The Official Internet/Computer Security News Discussion Thread

Old 06-24-2016, 09:30 AM
  #441  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
This is why you rotate your backup drives. They may hose the one currently connected to the system, but you should have 1 or 2 more offline that you can still restore from.

But damn deleting online backups is pretty fucked too. Though I thought you could always get that data back even if you delete it in the cloud, depends on the service you use I guess.
Old 06-24-2016, 12:18 PM
  #442  
Currently Post-Acura
 
MaxMike93's Avatar
 
Join Date: Jan 2010
Location: Bergen County, NJ
Age: 31
Posts: 982
Received 125 Likes on 88 Posts
Originally Posted by nfnsquared
^^^^What version of ransomware?
I'm not sure. A coworker mentioned it in a group chat everyone on our team is a part of.

Originally Posted by #1 STUNNA
This is why you rotate your backup drives. They may hose the one currently connected to the system, but you should have 1 or 2 more offline that you can still restore from.

But damn deleting online backups is pretty fucked too. Though I thought you could always get that data back even if you delete it in the cloud, depends on the service you use I guess.
I was using "online" to mean any mounted drives like ones that are connected and powered on. I'd have my doubts that cloud-based backups could be affected due to verification measures and the like, but I can't be sure if something out there can.
Old 06-24-2016, 01:39 PM
  #443  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
Oh true true. Yeah, it's not uncommon for it to encrypt backup drives as well. Though I wonder about Windows Backup because it usually keeps the backup drive offline and doesn't assign it a drive letter. Does that prevent it from being encrypted?
Old 06-24-2016, 02:35 PM
  #444  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Does anyone use full disk encryption? Bitlocker, DiskCryptor, TrueCrypt?

I have a few laptops that I take with me for various projects and I would like to FDE them.

HOWEVER, on ALL my machines, I use various cloud-based services to synchronize data and I don't want to have to install FDE on all my desktops. If I have a Dropbox or Google Drive folder on every machine, I want to be able to use FDE on the laptops, but not have to also use it on the desktops.

If I use FDE on the laptop, is it going to sync the encrypted data for the cloud folder to the cloud, thus encrypting the data for all my machines that access that folder?
Old 06-25-2016, 07:10 PM
  #445  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts


I think you're overthinking this. There's no issue with BitLocker or FileVault and cloud services. I use OneDrive and ShareSync for personal and work and there's no issue. The OS handles the decryption/encryption of data on the fly; the cloud services deal with the data at the file level and not a block level. I doubt they even know that the file is encrypted by the OS.

Just like there's no problem copying data stored on a BitLocker drive to a USB drive or emailing an attachment stored on a BitLocker-encrypted PC, there's no issue with cloud storage services and FDE.

My ShareSync data is synced to PCs and VMs that I know aren't encrypted (maybe they should be) and I have no issue reading it on those devices or my iPhone. Same for OneDrive: it's on BitLocker PCs and FileVaulted Macs, and it works without an issue on those devices and my iPhone and iPad.

Last edited by #1 STUNNA; 06-25-2016 at 07:13 PM.
Old 06-25-2016, 08:43 PM
  #446  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts

Originally Posted by #1 STUNNA


I think you're overthinking this. There's no issue with BitLocker or FileVault and cloud services. I use OneDrive and ShareSync for personal and work and there's no issue. The OS handles the decryption/encryption of data on the fly; the cloud services deal with the data at the file level and not a block level. I doubt they even know that the file is encrypted by the OS.

Just like there's no problem copying data stored on a BitLocker drive to a USB drive or emailing an attachment stored on a BitLocker-encrypted PC, there's no issue with cloud storage services and FDE.

