source: cnet.com

Your new HP laptop may be recording everything you do on it.

That is the warning issued Thursday by Swiss security researcher ModZero, which discovered an audio driver installed on several HP laptops contains a keylogger-type feature that secretly records every keystroke entered into the computer to an unencrypted file on the computer's hard drive.

The driver, developed by audio chip maker Conextant, is loaded on more than two dozen models of HP laptops and tablets, including the HP Elitebook , ProBook and ZBook models.

The stored keystroke data would likely include records of passwords, websites visited and private chat messages. Anyone with access to the computer using the driver would also have access to that information and other sensitive information, regardless of whether they were authorized to see the data.

The driver in question includes an executable file for controlling audio hardware when a user presses special keys. However, the software includes a debugging feature that sends all keystrokes through a debugging device or deposits them to a log file in a public directory on the hard drive.

ModZero said the log file is overwritten every time the computer is booted up.

Contextant didn't immediately respond to a request.

HP said it was aware of the issue but had no access to customer data as a result of it.

"Our supplier partner developed software to test audio functionality prior to product launch and it should not have been included in the final shipped version," HP said in a statement, adding that fixes are available via HP.com.

 

 source: darkreading.com

The Persirai IoT botnet, which targets IP cameras, arrives hot on the heels of Mirai and highlights the growing threat of IoT botnets.

 

Researchers at Trend Micro have discovered a new Internet of Things (IoT) botnet that leaves than 120,000 Internet Protocol (IP) cameras vulnerable to attack.

The botnet, dubbed Persirai, was discovered targeting more than 1,000 different models of IP cameras. Persirai hits IoT devices a few months after the Mirai botnet, which wreaked havoc by compromising DVRs and CCTV cameras to fuel a massive DDoS attack in October 2016.

The researchers uncovered Persirai when they found four command and control (C&C) servers and explored the vulnerabilities associated with them, explains Jon Clay, global director of threat communications at Trend Micro.

In analyzing the malware, they found it was targeting IP cameras. Using the Shodan tool, they spotted more than 120,000 devices exposed on the public Internet. IP cameras are visible targets for IoT malware because they usually use the Universal Plug and Play (UPnP) open network protocolsThe most notable difference between Mirai and Persirai is that Mirai used brute-force login attempts to steal credentials, and Persirai uses a zero-day vulnerability made public months ago. Attackers exploiting this vulnerability can get the password file from the user, which gives them access to the device.

After they get into the victim camera, the attacker can use it to perform a DDoS attack on other computers with User Datagram Protocol (UDP) floods, as described on the Trend Micro blog. The threat actor can provide an IP address in the port where they want to launch the DDoS attempt, and target any IP in the world.

The compromised camera can be used to discover other victims, which can be infected using the same zero-day vulnerability. From there, they can continue stealing password files and securing the ability to perform command injections and continue the spread of malicious code.

Researchers found affected IP cameras report to C&C servers using the .IR country code, which is managed by an Iranian research institute. They also discovered special Persian characters used by the malware author. However, this does not indicate the attacker is Iranian.

Clay says the use of this zero-day vulnerability indicates Persirai will continue to be a threat. Interestingly, the malware erases itself once the target machine has been infected, and will only run in memory. This makes it tougher to detect code once it's gone.

source: securityweek.com

Security experts expressed alarm Friday over a fast-moving wave of cyberattacks around the world that appeared to exploit a flaw exposed in documents leaked from the US National Security Agency.

The attacks came in the form of ransomware, a technique used by hackers that locks a user's files unless they pay the attackers in bitcoin.

The scope of the attacks was not immediately clear, amid varying estimates from security researchers. But the malware was linked to attacks on hospitals in Britain as well as the Spanish telecom giant Telefonica and was also spreading in other countries.

The malware's name is WCry, but analysts were also using variants such as WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r.

Microsoft released a security patch earlier this year for the flaw, but many systems have yet to be updated, researchers said.

Researcher Costin Raiu of the Russian-based security firm Kaspersky said in a tweet, "So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast."

Jakub Kroustek of Avast said on Twitter the security firm had detected "36,000 detections of #WannaCry (aka #WanaCypt0r aka #WCry) #ransomware so far. Russia, Ukraine, and Taiwan leading. This is huge."

Kaspersky said the malware was released in April by a hacking group called Shadow Brokers which claimed to have discovered the flaw from the NSA.

In the United States the package delivery giant Fedex acknowledged it was hit by malware after one researcher cited the company as a target.

"Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware," the company said in a statement.

"We are implementing remediation steps as quickly as possible."

source:  thecipherbrief.com

Hackers exploiting malicious software stolen from the National Security Agency executed damaging cyberattacks on Friday that hit dozens of countries worldwide, forcing Britain’s public health system to send patients away, freezing computers at Russia’s Interior Ministry and wreaking havoc on tens of thousands of computers elsewhere.

The attacks amounted to an audacious global blackmail attempt spread by the internet and underscored the vulnerabilities of the digital age.

Transmitted via email, the malicious software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met.

By late Friday the attacks had spread to more than 74 countries, according to security firms tracking the spread. Kaspersky Lab, a Russian cybersecurity firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa.

The attacks appeared to be the largest ransomware assault on record, but the scope of the damage was hard to measure. It was not clear if victims were paying the ransom, which began at about $300 to unlock individual computers, or even if those who did pay would regain access to their data.