The infamous Lucy ransomware has now appeared again to prey on users. This time, Lucy ransomware threatens Android users with a threat seemingly from the FBI. Lucy Ransomware Targets Android Users Researchers from Check Point have highlighted Lucy ransomware back in action. This time, Lucy ransomware targets Android users while impersonating the FBI. As explained in a recent post, Lucy first caught the attention of Check Point back in 2018. And now, after two years, the ransomware that serves as malware-as-a-service (MaaS) back with improvised capabilities to target Android devices. Briefly, the malware is spreading around mainly through social media links and instant messaging apps. The researchers found at least 80 different samples carrying this Lucy variant. Upon entering the target device, the malware tricks the user to gain access to the Android Accessibility Service. As stated in the post, It displays a message asking the user to enable SVO (Streaming Video Optimization).  By clicking ‘OK’, the user grants the malware the permission to use the accessibility service. Now Lucy is ready to initiate its malicious plan to encrypt the data on the victim’s device. This then lets the malware take control of the smartphone’s screen and WiFi, keeping both ‘On’. After that, Lucy starts encrypting all files. Once verified, it displays the ransom note via the device’s browser, which appears as a notice from the US FBI. This notice may suffice into scaring the victim to pay the ransom which, to them, seems a fine for cybercrime. Below is a copy of the ransom note.

Source: Check Point Research The malware performs other activities on the device. Some of its capabilities include making calls to the C&C server number, send a list of all installed apps to the C&C, and, the most peculiar one is to display a message to the victim regarding a failed payment. Ransom Not Demanded In Bitcoins Although Lucy typically behaves like any other ransomware, what makes it unique is the way it asks payment. While the attackers behind most other ransomware demand ransom in Bitcoins, Lucy Gang asks for a payment of $500 via the victim’s credit card. It seems, through this strategy by asking payments through credit cards, the attackers can gather victim’s payment card data, which they can exploit in the future as well. Certainly, this ransomware attack reiterates the need for vigilance while installing apps on mobile phones. Users must always ensure that they only download apps from official stores and trusted developers. Moreover, users should also keep their Android devices secure by ensuring prompt updates, using a robust antivirus, and employing safe browsing habits. Let us know your thoughts in the comments.

T-Mobile has once again made it to the news owing to a security incident. One more time, T-Mobile has suffered a data breach that exposed the personal and financial information of their customers. T-Mobile is presently notifying customers affected during this incident. T-Mobile Data Breach Reportedly, T-Mobile has once again suffered a data breach affecting numerous users. While it isn’t clear how many users were affected by the breach, the extent of information exposed during the incident sounds huge. Specifically, the incident happened as a result of a malicious attack against their email vendors. As a result, the attackers could gain access to T-mobile employee email accounts that included customers’ information. The news surfaced online after the service started notifying their customers about a ‘security event’ they recently ‘shut down’. Nonetheless, they have sent these notifications differently to every customer based on the extent of information exposed. For the customers who only suffered breach of personal details, the company directed them to the PII notice of the breach. In the case of these customers, the affected information included names, addresses, phone numbers, govt. ID numbers, Social Security numbers, billing and account details, rate plans and features, and financial account data. While, to some other users, the firm forwarded another security notice addressing the breach of account information. For such customers, the exposed data includes personal details such as names, contact numbers, addresses, account numbers, billing information, rate plans and features. Whereas, their Social Security numbers and financial information remained unaffected during the incident. What Next? Following the incident, the telecom giant began notifying affected customers. Though, they assured no misuse so far of the exposed details. For users receiving the PII breach notice, T-Mobile has offered free credit monitoring and identity theft services for two-years. However, for the other subset of the affected users, the firm hasn’t offered any such compensation. This isn’t the first time that the company has suffered a security incident. In 2018, they twice made it to the news owing to data breaches. Let us know your thoughts in the comments.

