2014, Encryption and Libraries - Information Management Today

Malware attack took down 600 computers at Volusia County Public Library

Security Affairs

JANUARY 22, 2020

System supporting libraries in Volusia County were hit by a cyber attack, the incident took down 600 computers at Volusia County Public Library (VCPL) branches. 600 staff and public access computers were taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyberattack.

Libraries

Libraries Ransomware Encryption Access

Google expert disclosed details of an unpatched flaw in SymCrypt library

Security Affairs

JUNE 12, 2019

Tavis Ormandy, a white hat hacker Google Project Zero announced to have found a zero-day flaw in the SymCrypt cryptographic library of Microsoft’s operating system. The flaw could be exploited by malicious programs trigger a denial of service condition by interrupting the encryption service for other programs. Pierluigi Paganini.

Libraries

Libraries Encryption Security IT

Apple Mail stores parts of encrypted emails in plaintext DB

Security Affairs

NOVEMBER 10, 2019

The Apple Mail app available on macOS stores leave s a portion of users encrypted emails in plaintext in a database called snippets. The Apple expert Bob Gendler discovered that the Apple Mail app available on macOS stores leaves a portion of users encrypted emails in plaintext in a database called snippets. ” continues the post.

Encryption

Encryption Libraries Data collection Privacy

Webinars

Peak Performance: Continuous Testing & Evaluation of LLM-Based Applications

MORE WEBINARS

EventBot, a new Android mobile targets financial institutions across Europe

Security Affairs

APRIL 30, 2020

The malware also downloads the Command-and-control (C2) URLs, C2 communication is encrypted using Base64, RC4, and Curve25519. . Most recent versions of EventBot also include a ChaCha20 library that can improve performance, but it is not currently being used, a circumstance that suggests authors are actively working to optimize EventBot. .

Financial Services

Financial Services Libraries Encryption Authentication

Message Decryption Key for Signal Desktop application stored in plain text

Security Affairs

OCTOBER 23, 2018

The flaw affects the process implemented by the Signal Desktop application to encrypt locally stored messages. Signal Desktop application leverages an encrypted SQLite database called db.sqlite to store the user’s messages. The encryption key is used each time Signal Desktop application accessed the database.

Encryption

Encryption Passwords Libraries Cybersecurity

1.2 million CPR numbers for Danish citizen leaked through tax service

Security Affairs

FEBRUARY 10, 2020

The good news is that according to the Agency, data was encrypted, it also added that Google and Adobe were not able to see the CP R numbers. “Google Hosted Libraries have been designed to remove all information that allows identifying users before logging on. ” states the Government Agency. “Google has accessed 1.2

Encryption

Encryption Libraries Access Government

OceanLotus APT group leverages a steganography-based loader to deliver backdoors

Security Affairs

APRIL 3, 2019

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. “ Threat actors used a custom steganography algorithm to hide the encrypted payload within PNG images to to avoid detection.

Libraries

Libraries Encryption Communications Manufacturing

North Korea-linked Lazarus APT uses a Mac variant of the Dacls RAT

Security Affairs

MAY 9, 2020

The activity of the Lazarus APT group (aka HIDDEN COBRA ) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. The Mac version uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file. “Both Mac and Linux variants use the WolfSSL library for SSL communications.

Libraries

Libraries Communications Encryption Authentication

CERT France – Pysa ransomware is targeting local governments

Security Affairs

MARCH 19, 2020

” According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. locked to the filename of the encrypted files. CERT-FR’s alert states that the Pysa ransomware code based on public Python libraries. newversion file extension instead of.

Ransomware

Ransomware Government Encryption Passwords

New PyLocky Ransomware stands out for anti-machine learning capability

Security Affairs

SEPTEMBER 12, 2018

exe will drop malware components — several C++ and Python libraries and the Python 2.7 Core dynamic-link library (DLL) — along with the main ransomware executable (lockyfud.exe, which was created via PyInstaller ) in C:Users{user}AppDataLocalTempis-{random}.tmp.” When successfully run, the Facture_23100.31.07.2018.exe

Ransomware

Ransomware Libraries Encryption Archiving

New KilllSomeOne APT group leverages DLL side-loading

Security Affairs

NOVEMBER 5, 2020

Dynamic-link library (DLL) side-loading takes advantage of how Microsoft Windows applications handle DLL files. The attackers use a simple XOR encryption algorithm with the string “Hapenexx is very bad” as a key. In these attacks, the encryption key used is the string “HELLO_USA_PRISIDENT.”

