Tag Archive for: legitimate

WhatsApp update brings major new security feature to check app is legitimate


The messages were allegedly sent on WhatsApp (Nick Ansell/PA) (PA Wire)

WhatsApp has launched a new feature, named “Code Verify”, intended to improve its security.

The tool consists of a browser extension that makes sure users are really running WhatsApp's code – and that the code has not been tampered with in an attempt to hack or otherwise attack users.

WhatsApp said it had taken the decision to introduce the new tool because of a rise in the number of people using WhatsApp Web, which allows people to access their messages through their browser. That came after the company added multi-device capability last year, meaning that WhatsApp could connect with more than one computer at any one time.

Using WhatsApp on the web means that users can keep up with messages on their computer, type using their keyboard, and more. But it also offers a new opportunity for cyber criminals to try and break into the system.

That is because while WhatsApp is able to encrypt the messages as they are sent over its system, protecting them from being read, hackers could potentially read those messages by hacking into the WhatsApp Web code itself.

Unlike the mobile app version of WhatsApp, web apps are served up straight to users – meaning that the security can be weaker and people might not even know they are being tricked.

“For years, WhatsApp has protected the personal messages you send on WhatsApp Web with end-to-end encryption as they transit from sender to recipient,” WhatsApp wrote in its announcement. “But security conscious users need to be confident that when WhatsApp Web receives these encrypted messages, it is protected as well.”

Code Verify attempts to fix that. It is installed as a web browser extension and works with internet infrastructure company Cloudflare to check that the code being run is legitimate, and that users are not being hacked.

Once it is installed, it will automatically check that code and show the result in a traffic light system. Users will be told that they are validated and safe, that there are possible risks – or that there is a validation failure and something has gone wrong with the source code.

Links to download the extensions can be found on…

Source…

Living Off the Land: How to Defend Against Malicious Use of Legitimate Utilities – Threatpost


Source…

Hidden Botnet C&C on Legitimate Infrastructure? The Case of 000webhostapp[.]com


Note: Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the initial investigation available here, which led to the creation of this post.

Threats can come from anywhere, even from legitimate hosting infrastructure. In fact, many cybercriminals often host their command-and-control (C&C) servers in known hosting providers’ networks, sometimes those that offer bulletproof hosting services, to evade detection and consequent blocking.

We found that one service provider that has been recently abused by cyber attackers is Hostinger. Two WhoisXML API studies specified 93 IP addresses, 119 subdomains of the domain 000webhostapp[.]com, and four name servers, all part of Hostinger’s infrastructure, that have played a part in botnet operations.

We used a variety of domain and IP intelligence tools to obtain as much information as possible on these to help cybersecurity teams better protect their networks.

IP Address Resolutions

We subjected the 93 IP addresses to reverse IP/DNS lookups to determine how many and what domains they resolved to over time according to passive Domain Name System (DNS) data.

The 93 IP addresses resolved to at least 300 domains each, amounting to a total of at least 27,900 domains. Note that the results of the reverse IP/DNS lookups we did listed only up to 300 domains per IP address queried even if there could be more resolutions.

After removing duplicate domains, we ended up with a list of 8,416. Of these, 48% (totaling 4,015 domains) use the .com top-level domain. In second and third place are .xyz (6% or 520) and .online (5% or 393) domains, respectively. The top 20 TLDs are shown in Chart 1 below.
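The procedure described above (reverse IP/DNS lookups capped at 300 results per IP, deduplication, then a TLD tally) is easy to reproduce once you have the passive DNS output in hand. The script below is an added example, not code from WhoisXML API or its tools: it takes a mapping of IP address to the domain list a reverse-IP lookup returned, records which IPs hit the 300-domain cap (so their true resolution count may be higher), deduplicates across IPs, and computes the top-N TLD distribution. All IP addresses and domains in it are constructed for illustration (documentation-range IPs, made-up hostnames); only the 300-per-query cap comes from the post.

```python
"""
Added example (not from the WhoisXML API post): TLD tally over reverse-IP
lookup results, with cap tracking and deduplication.  Sample data is
constructed; the per-IP result cap of 300 is the one the post describes.
"""
from collections import Counter

LOOKUP_CAP = 300  # reverse IP/DNS lookups in the post return at most 300 domains per IP


def refang(domain: str) -> str:
    """Normalise a possibly defanged indicator ('example[.]com') to 'example.com'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def tld_of(domain: str) -> str:
    """Return the last label of a domain as its TLD ('com' for 'a.b.com')."""
    return domain.rsplit(".", 1)[-1]


def analyse(lookups: dict, top_n: int = 20) -> dict:
    """Summarise reverse-IP results: cap hits, raw vs. unique counts, top TLDs."""
    # IPs whose result list is at the cap may have more resolutions than shown.
    ips_at_cap = [ip for ip, doms in lookups.items() if len(doms) >= LOOKUP_CAP]
    raw_total = sum(len(doms) for doms in lookups.values())
    # Deduplicate across all IPs after normalising the spelling.
    unique = {refang(d) for doms in lookups.values() for d in doms}
    counts = Counter(tld_of(d) for d in unique)
    top = counts.most_common(top_n)
    share = {tld: round(100 * n / len(unique), 1) for tld, n in top}
    return {
        "ips_at_cap": ips_at_cap,
        "raw_resolutions": raw_total,
        "unique_domains": len(unique),
        "top_tlds": top,          # list of (tld, count), most common first
        "tld_share": share,       # percentage of unique domains per TLD
    }


def in_watchlist(domain: str, result: dict) -> bool:
    """True if the domain's TLD is among the top TLDs of the analysed set.

    This mirrors the post's suggestion of being wary of connected domains
    that use the most common TLDs, for teams that do not block at IP level.
    """
    return tld_of(refang(domain)) in dict(result["top_tlds"])


def constructed_lookups() -> dict:
    """Constructed sample: one IP hits the 300-domain cap, one does not, and
    both share some domains so the deduplication step matters."""
    shared = [f"shared{i}[.]xyz" for i in range(20)]          # defanged on purpose
    ip_a = shared + [f"site{i}.com" for i in range(200)] + [f"shop{i}.online" for i in range(80)]
    ip_b = shared + [f"site{i}.com" for i in range(50)] + [f"blog{i}.net" for i in range(30)]
    return {"192.0.2.10": ip_a, "198.51.100.7": ip_b}   # documentation-range IPs


if __name__ == "__main__":
    result = analyse(constructed_lookups())
    print("IPs at result cap:", result["ips_at_cap"])
    print("raw resolutions:", result["raw_resolutions"], "unique:", result["unique_domains"])
    for tld, n in result["top_tlds"]:
        print(f"  .{tld:<8} {n:>5}  ({result['tld_share'][tld]}%)")
    print("evil[.]xyz on TLD watchlist:", in_watchlist("evil[.]xyz", result))
```

With the constructed data the script reports 400 raw resolutions but 330 unique domains, flags 192.0.2.10 as having hit the cap, and ranks .com first at about 61% of the unique set; substituting real lookup output for `constructed_lookups()` gives the same kind of table the post's Chart 1 summarises.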

Chart 1: Top 20 TLDs used by the domains connected to the Hostinger-hosted botnet C&C servers

Based on the data shown in Chart 1, organizations that don't want to employ IP-level blocking of the Hostinger IP addresses related to the campaign may instead want to be especially wary of connected domains sporting the top 20 TLDs mentioned above. Companies that use Hostinger, or have partners and customers that do, may be among those who wouldn't want to block the IP addresses. Some of these could have been hijacked by the…

Source…