Welcome to the next episode of the Xopero Security Center! A team of academics discovered a new security bug that impacts FPGA chips used in data centers, IoT devices and many safety-critical applications today. What’s worse – it looks like there is no way to fix this issue. Houston, we have a problem…
Newly discovered bug impacts FPGA chips used in data centers, IoT devices and many more safety-critical applications
A new security bug affects FPGA (Field-Programmable Gate Array) chips. Named Starbleed, it allows attackers to extract and tamper with the chip’s encrypted configuration bitstream (the “configuration file”) and reprogram the device with malicious logic. This is concerning because FPGAs can be found in many safety-critical applications today, from cloud data centers and mobile phone base stations to encrypted USB sticks and industrial control systems. The attack does not require physical access to the FPGA – it can be carried out remotely by anyone who can reach the chip’s configuration interface, for example through the firmware or microcontroller that loads the bitstream. The researchers believe there is no way to fix the issue in the affected chips themselves – it seems that replacing the FPGA may be the only safe solution.
VictoryGate, the cryptomining botnet, has been taken down
The botnet had been active since May 2019 and during this time it infected more than 35,000 computers. Most of its victims were located in Latin America, with Peru accounting for more than 90% of the total victim count. According to ESET, the botnet’s primary purpose was to infect victims with malware that mined the Monero cryptocurrency without their knowledge. The botnet was controlled using a server hidden behind the No-IP dynamic DNS service. ESET reported the botnet’s command and control (C&C) server, had it taken down, and set up a fake one (called a sinkhole) to monitor and control the infected hosts.
A very “interesting” distribution method: it looks like every victim received… a USB drive. Once the malicious USB stick was plugged into the victim’s computer, the malware installed itself on the machine. It appears that VictoryGate may have been secretly planted on a tainted batch of USB storage devices shipped inside Peru. The malware also contains a component that copies the USB infector onto any new USB device connected to an infected computer, helping it spread further.
New banking trojan uses “elaborate” attack techniques to steal credentials and take over bank accounts
The malware, dubbed “Banker.BR”, was spotted in messages targeting users in countries that speak Spanish or Portuguese (including Spain, Portugal, Brazil and other parts of Latin America). According to researchers from IBM X-Force, the malicious code is entirely new and does not rely on previously leaked code or existing mobile malware.
Modus operandi. The malware is spread via messages that lead users to a malicious domain controlled by the attackers. The domain instructs victims to download the most recent version of a purported “security app” required for mobile banking. If victims click the update button, they unwittingly launch the malware download from a legitimate file-sharing platform. After being installed on the victim’s device, the malware scoops up device information – including phone number, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI) and SIM serial number – and sends it to the command and control (C2) server, whose domain address is hardcoded into the malware.
Similar to other Android banking malware, Banker.BR abuses the Accessibility service in order to grant itself permissions on the phone without the victim’s knowledge. These permissions give the malware access to contacts, camera, SMS messages and more. Once the victim goes to a banking domain, the malware deploys an overlay screen, which typically features the bank’s logo and asks for the user’s sign-in credentials. The victim enters these credentials, unwittingly handing them to the attacker – who can now access the victim’s bank account and launch fraudulent transfers. The malware can also exfiltrate the victim’s SMS messages, which allows it to grab any two-factor authentication (2FA) codes the bank sends by text, so SMS-based 2FA offers no protection here.
There is a new phishing campaign targeting Skype for Business users
Remote workers are being warned of a new phishing campaign targeting their Skype passwords. The social engineering in this campaign is refined enough to make victims open the fraudulent login page and provide their credentials. The phishing emails look “eerily similar” to a legitimate Skype notification alert. The emails claim that users have 13 pending Skype notifications that can be checked by clicking a “Review” button. The level of impersonation in the template is also interesting, as the attacker clearly put in some effort to make it look legitimate. The victim’s company logo is present on the phishing page, along with a warning under the login box saying that “the system is for the use of authorized users” of the company. The username is also pre-filled (the URL the victim clicks contains the base64-encoded target email address, which the page decodes into the login form) – another trick that leaves little room for doubt. The only thing left for the user to do is to enter their password, which then falls into the hands of the threat actor.
Malicious ads are a serious problem, and during the COVID-19 pandemic more dangerous than ever
Google has taken steps to crack down on fake or misleading advertising as fraudulent ads and counterfeits surge during the COVID-19 pandemic. How? By extending its identity verification policy from political ads to all advertising on its platforms.
Advertisers will be required to complete a verification program in order to buy ads on Google’s network. They will need to submit personal identification, business incorporation documents or other information that proves who they are and the country in which they operate.
The main goal is to support the health of the digital advertising ecosystem by detecting bad actors and limiting their attempts to misrepresent themselves.
A little too late? Although the program will start in the US this summer, it could take years to complete, which may be too late to stop the surge in scams peddling counterfeit and fake COVID-19 products.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Windows 10 update weakened Google Chrome’s security (BleepingComputer)
2. Hacker returns $25 million after their IP address is exposed (HackRead)
3. Hey there! Are you using WhatsApp? Your account may be hackable (WeLiveSecurity)
4. CS:GO & Team Fortress 2 source code leaked – Virus alert for TF2 (HackRead)
5. New iPhone text-bomb bug: Just receiving this Sindhi character notification crashes iPhones (ZDNet)
6. Maze Ransomware Attack Hits Cognizant (ThreatPost)
7. Automated Bots Are Increasingly Scraping Data & Attempting Logins (Dark Reading)
8. Hackers trick 3 British Private Equity firms into sending them $1.3 Million (Hacker News)
9. Researchers Use Microsoft Terminal Services Client in New Attack Method (Dark Reading)
10. Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug (ThreatPost)
See you next Monday!