Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords




A newly uncovered trojan malware campaign is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information and to create a persistent backdoor onto compromised systems.

The Jupyter infostealer has been detailed by cybersecurity company Morphisec, which discovered it on the network of an unnamed higher education establishment in the US. The trojan is thought to have been active since May this year.

The attack primarily targets Chromium, Firefox, and Chrome browser data, but also has additional capabilities for opening up a backdoor on compromised systems, allowing attackers to execute PowerShell scripts and commands, as well as the ability to download and execute additional malware.

The Jupyter installer is disguised in a zipped file, often using Microsoft Word icons and file names that look like they need to be urgently opened, pertaining to important documents, travel details or a pay rise.

If the installer is run, it installs legitimate tools in an effort to hide the real purpose of the installation: downloading a malicious installer into a temporary folder and running it in the background.
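A triage check for the kind of disguised archive described above, added here as an illustration and not Morphisec's tooling: it opens a zip (constructed in memory for the demo; the entry names and contents are made up and contain no real malware) and flags members whose name looks like a document but whose content starts with a Windows PE header, plus the related double-extension lure. The extension lists are assumptions for the demo.

```python
import io
import zipfile

# File extensions a user expects to open in a document viewer
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
# Extensions Windows will execute on double-click
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs", ".msi"}


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for archive members that look like lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with archive.open(info) as member:
                is_pe = member.read(2) == b"MZ"   # DOS/PE executable magic
            if exts and exts[-1] in DOCUMENT_EXTENSIONS and is_pe:
                findings.append((info.filename, "document extension but PE executable content"))
            elif len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "double extension hides an executable"))
            elif exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "bare executable inside archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one genuine-looking document and two lure entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("travel_itinerary.pdf", b"%PDF-1.4 constructed placeholder")
        z.writestr("Salary_Increase_URGENT.docx.exe", b"MZ" + b"\x00" * 62)
        z.writestr("Important_Document.doc", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```

A file with a Word icon but executable content trips the first rule even when its extension has been left as a document type; a real pipeline would also check the entries Windows hides by default, such as a ".exe" suffix concealed by the "hide extensions" setting.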

Once fully installed on the system Jupyter steals information including usernames, passwords, autocompletes, browsing history and cookies and sends them to a command and control server. Analysis of the malware showed that whoever created it constantly changes the code to collect more information while also making it harder for victims to detect.

It isn’t clear what the exact motive for stealing the information is, but cyber criminals could use it to gain additional access to networks for further attacks – potentially stealing highly sensitive data – or they could sell login credentials and backdoor access to systems to other criminals.

The researchers believe that Jupyter originates from Russia. Not only did analysis of the malware reveal that it connected to command and control servers in Russia, but a reverse image search of the picture of the planet Jupiter in the infostealer’s admin panel traced the original to a Russian-language forum. The name in that image is also spelled Jupyter, likely a Russian-to-English misspelling of the planet’s name.

While many of the command servers are now inactive, the admin panel is still live, suggesting that Jupyter campaigns may not be finished yet.




Google Cloud: We do use some SolarWinds, but we weren’t affected by mega hack




Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from the vendor SolarWinds, but says its use was “limited and contained”.

Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.

The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft’s source code and many more.

But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when hacks have undermined trust in known software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 2020 FY financial results on Tuesday, February 2. 

“Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blogpost.

“We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”

Venables also shared some top tips that Google uses to protect itself and customers from software supply chain threats. This particular attack exposed how connected the entire software industry is, and how vulnerable the ecosystem is because of assumptions built into the systems that are used to receive updates from known and trusted suppliers. 

Hackers breached SolarWinds and planted malware inside software updates for Orion, which offered a beachhead from where attackers could move within networks of companies and government agencies. 

Researchers at CrowdStrike last week revealed a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack.

Other organizations affected by this breach included the Department of Health’s National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), the US Department of State, the National Nuclear Security Administration (NNSA), the US Department of Energy (DOE), several US state governments, and Cisco, Intel, and VMware.

According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes. 

“Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says. 

He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.  

“We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that include proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.

“We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”

Google also verifies that software is built and signed in an approved isolated build environment from properly checked-in code that has been reviewed and tested.

The company then enforces these controls during deployment, depending on the sensitivity of the code. 

“Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.  

Finally, Google ensures that at least one person beyond the author provably reviews code and configuration changes submitted by its developers.   

“Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
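As an added illustration of the deploy-time gate described above (this is not Google’s code and is not taken from Venables’ post): the isolated builder signs a provenance record, and the deployment policy admits a binary only if the signature verifies, the builder is on the approved list, the binary digest matches the signed build output, the source was checked in, someone other than the author reviewed it, and tests passed. The HMAC key, builder name, author and reviewer names are constructed placeholders; a real system would use an asymmetric signature with a key held outside the build host.

```python
import hashlib
import hmac
import json

# Constructed, hypothetical values standing in for a real signing key and a
# real builder identity. Not a real secret.
BUILDER_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
APPROVED_BUILDERS = {"isolated-builder-prod"}


def sign_provenance(provenance: dict, key: bytes = BUILDER_SIGNING_KEY) -> str:
    """The approved builder signs a canonical encoding of its provenance record."""
    payload = json.dumps(provenance, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def admit_binary(binary: bytes, provenance: dict, signature: str) -> tuple[bool, str]:
    """Deploy-time policy: every check must pass or the binary is not run."""
    if not hmac.compare_digest(sign_provenance(provenance), signature):
        return False, "provenance signature invalid"
    if provenance["builder"] not in APPROVED_BUILDERS:
        return False, "built outside the approved isolated environment"
    if hashlib.sha256(binary).hexdigest() != provenance["binary_sha256"]:
        return False, "binary does not match the signed build output"
    if not provenance["source_checked_in"]:
        return False, "source was not checked in"
    if not set(provenance["reviewers"]) - {provenance["author"]}:
        return False, "no reviewer other than the author"
    if not provenance["tests_passed"]:
        return False, "tests did not pass"
    return True, "admitted"


def demo() -> tuple[bool, bool, bool]:
    """Genuine build, a binary altered after signing, and a self-reviewed change."""
    genuine = b"constructed release binary"
    prov = {
        "builder": "isolated-builder-prod",
        "binary_sha256": hashlib.sha256(genuine).hexdigest(),
        "source_checked_in": True,
        "author": "alice",
        "reviewers": ["bob"],
        "tests_passed": True,
    }
    sig = sign_provenance(prov)
    ok_genuine, _ = admit_binary(genuine, prov, sig)
    # Bytes that differ from what the approved builder signed are rejected
    ok_tampered, _ = admit_binary(genuine + b" + extra bytes", prov, sig)
    # A change only the author "reviewed" is rejected even with a valid signature
    self_reviewed = dict(prov, reviewers=["alice"])
    ok_self, _ = admit_binary(genuine, self_reviewed, sign_provenance(self_reviewed))
    return ok_genuine, ok_tampered, ok_self


if __name__ == "__main__":
    print(demo())
```

If the build environment itself is compromised it can sign whatever it produces, so this gate is only as strong as the builder isolation and the checked-in, reviewed source feeding it.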


iOS 14.4 kicks off crackdown on non-genuine iPhone cameras




iOS is already flagging non-genuine batteries and displays, and now it seems that iOS 14.4 will add non-genuine cameras to the list.

According to reports by MacRumors, and confirmed by ZDNet, iOS 14.4 developer beta 2 now throws up an error message when it detects a non-genuine camera fitted to an iPhone.

The message, which reads “Unable to verify this iPhone has a genuine Apple camera,” can be dismissed and does not seem to affect the use or operation of the camera.

This appears to be yet another step forward (or backward) by Apple, as it continues its fight against user-repairable iPhones.

Interestingly, according to tech repair site iFixit, cameras can now be swapped between iPhone 12 units without any problems. However, before you start celebrating that, iFixit believes that Apple will soon start flagging as non-genuine any camera replacement that has not been followed up by running Apple’s proprietary, cloud-linked System Configuration app.

This basically means that this warning will be present any time a repair is not carried out by Apple or an Apple Authorized Service Provider.

Is this a money-making ploy by Apple? In response to US politicians investigating anti-competitive practices asking about repair revenue, Apple responded that “each year since 2009, the costs of providing repair services has exceeded the revenue generated by repairs.”

However, according to iFixit’s Kay-Kay Clapp, “there’s no way to fact check Apple’s accounting on repairs because of the vagaries of revenue reporting.”

“Knowing how much we pay for parts and the general labor costs of the repair industry, it seems unbelievable that they’re not making money from repair services.”


Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency




The Scottish Environment Protection Agency (SEPA) has confirmed that it was hit by a ransomware attack last month and is continuing to feel the impact.

SEPA’s contact centre, internal systems, processes and internal communication have all been affected by the attack, which hit on Christmas Eve. The organisation, which is Scotland’s government regulator for protecting the environment, has also confirmed that 1.2GB of data has been stolen as part of the attack – including personal information relating to SEPA staff.

Despite the ransomware attack, SEPA’s ability to provide flood forecasting and warning services, as well as regulation and monitoring services, has continued.

But while the infected systems have been isolated, SEPA’s latest update on the ransomware attack says that recovery will take a “significant period” and that a number of systems will “remain badly affected for some time” with entirely new systems required. SEPA has blamed the ransomware attack on “serious and organised” cyber criminals.

“Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre, have now confirmed the significance of the ongoing incident,” said Terry A’Hearn, Chief Executive of SEPA.

“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

While the organisation itself hasn’t confirmed what form of ransomware it has fallen victim to, the cyber-criminal group behind Conti ransomware has published what it claims to be data stolen from the Scottish government agency.

Stealing data has become increasingly common for ransomware gangs. They use the stolen data to double down on attempts at extortion by threatening to leak the information if the victim doesn’t give in to the ransom demand of hundreds of thousands, or even millions, of dollars in bitcoin in exchange for the decryption key.

SEPA hasn’t yet detailed how cyber criminals were able to break into the network to deploy ransomware and the investigation into the incident is still ongoing.

“We are aware of this incident affecting the Scottish Environment Protection Agency and are working with law enforcement partners to understand its impact,” an NCSC spokesperson told ZDNet.

Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and cyber criminals show no signs of slowing down ransomware campaigns because, for now at least, ransomware gangs are still successfully extorting large payments out of victims.


UK police warn of sextortion attempts in intimate online dating chats




As politicians play whack-a-mole with COVID-19 infection rates and try to balance the economic damage caused by lockdowns, stay-at-home orders have also impacted those out there in the dating scene. 

No longer able to meet up for a drink, a coffee, or now even a walk in the park, organizing an encounter with anyone other than your household or support bubble is banned and can result in a fine in the United Kingdom — and this includes both dates and overnight stays. 

Therefore, the only feasible option available is online connections, by way of social networks or dating apps. 

Dating is hard enough at the best of times but sexual desire doesn’t disappear just because you are cooped up at home. Realizing this, a number of healthcare organizations worldwide have urged us not to contribute to the spread of COVID-19 by meeting up with others for discreet sex outside of our social bubbles, bringing new meaning to the phrase, “You are your safest sex partner.”

This doesn’t mean, however, that we’ve abandoned the search in the time of a pandemic; instead, dating apps — such as Tinder, eHarmony, and the new Quarantine Together — are signing up users in record numbers. 

Apps and chats over Zoom, however, can only go so far and after you’ve made your way through remote small talk, what’s next?

If you’re not careful, it’s blackmail. 

In a recent case documented by the UK’s Thames Valley police, a sextortion scam started innocently enough: a young man was contacted over Facebook by a woman who wanted to video chat. 

They talked twice online and the woman asked him to show off his body. While no “intimate” acts took place in the first online session, the police say, the second chat was another story — and the intimate footage he provided was then covertly recorded by the scam artist. 

She then told her victim that their online session had been recorded and demanded £200 ($270) on pain of it being sent to all of his family and friends, now available to her through the Facebook connection. 

The man refused, but over the next two hours, he received over 100 demands for payment. Eventually, he appeared to cave in — but instead blocked her and deactivated all of his accounts before contacting law enforcement. 

Thames Valley asks for us to “not do anything silly” online, but this case — as it goes, a small fish in a large phishing pond and one in which the young man escaped from the net — still highlights how careful we need to be now about sharing intimate footage or allowing the opportunity for it to be taken online without our permission. 

Sextortion is not a new concept, and unfortunately, the internet has provided a lucrative arena for people trying to extort money, sexual acts, services, or images from others. Some of the most common forms of sextortion are:

  • Phishing emails: Messages claim to have seen your web history or pornographic website visits, and may also say that ‘hackers’ accessed your webcam and recorded you. 
  • Phishing emails containing known passwords: The same, but with the addition of passwords used by you to access online accounts that may have been leaked in a data breach to try and appear more legitimate.
  • Revenge porn: Threats to release intimate photos or videos online, sometimes by ex-partners or other people you know. 
  • Internet of Things: Nest and Ring devices have been compromised to recycle old tactics and convince victims that hackers have illicit recordings of them. 

Emotional triggers are the key: humiliation, fear, worry of friends, family, or co-workers finding out or viewing footage, and the concern of the future impact such material could have on your life. 

A report conducted by Thorn and the Crimes Against Children Research Center (CCRC) estimates that in 45% of cases where a perpetrator has access to sensitive material, they will carry out their threat. 

After all, it’s not them who face humiliation.

With this in mind, it’s time to reconsider just what risks we are comfortable taking online, lockdown or not. Sextortion can be devastating but there’s no guarantee that a scammer will delete footage they have obtained after you’ve paid up — and may simply demand more and more from you.

“Anybody who is threatened with this type of blackmail by an online contact is advised to contact the police and should refuse to send the scammer any money,” commented Ray Walsh, Digital Privacy Expert at ProPrivacy. “Once a scammer knows that a victim is willing to pay they will only double down and ask for more. For this reason, it is vital that you contact the police and refuse to pay.”