File names

File names Encryption Libraries IT

Victims of Pylocky ransomware can decrypt their files for free

Security Affairs

JANUARY 11, 2019

In this phase, the ransomware sends to the command and control server information on the encryption process, including a string that contains the Initialization Vector (IV) and a random password used by the ransomware to encrypt the files. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Ransomware

Ransomware Encryption Passwords Libraries

Evilnum APT used Python-based RAT PyVil in recent attacks

Security Affairs

SEPTEMBER 3, 2020

The second layer of Python code decodes and loads to memory the main RAT and the imported libraries. The malware communicates with the C2 communications via POST HTTP requests and uses RC4 encryption with a hardcoded key encoded with Base64. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Phishing

Phishing Encryption File names Metadata

Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins

Security Affairs

NOVEMBER 27, 2018

The Event-Stream library is a very popular NodeJS module used to allow developers the management of data streams, it has nearly 2 million downloads a week. It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

Libraries

Libraries Encryption IT Security

Kaspersky found malware in popular CamScanner app. Remove it now from your phone!

Security Affairs

AUGUST 27, 2019

The module was hidden in a 3rd-party advertising library that the author of the app recently was introduced. “After analyzing the app, we saw an advertising library in it that contains a malicious dropper component. . Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

IT

IT Libraries Encryption Security

U.S. Bookstore giant Barnes & Noble hit by cyberattack

Security Affairs

OCTOBER 15, 2020

Over the weekend, users have been complaining on Nook’s Facebook page and Twitter that they were not able to access their library of purchased eBooks and magazine subscriptions. 2/2) Please be assured that there is no compromise of customer payment details which are encrypted and tokenized. Thank you for your patience.

Ransomware

Ransomware Encryption Retail Access

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Security Affairs

APRIL 14, 2020

.” The messages use a weaponized rich text format (RTF) attachment that exploits the CVE-2012-0158 buffer overflow in Microsoft’s ListView / TreeView ActiveX controls in MSCOMCTL.OCX library. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” continues the analysis.

Ransomware

Ransomware Phishing File names Encryption

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

Security Affairs

SEPTEMBER 12, 2019

This operation is similar to the threat group’s August 2018 campaign , using compromised university resources to send library-themed phishing emails.” The hackers appear to be interested in getting access to the library, they sent phishing messages to people with access to the library of the targeted university.

Phishing

Phishing Libraries File names Metadata

JSWorm: The 4th Version of the Infamous Ransomware

Security Affairs

SEPTEMBER 4, 2019

JSWorm encrypts all the user files appending a new extension to their name. During the encryption phase, the ransomware creates an HTML Application “JSWRM-DECRYPT.hta” in each folder it encounters. The malware encrypts all the files whose extension is not present in the list. Figure 3: Extensions excluded from encryption.

Ransomware

Ransomware Encryption File names Libraries

New JNEC.a Ransomware delivered through WinRAR exploit

Security Affairs

MARCH 19, 2019

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive. The ransomware encrypts data on the victim’s machine and appends the.Jnec extension to the encrypted data asking a ransom 0.05 bitcoins (about $200). Pierluigi Paganini.

Ransomware

Ransomware Archiving Encryption Libraries

Blue Mockingbird Monero-Mining campaign targets web apps

Security Affairs

MAY 10, 2020

This issue could be exploited only when the encryption keys are obtained via a separate attack, meaning that the attackers have to chain more exploits in their campaigns. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

Mining

Mining Libraries Access Encryption

Nodersok malware delivery campaign relies on advanced techniques

Security Affairs

SEPTEMBER 28, 2019

One of the second-stage instances of PowerShell downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components. based payload, and a bunch of encrypted files. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

e-Delivery

e-Delivery Retail Libraries Education

xHelper, the Unkillable Android malware that re-Installs after factory reset

Security Affairs

APRIL 7, 2020

Upon the installation, the malicious app registers itself as a foreground service and extracts an encrypted payload that gathers information about the victim’s device (android_id, manufacturer, model, firmware version, etc.) Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” concludes Kaspersky.

Manufacturing

Manufacturing Libraries Access Encryption

Buran ransomware-as-a-service continues to improve

Security Affairs

NOVEMBER 12, 2019

Buran is advertised as a stable malware that uses an offline cryptoclocker , 24/7 support, global and session keys, and has no third-party dependencies such as libraries. The malware will encrypt the files only if the machines are not in Russia, Belarus or Ukraine. . ” reads the analysis published by McAfee. Pierluigi Paganini.

