Researchers have discovered another family of Point of Sale (POS) malware.
POS malware is a dangerous and hard-to-recognize class of threat that preys on retailers running Windows-based payment terminals. The risk has been around for a long time, yet it has now become the preferred fraud technique by which cybercriminals cheat retailers out of enormous amounts of payment card data. Punkey is a family of POS malware that infects POS systems to steal payment card data. Attackers use two methods to get it onto a system: Punkey is installed either by exploiting the easy-to-crack passwords commonly used for remote access software on POS systems, or through cashiers using the POS systems to browse malicious websites or open phishing messages.
Once installed, Punkey conceals itself as a part of Explorer, one of Windows' essential processes. Like a great deal of POS malware, Punkey uses memory scraping to steal card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.
Punkey is not difficult to remove once you are clear on what to look for. Since researchers have published a lot of analysis of the malware, organizations should be able to use standard anti-malware solutions to detect and remove Punkey.
Punkey is a little more advanced than the vast majority of other POS malware. Most POS malware does not try to hide itself using comparable injection and encryption techniques. Punkey also maintains regular communication with a C&C server, not only to transfer stolen payment card data but also to download updated versions of itself and any additional malware the operators behind it may choose to use.
Cybercriminals follow the money, and infecting a POS terminal that may swipe a great number of payment cards is an extremely lucrative avenue for them. Ideally, the protections now being put in place, such as chip-and-PIN cards and point-to-point encryption, will drive criminals to look elsewhere.
Punkey is not greatly widespread yet, but it is certainly targeted. Organizations and their security partners, such as their managed security provider, should run updated anti-virus and intrusion detection systems or solutions, and in addition they have to monitor their networks for any suspicious traffic. Organizations should also teach their employees to follow security best practices, such as using POS systems only for what they are intended for and not to browse the web, check email, play video games, and so on. For POS systems that use remote access technology, organizations should ensure that the software is kept up to date and can be accessed only with strong passwords or two-factor authentication.
Dyre Wolf – dangerous banking malware
A cyber-attack operation has successfully stolen more than 1 million dollars from a few targeted organizations using spear-phishing emails, malware and a few social engineering tricks, security analysts say. The operation, named "The Dyre Wolf" by IBM's security intelligence division, targets organizations that frequently wire large amounts of money, regardless of two-factor authentication security.
A mixture of malware, social engineering & DDoS
Cybercriminals are no longer dependent only on trojans to gather financial information; they are also using other techniques, such as social engineering strategies, to keep big companies that conduct frequent large wire transfers under attack. These criminals divert the attention of the bank users from the theft by using DDoS attacks against the targeted banks or businesses.
How the attack works
The attackers send an email to your organization with an attachment claiming to be an important financial report, but which is actually an "Upatre downloader"; this is known as a spear-phishing attack. Upatre is downloaded to the victim's machine once the attachment is opened, and this is not detected by most antivirus programs. Now, with the help of the Dyre Trojan, the attacker can take over the victim's address book and is capable of sending out mass emails via Outlook. The malware keeps silent and observes the activities the victims perform on their machines.
When the victim tries to access any bank site, Dyre shows a customized screen with a message stating that the site is encountering some issues and asking the victim to call the number given in order to make any transaction. Interestingly, when you call the number provided you are assisted by a person rather than an automated response. The attackers then retrieve all of the victim's information, hang up the phone, and immediately make a wire transfer from the victim's account. By the time the bank detects the suspicious wire transfers from so many accounts, the bank website is subjected to a DDoS attack, which prevents the users from accessing their bank accounts.
What steps can be followed to protect against Dyre Wolf?
Security best practices should be trained, implemented and adhered to by all employees of the organization
Create awareness among employees by conducting regular simulated attacks, publishing the findings and reporting the consequences
Conduct periodic security trainings
Send regular alerts and reminders to all employees and run mock spam campaigns to make sure that none of the employees open any attachment or click any link from an unknown source
Train all employees never to reveal their banking credentials to anyone under any circumstances
The attackers targeted those banks that never focused on raising an alarm when large amounts of money were transferred. The Dyre Wolf has already ripped off organizations for $500,000 to more than $1 million per attack. We recommend that organizations conduct an immediate and active campaign to create this awareness among all their customers.
GitHub, a popular community coding website used by programmers for software development, suffered a DDoS attack late on Thursday night.
According to a researcher who goes by the name A nthr@x, the injected code instructs the browsers of visitors to those websites to connect to GitHub.com every two seconds, in a way the visitors could not notice, creating "an extremely large amount of traffic."
According to A nthr@x,
"In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."
In particular, the attack targeted two popular projects: GreatFire and CN-NYTimes.
GreatFire – a well-known group on GitHub that fights against Chinese government censorship of the Internet.
CN-NYTimes – a group that hosts New York Times mirrors to allow Chinese citizens to access the news website, which is normally blocked in China.
The attackers knew well that the Baidu search engine is exceptionally popular and that the attack would bring about a gigantic surge of traffic to GitHub; it started at around 2AM UTC on Friday and lasted for more than a day.
There was a nonstop series of DDoS attacks which caused regular outages, and its administrators have been working to mitigate the attack with intermittent success, GitHub said.
However, the most recent status on the site says the company has deployed new defenses.
"We're aware that GitHub.com is intermittently unavailable for some users during the ongoing DDoS," GitHub said in a message posted at 1549 UTC Friday.
"Restoring service for all users while deflecting attack traffic is our number one priority. We've deployed our volumetric attack defenses against an extremely large amount of traffic. Performance is stabilizing," a message posted by GitHub at 15:04 UTC says.
The company stated that, "We've been under continuous DDoS attack for 24+ hours. The attack is evolving, and we're all hands on deck mitigating."
Baidu has denied any involvement in the DDoS attack and said that it was not deliberately involved in any traffic redirection. The company said in a statement that "We've notified other security organizations, and are working together to get to the bottom of this."
Rivest Cipher 4 (RC4) is one of the most commonly used stream ciphers, securing about 30% of the TLS traffic on the internet today. This most prominent and widely used encryption scheme has been found to be weaker still with the disclosure of another attack that could permit attackers to take credit card numbers, passwords and other sensitive data from transmissions secured by the SSL and TLS protocols.
Itsik Mantin, a security researcher from the security firm Imperva, presented his research white paper "Attacking SSL when using RC4", explaining the weaknesses in RC4 and how it can be attacked using the "Bar Mitzvah attack", at the Black Hat Asia security conference held in Singapore on 27th March.
This attack essentially exploits the weak key pattern (the Invariance Weakness) present in RC4 keys, which can leak plaintext data from the encrypted SSL/TLS traffic into the ciphertext under specific conditions, potentially exposing account credentials, credit card data, or other sensitive data to attackers.
The Invariance Weakness of the RC4 pseudo-random stream allows an attacker to distinguish RC4 streams from random data and increases the likelihood of sensitive data leaking in plaintext.
The researchers state in their white paper, "The security of RC4 [algorithm] has been questionable for many years, in particular its initialization mechanisms,"
"However, only in recent years has this understanding begun translating into a call to retire RC4. In this research, we follow [researches on 2013 RC4] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated."
According to Mantin, though the Man-in-the-Middle attack is well known for session hijacking, Bar Mitzvah is the first practical attack on SSL that requires only passive sniffing or eavesdropping on the SSL/TLS encrypted connections rather than a Man-in-the-Middle attack.
Next Steps for You:
Network and system administrators should consider the following steps to protect themselves from the weaknesses of RC4 until a solution is available:
Web application administrators should disable RC4 in their web applications' TLS configurations
Power Users / Super Users should disable RC4 in their browsers’ TLS configurations
Browser vendors should remove RC4 from their TLS cipher lists
We also need to remember that, in the last several years, a few critical vulnerabilities like BEAST, POODLE and CRIME have been found in the SSL protocol, alongside the RC4 weakness.
Hazardous Malware – Vawtrak
Security analysts have found new features in the highly hazardous Vawtrak malware, also known as Neverquest, that permit it to send and receive data through encoded favicons delivered over the secure Tor network.
A researcher, Jakub Kroustek from AVG, has given an in-depth analysis (PDF report) of the new and complex set of features of the malware, which is thought to be one of the most dangerous threats in existence.
Vawtrak is a modern piece of malware as far as supported features are concerned. It is capable enough of stealing financial information and executing transactions from the compromised PC remotely with no traces left. The features include video and screenshot capturing and launching man-in-the-middle attacks.
How Vawtrak Spreads
The AVG anti-virus firm is warning customers that it has found an ongoing campaign delivering Vawtrak to gain access to bank accounts visited by the victim, and using the infamous Pony module in order to steal a wide range of victims' login credentials.
The Vawtrak banking Trojan spreads in one of the following three ways:
Drive-by download – spam email attachments or links to compromised sites
Malware downloaders – Zemot or Chaintor
Exploit kits – such as the Angler Exploit Kit
Features of Vawtrak
According to the researcher, Vawtrak is using the Tor2Web proxy to receive updates from its developers.
"Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser," Kroustek says. "Moreover, the communication with the remote server is done over SSL, which adds further encryption."
The most recent Vawtrak sample uses steganography to hide update files inside favicons to disguise the malicious downloads. Favicons are the small images used by websites to add an icon to site bookmarks and browser tabs.
Vawtrak performs the following actions once executed in the victim’s machine:
Disables antivirus protection
Injects malicious custom code into web pages the user visits, mostly related to online banking
Steals digital certificates, passwords, browser history and cookies
Surveils the victim by keylogging, taking screenshots or capturing video
Gains remote access to the user's machine via either VNC or SOCKS
Vawtrak is capable of stealing passwords from almost all browsers; Internet Explorer, Firefox, and Chrome are no exception.
Countries That May Be Affected
Vawtrak is capable of infecting banking, gaming and social network users, mainly across countries including the United Kingdom, the United States, and Germany. Users in Australia, New Zealand and across Europe can also be affected.
According to AVG "Vawtrak is like a Swiss Army knife for its operators because of its wide range of applications and available features."
There is another malware family targeting PoS systems, infecting machines to scrape memory for credit card data and exfiltrate that data to servers, likewise mostly under the .ru TLD, for harvesting and probable resale. This new malware family has been named PoSeidon.
This new and frightfully nasty type of Point-of-Sale (POS) malware has been seen in the wild by Cisco's Talos Security Intelligence & Research Group.
According to them, PoSeidon is more advanced and nastier than previously seen Point of Sale malware.
It has been designed in such a way that it has the capabilities of both the infamous Zeus banking Trojan and the BlackPOS malware, which robbed millions from big US retailers such as Target in 2013 and Home Depot in 2014.
This malware scrapes the memory of Point of Sale terminals and searches for card number sequences of major card issuers such as MasterCard, Visa, Discover, AMEX etc., using the Luhn algorithm to check that the card numbers are valid. The researchers say that the malware then sends the card data off to Russian (.ru) domains, probably for resale.
"PoSeidon is another in the growing number of malware targeting POS systems that demonstrate the sophisticated techniques and approaches of malware authors," researchers of Cisco's Security Solutions team wrote in a blog post.
"Attackers will continue to target POS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as POS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families."
The PoSeidon Point of Sale malware contains a Loader binary that maintains persistence on the target machine in order to survive reboots and user logouts. The Loader then retrieves other components from the command and control servers and downloads the binary FindStr, which installs a keylogger component and scans the memory of the PoS device for credit card number sequences.
The recognized numbers are verified using the Luhn algorithm, then encrypted and sent to one of the given exfiltration servers, the majority of which belong to Russian domains, listed below:
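The Luhn filter that PoSeidon is described as applying to memory-scraped digit runs is the same check a defender can use to confirm whether card data sits in cleartext in a terminal's memory dump, swap file or logs. The following is an added example, not Cisco's analysis code and not the malware's: it scans a byte buffer for 13 to 19 digit runs, keeps only those that pass Luhn, attaches a coarse issuer hint from the leading digits, and reports the hits masked so the report itself does not become a cardholder-data store. The sample buffer is constructed, and the card numbers in it are the standard Visa and MasterCard test numbers, not real accounts.

```python
import re

# Constructed sample standing in for a memory dump or log extract: one
# valid Visa test number, one MasterCard test number, one number that
# fails Luhn, a 10-digit phone number and a 20-digit serial that should
# all be ignored.
SAMPLE_BUFFER = (
    b"order=1234 name=J.DOE pan=4111111111111111 exp=1219\x00\x00"
    b"bad=4111111111111112 phone=5551234567 "
    b"track=5500000000000004 serial=12345678901234567890"
)

# A run of 13-19 digits with no digit immediately before or after it.
DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def issuer_hint(pan: str) -> str:
    """Coarse issuer guess from well-known leading-digit ranges."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    if pan[:2] in {"34", "37"}:
        return "AMEX"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    return "unknown"

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI-style masking does."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(buf: bytes) -> list:
    """Return every 13-19 digit run in buf that passes the Luhn check."""
    hits = []
    for m in DIGIT_RUN.finditer(buf):
        candidate = m.group().decode()
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits

def scan_report(buf: bytes) -> list:
    """(offset-free) masked report of likely PANs with an issuer hint."""
    return [(mask_pan(p), issuer_hint(p)) for p in find_pans(buf)]

if __name__ == "__main__":
    for masked, issuer in scan_report(SAMPLE_BUFFER):
        print(f"possible PAN {masked} ({issuer})")
```

Digit runs that are not card numbers (phone numbers, timestamps, serials) are the main source of noise in this kind of scan; the length window plus the Luhn check removes most of them, which is exactly why the malware applies the same filter before exfiltrating. Any hit on a live terminal means card data is reachable in cleartext and point-to-point encryption or a scope review is overdue.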
In recent years, various Point of Sale malware has been seen in the United States, gathering customers' credit card magnetic stripe data and selling it in underground black markets.
Researchers say that system and network administrators ought to stay vigilant and must stick to industry best practices so they can protect themselves against evolving Point of Sale malware attacks.
PoSeidon is an addition to the growing number of Point-of-Sale malware families targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors. Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and the development of new malware families. System and network admins need to stay vigilant and stick to industry best practices to ensure coverage and protection against evolving malware threats.
We recommend that organizations adopt security best practices, beginning with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network and across the full attack continuum: before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.
GHOST glibc Vulnerability affects WordPress and PHP applications
Ubuntu has already updated its software as of now, but hackers can still effectively use this vulnerability to gain control of a Linux server.
A heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used in particular by the gethostbyname() and gethostbyname2() glibc function calls.
The chance of exploitation of this critical weakness remains high even after numerous Linux distributions issued fixes, as PHP applications including WordPress also use the gethostbyname() function wrapper.
IS GHOST A BIG ISSUE FOR WORDPRESS?
According to Sucuri researcher Marc-Alexandre Montpas, the GHOST vulnerability could be a big issue for the WordPress CMS, as it uses the wp_http_validate_url() function to validate every pingback post URL.
"....And it does so by using gethostbyname()," wrote Montpas in an advisory published Wednesday. "So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server."
The vulnerability affects all versions of glibc from glibc-2.17 and lower. It was fixed in glibc-2.18 in May 2013, yet it was not flagged as a security vulnerability, so the fix did not make it into numerous popular Linux distributions like Red Hat and Ubuntu.
CHECK YOUR SYSTEM AGAINST GHOST FLAW
"This is a very critical vulnerability and should be treated as such," Montpas said. "If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away."
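A first-pass check of whether a host is running a glibc older than the upstream fix is straightforward, and the following added example (not Sucuri's or the advisory's code) does it: it parses the version string glibc reports through the real gnu_get_libc_version() C call and compares it as a numeric tuple against the 2.18 threshold the text gives. The version comparison is only an upstream heuristic: distributions such as Red Hat and Ubuntu backport fixes into older version numbers, so a host that reports 2.12 or 2.15 may already be patched. Treat "vulnerable" here as "needs the package changelog checked", and treat "fixed" as reliable only where no backport could have applied.

```python
import ctypes
import re

# Per the advisory text above: the overflow was fixed upstream in glibc-2.18.
FIXED_IN = (2, 18)

def parse_glibc_version(text: str) -> tuple:
    """Turn a glibc version string such as '2.19-18' or '2.5' into (major, minor).

    A numeric tuple is compared, not the raw string, so that '2.5' correctly
    sorts below '2.18' (string comparison would get that wrong).
    """
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised glibc version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)))

def upstream_vulnerable(version: str) -> bool:
    """True when the reported version predates the upstream 2.18 fix."""
    return parse_glibc_version(version) < FIXED_IN

def installed_glibc_version():
    """Ask the running C library for its version; None when not on glibc.

    gnu_get_libc_version() is a real glibc export; loading the process's own
    symbol table with CDLL(None) works on Linux and fails cleanly elsewhere.
    """
    try:
        libc = ctypes.CDLL(None)
        fn = libc.gnu_get_libc_version
        fn.restype = ctypes.c_char_p
        return fn().decode()
    except (OSError, AttributeError, TypeError):
        return None

def ghost_status(version=None) -> str:
    """Human-readable verdict; caveated because distros backport fixes."""
    version = version or installed_glibc_version()
    if version is None:
        return "not a glibc system (or glibc not reachable): GHOST does not apply"
    if upstream_vulnerable(version):
        return (f"glibc {version} predates the upstream 2.18 fix: check the "
                "distribution package changelog for the GHOST backport")
    return f"glibc {version} is at or past the upstream 2.18 fix"

if __name__ == "__main__":
    print(ghost_status())
```

On a patched enterprise distribution the heuristic will still say "predates the upstream fix", which is the correct prompt: confirm through the package manager that the vendor's GHOST update is installed, then reboot so every long-running process that had the old library mapped picks up the fixed one, as the advice below says.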
DEFEND THE FOLLOWING WAY
Users of all the latest Linux distributions such as Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 are recommended to patch their systems with immediate effect, followed by a system reboot.
Depending on your needs, if you don't want to use the XML-RPC process, you can disable it. There are even WordPress plugins that will totally disable the XML-RPC process.
Disable Pingback Requests
Disable the pingback feature by adding the following code to your functions.php file:
The top breaches of 2014 tell us that organizations from all sectors are vulnerable to external attacks, which may damage organizations and their leaders' careers.
Some of the top incidents of the year are as follows:
CHS Community Health Systems (4.5 million people affected)
This is considered to be the largest health data breach of 2014; it involved breaching the organization's systems and fetching sensitive patient details.
This attack shows that hackers are increasingly focusing on healthcare organizations, which are considered to be easier targets than other sectors.
The Home Depot (56 Million People affected)
This breach resulted in the loss of 56 million people's credit and debit card numbers, stemming from the compromise of a third-party vendor.
This attack shows that organizations need to closely monitor the security measures of their vendors.
JPMorgan Chase (76 Million People Affected)
This massive breach occurred while the Chase bank's security team was upgrading a server to two-factor authentication control, and it resulted in the loss of 76 million people's names,
The takeaway from this incident is that if the nation's largest bank can be breached, then virtually all other banking institutions must be considered at risk.
Target (110 million people affected)
This breach occurred in 2013 and resulted in the loss of 110 million people's credit and debit card details; the company faced massive breach response costs, a changing C-suite, federal scrutiny and several class action lawsuits.
Target's breach showed that such incidents can cost a CEO's job.
eBay (145 million people affected)
This is considered to be the least-discussed major breach of 2014; it resulted in the loss of 145 million people's encrypted passwords, customer names, email addresses, mailing addresses, phone numbers, dates of birth etc.
The film studio was hacked by unknown people in a massive "wiper" malware attack that exposed intellectual property, PII, PHI, unreleased feature films and company emails, along with personal employee details.
Sandworm (CVE-2014-4114) – OLE RCE Exploit MS14-060
This recent exploit (dubbed “Sandworm”) took advantage of a vulnerability in which a specially crafted OLE object could allow remote code execution. In the case of the live sample exploit PPSX file I examined, it automatically downloaded the payload from a remote SMB share.
First, the PPSX file contains two binary OLE object files (oleObject1.bin and oleObject2.bin) that, thanks to the vulnerability, are able to define content to retrieve from a remote share.
Each is responsible for downloading one of the following two files:
1) A malicious executable, posing as a GIF (slide1.gif).
2) An INF file (slides.inf) that, when retrieved and executed, renames the retrieved GIF to an EXE.
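The behaviour described in the two steps above gives a defender a cheap static triage signal: a PPSX that embeds OLE objects pointing at a UNC path is not something a normal slide deck does. The following is an added example and not code from the original analysis: it opens a PPSX as the ZIP container it is, looks at the embedded OLE objects under the ppt/embeddings/ directory (the standard OOXML location, assumed here rather than taken from the page), and searches each one for UNC-style \\host\share references in both ASCII and UTF-16LE form, since OLE structures commonly store strings as UTF-16. The sample document is built in memory; the host address in it is from the documentation range and is constructed, not an indicator from the page.

```python
import io
import re
import zipfile

# UNC path: two backslashes, a host, a backslash, then a share/path with no
# whitespace or NUL. Applied to decoded text, so one pattern serves both
# ASCII and UTF-16LE payloads.
UNC = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\x00]+")

EMBEDDINGS_DIR = "ppt/embeddings/"  # assumed standard OOXML location for OLE objects

def find_remote_refs(blob: bytes) -> list:
    """Return UNC references found in blob, trying ASCII and UTF-16LE views."""
    found = []
    for text in (blob.decode("latin-1"), blob.decode("utf-16le", errors="ignore")):
        found.extend(UNC.findall(text))
    return found

def triage_ppsx(data: bytes) -> dict:
    """Map each embedded OLE object that references a UNC path to those paths."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(EMBEDDINGS_DIR) and name.lower().endswith(".bin"):
                refs = find_remote_refs(z.read(name))
                if refs:
                    report[name] = refs
    return report

def build_sample_ppsx() -> bytes:
    """Constructed stand-in for a suspicious deck: two OLE objects that point
    at a remote share (one UTF-16LE, one ASCII) plus one harmless object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/embeddings/oleObject1.bin",
                   "\\\\198.51.100.7\\share\\slide1.gif".encode("utf-16le"))
        z.writestr("ppt/embeddings/oleObject2.bin",
                   b"\\\\198.51.100.7\\share\\slides.inf")
        z.writestr("ppt/embeddings/oleObject3.bin", b"harmless embedded object")
    return buf.getvalue()

if __name__ == "__main__":
    for member, refs in triage_ppsx(build_sample_ppsx()).items():
        print(f"{member}: references remote share {refs}")
```

Beyond the static check, the same two-step chain described above (fetch from a share, then an INF rename) gives the network-side signal a defender should also watch for: outbound SMB from a workstation to an unfamiliar host right after an Office document is opened, which is the traffic that blocking outbound SMB at the perimeter cuts off.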
There Is a New Security Vulnerability Named POODLE, and It Is Not Cute
POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.
Apple patches 144 security flaws across seven products
In addition to OS X 10.10 Yosemite, Apple released a number of software updates on Thursday, largely for security fixes: Security Update 2014-005 for OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.5; OS X Server versions 2.2.5, 3.3.2 and 4.0; and iTunes 12.0.1. In total, 144 separate vulnerabilities are addressed in these updates.
Google Patches Chrome for 159 Security Vulnerabilities
Google officially released the Chrome 38 browser on Oct. 9, providing users with few new features. The main focus of Chrome 38 is stability and security fixes—lots of security fixes.
In total, Google is patching 159 security vulnerabilities in Chrome 38, which is one of the highest numbers of security-related fixes for any single browser ever released. Going a step further, Google noted that it also made "113 relatively minor fixes" that it found with its open-source Memory Sanitizer application. Other browser vendors likely might have also counted the 113 memory fixes in their security totals, so for argument's sake, let's say that Chrome 38 fixes 272 security related issues.
Remote exploit vulnerability in bash CVE-2014-6271
A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. This affects Debian as well as other Linux distributions. You will need to patch ASAP.
Java Reflection API Woes Resurface in Latest Oracle Patches
Problems with the maligned Java Reflection API, the molten core of far too many exploited Java vulnerabilities in 2013, have surfaced again.
Researchers with Security Explorations published details of a number of critical vulnerabilities in Java; the disclosures were made on the same day Oracle released its Critical Patch Update, a quarterly monster patch release addressing security issues across its product lines.
A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole
Remember when we said that a new patch had fixed the problems with the last patch to fix the rated-highly-dangerous “Shellshock” bug in the GNU Bourne Again Shell (bash)? You know, that bug that could allow an attacker to remotely execute code on a Linux or Unix system running some configurations of Apache, or perhaps the Git software version control system, DHCP network configuration or any number of other pieces of software that use bash to interact with the underlying operating system? Well, the new patch may not be a complete fix—and there may be vulnerabilities all the way down in the bash code