CoinVault: Caught red-handed

Way back in 2015, Kaspersky Lab helped the Dutch cyberpolice catch the creators of CoinVault, an early piece of crypto-ransomware. The decryptor we developed for it inspired the NoRansom portal, where we publish tools for unlocking files after various encryption attacks. Although CoinVault’s creators were caught a while ago, the first court hearing took place only recently, and our expert Jornt van der Wiel attended.

CoinVault ran riot in 2014 and 2015 across dozens of countries. Our experts estimate the number of victims at more than 10,000. Behind the attacks were two Dutch brothers, aged 21 and 25, who developed and distributed the Trojan. Every victim received a ransom demand for 1 bitcoin, which at the time was worth about 200 euros. The pair netted about 20,000 euros as a result.

CoinVault was ahead of its time: in addition to encryption, it had features we still see in ransomware Trojans today. For example, the victim was allowed to decrypt one file free of charge. Psychologically, this plays into the hands of the cybercriminals: when victims realize they are one click away from recovering their vital data, the temptation to pay up grows stronger. The on-screen timer is another of CoinVault’s psychological levers, inexorably counting down to a higher ransom demand.

 

Double Dutch

We studied CoinVault and described its structure in detail in late 2014. The malware authors took great pains to hide it from security solutions and hinder its analysis. The ransomware can determine, for example, whether it is being run in a sandbox, and its code is heavily obfuscated.

Nevertheless, our experts were able to get at the source code and found the clue that ultimately led to the criminals’ arrest: it contained comments in Dutch, which made it fairly likely that the malware hailed from the Netherlands.

We passed the information to the Dutch cyberpolice, and within a few months they reported the successful capture of the campaign masterminds. Thanks to our cooperation with the Dutch police, we managed to obtain the keys from the C&C server and develop a data decryption tool.

 

Lady Justice weighs the evidence

The police collected almost 1,300 statements from victims of the ransomware. Some of them appeared in court personally to demand compensation. One victim, for example, had their vacation ruined by the ransomware. They estimated the damage at 5,000 euros, saying that this sum would enable them to pay for another trip.

Another victim asked for the ransom to be repaid in the same coin: bitcoin. Since the attack, the cryptocurrency’s exchange rate has risen almost thirtyfold, so if the court grants the claim, it will be the first time an injured party has come out ahead financially after a ransomware attack.

At the recent hearing, the prosecutors demanded punishment in the form of three months’ imprisonment, followed by a nine-month suspended sentence and 240 hours’ community service. The defense asked the court not to put the brothers behind bars, arguing that the defendants had cooperated with the investigation, plus one is irreplaceable in his current job and the other is in college. The verdict will be delivered at the next hearing, on July 26.

 

Trespassers will be prosecuted

We always say that giving in to criminals only encourages them. The trial of the CoinVault creators shows that even seemingly anonymous cybercriminals cannot escape punishment. But instead of waiting three years for justice, it’s better to protect yourself in advance. Remember our standard tips:

  • Don’t click on suspicious links and don’t open suspicious e-mail attachments.
  • Make regular backups of important files.
  • Use a reliable security solution.

Go to Source
Author: Anna Markovskaya

Roaming Mantis infects smartphones via wi-fi routers

Some time ago our experts investigated a piece of malware that they dubbed Roaming Mantis. Back then, mainly users from Japan, Korea, China, India, and Bangladesh were being attacked, so we didn’t discuss the malware in the context of other regions, since it seemed to be a local threat.

However, in the month since the report was published, Roaming Mantis has learned to speak another two dozen languages and is rapidly spreading around the world.


The malware uses compromised routers to infect Android smartphones and tablets, redirect iOS devices to a phishing site, and run the CoinHive cryptomining script on desktops and laptops. It does all this by means of DNS hijacking, which makes it hard for targeted users to notice that something is amiss.

What is DNS hijacking?

When you enter a site name in the browser address bar, the browser doesn’t actually send a request to that name, because it can’t: the Internet routes traffic by IP addresses, which are sets of numbers, while domain names made of letters exist for people, who find them easier to remember and type.

So the first thing the browser does when a URL is entered is send a request to a DNS server (DNS stands for Domain Name System), which translates the human-readable name into the IP address of the corresponding website. It is this IP address that the browser then connects to.

DNS hijacking is a way of fooling the browser into believing it has matched the domain name to the correct IP address when in fact it hasn’t. Although the IP address is wrong, the original URL entered by the user is still displayed in the address bar, so nothing looks suspicious. (For sites served over HTTPS, a certificate warning is the one visible clue, since the attacker’s server normally has no valid certificate for the real name.)

There are many DNS-hijacking techniques, but the creators of Roaming Mantis chose perhaps the simplest and most effective: they change the settings of compromised routers so that the routers hand out the attackers’ own rogue DNS servers to every connected device. As a result, whatever a user types in the address bar of a device connected to such a router, the rogue resolver can answer with the address of a malicious site.
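The check a practitioner wants at this point is whether the resolver the router hands out answers differently from a resolver they trust. The following is an added example, not code from the original post or from the Roaming Mantis research: a standard-library-only DNS client that builds an RFC 1035 query, parses the A records out of the response (including compressed names), and compares the answer sets from two resolvers. The resolver addresses in the comments and all packets built by `build_response` are constructed for the demo, so the parser can be exercised offline.

```python
import random
import socket
import struct

# Added example (not from the original post): a stdlib-only DNS client that
# lets you compare what the resolver your router hands out says against a
# resolver you trust. All sample packets below are constructed for the demo.

def build_query(name, qtype=1):
    """Return (txid, packet) for a standard recursive query (RFC 1035)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt, txid):
    """Return the IPv4 addresses in the answer section of a response."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if tid != txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = _read_name(pkt, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def build_response(txid, name, addrs, ttl=60):
    """Construct a response packet (used here only to exercise the parser offline)."""
    _, query = build_query(name)
    body = query[12:]                                   # reuse the encoded question
    for ip in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + body


def resolve(server, name, timeout=3.0):
    """Ask one resolver over UDP/53 for the A records of name."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def hijack_suspected(configured_answers, trusted_answers):
    """True when the two resolvers share no address at all for the same name.

    Overlap is tested rather than equality because CDN-backed names legitimately
    return different, rotating subsets of addresses from different vantage points.
    """
    return not set(configured_answers) & set(trusted_answers)


if __name__ == "__main__":
    # Live usage: compare the router-assigned resolver (address assumed here)
    # with a trusted one for several names you know, e.g.
    #   hijack_suspected(resolve("192.168.1.1", "example.com"),
    #                    resolve("1.1.1.1", "example.com"))
    honest = parse_a_records(build_response(0x1234, "example.com", ["198.51.100.7"]), 0x1234)
    rogue = parse_a_records(build_response(0x1234, "example.com", ["203.0.113.10"]), 0x1234)
    print("rogue answers:", rogue, "hijack suspected:", hijack_suspected(rogue, honest))
```

Run the comparison for several well-known names rather than one: a rogue resolver of the Roaming Mantis kind answers every name with the same landing host, so a consistent no-overlap result across names is a much stronger signal than a single mismatch, which can also be caused by ordinary CDN geolocation.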

Roaming Mantis on Android

After the user is redirected to the malicious site, they are prompted to update the browser. This leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk).


The malware requests a whole host of permissions during the installation process, including rights to access accounts information, send/receive SMS, process voice calls, record audio, access files, display its own window on top of others, and so on. For a trusted application like Google Chrome, such a list doesn’t seem too suspicious — if the user considers this ‘browser update’ legit, they are sure to grant permissions without even reading the list.

After the application is installed, the malware uses the right to access the list of accounts to find out which Google account is used on the device. Next, the user is shown a message (it appears on top of all other open windows, since the malware also requested permission for that) saying that something is wrong with their account and that they need to sign in again. A page then opens prompting the user to enter their name and date of birth.


It appears that this data, together with the SMS permissions that grant access to the one-time codes needed for two-factor authentication, is then used by the creators of Roaming Mantis to steal Google accounts.

Roaming Mantis: world tour, iOS debut, and mining

In the beginning, Roaming Mantis could display messages in four languages: English, Korean, Chinese, and Japanese. But somewhere along the line its creators decided to expand and taught their polyglot malware another two dozen languages:

  • Arabic
  • Armenian
  • Bulgarian
  • Bengali
  • Czech
  • Georgian
  • German
  • Hebrew
  • Hindi
  • Indonesian
  • Italian
  • Malay
  • Polish
  • Portuguese
  • Russian
  • Serbo-Croat
  • Spanish
  • Tagalog
  • Thai
  • Turkish
  • Ukrainian
  • Vietnamese

While they were at it, the creators also taught Roaming Mantis to attack devices running iOS. The scenario differs from Android: there is no application download; instead, the malicious site displays a phishing page prompting the user to log in to the App Store again. To add credibility, the address bar shows the reassuring address security.apple.com:


The cybercriminals do not confine themselves to stealing only Apple ID credentials; immediately after entering this data, the user is asked for a bank card number:


The third innovation that our experts uncovered concerns desktop computers and laptops. On these devices, Roaming Mantis runs the CoinHive mining script, which mines cryptocurrency straight into the malware makers’ pockets. The victim’s processor is loaded to the maximum, slowing the system down and consuming a lot of power.


More details about Roaming Mantis can be found in the original report and a fresh Securelist post with updated information about the malware.

How to protect yourself from Roaming Mantis

  • Use antiviruses on all devices: not just computers and laptops, but smartphones and tablets too.
  • Regularly update all installed software on your devices.
  • On Android devices, disable installation of applications from unknown sources. To do so, go to Settings -> Security -> Unknown sources. (On Android 8 and later this became a per-app permission, Install unknown apps; leave it off for browsers in particular, since that is where the fake “update” arrives.)
  • The router firmware should also be updated as often as possible. Don’t use unofficial firmware downloaded from shady sites.
  • Always change the default administrator password on the router.

What to do if infected by Roaming Mantis

  • Immediately change all passwords for accounts compromised by the malware. Cancel all bank cards for which you entered details on the Roaming Mantis phishing site.
  • Install an antivirus on all your devices and run a system scan.
  • Navigate to your router’s settings and check the DNS server address. If it doesn’t match the one issued by your provider, change it back to the right one.
  • Change the router administrator password and update the firmware. In doing so, be sure to download it only from the official website of the router manufacturer.

Author: Alex Drozhzhin

SynAck ransomware: The doppelgängster

Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelgänging.

 

Sneak attack

Malware creators commonly use obfuscation, that is, attempts to make code unreadable so that antiviruses will not recognize the malware, typically by running the compiled binary through a packer. However, antivirus developers caught on, and now security software unpacks such packages with ease. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, which makes detection significantly harder for security solutions.

That’s not the only evasion technique the new version of SynAck uses. It also employs the rather complicated Process Doppelgänging technique, and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented by security researchers at Black Hat Europe 2017, after which it was picked up by malefactors and used in several malware families.

Process Doppelgänging relies on NTFS transactions and a legacy Windows process loader that exists in all Windows versions since Windows XP. The malicious file is written inside a transaction that is later rolled back, so it never exists on disk in committed form, yet the process created from it keeps running; this lets malware pass off its actions as those of a harmless, legitimate process. The technique is complicated; to read more about it, see Securelist’s more detailed post on the topic.

SynAck has two more noteworthy features. First, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing. That’s a common technique for restricting malware to specific regions.

 

The usual crime

From the user’s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

We have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.

 

Getting ready for the next generation of ransomware

Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (just as we predicted), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.

Author: Alex Perekalin

Cloning chip-and-PIN cards: Brazilian job

Recently, the United States shifted from insecure magnetic-stripe credit and debit cards to better-protected chip-and-PIN cards, which are defined by the EMV standard. That’s a big step toward increasing the security of transactions and reducing card fraud, and one might think that the end is near for the kind of card fraud that relies on cloning.

However, our researchers recently discovered that a group of cybercrooks from Brazil has developed a way to steal card data and successfully clone chip-and-PIN cards. Our experts presented their research at the Security Analyst Summit 2018, and here we will try to explain that complex work in a short post.


Jackpotting ATMs and beyond

While researching malware for ATM jackpotting used by a Brazilian group called Prilex, our researchers stumbled upon a modified version of this malware with additional features, which was used to infect point-of-sale (POS) terminals and collect card data.

This malware was capable of modifying POS software to allow a third party to capture the data transmitted by a POS to a bank. That’s how the crooks obtained the card data. Basically, when you pay at a local shop whose POS terminal is infected, your card data is transferred right away to the criminals.

However, having the card data is just half the battle; to steal money, they also needed to be able to clone cards, a process made more complicated by the chips and their multiple authentications.

The Prilex group developed a whole infrastructure that lets its “customers” create cloned cards — which in theory shouldn’t be possible.

To learn why it’s possible, you might first want to take a quick look at how EMV cards work. As for the cloning, we’ll try to keep it as simple as possible.

How the chip-and-PIN standard works

The chip on the card is not just flash memory but a tiny computer capable of running applications. When the chip is inserted into a POS terminal, a sequence of steps begins.

The first step is called initialization: the terminal reads basic data such as the cardholder name, the card’s expiration date, and the list of applications the card is capable of running.

Second is an optional step called data authentication. Here, the terminal checks if the card is authentic, a process that involves validating the card using cryptographic algorithms. It’s more complicated than needs to be discussed here.

Third is another optional step called cardholder verification; the cardholder must provide either the PIN code or a signature (depending on how the card was programmed). This step is used to ensure that the person trying to pay with a card is actually the same person the card was issued for.

Fourth, the transaction happens. Note that only steps 1 and 4 are mandatory. In other words, authentication and verification can be skipped — that’s where the Brazilians come in.

Carding unlimited

So, we have a card that is capable of running applications, and during its first handshake, the POS asks the card for information about the apps available to it. The number and complexity of steps needed for the transaction depend on the available applications.

The card-cloners wrote a Java applet for the smart card to run. The applet has two capabilities: first, it tells the POS terminal there is no need to perform data authentication. That means no cryptographic operations, sparing the crooks the near-impossible task of obtaining the card’s private cryptographic keys.

But that still leaves PIN authentication. However, there’s an option in the EMV standard to choose as the entity checking if the PIN is correct…your card. Or, more precisely, an app running on your card.

You read that right: the cybercriminals’ applet can declare a PIN valid no matter what PIN was entered. That means the crook wielding the card can simply type four random digits, and they’ll always be accepted.
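The two tricks above only work if the terminal lets the card decide what gets checked. The following is an added example, not part of the original post and not the Prilex tooling: a toy model of the terminal side of steps 2 to 4, using the EMV encodings for the few Application Interchange Profile (AIP), Cardholder Verification Method (CVM) and Terminal Verification Results (TVR) bits involved. Floor limits, terminal risk management, issuer action codes and the signature mathematics are left out, and the card profiles and PIN are constructed for the demo. It shows the configuration knob that decides the outcome: a terminal whose Terminal Action Code (TAC) ignores the “offline data authentication not performed” bit approves the clone offline, while one that acts on it declines or forces the transaction online.

```python
# Added example (not from the original post or the Prilex tooling): a toy model
# of the EMV terminal steps described above. Constants follow the EMV Book 3
# AIP/CVM/TVR encodings for the few bits used; everything else (floor limits,
# terminal risk management, issuer action codes, the signature maths) is left out.
# The card profiles and PIN are constructed for the demo.

# Application Interchange Profile, byte 1: what the card says it supports
AIP_SDA, AIP_DDA, AIP_CVM_SUPPORTED, AIP_CDA = 0x40, 0x20, 0x10, 0x01

# Cardholder Verification Method codes (low 6 bits of a CVM rule's first byte)
CVM_PLAINTEXT_PIN_BY_ICC = 0x01   # the card itself judges the PIN (offline)
CVM_ENCIPHERED_PIN_ONLINE = 0x02  # the issuer judges the PIN (online)
CVM_NO_CVM = 0x1F
COND_ALWAYS = 0x00                # CVM condition code: rule always applies

# Terminal Verification Results bits tracked here (byte 1 / byte 3)
TVR1_ODA_NOT_PERFORMED = 0x80
TVR3_CVM_FAILED = 0x80


class Card:
    """What the terminal learns from the card during steps 1-3."""
    def __init__(self, aip, cvm_list, verify_pin):
        self.aip = aip
        self.cvm_list = cvm_list        # [(cvm_code, condition_code), ...]
        self.verify_pin = verify_pin    # the card's VERIFY command


class Terminal:
    """Terminal Action Codes decide what a set TVR bit means: deny or go online."""
    def __init__(self, tac_denial_byte1=0x00, tac_online_byte1=0x00):
        self.tac_denial1 = tac_denial_byte1
        self.tac_online1 = tac_online_byte1

    def run(self, card, pin_entered):
        """Return (decision, tvr_byte1, tvr_byte3) for one transaction."""
        tvr1 = tvr3 = 0
        # Step 2, offline data authentication: done only with a method the card
        # advertises. A card advertising none skips every cryptographic check;
        # the terminal merely records that fact in the TVR.
        if not card.aip & (AIP_SDA | AIP_DDA | AIP_CDA):
            tvr1 |= TVR1_ODA_NOT_PERFORMED
        # Step 3, cardholder verification: the CVM list also comes from the card.
        cvm = "none"
        if card.aip & AIP_CVM_SUPPORTED:
            for code, cond in card.cvm_list:
                if cond != COND_ALWAYS:
                    continue
                method = code & 0x3F
                if method == CVM_PLAINTEXT_PIN_BY_ICC:
                    cvm = "ok" if card.verify_pin(pin_entered) else "failed"
                elif method == CVM_ENCIPHERED_PIN_ONLINE:
                    cvm = "online"
                elif method == CVM_NO_CVM:
                    cvm = "ok"
                break                       # first applicable rule decides
            if cvm == "failed":
                tvr3 |= TVR3_CVM_FAILED
        # Step 4, terminal action analysis (simplified to deny / online / approve)
        if tvr1 & self.tac_denial1 or tvr3 & TVR3_CVM_FAILED:
            return "decline", tvr1, tvr3
        if tvr1 & self.tac_online1 or cvm == "online":
            return "online", tvr1, tvr3
        return "approve_offline", tvr1, tvr3


def genuine_card(pin="4821"):
    """Advertises DDA and offline PIN; VERIFY compares against the real PIN."""
    return Card(AIP_DDA | AIP_CVM_SUPPORTED,
                [(CVM_PLAINTEXT_PIN_BY_ICC, COND_ALWAYS)],
                lambda entered: entered == pin)


def cloned_card():
    """The rogue applet: advertises no ODA method and VERIFY accepts any PIN."""
    return Card(AIP_CVM_SUPPORTED,
                [(CVM_PLAINTEXT_PIN_BY_ICC, COND_ALWAYS)],
                lambda entered: True)


def demo():
    lax = Terminal()                                            # ignores the ODA bit
    strict = Terminal(tac_denial_byte1=TVR1_ODA_NOT_PERFORMED)  # declines on it
    return {
        "genuine, lax terminal": lax.run(genuine_card(), "4821")[0],
        "genuine, wrong PIN": lax.run(genuine_card(), "0000")[0],
        "clone, lax terminal": lax.run(cloned_card(), "0000")[0],
        "clone, strict terminal": strict.run(cloned_card(), "0000")[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The model is deliberately one-sided: in a real deployment the TVR also travels to the issuer in an online authorization, so a transaction forced online with the ODA bit set gives the issuer a chance to decline. The post does not say which of these checks the affected terminals or issuers skipped, only that the cloned cards were accepted; the model makes explicit where that acceptance has to come from.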

Card fraud as a service

The infrastructure Prilex created includes the Java applet described above and a client application called “Daphne” for writing the information to smart cards (smart card reader/writer devices and blank smart cards are inexpensive and completely legal to buy). The same app is used for checking how much money can be withdrawn from the card.

The infrastructure also includes the database with card numbers and other data. Whether the card is debit or credit doesn’t matter; “Daphne” can create clones of both. The crooks sell it all as a package, mostly to other criminals in Brazil, who then create and use the cloned cards.

Conclusion

According to Aite’s 2016 Global Consumer Card Fraud report, it is safe to assume that all users have been compromised. Whether you use a card with a magnetic stripe or a more secure chip-and-PIN card doesn’t matter — if you have a card, its information has probably been stolen.

Now that criminals have developed a method to actually clone the cards, that starts to look like a very serious financial threat. If you want to avoid losing significant amounts of money through card fraud, we recommend you do the following:

  • Keep an eye on your card’s transaction history, using either mobile push or SMS notifications. If you notice suspicious spending, call your bank ASAP and block the card right away.
  • Use Android Pay or Apple Pay if possible; these methods pass a device-specific token to the POS rather than your card number, so a compromised terminal never sees your card data. That’s why they can be considered more secure than inserting your card into a POS.
  • Use a separate card for Internet payments, because this card is even more likely to be compromised than those you use only in brick-and-mortar stores. Don’t keep large sums of money on that card.

Author: Alex Perekalin

Sofacy APT turns to the East

We at Kaspersky Lab monitor, report, and protect against a lot of threat actors, some of which are known internationally and sometimes featured in the news. It doesn’t matter which language the threat actor speaks, it’s our duty to know about it, investigate it, and protect our customers from it.

One of the most active threat actors is a Russian-speaking APT called Sofacy, also known as APT28, Fancy Bear, and Tsar Team, infamous for its spear phishing campaigns and cyberespionage activities. In 2017, it shifted focus in a way worthy of an update here.

We’ve been watching Sofacy since 2011 and are pretty familiar with the instruments and tactics the threat actor is using. Last year, the main change was that it moved beyond the NATO countries it was actively spear phishing in the beginning of the year and onto countries in the Middle East and Asia — and farther — in Q2 2017. Earlier, Sofacy also targeted the Olympic Games, the World Anti-Doping Agency (WADA), and the Court of Arbitration for Sports (CAS).

Sofacy uses different tools for different target profiles. For example, in early 2017 a campaign called Dealer’s Choice targeted mostly military and diplomatic organizations (mainly in NATO countries and Ukraine); later, the hackers were using two other tools, which we call Zebrocy and SPLM, to target companies of different profiles including science and engineering centers and press services. Both Zebrocy and SPLM were heavily modified last year, with SPLM (which also goes by the name Chopsticks) becoming modular and using encrypted communications.

The usual infection scheme starts with a spear-phishing letter containing a file with a script that downloads the payload. Sofacy is known for finding and exploiting zero-day vulnerabilities and using those exploits to deliver the payload. The threat actor maintains a high level of operational security and really focuses on making its malware harder to detect — which, of course, makes it harder to investigate.

In cases of highly sophisticated targeted campaigns such as Sofacy, thorough incident investigation is vital. It will allow you to figure out what information malefactors were after, understand their motives, and detect the presence of any sleeping implants.

To do that, your security system needs not only advanced protective solutions but also an endpoint detection and response system. Such a system detects threats at early stages, and helps analyze events that predated the incident. Having skilled experts doesn’t hurt, either. As a solution, we offer the Threat Management and Defense platform, which incorporates Kaspersky Anti Targeted Attack, Kaspersky Endpoint Detection and Response, and expert services.

You can find more information on the threat actor’s activity in 2017, including technical details, on Securelist. Further, at the start of this year, our researchers found some interesting shifts in Sofacy’s behavior that we will highlight at the SAS 2018 conference. If you are interested in APTs and building defense against them, don’t forget to get a ticket — or at least visit our blogs frequently during the SAS.

Author: John Snow

Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.


What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) was at first distributed through archives attached to e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover the files the malware has processed. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.


Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.


How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at NoMoreRansom.org, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Author: Anna Markovskaya

Xiaomi Mi Robot vacuum cleaner hacked

The story of the Internet and its Things may seem as star-crossed a tale as any, but it does not need to be hopeless. Although security researchers Dennis Giese and Daniel Wegemer eventually managed to hack into the Xiaomi Mi Robot vacuum cleaner, their research shows that the device is much more secure than most other smart things are.

In their talk at the 34th Chaos Communication Congress (34C3), held in Leipzig recently, the researchers explained how the device’s software works and which weaknesses they had to use to finally get past its protection.


Hacking the Mi Robot with tinfoil

When they started their research, Giese and Wegemer were amazed to find that the Xiaomi vacuum cleaner has more powerful hardware than many smartphones do: It is equipped with three ARM processors, one of which is quad core. Sounds pretty promising, right? So, for starters, Giese and Wegemer tried to use several obvious attack vectors to hack the system.

First, they examined a unit to see if there was a way in through the vacuum cleaner’s micro USB port. That was a dead end: Xiaomi has secured this connection with some kind of authentication. After that, the researchers took the Mi Robot apart and tried to find a serial port on its motherboard. This attempt was likewise unsuccessful.

Their second hacking method was network based. The researchers tried to scan the device’s network ports, but all ports were closed. Sniffing network traffic didn’t help, either; the robot’s communications were encrypted. At this point, I’m already rather impressed: Most other IoT devices would have been hacked by now because their creators usually don’t go this far in terms of security. Our recent research on how insecure connected devices are illustrates it perfectly.

However, let’s get back to the Xiaomi Mi Robot. The researchers’ next attempt was to attack the vacuum cleaner’s hardware. Here, they finally succeeded — by using aluminum foil to short-circuit some of the tiny contacts connecting processor to motherboard, causing the processor to enter a special mode that allows reading and even writing to flash memory directly through the USB connection.

That’s how Giese and Wegemer managed to obtain Mi Robot firmware, reverse-engineer it, and, eventually, modify and upload it to the vacuum cleaner, thereby gaining full control over the unit.

Hacking the Mi Robot wirelessly

But cracking stuff open and hacking hardware is not nearly as cool as noninvasive hacks. After reverse-engineering the device’s firmware, the researchers figured out how to hack into it using nothing more than Wi-Fi — and a couple of flaws in the firmware’s updating mechanism.

Xiaomi has implemented a pretty good firmware-update procedure: new software arrives over an encrypted connection, and the firmware package is encrypted as well. However, to encrypt update packages, Xiaomi used a static password, “rockrobo”, the same for every device (don’t use weak passwords, kids). Encryption under a shared password protects the package from casual inspection but says nothing about who produced it; once the password was known, the researchers could make a properly encrypted package containing their own rigged firmware.

After that, they used the security key they obtained from Xiaomi’s smartphone app to send a request to the vacuum cleaner to download and install new firmware — not from Xiaomi’s cloud but from their own server. And that’s how they hacked the device again, this time wirelessly.

Inside the Mi Robot’s firmware

Examining the firmware, Giese and Wegemer learned a couple of interesting things about Xiaomi smart devices. First, the Mi Robot firmware is basically Ubuntu Linux, which is regularly and quickly patched. Second, it uses a different superuser password for each device; there’s no master password that could be used to mass-hack a whole lot of vacuum cleaners at once. And third, the system runs a firewall that blocks all ports that could be used by hackers. Again, hats off to Xiaomi: By IoT standards, this is surprisingly good protection.

The researchers also learned something disappointing about Mi Robot, however. The device collects and uploads to Xiaomi cloud a lot of data — several megabytes per day. Along with reasonable things such as device operation telemetry, this data includes the names and passwords of the Wi-Fi networks the device connects to, and the maps of rooms it makes with its built-in lidar sensor. Even more disturbing, this data stays in the system forever, even after a factory reset. So if someone buys a used Xiaomi vacuum cleaner on eBay and roots it, they can easily obtain all of that information.

Concluding this post, it’s worth emphasizing that both of the techniques Giese and Wegemer used enabled them to hack only their own devices. The first one required physical access to the vacuum cleaner. As for the second, they had to obtain the security key to make an update request, and those keys are generated every time the device is paired with the mobile app. The security keys are unique, and it’s not that easy to get them if you don’t have access to the smartphone that is paired with the Xiaomi device you’re going to hack.

All in all, it doesn’t look like the Xiaomirai is nigh. Quite the contrary: The research shows that Xiaomi puts much more effort into security than most other smart device manufacturers do, and that is a hopeful sign for our connected future. Almost everything can be hacked, but if something takes a lot of effort to hack, it’s less likely that criminals will bother trying — they are usually after easy money.

Go to Source
Author: Alex Drozhzhin

NRansom: Ransomware that demands your nudes

Ransomware has been called the scourge of the Internet for quite a while. It’s really one of the twenty-first century’s main cyberthreats, and recently it has taken … quite a turn. Researchers from MalwareHunterTeam have discovered a new strain of ransomware, called nRansom, that blocks victims’ computers, but instead of requiring money to unlock the computer, it demands nude photos.

This ransomware seems to be not a cryptor, but rather a blocker, which means that in case of infection it doesn’t encrypt your files, but simply blocks access to your computer. The ransom note that appears on the screen informs victims that the only way to get back access to their computers is to send the aforementioned pictures: ten of them, nude, and demonstrably of the victims.

They state that they will somehow verify those nudes really belong to the victim before sending the code that unlocks the computer.

At this point, nRansom has been seen only as a file called nRansom.exe, which means it affects only Windows users.

We can only speculate on what the criminals are planning to do with any photos they manage to get. They’ll probably use the pictures to shame the victims and extort either more nudes or money.

As always, we advise you not to pay the ransom if your computer gets infected. The word “pay” in this case is as legitimate as in any other; private information is no less payment than money.

Kaspersky Internet Security detects nRansom as Trojan-Ransom.MSIL.Agent.zz and neutralizes it right away. In case the blocker has somehow sneaked onto your PC, you can unblock the computer by pressing Ctrl + Alt + Shift + F4 simultaneously. It’s necessary to run a full scan of your system after that. You can read more about that here.

That technique is available in all of our flagship security solutions, and it works against all blockers, in case they somehow get onto your computer. However, if you always keep protection running, that scenario is highly unlikely; Kaspersky Internet Security neutralizes almost all ransomware species before they can do anything at all, and any that manage to sneak in under the radar are detected by System Watcher when they attempt to do anything malicious.

Go to Source
Author: John Snow

Taxi Trojans are on the way

You’re in a hurry, trying to get to work, a business meeting, a date. So you launch your favorite app for booking a taxi as usual, but this time, it prompts you to enter your credit card number. Does that seem suspicious? It may not — apps forget information, and all you have to do is add your card number again.

However, after some time you notice money disappearing from your account. What happened? You may be the unlucky winner of a mobile Trojan. This kind of malware has been caught recently stealing bank data by impersonating the interfaces of taxi-booking apps.

The Faketoken Trojan has existed for a long time and has been upgraded repeatedly over the years. Our experts named the current version “Faketoken.q,” and by now it has learned a significant number of tricks.

After getting onto a smartphone (judging by the malware icon, Faketoken infiltrates smartphones through bulk SMS messages with a prompt to download some picture) and installing the necessary modules, the Trojan hides its shortcut icon and starts background monitoring of everything that happens in the system.

The icon of the installed Faketoken Trojan

First, the Trojan is interested in the user’s calls. As soon as it detects a call, it starts recording. When the call is finished, Faketoken sends the recording to the criminal’s server. Second, the Trojan also checks which apps the smartphone’s owner uses.

When Faketoken detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with its own screen. To achieve that, it uses a standard Android feature that supports showing screen overlays on top of all other apps. A whole bunch of legitimate apps, such as messengers, window managers, and so on, use this feature.

The overlaying window matches the colors of the original app’s interface. In this window, the Trojan prompts the user to enter the number of his or her credit card, including the verification code from the back of the card.

The Faketoken.q Trojan impersonates taxi-booking apps popular in Russia

Actually, Faketoken.q is after a huge variety of apps that have one thing in common: in them, a request to enter payment data looks normal enough not to arouse suspicion. Among the attacked apps are a number of mobile banking apps, Android Pay, the Google Play Store, apps for booking flights and hotel rooms, and apps for paying traffic tickets — as well as apps for booking taxis.

At the actual money-stealing stage, Faketoken resorts to another ruse: it intercepts all incoming SMS messages, hides them from the user, and forwards them to the criminals’ server, where the one-time payment-confirmation passwords are extracted from those messages.

Judging by the small number of attacks that we have registered and the UI artifacts, which you can see in one of the screenshots above, we’d say the researchers at our antivirus laboratory got their hands on one of the test versions of the Trojan, not the final one.

We must give the assiduous creators of Faketoken their due. They will most likely improve the Trojan, and a wave of infection incidents may sprout from the “commercial” version at some point.

Currently the Trojan is focused on users in Russia, but as we’ve seen many times in the past, cybercriminals constantly steal ideas from each other, so it won’t take long for them to adopt the same trick in other countries. A lot of city dwellers have taxi-booking apps installed these days, so this trick represents a good opportunity for malware creators.

Below you can find several pieces of advice on how to protect yourself against Faketoken and similar mobile Trojans that steal card numbers and intercept SMS messages with one-time passwords used to confirm payments.

  • It is imperative that you go into Android’s settings and prohibit the installation of apps from unknown sources. To block installation from unknown sources, go to Settings -> Security and uncheck Unknown sources.

  • Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well). You can learn more about Android permissions in this article.

Go to Source
Author: Alex Drozhzhin

Snap Map security concerns

Do you use Snapchat? If so, you may want to take a deeper look at the Snap Map feature released earlier this week. As the company explains:

With the Snap Map, you can view Snaps of sporting events, celebrations, breaking news, and more from all across the world.

If you and a friend follow one another, you can share your locations with each other so you can see where they’re at and what’s going on around them! Plus, meeting up can be a cinch.

Only the people you choose can see your location — so if you’re friends with your boss, you can still keep your location on the down low during a “sick day”.

Snaps you submit to Our Story can still show up on the Map, though!

Snap Map Security and Privacy concerns

The feature sounds quite straightforward, but the setup is not clear about how your data is shared, only that you are giving access to the app.

Earlier today, The Verge penned a piece digging into the privacy aspect and discovered that the map feature was firing up each time the author’s friend opened the app:

Turned out, she didn’t know she had Snap Map enabled, and didn’t know it was showing her location every time she opened the app. When she updated Snap and went through the Snap Map introduction, she believed Snap was giving the option to geotag her Snaps for Our Story, as shown in the promotional video. Instead, she had inadvertently broadcasted where she lived to every one of her Snap contacts.

In a follow-up, the company noted some things that were not mentioned during signup:

  • If you tap on your friend, you will see when their location was updated (i.e., 1 hour ago, 2 hours ago). Their location reflects where they last opened Snapchat.
  • A friend’s location will remain on the Map for up to 8 hours if they do not open the app again, causing their location to update. If more than 8 hours have passed and a Snapchatter has not opened the app, their location will disappear from the Map entirely.

We know that everyone has their own threshold for sharing — and, in some instances, oversharing. This is why the company offers many settings.

If you are like me and value your privacy, avoid opting in to the service. If you are curious but don’t want to broadcast your location, opt in by using Ghost mode, which shares your location with you alone; from there, you can browse the map.

Given the demographics of Snapchat, this is also a good time for parents to take a minute and talk with their children about privacy. Kids could be unwittingly sharing where they are and how long they have been there.

Go to Source
Author: Jeffrey Esposito