Security Alerts & News
by Tymoteusz A. Góral

#887 Updated CryptXXX ransomware big money potential
CryptXXX ransomware has received a major overhaul by its authors, putting it on the fast track to unseat Locky as top moneymaker for criminals.

Researchers at Proofpoint said that on May 26, cybercriminals released an updated CryptXXX 3.100 version of the ransomware that includes a new StillerX credential-stealing module, giving attackers additional ways to monetize an infection. Proofpoint said StillerX targets the credentials of a wide range of applications, ranging from casino software to Cisco VPN clients.

“It absolutely looks like CryptXXX is the hot new kid on the block,” said Kevin Epstein, VP of Threat Operations Center at Proofpoint, in an interview with Threatpost. “With TeslaCrypt exiting the ransomware business, CryptXXX looks to soon rival Locky via infection rates and distribution.”
#886 NTP patches flaws that enable DDoS
The Network Time Protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity.

NTP, specifically the NTP daemon, synchronizes system clocks with time servers.

Two years ago, vulnerable NTP servers were routinely used to carry out amplification attacks against targets. High-bandwidth NTP-based DDoS attacks skyrocketed as attackers used vulnerable NTP implementations to amplify traffic, much as DNS amplification had been used in the past. Some NTP amplification attacks reached 400 Gbps, enough to bring down even some of the better protected online services.
#885 WordPress patches 0-day in WP Mobile Detector plugin
A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability.

WP Mobile Detector was pulled from the WordPress Plugin Directory once the attacks went public. It was restored last night and users are urged to update to version 3.7 immediately. The plugin detects if a visitor to a WordPress site is using a smartphone and delivers a compatible theme.

Researchers at Sucuri said yesterday that attacks against WordPress sites running the plugin started on May 27. The zero-day was disclosed on Tuesday by Plugin Vulnerabilities, a WordPress security site. The flaw allows an attacker to upload arbitrary files.
#884 Does your website suck on mobile? Find out using Google's free new tool
Google has rolled out a new free online tool that tests how good or poor your website is for mobile devices, and then provides detailed recommendations on what to fix.

The new Test My Site service, hosted by Google's marketing-focused Think With Google, is the company's latest effort to encourage businesses to make their sites more mobile-friendly. Just type in the URL for a homepage and it will return a score out of 100 for mobile friendliness, mobile speed, and desktop speed.

Google says that people are five times more likely to leave a website that's not easy to use on mobile and that half of all visitors will ditch a page if it takes more than three seconds to load.
#883 Ransomware as a service, inside an organized Russian ransomware campaign (PDF)
In the course of monitoring an organized Russian ransomware campaign, Flashpoint analysts were able to gain significant visibility into the tactics, techniques, and procedures employed by a campaign boss operating a ransomware scheme out of Russia.

As the Russian hacking community has lowered the barrier for unsophisticated Russian cybercriminals to engage in ransomware campaigns, corporations and individuals face a commensurately greater challenge in effectively protecting their data and operations from being held to ransom.

Recent threats powered by ransomware campaigns which have surfaced in the Deep & Dark Web appear to be specifically aimed at the healthcare industry. Cybercriminals consider this industry in particular to be a valuable target due to the treasure trove of personally identifiable information their systems house. While prior efforts focused on stealing and reselling the data, now criminals are turning to ransomware to hold the data hostage.
#882 FastPOS: Quick and easy credit card theft
Businesses today pride themselves on responding quickly to changing conditions. Unfortunately, cybercriminals aren’t any different. A newly discovered malware family hitting point-of-sale (PoS) systems emphasizes speed in how card information is stolen and sent back to attackers. We called this attack FastPOS, due to the speed and efficiency of its credit card theft capabilities.

FastPOS is designed to immediately exfiltrate any stolen card data, instead of storing it locally in a file and periodically sending it to the attackers. This suggests that it may have been designed for much smaller network environments, for example where the primary network gateway is a simple DSL modem with ports forwarded to the PoS system.
#881 Marcher mobile bot adds UK targets, steps up banking fraud capabilities
According to X-Force intelligence, Marcher first appeared in the wild in late 2013. It is known to be a commercial offering sold in Russian-speaking underground forums by its supposed developer or distribution accomplices.

In the first year of its activity, Marcher did not target banks; initially, it was only used by its various operators to steal credit card information from infected victims. To do so, a phishing overlay screen was triggered when users accessed the Google Play app store, plastering a fake window on top of the app store’s activity to request users’ credit card number, expiration date and CVV2 code. In 2014, Marcher began targeting banks, starting with a large bank in Germany, PhishLabs reported.
#880 IRONGATE ICS malware: Nothing to see here... masking malicious activity on SCADA systems
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE.