My ShareSync data is synced to PCs and VMs that I know aren't encrypted (maybe they should be) and I have no issue reading it on those devices or my iPhone. Same for OneDrive: it's on BitLocker PCs and FileVaulted Macs, and it works without an issue on those devices and my iPhone and iPad.
hmmmm. Interesting. I may test this out then. Would love to encrypt the laptops.
Old 08-08-2016, 08:05 PM
  #447  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
All your house stuff belongs to us.
Hackers Make the First-Ever Ransomware for Smart Thermostats | Motherboard
Old 08-14-2016, 03:39 PM
  #448  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
Secure Boot? Not so much.
Oops! Microsoft Accidentally Leaks Backdoor Keys to Bypass UEFI Secure Boot

https://rol.im/securegoldenkeyboot/

Last edited by doopstr; 08-14-2016 at 03:41 PM.
Old 08-15-2016, 08:40 AM
  #449  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
I signed up for LastPass password manager a while ago and I'm pretty happy with it. I don't know the passwords to hardly any of the sites I have accounts for. But another step is to enable two-factor authentication on sites as well. You can go to this site, which keeps track of all the sites that support 2FA and gives you a link to each site where you can enable it.

https://twofactorauth.org/
The following 2 users liked this post by #1 STUNNA:
doopstr (10-27-2020), stogie1020 (08-15-2016)
Old 12-19-2016, 07:17 PM
  #450  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
Stop using Netgear routers with unpatched security bug, experts warn Ars Technica
If you have one of these Netgear routers you need to update your firmware before
Netgear R7000, R6400, and R8000 models have been confirmed to be vulnerable, and other models, including the R7000P, R7500, R7800, R8500, R9000, have been reported by end users as being affected.
The following users liked this post:
stogie1020 (01-06-2017)
Old 01-04-2017, 09:33 PM
  #451  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
If you are running Mongo DB make sure you got it locked down before
Someone Hijacking Unsecured MongoDB Databases for Ransom
The following users liked this post:
stogie1020 (01-06-2017)
Old 01-05-2017, 09:43 PM
  #452  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
https://us.norton.com/core
Old 01-06-2017, 07:51 PM
  #453  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
The Norton Core secure WiFi router comes with a one-year complimentary subscription to Norton Core Security Plus. This subscription includes unlimited IoT protection for connected devices, comprehensive parental controls and award-winning Norton Security that can be installed on up to 20 PCs, Macs, smartphones or tablets. There are no restrictions on the number of devices that can connect to Core.
If you don’t renew the Norton Core Security Plus subscription in the second year, Norton Core will continue to function as a high performance router. All network, IoT, and device level security, plus parental control features will be unavailable if the subscription is not renewed.
No thanks.
Old 05-08-2017, 08:40 PM
  #454  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
Old 05-08-2017, 09:24 PM
  #455  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
The hijacking flaw that lurked in Intel chips is worse than anyone thought

Patch for severe authentication bypass bug won’t be available until next week.

https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/


A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone:
Idiots.
Old 05-14-2017, 12:20 AM
  #456  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts
No chatter about Wannacry?

https://arstechnica.com/security/201...ers-worldwide/
Old 05-14-2017, 12:58 AM
  #457  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
Meh:

1. Don't use an outdated OS
2. Keep your OS patched
3. Don't open email attachments unless you are absolutely certain of their origin.

End chat...
Old 05-14-2017, 01:52 AM
  #458  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
It got its own thread
Old 05-14-2017, 01:56 AM
  #459  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts


yea I see it now
Old 05-15-2017, 12:16 PM
  #460  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Originally Posted by Mizouse


yea I see it now
Want me to send you a link to the original thread?

(joke, this virus is spreading via links)
Old 05-15-2017, 12:18 PM
  #461  
Senior Moderator
 
thoiboi's Avatar
 
Join Date: Apr 2010
Location: SoCal, CA
Posts: 46,869
Received 8,575 Likes on 6,626 Posts
Originally Posted by stogie1020
Want me to send you a link to the original thread?
Spoiler
 


should have put spoiler tags on it though
Old 05-15-2017, 12:45 PM
  #462  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
Invoice for Mr. Mizouse, click here
Old 05-15-2017, 02:50 PM
  #463  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts
Old 05-15-2017, 03:54 PM
  #464  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Old 09-18-2017, 09:40 AM
  #465  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
https://www.theverge.com/2017/9/18/1...lware-security

Hackers hid malware in CCleaner software

Sep 18, 2017, 7:25am EDT

Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.

This is an unusual attack as software similar to CCleaner is trusted by consumers and meant to remove “crapware” from a system. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates,” says Talos.

