Security Alerts & News
by Tymoteusz A. Góral

#801 Master decryption key released for TeslaCrypt ransomware
The criminals behind the TeslaCrypt ransomware have closed up shop and publicly released the master decryption key that unlocks files encrypted by the malware.

The news is significant given the investment and constant innovation devoted to TeslaCrypt, which has been one of the most active crypto-ransomware strains since it debuted in February 2015.

Researchers at Bleeping Computer said they had noticed hints that distribution of TeslaCrypt was being phased out in favor of CryptXXX ransomware, even though the criminals behind the respective ransomware families are likely different. A researcher from ESET, Bleeping Computer’s Lawrence Abrams said, asked for the master decryption key on a TeslaCrypt support site and the attackers capitulated, posting the key along with a message that partially read: “Project closed.”
#800 France DGSE: Spy service sets school code-breaking challenge
France's external intelligence service, the DGSE, has sponsored a school competition to find the nation's most talented young code-breakers.

It is the first time the DGSE has got involved in such a project in schools.

The first round drew in 18,000 pupils, and just 38 competed in the final on Wednesday, won by a Parisian team.

A DGSE spokesman said the aim was to spread awareness about intelligence work. Security is a major concern after last year's jihadist attacks in Paris.

DGSE stands for Directorate-General for External Security. It has 6,200 staff - 63% of them civilians - and an annual budget of about €750m (£575m; $839m).
#799 Archive of historic BT 'email' hack preserved
An archive detailing a historic hack and its fallout has been handed over to the National Museum of Computing.

Previously, the cache of documents, press cuttings and letters had been kept by Robert Schifreen, who hacked BT's Prestel system in 1984.

He and Steve Gold took control of Prestel and penetrated the email inbox belonging to the Duke of Edinburgh.

The legal case around the hack helped define computer misuse laws in the UK and around the world.
#798 Robin Hood hacker donates $11,000 of stolen bitcoin to help fight ISIS
A Kurdish region of Syria that borders territory held by the Islamic State militant group (ISIS) has received an $11,000 donation in allegedly stolen bitcoin from a vigilante hacker.

The pseudonymous Phineas Fisher donated 25 bitcoins to a crowdfunding campaign set up by members of the Rojava region’s economic committee, described by Fisher as “one of the most inspiring revolutionary projects in the world.”
#797 Google fights French 'right to be forgotten' order
Google has appealed to France's highest court after the country's data watchdog ordered it to delete some of its search results globally.

In 2015, the Commission on Informatics and Liberty (CNIL) said Google should respect French "right to be forgotten" rulings worldwide.

But Google said the ruling could lead to abuse by "less open and democratic" countries.

The company is now appealing against a 100,000-euro (£76,000) CNIL fine.
#796 Android Qualcomm vulnerability impacts 60 percent of devices
A flaw in mobile chip maker Qualcomm’s mobile processor, used in 60 percent of Android devices, allows attackers to take control over a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver, coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE).

This QSEE vulnerability, discovered by Gal Beniamini last week, is troubling because it impacts both old versions of the Android operating system and the newer Marshmallow releases. Google has issued a patch for the flaw; however, Duo estimates that only a small fraction of Android devices have received the fix.

Duo researchers are careful to put their analysis of the QSEE vulnerability (CVE-2015-6639) in perspective and stress that while a majority of Android devices are vulnerable to attack via this flaw, the security concerns are not as dire as those raised by the similar and more dangerous Stagefright bugs.
#795 ESET releases new decryptor for TeslaCrypt ransomware
Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.
#794 Ransomware activity spikes in March, steadily increasing throughout 2016
Based on data from FireEye Dynamic Threat Intelligence, ransomware activity has been rising fairly steadily since mid-2015. We observed a noticeable spike in March 2016.
#793 Magento – unauthenticated remote code execution
The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.

The vulnerability assumes one of the RPCs (REST or SOAP) is enabled. As both are enabled by default, and one of them is actually required by the system, this assumption will not be a problem in the absolute majority of installations.
In this document I will use the SOAP API, as XML is more readable in this case.

This vulnerability works on both the Community Edition and Enterprise Edition of the system.
#792 Foreign hackers may be targeting presidential candidates
Foreign hackers may have the campaigns of U.S. presidential candidates in their sights, the nation's top intelligence official warned Wednesday.

The FBI and Homeland Security are working with the campaigns to tighten security and prevent the cyber intruders from penetrating their defenses, Director of National Intelligence James Clapper said.

Clapper warned that there are likely to be cyber attacks as Hillary Clinton and Bernie Sanders battle for the Democratic nomination and Donald Trump tries to rally Republican support for his candidacy. He did not say what actual attacks on the campaigns, if any, have already occurred.
#791 Updated Skimer malware infects ATMs worldwide
Researchers from Kaspersky Lab warn that the Skimer malware, first spotted in 2009, is once again infecting ATMs worldwide in the form of an improved version of Backdoor.Win32.Skimer. The new Skimer gives criminals access to card data, including PINs, as well as to the actual cash held in the machine.

The malicious installers use the Themida packer to disguise the Skimer malware, which is then installed on the ATM. If the ATM file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the ATM has an NTFS file system, netmgr.dll is placed inside an NTFS alternate data stream attached to an executable file, which makes detection and analysis of the malware more difficult.

Unlike other skimming malware programs, such as Tyupkin, which becomes active in a specific time frame and is awakened by a ‘magic code’, Skimer may lie dormant for months until it is activated by the physical use of a ‘magic card.’ The magic card hands control of the malware to the operator, who is then offered a list of options selected by entering a choice on the PIN pad.
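A defender-side check for the two drop locations described above, written here as an added PowerShell example rather than code from the Kaspersky report; because the report excerpt does not name the alternate data stream, the script lists every non-default stream on executables under System32 for review instead of matching a single stream name.

```powershell
# Added example: hunt for the netmgr.dll drop described in the Skimer write-up.
# Assumption: the NTFS alternate data stream name is not given, so every
# non-default stream on .exe/.dll files under System32 is reported for review.
$System32 = Join-Path $env:SystemRoot 'System32'
$Findings = New-Object System.Collections.Generic.List[string]

# Case 1 (FAT32): netmgr.dll dropped as a plain file in System32.
$PlainDrop = Join-Path $System32 'netmgr.dll'
if (Test-Path -LiteralPath $PlainDrop -PathType Leaf) {
    $Findings.Add("plain file: $PlainDrop")
}

# Case 2 (NTFS): a payload hidden in an alternate data stream of an executable.
Get-ChildItem -LiteralPath $System32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        # Get-Item -Stream * enumerates all streams; ':$DATA' is the file's own
        # content and 'Zone.Identifier' is the benign mark-of-the-web stream.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $Findings.Add("ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)")
            }
    }

if ($Findings.Count -eq 0) {
    Write-Output "No netmgr.dll drop or unexpected alternate data streams found under $System32"
} else {
    $Findings | ForEach-Object { Write-Output "FOUND $_" }
}
```

Run it from an elevated PowerShell session on the ATM image or a mounted copy of its system volume; any stream it reports should be extracted and examined before the machine is returned to service.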