Security Alerts & News
by Tymoteusz A. Góral

#2103 New Instagram credential stealers discovered on Google Play
Instagram users have been the target of several new credential stealers, appearing on Google Play as tools for either managing or boosting the number of Instagram followers.

Under the detection name Android/Spy.Inazigram, 13 malicious applications were discovered in the official Google Play store. The apps were phishing for Instagram credentials and sending them to a remote server.

While they appear to have originated in Turkey, some used English localization to target Instagram users worldwide. Altogether, the malicious apps have been installed by up to 1.5 million users. Upon ESET’s notification, all 13 apps were removed from the store.
#2102 New macOS Proton RAT available for sale on Russian hacking forum
A new remote access tool (RAT) targeting macOS users is currently being advertised on Russian underground hacking forums, a custom website, and through YouTube videos, security researchers from Sixgill have discovered.

Believed to have launched late last year, this new threat, named Proton RAT, comes with many features such as the ability to execute console commands, log keystrokes, take screenshots, access the user's webcam, open SSH/VNC remote connections, and show popups requesting additional info such as credit card numbers, login credentials, and others.
#2101 Spam campaign targets financial institutions with fake security software
Last month, Symantec detected a spam campaign mainly targeting financial institutions, which used social engineering to try to trick victims into installing “virus detection software” that was in fact an information-stealing Trojan (W32.Difobot).

The emails purported to come from HSBC, a banking and financial services company based in London, even displaying an email address. The messages claimed that the virus detection software was Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud. However, the fake Rapport software is actually malicious and, if installed, does the opposite of what is claimed and steals information from the compromised computer. The malware also uses Windows GodMode in order to hide itself on infected computers.
#2100 Detecting and eliminating Chamois, a fraud botnet on Android
Google works hard to protect users across a variety of devices and environments. Part of this work involves defending users against Potentially Harmful Applications (PHAs), an effort that gives us the opportunity to observe various types of threats targeting our ecosystem. For example, our security teams recently discovered and defended users of our ads and Android systems against a new PHA family we've named Chamois.
#2099 Google launches invisible reCAPTCHA with no user interaction required
Google has launched the latest version of the reCAPTCHA service, which won't ask users to click a checkbox, as it did until now.

Google bought reCAPTCHA in 2009 and put its new acquisition to work right away when it combined it with its Google Books venture through which it was trying to scan and digitize all known books and newspapers.

For years, users had to enter two random words to solve the reCAPTCHA challenge, words which in reality were mangled text that resulted from the book and newspaper scanning process.

As the Google Books indexing process ended, Google then started pestering users with street names and street numbers, details from mangled Google Maps Street View photos.
#2098 0day exploits rarely discovered by more than one group, study finds
RAND Corporation has published possibly the most data-driven study into zero-day vulnerabilities and exploits yet.

Zero-days—vulnerabilities that are not known to the vendor of the product they affect, but that may be used by hackers to break into systems—are a polemical subject. Activists and many technologists say that keeping these vulnerabilities secret, known only to a small group of people such as the government hackers who use them, puts the public's cybersecurity at risk.
#2097 Dahua, Hikvision IoT devices under siege
Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.

On March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.
#2096 New Linux malware exploits CGI vulnerability
Linux has long been the preferred operating system for enterprise platforms and Internet of Things (IoT) manufacturers. Linux-based devices are continually being deployed in smart systems across many different industries, with IoT gateways facilitating connected solutions and services central to different businesses. In connection to their widespread use, we’ve also seen the number of Linux-focused security threats on the rise. We previously reported on a string of Linux threats in 2016, the most high-profile of which was the Mirai malware (detected by Trend Micro as ELF_MIRAI family).

A new addition to the list of Linux threats is the recently detected Linux ARM malware ELF_IMEIJ.A (Trend Micro's detection name). The threat exploits a vulnerability in devices from AVTech, a surveillance technology company. The vulnerability was discovered and reported by Search-Lab, a security research facility, and was disclosed to AVTech in October 2016. However, even after repeated attempts by Search-Lab to contact the vendor, there was no response.
#2095 How online gamers use malware to cheat
We typically think of malware as something used to steal data from corporations or knock down websites in politically motivated attacks. But if you’re a gamer, sometimes it’s simply a tool for winning.

SophosLabs threat researcher Tamás Boczán has been studying this trend, and recently gave a talk about it at BSides Budapest. This article reviews his findings and offers us a chance to share some of his presentation slides.
#2094 Preinstalled malware targeting mobile users
Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of anything the users did; it arrived with the device.

According to the findings, the malware was already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.