Emotet Malware Will Include Credit Card Theft In Attacks

If you’re involved in information security in any capacity, you’re probably quite familiar with the infamous Emotet botnet.  It’s one of the most dangerous and prolific botnets out there and it is a dire threat to organizations of all sizes.

The bad news is that the botnet is still being actively enhanced and is gaining new capabilities at regular intervals.

Most recently, its developers have added a new credit card stealing module that is designed to harvest saved credit card information stored in Google Chrome profiles.

Once it harvests information (name on the card, card number, security code, and expiration month and year), the malicious code will send that data to a command-and-control server controlled by the Emotet group.

The new capabilities were discovered by researchers at Proofpoint, and they reported being somewhat surprised that the new module was designed specifically to target Chrome users.  No other browsers are impacted by it.

Emotet has a fascinating history.  It first hit the internet in 2014 and when it first appeared, it was a simple banking trojan.

A concerted law enforcement effort nearly destroyed the botnet, taking it offline when officers pulled the plug on most of the botnet’s infrastructure.

Things were quiet for several months, but then in November 2021, Emotet returned like a malicious phoenix and has been causing trouble for IT professionals around the world ever since.

Controlled by the TA542 threat group, also known as Mummy Spider, it can be used to deliver any number of second-stage payloads, which makes it incredibly dangerous.

This is one malware you will have to stay on the alert for.  There’s no telling what new features the threat group will add next, and you may find yourself in Mummy Spider’s crosshairs.

Medical Service Provider Data Breach Affects 2 Million Users

Depending on where you live, you may have received medical care from the Shields Health Care Group (Shields), or from a provider associated with them.

If so, be aware that the Massachusetts-based medical provider specializing in PET/CT scans, MRIs, radiation oncology, and ambulatory surgical services has been hacked.

The unknown hackers gained access to their network and stole data relating to more than 2 million users.

According to the breach notification that the company published on their website, Shields first became aware of the attack on March 28th of this year (2022).  Immediately after, they retained the services of third-party cybersecurity specialists, engaging them to assist in determining the scope and scale of the incident.

While that investigation is ongoing, here’s what we know so far:

A currently unknown group attacked the network and gained access from March 7 to March 21, 2022.

Consequently, they were able to steal database records of more than two million users, which included the following information:

  • User full name
  • Social security number
  • User date of birth
  • User home address
  • Provider information
  • Patient diagnosis
  • Billing information
  • Insurance number and related information
  • Medical Record Number
  • Patient ID
  • And other assorted treatment information

This is serious: more than enough data was exfiltrated to allow the hackers to steal people’s identities.  Whether they do it themselves or sell the information on the Dark Web remains to be seen. Either way, if your information was stolen in this breach, you are very much at risk.

If you’re not sure, it’s worth your time to head to the Shields website.  There, you’ll find a complete listing of all the impacted medical facilities.  If you received treatment from any facility on the list, be on the alert and watch your credit and banking statements closely.

Beware New Windows Vulnerability With Remote Search Window Access

You may not know the name Matthew Hickey, but you should thank him for a recent discovery that could save you a lot of grief.

Hickey is the co-founder of a company called Hacker House.  He recently discovered a flaw that could allow for the opening of a remote search window simply by opening a Word or RTF document.

This newly discovered zero-day vulnerability is about as serious as it gets.

Here’s how it works:

A specially crafted Word or RTF document is created which, when opened, automatically launches a “search-ms” URI, which in turn opens a Windows Search window.

This window lists executable files on a remote share, and the share can be given any name the attacker desires, such as “Critical Updates” and the like. That would naturally prompt an unsuspecting user to click a file name to run that file.

Naturally, clicking the file name wouldn’t do anything other than install malware, which is exactly what the hackers are trying to do.

Although not quite as dangerous as the MS-MSDT remote code execution security flaw, this one is still incredibly serious. Even worse, there is not currently a patch that will make your system safer.

The good news, however, is that there are steps you can take to minimize your risk.

If you’re worried about this security flaw, here’s what you can do:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg”.
  • Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”.
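The three steps above wrapped into one script, as an added example that is not from the original article: it checks that the key is still present, refuses to delete unless the backup succeeded, and adds a restore path for when a patch arrives. The registry key and backup file name are the article’s; the script name disable-search-ms.bat is an assumption.

```batch
@echo off
REM Added example (not from the article): back up, remove, or restore the
REM search-ms: protocol handler key. Run from an elevated Command Prompt.
REM   usage:  disable-search-ms.bat          (back up, then remove the handler)
REM           disable-search-ms.bat restore  (re-import the saved backup)
setlocal
set "KEY=HKEY_CLASSES_ROOT\search-ms"
set "BACKUP=%USERPROFILE%\search-ms.reg"

if /i "%~1"=="restore" goto restore

REM Nothing to do if the search-ms: handler is already gone
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not present; the search-ms: handler is already disabled.
    exit /b 0
)

REM Export first so the change is reversible; refuse to delete if that fails
reg export "%KEY%" "%BACKUP%" /y >nul
if errorlevel 1 (
    echo Backup to "%BACKUP%" failed; leaving the key in place.
    exit /b 1
)

reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo Could not delete %KEY%. Are you running as Administrator?
    exit /b 1
)
echo Removed %KEY%. Backup saved to "%BACKUP%".
exit /b 0

:restore
if not exist "%BACKUP%" (
    echo No backup found at "%BACKUP%"; nothing to restore.
    exit /b 1
)
reg import "%BACKUP%"
if errorlevel 1 exit /b 1
echo Restored %KEY% from "%BACKUP%".
exit /b 0
```

Deleting this key disables the search-ms: handler system-wide, not only for Office documents, which is why the backup and restore path matter once an official fix is available.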

Kudos to the sharp eyes of Matthew Hickey for first spotting this flaw.  We can only hope when the next zero-day rears its head, researchers like Mr. Hickey will be there to help point them out and show us how to defeat them.

Some Carrier Embedded Android Apps May Have Security Vulnerabilities

Recently, Microsoft reported high severity security vulnerabilities in multiple apps offered by large international mobile service providers.  What makes this especially noteworthy is the fact that these vulnerabilities aren’t app specific, but framework specific.  Many carriers use the same basic framework to construct their apps and now all have been found to contain vulnerabilities.

The vulnerabilities discovered to this point are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, respectively.

The framework is owned by a company called mce Systems.  All of the vulnerabilities involve command injection and privilege escalation.  Carriers with impacted apps include AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

Members of the Microsoft 365 Defender team had this to say about the issue:

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers.

All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

This is a problem with a truly vast scope.  Just counting downloads from the Google Play Store, the number runs into the millions.  Add to that the instances pre-installed on phones sold by the carriers above, and the scope and scale are simply mind-boggling.

If there’s a silver lining to be found, it lies in the fact that all the vendors who have had apps impacted by this issue have already issued updates to fix the problem.

If you have a phone sold to you by any of the providers above, check all your installed apps and make sure you’re running the latest versions.  Better safe than sorry.

Millions Of MySQL Server Users’ Data Found On The Internet

Do you maintain a MySQL server?  If so, you’re certainly not alone.  What you may not know is that, according to research conducted by The Shadowserver Foundation (a cybersecurity research group), there are literally millions of MySQL servers visible on the internet that shouldn’t be. In all, the group found more than 3.6 million MySQL servers visible on the web and using the default port, TCP port 3306.

The group noted that it did not check the level of access possible or the exposure of specific data. The fact remained that the server itself was visible, and that alone was a security risk, regardless of any other factors.

The United States led the world in terms of total number of exposed servers, with just over 1.2 million, but there were also substantial numbers to be found in Germany, Singapore, the Netherlands, and China.

The group broke its scan down in much more detail and granularity in its report.

Here are the highlights:

  • Total exposed population on IPv4: 3,957,457
  • Total exposed population on IPv6: 1,421,010
  • Total “Server Greeting” responses on IPv4: 2,279,908
  • Total “Server Greeting” responses on IPv6: 1,343,993
  • 67 percent of all MySQL services found are accessible from the internet

And here’s the bottom line:  An exposed MySQL server has serious security implications that can lead to a catastrophic data breach that sees a company lose control of proprietary data or sensitive customer data.

In addition to that, it can give hackers an easy inroad to plant a wide range of malware on your network, allowing them to siphon data from you in real time and over an extended period. They can also wholesale encrypt your files and demand a hefty ransom to regain access.

None of those outcomes are good for your company, so if you’ve got a MySQL server, check to be sure it’s properly secured today.