloading, and running arbitrary
    JavaScript.
  • During the infection process, EVILTECH is
    run on the system, which then causes a redirect and possibly
    the download of additional malware or connection to another
    attacker-controlled system.
DADBOD Credential
Theft
  • DADBOD is a tool
    used to steal user cookies.
  • Analysis of this
    malware is still ongoing.

Table 3: New additions to the TEMP.Periscope
malware suite

Data from Logs Strengthens Attribution to China

Our analysis of the servers and surrounding data in this latest
campaign bolsters our previous assessment that TEMP.Periscope is
likely Chinese in origin. Data from a control panel access log
indicates that operators are based in China and are operating on
computers with Chinese language settings.

A log on the server revealed IP addresses that had been used to log
in to the software used to communicate with malware on victim
machines. One of the IP addresses, 112.66.188.28, is located in
Hainan, China. Other addresses belong to virtual private servers, but
artifacts indicate that the computers used to log in all cases are
configured with Chinese language settings.

Outlook and Implications

The activity uncovered here offers new insight into TEMP.Periscope’s
activity. We were previously aware of this actor’s interest in
maritime affairs, but this compromise gives additional indications
that it will target the political system of strategically important
countries. Notably, Cambodia has served as a reliable supporter of
China’s South China Sea position in international forums such as ASEAN
and is an important partner. While Cambodia is rated as Authoritarian
by the Economist’s Democracy Index, the recent surprise upset of the
ruling party in Malaysia may motivate China to closely monitor
Cambodia’s July 29 elections.

The targeting of the election commission is particularly
significant, given the critical role it plays in facilitating voting.
There is not yet enough information to determine why the organization
was compromised – simply gathering intelligence or as part of a more
complex operation. Regardless, this incident is the most recent
example of aggressive nation-state intelligence collection on election
processes worldwide.

We expect TEMP.Periscope to continue targeting a wide range of
government and military agencies, international organizations, and
private industry. However focused this group may be on maritime
issues, several incidents underscore their broad reach, which has
included European firms doing business in Southeast Asia and the
internal affairs of littoral nations. FireEye expects TEMP.Periscope
will remain a virulent threat for those operating in the area for the
foreseeable future.

Go to Source
Author: Scott Henderson

Patch Tuesday, July 2018 Edition

Microsoft and Adobe each issued security updates for their products today. Microsoft’s July patch batch includes 14 updates to fix more than 50 security flaws in Windows and associated software. Separately, Adobe has pushed out an update for its Flash Player browser plugin, as well as a monster patch bundle for Adobe Reader/Acrobat.

According to security firm Qualys, all but two of the “critical” fixes in this round of updates apply to vulnerabilities in Microsoft’s browsers — Internet Explorer and Edge. Critical patches mend software flaws that can be exploited remotely by malicious software or bad guys with little to no help from the user, save for perhaps visiting a Web site or opening a booby-trapped link.

Microsoft also patched dangerous vulnerabilities in its .NET Framework (a Windows development platform required by many third-party programs and commonly found on most versions of Windows), as well as Microsoft Office. With both of these weaknesses, an attacker could trick a victim into opening an email that contained a specially crafted Office document which loads malicious code, says Allan Liska, a threat intelligence analyst at Recorded Future.

One of the more nettlesome features of Windows 10 is the operating system by default decides on its own when to install updates, very often shutting down open programs and restarting your PC in the middle of the night to do so unless you change the defaults.

Not infrequently, Redmond ships updates that end up causing stability issues for some users, and it doesn’t hurt to wait a day or two before seeing if any major problems are reported with new updates before installing them. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

It’s a good idea to get in the habit of backing up your computer before applying monthly updates from Microsoft. Windows has some built-in tools that can help recover from bad patches, but restoring the system to a backup image taken just before installing updates is often much less hassle and an added piece of mind while you’re sitting there praying for the machine to reboot successfully after patching.

As per usual on Microsoft’s Patch Tuesday, Adobe issued an update to its Flash Player browser plugin. The latest update brings Flash to version 30.0.0.134, and patches at least two security vulnerabilities in the program. Microsoft’s patch bundle includes the Flash update as well.

Adobe says the Flash update addresses “critical” security holes, meaning they could be exploited by malware or miscreants to take complete, remote control over vulnerable systems. My standard advice is for readers to kick Flash to the curb, as it’s a buggy program that is a perennial favorite target of malware purveyors.

For readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

By default, Mozilla Firefox on Windows computers with Flash installed runs Flash in a “protected mode,” which prompts the user to decide if they want to enable the plugin before Flash content runs on a Web site.

Another, perhaps less elegant, alternative to wholesale junking Flash is keeping it installed in a browser that you don’t normally use, and then only using that browser on sites that require Flash.

If you use Adobe Reader or Acrobat to manage PDF documents, you’re probably going to want to update these products soon: Adobe released updates for both today that fix more than 100 security vulnerabilities in the software titles.

Some folks may be unaware that there are other free PDF readers which aren’t quite as bloated as Adobe’s. Whether these alternative readers are more secure is another question; they certainly seem to be updated less frequently, but that may have something to do with the fact that they include far fewer features and likely less overall attack surface area.

I can’t recall the last time I had Adobe Reader installed on anything I own. My preferred PDF reader for Windows is Sumatra PDF, which is comparatively lightweight and very fast. Unfortunately, no matter how many times you change Sumatra to the default PDF reader on Windows 10, the operating system keeps defaulting to opening PDFs in Microsoft Edge.

For a detailed rundown of the individual vulnerabilities patched by Microsoft today, check out the SANS Internet Storm Center, which indexes the fixes by severity, how likely it is that each vulnerability will be exploited anytime soon, and whether specific flaws were publicly disclosed prior to today’s patch release.

According to SANS, at least three of the flaws — CVE-2018-8278, CVE-2018-8313, and CVE-2018-8314 — were previously disclosed publicly, meaning that attackers may have had a head start figuring out how to exploit these flaws for criminal gain.

As always, if you experience any problems installing or downloading these updates, please don’t hesitate to leave a comment. If past Patch Tuesday posts are any indicator, you may even find helpful responses or solutions from other readers experiencing the same issues.

Go to Source
Author: BrianKrebs

Adobe Releases Security Patch Updates For 112 Vulnerabilities

Adobe has released security patches for a total 112 vulnerabilities in its products, most of which have a higher risk of being exploited.

The vulnerabilities addressed in this month’s patch Tuesday affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, Adobe Acrobat, and Reader.

None of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.

Adobe Flash Player (For Desktops and Browsers)

Security updates include patches for two vulnerabilities in Adobe Flash Player for various platforms and application, as listed below.

One of which has been rated critical (CVE-2018-5007), and successful exploitation of this “type confusion” flaw could allow an attacker to execute arbitrary code on the targeted system in the context of the current user.

This flaw was discovered and reported to Adobe by willJ of Tencent PC Manager working with Trend Micro’s Zero Day Initiative.

Without revealing technical details of any flaw, Adobe said the second vulnerability, which has been rated important by the company, could allow an attacker to retrieve sensitive information.

Affected Version

  • Flash Player v30.0.0.113 and earlier versions

Affected Platforms and Applications

  • Windows
  • macOS
  • Linux
  • Chrome OS
  • Google Chrome
  • Microsoft IE 11
  • Microsoft Edge

 

Adobe Acrobat and Reader (Windows and macOS)

The company has patched a total of 104 security vulnerabilities in Adobe Acrobat and Reader, of which 51 are rated as critical and rest are important in severity.

Both products include dozens of critical heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference and buffer errors vulnerabilities which could allow an attacker to execute arbitrary code on the targeted system in the context of the current user.

These vulnerabilities were reported by security researchers from various security firms, including Palo Alto Networks, Trend Micro Zero Day Initiative, Tencent, Qihoo 360, CheckPoint, Cisco Talos, Kaspersky Lab, Xuanwu Lab and Vulcan Team.

Affected Version

  • Continuous Track—2018.011.20040 and earlier versions
  • Classic 2017 Track—2017.011.30080 and earlier versions
  • Classic 2015 Track—2015.006.30418 and earlier versions

Affected Platforms

  • Microsoft Windows
  • Apple macOS

Adobe Experience Manager (All Platforms)

Adobe has addressed three important Server-Side Request Forgery (SSRF) vulnerabilities in its Experience Manager, an enterprise content management solution, which could result in sensitive information disclosure.

Two of these security vulnerabilities (CVE-2018-5006, CVE-2018-12809) were discovered by Russian application security researcher Mikhail Egorov.

Affected Version

  • AEM v6.4, 6.3, 6.2, 6.1 and 6.0

The vulnerabilities affect Adobe Experience Manager for all platforms, and users are recommended to download the updated version from here.

