Security Alerts & News
by Tymoteusz A. Góral

#2027 Criminals monetizing attacks against unpatched WordPress sites
Criminals have inevitably begun to attempt to monetize attacks against WordPress sites still vulnerable to a severe REST API endpoint vulnerability silently patched in the recent 4.7.2 security update.

While more than one million websites have been defaced, researchers are now beginning to see some defacements leave behind links to rogue pharmaceutical websites trying to spam users into buying drugs or lure them into phishing scams for their payment card information.
#2026 Android ransomware requires victim to speak unlock code
Being a good listener is normally considered an admirable quality in a person; however, it isn’t a quality you necessarily want to find in a piece of malware. The latest variant of the Android ransomware threat Android.Lockdroid.E is a great listener. In fact, if you say the right things it might even give you back access to your phone. The threat uses speech recognition APIs and requires its victims to speak an unlock code instead of the traditional method of typing it in.

Once Android.Lockdroid.E infects a device it locks the user out using a SYSTEM type window and then displays a ransom note. The ransom note is written in Chinese and gives instructions on how to unlock the device. The note provides a QQ instant messaging ID to contact in order to receive further instructions on how to pay the ransom and receive an unlock code. Since the user’s device is locked, another device must be used to contact the cybercriminals behind the threat.
#2025 Cybercrime and other threats faced by the healthcare industry (PDF)
The healthcare sector has been the industry with the highest number of data breaches, followed by the government and retail sectors. In 2015, a total of 113.2 million healthcare-related records were stolen, which remains the largest number of records taken in a single healthcare breach so far. That year, however, was not the only time healthcare institutions were targeted. As early as 2012, healthcare institutions became victims of cyber attacks. The most common kind of attack is cybercrime in the form of data breaches, but there are other possible pathways for malicious actors to do harm to this poorly protected industry.

The biggest impact of healthcare record theft is noticeable in countries where most citizens have health insurance. In 2016, 91% of the U.S. population had health insurance. Therefore, any major breach in a U.S. healthcare organization could affect a great number of citizens.

One way that individuals are affected by a breach is when stolen personal data are used by cybercriminals to procure drugs, commit tax fraud, steal identities and commit other fraudulent acts. Victims of a data breach may not even be aware that their personal data has been stolen, or perhaps is being used in criminal acts.

The Internet of Things (IoT) simplifies a lot of processes and is celebrated as a great connector. However, this increased connectivity also has some pitfalls. With the help of Shodan, a search engine that lets you search for internet-connected devices, we explored what healthcare-related devices and networks are visible to practically anyone.

In this paper, we discuss several aspects of the healthcare threat surface. In the first part, we look at how the healthcare sector has evolved as a preferred target for cybercriminals. We try to understand how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them. The second part of this paper is dedicated to the analysis of Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.

Exposure on the internet, however, does not mean that these devices have been compromised or are even actually vulnerable to exploitation. In this research we purely show that certain devices are exposed online, which makes them easier to exploit if a vulnerability in the device software is found.
#2024 Read The Manual - a guide to the RTM banking trojan (PDF)
There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.

The group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.

In this paper, we cover the details of their tools, whom they target, and offer a rare glimpse into the type of operation they are carrying out.
#2023 Malware lets a drone steal data by watching a computer’s blinking LED
A few hours after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.

That data-stealing drone, shown in the video below, works as a Mr. Robot-style demonstration of a very real espionage technique. A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.
#2022 Bitcoin trader hit by "severe DDoS attack" as bitcoin price nears all-time high
Top Bitcoin trading platform Bitfinex was hit late yesterday night by what its experts categorized as a "severe DDoS attack."

The attack hit around 21:30 UTC and lasted for about an hour before the Bitfinex crew managed to get everything under control.

While the DDoS attack didn't affect the Bitfinex API in the beginning, it was affected later on when Bitfinex turned security protections to the max to mitigate the DDoS attack. All services, the trading platform and the API, are now functional.
#2021 Blizzard ends support for Windows XP and Vista
If you took all the remaining Windows XP and Vista users in the world—a surprisingly robust 10 percent—and placed them in a Venn diagram with those that play Blizzard games, the intersection would likely be very, very small.

And yet, despite Microsoft ending mainstream support for XP and Vista in 2009 and 2012 (Windows XP limped on with security updates until 2014), Blizzard has continued to support World of Warcraft, StarCraft 2, Diablo 3, Hearthstone, and even Heroes of the Storm under the decrepit operating systems.
#2020 Rogue Chrome extension pushes tech support scam
Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.

In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen.
#2019 New crypto-ransomware hits macOS
Crypto-ransomware has been very popular lately amongst cybercriminals. While most of it targets the Windows desktop, we’ve also seen machines running Linux or macOS being compromised by ransomware in 2016 with, for example, KillDisk affecting Linux and KeRanger attacking OS X.

Early last week, we saw a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.