‘Infamous’ GravityRAT spyware now hits Macs as well as Windows

The notorious GravityRAT spyware, which initially targeted Windows PCs, now also enables attacks against Macs and Android devices.

Remote Access Trojans (RATs) are so-called because they masquerade as legitimate apps (the Trojan part) and then permit the compromised machine to be accessed remotely …

Cybersecurity company Kaspersky describes the GravityRAT malware as ‘infamous’ because it has been used in attacks against even military targets, and enables a huge amount of control.

Bleeping Computer reports on the capabilities of the spyware.

– get information about the system
– search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
– get a list of running processes
– intercept keystrokes
– take screenshots
– execute arbitrary shell commands
– record audio (not implemented in this version)
– scan ports

Kaspersky has long suspected that the tool has been used against other platforms too, and has now found proof of this.

The identified module is further proof of this change, and there are a number of reasons why it doesn’t look like a typical piece of Android spyware. For one, a specific application has to be selected to carry out malicious purposes, and the malicious code – as is often the case – is not based on the code of previously known spyware applications. This motivated Kaspersky researchers to compare the module with already known APT families.

Analysis of the command and control (C&C) addresses the module used revealed several additional malicious modules, also related to the actor behind GravityRAT. Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android.

Macs are relatively well protected against trojans because Apple vets apps allowed into the Mac App Store, and by default won’t allow software from other sources to be installed. If a user overrides the default protection, macOS still checks to see whether the app is signed by a legitimate developer.

However, BleepingComputer reports that the group behind GravityRAT uses stolen developer signatures to make the apps appear legitimate.

It isn’t possible to list the infected apps, as GravityRAT mimics a variety of legitimate apps. The best protection is to ensure you only install apps from the Mac App Store or directly from developers you trust. Similarly, don’t plug in cables or devices to your Mac unless you know their provenance.

Source: https://9to5mac.com/2020/10/20/infamous-gravityrat-spyware-now-hits-macs-as-well-as-windows/


Be Very Sparing in Allowing Site Notifications

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.

Notification prompts in Firefox (left) and Google Chrome.

When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.

But many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to appear like an alert from the operating system or another program that’s already installed on the device.

This is evident by the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.

Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications. In many cases, the notification approval requests themselves are deceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to distinguish automated bot traffic from real visitors.

An ad from PushWelcome touting the money that websites can make for embedding their dodgy push notifications scripts.

Approving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to display whatever messages they choose, whenever they wish to, and in real-time. And almost invariably, those messages include misleading notifications about security risks on the user’s system, prompts to install other software, ads for dating sites, erectile dysfunction medications, and dubious investment opportunities.

That’s according to a deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity firm based in Portland, Ore. Frank Angiolelli, vice president of security at Indelible, said rogue notifications can be abused for credential phishing, as well as foisting malware and other unwanted applications on users.

“This method is currently being used to deliver something akin to adware or click fraud type activity,” Angiolelli said. “The concerning aspect of this is that it is so very undetected by endpoint security programs, and there is a real risk this activity can be used for much more nefarious purposes.”

Sites affiliated with PushWelcome often use misleading messaging to trick people into approving notifications.

Angiolelli said the external Internet addresses, browser user agents and other telemetry tied to people who’ve accepted notifications are known to PushWelcome, which could give them the ability to target individual organizations and users with any number of fake system prompts.

Indelible also found that browser modifications enabled by PushWelcome are poorly detected by antivirus and security products, although Angiolelli noted that Malwarebytes reliably flags as dangerous the publisher sites associated with the notifications.

Indeed, Malwarebytes’ Pieter Arntz warned about malicious browser push notifications in a January 2019 blog post. That post includes detailed instructions on how to tell which sites you’ve allowed to send notifications, and how to remove them.

KrebsOnSecurity installed PushWelcome’s notifications on a brand new Windows test machine, and found that very soon after, the system was peppered with alerts about malware threats supposedly found on the system. One notification was an ad for Norton antivirus; the other was for McAfee. Clicking either ultimately led to “buy now” pages at either Norton.com or McAfee.com.

Clicking on the PushWelcome notification in the bottom right corner of the screen opened a Web site claiming my brand new test system was infected with 5 viruses.

It seems likely that PushWelcome and/or some of its advertisers are trying to generate commissions for referring customers to purchase antivirus products at these companies. McAfee has not yet responded to requests for comment. Norton issued the following statement:

“We do not believe this actor to be an affiliate of NortonLifeLock. We are continuing to investigate this matter. NortonLifeLock takes affiliate fraud and abuse seriously and monitors ongoing compliance. When an affiliate partner abuses its responsibilities and violates our agreements, we take necessary action to remove these affiliate partners from the program and swiftly terminate our relationships. Additionally, any potential commissions earned as a result of abuse are not paid. Furthermore, NortonLifeLock sends notification to all of our affiliate partner networks about the affiliate’s abuse to ensure the affiliate is not eligible to participate in any NortonLifeLock programs in the future.”

Requests for comment sent to PushWelcome via email were returned as undeliverable. Requests submitted through the contact form on the company’s website also failed to send.

While scammy notifications may not be the most urgent threat facing Internet users today, most people are probably unaware of how this communications pathway can be abused.

What’s more, dodgy notification networks could be used for less conspicuous and sneakier purposes, including spreading fake news and malware masquerading as update notices from the user’s operating system. I hope it’s clear that regardless of which browser, device or operating system you use, it’s a good idea to be judicious about which sites you allow to serve notifications.

If you’d like to prevent sites from ever presenting notification requests, check out this guide, which has instructions for disabling notification prompts in Chrome, Firefox and Safari. Doing this for any devices you manage on behalf of friends, colleagues or family members might end up saving everyone a lot of headache down the road.
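For devices you administer for others, the same outcome can be enforced with managed browser policies rather than per-user settings. The following is an added example, not from the article or the guide it links to: it writes a Chrome policy (DefaultNotificationsSetting 2 = block) and a Firefox policies.json that refuses new notification requests, using the standard Linux policy directories; the directory variables can be overridden for a dry run.

```shell
# Added example: managed-browser policy files that block notification permission
# prompts on a Linux machine you administer. Directories are the standard Linux
# policy locations and may be overridden via the environment for testing.

CHROME_POLICY_DIR="${CHROME_POLICY_DIR:-/etc/opt/chrome/policies/managed}"
FIREFOX_POLICY_DIR="${FIREFOX_POLICY_DIR:-/etc/firefox/policies}"

# Chrome/Chromium: DefaultNotificationsSetting 2 blocks all sites from
# showing notifications (1 = allow, 3 = ask, the default).
chrome_block_notifications_policy() {
  printf '{\n  "DefaultNotificationsSetting": 2\n}\n'
}

# Firefox: refuse any new notification permission request. Grants the user
# already approved are not revoked; review those separately in the browser.
firefox_block_notifications_policy() {
  printf '{\n  "policies": {\n    "Permissions": {\n      "Notifications": {\n        "BlockNewRequests": true\n      }\n    }\n  }\n}\n'
}

# Write both policy files; returns non-zero if any step fails.
install_notification_policies() {
  mkdir -p "$CHROME_POLICY_DIR" "$FIREFOX_POLICY_DIR" &&
  chrome_block_notifications_policy > "$CHROME_POLICY_DIR/block_notifications.json" &&
  firefox_block_notifications_policy > "$FIREFOX_POLICY_DIR/policies.json"
}

# Quick verification that the installed files carry the intended settings.
verify_notification_policies() {
  grep -q '"DefaultNotificationsSetting": 2' "$CHROME_POLICY_DIR/block_notifications.json" &&
  grep -q '"BlockNewRequests": true' "$FIREFOX_POLICY_DIR/policies.json"
}
```

Run `install_notification_policies` as root on the managed machine, then restart the browsers; `chrome://policy` shows the setting as applied.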

Source: https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/


How to Secure IoT Devices–Right Now

IoT devices are not going away any time soon. The estimates vary widely as to how many devices are currently in use, and how many devices will be deployed in the next few years, but the one thing that everybody seems to agree on is that IoT adoption is on the rise. The other thing people seem to agree on is that it is critical to secure IoT devices–using long-term and short-term strategies.

Early on, many IoT vendors rushed their products to market with seemingly no concern about security. Things seem to be getting better, but IoT’s reputation for being insecure has been firmly cemented. That makes IoT devices a big target, so it makes sense to consider what you can do–right now–to keep IoT devices secure.

1. Perform a password audit.

The very first thing I recommend doing to secure IoT devices is to perform a password audit against all of your IoT devices. While it is important to determine whether any of your devices are using weak passwords, it is far more important to test for default password use. Remember, nearly every device manufacturer posts its manuals online, and these manuals almost always list the default password for the device. Anyone can get access to this information, and default passwords are often a starting point for those who seek to compromise IoT devices.

Ideally, each of your IoT devices should be equipped with a random, but complex password. After all, if all of your devices share a common password, an attacker could conceivably acquire that password and take control of all of the devices. This is especially troubling since there are stories of attackers who have managed to get IoT devices to function as botnets.

2. Review the end user agreement.

One of the things that I never hear anyone talk about with regard to IoT security is the importance of reviewing the end user agreement. That’s the agreement that the manufacturer displays on screen when you initially configure the device. If you simply click OK to accept the agreement without reading it–so you can finish the deployment and get on with your day–you really don’t know what you have just agreed to. Given the extent to which devices have become known for spying, it may be worth taking the time to review the end user agreement for your devices and make sure that the device is not compromising sensitive information. If you’re not comfortable with something in the end user agreement, it may be worth adopting a competing vendor’s product.

3. Keep firmware up to date.

Just as software vendors routinely release patches for their products, reputable IoT vendors will occasionally release firmware updates to secure IoT devices. It is important to download, test and deploy these firmware updates just as you would any other patch.

4. Disable unnecessary features.

In some cases, you can enhance your security by disabling unnecessary features. To determine what’s really necessary and what’s not, spend time reviewing the feature sets of the IoT devices that you use.

Obviously, some devices are far more feature-rich than others. An IP-enabled industrial sensor, for instance, probably has few, if any, ancillary features. On the other hand, devices that are oriented more toward the end user tend to be feature-rich. In some cases, disabling even a single feature can significantly improve the device’s overall security.

For example, like many other people, I have a Wi-Fi enabled, smart thermostat in my home. This thermostat has a remote access feature that lets me remotely monitor the temperature in my home and make adjustments if necessary. I have disabled the thermostat’s remote access feature–not because I’m worried about a hacker setting the air conditioner to run at full blast, but because an attacker who gains access to the thermostat could conceivably use it as a platform for launching an attack against other devices on the network.

5. Put segmentation to use.

My goal for this blog post was to focus on immediate actions that can be taken in an effort to secure IoT devices. Even so, I just couldn’t conclude the post without mentioning segmentation. Segmentation takes some planning, so it doesn’t really qualify as something that you can do right now. Even so, segmentation is one of the most important things that you can do to keep your IoT devices secure, so I wanted to be sure to mention it.

When possible, place your IoT devices on isolated network segments. The smart thermostat I mentioned is connected to a dedicated Wi-Fi network that services only the connected devices in my home. Using this dedicated network prevents IoT devices from accessing sensitive data such as the files stored on my laptop.

Even if you cannot completely isolate a device, you may be able to use firewall and routing policies to restrict a device’s communications. For example, if a particular device communicates with a backend SQL Server, you should look for ways to prevent the device from ever communicating with anything else (with the possible exception of a management PC). This can go a long way toward keeping the device secure while also preventing data leakage.
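The firewall restriction described in step 5 can be expressed as a reviewable nftables ruleset. This is an added example, not from the article: the device may initiate only its SQL Server session, the management PC may reach the device, and everything else the device attempts is logged and dropped. All addresses, the interface name, the SQL port and the management ports are constructed assumptions.

```shell
# Added example: nftables ruleset for the router/firewall between the IoT
# segment and the rest of the network. Values below are constructed for a lab.
IOT_DEV="192.0.2.50"      # the IoT device on the isolated segment (constructed)
SQL_SERVER="192.0.2.10"   # backend SQL Server it legitimately talks to (constructed)
MGMT_PC="192.0.2.20"      # management PC allowed to reach the device (constructed)
IOT_IFACE="iot0"          # router interface facing the IoT segment (constructed)
SQL_PORT="1433"           # default SQL Server TCP port (assumption)

# Print the ruleset rather than loading it, so it can be reviewed and diffed.
# Load with:  iot_ruleset | nft -f -
iot_ruleset() {
  cat <<EOF
table inet iot_segment {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections already allowed below
    ct state established,related accept
    # the device may initiate only its SQL Server session
    iifname "$IOT_IFACE" ip saddr $IOT_DEV ip daddr $SQL_SERVER tcp dport $SQL_PORT accept
    # the management PC may initiate sessions to the device (SSH/HTTPS assumed)
    oifname "$IOT_IFACE" ip saddr $MGMT_PC ip daddr $IOT_DEV tcp dport { 22, 443 } accept
    # anything else the device tries is logged, counted and dropped;
    # the log prefix gives a detection hook for a compromised device
    iifname "$IOT_IFACE" ip saddr $IOT_DEV log prefix "iot-segment-drop: " counter drop
  }
}
EOF
}

# Sanity checks on the generated text (no nft binary needed).
# Default policy of the forward chain: should be "drop".
ruleset_default_policy() {
  iot_ruleset | sed -n 's/.*policy \([a-z]*\);.*/\1/p'
}

# Number of accept rules the device itself may trigger: should be exactly 1 (SQL).
device_initiated_accepts() {
  iot_ruleset | grep "iifname \"$IOT_IFACE\" ip saddr $IOT_DEV" | grep -c ' accept$'
}
```

Because the chain policy is drop, adding a new permitted destination means adding an explicit accept rule; the log line shows every attempt the device makes beyond its allowed paths.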

Source: https://www.itprotoday.com/mobile-management-and-security/how-secure-iot-devices-right-now


Google launches new VPN to prevent hackers

To protect people from hacking via unsecured public Wi-Fi networks, Google has announced a new virtual private network by Google One to provide an extra layer of online protection on Android phones.

According to The Economic Times of India, the VPN by Google One is available for people who have taken 2TB and higher plans.

If you’ve shared your 2TB Google One plan with family members (up to five additional people), they can also enable the VPN on their own devices at no extra cost.

The VPN by Google One will roll out in the US in the coming weeks through the Google One app (Android only) and will expand to more countries and to iOS, Windows and Mac in the coming months.

The company said in a statement that it is rolling out ‘Pro Sessions’ by Google One with VPN support.

“With Pro Sessions, you can schedule one-on-one online sessions with a Google expert to learn more about VPNs and how to stay safer online,” the company said on Thursday.

Pro Sessions will also be available in the coming weeks to all 2TB members in the US, the UK and Canada.

The VPN is built into the Google One app, so with just one tap, you can “rest assured knowing your connection is safe from hackers.”

Source: https://punchng.com/google-launches-new-vpn-to-prevent-hackers/

Copyright © 2020 Inventrium Magazine
