Last week was an eventful one in security, keeping our research and intel teams on their toes. Multiple security researchers homed in on suspicious and malicious apps on Google Play, affecting thousands of Android users. A new variant of Mac malware Proton was also found in the wild, this time hijacking the Elmedia Player to create a Trojanized copy of the app on its official website. If you’re a Mac user and suspect that you might be infected, our Director of Mac and Mobile, Thomas Reed, provided helpful tips to clean up your computer.

We touched on how a business can create and foster an intentional culture of security, addressed why we need such a thing, and debunked some misconceptions surrounding it. We also looked into the Bring Your Own Device (BYOD) policy, the risks associated with it, and some mitigating factors to consider.

Independent security researcher Hasherezade analyzed the Magniber ransomware, which targets systems only in South Korea. She noted that this type of highly-targeted campaign is a first of its kind, as zeroing in on a single country is unusual. Not only that, the said malware was created with multiple checks to ensure that the language and country of systems are in South Korea.

419 scams are well-known, but not all threat actors behind them contact users via social media—in this case, Twitter—and offer millions in exchange for their children.

Last week KRACK, a flaw in the wireless protocol that protects modern Wi-Fi networks, was discovered. Short for Key Installation Attack, KRACK allows malicious actors (within Wi-Fi range) to insert themselves into the network and intercept traffic between users and the router. Android and Linux users are most affected by this vulnerability.

Lead Malware Intelligence Analyst Jérôme Segura wrote about the weaponization of an old Microsoft Office feature called Dynamic Data Exchange (DDE) in a malspam attack. This was a noted alternative to using exploits or taking advantage of macros.

Lastly, Director of Malwarebytes Labs Adam Kujawa explained why we detect CoinHive, a service that provides cryptocurrency miners and can be deployed on websites using JavaScript.

Below are other notable security stories from last week:

Latest updates for consumers

  • New Scam Impersonates VAT Form To Deliver Malware. “Trustwave explained that the body of the email encourages the user to click on an embedded image of a PDF doc citing an error in their recently submitted VAT return, taking the victim to a Microsoft OneDrive file sharing service that downloads a VAT Return ZIP file—inside is a malicious Java Jar file that on execution downloads and launches malware via several VBS scripts. There is no actual attachment sent with the message.” (Source: InfoSecurity Magazine)
  • Hackers Exploit Adobe Flash Flaw to Install Infamous Spyware. “The vulnerability, which can trigger remote code execution, only came to light when security firm Kaspersky Lab noticed it as part of a hacking attempt against a customer last week.” (Source: PC Magazine)
  • ‘Worse Than KRACK’ – Google and Microsoft Hit by Massive 5-Year-Old Encryption Hole. “The problem in the Infineon chips is to do with the vendor’s implementation of the encryption, based in this case on the widely-used RSA standard. Thanks to the bugs, it’s possible to calculate someone’s private key by just having the public key.” (Source: Forbes)
  • WaterMiner – a New Evasive Crypto-Miner. “This post explains the nature of malicious cryptocurrency miners (cryptominers), dissects the newly discovered malware, and explains its evasive techniques and infection vectors that the adversaries employed to get around endpoint security tools. We also provide details about the identity of the person who is likely behind this campaign.” (Source: Minerva Labs Blog)
  • Simple Social Login for Users and Attackers. “It’s easy to see why social logins are so popular. For users, it’s a much easier mechanism. With a social login, they control one trusted identity and use it to log into other places in a trustworthy way. For site owners, it reduces friction in the signup process and feels more secure, as they don’t need to manage user passwords or store their credentials, and they know that a user’s email will be valid and won’t bounce.” (Source: InfoSecurity Magazine)
  • Are You Sharing the Same IP Address as a Criminal? Law Enforcement Call for the End of Carrier Grade NAT (CGN) to Increase Accountability Online. “The inability to identify Internet subscribers on the basis of an IP address has put the European judiciary and law enforcement communities in a difficult and complex situation, creating a public safety gap and putting the privacy of citizens at risk because it forces judiciary and law enforcement authorities to investigate many more individuals than would normally be necessary.” (Source: Europol)
  • A Look at Locky Ransomware’s Recent Spam Activities. “A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains to be a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • Necurs Malware Will Now Take a Screenshot of Your Screen, Report Runtime Errors. “This Necurs downloader often gets ignored because it’s usually pretty small and insignificant. Recently, researchers from Symantec observed two major additions to the Necurs downloader.” (Source: Bleeping Computer)
  • Google Wants Bug Hunters to Probe Popular Android Apps for Bugs. “While the name of the program might suggest that bug hunters will be after vulnerabilities in Google’s official Android app market, in reality they will be asked to unearth bugs in all of Google’s apps available on Google Play, as well as a short list of other popular ones.” (Source: Help Net Security)
  • Malware in Firmware: How to Exploit a False Sense of Security. “When thinking about security, we generally take risk into account. It is well known that risk is a composition of likelihood and potential impact, so while a bootkit’s impact is undoubtedly hefty, what can be said about the likelihood of coming across such threat?” (Source: ESET’s WeLiveSecurity Blog)
  • Quarter of Emails Claiming to Be From Feds are Malicious, Unauthenticated, Says Cyber Firm. “In the report, Agari notes federal agencies will continue to suffer from excessive malicious emails without the usage of proper Domain-based Message Authentication (DMARC) monitoring policies. The company concluded that 90 percent of the 400 federal domains are vulnerable to these types of threats.” (Source: Fifth Domain)

