Showing posts with label Cyber Security News.
Thursday, 30 April 2020
Source: Check Point Research
The malware performs other activities on the device. Its capabilities include placing calls to the C&C server number, sending a list of all installed apps to the C&C and, most peculiarly, displaying a message to the victim about a failed payment.
Ransom Not Demanded In Bitcoins
Although Lucy otherwise behaves like typical ransomware, what makes it unique is the way it demands payment. While the operators of most ransomware demand payment in Bitcoin, the Lucy gang asks for $500 paid via the victim's credit card. By collecting payments through credit cards, the attackers can also harvest victims' payment card data, which they can abuse later as well.
Certainly, this ransomware attack reiterates the need for vigilance when installing apps on mobile phones. Users should only download apps from official stores and trusted developers. Moreover, users should keep their Android devices secure by applying updates promptly, using a robust antivirus, and practising safe browsing habits.
Let us know your thoughts in the comments.
Friday, 13 March 2020
Serious security vulnerabilities have been discovered in Avast's AntiTrack and AVG AntiTrack tools. Exploiting the flaws could expose users to MiTM attacks while downgrading the browser's security.
Avast AntiTrack Certificate Vulnerability
Reportedly, researcher David Eade found numerous security vulnerabilities in the Avast AntiTrack tool. One of these is a flaw in the certificate validation feature that could have allowed man-in-the-middle (MiTM) attacks. Elaborating on his findings in a post, the researcher stated:
"Avast Antitrack does not check the validity of certificates presented by the end web server. This makes it trivial for a man-in-the-middle to serve a fake site using a self-signed certificate."
An attacker could not only intercept the victim's traffic but could also hijack live sessions by cloning cookies, thus bypassing two-factor authentication as well. Exploiting this bug required no user interaction, so a remote attacker could exploit it entirely on their own.
The researcher also noticed two other issues with the same tool. First, it downgraded the browser's security protocol to TLS 1.0. Second, the cipher suites chosen by the tool did not support forward secrecy.
Patches Rolled Out
The researcher found the said issues in the Avast AntiTrack tool. However, since it shares code with AVG AntiTrack, the same vulnerabilities also applied to the latter. Specifically, the bugs affected all Avast AntiTrack versions prior to 1.5.1.172 and AVG AntiTrack versions below 2.0.0.178.
Upon discovering the flaws in August 2019, the researcher contacted Avast to report the matter. After continued communication in the following months, the vendor eventually patched the flaws, first releasing Avast AntiTrack 1.5.1.172 and then AVG AntiTrack 2.0.0.178 containing the patches. Avast has confirmed the existence and subsequent patching of the vulnerabilities while acknowledging the researcher in a separate advisory. As stated:
"Thanks to David for reporting these issues to us, the issues have been fixed, through an update pushed to all AntiTrack users."
Wednesday, 11 March 2020
Heads up, Zoho customers! A zero-day vulnerability exists in the Zoho platform that poses a serious security threat. A disgruntled researcher dropped the bug publicly on Twitter, and a patch isn't available yet.
Zoho Zero-Day Disclosed On Twitter
Reportedly, security researcher Steven Seeley dropped a Zoho zero-day vulnerability on Twitter. The bug exists in Zoho's ManageEngine Desktop Central. Exploiting it allows a remote attacker to execute arbitrary code. The researcher disclosed the bug publicly since Zoho did not heed their bug reports.
Elaborating on the vulnerability in a separate advisory, the researcher stated that exploiting the flaw requires no authentication. Regarding how the flaw affects the system, the advisory reads:
"The specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM."
The advisory deems the vulnerability critical, with a CVSS score of 9.8. The researcher also shared a PoC exploit for the flaw. The vulnerability has since received a CVE ID, CVE-2020-10189.
Patch Rolling Out Soon
Since the researcher disclosed the vulnerability publicly instead of following responsible disclosure, no patch is currently available. Hence, at present, the bug poses a threat to all users. Nonetheless, Zoho's Twitter team has promised to patch the bug shortly.
The ManageEngine Desktop Central has also officially acknowledged the existence of the bug in an advisory. They confirm that the flaw affects Desktop Central build 10.0.473 and earlier. While they are working on the patch, they have advised mitigation steps for the users. So, until a fix arrives, everyone must remain very careful considering the risk of abusing the publicly disclosed exploit.
A serious vulnerability existed in NordVPN's payment system. Exploiting the flaw required only an HTTP POST request, which exposed NordVPN users' details to anyone.
NordVPN Flaw Exposed Users' Details
Reportedly, NordVPN has patched a serious flaw that could have exposed users' details to others. First discovered by a bug bounty hunter, the vulnerability existed in their payment system. The researcher, using the alias foo bar on HackerOne, reported this vulnerability to NordVPN in December 2019. He found that sending an HTTP POST request without any authentication to join.nordvpn.com could let anyone view other users' data. Doing so was simple: the attacker could simply change the numbers in the id and user_id fields to get the details of other users. The vulnerability received a high-severity rating, with a score between 7 and 8.9.
Upon receiving the report, NordVPN not only patched the vulnerability but also awarded the researcher a $1000 bounty. Though it remains unclear whether NordVPN has notified its users about the flaw, they did confirm fixing the bug. As per the statement of Jody Myers, NordVPN spokesperson, to The Register:
"Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party."
Multiple Bugs Patched Since Bug Bounty Program
NordVPN announced the launch of its bug bounty program on HackerOne in October 2019. The announcement came after the company faced backlash over a security breach. Since then, NordVPN's HackerOne profile shows back-to-back vulnerabilities being reported and addressed. Around the same time as the above-referenced IDOR, NordVPN also fixed the absence of rate-limiting on their password reset feature.
Towards the end of February 2020, they also patched a critical-severity bug that violated users' privacy. Specifically, the flaw existed owing to potential reuse of an API key that could send connection information to a third-party service. For highlighting this bug, NordVPN awarded a $7,777 bounty to the researcher.
Monday, 9 March 2020
T-Mobile has once again made the news owing to a security incident. One more time, T-Mobile has suffered a data breach that exposed the personal and financial information of its customers. T-Mobile is presently notifying customers affected by this incident.
T-Mobile Data Breach
Reportedly, T-Mobile has once again suffered a data breach affecting numerous users. While it isn't clear how many users were affected, the extent of information exposed during the incident sounds huge. Specifically, the incident happened as a result of a malicious attack against their email vendors. As a result, the attackers could gain access to T-Mobile employee email accounts that included customers' information.
The news surfaced online after the carrier started notifying customers about a 'security event' it recently 'shut down'. These notifications differed by customer, based on the extent of information exposed. Customers who suffered only a breach of personal details were directed to the PII breach notice. For these customers, the affected information included names, addresses, phone numbers, government ID numbers, Social Security numbers, billing and account details, rate plans and features, and financial account data.
To other users, the firm forwarded a different security notice addressing the breach of account information. For these customers, the exposed data includes personal details such as names, contact numbers, addresses, account numbers, billing information, and rate plans and features, whereas their Social Security numbers and financial information remained unaffected.
What Next?
Following the incident, the telecom giant began notifying affected customers, though it assured that there has been no misuse of the exposed details so far. For users receiving the PII breach notice, T-Mobile has offered free credit monitoring and identity theft services for two years. However, for the other subset of affected users, the firm hasn't offered any such compensation.
This isn't the first time the company has suffered a security incident. In 2018, it twice made the news owing to data breaches. Let us know your thoughts in the comments.
Friday, 28 February 2020
Google has recently fixed numerous security bugs in its Chrome browser. These include two serious vulnerabilities as well as a zero-day flaw under active exploitation.
Chrome Zero-Day Under Exploit
Researcher Clement Lecigne of Google's Threat Analysis Group discovered a zero-day bug in the Chrome browser under active exploitation. The vulnerability, CVE-2020-6418, is a type confusion flaw in V8, the Chrome component that processes JavaScript code. Google labeled it a high-severity flaw in its advisory; what makes it serious is its exploitation in the wild. Google hasn't shared details about how the attackers are exploiting the bug, yet they confirm the zero-day is under attack.
Other than this zero-day, Google also revealed two other bugs in the Chrome browser. These are two high-severity bugs for which Google hasn't hinted at any active exploitation. One of these caught the attention of Google Project Zero's Sergei Glazunov; Google described it as an "Out of bounds memory access in streams" (CVE-2020-6407). The other vulnerability came to Google's attention after researcher André Bargull reported it. For this vulnerability, an integer overflow in the ICU component, the researcher was awarded a $5000 bounty.
Google Released Patches
Google has patched all three flaws and released fixes in the latest Chrome version, 80.0.3987.122. As the tech giant rolls out the updates, users must ensure their devices are updated to avoid any issues. This is particularly important considering the active exploitation of the zero-day.
The present zero-day marks the third major Chrome vulnerability that caught attackers' attention before a fix. The first of these (CVE-2019-5786) surfaced online in March 2019; attackers exploited this use-after-free flaw to target Windows 7. The second vulnerability, another use-after-free flaw (CVE-2019-13720), appeared online in November 2019.
The latest victim of an actively exploited zero-day vulnerability is the Taiwan-based firm Zyxel, which manufactures networking devices. Zyxel has addressed a critical zero-day vulnerability in some of its NAS devices that could allow remote code execution.
Zero-Day Vulnerability In Zyxel NAS Devices
The Taiwan-based technology firm Zyxel has made the news owing to a serious vulnerability in its network-attached storage devices. Alex Holden, founder of the security firm Hold Security, discovered a serious zero-day vulnerability in Zyxel NAS devices. As revealed in a blog post, Holden found that exploiting this vulnerability could allow a potential attacker to execute arbitrary code. Worryingly, the exploit required no user permission for code execution. The researcher also noticed active sales of the exploit code on the dark web, where ransomware gangs showed interest in the working exploit that the seller put up for $20,000.
CERT/CC has confirmed the presence of the vulnerability in its advisory. Regarding the details of the bug, the advisory reads:
"ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device."
While the web server doesn't run with root privileges, an attacker could achieve elevated privileges by abusing the setuid utility. Hence, remote code execution with root privileges would become possible.
Zyxel Patched The Flaw
Upon receiving alerts about the zero-day under attack, Zyxel worked swiftly to patch the flaw. They confirmed that the vulnerability, CVE-2020-9054, affected numerous devices including NAS326, NAS520, NAS540, and NAS542. While patches for these are available, users of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2 remain vulnerable, since these end-of-support devices won't receive the updates. The complete list of devices and hotfixes is available in Zyxel's advisory. Zyxel has recommended limiting access to vulnerable NAS devices and blocking access to the web interface as possible mitigations.
Monday, 6 January 2020
The social media craze TikTok has recently drawn negative attention from the United States military. In brief, the US Army has banned the TikTok app due to security concerns.
US Army Bans TikTok
Reportedly, the US Army has banned the Chinese social media application TikTok amidst security risks. According to Military.com, the Army has restricted soldiers from using the application, as it deems it a security threat. As Army spokesperson Lt. Col. Robin Ochoa told Military.com:
"It is considered a cyber threat… We do not allow it on government phones."
Earlier, Army recruiters used the app as a means to reach out to the youth. Though, amidst rising popularity, the app also attracted negative attention as people were concerned over security risks. In October 2019, Senators wrote a letter to the US Director of National Intelligence requesting a thorough review of the app. They mentioned in their letter:
"Security experts have voiced concerns that China's vague patchwork of intelligence, national security, and cybersecurity laws compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party."
The Senators, detailing various concerns, deemed TikTok a threat to US security:
"With over 110 million downloads in the U.S. alone, TikTok is a potential counterintelligence threat we cannot ignore."
Alongside the ByteDance-owned TikTok, the letters also demanded a review of other Chinese content platforms operating in the United States.
Ban Applicable On Government Phones Only
Though the Army has banned the use of TikTok, the ban applies only to government phones, so soldiers may still use it on their personal phones. However, the US Army has urged all soldiers using TikTok on personal phones to stay very cautious, especially when receiving unfamiliar messages.
This isn't the first move from the US military banning TikTok. In December 2019, the US Navy also prohibited personnel from using TikTok on government-issued phones. Violating the restriction threatened users with a block from the Navy Marine Corps Intranet. Let us know your thoughts in the comments.
While everyone was busy on New Year's Eve welcoming the calendar change, cybercriminals were busy "working". The evidence backing this statement came from the cyber attack on foreign currency exchange Travelex. Recently, Travelex confirmed that a malware attack hit its systems, following which its services went down.
Travelex Disclosed Malware Attack
Reportedly, the international foreign currency exchange service Travelex has emerged as the latest victim of a cyber attack. As experienced by users, and confirmed by the service, Travelex services went down following the malware attack. The exchange clearly described the incident as a 'malware' attack. Sharing its statement in a tweet, Travelex mentioned:
"Travelex confirms that a software virus was discovered on New Year's Eve which has compromised some of its services."
They also confirmed the shutdown of their services, which they did as a precaution:
"As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all our systems offline."
Though the exchange only stated that 'some' services were disrupted, the incident actually caused huge trouble for users. The attack potentially affected partnering businesses as well, such as Tesco Bank. The disruptions also caused severe problems for users withdrawing money.
Security Measures And Maintenance Underway
After the online services of Travelex went down, the company had to serve customers by providing exchange manually. They also engaged cybersecurity experts to resolve the matter. However, at the time of writing this article, the Travelex website is still down. While Travelex is still striving to restore its services, it assures that the incident did not affect customers' data. For any queries, customers can contact them via their official Twitter account, where they are actively responding.
Before Travelex, numerous other incidents affecting different businesses also surfaced online towards the end of 2019. Some of the affected services include the Poloniex cryptocurrency exchange, telemarketing firm The Heritage Company, IT service provider Synoptek, and a US maritime facility.
Saturday, 14 September 2019
Immediately after Mozilla announced its plan to soon enable 'DNS over HTTPS' (DoH) by default for Firefox users in the United States, Google today says it is planning an experiment with the privacy-focused technology in its upcoming Chrome 78.
Under development since 2017, 'DNS over HTTPS' performs DNS lookups—finding the server IP address of a certain domain name—over an encrypted HTTPS connection to a DNS server, rather than sending DNS queries in plaintext.
The protocol that sends DNS queries over secure HTTPS connections has specifically been designed to prevent miscreants from interfering with domain name lookups, eventually stopping network observers, including your ISPs and attackers, from figuring out what sites you visit.
Though the privacy-focused technology is also helpful in preventing attackers from redirecting unsuspecting visitors to phishing and malware sites, DNS over HTTPS could also bring its own new challenges to the enterprise security solutions by making it difficult to monitor network traffic for malicious activities.
For the same reason, two months ago, the UK Internet Services Providers' Association (ISPA) nominated Mozilla for "Internet villain of the year" award after the company added support for DoH protocol in its Firefox browser that breaks DNS-based content filters.
However, it should be noted that Firefox by default sets DoH server to Cloudflare and the setting needs to be changed manually, for which Mozilla has been criticized, whereas Google's implementation only upgrades to the equivalent DoH service from the same provider that a user is using.
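To make the "DNS lookup over HTTPS" mechanism concrete, here is an added example (written for this page, not code from the article, Google or Chrome) that encodes a DNS query in the RFC 8484 application/dns-message form DoH uses, builds the GET URL a client would fetch, and parses a reply. The resolver URL and the reply bytes are assumptions constructed for the example, so it runs offline.

```python
import base64
import struct

# Placeholder DoH endpoint (assumption; real resolvers publish their own URL).
DOH_ENDPOINT = "https://doh.resolver.example/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"  # Content-Type / Accept per RFC 8484


def build_dns_query(name, qtype=1, txid=0):
    """Encode an RFC 1035 wire-format query for `name` (qtype 1 = A record).
    RFC 8484 recommends a zero transaction ID so identical queries are
    byte-identical and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the wire query as base64url with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_response(msg):
    """Parse header, question and answers of a DNS reply body received over DoH.
    Returns {'rcode': int, 'question': str, 'answers': [(name, type, ttl, rdata)]};
    A records are rendered as dotted quads, other rdata as hex."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = _read_name(msg, 12)
    offset += 4  # skip QTYPE and QCLASS of the echoed question
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "question": qname, "answers": answers}


# Constructed reply (not captured from any real resolver): NOERROR answer for
# example.com with one A record 192.0.2.10 (TEST-NET-1), TTL 300, whose owner
# name is a compression pointer (0xC00C) back to the question at offset 12.
_QUERY = build_dns_query("example.com")
SAMPLE_RESPONSE = (
    _QUERY[:2]                                   # same transaction ID
    + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1 RD RA, 1 question, 1 answer
    + _QUERY[12:]                                # echoed question section
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)


def demo():
    """Return the GET URL a DoH client would fetch and the parsed sample answer."""
    url = doh_get_url(DOH_ENDPOINT, _QUERY)
    return url, parse_dns_response(SAMPLE_RESPONSE)


if __name__ == "__main__":
    url, parsed = demo()
    print("GET", url, "Accept:", DOH_MEDIA_TYPE)
    print(parsed)
```

Because the query travels inside an HTTPS request, an on-path observer sees only a TLS connection to the resolver, which is exactly why the same traffic is opaque to DNS-based content filters and monitoring.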
Enabling 'DNS over HTTPS' in Chrome 78
In a blog post published today, Google said the company will add its implementation of 'DNS over HTTPS' to the upcoming Chrome 78, which is due for beta release in the next two weeks, and will enable the feature for a fraction of users as an early experiment.
The experimental feature will automatically upgrade the DNS provider to the equivalent DoH service from the same provider if the user's current DNS provider is part of the list of known DoH-compatible providers. If not in the list, Chrome will continue to operate as it does today.
"In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged. It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe filtering," Google says.
Chrome 78 users who want to manually opt-in or opt-out of the experiment can change the flag settings at chrome://flags/#dns-over-https.
Chrome-Compatible 'DNS over HTTPS' Providers
Google says it has selected some DNS providers for "their strong stance on security and privacy, as well as the readiness of their DoH services" and their agreement to participate in the test. The list of providers currently includes:
- Cleanbrowsing
- Cloudflare
- DNS.SB
- OpenDNS
- Quad9
The experiment will run on all platforms for Chrome 78 users except Linux and iOS, with the goals to validate the company's "implementation and to evaluate the performance impact."
On Android 9 and later, if users have set a DNS-over-TLS (DoT) provider in the private DNS settings, Chrome may attempt to utilize DoH instead, but if an error occurred, the browser would fall back to the DoT setting.
For those unaware, though DoH and DoT are separate standards for encrypting DNS queries, the concept of both is the same.
What're your thoughts on Google's experiment of implementing DoH? Let us know in the comment section below.
Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer.
Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone's SSH password, from Intel's CPU cache.
Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel's DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.
The DDIO comes enabled by default on all Intel server-grade processors since 2012, including Intel Xeon E5, E7 and SP families.
According to the researchers [paper], the NetCAT attack works similarly to Throwhammer by solely sending specially crafted network packets to a targeted computer that has the Remote Direct Memory Access (RDMA) feature enabled.
RDMA enables attackers to spy on remote server-side peripherals such as network cards and observe the timing difference between a network packet that is served from the remote processor's cache versus a packet served from memory.
Here the idea is to perform a keystroke timing analysis to recover words typed by a victim, using a machine learning algorithm on the timing information.
"In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time you, the victim, type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet," explains the VUSec team.
"Now, humans have distinct typing patterns. For example, typing 's' right after 'a' is faster than typing 'g' after 's'. As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session."
"Compared to a native local attacker, NetCAT's attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%."
The VUSec team has also published a video, as shown above, demonstrating a method for spying on SSH sessions in real-time with nothing but a shared server.
NetCAT joins the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, Foreshadow, SWAPGS, and PortSmash.
In its advisory, Intel has acknowledged the issue and recommended that users either completely disable DDIO, or at least RDMA, to make such attacks more difficult, or otherwise limit direct access to the servers from untrusted networks.
The company assigned the NetCAT vulnerability a "low" severity rating, describing it as a partial information disclosure issue, and awarded a bounty to the VUSec team for the responsible disclosure.
Estonian-based web security startup WebARX, the company that is also behind the open-source plugin vulnerability scanner WPBullet and the soon-to-be-released bug bounty platform plugbounty.com, has a big vision for a safer web.
It built a defensive core for websites, which is embedded deep inside the company's DNA: even the ARX in its name refers to the citadel (the core fortified area of a town or city) in Latin.
WebARX, a web application security platform, allows web developers and digital agencies to get advanced website security integrated with every site, and makes it more effective and less time-consuming to manage security across multiple websites.
You can find reviews such as "WebARX - the Swiss army knife that secures my websites!", "The security software that I use every day," "Many Promise - WebARX Delivers" from their Trustpilot page, so where is all that coming from?
Serious Team With A Unique Focus
WebARX is solving a very specific problem—reducing the security risk from third-party components within web applications, or as its website states, "Protect websites from plugin vulnerabilities."
In fact, the latest studies show that 98% of security vulnerabilities within the WordPress ecosystem (which runs 35% of websites online) are related to plugins, which are intended to extend the functionality and features of a website.
Additionally, besides contributing to open source with WPBullet, the company is also planning to release the first open-source plugin bug bounty platform, plugbounty.com, in a few weeks.
Advanced Protection For Any PHP App Made Simple and Accessible
Lately, WebARX has gained a lot of popularity for its security platform. According to many, it's one of the most advanced solutions for modern websites built on WordPress or any other PHP-based content management system.
It takes less than a minute to add a site to the portal and activate monitoring and firewall.
WebARX protects sites from malicious traffic, unwanted bot requests, and prevents OWASP TOP 10 vulnerability exploitation.
As a managed service, WebARX actively keeps its firewall up to date with the latest threats. Virtual patches are applied automatically to prevent software-specific vulnerabilities, mostly found within components such as plugins and themes.
The firewall benefits from running on the endpoint and being component-agnostic.
Since WebARX runs on the site itself, it can't be bypassed the way DNS firewalls often are (when the server's IP address is leaked through DNS history, or when the server is misconfigured to accept traffic from sources other than the firewall).
With WebARX you have the freedom to create an unlimited number of custom firewall rules (matching anything within the HTTP protocol).
You can analyze and control the firewall among all your sites from the central cloud-based dashboard.
WordPress In the Center of Attention
WordPress, as the most popular content management system, has clearly received a lot of attention. According to some statistics, it already runs more than 35% of websites.
Attention is not always positive, and this has made WordPress a very attractive target for attackers.
Hundreds of thousands of websites are being abused to redirect traffic, host malware, and send out spam, and sites are even used as bots in botnets.
Victims are not chosen; most attacks are automated and target the software, not the company or the people behind the website.
WordPress security is an active topic. Just a week ago, a critical 'Backdoor Attack' warning was issued for 60 million WordPress users via Forbes.
WebARX is the All-in-One Solution For WordPress Sites
"A must for WordPress sites!" as one of its Trustpilot reviews states, WebARX has already gone a long way toward becoming the only WordPress security solution you need.
It's always good to keep the number of components/plugins low while having all the security and hardening options available for every site.
Some of the options WebARX includes:
- WAF with virtual patches and an unlimited number of custom rules.
- Advanced firewall management and analytics.
- Central, easy to use cloud-based security portal.
- Up-time, Blacklist, Domain/SSL expiration, and plugin vulnerability monitoring.
- 2FA for any site and each user.
- ReCAPTCHA implementation for forms.
- Brute-force/XML-RPC protection.
- Automatic off-site backups to Google Drive.
- Customizable cookie notice bar.
- User activity logging.
- Cloud-based plugin management (remote updating).
- Cloud-based hardening.
- Multi-site support.
- And much more…
WebARX is currently celebrating its birthday, and a 50% discount is offered for a limited time.
Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.
Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.
What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.
S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.
Since S@T Browser contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device, the software offers an execution environment to run malicious commands on mobile phones as well.
How Does Simjacker Vulnerability Work?
Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.
- Retrieving the targeted device's location and IMEI information,
- Spreading misinformation by sending fake messages on behalf of victims,
- Performing premium-rate scams by dialing premium-rate numbers,
- Spying on victims' surroundings by instructing the device to call the attacker's phone number,
- Spreading malware by forcing the victim's phone browser to open a malicious web page,
- Performing denial of service attacks by disabling the SIM card, and
- Retrieving other information like language, radio type, battery level, etc.
"During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain.
"The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However, the Simjacker attack can, and has been, extended further to perform additional types of attacks."
"This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute."
Though the technical details, detailed paper, and proof-of-concept of the vulnerability are scheduled to be released publicly in October this year, the researchers said they had observed real attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.
According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.
Simjacker Vulnerability Being Exploited in the Wild
Researchers say the Simjacker attack worked so well and was successfully exploited for years "because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences."
Moreover, now that this vulnerability has publicly been revealed, the researchers expect hackers and other malicious actors will try to "evolve these attacks into other areas."
"Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks," said Cathal McDaid, CTO of AdaptiveMobile Security, in a press release.
"It's a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries."
Saturday, 31 August 2019
While you would expect cybersecurity and IT firms to provide customers with adequate online security measures, these firms themselves remain vulnerable to various security threats too. Recently, the cybersecurity firm Imperva disclosed a security breach that affected customers of its Cloud WAF.
Imperva Revealed Security Breach
In a recent security notice, the popular cybersecurity firm Imperva revealed a security breach. The incident impacted customers of its Cloud WAF product, previously known as ‘Incapsula’. As disclosed, the company learned of the breach recently from a third party. It discovered the incident on August 20, 2019, when it found that data of some customers had been exposed. The company found that the incident impacted a database through September 15, 2019. The exposed information from the database includes email addresses and hashed and salted passwords. For a subset of customers, exposed details also included customer-provided SSL certificates and API keys. The company assured that the impact of the incident remained confined to the Cloud WAF product only.
Security Measures Taken
Upon noticing the breach, Imperva began implementing appropriate security measures. These steps include engaging forensic experts and global regulatory agencies, activating its internal data security response team, and forcing password rotations in Cloud WAF. In addition, it has informed the customers affected by the incident about the breach, and advises them to take the necessary steps to stay protected. The security best practices Imperva advised all users to follow include resetting Cloud WAF user passwords, enabling two-factor authentication, enabling Single Sign-On (SSO), uploading new SSL certificates, and resetting API keys. Recently, the web hosting company Hostinger also confessed to a breach.
The incident allegedly affected 14 million customers, exposing the victims’ personal information and hashed passwords. Let us know your thoughts in the comments.
Monday, 20 May 2019
While bugs and vulnerabilities breaching users’ privacy are a growing problem, a recent Twitter iOS bug inadvertently breached the privacy of some iOS users. The vulnerability led to the sharing of users’ location data with a third party.
Twitter iOS Bug Breached User Privacy
As disclosed by Twitter in a security notice, the firm inadvertently breached the privacy of some iOS users due to a vulnerability. The Twitter iOS bug caused accidental sharing of users’ location data with a ‘trusted partner’. Twitter has openly accepted the glitch; as stated in its advisory,
“You trust us to be careful with your data, and because of that, we want to be open with you when we make a mistake.”
Twitter then went on to say that an application bug caused inadvertent collection and sharing of users’ location data. It happened only in cases where users had more than one account with different privacy settings and used both of them on the Twitter for iOS app.
“If you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature.”
Twitter confirmed that the glitch only caused the collection and sharing of location data; the users’ Twitter account details did not reach the partner. Additionally, Twitter ‘fuzzed’ the location data shared, reducing its precision to city level (5 km squared) or zip codes so that it would not allow any location mapping.
Twitter Takes Up The Matter For Resolution
Upon noticing the bug, Twitter began working to fix the matter. It confirms in its advisory that the data shared with the partner no longer exists.
“We have confirmed with our partner that the location data has not been retained… It only existed in their systems for a short time, and was then deleted as part of their normal process.”
Besides, Twitter also confirms that it has patched the vulnerability, and that it has notified the people affected by this incident. Twitter further invites all users to review their privacy settings to remain safe.
“We invite you to check your privacy settings to make sure you’re only sharing the data you want.”
This report marks the second incident of a Twitter vulnerability. In January, the firm patched a flaw in the Twitter Android app that publicly exposed users’ private tweets.
Monday, 13 May 2019
A critical security vulnerability in ISPsystem software put nearly 10,000 installations at risk. Exploiting the vulnerability could allow an attacker to hijack a web session of another logged-in user. The vulnerability allegedly affected all ISPsystem products.
Critical ISPsystem Software Vulnerability Discovered
The Check Point Research team has discovered a critical security vulnerability in ISPsystem software. According to their findings, the vulnerability could allow an attacker to hijack the web session of a logged-in user, and subsequently compromise websites and virtual machines and steal data.
Describing their discovery in a blog post, they explained that the vulnerability threatened the integrity of all ISPsystem products, including ISPmanager, DCImanager, VMmanager, BILLmanager, IPmanager, COREmanager, and DNSmanager.
As elaborated in the post, the server sets a session cookie for an authenticated user. A potential attacker could hijack a logged-in web session by recovering the correct 6-byte hex-encoded cookie value through the session cookie generator algorithm.
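The following added Python example (not ISPsystem's code; the patched generator is not described on this page) contrasts a session cookie produced by a non-cryptographic PRNG seeded from a coarse value, which is deterministic and, at 6 bytes, only 48 bits wide, with the pattern a reviewer should expect: a 32-byte value from the OS CSPRNG, held server-side only as a hash. The seed and user names are constructed, and `MIN_SESSION_BITS` is an assumed policy floor.

```python
"""Predictable vs. unpredictable session identifiers.

Added example for this article; it is not ISPsystem's code and does not
reproduce the patched generator. The seeds and user names are constructed.
"""
import hashlib
import random
import secrets

WEAK_BYTES = 6          # 48-bit value, the cookie width described in the article
STRONG_BYTES = 32       # 256-bit value from the OS CSPRNG
MIN_SESSION_BITS = 128  # assumed policy floor a reviewer should expect for session ids


def weak_session_id(seed):
    """The insecure pattern: a non-cryptographic PRNG seeded from something
    coarse (a login timestamp, a counter). The same seed yields the same
    cookie, so the value is recoverable instead of secret."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * WEAK_BYTES).to_bytes(WEAK_BYTES, "big").hex()


def strong_session_id():
    """The expected pattern: 32 bytes from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(STRONG_BYTES)


def session_id_bits(token_hex):
    """Upper bound on the entropy of a hex session id (4 bits per character)."""
    return 4 * len(token_hex)


def meets_policy(token_hex):
    """Reviewer check: is the id at least MIN_SESSION_BITS wide?"""
    return session_id_bits(token_hex) >= MIN_SESSION_BITS


class SessionStore:
    """Server side: keep only a hash of each issued id, so a leaked session
    table cannot be replayed as cookies, and look sessions up by that hash."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(token_hex):
        return hashlib.sha256(bytes.fromhex(token_hex)).hexdigest()

    def create(self, user):
        token = strong_session_id()
        self._by_hash[self._key(token)] = user
        return token

    def lookup(self, token_hex):
        try:
            return self._by_hash.get(self._key(token_hex))
        except ValueError:  # not valid hex: malformed cookie, treat as no session
            return None


if __name__ == "__main__":
    # Constructed seed: two logins in the same second get the same weak cookie.
    print("weak:", weak_session_id(1556000000), "==", weak_session_id(1556000000))
    store = SessionStore()
    sid = store.create("alice")  # constructed user name
    print("strong:", sid, "bits:", session_id_bits(sid), "policy:", meets_policy(sid))
    print("lookup:", store.lookup(sid), "/ unknown:", store.lookup(strong_session_id()))
```

The weak generator is what a 6-byte cookie recoverable through its generator algorithm looks like in practice: the width is small and the output is a pure function of the seed. The fix is not a longer seed but a different source (`secrets`), a wider token, and a store that never holds the raw value.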
ISPsystem Fixed The Bug
Upon finding the vulnerability in the ISPsystem software, the researchers promptly notified the vendor. They confirm that ISPsystem support responded quickly to their report and fixed the bug.
So, the vulnerability that affected roughly 11,000 ISPsystem installations has been patched in software version 5.178.2. The vendor released the fix in November 2018; anyone running a software version older than 5.178.2 must update to a newer version to stay protected from possible cyber threats.
ISPsystem is a comprehensive, user-friendly software suite offering various functionalities. It facilitates managing websites and web servers, VPS (virtual private servers), dedicated servers, and billing and payment services. As stated on its website, ISPsystem has clients in around 150 countries. Popular hosting providers using its products include King Servers, 1Cloud, and Ru-Center.
Take your time to comment on this article.
Saturday, 4 May 2019
Another huge data leak has caught the attention of researchers. However, this one differs from the usual incidents in that the source of the leaky database remained unidentified. Besides, the information exposed here does not belong to some company’s employees or users; rather, it links back to 80 million US households.
Records Of 80 Million US Households Exposed
Researchers from VPNMentor have spotted another leaky database exposing a huge amount of records. The database allegedly exposed details of roughly 65% of US households. However, the leaked data does not include financial or contact details.
As disclosed in their blog post, the researchers stumbled upon a publicly accessible database that exposed personally identifiable information of around 80 million households. Considering that each house may have more than one person, the actual number of individuals affected by the incident could reach hundreds of millions.
The source of this 24GB database remained unidentified. Nonetheless, they found the database was hosted on a Microsoft cloud server.
Regarding the type of information included, the researchers noticed that the data exclusively belongs to the United States. It only included information about people 40 years of age and above. The researchers could find no records of people younger than age 40.
The exposed data included details such as the households’ full addresses (including street addresses and zip codes), exact latitude and longitude, complete names of individuals, their age, birth dates, marital status, gender, homeowner status, dwelling type, and income.
Fortunately, the data did not include other sensitive details such as the policy numbers, account numbers, Social Security numbers, or payment types.
Researchers Request Assistance To Identify Database Owners
The duo Noam Rotem and Ran Locar discovered this data while continuing their web mapping project. In most cases the researchers succeed in tracing the owners of a leaky database, but this time they couldn’t identify the owner. As stated in their blog,
“This time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.”
Considering the presence of income of the people and the restriction of the data to a certain age group, they suspect it might belong to some healthcare, insurance, or mortgage firm.
“The only real hint that this database belongs to some kind of service is that “member_code” and “score” each appear in every entry.”
So they asked the public to help them identify the source, so that they could inform the database owners.
According to Microsoft’s statement, it identified the owner and informed them of the matter.
“We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured.”
Later on, they confirmed that the database no longer remained online.
Take your time to comment on this article.
Friday, 3 May 2019
Google has been in the news for cracking down on numerous apps in its Play Store. This time, however, the operation targets a specific developer: Google has banned an app developer and removed their apps for ad fraud and other violations of Google policies.
Google Bans App Developer From Play Store
As revealed by BuzzFeed, Google banned an app developer from China for large-scale ad fraud. The developer not only conducted ad fraud but also violated other Google policies. The Chinese app developer DO Global, partly owned by the Chinese internet giant Baidu, had a huge user base with 600 million downloads.
The ad fraud first came to light in a BuzzFeed report published a couple of weeks ago. The reporters exposed the malpractices of DO Global, a Chinese developer. Their investigation revealed how the developer collected users’ information through its apps and sent the data to China. Most of its apps concealed their links to the developer, showing generic publisher names, which is again a violation of Google policies.
BuzzFeed and Check Point also exposed at least six different apps from the developer involved in ad fraud.
“At least six of DO Global’s apps, which together have more than 90 million downloads from the Google Play store, have been fraudulently clicking on ads to generate revenue, and at least two of them contain code that could be used to engage in a different form of ad fraud.”
Check Point named the campaign ‘PreAMo’, after the three ad agencies involved: Presage, Admob, and Mopub.
Considering these malpractices, Google has removed around 46 apps from the developer and is also hinting at an overall ban. According to a Google spokesperson,
“We actively investigate malicious behavior, and when we find violations, we take action, including the removal of a developer’s ability to monetize their app with AdMob or publish on Play.”
Developers Accepted Google’s Decision
While there have been numerous instances in the past where Google removed certain apps from the Play Store due to malicious activities, a crackdown against a developer is rare. Google justified its action by citing the developer’s multiple violations of its policies.
In a statement to BuzzFeed, DO Global apologized and accepted Google’s decision.
“We regret to find irregularities in some of our products’ use of AdMob advertisements. Given this, we fully understand and accept Google’s decision.”
Take your time to comment on this article.