For testing, the experts took the Ellume COVID-19 Home Test device, which uses an analyzer that connects to a smartphone via Bluetooth and works in tandem with the corresponding companion application.

During tests, researchers noticed activity com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity. It turned out that users with root access can run it to “help interact with the analyser via Bluetooth.”

Further investigation revealed two types of Bluetooth traffic associated with the transmission of test results. The researchers write that they were able to intervene in traffic as follows:

Worse, the fake data provided by Ellume has been successfully accepted by Azova, which certifies COVID test results so that travellers can enter the United States.

Also, the F-Secure report details how one of the company’s employees used the Ellume device to check for COVID, the test turned out negative, but the experts applied the aforementioned methods to change the result.

Researchers from F-Secure shared their best practices on GitHub.

Fortunately, the problem has now been fixed. The specialists notified the Ellume developers of their findings, and they made changes to their product. In particular, additional obfuscation and OS checks were introduced in the Android application, and now additional analysis of test results is being carried out, which is designed to identify fake data.

Let me remind you that I also talked about various fraudulent operations speculating on the COVID-19 topic. For example, that Fake COVID-19 contact tracking apps install banking trojans, and that Cybercriminals attacked UCSF, the US leading COVID-19 vaccine developer. For example, Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic.

The post Experts hacked Bluetooth test for COVID-19 appeared first on Gridinsoft Blog.

Check Point reports that a new trend has emerged at the beginning of 2021: not hackers do not post their “vacancies” there, but applicants themselves publish ads and inform that they are ready for any illegal activity.

According to the observations of the researchers, in the last quarter, from 10 to 16 new messages of this kind appeared on the forums every month. Given that such ads were rare in the past, this is an impressive number.

Researchers attribute this to the desperation of people who cannot find work and are experiencing financial difficulties due to the coronavirus pandemic, which has affected the global economy and led to an increase in unemployment around the world.

In the ads, desperate job seekers offer their help to cybercriminals, “promising not to ask stupid questions”, “24/7 availability” and “the desire to make money in any way.”

In their report, Check Point experts provide examples of such job search ads.

Below are a couple of such ads.

The applicant writes: “I am ready for any possible job … I am at home 24 hours a day, 7 days a week because of this pandemic.”

A 25-year-old woman from Ukraine, “experienced in fraud in logistics, sales and wholesale”, understands the risks involved in doing such work, and is looking for a position with monthly pay.

Let me remind you that I also talked about the fact that Cybercriminals fake letters from WHO to distribute HawkEye and trick money into fight with COVID-19.

The post Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals appeared first on Gridinsoft Blog.

Two global issues will help shape people’s memories of 2020: Covid-19 and the increased exploitation of the Internet for disruption of the economy. It is alarming that these threates are now gathered together, as according to Microsoft officials, attackers use cyberattacks are being to undermine healthcare organizations fighting the pandemic.

The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as the North Korean Zinc (Lazarus) and Cerium, are accused of these attacks.

The victim companies, whose names are not disclosed, are based in Canada, France, India, South Korea, and the United States.

Many attacked organizations have signed contracts with government agencies from different democratic countries that have invested in their research related to Covid-19.

Let me remind you that I talked about the fact that cybercriminals attacked the University of California, San Francisco (UCSF), one of the leaders in developing a vaccine against COVID-19.

According to Microsoft, the Strontium group used brute force and password spraying to steal credentials, hack accounts and steal confidential information. The technique mentioned is that the attackers go through different usernames and try to use them with the same simple, easily guessed password, in the hope of finding a poorly protected account.

In turn, the Zinc (aka Lazarus) hack group relied heavily on targeted phishing campaigns, sending out emails to potential victims with fake job descriptions and posing as recruiters.

The second North Korean faction, Cerium, appears to be a new player. Microsoft representatives say that Cerium organized targeted phishing attacks, posing as representatives of the World Health Organization, and the content of the decoys was associated with COVID-19.

Let me also remind you that Elon Musk confirmed that the Russian offered a Tesla employee a million dollars for hacking the company.

The post Microsoft accused Russia and North Korea of attacks on pharmaceutical companies appeared first on Gridinsoft Blog.

Experts write that, first of all, everyone will remember 2020 due to the coronavirus pandemic. While some hacker groups have used the COVID-19 theme in their attacks, Microsoft says these operations were only a small part of the overall malware ecosystem, and the pandemic appears to have played a minimal role in the attacks of the past year.

“The number of phishing attacks on the corporate sector continues to grow and are becoming the dominant vector. Most phishing lures are centered around Microsoft and other SaaS vendors, and the top five fraudulent brands include Microsoft, UPS, Amazon, Apple and Zoom”, – write Microsoft analysts.

