Security Alerts & News
by Tymoteusz A. Góral

#1990 Security and privacy guidelines for the Internet of Things (IoT)
"Lately, I have been collecting IoT security and privacy guidelines. Here's everything I've found"
#1989 Mirai widens distribution with new Trojan that scans more ports
Late last year, in several high-profile and potent DDoS attacks, Linux-targeting Mirai (identified by Trend Micro as ELF_MIRAI family) revealed just how broken the Internet of Things ecosystem is. The malware is now making headlines again, thanks to a new Windows Trojan that drastically increases its distribution capabilities.

We predicted last year that the propagation of Mirai-like malware for DDoS attacks is set to increase—but this new Trojan focuses on spreading Mirai itself and not any mimic. In 2015 and 2016, Mirai relied on a type of brute-force attack, with bots constantly pinging IP addresses to pinpoint more potential victims. This newly identified Windows Trojan (detected by Trend Micro as BKDR_MIRAI.A) helps find potential Mirai victims and amplifies the distribution of Mirai bots.
#1988 Marcher - Android banking Trojan on the rise
In the past months, many different banking Trojans for the Android platform have received media attention. One of these, called Marcher, seems to be especially active, with different samples appearing on a daily basis. This malware variant also appears to be technically superior to many other banking Trojans, as it is able to use its overlay attack even on Android 6, which has technical improvements over previous Android versions intended to prevent such attacks.

The main infection vector is a phishing attack using SMS/MMS. The social engineering message includes a link that leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix. On installation, the app requests the user to provide SMS storage access and high Android privileges such as Device Admin. Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn.
#1987 IBM integrates Watson into its security operations platform
IBM said Watson will be at the core of its cognitive platform for cybersecurity operations. In a nutshell, Watson will aim to ride shotgun with security analysts to defend against attacks.

Big Blue announced general availability of Watson for Cyber Security, an offering that has been tested with more than 40 customers over the last year. In that time, Watson has ingested more than 1 million security documents.

The aim is to help security analysts go through Watson's knowledge base with natural language. IBM is also integrating its X-Force Command Center network, which tracks security events.
#1986 Sage 2.0 ransomware delivered by Pandex spambot, mimics Cerber routines
Symantec Security Response has recently discovered the Sage 2.0 ransomware (Ransom.Cry) being delivered by the Trojan.Pandex spambot, which we have previously seen sending JS downloaders with spambots, banking Trojans, and ransomware as payloads. We have also recently observed Sage 2.0 sharing similar routines with the Cerber ransomware (Ransom.Cerber), although no link between the two malware families could be fully established.

Sage 2.0 evolved from Crylocker (Ransom.Cry), which emerged in September 2016, and continues to be used today. Sage was previously delivered through the Rig exploit kit (EK), but is now mostly delivered through spam. We have also seen Sage 2.0 being downloaded by the Trik botnet, which uses the Trojan.Wortrik malware to compromise computers.
#1985 New wave of cyberattacks against global banks linked to Lazarus cybercrime group
An aggressive campaign of malware attacks against dozens of banks across the globe has been linked to the notorious cybercriminal group known as Lazarus.

The hacking gang, active since 2009, has been involved in a number of aggressive cyberattacks against financial institutions, including the theft of $81m from the Bangladesh Bank's account at the US Federal Reserve.

Now the group continues to be a thorn in the side of organisations across the globe as banks in 31 countries have been targeted in a new wave of attacks by Lazarus that began in October last year.

This latest wave of attacks came to light when a Polish bank discovered previously unknown malware on its network and shared indicators of compromise with other institutions, a number of which also found they'd fallen victim to the malware.
#1984 Now sites can fingerprint you online even when you use multiple browsers
Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.

State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation's privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a "do not track" option is turned on, and whether an adblocker is being used.
#1983 Ultranationalist developer behind SerbRansom ransomware
An ultranationalist developer from Serbia is behind a series of malware strains, including a new ransomware family named SerbRansom, discovered yesterday by security researcher MalwareHunter.

The ransomware itself is not a big threat at the moment, as it doesn't appear to be part of a mass distribution campaign. Additionally, the quality of its source code is inferior to that of most ransomware families we've seen in the past.
#1982 Firefox Focus privacy scandal
Firefox Focus: The Privacy Browser is a free mobile browser for iOS devices by Mozilla, designed to protect user privacy while browsing the web.

The app "improves the privacy and performance" of a user's mobile browsing experience by "blocking analytics, social, and advertising trackers" according to the product description on Apple's iTunes website. It furthermore enables you to erase the browsing history, passwords and cookies easily.

A content blocker by Mozilla, makers of Firefox and known proponents of user rights and privacy? That's got to be good, right?

What you may not expect from the app, especially since it is designed to block analytics trackers, is that it collects data itself and transfers the data it collects to the third-party company Adjust.
#1981 Attackers target dozens of global banks with new malware
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions, and several of them confirmed that they too had been compromised.

As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.
#1980 ElcomSoft extracts deleted Safari browsing history from iCloud
Your browsing history represents your habits. You are what you read, and your browsing history reflects that. Your Google searches, visits to news sites, activities on blogs and forums, shopping, banking, communications on social networks and other Web-based activities can paint a picture of your daily life. It could be that the browsing history is the most intimate part of what they call “online privacy”. You wouldn’t want your browsing history to become public, would you?
#1979 Virally growing attacks on unpatched WordPress sites affect ~2m pages
Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.

A rogues' gallery of sites have been hit by the defacements. They include conservative commentator Glenn Beck's glennbeck.com, Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more. At least 19 separate campaigns are participating and, in many cases, competing against each other in the defacements. Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.