Security Alerts & News
by Tymoteusz A. Góral

History
#2179 Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.

The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.

Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
#2178 This book reads you - using JavaScript
On a previous post about ePub parsers (This book reads you - exploiting services and readers that support the ePub book format), I mentioned using scripting capabilities in ePub to perform local attacks against users.

Apple just released a fix for one issue I reported last year in iBooks that allowed access to files on a users system when a book was opened. iBooks on El Capitan would open an ePub using the file:// origin, which would allow an attacker to access the users file system when they opened a book. (CVE-2017-2426)

To help demonstrate how this could be used to perform attacks against users, I added a WebSocket client to a book, so that all users who open the book will connect back to a WebSocket controller server that will feed them arbitrary instructions. The WebSocket client in the ePub will allow access as long as the user has the book open (expectation is that it could be open for a long time, if the user is provided with something worth reading).
#2177 Flatbed scanners used as relay point for controlling malware in air-gapped systems
Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points when sending commands to malware installed on an air-gapped computer. Further research also revealed the scanner could also be used to relay stolen data to a nearby attacker.

The technique they come up with revolves around the idea that a beam of light could be interpreted as a binary 1 and the lack of visual stimulant can be considered a binary 0.

For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors.
#2176 Let’s Encrypt issues certs to ‘PayPal’ phishing sites: how to protect yourself
The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.

When they set up their sites, crooks need SSL certificates, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like something from their bank or HR department, the certificate provider can fail to tell the difference between the legitimate and fraudulent cert seeker.

Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 “PayPal” certificates to sites used for phishing.
#2175 VMware patches critical virtual machine escape flaws
VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines.

The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player and VMware Fusion.

Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own.
#2174 Skype users hit by ransomware through in-app malicious ads
Several users have complained that ads served through Microsoft's Skype app are serving malicious downloads, which if opened, can trigger ransomware.

News of the issue came from a Reddit thread on Wednesday, in which the original poster said that Skype's home screen -- the first screen that shows up on consumer versions of the software -- was pushing a fake, malicious ad, purporting to be a critical update for the Flash web plug-in.
#2173 One of the most prolific botnets is back - and now it's being used for stockmarket scams
After three months of near inactivity, one of the world's most prolific mailing botnets has returned - apparently re-purposed to carry out different cybercriminal activity.

The Necurs botnet was one of the biggest distributors of malware during 2016, sending millions of malicious emails in an effort to spread Locky ransomware. Locky became the most high profile form of ransomware of 2016, before mysteriously appearing to cease operations in late December.
#2172 Unskilled group behind many junk ransomware strains
A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.

The group's activity first came to light in March 2016, when various Magento stores were targeted and had their files locked with a Web-based ransomware called KimcilWare.
#2171 New IIS 6.0 0day exploited in live attacks since July 2016
Since July 2016, attackers have been using a zero-day in IIS 6.0 to compromise and take over Windows servers.

The zero-day was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China.

The two published proof-of-concept exploit code on GitHub two days ago, after Microsoft acknowledged the flaw, but said it couldn't patch it as it affected EOL products, for which it doesn't issue updates anymore.
#2170 Russian hacker pleads guilty in global botnet case
A Russian national has pleaded guilty to charges related to a botnet scheme that siphoned millions of dollars from victims worldwide.

On Tuesday, the US Department of Justice (DoJ) said that Maxim Senkh, from Velikii Novgorod, Russia, admitted to participating in what prosecutors call a "criminal enterprise that installed and exploited malicious computer software on tens of thousands of computer servers throughout the world."

The malware, known as Ebury, harvested OpenSSH login credentials from computers and servers that were infected. These stolen details were then used to create the Ebury botnet, a network of 'slave' computers and servers which all accepted instructions from Senkh and co-conspirators through a command and control (C&C) center.
#2169 About 90% of Smart TVs vulnerable to remote hacking via rogue TV signals
A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.

The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.
#2168 Someone is putting lots of work into hacking Github developers
Open source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than Github developers.
#2167 Microsoft quietly patched Windows 0day used in attacks by Zirconium group
Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium.

The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions.

According to Microsoft, a successful exploit would have resulted in a memory corruption and elevation of privileges (EoP) for the attacker's code, allowing him to escalate access to the machine and execute code with SYSTEM privileges.
#2166 PyCL ransomware delivered via RIG EK in distribution test
This past Saturday security researchers Kafeine, MalwareHunterteam, BroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.

While the colors and interface used by this ransomware have a striking resemblance to CTB-Locker/Critroni, it is written in a different language and there are no distinguishing strings in the ransom notes or executables. Since it's programmed in Python and the script is called cl.py, I will be referring to it as PyCL in this article.
#2165 One of the most dangerous forms of ransomware has just evolved to be harder to spot
One of the most common forms of ransomware is evolving a new technique in order to become even more effective and harder to detect - the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

Rather than relying on specifically identified signatures of known threats, some cybersecurity defences employ machine learning in an effort to detect previously unknown malware and the methods used to deliver them to unsuspecting victims.
#2164 Potent LastPass exploit underscores the dark side of password managers
Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.
#2163 Humbled malware author leaks his own source code to regain community's trust
The author of the Nuclear Bot banking trojan has leaked the source code of his own malware in a desperate attempt to regain trust and credibility in underground cybercrime forums.

