Tesla’s Cloud Hit By Crypto Mining Malware Attack

Tesla's Cloud Hit By Crypto Mining Malware Attack

Electric vehicle maker Tesla has reportedly fallen victim to a cryptocurrency mining malware attack.

On Tuesday, cybersecurity software firm RedLock reported that hackers had exploited an insecure Kubernetes console, which they used to access and siphon computer processing power from Tesla’s cloud environment in order to mine cryptocurrencies. The team says it discovered and reported the vulnerability to Tesla several months ago.

A Tesla spokesperson told Gizmodo that customer information was not accessed during the incident.

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesperson reportedly said, explaining:

 

“The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

Unlike previous crypto mining attacks, the hackers that targeted Tesla did not utilize a public mining pool. Instead, they installed mining pool software and obscured it behind CloudFlare, which allowed them to hide the IP address of their mining pool server, making detection of the mining more difficult. To further hide their actions, the hackers ensured that CPU usage remained low during the hack.

RedLock CTO Gaurav Kumar said that public cloud environments are particularly vulnerable to mining hacks, which have been on the rise in tandem with the increase in cryptocurrencies’ value.

“Organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs,” he explained to Gizmodo. “In the past few months alone, we have uncovered a number of cryptojacking incidents including the one affecting Tesla.”

News Source

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach was discovered last week that affects users of one of the largest  web hosting companies in Germany, DomainFactory, owned by GoDaddy.

The breach initially happened back in last January this year and just emerged last Tuesday when an unknown attacker himself posted a breach note on the DomainFactory support forum.

It turns out that the attacker breached company servers to obtain the data of one of its customers who apparently owes him a seven-figure amount, according to Heise.

Later the attacker tried to report DomainFactory about the potential vulnerability using which he broke into its servers, but the hosting provider did not respond, and neither disclosed the breach to its customers.

In that situation, the attacker head on to the company’s support forum and broke the news with sample data of a few customers as proof, which forced DomainFactory to immediately shut down the forum website and initiate an investigation.

Attacker Gains Access to a Large Number of Data

DomainFactory finally confirmed the breach last weekend, revealing that following personal data belonging to an unspecified number of its customers has been compromised.

  • Customer name
  • Company name
  • Customer account ID
  • Physical address
  • E-mail addresses
  • Telephone number
  • DomainFactory Phone password
  • Date of birth
  • Bank name and account number (e.g. IBAN or BIC)
  • Schufa score (German credit score)

Well, that’s a whole lot of information, which can be used by cyber criminals for targeted social engineering attacks against the customers.

The forum has since been temporarily down, and DomainFactory said that a data feed of certain customer information, accessed by the attacker, was left open to external third parties after a system transition on January 29, 2018.

“We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount, and we regret the inconvenience this incident causes, very much,” the company said.

Change All of Your Passwords

DomainFactory is now advising its users to change passwords for all of the following services and applications “as a precautionary measure,” and also change passwords for other online services where you use the same password.

  • Customer password
  • Phone password
  • Email passwords
  • FTP / Live disk passwords
  • SSH passwords
  • MySQL database passwords

Since the compromised data can be used for identity theft and to create direct debits for customers’ bank account, users are also recommended to monitor their bank statements for any unauthorized transaction.

So far it is unclear how the attacker got into the Domainfactory servers, but the German publication said the attacker did not give an impression of selling the captured data or leaking it online.

News Source

Google Developer Discovers a Critical Bug in Modern Web Browsers

Google Developer Discovers a Critical Bug in Modern Web Browsers
Google Developer Discovers a Critical Bug in Modern Web Browsers
Image Source

Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser.

Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.

For security reasons, modern web browsers don’t allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.

That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.

However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.

Moreover, browsers also support range header and partial content responses, allowing websites to serve partial content of a large media file, which is useful while playing a large media or downloading files with pause and resume ability.

In other words, media elements have an ability to join pieces of multiple responses together and treat it as a single resource.

However, Archibald found that Mozilla FireFox and Microsoft Edge allowed media elements to mix visible and opaque data or opaque data from multiple sources together, leaving a sophisticated attack vector open for attackers.

Google Developer Discovers a Critical Bug in Modern Web Browsers
Image Source

In a blog post published today, Archibald detailed this vulnerability, which he dubbed Wavethrough, explaining how an attacker can leverage this feature to bypass protections implemented by browsers that prevent cross-origin requests.

“Bugs started when browsers implemented range requests for media elements, which wasn’t covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard,” Archibald explained.