Ransomware

Ransomware Encryption Libraries Security

Attor malware was developed by one of the most sophisticated espionage groups

Security Affairs

OCTOBER 10, 2019

The malware implements a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The Attor malware makes sophisticated use of encryption to hide its components. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Communications

Communications Encryption Metadata Libraries

Infecting Canon EOS DSLR camera with ransomware over the air

Security Affairs

AUGUST 12, 2019

Searching online the expert first found an encrypted firmware, he found on a forum a Portable ROM Dumper , (a custom firmware update file that once loaded, dumps the memory of the camera into the SD Card) that allowed him to dump the camera’s firmware and load it into his disassembler (IDA Pro). ” continues the post.

Ransomware

Ransomware Encryption Libraries Authentication

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

Security Affairs

JUNE 18, 2020

It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process. The activity of the group is characterized by the heavy use of legitimate tools and per-victim encryption in the early stages of the attack chains. Pierluigi Paganini.

Military

Military Communications Libraries Encryption

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Security Affairs

JANUARY 15, 2020

dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption. . “This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, The flaw affects the way Crypt32.dll Pierluigi Paganini.

Libraries

Libraries Encryption Security Risk

Proton Technologies makes the code of ProtonMail iOS App open source

Security Affairs

NOVEMBER 2, 2019

“Although issues with certificate validation have been identified within the encrypted communication between the mobile application and the backend system, the inner layer of end-to-end encryption could not be broken.” Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Encryption

Encryption Privacy Libraries Risk

Roboto, a new P2P botnet targets Linux Webmin servers

Security Affairs

NOVEMBER 21, 2019

One of the addresses disguised the Bot sample as a Google font library “ roboto. ” The analysis of the bot revealed that it supports seven functions: reverse shell, self-uninstall, gather process’ network information, gather Bot information, execute system commands, run encrypted files specified in URLs, DDoS attack, etc.

Honeypots

Honeypots Systems administration Passwords IoT

Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws

Security Affairs

JUNE 12, 2019

Experts pointed out that Microsoft failed to address a flaw in SymCrypt , a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs trigger a denial of service condition by interrupting the encryption service for other programs. Pierluigi Paganini.

Security

Security Authentication Libraries Encryption

Security Affairs newsletter Round 188 – News of the week

Security Affairs

NOVEMBER 11, 2018

Flaws in several self-encrypting SSDs allows attackers to decrypt data they contain. Apache Struts users have to update FileUpload library to fix years-old flaws. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

Security

Security IoT Insurance Libraries

The Long Run of Shade Ransomware

Security Affairs

FEBRUARY 19, 2019

This file acts as downloader in the infection chain, using a series of hard-coded server addresses, It heavily rely on obfuscation and encryption to avoid the antimalware detection. Shade encrypts all the user files using an AES encryption scheme. Background of the infected machine, after encryption phase.

Ransomware

Ransomware Mining File names Encryption

Taking down Gooligan: part 2 — inner workings

Elie

MARCH 17, 2018

This file is encrypted with a hardcoded [XOR encryption] function. This encryption is used to escape the signatures that detect the code that Gooligan borrows from previous malware. Encrypting malicious payload is a very old malware trick that has been used by. Android malware. since at least 2011. publicly shared code.

Encryption

Encryption Libraries Ransomware Marketing

Taking down Gooligan: part 2 — inner workings

Elie

MARCH 17, 2018

This file is encrypted with a hardcoded [XOR encryption] function. This encryption is used to escape the signatures that detect the code that Gooligan borrows from previous malware. Encrypting malicious payload is a very old malware trick that has been used by. Android malware. since at least 2011. publicly shared code.

Encryption

Encryption Libraries Ransomware Marketing

Security Affairs newsletter Round 228

Security Affairs

AUGUST 25, 2019

A backdoor mechanism found in tens of Ruby libraries. million to allow towns to access encrypted data. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->. 5 Ways to Protect Yourself from IP Address Hacking.

Security

Security Mining Data breaches Libraries

Kaiji, a new Linux malware targets IoT devices in the wild

Security Affairs

MAY 5, 2020

Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->. Recently other IoT botnets made the headlines, such as including Hoaxcalls , Mukashi , and dark_nexus. Pierluigi Paganini. SecurityAffairs – Kaiji malware, hacking).

IoT

IoT Libraries IT Security

CVE-2019-13720 flaw in Chrome exploited in Operation WizardOpium attacks

Security Affairs

NOVEMBER 1, 2019

The vulnerabilities, tracked as CVE-2019-13720 and CVE-2019-13721, reside respectively in Chrome’s audio component and in the PDFium library. “[$7500][ 1013868 ] High CVE-2019-13721: Use-after-free in PDFium. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Libraries

Libraries Encryption Security IT

Sofacy’s Zepakab Downloader Spotted In-The-Wild

Security Affairs

JANUARY 29, 2019

Then, all the information is encoded in Base64 and sent to the C2 through the “ connect ” function, using a SSL encrypted HTTP channel. This last code snippet is likely borrowed from a publicly available AutoIT library script called “ CompInfo.au3 ”: an AutoIt interface to access the Windows Management Instrumentation framework’s data.

