Security Alerts & News
by Tymoteusz A. Góral

History
#2149 Soundwaves used to produce fake data from accelerometers
How many tiny accelerometers do you depend on? There’s the one in your smartphone, telling it which way’s up, so it can adjust the screen horizontally or vertically (or track your footsteps or how fast you’re running, or for that matter, transform your iPhone into a seismometer).

For similar reasons, there’s one in your FitBit-type contraption too. Then there are devices like Microsoft’s Kinect and Nintendo’s Wii which use them to help track motion. And that’s not all. You can find them in toy remote control cars (and real cars, which use them to detect rapid deceleration and trigger your airbag) and even medical devices – where they might soon help control when and how much medicine you get.
#2148 A new trend in Android adware: abusing Android plugin frameworks
It is common for legitimate mobile apps to embed advertising SDKs or promote other apps. Showing ads or promoting other apps can generate revenue for legitimate app developers. However, we have recently observed an alarming trend in mobile ads communities where some adware programs in the Google Play store have become more aggressive by abusing the third-party DroidPlugin framework on Android.

In this posting we will outline how Unit 42 researchers have found aggressive adware that abuses the third-party DroidPlugin framework on Android. Our researchers have worked with Google to share our findings and have all apps that were found to violate Google’s terms of service removed from the Google Play store.
#2147 LastPass bugs allow malicious websites to steal passwords
LastPass patched three separate bugs that affected its Chrome and Firefox browser extensions which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website.

All bugs were discovered by Tavis Ormandy, a security researcher working for Google's Project Zero.

One bug affected the LastPass for Chrome extension, while the other two affected the company's Firefox add-on.
#2146 Winnti abuses GitHub for C&C communications
Developers constantly need to modify and rework their source code when releasing new versions of applications or coding projects they create and maintain. This is what makes GitHub—an online repository hosting service that provides version control management—popular. In many ways, it’s like a social networking site for programmers and developers, one that provides a valuable platform for code management, sharing, collaboration, and integration.

GitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear—supposedly created for educational purposes—were hosted on GitHub, and have since spawned various offshoots that have been found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices were also made available on GitHub. Even the Limitless Keylogger, which was used in targeted attacks, was linked to a GitHub project.
#2145 Lithuanian con artist scams two US tech giants out of $100 million
A man from Lithuania has been arrested after he conned two large technology firms out of $100 million in an elaborate phishing scheme.

The US Department of Justice (DoJ) said on Tuesday that Evaldas Rimasauskas orchestrated a phishing scheme which targeted US technology giants specifically, and he was able to swindle $100 million by pretending to be a legitimate business partner of at least one of the victims.

The 48-year-old allegedly opened a company with the same name as a legitimate Asian manufacturer in Latvia, alongside multiple bank accounts in both the Eastern European country and Cyprus.
#2144 Chinese crooks use fake cellular telephony towers to spread Android malware
Malware authors in China are using fake base transceiver stations (BTSs), which is equipment usually installed on cellular telephone towers, to send spoofed SMS messages that contain links to Android malware.

This is the first reported case in which malware authors have used base stations to spread malware, a trend that Avast predicted in 2014 but which never came to fruition until now.
#2143 Hackers: We will remotely wipe iPhones unless Apple pays ransom
“I just want my money,” one of the hackers said.

A hacker or group of hackers is apparently trying to extort Apple over alleged access to a large cache of iCloud and other Apple email accounts.

The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," one of the hackers told Motherboard.
#2142 DoubleAgent: 0day code injection and persistence technique
We’d like to introduce a new zero-day technique for injecting code and maintaining persistence on a machine (i.e. auto-run), dubbed DoubleAgent.

DoubleAgent can exploit:

* Every Windows version (Windows XP to Windows 10);
* Every Windows architecture (x86 and x64);
* Every Windows user (SYSTEM/Admin/etc.);
* Every target process, including privileged processes (OS/Antivirus/etc.);

DoubleAgent exploits a 15-year-old legitimate feature of Windows and therefore cannot be patched.

#2141 Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers, following the discovery that they had mis-issued more than 30,000 certificates.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site's authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.
#2140 New LLTP ransomware appears to be a rewritten venus locker
A new ransomware was discovered today by MalwareHunterTeam called LLTP Ransomware or LLTP Locker that is targeting Spanish speaking victims. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

In summary, the LLTP Ransomware has the ability to work in online or offline mode. So regardless of whether there is a connection to the Internet, the ransomware will still encrypt a victim's files. Furthermore, unlike most ransomware, this family assigns different extensions to encrypted files based upon the file's original extension.
#2139 Swearing trojan continues to rage, even after authors’ arrest
Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China. Swearing Trojan’s name comes from Chinese swear words found inside the malware’s code. The malware infected a wide range of Android users in China, stealing their bank credentials and other sensitive personal information.

Similar to mobile banking Trojans discovered previously, Swearing Trojan can steal personal data and can bypass two-factor authentication (2FA). Banking apps use two-factor authentication to secure access by sending a one-time code to the user via SMS in addition to requiring the user's password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.
#2138 Bitcoin scams: Beware of crooks trying to steal your cryptocurrency with these schemes
Cybercriminals are taking advantage of the rising price and popularity of Bitcoin to try to steal the currency and distribute malware.

The cryptocurrency has become invaluable to cybercriminals who exploit its anonymous, decentralised nature as a tool for demanding ransomware payments and laundering various other ill-gotten gains.

This month social media Bitcoin scams have reached a new high, with over 125 million malicious links across Twitter, Facebook, and Instagram designed to attack victims and extort Bitcoin.

These Bitcoin scams target social media because it's full of people who might be interested in buying and selling Bitcoin, but don't know much about it -- making them prime targets to be taken advantage of by scammers.
#2137 Word document spreads macro malware targeting both Windows and macOS
Last month, security researchers discovered the first-ever Word document spreading macro malware on macOS. Last week, researchers from Fortinet spotted a Word document containing macro scripts that distributed both Windows and macOS malware, depending on which OS it managed to infect.

Malicious Office files with attached macro scripts that download malware are usually referred to in the infosec industry as "macro malware."

On Windows, macro malware has been around since the 90s. Even though Microsoft offered an Office version for Mac OS X (now macOS), weaponized Office files never contained macro scripts that could run on a Mac.
#2136 New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs
WikiLeaks today dumped a smaller subset of documents from its "Vault 7" collection of files from a CIA software developer server. Yet again, these documents are more important from the perspective of WikiLeaks having them than for showing any revelatory content. The exploits detailed in these new files are for vulnerabilities that have largely been independently discovered and patched in the past. The files also reveal that the CIA likely built one of these tools after seeing a presentation on the exploits of Apple's EFI boot firmware at Black Hat in 2012.

The latest batch of files, dramatically named "DarkMatter" (after one of the tools described in the dump), consists of user manuals and other documentation for exploits targeting Apple MacBooks—including malware that leveraged a vulnerability in Apple's Thunderbolt interface uncovered by a researcher two years ago. Named "Sonic Screwdriver" after the ever-useful tool carried by the fictional Doctor of Dr. Who, the malware was stored on an ordinary Thunderbolt Ethernet adapter. It exploited the Thunderbolt interface to allow anyone with physical access to a MacBook to bypass password protection on firmware and install one of a series of Apple-specific CIA "implants."