According to Archibald, this loophole can be exploited by a malicious website using an embedded media file on its webpage, which if played, only serves partial content from its own server and asks the browser to fetch rest of the file from a different origin, forcing the browser to make a cross-origin request.

The second request, which actually is a cross-origin request and should be restricted, will be successful because mixing visible and opaque data are allowed for a media file, allowing one website to steal content from the other.

“I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio,” Archibald said.

Archibald has also published a video, and a proof-of-concept exploit demonstrating how a malicious website can fetch your private content from websites like Gmail and Facebook, whose response will be same for the malicious site as your browser loads them for you.

Since Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see any redirection after the underlying content appears to have changed between requests, their users are already protected.

“This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against,” Archibald said.

FireFox and Edge browsers that were found vulnerable to this issue have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams.

Therefore, FireFox and Edge browser users are highly recommended to make sure that they are running the latest version of these browsers.

News Source

Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives

Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
Image Source

 

Security researchers are warning of almost a decade old issue with one of the Apple’s macOS feature which was designed for users’ convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.

Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post, about the “Quick Look” feature in macOS that helps users preview photos, documents files, or a folder without opening them.

Regula explained that Quick Look feature generates thumbnails for each file/folder, giving users a convenient way to evaluate files before they open them.

However, these cached thumbnails are stored on the computer’s non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.

Patrick Wardle, chief research officer at Digital Security, equally shared the concern, saying that the issue has long been known for at least eight years, “however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”

To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them.

As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.

“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.

In a separate blog post, Wardle demonstrated that macOS behaves same for the password-protected encrypted AFPS containers, eventually exposing even encrypted volumes to potential snooping.

“If we unmount the encrypted volume, the thumbnails of the file are (as previously mentioned) still stored in the user’s temporary directory, and thus can be extracted,” Wardle said.

“If an attacker (or law enforcement) has access to the running system, even if the password-protected encrypted containers are unmounted (as thus their contents ‘safe’), this caching ‘feature’ can reveal their contents.”

Wardle also noted that if you connect a USB drive with your Mac computer, the system will create thumbnails of files residing on the external drive and store them on its boot drive.

Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.

Until and unless Apple resolves this issue in future, Wardles advises users to manually delete the QuickLook cache when they unmount an encrypted container.

News Source

Epic Games Fortnite for Android–APK Downloads Leads to Malware

Epic Games Fortnite for Android–APK Downloads Leads to Malware
Epic Games Fortnite for Android–APK Downloads Leads to Malware
Image Source

Given Fortnite’s current popularity and craziness across the globe, we understand if you have been searching the web for download links to Fortnite APK for Android phone.

However, you are not alone, thousands of people out there are also searching tutorials and links for, “how to install Fortnite on Android” or “how to download Fortnite for Android” on the Internet.

The app has taken the world by storm since its launch in the same way Minecraft and Pokemon Go took before it. The fortnite game spent the first third of 2018 breaking records with an astonishing 3.4 million players playing the game at a time in February.

However, you should keep this in mind—Fortnite for Android smartphones is not available yet and, is still under development.

In March when Epic Games released Fortnite game for iOS, the company also announced that the world’s most famous battle royale game with more than 125 million players is also coming to Android this summer.

We know many of you are excited about the release, but the news did catch the attention of nefarious scammers and cyber criminals as well who are trying their best to fool smartphone users with fake and malicious apps.

YouTube Videos Sharing Fortnite Android APKs Get Millions of Views

Due to the massive interest of users surrounding the Fortnite game, many gaming and tutorial websites have started taking advantage of Android users’ impatience with frighteningly convincing scams, which is all over Google and YouTube as well.

Just search for “Fortnite Android App” on YouTube and the front page will display a long list of videos on “How to install Fortnite on Android,” claiming to include links to actual Fortnite APK files, which have been viewed millions of times.

News Source

Chinese Hackers Carried Out Country-Level Watering Hole Attack

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks.

The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse.

LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year.

The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain “access to a wide range of government resources at one fell swoop.”

According to the researchers, the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks.

Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proofs of this technique being used in this particular attack against the data center.

The initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center.

The attack against the data center eventually infected the targeted system with a piece of malware called HyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote administration.

“There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites,” the researchers said in a blog post published today.

“These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.”

As a result of the waterholing attack, the compromised government websites redirected the country’s visitors to either penetration testing suite Browser Exploitation Framework (BeEF) that focuses on the web browser, or the ScanBox reconnaissance framework, which perform the same tasks as a keylogger.

The main command and control (C&C) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016.

Researchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro malware’s HTTP requests without detection.

News Source