Security Alerts & News
by Tymoteusz A. Góral

History
#1336 Development version of the Hitler-ransomware discovered
It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers. This is shown in a new ransomware called Hitler-Ransomware, or misspelled in the lock screen as Hitler-Ransonware, that has been discovered by AVG malware analyst Jakub Kroustek. This ransomware shows a lock screen displaying Hitler and then states that your files were encrypted. It then prompts you to enter a cash code for a 25 Euro Vodafone Card as a ransom payment to decrypt your files.

This ransomware appears to be a test variant, based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead this malware will remove the extension from all of the files under various directories, display a lock screen, and then show a one hour countdown on the lock screen. After that hour it will crash the victim's computer, and on reboot, delete all of the files under the %UserProfile% of the victim. I hope this is not the actual code that this ransomware developer plans on using if it goes live.
#1335 Can good encryption be a double-edged sword for security in Australia?
If every exchange or communication of data on the web was encrypted, would it make our virtual world a more secure place in Australia? A report by PwC found Australia had the highest number of cyber security incidents in the previous 12 months amounting to 9434, more than double the previous year.

Global traffic is expected to surpass the one zettabyte mark by the end of 2016, accompanied by a rapid, global surge in Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption of websites, which until recently was a security measure reserved largely for financial institutions and online checkout processes.

According to the 2016 Dell Security Annual Threat Report, in the fourth quarter of 2015, around 65 percent of total web connections worldwide were SSL/TLS encrypted. That means that every time a website is accessed, there’s a good chance SSL/TLS is being used. Overall, this is a positive trend that should create safer web interactions. Below the surface, however, lurks a hidden threat that might take both you and your firewall by surprise.
#1334 Rex Linux trojan can launch DDoS attacks, lock websites, mine for cryptocurrency
What initially looked like a string of Drupal sites infected with ransomware (that didn't work properly) now looks like a professional cybercrime operation that relies on a self-propagating Linux trojan to create a botnet with various capabilities.

Last May, in a Softpedia exclusive, Stu Gorton, CEO and co-founder of Forkbombus Labs, revealed the existence of a new type of ransomware that targeted Drupal websites. That particular ransomware wasn't really that effective, and webmasters could easily work around it and restore their old websites.

Mr. Gorton didn't share all the details with Softpedia at that particular point in time, saying there was still much to analyze about this piece of malware, which was written in Go and used CVE-2014-3704 to hijack Drupal websites.

According to new research released by Stormshield and Dr.Web, that malware, which calls itself "Rex," has received many updates in the last three months since we first reported on it.
#1333 Anti-Google research group in Washington is funded by Oracle
The Google Transparency Project is a Washington, DC group that's laser-focused on letting Americans know about Google's lobbying efforts. To get its message out, GTP has worked with journalists at Re/Code and The Intercept, which have run stories about Google's many visits to the White House, the prevalence of ex-Googlers in the US Digital Service, and other links.

What wasn't known, until today, is who was paying the bills for research by the "nonprofit watchdog" group. "The folks running the Google Transparency Project won’t say who is paying for it, which is odd for a group devoted to transparency," noted Fortune's Jeff John Roberts, one of many journalists who the group reached out to in April.

Today, Roberts has published a followup, confirming that based on a tip, he found at least one funder—Oracle. That's the same company that lost a major copyright trial to Google and continues to spar with the search giant in court.
#1332 How the NSA snooped on encrypted Internet traffic for a decade
In a revelation that shows how the National Security Agency was able to systematically spy on many Cisco Systems customers for the better part of a decade, researchers have uncovered an attack that remotely extracts decryption keys from the company's now-decommissioned line of PIX firewalls.

The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years. Unless PIX customers took special precautions, virtually all of them were vulnerable to attacks that surreptitiously eavesdropped on their VPN traffic. Beyond allowing attackers to snoop on encrypted VPN traffic, the key extraction also makes it possible to gain full access to a vulnerable network by posing as a remote user.
#1331 Multiple vulnerabilities identified in ‘utterly broken’ BHU routers
Researchers have identified a router so fraught with vulnerabilities and so “utterly broken” that it can be exploited to do pretty much anything. An attacker could bypass its authentication, peruse sensitive information stored in the router’s system logs and even use the device to execute OS commands with root privileges via a hardcoded root password.

Tao Sauvage, a Security Consultant with IOActive Labs, purchased the device, a BHU WiFi router he nicknamed “uRouter”, on a recent trip to China. The device’s web interface was in Chinese, but after he opened the router, he was able to extract its firmware, get shell access and analyze its code. Once in, Sauvage reverse engineered some binaries and discovered that there were three different ways to gain administrative access to the router’s web interface.
#1330 New Brazilian banking trojan uses Windows PowerShell utility
Microsoft’s PowerShell utility is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the high quality of the Trojan is indicative of Brazilian malware that is growing more sophisticated.

The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday.

The banking Trojan is being delivered via a phishing campaign where emails are masquerading as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to attack the target’s PC. PIF files tell MS-DOS applications how to run in Windows environments and can contain hidden BAT, EXE or COM programs that automatically execute after the host file is run.