
15946 matches found

ThreatPost
added 2019/08/27 5:43 p.m., 87 views

Malicious App on Google Play Tallies 100 Million Downloads

Call it the case of a good app gone bad! For some time, a handy PDF creator and optical character recognition (OCR) app available via Google Play offered users utility and convenience. The app, downloaded more than 100 million times, is called CamScanner and allows Android phone owners to snap a...

7.3 AI score
Exploits: 0, References: 5
ThreatPost
added 2019/08/27 4:58 p.m., 87 views

Imperva Firewall Breach Exposes Customer API Keys, SSL Certificates

UPDATE: Imperva, the security vendor, has made a security breach public that affects customers using the Cloud Web Application Firewall (WAF) product. Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity. Users’...

7.2 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/27 1:00 p.m., 89 views

Oil and Gas Firms Targeted By New LYCEUM Threat Group

Researchers have identified a never-before-seen threat group targeting Middle East critical infrastructure organizations with novel malware, sent via spearphishing emails. The threat group, LYCEUM, was observed in 2019 sending spear phishing emails harboring malicious Microsoft Excel attachments ...

0.2 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/26 7:32 p.m., 121 views

Apple Fixes iOS Flaw That Opened iPhones to Jailbreaks

Apple has released an emergency patch fixing a kernel vulnerability – for the second time – after it was accidentally unpatched in iOS 12.4. The flaw (CVE-2019-8605), a use-after-free issue existing in the kernel, could enable a malicious application to execute arbitrary code with system privileges...

9.3 CVSS, 0.2 AI score, 0.12238 EPSS
Exploits: 6, References: 10
ThreatPost
added 2019/08/26 5:02 p.m., 59 views

IRS Impersonation Attacks Spread Malware Nationwide

The Internal Revenue Service (IRS) is warning taxpayers about a snowballing email attack that uses messages pretending to be legitimate IRS communications. The end game for the effort is malware being installed on unsuspecting users’ machines; imposters may gain control of the taxpayer’s computer o...

7.5 AI score
Exploits: 0, References: 5
ThreatPost
added 2019/08/26 3:46 p.m., 66 views

ThreatList: Half of All Social Media Logins Are Fraud

More than half of logins (53 percent) on social-media sites are fraudulent; and 25 percent of all new account applications on social media are fake, according to a recent analysis. Those numbers far outstrip the overall rate of 10 percent of interactions being fraudulent. The Arkose Labs Q3 Fraud a...

1.4 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/26 3:43 p.m., 53 views

Hostinger Data Breach: 14M Customer Passwords, Personal Data at Risk

Web hosting company Hostinger is warning that a breach of one of its servers potentially gave bad actors access to the hashed passwords and personal data of more than 14 million customers. Hostinger, a popular web, cloud and virtual private server hosting provider and domain registrar with 29...

7.5 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/23 7:30 p.m., 80 views

WordPress Plugins Exploited in Ongoing Attack, Researchers Warn

Researchers are warning of an ongoing campaign exploiting vulnerabilities in a slew of WordPress plugins. The campaign is redirecting traffic from victims’ websites to a number of potentially harmful locations. Impacted by the campaign is a plugin called Simple 301 Redirects – Addon – Bulk Upload...

7.3 AI score
Exploits: 0, References: 13
ThreatPost
added 2019/08/23 4:38 p.m., 100 views

News Wrap: Steam Zero Day Disclosure Drama, Unix Utility Backdoor

Why did Valve-owner Steam say it made a “mistake” turning a researcher away from its bug bounty program? Who was behind a backdoor that was purposefully introduced into a utility utilized by Unix and Linux servers? And why is Facebook coming under fire for its “Clear History” feature? Threatpost...

7.1 AI score
Exploits: 0, References: 10
ThreatPost
added 2019/08/23 4:00 p.m., 89 views

Lenovo High-Severity Bug Found in Pre-Installed Software

Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving ...

7.5 CVSS, 0.3 AI score, 0.00225 EPSS
Exploits: 0, References: 11
ThreatPost
added 2019/08/22 7:47 p.m., 66 views

Google Launches Open-Source Browser Extension for Ad Transparency

Google is launching an experimental, open-source browser extension aimed at increasing transparency around online advertising by displaying information about the ads that are shown to users. The browser extension is an integral part of a new Google initiative announced Thursday to develop a set o...

