Cyber security news and services
Packets over a LAN are all it takes to trigger serious Rowhammer bit flips
For the first time, researchers have exploited the Rowhammer memory-chip weakness using nothing more than network packets sent over a local area network. The advance is likely to further lower the bar for triggering bit flips that change critical pieces of data stored on vulnerable computers and servers. Until now, Rowhammer exploits had to execute code on targeted machines.
Nigerian BEC Scammers Growing Smarter, More Dangerous
Nigerian business email compromise scams are growing more dangerous and sophisticated as cybercriminals add new tools and techniques to their arsenal, such as remote access trojans (RATs) and advanced information stealers, researchers found. Palo Alto Networks’ Unit 42 said in a report released Tuesday about Nigerian cybercrime that Nigerian business email compromise (BEC)-linked incidents shot up 45 percent in 2017 compared to the year prior, representing 17,600 attacks per month. But beyond the soaring number of incidents, the criminals themselves are shifting from pesky nuisance threats, such as Nigerian Prince 419-style email scams, to far more dangerous operations.
5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws
Within just 10 days of the disclosure of two critical vulnerabilities in GPON routers, at least 5 botnet families have been found exploiting the flaws to build an army of a million devices. Security researchers from China-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of the GPON exploit in the wild. As detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root RCE (CVE-2018-10562) flaw that together allow remote attackers to take full control of the device.
One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak
It’s been a year since the WannaCryptor.D ransomware (aka WannaCry and WCrypt) caused one of the largest cyber-disruptions the world has ever seen. And while the threat itself is no longer wreaking havoc around the world, the exploit that enabled the outbreak, known as EternalBlue, is still threatening unpatched and unprotected systems.
And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.
Secrets of the Wiper: Inside the World’s Most Destructive Malware
Shamoon, Black Energy, Destover, ExPetr/NotPetya and Olympic Destroyer: all of these wiper malware families, and others like them, have the singular purpose of destroying systems and/or data, usually causing great financial and reputational damage to victim companies. However, the threat actors behind this kind of code, whether they’re bent on sending a political message or simply want to cover their tracks after data exfiltration, have adopted various techniques to carry out those activities. Cisco Talos researcher Vitor Ventura, with contributions from Martin Lee, noted in a report published on Tuesday that malware with destructive payloads has been around since the early days of virus development.
“Hide and Seek” Becomes First IoT Botnet Capable of Surviving Device Reboots
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.
You Can’t Handle the Truth About Facebook Ads, New Harvard Study Shows
The paper inadvertently offers an answer to a crucial question of our time: Why won’t Facebook just level with us? Why all the long, vague transparency pledges and congressional evasion? The study concludes that when the data mining curtain is pulled back, we really don’t like what we see.
There’s something unnatural about the kind of targeting that’s become routine in the ad world, this paper suggests, something taboo, a violation of norms we consider inviolable — it’s just harder to tell they’re being violated online than off. But the revulsion we feel when we learn how we’ve been algorithmically targeted, the research suggests, is much the same as what we feel when our trust is betrayed in the analog world.
Malware Wallet ‘Electrum Pro’ Stealing Seed Keys
It is now proven that Electrum Pro steals wallet seeds on creation, meaning that any coins stored in a wallet created with this tool are accessible to anyone with access to electrum(dot)com. If you mistakenly used this wallet, you should move your coins to a secure wallet as soon as possible.
The proof given is a step-by-step guide to decompiling the Python-based binary. The proof claims that within the binary, where the seeds are created, an additional step exists which uploads the seed to electrum(dot)com. The official website for the Electrum wallet is electrum.org, which we can be sure of due to its link on the external site bitcoin.org.
Bikeshare System Hacked, Required to ‘Manually Update’ 2,000 Bikes
But the Internet of Hackable Things leaves no connected device behind: Even in famously cyclist-friendly Copenhagen, the city’s electric bikeshare program recently experienced a huge, pain-in-the-ass technical difficulty. Bycyklen, the company that maintains the bicycles, announced on Sunday that its system—and all of the electric bikes within it—was hacked. The company had to send staff to each of its 100 locations around the city to manually reboot each bike.
