Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw
UPDATE A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers. The newfound samples of Muhstik are targeting the recently-patched CVE-2019-2725 in WebLogic servers, and then launching...
Fake Jason Statham Bilks a Fan Out of Serious Money
English actor Jason Statham – a.k.a. “the Transporter” – is cozying up to people who like his Facebook page – or at least, someone purporting to be him is. A fraudster managed to bilk a vulnerable and unsuspecting Statham fan out of a “significant amount” of money after approaching her while she...
New 'Sodinokibi' Ransomware Exploits Critical Oracle WebLogic Flaw
A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant. The recently-patched flaw exists in Oracle’s WebLogic server, used for building and deploying enterprise applications. Th...
Researchers Compromise Netflix Content in Widevine DRM Hack
Researchers have used a proof-of-concept (PoC) side-channel attack to download an unencrypted raw file for Netflix’ Stranger Things, in a format that’s ready to distribute out to any buyer on the internet. This pirate’s booty is the result of breaking open the widely deployed digital rights...
BEC Hack Cons Catholic Church Out of $1.75 Million
A church in Brunswick, Ohio was scammed out of a whopping $1.75 million as a result of a business email compromise (BEC) attack. St. Ambrose Catholic Parish, which has around 16,000 members, has been working on a massive $4 million church renovation, dubbed “Vision 20/20” – but attackers figured ou...
Malware Infests Popular Pirate Streaming Hardware
You get what you pay for when you pirate content. That’s the takeaway from the latest report by Digital Citizens Alliance. It found that pirating hardware, which enables free streaming of copyright-protected content, comes packed with malware. The devices give criminals easy access to rout...
MuddyWater APT Hones an Arsenal of Custom Tools
An array of customized attack tools are helping the MuddyWater advanced persistent threat (APT) group to successfully exfiltrate data from its governmental and telco targets in the Middle East; an analysis of this toolset reveals a moderately sophisticated threat actor at work – with the potential ...
Apple Defends Parental Control App Removal Amid Backlash
Apple is defending its decision to take down several highly popular parental control apps amidst a firestorm of backlash, saying it did so for “privacy and security” reasons. Apple came under scrutiny this weekend after a New York Times article alleged that the phone giant had unfairly removed or...
Docker Hub Hack Affects 190K Accounts, with Concerning Consequences
UPDATE Docker Hub has confirmed that it was hacked last week, with sensitive data from approximately 190,000 accounts potentially exposed. “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” Kent Lamb, director o...
2 Million IoT Devices Vulnerable to Complete Takeover
Over 2 million IP security cameras, baby monitors and smart doorbells have serious vulnerabilities that could enable an attacker to hijack the devices and spy on their owners — and there’s currently no known patch for the shared flaws. The attack stems from peer-to-peer (P2P) communication technolo...
Users Urged to Update WordPress Plugin After Flaw Disclosed
UPDATE A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout...
News Wrap: Amazon Echo Privacy, Facebook FTC Fines and Biometrics Regulation
Data privacy has been an outstanding theme this past week, and the Threatpost team discussed the biggest privacy related news. In the news wrap podcast for April 26, the team discussed the backstories behind several reports from the week, including: Facebook potentially facing Federal Trade...
GoDaddy Shutters 15,000 Subdomains Tied to 'Snake Oil' Scams
Researchers at the security firm Palo Alto Networks worked with domain registrar and web hosting firm GoDaddy to shut down 15,000 subdomains pitching ‘snake oil’ products and other scams. The takedowns are linked to affiliate marketing campaigns peddling everything from weight-loss solutions and...
Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection
A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, including two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection. The Sierra Wireless AirLink ES450 LTE...
Facial Recognition 'Consent’ Doesn’t Exist, Threatpost Poll Finds
Half of respondents in a recent Threatpost poll said that they don’t believe consent realistically exists when it comes to real-life facial recognition. The recent poll of 170 readers comes as facial recognition applications continue to pop up in the real world – from airports to police forces...
Android-Based Sony Smart-TVs Open to Image Pilfering
Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices. The bugs exist in the Photo Sharing Plus feature of Sony smart-TVs going back to 2015. They were uncovered by xen1thLabs i...
Amazon Employees Given 'Broad Access' to Personal Alexa Info
Employees at Amazon can access geolocation information for Alexa users, according to reports – thus uncovering their home addresses and even satellite pictures of their houses generated from a service such as Google Earth. Alexa is the built-in voice assistant shipped with devices like Amazon Ech...
Qualcomm Critical Flaw Exposes Private Keys For Android Devices
Researchers have uncovered a side-channel attack that enables a bad actor to extract sensitive data from Qualcomm’s secure keystore. The critical flaw impacts most modern Android devices that use Qualcomm chips. The issue stems from an issue in Qualcomm technology, dubbed the Qualcomm Secure...
