Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed last updated Fri, 03 Jun 2022

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/ (Fri, 03 Jun 2022)

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user hovering over a link in a phishing email or in a Word or Excel document would see a convincing domain name, and clicking it would take them to a malicious domain.

The report, by Bitdefender, states: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, encoded according to the Unicode standard. So that the Domain Name System (DNS) can handle them, IDNs are stored in the DNS as ASCII strings using the Punycode encoding.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets that look so alike to the user that they cannot be told apart, even though Unicode treats them as distinct characters. This is not a new concept, but it remains a problem for many users.

Most browsers, for example, show the Punycode form of an internationalized domain name in the address bar (https://xn--n1aag8f.com, for example) instead of the Unicode form (https://žugec.com) if the site looks suspicious. Office applications, including Outlook, behave differently and display the Unicode name on hover.
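The display gap described above (Unicode name on hover, Punycode name in DNS and in most browsers) and a defender-side mixed-script check for link targets, as an added Python example that is not from the article or the Bitdefender report; the sample hosts are constructed, and the standard library's idna codec stands in for the conversion that Office does not surface.

```python
# Added example, not code from the article or from Bitdefender: convert a link's
# host between the Unicode form a user sees on hover and the Punycode form DNS
# uses, and flag labels that mix scripts (the classic homograph pattern).
import unicodedata
from urllib.parse import urlsplit


def to_punycode(host: str) -> str:
    """ASCII (Punycode) form of a host: what DNS and most browsers show."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Unicode form of a host: what Outlook shows in the hover tooltip."""
    return host.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Unicode scripts used by the letters of one domain label.
    unicodedata has no script property, so the first word of the character
    name (LATIN, CYRILLIC, GREEK, ...) is used as an approximation."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyze_link(url: str) -> dict:
    """Report both forms of the host and any labels that mix scripts.
    A link whose display form differs from its Punycode form, or whose
    labels mix scripts, deserves a second look before it is trusted."""
    host = urlsplit(url).hostname or ""
    ascii_host = to_punycode(host)
    unicode_host = to_unicode(ascii_host)
    mixed = [lbl for lbl in unicode_host.split(".")
             if len(scripts_in_label(lbl)) > 1]
    return {
        "display": unicode_host,          # what the tooltip shows
        "punycode": ascii_host,           # what DNS resolves
        "is_idn": ascii_host != unicode_host,
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    # Constructed samples: a Latin-script IDN, a label with a Cyrillic 'е'
    # (U+0435) in place of the Latin 'e', and a plain ASCII host.
    for sample in ("https://žugec.com/login",
                   "https://\u0435xample.com/",
                   "https://example.com/"):
        print(analyze_link(sample))
```

A mail gateway or link-rewriting proxy can apply the same comparison to every href and show the Punycode form alongside the display form when they differ.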

Because registrar checks greatly limit which counterfeit domains can be registered, and most browsers display the Punycode form of a spoofed IDN domain, IDN homograph attacks are no longer a constant cybersecurity threat, although threat actors may still find ways to deploy them at scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it is unclear whether the issue will be fixed. Until it is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

This 12Kb-sized ransomware can exploit Log4j critical vulnerability and encrypt your network
https://www.securitynewspaper.com/2021/12/15/this-12kb-sized-ransomware-can-exploit-log4j-critical-vulnerability-and-encrypt-your-network/ (Wed, 15 Dec 2021)

For days now, the cybersecurity community has been following the active exploitation of CVE-2021-44228, a critical vulnerability in the Log4j log library. Among the multiple reports that have appeared is that of the cybersecurity firm Bitdefender, which describes how a hacking group has exploited this vulnerability to infect exposed systems with a new ransomware variant.

This report was taken up by Cado Security researchers, who obtained a sample of the ransomware for detailed analysis. According to their report, the strain belongs to a new ransomware family identified as Khonsari and targets Windows servers; the exploit used by the hackers loads malicious Java code that points to hxxp://3.145.115.94/zambo/groenhuyzen.exe, the sample retrieved for analysis.

Malware scanning

Experts mention that Khonsari uses the .NET framework and is written in C, so recovering the source code by decompiling is relatively simple with tools such as ILSpy. After decompiling the sample, it was possible to obtain a detailed description of its capabilities.

This does not appear to be a highly sophisticated ransomware variant: it is only 12 KB in size and has little more than the bare functionality of other encryption malware. However, Khonsari operators turn this simplicity to their advantage, as some antivirus engines might not detect it. After execution, the malware enumerates the drives on the affected system and encrypts their contents.

For the C:\ drive, experts note that the process is more targeted: the malware only encrypts specific directories, namely those holding documents, images, videos and downloads. Files are encrypted with AES-128 in CBC mode.

Forensic analysis

After the static analysis, the researchers imported a disk image of a Windows Server 2019 machine infected with Khonsari to confirm their hypotheses. This analysis revealed that the malware’s main executable is hosted in a Windows temporary folder.

This is suspicious behavior, since a temporary folder is a non-standard location for executables in Windows and goes against conventional development practice. Another notable fact is that the .khonsari extension is appended to the encrypted files.

Finally, like other ransomware variants, Khonsari issues a ransom note on the target system, which includes information such as the amount required and instructions for making the payment.

At the moment this is a limited campaign, especially compared with exploitation of the Log4j flaw for purposes other than ransomware infection. However, experts consider it a warning, and it is worth treating this vulnerability as a new attack vector.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Zero-day vulnerabilities in Victure baby monitors allow hackers to spy on families remotely. Parents should turn off these devices
https://www.securitynewspaper.com/2021/09/03/zero-day-vulnerabilities-in-victure-baby-monitors-allow-hackers-to-spy-on-families-remotely-parents-should-turn-off-these-devices/ (Fri, 03 Sep 2021)

Cybersecurity specialists report the detection of a set of severe vulnerabilities in a popular baby monitor whose exploitation would allow hackers to execute arbitrary code on the affected devices. According to the report, prepared by Bitdefender experts, the flaws reside in equipment manufactured by the Chinese company Victure.

In a security advisory, the researchers described a stack-based buffer overflow in the ONVIF server component of the Victure PC420 smart camera. The issue would allow threat actors to execute code remotely on the affected device, opening the way to follow-on scenarios such as interception of the video and audio the device transmits and compromise of its firmware.

Bogdan Botezatu, research director at Bitdefender, says these devices and their cloud platform are very popular among Internet of Things (IoT) users, so up to 4 million deployments could be affected. The flaw affects Victure PC420 devices with firmware version 1.2.2 and earlier.

The researchers tried to contact Victure to present their findings and decided to disclose the flaw after receiving no response: “We made several attempts to contact the vendor, but we were unsuccessful,” adds Botezatu.

Given that the manufacturer appears unconcerned with the flaws and that the firmware of these devices has not been updated, users concerned about their safety are advised to stop using any Victure equipment altogether: “Threat actors have abused similar flaws on previous occasions, putting at severe risk the minors these monitors are supposed to watch over,” adds the expert.

Experts point out that ignoring vulnerability reports is a negligent practice on the part of IoT device manufacturers: they neither release updates nor alert users to the security risks affecting their devices. At the time of writing, the China-based company has not answered repeated requests for information.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Pirated versions of Photoshop and Office steal browser data and cryptocurrency
https://www.securitynewspaper.com/2021/04/14/pirated-versions-of-photoshop-and-office-steal-browser-data-and-cryptocurrency/ (Wed, 14 Apr 2021)

Since the emergence of commercial software, many developers have devoted themselves to creating and releasing cracks and patches, simple and easy-to-use applications that let users bypass the anti-piracy mechanisms of these products and use them without paying.

The main problem with this practice is the violation of intellectual property law, although reports of security incidents related to the use of “cracked” software have recently increased.

A recent report by security firm BitDefender describes a series of attacks delivered through pirated versions of Microsoft Office and image editing tools such as the popular Photoshop. These attacks seek to take control of affected devices in order to hijack cryptocurrency wallets and covertly exfiltrate information over the Tor network.

When run on the compromised system, the cracked software drops an instance of ncat.exe, a tool for sending raw data over the network, together with a Tor proxy. These files are placed in system storage as ‘%syswow64%-nap.exe’ or ‘%syswow64%-ndc.exe’, and ‘%syswow64-tarsrv.exe’. A batch file is also written to ‘%syswow64%-chknap.bat’; it contains the command line for the Ncat component, which cycles through ports 8000 and 9000 on .onion domains, as shown below.

SOURCE: BitDefender

Together these tools create a dangerous backdoor connected to the attackers’ C&C server over the Tor network. The ncat binary connects through the listener port of the Tor proxy and uses the -exec option, which passes everything the client sends to the named application and returns the application’s output to the client through the socket, in the same way as a reverse shell.

The malware also establishes persistence for the Tor proxy file and the Ncat binary on the compromised machine with a scheduled service that runs every 45 minutes. BitDefender experts note that the backdoor is most likely driven by a human operator rather than sending automated requests to victims.

SOURCE: BitDefender

Some of the malicious tasks detected by experts include:

  • Extracting files
  • Running the BitTorrent client
  • Disabling the firewall
  • Theft of Monero wallets through the legitimate CLI client “monero-wallet-cli.exe”

A fuller report, together with the indicators of compromise found by the experts, is available on BitDefender’s official platform. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Remove the DarkSide ransomware encryption with this free tool
https://www.securitynewspaper.com/2021/01/12/remove-the-darkside-ransomware-encryption-with-this-free-tool/ (Tue, 12 Jan 2021)

Bitdefender’s cybersecurity specialists have released a free tool that decrypts files encrypted by the DarkSide ransomware, allowing victims to recover their locked data without paying a ransom to the attackers. This encryption malware has been active for only a few months, yet it already has thousands of victims worldwide.

As can be seen in the graph below, the operation peaked during the last quarter of 2020, when the number of DarkSide samples submitted to ID-Ransomware exceeded previous records more than fourfold.

The tool is available free of charge on the developers’ official platforms. With it, users can scan the entire system or selected folders to unlock files encrypted by DarkSide; it also prompts the user to create a backup to protect their data against future incidents.

Experts note that DarkSide operates under the Ransomware as a Service (RaaS) model and is maintained by former members of other hacking groups. After each successful attack, the operators demand amounts that vary with the number of encrypted files or devices, the type of organization compromised, and other factors.

According to previous records about this hacking group, the ransom figures range from $200 billion to $2 million USD, depending on the victim.

Last November, DarkSide developers announced to their customers that they were building a distributed, resilient storage system hosted in Iran and other undisclosed locations. Iran is under a U.S. economic blockade, so these groups must find a constant source of income to keep their operations running.

This free tool will allow thousands of users affected by the malware to restore their systems, although DarkSide developers are likely already working on new versions of the ransomware.

BitDefender flaw allows hacking your phone or laptop remotely
https://www.securitynewspaper.com/2020/06/23/bitdefender-flaw-allows-hacking-your-phone-or-laptop-remotely/ (Tue, 23 Jun 2020)

Sometimes security tools cause more problems than they solve. According to vulnerability assessment specialists, a remote code execution (RCE) vulnerability was found in Safepay, a web browser component developed by BitDefender, putting thousands of users at risk.

“The incorrect input validation vulnerability in the Safepay browser component of BitDefender Total Security 2020 allows a specially crafted external web page to execute remote commands within the Safepay Utility process,” a company security alert mentions. The flaw, identified as CVE-2020-8102, is found in BitDefender Total Security 2020 versions prior to v24.0.20.116.

On his blog, vulnerability researcher and Adblock Plus developer Wladimir Palant detailed how he discovered the vulnerability in the way BitDefender protects users from invalid certificates. As part of its overall security solution, BitDefender acts as a man-in-the-middle (MitM) proxy to inspect HTTPS connections.

This behavior is practically standard among antivirus vendors and is usually marketed as Safe Search, Web Protection, Web Access Protection, and so on. When presented with an invalid or expired SSL certificate, most browsers give the user the choice of accepting the certificate with a warning or leaving the website. BitDefender offers its users a similar choice, but serves its own customized version of the error page in place of the website.

If a user chooses to ignore the HSTS warning and stay on the website at their own risk, that is usually not a problem in itself. The problem is that the URL in the browser’s address bar does not change. This leads the browser to share security tokens between that (potentially malicious) page and any other website hosted on the same server and running within BitDefender’s Safepay virtual browsing environment.

“The URL in the browser address bar does not change. As far as the browser is concerned, this error page originates from the web server, and there is no reason why other web pages on the same server cannot access it; whatever security tokens it contains, websites can read them. This is a very common problem in the security products of other firms, such as Kaspersky,” notes the vulnerability researcher.

Palant released a proof of concept for the flaw and is waiting for the company to ship the corresponding updates. For further reports on vulnerabilities, exploits, malware variants and computer security risks, see the website of the International Institute of Cyber Security (IICS) and the official platforms of the technology companies concerned.