Adobe Connect (All Platforms)

Adobe has patched three security vulnerabilities in Adobe Connect—a software used to create information and general presentations and web conferencing—two of which, rated important, could allow an attacker to bypass the authentication, hijack web sessions and steal sensitive information.

The third flaw, rated moderate, in Adobe Connect is a privilege escalation issue caused due to an insecure loading of a library.

Affected Version

  • Adobe Connect v9.7.5 and earlier for all platforms

Adobe recommends end users and administrators to install the latest security updates as soon as possible.

Go to Source

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach was discovered last week that affects users of one of the largest web hosting companies in Germany, DomainFactory, owned by GoDaddy.

The breach initially happened back in last January this year and just emerged last Tuesday when an unknown attacker himself posted a breach note on the DomainFactory support forum.

It turns out that the attacker breached company servers to obtain the data of one of its customers who apparently owes him a seven-figure amount, according to Heise.

Later the attacker tried to report DomainFactory about the potential vulnerability using which he broke into its servers, but the hosting provider did not respond, and neither disclosed the breach to its customers.

In that situation, the attacker head on to the company’s support forum and broke the news with sample data of a few customers as proof, which forced DomainFactory to immediately shut down the forum website and initiate an investigation.

Attacker Gains Access to a Large Number of Data

DomainFactory finally confirmed the breach last weekend, revealing that following personal data belonging to an unspecified number of its customers has been compromised.

  • Customer name
  • Company name
  • Customer account ID
  • Physical address
  • E-mail addresses
  • Telephone number
  • DomainFactory Phone password
  • Date of birth
  • Bank name and account number (e.g. IBAN or BIC)
  • Schufa score (German credit score)

Well, that’s a whole lot of information, which can be used by cybercriminals for targeted social engineering attacks against the customers.

The forum has since been temporarily down, and DomainFactory said that a data feed of certain customer information, accessed by the attacker, was left open to external third parties after a system transition on January 29, 2018.

“We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount, and we regret the inconvenience this incident causes, very much,” the company said.

Change All of Your Passwords

DomainFactory is now advising its users to change passwords for all of the following services and applications “as a precautionary measure,” and also change passwords for other online services where you use the same password.

  • Customer password
  • Phone password
  • Email passwords
  • FTP / Live disk passwords
  • SSH passwords
  • MySQL database passwords

Since the compromised data can be used for identity theft and to create direct debits for customers’ bank account, users are also recommended to monitor their bank statements for any unauthorized transaction.

So far it is unclear how the attacker got into the Domainfactory servers, but the German publication said the attacker did not give an impression of selling the captured data or leaking it online.

Go to Source

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

And the hacks just keep on coming.

Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find—what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its Cloud Computing Environment and access the data of entire 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.

“We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached,” the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised

Moreover, the attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a “short time window” after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

The stolen access tokens cannot be now used to gain access to any of your social media profiles, and the company also claims that there is “no evidence that this actually happened.”

“In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens,” the company said.

It should also be noted that these authorization tokens do not give anyone, including the company itself, access to your private messages on Facebook Messenger, Direct Messages on Twitter and Instagram, and things that your friends post to your Facebook wall.

Timehop is also confident that the security breach did not affect your private/direct messages, financial data, social media and photo content, and other Timehop data including streaks and memories.

Timehop also pointed out that there was no evidence that any account was accessed without authorization.

Data Breach Aided By Lack of Two-Factor Authentication

 

“The breach occurred because an access credential to our cloud computing environment was compromised,” Timehop said.

The same day Timehop identified the breach on its network, we reported about the Gentoo GitHub account hack that allowed intruders to replace the content of the project’s repositories and pages with the malicious one, after guessing the account password.

The Gentoo breach was aided by the lack of two-factor authentication (2FA) for its Github account. The 2FA makes it mandatory for users to enter an additional passcode besides the password in order to gain access to the account.

The same happened with Timehop.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment by using compromised credential.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.

Timehop immediately logged out all of its users of the app after the company invalidated all API credentials, which means you will need to re-authenticate each of your social media accounts to the app when you log into your Timehop account to generate a new token.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.

Since the new GDPR privacy law defines a breach as “likely to result in a risk to the rights and freedoms of the individuals,” Timehop claims to have notified all of its affected European users and is working closely with GDPR experts to assist in the countermeasures.