Google have recently fixed numerous security bugs in their Chrome browser. These Chrome bugs include two serious vulnerabilities as well as a zero-day flaw under active exploit. Chrome Zero-Day Under Exploit Researcher Clement Lecigne of Google’s Threat Analysis Group discovered a zero-day bug in the Chrome browser under active exploit. The vulnerability, CVE-2020-6418, was a type confusion flaw in V8 – a Chrome component that processes JavaScript code. Google labeled it a high-severity flaw in their advisory, what makes it serious is its exploitation in the wild. Though, Google hasn’t shared details about how the attackers are exploiting the bug. Yet, they confirm the zero-day is under attack. Other than this zero-day, Google also revealed two other bugs in the Chrome browser. These include two high-severity bugs for which, Google hasn’t hinted of any active exploitation. One of these caught the attention of Google Project Zero’s Sergei Glazunov. Google described it as an Out of bounds memory access in streams (CVE-2020-6407). The other vulnerability caught Google’s attention after researcher André Bargull reported it. This vulnerability, an integer overflow in the ICU component, the researcher was awarded a $5000 bounty. Google Released Patches Recently, Google has patched all the three flaws and released fixes with the latest Chrome version 80.0.3987.122. As the tech giant rolls out the updates, users must ensure their devices are updated to avoid any issues. This is particularly important considering the active exploitation of the zero-day. The present zero-day marks the third major vulnerability that caught the hackers’ attention before a fix. The first of these (CVE-2019-5786) surfaced online in March 2019. The attackers exploited this use after free flaw to target Windows 7. Whereas, the second vulnerability, another use after free flaw (CVE-2019-13720), appeared online in November 2019.

The latest victim of an actively exploited zero-day vulnerability is the Taiwan-based firm ‘Zyxel’ whom manufacture networking devices.  Zyxel has addressed a critical zero-day vulnerability in some of its NAS devices that could allow remote code execution. Zero-Day Vulnerability In Zyxel NAS Devices The Taiwan-based technology firm Zyxel has made it into the news owing to a serious vulnerability in its network-attached storage devices. The founder of security firm Hold Security, Alex Holden, discovered a serious zero-day vulnerability in Zyxel NAS devices. As revealed through a blog post, Holden found that exploiting this vulnerability could allow a potential attacker to execute arbitrary code. Worryingly the exploit required no user permission for code execution. The researcher also noticed active sales of the exploit code on the dark web. He found ransomware gangs interested in the working exploit code which the seller put up for $20,000. CERT/CC has confirmed the presence of the vulnerability in their advisory. Regarding the details of the bug, the advisory reads, ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. While the webserver doesn’t run with root privileges, an attacker could achieve elevated privileges by abusing the setuid utility. Hence, remote code execution with root privileges would become possible. Zyxel Patched The Flaw Upon receiving the alerts for the zero-day under attack, Zyxel worked swiftly to patch the flaw. They confirmed that the vulnerability, CVE-2020-9054, affected numerous devices including NAS326, NAS520, NAS540, and NAS542. While the patches for these are available, users of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2 would still remain vulnerable since these devices won’t receive the updates due to end-of-support. The complete list of devices and the hotfixes is available in Zyxel’s advisory. Zyxel have recommended limiting access to vulnerable NAS devices and blocking access to the web interface as possible mitigations.

While everyone was busy on New Year’s Eve in welcoming the calendrical change,  cybercriminals were busy “working”. The evidence backing this statement came from the cyber attack on foreign currency exchange Travelex. Recently, Travelex has confirmed a malware attack hit its systems, following which, its services went down. Travelex Disclosed Malware Attack Reportedly, the international foreign currency exchange service Travelex has emerged as the latest victim of a cyber attack. As experienced by users, and confirmed by the service, Travelex services went down following the malware attack. The exchange clearly defined the incident as a ‘malware’ attack. Sharing their statement in a tweet, Travelex mentioned, Travelex confirms that a software virus was discovered on New Year’s Eve which has compromised some of its services. They also confirmed the shut down of their services, which they did as a precaution. As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all our systems offline.
Though the exchange only stated about the disruption of ‘some’ services, it actually caused huge trouble to the users. The attack potentially affected the partnering businesses as well, such as Tesco Bank.
Security Measures And Maintenance Underway After the online services of Travelex went down, the company had to manage serving customers by providing exchange manually. They also engaged cybersecurity experts to resolve the matter. However, until the time of writing this article, the Travelex website is still down.
While Travelex are still striving to restore their services, they assure that the incident did not affect customers’ data. For any queries, customers can contact them via their official twitter account where they are actively responding. Before Travelex, numerous other incidents affecting different businesses also surfaced online towards the end of 2019. Some of the affected services include Poloniex cryptocurrency exchange, telemarketing firm The Heritage Company, IT service provider Synoptek, and a US Maritime facility.

Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network, as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you.

Firefox Private Network service is currently in beta and available only to desktop users in the United States as part of Mozilla's recently expunged "Firefox Test Pilot" program that lets users try out new experimental features before they were officially released.

The Firefox Test Pilot program was first launched by the company three years ago but was shut down in January this year. The company now decided to bring the program back but with some changes.

"The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release," said Marissa Wood, vice president of product at Mozilla.

