Security Alerts & News
by Tymoteusz A. Góral

#1436 Two-thirds of companies pay ransomware demands: But not everyone gets their data back
The majority of organisations that become infected by ransomware will give in to the demands of cybercriminals, for reasons ranging from the importance of the encrypted data to the perceived low cost of the ransom payment.

However, some companies have discovered the hard way that cybercriminals are not to be trusted: many paid the attackers to decrypt their files, only to find that they never got their data back.

The figures on reactions to ransomware come from Trend Micro, following a surge in cyberattacks using file-encrypting malware over the last year. That surge has made ransomware the largest threat to cybersecurity, as demonstrated by several Locky infections at high-profile targets.
#1435 Google shuts down potentially massive Android bug
The Android ecosystem may have dodged another Stagefright-type of vulnerability.

Google’s monthly Android Security Bulletin released on Tuesday not only patched the remaining Quadrooter vulnerabilities, but also fixed another wide-ranging flaw that could allow an attacker to easily compromise—or at least brick—any Android device dating back to version 4.2.

The key to staving off another Stagefright is that yesterday’s patch features a complete overhaul of the offending jhead library, mitigating the possibility of recurring critical bugs, which, for example, continue to plague Mediaserver on an almost-monthly basis.
#1434 The missing piece – sophisticated OSX backdoor discovered
Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB.
#1433 This nasty Android malware tries to bully its way past Marshmallow security features
The battle between hackers and mobile security continues as cybercriminals attempt to find a way around the tighter app security introduced with Android 6.0.

Kaspersky Lab is warning of a modification to the Gugi banking trojan that tries to force its way past new Android 6.0 Marshmallow security features designed to block phishing and ransomware attacks.

The company said the malware forces users into giving it the right to lay a new interface on top of those used by genuine apps, send and view SMS, make calls, and more. Kaspersky said between April and early August this year there was a ten-fold increase in its number of victims.
#1432 Million more devices sharing known private keys for HTTPS, SSH admin
Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications.

This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated.

Devices and gadgets are still sharing private keys for their built-in HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once.

SEC Consult senior security consultant Stefan Viehböck scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.
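Added example (not from the article or from SEC Consult's research): a defender-side audit that reads ssh-keyscan-style output collected from your own estate and reports any host key whose SHA-256 fingerprint appears on more than one host, which is exactly the symptom described above. The host names and key blobs are constructed, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64-blob").
# The blobs are made-up bytes, not real keys; two hosts deliberately share one,
# and one host is listed twice to show that repeats of the same host do not count.
SAMPLE_KEYSCAN = """\
# router-a.example:22 SSH-2.0-constructed
router-a.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7dupkey
cam-b.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7dupkey
router-a.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7dupkey
nas-c.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVuaXF1ZWtleQ
"""


def openssh_fingerprint(b64_blob: str) -> str:
    """SHA-256 fingerprint in the OpenSSH display form (base64, no '=' padding)."""
    raw = base64.b64decode(b64_blob + "=" * (-len(b64_blob) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text: str) -> dict:
    """Return {fingerprint: sorted hosts} for every key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # ssh-keyscan emits comment lines
            continue
        parts = line.split()
        if len(parts) < 3:                     # malformed line: skip, don't crash
            continue
        host, key_b64 = parts[0], parts[2]
        hosts_by_fp[openssh_fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

The same grouping works for TLS: feed it lines of "host fingerprint" built from each certificate's public key and look for fingerprints that recur across unrelated devices.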
#1431 Modified USB ethernet adapter can steal Windows and Mac credentials
Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).

Fuller's attack is effective against locked computers on which the user has already logged in.

The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it's connected to.

The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

"Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed," Fuller explained.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
#1430 Critical flaws found in network management systems
Eleven critical vulnerabilities have been patched in network management systems (NMS) from four leading manufacturers: Cloudview, Netikus, Paessler and Opmantek. The flaws enable remote cross-site scripting and command-injection attacks.

Public disclosure of the vulnerabilities coincided with a technical description released by Rapid7 on Wednesday; the research complements earlier work on similar bugs found in 2015.

The 11 vulnerabilities varied widely; however, they shared a common technique: injecting malicious packets via the Simple Network Management Protocol (SNMP) to gain control of NMS web console browser windows, said Tod Beardsley, principal security research manager at Rapid7, in a blog post.