Rapidly Growing Electrum Botnet Infects Over 152,000 Users; Steals $4.6 Million

An ongoing attack against Electrum Bitcoin wallets has grown bigger and stronger: the attackers are now targeting the wallet's whole server infrastructure with a botnet of more than 152,000 infected hosts, and the amount of stolen user funds has risen to USD 4.6 million.

Electrum has been under attack since December last year, when a group of cybercriminals abused a weakness in the Electrum infrastructure to trick wallet users into downloading malicious versions of the software.

In brief, the attackers added malicious servers to the Electrum peer network. Those servers were built to return an error message to legitimate Electrum wallet clients urging the user to download a wallet "update" from an unofficial GitHub repository; the download was in fact a malicious wallet build.

This phishing campaign let the attackers steal wallet funds (almost 250 Bitcoins, worth about $937,000 at the time) and take full control of the infected systems.

To counter this, the Electrum developers borrowed the attackers' approach: they deliberately exploited a flaw in the outdated clients themselves, so that those clients can no longer reach the public servers and their users are pushed toward the latest patched version of the wallet.

“Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade and to prevent exposure to phishing messages. Linux Tail users should download our Appimage,” Electrum developers tweeted in March.

Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks

A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures in more than a dozen popular email clients.

The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile.

A digitally signed email offers end-to-end authenticity and integrity: it assures the recipient that the message really came from you and was not altered in transit.

However, the researchers tested 25 widely used email clients for Windows, Linux, macOS, iOS, Android and the web and found that at least 14 of them were vulnerable to multiple practical attacks, which they group into five categories (the first two are summarised below). In the worst cases a spoofed signature is indistinguishable from a valid one even to an attentive user.

The research was conducted by a team from Ruhr University Bochum and Münster University of Applied Sciences: Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky and Jörg Schwenk.

“In our scenario, we assume two trustworthy communication partners, Alice and Bob, who have securely exchanged their public PGP keys or S/MIME certificates,” the team explains in a research paper [PDF] published today.

“The goal of our attacker Eve is to create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice.”

1) CMS attacks (C1, C2, C3, C4): mishandling of Cryptographic Message Syntax (CMS), the container format of S/MIME, when a message carries contradictory or unusual data structures, such as multiple signers or no signer at all.

2) GPG API attacks (G1, G2): many email clients fail to handle the full range of GnuPG output correctly, so an attacker who controls data that GnuPG echoes back can inject arbitrary strings into the GnuPG status-line API and its logging messages, tricking the client into displaying a successful signature validation for a public key of the attacker's choosing.
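The following is an added example, written for this page rather than taken from the paper or from any of the affected clients, of the parsing mistake behind this class of attack. It assumes a client that merges GnuPG's log output with the status-line stream and then looks for a GOODSIG line, beside a client that reads only the dedicated status fd and checks the verdict structurally. All GnuPG output, key IDs and fingerprints in it are constructed placeholders, not captured from a real run.

```python
import re

# Constructed sample output for this example; nothing here was captured from
# GnuPG, and every key ID / fingerprint is a placeholder.
ALICE_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9001234567"  # Alice's (fake) fingerprint
ALICE_KEYID = ALICE_FPR[-16:]                             # long key ID = last 16 hex digits
ALICE_UID = "Alice <alice@example.org>"

# Status fd (--status-fd N) when Eve's mail is NOT signed by Alice: Eve signed
# with her own key, which Bob's keyring does not contain.
STATUS_ATTACK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1556668800 9\n"
    "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n"
)

# stderr log line echoing an attacker-chosen file name from the literal-data
# packet. Eve embedded a newline followed by a fake GOODSIG status line.
# (Current GnuPG escapes such strings; the bug shown is the client's parsing.)
INJECTED_NAME = "report.txt\n[GNUPG:] GOODSIG %s %s" % (ALICE_KEYID, ALICE_UID)
STDERR_ATTACK = "gpg: original file name='%s'\n" % INJECTED_NAME

# Status fd for a genuine signature by Alice (VALIDSIG fields abbreviated).
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG %s %s\n"
    "[GNUPG:] VALIDSIG %s 2019-04-30 1556668800 0 4 0 1 8 00 %s\n"
) % (ALICE_KEYID, ALICE_UID, ALICE_FPR, ALICE_FPR)


def naive_verdict(gpg_output):
    """VULNERABLE: the client ran gpg with log and status output merged
    (e.g. --status-fd 2, or 2>&1) and greps the blob for a GOODSIG line.
    Any GOODSIG anywhere, including one smuggled via a log message, wins."""
    return "verified" if "[GNUPG:] GOODSIG " in gpg_output else "not verified"


STATUS_LINE = re.compile(r"^\[GNUPG:\] ([A-Z_]+)(?: (.*))?$")


def parse_status(status_fd_text):
    """Parse ONLY the dedicated status fd into (keyword, [args]) tuples.
    Anything that is not a well-formed status line is a protocol error."""
    events = []
    for line in status_fd_text.splitlines():
        m = STATUS_LINE.match(line)
        if not m:
            raise ValueError("unexpected data on status fd: %r" % line)
        events.append((m.group(1), (m.group(2) or "").split()))
    return events


def is_well_formed_status(text):
    """True if every line of text is a status line (rejects merged streams)."""
    try:
        parse_status(text)
        return True
    except ValueError:
        return False


FAILURE_EVENTS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def hardened_verdict(status_fd_text, expected_fpr):
    """Verified only if: no failure event, a GOODSIG for the expected long key
    ID, and a VALIDSIG naming the expected full fingerprint. The log stream
    (stderr) is never consulted for the verdict."""
    events = parse_status(status_fd_text)
    if any(kw in FAILURE_EVENTS for kw, _ in events):
        return "not verified"
    good_keyids = {args[0] for kw, args in events if kw == "GOODSIG" and args}
    valid_fprs = {args[0] for kw, args in events if kw == "VALIDSIG" and args}
    if expected_fpr in valid_fprs and expected_fpr[-16:] in good_keyids:
        return "verified"
    return "not verified"


if __name__ == "__main__":
    print("naive client, spoofed mail:   ", naive_verdict(STDERR_ATTACK + STATUS_ATTACK))
    print("hardened client, spoofed mail:", hardened_verdict(STATUS_ATTACK, ALICE_FPR))
    print("hardened client, genuine mail:", hardened_verdict(STATUS_GOOD, ALICE_FPR))
```

The hardened path has two properties the naive one lacks: the verdict comes only from the file descriptor GnuPG reserves for machine-readable status, so log text can never masquerade as a status line, and "verified" requires the full fingerprint the client already trusts for Alice to appear in VALIDSIG, so a GOODSIG for some other key is not enough.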

Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware

Exploiting newly disclosed, and even already patched, vulnerabilities has become routine for cybercriminals, making it one of the primary attack vectors for everyday threats such as crypto-mining, phishing and ransomware.

As feared, a recently disclosed critical vulnerability in the widely used Oracle WebLogic Server is now being actively exploited to distribute a never-before-seen ransomware variant, which researchers have dubbed "Sodinokibi."

Last weekend, The Hacker News reported a critical deserialisation remote code execution vulnerability in Oracle WebLogic Server that lets an attacker run arbitrary commands on an affected server by sending a single specially crafted HTTP request, with no authentication required.

To address this vulnerability (CVE-2019-2725), which affects Oracle WebLogic Server 10.3.6.0.0 and 12.1.3.0.0 and carries a CVSS severity score of 9.8 out of 10, Oracle released an out-of-band security update on April 26, after the flaw had been made public and exploitation in the wild had been observed.

According to researchers from Cisco Talos' threat research team, an unknown group of hackers has been exploiting this vulnerability since at least April 25 to infect vulnerable servers with the new ransomware.
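As an added example for defenders, not code from Cisco Talos or Oracle, the triage function below scores web-server requests for the shape of an attack on this flaw. It assumes, from public analysis of CVE-2019-2725 rather than from the article above, that the unauthenticated path runs the SOAP body through java.beans.XMLDecoder via the `/_async/` and `/wls-wsat/` endpoints; the sample requests are constructed and the one XMLDecoder document in them is harmless, not an exploit payload.

```python
import re
from urllib.parse import urlsplit

# Assumption (public knowledge of CVE-2019-2725, not from the article above):
# the unauthenticated path reaches java.beans.XMLDecoder through the async
# and WS-AT web-service endpoints, which parse the SOAP body as XMLDecoder input.
SUSPECT_PATH_PREFIXES = ("/_async/", "/wls-wsat/")

# Markers of an XMLDecoder object graph embedded in a SOAP body.
BODY_MARKERS = (
    ("xmldecoder-root", re.compile(r"<java\b", re.I)),
    ("xmldecoder-call", re.compile(r"<void\b", re.I)),
    ("xmldecoder-object", re.compile(r"<object\b[^>]*\bclass=", re.I)),
    ("xmldecoder-name", re.compile(r"\bXMLDecoder\b")),
)


def triage_request(method, target, body):
    """Score one HTTP request: +1 for a POST to a suspect endpoint, +1 for any
    XMLDecoder marker in the body. Return (score, reasons)."""
    reasons = []
    path = urlsplit(target).path
    if method.upper() == "POST" and path.startswith(SUSPECT_PATH_PREFIXES):
        reasons.append("POST to XMLDecoder-backed endpoint " + path)
    hits = [name for name, rx in BODY_MARKERS if rx.search(body)]
    if hits:
        reasons.append("XMLDecoder markers in body: " + ", ".join(hits))
    return len(reasons), reasons


def scan(requests, threshold=2):
    """Return the targets of all (method, target, body) requests scoring at or
    above threshold; the default requires both endpoint and body evidence."""
    return [t for m, t, b in requests if triage_request(m, t, b)[0] >= threshold]


# Constructed sample traffic (method, target, body). The first request carries a
# harmless XMLDecoder document (it only builds a String), not an exploit payload.
SOAP_OPEN = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body>')
SOAP_CLOSE = "</soapenv:Body></soapenv:Envelope>"
SAMPLE_REQUESTS = [
    ("POST", "/_async/AsyncResponseService",
     SOAP_OPEN + '<java version="1.8" class="java.beans.XMLDecoder">'
     '<void class="java.lang.String"><string>probe</string></void></java>' + SOAP_CLOSE),
    ("GET", "/console/login/LoginForm.jsp", ""),
    ("POST", "/wls-wsat/CoordinatorPortType", SOAP_OPEN + SOAP_CLOSE),  # endpoint only
    ("POST", "/api/orders", '{"id": 42}'),
]

if __name__ == "__main__":
    for m, t, b in SAMPLE_REQUESTS:
        score, reasons = triage_request(m, t, b)
        print("%d %-5s %-32s %s" % (score, m, t, "; ".join(reasons)))
    print("flagged:", scan(SAMPLE_REQUESTS))
```

A request that only hits the endpoint scores 1 and is worth keeping in the logs, but on its own it is ordinary web-service traffic; the combination of endpoint and an XMLDecoder document in the body is what distinguishes an exploitation attempt. Detection is a stopgap: the fix is the out-of-band patch the article describes.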

Google Adds New Option to ‘Auto-Delete’ Your Location History and Activity Data

Google is giving you more control over how long you want the tech company to hold on to your location history and web activity data.

Google has introduced a new privacy-focused auto-delete setting for Google accounts that automatically deletes your Location History and your Web & App Activity data after a period you choose.

Google’s Location History feature, if enabled, allows the company to track locations that you have visited, while Web and App Activity tracks websites you have visited and apps you have used.

Until now, Google let you either disable Location History and Web & App Activity entirely or delete all or part of that data by hand; there was no way to schedule regular deletion so that the data is managed automatically.

However, an AP investigation last year revealed that even if you turn off the Location History feature in all your accounts, Google services on Android and iPhone devices continue to track your movements.

Just last month, it was also revealed that Google maintains a database containing detailed location records from hundreds of millions of phones around the world, called Sensorvault, that’s reportedly being used by law enforcement agencies to solve crime cases.

Following the revelation, U.S. Congress last week asked Google CEO Sundar Pichai to issue a briefing by May 10 on a series of questions on how the Sensorvault database is used and shared by the company.

Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking

If you use a Dell computer, then beware — hackers could compromise your system remotely.

Bill Demirkapi, a 17-year-old independent security researcher, has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers.

Dell SupportAssist, formerly known as Dell System Detect, checks the health of your computer system’s hardware and software.

The utility is designed to interact with the Dell Support website: it automatically detects the Service Tag or Express Service Code of your Dell product, scans the installed device drivers and installs missing or updated drivers, and runs hardware diagnostic tests.

Under the hood, Dell SupportAssist runs a local web server on the user's system, on port 8884, 8883, 8886 or 8885, and accepts commands as URL parameters that perform predefined tasks on the computer, such as collecting detailed system information or downloading software from a remote server and installing it.

Although the local web service sets an "Access-Control-Allow-Origin" response header and performs some validation intended to accept commands only from the "dell.com" website or its subdomains, Demirkapi explained ways to bypass these protections in a blog post published Wednesday.
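The following is an added example, written in Python for this page and not Dell's code, of how a local helper service of this kind might decide whether a request's Origin is "dell.com or a subdomain". It does not claim to reproduce the bypass Demirkapi found; it shows two hypothetical checks that read as correct but accept attacker-controlled origins, beside an exact allowlist. The Origin values are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dell.com"   # the domain the service is meant to trust


def lax_origin_ok(origin):
    """WEAK (assumed for illustration, not Dell's actual code): a substring test
    that its author reads as 'dell.com or any subdomain'."""
    return "dell.com" in origin


def suffix_origin_ok(origin):
    """STILL WEAK: suffix match on the host without the leading dot, and no
    scheme check, so 'notdell.com' over plain HTTP passes."""
    host = urlsplit(origin).hostname or ""
    return host.endswith("dell.com")


def strict_origin_ok(origin):
    """Exact allowlist: the Origin must be present, https, carry no userinfo or
    non-default port, and its host must be dell.com or end in '.dell.com'."""
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
        host = (parts.hostname or "").lower()
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username is not None or port not in (None, 443):
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed Origin values a page might present to a local service.
PROBES = [
    "https://www.dell.com",              # legitimate subdomain
    "https://dell.com",                  # legitimate apex
    "https://evil.net/?ref=dell.com",    # substring trick
    "http://notdell.com",                # missing-dot suffix trick
    "https://dell.com.evil.net",         # prefix trick
    "https://user@www.dell.com",         # userinfo smuggling
    "null",                              # opaque origin (sandboxed iframe, file://)
]

if __name__ == "__main__":
    for o in PROBES:
        print("%-34s lax=%-5s suffix=%-5s strict=%s" % (
            o, lax_origin_ok(o), suffix_origin_ok(o), strict_origin_ok(o)))
```

Even the strict check only answers "does this origin belong to dell.com"; it says nothing about whether the page at that origin, or anyone who can impersonate it on the local network, should be allowed to make the machine download and install software. A local service with that capability should additionally demand an unguessable per-session token and verify the signature of anything it installs, so that a correct origin string is never the sole gate.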