Earlier this year, Ukrainian company MeDoc was breached and its update servers used to distribute the Petya ransomware. Hackers appear to be targeting these types of distribution points to more easily spread malware, instead of the traditional way of attacking individual machines themselves. It’s a trend that many security researchers will be monitoring closely, to catch the latest innovative ways that hackers are breaching multiple systems.
Old 09-18-2017, 01:56 PM
  #466  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,356
Received 10,113 Likes on 6,105 Posts
Thankfully it only worked with 32bit. 99.999% of new PCs that have come out since Windows 8 launched (and the vast majority of Windows 7 PCs too) are 64bit. I don't know of anyone that I deal with that still has a 32bit PC, so that greatly limits the scope of this attack.
Old 09-18-2017, 02:03 PM
  #467  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
^I didn't know it only affected the 32bit version, good to know. I checked all of my installed versions and luckily I have been too lazy to update them recently... All are pre-that version.
Old 09-19-2017, 10:58 PM
  #468  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts


https://www.theverge.com/2017/9/18/1...ssword-bitcoin

This is why you shouldn’t use texts for two-factor authentication

Researchers show how to hijack a text message

Sep 18, 2017

For a long time, security experts have warned that text messages are vulnerable to hijacking — and this morning, they showed what it looks like in practice. A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit.

The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn’t actually steal anyone’s bitcoin, although that would have been an easy step to take.

At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces.

Bitcoin wallets are a popular target for those attacks because of the irreversibility of Bitcoin transactions, but the attack works just as well on any other web service. As long as you’re getting confirmation codes over SMS, you’ll be vulnerable to this kind of attack. Other groups have pulled off less sophisticated versions of the same hack by breaking into carrier accounts to set up call-forwarding.

There are a few concrete steps you can take to protect yourself from this kind of attack. On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you’ve got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click “Remove Phone.”

Still, the industry as a whole has been very slow in moving away from SMS as a second factor, which has severely weakened the overall security of the system. As long as SMS is included as an option for two-factor, we’ll continue to see attacks like this.
Old 09-19-2017, 11:15 PM
  #469  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
^^^ Yep, authenticator only for me...
Old 09-21-2017, 11:18 AM
  #470  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Originally Posted by AZuser
https://www.theverge.com/2017/9/18/1...lware-security

Hackers hid malware in CCleaner software

Plot thickens

https://www.wired.com/story/ccleaner...ed-tech-firms/

The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms

09.20.17

Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 20 tech firms.

Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.

On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

Cisco says it obtained a digital copy of the hackers' command-and-control server from an unnamed source involved in the CCleaner investigation. The server contained a database of every backdoored computer that had "phoned home" to the hackers' machine between September 12 and 16. That included over 700,000 PCs, just as Avast has said in the days since it first revealed its CCleaner debacle. (Initially the company put the number much higher, at 2.27 million.) But the database also showed a list of specific domains onto which the hackers sought to install their secondary malware payload, as well as which ones received that second infection.

The secondary payload targeted 20 companies in all, but Williams notes that some companies had more than one computer compromised, and some had none. He declined to say which of the targets had in fact been breached, but Cisco says it's alerted all the affected companies to the attack.

Williams also notes the target list Cisco found likely isn't comprehensive; it appears to have been "trimmed," he says. It may have included evidence of other targets, successfully breached or not, that the hackers had sought to infect with their secondary payload earlier in the month-long period when the corrupted version of CCleaner was being distributed. "It’s very likely they modified this through the monthlong campaign, and it’s almost certain that they changed the list around as they progressed and probably targeted even more companies," says Williams.

In an update post Thursday morning, Avast backed Cisco's findings, and confirmed that eight of the 20 known target companies had been breached by the hackers. But it also wrote that the total number of victim firms "was likely at least in the order of hundreds."

That target list presents a new wrinkle in the unfolding analysis of the CCleaner attack, one that shifts it from what might have otherwise been a run-of-the-mill mass cybercrime scheme to a potentially state-sponsored spying operation that cast a wide net, and then filtered it for specific tech-industry victims. Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.


Cisco concedes that code reuse alone doesn't represent a definitive link between the CCleaner attack and Axiom, not to mention China. But it also notes that one configuration file on the attackers' server was set for China's time zone—while still acknowledging that's not enough for attribution.