6.7 AI score
Exploits: 0, References: 14
ThreatPost
added 2019/08/22 4:27 p.m., 88 views

Building a Mobile Defense: 5 Key Questions to Ask

How often do we hear Willie Sutton’s famous but probably apocryphal quote about robbing banks because “that’s where the money is?” This gets invoked in the context of information security in general and mobile devices in particular, and there’s a reason: Given the estimates from institutions like...

7 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/22 2:16 p.m., 141 views

Spyware App on Google Play Gets Boot, Returns Days Later

A music-streaming app offered on Google Play, harboring spyware that stole victims’ contacts, files and SMS messages, made its way onto the official Android app marketplace not once, but twice. The spyware was hidden in an app called Radio Balouch (also known as RB Music). The app itself was actual...

7.1 AI score
Exploits: 0, References: 8
ThreatPost
added 2019/08/21 8:40 p.m., 123 views

Researcher Discloses Second Steam Zero-Day After Valve Bug Bounty Ban

A researcher has disclosed a zero-day privilege-escalation vulnerability for the Steam gaming client after he said he was barred from the bug bounty program of Steam’s owner, Valve. The vulnerability is the second zero-day privilege-escalation vulnerability that has been released by independent...

7.2 CVSS, 7.4 AI score, 0.00077 EPSS
Exploits: 5, References: 11
ThreatPost
added 2019/08/21 7:20 p.m., 89 views

The Texas Ransomware Attacks: A Gamechanger for Cybercriminals

Texas officials have been left scrambling after up to 22 Texas entities – the majority of which are local governments – were hit by a coordinated ransomware attack on Friday. So far, these include the cities of Borger and Keene, and Texas officials say the attacks are all connected and carried ou...

0.7 AI score
Exploits: 0, References: 5
ThreatPost
added 2019/08/21 5:38 p.m., 180 views

Cisco Patches Six Critical Bugs in UCS Gear and Switches

Cisco Systems is warning of six critical vulnerabilities impacting a wide range of its products, including its Unified Computing System server line and its small business 220 Series Smart switches. In all instances of the vulnerabilities, a remote unauthenticated attacker could take over targeted...

10 CVSS, 0.90436 EPSS
Exploits: 23, References: 14
ThreatPost
added 2019/08/21 2:55 p.m., 121 views

Backdoor Found in Utility for Linux, Unix Servers

In an unnerving twist, when a critical zero-day vulnerability was reported in a Unix administration tool, called Webmin, it was revealed the flaw was no accident. According to researchers, the vulnerability was a secret backdoor planted in the popular utility nearly a year before its discovery. T...

10 CVSS, 9.8 AI score, 0.94459 EPSS
Exploits: 36, References: 9
ThreatPost
added 2019/08/21 1:47 p.m., 82 views

Adult Content Site Exposed Personal Data of 1M Users

The personal information of more than a million users of popular adult website Luscious, including email addresses that sometimes indicated full names, was found exposed in an unsecured Elasticsearch database. The website, which focuses on anime-themed, user-uploaded adult content, has over 1 milli...

6.8 AI score
Exploits: 0, References: 8
ThreatPost
added 2019/08/20 9:27 p.m., 73 views

Microsoft Offers $30K Rewards For Chromium Edge Beta Flaws

Microsoft is calling on researchers to help sniff out any security glitches in the beta version of its new Chromium-based Edge browser before officially pushing it live. The tech company has been working to build a new version of Edge based on Google’s open-source Chromium code, as opposed to its...

7.9 AI score
Exploits: 0, References: 10
ThreatPost
added 2019/08/20 8:29 p.m., 55 views

Fortnite Ransomware Masquerades as an Aimbot Game Hack

A ransomware that calls itself “Syrk” is targeting gaming juggernaut Fortnite’s enormous user base, purporting to be a game hack tool. Syrk promises players an “aimbot” for aiming more accurately while playing, and “ESP,” for discovering other player’s locations in the game. What it really gives...

7.5 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/20 7:25 p.m., 54 views

How to Prepare for Misconfigurations Clouding the Corporate Skies

Cloud-based storage and infrastructure provides myriad benefits for any organization, like letting them avoid the costs of expensive hardware and granting them quick access to infrastructure as needed. Companies can use cloud services for minutes or years, depending on their needs. However, there...

