A week in security (Dec 04 – Dec 10)

A week in security (Nov 27 – Dec 03)

Last week, we commented on Gooligan, homed in on a fake WhatsApp phishing email, and discussed about a rogue Chrome extension forcing itself to install in user browsers.

We also provided the second installment of three of our blog series on attribution, which you can read about here. We also featured Vindows [sic] Locker, another ransomware, and a unique calendar spam on Apple systems.

For Mobile Menace Monday, we pushed out a blog about Adups:

/blog/cybercrime/2016/11/mobile-menace-monday-adups-old-and-new/

Below are notable news stories and security-related happenings:

  • Tesco Bank Under Investigation For Possibly Ignoring Warning Of Potential Cyberattack. “A probe has been reportedly launched into Tesco Bank, in efforts to determine whether the bank failed to heed warnings of a security flaw in its payment systems, which may have allowed hackers to make away with millions of pounds. Authorities believe that the bank may have failed to act on a warning from Visa, issued out a year ago, according to reports. Investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) believe that the hackers used customised computers to leverage an alleged Code 91 glitch, which allowed them access to customers’ card data.” (Source: The International Business Times)
  • Passengers Ride Free On SF Muni Subway After Ransomware Infects Network, Demands $73k. “Hard-drive-scrambling ransomware infected hundreds of computers at San Francisco’s public transit agency on Friday and demanded 100 bitcoins to unlock data, The Register has learned. Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.” (Source: The Register)
  • Microsoft Partners State Agencies to Fight Piracy. “Microsoft has partnered with some government agencies to promote Cyber safety and anti-piracy awareness in Ghana. Microsoft in collaboration with the National Communication Authority, Ministry of Communication, and National Security Secretariat with the support from the US Government is hosted a week-long awareness drive on Cyber Security.” (Source: CitiFMOnline)
  • Online Christmas Shoppers Could Be Under Cyber Attack As Experts Warn Of “Wild West” Conditions. “Cyber-crooks are set to exploit “Wild West” conditions online as shoppers splurge record amounts in the run-up to Christmas. Experts warn that starting with today’s Cyber Monday sales frenzy, bargain hunters will have every scam in the book thrown at them.” (Source: The Mirror)
  • ATM Insert Skimmers: A Closer Look. “KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash’s machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers. Traditional ATM skimmers are fraud devices made to be placed over top of the cash machine’s card acceptance slot, usually secured to the ATM with glue or double-sided tape. Increasingly, however, more financial institutions are turning to technologies that can detect when something has been affixed to the ATM. As a result, more fraudsters are selling and using insert skimming devices — which are completely hidden from view once inserted into an ATM.” (Source: KrebsOnSecurity)
  • Exclusive: Third Parties Leaking Email Addresses, Passwords From Leading Firms On Dark Web. “In August, security experts revealed that 68 million Dropbox user emails and passwords were leaked onto the dark web. For LinkedIn, the number was 167 million leaked credentials. For Yahoo: more than 500 million. Now, you may have heard about these breaches, but perhaps you haven’t considered how it involves you: What email did you use to sign up for these platforms? If you’re a law firm employee, and you used your company email address, you may have opened the law firm up to risk. If you use the same two or three passwords on multiple different accounts, particularly connected with your work log-in, this risk potential skyrockets.” (Source: LegalTech News)
  • National Lottery Accounts Feared Hacked. “About 26,500 National Lottery accounts are feared to have been hacked, according to its operator Camelot. The firm said it did not believe its own systems had been compromised, but rather that the players’ login details had been stolen from elsewhere. The company said that no money had been taken from or added to the compromised accounts.” (Source: The BBC)
  • GET Pwned: Web CCTV Cams Can Be Hijacked By Single HTTP Request. “An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves devices wide open to hijacking, it is claimed. The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we’re told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on. Network cameras typically use UPnP to drill through to the public internet automatically via your home router.” (Source: The Register)
  • Newly Discovered Router Flaw Being Hammered By In-the-wild Attacks. “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers. Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers.” (Source: Ars Technica)
  • Europol Takes Thousands Of Piracy And Fraud Sites Offline. “Law enforcement authorities from 27 countries, anti-counterfeiting associations and brand owner representatives participated in this huge action, which was coordinated and facilitated by Europol’s Intellectual Property Crime Coordinated Coalition (IPC³), the US National Intellectual Property Rights Coordination Center and Interpol.” (Source: InfoSecurity Magazine)
  • IRS Hires ‘White-hat’ Hackers To Help Protect IT Systems. “The IRS is employing a ‘white hat’ approach to improve its cybersecurity. The IRS awarded Synack Government a $2 million contract to provide penetration testing by ethical hackers or researchers with no knowledge of IRS systems.” (Source: Federal News Radio)
