“Faceliker” Facebook Trojan Making Comeback

“Faceliker” is malware that has been around for a few years, but in 2017 McAfee is reporting a surge in its use (9.8% of all new malware in Q1/Q2 are Faceliker strains). Faceliker uses JavaScript to hijack users’ clicks and generate likes on Facebook. The malware is increasingly being embedded within malicious Chrome extensions.

Why would someone want to hijack users’ clicks? It seems that Faceliker is being used to promote “fake news” (*cough* propaganda), and also to promote advertisements and games that aren’t popular but appear popular because of the likes Faceliker accumulates. It can also promote fake pages of companies or users to make them seem real or reputable, which could enable catfishing.

McAfee is not certain, but it appears that Faceliker is only being used to promote content by spoofing likes. It is possible that different Faceliker strains are being used to steal passwords or other sensitive data, but there isn’t a clear-cut answer.

-Ryan Corrao

Hackers Exploit Microsoft Servers to Mine Cryptocurrency

Mining cryptocurrency is becoming an extremely profitable investment. One of the most popular currencies, Bitcoin, is skyrocketing in value: one bitcoin is currently worth $4,297 U.S. dollars. These currencies are becoming more and more popular for illegal activity online because they are more difficult to trace and are increasing in value so quickly.

Now to the recent attack on servers running Windows Server 2003. An exploit for this software was discovered in March of this year (2017); it targets the web server in Windows Server 2003. Hackers have now taken to attacking servers that have not been patched with the update that fixes the exploit. The exploit infects the server and adds it to a botnet that the hacker controls and uses to mine cryptocurrency. In this attack the hackers were mining a currency called Monero; this currency is completely untraceable and anonymous. Hackers prefer mining Monero because it uses an algorithm called CryptoNight, which works on CPUs and GPUs and, unlike Bitcoin, requires no special hardware to begin mining. Monero is currently significantly less valuable than Bitcoin; at the time of writing 1 Monero is worth $90 U.S. dollars, but, like all cryptocurrency, the value fluctuates quite frequently. This attack gained the hackers $63,000 worth of Monero in 3 months.

There are quite a few pieces of malware that exploit servers to mine this currency. One piece of malware called Adylkuzz uses the EternalBlue exploit, which was created by the NSA and released by a group called the Shadow Brokers; the same exploit was used in the WannaCry ransomware attack. BondNet is another form of malware that also creates a botnet to mine Monero.


– Levi Walker

Major Accounting Firm Deloitte Hit by Extensive Cybersecurity Data Breach

Similar to Equifax’s data breach, Deloitte, with $37B in annual revenues, suffered an extensive cybersecurity data breach that led to a lot of data being compromised. Moreover, like Equifax, Deloitte did not tell anyone; both companies’ data had been compromised months before the breaches were reported. Deloitte kept the hack internally secret, informing only “a handful” of senior partners and lawyers, as well as six clients. The company is one of the world’s Big Four accounting firms, which work with large banks, global firms, and government agencies, among others, and provide tax and auditing services, operations consulting, merger and acquisition assistance and, ironically, cybersecurity advice.

The hackers compromised confidential emails and sensitive attachments, and may have gotten their hands on usernames, passwords, IP addresses, business information and workers’ health records. The Guardian reported that six Deloitte clients have already confirmed that the hack impacted their data. Deloitte has yet to establish whether a lone wolf, business rivals, or state-sponsored hackers were responsible.

The data breach apparently stemmed from an administrator’s account that was protected by a single password and did not have multi-factor authentication set up. The attack was discovered in March 2017, but the attackers could have gained access as early as October 2016. The emails were stored in Microsoft Azure; some 5 million emails were said to have been stored in the cloud when it was compromised. Compromised email servers are usually filled with very sensitive information that hackers can exploit, including to spear-phish people. However, Deloitte told The Guardian that only a fraction were actually at risk. Deloitte’s internal review is still ongoing.

-Matthew Brown

CCleaner Hack

As of August 15th, the application CCleaner had been hacked.

CCleaner is an application made by Piriform for computers running Microsoft Windows. Its purpose is to clean out temporary files, broken shortcuts, unneeded files and other ‘junk’. The application also cleans out the user’s browser history and temporary internet files to help protect users from identity theft and protect their privacy.

Avast’s download servers were compromised by an unknown group of hackers for nearly a month. From August 15th to September 12th, CCleaner was replaced with a malicious version. This is a prime example of a supply chain attack, where hackers attack a company indirectly, through the company’s process of supplying a product.

The affected versions have been confirmed by Avast and Piriform: the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. The malware was first detected on September 15. The malicious version used a multi-stage malware payload that takes data from infected computers and sends it to the attackers’ remote command-and-control servers.

Data Stolen:

  • Computer name
  • List of installed software, including Windows updates
  • List of all running processes
  • IP and MAC addresses
  • Additional information like whether the process is running with admin privileges and whether it is a 64-bit system.

Based on an estimate of 5 million downloads per week, about 20 million people could have been affected by this malware. Piriform estimated that approximately 3% of its users (2.27 million people) were affected. Piriform strongly recommends that affected users download version 3.5 or higher of CCleaner.

– Justin Palmer
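
A quick inventory check for the affected builds named above, as an added example (editor's code, not Avast's or Piriform's). It reads the Windows uninstall registry keys and assumes the products register with the DisplayName values "CCleaner" and "CCleaner Cloud"; the advisory only names the 32-bit build, so a version match is a flag to inspect the installed binary, not proof of compromise.

```powershell
# Added example, not from the original post: flag installed CCleaner products
# whose version matches the trojanised builds listed in the advisory above.
# Run in an elevated PowerShell session on the machine being checked.
$affected = @{
    'CCleaner'       = '5.33.6162'   # only the Windows 32-bit build was affected
    'CCleaner Cloud' = '1.07.3191'
}

# Both hives: native installs and (on 64-bit Windows) 32-bit installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $affected.ContainsKey($_.DisplayName) } |
    ForEach-Object {
        # DisplayName values are an assumption; adjust if your inventory differs.
        [pscustomobject]@{
            Product  = $_.DisplayName
            Version  = $_.DisplayVersion
            Affected = ($_.DisplayVersion -eq $affected[$_.DisplayName])
            Path     = $_.InstallLocation   # where to look for the 32-bit CCleaner.exe
        }
    } | Format-Table -AutoSize
```

A row with Affected set to True means the install matches a trojanised version string; remove it and reinstall from a clean Piriform download, then treat the host as having exfiltrated the inventory data listed above.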

BlueBorne, a Bluetooth Vulnerability

Armis has identified a new threat to almost every device we own. Eight vulnerabilities have been identified, four of which are critical. These vulnerabilities affect over 5 billion Android, Windows, iOS, and Linux devices. This set of vulnerabilities is known as BlueBorne.

What makes this vulnerability different from most cyber attacks is that there is no link the user has to click on or malicious file the user has to download to become a victim. The user doesn’t even have to be connected to the internet. Instead, BlueBorne spreads through a device’s Bluetooth connection. The attack doesn’t require the targeted device to be paired to the attacker’s device, or even to be set to discoverable mode.


All of this contributes to BlueBorne being easily spread to devices at a possibly unprecedented rate. Bluetooth processes have high privileges on all operating systems, which allows this exploit to completely take over the device. Android devices are vulnerable to remote code execution, information leaks, and man-in-the-middle attacks. Windows devices are vulnerable to the man-in-the-middle attack. Linux devices running BlueZ are affected by the information leak vulnerability, and Linux devices from kernel version 3.3-rc1 (released in October 2011) onward are affected by the remote code execution vulnerability (this includes many smart watches, smart TVs, and smart refrigerators). iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and Apple TV devices with version 7.2.2 and lower, are affected by the remote code execution vulnerability, but it was already patched for users running iOS 10. Even “air gapped” networks are at risk from this attack, which includes industrial systems, government agencies, and critical infrastructure.

Examples of attacks:

  • Taking a picture on a phone and sending it to the hacker
  • Listening to a conversation through a wearable device
  • Redirecting a user to a fake login page to steal their login information
  • Cyber espionage
  • Data theft
  • Ransomware
  • Creating large botnets out of IoT devices

Many companies are pushing out updates for their users, but for many it is too late, and others have older devices that will not receive the updates.

As of 9/13/17:

  • Apple users with iOS 10 are safe
  • Google has released a patch for this vulnerability for Android Marshmallow and Nougat, but it might be weeks before the patch is available to some Android users
  • Microsoft patched the vulnerabilities in July
  • A patch for Linux is expected to be released soon

The problem is that even with these patches, there are many users who are unaware of this exploitation and/or do not update their devices regularly. For users who haven’t updated their devices or do not have an update available, the safest thing to do is to turn Bluetooth off on your phone and leave it off until there is a patch for your device.

Source: https://www.armis.com/blueborne/

-Matthew Smith