Despite being charged by US authorities last March for cyber-attacks, the Iran-based group known as Cobalt Dickens or Silent Librarian has continued its phishing operations. It is now targeting universities and academic institutions around the world in a bid to steal intellectual property.
In this latest wave of attacks, the group allegedly stole information from 76 universities in 14 countries, including:
- United Kingdom
- United States
The group has also targeted 47 US and foreign private-sector companies, as well as government and international bodies including the US Department of Labor and the United Nations.
The campaign relied on spoofed websites that mimic the login pages of the 76 universities. An estimated 16 domains hosted over 300 spoofed pages, including online library portals.
Targets receive links to the fraudulent domains in phishing emails. Anyone who enters credentials into one of the fake pages hands the group their login details. After “successfully” logging in, the user is redirected to the real service, while the captured credentials are stored by the attackers and later used to gain access to the legitimate systems.
Several computer systems at the PGA of America were recently hijacked by ransomware. On Tuesday morning, August 7, staff discovered that their systems had been compromised when ransom notes started appearing on their screens: “Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm [sic].” The malware locked down critical files and demanded cryptocurrency for their return: the association would have to transfer bitcoin to the attackers or risk losing the files forever.
The note included a bitcoin wallet address for the payment and a pair of encrypted email addresses. The ransom amount was not specified, but the attackers, to prove their “honest intentions” and “good faith”, offered to unlock two files for free.
According to a report from Golfweek, the files contained creative materials for the PGA Championship at Bellerive and next month’s Ryder Cup in France, including extensive promotional banners and logos used in digital and print communications and on digital signage around the grounds at Bellerive. The encrypted files also include development work on logos for future PGA Championships; some of that work began more than a year ago and cannot easily be recreated.
An anonymous source told Golfweek that, on the advice of law enforcement agencies and cybersecurity experts, PGA officials had no intention of meeting or paying any extortion demand. The network remained locked, full control of the servers had not yet been regained, and external researchers were still investigating.
At the time of writing, PGA of America has declined to comment on the matter. As the PGA Championship kicks off at Bellerive, the tournament has been unaffected so far and is slated to continue on its usual schedule.
Security researchers have recently uncovered a massive cryptojacking campaign that relies on compromised MikroTik routers. The attackers change each router’s configuration so that a copy of the Coinhive in-browser cryptocurrency-mining script is injected into every web page visited by users behind the router.
The campaign got off the ground this week and is still in its initial stages. It initially focused on devices in Brazil but has since expanded to MikroTik routers in other parts of the world; in total, some 210,000 routers have been compromised.
The attack exploits a security flaw in Winbox, a remote management service bundled with the routers’ operating system, RouterOS. The flaw was reportedly discovered in April 2018 and patched by MikroTik the following day, so the routers being compromised are ones that were never updated.
If you own a MikroTik router, install the latest RouterOS release as soon as possible. As an added precaution, restrict remote management (Winbox in particular) to trusted addresses and keep the firewall enabled.
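A quick check for the injection described above, added here as an example (it is not code from the article or from the researchers who reported the campaign): fetch a page you control over plain HTTP from behind the router and run the response through this scanner, which looks for the Coinhive loader script and the miner start-up call. The sample HTML and the site key in it are constructed for illustration.

```python
"""
Scan an HTML document for the signature of a router-level Coinhive
injection: a <script> tag loading the Coinhive miner library plus an
inline script that starts the miner with a site key.

Added example, not code from the original article or from the
researchers who reported the MikroTik campaign. The sample pages and
the site key below are constructed for illustration.
"""
import re
from html.parser import HTMLParser

# Hostnames/paths the Coinhive miner was served from. A script tag whose
# src contains one of these is treated as a hit.
MINER_SCRIPT_MARKERS = ("coinhive.min.js", "coin-hive.com", "coinhive.com", "authedmine")

# Inline miner start-up: new CoinHive.Anonymous('<site key>', {...}).start()
MINER_START_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_injected_miner(html: str) -> dict:
    """Return the miner script URLs and site keys found, plus an overall verdict."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    external = [s for s in parser.srcs
                if any(m in s.lower() for m in MINER_SCRIPT_MARKERS)]
    keys = []
    for code in parser.inline:
        keys.extend(MINER_START_RE.findall(code))
    return {"miner_scripts": external, "site_keys": keys,
            "injected": bool(external or keys)}


# Constructed sample: a clean page, and the same page after a compromised
# router has appended the miner loader and start-up call.
CLEAN_PAGE = "<html><head><title>Library</title></head><body><p>Hello</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE + (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var miner = new CoinHive.Anonymous("EXAMPLEKEY1234", {throttle: 0.2});'
    'miner.start();</script>'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_injected_miner(page))
```

Fetch the test page over plain HTTP: the router can only rewrite traffic it can read, so a clean-looking HTTPS response proves nothing about what it does to HTTP. A site key in the output is the identifier the attackers are mining under and is worth keeping for the incident record.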
Some 364 inmates at five Idaho prisons exploited a software vulnerability in their prison-issued JPay tablets to credit their own accounts with nearly $225,000 worth of digital credits, which they then spent on music, ebooks and games.
The Idaho Department of Correction (DOC) discovered the hack earlier this month. It emphasized that no real money was stolen and that the credits did not involve taxpayer dollars.
For a few years now, tablets have been allowed in low-security prisons across the United States, letting inmates email their families, access educational materials, read the news and purchase music and simple games. In Idaho they are offered through a contract between JPay and CenturyLink.
Prison officials have already disciplined the inmates involved: they have been charged with a disciplinary offense and lost various privileges, and may also be reclassified to a higher security level.
According to the DOC, JPay has recovered $65,000 worth of digital credits from the 364 inmate accounts. It has also blocked the inmates involved from downloading music and games until the company is compensated for its losses.
Over the weekend of July 14, North Carolina-based LabCorp, one of the largest clinical laboratory networks in the United States, shut down parts of its IT network after detecting that attackers had breached its systems.
As part of its breach-response policy, the company immediately took portions of its systems offline to contain the intrusion.
Excerpts from the form 8-K they filed with the Securities and Exchange Commission read:
“LabCorp detected suspicious activity on its information technology network.”
“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity.”
“Work has been ongoing to restore full system functionality as quickly as possible.”
The breach could put millions of patient records at risk: according to its own website, LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year.
The company, however, has sought to downplay the incident and reassure its customers.
“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said in its statement.
The FBI is monitoring the situation, and under the HIPAA breach-notification rule LabCorp must notify patients whose data was compromised within 60 days of discovering the breach.
Healthcare organizations are frequent targets for data breaches because the highly sensitive records they hold are believed to fetch high prices when sold online.
Security firm Recorded Future discovered last month that an unidentified hacker had stolen sensitive military documents and was trying to sell them on hacking forums for as little as $150 to $200. The data was allegedly taken from the computer of an Air Force officer and is said to contain sensitive information about the MQ-9A Reaper drone used for overseas strikes and surveillance missions, which could give an adversary clues to its technical capabilities and potential weaknesses.
The firm found no evidence that the hacker was tied to a foreign government. Posing as a potential buyer, its analysts exchanged messages with the seller and suspect, from the mix of Spanish and broken English in the conversation, that the person may be based in South America.
Also for sale were various training manuals, including a crewman training and survival manual, a manual on improvised explosive device (IED) mitigation tactics, and a tank operation manual.
Recorded Future informed the Department of Homeland Security, and the hacker has been prevented from selling the documents while the matter is investigated.
According to reports gathered online, an unusual glitch is affecting Samsung users, causing the default Samsung Messages app to send random photos to people in their contact list. Because the messages were sent without the user’s involvement, and apparently left no trace in the app’s sent history, users only became aware of the bug when a recipient replied.
The issue appears to be limited to newer Galaxy devices (the S9, S9 Plus and Note 8), and the images sent seem to be random picks from the user’s photo gallery.
Samsung, for its part, has acknowledged the reports: “We are aware of the reports regarding this matter and our technical teams are looking into it. Concerned customers are encouraged to contact us directly at 1-800-SAMSUNG.”
For the time being, concerned owners can switch to another messaging app or revoke the Samsung Messages app’s Storage permission (Settings > Apps > Samsung Messages > Permissions > Storage), which prevents the pre-installed app from reading the photo gallery at all.
Users may also want to hold off installing the latest Samsung Messages update until the company has fixed the issue.
A new variant of the SamSam ransomware has recently been detected. It is as robust as the earlier version, which caused widespread damage in high-profile attacks on state agencies, hospitals, city councils and more.
This newly discovered, more targeted variant uses new techniques that make it harder to spot and to analyse: it requires operator interaction to start its attack. The ransomware will not execute unless the attacker launching the payload enters a specific password on the command line, so only someone who knows the author’s password can run it. Even if the binary is already present on a system, it will not encrypt anything until that password has been supplied. This also frustrates researchers, who cannot run the sample on a test machine without knowing the password.
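To show why a password gate blocks analysis, here is an added illustration of the general technique (it is not SamSam’s code and makes no claim about how SamSam implements its check): the key that unlocks the real payload is derived from a password typed on the command line, so the embedded blob can be neither run nor decrypted without it. The salt, password and payload are constructed for the demo.

```python
"""
Password-gated payload, illustrated: the real payload is stored
encrypted under a key derived from a command-line password, and the
gate refuses to unseal it unless the password is right.

Added example of the gating concept only; not SamSam's code and not a
description of its internals. Salt, password and payload are constructed.
"""
import hashlib
import hmac
import sys

SALT = b"demo-salt-not-secret"   # assumption: shipped inside the binary
ITERATIONS = 100_000
TAG_LEN = 32


def derive_key(password: str) -> bytes:
    """Slow password-to-key derivation; the key itself never lives in the binary."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; fine for a demo, use a real AEAD in practice.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(password: str, payload: bytes) -> bytes:
    """What the author does once: encrypt the payload and append an HMAC tag."""
    key = derive_key(password)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, len(payload))))
    return ct + hmac.new(key, ct, "sha256").digest()


def unlock(password: str, blob: bytes):
    """What the gate does at run time: wrong password -> None, nothing runs."""
    key = derive_key(password)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


# Constructed stand-in for the real payload. The sealed blob is all an
# analyst holding the binary would get to see.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_PAYLOAD = b"print('stage two would run here')"
EMBEDDED_BLOB = seal(DEMO_PASSWORD, DEMO_PAYLOAD)

if __name__ == "__main__":
    stage_two = unlock(sys.argv[1] if len(sys.argv) > 1 else "", EMBEDDED_BLOB)
    print("payload unlocked" if stage_two else "wrong password: payload stays sealed")
```

Because the key is derived from the password and never stored, static analysis of the blob yields nothing; an analyst is left with guessing the password or capturing the process in memory after an operator has launched it.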
SamSam remains a nasty and elusive piece of malware. It gained worldwide notoriety when it infected the City of Atlanta’s IT systems, the Colorado Department of Transportation and several healthcare organisations, compromising data and causing millions of dollars in losses.
Protecting against this ransomware comes down to basic security practice: strong passwords on any internet-facing remote-access service, regular backups kept offline where the ransomware cannot reach them, and centralized patch management. These measures not only keep intruders out but also limit the damage and make recovery from a ransomware attack far easier.
On July 11, 2018, the United States Department of Justice announced the arrest of 74 individuals (42 in the US, 29 in Nigeria, and one each in Poland, Canada and Mauritius) for their involvement in business email compromise (BEC) scams that swindled millions of dollars from victims around the globe. US law enforcement seized about $2.4 million and recovered or disrupted nearly $14 million in fraudulent wire transfers.
BEC, also known as cyber-enabled financial fraud, is a sophisticated scam in which fraudsters pose as trusted vendors or as executives of legitimate companies. They send phishing emails to employees with access to company finances and instruct them to transfer funds to accounts the fraudsters control.
They also target real-estate buyers and people who are not tech-savvy, especially the elderly, using social engineering to trick them into wiring money or revealing personal data.
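The impersonation pattern described above leaves traces in the mail headers that a mail gateway or SOC script can check. The following is an added example (not code from the article or from any of the agencies involved): it flags an executive display name on the wrong address, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and payment language from an external sender. The company domain, executive roster and sample messages are all constructed.

```python
"""
Header heuristics for spotting a business-email-compromise lure.

Added example, not code from the original article or from any agency
involved in Operation Wire Wire. The company domain, executive roster
and both sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumption: the victim's domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumption: known executives

WIRE_WORDS = ("wire", "transfer", "urgent", "invoice", "payment", "bank details")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to catch look-alike domains (exampl3-corp.com).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and from_addr.lower() != exec_addr:
        findings.append(f"display name '{name}' impersonates {exec_addr}")

    # 2. Look-alike sender domain, one or two characters off the real one.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_dom}")

    # 3. Reply-To steers replies to a different domain than From.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"reply-to domain {_domain(reply_to)} differs from {from_dom}")

    # 4. Payment-themed language from outside the company.
    body = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    text = (msg.get("Subject", "") + " " + (body or b"").decode("utf-8", "replace")).lower()
    if from_dom != COMPANY_DOMAIN and any(w in text for w in WIRE_WORDS):
        findings.append("payment request from outside the company")

    return findings


# Constructed samples: a lure using a look-alike domain and a Reply-To
# hijack, and a legitimate internal message from the real executive.
LURE = """From: Jane Doe <jane.doe@exampl3-corp.com>
Reply-To: jd.ceo@webmail-example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please wire $48,200 to the vendor account below today and confirm.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 planning

Can we meet Thursday to go over the budget?
"""

if __name__ == "__main__":
    print("lure:", bec_indicators(LURE))
    print("legit:", bec_indicators(LEGIT))
```

None of these checks is proof on its own (a genuine executive may well mail from a personal account while travelling), which is why the function returns every indicator that fired rather than a single verdict; a real deployment would weight them and pair the header checks with out-of-band confirmation of any payment instruction.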
Dubbed “Operation Wire Wire” and coordinated by the FBI, the effort saw US and international law enforcement working with the following agencies:
- Homeland Security Investigations
- U.S. Attorneys’ Offices
- Secret Service
- Postal Inspection Services
- Treasury Department
The six-month operation finally brought these criminals into custody.
Yesterday, June 5, Facebook confirmed that it has data-sharing partnerships with at least four Chinese companies, including:
- Huawei (previously flagged by U.S. intelligence agencies as a security threat)
- TCL (the current manufacturer of BlackBerry-branded phones)
- Oppo (OnePlus’ parent company)
The agreements, dating back as far as 2010, gave the firms access to some user data so they could build Facebook features into their own devices. Facebook said the data stayed on users’ phones and was not sent to the manufacturers’ servers. Huawei, for its part, said it had worked with Facebook to make the latter’s services more convenient for users and had never collected or stored any Facebook user data.
According to Facebook officials, most of these device partnerships have already been wound down. The agreements with the four Chinese companies remain in effect, but Facebook says it will end the Huawei partnership later this week, with the other three to follow.
If you are concerned about your data, there is little you need to do on your own device: according to Facebook, the information shared through these integrations stayed on the phone rather than on the manufacturers’ servers, and the integrations themselves were built by the phone makers, not installed by users. Keeping your phone’s operating system and apps up to date is good practice regardless.
As an added precaution, consider following these tips:
- Minimize the amount of data you are sharing
- Change your privacy settings
- Turn off/limit access for third-party applications
- Avoid posting your every location
- Turn on extra security settings
- Only add people you know
Better safe than sorry, as they say!