#CyberSecurityPulse: Monero and EternalRomance, the perfect formula

ElevenPaths    1 May, 2018

Last year’s leak by the Shadow Brokers of tools belonging to the National Security Agency continues to be a talking point. A new piece of malware that combines the EternalRomance exploit with Monero mining has appeared on the scene. According to Fortinet’s FortiGuard Labs, the malicious code has been named PyRoMine because it is written in Python, and it was first spotted this month. The malware is delivered as an executable compiled with PyInstaller, so Python does not need to be installed on the machine where PyRoMine runs. Once installed, it silently steals CPU cycles from its victims in order to mine Monero.

“We do not know with certainty how it gets into a system, but taking into account that this is the type of malware which needs to be widely distributed, it is safe to assume that it gets in through spam or drive-by download,” said FortiGuard security researcher Jasper Manuel. More worryingly, PyRoMine also creates a hidden default account with system administrator privileges on the infected machine, using the password “P@ssw0rdf0rme”. According to Manuel, this is probably used for reinfection and for further attacks.

PyRoMine is not the first miner to use these NSA tools. Other researchers have found malware that uses EternalBlue for cryptocurrency mining with considerable success, such as Adylkuzz, Smominru and WannaMine.

More information available at Fortinet

Highlighted News

The governments of the United States and the United Kingdom allege that Russia is behind the increase in attacks on their network infrastructure.


In a first joint statement on the matter, the US and UK cyber-security authorities have issued a technical alert warning of a campaign by Russian state-sponsored actors targeting network infrastructure devices. The targets are devices at every level, including routers, switches, firewalls, network intrusion detection systems and other devices that support network operations. With the access they obtain, the attackers can masquerade as privileged users, which lets them modify how the devices operate so that traffic is copied or redirected to their own infrastructure. This access could also allow them to hijack the devices for other purposes or to shut down network communications entirely.

More information available at US CERT

Facebook: “The company will comply with the new privacy laws and offer new privacy protection for everyone, no matter where you live”


Facebook has announced its latest steps on user privacy, aimed at giving users more control over their data as part of its preparation for the EU General Data Protection Regulation (GDPR); these include updates to its terms and data policy. Everyone, regardless of where they live, will be asked to review important information about how Facebook uses data and about their privacy. The topics covered include ads based on data from members, profile information, facial recognition technology, the tools for accessing, deleting and downloading information, and certain special protections for young people.

More information available at Facebook

News from the rest of the week

Attackers exploit an Internet Explorer flaw that has not yet been patched

A 0-day in Internet Explorer (IE) is being used to infect Windows computers with malware. Researchers at Qihoo 360 report that it is being exploited on a global scale against selected targets through malicious Office documents that carry what they call the “double-kill” vulnerability. The victim only has to open the Office document, which loads a malicious web page in the background to fetch malware from a remote server. According to the company, the vulnerability affects the latest versions of IE and other applications that embed the browser engine.

More information available at ZDNet

The release of an exploit for the new Drupal flaw puts numerous websites at risk

Barely hours after the Drupal team published updates fixing a new remote code execution flaw in the core of its content management system, attackers started exploiting the vulnerability in the wild. The newly disclosed vulnerability (CVE-2018-7602) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly what the earlier Drupalgeddon2 flaw (CVE-2018-7600) allowed: full compromise of the affected websites.

More information available at The Hacker News

Firefox 60 will support Same-Site cookies in order to prevent CSRF attacks

Last week Mozilla announced that the upcoming Firefox 60 will ship new protection against Cross-Site Request Forgery (CSRF) attacks by supporting the Same-Site cookie attribute. The attribute can take only two values, ‘strict’ and ‘lax’. In ‘strict’ mode, when a user follows an incoming link from an external site into the application, they are initially treated as ‘not logged in’ even if they have a session with the site, because the cookie is not sent on any cross-site request. ‘Lax’ mode exists for applications that cannot work under strict mode: same-site cookies are withheld on cross-domain sub-requests (for example, images or frames), but are still sent when the user navigates to the site from an external site, for example by following a link.
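The following is an added example, not code from the original post or from Mozilla: a small model of the Same-Site rules described above, run against a constructed cookie jar and four constructed cross-site and same-site requests (an image sub-request, a link click, an auto-submitted POST form and a same-site fetch). The hosts, cookie names and the `siteOf` helper are assumptions for the demo; a real browser derives the site from the Public Suffix List rather than the last two host labels.

```javascript
// Added example modelling the SameSite cookie rules adopted by Firefox 60
// (Strict / Lax, as in the 2016-2018 draft). Not the browser's own code.

// Site of a URL. Real browsers use the Public Suffix List (eTLD+1); the
// last-two-labels shortcut here is an assumption good enough for these hosts.
function siteOf(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// RFC 7231 "safe" methods: Lax cookies ride on cross-site requests only with these.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Decide whether one cookie is attached to a request.
//   cookie:  { name, sameSite: 'Strict' | 'Lax' | undefined }
//   request: { initiator, target, topLevel, method }
function cookieIsSent(cookie, request) {
  const sameSite = siteOf(request.initiator) === siteOf(request.target);
  if (sameSite) return true;                       // same-site: always sent
  const mode = (cookie.sameSite || '').toLowerCase();
  if (mode === 'strict') return false;             // never on a cross-site request
  if (mode === 'lax') {
    // Only top-level navigations with a safe method, e.g. following a link.
    return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
  }
  // No attribute: Firefox 60 (like other browsers of the time) sends the
  // cookie on every cross-site request, which is what makes CSRF possible.
  return true;
}

// Names of the cookies that would be attached to a request.
function cookiesSent(cookies, request) {
  return cookies.filter(c => cookieIsSent(c, request)).map(c => c.name);
}

// Constructed cookie jar for https://bank.example
const JAR = [
  { name: 'legacy_session' },                      // no SameSite attribute
  { name: 'lax_session', sameSite: 'Lax' },
  { name: 'strict_csrf', sameSite: 'Strict' },
];

// Constructed requests originating from an attacker page at https://evil.example
const REQUESTS = {
  // <img src="https://bank.example/transfer?..."> embedded in the attacker's page
  imageSubrequest: {
    initiator: 'https://evil.example/', target: 'https://bank.example/transfer',
    topLevel: false, method: 'GET',
  },
  // the user clicks a link on the attacker's page that leads to the bank
  linkClick: {
    initiator: 'https://evil.example/', target: 'https://bank.example/account',
    topLevel: true, method: 'GET',
  },
  // auto-submitted <form method="POST"> targeting the bank (classic CSRF)
  formPost: {
    initiator: 'https://evil.example/', target: 'https://bank.example/transfer',
    topLevel: true, method: 'POST',
  },
  // the bank's own page fetching one of its own resources
  sameSiteFetch: {
    initiator: 'https://www.bank.example/', target: 'https://bank.example/api',
    topLevel: false, method: 'POST',
  },
};

// Run every constructed request through the jar and return the cookies sent.
function demo() {
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) out[name] = cookiesSent(JAR, req);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The output makes the trade-off concrete: the cookie without an attribute accompanies the forged image request and the forged POST, the Lax cookie accompanies only the link click, and the Strict cookie accompanies nothing that crosses a site boundary, so a user arriving by link is seen as logged out until the first same-site request.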

More information available at Security Affairs

Other News

152,000 dollars in Ethereum stolen after an Amazon DNS compromise

More information available at SC Magazine

What are the new Gmail functions?

More information available at Google

A flaw in a LinkedIn plugin allows third parties to obtain user information

More information available at The Hacker News

The new Bezop cryptocurrency leaks the personal information of 25 thousand users

More information available at Security Affairs
