Cyber threats and Malware are REAL THREATS!

[zipping]

https://www.techspot.com/news/72736-intel-amt-security-hole-hackers-take-control-corporate.html

 

 

 

Intel AMT security hole lets hackers take control of corporate laptops Another Intel flaw for attackers to exploit By Cal Jeffrey  on Jan 12, 2018, 3:43 PM

Intel is off to a rough start in 2018 with yet another security issue found impacting their products. Coming fast on the heels of Spectre and Meltdown is a security vulnerability in Intel’s Active Management Technology (AMT). The Intel Core processor with vPro feature is intended to help IT staff manage networked assets. Ironically, it is supposed to help administrators protect devices. This security risk flushes all that down the toilet.

According to researchers at F-Secure, “The issue allows a local intruder to backdoor almost any corporate laptop in a matter of seconds, even if the BIOS password, TPM Pin, Bitlocker and login credentials are in place. No, we’re not making this stuff up.”

This flaw has a high destructive potential and can be executed very quickly. The attacker doesneed to have physical access to the laptop but there are several scenarios where this could prove to be a trivial issue.

Harry Sintonen, one of F-Secure’s senior security consultants, describes using the “evil maid” scenario. This is where a pair of attackers identify a target and while one distracts the mark, the other accesses the computer. Since the exploit can be completed in seconds, this tactic is quite viable.

"AMT is no stranger to security weaknesses, with many other researchers finding multiple flaws within the system, but Sintonen’s discovery surprised even him."

The way the attack is accomplished is by rebooting the computer and then entering the boot menu. In most circumstances, this is the end of the line for an attacker because any competent IT pro would have enabled the BIOS password and the exploit could go no further.

However, on AMT machines, the attacker can select Intel’s Management Engine BIOS Extension (MEBx) and log in using the default password “admin.” They can then change the password, enable remote access and set the user’s opt-in to “None.” What he has essentially done here is set up the machine to allow remote access without the user’s knowledge that the computer is being exploited.

 

https://www.youtube.com/watch?v=aSYlzgVacmw

 

To remote in, the attacker does have to be on the same network segment. However, Sintonen says that wireless access can be achieved with only a few extra steps.

Dealing with the problem can be a pain, especially for large companies with vast numbers of mobile assets. In most cases, the individual machines must be physically accessed and have the AMT default password changed or have the suite disabled altogether.

"The security issue seems like something lifted straight from IT security officers’ worst nightmares."

F-Secure advises that large companies first try to determine the number of affected devices remotely to find a more manageable number. There is no sense wasting time on laptops that do not have AMT.

“Organizations with Microsoft environments and domain connected devices can also take advantage of the System Center Configuration Manager to provision AMT,” said F-Secure. If in the process of reconfiguration, a device is found with the AMT password set to an unknown value, assume the worst and initiate an incident response. “First rule of cybersecurity? Never take unnecessary risks.” For more details, see F-Secure's FAQ on the flaw.

 

Edited January 13, 2018 by zipping

[zipping]

https://www.techspot.com/news/72742-google-removes-60-apps-play-store-following-discovery.html

 

 

Google removes 60 apps from the Play Store following discovery of pornographic ads The Adult Swine malware could also steal user credentials By Rob Thubron  on Jan 14, 2018, 10:30 AM

Malware appearing in Google's Play Store apps isn’t something new, but a newly discovered piece of code proved to be particularly unpleasant. Among the different ways that ‘Adult Swine’ affects users is by displaying porn ads within games, and many of the titles it appeared in were aimed at children.

Google has removed 60 games from its Play Store after security firm Check Point uncovered the malware. Its ads come from main providers, who don’t allow their content to be used this way, and from the malware’s own ad libraries, which are the source of the pornographic and inappropriate adverts. Back in November, at least one parent left a review complaining that his four-year-old son was exposed to the ads.

Some of the ads use scareware pop-ups that warn users they’ve been infected with a virus. Clicking on the link to remove it directs them to “questionable” security apps within the Google Play Store, which could cause even more problems if installed.

