Security Alerts & News
by Tymoteusz A. Góral

#632 Can Switzerland become a safe haven for the world's data?
As United States and European Union regulators debate a sweeping new data-privacy agreement, Switzerland is presenting itself as a viable neutral location for storing the world’s data thanks to strict privacy laws and ideal infrastructure.

The Swiss constitution guarantees data privacy under Article 13. The country’s laws protecting privacy are similar to those enacted by the E.U. Swiss data protections are also, in some cases, much stricter than those of the E.U., according to Nicola Benz, attorney at Swiss law firm Froriep. And since Switzerland is not part of the E.U., data stored there remains outside the reach of the union’s authorities.

“Swiss law contains things that we call blocking statutes,” Benz said, “which mean that foreign authorities can’t conduct their authority’s functions on Swiss soil unless they follow the proper judicial channels.” The country’s tight privacy laws could make the small nation more attractive to privacy-focused start-ups. And it already has tha
#631 Oracle fixes 136 vulnerabilities with April critical patch update
Oracle fixed 136 vulnerabilities across 46 different products this week as part of its quarterly Critical Patch Update. Seventy-two of them, more than half, can be exploited remotely without authentication.

Fixes for a slew of products, including Oracle’s Database Server, E-Business Suite, Fusion Middleware, along with its Sun Products line, Java SE platform, and MySQL database, were pushed on Tuesday. The update is the company’s second batch of patches for 2016 and, in number of fixes, is much more in line with Oracle’s typical updates than January’s record-setting CPU, which addressed 248 vulnerabilities.

#630 Latest TeslaCrypt targets new file extensions, invests heavily in evasion
TeslaCrypt, like many of its ransomware cousins, doesn’t rest on past success. Researchers at Endgame Inc. have found two updates to the crypto-ransomware in the past two weeks that invest heavily in obfuscation and evasion techniques, and also target a host of new file extensions.

These samples, researcher Amanda Rousseau told Threatpost, were found in attachments of large-scale spam campaigns purporting to be shipping delivery notifications.

Version 4.1A has been in circulation for about a week, Rousseau said, and targets a wide range of the usual file extensions, plus a handful of new ones that merit notice: .7z; .apk; .asset; .avi; .bak; .bik; .bsa; .csv; .d3dbsp; .das; .forge; .iwi; .lbf; .litemod; .litesql; .ltx; .m4a; .mp4; .rar; .re4; .sav; .slm; .sql; .tiff; .upk; .wma; .wmv; and .wallet. The use of spam to move TeslaCrypt is also a departure from recent outbreaks where exploit kits were infecting WordPress and Joomla websites and silently loading ransomware onto co
#629 DRAM bitflipping exploits that hijack computers just got easier
New research into the "Rowhammer" bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers.

The scenario is based on a finding that Rowhammer can be triggered by non-temporal store instructions (x86 MOVNTI and its relatives), which write straight to DRAM and bypass the CPU caches. Earlier Rowhammer attacks had to evict the aggressor rows from the cache with CLFLUSH between accesses, and sandboxes such as Google Native Client responded by banning that instruction; non-temporal stores reach DRAM without it. That opens vulnerable machines to several types of exploits that haven't been discussed in previous research papers. For instance, a malicious web application could use non-temporal stores to break out of a browser security sandbox and reach sensitive parts of the operating system. Another example: attackers could feed crafted files to media players, file readers, file compression utilities, or other applications already installed on a Rowhammer-susceptible machine whose code uses such instructions, and have those applications trigger the attack for them.
#628 RansomWhere?: Generic ransomware detection comes to Apple OS X
Researcher Patrick Wardle, director of research at Synack and a known OS X hacker, today released his own generic OS X ransomware detector called "RansomWhere?". The utility monitors home directories on OS X machines for untrusted processes that are encrypting files. When it sees one, RansomWhere? suspends the process, presents the user with an alert, and waits for the user to decide whether to allow or terminate it.

“I saw that existing approaches aren’t working,” Wardle said. “Antivirus has its shortcomings. KeRanger was signed with a legitimate Apple developer ID certificate that passed it off as a legitimate application. Gatekeeper is not going to block that. You’ve got to think outside the box and take an approach that is not specimen specific.”
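The generic approach the passage describes, as an added example (mine, not Wardle's code or anything from the page): treat any process that is neither signed by Apple itself nor approved by the user as untrusted, measure the entropy of what it writes, and suspend it once it produces several ciphertext-looking files in a short window. The event stream, the "Apple" signer label, the allowlist, the thresholds and the process paths are constructed assumptions; a real collector would get these events from the file-system event stream and the code-signing APIs.

```python
import math
from collections import defaultdict

# Constructed policy for the example. "Apple" is how the hypothetical collector
# labels binaries signed by Apple itself; a Developer ID signature does not count,
# which is the point Wardle makes about KeRanger.
APPLE_SIGNER = "Apple"
ALLOWLIST = {"/usr/bin/zip"}       # binaries the user has approved
THRESHOLD = 3                      # this many ciphertext-looking writes ...
WINDOW_S = 5.0                     # ... within this many seconds triggers an alert

# Formats that are dense by design; writing them is compression or image saving,
# not encryption, so they are excluded before the entropy test.
KNOWN_DENSE_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff",
                     b"7z\xbc\xaf\x27\x1c", b"BZh")


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, min_entropy=7.5):
    """High entropy and not a known compressed/image container."""
    return not data.startswith(KNOWN_DENSE_MAGIC) and shannon_entropy(data) >= min_entropy


def is_trusted(proc_path, signer):
    return signer == APPLE_SIGNER or proc_path in ALLOWLIST


class RansomDetector:
    def __init__(self):
        self.recent = defaultdict(list)   # pid -> [(ts, path)] inside the window
        self.alerted = set()

    def on_write(self, ts, pid, proc_path, signer, path, data):
        """Feed one file-write event; return an alert dict, or None."""
        if is_trusted(proc_path, signer) or not looks_encrypted(data):
            return None
        hits = [(t, p) for t, p in self.recent[pid] if ts - t <= WINDOW_S]
        hits.append((ts, path))
        self.recent[pid] = hits
        if len(hits) >= THRESHOLD and pid not in self.alerted:
            self.alerted.add(pid)
            # RansomWhere? suspends the offender (SIGSTOP) and lets the user decide.
            return {"pid": pid, "process": proc_path, "files": [p for _, p in hits],
                    "action": "suspend process and prompt user"}
        return None


RANDOM_LIKE = bytes(range(256)) * 8                    # entropy 8.0, stands in for ciphertext
TEXT = b"Quarterly numbers are attached, see sheet 2. " * 40

UPDATER = "/Users/alice/Downloads/Updater.app/Contents/MacOS/Updater"
SAMPLE_EVENTS = [   # constructed telemetry: (ts, pid, process, signer, path, data)
    (0.0, 101, "/Applications/Preview.app/Contents/MacOS/Preview", "Apple",
     "/Users/alice/Pictures/a.png", b"\x89PNG" + RANDOM_LIKE),
    (0.5, 202, "/usr/bin/zip", None, "/Users/alice/Documents/backup.zip", b"PK\x03\x04" + RANDOM_LIKE),
    (1.0, 4242, UPDATER, "Developer ID", "/Users/alice/Documents/notes.txt", TEXT),
    (1.2, 4242, UPDATER, "Developer ID", "/Users/alice/Documents/q1.docx.locked", RANDOM_LIKE),
    (1.4, 4242, UPDATER, "Developer ID", "/Users/alice/Documents/q2.docx.locked", RANDOM_LIKE),
    (1.9, 4242, UPDATER, "Developer ID", "/Users/alice/Documents/q3.docx.locked", RANDOM_LIKE),
]


def run_sample():
    det = RansomDetector()
    return [a for a in (det.on_write(*ev) for ev in SAMPLE_EVENTS) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the Developer ID-signed updater trips the detector: the Apple-signed Preview writes a PNG and the allowlisted zip writes an archive, both dense but expected. The rate threshold matters as much as the entropy test, since a single high-entropy write is normal for any program that saves an image or an archive.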
#627 MULTIGRAIN – POS attackers make an unhealthy addition to the pantry
FireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.

Using DNS for data exfiltration provides several advantages to the attacker. Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic used for exfiltration in other environments. While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked. The defensive corollary is that only the internal resolvers should be allowed to reach the Internet on port 53, and that their query logs are where this traffic becomes visible.
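What DNS-based exfiltration looks like from the resolver's side, as an added example (mine, not FireEye's or the page's): a detector that groups queries by client and registered domain and flags groups with many distinct, long, high-entropy subdomains. The BIND-style log lines are constructed; the base32 encoding of the chunks, the "last two labels" approximation of the registrable domain, and the thresholds are assumptions and do not describe MULTIGRAIN's own encoding. A production version would use the Public Suffix List and an allowlist, because CDNs, anti-spam lookups and some security products also legitimately generate long, random-looking names.

```python
import base64
import math
import re
from collections import defaultdict

# Matches the BIND 9 query-log shape used in the constructed sample below.
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(lines):
    """Return (client_ip, qname, qtype) for each parsable line; skip the rest."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return out


def registered_domain(qname):
    # Assumption for the example: the registrable domain is the last two labels.
    # Production code should consult the Public Suffix List (co.uk, com.au, ...).
    parts = qname.split(".")
    return ".".join(parts[-2:])


def label_entropy(s):
    """Shannon entropy in bits per character of the subdomain text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def score_dns(records, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups that look like a
    tunnel: many distinct, long, high-entropy subdomains, often of rare record types."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        groups[(client, dom)].append((sub, qtype))

    findings = []
    for (client, dom), qs in groups.items():
        subs = {s for s, _ in qs if s}
        if len(subs) < min_unique:
            continue
        longest_label = [max(len(l) for l in s.split(".")) for s in subs]
        mean_len = sum(longest_label) / len(longest_label)
        mean_ent = sum(label_entropy(s.replace(".", "")) for s in subs) / len(subs)
        rare = sum(1 for _, t in qs if t in ("TXT", "NULL")) / len(qs)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append({"client": client, "domain": dom, "unique_subdomains": len(subs),
                             "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                             "rare_qtype_fraction": round(rare, 2)})
    return sorted(findings, key=lambda f: -f["unique_subdomains"])


def _exfil_queries(n):
    """Constructed stand-in for what a DNS tunnelling client emits: one query per
    chunk, with the chunk encoded into a subdomain label (base32 here; real families vary)."""
    names = []
    for i in range(n):
        chunk = b"constructed sample chunk %02d" % i
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        names.append(f"{i:04x}.{label}.evil-example.net")
    return names


BENIGN = [
    "15-Apr-2016 09:00:01.001 client 10.20.30.41#50123: query: www.example.com IN A + (10.20.0.53)",
    "15-Apr-2016 09:00:01.104 client 10.20.30.41#50124: query: mail.example.com IN MX + (10.20.0.53)",
    "15-Apr-2016 09:00:01.210 client 10.20.30.41#50125: query: api.example.com IN A + (10.20.0.53)",
    "15-Apr-2016 09:00:01.330 client 10.20.30.41#50126: query: cdn.example.com IN AAAA + (10.20.0.53)",
    "15-Apr-2016 09:00:01.470 client 10.20.30.40#50127: query: time.example.com IN A + (10.20.0.53)",
    "15-Apr-2016 09:00:01.590 client 10.20.30.40#50128: query: updates.example.com IN A + (10.20.0.53)",
    "this line is not a query log entry and is skipped by the parser",
]
EXFIL = [
    f"15-Apr-2016 09:00:{2 + i:02d}.000 client 10.20.30.40#{51000 + i}: query: {q} IN TXT + (10.20.0.53)"
    for i, q in enumerate(_exfil_queries(12))
]
SAMPLE_LOG = BENIGN + EXFIL   # constructed, not a real resolver log


def run_sample():
    return score_dns(parse_query_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The POS host 10.20.30.40 also resolves ordinary example.com names, and those are grouped separately and never reach the minimum count; only its evil-example.net traffic is reported. Grouping by registered domain rather than by full name is what makes the pattern visible, since every exfiltration query carries a different subdomain.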
#626 New crypto-ransomware JIGSAW plays nasty games
The evolution of crypto-ransomware in terms of behavior takes a step forward, and a creepy one at that. We have recently encountered a nasty crypto-ransomware variant called JIGSAW. Reminiscent of the horror film Saw, this malware toys with users by locking and deleting their files incrementally. To an extent, it instills fear and pressures users into paying the ransom. It even comes with an image of Saw’s very own Billy the puppet, and the red analog clock to boot.

It’s no longer a surprise that crypto-ransomware is the prevalent threat in today’s computing landscape, given its promise of quick ROI for the cybercriminals behind it. It’s also not surprising that many have joined this bandwagon. These days, the name of the crypto-ransomware game is to add “unique” features or “creative” ways to instill fear and put more pressure on users to pay up, despite the fact that, when it comes to their technical routines, there’s not much difference among these malware. JIGSAW joins notable
#625 CryptXXX: new ransomware from the actors behind reveton, dropping via Angler
Proofpoint researchers recently found a previously undocumented ransomware spreading since the end of March through Bedep after infection via the Angler Exploit Kit (EK). Combining our findings with intelligence shared by Frank Ruiz (Fox IT InTELL) led us to the same conclusion: this project is conducted by the same group that was driving Reveton ransomware operations and is closely tied to Angler/Bedep. Dubbed "CryptXXX", this new ransomware is currently asking a relatively high $500 per computer to unlock encrypted files. Angler is the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant.
#624 Python-based PWOBot targets European organizations
We have discovered a malware family named ‘PWOBot’ that is unusual because it is written entirely in Python and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been observed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine Bitcoin on the victim’s CPU and GPU.

There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks, affecting organizations from mid to late 2015, have also been observed.
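Because PWOBot is packaged with PyInstaller, one triage step is to recognise the PyInstaller archive inside a suspect binary, as in this added example (mine, not Unit 42's code or anything from PWOBot). PyInstaller appends a CArchive to the executable and ends it with a cookie that begins with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e and records the archive length, the table-of-contents position and the Python version; the 2.1 and later layout adds the name of the Python DLL. The sample file below is constructed, and its MZ stub, offsets and DLL name are made up.

```python
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # CArchive cookie magic
COOKIE_V20 = struct.Struct("!8siiii")               # PyInstaller 2.0: magic, pkg_len, toc_off, toc_len, pyver
COOKIE_V21 = struct.Struct("!8siiii64s")            # 2.1 and later add the Python DLL name


def find_pyinstaller_cookie(blob):
    """Locate and parse the CArchive cookie; return a dict, or None if absent.

    The search runs from the end of the file: trailing data (an Authenticode
    signature, for instance) may follow the cookie, and the bootloader code
    earlier in the file can contain the same magic constant.
    """
    pos = blob.rfind(PYINST_MAGIC)
    if pos < 0:
        return None
    layout, pylib = COOKIE_V20, b""
    if len(blob) - pos >= COOKIE_V21.size:
        _, pkg_len, toc_off, toc_len, pyver, name = COOKIE_V21.unpack_from(blob, pos)
        name = name.split(b"\0", 1)[0]
        if b"python" in name.lower():            # the DLL name field only exists in 2.1+
            layout, pylib = COOKIE_V21, name
    if layout is COOKIE_V20:
        if len(blob) - pos < COOKIE_V20.size:
            return None
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_V20.unpack_from(blob, pos)
    archive_start = pos + layout.size - pkg_len   # pkg_len counts the cookie itself
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None                               # corrupt or truncated archive
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,   # walk the TOC from here to list members
        "toc_len": toc_len,
        "pyver": pyver,          # raw field: 27 for 2.7, 36 for 3.6; newer builds use major*100+minor
        "pylib": pylib.decode("ascii", "replace"),
        "layout": "2.1+" if layout is COOKIE_V21 else "2.0",
    }


def build_sample():
    """Constructed stand-in for a PyInstaller-built Windows executable: a fake PE
    stub, a 1000-byte archive body, the 2.1-style cookie, and 16 trailing bytes."""
    stub = b"MZ" + b"\0" * 510
    body = b"\0" * 1000
    pkg_len = len(body) + COOKIE_V21.size
    cookie = COOKIE_V21.pack(PYINST_MAGIC, pkg_len, 600, 100, 27, b"python27.dll")
    return stub + body + cookie + b"\0" * 16


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
```

On a real sample the next step is to walk the table of contents from toc_offset and extract the .pyc and PYZ members, which are normally far easier to read than the equivalent native code; that is why a Python-based family, for all its portability, gives up most of its secrets quickly once the packaging is recognised.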
#623 Netflix: VPN blockade backlash doesn’t hurt us
Netflix CEO Reed Hastings says that the recent crackdown on VPN and proxy users hasn't hurt the company's results. The VPN blockade only affects a small but vocal minority, according to Hastings, and there are no signs that hordes of subscribers are abandoning ship.

Earlier this year Netflix announced that it would increase its efforts to block customers who circumvent geo-blockades.

As a result it has become harder to use VPN services and proxies to access Netflix content from other countries, something various movie studios have repeatedly called for.

Using commercial blacklist data, Netflix already blocks IP addresses that are linked to such services, which also affects well-intentioned customers who merely use a VPN to protect their privacy.
#622 FBI tells congress it needs hackers to keep up with tech company encryption
A high ranking technology official with the FBI told members of Congress Tuesday that the agency is incapable of cracking locked phones and devices on its own, even with additional resources.

Amy Hess, the agency’s executive assistant director for science and technology, told a panel of the House Energy and Commerce Committee that encrypted communications continue to pose a challenge to American law enforcement and to the safety of the American public. But when asked by lawmakers to provide a practical solution beyond the FBI’s talking points, she said that the cooperation of technology companies would be necessary.
#621 Security firm SurfWatch Labs discovers secret plan to hack numerous websites and forums
Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform, now known as the IPS Community Suite.

The plan belonged to a malware coder known as AlphaLeon, who at the start of March this year started selling a new trojan called Thanatos.

Advertised as a rentable MaaS (Malware-as-a-Service) platform, Thanatos had to run on a very large number of infected hosts to be attractive to its customers. In the infosec community this structure is called a botnet, and the bigger it is, the easier it is to carry out all sorts of cyber-attacks.
#620 Google is partially dangerous - according to Google
Searching on Google might be dangerous; don't take my word for it, take Google's. The search giant's own Transparency Report currently rates its own site "partially dangerous."

The reason for the "partially dangerous" status? According to the report, some pages on the site "contain deceptive content right now."

Google's Safe Browsing technology scans websites for potential risks so that users can be warned before they visit unsafe sites. I first wrote about Safe Browsing a decade ago, back in 2006, when it was first included in Mozilla's Firefox 2.0 web browser as a feature to help make the web safer for us all.

The fact that Google Safe Browsing rates Google's own site as partially dangerous is not scurrilous in any way; rather, it is a testament to Google's honesty and the integrity of its mission to do no evil.