Man who hit cops with laser, then crashed as he fled, ordered to prison
A Fresno, California, man has been sentenced by a federal judge to 18 months in prison after having pleaded guilty to firing a laser at a police helicopter. On Monday, Michael Alvarez became the latest person to be convicted in a string of prosecutions brought by Karen Escobar, an assistant United States attorney who is believed to be the nation’s most aggressive prosecutor for such cases.
Virginia Beach police plan to encrypt radio channels, stopping public from listening in
City police plan to begin encrypting all the radio channels they use, ending the public’s ability to listen in. It will go forward if the City Council approves a five-year, $6.2 million plan when they vote May 15 on the budget. In city documents, police said encryption is needed because criminals listen to police communications.
It would greatly increase officer safety and help protect citizens, they wrote.
‘Disappearing’ Signal Messages Are Stored Indefinitely on Mac Hard Drives
One of Signal’s best features is that messages can be set to “self-destruct,” meaning there is no paper trail for conversations in the app. But with Signal’s default settings on a Mac, your friends’ messages appear—and live on—on the operating system’s notifications bar even if the message is set to self-destruct using Signal’s timer. These notifications include the sender’s name and the message’s content.
Backdoored Python Library Caught Stealing SSH Credentials
Barely a week has passed since the last attempt to hide a backdoor in a code library, and we have a new case today. This time around, the backdoor was found in a Python module, not an npm (JavaScript) package. The module’s name is SSH Decorator (ssh-decorate), developed by Israeli developer Uri Goren; it is a library for handling SSH connections from Python code.
Critical bug in 7-Zip – make sure you’re up to date
To cut a long story short, Dave didn’t just figure out a vulnerability that was theoretically exploitable, he also created a proof-of-concept (PoC) exploit that showed how to create a RAR file that, when opened, would sneakily and unexpectedly launch the Calculator app. Generally speaking, if a PoC can pop up CALC.EXE without asking, it could be modified to run any other command, including malware, invisibly to the user.
Cryptomining with JavaScript in an Excel spreadsheet
Security researcher Charles Dardaman explains on his blog how he was able to use Microsoft’s own documentation on using JavaScript functions in the Insider Preview edition of Excel to link a spreadsheet to the Coinhive cryptomining service. Right now, JavaScript in Excel custom functions is only supported in the Developer Preview edition for Office 365 subscribers enrolled in the Office Insiders program. But it seems inevitable that in the not too distant future it will be available in more widely used versions of Excel as well.
Every major OS maker misread Intel’s docs. Now their kernels can be hijacked or crashed
Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers. At worst, miscreants can potentially “gain access to sensitive memory information or control low-level operating system functions,” which is a fancy way of saying peek at kernel memory, or hijack the critical code running the machine. The vulnerabilities can be exploited by malware running on a computer, or by a malicious logged-in user.
Microsoft Patches Two Zero-Day Flaws Under Active Attack
Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs. In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity. These patch updates address security flaws in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Exchange Server, Outlook, .NET
Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
Source: securelist.com
Introducing WebAuthn support for secure Dropbox sign in
This cryptographic proof makes U2F security keys a very strong form of two-step verification, but adoption of U2F has been limited by browser and hardware support. We hope WebAuthn will change that.
It’s a new way to interact with security keys and other “authenticators” that standardizes and builds on key parts of U2F, the result of a collaboration between the W3C and FIDO Alliance. While for years only Chrome supported U2F, browser vendors have committed to bringing WebAuthn to Chrome, Firefox, and Edge. More and more devices will have WebAuthn support built in, bringing stronger security to the many users who don’t own special security keys.
Stablecoin TrueUSD passes $12 million in circulation in just 2 months
Whether it be Saga, SwissRealCoin, Havven, or a dozen other candidates, cryptocurrencies that are backed by real assets to help reduce volatility are becoming increasingly popular. Enter TrueUSD, which not only has a stablecoin, but has been putting it into action since launch. The result?
After less than two months on the market, TrustToken — a platform that securitizes real-world assets and currencies using blockchains — has announced that its TUSD stablecoin has organically amassed over $12 million in circulation. Stablecoins allow cryptocurrency traders to put their money into a non-volatile cryptocurrency. This gives them the benefits of an efficient store of value and cost-effective trading without the need to move cryptocurrency into and out of USD.