Another element of Adult Swine is tricking victims into signing up to premium services and charging their accounts. It does this through another popup that claims users can win an iPhone by answering some simple questions. If someone completes the quiz, they’re asked to enter their phone number to receive the prize, but the information is really used to register for a premium service.

While most people will know not to click on the ads or hand over any data, they could have fooled less tech-savvy users and children.

Google Play’s data shows apps containing the code were downloaded between 3 million and 7 million times. They included Five Nights Survival Craft, which was downloaded a minimum of one million times; McQueen Car Racing Game, based on characters from Disney Pixar’s Cars, and Addon Pixelmon for MCPE.

Google has now removed the offending apps. “We’ve removed the apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to anyone that has installed them. We appreciate Check Point’s work to help keep users safe,” the company said, in a statement to the Financial Times.

 

[zipping]

https://www.channelnewsasia.com/news/singapore/beware-of-sms-linking-uob-customers-to-phishing-website-police-9866490

 

 

 

Beware of SMS linking UOB customers to phishing website: Police

 

Several victims have been cheated into providing their personal information and credit card details on phishing websites after responding to SMS' purportedly sent by United Overseas Bank. (Images: Facebook/Stephen Tay, BeeLeng Kaya Novem)

 

 

SINGAPORE: Several victims have been tricked into providing their personal information and credit card details on phishing websites after responding to SMSes that were purportedly sent by United Overseas Bank, the police said in a news release on Tuesday (Jan 16).

The victims later realised that unauthorised transactions in various foreign currencies were made to their credit cards.

In these cases, the victims received an SMS purportedly sent by UOB informing them of a new account notification. They were asked to click on the link uob-mob.com provided in the text message.

This link would direct them to a website resembling UOB's and the victims were asked to enter their personal information and credit card details.

They were also prompted to key into the website, the one-time password sent to their mobile phones. Subsequently, the victims received SMS notifications of foreign transactions made on their credit cards.

 

 

 

 

 

"Without the knowledge of the victims, the scammers had actually downloaded the UOB Mighty App and entered all the details that the victim had provided into the application," said the police.

They advised members of public to take the following precautions to avoid falling for online scams:

• Be wary when are asked to disclose personal information and bank account details over the Internet;
• Beware of phishing websites that may look genuine. Websites that are secure use "'https:" instead of "http:" at the start of the URL, or display a closed padlock or unbroken key icon at the bottom right corner of the web browser;
• Report any fraudulent charges detected in your credit card bills to your bank immediately.

For scam-related advice, members of the public can call 1800-722-6688 or visit www.scamalert.sg.

Source: CNA/aj

 

 

 

Edited January 16, 2018 by zipping

[Wt_know]

with smart nation and more reliance on technology, this problem will getting more serious by day

[zipping]

https://www.techspot.com/news/72791-world-most-powerful-mobile-spyware-can-read-whatsapp.html

 

 

World's most powerful mobile spyware can read WhatsApp messages, take photos, more Skygofree can perform numerous malicious activities By Rob Thubron  on Jan 17, 2018, 11:09 AM

Security firm Kaspersky has uncovered a new Android spyware tool that’s being described as one of the most powerful and advanced forms of mobile malware ever. Named after one of the domains where it was first identified, Skygofree can perform a number of malicious activities, including recording audio and reading WhatsApp messages.

While Kaspersky discovered Skygofree in late 2017, it’s been around and evolving since 2014. What makes the spyware particularly insidious is the way it’s distributed through fake sites designed to look like those from mobile carriers. The tool is advertised as a piece of software designed to increase the internet speeds of anyone who downloads it.

It appears that those behind Skygofree and the people it targets are all based in Italy. "Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions," said Kaspersky Lab’s Alexey Firsh.

References to Rome-based technology company Negg were found in Skygofree’s code. According to Forbes, archived versions of the small company’s website shows it provides cybersecurity and app development services. It also offers forensic capabilities and has worked with authorities and prosecutors in Italy.

