Search Marquis malware easily bypasses built-in Mac defenses

Back when malware authors were busy carving up the Windows PC landscape, the Mac was a godsend for the average security-minded user. That status quo has shifted, and so has the cybercrime arena. Over the past few years, threats targeting macOS have spiked: adware, rogue "optimizers", ransomware and crypto-miners have gone from marginal to commonplace on a platform that was once considered safe. Worse, some of these strains survive major system security updates and the built-in malware countermeasures for a very long time. A prolific browser hijacker called Search Marquis is a prime example of such a threat.

This malicious code shows its fangs by repeatedly redirecting the victim's web sessions in Safari, Chrome and Firefox to searchmarquis.com. From there, the traffic bounces through interstitial domains such as searchbaron.com, nearbyme.io and r.a9g.io before it finally lands on Bing. Odd as it may sound, Microsoft's search engine has featured in similar browser manipulation schemes for quite a while, probably because it makes a good red herring: a legitimate landing page hides everything that happened before the victim reached it, including the ad networks in the middle of the chain that fund the Search Marquis operators.


Online extortionists going after HPE iLO interfaces

Internet threat actors are constantly diversifying their attack mechanisms and targets. Extortion no longer boils down to attacking individual computers or enterprise IT networks. In a recent brazen move, a group of hackers has been targeting HPE iLO 4 interfaces. iLO stands for Integrated Lights-Out, a proprietary out-of-band management technology from Hewlett Packard Enterprise that lets administrators access and manage supported HPE servers remotely. The admin logs in with a regular web browser to tweak settings or do maintenance, for instance reboot the server or view its current status, independently of the operating system installed on it.

Security analysts have stumbled upon incidents where attackers replaced the HPE iLO 4 login screen with a ransom note titled "Security Notice: Basic principles of Data Anonymization". It claims that the server's hard disk has been encrypted with RSA-2048 and that the victim needs the private key to decrypt the data. To obtain it, the victim is instructed to contact the attacker at 15fd9ngtetwjtdc@yopmail.com and follow the steps provided in the reply. Ultimately, recovery comes down to paying 2 BTC (about $19,000 at the time) to the crooks' Bitcoin address. Two caveats for anyone who finds this note: it is the attackers' assertion, not proof that any data was actually encrypted, and a management interface whose login page a stranger could rewrite was reachable from the Internet, which iLO is not designed for. It belongs on an isolated management network.


The New Wave of MongoDB Attacks – Bigger Than Before

IT specialists warn that extortion attacks on misconfigured MongoDB servers have resumed.

The first wave of MongoDB attacks was observed in late 2016, when dozens of criminal groups hacked vulnerable MongoDB servers. They later went after Elasticsearch, Hadoop, CouchDB, Cassandra and MySQL as well.

The criminals would wipe all data from the databases and demand a ransom from the server owners. Importantly, the ransom demand was a bluff: because the attackers deleted everything during the attack rather than copying it, they could not have returned the data even if paid. The only real recovery path was a backup kept somewhere the attackers could not reach.

This week the extortionists stepped up again. Although the number of attackers is small compared with the cases seen at the beginning of the year, the new criminal groups involved are operating on a grander scale, and the new attacks cause far more damage. For example, whereas in winter the criminals compromised around 45,000 databases per month, the Cru3lty group alone wiped 22,449 databases in a single week.
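The misconfiguration these crews were scanning for is a mongod that listens on every interface while authorization is left off. The following Python script is an added example, not code from any of the reports summarized above; it audits a mongod.conf for exactly that combination, going slightly beyond the text by also handling the bindIpAll switch and the version-dependent default when bindIp is absent. The two configurations it checks are constructed samples, and the parser covers only the simple indented key: value subset of YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for the exposure behind the 2016-2017 MongoDB ransom
attacks: a server reachable on all interfaces with no authentication.

Added example for this post; not tooling from the reports it summarizes.
The sample configurations below are constructed, not captured from a victim.
"""

from typing import Any, Dict, List, Optional, Tuple


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the indentation-based 'key: value' subset of YAML used by
    mongod.conf (nested maps only; no lists, anchors or multi-line scalars)."""
    root: Dict[str, Any] = {}
    # Stack of (indent, mapping) so deeper indentation nests under its parent.
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # climb back out of deeper maps
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested map
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get_path(conf: Dict[str, Any], dotted: str) -> Optional[str]:
    """Look up 'net.bindIp' style paths; None if any component is missing."""
    node: Any = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings for an exposed, unauthenticated mongod; [] if clean."""
    conf = parse_simple_yaml(text)
    bind_ip = get_path(conf, "net.bindIp")
    bind_all = get_path(conf, "net.bindIpAll")
    auth = get_path(conf, "security.authorization")
    findings: List[str] = []

    # Before MongoDB 3.6 an unset bindIp meant "listen on all interfaces",
    # which is the state most of the wiped servers were in; 3.6+ defaults to
    # localhost.  Treat "unset" as exposed so the audit errs on the safe side.
    listens_everywhere = (
        bind_ip is None
        or bind_ip in ("0.0.0.0", "::", "0.0.0.0,::")
        or (bind_all or "").lower() == "true"
    )
    auth_enabled = (auth or "").lower() == "enabled"

    if listens_everywhere:
        findings.append("net.bindIp: listening on all interfaces (value: %s)" % bind_ip)
    if not auth_enabled:
        findings.append(
            "security.authorization: not 'enabled' (value: %s); any client that can "
            "connect may read, drop and create collections" % auth
        )
    if listens_everywhere and not auth_enabled:
        findings.append("EXPOSED: unauthenticated mongod reachable from every attached network")
    return findings


# Constructed sample: the configuration the extortion crews were finding.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere
"""

# Constructed sample: listen locally and require authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (name, audit_mongod_conf(conf) or ["no exposure found"]))
```

Binding to localhost is only the first step; a server that must accept remote clients should bind to the specific management address, keep authorization enabled, and sit behind a firewall rule that limits port 27017 to the application hosts.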
