Judge Rules No Jail Time for WannaCry ‘Killer’ Marcus Hutchins, a.k.a. MalwareTech

Marcus Hutchins, better known as MalwareTech, has been sentenced to “time served” and one year of supervised release for developing and selling the Kronos banking malware.

Hutchins will not go to prison. United States District Judge J.P. Stadtmueller handed down the sentence today in federal court in Milwaukee, saying that Hutchins’s good work left “too many positives on the other side of the ledger.”

In response to today’s sentencing, Hutchins said: “Sentenced to time served! Incredibly thankful for the understanding and leniency of the judge, the wonderful character letters you all sent, and everyone who helped me through the past two years, both financially and emotionally.”

Marcus Hutchins, 25, is the British malware analyst who became known in cybersecurity circles for “accidentally” helping to stop the WannaCry ransomware outbreak in 2017, which spread to over 150 countries and disrupted organizations across every industry.

Hutchins was arrested by the FBI in August 2017 at the Las Vegas airport, as he was heading home to England after attending the DEF CON hacking conference, for his alleged role in creating and distributing Kronos between 2014 and 2015.

Kronos is a banking trojan that Hutchins created. In court today he described it as one of several “bad decisions” he made as a teenager and said he “deeply regret[s]” his conduct and the harm that was caused.

Kronos was designed to steal banking credentials and personal information from victims’ compromised computers, and was sold for $7,000 on Russian online forums.

images from Hacker News

Viral FaceApp Unnecessarily Requests Access to Users’ Facebook Friends List

FaceApp—the AI-powered photo-morphing app that recently went viral for its age filter but made headlines for its controversial privacy policy—has been found collecting the list of your Facebook friends for no apparent reason.

The Russian-made FaceApp has been around since the spring of 2017 but has taken social media by storm over the past few weeks, as millions of people downloaded the app to see how they would look older or younger, or with their gender swapped.

The app also contains a feature that allows users to download and edit photos from their Facebook accounts, which only works when a user enables FaceApp to access the social media account via the ‘Login with Facebook’ option.

As the app’s Facebook login permission screen shows, besides requesting access to your basic profile information and photos, FaceApp also requests the list of your Facebook friends “who also use and have shared their friends’ lists with FaceApp.”

Have you asked yourself why this app requests a permission it is unlikely to need in order to perform its intended function?

FaceApp Unnecessarily Accesses Your Facebook Friends List

Indian security researcher Athul Jayaram recently contacted The Hacker News to raise a red flag about the collection of users’ Facebook friend-list data, which FaceApp does not currently use to function or to power any of its features.

“When an app asks for permissions that are unnecessary to its functioning, you should think twice before downloading it.”

We also tried to find whether FaceApp uses this data in some way to “enhance the user experience,” but we could find nothing that justifies the collection of this particular data.

images from Hacker News

Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices

Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices that powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries.

According to a new report Armis researchers shared with The Hacker News prior to its release, the vulnerabilities are collectively dubbed URGENT/11 because there are 11 of them; 6 are rated critical in severity and, the researchers say, could enable ‘devastating’ cyberattacks.

Armis Labs is the same IoT security company that previously discovered the BlueBorne vulnerabilities in the Bluetooth protocol, which affected more than 5.3 billion devices—from Android, iOS, Windows and Linux to the Internet of Things (IoT).

These vulnerabilities could allow remote attackers to bypass traditional security solutions and take full control over affected devices or “cause disruption on a scale similar to what resulted from the EternalBlue vulnerability,” without requiring any user interaction, researchers told The Hacker News.

Many readers may never have heard of this operating system, but Wind River VxWorks runs many everyday internet-connected devices, such as webcams, network switches, routers, firewalls, VoIP phones, printers, and video-conferencing products, as well as traffic lights.

Besides this, VxWorks is also used in mission-critical systems, including SCADA systems, trains, elevators and industrial controllers, patient monitors, MRI machines, satellite modems, in-flight WiFi systems, and even the Mars rovers.

images from Hacker News

Capital One Data Breach Affects 106 Million Customers; Hacker Arrested

Another week, another massive data breach.

Capital One, the fifth-largest U.S. credit-card issuer and banking institution, has recently suffered a data breach exposing the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada.

The breach, which occurred on March 22 and 23 this year, allowed the attacker to steal information on customers who had applied for a credit card between 2005 and 2019, Capital One said in a statement.

However, the security incident only came to light on July 19, after information about the theft was found posted on the alleged hacker’s GitHub account.

The FBI Arrested the Alleged Hacker

The FBI arrested Paige Thompson, a.k.a. “erratic,” 33, a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016, in relation to the breach yesterday morning, and seized electronic storage devices containing a copy of the stolen data.

Thompson appeared in U.S. District Court on Monday and was charged with computer fraud and abuse, which carries up to five years in prison and a $250,000 fine. A hearing has been scheduled for August 1, 2019.

According to court documents [PDF], Thompson allegedly exploited a misconfigured firewall on Capital One’s Amazon Web Services cloud server and stole more than 700 folders of data stored on that server sometime in March.

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” U.S. Attorney Moran said. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

It is important to note that Amazon Web Services was not compromised in any way since the alleged hacker gained access to the cloud server due to Capital One’s misconfiguration and not through a vulnerability in Amazon’s infrastructure.
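The complaint’s “misconfigured firewall” is all the page says about the intrusion path, and the point that AWS itself was not compromised places the gap on the customer’s side of the shared-responsibility line, where the customer’s own CloudTrail logs are the record of what its credentials did. As an added example (not from the article, the court filing, or Capital One’s environment), here is detection logic a cloud defender could run over CloudTrail records to surface what credential misuse of this kind tends to look like from the account owner’s side: an EC2 instance-profile role enumerating and then bulk-reading S3 buckets from an address outside the account’s known ranges. All records, addresses, role and bucket names are constructed for the example, and the “known” ranges and the bulk threshold are assumptions.

```python
"""Added example (not from the article, the court filing, or Capital One's
environment): flag an EC2 instance-profile role that enumerates and bulk-reads
S3 buckets from an address outside the account's known ranges, using
CloudTrail-shaped records.  All records, addresses, role and bucket names
below are constructed for the example."""
import ipaddress
from collections import defaultdict

# Assumption: address ranges the account owner considers expected for S3
# calls made with instance-profile credentials (VPC CIDR plus an office NAT).
KNOWN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Assumption: this many GetObject calls in one role session counts as "bulk".
BULK_THRESHOLD = 5


def is_instance_role_session(record):
    """True when the caller is an EC2 instance-profile session.

    CloudTrail renders these as userIdentity.type == "AssumedRole" with an ARN
    of the form arn:aws:sts::<acct>:assumed-role/<role>/<instance-id>; the
    session name is the instance id, so it starts with "i-".
    """
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def is_external_ip(source):
    """True for an IP address outside KNOWN_RANGES.

    sourceIPAddress may also be an AWS service hostname (calls a service makes
    on the caller's behalf); those are not treated as external.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in KNOWN_RANGES)


def find_suspicious_sessions(records):
    """Return role sessions that both listed buckets and bulk-read objects
    from an external address.  Only S3 events are considered."""
    sessions = defaultdict(
        lambda: {"ips": set(), "list_buckets": 0, "get_object": 0, "buckets": set()}
    )
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if not is_instance_role_session(rec):
            continue
        ip = rec.get("sourceIPAddress", "")
        if not is_external_ip(ip):
            continue
        s = sessions[rec["userIdentity"]["arn"]]
        s["ips"].add(ip)
        if rec.get("eventName") == "ListBuckets":
            s["list_buckets"] += 1
        elif rec.get("eventName") == "GetObject":
            s["get_object"] += 1
            s["buckets"].add(rec.get("requestParameters", {}).get("bucketName", "?"))
    findings = []
    for arn, s in sessions.items():
        if s["list_buckets"] and s["get_object"] >= BULK_THRESHOLD:
            findings.append({
                "role_session": arn,
                "source_ips": sorted(s["ips"]),
                "get_object": s["get_object"],
                "buckets": sorted(s["buckets"]),
            })
    return findings


def _rec(event, ip, arn, bucket=None, ident_type="AssumedRole"):
    """Build a minimal CloudTrail-shaped S3 record (constructed sample data)."""
    rec = {
        "eventSource": "s3.amazonaws.com",
        "eventName": event,
        "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "arn": arn},
    }
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec


# Constructed identities: a hypothetical instance role and an IAM user.
ROLE = "arn:aws:sts::123456789012:assumed-role/web-proxy-role/i-0123456789abcdef0"
USER = "arn:aws:iam::123456789012:user/analyst"
SAMPLE_RECORDS = (
    # benign: the instance reads its own config from inside the VPC
    [_rec("GetObject", "10.0.1.5", ROLE, "app-config")]
    # benign here: an IAM user (not an instance role) reading from outside
    + [_rec("GetObject", "198.51.100.9", USER, "reports", ident_type="IAMUser") for _ in range(6)]
    # suspicious: instance role enumerates, then bulk-reads, from an external IP
    + [_rec("ListBuckets", "198.51.100.7", ROLE)]
    + [_rec("GetObject", "198.51.100.7", ROLE, f"customer-data-{i % 2}") for i in range(6)]
)

if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_RECORDS):
        print(finding)
```

Two caveats when running this against real trails: object-level calls such as GetObject reach CloudTrail only if S3 data events are enabled for the bucket or trail (management events such as ListBuckets are logged by default), and the “known ranges” list must be maintained deliberately, since an instance-profile credential used from any address outside the instance’s own network is itself the signal worth alerting on.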

images from Hacker News

Google Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws

Google’s cybersecurity researchers have finally disclosed details and proof-of-concept exploits for 4 out of 5 security vulnerabilities that could allow remote attackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.

All of the vulnerabilities, none of which requires user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, and Apple patched them just last week with the release of the iOS 12.4 update.

Four of these vulnerabilities are “interactionless” use-after-free and memory corruption issues that could let remote attackers achieve arbitrary code execution on affected iOS devices.

However, the researchers have so far released details and exploits for only three of these four critical RCE vulnerabilities, keeping one (CVE-2019-8641) private because the latest update did not completely address it.

The fifth vulnerability (CVE-2019-8646), an out-of-bounds read, can also be triggered remotely just by sending a malformed message via iMessage. Instead of code execution, this bug lets an attacker read the contents of files stored on the victim’s iOS device through leaked memory.

Here below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:

  • CVE-2019-8647 (RCE via iMessage) — A use-after-free vulnerability in the Core Data framework of iOS that can lead to arbitrary code execution through insecure deserialization when the NSArray initWithCoder method is used.
  • CVE-2019-8662 (RCE via iMessage) — Also a use-after-free vulnerability, similar to the one above, this one in the QuickLook component of iOS; it too can be triggered remotely via iMessage.
  • CVE-2019-8660 (RCE via iMessage) — A memory corruption issue in the Core Data framework and the Siri component which, if exploited successfully, could allow remote attackers to cause unexpected application termination or arbitrary code execution.
  • CVE-2019-8646 (File Read via iMessage) — This flaw, which also resides in the Siri and Core Data components of iOS, could allow an attacker to remotely read the contents of files stored on the device without user interaction, with the privileges of the ‘mobile’ user and outside any sandbox.

Besides these five vulnerabilities, Silvanovich last week also released details and a PoC exploit for another out-of-bounds read vulnerability that likewise allows remote attackers to leak memory and read files from a remote device.

images from Hacker News