One of the most advanced mobile threats found: #Skygofree. Capable of taking pictures & video, seizing call records, SMS, geolocation, calendar events & business-related information. Read the full story over at @Securelist https://t.co/RAlNIYw5ab pic.twitter.com/JN7WRt57ho

— Kaspersky Lab (@kaspersky) January 17, 2018

Some of Skygofree’s capabilities include tracking the location of an infected device and switching on a microphone to record audio when a person enters a certain place.

The spyware is also able to connect to Wi-Fi networks controlled by the hackers, which can occur even when a user has disabled a device’s Wi-Fi. This could compromise passwords, allow the collection of personal information, and more. Additionally, it can read victims' private WhatsApp messages through Accessibility Services—a tool for visually and audibly impaired users. Finally, it can intercept user data like SMS messages and calendar events, as well as turn on the front-facing camera to take a picture when a user unlocks their device.

Only a few infections have been discovered, and all of them were in Italy. But Android users everywhere are still advised to stick with downloading apps from official stores and be wary of suspicious websites and links.

 

[zipping]

http://www.hardwarezone.com.sg/tech-news-40000-oneplus-customers-were-affected-credit-card-security-breach

 

 

 

 

Up to 40,000 OnePlus customers were affected by credit card security breach

 By Cookie Monster - on 22 Jan 2018, 1:00am

OnePlus' online payment system suffered a serious security breach which affected up to 40,000 customers.

The security breach came to light after members of the OnePlus community reported cases of fraudulent credit card transactions from OnePlus.net two weekends ago. The company immediately investigated the cases and suspended credit card payments although the PayPal option is still available. 

In a forum post update on 19 January, OnePlus confirmed that one of its systems has been attacked and amalicious script was injected into the payment page code to steal credit card information when it was being entered.

 

The malicious script was found to have operated intermittently on one server, capturing and sending data directly from the user's browser. OnePlus states that the malicious script has since been eliminated and the infected server quarantined. 

The company also revealed that customers who entered their credit card details between mid-November 2017 and 11 January 2018 may be affected. OnePlus has sent out emails to these customers and is working with current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit to prevent similar incidents from happening in the future. 

Source: OnePlus, The Verge

 

[zipping]

https://www.techspot.com/news/72814-intel-spectremeltdown-patches-also-causing-reboots-systems-newer.html

 

 

 

 

Update: Intel now says to stop installing Spectre patches due to reboots   Last week Intel was warning about random reboots, but it's apparently too widespread an issue By Rob Thubron  on Jan 22, 2018, 5:14 PM 22 comments

Update (1/22): In what's unfortunately turning into a big disaster for Intel -- security issues aside -- in rushing with a fix for the Spectre flaws, the company has discovered and now identified the cause of random restarts in systems that have installed the microcode update.

As a result Intel is now recommending all users of Haswell and newer platforms to stop installing current microcode or firmware updates. Instead a new patch that is nearly ready for systems with those CPUs will be offered to manufacturers soon. That means OEMs and component vendors will have to go through QA testing again for each of their products before the new update reaches end users.

Update #2: Linus Torvalds is pissed at Intel, calls current patches utter garbage. Remember that Google has offered "Retpoline" as an alternative solution, which is said to have almost no effect on systems' speed.

The original story follows below:

Last week, Intel promised to be more “transparent” about the Meltdown and Spectre patch situation after users with Broadwell and Haswell CPUs complained of reboot issues. Now, Intel has admitted that the firmware updates could cause the same problems on systems using newer processors.

Intel VP and general manager of the Data Center Group, Navin Shenoy, writes that frequent reboots have been occurring on firmware-updated PCs containing Ivy Bridge, Sandy Bridge, Skylake, and even Kaby Lake processors. Shenoy says Intel has reproduced the issues internally and is working to identify the root cause. “In parallel, we will be providing beta microcode to vendors for validation by next week,” he added.