In total, Microsoft blocked more than 13,000,000,000 malicious and suspicious emails in 2019, more than a billion of which contained phishing URLs.

Moreover, successful phishing operations are often the first step in BEC attacks. That is, fraudsters gain access to the mailbox of a company executive, examine his email, and then trick the compromised user’s business partners into paying bills and sending funds to their bank accounts. The report states that BEC scammers are most often interested in credentials from the C-suite accounting product.

However, phishing isn’t the only way to break into someone else’s account.

Also, hackers use the password spraying technique and often exploit the fact that users reuse the same passwords. In the mentioned technique, attackers go through different usernames and try to use them with the same simple, easily guessed password, in the hope of finding a poorly secured account.

“These attacks are most often used against IMAP and SMTP. They allow attackers to bypass multi-factor authentication because login via IMAP and SMTP does not support this feature”, – say Microsoft researchers.

Microsoft experts unambiguously call ransomware the most serious threat over the past year.

Most of this activity came from hack groups that specialize in attacks on large corporations or government organizations, since they can get the most significant ransom. Most of these groups either exploit infrastructure provided by other hackers or massively scan the Internet for recently discovered vulnerabilities.

In most cases, hackers infiltrate the system and stay there, waiting until they are ready to launch an attack.

Microsoft reports that ransomware has been particularly active this year and has dramatically reduced the time it takes to launch attacks, especially during the COVID-19 pandemic.

“Attackers used the COVID-19 crisis to reduce the time spent on the victim’s system. They compromise, steal data, and, in some cases, quickly activate ransomware, apparently in the belief that they would be more likely to get paid that way. In some cases, cybercriminals went from initial infiltration to encrypting the entire network and demanding a ransom in less than 45 minutes”, — said the report.

Let me remind you that the researchers also calculated that Ransomware attacks most often occur at night and on weekends.

The post Microsoft estimated that ransomware attacks take less than 45 minutes appeared first on Gridinsoft Blog.

In June, the average number of attacks per week increased by 18% compared to May of this year. It is noted that the number of cyberattacks related to the theme of coronavirus decreased by 24% compared with the previous month.

“The number of phishing attacks related to COVID-19 is significantly higher in those regions where the self-isolation mode has not been canceled. For example, in Europe and North America, where business is returning to normal, there is a sharp decrease in the number of attacks associated with coronavirus”, – write the researchers.

At the same time, countries in Latin America and Africa that are still struggling with the epidemic are suffering from frequent attacks involving COVID-19.

Despite the fact that the number of “coronavirus” attacks is decreasing, fraudsters use other media topics for their malicious campaigns. A striking example of this is the global protests associated with the Black Lives Matter (BLM) movement.

In early June, when the protests peaked, Check Point researchers discovered spreading of spam campaigns related to BLM.

Attackers attached to their letters a text document with the following topics: “Leave a review anonymously about Black Lives Matter” and “Vote anonymously about Black Lives Matter”. In each of these files, was hidden the Trickbot banking trojan.

“If you receive a letter from an unknown sender, be careful. By opening an attachment or clicking on the link inside, you can automatically download a malicious file. We are now seeing a trend towards phishing attacks with the use of domain names, such as Microsoft Office 365. They are less likely to reach a potential victim. Despite the fact that the self-isolation regime in some regions is waning, the number of cyberattacks will only grow in the nearest future. The coronavirus pandemic has become the catalyst for another global process – cyber pandemic”, — said Check Point Software Technologies.

According to Check Point, the number of weekly attacks increased in June by 18% compared with the average in May. However, the number of coronavirus-related attacks is declining. So, in the first week of June were recorded 129,796 attacks, which is 24% less than in May. It is noted that in the first two weeks of June, were registered 2451 new domains associated with coronavirus. Of these, 4% (91) were considered malicious and 3% (66) – suspicious.

As we said, in connection with the protests, GitHub will replace the term “master” with a more neutral one.

The post Check Point: hackers exploit BLM theme for attacks appeared first on Gridinsoft Blog.

Attackers are actively exploiting the panic around the coronavirus pandemic to trick users into revealing their credentials.

“Fake applications are designed to download and install malware (Anubis, SpyNote, etc.) onto devices and steal users’ financial and confidential data. Criminals do not distribute their programs through official stores such as the Google Play Store, but do so through other applications, third-party stores and websites”, — said Anomali researchers.

Anubis malware is a banking Trojan for Android devices that uses overlays to access infected devices and steal user credentials. Malware exists since at least 2017 and masks itself as legitimate applications.