  • What Parents Don’t Get About Cyberbullying. “At a moment when many parents and school administrators are trying to deter internet bullying, at least one digital security expert called Mr. Trump’s online outbursts ‘a negative role model for America’s youth.’ But as educators, experts, and law enforcement agencies rush to try and thwart internet bullying, Nathan Fisk, a professor at the University of South Florida who studies the internet and youth culture, worries that some approaches may go too far. In his new book, ‘Framing Internet Safety: The Governance of Youth Online,’ he argues that kids still need safe and unsupervised spaces on the internet to figure out the right and wrong ways to communicate – without the prying eyes of parents or school officials.” (Source: The Christian Science Monitor’s Passcode)
  • What Will The Data Breach Landscape Look Like In 2017? “While many companies have data breach preparedness on their radar, it takes constant vigilance to stay ahead of emerging threats and increasingly sophisticated cybercriminals, according to Experian Data Breach Resolution. ‘Preparing for a data breach has become much more complex over the last few years,’ said Michael Bruemmer, VP at Experian Data Breach Resolution. ‘Organizations must keep an eye on the many new and constantly evolving threats and address these threats in their incident response plans.'” (Source: Help Net Security)
  • The Surprising Reason Why You Keep Getting Hacked. ” Cyber Monday is upon us — and one in four shoppers will get hacked this holiday season. If it’s already happened to you, the chances are that it will happen again. That’s because many people still aren’t motivated to protect their personal information, according to one new survey. The just-released 2016 Norton Cyber Security Insights Report, which surveyed 21,000 people in 21 countries found that seventy-six percent know they must actively protect themselves when they go online, but they still share passwords and engage in risky behaviors.” (Source: The NBC News)
  • PayPal Fixes OAuth Token Leaking Vulnerability. “PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.” (Source: Kaspersky’s ThreatPost)
  • Cryptography Professor Warns About Android Security, Says Some Of It Is Six Years Behind The iPhone. “We are constantly barraged with sensationalist headlines of the “millions of Android phones are under threat” type that inform about this and that malware or security lapse that is usually pretty easy to avoid if you install decent apps from legit sources. The sole reason for so many Android security news, however, is that Android’s encryption is still not up to par, even the latest 7.0 Nougat version, reveals a cryptography professor from Johns Hopkins university.” (Source: Phone Arena)
  • How A Grad Student Found Spyware That Could Control Anybody’s iPhone From Anywhere In The World. “The night it happened, right after midnight on August 10, Bill Marczak and his girlfriend were staying up late to watch Star Trek reruns in their spare one-bedroom apartment, in El Cerrito, California, just north of the University of California at Berkeley campus. A trim Ph.D. candidate with dense brown hair and a disciplined beard, Marczak wasn’t just another excitable, fast-talking Berkeley grad student. He was a pioneering analyst in a new and unusual theater of cyber-warfare: the struggle between Middle Eastern freedom activists and authoritarian governments in countries such as Bahrain and Egypt.” (Source: Vanity Fair)
  • 380,000 xHamster Account Details Traded On Digital Underground. “Account details belonging to hundreds of thousands of users of porn website xHamster are being traded on the digital underground. That’s according to Vice’s Motherboard, who claimed it received a database of almost 380,000 users from for-profit breach notification site LeakBase which included usernames, email addresses and what looks like poorly-hashed passwords.” (Source: InfoSecurity Magazine)
  • Spammers Bombard iCloud Users With New Deluge. “Government-backed awareness raising organization, Get Safe Online, has issued new guidance for users bombarded with iCloud calendar and photos sharing spam. The irritation has become particularly pronounced of late over the Black Friday shopping weekend, according to multiple reports.” (Source: InfoSecurity Magazine)
  • NetWire RAT Back, Stealing Payment Card Data. “The remote access Trojan NetWire is back and this time making the rounds pilfering payment card data. The move is a shift for attackers behind notorious NetWire, that was once thought to be the first multi-platform RAT. Over the last couple of years payment card breaches have been mostly synonymous with point of sale (POS) malware that scrapes memory from credit and debit cards swiped through the infected system. A new variant of NetWire RAT scrapes card data and also boasts an integrated keylogger that can sniff data from devices like USB card readers, according to researchers at SecureWorks, who detailed on Monday the latest version of the RAT they came across back in September.” (Source: Kaspersky’s ThreatPost)
  • Two Hackers Appear To Have Created A New Massive Internet Of Things Botnet. “The massive cyberattacks that in the last few weeks have crippled several popular services like Twitter and Spotify, the website of a noted security journalist, and many more, may be about to get worse. Two hackers appear to have created a new powerful zombie army of hacked Internet of Things devices with a modified version of the infamous malware Mirai. The cybercriminals are offering the powerful botnet to anyone who’s willing to pay to launch crippling distributed denial of service (DDoS) cyberattacks.” (Source: Vice’s Motherboard)
  • Report: Most Cybercriminals Earn $1,000 To $3,000 A Month. “Most cybercriminals make between $1,000 and $3,000 a month, but 20 percent earn $20,000 a month or more, according to a recent report. The data is based on a survey conducted by a closed underground community, said report author Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future.” (Source: Network World)