For any company that may have had computers running the corrupted version of CCleaner on their network, Cisco warns that its findings mean merely deleting that application is no guarantee the CCleaner backdoor wasn't used to plant a secondary piece of malware on their network, one with its own, still-active command and control server. Instead, the researchers recommend that anyone affected fully restore their machines from backup versions prior to the installation of Avast's tainted security program. "If you didn’t restore your system from backup, you’re at high risk of not having cleaned this up," Williams says.
Old 09-21-2017, 04:59 PM
  #471  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
So I'm guessing that the hackers were targeting companies with a 32-bit OS (Windows XP)? I'm still a little confused why they hacked the 32-bit version rather than the 64-bit version??
Old 09-22-2017, 11:11 AM
  #472  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Originally Posted by nfnsquared
So I'm guessing that the hackers were targeting companies with a 32-bit OS (Windows XP)? I'm still a little confused why they hacked the 32-bit version rather than the 64-bit version??
Just a guess here but 32 bit machines may tend to be older and less likely to be patched (or have patches available).
Old 09-22-2017, 01:00 PM
  #473  
_
 
AZuser's Avatar
 
Join Date: Nov 2006
Posts: 18,692
Received 3,097 Likes on 1,867 Posts
Originally Posted by nfnsquared
I'm still a little confused why they hacked the 32-bit version rather than the 64-bit version??
Filtering.

Most consumers are probably on 64-bit whereas businesses (because of old software compatibility; being slow to test and roll out updates; high cost of upgrading software to be 64-bit compatible; etc.) are more likely to have a mix of 32-bit and 64-bit. By specifically targeting 32-bit machines, there's less unwanted communications data being sent to the command and control servers. Less data means less time filtering to determine which are and aren't corporate PCs to send the 2nd stage payload to. Plus, 32-bit PCs are going to be less secure.

If they targeted both 32-bit and 64-bit, they'd have to sift through more machines and data to determine which are and aren't corporate PCs. From the looks of things, they were targeting a small set of organizations.

https://arstechnica.com/information-...irst-appeared/

Previously, researchers found no evidence that any of the computers infected by the booby-trapped version of the widely used CCleaner utility had received a second-stage payload the backdoor was capable of delivering. The new evidence—culled from data left on a command-and-control server during the last four days attackers operated it—shows otherwise. Of 700,000 infected PCs, 20 of them, belonging to highly targeted companies, received the second stage, according to an analysis published Wednesday by Cisco Systems' Talos Group.

From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.
Old 10-03-2017, 08:16 PM
  #474  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts
Fuck Yahoo!

Every single Yahoo account was hacked - 3 billion in all - Oct. 3, 2017
Old 10-03-2017, 08:19 PM
  #475  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
Meh, I ditched my account when they screwed up the comment section of finance.yahoo.com.
Old 10-03-2017, 08:44 PM
  #476  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
Meh, haven't used my account in years. Just went and checked it: no activity for 4 years. Changed the password anyhow...
Old 10-03-2017, 10:01 PM
  #477  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts
It's not just Yahoo! branded assets. It's their other stuff too, such as Flickr and Tumblr.
Old 10-03-2017, 10:23 PM
  #478  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,327
Received 2,044 Likes on 1,133 Posts
More that no one uses.
Old 10-03-2017, 10:38 PM
  #479  
Moderator
 
Mizouse's Avatar
 
Join Date: Oct 2004
Location: Not Las Vegas (SF Bay Area)
Age: 39
Posts: 63,171
Received 2,773 Likes on 1,976 Posts
If you say so.
Old 10-10-2017, 04:41 PM
  #480  
Race Director
 
nfnsquared's Avatar
 
Join Date: Dec 2003
Location: MAGA country
Posts: 12,474
Received 1,793 Likes on 1,346 Posts
Not that I really care whether or not a VPN service keeps logs, but if you use PureVPN, don't believe their lies about no logs. Here's their statement on their website:

PureVPN’s Privacy Policy:


We do NOT keep any logs that can identify or help in monitoring a user’s activity.
You are Invisible – Even We Cannot See What You Do Online

We Do Not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better
https://www.bleepingcomputer.com/new...-with-the-fbi/

I'm 100% glad they nailed this perv... Just sad that a company would post such a blatant lie about their services.

