Security Alerts & News
by Tymoteusz A. Góral

#2049 New RaaS portal preparing to spread Unlock26 ransomware
A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week.

First spotted two days ago, this ransomware operation is quite unique as it features a very minimal and direct style, with little-to-no instructions and simple-designed ransom notes and ransom payment portal.

Based on two messages left on the Dot-Ransomware homepage, this entire operation launched on Sunday, February 19, when the website was set up.
#2048 Creepy IoT teddy bear leaks >2 million parents’ and kids’ voice messages
A maker of Internet-connected stuffed animal toys has exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts.

The account data was left in a publicly available database that wasn't protected by a password or placed behind a firewall, according to a blog post published Monday by Troy Hunt, maintainter of the Have I Been Pwned?, breach-notification website. He said searches using the Shodan computer search engine and other evidence indicated that, since December 25 and January 8, the customer data was accessed multiple times by multiple parties, including criminals who ultimately held the data for ransom. The recordings were available on an Amazon-hosted service that required no authorization to access.
#2047 Google open-sources Chrome extension to make PGP encryption easier in Gmail
Late Friday, last week, Google announced a new tool for security-minded users, called E2EMail, a Chrome extension that simplifies the installation of PGP encryption for Gmail.

Initially created by Google engineers, E2EMail has now been open-sourced on GitHub, so other security experts can contribute and improve its effectiveness.

E2EMail is not yet available via the Chrome Web Store, and if you want to install it, you'll have to go through a series of complicated steps to build the extension and then load it in Chrome. Instructions are included in the GitHub repo.
#2046 Shamoon (malware): Multi-staged destructive attacks limited to specific targets
Recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were launched by attackers conducting a much wider campaign in the Middle East. While the attackers have compromised multiple targets in the region, only selected targets in Saudi Arabia were infected with Shamoon.

On February 15, publications from IBM (The Full Shamoon) and Palo Alto (Magic Hound) separately discussed a persistent attack campaign operating primarily in the Middle East with links to Shamoon. This campaign was conducted by a group we identify as Timberworm. The group appears to have facilitated the third wave of destructive attacks involving Shamoon in January 2017. Timberworm operates in the Middle East and beyond. Only specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping attacks.
#2045 More on bluetooth ingenico overlay skimmers
This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).
#2044 Google reports “high-severity” bug in Edge/IE, no patch available
A member of Google's Project Zero security research team has disclosed a high-severity vulnerability in Microsoft's Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.

The vulnerability stems from what's known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google's policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said "can be controlled by an attacker (with some limitations)." Asked by a commenter how easy it would be to bypass security measures designed to prevent code execution, Fratric wrote: "I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."
#2043 Severe SQL injection flaw discovered in WordPress plugin (NextGEN Gallery) with over 1M installs
A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database.

The vulnerable plugin's name is NextGEN Gallery, a plugin so successful that it has its own set of plugins itself.

Two configuration options for NextGEN Gallery plugin installations open WordPress sites to attacks.
#2042 Siemens RUGGEDCOM NMS equipment vulnerable to CSRF, XSS
Enterprise network management equipment made by Siemens suffers from vulnerabilities that could allow an attacker to perform administrative actions.

Two flaws, a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability, exist in the company’s RUGGEDCOM NMS line of network management products.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned the vulnerabilities are remotely exploitable and would take a low skill level to exploit in an advisory published on Tuesday.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12