Nuclear Bot, also known as NukeBot and more recently as Micro Banking Trojan and TinyNuke, is a new banking trojan that appeared on the malware scene in December 2016, when its author, a malware coder known as Gosya, started advertising it on an underground malware forum.
#2162 Security? What security? Four million data records are stolen or lost every day
Nearly 1.4 billion data records were stolen by hackers or lost during 2016 - almost double the number which were comprised the previous year and indicating the ever growing threat posed not only by cyberattackers but accidental data breaches and malicious insiders.

Identifiable personal information including names, email addresses, passwords, dates of birth, IP addresses and even biometric data was stolen from or lost by organisations and websites throughout 2016.

The total of 1,378,509, 261 billion data records being lost or stolen is almost double that of 2015, according to figures published in Gemalto's Breach Level Index Report for 2016. The report is based on analysis of 1,792 data breaches across the year, which saw the equivalent of 3,776, 738 data records compromised every single day. According to the company more than seven billion data records have been exposed since 2013.
#2161 Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
Ransomware scammers have been exploiting a flaw in Apple's Mobile Safari browser in a campaign to extort fees from uninformed users. The scammers particularly target those who viewed porn or other controversial content. Apple patched the vulnerability on Monday with the release of iOS version 10.3.

The flaw involved the way that Safari displayed JavaScript pop-up windows. In a blog post published Monday afternoon, researchers from mobile-security provider Lookout described how exploit code surreptitiously planted on multiple websites caused an endless loop of windows to be displayed in a way that prevented the browser from being used. The attacker websites posed as law-enforcement actions and falsely claimed that the only way users could regain use of their browser was to pay a fine in the form of an iTunes gift card code to be delivered by text message. In fact, recovering from the pop-up loop was as easy as going into the device settings and clearing the browser cache. This simple fix was possibly lost on some uninformed targets who were too uncomfortable to ask for outside help.
#2160 Apple pushes security update to OSX Yosemite and ElCapitan
Have you been thinking that you'd never see another update for your Mac that's stuck running OS X Yosemite and El Capitan? Well, Apple has a surprise for you.

The surprise comes in the form of Security Update 2017-001. What does it do? There's no information on the fixes it contains beyond a somewhat cryptic "Security Update 2017-001 is recommended for all users and improves the security of OS X."
#2159 Researcher says API flaw exposed Symantec certificates, including private keys
Flaws in the API used by Symantec partners would have allowed an attacker to retrieve certificates, including private keys, security researcher Chris Byrne said in a Facebook post published over the weekend.

The researcher said he discovered this issue two years ago, in 2015, and agreed to a process called "limited non-disclosure," as Symantec said it would take at least two years to fix the issues, during which they asked Byrne to not disclose any details to the public.

"I agreed to limited non-disclosure of the issue, unless I felt it was critically necessary, or it would be unethical or irresponsible for me not to disclose," said Byrne, "for example, if there were a threat to national security, or I discovered a compromise of a client, or any actual criminal compromise arising from it, etc.."
#2158 Alleged vDOS owners poised to stand trial
Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.
#2157 Nokia to smartphone owners: Malware infections are far higher than you think
Nokia no longer makes mobile devices but it's carving out a new business in mobile and Internet of Things security. Now new research from the unit is reporting a 83 percent rise in monthly smartphone infections in the second half of 2016.

Two years ago Verizon challenged assumptions about the spread of mobile malware, reporting that just 0.03 percent of smartphones on its network were infected with 'higher-grade' malware. It was much lower than the 0.68 percent infection rate estimated in Kindsight Security Labs' biannual report.

But a new report from Nokia, based on data from mobile networks that have deployed its NetGuard Endpoint Security, suggests infections are actually far higher.
#2156 Doxed by Microsoft’s Docs.com: Users unwittingly shared sensitive docs publicly
On March 25, security researcher Kevin Beaumont discovered something very unfortunate on Docs.com, Microsoft's free document-sharing site tied to the company's Office 365 service: its homepage had a search bar. That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly.

Unfortunately, hundreds of them weren't. As described in a Microsoft support document, "with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing." But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines.
#2155 Massive uproar on alleged Windows 10 built-in ‘keylogger’ feature
There is currently massive uproar on Reddit about a privacy setting of Windows 10. The privacy setting “Send Microsoft info about how I write to help us improve typing and writing in the future” is reportedly enabled by default and users now fear Windows 10 is one big keylogger.
#2154 Strengthening the Microsoft Edge sandbox
In a recent post, we outlined the layered strategy that the Microsoft Edge security team employs to protect you from vulnerabilities that could be used to compromise your device or personal data. In particular, we showed how Microsoft Edge is leveraging technologies like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to break some of the techniques that hackers rely on when exploiting vulnerabilities to obtain Remote Code Execution (RCE). This is where the attacker seeks to escape from web code (JS and HTML) in the browser to run native CPU code of the attacker’s choosing. This lets the attacker violate all of the browser’s rules for the web, such as same-origin policy, and so it is important to web users that we try as hard as possible to block RCE attacks.

However, despite our best efforts, sometimes attackers get RCE anyway. In this post, we’ll explore some of the significant improvements we’ve made in the Windows 10 Creators Update to strengthen our next line of defense: the Microsoft Edge sandbox.
#2153 SmartTV hacking - Oneconsult talk at EBU Media Cyber Security seminar (VIDEO)
In a presentation to the European Broadcasting Union (EBU), Rafael Scheel (Senior Penetration Tester & Security Researcher at Oneconsult AG) gives an introduction to IoT cyber security and shows in a live hacking demo an attack which allows to remotely takeover bulks of smart TVs over the TV stream signal. About 90% of the TVs sold in the last years are potential victims of similar attacks.
#2152 GiftGhostBot attacks ecommerce gift card systems across major online retailers
Distil Networks has detected a sophisticated bot attack on its network affecting nearly 1,000 customer websites around the world and is recommending consumers check their gift card balances in case of fraud. The advanced persistent bot, named GiftGhostBot, automatically checks millions of gift card numbers to determine which have balances, and was detected on February 26, 2017 and is still attacking websites.
#2151 New attack XSSJacking combines clickjacking, pastejacking, and SelfXSS
Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users.

Ayrey says XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery), issues which most websites tend to fix when reported.

The attack is not fully-automated, as it still relies on social engineering, a reason why many of today's security bug bounty programs won't even consider it as a security flaw, Ayrey told Bleeping Computer in an email.
#2150 Symantec backs its CA
At Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.
#2149 Soundwaves used to produce fake data from accelerometers
How many tiny accelerometers do you depend on? There’s the one in your smartphone, telling it which way’s up, so it can adjust the screen horizontally or vertically (or track your footsteps or how fast you’re running, or for that matter, transform your iPhone into a seismometer).

For similar reasons, there’s one in your FitBit-type contraption too. Then there are devices like Microsoft’s Kinect and Nintendo’s Wii which use them to help track motion. And that’s not all. You can find them in toy remote control cars (and real cars, which use them to detect rapid deceleration and trigger your airbag) and even medical devices – where they might soon help control when and how much medicine you get.
#2148 A new trend in Android adware: abusing Android plugin frameworks
It is common for legitimate mobile apps to embed advertising SDKs or promote other apps. Showing ads or promoting other apps can generate revenue for legitimate app developers. However, we have recently observed an alarming trend in mobile ads communities where some adware programs in the Google Play store have become more aggressive by abusing the third-party DroidPlugin framework on Android.

In this posting we will outline how Unit 42 researchers have found aggressive adware that abuses the third-party DroidPlugin framework on Android. Our researchers have worked with Google to share our findings and have all apps that were found to violate Google’s terms of service removed from the Google Play store.
#2147 LastPass bugs allow malicious websites to steal passwords
LastPass patched three separate bugs that affected its Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website.

All bugs were discovered by Tavis Ormandy, a security researcher working for Google's Project Zero.

One bug affected the LastPass for Chrome extension, while the other two affected the company's Firefox add-on.
#2146 Winnti abuses GitHub for C&C communications
Developers constantly need to modify and rework their source codes when releasing new versions of applications or coding projects they create and maintain. This is what makes GitHub—an online repository hosting service that provides version control management—popular. In many ways, it’s like a social networking site for programmers and developers, one that provides a valuable platform for code management, sharing, collaboration, and integration.

GitHub is no stranger to misuse, however. Open-source ransomware projects EDA2 and Hidden Tear—supposedly created for educational purposes—were hosted on GitHub, and have since spawned various offshoots that have been found targeting enterprises. Tools that exploited vulnerabilities in Internet of Things (IoT) devices were also made available on GitHub. Even the Limitless Keylogger, which was used in targeted attacks, was linked to a GitHub project.
#2145 Lithuanian con artist scams two US tech giants out of $100 million
A man from Lithuania has been arrested after he conned two large technology firms out of $100 million in an elaborate phishing scheme.

The US Department of Justice (DoJ) said on Tuesday that Evaldas Rimasauskas orchestrated a phishing scheme which targeted US technology giants specifically, and he was able to swindle $100 million by pretending to be a legitimate business partner of at least one of the victims.

The 48-year-old allegedly opened a company with the same name as a legitimate Asian manufacturer in Latvia, alongside multiple bank accounts in both the Eastern European country and Cyprus.
#2144 Chinese crooks use fake cellular telephony towers to spread Android malware
Malware authors in China are using fake base transceiver stations (BTSs), which is equipment usually installed on cellular telephone towers, to send spoofed SMS messages that contain links to Android malware.

This is the first ever reported case when malware authors have used base stations to spread malware, a trend that Avast predicted in 2014, but which never came to fruition until now.
#2143 Hackers: We will remotely wipe iPhones unless Apple pays ransom
“I just want my money,” one of the hackers said.

A hacker or group of hackers is apparently trying to extort Apple over alleged access to a large cache of iCloud and other Apple email accounts.

The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," one of the hackers told Motherboard.
#2142 DoubleAgent: 0day code injection and persistence technique
We’d like to introduce a new Zero-Day technique for injecting code and maintaining persistency on a machine (i.e. auto-run) dubbed DoubleAgent.

DoubleAgent can exploit:

* Every Windows version (Windows XP to Windows 10);
* Every Windows architecture (x86 and x64);
* Every Windows user (SYSTEM/Admin/etc.);
* Every target process, including privileged processes (OS/Antivirus/etc.);

DoubleAgent exploits a 15 years old legitimate feature of Windows and therefore cannot be patched.

#2141 Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have issued more than 30,000 certificates.

Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site's authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.
#2140 New LLTP ransomware appears to be a rewritten venus locker
A new ransomware was discovered today by MalwareHunterTeam called LLTP Ransomware or LLTP Locker that is targeting Spanish speaking victims. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

In summary, the LLTP Ransomware has the ability to work in online or offline mode. So regardless of whether there is a connection to the Internet, the ransomware will still encrypt a victim's files. Furthermore, unlike most ransomware, this family assigns different extensions to encrypted files based upon the file's original extension.
#2139 Swearing trojan continues to rage, even after authors’ arrest
Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China. Swearing Trojan’s name comes from Chinese swear words found inside the malware’s code. The malware infected a wide spread of Android users in China, stealing their bank credentials and other sensitive personal information.

Similar to mobile banking Trojans discovered previously, Swearing Trojan can steal personal data and it can bypass 2-factory authentication (2FA) security. Banking apps use two-factor authentication as a way to secure access by sending a one-time code to the user via SMS in addition to having a user enter his or her password. By replacing the original Android SMS app with an altered version of its own, Swearing Trojan can intercept incoming SMS messages, rendering two-factor authentication useless.
#2138 Bitcoin scams: Beware of crooks trying to steal your cryptocurrency with these schemes
Cybercriminals are taking advantage of the rising price and popularity of Bitcoin to try to steal the currency and distribute malware.

The cryptocurrency has become invaluable to cybercriminals who exploit its anonymous, decentralised nature as a tool for demanding ransomware payments and laundering various other ill-gotten gains.

This month social media Bitcoin scams have reached a new high, with over 125 million malicious links across Twitter, Facebook, and Instagram designed to attack victims and extort Bitcoin.

These Bitcoin scams target social media because it's full of people who might be interested in buying and selling Bitcoin, but don't know much about it -- making them prime targets to be taken advantage of by scammers.
#2137 Word document spreads macro malware targeting both Windows and macOS
After last month security researchers discovered the first-ever Word document spreading macro malware on macOS, last week, researchers from Fortinet spotted a Word document that contained macro scripts that distributed both Windows and macOS malware at the same time, depending on the OS it managed to infect.

Malicious Office files with attached macro scripts that download malware are usually referred in the infosec industry as "macro malware."

On Windows, macro malware has been around since the 90s. Even if Microsoft offered an Office version for Mac OS X (now macOS), weaponized Office files never contained macro scripts that could run on a Mac.
#2136 New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs
WikiLeaks today dumped a smaller subset of documents from its "Vault 7" collection of files from a CIA software developer server. Yet again, these documents are more important from the perspective of WikiLeaks having them than for showing any revelatory content. The exploits detailed in these new files are for vulnerabilities that have largely been independently discovered and patched in the past. The files also reveal that the CIA likely built one of these tools after seeing a presentation on the exploits of Apple's EFI boot firmware at Black Hat in 2012.

The latest batch of files, dramatically named "DarkMatter" (after one of the tools described in the dump), consists of user manuals and other documentation for exploits targeting Apple MacBooks—including malware that leveraged a vulnerability in Apple's Thunderbolt interface uncovered by a researcher two years ago. Named "Sonic Screwdriver" after the ever-useful tool carried by the fictional Doctor of Dr. Who, the malware was stored on an ordinary Thunderbolt Ethernet adapter. It exploited the Thunderbolt interface to allow anyone with physical access to a MacBook to bypass password protection on firmware and install one of a series of Apple-specific CIA "implants."
#2135 Inside the hunt for Russia’s most notorious hacker
On the morning of December 30, the day after Barack Obama imposed sanctions on Russia for interfering in the 2016 US election, Tillmann Werner was sitting down to breakfast in Bonn, Germany. He spread some jam on a slice of rye bread, poured himself a cup of coffee, and settled in to check Twitter at his dining room table.

The news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm CrowdStrike, was still catching up on details. Following a link to an official statement, Werner saw that the White House had targeted a short parade’s worth of Russian names and institutions—two intelligence agencies, four senior intelligence officials, 35 diplomats, three tech companies, two hackers. Most of the details were a blur. Then Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich Bogachev.
#2134 Google, sister company Jigsaw offer cybersecurity to election groups
Weeks ahead of the national elections in France, Google and its sister company Jigsaw are helping news sites, NGOs, and other entities involved in the elections process protect themselves against digital threats.

The two companies have packaged a suite of "Protect Your Election" tools, which includes two-step verification and the Password Alert Chrome extension. It also includes access to Project Shield, a layer of defense against DDOS attacks.

"Free and fair elections depend on people having access to the information they need, and around the world the sources of that information are increasingly under attack," said Anne-Gabrielle Dauba-Pantanacce of Google France and Jigsaw's Jamie Albers in a blog post.
#2133 Full LastPass 4.1.42 exploit discovered
Tavis Ormandy, a prolific member of Google's Project Zero initiative, revealed that he discovered a new security issue in LastPass 4.1.42 (and maybe earlier).

Ormandy revealed that he discovered an exploit, but did not reveal it. Project Zero discoveries are reported to the companies who produce the affected products. The companies have 90 days to react, usually by creating a new product version that they make available publicly to all customers.
#2132 Flaws in Moodle CMS put thousands of e-learning websites at risk
Organizations that use the popular Moodle learning management system should deploy the latest patches as soon as possible because they fix vulnerabilities that could allow attackers to take over web servers.

Moodle is an open source platform used by schools, universities, and other organizations to set up websites with interactive online courses. It's used by more than 78,000 e-learning websites from 234 countries that together have more than 100 million users.
#2131 Google Nest: Unpatched bug lets intruders use Bluetooth to stop cameras recording
A researcher has flagged a bug in Google's Nest Cam and Dropcam Pro security cameras that allows an attacker within Bluetooth range to stop either device from recording.

Bluetooth range, of course, is exactly where a burglar would be when planning to ransack a home, and with attack code now publicly available, an intruder could knock Google's security cameras off a wireless network for 90 seconds.

That mightn't sound so severe, but since the camera is designed to only store recorded footage in the cloud, the loss of connectivity means the device loses its surveillance capabilities for this period.
#2130 New attack uses Microsoft's Application Verifier to hijack antivirus software
A new technique named DoubleAgent, discovered by security researchers from Cybellum, allows an attacker to hijack security products and make them take malicious actions.

The DoubleAgent attack was uncovered after Cybellum researchers found a way to exploit Microsoft's Application Verifier mechanism to load malicious code inside other applications.
#2129 New technology combines lip motion and passwords to authenticate users
Scientists from the Hong Kong Baptist University (HKBU) have developed a new user authentication system that relies on reading lip motions while the user speaks a password out loud.

The technology is a mixture of traditional authentication solutions with the new wave of biometrics-based solutions.

The new authentication scheme, dubbed "lip password" works by training a machine learning algorithm to recognize lip shape, texture, and motion for each user, while he speaks a password to a camera.
#2128 Old Linux kernel security bug bites
OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It's an archaic networking data framing protocol that's used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies. I know it because I used to work with them back in the day. You'll get to know it now because a researcher discovered a security hole hidden within the Linux kernel driver that implements it.
#2127 Firefox gets complaint for labeling unencrypted login page insecure
The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (update: the link is no longer public). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
#2126 Numbers show Locky ransomware is slowly fading away
Over the past six months, the number of Locky ransomware infections has gone down and is expected to reach an all-time low this month, in March.

Ever since the ransomware launched in mid-February 2016, Locky has been one of the most active and prevalent ransomware families on the Internet.
#2125 A simple command allows the CIA to commandeer 318 models of Cisco switches
Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.

Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.
#2124 Polish authorities confirm hack of Bitcurex bitcoin exchange, launch investigation
Polish authorities in the town of Lodz have launched an official investigation into the closure of Bitcurex, a Bitcoin trading platform that launched in 2012, and closed earlier this year.

The timeline of events that led to Bitcurex's closure is complex and spans six months.
#2123 0day or feature? Privilege escalation / session hijacking all Windows versions
A privileged user, which can gain command execution with NT AUTHORITY/SYSTEM rights can hijack any currently logged in user's session, without any knowledge about his credentials.
Terminal Services session can be either in connected or disconnected state.
#2122 GitHub awards researcher $18,000 for remote code execution flaw discovery
GitHub has awarded a researcher $18,000 for disclosing a security flaw in GitHub Enterprise which could have lead to remote code execution.

According to independent German researcher Markus Fenske, the code repository awarded him the amount for disclosing a serious security vulnerability in GitHub Enterprise, an on-premise version of GitHub designed for businesses looking to collaborate on coding but retain strict control of permissions and access to projects.
#2121 Alert: Cisco IOS and IOS XE software Cluster Management Protocol remote code execution vulnerability
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
#2120 Virtual machine escape fetches $105,000 at Pwn2Own hacking contest
Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."
#2119 US-CERT warns HTTPS inspection may degrade TLS security
Recent academic work looking at the degradation of security occurring when HTTPS inspection tools are sitting in TLS traffic streams has been escalated by an alert published Thursday by the Department of Homeland Security.

DHS’ US-CERT warned enterprises that running standalone inspection appliances or other security products with this capability often has a negative effect on secure communication between clients and servers.

“All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected,” US-CERT said in its alert.

HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server. A network administrator can only verify the security between the client and the HTTP inspection tool, which essentially acts as a man-in-the-middle proxy. The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
#2118 Another years-old flaw fixed in the Linux kernel
The Linux team has patched a "dangerous" vulnerability in the Linux kernel that allowed attackers to elevate their access rights and crash affected systems.

The security issue, tracked as CVE-2017-2636, existed in the Linux kernel for the past seven years, after being introduced in the code in 2009.

This is the fourth "years-old" security flaw discovered in the Linux kernel after similar flaws came to light last fall and winter.
#2117 Intel, Microsoft launch new bug bounty programs
Intel and Microsoft have launched new bug bounty programs with thousands of dollars on offer for the most dangerous bugs.

Intel revealed the new bug bounty program will be hosted on HackerOne at the CanSecWest security conference on Wednesday. While old hat for companies including Microsoft, Facebook, and Google, the scheme is the first of its kind for the tech giant.

"We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability," Intel said. "By partnering constructively with the security research community, we believe we will be better able to protect our customers."
#2116 MajikPOS combines PoS malware and RATs to pull off its malicious tricks
We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A). Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct. We estimate that MajikPOS’s initial infection started around January 28, 2017.

While other PoS malware FastPOS (its updated version), Gorynych and ModPOS also feature multiple components with entirely different functions like keylogging, MajikPOS’s modular tack is different. MajikPOS needs only another component from the server to conduct its RAM scraping routine.

MajikPOS is named after its command and control (C&C) panel that receives commands and sends exfiltrated data. MajikPOS’s operators use a combination of PoS malware and remote access Trojan (RAT) to attack their targets, to daunting effects. MajikPOS is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses.
#2115 Revenge ransomware, a CryptoMix variant, being distributed by RIG exploit kit
A new CryptoMix, or CryptFile2, variant called Revenge has been discovered by Broad Analysis that is being distributed via the RIG exploit kit. This variant contains many similarities to its predecessor CryptoShield, which is another CryptoMix variant, but includes some minor changes that are described below.

