
A week in security (Aug 28 – Sep 03)

Last week, we discovered a technical support scam that uses a fake iPad error message to get potential targets' attention; reported another case of the Transmission torrent client being turned into a distribution channel for malware, this time the Keydnap backdoor; and explained the Website Protection module that is part of the Malwarebytes Premium product.

Senior threat researcher Jérôme Segura tackled the implications and mitigations of browser-based fingerprinting, a technique that malware and exploit kit operators use to profile a visitor's machine and avoid delivering their payload to security researchers. Segura noted that “fingerprinting makes use of an information disclosure flaw in the browser that allows an attacker to read the user’s file system and look for predefined names.”

Segura also documented a compromise he discovered on the official website of Mr. Chow, a popular restaurant known for its Chinese cuisine. Attackers injected a Pseudo-Darkleech script into the site that redirected visitors to the Neutrino exploit kit, which in turn infected vulnerable systems with the CrypMIC ransomware.

Notable news stories and security-related happenings:

  • New Covert Malware Uses USB Drives To Jump Airgaps And Works On Almost Every Storage Device. “Researchers have developed a new malware, which is capable of bypassing airgaps to access information from systems. Dubbed USBee, the malware uses USB devices, converting them into data transmitters with no hardware modifications. USBee is designed to create electromagnetic emissions from a connected USB drive in efforts to transmit data from an air-gapped computer to an unmodified USB dongle, acting as a receiver, located a short distance from the targeted system. The malware is believed to be a marked improvement over the NSA-developed USB data retriever called CottonMouth, which first came to light after whistleblower Edward Snowden released classified NSA documents.” (Source: The International Business Times)
  • Keystroke Recognition Uses Wi-Fi Signals To Snoop. “A group of academic researchers have figured out how to use off-the-shelf computer equipment and a standard Wi-Fi connection to sniff out keystrokes coming from someone typing on a keyboard nearby. The keystroke recognition technology, called WiKey, isn’t perfect, but is impressive with a reported 97.5 percent accuracy under a controlled environment. WiKey is similar to other types of motion and gesture detection technologies such as Intel’s RealSense. But what makes WiKey unique is that instead of recognizing hand gestures and body movement, it can pick up micro-movements as small as keystrokes.” (Source: Kaspersky’s Threatpost)
  • Voter Records Get Hacked A Lot, And You Can Just Buy Them Anyway. “On Monday, Yahoo reported the FBI had uncovered evidence that foreign hackers had breached two US state election databases earlier this month. The article, based on a document the FBI distributed to concerned parties, was heavily framed around other recent hacks which have generally been attributed to Russia, including the Democratic National Committee email dump. The thing is, voter records are not some extra-special commodity that only elite, nation-sponsored hackers can get hold of. Instead, ordinary cybercriminals trade this sort of data, and some states make it pretty easy to obtain voter data through legal means anyway.” (Source: Motherboard)
  • Hackers Use BMW, Amazon And Chanel Brands To Launch Social Media Attacks. “A new report has found that fraudulent social media profiles for brands have increased by 150% over the last year. Proofpoint has just released its inaugural Social Media Brand Fraud report which investigates the current state of social media brand fraud to understand bad actors’ methods and how this business risk is evolving. From April through June 2016, Proofpoint researched the prevalence and different types of fraudulent social media accounts associated with 10 top global brands (including BMW, Amazon, Chanel, Capital One, Shell, Sony, Starbucks).” (Source: IT Security Guru)
  • The Kelihos Botnet Shifts To Banking Trojans And Ransomware Distribution. “The MalwareTech security expert discovered that the Kelihos botnet, also known as Waledac, has started dropping banking Trojans and ransomware instead of its standard “pump-and-dump” spams while adding more and more new bots during the summer. Kelihos is one of the oldest botnets, first spotted way back in 2008, but it has managed to survive a couple of sinkhole attempts and it is still active. From when it first appeared and even until now, Kelihos has been the main distributor of “pump-and-dump” and pharma spamming campaigns. However, since these kinds of threats are now quite easily detected, this business is not as lucrative as it used to be, hence it started to sink.” (Source: Virus Guides)
  • Gotta Hack ’Em All: Pokémon Go, Security And Privacy Awareness. “Despite the potential security and privacy impact of this bug, there was no mass exodus of Pokémon Go players, or even if there was, it was inconsequential based on the number of players that started using the app post bug publication. At first glance, you might think that this paints a dire picture of how far we have to go to improve the security and privacy awareness of the general public, but it actually paints a slightly better picture, and in a way demonstrates that the average end user inherently understands the basic infosecurity risk management process.” (Source: InfoSecurity Magazine)
  • Facebook Fires Human Editors, Algorithm Immediately Posts Fake News. “Earlier this year, Facebook denied criticisms that its Trending feature was surfacing news stories that were biased against conservatives. But in an abrupt reversal, the company fired all the human editors for Trending on Friday afternoon, replacing them with an algorithm that promotes stories based entirely on what Facebook users are talking about. Within 72 hours, according to the Washington Post, the top story on Trending was about how Fox News icon Megyn Kelly was a pro-Clinton ‘traitor’ who had been fired (she wasn’t).” (Source: Ars Technica)
  • Website Down? New FairWare Ransomware Could Be Responsible. “Linux users are reporting a new ransomware called ‘FairWare’ played a part in taking down their websites. News of the ransomware first surfaced in a post on Bleeping Computer’s forums. According to the victim, attackers likely brute-forced or intercepted the password for their Linux machine. Once they acquired access, the baddies logged into the Linux servers for the website, deleted the web folder, and left a Pastebin message demanding a ransom payment of two Bitcoins for the return of the files.” (Source: Tripwire)
  • OneLogin Breached, Hacker Finds Cleartext Credential Notepads. “Password attic OneLogin has been breached, and it’s bad, because the service that suffered the breach is one often used by people to store credentials like admin password and software keys. The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between 2 June and 25 August this year. Some 12 million customers use OneLogin.” (Source: The Register)
  • Vulnerabilities Found In Cars Connected To Smartphones. “In what is believed to be the first comprehensive security analysis of its kind, Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink, a system of rules that allow vehicles to communicate with smartphones. MirrorLink, created by the Connected Car Consortium, which represents 80 percent of the world’s automakers, is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems. However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.” (Source: Help Net Security)
  • Mobile Ransomware Increases 200 Percent. “There’s been a startling 200 percent increase in mobile ransomware detection in Q2, according to Quick Heal. This amounts to nearly 50 percent of the ransomware detected in all four quarters of 2015 combined. Given the free and widespread reach of the internet, adware has become a cash-generating machine for hackers. Adware and PUAs are now being laced with destructive functionalities and are capable of damaging or crashing boot sector records of infected computers. Additionally, adware is increasingly used for delivering ransomware into targeted systems.” (Source: Help Net Security)
  • Email Still A Magnet For Cyber Criminal Activity, Costing Victims $3 Billion. “Business email compromises—when legitimate business email accounts are taken over by scammers in an effort to get their targets to send them money—have risen by 1,300 per cent since January 2015, resulting in over $3 billion in losses, according to the Federal Bureau of Investigation. And that’s just one part of the changing online threat landscape, according to a report released earlier this week by IT security company Trend Micro. It says that ransomware scams—where malware locks a victim’s computer or encrypts their files until a “ransom” is paid—are also on the rise.” (Source: Techvibes)
  • Another IoT-Dominated Botnet Rises With Almost 1M Infected Devices. “Researchers shed light this week on a new million-endpoint botnet consisting almost exclusively of internet of things (IoT) devices. The discovery uncovers one more sign — among several in the last few months — showing that the threat of IoT botnets is quickly moving from proof-of-concept to common strategy. This week’s find was made by the team at Level 3 Threat Research Labs, which put out a report on the BASHLITE malware family responsible for this particular botnet. Also known as Lizkebab, Torlus or gafgyt, the malware family has focused primarily on building out botnets for carrying out distributed denial of service (DDoS) attacks.” (Source: Dark Reading)
  • Orgs’ Security Hygiene Plummets Amid Ransomware Spikes. “Despite the rise of social engineering-based scourges like ransomware, just 39% of workers believe they take all appropriate steps to protect company data accessed and used in the course of their jobs. This is a sharp decline in security hygiene, down from 56% in 2014, according to a survey from the Ponemon Institute. Moreover, while 52% of IT respondents believe that policies against the misuse or unauthorized access to company data are being enforced and followed, only 35% of end-user respondents say their organizations strictly enforce those policies.” (Source: InfoSecurity Magazine)
  • New ‘Fantom’ Ransomware Poses As Windows Update. “IT managers have a new ransomware threat on their radar that comes camouflaged as a Critical Windows Update to trick enterprise users and consumers into clicking malicious links. Fantom, a recently released ransomware variant, was discovered by malware researcher at security software firm AVG, Jakub Kroustek, who spotted the attackers using the detailed disguise to steal information from Windows PCs.” (Source: Dark Reading)
  • Google Chrome Impersonator Trojan Doing Rounds. “If you’re a Google Chrome user, and suddenly your browser looks a bit off and shows you pages that you would never visit ordinarily, you’ve probably been hit with the Mutabaha Trojan. According to Dr. Web researchers, the Trojan is downloaded on victims’ computers by a previously installed dropper. The dropper contacts a C&C server which instructs it to download and install Mutabaha, and then the dropper removes itself. When running, the Trojan takes the form of Outfire, a special build of Google Chrome.” (Source: Help Net Security)
  • Last.fm Breach From 2012 Affected 43 Million Users. “Stolen data obtained from music site Last.fm back in 2012 has surfaced, and it looks like hackers made off with accounts belonging to more than 43 million users. That’s according to LeakedSource, a repository for data breaches that obtained a copy of the stolen data. Included in the trove are users’ names, email addresses and passwords secured with an aging hashing algorithm called MD5, LeakedSource reported in a blog post on Thursday.” (Source: CSO)
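The FairWare item above describes the pattern a Linux web host should be watching for: a run of failed SSH password attempts from one address, followed by a successful password login from that same address, after which the attacker is free to delete the web folder. The script below is an added example written for this roundup; it is not code from Malwarebytes or from any of the reports quoted above. It scans sshd lines in the auth.log format for that pattern. The sample log lines are constructed for illustration (the hostname, addresses and timestamps are made up), and the threshold of five failures inside sixty seconds is an assumption to tune for your own environment.

```python
"""Flag SSH password brute-force bursts, and password logins that follow them,
in auth.log-style sshd lines. Added example; the log data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes on Debian/Ubuntu hosts.
# 203.0.113.7 hammers root, then gets in; 198.51.100.9 is a normal user.
SAMPLE_AUTH_LOG = """\
Aug 30 02:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 30 02:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50124 ssh2
Aug 30 02:14:05 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Aug 30 02:14:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 50128 ssh2
Aug 30 02:14:09 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 50130 ssh2
Aug 30 02:14:11 web01 sshd[2221]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Aug 30 02:20:44 web01 sshd[2302]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Aug 30 02:21:30 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd login line; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing deltas within one file.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> most failures seen in any window of window_seconds,
    for IPs that reach the threshold (threshold and window are assumptions)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted times
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_after_bruteforce(events, threshold=5):
    """The FairWare pattern: a password login from an IP that already produced
    at least `threshold` failures earlier in the log."""
    hits = []
    fails_so_far = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            fails_so_far[e["ip"]] += 1
        elif e["method"] == "password" and fails_so_far[e["ip"]] >= threshold:
            hits.append({"ip": e["ip"], "user": e["user"], "ts": e["ts"],
                         "failures_before": fails_so_far[e["ip"]]})
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in find_bruteforce(evts).items():
        print(f"brute-force burst: {ip} ({n} failures inside the window)")
    for h in successful_after_bruteforce(evts):
        print(f"password login after {h['failures_before']} failures: "
              f"{h['user']} from {h['ip']} at {h['ts']:%b %d %H:%M:%S}")
```

On a real host, feed it the contents of /var/log/auth.log (or the output of journalctl -u ssh) instead of the constructed sample. The second function is the one worth alerting on: a burst of failures is noise on any internet-facing server, but a password login from the same address right after one is the event the FairWare victim missed. Disabling password authentication in sshd_config and restricting root login closes that path entirely, and is cheaper than the monitoring.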

Safe surfing, everyone!

The Malwarebytes Labs Team
