Thursday, December 6, 2018

Google Maps Users are Receiving Notification Spam and No One Knows Why

December 5, 2018, 04:22 PM

Maps Spam
Users are receiving spam notifications through the Google Maps app that ask them to share their location in order to get something for free, and no one knows why.
According to reports from numerous users, Android users are receiving Maps push notifications with titles such as "You Have Received a Free Prize from Google", "You Have Received a Free Prize", "Congratulations for Winning Pixel", and more. When users tap on these notifications, they are then asked to share their location.
For example, a Reddit post stated:
"Strange thing. Just got a push notif from my Maps app that read "You Have Received a Free Prize from Google [...]", so I figured it was some sort of Google-Play-Rewards-type thing — but once I clicked on it it appeared to be about a user named "You Have Received a Free Prize", with Maps giving me the option to share my location with them. I found the block button and that was that, but has anyone else been subject to this? What's the endgame if a gullible user decides to follow through?"

Maps Notification Spam
Most users who BleepingComputer spoke to regarding these notifications simply block them.
Some, though, have stated that they thought it was an ad from a nearby shop, so they shared their location, but did not receive any further information after doing so. As you can imagine, this is confusing, as it is not known what the shared location is being used for.
There has been a lot of speculation as to where these notifications are coming from. Some think that criminals are using them to check when you're not home in order to rob you; others think they are part of the Nearby service, or a way to advertise a store's products or other promotions.
For now, if you receive a Maps push notification asking you to share your location, just block it, as you never know who you are sending your location to or for what reason.
Do you have any theories about this Maps spam? Let us know.
Update: Shortly after posting the article, we were told that iOS users of Google Maps have also received these notifications.

Company Pretends to Decrypt Ransomware But Just Pays Ransom

December 5, 2018, 12:28 PM

Ransomware is a serious threat but also a lucrative business for crooks and scammers posing as IT professionals promising successful decryption services for the right price.
Security researchers have found a company in Russia that guarantees decryption of files touched by the Dharma/CrySiS ransomware strain, a feat known to be possible only by paying the malware maker for the unlock key.

Huge markup added

The intriguing claim comes from a company called Dr. Shifro that presents itself as an IT consultancy firm. Its actual line of business, though, is brokering the file decryption: the victim receives a hefty bill while the company negotiates a discount with the cybercriminals.
Check Point says that Dr. Shifro has been brokering these deals since 2015 and has collected at least 100 BTC from 300 "contracts." The company advertises decryption services for multiple ransomware variants, including Cryakl, Scarab, Bomber, and Dharma.
An undercover investigation by Check Point revealed that the faux consultant contacts the ransomware creator and asks for a discounted price for the decryption key, which in the researchers' case was $1,300.
The cost of the unlock key is passed on to the victim, along with a fee of $1,000 for delivering a decryption tool.
An email to the threat actor makes clear Dr. Shifro's business model:
"I’m an intermediary. We redeem keys for clients since 2015 on a regular basis. Send bitcoins tight, don’t ask dumb questions. Clients frequently addressed under recommendation. Could you give a discount to 0.15 btc?"
The researchers say that the revenue from this type of activity amounts to at least $300,000, calculated at an average BTC price of $3,000 recorded during their investigation. However, it is unclear whether all victims were billed the same.
The general recommendation is not to pay the ransom, in order to make the ransomware business unprofitable. Turning to a company that can genuinely decrypt files is therefore a way to get the data back without endorsing criminal activity. Ransomware victims should be aware that a legitimate company offering file decryption services does not make bold claims about the success of its efforts, because there is a good chance of failure, especially with data locked by strong encryption. Only the availability of the decryption keys can give confidence of recovery.
Data recovery companies are nothing new on the ransomware scene. Coveware, a company that handles ransomware incidents, is upfront about its business, but many others hide the fact that all they do is negotiate with the malware developer to obtain an unlock key.
This activity is not without restrictions, though, and these companies should be more careful about who they negotiate with. At the end of November, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on two Iran-based individuals associated with SamSam ransomware, banning any business with them. This means that transactions to their cryptocurrency wallets are in violation of the imposed sanctions.

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

December 5, 2018, 11:11 AM

Flash
Adobe has released an update for Flash Player that fixes a zero-day use-after-free vulnerability that was used as part of an APT attack against Russia. The attack has been named "Operation Poison Needles" and targeted the Russian FSBI "Polyclinic #2" medical clinic.
According to research from Qihoo's 360 Advanced Threat Response Team and Gigamon, an attack against Russia's FSBI "Polyclinic #2" clinic was detected on November 29, 2018. The clinic's site indicates that it provides medical and cosmetic services to executive and senior employees of the Russian Federation.
The targeted attack came in the form of a fake employee questionnaire that, when opened, triggered an exploit for the zero-day Flash vulnerability. This questionnaire is shown below; the Flash object is displayed as a black square in the document.
Malicious Word document pretending to be a questionnaire
When the exploit is triggered, Word displays a warning stating "The embedded content contained in this document may be harmful to your computer." If the user agrees to continue, the following command is executed to extract a RAR archive and start the backup.exe executable contained within it.
According to Gigamon, the executed command is:
C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul*.rarscan042.jpg & rar.exe e -o+ -r -inulscan042.jpg backup.exe & backup.exe
This attack flow is illustrated in the image below.
Attack Flow (Source: 360 Advanced Threat Response Team)
The backup.exe file is a backdoor that pretends to be the NVIDIA Control Panel application and is signed with a stolen certificate from "IKB SERVICE UK LTD", which has since been revoked.
The researchers state that when backup.exe is executed, it copies itself to %LocalAppData%\NVIDIAControlPanel\NVIDIAControlPanel.exe and sends information about the computer and its installed applications to a remote host. It will also download and execute shellcode on the computer.
Backup.exe backdoor disguised as the NVIDIA Control Panel
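As an added detection sketch (not code from the article, from 360, or from Gigamon), the following Python flags process-creation events that match the chain described above: an Office process spawning cmd.exe, rar.exe invoked silently (-inul) against a file named like an image, and a binary running from the %LocalAppData%\NVIDIAControlPanel path the researchers reported. The ProcEvent record, its field names and the sample events are constructed for this example; the assumption that the genuine NVIDIA Control Panel is never installed under a user's AppData\Local is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Process-creation record as an EDR/Sysmon-style log might expose it (constructed shape)."""
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# rar.exe extracting (e or x) with the -inul switch, which suppresses all WinRAR output.
SILENT_RAR = re.compile(r"\brar\.exe\s+[ex]\b[^&|]*-inul", re.IGNORECASE)
# An argument that looks like an image file; combined with a silent extraction it is the
# "archive disguised as .jpg" trick from the article.
IMAGE_NAMED_FILE = re.compile(r"\S+\.(?:jpg|jpeg|png|gif|bmp)\b", re.IGNORECASE)
# Drop location named by the researchers. Assumption: the real control panel does not
# live under a user's AppData\Local, so anything running from there is suspect.
NVIDIA_DROP = re.compile(
    r"\\appdata\\local\\nvidiacontrolpanel\\nvidiacontrolpanel\.exe$", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the indicators an event matches; an empty list means nothing suspicious."""
    findings: List[str] = []
    if basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) == "cmd.exe":
        findings.append("office-spawned-cmd")
    if SILENT_RAR.search(ev.command_line):
        findings.append("silent-rar-extract")
        if IMAGE_NAMED_FILE.search(ev.command_line):
            findings.append("archive-disguised-as-image")
    if NVIDIA_DROP.search(ev.image.replace("/", "\\")):
        findings.append("fake-nvidia-control-panel-path")
    return findings


def alerts(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """(host, findings) for every event with at least one indicator, in input order."""
    out: List[Tuple[str, List[str]]] = []
    for ev in events:
        findings = classify(ev)
        if findings:
            out.append((ev.host, findings))
    return out


# Constructed sample events: two from a host following the described chain, one benign
# interactive extraction that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(
        "ws-01",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\WINDOWS\system32\cmd.exe",
        r"C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; "
        r"&& cd /d %~dp0 & rar.exe e -o+ -r -inul scan042.jpg & backup.exe",
    ),
    ProcEvent(
        "ws-01",
        r"C:\WINDOWS\system32\cmd.exe",
        r"C:\Users\alice\AppData\Local\NVIDIAControlPanel\NVIDIAControlPanel.exe",
        r"NVIDIAControlPanel.exe",
    ),
    ProcEvent(
        "ws-02",
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\WinRAR\rar.exe",
        r"rar.exe e -o+ archive.rar",
    ),
]

if __name__ == "__main__":
    for host, findings in alerts(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(findings)}")
```

Each indicator is weak on its own (administrators do script WinRAR), so the design reports the list of matched indicators per event rather than a single verdict; a downstream rule can then alert only when an Office parent and a silent extraction co-occur, or when the fake control-panel path appears at all.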
The researchers believe that this attack is politically motivated, as it occurred right after the Kerch Strait incident, in which Russian coast guard boats fired upon and captured three Ukrainian Navy vessels.
"Since it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution," the 360 Core Security team stated in their report. "Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack."

Adobe releases update for Flash Player

Adobe has issued security bulletin APSB18-42, which states that Flash Player 31.0.0.153 and earlier are affected by this vulnerability, assigned the ID CVE-2018-15982. To resolve this vulnerability, users should update to version 32.0.0.101 immediately.
This update also resolves a DLL hijacking vulnerability in the program that would allow a bad actor to load a malicious DLL when Flash Player starts.
To be truly safe, it is recommended that all users uninstall Flash Player unless they absolutely need it for an internal application. Adobe plans to retire Flash in 2020, and most sites that utilized it in the past have moved to other technologies.
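As an added example (not Adobe's code and not from the article), the following Python turns the bulletin's version numbers into a patch-level check for a fleet inventory. It compares versions numerically, because the plain string comparison that inventory scripts often fall back on ranks a build such as "9.0.280.0" above "32.0.0.101". The host names and installed versions in SAMPLE_INVENTORY are constructed.

```python
from typing import Dict, List, Tuple

# Version numbers quoted from Adobe bulletin APSB18-42 (CVE-2018-15982).
LAST_AFFECTED = "31.0.0.153"   # "31.0.0.153 and earlier" are vulnerable
FIXED_VERSION = "32.0.0.101"   # first build that resolves the issue


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str) -> bool:
    """True when the installed build is in the range the bulletin lists as vulnerable."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


def needs_update(installed: str) -> bool:
    """True for anything below the fixed build, which is the safe reading of the bulletin."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Sorted host names whose Flash Player must be updated (or removed)."""
    return sorted(host for host, ver in inventory.items() if needs_update(ver))


# Constructed inventory: host -> installed Flash Player version.
SAMPLE_INVENTORY = {
    "ws-01": "31.0.0.153",   # last affected build
    "ws-02": "32.0.0.101",   # already fixed
    "ws-03": "30.0.0.154",   # older, affected
    "ws-04": "9.0.280.0",    # very old; string comparison would wrongly call this "newer"
}

if __name__ == "__main__":
    print("needs update:", ", ".join(triage(SAMPLE_INVENTORY)))
```

Given the article's closing advice, the same triage list is also the list of hosts where removing Flash Player outright is the better remediation.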

Apple Fixes Passcode Bypass, RCE Vulnerabilities, and More in Today's Updates.

December 5, 2018, 05:23 PM

Apple Medicine
Today Apple released updates for its core products, including iCloud, Safari, iTunes, macOS Mojave, High Sierra, and Sierra, Shortcuts for iOS 2.1.2, tvOS 12.1.1, and of course iOS 12.1.1.
Included in these security updates are fixes for numerous code execution, privilege escalation, and information disclosure vulnerabilities. Because of this, if you use any of the above products, you should update them as soon as possible.

iOS 12.1.1 fixes FaceTime locked screen contacts disclosure

iOS 12.1.1 fixes a bug, discovered at the end of October the day after iOS 12.1 was released, that allows a user to access a phone's contacts even while iOS is locked. The bug was discovered by security researcher Jose Rodriguez, who has a knack for finding these types of bypasses and demonstrates them on YouTube.
Other vulnerabilities that were fixed include remote code execution, information disclosure, escalation of privileges, and denial of service attacks.

Shortcuts for iOS gets its first security update!

Shortcuts is a new feature added in iOS 12 that allows you to create shortcuts that execute multiple commands with a single voice command or tap.
This is the first update for Shortcuts for iOS, and sadly there is not much to indicate what was fixed, if anything. Instead we are greeted with the following statement:
"This update has no published CVE entries. We would like to acknowledge Micah A for their assistance."
Whoever Micah A is, congrats!
Below are the rest of the Apple security updates released today.
Name and information link | Available for | Release date
iCloud for Windows 7.9 | Windows 7 and later | 05 Dec 2018
Safari 12.0.2 | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.1 | 05 Dec 2018
iTunes 12.9.2 for Windows | Windows 7 and later | 05 Dec 2018
macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, Security Update 2018-006 Sierra | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.1 | 05 Dec 2018
Shortcuts 2.1.2 for iOS | iOS 12.0 and later | 05 Dec 2018
tvOS 12.1.1 | Apple TV 4K and Apple TV (4th generation) | 05 Dec 2018
iOS 12.1.1 | iPhone 5s and later, iPad Air and later, and iPod touch 6th generation | 05 Dec 2018

Lawrence Abrams
Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