To know more about the incident and how it happened, you can head on to the technical reportpublished by Timehop, which provides a more detailed breakdown of the security incident.

Go to Source

Rakhni Trojan: To encrypt and to mine

We recently posted that ransomware is giving way to miners at the top of the online threat rankings. In line with this trend, the Trojan ransomware Rakhni, which we’ve been watching since 2013, has added a cryptocurrency mining module to its arsenal. What’s interesting is that the malware loader is able to choose which component to install depending on the device. Our researchers figured out how the updated malware works and where the danger lies.

Our products spotted Rakhni in Russia, Kazakhstan, Ukraine, Germany, and India. The malware is distributed mainly through spam mailings with malicious attachments. The sample that our experts studied, for example, was disguised as a financial document. This suggests that the cybercriminals behind it are primarily interested in corporate “clients.”

A DOCX attachment in a spam e-mail contains a PDF document. If the user allows editing and tries to open the PDF, the system requests permission to run an executable file from an unknown publisher. With the user’s permission, Rakhni swings into action.

 

Like a thief in the night

When it’s started, the malicious PDF file appears to be a document viewer. First, the malware shows the victim an error message explaining why nothing has opened. Next, it disables Windows Defender and installs forged digital certificates. Only when the coast seems clear does it decide what to do with the infected device — encrypt files and demand ransom or install a miner.

Finally, the malicious program tries to spread to other computers inside the local network. If company employees have shared access to the Users folder on their devices, the malware copies itself onto them.

 

Mine or encrypt?

The selection criterion is simple: If the malware finds a service folder called Bitcoin on the victim’s computer, it runs a piece of ransomware that encrypts files (including Office docs, PDFs, images, and backups) and demands a ransom payment within three days. Details of the ransom, including how much, the cybercriminals kindly promise to send by e-mail.

If there are no Bitcoin-related folders on the device, and the malware believes it has enough power to handle cryptocurrency mining, it downloads a miner that surreptitiously generates Monero, Monero Original, or Dashcoin tokens in the background.

 

Go to Source
Author: Julia Glazova

Top PirateBay Alternatives — Torrent, Free Movie Download Websites

piratebay torrent download sites and free movie download websites

There’s no doubt that PirateBay (TPB) is one of the world’s most famous and widely used torrent download website, but it has again been caught mining cryptocurrency by using its visitors’ CPU processing power.

This is the second time when The Pirate Bay has been caught mining digital coins. In September last year, PirateBay was found quietly running CoinHive JavaScript code to mine Monero cryptocurrency without informing its users to generate revenue.

However, this time the PirateBay let users know, though in a very tiny print at the end of its homepage, that the free torrent download website is cryptocurrency mining again—without allowing users to opt out.

PirateBay Torrent Site Displays New Notification

“By entering TPB [PirateBay], you agree to XMR being mined using your CPU. If you don’t agree, please leave now or install a blocker.”

Last year, when the PirateBay torrent site got many complaints from its users about the increased of their CPU usage whenever they try to browser the Piratebay, the website expressed regret for using a crypto-miner without users’ consent.

However, this time when a use expressed his concern about the mining operation on the free torrent website due to his slow internet speed, here’s what the Piratebay administrator, who goes by the online alias “Sid,” replied:

“Yeah, yeah, whatever. The time it takes to download torrent files is completely and utterly irrelevant. All you require from PirateBay is magnet links. Open the site. Find a torrent. Click the magnet links. Close the site. End of the miner.”

The Pirate Bay is an infamous Swedish torrent search engine used worldwide for downloading pirated material, such as software, movies, music files and TV shows for free.

In 2014, it was reported that Pirate Bay runs on 21 “raid-proof servers,” hosted around the globe at different cloud provider, to avoid detection.

Although every ISP blocks The Pirate Bay, users still access the website using a VPN service or a proxy to bypass service providers restrictions.

Moreover, The Pirate Bay regularly faces down times.

Almost two months ago, the piratebay website was down worldwide, leaving millions of users disappointed for not being able to get magnet links and download torrent files.

PirateBay Alternatives: Torrent Download Websites

However, to avoid websites that mine digital secretly coins in the browser, users have found some best piratebay alternatives.

Though we do not support any act of copyright infringement or illegal downloading of content, here are top recommendations people sharing over social media websites:

1. TorLock — [torlock.com]

TorLock is one of the best piratebay alternatives to download high quality torrent files.