The company has issued a new warning about the stability issues and recommends system manufacturers, software vendors, and cloud providers test its beta microcode updates before the final release.

Microsoft recently warned that those running Haswell CPUs or older, and those with older versions Windows, will notice performance impacts from the Spectre patch.

Intel confirmed that the patches are affecting performance in some cases. A data center benchmark test simulating a stock exchange showed a 4 percent impact, while tests using the Storage Performance Development Kit (SPDK), which "provide a set of tools and libraries for writing high performance, scalable, user-mode storage applications," showed workload speeds reduced by up to 25 percent.

The post highlights other mitigation options that have less of a performance impact, including Google’s "Retpoline" security solution, which is said to have almost no effect on a system’s speed.

 

[zipping]

https://www.techspot.com/news/72973-drive-cryptomining-code-discovered-youtubes-ad-system-week.html

 

 

 

'Drive-by' cryptomining code was discovered in YouTube ads this week

 

If you visited YouTube recently, your system may have been used to mine cryptocurrency By Cohen Coberly  on Jan 27, 2018, 11:26 AM 10 comments

"Cryptojacking" is nothing new but it has begun to pick up more steam in recent months. For the unaware, cryptojacking typically involves unscrupulous website owners or advertisers using JavaScript code to take advantage of a website visitor's CPU power to mine cryptocurrency in the background, without their knowledge or consent.

The Pirate Bay was one of the first websites of note to contain this sort of code but its use has only become more common over time. Indeed, the problem has become so pervasive in certain parts of the internet that web browsers such as Opera have received new featuresspecifically designed to mitigate or eliminate these issues -- usually in the form of ad blocking filters.

While simply avoiding sketchy sites to begin with might seem like the obvious solution, the issue becomes more complicated when this code starts to appear on bigger, more well-known sites like Showtime or even YouTube.

This past week YouTuber viewers' antivirus programs began to alert them to the presence of cryptocurrency mining code throughout the website this week, specifically within YouTube's advertising code. Naturally, this led to some users hopping on Twitter to voice their concerns.

 

Diego Betto

@diegobetto

 

Hey

@

avast_antivirus

seems that you are blocking crypto miners (

#

coinhive

) in

@

YouTube

#

ads

Thank you :)

https://

diegobetto.com/crypto-miner-c

oinhive-youtube-ads/ 

…

11:40 PM - Jan 25, 2018

Crypto Miner (Coinhive) in YouTube Ads | Diego Betto

During normal browsing on YouTube, at some point, the antivirus Avast reported something that was not good.   From the Chrome Inspector it appears that one of the ads is infected and tries to load a...

diegobetto.com

•  
   
  2
  2 Replies
•  
•  
   
  60
  60 Retweets
•  
•  
   
  70
  70 likes

Twitter Ads info and privacy

 

 

Great now my browser everytime I watch youtube... my anti virus always blocking coinhive because malware . Idk much about it but this is getting annoying and I need a solution please T n T

— Arung (@ArungLaksmana) 

January 23, 2018

Researchers from antivirus company Trend Micro said these ads resulted in "more than a three-fold spike" in web miner detection stats. The company also said the individuals behind the ads seemed to be targeting YouTube visitors in specific countries, such as France, Taiwan, Italy, Spain and Japan.

"YouTube was likely targeted because users are typically on the site for an extended period of time," security researcher Troy Mursch said in a statement. "This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made."

This may not seem like a significant issue but background miners can hog quite a bit of a given system's computing power if left unchecked, as much as 80 percent according to Trend Micro.

Google issued the following statement on the matter:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

As Ars noted, evidence supplied by Trend Micro seems to contradict Google's statement. The antivirus company has shown several examples of these ads being in place for the better part of a week, which is certainly longer than the two hours Google claims it took to shut the scheme down.

 

[Blueray]

Fitness tracking app could be ‘serious security threat’ to Singapore

 

 

But experts say banning technologies such as Strava’s is not the solution as society needs to learn to “live with them”.

