Martijn Lammerts
My own digital place with a little of everything

New Magecart Attack Delivered Through Compromised Advertising Supply Chain

On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking. During this time, we found their malicious skimming code (detected by Trend Micro as JS_OBFUS.C.) loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands. Trend Micro’s machine learning and behavioral detection technologies proactively blocked the malicious code at the time of discovery (detected as Downloader.JS.TRX.XXJSE9EFF010).

The activities are unusual, as the group is known for injecting code into a few compromised e-commerce websites and then keeping a low profile during our monitoring. Further research into these activities revealed that the skimming code was not injected directly into the e-commerce websites, but into a third-party JavaScript library by Adverline, a French online advertising company, which we immediately contacted.

Demonstrating Command Injection and E-Stop Abuse Against Industrial Radio Remote Controllers

In our research, we found that it is possible to perform attacks within or out of RF range. For remote attackers out of the transmission range, there are two possibilities: be a truly remote attacker and do a computer-borne attack (that is, to take control of a computer used to software-program or -control the RF devices), or have temporary physical access to the facility to drop a battery-powered, pocket-sized embedded device for remote access. As a proof of concept (PoC), we developed such a device to show the feasibility.

January Patch Tuesday: First Bulletin of 2019 has Fixes for DHCP and Microsoft Exchange Vulnerabilities

Microsoft starts off 2019 relatively smoothly with 49 security patches and two advisories — seven of these vulnerabilities were rated Critical and 40 were Important. Ten of these were disclosed through the Zero Day Initiative (ZDI) program.

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

We recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. The 85 fake apps have been downloaded a total of 9 million times around the world.

With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit

We analyzed another Mirai variant called “Miori,” which is being spread through a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP. Aside from Miori, several known Mirai variants like IZ1H9 and APEP were also spotted using the same RCE exploit for their arrival method. The aforementioned variants all use factory default credentials via Telnet to brute force their way in and spread to other devices.
