Avast deploys hardened self-defense and wider intelligence industry collaboration
Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. At Avast, we constantly work hard to stay ahead of the bad guys and to fight off attacks on our users. It is therefore not so surprising that we ourselves could be a target.
On September 23, we identified suspicious behavior on our network and instigated an immediate, extensive investigation. This included collaborating with the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team to provide additional tooling to assist our efforts and verify the evidence that we were collecting.
Due to the small number of samples used in these tests, you should take the results with a grain of salt. We encourage you to compare these results with others and make informed decisions on which security products to use.
Get your free KCleaner license. The tool helps to clean the system of temporary and unused files effectively, and also offers a secure method of permanently deleting files.
KCleaner, from the developer of the SUMo and DUMo programs, is an effective "cleaner" of hard drives that tracks down every useless byte to free up more space for important data: documents, music, photos, movies, etc. The program runs entirely in the background and automatically, so you do not need to worry about when to start cleaning.
As evidence of its effectiveness, KCleaner often detects additional gigabytes of junk files even after cleaning with competing tools. And if you are interested in data security, you can use the secure-deletion methods offered by KCleaner, which the vendor says make deleted files unrecoverable by any known means. Note that overwrite-based wiping is not a reliable guarantee on SSDs, where wear levelling can leave copies of the old data in blocks the operating system cannot address.
Key features of KCleaner
Detects and cleans up temporary and useless files (cache, unused installation files, etc.).
Automatic background operation.
A safe method to permanently delete files.
Expert mode: allows users to control the file deletion performed by KCleaner.
2. Install the program on your computer. Supported OS: Windows Vista, 7, 8 / 8.1 and 10 (32-bit and 64-bit).
3. Go to the menu "? > About the program > Enter registration data" and activate the following license:
Serial number: 20069074102085066101081093076080083071077069130099051046054
Here we go again: another popular Android app caught defrauding users on a huge scale. This is familiar territory now, although the numbers get bigger and more egregious each time. The app this time is SnapTube, a video downloader that lets users select YouTube and Facebook videos to play offline. The app's developers claim more than 40 million users, and it has been installed many more times than that. The problem, it seems, is that while users are enjoying those videos, the app's software is busy doing other things in the background, essentially defrauding both users and advertisers to generate material financial returns.
The disclosure against SnapTube has been made by researchers at Upstream, who say that their Secure-D platform detected and blocked “more than 70 million suspicious mobile transaction requests” from SnapTube installs on 4.4 million devices. And this was all inside a six-month period. Such fraud tends to run in bursts, and the team seems to have been monitoring the app at the right time.
According to Upstream, “SnapTube has been delivering invisible ads, generating non-human clicks and purchases... The ads are hidden from users as they do not appear on-screen.” Generating returns from adware or click fraud is one thing, but the report claims that SnapTube has gone further, to the triggering of premium calls and texts, and subscribing users to paid services. Upstream has calculated that this fraudulent purchase of “premium digital services” would have cost users up to $91 million.
Experienced network intruders and ransomware groups have struck an alliance helping each other monetize their skills by spreading malware to company networks.
One access-as-a-service provider works with multiple ransomware collectives, including REvil/Sodinokibi, offering them access to large targets.
High-profile ransomware actors like REvil focus on companies and are in constant need of new victims to keep the business humming.
Experts in breaching corporate networks advertise their talent on underground markets or over secure messenger channels, and they make the perfect partners.
Intruders hack into the network of a company and then rent or sell access to a ransomware team. This mutually beneficial cooperation enables spreading file-encrypting malware even on more secure networks.
Research from Advanced Intelligence (AdvIntel) reveals the strong connection between the two types of cybercriminal operations.
A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and track the websites they visit.
More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency.
The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in searches for drugs, cryptocurrency, censorship bypass, and Russian politicians.
Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.
The cybercriminals were careful in selecting the two domain names (created in 2014), since to a Russian user they appear to be the real deal:
- torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic
Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is out of date, regardless of the version they run.
Last month we introduced you to the STOP Ransomware, which is the most widely distributed ransomware that is currently active. This ransomware is distributed by adware bundles that masquerade as software cracks, pirated games (warez), and free software downloads.
When a user installs one of these downloads, their computer will become infested with malicious browser extensions, click fraud trojans, adware, and the STOP Ransomware.
While the exact number of victims is hard to determine, there have been 116,000 submissions to ransomware identification site ID Ransomware related to this infection. This makes it the most submitted family of ransomware on the site followed by the Dharma Ransomware.
Top Detections at ID Ransomware
While there are some victims in the United States, most of the victims are in Europe, Asia, South America, and Africa. As expected, there are no victims in Russia, which is most likely due to language checks in the adware bundles.
STOP Heat Map
The release of Emsisoft's STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer.
Since the STOP Ransomware was released, this infection has had the most requests for help decrypting files that we have seen since TeslaCrypt. This has led to a monstrous STOP Ransomware support topic at BleepingComputer containing 526 pages of support requests.
Volunteers at BleepingComputer have worked tirelessly trying to help these victims, but in many cases it was in vain. With the release of this decryption service, victims can finally get help in recovering their files.
All support for this decryptor will be handled in the BleepingComputer STOP Support and Help topic, so please post there with any issues.
How to decrypt STOP Djvu Ransomware encrypted files
Once again, if your files were encrypted after August 2019, then they were encrypted by a newer version that the decryptor does not support and these instructions do not apply. You should instead download the decryptor to see if Emsisoft has been able to gain access to an offline key and whether that will help with your files.
If you were hit by an older variant that you think is supported, before you can decrypt your files with Emsisoft's STOP Djvu Ransomware decryption service, confirm that you were encrypted with a supported extension. The list of supported extensions is:
.shadow, .djvu, .djvur, .djvuu, .udjvu, .uudjvu, .djvuq, .djvus, .djvur, .djvut, .pdff, .tro, .tfude, .tfudet, .tfudeq, .rumba, .adobe, .adobee, .blower, .promos, .promoz, .promorad, .promock, .promok, .promorad2, .kroput, .kroput1, .pulsar1, .kropun1, .charck, .klope, .kropun, .charcl, .doples, .luces, .luceq, .chech, .proden, .drume, .tronas, .trosak, .grovas, .grovat, .roland, .refols, .raldug, .etols, .guvara, .browec, .norvas, .moresa, .vorasto, .hrosas, .kiratos, .todarius, .hofos, .roldat, .dutan, .sarut, .fedasot, .berost, .forasom, .fordan, .codnat, .codnat1, .bufas, .dotmap, .radman, .ferosas, .rectot, .skymap, .mogera, .rezuc, .stone, .redmat, .lanset, .davda, .poret, .pidom, .pidon, .heroset, .boston, .muslat, .gerosan, .vesad, .horon, .neras, .truke, .dalle, .lotep, .nusar, .litar, .besub, .cezor, .lokas, .godes, .budak, .vusad, .herad, .berosuce, .gehad, .gusau, .madek, .darus, .tocue, .lapoi, .todar, .dodoc, .bopador, .novasof, .ntuseg, .ndarod, .access, .format, .nelasod, .mogranos, .cosakos, .nvetud, .lotej, .kovasoh, .prandel, .zatrov, .masok, .brusaf, .londec, .krusop, .mtogas, .nasoh, .nacro, .pedro, .nuksus, .vesrato, .masodas, .cetori, .stare, .carote, .gero, .hese, .seto, .peka, .moka, .kvag, .karl, .nesa, .noos, .kuub, .reco, .bora
If you are infected with the .puma, .pumas, or .pumax extensions of the earlier STOP Ransomware variants, you can skip all of the following steps and instead download the STOP Puma decryptor.
In order to use the service, you first need to find some encrypted files and their originals that match the following requirements and train the decryption service using them.
To be clear, for each file type (doc, docx, xls, xlsx, png, etc) you want to decrypt, you must also upload an encrypted and unencrypted pair in order to train the service. Once the service is trained with a file type, it can be used to decrypt all files on your computer of that same type.
- Must be the same file before and after encryption
- Must be a different file pair per file type you wish to decrypt
- Must be at least 150KB
The best way to find encrypted and unencrypted file pairs is to look for encrypted images or other files that were originally downloaded from the Internet. That way you can download the file again from the same location so that you have an unencrypted version.
Once you have a pair of files, go to Emsisoft | STOP Djvu Decryption and upload the files using the page's form.
Emsisoft STOP Ransomware Decryption Service
After pressing the SUBMIT button, it will change to a rotating circle to show that it is processing your files. Please be patient at this point as it may take some time to complete.
When done, the service will tell you if the files were properly processed, and if so, will provide a link to the decryptor.
Click on the link to download the STOP Decryptor and then double-click on it to launch the program. As this decryptor requires a working Internet connection, please make sure you are connected before proceeding.
When launching the program, it will display a UAC prompt asking if you would like to allow the program to make changes to your computer. At this prompt, you should click on the Yes button.
A license screen and a small instruction screen will then be displayed. Please read through both of these screens and acknowledge them to continue.
The main decryptor screen will now be displayed with the C:\ drive already selected to be decrypted.
STOP Djvu Decryptor
Add the folders you wish to decrypt or go with the default selection of the entire C:\ drive and click on the Decrypt button.
The decryptor will begin to decrypt all file types that you used to train the service.
While decrypting, if the decryptor is unable to decrypt a particular file type, you need to train the service by uploading encrypted and unencrypted pairs of files of that type. Once you do so, click on the Decrypt button again to have it handle that particular file type.
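To make the file-pair rules above concrete, here is an added Python example (not Emsisoft's or BleepingComputer's code) that takes a listing of files on the infected machine plus a folder of clean copies and picks one candidate pair per file type that satisfies the rules: same file name before and after encryption, one pair per file type, and at least 150KB. It assumes, as STOP Djvu variants do, that the ransomware appends its own extension to the original name (beach.jpg becomes beach.jpg.djvu). The extension subset, paths and sizes are constructed for the example; paste in the full extension list from the article when running it for real.

```python
import os
from collections import namedtuple

# Subset of the supported-extension list from the article, constructed for the
# example; paste in the full list when running this for real.
SUPPORTED_EXTENSIONS = {".djvu", ".promos", ".kroput", ".boston", ".reco", ".bora"}
MIN_SIZE = 150 * 1024  # the decryption service wants pairs of at least 150KB

Pair = namedtuple("Pair", "encrypted clean")


def split_encrypted_name(path, supported=SUPPORTED_EXTENSIONS):
    """STOP Djvu appends its extension to the original name (beach.jpg -> beach.jpg.djvu).
    Return (original_name, ransomware_ext) for a supported variant, else None."""
    original, ext = os.path.splitext(path)
    if ext.lower() in supported:
        return original, ext.lower()
    return None


def find_training_pairs(encrypted_files, clean_files,
                        supported=SUPPORTED_EXTENSIONS, min_size=MIN_SIZE):
    """encrypted_files and clean_files map path -> size in bytes.  Clean copies are
    matched to encrypted files by name (e.g. originals re-downloaded into one folder).
    Returns (pairs, rejected): pairs maps a file type such as '.jpg' to one Pair,
    rejected lists (encrypted_path, reason) for candidates that failed a rule."""
    pairs, rejected = {}, []
    clean_by_name = {os.path.basename(p): (p, size) for p, size in clean_files.items()}
    for enc_path, enc_size in sorted(encrypted_files.items()):
        split = split_encrypted_name(enc_path, supported)
        if split is None:
            continue  # not a supported STOP extension, so not a usable candidate
        original_name, _ = split
        file_type = os.path.splitext(original_name)[1].lower()
        if file_type in pairs:
            continue  # one pair per file type is all the service needs
        match = clean_by_name.get(os.path.basename(original_name))
        if match is None:
            rejected.append((enc_path, "no clean copy with the same name"))
            continue
        clean_path, clean_size = match
        if enc_size < min_size or clean_size < min_size:
            rejected.append((enc_path, "smaller than 150KB"))
            continue
        pairs[file_type] = Pair(enc_path, clean_path)
    return pairs, rejected


# Constructed sample data (forward slashes are accepted in Windows paths too).
SAMPLE_ENCRYPTED = {
    "C:/Users/alice/Pictures/beach.jpg.djvu": 420_000,
    "C:/Users/alice/Pictures/icon.png.djvu": 12_000,
    "C:/Users/alice/Documents/report.docx.djvu": 300_000,
    "C:/Users/alice/Documents/notes.txt": 2_000,
}
SAMPLE_CLEAN = {
    "D:/originals/beach.jpg": 420_000,   # re-downloaded from where it came from
    "D:/originals/icon.png": 12_000,
}

if __name__ == "__main__":
    pairs, rejected = find_training_pairs(SAMPLE_ENCRYPTED, SAMPLE_CLEAN)
    for file_type, pair in pairs.items():
        print(f"{file_type}: upload {pair.encrypted} and {pair.clean}")
    for path, reason in rejected:
        print(f"skip {path}: {reason}")
```

The size rule is applied to both copies, and files whose extension is not in the supported set are silently ignored rather than rejected, because on a machine hit by a newer variant every encrypted file would otherwise be reported.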
Millions of Amazon Echo 1st generation and Amazon Kindle 8th generation devices are susceptible to an old WiFi vulnerability called KRACK that allows an attacker to perform a man-in-the-middle attack against a WPA2-protected network.
KRACK, or Key Reinstallation Attack, is a vulnerability in the 4-way handshake of the WPA2 protocol that was disclosed in October 2017 by security researchers Mathy Vanhoef and Frank Piessens.
Using this attack, attackers can decrypt packets sent by clients and steal any sensitive information that is carried in plain text inside them. While the WPA2 encryption of the wireless link is compromised by this attack, any traffic that is itself encrypted at a higher layer, such as HTTPS or VPN traffic, still remains protected from snooping.
In order to fix these vulnerabilities, hardware manufacturers needed to release new firmware for the affected devices.
In a report by the ESET Smart Home Research Team, the researchers have discovered that Amazon Echo 1st generation and Amazon Kindle 8th generation devices were still affected by the KRACK vulnerability.
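Why a handshake replay lets the attacker read client traffic, as an added Python example that is not part of the ESET report or the original article: a client that resets its packet number whenever it (re)installs the pairwise key reuses a CCMP nonce after the attacker replays handshake message 3, and reusing a nonce with a stream-cipher keystream lets anyone who knows one plaintext recover the other. The keystream below is HMAC-SHA256 in counter mode as a stand-in for AES-CTR, so the example runs with the standard library only; the key and the two frames are constructed, and the radio-layer man-in-the-middle position needed to block and replay message 3 is assumed rather than implemented.

```python
import hashlib
import hmac

SECRET_FRAME = b"PASS hunter2\r\n"                            # constructed: FTP password sent in clear
KNOWN_FRAME = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed: predictable plaintext


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Stand-in for the AES-CTR keystream that CCMP derives from (key, nonce).
    HMAC-SHA256 in counter mode keeps the example standard-library only; the
    property that matters, same (key, nonce) -> same keystream, is identical."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


class Client:
    """Wi-Fi client whose CCMP nonce is the per-key packet number (PN)."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def install_key(self, ptk):
        if self.patched and ptk == self.ptk:
            return              # fixed: a key already in use is never reinstalled
        self.ptk = ptk
        self.pn = 0             # vulnerable: reinstalling the key resets the PN

    def send(self, plaintext):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def simulate_key_reinstall(patched):
    """Returns (nonce_reused, plaintext the attacker recovers from the second frame)."""
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()
    client = Client(patched)
    client.install_key(ptk)                  # handshake message 3 arrives: key installed
    nonce1, ct1 = client.send(KNOWN_FRAME)   # first data frame, contents guessable
    client.install_key(ptk)                  # attacker replays message 3: key reinstalled
    nonce2, ct2 = client.send(SECRET_FRAME)  # on a vulnerable client the PN is 1 again
    # The attacker knows ct1's plaintext, so ct1 XOR KNOWN_FRAME is the keystream
    # for nonce1; if nonce2 == nonce1 that same keystream also decrypts ct2.
    recovered = xor(xor(ct1, KNOWN_FRAME), ct2)
    return nonce1 == nonce2, recovered


if __name__ == "__main__":
    for patched in (False, True):
        reused, recovered = simulate_key_reinstall(patched)
        print(f"patched={patched}: nonce reused={reused}, recovered={recovered!r}")
```

The patched branch is the whole fix: a key that is already installed is not installed again, so the packet number keeps counting and no nonce repeats. That is also why the fix had to come as firmware for each affected device rather than as a change on the access point.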
Google has confirmed the Pixel 4 smartphone's Face Unlock system can allow access to a person's device even if they have their eyes closed.
One security expert said it was a significant problem that could allow unauthorised access to the device. By comparison, Apple's Face ID system checks the user is "alert" and looking at the phone before unlocking. Google said in a statement: "Pixel 4 Face Unlock meets the security requirements as a strong biometric." Speaking before the launch, Pixel product manager Sherry Lin said: "There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level - it's ours and Apple's."
Soon after that, in July 2018, Google enabled the Site Isolation feature in Chrome for desktops and promised to extend the same to Chrome users on Android to help them defend against even fully compromised processes. "Even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker," Google said. "This significantly reduces the threat posed by Spectre."
For example, when you visit a banking or e-commerce site in Chrome on your Android phone and log in to your account, Chrome will observe a password interaction and automatically turn on Site Isolation for that site. "This is why, unlike desktop platforms where we isolate all sites, Chrome on Android uses a slimmer form of Site Isolation, protecting fewer sites to keep overhead low. This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites."
Malicious plugins for WordPress websites are being used not just to maintain access on the compromised server but also to mine for cryptocurrency.
Researchers at website security company Sucuri have noticed the number of malicious plugins increasing over the past months. The components are clones of legitimate software, altered for nefarious purposes.
One of the plugins discovered by Sucuri to have a double purpose is a clone of "wpframework." It was found in September and attackers used it to "gain and maintain unauthorized access to the site environment," the researchers say.
This is a continually updated article about the upcoming Ubuntu 20.04 LTS release. All important developments associated with this release are added to this page.
Ubuntu 19.10 is about to be released today and we already have some updates on the upcoming Ubuntu 20.04 LTS release due in April 2020.
Ubuntu 20.04 is called Focal Fossa
As OMG! Ubuntu first noted, Ubuntu 20.04 has been codenamed “Focal Fossa”.
The codenames of Ubuntu releases are composed of two words starting with the same letter. The first word is usually an adjective, while the second word is usually an animal species.
Focal is a common English word meaning "center or most important part". The fossa is a cat-like animal found in Madagascar.
While it seems that we are on the verge of the Windows 10 November 2019 Update being rolled out to the general public in its finalized form, a good number of us may still be using the May 2019 Update, particularly after Microsoft gave it the rubber stamp for broad deployment last month. However, it seems that an Intel display driver update delivered via Windows Update is causing problems that, at the time of writing, appear mainly to affect HP computers such as the ProBook 450 G6.
More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.
The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems.
"The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus," said Cyberbit.
Luckily, besides affecting the infected systems' overall performance and leading to increased power consumption, the XMRig Monero miner did not impact the airport's operations.
If an attacker wanted to sneak a monitoring device into a target network, how might they go about it?
As Naked Security reported last week, they could try soldering a tiny chip on to the circuit board of something like a firewall on the assumption that it will never be noticed. But there might be a much simpler approach: hide the device in plain sight, safe in the knowledge that its very conspicuousness means its legitimacy will probably never be questioned.
This was the initial suspicion of a team from UK-based outfit Pen Test Partners when they noticed an unlabelled, "potentially toxic box" connected to the onboard LAN of a ship that the team was performing a security assessment on. Ship networks feature a lot of specialised equipment, of course, but every box should have a purpose. And yet, after enquiring about its origins, the message came back:
Fleet management told us that shoreside had no invoice, record, or inventory listing for it. They were blissfully unaware of its existence. It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night that the crew covered it up. The assumption had been that it was meant to be there.
How many more mystery boxes might be quietly sitting connected to numerous other networks?
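A first, cheap answer to that question, as an added Python example that is not part of the Naked Security or Pen Test Partners write-up: read a host's ARP table and report every live unicast MAC address that the asset inventory does not account for. The `arp -a` output is a constructed sample in Windows format (the box above was wired to a Windows console on the bridge), the inventory entries and addresses are constructed, and broadcast and multicast entries are skipped because they are not devices.

```python
import re

# Constructed Windows `arp -a` output, the kind of table a bridge console would give.
SAMPLE_ARP_OUTPUT = """
Interface: 10.20.30.15 --- 0xb
  Internet Address      Physical Address      Type
  10.20.30.1            00-11-22-33-44-55     dynamic
  10.20.30.40           aa-bb-cc-dd-ee-01     dynamic
  10.20.30.77           aa-bb-cc-dd-ee-99     dynamic
  10.20.30.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed asset inventory: MAC -> description, as fleet management should hold it.
SAMPLE_INVENTORY = {
    "00:11:22:33:44:55": "bridge router (shoreside uplink)",
    "AA:BB:CC:DD:EE:01": "ECDIS workstation",
}

# One ARP row: IPv4 address, MAC in dash or colon form, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)", re.MULTILINE)


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case; return lower-case colon form."""
    return mac.lower().replace("-", ":")


def is_unicast(mac):
    """Broadcast and multicast MACs (low bit of the first octet set) are not devices."""
    return int(mac[:2], 16) & 1 == 0


def parse_arp_table(text):
    """Return a list of (ip, mac) for every unicast entry in `arp -a` output."""
    entries = []
    for ip, mac, _entry_type in ARP_LINE.findall(text):
        mac = normalize_mac(mac)
        if is_unicast(mac):
            entries.append((ip, mac))
    return entries


def find_unknown_devices(arp_text, inventory):
    """Return (ip, mac) for every ARP neighbour whose MAC is missing from the inventory."""
    known = {normalize_mac(m) for m in inventory}
    return [(ip, mac) for ip, mac in parse_arp_table(arp_text) if mac not in known]


if __name__ == "__main__":
    for ip, mac in find_unknown_devices(SAMPLE_ARP_OUTPUT, SAMPLE_INVENTORY):
        print(f"unknown device on the LAN: {ip} ({mac}) - find out what it is")
```

An ARP cache only lists neighbours the host has talked to recently, so a device that is absent from it is not proven absent from the network; for the full picture, pull the MAC address table from the switches or run an active scan, and treat the unexplained entries exactly the way the Pen Test Partners team treated that box.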