Security Alerts & News
by Tymoteusz A. Góral

#1978 Google Project Zero: How we cracked Samsung's DoD and NSA-certified Knox
Google's Project Zero hackers have detailed several high-severity flaws that undermined a core defense in Samsung's Knox platform that protects Galaxy handsets in the enterprise.

Since launching Knox in 2013, the platform has been certified for internal use by UK and US government departments, including the US DoD and NSA. Given these certifications, defense-in-depth mechanisms should be rock solid.

But according to Project Zero's Gal Beniamini, who last year tore apart Android's full disk encryption, a Knox hypervisor designed to protect the Linux kernel during runtime can be subverted multiple ways.
#1977 AthenaGo RAT uses Tor2Web proxy system to hide C&C server
Compared to other RATs, Cisco researchers say that AthenaGo has a few features that make it stand out. First and foremost, AthenaGo is the first RAT written in the Go programming language, albeit not the first malware.

Go malware is a little bit rarer, especially on Windows, but it's as effective as malware written in other programming languages.

The only downside, as Cisco researchers explained in a technical analysis of AthenaGo, is that Go binaries include a bit more detail, which helps researchers identify the malware's capabilities more easily.
#1976 DynA-Crypt not only encrypts your files, but also steals your info
A new ransomware called DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim's computer. Ransomware and information-stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of steaming **** that just makes a mess of a victim's programs and data.

The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.
#1975 Newly discovered flaw undermines HTTPS connections for almost 1,000 sites
Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars.
#1974 Finding Ticketbleed
Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.

If you suspect you might be affected by this vulnerability, you can find details and mitigation instructions at ticketbleed.com (including an online test) or in the F5 K05121675 article.
#1973 Google let scammers post a perfectly spoofed Amazon ad in its search results
Anyone who used Google search to look for Amazon, the internet retail giant, on Wednesday was likely served a malicious ad -- and didn't even realize it.

The good news is that unlike other rogue ads, your machine wasn't infected or served malware in any way.

But anyone who clicked on it would not have been sent to Amazon.com as they would have hoped, but instead, they were pointed to a fake Windows support scam posing as Microsoft.
#1972 The startup paying people to legally hack Uber, Nintendo, and Starbucks just got another $40 million to keep growing
HackerOne, a marketplace where companies can pay hackers to spot and fix security flaws in their software, has raised another $40 million in venture capital funding in a round led by Dragoneer Investment Group.

The technical term for what HackerOne does is offer "bug bounties." Google, Apple, Microsoft, and even less tech-y companies like United Airlines pay out millions to amateur and professional hackers every year — it's cheaper than the massive damages caused when an undiagnosed flaw turns into a malicious hacker's entry point.
#1971 Fileless attacks against enterprise networks
During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memory and hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on their activity, forensic specialists may extract data up to a year after an incident.

That's why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory with a payload. That's why memory forensics is critical to the analysis of malware and its functions.

Another important part of an attack is the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like "SC" and "NETSH".
#1970 Mirai gets a Windows version to boost distribution efforts
Security researchers have stumbled upon a Windows trojan that hackers are using to help with the distribution of the infamous Mirai Linux malware, used to infect IoT devices and carry out massive DDoS attacks.

The Mirai malware was initially developed in late 2015 and early 2016, and only became a massive threat in the summer and autumn of 2016, when it spread to hundreds of thousands of routers and DVRs (deployed with smart cameras and CCTV systems).

After crooks used a botnet of Mirai-infected devices to launch DDoS attacks on the KrebsOnSecurity blog, increased attention from law enforcement forced the malware's author to dump the Mirai source code online.

This move resulted in tens of Mirai variants popping up everywhere, which in turn helped hide the author's tracks, or so the author thought, until this Brian Krebs exposé.
#1969 This modular backdoor malware is now the most common threat to Android smartphones
It's taken a whole year for it to be dislodged, but Hummingbad has finally been overtaken as the leading form of mobile malware.

The Hummingbad Android malware is still likely making its creators hundreds of thousands of dollars a month, and continues to infect millions of devices, but the Triada malware has taken the top spot in the first month of the year, Check Point's Threat Impact Index for January has revealed.

Triada is a modular backdoor for Android which grants the malicious actor super-user privileges on the infected device, allowing them to download additional malware and spoof URLs. It's been the second most prolific malware behind Hummingbad for some time, but now crooks have been able to make it the most prolific form of mobile malicious software.
#1968 Mac malware, possibly made in Iran, targets US defense industry
Just because you’re using a Mac doesn’t mean you’re safe from hackers. That’s what two security researchers are warning, after finding a Mac-based malware that may be an attempt by Iranian hackers to target the U.S. defense industry.

The malware, called MacDownloader, was found on a website impersonating the U.S. aerospace firm United Technologies, according to a report from Claudio Guarnieri and Collin Anderson, who are researching Iranian cyberespionage threats.

The fake site was previously used in a spear phishing email attack to spread Windows malware and is believed to be maintained by Iranian hackers, the researchers claimed.

Visitors to the site are greeted with a page about free programs and courses for employees of U.S. defense companies Lockheed Martin, Raytheon, and Boeing.