FLARE found the samples on VirusTotal while researching droppers compiled with PyInstaller — an approach used by numerous malicious actors. The IRONGATE samples stood out based on their references to SCADA and associated functionality. Two samples of the malware payload were uploaded by different sources in 2014, but none of the antivirus vendors featured on VirusTotal flagged them as malicious.

Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that IRONGATE is not viable against operational Siemens control systems and determined that IRONGATE does not exploit any vulnerabilities in Siemens products. We are unable to associate IRONGATE with any campaigns or threat actors. We acknowledge that IRONGATE could be a test case, proof of concept, or research activity for ICS attack techniques.

Our analysis finds that IRONGATE invokes ICS attack concepts first seen in Stuxnet, but in a simulation environment. Because the body of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) malware is limited, we are sharing details with the broader community.
#879 Stop Facebook tracking you across the web, change these settings
Facebook member or not, the social networking giant will soon follow you across the web -- thanks to its new advertising strategy.

From today, the social network with more than a billion users will serve its ads to account holders and non-users alike -- one giant push in the same footsteps as advertising giants like Google, which has historically dominated the space.

In case you didn't know, Facebook stores a lot of data on you. Not just what you say or who you talk to (no wonder it's a tempting trove of data for government surveillance) but also what you like and don't like. And that's a lot of things, from goods to services, news sites and political views -- not just from things you look at and selectively "like" but also sites you visit and places you go.

Facebook now has the power to harness that information to target ads at you both on and off its site.
#878 Facebook’s new DeepText AI understands almost everything we write
“It’s raining! I need a ride!” somebody might wail on Messenger.

“Oh yea? I just got out of a taxi!” a friend might respond.

Wouldn’t it be nice (and, of course, revenue-producing) if Facebook’s algorithms could understand that the ride-needer needs a taxi, that he would probably say yes if Messenger prompted him to connect with Uber, and that his friend does not need a taxi since she just got out of one?

It can.

That’s exactly the scenario that Facebook has trained its artificial intelligence (AI) language-processing system to handle. Facebook announced its newest AI system, called DeepText, on Wednesday.

Facebook says that DeepText is a deep learning-based text understanding engine that can understand with near-human accuracy the textual content of thousands of posts per second, spanning more than 20 languages.
#877 Hacked TeamViewer users 'careless' in personal security
TeamViewer said, "the truth of the matter is TeamViewer experienced network issues because of the DoS-attack to DNS servers and fixed them, there is no security breach at TeamViewer, regardless of the incident, TeamViewer continuously works to ensure the highest possible level of data and user protection."

Instead, the company blamed recent account hack claims at the feet of "careless use of account credentials." As we've seen in the last year, countless credentials are now being traded and released online, and coupled with the fact many will use the same passwords across different services, one loose set can lead to the compromise of multiple accounts.

"In addition, users might unintentionally download and install malware programs," the company said. "Yet once a system is infected, perpetrators can virtually do anything with that particular system -- depending on how intricate the malware is, it can capture the entire system, seize or manipulate information, and so forth."
#876 FireEye: Organisations should stop playing malware whack-a-mole
When it comes to identifying malware infections, organisations tend to stop the fight there, in what Josh Goldfarb, FireEye CTO of emerging technologies, said is a frustrating practice.

According to Goldfarb, what many organisations are doing is re-imaging a laptop or cleaning up the malware, and putting it back into service without foresight to realise it will happen again.

"It's kind of a chicken or an egg situation where organisations are so busy playing whack-a-mole that they don't have time to come up for air, and try and understand why they're so busy playing whack-a-mole," Goldfarb explained to ZDNet.
#875 Former cyber defence head: Ethics should be at the core of cybersecurity
A trusted, ethical cybersecurity industry is vital to underpinning Australia's social and economic wellbeing, Major General Stephen Day, the former head of Cyber and Information Security at the Australian Signals Directorate, has said.

He also believes it is in the best interests of the country's national security to conduct business in such a way.

Speaking at the Intel Security Innovation Forum in Sydney on Thursday, Day said that all people involved in the area of security have a role to play in ensuring the industry goes forward in an ethical and trusted manner.
#874 Dropbox smeared in week of megabreaches
Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant Dropbox.com — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

Today’s post examines some of the missteps that preceded this embarrassing and potentially brand-damaging “oops.” We’ll also explore the limits of automated threat intelligence gathering in an era of megabreaches like the ones revealed over the past week that exposed more than a half billion usernames and passwords stolen from Tumblr, MySpace and LinkedIn.