CCleaner hack effects 2.27 million computers

A popular PC cleaning software used by over 130 million people put users at risk after hackers were able to insert malware into legitimate downloads. By any chance, if you have downloaded or updated CCleaner application on your computer between the period of August 15 and September 15' 2017 from it's official website, then kindly pay attention because of high chances that your system is at huge risk.

 

Trustworthiness is everything when it comes to antivirus software. Malware developers are changing their attacks all the time so you have to hope that the tools you’re using to fight them are keeping up. Millions of users trust the free CCleaner by Avast/Piriform, a big name in the space, to be that tool. It was found to be hosting a "multi-stage malware payload" that could install ransomware or keyloggers that steals data from infected computers and sends it to attacker's remote command-and-control servers.

In the past, attackers would create fake alternatives of popular applications and trick people into downloading them. The trend now, however, is to attack the download source directly and gain access to legitimate servers. Once they are in, it's a case of loading the trusted software with a nefarious payload, with the end-user being none the wiser. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.

What does the malware do?

It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server.


Who was infected?

According to Piriform, around 3 percent - roughly 2.27 million computers - used the infected software. Specifically, computers running 32-bit Windows 10.


How do I know if I have the corrupted version?

The versions that were affected are CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 for 32-bit Windows PCs. The Android version for phones doesn't seem to be affected. If you've updated your software since September 12, you should be ok. This is when the new, uncorrupted version was released. Also, if you have the Cloud version, it should have automatically updated itself by now to the clean version.


How to Remove Malware From Your PC?

The impact of this attack could be severe given the extremely high number of systems possibly affected. Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.

This is also just a great reminder to practice safe computer security habits in general. Also be sure to regularly scan and back up your computer to prepare for the worst. In a cyber-security world where even your official antivirus can give you a virus, you can never be too safe.

OurMine Hacks Vevo After Employee Was Disrespectful to Hackers on LinkedIn

Hacking group OurMine has breached Vevo, a video hosting service, and has leaked files from the company's internal network. The hacker group, who has a reputation for defacing websites and social media accounts, said it leaked data from Vevo after one of its employees was disrespectful to an OurMine member on LinkedIn.

The leaked data was published on the hacker group's website late last night. It included links to six data troves, offering 3.12TB of data for download. Browsable from OurMine’s site, the data included Vevo’s private dossiers on 90 different artists, including Taylor Swift, Ariana Grande, One Direction and U2. Other documents included social-media strategy memos and instructions for disabling the office’s alarm system.

"We don't know how long they [the hackers] have been accessing the Vevo system or what additional data –financial, email, employee info – the attackers may have..." cautioned Terry Ray, CTO of data and application security company Imperva, in emailed comments. Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets. Once socially engineered, a target's trust can be leveraged to extract personal information or deliver malicious payloads.

New York-based Vevo, which is jointly owned by Universal Music Group, Sony Music Entertainment, Warner Music Group, Abu Dhabi Media, and Google parent company Alphabet Inc., acknowledged the breach in an official statement, which revealed that OurMine's initial method of attack was a social engineering scheme perpetrated via social media.

Vevo spokesperson acknowledged the incident. "We can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure," the company said. Vevo did not comment if the hacker group made any ransom demands. The mysterious disappearance of most of the leaked files might lead some people to believe Vevo might have caved in and paid, hence the reason why most of the files are gone.

Vevo joins a long string of companies compromised by OurMine, which typically uses high-profile targets to drum up interest in legitimate security products. OurMine has built quite the reputation in the past years by hacking social media accounts belonging to companies, celebrities, and CEOs. Last month, the group compromised both the WikiLeaks website and various HBO-linked social media accounts. Previous targets include Mark Zuckerberg, Sundar Pichai and Jack Dorsey.

Beware: Compromised LinkedIn accounts used to send phishing links

Phishing continues to be a criminals’ favourite for harvesting user credentials with more or less sophisticated social engineering tricks. 

 

LinkedIn has been in the news for all the bad reasons. Previously, it was the data of 117 million of its users stolen back in 2012, leaked in 2016 and sold on the darknet afterwards. In the latest, cyber criminals are targeting LinkedIn users with a sophisticated phishing scam in which the idea is to trick the user into believing that their LinkedIn account has a security issue which can be solved only by providing their personal details. This Phishing Link Widely Spreading Champaign that Mimics as Legitimate Gmail and other Email Provides Login Page.