Firefox Private Network is the Test Pilot program's first new project.

Firefox Private Network — Mozilla's VPN Service

Like any other best VPN service, Firefox Private Network also masks your IP address from third-party online trackers and protect your sensitive information, like the website you visit and your financial information, when using public Wi-Fi.

Mozilla says its Firefox Private Network "provides a secure, encrypted path to the web to protect your connection and your personal information anywhere, and everywhere you use your Firefox browser."

Firefox Private Network also works the same way as any other VPN service.

The Firefox Private Network VPN service also encrypts and funnels every Internet browsing activity of yours through a collection of remote proxy servers, thereby masking your real location/identity and blocking third parties, including government and your ISP, from snooping on your connection.

The actual proxy servers for the Firefox Private Network extension is provided by Cloudflare, the company that offers one of the biggest and fastest CDN, DNS and DDoS protection services.

For those concerned about the data collection by Cloudflare, Mozilla promises "strong privacy controls" to limit what data Cloudflare may collect and for how long it may store that data.

"Cloudflare only observes a limited amount of data about the HTTP/HTTPS requests that are sent to the Cloudflare proxy via browsers with an active Mozilla extension," Cloudflare says.

"When requests are sent to the Cloudflare proxy, Cloudflare will observe your IP address, the IP address for the Internet property you are accessing, source port, destination port, timestamp and a token provided by Mozilla that indicates that you are a Firefox Private Network user (together, "Proxy Data"). All Proxy Data will be deleted within 24 hours."

How To Sign Up For Firefox VPN Service

Firefox Private Network currently works only on desktops but is believed to be made available for mobile users as well, once the VPN exits beta.

Although the Firefox Private Network service is currently free, Mozilla hinted that the company is exploring possible pricing options for the service in the future to keep it self-sustainable.

For now, if you have a Firefox account and reside in the United States, you can test the Firefox VPN service for free by signing up on the Firefox Private Network website.

Once installed on your desktop, the Firefox Private Network extension will add a toggle on the toolbar of your Firefox web browser so you can easily turn it on or off at any time.

Immediately after Mozilla announced its plan to soon enable 'DNS over HTTPS' (DoH) by default for Firefox users in the United States, Google today says it is planning an experiment with the privacy-focused technology in its upcoming Chrome 78.

Under development since 2017, 'DNS over HTTPS' performs DNS lookups—finding the server IP address of a certain domain name—over an encrypted HTTPS connection to a DNS server, rather than sending DNS queries in plaintext.

The protocol that sends DNS queries over secure HTTPS connections has specifically been designed to prevent miscreants from interfering with domain name lookups, eventually stopping network observers, including your ISPs and attackers, from figuring out what sites you visit.

Though the privacy-focused technology is also helpful in preventing attackers from redirecting unsuspecting visitors to phishing and malware sites, DNS over HTTPS could also bring its own new challenges to the enterprise security solutions by making it difficult to monitor network traffic for malicious activities.

For the same reason, two months ago, the UK Internet Services Providers' Association (ISPA) nominated Mozilla for "Internet villain of the year" award after the company added support for DoH protocol in its Firefox browser that breaks DNS-based content filters.

However, it should be noted that Firefox by default sets DoH server to Cloudflare and the setting needs to be changed manually, for which Mozilla has been criticized, whereas Google's implementation only upgrades to the equivalent DoH service from the same provider that a user is using.

Enabling 'DNS over HTTPS' in Chrome 78

In a blog post published today, Google said the company will add its implementation of 'DNS over HTTPS' to the upcoming Chrome 78, which is due for beta release in the next two weeks, and will enable the feature for a fraction of users as an early-experiment,

The experimental feature will automatically upgrade the DNS provider to the equivalent DoH service from the same provider if the user's current DNS provider is part of the list of known DoH-compatible providers. If not in the list, Chrome will continue to operate as it does today.

"In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged. It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering," Google says.

Chrome 78 users who want to manually opt-in or opt-out of the experiment can change the flag settings at chrome://flags/#dns-over-https.

Chrome Compatible' DNS over HTTPS' Providers

Google says it has selected some DNS providers for "their strong stance on security and privacy, as well as the readiness of their DoH services" and their agreement to participate in the test. The list of providers currently include:

• Cleanbrowsing
• Cloudflare
• DNS.SB
• Google
• OpenDNS
• Quad9

The experiment will run on all platforms for Chrome 78 users except Linux and iOS, with the goals to validate the company's "implementation and to evaluate the performance impact."

