Security Alerts & News
by Tymoteusz A. Góral

#2244 More than 10,000 Windows computers may be infected by advanced NSA backdoor
Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland, who have published further details. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.

#2243 Would you like a backdoor with that Linksys router, Sir?
Linksys says that 25 router models are vulnerable to remote hacking and could be taken over by an attacker if users still use their default admin credentials.

The company issued a security advisory this week, letting customers know that certain products are affected by three vulnerabilities discovered by cyber-security firm IOActive.

Linksys, formerly part of Cisco and now a Belkin brand, says it's working on delivering a firmware update to mitigate all three flaws. In the meantime, the company issued a security alert as a warning for customers who might be vulnerable to attacks.

#2242 INTERPOL-led cybercrime operation across ASEAN unites public and private sectors
SINGAPORE – An INTERPOL-led operation targeting cybercrime across the ASEAN region has resulted in the identification of nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals.

The operation, run out of the INTERPOL Global Complex for Innovation (IGCI), brought together investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime situations in each country. Additional cyber intelligence was also provided by China.

Experts from seven private sector companies - Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks - also took part in pre-operational meetings in order to develop actionable information packages.

Information provided by the private sector combined with cyber issues flagged by the participating countries enabled specialists from INTERPOL’s Cyber Fusion Centre to produce 23 Cyber Activity Reports. The reports highlighted the various threats and types of criminal activity which had been identified and outlined the recommended action to be taken by the national authorities.

#2241 Android O will contain special feature to fight off ransomware
Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks.

Starting with Android O (8.0), set to be released in the fall of 2017, Google plans to deprecate the following window types: TYPE_SYSTEM_ALERT, TYPE_SYSTEM_ERROR, and TYPE_SYSTEM_OVERLAY.

These are special "system" windows that are shown above any app on the user's screen. As you'd imagine, this is highly valued real estate for ransomware developers, who often aim to obtain the permission to show content via these windows.

Once they manage to obtain such permission, they use these windows to block the user's access to the rest of the phone and to show ransom notes.

#2240 The godfather of ransomware returns: Locky is back and sneakier than ever
The ransomware that drove last year's boom in file-encrypting malware is back, and this time it's even harder to detect.

Ransomware cost its victims some $1bn during 2016, with Locky one of the most widespread variants, infecting organisations across the globe.

However, the start of 2017 saw a sudden decline in the distribution of Locky, to such an extent that another form of ransomware -- Cerber -- has usurped Locky's dominance.

But after being all but written off, Locky is staging a comeback. Cybersecurity researchers at Cisco Talos have observed a surge in emails distributing Locky, with over 35,000 emails sent in just a few hours. This surge in distribution is being attributed to the Necurs botnet, which until recently focused on spamming pump-and-dump stock market scams.