Security Alerts & News
by Tymoteusz A. Góral

#2214 The iCloud hackers' bitcoin ransom looks like a fake
A group of hackers who claimed to hold millions of iCloud accounts for ransom said on Friday they'd been paid. But one bitcoin expert says that's bogus.

The Turkish Crime Family grabbed headlines last month by claiming they had the stolen login credentials for more than 700 million, and accounts. They demanded increasing ransoms from Apple while threatening to wipe the data from devices connected to the affected accounts if it did not.

On Friday, the hackers tweeted that they had been paid US$480,000 in bitcoin. As proof, the group posted a link showing a transaction on, a popular bitcoin wallet.
#2213 Matrix ransomware spreads to other PCs using malicious shortcuts
Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of wide spread distribution.

Now that it is being distributed via a large campaign and an exploit kit, it was time to take a deeper dive into this ransomware to see what features it has. What was found is interesting as Matrix Ransomware has the worm like features that allow it to spread outside of the originally infected machine via Windows shortcuts and uploads stats about the types of files that are encrypted.
#2212 How to get admin credentials from TPLink M5350 3G/WiFi modem with a text message
A German security researcher discovered how to retrieve the admin credentials from a TP-Link M5350 3G/Wi-Fi modem with an evil text message

Some bugs are very strange and dangerous, this is the case of a flaw affecting the TP-Link’s M5350 3G/Wi-Fi router that can expose admin credentials to an evil text message.
#2211 Hacker caused panic in Dallas by turning on every emergency siren at once
We have seen hackers flooding 911 emergency service with rogue requests to knock the service offline for an entire state, but some hacking incidents are worse than others.

One such incident took place in Dallas on Friday night when hacker triggered a network of 156 emergency warning sirens for about two hours, waking up residents and sparking fears of a disaster.

The emergency warning sirens — designed to warn citizens of the Texas about dangerous weather conditions, such as severe storms and tornados — were activated around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday.
#2210 Thousands of fake Google Maps listings redirect users to fraudulent sites each month
Tens of thousands of fake listings are added to Google Maps each month, redirecting users to fraudulent websites selling phony or overpriced services, or part of some referral scam.

This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as "abusive" and added to Google Maps between June 2014 and September 2015.

Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles.
#2209 ShadowBrokers fails to collect 1M bitcoins – releases stolen information
ShadowBrokers finally made good on their promise to release the decryption key to unlock the stolen ‘auction’ file purportedly filled with NSA hacking tools.

Over the weekend, the hacking group ShadowBrokers released the decryption key for the ‘auction’ file that was included in the dump of information from last summer that the group claimed they acquired from Equation Group – reportedly a well-known hacking team responsible for highly sophisticated malware campaigns such as Flame and Stuxnet and possibly associated with certain 3-letter government agencies.

While the group’s get-rich-quick plan to sell the auction file for the astronomical asking price of 1M bitcoins (roughly $1,186,510,000.00 US Dollar as of today) may have ended with spectacular failure, the team has made good on their promise to ultimately release the stolen information should the requested payoff not be received. It’s difficult, if not impossible for us to verify the claims from the hackers or to place attribution to the appropriate group, but there are interesting bits of information contained within the archive and we will document some of the early discoveries here.
#2208 How criminals can steal your PIN by tracking the motion of your phone
Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess – 100% by the fifth guess - using just the data collected via the phone’s numerous internal sensors.
#2207 Adobe publishes security updates for Flash, Reader, Photoshop and Creative Cloud
Earlier today, Adobe has released security patches for several of its applications, including Adobe Flash Player, Adobe Campaign, Adobe Photoshop CC, the Creative Cloud Desktop Application, and Adobe Acrobat and Reader.

While all the Adobe security bulletins released today include important patches, the ones affecting Flash, Acrobat/Reader, and Photoshop, are worrisome, mainly due to the huge userbases those applications possess.
#2206 If you’re somehow still on Windows Vista, upgrade right now
Windows Vista was not a popular Microsoft release. We can just say it. Launched in 2007 (after a few delays), it was the first Windows overhaul since the well-loved XP release in 2001. Six years is a long time to make people wait, no matter how great the replacement. And Vista, well, was not great. A decade later, Microsoft’s finally pulling the plug on support tomorrow. Which means, if you’re somehow stuck with Microsoft’s least popular operating system, it’s time to move on. Like, now.
#2205 Dridex campaigns hitting millions of recipients using unpatched Microsoft 0day
This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.

This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor - that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks - remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.
#2204 Critical Word 0day is only 1 of 3 Microsoft bugs under attack
A zero-day code-execution vulnerability in Microsoft Office is one of three critical flaws under active attack in the wild, Microsoft warned Tuesday as it rolled out a batch of updates that plug the security holes.

As Ars reported Monday night, attackers are exploiting the flaw to infect unsuspecting Word users with bank-fraud malware known as Dridex. Blog posts published Tuesday morning by security firms Netskope and FireEye reported that attackers are exploiting the same bug to install malware with the names Godzilla and Latenbot.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12