As a note, in this article I will be referring to this infection as the Revenge Ransomware as that will most likely be how the victim's refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a new version of the CryptoMix ransomware family.
#2114 This laptop-bricking USB stick just got even more dangerous
Remember that USB stick that would destroy almost anything in its path, from laptops, photo booths, kiosks, to even cars?

Now there's a new version, and it's even more dangerous than before.

In case you missed it the first time around, a Hong Kong-based company built a weaponized pocket-sized USB stick, which when plugged into a device, will rapidly charge its capacitors from the USB power supply and then discharge, frying the affected device's circuits.

Dubbed the USB Kill stick, it fries almost any device with a USB port, though modern Apple hardware is apparently not affected.
#2113 New smartphone threat: Now attackers can use sound to hack your device
Researchers have shown that a malicious music file can trick an accelerometer into giving false readings.

Researchers from the University of Michigan and the University of South Carolina have revealed a handful of sonic hacks on sensors that might not seem dangerous today, but do show one more way that hackers could use the Internet of Things to cause physical harm.

The researchers demonstrated that acoustic signals at the right frequency can apply enough pressure on an accelerometer's sensing mechanism, a mass buoyed on springs, that it can spoof acceleration signals.
#2112 Hack brief: High-profile Twitter accounts overrun with swastikas
Last night, a swath of Twitter accounts with large followings—including Duke University, BBC North America, Forbes, and Amnesty International—tweeted out the same message, in Turkish, that included a swastika and hashtags that translate to “Nazi Germany, Nazi Holland.”

The hacked accounts, which apparently stem from increasing vitriol between Turkey and Holland, appear to have all been restored. They’re an unfortunate reminder, though, any Twitter account is only as safe as the apps you let access it.
#2111 Check Point discloses vulnerability that allowed hackers to take over hundreds of millions of WhatsApp & Telegram accounts
One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to be proven, many end-users are concerned as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy. This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.

Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platform – WhatsApp Web and Telegram Web. The online version of these platforms mirror all messages sent and received by the user, and are fully synced with the users’ device.
#2110 Russian hacker "Kolypto" who worked on Citadel trojan extradited to the US
Yesterday, a Russian national accused of helping develop the Citadel banking trojan was arraigned in front of a US judge for the first time, after being extradited from Fredrikstad, Norway.

The man's name is Mark Vartanyan, 28, known online as Kolypto. According to US authorities, Vartanyan allegedly developed, improved and maintained the Citadel malware, a banking trojan made available via a Malware-as-a-Service offering.
#2109 US charges two Russian agents with ordering hack of 500m Yahoo accounts
Federal prosecutors charged two Russian intelligence agents with orchestrating a 2014 hack that compromised 500 million Yahoo accounts in a brazen campaign to access the e-mails of thousands of journalists, government officials, and technology company employees.

In a 38-page indictment unsealed Wednesday, the prosecutors said Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43—both officers of the Russian Federal Security Service—worked with two other men—Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22—who were also indicted. The men gained initial access to Yahoo in early 2014 and began their reconnaissance, the indictment alleged. By November or December, Belan used the file transfer protocol to download part or all of a Yahoo database that contained user names, recovery e-mail accounts, and phone numbers. The user database (UDB) also contained the cryptographic nonces needed to generate the account-authentication browser cookies for more than 500 million accounts.
#2108 Google’s Allo app can reveal to your friends what you’ve searched
Google’s mobile messaging app Allo can reveal your Google search history to people you message, which could have big privacy implications. The behavior appears to be a glitch.

I noticed the problem in a recent conversation with a friend, in which I was testing the app. Allo includes Google Assistant, the company’s latest version of its virtual assistant software.

Google recently announced plans to make Assistant available on Android phones. The feature has been available on Google’s own Pixel phone and Google Home, its competitor to Amazon’s wildly successful Echo.

A unique feature of Allo is that you can use Assistant while in the middle of a conversation with a friend. You could, for example, ask Assistant to search for restaurants in a certain area, while you’re talking to a friend about where to eat.
#2107 Video calls for Signal out of beta
We recently released encrypted video calling as an opt-in beta. We've spent the past month collecting feedback and addressing the issues that the Signal community found in order to get it production ready. Today's Signal release for Android and iOS enables support for end-to-end encrypted video calls by default, which also greatly enhances the quality of Signal voice calls as well.

We think it's a big improvement, and hope you will to.
#2106 CryptoBlock ransomware and its C2
CryptoBlock is an interesting ransomware to keep an eye on. We expect this to be a ransomware that is in development to eventually develop into a RaaS (Ransomware as a Service).

Since the ransomware seems to be in development, we decided there might be some weak points and investigate if we could find one. Even though it is in development to be a RaaS, as it seems users have already been infected by this variant somehow.

After getting the name CryptoBlock, we decided to check at VirusTotal and see how many droppers for it we could find there, as well as to get some information on the ransomware. Finding a single dropper on VirusTotal, we noticed it was contacting the domain fliecrypter.in to send a key to and also to get a BTC wallet.
#2105 Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
#2104 Microsoft security bulletin summary for March 2017
This bulletin summary lists security bulletins released for March 2017.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.
#2103 New Instagram credential stealers discovered on Google Play
Instagram users have been the target of several new credential stealers, appearing on Google Play as tools for either managing or boosting the number of Instagram followers.

Under the detection name Android/Spy.Inazigram, 13 malicious applications were discovered in the official Google Play store. The apps were phishing for Instagram credentials and sending them to a remote server.

