Security Alerts & News
by Tymoteusz A. Góral

#1691 Disassembling a mobile trojan attack
In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.
#1690 China’s new cybersecurity law is bad news for business
The Chinese government has passed new cybersecurity regulations Nov. 7 that will put stringent new requirements on technology companies operating in the country. The proposed Cybersecurity Law comes with data localization, surveillance, and real-name requirements.

The regulation would require instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited.” Real name policies restrict anonymity and can encourage self-censorship for online communication.

The law also includes a requirement for data localization, which would force “critical information infrastructure operators” to store data within China’s borders. According to Human Rights Watch, an advocacy organization that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.
#1689 Fake shopping apps are invading the iPhone
For tech-focused scammers, knocking off sneakers and handbags is so last decade.

Thieves in the digital age are slamming consumers right in the app.

A slew of knockoff shopping apps have quietly infiltrated Apple’s App Store in recent months, looking to lure unsuspecting iPhone owners with bogus deals on everything from jewelry to designer duds.

The fake apps mimic the look of legit apps — and have proliferated since this summer, experts said.

It didn’t help that earlier this month, Apple introduced search ads in its App Store. The fake apps are buying search terms, it would appear, to increase their exposure to consumers.
#1688 Clever Gmail hack let attackers take over accounts
Google patched a hole in its Gmail verification system last week that allowed an attacker to hijack a targeted Google Gmail account.

The discovery was made by Ahmed Mehtab, a security researcher and founder of Security Fuse. The hack is simple to execute and requires less than dozen steps to pull off.

The hack exploits an authentication or verification bypass vulnerability in a Gmail feature that allows you to send email from a second Gmail account. Mehtab said the attack is “similar to account takeover but here I — as an attacker — can hijack email addresses by confirming the ownership of email (account).” Exploiting the hack, an attacker can send email as if it was being sent from the compromised account. In addition, the attacker could have email forwarded to the compromised Gmail address.
#1687 Adobe patches nine code execution flaws in Flash Player
Two weeks after rushing out an emergency patch for a zero-day vulnerability, Adobe today released another Flash Player security update.

The new release patched nine vulnerabilities, all of which expose the host system to remote code execution. Adobe said it is not aware of public exploits against any of the vulnerabilities.

Adobe said desktop versions and earlier are affected on Windows and Mac platforms, as well as Google Chrome and Microsoft Edge and Internet Explorer 11 on Windows 10 and Windows 8.1.
#1686 Google stops AdSense attack that forced banking trojan on Android phones
Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware.

Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan on about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. While the malicious installation files weren't automatically executed, they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into manually installing them. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.
#1685 TrickBot banking trojan adds new browser manipulation tools
The TrickBot banking Trojan, a close relative to Dyre, has a growing target list and new browser manipulation techniques, experts at IBM X-Force said.

“We expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts,” wrote Limor Kessem, executive security advisor with IBM in a security bulletin Tuesday.

TrickBot, Kessem said, has matured quickly over the past three months during its testing and development stage. She added, the banking Trojan has also implemented two of the “most advanced browser manipulation techniques observed in banking malware in the past few years.”
#1684 IPv4 addresses exhausted, networking standards must support IPv6
The slow move to IPv6 has crept past another milestone, with the Internet Architecture Board (IAB) stating on Monday that the pool of unassigned IPv4 addresses have been allocated.

"As a result, we are seeing an increase in both dual-stack (that is, both IPv4 and IPv6) and IPv6-only deployments, a trend that will only accelerate," the IAB said in a blog post. "Therefore, networking standards need to fully support IPv6."
#1683 Google releases supplemental patch for dirty COW vulnerability
Google’s November Android Security Bulletin, released Monday, patched 15 critical vulnerabilities and addressed 85 CVEs overall. But conspicuously absent is a fix for the Linux race condition vulnerability known as Dirty Cow (Copy-on-Write) that also impacts Android.

While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release “supplemental” firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not.
#1682 Microsoft patches zero-day disclosed by Google
Microsoft followed through and today patched a zero day vulnerability being exploited in public attacks that was publicly disclosed by Google researchers nine days ago.

The victims have yet to have been identified, but Microsoft did accuse the Sofacy APT gang of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.

Google’s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12