Security Alerts & News
by Tymoteusz A. Góral

History
#2256 iCloud support scams
iCloud is an increasingly large target for scams of all kinds. It’s a common target for scams involving phishing e-mails. The goal of such scams is to get you to click a link that takes you to a fake iCloud login page, resulting in you submitting your iCloud login credentials to thieves. It’s also frequently attacked via brute-force guessing of weak passwords and weak security questions.

The results of such scams can vary. Some are interested in the purchasing power since iCloud accounts double as Apple IDs, which can be used to make purchases from the Mac App Store, iOS App Store, and even the online and brick-and-mortar Apple Stores.

Other scammers want access to your files – typically photos stored in iCloud – such as the “Celebgate” incident. Celebgate involved a number of celebrities who had their accounts compromised, resulting in the theft and subsequent publication of nude photos.
#2255 Healthcare CERT warns about ‘Mole’ ransomware – what you need to know
A few readers have asked us about a ransomware variant with the intriguing name of Mole.

Interest seems to have been sparked by a recent security advisory from CareCERT, the cybersecurity initiative set up for the UK’s National Health Service (NHS), currently the world’s fifth largest employer.

(You know you want to ask, so we’ll answer. Depending on whom you consult and how you count, the list goes something like this: US Department of Defense, PRC People’s Liberation Army, Walmart, McDonalds, NHS.)
#2254 Facebook tracks scary-specific details about your life. Here’s how to find what it knows
As the saying goes: “if you aren’t being sold, you are the product.” Nowhere is this more true than on Facebook.

The social network boasts nearly two billion users, and offers a staggering amount of free content that keeps most of us engaged hours each day. And in the future, it’s looking to further that effort to keep us on-site even longer, or in other Facebook-owned properties like Messenger, Whatsapp, and Instagram.
#2253 Linux Shishiga malware using LUA scripts
Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.
#2252 Cyberespionage, ransomware big gainers in new Verizon breach report
Verizon released its tenth annual breach report this morning, and cyberespionage and ransomware were the big gainers in 2016.

Cyberspionage accounted for 21 percent of cases analyzed, up from 13 percent last year, and was the most common type of attack in the manufacturing, public sector, and education.

In fact, in the manufacturing sector, cyberespionage accounted for 94 percent of all breaches. External actors were responsible for 93 percent of breaches, and, 91 percent of the time, the target was trade secrets.
#2251 More LastPass flaws: researcher pokes holes in 2FA
Recently we’ve been writing about LastPass more than seems healthy.

March saw two rounds of serious flaws made public by Google’s Tavis Ormandy (quickly fixed), which seemed like a lot for a single week. Days ago, news emerged of a new issue (also fixed) in the company’s two-factor/two-step authentication (2FA) security.

To coin a phrase, all serious flaws are serious – but some are more serious than others.

This one matters for two reasons, only one of which will sound flippant: it wasn’t discovered by Tavis Ormandy, who at times has seemed to be writing a novella on flaw-hunting with the company’s name on it. That’s fine – researching vulnerabilities is his day job, after all.
#2250 FalseGuide malware victim count jumps to 2 million
An estimated 2 million Android users have now fallen victim to malware mistakenly downloaded from Google Play, which was initially reported to have affected approximately 600,000 users.

The malware, dubbed FalseGuide, was hidden in more than 40 guide apps for games, the oldest of which was uploaded to Google Play as early as November last year, security researchers from Check Point said.

"Since April 24, when the article below was first published, Check Point researchers learned that the FalseGuide attack is far more extensive than originally understood," Check Point said.
#2249 UK man gets two years in jail for running ‘Titanium Stresser’ attack-for-hire service
A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.

Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.
#2248 How free hacking tools on the web could be leading kids into cybercrime
Gaming websites could be spawning a new breed of cybercriminals, according to new research which claims that young people are being indoctrinated into hacking crimes via free and easily-accessible internet pages.

Websites and forums which provide cheat codes and modifications for video games are making it increasingly easy for young people to develop criminal skills and become involved in hacking chat rooms, a report by the U.K.'s National Crime Agency (NCA) has said.

Readily-available step-by-step tutorials for Remote Access Trojan (RAT) malware programs and distributed denial-of-service (DDoS) attacks are also making the skills barrier into cybercrime lower than it has ever been, the NCA suggests.
#2247 Hipchat resets user passwords after possible breach
HipChat has reset all its users' passwords after what it called a security incident that may have exposed their names, email addresses and hashed password information.

In some cases, attackers may have accessed messages and content in chat rooms, HipChat said in a Monday blog post. But this happened in no more than 0.05 percent of the cases, each of which involved a domain URL, such as company.hipchat.com.

HipChat didn't say how many users may have been affected by the incident. The passwords that may have been exposed would also be difficult to crack, the company said. The data is hashed, or obscured, with the bcrypt algorithm, which transforms the passwords into a set of random-looking characters. For added security, HipChat "salted" each password with a random value before hashing it.
#2246 Pawn storm abuses open authentication in advanced social engineering attacks
Pawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses different methods and strategies to gain information from their targets, which are covered in our latest research. However, they are particularly known for dangerous credential phishing campaigns. In 2016, the group set up aggressive credential phishing attacks against the Democratic National Convention (DNC), German political party Christian Democratic Union (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera, and many other organizations.

This blog post discusses how Pawn Storm abused Open Authentication (OAuth) in advanced social engineering schemes. High profile users of free webmail were targeted by campaigns between 2015 and 2016.
#2245 Webroot 'mistakenly' flags Windows as malware and Facebook as phishing site
Popular antivirus service Webroot mistakenly flagged core Windows system files as malicious and even started temporarily removing some of the legit files, trashing user computers around the world.

The havoc caused after the company released a bad update on April 24, which was pulled after approximately 15 minutes. But that still hasn't stopped some PCs from receiving it, causing serious issues for not just individuals, but also companies and organizations relying on the software.

According to the reports by many customers on social media and Webroot's forum, hundreds and even thousands of systems were broken down after antivirus software flagged hundreds of benign files needed to run Windows and apps that run on top of the operating system.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12