Security Alerts & News
by Tymoteusz A. Góral

#2064 Web cache deception attack
Did it ever cross your mind that accessing links such as or might expose your sensitive data, and even allow attackers to take control over your account?

Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.

#2063 Dridex’s cold war: enter AtomBombing
IBM X-Force discovered that Dridex, one of the most nefarious banking Trojans active in the financial cybercrime arena, recently underwent a major version upgrade that is already active in online banking attacks in Europe.

A few weeks ago, our cybercrime labs detected a new major version of the Dridex banking Trojan, Dridex v4. The updated code features a new and innovative injection method based on a technique dubbed AtomBombing, which was first disclosed in October 2016 by security firm enSilo.

Dridex is the only banking Trojan we have encountered to use AtomBombing. This change is especially significant when it involves Trojans believed to be operated by an organized cybercrime gang because it’s likely to result in other codes adopting the same method in the future.
#2062 Decrypting after a Findzip ransomware infection
The Findzip ransomware was discovered on February 22, 2017. At that time, it was thought that files would be irreversibly encrypted by this ransomware, with no chance of decryption. Turns out, that’s not quite true.

For those who get infected with Findzip (aka Filecoder), it’s still true that the hackers behind it can’t give you a key to decrypt it. There’s no honor among these particular thieves, as they’re lying about their ability to help if you pay the ransom.

However, all hope is not lost! If you made the mistake of not having a backup, or if your backup was also compromised by the ransomware, there’s still a chance for you to recover. It will not be fast or easy, but by following the instructions in this article, you’ll be able to regain your files. These instructions will be daunting for many, so if you have any doubts about your ability to follow them, please seek help from someone with more experience.
#2061 Filecode ransomware attacks your Mac – how to recover for free
Last week, SophosLabs showed us a new ransomware sample.

That might not sound particularly newsworthy, given the number of malware variants that show up every day, but this one is more interesting than usual…

…because it’s targeted at Mac users. (No smirking from the Windows tent, please!)

In fact, it was clearly written for the Mac on a Mac by a Mac user, rather than adapted (or ported, to use the jargon term, in the sense of “carried across”) from another operating system.

This ransomware, detected and blocked by Sophos as OSX/Filecode-K and OSX/Filecode-L, was written in the Swift programming language, a relatively recent programming environment that comes from Apple and is primarily aimed at the macOS and iOS platforms.
#2060 Google security researcher finds hole in ESET's Mac antivirus
Mac users utilizing ESET's endpoint antivirus are advised to update to version as soon as possible in order to mitigate a serious issue that allows attackers to execute arbitrary code on their machines.

The issue, discovered by Google security researcher Jason Geffner, was caused by the usage of an old library inside ESET's antivirus source code.

Geffner says vulnerable versions of the ESET Mac antivirus used the POCO XML parser library version 1.4.6p1 from 2013-03-06, which in turn was forked from Expat XML parser library version 2.0.1 from 2007-06-05.

Recently, security researchers became aware of a vulnerability (CVE-2016-0718) in the Expat library that allowed for remote code execution via malformed XML content.

This Expat flaw trickled down to the ESET Mac antivirus, where developers had used POCO to parse XML content streams.
#2059 AWS goes down, and so do millions of websites, apps, and other services
Millions of small websites, app backends, and various high-profile services are offline or experiencing severe issues because of a mysterious problem that hit Amazon's S3 (Simple Storage Service) a few hours ago.

Current reports indicate that a large number of services have been affected and are completely offline. Many other services and websites are also loading very slowly, while other services report that multimedia content doesn't load at all, mainly because it was hosted on S3.

The list of affected AWS customers includes many of Adobe's apps and services, Docker, Giphy, Grammarly, Hacker News, IFTTT, Imgur, Mailchimp, Medium, Quora, Signal, Slack, Trello, Twilio, Twitch, and countless smaller apps and websites.
#2058 AI learns to write its own code by stealing from other programs
Out of the way, human, I’ve got this covered. A machine learning system has gained the ability to write its own code.

Created by researchers at Microsoft and the University of Cambridge, the system, called DeepCoder, solved basic challenges of the kind set by programming competitions. This kind of approach could make it much easier for people to build simple programs without knowing how to write code.

“All of a sudden people could be so much more productive,” says Armando Solar-Lezama at the Massachusetts Institute of Technology, who was not involved in the work. “They could build systems that it [would be] impossible to build before.”