The main functions of the program are access to SMS messages, location, contact list, system information, injections into various banking and social applications to collect confidential information, keylogging, recording phone calls, etc.

SpyNote is also an Android Trojan designed to steal data from infected devices. The trojan was first discovered in December 2016. The main functions of the program are access to SMS, GPS data, contacts, making calls from the victim’s number, checking browser history, checking installed applications, accessing device information, etc.

“Fake applications are distributed in Armenia, Brazil, India, Colombia, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore, and some of them impersonate official government programs”, – say the experts.

COVID-19 patient contact tracking applications are being developed in many countries. For example, as part of the fight against the spread of coronavirus infection, the Qatar government has obliged citizens and residents of the country to install a similar application on their mobile devices to track contacts with infected people.

In April of this year, France joined to the list of countries that use digital technology in the fight against the spread of coronavirus. French experts are working on the creation of the StopCovid mobile application, which will use Bluetooth to identify the chain of infection and warn the user if a sick person is nearby.

Let me remind you that Google Maps helps users protect users from COVID-19.

The post Fake COVID-19 contact tracking apps install banking trojans appeared first on Gridinsoft Blog.

Among other updates, now the Google Maps application will display notifications of restrictions imposed in connection with the pandemic regarding movement, checkpoints and even public transport congestion

”Getting from A to B can be more complicated these days. Because of COVID-19, it’s increasingly important to know how crowded a train station might be at a particular time or whether the bus is running on a limited schedule. Having this information before and during your trip is critical for both essential workers who need to safely navigate to work and will become more important for everyone as countries around the world begin to reopen”, — write Google specialists.

In some countries, while searching for routes for travelling by public transport, the application will also display notifications from local authorities. For example, if the institution is closed or the entrance is allowed only in masks, Google Maps will warn about this.

This feature is currently available only to users in Argentina, Australia, Belgium, Brazil, Colombia, France, India, Mexico, the Netherlands, Spain, Thailand, the US and the UK, where Google can receive information from local authorities. In the future, this list will be updated.

“We’re showing these alerts where we’ve received authoritative data from local, state and federal governments or from their websites, and are actively working with other agencies around the world to bring even more of this helpful data to users in Google Maps”, — said in Google.

Notifications will also appear when a user plans a trip to a medical facility or to the COVID-19 testing center. These alerts will be based on data received by Google from local and state authorities, as well as from the institutions themselves. Function is available for residents of Indonesia, the Philippines, Israel, the Republic of Korea and the United States. Soon the list of countries should expand.

The updated application also received the function of “predicting a large crowd of people.” Data will be based on the number of Google Maps users using public transportation services.

Meanwhile, in the IT world, there is a complete mess in connection with the coronavirus pandemic. For example, we reported that conspiracy theorists accuse Bill Gates of the crisis, and in the meantime, the malware operators stepped up and even attack research centers where is tested vaccine for COVID-19. Additionally, the number of cyberattacks that are linked with the theme of coronavirus is growing for an average of 5,000 per day.

The post Google Maps helps users protect themselves from COVID-19 appeared first on Gridinsoft Blog.

The university administration confirmed to Bloomberg reporters that it was the victim of an “illegal invasion”, but did not specify which part of the IT infrastructure was damaged.

UCSF experts are leaders in the United States in the field of antibody testing and the development of treatment for coronavirus infection. Here were tested antimalarial drugs, which President Donald Trump called the possible cure for COVID-19. However, scientists refuted this statement.

“Hackers are increasingly targeting institutions like UCSF not only for ransomware payments themselves, but also for possibly lucrative intellectual property, like valuable research on a cure for Covid-19. UCSF has engaged in extensive sampling and anti-body testing, including on the experimental anti-viral drug remdesivir, which has shown signs of being effective early in the Covid-19 life-cycle”, — write Bloomberg reporters.

According to Peter Farley, head of the UCSF public relations department, cyberattack did not affect studies involving patients.

The UCSF administration reported about the incident to law enforcement and turned to cybersecurity experts for help.

“With their help, we conduct a thorough assessment of the incident, including finding out what information could have been compromised”, — said Fairley, adding that he could not disclose any details while the investigation was ongoing.

It seems that the attackers encrypted the UCSF data and demanded a ransom for their recovery. Payment must be made before June 8 this year, and in case of non-payment, the extortionists promised to publish the “secret data” of the UCSF. It is not reported, what sum demanded the cybercriminals.

NetWalker ransomware operators confirmed responsibility for the attack on their blog on Darkweb.

“Attack groups often post data samples to prove the success of their breach. In this case, their blog posted four screenshots, including of two files accessed by the attackers. The files’ names, seen by Bloomberg on the darkweb, contain possible references to the U.S. Centers for Disease Control and Prevention and departments central to the university’s coronavirus research”, — writes Bloomberg.