The campaign was identified by researchers at Heimdal Security who pointed out that the brain behind this scam is looking for users’ financial details, driving license and or passport copy. The purpose of collecting this information is to not only hijacking their account but also conduct further scams by stealing their identity.

Most appear as if the LinkedIn user is sharing a Google Drive file with the victim and contain a malicious link, obscured by a URL shortener to hide its true destination. The link then redirects to a phishing site for Gmail and other email providers which require potential victims to log in. Those who proceed will have their username, password, and phone number stolen but won’t realize they were duped right away. Indeed, this phishing scam ends on a tricky note with a decoy document on wealth management from Wells Fargo. URL shorteners are a well-known vehicle for spreading malware and phishing scams but they are also used for legitimate purposes, especially on social media where long URLs tend to be too cumbersome.

Furthermore, the email content also contains two links. One is a Dropbox link and other is what researchers have identified as a password reset link which leads users to the original LinkedIn password reset page. Apparently, the reason behind this is to trick users into believing that the email is legitimate and their account is in danger for real.

This is not the first time when LinkedIn users have been targeted with such scam. In the past, the users have been under target by Blackhole malware, trojans developed to steal login credentials of job seekers and even fake profiles pretending as job recruitment officials.

Beware of the malicious phishing links and don’t provide any credential information to untrusted website!!!

You can actually hack a computer with DNA

Hackers have used all sorts of attack vectors to gain control of someone else’s computer, from USB drives to phishy emails. In what appears to be the first successful hack of a software program using DNA, researchers say malware they incorporated into a genetic molecule allowed them to take control of a computer used to analyse it.

Akin to something from the pages of science fiction, the researchers used the life-encoding molecule to attack and take over a computer, using strands of DNA to transmit a computer virus from the biological to the digital realm.

The researchers used the four bases in DNA, adenine, cytosine, guanine and thymine – A, C, G and T – to encode their malware, which when read by a piece of DNA sequencing equipment converted the molecular code into computer code capable of taking over the computer connected to the DNA sequencer.

“When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing. That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA.” said the researchers.

The researchers say that there is no reason for concern: “Note that there is not present cause for alarm about present-day threats. We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack.” They argue the attack could be leveled against any facility that accepts DNA samples for computer-based gene sequencing and processing. For example, if an attacker knew DNA samples will be sequenced on a computer they contaminate blood and saliva samples with a specially crafted synthetic gene.

The results show that it is technically possible to use DNA as a way to transfer malware and attack vulnerabilities in the sequencing compute program.

Microsoft Attempts To Fix Stuxnet For The Third Time Nearly Five Years Later

One of the patches released by Microsoft as part of its June 2017 security updates represents the company’s third attempt at patching an old vulnerability exploited by the notorious Stuxnet worm in 2010. The initial vulnerability, tracked as CVE-2010-2568, allows a remote attacker to execute arbitrary code on a system using specially crafted shortcut files with the LNK or PIF extension.

CVE-2010-2568 was one of the four zero-day vulnerabilities exploited in the 2010 Stuxnet attacks targeting Iran’s nuclear program. It's arguably the first, and most famous example of government-developed malware. Its creation is said to have been a joint operation between Israel and the United States.

In 2015, researchers discovered that Microsoft’s initial fix could be bypassed and the tech giant released another patch. The flaw, tracked as CVE-2015-0096, was treated by Microsoft as a completely new issue.

The flaw leveraged by Stuxnet allowed .LNK files, which are what define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files.

"The problem is that in Windows, icons are loaded from modules (either executable or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, by convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device.

Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake.

CERT/CC pointed out that Microsoft patched the new vulnerability, tracked as CVE-2017-8464, with its June security updates. Microsoft informed customers at the time that this flaw had been exploited in the wild. Exploits for the security hole are now publicly available, including a Metasploit module made by Securify's Yorick Koster.

The organization pointed out that in addition to applying Microsoft’s patches, users can prevent potential attacks by blocking outgoing connections on TCP and UDP ports 139 and 445. This prevents machines from accessing a remote SMB server, which is typically needed to exploit the vulnerability.