Security Alerts & News
by Tymoteusz A. Góral

#818 This sneaky botnet shows why you shouldn't use the same password for everything
While automated attacks by a networked army of computers aren't a new problem, the methods that botnets are using are getting more complex.

They're also increasing in number: the latest cybercrime report from ThreatMetrix suggests that the number of attacks between January and March this year is up by over a third compared with the previous quarter. The report states that 311 million bot attacks were detected and stopped by its technology in the opening three months of 2016.

Botnet attacks used to just be large volume distributed denial of service (DDoS) or spam attacks, designed to overwhelm servers to the point of collapse or act as a distraction in order to allow cybercriminals to hack into the targeted system without being detected.

Now, however, the cybersecurity researchers say that botnets are being used in a new way: to test stolen login details in a way that allows them to evade detection by security systems.
#817 SWIFT network doubles down on security
The SWIFT banking network on Friday updated financial institutions worldwide on new security resources it has developed in the wake of massive fraud. Officials also reminded banks of their role in securing their respective infrastructures.

Banks in Bangladesh, Vietnam and Ecuador have been infiltrated by attackers who stole credentials for the SWIFT system to move out tens of millions of dollars; Bangladesh Bank was the most egregious case where attackers were able to steal more than $80 million. It has been reported that the bank was not running a firewall and was using $10 commodity switches to manage computers connected to the SWIFT network.

SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is a private network used by financial organizations to send and receive transactions.

Hackers have been targeting banks with weak or non-existent security to steal credentials for the SWIFT network to make fraudulent transactions. In a May 13 statement after the attack on the Vietnamese bank, SWIFT hinted that insiders at the respective banks could also be involved.
#816 Google plans to bring password-free logins to Android apps by year-end
Google’s plan to eliminate passwords in favor of systems that take into account a combination of signals – like your typing patterns, your walking patterns, your current location, and more – will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google’s research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication.

As you may recall, Project Abacus was first introduced at Google I/O last year, where it was described as an ambitious plan to move the burden of passwords and PINs from the user to the device.

Today, secure logins – like those used by banks or in the enterprise environment – often require more than just a username and password. They tend to also require the entry of a unique PIN, which is generally sent to your phone via SMS or emailed. This is commonly referred to as two-factor authentication, as it combines something you know (your password) with something you have in your possession, like your phone.
#815 Persistent EITest malware campaign jumps from Angler to Neutrino
A two-year-old EITest malware campaign is still going strong, fueled by the fact that it has shifted its distribution technique over time. Now researchers at the SANS Institute's Internet Storm Center are reporting that EITest is morphing again, based on analysis of the malware campaign conducted earlier this month.

According to researcher Brad Duncan, the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.

“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote in an Internet Storm Center post.
#814 Two exploit kits spreading attacks for recent Flash Player zero day
Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains and a credential-stealing Trojan.

A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a working exploit for CVE-2016-4117 while Magnitude has not fully implemented the exploit.

Kafeine said that Magnitude is firing exploits for Flash Player up to version 21.0.0.213, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.

Detection rates on VirusTotal for the Neutrino exploit remain low: only five of 56 engines flagged it as of this morning.
#813 Windows 10 problem? Now everyone can gripe to Microsoft via Feedback Hub
If you've got a complaint about Windows 10 or suggestions for how to make it better, you can now tell Microsoft using the Feedback Hub app.

Until now, Feedback Hub has been available exclusively to Windows users who participate in Microsoft's Insider Program. But now, just ahead of this summer's Windows 10 Anniversary Update, Microsoft has opened it up to all 300 million Windows 10 users.
#812 Crooks used SQL injections to hack Drupal sites and install fake ransomware
Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files.

The first victims recorded complaining about this new strain of ransomware appeared in late March, on the official Drupal forums. Site admins were describing their websites as "being locked" with a message that read:

“Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”

Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (Drupal CMS specific file) and /joomla.xml files.

The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the admin user's password.

CVE-2014-3704 is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.
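The campaign described above starts with a cheap fingerprinting step (requests for /CHANGELOG.txt and /joomla.xml) before the SQL injection is attempted, which gives site operators something easy to watch for. The following is an added defender-side example, not code from the article or from Forkbombus Labs: it scans constructed combined-format access log lines for those fingerprint requests, reports which clients actually received the Drupal CHANGELOG (a 200 response means the version was disclosed), and applies the affected-version rule the article states (Drupal 7.x prior to 7.32). The CHANGELOG line format it parses ("Drupal 7.31, 2014-07-24") is an assumption about Drupal 7's own CHANGELOG.txt; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample access log in Apache/nginx combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2016:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2016:10:01:03 +0000] "GET /joomla.xml HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2016:10:05:44 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2016:10:01:05 +0000] "POST /?q=node&destination=node HTTP/1.1" 200 2048 "-" "python-requests/2.9"
192.0.2.55 - - [28/Mar/2016:11:20:00 +0000] "GET /CHANGELOG.txt HTTP/1.1" 403 199 "-" "curl/7.47"
"""

# Minimal combined-log parser: client IP, timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two files the article says the scanning bot requests to fingerprint Drupal/Joomla.
FINGERPRINT_PATHS = {"/CHANGELOG.txt", "/joomla.xml"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_fingerprint_probes(log_text):
    """Return {client_ip: [(path, status), ...]} for clients that requested a fingerprint file."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] in FINGERPRINT_PATHS:
            probes[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(probes)


def changelog_exposed(log_text):
    """Clients that received HTTP 200 for /CHANGELOG.txt, i.e. the Drupal version was disclosed to them."""
    exposed = set()
    for ip, hits in find_fingerprint_probes(log_text).items():
        for path, status in hits:
            if path == "/CHANGELOG.txt" and status == 200:
                exposed.add(ip)
    return sorted(exposed)


def parse_drupal_version(changelog_text):
    """Extract the newest version from a Drupal 7 CHANGELOG.txt.

    Assumes the file begins with release lines such as 'Drupal 7.31, 2014-07-24'
    (an assumption about Drupal's own file format). Returns e.g. '7.31' or None.
    """
    m = re.search(r"^Drupal (\d+\.\d+)", changelog_text, re.M)
    return m.group(1) if m else None


def affected_by_cve_2014_3704(version):
    """Version rule from the advisory summarised above: Drupal 7.x prior to 7.32 is affected."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return major == 7 and minor < 32


if __name__ == "__main__":
    for ip, hits in find_fingerprint_probes(SAMPLE_LOG).items():
        print(f"fingerprint probes from {ip}: {hits}")
    print("version disclosed to:", changelog_exposed(SAMPLE_LOG))
    # Constructed CHANGELOG header to illustrate the version check.
    v = parse_drupal_version("Drupal 7.31, 2014-07-24\n-----------------------\n")
    print(f"local Drupal {v} affected by CVE-2014-3704: {affected_by_cve_2014_3704(v)}")
```

In practice the probe list alone is noisy (plenty of scanners request these files), so the useful signal is the combination: a client that got a 200 for /CHANGELOG.txt and then sent POST requests to the site within the same minute. The simplest mitigation the logs also point to is to stop serving CHANGELOG.txt and similar metadata files from the web root (the 403 in the sample is what that looks like), alongside upgrading any 7.x site below 7.32.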