6.8 AI score
Exploits: 0, References: 7
ThreatPost
added 2019/08/20 3:22 p.m., 84 views

Apple iOS Patch Blunder Opens Updated iPhones to Jailbreaks

Apple’s most recent operating system update, iOS 12.4, accidentally unpatched a fix that had been issued in a previous update — leaving devices vulnerable to code execution and privilege-escalation attacks. The flaw also allows phones to be jailbroken — and a public jailbreak has just been releas...

9.3 CVSS, 8.5 AI score, 0.12238 EPSS
Exploits: 6, References: 13
ThreatPost
added 2019/08/20 3:09 p.m., 59 views

Adwind Spyware-as-a-Service Attacks Utility Grid Operators

A phishing campaign that spoofs a PDF attachment to deliver Adwind spyware has been taking aim at national grid utilities infrastructure. Adwind, a.k.a. JRAT or SockRat, is being used in a malware-as-a-service model in this campaign, researchers said. It offers a full cadre of info-gathering...

7.5 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/19 8:59 p.m., 94 views

VLC Media Player Allows Desktop Takeover Via Malicious Video Files

Two high-risk vulnerabilities in the VLC media player could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim’s PC. The flaws were made public Monday by the developer of the open-source VLC media player, VideoLAN project, who als...

7.5 CVSS, 0.9 AI score, 0.03227 EPSS
Exploits: 1, References: 9
ThreatPost
added 2019/08/19 8:46 p.m., 84 views

Apple Sues Corellium Over iOS 'Replica' Security Testing Software

Apple has sued startup Corellium for copyright infringement, alleging that the company has developed “exact digital replicas” of its iPhone operating system without authorization – from the code down to the graphical user interface. While details about Florida-based Corellium on its website are...

7.5 AI score
Exploits: 0, References: 9
ThreatPost
added 2019/08/19 7:49 p.m., 88 views

Post GandCrab, Cybercriminals Scouring the Dark Web for the Next Top Ransomware

Ransomware continues to be a top threat, with Friday’s ransomware attack on 23 Texas local government and agencies and two in June on dual Florida cities – Lake City and Riviera Beach, resulting in a decision to pay off the hackers — acting as perfect examples of just how lucrative this type of...

6.8 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/19 6:31 p.m., 166 views

Google Nest Security Cam Bugs Allow Device Takeover

Multiple vulnerabilities in Google’s Nest Cam IQ connected indoor security camera would allow an attacker on the same network to take over the device, execute code on it and/or take it offline. Nest Labs’ Cam IQ Indoor integrates security-enhanced Linux in Android, Google Assistant and facial...

7.8 CVSS, 0.01052 EPSS
Exploits: 8, References: 15
ThreatPost
added 2019/08/19 1:38 p.m., 67 views

Coordinated Ransomware Attack Hits 23 Texas Government Agencies

UPDATE: Up to 22 Texas entities – the majority of which are local governments – were hit by a ransomware attack on Friday that Texas officials say is part of a targeted attack launched by a single threat actor. Details remain scant about the specific agencies hit by the ransomware attacks, which...

0.3 AI score
Exploits: 0, References: 12
ThreatPost
added 2019/08/16 9:05 p.m., 286 views

Fake News and Influence: Information Warfare in the Digital Age

It’s 2019 and we live in a world where understanding what is real and what is fake can be challenging. For the security community, we increasingly deal with information warfare adversaries that rely on that fact; and, operating at internet scale, are capable of causing plenty of havoc...

6.8 AI score
Exploits: 0, References: 5
ThreatPost
added 2019/08/16 7:54 p.m., 262 views

ThreatList: 4.1B Records Exposed in Breaches in First Half of 2019

This year is on track to be the worst year on record for data breach activity, according to a recent analysis. Within the first six months of this year, there have been 3,813 incidents publicly reported, according to Risk Based Security’s 2019 MidYear QuickView Data Breach Report. That’s up 54...

7.4 AI score
Exploits: 0, References: 7
ThreatPost
added 2019/08/16 7:40 p.m., 132 views

Breached Passwords Still in Use By Hundreds of Thousands

Hundreds of thousands of web visitors continue utilizing passwords that have previously been compromised. Worse, they are reusing the breached credentials for some of their most sensitive financial, government and email accounts. That’s according to a new Google study released this week, which wa...

