Tag Archive for: Hijacks

Hey Alexa Go Hack Yourself: Researchers Detail Wild Self-Issued Smart Speaker Hijacks



Did you ever get an Amazon delivery and not remember placing an order for the item? There are plenty of stories of this all over the internet, and sometimes those boil down to one too many cocktails in your attitude adjustment hour. What if we told you that maybe one of those times it wasn’t related to brain fog or blackouts, but some random person decided to order something for you through your own Amazon Echo device?

That’s what researchers from the University of London’s Royal Holloway and Catania University in Italy discovered is entirely possible. Through a few different methods, either social engineering or simply being near an Echo device, Alexa can be activated and used fairly easily. Tested on the third generation of the Echo Dot, though believed to be exploitable on fourth-generation devices as well, the researchers found that playing audio files containing the right wake words will activate the Alexa voice-enabled device that is playing them. Dubbed “Alexa Versus Alexa” by the researchers, the exploit can be used to order products, modify settings, install skills, and perform a whole host of other functions that the Echo product line makes available to Echo Dot owners.

Diagram of the Alexa vs. Alexa exploit

A social engineering example would be having someone activate an internet radio station that intentionally uses common activation terms. Pre-existing skills, like Echo’s Music and Radio skill, may play one of these stations, which then lets the device activate itself. Part of the reason this can be a really big problem is that Amazon’s Echo devices typically only validate account activity and actions during the initial setup of the device. Skill installation is a big deal here because skills are small apps that run directly on the device, and with the right malicious code they can potentially be a security threat. That creates a situation where, once the vulnerability is triggered, the attacker can issue any command that is at the disposal of the Echo device.

Amazon has issued a patch (check your software version here), which you can force by asking the device to ‘check for updates’. However, the issue remains if the attacker is in…

Source…

Global Botnet Hijacks $500,000 In Crypto Transactions In Just One Year


A stealthy botnet that has infected computers in nearly 100 different countries is silently stealing cryptocurrency from its victims. From November 2020 to November 2021 it hijacked nearly $500,000.

The Phorpiex botnet has been operating since 2016 and is made up of hundreds of thousands of compromised devices. Back in 2019 it was grabbing headlines for an alarmingly successful sextortion email campaign that was raking in $20,000 a month for its criminal controllers.

Phorpiex also has the ability to steal cryptocurrency, which it does by “crypto-clipping.” In these attacks, malware on an infected device waits for a cryptocurrency transaction to take place. When a transaction is detected, the malware clips the original destination wallet address and replaces it with one controlled by the attacker.

According to Check Point Research the Phorpiex crypto-clipper supports more than 30 different cryptocurrencies. Since April of 2016 Phorpiex has hijacked thousands of transactions and swiped around 38 Bitcoin and 133 Ether. At today’s exchange rates that works out to around $2.2 million in stolen cryptocurrency.

From last November until this November alone Phorpiex successfully clipped 969 transactions. Those attacks netted its controller(s) more than $650,000.

This summer, however, the botnet activity suddenly tailed off. In August one of its creators allegedly walked away from cybercrime and the other decided to sell the Phorpiex code to the highest bidder.

Whether or not a sale actually happened, Phorpiex was back a few weeks later with some new tricks. A new variant called Twizt emerged.

One of the biggest differences with Twizt is that the botnet is now able to communicate peer-to-peer. That means it’s not dependent on specific command and control servers. Infected hosts can send instructions to each other.

Twizt has also added a double-encrypted protocol for communication and new data integrity functions. Check Point researcher Alexey Bukhteyev says, “The emergence of such features suggests that the botnet may become even more stable and therefore, more dangerous.”

Security researchers had managed to take control of the…

Source…

Smashing Security podcast #240: 3D printer hijacks, crypto fails, and a tech billionaire's revenge – Graham Cluley Security News


Source…

Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox


Adrozek attack chain (Image: Microsoft)

Microsoft has raised the alarm today about a new malware strain that infects users’ devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages.

Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day.

But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed “hundreds of thousands” of Adrozek detections all over the globe.

Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia.

Adrozek geographic distribution (Image: Microsoft)

How Adrozek spreads and works

Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software.

The booby-trapped software installs the Adrozek malware, which then proceeds to obtain reboot persistence with the help of a registry key.

Once persistence is assured, the malware will look for locally installed browsers such as Microsoft Edge, Google Chrome, Mozilla Firefox, or the Yandex Browser.

If any of these browsers are found on infected hosts, the malware will attempt to force-install an extension by modifying the browser’s AppData folders.

To make sure the browser’s security features don’t kick in and detect unauthorized modifications, Adrozek also modifies some of the browsers’ DLL files to change browser settings and disable security features.

Modifications performed by Adrozek include:

  • Disabling browser updates
  • Disabling file integrity checks
  • Disabling the Safe Browsing feature
  • Registering and activating the extension added in the previous step
  • Allowing their malicious…

Source…