  • 600,000 Car-sharing Users’ Details Stolen In Cyber Attack. “The company Comuto Deutschland made the announcement on Tuesday, only a day after Telekom revealed that a cyber attack had knocked out the internet for almost a million of its customers. ‘We regret to inform you that there has been an illegal seizure of archives from the former platforms mitfahrgelegenheit.de and mitfahrzentrale.de,’ the statement read.” (Source: The Local)
  • Employees Rely Largely On Personally Owned Mobile Devices In The Workplace. “Mobile device adoption in the workplace is not yet mature, found a recent survey from Gartner. Although 80 percent of workers surveyed received one or more corporate-issued devices, desktops are still the most popular corporate device among businesses, with more than half of workers receiving corporate-issued desktop PCs. The survey findings are based on the 2016 Gartner Personal Technologies Study, which was conducted from June to August 2016 among 9,592 respondents in the U.S., the U.K. and Australia.” (Source: Help Net Security)
  • FriendFinder Networks Data Breach Demonstrates The Need For Passwords To Be Eliminated From The Security Puzzle. “The news that more than 412 million accounts and user credentials were exposed following the breach of FriendFinder Networks should serve as a reminder to both organisations and individuals about the weaknesses of passwords. Gideon Wilkins, VP of Sales and Marketing at Secure Cloudlink, believes that due to the high incentive for cyber-criminals to steal this information, passwords as a form of authentication should be eliminated completely from the security equation. According to LeakedSource, which acquired a copy of the leaked data set of the FriendFinder Networks breach, a million of the accounts have the password ‘123456’ and more than 100,000 have the password ‘password’.” (Source: IT Security Guru)
  • Shamoon Malware Returns To Again Wipe Saudi-owned Computers. “Thousands of computers in Saudi Arabia’s civil aviation agency and other Gulf State organisations have been wiped by the Shamoon malware after it resurfaced some four years after wiping thousands of Saudi Aramco workstations. Security firms FireEye, CrowdStrike, McAfee, Palo Alto, and Symantec reported on the advanced sabotage malware which United States intelligence officials say is Iran’s handiwork.” (Source: The Register)
  • It Will Soon Be Illegal To Punish Customers Who Criticize Businesses Online. “Congress has passed a law protecting the right of US consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the US Senate yesterday, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama’s signature.” (Source: Ars Technica)
  • Microsoft Silently Fixes Kernel Bug That Led To Chrome Sandbox Bypass. “Microsoft appears to have silently fixed a two-year-old bug in in Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google’s Chrome browser. James Forshaw, a researcher with Google’s Project Zero first reported the issue in December 2014. Microsoft responded to Google a month later saying it didn’t consider the issue worthy of a fix. Forshaw and Google marked the issue as ‘WontFix’ and removed the view restriction on the disclosure. It’s been more or less on ice since then.” (Source: Kaspersky’s ThreatPost)
  • Europol Red-faced As Terror Data Appears Online. “Europol admitted on Wednesday that confidential information on terror investigations were accidentally put online, as it launched a probe into what it called a ‘very serious incident.’ Dutch investigative TV programme Zembla, which broke the story, said around 700 pages on terror investigations — particularly analysis on terror groups — appeared online, including the names and contact details of hundreds of people with terror links.” (Source: Security Week)
  • Facebook Denies Researchers’ Claim Ransomware Spreading Via Images. “Researchers at security firm Check Point Software Technologies warned social media users that online criminals have begun using specially crafted image files to spread ransomware using a weakness in some social media services. The report, posted to the company’s website, came as attackers used Facebook and other services to spread images containing links to sites that would try to trick users into downloading the Locky ransomware.” (Source: eWeek)
  • New ‘TV’ App From Apple Raises Security And Net Neutrality Concerns. “The app, also to be made available for iOS, offers a solution to the currently disjointed state of video streaming on the Apple TV. Presently, Apple TV owners must sign into and open individual streaming applications to see what new media is available to watch. This compartmentalization prevents users from easily comparing the live and on-demand offerings of competing apps, a problem that Apple TV users have been vocalizing since Siri’s integration in 2015.” (Source: IP Vanish)
  • Major Cybercrime Network Avalanche Dismantled In Global Takedown. “Law enforcement agencies have dismantled a major cybercriminal network responsible for malware-based attacks that have been harassing victims across the globe for years. The network, called Avalanche, operated as many as 500,000 infected computers on a daily basis and was responsible for delivering malware through phishing email attacks. Avalanche has been active since at least 2009, but on Thursday, authorities in the U.S. and Europe announced they had arrested five suspects allegedly involved with it.” (Source: CSO)
  • Travelers Are ‘Easy Targets’ For Online Financial Crime When Abroad. “As holiday season begins, many are looking forward to spending some much needed time away from home. Others will be on vacations abroad and spending money is inevitable. Travelers need to be wary of online financial operations. According to research from Kaspersky Lab, consumers – including holiday makers and business travelers, conduct a lot of financial operations online when abroad, putting themselves at risk when they are not properly protected.” (Source: IT News Africa)

Safe surfing, everyone!

The Malwarebytes Labs Team

ABOUT THE AUTHOR