Ultimately, the approach could allow non-coders to simply describe an idea for a program and let the system build it, says Marc Brockschmidt, one of DeepCoder’s creators at Microsoft Research in Cambridge, UK.
#2057 Ransomware for dummies: Anyone can do it
Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years comes from the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money.

Recently, I came across an extremely slick and professionally produced video advertisement promoting the features and usability of “Philadelphia,” a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires.

This stunning advertisement does a thorough job of showcasing Philadelphia’s many features, including the ability to generate PDF reports and charts of victims “to track your malware campaigns” as well as the ability to plot victims around the world using Google Maps.
#2056 Pretzel: Email encryption and provider-supplied functions are compatible (PDF)
Emails today are often encrypted, but only between mail servers—the vast majority of emails are exposed in plaintext to the mail servers that handle them. While better than no encryption, this arrangement leaves open the possibility of attacks, privacy violations, and other disclosures. Publicly, email providers have stated that default end-to-end encryption would conflict with essential functions (spam filtering, etc.), because the latter requires analyzing email text. The goal of this paper is to demonstrate that there is no conflict. We do so by designing, implementing, and evaluating Pretzel. Starting from a cryptographic protocol that enables two parties to jointly perform a classification task without revealing their inputs to each other, Pretzel refines and adapts this protocol to the email context. Our experimental evaluation of a prototype demonstrates that email can be encrypted end-to-end and providers can compute over it, at tolerable cost: clients must devote some storage and processing, and provider overhead is roughly 5x versus the status quo.
#2055 Google Play apps infected with malicious iFrames
Recently, we have discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone. Our investigation indicates that the developers of these infected apps are not to blame, but are more likely victims themselves. We believe it is most likely that the app developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds. If this is the case, this is another situation where mobile malware originated from infected development platforms without the developers’ awareness. We have reported our findings to the Google Security Team and all infected apps have been removed from Google Play.
#2054 Is E2EMail a new beginning or the end for Google’s End-to-End?
Google’s end-to-end email encryption project that it started back in 2014 has left home. But has the Chrome extension really “flown the nest” as Google claimed last week? Or has it simply been abandoned and left to fend for itself?

Turn back the clocks to 2013. Google promises end-to-end encryption in an effort to regain users’ trust following Edward Snowden’s revelations about global surveillance conducted by government law-enforcement agencies.

And Google did make good on that promise in March 2014, switching Gmail to HTTPS only and encrypting emails internally too, shouting from the rooftops that these changes were
#2053 Expanding protection for Chrome users on macOS
Safe Browsing is broadening its protection of macOS devices, enabling safer browsing experiences by improving defenses against unwanted software and malware targeting macOS. As a result, macOS users may start seeing more warnings when they navigate to dangerous sites or download dangerous files.
#2052 Password-manager apps for Android (security analysis)
There are different policies for the generation of secure passwords. However, one of the biggest challenges is to memorize all these complex passwords. Password manager applications are a promising way of storing all sensitive passwords in a cryptographically secure manner. Accessing these passwords is only possible if the user enters a secret master password. At first sight, the requirements for a password manager application seem simple: storing a user's passwords centrally in a secure and confidential way. However, what is the reality for mobile password manager applications, especially on Android? Application vendors advertise their password manager applications as “bank-level” or “military-grade” secure. However, can users be sure that their secrets are actually stored securely? Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store, selected by download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users’ confidence and expose them to high risks.
#2051 Crypt0L0cker ransomware is back with campaigns targeting Europe
The Crypt0L0cker ransomware, otherwise known as Torrentlocker or Teerac, was a common ransomware infection that mostly targeted Australia and European countries in 2014. Towards the middle of 2015, though, this ransomware slowly started dying off to the point that it was hardly distributed anymore.

Fast forward to the beginning of February 2017, where we are now seeing Crypt0L0cker making a strong comeback and targeting European countries once again.
#2050 Yahoo says 32m user accounts were accessed via cookie forging attack
Yahoo has said that an unauthorised third party accessed the company's proprietary code to learn how to forge certain cookies, which it said resulted in an intruder accessing approximately 32 million user accounts without a password.

"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016," Yahoo disclosed in its annual report, filed with the US Securities and Exchange Commission (SEC) on Wednesday.

"We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident."