The European Commission has publish their 2018 Digital Economy and Society Index (DESI), which uses data from 2017 and 2018 to reveal the United Kingdom’s progress toward the EU’s Digital Agenda goals (e.g. NGA 30Mbps+ broadband for all by 2020). This year we remain ranked 7th out of 28 member states. In case anybody has […]
Read more here:: ISPreview
As a man dies from an exploding vape pen, we ask how dangerous are the devices?
Read more here:: BBC News – Technology
Fortunately, patches exist for both vulnerabilities in question, but if an unpatched Windows system suffers infection from this PDF exploit, all bets are off.
Read more here:: Avast
Two firms have closed this month, citing changes in airline policies on carrying batteries.
Read more here:: BBC News – Technology
The site published images of people taken by police after arrest and asked for cash to remove them.
Read more here:: BBC News – Technology
For many companies, GDPR has become a four-letter acronym.
The European Union’s new General Data Protection Rule – which applies to virtually any kind of data that can be used to identify a person – goes into effect May 25. And companies around the world are rushing to make sure they’re in compliance, or at least can demonstrate that they’re hard at work trying to meet the EU demands.
GDPR is designed to protect personal privacy, (hopefully) make companies more secure from data breaches and force them to get their collective hands around all the data they collect, use and distribute.
Read more here:: IT news – Security
The rental site will report homeowners’ income to the Danish tax authorities in the first deal of its kind.
Read more here:: BBC News – Technology
We’ve seen two attempts at a hybrid mechanical/membrane keyboard so far: Logitech’s G213 Prodigy with its “mech-dome” switch and Razer’s Ornata with its “mecha-membrane.” And I would’ve been happy if that were it, forever. Neither was that great, and it’s hard to convince me to buy an “upscale” membrane keyboard when true mechanical keyboards are so cheap these days. (Shoot, our favorite budget mechanical keyboard, Razer’s Blackwidow X Tournament Edition, is just $70.)
Read more here:: IT news – Hardware Systems
In April 2018, Kaspersky Lab published a blogpost titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices. This activity is located mostly in Asia (South Korea, Bangladesh and Japan) based on our telemetry data. Potential victims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofed Facebook or Chrome that is then installed manually by users. The application actually contained an Android Trojan-Banker.
Soon after our publication it was brought to our attention that other researchers were also focused on this malware family. There was also another publication after we released our own blog. We’d like to acknowledge the good work of our colleagues from other security companies McAfee and TrendMicro covering this threat independently. If you are interested in this topic, you may find the following articles useful:
In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.
In our previous blogpost we mentioned that a user attempting to connect to any websites while using a hijacked DNS, will be redirected to malicious landing pages on the rogue server. The landing page displays a popup message that corresponds to the language settings of the device and which urges the user to download a malicious apk file named ‘facebook.apk’ or ‘chrome.apk’.
Kaspersky Lab confirmed several languages hardcoded in the HTML source of the landing page to display the popup message.
The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese.
But, of course, this multilingualism is not limited to the landing page. The most recent malicious apk (MD5:”fbe10ce5631305ca8bf8cd17ba1a0a35″) also was expanded to supports 27 languages.
The landing page and malicious apk now support the following languages:
We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator.
Previously, this criminal group focused on Android devices only. They have apparently changed their monetizing strategy since then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’:
A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.
The phishing site steals user ID, password, card number, card expiration date and CVV. The HTML source of the phishing site also supports 25 languages.
The supported languages are almost the same as on the landing pages and malicious apk files – only Bengali and Georgian are missing from the phishing site.
Looking at the HTML source code of the landing page, we also discovered a new feature: web mining via a special script executed in the browser. More details about web miners can be found in our blogpost ‘Mining is the new black‘.
Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser.
Older malicious apk samples include a legitimate website, accounts and a regular expression for retrieving the real C2 address, which the malware connects to by using a web socket. This process for obtaining its C2 changes in more recent samples, further described below:
| MD5 | f3ca571b2d1f0ecff371fb82119d1afe | 4d9a7e425f8c8b02d598ef0a0a776a58 | fbe10ce5631305ca8bf8cd17ba1a0a35 |
| Date | March 29 2018 | April 7 2018 | May 14 2018 |
| File name | chrome.apk | facebook.apk | $random_num{8}.apk |
| Legitimate web | http://my.tv.sohu[.]com/user/%s | https://www.baidu[.]com/p/%s/detail | n/a |
| n/a | n/a | @outlook.com | |
| Accounts | 329505231 329505325 329505338 |
haoxingfu88 haoxingfu12389 wokaixin158998 |
haoxingfu11 haoxingfu22 haoxingfu33 |
| RegExp |
"<p>([u4e00-u9fa5]+?)</p>s+</div>" |
"公司</span>([u4e00-u9fa5]+?)<" |
“abcd” |
| Encrypted dex | assetsdb | assetsdata.sql | assetsdata.sql |
| Encoding | Base64 | Base64 + zlib compression | Base64 + zlib compression |
Older samples retrieved the next C2 by accessing the legitimate website, extracting a Chinese string from a specific part of the HTML code, and decoding it. This scheme has been changed in the recent sample. Instead of using HTML protocol, it now uses email protocol to retrieve the C2.
The malware connects to an email inbox using hardcoded outlook.com credentials via POP3. It then obtains the email subject (in Chinese) and extracts the real C2 address using the string “abcd” as an anchor.
The old and new decoding functions are exactly the same.
We decoded the following next stage C2 servers:
Kaspersky Lab observed that the previous malicious apk (MD5:f3ca571b2d1f0ecff371fb82119d1afe) had 18 backdoor commands to confirm victims’ environments and to control devices.
According to our analysis, the recent malicious apk (MD5:fbe10ce5631305ca8bf8cd17ba1a0a35) now implements 19 backdoor commands: “ping” was added.
The backdoor commands in the recent sample are as follows:
This additional command calls the OS ping command with the IP address of the C2 server. By running this, the attackers validate the availability of the server, packet travel time or detect network filtering in the target network. This feature can also be used to detect semi-isolated research environments.
Roaming Mantis uses a very simple detection evasion trick on the malicious server. It entails the landing page generating a filename for the malicious apk file using eight random numbers.
Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes. This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.
However, the malicious apk still contains a loader inside ‘classes.dex’ and an encrypted payload inside ‘assetsdata.sql’ that are identical to those in the previous variants. For security researchers, we have added MD5 hashes of the decrypted payloads without hashes of the whole apk files in the IoC of this report, as well as a few full apk hashes that were uploaded to VirusTotal.
Since our first report, Roaming Mantis has evolved quickly. The update history shows how rapidly the threat has been growing:
The actors behind it have been quite active in improving their tools. As seen in the graph below, which shows the unique detected user counts per day according to KSN data, the count increased on May 5. That date is very close to the update date of the new features on the landing pages.
Kaspersky Lab products detect Roaming Mantis’s malicious apk files as ‘Trojan-Banker.AndroidOS.Wroba’. Below is the data from Kaspersky Security Network (KSN) based on the verdict ‘Trojan-Banker.AndroidOS.Wroba.al’ from May 1 to May 10, 2018.
It’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India bore the brunt. According to data gathered between February 9 and April 9, the unique user count was 150. It’s worth mentioning that the most recent data shows more than 120 users of Kaspersky Lab products were affected in just 10 days.
Also, it’s important to note that what we see in the KSN data is probably a tiny fraction of the overall picture. There are two reasons for that:
The Roaming Mantis campaign evolved significantly in a short period of time. The earliest report of this attack was made public by researchers from McAfee in August 2017. At that time, the Roaming Mantis distribution method was SMS and there was one target: South Korea. When we first reported this attack in April 2018, it had already implemented DNS hijacking and expanded its targets to the wider Asian region.
In our report of April this year, we called it an active and rapidly changing threat. New evidence shows a dramatic expansion in the target geography to include countries from Europe, the Middle East and beyond by supporting 27 languages in total. The attackers have also gone beyond Android devices by adding iOS as a new target, and recently started targeting PC platforms – the landing page PC users are redirected to is now equipped with the Coinhive web miner.
The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.
The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.
For our previous findings, please refer to the Securelist post Roaming Mantis uses DNS hijacking to infect Android smartphones.
Kaspersky products detect this malware as:
Kaspersky Lab products block the Coinhive web miner for PC.
Malicious hosts:
Malicious apks:
classes.dex:
Decrypted payload (dex file) from assetsdata.sql:
Read more here:: Securelist
Since its launch in 2013, Telegram has grown in popularity in the secure messaging category (its developers claim the app has over 200 million users), but with controversy. In addition to technical questions about how safe it truly is for users counting on it to keep their messaging activity private, the app has been in the news for political reasons throughout the first half of 2018. The governments of Iran and Russia have banned Telegram for thwarting them from accessing communications conducted on the app by their citizens and others inside their countries.
Read more here:: IT news – Security
Buying a processor for a gaming rig isn’t as hard as it used to be. Now that AMD’s Ryzen and Intel’s 8th-gen CPUs debuted with more performance and cores than ever before, it’s hard to buy a stinker these days—especially since most games favor graphics firepower over CPU oomph. But all that said, there are specific chips that stand out from the horde as the best gaming CPUs due to their price, performance, or nifty extras.
Whether you’re on a budget or willing to pay for sheer face-melting speed, these are the best CPUs for gaming PCs that you can buy.
Read more here:: IT news – Hardware Systems
Continuing our quest for robust, enterprise-grade open source network monitoring, we tested Icinga Core 2 (version 2.8.1) and the stand-alone Icinga Web 2 interface. Created in 2009 as a fork of the Nagios network monitoring tool, Icinga has come a long way.
We found Icinga to be a powerful monitoring tool with many great features. The Core install is straightforward and basic monitoring is easy with either pre-configured templates or plugins. However, we discovered that the Web install is a bit more complicated and could stand to be streamlined.
Icinga runs on most of the popular Linux distros and the vendor provides detailed installation instructions for Ubuntu, Debian, Red Hat (including CentOS and Fedora) and SUSE/SLES. Icinga does not publish specific hardware requirements, but our installation ran well on a quad-core processor with 4 GB RAM and this is probably be a good starting point for a basic installation.
Read more here:: IT news – Networking
The firm at the centre of the Facebook data row has filed legal papers that will see it wound up.
Read more here:: BBC News – Technology
BBC Click’s Emily Bates looks at some of the best technology news stories of the week.
Read more here:: BBC News – Technology
Next week a change in UK advertising guidelines will mean that broadband ISPs need to start promoting “average download speeds” (a MEDIAN measured at peak time 8-10pm) on their public packages (details). But a new study by Which? suggests that some may end up over estimating their averages. The consumer magazine claims to have conducted […]
Read more here:: ISPreview