Communications

Communications Libraries Encryption Security

Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later

Security Affairs

FEBRUARY 21, 2020

The two dll are legit windows library and are used in support of the malicious behaviour. This executable has got a sophisticated encryption method of communication with the C2: Figure 13: Evidence of the decrypting routine of the certificate. The downloaded code has been encrypted through the Rijndael algorithm with a hard-coded key.

Military

Military Communications Encryption IT

Analyzing a Danabot Paylaod that is targeting Italy

Security Affairs

DECEMBER 20, 2018

The malware tries to connect to the remote host 149.154.157.104 (EDIS-IT IT) through an encrypted SSL channel, then it downloads other components and deletes itself from the filesystem. These registry keys are responsible of the loading of dynamically linked libraries in the “read only ” and “ hidden ” “ C:ProgramDataD93C2DAC ”.

Libraries

Libraries Phishing Encryption Authentication

Operation Red Signature – South Korean Firms victims of a supply chain attack

Security Affairs

AUGUST 22, 2018

This dynamic-link library (DLL) is responsible for decrypting the encrypted rcview.log file and executing it in memory. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Passwords

Passwords Libraries Encryption Access

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Security Affairs

SEPTEMBER 20, 2019

Before passing the control to the “ swety.dll ” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code. Load()” method.

Libraries

Libraries Passwords IT Phishing

Latest Turla backdoor leverages email PDF attachments as C&C mechanism

Security Affairs

AUGUST 23, 2018

This is a binary blob with a special format that contains encrypted commands for the backdoor ,” reads the report released by ESET. The backdoor is a standalone DLL (dynamic link library) that interacts with Outlook and The Bat! Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Metadata

Metadata Military Libraries Access

Malware attack took down 600 computers at Volusia County Public Library

Google expert disclosed details of an unpatched flaw in SymCrypt library

Webinars

Trending Sources

Apple Mail stores parts of encrypted emails in plaintext DB

Webinars

EventBot, a new Android mobile targets financial institutions across Europe

Message Decryption Key for Signal Desktop application stored in plain text

1.2 million CPR numbers for Danish citizen leaked through tax service

OceanLotus APT group leverages a steganography-based loader to deliver backdoors

North Korea-linked Lazarus APT uses a Mac variant of the Dacls RAT

CERT France – Pysa ransomware is targeting local governments

New PyLocky Ransomware stands out for anti-machine learning capability

New KilllSomeOne APT group leverages DLL side-loading

Victims of Pylocky ransomware can decrypt their files for free

Evilnum APT used Python-based RAT PyVil in recent attacks

Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins

Kaspersky found malware in popular CamScanner app. Remove it now from your phone!

U.S. Bookstore giant Barnes & Noble hit by cyberattack

Crooks target Healthcare facilities involved in Coronavirus containment with Ransomware

Iran-linked group Cobalt Dickens hit over 60 universities worldwide

JSWorm: The 4th Version of the Infamous Ransomware

New JNEC.a Ransomware delivered through WinRAR exploit

Blue Mockingbird Monero-Mining campaign targets web apps

Nodersok malware delivery campaign relies on advanced techniques

xHelper, the Unkillable Android malware that re-Installs after factory reset

Buran ransomware-as-a-service continues to improve

Attor malware was developed by one of the most sophisticated espionage groups

Infecting Canon EOS DSLR camera with ransomware over the air

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Proton Technologies makes the code of ProtonMail iOS App open source

Roboto, a new P2P botnet targets Linux Webmin servers

Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws

Security Affairs newsletter Round 188 – News of the week

The Long Run of Shade Ransomware

Taking down Gooligan: part 2 — inner workings

Taking down Gooligan: part 2 — inner workings

Security Affairs newsletter Round 228

Kaiji, a new Linux malware targets IoT devices in the wild

CVE-2019-13720 flaw in Chrome exploited in Operation WizardOpium attacks

Sofacy’s Zepakab Downloader Spotted In-The-Wild

Exclusive: Pakistan and India to armaments: Operation Transparent Tribe is back 4 years later

Analyzing a Danabot Paylaod that is targeting Italy

Operation Red Signature – South Korean Firms victims of a supply chain attack

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Latest Turla backdoor leverages email PDF attachments as C&C mechanism

Stay Connected