On Android 9 and later, if users have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH instead, but if an error occurred, the browser would fall back to the DoT setting.

For those unaware, though DoH and DoT are separate standards for encrypting DNS queries, the concept of both is the same.

What're your thoughts on Google's experiment of implementing DoH? Let us know in the comment section below.

Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer.

Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone's SSH password, from Intel's CPU cache.

Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel's DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.

The DDIO comes enabled by default on all Intel server-grade processors since 2012, including Intel Xeon E5, E7 and SP families.

According to the researchers [paper], NetCAT attack works similar to Throwhammer by solely sending specially crafted network packets to a targeted computer that has Remote Direct Memory Access (RDMA) feature enabled.

RDMA enables attackers to spy on remote server-side peripherals such as network cards and observe the timing difference between a network packet that is served from the remote processor's cache versus a packet served from memory.

Here the idea is to perform a keystroke timing analysis to recover words typed by a victim using a machine learning algorithm against the time information.

"In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet," explains the VUSec team.

"Now, humans have distinct typing patterns. For example, typing's' right after 'a' is faster than typing 'g' after's.' As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session."

"Compared to a native local attacker, NetCAT's attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%."

The VUSec team has also published a video, as shown above, demonstrating a method for spying on SSH sessions in real-time with nothing but a shared server.

NetCAT becomes the new side-channel vulnerability joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, Foreshadow,  SWAPGS, and PortSmash.

In its advisory, Intel has acknowledged the issue and recommended users to either completely disable DDIO or at least RDMA to make such attacks more difficult, or otherwise suggested to limit direct access to the servers from untrusted networks.

The company assigned the NetCAT vulnerability a "low" severity rating, describing it as a partial information disclosure issue, and awarded a bounty to the VUSec team for the responsible disclosure.

Estonian based web security startup WebARX, the company who is also behind open-source plugin vulnerability scanner WPBullet and soon-to-be-released bug bounty platform plugbounty.com, has a big vision for a safer web.

It built a defensive core for websites which is embedded deep inside the company's DNA as even ARX in their name refers to the citadel (the core fortified area of a town or city) in Latin.

WebARX—web application security platform—allows web developers and digital agencies to get advanced website security integrated with every site and makes it more effective and less time-consuming to manage security across multiple websites.

You can find reviews such as "WebARX - the Swiss army knife that secures my websites!", "The security software that I use every day," "Many Promise - WebARX Delivers" from their Trustpilot page, so where is all that coming from?

Serious Team With A Unique Focus

WebARX is solving a very specific problem—reducing the security risk from third-party components within web applications, or as its website states, "Protect websites from plugin vulnerabilities."

In fact, the latest studies show that 98% of security vulnerabilities within the WordPress ecosystem (running 35% of the websites online) are related to plugins, which are intended to expand the functionality and features of a website.

Additionally, by contributing to the open-source with WPBullet, the company is also planning to release the first open-source plugin bug bounty platform plugbounty.com, which is released in few weeks.

Advanced Protection For Any PHP App Made Simple and Accessible

Lately, WebARX has gained a lot of popularity for its security platform. According to many, it's one of the most advanced solutions for modern websites that are built on WordPress or any other PHP based content management system.
It takes less than a minute to add a site to the portal and activate monitoring and firewall.

WebARX protects sites from malicious traffic, unwanted bot requests, and prevents OWASP TOP 10 vulnerability exploitation.

As a managed service, WebARX is actively keeping its firewall up to date with the latest threats. Virtual patches are applied automatically to prevent software specific vulnerabilities mostly found within components such as plugins and themes.

The firewall has its benefits from running on the end-point and being component agnostic.

Since WebARX is running on the site, it can't be bypassed the way DNS firewalls are often bypassed (when the IP to the server is leaked by abusing DNS history or when the server is not configured correctly allowing traffic from sources other than what is coming through the firewall).

With WebARX you have the freedom to create an unlimited number of custom firewall rules (match anything within HTTP protocol).

You can analyze and control the firewall among all your sites from the central cloud-based dashboard.

WordPress In the Center of Attention

WordPress, as the most popular content management system, has clearly received a lot of attention. According to some statistics, it runs already more than 35% of the websites.

Attention is not always positive, and this has made WordPress a very attractive target for attackers.

Hundreds of thousands of websites are being abused to redirect traffic, host malware, send out spam and sites are even used as slaves in botnets.

Victims are not chosen; most of the attacks are automated, which targets the software, not the company or the people behind the website itself.

WordPress security is an active topic. Just a week ago, a critical 'Backdoor Attack' warning was issued for 60 million WordPress users via Forbes.