Latest updates for businesses

  • Hacking Container Ships is Dead Easy, Warn Security Consultants. “At a shipping conference in Athens, Greece, Ken Munro, a security researcher at Pen Test Partners, said that maritime cybersecurity is facing similar challenges now to what industrial controls security in utilities started addressing several years ago.” (Source: SC Magazine)
  • Your Board of Directors Is Exposing You To Risk. “It’s commonly accepted that your users are the weakest link in your security chain. That is actually not true in a lot of cases, though. The reality is that your true Achilles heel is probably your board of directors.” (Source: Forbes)
  • Study: 61 Percent of Organizations Have Minimal Control Of SSH Privileged Access. “Cybercriminals can abuse SSH keys to secure and automate administrator-to-machine and machine-to-machine access to critical business functions. According to Venafi’s research, even though SSH keys provide the highest levels of administrative access, they are routinely untracked, unmanaged, and poorly secured.” (Source: Venafi Press Release)
  • Top UK Organisations Still Too Exposed to Cyber Threats According to New RiskIQ Research. “Unpatched web infrastructure and de-centralised web management practices are leaving UK organisations vulnerable to cyberattacks and high profile data breaches. New RiskIQ research reveals a loss of control amongst the FT30, expanding their digital attack surface and opening doors to cybercriminals.” (Source: Realwire)
  • Microsoft: Why Identity Protection Is the Key to Corporate Security. “Microsoft has long been the preferred choice of partner for many companies, with its Microsoft 365 platform offering a comprehensive, and more importantly, secure way to ensure data stays protected. But just exactly what goes in to ensuring millions of enterprises can leave the office each evening feeling assured that their data is safe?” (Source: IT Pro Portal)
  • Password Sharing, Unauthorized Access Are Rampant Problems in the Enterprise. “While cybersecurity experts recommend that organizations deploy a Privileged Access Management (PAM) solution—a tool that enables businesses to consolidate and track employee access to various accounts—BeyondTrust’s latest report suggests businesses are seriously lacking in their efforts to deploy a more robust security strategy.” (Source: PYMNTS.com)
  • Business Suffers As Over-zealous Security Tools Block Legitimate Work. “Most security teams utilise a ‘prohibition approach’—i.e. restricting user access to websites and applications—a tactic which is hampering productivity and innovation while creating major frustration for users, according to research conducted by Vanson Bourne.” (Source: Help Net Security)
  • 10 Social Engineering Attacks Your End Users Need to Know About. “Christopher Hadnagy, chief human hacker at Social-Engineer, adds that people should be aware that social attacks such as phone-based vishing where attackers try to steal money over the phone are becoming more prevalent.” (Source: Dark Reading)
  • Top Thoughts for GDPR Third-Party Management. “We see that there are three priorities for third-party management: understanding the different roles defined in GDPR; key contract elements to consider for GDPR processors; and assessing the applicable processors for compliance.” (Source: InfoSecurity Magazine)

Safe surfing, everyone!