 

Read more at https://www.channelnewsasia.com/news/singapore/singapore-strava-fitness-tracking-app-security-military-9910070

[Kusje]

Fitness tracking app could be âserious security threatâ to Singapore

 

But experts say banning technologies such as Stravaâs is not the solution as society needs to learn to âlive with themâ.

Read more at https://www.channelnewsasia.com/news/singapore/singapore-strava-fitness-tracking-app-security-military-9910070

Lol. What security risk. Any information that can be bought for 500 bucks from an nsf or ns man cannot possibly be termed confidential. Edited January 31, 2018 by Kusje

[DACH]

Lol. What security risk. Any information that can be bought for 500 bucks from an nsf or ns man cannot possibly be termed confidential.

Your IC number, which can be linked to your bank account number and your credit cards, and link to your phone number, and then your address, and your car. 

[Kusje]

Your IC number, which can be linked to your bank account number and your credit cards, and link to your phone number, and then your address, and your car.

Isn't it about location tracking devices? What nric.

[DACH]

Isn't it about location tracking devices? What nric.

 

If these tracking devices links to the related app installed in your hp? 

[zipping]

https://www.techspot.com/news/73349-flight-sim-dlc-maker-used-malware-steal-pirates.html

 

 

 

 

Flight sim DLC maker used malware to steal pirates' passwords Questionable tactics for sure By Shawn Knight  on Feb 19, 2018, 2:48 PM

It’s not uncommon for developers to have a bit of fun with those who download pirated copies of their games.

In 2013, for example, Greenheart Games released a “cracked” version of Game Dev Tycoon featuring an in-game punishment that made it impossible to progress beyond a certain point. Maxis did something similar a year later with The Sims 4. Others simply concede that piracy is inevitable and upload their games to torrent sites before pirates have the opportunity to do so.

One developer, however, may be taking anti-piracy measures a bit too far.

As Motherboard highlights, a Reddit users recently noticed something fishy with an installer for an add-on for Microsoft Flight Simulator. The piece of software in question, DLC from Flight Sim Labs, Ltd. (FSLabs, for short), reportedly included a file called “text.exe” which apparently extracts all saved usernames and passwords from Chrome and seemingly sends them to FSLabs.

(Screenshot of password stealer courtesy Fidus Information Security)

Andrew Mabbitt, founder of cybersecurity company Fidus Information Security, verified to Motherboard that the malicious software is indeed included in FSLabs’ installer. Mabbitt described it as “by far one of the most extreme, and bizarre, methods of Digital Rights Management (DRM) we’ve ever seen.”

Lefteris Kalamaras, founder and owner of FSLabs, had the following to say in a forum post:

1) First of all - there are 

no

 tools used to reveal any sensitive information of any customer who has 

legitimately

 purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as 

pirate

 copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by a 

pirate

 (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. "Test.exe" is part of the DRM and is 

only

 targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is 

never

 under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a 

pirate

 serial number (not blacklisted numbers).

As Mabbitt points out, the malware file itself is “dropped on every single PC it [the FSLabs software] was installed on.” Kalamaras doesn’t seem to deny this.

In a follow-up post, Kalamaras said they realize that “a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part. It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.”

Motherboard notes that FSLabs has not yet responded to questions regarding what they do with information obtained by the password-stealing malware. In Kalamaras’s original post (above), it is noted that “this method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals.”

 

[zipping]

https://www.techspot.com/news/74607-security-researchers-discover-critical-flaw-pgp-encryption-reveals.html

 

 

 

 

Security researchers discover critical flaw in PGP encryption that reveals plaintext Recommendation to stop using PGP immediately By Greg Synek, Today 7:47 AM

Pretty Good Privacy (PGP) is an encryption tool used to sign emails, documents, directories, and even full hard disks. According to security researcher and professor Sebastian Schninzel of FH Münster, PGP and S/MIME email encryption contains a flaw that allows for the plaintext form to be recovered.

