Security Alerts & News
by Tymoteusz A. Góral

#823 How RTF malware evades static signature-based detection
Rich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities such as CVE-2010-3333 and CVE-2014-1761 were caused by errors in implementing RTF parsing logic.

In fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. CVE-2012-0158 and CVE-2015-1641 are two typical examples of such vulnerabilities – their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.

Another type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.

Plenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.
#822 Will CryptXXX replace TeslaCrypt after ransomware shakeup?
The departure of TeslaCrypt from the ransomware circle has gone and made waves in the cybercriminal world. Bad guys appear to be jumping ships in hopes of getting a chunk out of the share that was previously owned by TeslaCrypt. In line with this recent event, indicators are pointing to a new strong man in the ransomware game: CryptXXX.

CryptXXX (detected as RANSOM_WALTRIX.C) has been the recipient of recent updates; one of which took place after a free decryption tool surfaced that allowed victims to disregard the ransom. Not only does it encyrpt files, recent CryptXXX variants now have a lockscreen technique that prevents users from accessing their desktops.
#821 Beware of keystroke loggers disguised as USB phone chargers, FBI warns
FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices.
#820 Unraveling Turla APT attack against Swiss defense firm
Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight lipped about the breach. But on Monday Switzerland’s CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and the how perpetrators pulled it off.

While Monday’s report falls short when it comes to outlining the type of data stolen, it goes into rare detail on how it was taken. For example, central to the attack was malware from the Turla family and the use of a sophisticated mix of Trojans and rootkits. Additionally, security experts assert that RUAG computers were infected as early as 2014, according the report, making the attack slow and methodical.

It wasn’t until early May that the public even became aware of the attacks. That’s when Swiss defense minister Guy Parmelin went public about a breach against his government that took place in January during the World Economic Forum in Davos, Switzerland. Parmelin also revealed the attack included penetration of RUAG’s system where attackers breached the company’s servers stealing an undisclosed amount of data.
#819 SWIFT to unveil new security plan in the wake of Bangladesh heist
After learning how the organisation worked, the group of cyberattackers stole the Bangladeshi bank's SWIFT code and made a series of transaction requests for cash to be sent from the country's New York-based account to entities across Asia, mainly the Philippines and Sri Lanka.

The group had installed malware in systems at the banks' Dharka headquarters, which allowed them to spend several weeks spying upon the bank's systems and processes.

The breach was uncovered by accident, with an alert only raised as a result of a small spelling error on one of the transactions which blocked other queries that had not yet been processed.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12