Hackers hijack Twitter account of India’s top diplomat to post photos of Pakistan’s flag
The verified Twitter account of India’s top diplomat to the United Nations was briefly taken over by suspected Turkish hackers early on Sunday morning, 14 January. The handle of India’s permanent representative to the United Nations, Syed Akbaruddin, was changed from @AkbaruddinIndia to @AkbaruddinSyed, and two photos, one of Pakistan’s flag and one of the country’s President Mamnoon Hussain, were posted. In a pinned tweet, the group wrote in both Turkish and English: “You are hacked by the Turkish cyber army Ayyıldız Tim.” After Twitter was made aware of the attack, Akbaruddin’s account was briefly blocked and later restored. “Thanks to @TwitterIndia and many others who helped,” Akbaruddin tweeted around 12 pm on Sunday. The Turkish hacking group Ayyıldız Tim claimed responsibility for the attack and also managed to take over the account of the president of the World Economic Forum, Børge Brende, over the weekend. The group pinned a similar tweet claiming responsibility and posted a video featuring clips of other public figures who have been targeted by hackers, including former Belgian Prime Minister Guy Verhofstadt. The header image on Brende’s account was changed to a picture of an eagle with the hacking group’s logo. Brende’s account was later restored and tweeted, “We got the account back.” The group has previously claimed responsibility for hacking the Twitter account of Greek Minister of Finance Yanis Varoufakis, the US Department of Defense’s official website, Microsoft Bosnia’s site and a number of websites in Israel, the Netherlands and Canada.
Fake Telegram app found serving up malware and ads on Google Play Store
Security researchers at Symantec have discovered a fake Telegram application on the Google Play Store that claims to be a new, updated version of the popular encrypted messenger app. The phony app goes by the name “Teligram [NEW VERSION UPDATED]” and is designed to look exactly like the real and legitimate Telegram app. [Screenshot: the legitimate Telegram app beside the fake Teligram one on the Google Play Store. Source: Symantec] “The only differences, at least at first glance, are the (mis)spelling of Telegram, with an ‘I’ replacing the second ‘e’, the bracketed addendum, and a slightly different app icon,” the Symantec researchers wrote. These differences are an attempt to trick users into thinking the app is the latest updated version of the legitimate Telegram app. Although it actually functions as an instant messaging app, it also runs malware in the background and displays advertisements throughout the app. 2, which was built using the open source Telegram code that is distributed to third-party app stores. Teligram displays advertisements in two ways: within the chat list and as intermittent full-screen advertisements. Comparing the two apps’ manifests reveals that Teligram has added advertising libraries in order to create revenue for the fraudsters behind the deceptive app. Once the dodgy app is installed and run on the device, the malware can be leveraged by hackers to install a backdoor or ad clicker, or to carry out other nefarious activities. “Compared to this malware, Teligram users are lucky as advertising revenue appears to be the main motive behind the app,” Hou wrote. Google has since removed the malicious Teligram app from its Play Store.
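The manifest comparison the researchers describe is easy to reproduce once both APKs have been decoded with apktool. The script below is an added example and not Symantec’s tooling: it diffs two decoded AndroidManifest.xml files (permissions, components, meta-data), flags additions whose package names look like advertising SDKs, and scores how close a store label is to the legitimate one. Both manifests are constructed for the example (package names are placeholders) and the ad-SDK prefix list is an assumed watch list, not a claim about what Teligram bundles.

```python
"""Diff an original and a lookalike app's decoded manifests and score label similarity."""
import difflib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed watch list: package prefixes of common advertising SDKs.
AD_SDK_PREFIXES = ("com.google.android.gms.ads", "com.mopub", "com.unity3d.ads", "com.facebook.ads")

# Constructed stand-in for the legitimate app's apktool-decoded manifest.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Telegram">
    <activity android:name="org.example.ui.LaunchActivity"/>
    <service android:name="org.example.messenger.NotificationsService"/>
  </application>
</manifest>"""

# Constructed stand-in for the lookalike: same app plus an ad SDK and one extra permission.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <application android:label="Teligram [NEW VERSION UPDATED]">
    <meta-data android:name="com.google.android.gms.ads.APPLICATION_ID" android:value="ca-app-pub-0"/>
    <activity android:name="org.example.ui.LaunchActivity"/>
    <activity android:name="com.google.android.gms.ads.AdActivity"/>
    <service android:name="org.example.messenger.NotificationsService"/>
  </application>
</manifest>"""


def manifest_summary(xml_text):
    """Collect the parts of a decoded manifest worth diffing."""
    root = ET.fromstring(xml_text)
    summary = {"package": root.get("package"), "label": None,
               "permissions": set(), "components": set(), "meta_data": set()}
    for p in root.iter("uses-permission"):
        summary["permissions"].add(p.get(ANDROID_NS + "name"))
    app = root.find("application")
    if app is not None:
        summary["label"] = app.get(ANDROID_NS + "label")
        for tag in ("activity", "service", "receiver", "provider"):
            for c in app.iter(tag):
                summary["components"].add((tag, c.get(ANDROID_NS + "name")))
        for m in app.iter("meta-data"):
            summary["meta_data"].add(m.get(ANDROID_NS + "name"))
    return summary


def diff_manifests(original_xml, suspect_xml):
    """Everything the suspect declares that the original does not, plus ad-SDK hits among them."""
    a, b = manifest_summary(original_xml), manifest_summary(suspect_xml)
    report = {
        "added_permissions": sorted(b["permissions"] - a["permissions"]),
        "added_components": sorted(b["components"] - a["components"]),
        "added_meta_data": sorted(b["meta_data"] - a["meta_data"]),
    }
    names = [n for _, n in report["added_components"]] + report["added_meta_data"]
    report["ad_sdk_hits"] = sorted({n for n in names if n and n.startswith(AD_SDK_PREFIXES)})
    return report


def is_lookalike_label(label, legit_label, threshold=0.85):
    """True when a store label is near-identical to the legitimate one but not the same:
    one swapped letter plus a bracketed addendum scores 0.875 for Teligram vs Telegram."""
    strip = lambda s: re.sub(r"\[.*?\]|\(.*?\)", "", s).strip().lower()
    a, b = strip(label), strip(legit_label)
    return a != b and difflib.SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    report = diff_manifests(ORIGINAL_MANIFEST, SUSPECT_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("lookalike label:", is_lookalike_label("Teligram [NEW VERSION UPDATED]", "Telegram"))
```

Run it against `apktool d` output of the two APKs; in practice the added `<meta-data>` keys and activities give away the SDK faster than the code does, because ad networks require them to be declared in the manifest.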
New, currently undetected Mac malware can hijack DNS settings, steal users’ personal data
A security researcher has uncovered a new strain of malware affecting Apple Macs that hijacks a device’s DNS settings and can steal victims’ personal data, and that no antivirus engine currently detects. According to former NSA analyst and security researcher Patrick Wardle, the malicious code, dubbed OSX/MaMi, is a DNS hijacker but also features a slew of other malicious capabilities. After analysing the malware’s code, Wardle said OSX/MaMi is capable of installing a local certificate, setting up custom DNS settings, hijacking mouse clicks and running AppleScripts. The malware is also very ‘macOS’-centric, meaning it is unlikely to be a direct port of some Windows DNS hijacking malware. “There was a piece of Mac malware called ‘DNSChanger’ (or Puper, Jahlav, RSPlug-F),” Wardle wrote. A user in the US reported on the Malwarebytes forums this week that the DNS servers on a fellow teacher’s device were set to 82. To find out whether you have been infected, Wardle suggests checking your DNS settings to see whether they have been changed to 82. Wardle suspects attackers are using the usual malware distribution methods, such as social engineering, malicious emails or web-based fake security alerts, to dupe victims into downloading the malicious code. “As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections),” Wardle writes. Since antivirus software does not yet detect it, users can rely on a third-party tool that detects and blocks unexpected outgoing traffic, he said.
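Wardle’s advice is to look at the resolver settings directly, which is something an admin can script across a fleet. The check below is an added example, not Wardle’s tooling: it parses the output of `networksetup -getdnsservers` and `scutil --dns`, compares every resolver against an allow-list, and reports anything else. The allow-list of expected resolvers is an assumption to adjust for your network, and the sample outputs (including the 82.0.0.x addresses) are constructed stand-ins; the page gives only the “82.” prefix of the real indicator, so the script deliberately keys on “not on the allow-list” rather than on a specific address.

```python
"""Report macOS DNS resolvers that are not on the expected list."""
import re
import shutil
import subprocess

# Assumed allow-list: the resolvers this Mac is expected to use (change for your environment).
EXPECTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of `networksetup -getdnsservers Wi-Fi` on a hijacked machine.
SAMPLE_NETWORKSETUP = "82.0.0.2\n82.0.0.3\n"
# Constructed sample of `scutil --dns` with one injected resolver.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 82.0.0.2
  nameserver[1] : 8.8.8.8
  flags    : Request A records
"""


def parse_networksetup_dns(output):
    """One address per line, or a sentence such as "There aren't any DNS Servers set on Wi-Fi."."""
    servers = []
    for line in output.splitlines():
        line = line.strip()
        if IPV4.match(line) or (":" in line and " " not in line):  # IPv4 or bare IPv6
            servers.append(line)
    return servers


def parse_scutil_dns(output):
    """Lines of the form 'nameserver[0] : 82.x.x.x' across all resolver blocks."""
    return re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", output)


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    return sorted({s for s in servers if s not in expected})


def live_check():
    """Query the running system; returns None when not on macOS."""
    if shutil.which("networksetup") is None:
        return None
    found = {}
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True).stdout.splitlines()
    for svc in listing[1:]:              # first line is the legend about disabled services
        svc = svc.lstrip("*")            # disabled services are prefixed with '*'
        out = subprocess.run(["networksetup", "-getdnsservers", svc],
                             capture_output=True, text=True).stdout
        bad = unexpected_resolvers(parse_networksetup_dns(out))
        if bad:
            found[svc] = bad
    if shutil.which("scutil"):
        out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
        bad = unexpected_resolvers(parse_scutil_dns(out))
        if bad:
            found["scutil --dns"] = bad
    return found


if __name__ == "__main__":
    result = live_check()
    if result is None:
        print("not macOS; sample run:", unexpected_resolvers(parse_scutil_dns(SAMPLE_SCUTIL)))
    else:
        print("unexpected resolvers:", result or "none")
```

Checking both sources matters: `networksetup` shows what is configured per service, while `scutil --dns` shows what the resolver actually uses, including entries pushed by DHCP or a profile. A resolver that appears in the second but not the first is worth a closer look even if it is not one of the addresses Wardle names.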
First Android malware written in Kotlin found posing as Swift Cleaner app and stealing user data
Security researchers at Trend Micro have discovered a new Android malware written in the Kotlin programming language, the first of its kind to be found. Kotlin is a popular language for writing Android apps; Twitter, Pinterest and Netflix are among the top apps that use it. “Kotlin is described as concise, drastically reducing the amount of boilerplate code; safe, because it avoids entire classes of errors such as null pointer exceptions; interoperable for leveraging existing libraries for JVM, Android, and the browser; and tool-friendly because of its capability to choose any Java IDE or build from the command line,” Trend Micro researchers said in a blog post. The malware was found posing as a Google Play Store app called “Swift Cleaner”, which already had between 1,000 and 5,000 installs. Although the malware has several features, the hackers appear to be using only a few of them. According to Trend Micro, it can sign victims up for premium SMS subscription services without their knowledge or permission. The malware can also upload information about the user’s service provider, along with login information and CAPTCHA images, to the command-and-control (C&C) server. “Once uploaded, the C&C server automatically processes the user’s premium SMS service subscription, which can cost the victim money,” the Trend Micro researchers said. Fortunately, Google has already removed the malware-laced Swift Cleaner app from the Google Play Store.
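Two questions an analyst would put to a sample like this are whether it was in fact built from Kotlin and whether its permission set fits the premium-SMS behaviour described rather than the “cleaner” it claims to be. The triage script below is an added example, not Trend Micro’s tooling. The Kotlin check relies on artifacts a Kotlin build leaves in the archive (`*.kotlin_module` under `META-INF/`, `kotlin/*.kotlin_builtins` resources, and the `Lkotlin/Metadata;` annotation descriptor in the dex); the permission check maps permissions onto the reported behaviour. The APK bytes and the manifest are constructed, and the manifest is assumed to be the apktool-decoded text form (inside a real APK it is binary XML).

```python
"""Triage an Android package for Kotlin build artifacts and SMS-fraud permissions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed apktool-style manifest for the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.swiftcleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Swift Cleaner"/>
</manifest>"""


def build_sample_apk():
    """Constructed stand-in for a Kotlin-built APK: only the entries the checks look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/swiftcleaner.kotlin_module", b"\x00\x00")
        z.writestr("kotlin/kotlin.kotlin_builtins", b"\x00\x00")
        z.writestr("classes.dex", b"dex\n035\x00" + b"Lkotlin/Metadata;" + b"Landroid/telephony/SmsManager;")
        z.writestr("AndroidManifest.xml", b"(binary XML placeholder)")
    return buf.getvalue()


def kotlin_indicators(apk_bytes):
    """Zip entries and dex descriptors that show the app was compiled from Kotlin."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".kotlin_module") or (name.startswith("kotlin/") and name.endswith(".kotlin_builtins")):
                hits.append(name)
            elif re.fullmatch(r"classes\d*\.dex", name) and b"Lkotlin/Metadata;" in z.read(name):
                hits.append(name + ": Lkotlin/Metadata; annotation present")
    return hits


def declared_permissions(decoded_manifest_xml):
    root = ET.fromstring(decoded_manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def sms_fraud_findings(perms, claimed_purpose):
    """Map the permission set onto the behaviour in the report."""
    findings = []
    if "android.permission.SEND_SMS" in perms and "android.permission.INTERNET" in perms:
        findings.append("SEND_SMS + INTERNET: can sign up for premium SMS services and report to a C&C")
    if perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.append("RECEIVE_SMS/READ_SMS: can read subscription confirmation messages")
    if "android.permission.READ_PHONE_STATE" in perms:
        findings.append("READ_PHONE_STATE: can collect the victim's service-provider details")
    held_sms = sorted(perms & SMS_PERMS)
    if held_sms and claimed_purpose in {"cleaner", "utility"}:
        findings.append(f"a '{claimed_purpose}' app has no reason to hold {held_sms}")
    return findings


def triage_apk(apk_bytes, decoded_manifest_xml, claimed_purpose):
    perms = declared_permissions(decoded_manifest_xml)
    return {"kotlin": kotlin_indicators(apk_bytes),
            "permissions": sorted(perms),
            "findings": sms_fraud_findings(perms, claimed_purpose)}


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk(), SAMPLE_MANIFEST, "cleaner").items():
        print(f"{key}: {value}")
```

A code shrinker can strip the `kotlin/` resources and module files, so the dex-level annotation is the check to trust; conversely, an app can hold SMS permissions for legitimate reasons, so the permission findings are a reason to look at the code paths that call `SmsManager`, not a verdict on their own.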
WhatsApp security flaws could let uninvited guests slip into your private group chats
Security researchers have discovered flaws in WhatsApp’s group messaging that could allow anyone who controls WhatsApp’s servers to covertly add uninvited people to any private, encrypted group chat. Typically, only a group administrator can invite new members, and existing members are notified when new people are added to a WhatsApp group. But according to a group of cryptographers at Ruhr University in Bochum, Germany, anyone controlling WhatsApp’s server could easily insert new members into a private group without the permission of the group administrator. […] “who controls the WhatsApp server or can break the transport layer security, to take full control over a group,” the researchers wrote in their paper, published earlier this month. Once the new person is added to the group, the phone of each member automatically shares its secret keys with that person, giving them full access to all future encrypted messages sent in the chat. “The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them,” Paul Rösler, one of the Ruhr University researchers, told Wired. The server can also exploit the fact that it can stealthily reorder and drop messages in the group: it can forward messages to members individually so that a subtly chosen combination of messages covers its traces, for example by blocking messages to the group when a member starts asking questions about the new, uninvited guest.
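The root cause is that members act on a membership change because the server delivered it, not because the admin authorised it. The simulation below is an added example, not code from the Ruhr University paper: three members receive two “add member” control messages, one from the admin and one forged by the server, and hand their sender keys to the newcomer whenever they accept the add. In the vulnerable mode (the behaviour described above) both newcomers get every key; in the hardened mode members only honour changes carrying an admin tag the server cannot produce. The tag is an HMAC under a key the admin shares with members, which stands in here for the admin signature the paper proposes; member names and keys are constructed.

```python
"""Group membership with and without authenticated management messages."""
import hashlib
import hmac
import os


class Member:
    def __init__(self, name, admin_key, require_auth):
        self.name = name
        self.sender_key = os.urandom(16)  # stand-in for the member's sender key
        self.admin_key = admin_key        # lets the member verify admin-issued changes
        self.require_auth = require_auth
        self.roster = {name}

    def handle_add(self, control_msg):
        """Process an 'add' message; return the key share sent to the newcomer, or None."""
        newcomer = control_msg["add"]
        if self.require_auth:
            expected = hmac.new(self.admin_key, f"add:{newcomer}".encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(control_msg.get("tag", ""), expected):
                return None  # unauthenticated membership change: ignore it, share nothing
        # Vulnerable behaviour: the message came from the server, so it is trusted.
        self.roster.add(newcomer)
        return {"from": self.name, "to": newcomer, "sender_key": self.sender_key}


def admin_add(admin_key, newcomer):
    """The admin's legitimate add message, tagged so members can verify it."""
    tag = hmac.new(admin_key, f"add:{newcomer}".encode(), hashlib.sha256).hexdigest()
    return {"add": newcomer, "tag": tag}


def server_inject_add(newcomer):
    """A compromised server can forge the message shape but not the admin's tag."""
    return {"add": newcomer}


def simulate(require_auth):
    """Return how many members' sender keys each newcomer ends up holding."""
    admin_key = os.urandom(32)
    members = [Member(n, admin_key, require_auth) for n in ("alice", "bob", "carol")]
    outcome = {}
    for origin, msg in (("admin", admin_add(admin_key, "dave")),
                        ("server", server_inject_add("mallory"))):
        shares = [m.handle_add(msg) for m in members]
        outcome[origin] = sum(1 for s in shares if s is not None)
    return outcome


if __name__ == "__main__":
    print("server trusted for membership:", simulate(require_auth=False))
    print("admin-authenticated membership:", simulate(require_auth=True))
```

With `require_auth=True` the server-injected add yields zero key shares, so the uninvited party can be added to the server’s view of the group but never receives the material needed to read messages. Reordering and dropping messages, the other lever described above, is not addressed by this check; it needs per-sender counters or a transcript hash that members verify, which the simulation leaves out.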
Adult VR app leaked 20,000 users’ sensitive data that could have allowed hackers to blackmail them
An adult VR app reportedly exposed the private and sensitive information of 20,000 customers. High-risk vulnerabilities discovered in the SinVR app saw personally identifiable information (PII) of the app’s customers leaked for days before the firm fixed the issue. According to security researchers at London-based cybersecurity firm Digital Interruption, one of the flaws could have allowed hackers to download users’ names, email addresses and device names, and, according to the researchers, the personal details of every single SinVR customer with an account. The vulnerability could also have let hackers download the details of users who paid for content using PayPal. “As this is quite a lot of PII, not only could an attacker use this to perform social engineering attacks, but due to the nature of the application, it is potentially quite embarrassing to have details like this leaked,” the researchers noted. The researchers raised concerns that the exposure left the app’s users at risk of social engineering attacks or even blackmail. Around five days after the researchers first disclosed details of the problem to the firm, SinVR deployed a fix. Although the flaws have now been fixed, it is still unclear whether any malicious parties accessed users’ information while the app was still leaking data. In a statement, SinVR said: “Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system.”
Four malicious Chrome extensions caught infecting more than half a million users worldwide
Necurs: World’s biggest botnet spews millions of spam emails pushing Swisscoin cryptocurrency
One of the world’s biggest and most prolific botnets, Necurs, is reportedly back to spreading millions of spam emails after its ‘annual Christmas break’. In previous campaigns, Necurs, which is believed to be made up of millions of bots, has spread the infamous Locky ransomware, the Dridex banking malware and various other ransomware variants. Its last massive operation, in November 2017, saw the botnet distribute over 12 million emails in just six hours to spread the Scarab ransomware. Now, for the very first time, a Necurs spam campaign is pushing a cryptocurrency, albeit an obscure one, known as Swisscoin, the security researcher who runs the MyOnlineSecurity blog told Bleeping Computer. Necurs has reportedly been sending out millions of spam emails promoting Swisscoin in an attempt to inflate the price of the cryptocurrency and make a profit. VirusBulletin reported detecting over 35,000 emails from the new campaign, which indicates that it is likely a massive spam operation, typical of Necurs, which has spread millions of emails in just hours in previous campaigns. Bleeping Computer reported that Swisscoin trading resumed on Monday, 15 January, but the cryptocurrency lost around 40% of its initial trading price after the spam campaign started. It is still unclear what impact the Necurs campaign has had on Swisscoin’s trading price; the decline could also have been caused by the sudden drop in Bitcoin’s price this week.
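What distinguishes a botnet campaign like this from an ordinary abusive sender at the mail gateway is the fan-out: one message template arriving from many unrelated source addresses inside a short window. The detector below is an added example, not VirusBulletin’s or MyOnlineSecurity’s tooling: it parses gateway log lines, normalises subjects into templates (digits collapsed, case folded) and flags any template that reaches both a message and a distinct-source threshold within a sliding window. The log lines, subjects and thresholds are constructed for the example, using RFC 5737 test addresses.

```python
"""Flag subject templates fanned out from many sources inside a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ts>\S+) src=(?P<ip>\S+) subj="(?P<subj>[^"]*)"$')

# Constructed gateway log: one pump campaign from five hosts, one chatty but single-source sender.
SAMPLE_LOG = """\
2018-01-15T10:00:01Z src=198.51.100.10 subj="Swisscoin: last chance to buy before the price jumps"
2018-01-15T10:00:05Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:00:07Z src=198.51.100.23 subj="Swisscoin: last chance to buy before the price jumps"
2018-01-15T10:00:12Z src=203.0.113.4 subj="SWISSCOIN: Last chance to buy before the price jumps"
2018-01-15T10:00:30Z src=203.0.113.77 subj="Swisscoin: last chance to buy before the price jumps"
2018-01-15T10:01:02Z src=192.0.2.15 subj="Swisscoin: last chance to buy before the price jumps"
2018-01-15T10:01:45Z src=198.51.100.10 subj="Swisscoin: last chance to buy before the price jumps"
2018-01-15T10:02:00Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:03:00Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:04:00Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:05:00Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:06:00Z src=192.0.2.200 subj="Meeting notes 2018-01-15"
2018-01-15T10:07:00Z src=192.0.2.51 subj="Invoice 4521"
"""


def normalize_subject(subject):
    """Collapse case and numbers so per-recipient variations map to one template."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], normalize_subject(m["subj"])))
    return events


def detect_campaigns(events, window=timedelta(minutes=10), min_msgs=5, min_sources=4):
    """Sliding window per template; report the largest window that crosses both thresholds."""
    by_template = defaultdict(list)
    for ts, ip, template in sorted(events):
        by_template[template].append((ts, ip))
    findings = {}
    for template, evs in by_template.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            sources = {ip for _, ip in chunk}
            if len(chunk) >= min_msgs and len(sources) >= min_sources:
                best = findings.get(template)
                if best is None or len(chunk) > best["messages"]:
                    findings[template] = {"messages": len(chunk), "sources": len(sources)}
    return findings


if __name__ == "__main__":
    for template, stats in detect_campaigns(parse_log(SAMPLE_LOG)).items():
        print(f"campaign: {template!r} {stats}")
```

The single-source “Meeting notes” sender sends just as many messages but never trips the distinct-source threshold, which is the point: volume alone is a rate-limit problem, volume plus source diversity is a botnet signature. On real traffic, the template step should also strip tracking tokens and recipient names from the subject, or the same campaign splits into thousands of templates that each stay under the threshold.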
Hospital pays $55,000 in bitcoin to hackers after ‘SamSam’ ransomware locks systems
A US hospital paid hackers $55,000 (£39,900) to regain control of its computer systems after they were infected with a strain of ransomware known as ‘SamSam’. Last Thursday (11 January), staff at Hancock Regional Hospital in Indiana found their computers had been infected with malware demanding bitcoin to restore access. Ransomware is a kind of malware that locks up computers until a ransom is paid, usually in bitcoin. A statement posted online by Hancock Health read: “At approximately 9:30 pm on Thursday, January 11, 2018, an attack on the information systems of Hancock Health was initiated by an as-yet unidentified criminal group. Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected.” Now, as first revealed by local media outlet the Greenfield Reporter, officials from Hancock Health have confirmed that four bitcoins, worth $55,000 at the time, were transferred to the culprits. Hancock Health CEO Steve Long said hackers in Eastern Europe were to blame, adding that the ransom was paid because the costly process of restoring data from backups could have taken weeks. Notably, the hospital stated that the hacker, or hackers, accessed its system through a “remote-access portal” using an “outside vendor’s username and password”. The majority of law enforcement experts and industry professionals advise against paying ransom demands, arguing that it helps to fund the cybercriminal underground. In May last year, a global malware outbreak dubbed “WannaCry” wreaked havoc on the UK’s National Health Service (NHS), causing computer disruption and cancellations.
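The detail that matters for defenders is the entry point: a vendor’s credentials on a remote-access portal, which is an account nobody inside the hospital watches day to day. The review script below is an added example, not Hancock Health’s or any vendor’s tooling: it reads portal login records and raises an alert when a vendor account succeeds from outside the ranges registered for that vendor, outside its agreed maintenance window, or immediately after a run of failures. The vendor accounts, their registered ranges and hours, and the log lines are all constructed for the example (RFC 5737 test addresses).

```python
"""Review remote-access portal logins by third-party vendor accounts."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed vendor inventory: account, where the vendor connects from, when it may connect (UTC hours).
VENDOR_ACCOUNTS = {
    "vendor-imaging": {"cidrs": ["198.51.100.0/24"], "hours_utc": range(8, 18)},
    "vendor-billing": {"cidrs": ["203.0.113.0/24"], "hours_utc": range(8, 18)},
}
LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$')

# Constructed portal log: normal vendor activity by day, then a late-night success after failures.
SAMPLE_LOG = """\
2018-01-11T10:00:00Z user=vendor-imaging src=198.51.100.7 result=ok
2018-01-11T14:05:00Z user=vendor-billing src=203.0.113.5 result=ok
2018-01-11T15:00:00Z user=jsmith src=192.0.2.40 result=ok
2018-01-11T21:20:00Z user=vendor-imaging src=192.0.2.99 result=fail
2018-01-11T21:21:00Z user=vendor-imaging src=192.0.2.99 result=fail
2018-01-11T21:22:00Z user=vendor-imaging src=192.0.2.99 result=fail
2018-01-11T21:30:00Z user=vendor-imaging src=192.0.2.99 result=ok
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def review_vendor_logins(events, vendors=VENDOR_ACCOUNTS, fail_threshold=3):
    """Return one alert per suspicious successful vendor login, with every reason that applied."""
    alerts = []
    fails = defaultdict(int)  # consecutive failures per vendor account
    for ts, user, ip, result in sorted(events):
        if user not in vendors:
            continue  # staff accounts are handled by the normal identity monitoring, not here
        if result == "fail":
            fails[user] += 1
            continue
        vendor = vendors[user]
        addr = ipaddress.ip_address(ip)
        reasons = []
        if not any(addr in ipaddress.ip_network(c) for c in vendor["cidrs"]):
            reasons.append(f"source {ip} outside the vendor's registered ranges")
        if ts.hour not in vendor["hours_utc"]:
            reasons.append(f"login at {ts:%H:%M} UTC outside the maintenance window")
        if fails[user] >= fail_threshold:
            reasons.append(f"success after {fails[user]} consecutive failures")
        fails[user] = 0
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user, "src": ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_vendor_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each rule on its own produces noise (vendors travel, maintenance runs late), which is why the alert carries all the reasons that applied; a login that trips all three is the case worth a phone call to the vendor before the next shift starts. The inventory this depends on, which vendor owns which account and from where, is the part most organisations do not have written down.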
New Satori botnet variant now targets cryptocurrency mining rigs, replaces wallet addresses
Satori, the infamous successor of the notorious Mirai botnet that was used to hijack hundreds of thousands of IoT devices worldwide, is now hopping onto the cryptocurrency bandwagon. According to researchers from China-based Qihoo 360 Netlab, the Satori variant, dubbed Satori.Coin.Robber, is designed to target vulnerable rigs that run the Claymore Miner software to mine Ethereum and to replace the wallet address of the host with the hackers’ own address. The variant comes less than a month after hackers posted working exploit code for a Huawei router vulnerability, which was used by the Satori botnet, for free on Pastebin during the holiday season in December. Researchers at NewSky Security who spotted the code warned at the time: “When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code.” Satori.Coin.Robber issues three payloads that gather the mining state of the computer, replace the mining pool’s wallet address and then reboot the host with the new address, allowing any mined Ethereum to be directed to the hackers. Upon analysing the malicious code, researchers found similarities between Satori.Coin.Robber and the original Satori, including similar code structures, the same UPX packing magic numbers, encrypted configurations and similar configuration strings, and the same payload. The author of Satori.Coin.Robber claims in the code that it is not malicious and has even left an email address behind. […] connected to the botnet shows the Satori variant is still actively mining and has a hashrate of 2162.
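The three payloads work only because the rig’s management interface is reachable and writable. The script below is an added example, not Netlab 360’s code or Claymore’s own tooling, and it does two defensive things: it audits a Claymore command line for an open, writable management port, and it parses a `miner_getstat1` reply to compare the pool the rig reports with the one you configured. Assumptions: Claymore’s documented `-mport` semantics (0 disables the management API, a negative value makes it read-only, the default is 3333), `-mpsw` as the API password, and the documented `getstat1` field layout (ETH hashrate in kH/s at index 2, current pool at index 7). The sample reply and command lines are constructed.

```python
"""Audit a Claymore miner's management interface and sanity-check its getstat1 reply."""
import json
import shlex
import socket

# Constructed reply shaped like Claymore's documented getstat1 example.
SAMPLE_REPLY = json.dumps({"id": 0, "error": None, "result": [
    "9.3 - ETH", "21", "182724;51;0", "30502;30457;30297;30481;30479;30505",
    "0;0;0", "off;off;off;off;off;off", "53;71;57;67;61;72;55;70;59;71;61;70",
    "eth-eu1.nanopool.org:9999", "0;0;0;0"]})


def audit_claymore_cmdline(cmdline):
    """Read -mport / -mpsw from the command line and say what a remote party could do."""
    args = shlex.split(cmdline)
    opts = {args[i]: args[i + 1] for i in range(len(args) - 1) if args[i].startswith("-")}
    mport = int(opts.get("-mport", "3333"))  # assumed default when the option is absent
    findings = []
    if mport > 0:
        findings.append(f"management API on tcp/{mport} accepts writes: config rewrite and reboot are possible")
    if mport != 0 and "-mpsw" not in opts:
        findings.append("management API has no password (-mpsw)")
    return {"port": abs(mport), "enabled": mport != 0, "read_only": mport < 0, "findings": findings}


def check_getstat1(reply_json, expected_pool):
    """Parse the getstat1 result and flag a pool that differs from the configured one."""
    r = json.loads(reply_json)["result"]
    hashrate_khs, shares, rejected = (int(x) for x in r[2].split(";"))
    pool = r[7]
    alerts = []
    if pool != expected_pool:
        alerts.append(f"rig mines to {pool}, expected {expected_pool}")
    if hashrate_khs == 0:
        alerts.append("zero hashrate reported")
    return {"version": r[0], "uptime_min": int(r[1]), "hashrate_mhs": hashrate_khs / 1000,
            "shares": shares, "rejected": rejected, "pool": pool, "alerts": alerts}


def query_getstat1(host, port=3333, timeout=3):
    """Live read-only query using the documented JSON-RPC request line; reads until newline or EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b'{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}\n')
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode()


if __name__ == "__main__":
    print(audit_claymore_cmdline("EthDcrMiner64.exe -epool eth-eu1.nanopool.org:9999 -ewal 0x0 -mport 3333"))
    print(audit_claymore_cmdline("EthDcrMiner64.exe -epool eth-eu1.nanopool.org:9999 -mport -3333 -mpsw s3cret"))
    print(check_getstat1(SAMPLE_REPLY, "eth-eu1.nanopool.org:9999"))
```

The fix the audit points at is `-mport 0`, or a negative port plus `-mpsw` when you need remote monitoring, and in either case no exposure of the port beyond the rig’s management network. Note the gap in the second check: `getstat1` reports the pool but not the wallet, and this variant changes the wallet, so a rig can look healthy here while paying someone else. Cross-check the hashrate the rig reports against the hashrate your pool attributes to your wallet; a rig that hashes but earns nothing is the signal.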