Yearly Archives: 2018

Apple Launches New Privacy Portal – You Can Download A Copy Of Everything Apple Knows About You

Apple has today launched a new Data and Privacy website that allows Apple users to download everything Apple associates with their account, from Apple ID details, App Store activity and AppleCare history to data stored in iCloud such as photos and documents. It is currently only available for European Union accounts, to comply with GDPR, and will roll out worldwide in the coming months.

How To Download A Copy Of Your Data

To obtain a copy of your data, log in to privacy.apple.com.

Select the Get started link under the ‘Obtain a copy of your data’ heading.

You can then tick the boxes for the categories of data you want to download, or press ‘Select All’ to pick everything. iCloud Photos, Mail and Drive are listed separately because this data may be exceptionally large. Then press Continue.

After selecting the categories you’ll be asked how large each archive should be (1GB, 2GB, 5GB, 10GB or 25GB), then hit Complete Request. You’ll be emailed once the archives are ready to download.

It can take up to a week to prepare the downloads. Apple notifies you when the data is ready to download, and it is automatically deleted after 2 weeks.

Apple’s site also gives further details on how to amend your data and make any changes.



AnyDesk Bundled with New Ransomware Variant

Trend Micro recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH) that drops and executes the legitimate remote-access tool AnyDesk alongside its malicious payload. This isn’t the first time malware has abused such a tool: TeamViewer, which has more than 200 million users, was abused by an earlier ransomware that used the victim’s connections as a distribution method.

In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.

Although the specifics of how RANSOM_BLACKHEART enters the system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites.

Once downloaded, RANSOM_BLACKHEART drops and executes two files:

  • %User Temp%\ANYDESK.exe
  • %User Temp%\BLACKROUTER.exe

Trend Micro believe bundling AnyDesk with the ransomware might be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk runs in the affected system’s background, masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer’s developers have acknowledged its abuse and have included some anti-malware protection in some of their tools.

Screenshot of the ransom note




GDPR-inspired Phishing Scams

The imminent arrival of the new EU General Data Protection Regulation (GDPR) has gifted scammers with a new hook for sending phishing emails.

Many internet users are now receiving emails from organisations that they have online dealings with, explaining the new regulations and asking them for permission to carry on storing their information.

Scammers have taken advantage of this to send fake GDPR-themed emails in an attempt to spread malware or steal personal data.

Apple customers, for example, have been sent a link advising them that their accounts had been “limited” due to unusual activity and then asking them to update their security information.

Users are then directed to a fraudulent webpage where they are asked to input security information. Once this has been completed, users are then directed back to a legitimate Apple web page.

The scammers also used Advanced Encryption Standard (AES) encryption when directing users to the page they controlled, bypassing anti-phishing tools embedded in some antivirus software.

GDPR comes into effect on 25th May 2018, so the scammers have a short window in which to use GDPR as cover for their activities.




Sky Now Showing 4K HDR Content In Italy – Is The UK Next?

Sky Italia recently started broadcasting TV shows and films in 4K HDR for Sky Q users based in Italy, and we think that UK customers are next in line for the upgrade.

Back in February of this year Sky promised that an HDR update was on its way, but it is yet to confirm when this might happen.

What Is 4K HDR?

HDR or High Dynamic Range is the latest revolution in the TV tech world that’s shaking up colour definition in a big way.

Whereas HD and 4K technology upped the number of pixels in our TVs, HDR takes things to a whole new level. Offering 64 times more colour than standard 4K screens, 4K HDR TV is all about bringing more vivid colour to your screen.



The Xbox Adaptive Controller [Pictures Included!]

Microsoft has unveiled a new Xbox and Windows 10 controller that lets people with disabilities plug in the assistive aids they already own to play games.

It has been welcomed by charities and gamers, as it allows those with limited mobility to use their own buttons, joysticks and switches to mimic a standard controller, so they can play any videogame.

This allows them to choose which assistive aid will make the character jump, run or shoot, for example, without relying on pressing specific buttons on the controller that came with the Xbox.






cURL FTP Shutdown Response Buffer Overflow Remote Code Execution Vulnerability [CVE-2018-1000300]

CVE Number – CVE-2018-1000300

A vulnerability in cURL could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a heap-based buffer overflow that can occur when the affected software closes an FTP connection after receiving long server command replies. An attacker could exploit this vulnerability by persuading a user to send a request to an attacker-controlled server. If successful, the attacker-controlled server could return a malicious FTP shutdown response that triggers the heap-based buffer overflow, which the attacker could use to execute arbitrary code.

The cURL Project has confirmed the vulnerability and released software updates.

Analysis

  • To exploit this vulnerability, an attacker may use misleading language and instructions to persuade a user to send a request to an attacker-controlled server.

Safeguards

  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements

Fixed Software

  • The cURL Project has released software updates at the following link: cURL 7.60.0
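A quick way to check whether a host is carrying the fixed release named above is to parse the banner that `curl --version` prints. The following is an added example, not code from the cURL Project; the sample banner is constructed, and it treats anything older than 7.60.0 as unpatched because that is the only version the advisory gives.

```python
import re

# Fixed release named in the advisory; anything older is treated as unpatched.
FIXED_VERSION = (7, 60, 0)

# Constructed sample of the first line printed by `curl --version` (not taken
# from any real host); only the leading version and the libcurl/ token matter.
SAMPLE_BANNER = "curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11"

_VERSION_RE = re.compile(r"^\s*curl\s+(\d+)\.(\d+)\.(\d+)")
_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_banner(banner):
    """Return (tool_version, libcurl_version) from a `curl --version` banner.

    The FTP code lives in libcurl, so the libcurl/ token decides exposure; the
    tool version is returned too because the two differ when the binary is
    linked against a shared library that was updated (or not) separately.
    """
    first_line = banner.splitlines()[0] if banner else ""
    tool = _VERSION_RE.match(first_line)
    if not tool:
        raise ValueError("not a curl --version banner")
    tool_v = tuple(int(x) for x in tool.groups())
    lib = _LIBCURL_RE.search(banner)
    lib_v = tuple(int(x) for x in lib.groups()) if lib else tool_v
    return tool_v, lib_v


def is_patched(banner, fixed=FIXED_VERSION):
    """True when the linked libcurl is at or above the fixed release.
    Caveat: distributions backport fixes without bumping the version, so
    treat a negative result as a prompt to check the vendor's advisory."""
    _, lib_v = parse_curl_banner(banner)
    return lib_v >= fixed


def report(banner):
    """One-line human-readable verdict for an inventory or scan report."""
    tool_v, lib_v = parse_curl_banner(banner)
    state = "patched" if lib_v >= FIXED_VERSION else "UNPATCHED (upgrade libcurl)"
    return f"curl {'.'.join(map(str, tool_v))} / libcurl {'.'.join(map(str, lib_v))}: {state}"
```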





Pivotal Software Spring Security OAuth Authorization Request Remote Code Execution Vulnerability [CVE-2018-1260]

CVE Number – CVE-2018-1260

A vulnerability in Pivotal Software Spring Security OAuth could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to improper validation of user-supplied input processed by the affected software. An attacker could exploit the vulnerability by sending an authorization request that submits malicious input to the targeted authorization endpoint. An exploit could allow the attacker to execute arbitrary code on the targeted system when the resource owner is forwarded to the approval endpoint.

Pivotal Software has confirmed the vulnerability and released software updates.

Analysis

  • To exploit this vulnerability, an attacker must make an authorization request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards

  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  • Administrators are advised to monitor affected systems.

Vendor Announcements

Fixed Software





Google And Microsoft Find New Strain Of Spectre And Meltdown [Variant 3a & 4]

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

CVE-2018-3639 – Speculative Store Bypass (SSB) – known as Spectre Variant 4 or SpectreNG

Security researchers at Google and Microsoft have found new variants of the Spectre security flaw that was first reported back in January this year.

To exploit either of these vulnerabilities, an attacker must be able to run crafted code or scripts on an affected device.

Security researchers identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems.

Intel worked closely with other technology companies and several operating system and system software vendors, developing an industry-wide approach to mitigate these issues promptly.

To fix the problem, Intel has released beta microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by blocking Speculative Store Bypass from occurring. Intel hopes most major operating system and hypervisors will add support for Speculative Store Bypass Disable (SSBD) starting as early as May 21, 2018.

Description:

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4

  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

  • Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Additional Information

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:

  • Variant 1: Bounds Check Bypass – CVE-2017-5753
  • Variant 2: Branch Target Injection – CVE-2017-5715
  • Variant 3: Rogue Data Cache Load – CVE-2017-5754
  • Variant 3a: Rogue System Register Read – CVE-2018-3640
  • Variant 4: Speculative Store Bypass – CVE-2018-3639

Patches For Variant 3a & 4

Links to vendor information, with the date each was added:

  • AMD – May 21, 2018
  • ARM – May 21, 2018
  • Intel – May 22, 2018
  • Microsoft – May 21, 2018
  • Redhat – May 21, 2018





Fake Amazon Emails From amzo.co.uk Domain

We have had quite a few fake Amazon e-mails this week, so we thought we would share them with you. This one uses the amzo.co.uk domain. Its aim is to get you to click on a link to cancel your Amazon Prime subscription; the link is https://bit[.]ly/2GybeVV, which uses the bit.ly service, a genuine redirector site.

The text of the e-mail says:

This email confirms the Amazon Prime subscription: #725-3256097-54775

Product Name: Amazon Prime

Order Number: 5418886

Receipt Date: 05/21/2018

Payment Method: Amazon Account Membership

Price: 179.00 GBP

The subscription period will automatically renew unless you turn it off no later than 24 hours before the end of the current period. To cancel auto-renewal or manage your subscriptions, click below and sign in. If you did not initiate this purchase, we recommend that you go to:

At the time we checked, the URL redirected to an IP address that did not load (see image below), but the spammers can change this to a valid link at any time.





Google Chrome Malware – Malicious Software Can Steal Your Saved Credit Card Payment Details [Vega Stealer]

Recently, Proofpoint observed a campaign targeting Marketing/Advertising/Public Relations and Retail/Manufacturing industries with a new malware called Vega Stealer. The malware contains stealing functionality targeting saved credentials and credit cards in the Chrome and Firefox browsers, as well as stealing sensitive documents from infected computers. Vega is a variant of August Stealer with only a subset of its functionality as well as several important new features.

Vega Stealer also takes a screenshot of the infected PC and scans the system for any files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx or .pdf to exfiltrate.

Proofpoint is urging users to be on the lookout for suspicious emails that may suddenly pop up in their inbox.

Vega Stealer communicates with a hardcoded C&C server over HTTP.

The best way to protect yourself from malware like this is to approach all attachments with caution: if you don’t know where one came from, it’s better to ignore it.

Domains And IPs To Block

hxxp://46.161.40[.]155