Facebook May Face $5 Billion FTC Fine for Data Misuse
UPDATE Facebook may be facing fines as high as $5 billion after a year-long Federal Trade Commission (FTC) investigation into its data-security practices. Though it wasn’t mentioned in its earnings call on Wednesday, the social-media giant in a release for its Q1 2019 earnings said that it was...
Adware-Ridden Apps in Google Play Infect 30 Million Android Users
More than 50 malicious apps have been discovered on the Google Play app marketplace, peddling adware to millions of Android victims. The 50 adware apps, which have been since removed, include fitness, photoshopping and gaming apps, and were installed a total of 30 million times, researchers at...
Point Blank Gamers Targeted with Backdoor Malware
The focus of the APT behind the ShadowHammer supply-chain attack that abused the ASUS computer update function turns out to be wider in scope than previously thought. Researchers have found similar digitally-signed binaries using the videogame industry as a delivery conduit for malware. Victims...
Poll: Are You Creeped Out By Facial Recognition?
Several news incidents this week regarding facial recognition and biometrics have sparked discussions in the security space over privacy concerns and issues around consent. First, a JetBlue passenger made headlines in a now-viral Twitter exchange with the airline, about the facial-recognition...
Latest Qbot Variant Evades Detection, Infects Thousands
Qbot, an information-stealing trojan that has been around for 10 years, has resurfaced with a new phishing-based infection technique that is able to evade anti-spam defenses. Varonis Security Research spotted the fresh global Qbot campaign in March. Researchers said they have positively...
Facial Recognition is Here: But Are We Ready?
When MacKenzie Fegan was boarding her morning flight to Mexico City last Wednesday, she noticed something odd at her gate at the JFK International Airport. Instead of a JetBlue employee scanning her boarding pass or taking a look at her passport, she – and other passengers at the gate – was...
Carbanak Source Code Unveils a Startlingly Complex Malware
A look under the hood of FIN7’s notorious Carbanak backdoor – the result of nearly 500 total hours of analysis across 100,000 lines of code and dozens of binaries – shows that the malware is highly sophisticated – more sophisticated than expected. It’s a Cadillac in a sea of golf carts, if you...
Exploits for Social Warfare WordPress Plugin Reach Critical Mass
UPDATE Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild – potentially putting more than 40,000 websites at risk. The vulnerability, CVE-2019-9978, tracks both a stored cross-site scripting (XSS) vulnerability and a remote...
FBI: BEC Scam Losses Almost Double To Reach $1.2 Billion
Business email compromise (BEC) scams are squeezing more money than ever out of victims, with losses from the attacks almost doubling year-over-year in 2018 to reach $1.2 billion. That’s according to the FBI’s annual Internet Crime Report (IC3) for 2018, which records the number of complaints, losses...
Wi-Fi Hotspot Finder Spills 2 Million Passwords
More than 2 million passwords for Wi-Fi hotspots were leaked online by the Android app developer behind the mobile application called WiFi Finder. The passwords were part of an insecure database found by researchers at GDI Foundation. The Android app itself did not just help users find Wi-Fi...
Is Privacy Really iPhone? Researchers Weigh in on Apple's Targeted Ad Tracking
Apple has a consistent track record of implementing privacy controls, which it has been touting via a series of saturating “Privacy? That’s iPhone” television ads. Yet, though it may be deservedly capitalizing on the increasing privacy-consciousness of consumers out there and the negative headlin...
Evil TeamViewer Attacks Under the Guise of the U.S. State Department
UPDATE A targeted, email-borne attack against embassy officials and government finance authorities globally is making use of a malicious attachment disguised as a top-secret U.S. document. It weaponizes TeamViewer, the popular remote-access and desktop-sharing software, to gain full control of th...
France's 'Secure' Telegram Replacement Hacked in an Hour
The French Government last week launched a custom messaging application called Tchap, touting it as being “more secure than Telegram.” One small snag however: The platform has already – quelle dommage! – been hacked. French security researcher Robert Baptiste, a.k.a. Elliot Alderson, downloaded t...
WannaCry Hero Pleads Guilty to Kronos Malware Charges
Marcus Hutchins, the researcher hailed for squashing the WannaCry ransomware outbreak in May 2017, pleaded guilty to charges relating to the creation of the Kronos malware. The 24-year-old researcher filed a plea agreement admitting guilt to two of 10 counts in the Eastern District of Wisconsin o...
Millions of Medical Documents for Addiction and Recovery Patients Leaked
As if wrestling with addiction and recovery weren’t difficult enough, tens of thousands of patients of a rehab clinic in Pennsylvania may find their personal information hijacked and manipulated by identity thieves or extortionists. An ElasticSearch database that was left open to the internet...
Microsoft’s Latest Patch Hoses Some Antivirus Software
Microsoft’s April 9 security update is bogging down systems running antivirus software packages made by McAfee, Avast, ArcaBit, Avira and Sophos. According to Microsoft, the company’s April Patch Tuesday security update is causing some systems to have slow startup times, sluggish performance or...
