Security Alerts & News
by Tymoteusz A. Góral

#1486 DDoS mitigation firm has history of hijacks
Last week, KrebsOnSecurity detailed how BackConnect Inc. — a company that defends victims against large-scale distributed denial-of-service (DDoS) attacks — admitted to hijacking hundreds of Internet addresses from a European Internet service provider in order to glean information about attackers who were targeting BackConnect. According to an exhaustive analysis of historic Internet records, BackConnect appears to have a history of such “hacking back” activity.

On Sept. 8, 2016, KrebsOnSecurity exposed the inner workings of vDOS, a DDoS-for-hire or “booter” service whose tens of thousands of paying customers used the service to launch attacks against hundreds of thousands of targets over the service’s four-year history in business.
#1485 Data-stealing Qadars Trojan malware takes aim at 18 UK banks
A three-year-old banking Trojan, believed to be the work of experienced and organised Russian cybercriminals, has now turned its attention to UK banks.

The Qadars Trojan has been active since 2013. Using several different versions, the malware has targeted banks in different regions, beginning with France and the Netherlands during 2013 and 2014, then Australia, Canada, the United States, and the Netherlands during 2015 and 2016.

Now, cybersecurity researchers at IBM X-Force Research -- who last month spotted malware attacking Brazilian banks ahead of the Olympics -- have observed the launch of a fresh version of Qadars and a new infection campaign.
#1484 Vulnerability patched in WordPress theme that allows unrestricted uploads
WordPress theme publisher DynamicPress fixed a flaw Monday that let anyone upload malicious files to sites running its business-themed Neosense WordPress templates, compromise the site and possibly the server hosting it.

Walter Hop, a security researcher with the Netherlands-based company Slik, made the discovery last week. The flaw affects version 1.7 of the Neosense theme. On Monday, DynamicPress released version 1.8, which patches the vulnerability, and Hop publicly disclosed the flaw the same day.
#1483 324,000 payment cards breached, CVVs included
About two months ago, a Twitterer going by 0x2Taylor announced a sizeable data dump.

More than 300,000 credit card records were uploaded to the file sharing service Mega; the data has since been removed from Mega, but not before it was widely downloaded by many interested parties.

By some standards, 300,000 stolen records doesn’t sound like very many these days.

That’s a sad state of affairs, of course, caused by the daunting size of some high-profile attacks that have hit the news recently.
#1482 Fake AV makes it onto Google Play
Every once in a while, a fake antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some ads for revenue, and you are given the false sense your phone isn’t infected—kind of a win-win unless you actually want malicious apps to be detected/removed.

These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad.

With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner.
#1481 Cisco IOS Software Checker
Use the Cisco IOS Software Checker tool to search for Cisco Security Advisories that apply to specific Cisco IOS and IOS XE Software releases and have a Security Impact Rating (SIR) of Critical or High. Note that the tool does not provide information about security advisories that have a SIR of Medium. In addition, the tool does not support Cisco IOS XR Software or interim builds of Cisco IOS Software.

To use the tool, choose a release from the drop-down list, enter the output of the show version command, or upload a text file that lists specific releases.
#1480 Untangling the Ripper ATM malware
Last August, security researchers published a blog post discussing a new ATM malware family called Ripper, which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure.

That analysis gave an overview of the techniques used by the malware, noted that it targets three major ATM vendors, and compared Ripper to previous ATM malware families. Their analysis was based on the file with MD5 hash 15632224b7e5ca0ccb0a042daf2adc13. This file was uploaded to VirusTotal by a user in Thailand on August 23.

During our analysis we noticed some additional details that were not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code offsets where possible so that other researchers can follow on from our work.

In April of this year, Trend Micro’s Forward Looking Threat Research team and Europol EC3 collaborated on a comprehensive report on all ATM malware threats known at that point. We have been watching out for new families since then. The paper was made available to members of the Financial and Law Enforcement communities. If you are part of these industries, have not received a copy, and would like one, please contact Robert McArdle.
#1479 Ransomware's next target: Your car and your home
Ransomware is perhaps the biggest cybersecurity scourge of 2016, becoming increasingly problematic both for individuals and businesses of all sizes.

The concept is simple: the cybercriminal tricks a victim into opening a malicious file or clicking on a link, which causes their computer, tablet, or smartphone to be infected with malware that encrypts the data stored on the device. The cybercriminal then demands that the victim pay a ransom -- often in Bitcoin -- in order to get their systems unlocked.

Unless the ransomware also installs data-stealing malware on your system, getting infected with ransomware is more an annoyance than anything. Yes, a business will lose money while its networks are locked down, but in most cases it doesn't have any further 'real world' consequences, as the theft of personal data or banking information might.
#1478 Cisco warns of second firewall bug exposed by Shadow Brokers
Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls.

The latest weakness lies in the code that Cisco’s IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR.

“A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information,” the advisory says.
#1477 Mozilla patching Firefox certificate pinning vulnerability
Mozilla is expected tomorrow to patch a critical vulnerability in Firefox’s automated update process for extensions, which should put the wraps on a confusing set of twists surrounding this bug. The flaw also affected the Tor Browser and was patched Friday by the Tor Project.

The vulnerability first saw light of day last week when a researcher who goes by the handle movrck published his disclosure. He said that a resourced attacker with the ability to steal or forge a TLS certificate for could put the entire Tor (and Firefox) ecosystem at risk to compromise.