Security News

All-in-one malware out, GovPayNow drops the ball on security, and more

Avast Security News Team, 21 September 2018

All-in-one malware poses as ransomware, new cold-boot attack steals while your PC sleeps, 14 million government records leaked, and Newegg suffers a crack.

All-in-one super malware hits the internet

A self-propagating malware mashup has been found lurking online. Called Xbash, the all-in-one malware is thought to be made by the crime syndicate Iron Group and combines botnet, ransomware, disk-wiper, cryptojacker, and worm features.

Xbash gains entry by attacking weak passwords and unpatched vulnerabilities in services and protocols such as HTTP, VNC, MySQL, Memcached, MariaDB, FTP, Telnet, PostgreSQL, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, CouchDB and phpMyAdmin. Once inside, the worm deletes the targeted database and leaves a ransom note in a database named ‘PLEASE_READ_ME_XYZ’ with instructions to deposit 0.02 Bitcoin into the attacker’s account.

However, cybersecurity researchers discovered that Xbash never backs up the database. Similar to NotPetya, the worm is destructive malware posing as ransomware. The attackers simply walk away with their victim’s money without reinstating their database(s). So far, 48 victims are known to have paid $6,000 in ransom.

“This is a threat specifically designed to target companies,” adds Luis Corrons, Security Evangelist at Avast. “And the fact that only the Linux version has been seen in the wild certifies it. The threat is really dangerous as it deletes the contents of the databases attacked, with no real recovery option other than backup.”
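The two observable traces the write-up above describes, a single source spraying logins across many different services and the ransom-note database name left behind, can both be checked for from the defender's side. The following is an added example, not code from the article or from Avast; the log format, the sample log lines, the thresholds and the prefix match on the database name are all assumptions made for illustration.

```python
# Added detection example (not from the article or Avast): spot the two things
# the Xbash write-up describes from a defender's side, namely login spraying
# across many services from one source, and the ransom-note database name.
import re
from collections import defaultdict

# Constructed sample log lines in a simplified, normalised form:
# <service> <timestamp> <source ip> <OK|FAIL> <user>. Not real captures.
SAMPLE_LOGS = """\
ssh     2018-09-20T10:00:01 203.0.113.5  FAIL root
ssh     2018-09-20T10:00:02 203.0.113.5  FAIL admin
mysql   2018-09-20T10:00:03 203.0.113.5  FAIL root
redis   2018-09-20T10:00:04 203.0.113.5  FAIL default
vnc     2018-09-20T10:00:05 203.0.113.5  FAIL -
ssh     2018-09-20T10:00:06 203.0.113.5  OK   backup
ssh     2018-09-20T10:01:00 198.51.100.7 FAIL alice
ssh     2018-09-20T10:01:30 198.51.100.7 OK   alice
"""

LOG_RE = re.compile(
    r"^(?P<svc>\S+)\s+(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<res>OK|FAIL)\s+(?P<user>\S+)$"
)

# Name quoted in the article; matching on the prefix is an assumption, not an IoC.
RANSOM_NOTE_PREFIX = "PLEASE_READ_ME"


def parse_events(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_sprayers(text, min_services=3, min_failures=4):
    """Return {ip: summary} for sources that fail logins on many distinct services.

    Many failures against one service is ordinary brute force; the pattern the
    article describes is one source walking through ssh, database, VNC, ... in
    quick succession. success_after marks a login that succeeded after the run
    of failures, which is the case worth paging someone for.
    """
    state = defaultdict(lambda: {"services": set(), "failures": 0, "success_after": False})
    for ev in parse_events(text):
        rec = state[ev["ip"]]
        if ev["res"] == "FAIL":
            rec["services"].add(ev["svc"])
            rec["failures"] += 1
        elif rec["failures"] >= min_failures:
            rec["success_after"] = True
    return {
        ip: rec
        for ip, rec in state.items()
        if len(rec["services"]) >= min_services and rec["failures"] >= min_failures
    }


def find_ransom_note_dbs(db_names):
    """Return database names that look like the ransom-note database the article quotes."""
    return [n for n in db_names if n.upper().startswith(RANSOM_NOTE_PREFIX)]


if __name__ == "__main__":
    for ip, rec in find_sprayers(SAMPLE_LOGS).items():
        print(ip, sorted(rec["services"]), rec["failures"], "success_after=%s" % rec["success_after"])
    print(find_ransom_note_dbs(["orders", "PLEASE_READ_ME_XYZ", "customers"]))
```

The cross-service count is the useful signal here: per-service lockouts and fail2ban-style rules look at one service at a time and would see only a handful of failures each. The database-name check is a last-resort indicator that the deletion has already happened, which is why the article's own advice, a tested backup, is the only real recovery option.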

Cold boot malware exploits decades-old vulnerability

In what sounds like a trick straight out of Inception, cybersecurity researchers have developed a new tool that can steal valuable information from your PC while it’s asleep. The tool can bypass BIOS fail-safes by exploiting a weakness in how computers protect firmware. Almost every PC made in the last 10 years is vulnerable to its MO.

When a computer is incorrectly turned off or put into sleep mode, critical information remains in its RAM even after the device has lost power. The new tool can be executed through a USB stick to boot up the PC and steal any information remaining in its RAM.

Cold boot attacks are nothing new, as they’ve been around since 2008. Computers typically overwrite the contents of their RAM when power is restored in order to ensure they are not compromised. However, the new tool simply disables that overwrite feature and rewrites non-volatile information. The researchers have shared their findings with all computer manufacturers so that safeguards can be created against such maneuvers.

This is a great opportunity to clear up a common myth, adds Corrons: “People believe that if their laptop is lost or stolen, that their data will not be compromised.” He continues, “The victim’s belief is that whoever found the computer wouldn’t have the credentials they need to access it. This has never been true — and now this ‘cold boot’ attack shows how easy it is to obtain credentials from a computer, even if it is off.”

GovPayNow leaks 14 million customer records

A payment system used by almost 2,300 US Federal services in 35 states for processing everything from traffic tickets to court fines was found to have an exposed receipt system.

Users could log on and pay their federal dues through GovPayNow.com, upon which the site would generate an online receipt. Until fairly recently, the receipts were displayed on an unsecured webpage. Interested parties could access customer names, the last four digits of their credit card, addresses, and phone numbers simply by changing a few digits in the URL.

The leak, which was discovered by KrebsOnSecurity, has reportedly been active since 2012. In response, GovPayNow says it has addressed the issue by only allowing authorized users to access their receipts.
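The flaw described above is a textbook case of a lookup keyed only on an identifier from the URL. The example below is added here and is not GovPayNow's code; it shows a receipt lookup written that way beside a version that ties access to the authenticated session, which is the fix the company describes. The records, ids and user names are constructed.

```python
# Added example (not GovPayNow's code): a receipt lookup written the way the
# article describes the flaw, next to a version that binds access to the
# logged-in user. Records, ids and user names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    receipt_id: int
    owner: str        # account that made the payment
    name: str
    card_last4: str


# Constructed sample store; sequential ids are what make "changing a few digits" work.
RECEIPTS = {
    100231: Receipt(100231, "user-a", "A. Payer", "4242"),
    100232: Receipt(100232, "user-b", "B. Payer", "1111"),
    100233: Receipt(100233, "user-b", "B. Payer", "1111"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_receipt_vulnerable(receipt_id):
    """The id from the URL is the only key: whoever can count can read them all."""
    try:
        return RECEIPTS[receipt_id]
    except KeyError:
        raise NotFound(receipt_id)


def get_receipt_hardened(session_user, receipt_id):
    """Authorisation comes from the authenticated session, never from the URL.

    Missing and not-yours both raise NotFound so the endpoint does not become
    an oracle for which ids exist.
    """
    if session_user is None:
        raise Forbidden("login required")
    rec = RECEIPTS.get(receipt_id)
    if rec is None or rec.owner != session_user:
        raise NotFound(receipt_id)
    return rec


def enumerate_readable(lookup, id_range):
    """Walk a contiguous id range and report which receipts a lookup hands back.

    Used only to compare the two handlers: the same walk reads everything from
    the vulnerable one and only the caller's own receipts from the hardened one.
    """
    readable = []
    for rid in id_range:
        try:
            readable.append(lookup(rid).receipt_id)
        except (NotFound, Forbidden):
            pass
    return readable


if __name__ == "__main__":
    ids = range(100230, 100235)
    print("vulnerable:", enumerate_readable(get_receipt_vulnerable, ids))
    print("hardened as user-a:", enumerate_readable(lambda r: get_receipt_hardened("user-a", r), ids))
    print("hardened, not logged in:", enumerate_readable(lambda r: get_receipt_hardened(None, r), ids))
```

Note that the ownership check is the fix, not obscurity: replacing sequential ids with random tokens slows a walk down but still leaves every receipt readable by anyone holding a link, which matters for a document that gets e-mailed and printed.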

Magecart works its (black) magic on Newegg

Even as their ABS-CBN heist is still fresh in our memory, digital credit card skimmer Magecart has already claimed another victim – Newegg. The attack started on August 16th and, given the site's popularity, could have claimed a massive number of victims by now. To date, Magecart has a number of successful hits to its credit, including British Airways and Ticketmaster.

Digital card skimmers work the same way as their physical counterparts that are used on credit card machines. They read card details being entered into a payment gateway and transmit them to their command and control server (C&C). Magecart works by injecting a 15-line piece of JavaScript code into a targeted payment processing page. The code binds to the button users press after entering their card details, and uploads their information to neweggstats.com, which is owned by the attackers. Protecting against attacks like these is difficult as hackers exploit any vulnerability available to them.
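Because the skimmer described above is a small script added to the checkout page that sends data to a host the site never used before, one check a site owner can run is to audit every script on the payment page against an allowlist of expected script hosts. The following is an added example and is not Newegg's, Magecart's or Avast's code; the HTML page, the allowlist and the host names other than neweggstats.com (which the article names) are constructed for illustration.

```python
# Added example (not Newegg's or Magecart's code): audit a checkout page's
# scripts against an allowlist, the check a defender would run to notice an
# injected script or a new outbound host. The HTML below is constructed;
# neweggstats.com is the attacker-owned host named in the article.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


# Absolute URLs mentioned inside inline code; crude, but catches hard-coded hosts.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def audit_scripts(html_doc, page_host, allowed_hosts):
    """Return (kind, host) findings for every script host outside the allowlist."""
    p = ScriptCollector()
    p.feed(html_doc)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or page_host   # relative src -> same origin
        if host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in p.inline:
        for host in sorted(set(HOST_RE.findall(body))):
            if host not in allowed_hosts:
                findings.append(("inline-script-references", host))
    return findings


# Constructed checkout page: two expected scripts plus one injected inline block.
SAMPLE_PAGE = """
<html><body>
<form id="pay"><input name="card"><button id="submit">Pay</button></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>
  var stats = { endpoint: "https://neweggstats.com/collect" };
</script>
</body></html>
"""

ALLOWED = {"www.example.com", "cdn.example.com"}


if __name__ == "__main__":
    for kind, host in audit_scripts(SAMPLE_PAGE, "www.example.com", ALLOWED):
        print(kind, host)
```

Run on a copy of the live checkout page on a schedule, this turns "a new host appeared in the payment flow" into an alert rather than a surprise in a breach report. The same allowlist is what belongs in the page's Content-Security-Policy `script-src` directive, which makes the browser refuse the injected inline block and any connection to an unlisted host instead of merely reporting it afterwards.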