Three-Fourths of Consumers Don't Trust Facebook, Threatpost Poll Finds
As Facebook privacy-related incidents continue to pile up, a new Threatpost poll found that a whopping three-fourths of respondents no longer trust the social-media giant. The negative sentiment, reflected in a Thursday Threatpost poll of over 130 security professionals, comes as Facebook faces a...
Insecure Ride App Database Leaks Data of 300K Iranian Drivers
A researcher has discovered that over a quarter-million drivers of the Iranian ride hailing app Tap30 have had their data left publicly exposed in an insecure database. Tap30 is an online taxi application, similar to Uber, that connects users to drivers through the mobile app and the corporate...
Weather Channel Knocked Off-Air in Dangerous Precedent
On Thursday, The Weather Channel – a trusted cable network source of meteorological data across the U.S. – was knocked off the air by what it said was a “malicious software attack” on its network. The Weather Channel hack – not to be confused with the Weather Channel’s own hacks – affected its li...
Shopify Flaw Exposed Thousands of Merchants' Revenue, Traffic Numbers
A researcher has uncovered a high-severity vulnerability in an e-commerce software platform used by 800,000 different online merchants, which could have been abused to expose the traffic and revenue data for the stores. The platform is Shopify, which was found exposing store data dating back to...
Poll: Facebook Harvests Email Contacts for 1.5M Users – Is Enough, Enough?
Another day, another Facebook issue. Earlier on Thursday, news broke that Facebook confirmed that it has harvested the email contact lists for 1.5 million people, in an ongoing effort since May 2016. The social network said the situation was “unintentional” – and that somehow, it just happened. A...
Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug
UPDATE About half a billion Apple iOS users and counting have been hit by session-hijacking cybercriminals bent on serving up malware. They’re exploiting an unpatched flaw in the Chrome for iOS browser, to bypass sandboxing and hijack user sessions, targeting iPhone and iPad users. The attacks...
Cisco Patches Critical Flaw In ASR 9000 Routers
Cisco has rushed out patches for a critical vulnerability in its ASR 9000 routers that could give remote, unauthenticated attackers access to the devices – as well as the power to launch denial-of-service (DoS) attacks against them. The flaw is specifically in Cisco Aggregation Services Routers ASR...
Ubiquitous Bug Allows HIPAA-Protected Malware to Hide Behind Medical Images
A bug in a 30-year-old standard used for the exchange and storage of medical images has been uncovered; it allows an adversary to embed fully-functioning executable code into the image files captured by medical devices such as CT and MRI machines. This results in hybrid files that allow malware...
Researchers: Facebook's Data-Leveraging Scandal Puts Users on Notice
On the heels of reports that Facebook leveraged its users’ data in its relationships with other companies, researchers say that the tech space needs to re-assess the value of data as it relates to user privacy measures. However, they also said that users need to take steps themselves to safeguard...
State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally
A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) – and elsewhere – with domain name system (DNS) hijacking attacks, used to scoop up credentials. The campaign, dubbed “Sea Turtle” by the Cisco Talos researchers who...
ThreatList: Bad Bots Account for a Fifth of All Web Traffic, FinServ Hit the Worst
About a fifth of all web traffic (20.4 percent) comes from bad bots, which continue to attack daily in automated offensives on websites, mobile apps and APIs. That’s worse for some verticals, like the banking and finance sector, which was hit the hardest last year. That’s according to the Distil...
Oracle Squashes 53 Critical Bugs in April Security Update
Oracle is urging customers to patch critical vulnerabilities in its products as part of its massive April update, which fixes a whopping 297 flaws. Of those flaws, 53 vulnerabilities in Oracle products had a CVSS score of 9.0 or higher, making them “critical” severity – and in fact, 49 of those...
RatVermin Spyware Targets Ukraine Gov Agencies
Researchers have uncovered an ongoing spear-phishing campaign, targeting the Ukraine government and military with emails aiming to distribute the RatVermin malware, which carries out various info-gathering activities. Researchers said that an infrastructure analysis of the attack indicates that t...
Wipro Confirms Hack and Supply Chain Attacks on Customers
IT systems consulting behemoth Wipro Ltd. has confirmed that its network was hacked and used for mounting attacks on its customers. After multiple unnamed sources independently told Brian Krebs that a “multi-month intrusion” occurred and is likely the work of an advanced persistent threat (APT) act...
Windows Zero-Day Emerges in Active Exploits
A just-patched vulnerability in the Windows operating system that was unknown until last week is being actively exploited in the wild; it opens the door for full system takeover. Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw...
Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change
The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change. While the keylogger has been in continuous development since 2013, in December a thread on a hacking site noted an ownership change, after which posts on hacking forum...