This is a major concern for anyone who is using the encryption to protect sensitive information. Previously encrypted emails may now become available for decryption without having the proper credentials to do so.

Although the research will not be released until Tuesday at 7am UTC (scratch that, it's out already), the Electronic Frontier Foundation was granted access to the full publication ahead of time in an effort to warn the community of the risk. Schninzel and the rest of his team are intentionally warning users ahead of time as part of a responsible disclosure procedure.

Both the researchers involved and the EFF recommend that all users of PGP immediately disable or uninstall the tool they are using until the exact issues are better understood. Alternatives such as Signal are believed to remain secure methods of communication.

There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4

— Sebastian Schinzel (@seecurity) May 14, 2018

Currently, there is no fix that has been developed to fix the flaws found. All we know for right now is that PGP and S/MIME should be avoided until there is more information to determine their future viability.

 

[zipping]

https://www.hardwarezone.com.sg/tech-news-newly-discovered-malware-has-already-infected-half-million-routers

 

 

 

Newly discovered malware has already infected half a million routers

 By Marcus Wong - on 25 May 2018, 10:39am

 

 

Cisco’s Talos security division has just posted a warning about a malware it calls VPNFilter, which it says has infected at least half a million home and small business routers. This includes those sold by Netgear, TP-Link, Linksys, MicroTik and QNAP network storage devices. 

Talos believes the code is designed to turn the routers into unwitting VPNs, hiding the attackers’ origin as they carry out malicious activities. They also note that the code contains a destructive feature that would allow the hackers to corrupt the code of the entire collection of routers, rendering them useless.

"This actor has half a million nodes spread out over the world and each one can be used to control completely different networks if they want, it's basically an espionage machine that can be retooled for anything they want." 

Craig Williams, Director, Talos Outreach

 

Talos says the type of devices that have been infected are difficult to defend as they are typically on the perimeter of the network, with no intrusion protection system (IPS) or host-based protection system (like and anti-virus package). They have yet to determine what particular exploit VPNFilter is using to insert itself, but most of the devices targeted have known public exploits or default credentials that make compromise relatively straight forward. 

Evidently, the threat has been growing since at least 2016. Talos has a detailed post on their blog about how the malware works, and it seems the malware is capable of leeching data off any traffic that passes through the network devices it infects.

Other than the espionage element VPNFilter presents, Talos thinks there might be another threat to consider. Most of the infected devices are in Ukraine, which suggests the  hackers might be planning a massive takedown of hundreds of thousands of Ukranian networks simultaneously.

In fact, an element of VPNFilter’s code overlaps with BlackEnergy, a piece of spyware that was first used in the massive blackouts in Ukraine caused by hackers in December 2015. For the moemnt, Talos cannot definitely say that this is from the same hacker group, as code can easily be copied and reused.

A basic first step to take would be an initial restart of the router, which removes part of the malware's functionality, but a full firmware reinstall is required to truly clean the router of the malware.

Sources: Wired, Talos Intelligence Blog

 

[Neutrino]

This is worth a read.

 

It starts off by referring to porn but will inform about preventing viruses

[zipping]

https://torrentfreak.com/rogue-mega-chrome-extension-stole-passwords-and-crypto-keys-180905/

 

 

 

Rogue MEGA Chrome Extension Stole Passwords and Crypto Keys

• By Andy
• on September 5, 2018
• C: 17

News

A rogue version of file-hosting platform MEGA's Chrome extension has triggered a major security alert from the company. The variant was able to steal user credentials for sites including Amazon, Live.com, Github.com and Google's webstore, in addition to private keys to cryptocurrency wallets. MEGA is investigating how its Chrome webstore account was compromised.

Founded by Kim Dotcom in 2013, the MEGA file-hosting site was an overnight success, attracting hundreds of thousands of users in a matter of hours.

