Security Alerts & News
by Tymoteusz A. Góral

#914 DDoS attacks increase over 125 percent year over year
The internet is under heavier attacks than ever. In Akamai's Q1 2016 State of the Internet - Security Report, the content delivery network (CDN) company found there's been a 125 percent increase in distributed denial of service (DDoS) attacks year over year.

But, wait, there's more. Much more. There's also been a 35 percent increase in the average attack duration. In the first quarter of 2015, the average attack lasted almost 15 hours. Now, they're up to just over 16 hours.

Adding insult to injury, truly massive DDoS attacks, those reaching 100 gigabits per second (Gbps), are now more common than ever. The first quarter of 2016 saw 19 such attacks compared to 2015's eight assaults. That's an increase of 137.5 percent.

That last one is even worse than it sounds. In just the first three months of 2016, there were 19 attacks at 100 Gbps. In 2015's last quarter there were only five.

Altogether in 2016's first quarter, Akamai witnessed 4,523 DDoS attacks. That's a significant increase from the previous quarter's 3,693 attacks. This increase was largely driven by repeat attacks on existing customers rather than by cyber crooks going after more targets.
#913 Ransomware leaves server credentials in its code
While SNSLocker isn’t a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that this ransomware contains the credentials used to access its own server.

We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren’t investing that much in the operation when they left their credentials out in the open (the credentials have also been shared on social media by other security researchers). We have reported this finding to law enforcement agencies.
#912 Qarallax RAT: Spying on US visa applicants
Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).

US-bound hopefuls who are looking for additional US Visa information might end up talking to cyber-criminals who could send them a malicious file. We can see two entries from Skype when we try to search for the legitimate account. If you don’t have keen eyesight, you might choose the wrong account.
#911 Google to deprecate SSLv3, RC4 in Gmail IMAP/POP clients
Google said that it will initiate on June 16 a gradual deprecation of SSLv3 and RC4 for Gmail IMAP/POP mail clients.

Both the protocol and the cipher are notoriously unsafe and are being phased out across big chunks of the Internet. Google, for its part, had already announced in May that it would no longer support SSLv3 and RC4 connections for Gmail SMTP.

“Unlike Gmail SMTP, this change will be rolled out as a gradual change, where it may take longer than 30 days for users to be fully restricted from connecting to Gmail from SSLv3 or RC4 connections; however, we recommend updating your clients soon in order to avoid any potential disruption,” Google said this week in an announcement.
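The deprecation above is only as good as the client configuration that meets it. As an added example (not code from the article or from Google), the following Python builds a TLS context for an IMAP/POP client that can never negotiate SSLv3 or RC4, and includes a check an administrator can run to confirm the result before the cut-off. The cipher string and the helper names are my own choices, not anything Google publishes; `connect_imap` is shown for completeness but needs a live server.

```python
import imaplib
import ssl

# Cipher-name fragments that should never appear in a mail client's offer.
# RC4 is the one the announcement above names; the rest are long-deprecated.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL")


def build_mail_client_context() -> ssl.SSLContext:
    """Return a TLS context suitable for Gmail IMAP (993) / POP (995) clients.

    create_default_context() turns on certificate and hostname verification
    against the system trust store; we then pin the protocol floor and trim
    the cipher list so SSLv3 and RC4 cannot be negotiated at all.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # A TLS 1.2 floor rules out SSLv3 (and TLS 1.0/1.1) regardless of what the
    # peer offers; this is the modern replacement for the OP_NO_SSLv3 flag.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Keep the library defaults but explicitly exclude RC4 and other legacy suites
    # (assumed cipher string; adjust to local policy).
    ctx.set_ciphers("DEFAULT:!RC4:!aNULL:!eNULL:!MD5:!DES:!3DES")
    return ctx


def weak_ciphers(names):
    """Return the cipher names that carry a weak marker, e.g. 'RC4-SHA'."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def minimum_tls_is_12(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def context_is_clean(ctx: ssl.SSLContext) -> bool:
    """Audit a context: no weak suites offered, TLS >= 1.2, certificates verified."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return (
        not weak_ciphers(offered)
        and minimum_tls_is_12(ctx)
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def connect_imap(host: str, ctx: ssl.SSLContext, port: int = 993):
    """Open an IMAPS session with the hardened context and report the cipher used.

    Not exercised offline; imap.gmail.com is the host the article's change concerns.
    """
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    negotiated = conn.socket().cipher()  # (name, protocol, secret_bits)
    conn.logout()
    return negotiated


if __name__ == "__main__":
    context = build_mail_client_context()
    print("client context clean:", context_is_clean(context))
    print("offered suites:", [c["name"] for c in context.get_ciphers()])
```

Run `context_is_clean()` against whatever context a client actually uses; if it returns `False`, the client will either stop working when the restriction lands or, worse, keep working over a downgraded connection where the server still permits it.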
#910 Many Lexus navigation systems bricked by over-the-air software update
An unknown number of Lexus automobiles have seen their infotainment and navigation head units broken by a bug in an over-the-air software update from Lexus.

The glitch, which was confirmed by a Lexus spokesperson, was delivered in a routine software update. In affected cars, it can cause the dashboard screen to spontaneously reset itself and, as a result, both the radio and navigation system can be unusable. It affects cars equipped with Lexus' Enform system with navigation.
#909 Firefox 47 fixes 13 vulnerabilities, removes click-to-activate plugin whitelist
Mozilla fixed 13 security issues, including two critical vulnerabilities that could have led to spoofing and clickjacking, among other issues, when it updated Firefox to the latest build, Firefox 47, this week.

One of the issues, a buffer overflow, could have resulted in a potentially exploitable crash according to an advisory published by the company on Tuesday. According to a security researcher who goes by the handle firehack, the overflow could have popped up when the browser parsed HTML5 fragments in a foreign context. When a fragment was inserted into an existing document, it could’ve crashed the browser.

The second critical issue corresponds to not one, but several memory safety bugs reported by 14 different Mozilla developers and community members. The details of the bugs weren’t revealed, but according to the advisory the likeliness that some could be exploited to run arbitrary code was high enough that it warranted fixing.
#908 The new Apple App Store: subscription pricing, faster approvals, and search ads
“We’re doing something a little different this year. We’ve got a bunch of App Store/developer-related announcements for WWDC next week, but frankly, we’ve got a busy enough keynote that we decided we’re not going to cover those in the keynote. And rather, just cover them in the afternoon and throughout the week. We’re talking to people today for news tomorrow about those things, in advance of WWDC, and then developers can come and be ready for sessions about these things, with knowledge about them before the conference. We haven’t done this before, but we figured, what the heck, let’s give it a try,” Phil Schiller said.
#907 Unpatched DLink WiFi camera flaw remotely exploitable
D-Link is wrestling with a vulnerability in its DCS-930L Wi-Fi camera that was privately disclosed by security company Senrio.

The flaw exposes the cameras to remote code execution, a Senrio report says.

CEO Stephen Ridley told Threatpost that his company is working with D-Link on remediation. D-Link, meanwhile, said in a statement emailed to Threatpost:

“Security is the highest priority for D-Link and we are proactively working with the source of the report since receiving the inquiry to ensure that any vulnerabilities discovered are addressed. Once information and testing is completed, additional information will be made available to customers online at”
#906 Symantec: Fake gaming torrents lead to potentially unwanted applications
The availability of pirated content on torrent sites can come with hidden repercussions. Symantec research of popular torrent websites has observed a potentially unwanted application (PUA) distribution campaign. On several sites, we found fake torrents with the names of popular games, such as Assassin’s Creed Syndicate or The Witcher 3, which were used as bait to trick users into silently installing PUAs on their computer. Symantec believes this PUA distribution campaign abuses legitimate affiliate pay-per-install programs.

A PUA is a type of software that may impact security, privacy, resource consumption, or is associated with other security risks. There are several ways that a PUA might get installed on a computer or device. It may arrive as a freeware application or be bundled with third-party software. In many cases, user consent is required, but on some occasions a more intrusive PUA may perform a silent install that escapes attention.
#905 US warns banks of hacking threat to Swift system
US regulators have warned banks about potential cyber attacks linked to the interbank messaging system.

The statement came two weeks after the Federal Bureau of Investigation sent a notice cautioning US banks after the hacking of Bangladesh's central bank.

The FBI message warned of a "malicious cyber group" that had already targeted foreign banks.

In February, hackers stole $81m (£56m) from Bangladesh's account with the Federal Reserve Bank of New York.

The hackers used the Bangladesh central bank's Swift credentials to transfer money to accounts in the Philippines. Swift is the system banks use to exchange messages and transfer requests.

The hackers attempted to steal nearly $1bn, but several of their requests were rejected because of irregularities.
#904 FireEye uncovers phishing campaigns targeting Apple users
Security firm FireEye has found malicious phishing campaigns targeting Apple iCloud users through the use of phony Apple domains.

FireEye has reported that since January this year, several phishing campaigns have targeted the Apple IDs and passwords of Apple users in China and the United Kingdom.

An Apple ID is provided to all of Apple's customers, allowing users access to services such as iCloud, the iTunes Store, and the App Store. According to FireEye, anyone with access to an Apple ID, password, and some additional information, such as date of birth and device screen lock code, can completely take over the device and use the credit card information to impersonate the user and make purchases via the Apple Store.

One of the phishing kits found by FireEye, named zycode, targeted Apple users in China by mimicking over 30 Apple domains, appearing as an Apple login interface for Apple ID, iTunes, and iCloud designed to lure people into submitting their Apple IDs.
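Both the QRAT Skype account in #912 (an extra “i” slipped into “ustraveldocs”) and the zycode phishing kit above (dozens of domains that merely contain the word Apple) rely on names that look right at a glance. As an added example that is not code from either report, the following Python shows the two checks a helpdesk or mail gateway can run against a presented name: edit distance to a known-good identifier, and brand tokens appearing in a hostname whose registrable domain is not the brand's. The legitimate Skype account name is not given in the article, so `ustraveldocs-switzerland` is an assumed value, and the sample hostnames are constructed for the demonstration.

```python
import re

# Constructed allow-lists. The Skype name is an assumption; the article only
# says the fake account was "ustravelidocs-switzerland".
LEGIT_ACCOUNTS = ["ustraveldocs-switzerland"]
LEGIT_DOMAINS = ["apple.com", "icloud.com"]


def normalize(name: str) -> str:
    """Lowercase and drop separators so 'US-TravelDocs' equals 'ustraveldocs'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_account(candidate: str, legitimate=LEGIT_ACCOUNTS, max_distance: int = 2):
    """Return ('exact'|'lookalike'|'unrelated', matched legit name or None).

    A name within max_distance edits of a real account, but not identical to it,
    is the pattern the #912 lure used and is flagged as a lookalike.
    """
    cand = normalize(candidate)
    best = None
    for legit in legitimate:
        d = levenshtein(cand, normalize(legit))
        if d == 0:
            return ("exact", legit)
        if best is None or d < best[0]:
            best = (d, legit)
    if best is not None and best[0] <= max_distance:
        return ("lookalike", best[1])
    return ("unrelated", None)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels. Good enough for .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, legitimate=LEGIT_DOMAINS):
    """Return ('legitimate'|'brand-lookalike'|'typo-lookalike'|'unrelated', legit domain).

    Subdomains of a real domain are fine; a brand word inside some other
    registrable domain (the zycode pattern) or a one-edit typo of it is not.
    """
    reg = registrable_domain(host)
    sld = reg.split(".")[0]
    for legit in legitimate:
        if reg == legit.lower():
            return ("legitimate", legit)
    for legit in legitimate:
        brand = legit.split(".")[0]
        if brand in normalize(host):
            return ("brand-lookalike", legit)
    for legit in legitimate:
        brand = legit.split(".")[0]
        if levenshtein(sld, brand) <= 1:
            return ("typo-lookalike", legit)
    return ("unrelated", None)


if __name__ == "__main__":
    for acct in ["ustravelidocs-switzerland", "US-TravelDocs-Switzerland", "bob123"]:
        print(acct, "->", classify_account(acct))
    # Constructed hostnames for the demonstration, not domains from the report.
    for host in ["appleid.apple.com", "appleid-verify.example", "appie.com", "example.org"]:
        print(host, "->", classify_domain(host))
```

The distance threshold is deliberately small: at two edits a long name like the travel-docs account still catches the inserted letter, while short brand names are handled by the separate substring and single-edit checks so that ordinary words do not collide with them.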