Security Alerts & News
by Tymoteusz A. Góral

#1093 D-Link Wi-Fi camera flaw extends to 120 products
A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company.

Researchers at Senrio, who found the original vulnerability, disclosed today additional details of product vulnerabilities related to the component after collaborating with D-Link. Senrio said the flaw also puts D-Link Connected Home products at risk, including other cameras, routers, models and storage devices.

Patches are not yet available despite indications from D-Link to Senrio that they would be ready July 1. A request for comment from D-Link was not returned in time for publication.
#1092 10 million Android phones infected by all-powerful auto-rooting apps
Security experts have documented a disturbing spike in a particularly virulent family of Android malware, with more than 10 million handsets infected and more than 286,000 of them in the US.

Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300 million per month in revenue. The success is largely the result of the malware's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android. The Check Point researchers have dubbed the malware family "HummingBad," but researchers from mobile security company Lookout say HummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had already infected a large number of devices.

For the past five months, Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways, including by infiltrating the command and control servers it uses. The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers. HummingBad does this by silently installing promoted apps on infected phones, defrauding legitimate mobile advertisers, and creating fraudulent statistics inside the official Google Play Store.
#1091 CryptXXX ransomware updates ransom note, payment site
For the second time since June 1, the handlers of CryptXXX ransomware have changed their ransom note and Tor payment site. More importantly for administrators and those developing detection signatures, this update no longer makes changes to the file extensions of encrypted files.

“To make it more difficult for administrators, this release no longer uses special extensions for encrypted files,” said researcher Lawrence Abrams on the BleepingComputer website. “Now an encrypted file will retain the same filename that it had before it was encrypted.”

Researcher and SANS Internet Storm Center handler Brad Duncan found the latest update to CryptXXX, in particular to post-infection activity. Duncan found the changes on a Windows machine compromised by the Neutrino Exploit Kit involved in the pseudo-Darkleech campaign.
#1090 Android KeyStore encryption scheme broken, researchers say
The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.

In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.

KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device.

Mohamed Sabt and Jacques Traoré, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is “non-provably secure,” and could have “severe consequences.”
#1089 Symantec: Latest Intelligence for June 2016
The Latest Intelligence page has been refreshed through June 2016, providing the most up-to-date analysis of cybersecurity threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Here are some key takeaways from this latest batch of intelligence.

The Angler toolkit dropped nearly 30 percentage points in June, making up 22.7 percent of all toolkit activity. The toolkit hasn't disappeared completely, but by the end of June activity was 16 times lower than its peak in May.

Meanwhile the Neutrino toolkit increased almost 10 percentage points in June. This toolkit was particularly active in the later part of the month, around the same time Angler saw its deepest decline. This decline in Angler activity follows the disappearance of the Nuclear and Spartan toolkits from our top five list over the past two months, along with a lull in activity from a number of threat groups.

Manual Sharing continues to dominate social media scams, increasing more than 20 percentage points. Fake Offers decreased in June, down from 25.68 percent in May to 12.17 percent in June.
#1088 New OSX/Keydnap malware is hungry for credentials
ESET analyzes multiple samples targeting OS X every day. Those samples are usually potentially unwanted applications that inject advertisements into browser displays while the victim is browsing the web.

For the last few weeks, we have been investigating an interesting case where the purpose of the malware is to steal the content of the keychain and maintain a permanent backdoor. This article will describe the components of this threat and what we know about it so far.

It is still not clear how victims are initially exposed to OSX/Keydnap. It could be through attachments in spam messages, downloads from untrusted websites or something else.

What we know is that a downloader component is distributed in a .zip file. The archive file contains a Mach-O executable file with an extension that looks benign, such as .txt or .jpg. However, the file extension actually contains a space character at the end, which means double-clicking the file in Finder will launch it in Terminal and not Preview or TextEdit.
#1087 After hiatus, in-the-wild Mac backdoors are suddenly back
After taking a hiatus, Mac malware is suddenly back, with three newly discovered strains that have access to Web cameras, password keychains, and pretty much every other resource on an infected machine.

The first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac's file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.

"This type of malware is particularly dangerous as it's hard to detect and offers the attacker full control of the compromised system," Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post published Wednesday. "For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices."
#1086 European Union’s first cybersecurity law gets green light
The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Inc. to report attacks.
#1085 Criminals winning 'cyber arms race' - UK National Crime Agency
Businesses and law enforcement agencies are losing the "cyber arms race" with online criminals, the UK's National Crime Agency has warned.

The technical capabilities of criminal gangs are outpacing the UK's ability to deal with their threat, the NCA added.

It said there were 2.46 million "cyber incidents" last year, including 700,000 frauds - with the biggest threat coming from "a few hundred" criminals.

The government is to spend £1.9bn over the next five years on cyber-defences.

The NCA's annual assessment of cybercrime found a key threat to the UK comes from international gangs.

Some are so well-developed they run call centres and employ translators.