7.1 AI score
Exploits: 0, References: 13
ThreatPost
added 2019/08/16 7:05 p.m., 156 views

News Wrap: DejaBlue Bugs and Biometrics Data Breaches

On the heels of Black Hat USA 2019 and DEF CON, Threatpost editors break down the biggest news of this past week ended Aug. 16, from Patch Tuesday craziness to publicly-exposed databases. That includes: Microsoft’s August Patch Tuesday release featuring four BlueKeep-like critical remote...

0.7 AI score
Exploits: 0, References: 5
ThreatPost
added 2019/08/15 8:54 p.m., 97 views

How to Guide Users to Better Passwords by Learning from Attackers

If you’re human, you’ve probably re-used a password or two. In fact, the majority of internet users between the ages of 18-65 have done so, and the younger you are, the more likely it is that you use just one password for all of your accounts. Article written by: Chris LaConte, Chief Strategy...

7.4 AI score
Exploits: 0, References: 11
ThreatPost
added 2019/08/15 7:20 p.m., 145 views

HTTP Bugs Open Websites to DoS Attacks

Eight bugs in the implementation of HTTP/2, the most recent version of the HTTP protocol, can be exploited to launch denial of service attacks. The flaws were found in vendor server configurations ranging from Amazon, Google, Microsoft and Apache. Bugs are similar in nature and can be exploited b...

7.8 CVSS, 0.4 AI score, 0.50822 EPSS
Exploits: 1, References: 27
ThreatPost
added 2019/08/15 6:49 p.m., 63 views

Energy Sector Phish Swims Past Microsoft Email Security via Google Drive

A targeted spearphishing campaign has hit an organization in the energy sector – after using a savvy trick to get around the company’s Microsoft email security stack. According to Aaron Riley, a researcher from Cofense, the campaign impersonated the CEO of the targeted company, sending email via...

6.8 AI score
Exploits: 0, References: 6
ThreatPost
added 2019/08/15 6:41 p.m., 80 views

Apache Security Advisories Red Flag Wrong Versions in Patching Gaffe

Researchers have pinpointed errors in two dozen Apache Struts security advisories, which warn users of vulnerabilities in the popular open-source web app development framework. They say that the security advisories listed incorrect versions impacted by the vulnerabilities. The concern from this...

7.5 CVSS, 9.3 AI score, 0.94228 EPSS
Exploits: 46, References: 12
ThreatPost
added 2019/08/15 5:04 p.m., 45 views

Choice Hotels Breach Showcases Need for Shared Responsibility Model

Hospitality giant Choice Hotels fell victim to hackers this week, thanks to a MongoDB database that was left open to the internet containing 700,000 customer records. The situation highlights supply-chain data-security risk, given that the data was being held by a third-party vendor — and brings ...

0.2 AI score
Exploits: 0, References: 7
ThreatPost
added 2019/08/15 4:16 p.m., 84 views

Clickjacking Evolves to Hook Millions of Top-Site Visitors

Clickjacking, where links on a website redirect unknowing users to spam, advertising or malware, has been around for decades. However, new tactics that defy the best mitigation efforts of browsers have led to it affecting millions of internet users browsing the web’s top sites, researchers found i...

7.5 AI score
Exploits: 0, References: 10
ThreatPost
added 2019/08/14 7:46 p.m., 78 views

Fingerprints of 1M Exposed in Public Biometrics Database

Researchers discovered the personal and biometrics data of more than a million people left publicly exposed on a database owned by Suprema, a biometric security company. Data includes facial recognition and fingerprint information collected by the UK metropolitan police, small local businesses an...

6.4 AI score
Exploits: 0, References: 9
ThreatPost
added 2019/08/14 5:56 p.m., 138 views

Lenovo Warns of ThinkPad Bugs, One Unpatched

Dozens of Lenovo’s flagship ThinkPad models are vulnerable to bugs ranging in severity from low to high. Two of the flaws are tied to industry-wide security bulletins, while a medium-severity flaw affects only Lenovo laptops but remains unpatched. The most severe of the three bugs is a...

7.2 CVSS, 8.8 AI score, 0.04145 EPSS
Exploits: 2, References: 9
ThreatPost
added 2019/08/14 5:35 p.m., 130 views

20-Year-Old Bug in Legacy Microsoft Code Plagues All Windows Users

A 20-year-old vulnerability present in all versions of Microsoft Windows could allow a non-privileged user to run code that will give him or her full SYSTEM privileges on a target machine. The bug is notable because of where it resides: In a legacy, omnipresent protocol named Microsoft CTF. First...

