Security Alerts & News
by Tymoteusz A. Góral

History
#927 Google patches high severity browser PDF vulnerability
A high-severity vulnerability in Google’s Chrome browser that allows attackers to execute code on targeted systems via a PDF exploit has been patched by Google.

Researchers at Cisco said users were at risk if they were enticed to view a specially crafted PDF document with an embedded jpeg2000 image within Google’s Chrome default PDF viewer, called PDFium.

“Being fairly easy for an attacker to take advantage of this vulnerability, the most effective attack vector is for the threat actor to place a malicious PDF file on a website then redirect victims to the website using either phishing emails or even malvertising,” wrote the Cisco Talos team in a technical description of the vulnerability publicly disclosed on Thursday.
#926 More corporate shared folders in cloud filled with malware, research finds
Internet file sharing has long been a prime route for malware to spread. The situation is one of the reasons (aside from the exposure of proprietary data) that many companies restrict the use of cloud file sharing to corporate-approved systems. But it turns out that those enterprise cloud folders are just as bad. As more companies sanction the use of cloud applications for collaboration and sharing data—even just between individuals' computers and mobile devices—those cloud apps have increasingly become fertile ground for malware.
#925 CryptXXX ransomware jumps from Angler to Neutrino exploit kit
Crooks behind the revamped CryptXXX 3.100 ransomware have switched its distribution from the Angler Exploit Kit to the Neutrino Exploit Kit. The sudden change in distribution was spotted on Monday by researchers at the SANS Internet Storm Center.

“This is not the first time we’ve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK,” wrote Brad Duncan, handler at SANS Internet Storm Center. But he said the switch was noteworthy because SANS had not yet seen CryptXXX distributed by Neutrino.

The move comes as security experts report a resurgence of the CryptXXX ransomware, which was recently revamped with a new encryption algorithm and a new StillerX credential-stealing module that gives attackers additional capabilities to monetize an attack.
#924 A hacker claims to be selling millions of Twitter accounts
A hacker, who has links to the recent MySpace, LinkedIn, and Tumblr data breaches, is claiming another major tech scalp -- this time, it's said to be millions of Twitter accounts.

A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes an email address (and sometimes a second email), usernames, and plain-text passwords.

Tessa88 is selling the cache for 10 bitcoins, or about $5,820 at the time of writing.
#923 Watch the full episode: 'State of Surveillance' with Edward Snowden and Shane Smith (VIDEO)
#922 Vawtrak banking malware – know your enemy
In December 2014, SophosLabs published a paper entitled Vawtrak – International Crimeware-as-a-Service, explaining how cybercriminals have adopted the “Pay As You Go” model that has become so popular in the mainstream technology industry.

Cybercrooks have provided services to one another for years, for example by trading spamming lists, writing malware programs to order, and finding and selling vulnerabilities.

But once you’ve provided another bunch of crooks with your malware source code files, or with access to your mailing lists, you can’t easily control what they do with them.
#921 Slicing into a Point-of-Sale botnet
Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.

Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.
#920 Hackers could have changed Facebook Messenger chat logs
Here's a Facebook hack straight from the pages of the novel 1984: A way to rewrite the record of the past.

"Who controls the past controls the future: who controls the present controls the past," went the ruling party's slogan in George Orwell's dystopian novel.

Security researchers have found a way to control the past, by altering Facebook's logs of online chats conducted through its website and Messenger App.

Such modified logs could be used to control the future, the researchers suggest, by using them to commit fraud, to falsify evidence in legal investigations, or to introduce malware onto a PC or phone.
#919 University pays almost $16,000 to recover crucial data held hostage
Canada's University of Calgary paid almost $16,000 ($20,000 Canadian, ~£10,800) to recover crucial data that has been held hostage for more than a week by crypto ransomware attackers.

The ransom was disclosed on Wednesday morning in a statement issued by University of Calgary officials. It said university IT personnel had made progress in isolating the unnamed ransomware infection and restoring affected parts of the university network. It went on to warn that there's no guarantee paying the controversial ransom will lead to the lost data being recovered.
#918 uTorrent forums hacked, passwords compromised
The uTorrent community forums have been hacked, exposing the private details of hundreds of thousands of users. The hackers were able to get their hands on the user database, and a warning issued by the software maker says that passwords should be considered compromised.

With well over 150 million active users a month uTorrent is by far the most used BitTorrent client around.

In addition, the software also has dedicated community forums with tens of thousands of visitors per day and over 388,000 registered members.
#917 Windows BITS ‘notification’ feature used to deliver malware
Attackers have found a new way to exploit the Windows Background Intelligent Transfer Service (BITS): it is being used to infect and reinfect targeted PCs with malware even after the initial infection has been removed.

According to security researchers at Dell SecureWorks, attackers are exploiting a lesser-known BITS “notification” feature. The feature allows attackers to create a recurring task that downloads and installs malware even after the original malware has been removed.

BITS is used by Windows Update and third-party software for application updates. The service has a long history of being abused by attackers, dating back to 2007. Even today, BITS remains an attractive feature for hackers because the Windows component can retrieve or upload files using an application trusted by host firewalls, said Matthew Geiger, senior security researcher for SecureWorks’ Counter Threat Unit.
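The persistence mechanism described above lives in the BITS job itself, not in the malware file, so a defender needs to look at the job queue. The following PowerShell script is an added example written for this page (it is not SecureWorks' or the article's code); it assumes Windows 8 / PowerShell 3.0 or later, where Get-BitsTransfer exposes the NotifyCmdLine and FileList properties, and an elevated shell so that -AllUsers can see jobs owned by other accounts. The $TrustedNotifyPrograms allow-list is a hypothetical parameter you fill in for your environment.

```powershell
# Added example: enumerate BITS jobs that carry a notification command line,
# i.e. a program BITS will run when the transfer completes. Legitimate
# updaters rarely use this; a job whose command points at an unexpected
# binary is worth investigating.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list of vetted notification programs (full paths).
        # Any job whose notify command does not start with one of these is reported.
        [string[]] $TrustedNotifyPrograms = @()
    )

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        # NotifyCmdLine holds the program and its arguments; join them for display.
        $cmd = (@($job.NotifyCmdLine) | Where-Object { $_ }) -join ' '
        if (-not $cmd) { return }          # no notification command: not in scope

        $trusted = $false
        foreach ($p in $TrustedNotifyPrograms) {
            if ($cmd.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
            }
        }
        if ($trusted) { return }

        # Report the job together with what it downloads and where it writes it.
        [pscustomobject]@{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Created     = $job.CreationTime
            NotifyCmd   = $cmd
            RemoteFiles = (@($job.FileList) | ForEach-Object { $_.RemoteName }) -join '; '
            LocalFiles  = (@($job.FileList) | ForEach-Object { $_.LocalName })  -join '; '
        }
    }
}

# Usage: run elevated; pass the paths of updaters you have verified.
Get-SuspiciousBitsJob -TrustedNotifyPrograms @() | Format-List
```

Deleting the downloaded file alone leaves the job in place to re-download it; the job has to be removed as well (Remove-BitsTransfer on the flagged JobId), and the NotifyCmd value gives you the binary to examine.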
#916 Belgium tops list of nations most vulnerable to hacking
A new “heat map of the internet” has revealed the countries most vulnerable to hacking attacks, by scanning the entire internet for servers with their front doors wide open.

Produced by information security firm Rapid7, the National Exposure Index finds that the most exposed country in the world is Belgium, followed by Tajikistan, Samoa and Australia. The US comes 14th and the UK 23rd.

The map of the internet was produced by Rapid7’s Project Sonar, a tool which allows the firm to scan every single public-facing IP address in a matter of hours, and look at which services they are offering to the wider internet.

Many, even most, of those services will be appropriate. For instance, a web server with an open port 80, the “door” through which HTTP web pages are sent, is appropriate (even if the encrypted version, HTTPS, would be more secure). But eight of the top 10 services offered by servers on the internet are unencrypted, such as POP3, an outdated email protocol, and FTP, an insecure method of transferring files over the net.
#915 Bitdefender finds eavesdropping vulnerability in public cloud
Security firm Bitdefender has found a vulnerability in public cloud infrastructures which it said allows a third party to eavesdrop on communications encrypted with the transport layer security (TLS) protocol.

Bitdefender has used the vulnerability for its own research purposes, developing a technique called TeLeScope, which is only effective against virtualised environments that run on top of a hypervisor.

According to Bitdefender, such infrastructures are provided by industry giants Amazon, Google, Microsoft, and DigitalOcean, with the security vendor flagging banks, companies dealing with either intellectual property or personal information, and government institutions as the sectors likely to be affected by the security flaw.