WebARX is the All-in-One Solution For WordPress Sites

"A must for WordPress sites!" as one of its Trustpilot review states, WebARX has already gone a long way to ultimately become the only WordPress security solution you need.

It's always good to keep the number of components/plugins low while having all the security and hardening options available for every site.

Some of the options WebARX includes:

• WAF with virtual patches and an unlimited number of custom rules.
• Advanced firewall management and analytics.
• Central, easy to use cloud-based security portal.
• Up-time, Blacklist, Domain/SSL expiration, and plugin vulnerability monitoring.
• 2FA for any site and each user.
• ReCAPTCHA implementation for forms.
• Brute-force/XML-RPC protection.
• Automatic off-site backups to Google Drive.
• Customizable cookie notice bar.
• User activity logging.
• Cloud-based plugin management (remote updating).
• Cloud-based hardening.
• Multi-site support.
• And much more…

WebARX is currently celebrating its birthday, and a 50% discount is offered for a limited time.

Whilst you would expect cybersecurity and IT firms to serve customers with adequate online security measures. However, these firms themselves remain vulnerable to various security threats too. Recently, the cybersecurity firm Imperva has disclosed a security breach that affected customers of its Cloud WAF. Imperva Revealed Security Breach In a recent security notice, the popular cybersecurity firm Imperva has revealed a security breach. The incident impacted customers of its Cloud WAF product previously known as ‘Incapsula’. As disclosed, the company learned of the breach recently from a third-party. They discovered the incident on August 20, 2019, where they found the exposure of data of some of the customers. The company found that the incident impacted a database through September 15, 2019. The leaked or exposed information from the database includes email addresses, hashed and salted passwords. For a subset of customers, exposed details also included customer-provided SSL certificates and API keys. The company assured that the impact of the incident remained confined to the Cloud WAF product only. Security Measures Taken Upon noticing the breach, Imperva began working towards implementing appropriate security measures. These steps include engaging forensic experts and global regulatory agencies, activating internal data security response team, and implementing forced password rotations in Cloud WAF. In addition, they have also informed customers affected during the incident regarding the breach. They also advise customers to take necessary steps to stay protected. Some of the security best practices Imperva advised to all users include resetting Cloud WAF user passwords, enabling two-factor authentication, enabling Single Sign-On (SSO), uploading new SSL certificates and resetting API keys. Recently, a web hosting company Hostinger has also confessed of a breach. The incident allegedly affected 14 million customers, exposing the victims’ personal information and hashed passwords. Let us know your thoughts in the comments.

Critical ISPsystem Software Vulnerability Discovered

ISPsystem Fixed The Bug

Qualcomm Chip Vulnerability Discovered

Qualcomm Patched The Flaw

“Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore. These defense-in-depth mitigations increase the complexity of compromising keystore keys, making difficult-to-perform side-channel attacks even more challenging to pull off.”

EmCare Data Breach Exposed Personal And Clinical Data

“Patients impacted by this incident may have received medical care from a clinician employed by or engaged with an affiliate of EmCare. These services may have been provided in an Emergency Department or as inpatient services in a hospital.”

EmCare Takes Security Measures

“There is no evidence to suggest that the information has been misused, or that anyone will attempt to misuse the information. In addition, EmCare is not aware of any individual who has been impacted by fraud or identity theft as a result and does not know if any personal information was actually obtained by an unauthorized party.”

Microsoft Word Bug Under Active Exploits

“The group was able to exploit this bug to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.”

“Malware code reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands, and executing and ending programs. It can also steal information by logging keystrokes and mouse events.”

No Patch From Microsoft

“Microsoft acknowledged it was unintended behavior, but declined to release a security patch at this time, as the issue on its own does not result in memory corruption or code execution. The issue may be fixed at a later date.”

Adobe ColdFusion Vulnerability Exploited In The Wild

“The vulnerability is easily exploited through a simple HTTP POST request to the file upload.cfm, which is not restricted and does not require any authentication.”

Update Your Software ASAP!

Trade.io Cold Wallet Hacked By Unknown Attackers

Trade.io Decided Hard Fork

“At no point was the trade.io exchange or liquidity pool accessed or affected, and both remain operational. The breach was limited to one particular hardware wallet that was purchased directly from the manufacturer. Consequently, no customer accounts were directly affected, or customer funds lost.”

“As a result of the incident, trade.io Management has decided to fork TIO. The name of the forked token will be Trade Token X with the ticker TIOx, similar to TIO it will be an ERC-20 token.”