7.2 CVSS, 0.00239 EPSS
Exploits: 0, References: 8
ThreatPost
added 2019/08/14 3:00 p.m., 139 views

Windows Users at Risk From High-Severity Intel Software Flaw

Intel is warning of a high-severity vulnerability existing in its software that identifies the specification of Intel processors in Windows systems. The flaw could have an array of malicious impacts on affected systems, such as opening systems up to information disclosure or denial of service...

4.6 CVSS, 8.1 AI score, 0.00059 EPSS
Exploits: 0, References: 11
ThreatPost
added 2019/08/14 2:53 p.m., 73 views

DEF CON and Feds Partner on Anonymous Bug Submission Program

Hacking conference organizer DEF CON Communications said it plans to roll out a global anonymous bug submission platform based on the SecureDrop communications tool. During a session at DEF CON in Las Vegas last week, conference founder Jeff Moss said the goal was to launch the yet-to-be-named...

6.9 AI score
Exploits: 0, References: 4
ThreatPost
added 2019/08/14 2:06 p.m., 90 views

Facebook Records User Audio, Sparking Privacy Questions

Facebook has admitted that it has been transcribing audio chats between its users on its Messenger platform. Sources said that it’s paying hundreds to third-party outside contractors to do so. The latter calls into question Facebook’s data-handling practices when it comes to being open with its...

6.6 AI score
Exploits: 0, References: 11
ThreatPost
added 2019/08/14 1:24 p.m., 139 views

Norman Cryptominer Employs Sophisticated Obfuscation Tactics

A never-before-seen cryptomining variant, dubbed “Norman” after one of its executable files, has been spotted in the wild using various techniques to hide and avoid discovery. The levels of obfuscation are notable for their sheer depth, according to an analysis. Varonis uncovered an initial sampl...

0.7 AI score
Exploits: 0, References: 3
ThreatPost
added 2019/08/14 1:00 p.m., 98 views

TikTok Scammers Cash In On Adult Dating, Impersonation Tricks

As social media platform TikTok becomes the top App Store download in 2019 – and the number three app download on Google Play and on platforms overall – scammers are looking to cash in on the troves of younger users of the popular platform. Tenable researcher Satnam Narang, who has been tracking...

6.9 AI score
Exploits: 0, References: 8
ThreatPost
added 2019/08/13 8:29 p.m., 228 views

Shades of BlueKeep: Wormable Remote Desktop Bugs Top August Patch Tuesday List

Microsoft’s August Patch Tuesday release contains updates for 93 CVEs, including 29 that are rated critical in severity. The highest priority of these include four critical remote code-execution (RCE) vulnerabilities in Remote Desktop Services (RDS) and a critical RCE flaw in Microsoft Word. Also, tw...

10 CVSS, 0.1 AI score, 0.79483 EPSS
Exploits: 2, References: 12
ThreatPost
added 2019/08/13 7:16 p.m., 179 views

22 Critical Flaws Patched in Adobe Photoshop

Adobe has patched 22 critical vulnerabilities in Adobe Photoshop CC, its photo editing application, which the company warns can enable arbitrary code execution. Overall, Adobe issued patches for 119 important and critical vulnerabilities in August, including 25 critical bugs across several...

10 CVSS, 1.6 AI score, 0.44281 EPSS
Exploits: 7, References: 8
ThreatPost
added 2019/08/13 5:04 p.m., 126 views

Cerberus Enters the Android Malware Rental Scene

A never-before-seen Android banking trojan, dubbed Cerberus, is being rented out on underground forums by a threat group that likes to engage with the defense community publicly via Twitter. According to a Tuesday posting from ThreatFabric, Cerberus isn’t based on the leaked Anubis source code th...

7.6 AI score
Exploits: 0, References: 4
ThreatPost
added 2019/08/13 2:06 p.m., 68 views

British Airways E-Ticketing Flaw Exposes Passenger Flight, Personal Data

A security bug discovered in British Airways’ e-ticketing system has the potential to expose passengers’ data, including their flight booking details and personal information. Researchers on Tuesday said that check-in links being sent by British Airways to their passengers via email are unencrypt...

7.3 AI score
Exploits: 0, References: 11
Total number of security vulnerabilities: 15946