Security Alerts & News
by Tymoteusz A. Góral

History
#2203 LMAOxUS ransomware: another case of weaponized open source ransomware
An Indian developer is playing around with an open source ransomware builder, which in the long run may end up causing serious problems for innocent users.

This developer, who goes by the nickname of Empinel and claims to be based in Mumbai, has forked the open source code of the EDA2 project, and with the help of another user, has removed the backdoor hidden in EDA2's original code.

His work started back in May 2016, when he tinkered with EDA2's source code and renamed the project to Stolich, modifying certain aspects of EDA2's encryption.

He received help in September 2016 when another "friendly" developer pushed a pull request to the Stolich repo that removed the EDA2 backdoor code.
#2202 Sathurbot: distributed WordPress password attack
This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.
#2201 Malvertising on iOS pushes eyebrow-raising VPN app
There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.
#2200 New malware intentionally bricks IoT devices
A new malware strain called BrickerBot is bricking Internet of Things (IoT) devices around the world by corrupting their storage capability and reconfiguring kernel parameters.

Detected via honeypot servers maintained by cyber-security firm Radware, the first attacks started on March 20 and continued ever since, targeting only Linux BusyBox-based IoT devices.

Right from the get-go, two different versions of BrickerBot were detected: BrickerBot.1 and BrickerBot.2.
#2199 Cybercriminals are building an army of things creating a tipping point for cybersecurity
Cybercrime is big business, and is growing at an exponential rate. British insurer Lloyd's of London estimated the cybercrime market at $400 billion in 2015. Today, just two years later, the World Economic Forum estimates the total economic cost of cybercrime to currently be $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.

One of the forces behind this explosive growth of cybercrime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. The “darknet” lies beyond normal web browsers, is protected by layers of anonymity, and has become a haven for criminal commerce.
#2198 The top 5 dumbest cyber threats that work anyway
The common conception of cyber attacks is kind of like bad weather: ranging from irritating to catastrophic, but always unpredictable. Hackers are simply too sophisticated to draw any reliable judgments on, and we shouldn't try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. Here are a few.
#2197 WikiLeaks just dropped the CIA’s secret how-to for infecting Windows
WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.
#2196 Shadow Brokers publish the password for the rest of the stolen NSA hacking tools
The Shadow Brokers (TSB) are back, and they've released the password for the rest of the hacking tools they claim to have stolen from the NSA last year.

TSB is a mysterious group that appeared in the summer of 2016 when they dumped on GitHub and other sites a trove of files they claim to have stolen from the Equation Group, a codename given to a cyber-espionage group many cyber-security experts believe to be the NSA.
#2195 Critical Office 0day attacks detected in the wild
At McAfee, we have put significant effort into hunting attacks such as advanced persistent threats and "zero days." Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.

This blog post serves as a heads-up for our customers and all Office users to protect against this zero-day attack.

The samples we have detected are organized as Word files (more specifically, RTF files with a ".doc" extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.
#2194 Payday lender Wonga confirms data breach
UK Payday lender Wonga has issued a statement instructing customers to contact their banks as a matter of urgency, after confirming a data breach earlier on Sunday.

"We believe there may have been illegal and unauthorised access to the personal data of some of our customers," a statement issued by the company reads.

Personal details from hundreds of thousands of accounts may have been illegally accessed, with reports indicating this number could affect up to 270,000 current and former customers.