Targeted Ransomware Attacks Hit Several Spanish Companies

Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely.

Ransomware is malware that encrypts the files on an infected system and holds them hostage until a ransom is paid.

According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying:

“We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated.”

“Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems.”

According to cybersecurity consultant Arnau Estebanell Castellví, the malware encrypted files on Everis’s computers with an extension name resembling the company’s name, i.e., “.3v3r1s,” which suggests the attack was highly targeted.

At this moment, it’s unknown which specific ransomware family was used to target the company, but the attackers reportedly demanded €750,000 (~USD 835,000) in ransom for the decryptor, a company insider told the bitcoin.es site.

However, considering the highly targeted nature of the attack, the founder of VirusTotal suggested in a tweet that the ransomware could be BitPaymer/IEncrypt, the same malware that was recently found exploiting a zero-day vulnerability in Apple’s iTunes and iCloud software.

Here’s the ransomware message that was displayed on the screens of the infected computers across the company:

Hi Everis, your network was hacked and encrypted.
No free decryption software is available on the web.
Email us at sydney.wiley@protonmail.com or evangelina.mathews@tutanota.com to get the ransom amount.
Keep our contacts safe.
Disclosure can lead to the impossibility of decryption.

What’s more? It seems like Everis is not the only company that suffered a ransomware attack this morning.

images from Hacker News

Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light

A team of cybersecurity researchers has discovered a clever technique to remotely inject inaudible and invisible commands into voice-controlled devices — all just by shining a laser at the targeted device instead of using spoken words.

Dubbed ‘Light Commands,’ the hack relies on a vulnerability in MEMS microphones embedded in widely-used popular voice-controllable systems that unintentionally respond to light as if it were sound.

According to experiments by a team of researchers from universities in Japan and Michigan, a remote attacker standing several meters away from a device can covertly trigger the attack simply by modulating the amplitude of laser light to produce an acoustic pressure wave.

“By modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio,” the researchers said in their paper [PDF].

Doesn’t this sound creepy? Now read this part carefully…

Smart voice assistants in your phones, tablets, and other smart devices, such as Google Home and Nest Cam IQ, Amazon Alexa and Echo, Facebook Portal, Apple Siri devices, are all vulnerable to this new light-based signal injection attack.

“As such, any system that uses MEMS microphones and acts on this data without additional user confirmation might be vulnerable,” the researchers said.

Since the technique ultimately allows attackers to inject commands as a legitimate user, the impact of such an attack can be evaluated based on the level of access your voice assistants have over other connected devices or services.

Therefore, with the light commands attack, the attackers can also hijack any digital smart systems attached to the targeted voice-controlled assistants, for example:

  • Control smart home switches,
  • Open smart garage doors,
  • Make online purchases,
  • Remotely unlock and start certain vehicles,
  • Open smart locks by stealthily brute-forcing the user’s PIN.

As shown in the video demonstration: in one of their experiments, the researchers injected the command “OK Google, open the garage door” into a Google Home by shooting a laser beam at it, and successfully opened the garage door connected to it.

images from Hacker News

Explained: How New ‘Delegated Credentials’ Boosts TLS Protocol Security

Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called “Delegated Credentials for TLS.”

Delegated Credentials for TLS is a new simplified way to implement “short-lived” certificates without sacrificing the reliability of secure connections.

In short, the new TLS protocol extension aims to effectively prevent the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours.

Before jumping into how Delegated Credentials for TLS works, you need to understand the current TLS infrastructure and, of course, the core problem in it that Delegated Credentials for TLS is meant to solve.

The Current TLS Infrastructure

More than 70% of all websites on the Internet today use TLS certificates to establish a secure line of HTTPS communication between their servers and visitors, ensuring the confidentiality and integrity of every bit and byte of data being exchanged.

Websites obtain a TLS certificate from a Certificate Authority (CA) that must be trusted by all major web browsers. The CA digitally signs a certificate that remains valid only for a specific period, typically a year or two.

When you connect to an HTTPS-protected website, the server provides its TLS certificate to your web browser for confirming its identity before exchanging any information that could include your passwords and other sensitive data.

Ideally, certificates are expected to be used for their entire validity period, but unfortunately, a certificate can go bad before its expiration date for many reasons.

For example, the secret private key corresponding to a certificate can be stolen, or the certificate can be issued fraudulently, allowing an attacker to impersonate a targeted server or spy on encrypted connections through a man-in-the-middle attack.

Moreover, big tech companies like Facebook, Google, and Cloudflare serve their services from thousands of servers deployed worldwide. They distribute the private keys of their certificates to each one of them, a process where the risk of compromise is higher than usual.
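The exposure window that short-lived credentials are meant to shrink, shown in an added Go example (not code from the article, from Mozilla, or from the Delegated Credentials specification): it issues a one-year certificate and a seven-day one for the same hostname, then checks which one a client would still accept 30 days after issuance, i.e. how long a private key stolen at that point keeps working. The self-signed certificates, the example.test hostname and the seven-day lifetime are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a self-signed server certificate for cn valid from the given
// instant for lifetime (assumed setup; a real leaf would be CA-signed).
func issue(cn string, from time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    from,
		NotAfter:     from.Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usableAt reports whether a client that trusts cert would accept it at time t;
// Verify enforces the NotBefore/NotAfter window against CurrentTime.
func usableAt(cert *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: cert.DNSNames[0], CurrentTime: t})
	return err == nil
}

// exposureWindow is how long a private key stolen at theft keeps working.
func exposureWindow(cert *x509.Certificate, theft time.Time) time.Duration {
	if !theft.Before(cert.NotAfter) {
		return 0
	}
	return cert.NotAfter.Sub(theft)
}
```

With a theft 30 days after issuance, the one-year certificate stays usable for another 335 days while the seven-day one is already rejected.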

images from Hacker News

Facebook Reveals New Data Leak Incident Affecting Groups’ Members

Facebook today revealed yet another security incident admitting that roughly 100 app developers may have improperly accessed its users’ data in certain Facebook groups, including their names and profile pictures.

In a blog post published Tuesday, Facebook said the app developers that improperly accessed this information were primarily social media management and video streaming apps, which let group admins manage their groups more effectively and help members share videos to the groups, respectively.

For those unaware, Facebook made some changes to its Group API in April 2018, a month after the revelation of the Cambridge Analytica scandal, limiting apps integrated with a group to only access information, like the group’s name, the number of members and the posts’ content.

To get access to additional information like names and profile pictures of members in connection with group activities, group members had to opt-in.

However, it seems like Facebook once again failed to protect its users’ information despite the company changing its Group API access parameters back in April 2018.

In an ongoing review, Facebook said it found that the developers of some apps retained the ability to access Facebook Group member information from the Groups API for longer than the company intended.

Though Facebook did not disclose the total number of users affected by the leak or if the data also involved other information beyond just names and profile pictures, the company did assure its users that it stopped all unauthorized access to the data and that it found no evidence of abuse.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained, and we will conduct audits to confirm that it has been deleted,” the company said.

Facebook also believes that the number of app developers that actually accessed this data is smaller and has decreased over time: of the roughly 100 app developers that retained user data access through the Groups API over the last 18 months, it says, “at least 11 partners accessed group members’ information in the last 60 days.”

images from Hacker News

Two Former Twitter Employees Caught Spying On Users For Saudi Arabia

Two former employees of Twitter have been charged with spying on thousands of Twitter user accounts on behalf of the Saudi Arabian government, likely with the purpose of unmasking the identity of dissidents.

According to an indictment filed on November 5 and unsealed just yesterday, one of the charged Twitter employees, American citizen Ahmad Abouammo, left the company in May 2015 and the other, Saudi citizen Ali Alzabarah, left the company in December 2015.

Both ex-employees were recruited in 2014 by Saudi government officials with close ties to the Saudi crown prince, Mohammed bin Salman, to access sensitive and non-public information of Twitter accounts associated with known Saudi critics.

The information Abouammo and Alzabarah illegally accessed about Twitter users included their email addresses, devices used, browser information, user-provided biographical information, birthdates, and other information that can be used to determine a user’s location, such as IP addresses associated with the accounts and phone numbers.

Alzabarah, who joined Twitter in August 2013 as a “site reliability engineer,” worked with the Saudi officials between May 21 and November 18, 2015, and allegedly accessed the private data on more than 6,000 Twitter accounts.

The accounts he accessed included at least 33 users for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter.

According to the indictment, Abouammo has also been separately charged with acting as a foreign agent and providing the Federal Bureau of Investigation (FBI) with falsified records to obstruct the federal investigation.

Besides spying on Twitter users, Abouammo has also been accused of deleting certain information from the social media platform, unmasking the identities of some users, and shutting down Twitter accounts on request of the Saudi government officials.

images from Hacker News