The platform launched on a wave of concerns over Internet snooping so with tight encryption and privacy as a policy, it went on to become a roaring success. Now, however, it’s reporting a serious breach that affects a currently unknown number of users.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company reports.

MEGA says that whenever a user installed or auto-updated to the rogue extension, it sought permissions that the official extension does not. That included the ability to read and change ALL data on websites the user visits. While for experienced users that should’ve set alarm bells ringing, many people would not have understood the risks. As it turns out, they were huge.

The rogue extension was programmed to steal user credentials for a range of sites including Amazon, Live (Microsoft), Github, and Google’s webstore, meaning that anyone with accounts on these sites could’ve had their usernames and passwords stolen. Things got worse, however.

According to a user posting on Reddit, the extension also has the ability to steal private keys to cryptocurrency wallets affecting MyEtherWallet, MyMonero, and Idex.market utilizing the following code.:

“content_scripts”: [ {

“js”: [ “mega/jquery.js”, “mega/content.js” ],

“matches”: [ “file:///*”, “

https://www.myetherwallet.com/

*”, “https://mymonero.com/*”, “https://idex.market/*” ],

“run_at”: “document_end”

} ]

In a security update, MEGA confirmed the findings, noting that the extension had been sending credentials to a server located in Ukraine, previously identified by Monero developer SerHack as www.megaopac.host.

@MyMonero @myetherwallet @aurora_dao keys will be logged too! PLEASE UNINSTALL MEGA AS SOON AS POSSIBLE. @fluffypony pic.twitter.com/V8T6NVV8rO

— SerHack (@serhack_) September 4, 2018

MEGA says it is currently investigating how its Chrome webstore account was compromised to allow the attacker to upload the malicious code. However, as soon as it became aware of the problems, the company took immediate action.

“Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach,” the company reports.

This serious breach affects two sets of people; those who had the MEGA Chrome extension installed at the time of the incident, had auto-update enabled (and accepted the new elevated permissions), plus anyone who freshly installed version 3.39.4 of the extension.

While credentials for the sites detailed above were specifically targeted, MEGA says that these could be the tip of the iceberg due to the extension attempting to capture information destined for other platforms.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company warns. (see note below)

TorrentFreak contacted MEGA for comment and company chairman Stephen Hall pointed us to technical advice and an apology from the company. MEGA says it has strict release procedures with multi-party code review. However, limitations in place at Google means that security isn’t as tight as it could be.

“Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company notes.

Since MEGAsync and MEGA’s Firefox extension are both signed and hosted by the company, they are unaffected by this attack. MEGA’s mobile apps, which are hosted by Apple, Google, and Microsoft are also unaffected.

Also in the clear is MEGA itself. The extension didn’t have the ability to steal users’ MEGA credentials and any users accessing MEGA without the Chrome extension remain unaffected.

Note: TorrentFreak has asked MEGA for additional clarification on the “plain-text credentials through POST requests” statement and details on why MEGA itself isn’t at risk. We’ll update when we receive a response.

Update: More detailed response from MEGA

Basically, users who created an account at, or logged into, any website while version 3.39.4 was installed and enabled should consider their credentials compromised for those sites. If users were already logged into websites before version 3.39.4 was distributed and they visited those sites while the trojaned extension was installed and enabled, then their credentials should not have been compromised (unless for some reason a website does send their credentials on subsequent visits, which shouldn’t be the case but we can’t talk for them all).

Other installed browser extensions may send user credentials through background requests, so users should consider them compromised as well.

MEGA accounts were not compromised because we do not send the plain-text user credentials to our servers, thanks to our E2EE paradigm (end-to-end encryption). The user password locally decrypts a master key, which decrypts an RSA private key, which decrypts a session ID (“SID”) generated by our servers and encrypted with the user’s RSA public key. The attacker didn’t exfiltrate MEGA SIDs, because the malicious script was only gathering special named fields, such as “login”, “username”, “password” and variants, none of them matching what we use to transmit the SID.

Tagged in:

Chrome extension, Mega