Security Alerts & News
by Tymoteusz A. Góral

History
#2011 IoT botnet bogs down college campus network
Verizon’s annual Data Breach Investigations Report is scheduled to come out soon, but the team released an incident involving a college campus being hit by an internet of things (IoT) botnet — a botnet that took control of 5,000 systems.

The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually. In 2015, Verizon's team was retained to investigate more than 500 cybersecurity incidents occurring in over 40 countries. (See last year's cases.) As a sneak peek of its latest report, Verizon released a case of an unnamed university attacked by a botnet.

Senior members of the university’s help desk had been receiving an increasing number of complaints from students across campus about slow or inaccessible network connectivity. Even with limited access, the help desk had found a number of concerns. The name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood, according to the Verizon report.
#2010 A glimpse into how much Google knows about Russian government hackers
A 2014 leaked private report from Google shows how much the internet giant knows about government hacking groups.

In October of 2014 an American security company revealed that a group of hackers affiliated with the Russian government, dubbed APT28, had targeted Georgia and other Eastern European countries in a wide-ranging espionage campaign. Two and a half years later, APT28—also known as "Fancy Bear" or "Sofacy"—is a household name not just in the cybersecurity industry, but in the mainstream too, thanks to its attack on the US Democratic party and the ensuing leaks of documents and emails.
#2009 Researchers discover self-healing malware that targets Magento stores
Dutch malware experts have found a new malware strain that targets online shops running on the Magento platform, which can self-heal using code hidden in the website's database.

While this is not the first web malware that hides code in the website's database, it is the first one written in SQL as a stored procedure, in this case a Magento database trigger.
#2008 Android phone hacks could unlock millions of cars
In the era of the connected car, automakers and third-party developers compete to turn smartphones into vehicular remote controls, allowing drivers to locate, lock, and unlock their rides with a screen tap. Some apps even summon cars and trucks in Knight Rider fashion. But phones can be hacked. And when they are, those car-connected features can fall into the hands of hackers, too.

That’s the troubling result of a test of nine different connected-car Android apps from seven companies. A pair of researchers from the Russian security firm Kaspersky found that most of the apps, several of which have been downloaded hundreds of thousands or over a million times, lacked even basic software defenses that drivers might expect to protect one of their most valuable possessions. By either rooting the target phone or tricking a user into installing malicious code, the researchers say, hackers could use any of the apps Kaspersky tested to locate a car, unlock it, and in some cases start its ignition.
#2007 Penetration testing tools cheat sheet
Penetration testing tools cheat sheet: a quick reference, high-level overview for typical penetration testing engagements. It is designed as a quick reference cheat sheet providing a high-level overview of the typical commands you would run when performing a penetration test. For more in-depth information I'd recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.

The focus of this cheat sheet is infrastructure / network penetration testing; web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration.
#2006 A corporate inbox receives 4.3 times more malware than a regular inbox
Corporate email addresses are 4.3 times more likely to receive malware than personal accounts, 6.2 times more likely to receive phishing lures, and 0.4 times less likely to receive spam.

These are statistics gathered by the Google Research team from analyzing over one billion emails that passed through Gmail, results that were presented yesterday at the RSA security conference in San Francisco.

The results of the study aren't that surprising, as corporate inboxes tend to contain more valuable information, which can be much more easily monetized on the Dark Web.
#2005 German parents told to destroy Cayla dolls over hacking fears
An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecured Bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla "offers no special risk".

In a statement sent to the BBC, the TRA also said "there is no reason for alarm".
#2004 USB Killer now lets you fry most Lightning and USB-C devices for $55
Remember the USB Killer stick that indiscriminately and immediately fries about 95 percent of devices? Well, now the company has released a new version that is even more lethal! And you can also buy an adaptor pack, which lets you kill/test devices with USB-C, Micro USB, and Lightning ports.
#2003 Google discloses another unpatched Windows vulnerability
Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.

The report itself is quite technical and it would go too far to go into details here on the site. The following describes the turn of events however.

Jurczyk disclosed issues with gdi32.dll to Microsoft back in March 2016. He described methods back then that would allow attackers to exploit an issue in the dynamic link library. The issue was that records failed to perform exhaustive sanitization.
#2002 Permadelete: remove files securely on Windows PCs
Permadelete is a new open source program for Microsoft Windows devices that you may use to remove files securely from the PC.

The delete operation on Windows does not really do what the majority of users expect it to do. Instead of removing the contents of a file and its reference from the system, delete simply removes the reference but leaves the contents on the disk.

Those parts of the disk are marked as free to be written again, so new data may eventually overwrite the deleted file. Until that happens, file recovery tools may recover the deleted file completely or partially.
#2001 Mongoaudit helps you secure MongoDB databases
A new tool developed by engineers at Stampery can help database administrators audit the security features of their current MongoDB installations, and take precautionary measures to prevent future exploitation.

The tool, named mongoaudit, was launched two weeks ago and works on Mac, Linux, and Windows 10, through the Bash for Windows 10 feature.

Mongoaudit is a CLI tool, so you'll have to be comfortable using console terminals in order to install and launch the application.
#2000 CyberX discovers large-scale cyber-reconnaissance operation targeting Ukrainian organizations
CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of organizations in Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”
#1999 PHP becomes first programming language to add modern cryptography library in its core
The PHP team has unanimously voted to integrate the Libsodium library into the PHP core, thereby becoming the first programming language to support a modern cryptography library by default.

The proposal to embed Libsodium (also known as Sodium) into the PHP standard library came from Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, a man that has campaigned for stronger cryptography in PHP CMSes in the past.
#1998 Trends in Android ransomware (PDF)
2016 brought some interesting developments to the Android ransomware scene. Ransomware is currently one of the most pressing cybersecurity issues across all platforms, including the most popular mobile one.

Authors of lock-screen types as well as file-encrypting “crypto-ransomware” have used the past 12 months to copycat effective techniques from desktop malware, as well as develop their own sophisticated methods specialized for targets running Android devices.

In addition to the most prevalent scare tactics used by lock-screen “police ransomware”, cybercriminals have been putting an increased effort into keeping a low profile, by encrypting and burying the malicious payload deeper into the infected apps.

In 2015, ESET observed that the focus of Android ransomware operators shifted from Eastern European to US mobile users. However, last year demonstrated a growing interest by the attackers in the Asian market, as evidenced by the Jisut lock-screen, which began using a localized Chinese ransom message. This increased activity can also be seen in the growing prevalence of this now notorious malware family, which doubled in the previous 12 months.

In the first part of this paper, we provide a definition of ransomware, take a look at ESET’s detection telemetry to see the current trend for this cyber threat, and analyze malware specifics that apply to ransomware on Android. The main section details the most noteworthy Android ransomware examples since 2014. The final chapter offers advice to Android users.
#1997 EU privacy watchdogs say Windows 10 settings still raise concerns
European Union data protection watchdogs said on Monday they were still concerned about the privacy settings of Microsoft's Windows 10 operating system despite the U.S. company announcing changes to the installation process.

The watchdogs, a group made up of the EU's 28 authorities responsible for enforcing data protection law, wrote to Microsoft last year expressing concerns about the default installation settings of Windows 10 and users' apparent lack of control over the company's processing of their data.

The group, referred to as the Article 29 Working Party, asked for more explanation of Microsoft's processing of personal data for various purposes, including advertising.
#1996 Lazarus’ false flag malware
We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.