Torlock is a unique download site that offers music, games, software, the latest TV series, and movies for free.

With “No Fakes Torrent Site” as its official motto, Torlock is dedicated to listing 100% verified torrents only. It challenges users to find fake torrents and get a compensation of $1 for each finding.

2. KickAssTorrents — [katcr.co]

Among the best piratebay alternatives is KickAssTorrents, but after being in controversies over copyright infringement, many service providers and ISP blocks this service and its mirror domains as well.

The peer to peer file sharing site became the world’s biggest piracy hub after The Pirate Bay went offline for over a month following a police raid in December 2014.

KickAssTorrents (KAT) hosts a good number of torrent files and magnet links for movies, TV shows, software, games, e-books, and music.

While the original Kickass Torrents domain (kat.cr) was shut down after its alleged owner Artem Vaulin arrested in Poland two years ago, the site’s original team revived the website at a new web address (katcr.co) and has since been, no doubt, kicking ass in the world of torrents.

3. iDope — [idope.se]

This is a relatively new download website that not only lets you discover anything you search for and also claims never to track its visitors. It is a great alternative to the pirate bay.

The homepage of iDope includes not much more than a torrent indexer bar with a tagline: “A tribute to KickassTorrents.” iDope has a Chrome plugin and an Android app. The service is also available on the darknet.

4. 1337x — [1337x.to]

If you love piratebay, 1337x would be your go-to for the site. The peer to peer file sharing site has been around for a long time that makes it a reliable and prominent alternative for The Pirate Bay.

Just like pirate bay, 1337x offers a simple, user-friendly search bar with no complex design. You can also search torrent files and magnet links by categories or directly head on to its Top 100 section for most trending torrents on the website.

5. Yify Torrent / YTS — [yts.am]

Also known as YTS, this site is yet another best piratebay alternative. However, this is not the original YIFY torrent site to download YIFY Movies and YTS Movies that I’m sure all the movie lovers are aware of it.

The original YTS or YIFY site went dark after its leader pleaded guilty in New Zealand Jurisprudence. YTS.am is an excellent clone of the original website, though you need to beware of other fake torrent sites promoting itself as YTS.

6. ExtraTorrent — [extratorrent.si]

Among these, ExtraTorrent is also a good alternative to thepiratebay.

ExtraTorrent was once the most popular and, of course, best torrent site, but the site suddenly disappeared on May 17, 2017, with a message on its website that it has been permanently shut down.

ExtraTorrent, however, made a comeback with a new domain.

Is Downloading Torrent Files Legal or Illegal?

Watching TV shows and movies online are a great way to entertain yourself or have a fun time with your friends and family, and the fun could be even more when they come for free.

The torrent search engines mentioned above are excellent pirate bay alternatives if you want to try out, although it is not a good idea to use popular torrent sites for downloading copyright-protected content.

If you found guilty of copyright infringement, you can be ordered to pay damages.

Although the concept of torrent is not illegal, those who download copyrighted content for free without permission are breaking the law in some of the other ways.

Some countries even impose a hefty fine or/and imprisonment on pirates, like in India you could be sentenced to three-year prison if caught just visiting a torrent site.

Using a VPN service to unblock peer to peer file sharing and torrent sites, which are blocked by service providers, sometimes doesn’t help much to stay anonymous on the Internet.

Websites to Legally Download Movie for Free

It is important to know that—when you type free movie download websites on your search engines, you’ll be served with a long list of sites, where you could end up downloading links to nasty malware and viruses that could infect your computer.

We have long advised our readers to avoid illegal sites for free downloads of movies, and always use streaming services like Netflix and Amazon Prime to watch newly released movies in the comfort of your home.

However, we frequently receive emails and messages from our readers asking for legal websites for downloading movies and TV shows for free.

So, in the interest of our readers, I have compiled a list of free movie websites, where you can download hollywood movies for free, watch movies online, watch TV shows online for free.

However, before heading towards the list, always keep in mind that there is no legal way to download a free version of movies that are still in theaters, or that has recently been released.

You can try legal ways to watch high quality movies online. Here below we have listed top free movie download sites that offers a quite good collection of movies:

Since, other torrent and free movie download sites have also started consider using in-browser cryptocurrency mining, just like the PirateBay, readers are advised to install minerBlock or No Coin like browser extensions/plugins that do not allow sites to mine cryptocurrencies without users’ consent and authorization.

Go to Source