While they appear to have originated in Turkey, some used English localization to target Instagram users worldwide. Altogether, the malicious apps have been installed by up to 1.5 million users. Upon ESET’s notification, all 13 apps were removed from the store.
#2102 New macOS Proton RAT available for sale on Russian hacking forum
A new remote access tool (RAT) targeting macOS users is currently being advertised on Russian underground hacking forums, a custom website, and through YouTube videos, security researchers from Sixgill have discovered.

Believed to have launched late last year, this new threat, named Proton RAT, comes with many features such as the ability to execute console commands, log keystrokes, take screenshots, access the user's webcam, open SSH/VNC remote connections, and show popups requestions additional info such as credit card numbers, login credentials, and others.
#2101 Spam campaign targets financial institutions with fake security software
Last month, Symantec detected a spam campaign mainly targeting financial institutions, which used social engineering to try trick victims into installing “virus detection software” that was in fact an information stealing Trojan (W32.Difobot).

The emails purported to come from HSBC, a banking and financial services company based in London, even displaying an @hsbc.com email address. The messages claimed that the virus detection software was Rapport from Trusteer, a legitimate security program designed to protect online bank accounts from fraud. However, the fake Rapport software is actually malicious and, if installed, does the opposite of what is claimed and steals information from the compromised computer. The malware also uses Windows GodMode in order to hide itself on infected computers.
#2100 Detecting and eliminating Chamois, a fraud botnet on Android
Google works hard to protect users across a variety of devices and environments. Part of this work involves defending users against Potentially Harmful Applications (PHAs), an effort that gives us the opportunity to observe various types of threats targeting our ecosystem. For example, our security teams recently discovered and defended users of our ads and Android systems against a new PHA family we've named Chamois.
#2099 Google launches invisible reCAPTCHA with no user interaction required
Google has launched the latest version of the reCAPTCHA service, which won't ask users to click a checkbox, as it did until now.

Google bought reCAPTCHA in 2009 and put its new acquisition to work right away when it combined it with its Google Books venture through which it was trying to scan and digitize all known books and newspapers.

For years, users had to enter two random words to solve the reCAPTCHA challenge, words which in reality were mangled texts resulted from the book and newspaper scanning process.

As the Google Books indexing process ended, Google then started pestering users with street names and street numbers, details from mangled Google Maps Street View photos.
#2098 0day exploits rarely discovered by more than one group, study finds
RAND Corporation has published possibly the most data-driven study into zero-day vulnerabilities and exploits yet.

Zero-days—vulnerabilities that are not known to the vendor of a product they affect, but that may be used by hackers to break into systems—are a polemic subject. Activists and many technologists say that keeping these vulnerabilities secret to only a small group of people, such as government hackers who use them, it puts the public's cybersecurity at risk.
#2097 Dahua, Hikvision IoT devices under siege
Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.

On March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.
#2096 New Linux malware exploits CGI vulnerability
Linux has long been the preferred operating system for enterprise platforms and Internet of Things (IoT) manufacturers. Linux-based devices are continually being deployed in smart systems across many different industries, with IoT gateways facilitating connected solutions and services central to different businesses. In connection to their widespread use, we’ve also seen the number of Linux-focused security threats on the rise. We previously reported on a string of Linux threats in 2016, the most high-profile of which was the Mirai malware (detected by Trend Micro as ELF_MIRAI family).

A new addition to the list of Linux threats is the recently detected Linux ARM malware ELF_IMEIJ.A (detected by Trend Micro as ELF_IMEIJ.A). The threat exploits a vulnerability in devices from AVTech, a surveillance technology company. The vulnerability was discovered and reported by Search-Lab, a security research facility, and was disclosed to AVTech on October 2016. However, even after repeated attempts by Search-Lab to contact the vendor there was no response.
#2095 How online gamers use malware to cheat
We typically think of malware as something used to steal data from corporations or knock down websites in politically motivated attacks. But if you’re a gamer, sometimes it’s simply a tool for winning.

SophosLabs threat researcher Tamás Boczán has been studying this trend, and recently gave a talk about it at BSides Budapest. This article reviews his findings and offers us a chance to share some of his presentation slides.
#2094 Preinstalled malware targeting mobile users
The Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.
#2093 Aggressive ad-displaying Google Play app tricks users into leaving high ratings
ESET researchers have observed an increased number of apps on Google Play using social engineering techniques to boost their ratings, ranging from legitimate apps, through adware to malware.

Among these falsely high-ranking apps, an aggressive ad-displaying trojan was spotted, installed by up to 5,000 users as a tool to download content from YouTube. The app, detected by ESET as Android/Hiddad.BZ, uses a number of deceptive methods to trick users into installing its intrusive ad-displaying component and, at the same time, secure a good rating in the store.

To achieve the latter, the app innovates the good old-fashioned method of begging for high ratings through nag screens – it displays aggressive ads and makes a false promise of removing them in exchange for a five star rating.
#2092 Facebook Lite infected with spy FakePlay
A version of the popular mobile app Facebook has been found to be infected with what we detect as Android/Trojan.Spy.FakePlay. Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. where network conditions are poor).
#2091 Cisco and Apache issue warnings over 0day flaw being targeted in the wild
Cisco's Talos says they've observed active attacks against a Zero-Day vulnerability in Apache's Struts, a popular Java application framework. Cisco started investigating the vulnerability shortly after it was disclosed, and found a number of active attacks.

In an advisory issued on Monday, Apache says the problem with Struts exists within the Jakarta Multipart parser.

