This malware will intercept specific data passing through the router, break it down into its binary format, and use a router LED to signal the data to a nearby attacker, with the LED turned on standing for a binary one and the LED turned off representing a binary zero.

An attacker with a clear line of sight to the equipment can record the blinking operation. This “attacker” can be a security camera, a company insider, recording equipment mounted on a drone, and various other setups where a video recording device has a clear sight of the router or switch’s blinking LEDs.
The more router LEDs, the higher the exfiltration speed

During their tests, researchers say they’ve tested various configurations for the video recording setup, such as optical sensors, security/CCTV cameras, extreme cameras, smartphone cameras, wearable/hidden cameras, and others.

The research team says it achieved the best results with optical sensors because they are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment.

Researchers say that by using optical sensors, they were able to exfiltrate data at a rate of more than 1000 bit/sec per LED. Since routers and switches have more than one LED, the exfiltration speed can be increased many times over if multiple LEDs are used for data exfiltration. Basically, the more ports the router and switch has, the more data the malware can steal from the device.

Source: Malware Uses Router LEDs to Steal Data From Secure Networks

On Wednesday, OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced it had suffered some form of breach. Although it’s not clear exactly what data has been taken, OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take.

“Today we detected unauthorized access to OneLogin data in our US region,” the company wrote in a blog post.

Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely that hackers have stolen customer information.

“Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message.

The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be.

According to copies of those steps, users are being told to generate new API keys and OAuth tokens (OAuth being a system for logging into accounts); create new security certificates as well as credentials; recycle any secrets stored in OneLogin’s Secure Notes feature; have end-users update their passwords, and more.

“Dealing with aftermath,” one customer told Motherboard. “This is a massive leak.”

Source: Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks.

Source: FIREBALL – The Chinese Malware of 250 Million Computers Infected | Check Point Blog