Tag Archive for: hide

Samsung Releases Maintenance Mode, A New Feature To Hide Your Personal Information From Prying Eyes


The new privacy feature will roll out gradually to Galaxy devices starting with the Galaxy S22, allowing users to block access to their data while their devices are being serviced

Samsung Electronics Co., Ltd. today begins the global rollout[1] of Maintenance Mode, a new privacy feature coming to select Samsung Galaxy devices, following a successful pilot program in Korea and initial launch in China. Maintenance Mode can relieve user anxiety that comes with giving a personal device to someone for repairs, by letting users block access to their personal information, such as their photos, messages or contacts.

“Our whole lives are on our phones, from credit card information to family photos. With Maintenance Mode, we are giving extra reassurance that Galaxy users can keep their privacy, even if they hand their phone to someone,” said Seungwon Shin, VP and Head of Security Team at Mobile eXperience Business, Samsung Electronics. “This is just the latest example of our constant efforts to introduce new ways to make people feel safe and in control, so they can explore new mobile experiences with peace of mind, knowing we have their back.”

Maintenance Mode creates a separate user account on the device before it is handed in for repair, so the technician can operate its core functions without being able to access any of the owner's private information. The user only needs to select Maintenance Mode in the ‘Battery and device care’ menu within ‘Settings’ and reboot the phone. Once it has rebooted, all personal information, including photos, documents and messages, is restricted[2].



Once Maintenance Mode is switched on, the person entrusted with the device cannot retrieve user-installed apps either. They can download apps from Galaxy Store, but those apps, along with any data or accounts created while in Maintenance Mode, are automatically deleted as soon as the owner exits Maintenance Mode.

Samsung Galaxy devices are protected by Knox,…

Source…

Hackers hide a nasty secret in James Webb telescope images


Space images from the James Webb telescope are being used by hackers to hide and distribute malware.

As reported by Bleeping Computer, a new malware campaign titled ‘GO#WEBBFUSCATOR’ has been uncovered, which also involves both phishing emails and malicious documents.


The campaign starts with a phishing email carrying an attachment named “Geos-Rates.docx”; a victim who opens it unknowingly downloads a remote template file.

If macros are enabled in the target's Office suite, that template auto-executes an embedded Visual Basic macro. The macro downloads a JPG image from a remote server, decodes the payload it carries into an executable, and finally loads that executable on the machine.

Opened in an image viewer, the file displays the galaxy cluster SMACS 0723, captured by the recently launched James Webb telescope. Opened in a text editor, however, the same file reveals an encoded payload hidden alongside the image data which, once decoded, becomes a 64-bit malware executable.
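A quick triage check for this kind of image is to look at whatever follows the JPEG End-Of-Image marker and test whether it decodes to a Windows executable. The following is an added example, not code from the Securonix or Bleeping Computer write-ups; it assumes the payload is appended after the EOI marker as Base64 text (possibly wrapped in PEM-style armor lines), which is one common way such files are built. The sample image and fake PE header it scans are constructed inline for the demonstration.

```python
import base64
import re
import struct
from typing import Optional, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Constructed JPEG skeleton: SOI + a JFIF APP0 segment + EOI (no image data, enough for the scan).
MINIMAL_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + JPEG_EOI
)


def trailing_bytes(data: bytes) -> bytes:
    """Return everything after the last JPEG End-Of-Image marker (empty if not a JPEG or no EOI)."""
    end = data.rfind(JPEG_EOI)
    if not data.startswith(JPEG_SOI) or end < 0:
        return b""
    return data[end + len(JPEG_EOI):]


def decode_base64_blob(blob: bytes) -> Optional[bytes]:
    """Strip whitespace and PEM-style '-----' armor lines, then attempt a strict Base64 decode."""
    lines = [ln.strip() for ln in blob.splitlines()]
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    if len(body) < 16 or not re.fullmatch(rb"[A-Za-z0-9+/=]+", body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(blob: bytes) -> bool:
    """True if the blob has an 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(data: bytes) -> dict:
    """Summarise whether a JPEG carries an appended, Base64-encoded PE payload."""
    trailer = trailing_bytes(data)
    decoded = decode_base64_blob(trailer) if trailer else None
    return {
        "trailer_bytes": len(trailer),
        "base64_decodes": decoded is not None,
        "hidden_pe": bool(decoded) and looks_like_pe(decoded),
    }


def build_constructed_sample() -> Tuple[bytes, bytes]:
    """Constructed test data (not a real campaign artefact): a clean skeleton JPEG and one with a fake PE appended."""
    fake_pe = bytearray(0x80)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)   # e_lfanew -> 0x40
    fake_pe[0x40:0x44] = b"PE\x00\x00"
    b64 = base64.b64encode(bytes(fake_pe))
    wrapped = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    stego = (
        MINIMAL_JPEG
        + b"\n-----BEGIN CERTIFICATE-----\n"
        + wrapped
        + b"\n-----END CERTIFICATE-----\n"
    )
    return MINIMAL_JPEG, stego


if __name__ == "__main__":
    clean, stego = build_constructed_sample()
    print("clean:", scan_image(clean))
    print("stego:", scan_image(stego))
```

Because the decoded data is checked for a real DOS/PE structure rather than just the letters "MZ", ordinary trailing metadata or a genuine certificate block will not trigger the `hidden_pe` flag; a file that does trigger it deserves a look at the macro that fetched it.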

Once launched, the malware establishes its command-and-control (C2) channel over DNS. The operators can then execute commands on the host through the Windows cmd.exe tool.

To hinder analysis, the threat actors XOR-encoded parts of the binary to conceal its Golang assemblies from analysts, and those assemblies use case-altered names so that signature-based security tools do not recognize them.

As for Golang, Bleeping Computer notes that it is becoming increasingly popular with cybercriminals because of its cross-platform (Windows, Linux and Mac) capabilities, and, as this campaign shows, Go binaries are harder for analysts and security tools to detect.

Researchers from Securonix found that the domains used in the campaign were registered as recently as May 29, 2022. At the time of analysis, none of the antivirus engines on VirusTotal flagged the payloads as malicious.

It’s been a busy year for hackers looking to deliver malware. In addition to the regular tried and tested methods to spread malicious files and the like, they’re even delaying the launch of their dangerous codes once it’s found its way into PCs by up to a month.

Fake…

Source…

New XLoader botnet uses probability theory to hide its servers



Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware’s operation.

This helps the malware operators continue using the same infrastructure without the risk of losing nodes due to blocks on identified IP addresses while also reducing the chances of being tracked and identified.

XLoader is an information-stealer that was originally based on Formbook, targeting Windows and macOS operating systems. It first entered widespread deployment in January 2021.

Researchers at Check Point, who have been following the evolution of the malware, have sampled and analyzed the more recent XLoader versions 2.5 and 2.6 and spotted some critical differences compared to previous versions.

Law of large numbers

XLoader already camouflaged its actual command and control (C2) servers in version 2.3 by hiding the real domain name in a configuration that includes 63 decoys.

Hiding the actual domain among 63 decoys (Check Point)

In the most recent versions, though, Check Point’s analysts noticed that on every communication attempt the malware overwrites 8 of the randomly chosen domains from the 64 in its configuration list with new values.

Overwriting random domains in the list (Check Point)

“If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately every 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name,” explains Check Point.

“The eight domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the “fake c2 (2)” domain.”

This helps in disguising the real C2 servers from security analysts while keeping the impact on the malware’s operations at a minimum.

Successful C2 access relies on the law of large numbers: the real C&C may be skipped in any single cycle, but over enough cycles the fraction of cycles in which it is contacted converges to its per-cycle probability, so the bot still reaches its server while an analyst watching a handful of cycles mostly sees decoys.
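To make the probability argument concrete, the following is an added example that models the scheme as described above; it is not Check Point's code and not XLoader's actual selection routine. It assumes the case where the real C&C sits in the first part of the list, so it is only contacted in a cycle when it is among the 8 of 64 domains drawn at random to overwrite that part (giving 8/64 = 1/8 per cycle; the page's 7/64 variant depends on the position of a second fake entry and is left out here). The 85-second cycle length is the midpoint of the 80-90 seconds quoted on the page.

```python
import random
from fractions import Fraction

DOMAIN_COUNT = 64       # size of the domain list in the configuration (page)
OVERWRITE_COUNT = 8     # domains overwritten on every communication attempt (page)
CYCLE_SECONDS = 85      # assumed midpoint of the 80-90 s cycle quoted on the page


def per_cycle_contact_probability(overwrite_count: int = OVERWRITE_COUNT,
                                  domain_count: int = DOMAIN_COUNT) -> Fraction:
    """Probability that the real C&C is among the randomly drawn overwrite domains in one cycle."""
    return Fraction(overwrite_count, domain_count)


def contact_within(n_cycles: int, p: Fraction) -> Fraction:
    """Probability of at least one successful C&C contact within n independent cycles."""
    return 1 - (1 - p) ** n_cycles


def expected_cycles_to_contact(p: Fraction) -> Fraction:
    """Mean number of cycles until the first contact (geometric distribution)."""
    return 1 / p


def expected_wait_seconds(p: Fraction, cycle_seconds: int = CYCLE_SECONDS) -> float:
    """Mean wall-clock wait until the bot first reaches its real C&C."""
    return float(expected_cycles_to_contact(p) * cycle_seconds)


def simulate(n_cycles: int, seed: int = 1, real_index: int = 5) -> float:
    """Monte Carlo model: each cycle draws 8 of 64 domain slots at random; contact happens iff the
    real C&C's slot is among them. Returns the observed fraction of cycles with a contact."""
    rng = random.Random(seed)
    contacts = 0
    for _ in range(n_cycles):
        drawn = rng.sample(range(DOMAIN_COUNT), OVERWRITE_COUNT)
        if real_index in drawn:
            contacts += 1
    return contacts / n_cycles


if __name__ == "__main__":
    p = per_cycle_contact_probability()
    print(f"per-cycle contact probability: {p} = {float(p):.4f}")
    print(f"expected cycles to first contact: {expected_cycles_to_contact(p)}")
    print(f"expected wait: {expected_wait_seconds(p):.0f} s")
    print(f"P(contact within 16 cycles): {float(contact_within(16, p)):.4f}")
    print(f"simulated rate over 100000 cycles: {simulate(100000):.4f}")
```

The point for a defender is the other side of the same law: blocking the 8 or 16 domains seen in a short capture removes, on average, only decoys, and the real C&C is still reached within about eight cycles (roughly 11 minutes at 85 seconds per cycle). Only a long observation window, in which the real domain's contact frequency separates from the decoys', exposes it.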

As CheckPoint explains via the following…

Source…

Companies Linked to Russian Ransomware Hide in Plain Sight


MOSCOW — When cybersleuths traced the millions of dollars American companies, hospitals and city governments have paid to online extortionists in ransom money, they made a telling discovery: At least some of it passed through one of the most prestigious business addresses in Moscow.

The Biden administration has also zeroed in on the building, Federation Tower East, the tallest skyscraper in the Russian capital. The United States has targeted several companies in the tower as it seeks to penalize Russian ransomware gangs, which encrypt their victims’ digital data and then demand payments to unscramble it.

Those payments are typically made in cryptocurrencies, virtual currencies like Bitcoin, which the gangs then need to convert to standard currencies, like dollars, euros and rubles.

That this high-rise in Moscow’s financial district has emerged as an apparent hub of such money laundering has convinced many security experts that the Russian authorities tolerate ransomware operators. The targets are almost exclusively outside Russia, they point out, and in at least one case documented in a U.S. sanctions announcement, the suspect was assisting a Russian espionage agency.

“It says a lot,” said Dmitri Smilyanets, a threat intelligence expert with the Massachusetts-based cybersecurity firm Recorded Future. “Russian law enforcement usually has an answer: ‘There is no case open in Russian jurisdiction. There are no victims. How do you expect us to prosecute these honorable people?’”

Recorded Future has counted about 50 cryptocurrency exchanges in Moscow City, a financial district in the capital, that in its assessment are engaged in illicit activity. Other exchanges in the district are not suspected of accepting cryptocurrencies linked to crime.

Cybercrime is just one of many issues fueling tensions between Russia and the United States, along with the Russian military buildup near Ukraine and a recent migrant crisis on the Belarus-Polish border.

The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011. One Russian ransomware strain, Ryuk, made an estimated $162 million last year encrypting the computer systems of American hospitals…

Source…