Let me remind you that just recently Europe’s largest private hospital operator Fresenius attacked with Snake ransomware.

Netwalker ransomware was first introduced and operated by the criminal cyber group dubbed Circus Spider by CrowdStrike Inc. Since September 2019, Netwalker ransomware has been actively used by criminal actors with links to malware including Mailto, Koko, and KazKavKovKiz.[/box]

The post Cybercriminals attacked UCSF, US leading COVID-19 vaccine developer appeared first on Gridinsoft Blog.

This would sound fine, but for some reason the application requires permission for a number of actions that have nothing to do with containing a pandemic.

Using Bluetooth, the Ehteraz application pings nearby devices so that they can be contacted later, if users with whom they were nearby will have COVID-19 symptoms.

“However, application also requires access to geolocation data, which may indicate the intention of the authorities to monitor the movements of citizens”, – for example, reports Al-Jazeera channel.

Moreover, the application asks users for permission to access photo and video materials on the device, make calls, turn off the screen lock, start services in the background, as well as read, delete and modify data in the device’s shared memory.

Do you remember the infamous Arab ToTok messenger, with which the UAE government monitored its (and not only) citizens?

Ehteraz was released last month and is obligatory for installation, according to The Times of Israel. Failure to install the application leads a penalty or imprisonment for up to three years (the same penalty is provided for appearing in a public place without a protective mask). On Sunday, May 24, throughout the Qatar were established checkpoints for verification of compliance with the mask regime and presence of applications on citizens’ devices.

According to the Minister of Health of Qatar, Mohamed Al-Thani, all data collected is “strictly confidential. ”We confirm that all user data on Ehteraz app is completely confidential and is only accessible to relevant teams upon necessity,” said Qatar’s Director of the Public Health Department Dr Mohamed bin Hamad Al Thani.

The new version of Ehteraz was released on May 24. According to the developers, in it were fixed only minor bugs.

There is no information if they resolved an issue with access of the application to data and services on the device. MIT Technology Review’s Tate Ryan-Mosley, who has created a database of government-backed COVID-19 apps, told Al Jazeera the idea of contact tracing is old, but that digital tracing, which started to gain traction during the Ebola outbreak, has not proven to be effective yet.

“What we’re seeing now is a type of tech solutionism, meaning that these new technologies are seen as a panacea to all issues. There’s research done that if a government makes something compulsory, like an app, for instance, the likelihood of people putting their trust in it is less. If people don’t trust them, they are going to be looking for workarounds, not using these apps in good faith”, — Ryan-Mosley told Al Jazeera.

Another reason, why privacy experts question such applications is that the technology may be simply ineffective.

Let me remind you that US authorities can hack iPhone, but may have difficulties with Android

The post Qatar obliged citizens to install “spyware” for containing COVID-19 pandemic appeared first on Gridinsoft Blog.

According to KrebsOnSecurity sources, the incident disrupted some systems, but care for the patients continues.

Germany-based Fresenius company includes four independent companies: Fresenius Medical Care, a leading provider of services for people with kidney failure; Fresenius Helios, Europe’s largest private hospital operator; Fresenius Kabi, a pharmaceutical and medical device company; and Fresenius Vamed, medical facility manager.

Overall, Fresenius employs nearly 300,000 people in more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States.

“This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies”, — reports KrebsOnSecurity.

We live in truly difficult times – I recall that the other day, the Indian techno giant Jio disclosed data of people tested for COVID-19.

One Fresenius Kabi employee in the United States said that the computers in his company’s office were hacked and a cyberattack affected company’s operations around the world.

During the attack, hackers used Snake ransomware, which is a relatively new malware. Snake operators attack mainly large companies, turn off their IT systems and demand a ransom in bitcoins for access to data.

“I can confirm that Fresenius IT systems have been the victim of the malware. As a precaution, have been taking steps to prevent further spread. We also informed the relevant investigating authorities, and although some functions in the company are currently limited, patient care continues,” – said Fresenius representative.

According to security researchers, Snake ransomware is unique as it tries to identify IT processes associated with enterprise management tools and large automated process control systems. The malware is written in Golang and has a higher level of obfuscation than other ransomware.

After starting, Snake deletes shadow copies of computer volumes and then disables numerous processes associated with SCADA systems, virtual machines, industrial management systems, remote management tools, network management software, etc. Then it encrypts files on the device, skipping those located in the Windows system folders, and various system files.

The post Europe’s largest private hospital operator Fresenius attacked with Snake ransomware appeared first on Gridinsoft Blog.