"It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user," the warning explained.
#2090 Emsisoft releases a decryptor for the CryptON ransomware
Yesterday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable.
#2089 Another challenge for IoT: Open backdoors
Problems with hardcoded credentials are hitting consumer IoT devices, industrial SCADA devices, and even critical infrastructure. Despite the appeal on source code and firmware audition, this type of vulnerability recurs and threatens users’ privacy and data security.

Security researcher Elliot Williams posted on Hackaday that most GSM-to-IP devices made by DBLTek have a remotely accessible hardcoded credential which leads to a shell with root privileges. The finding was reported to the manufacturer, who didn’t really fix the underlying vulnerability. Instead, they implemented a workaround: they added an extra challenge-response process, whose algorithm can be obtained by reverse-engineering. Trustwave’s blog post summarizes the entire chain of events. A tool exploiting this vulnerability is also available on Github.
#2088 Apple has already fixed most of the iOS exploits the CIA used
WikiLeaks is back at it again, this time with more than 8,700 leaked documents apparently from inside the CIA’s Center for Cyber Intelligence. According to those documents, the CIA had knowledge of zero-day exploits it could use to hack iPhones. But Apple said many of those bugs have already been patched with the latest version of iOS.
#2087 Leaked docs suggest NSA and CIA behind Equation cyberespionage group
Purported CIA documents leaked Tuesday appear to confirm that the U.S. National Security Agency and one of CIA's own divisions were responsible for the malware tools and operations attributed to a group that security researchers have dubbed the Equation.

The Equation's cyberespionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyberespionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.

From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.
#2086 Vault 7: WikiLeaks docs hint CIA could bypass 21 security products
One of the hidden gems included in the Vault 7 data, dumped yesterday by WikiLeaks, is a document detailing bypass techniques for 21 security software products.

The document is part of a data dump of nearly 9,000 other files, all documentation files and manuals for various hacking tools, which WikiLeaks claims belong to the CIA.

One particular document, labeled "Personal Security Products (PSPs)" lists 21 security products, each linking to a separate document, containing descriptions of various exploits and techniques that could be used to bypass the named security tools.

The list covers almost all major antivirus vendors, including Comodo, Avast, Kaspersky, AVG, ESET, Symantec, and others.

For most security products included in this list, the bypass/exploit technique has been redacted. Yesterday, when it announced the Vault 7 leak, WikiLeaks said it made 70,875 redactions in total, mainly to remove any harmful code and personal details, such as names and IP addresses.
#2085 China mulls national cryptocurrency in race to digital money
Eight years ago, bitcoin was an experimental technology of interest only to a handful of enthusiasts. Today, China – which contains one in every five internet users – is mulling the idea of a national cryptocurrency.

The People’s Bank of China (PBOC) has been trialling a national digital currency based on the same underlying technology as Bitcoin. Here’s a description of how the blockchain works, but in summary – it’s decentralized, transparent and secure.

Governments worldwide have had a problematic relationship with Bitcoin. The US has held federal hearings on it, while at a state level New York has heavily regulated the cryptocurrency with its Bitlicense. Ecuador, Bolivia and Russia have all moved to ban Bitcoin outright, while other countries have taken their time working out what to do with the cryptocurrency.
#2084 After CIA leaks, tech giants scramble to patch security flaws
Several tech giants have said they are examining a trove of documents leaked earlier this week that purport to show the CIA's ability to hack into phones, computers, and smart TVs.

The documents, released by WikiLeaks, did not contain exploit code that could be used by hackers to carry out attacks, but the documents do provide details of vulnerabilities that may help security researchers identify some flaws in tech products, including Android devices and iPhones.

Apple, Google, Microsoft, and Samsung were all named in the thousands of released documents, which are believed to have come from the CIA's Center for Cyber Intelligence.
#2083 Product Security Advisory – PSA0002 – dnaLIMS
Shorebreak Security penetration testers discovered seven serious vulnerabilities in the dnaLIMS web application during the course of a blackbox penetration test for a customer. This was by no means a comprehensive review of the web application, and it should be assumed that many other vulnerabilities exist in the application.

Shorebreak notified the vendor, who appears to have no interest in fixing his flawed software that is in use on the Internet at several other organizations.

Our recommendation is to isolate this web application as much as possible to reduce the exposure – most definitely remove it from the Internet.
#2082 Payments giant Verifone investigating breach
Credit and debit card payments giant Verifone [NYSE: PAY] is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions, according to sources. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted.

San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the swiping and processing of credit and debit card payments at a variety of businesses, including retailers, taxis, and fuel stations.

On Jan. 23, 2017, Verifone sent an “urgent” email to all company staff and contractors, warning they had 24 hours to change all company passwords.
#2081 Multiple unpatched vulnerabilities discovered in Western Digital NAS hard drives
Multiple Western Digital MyCloud Networked Attached Storage (NAS) devices are affected by several security flaws, varying in severity, that allow attackers to bypass authentication, execute code on the device, and upload or download user data.

Discovered by a security researcher who goes by the name of Zenofex, these security flaws have not been reported to Western Digital, are still unpatched, and with public exploit code is available for more than half of the vulnerabilities.
#2080 Android gets patches for critical OpenSSL, media server and kernel driver flaws
A five-month-old flaw in Android's SSL cryptographic libraries is among the 35 critical vulnerabilities Google fixed in its March security patches for the mobile OS.

The first set of patches, known as patch level 2017-03-01, is common to all patched phones and contains fixes for 36 vulnerabilities, 11 of which are rated critical and 15 high. Android vulnerabilities rated critical are those that can be exploited to execute malicious code in the context of a privileged process or the kernel, potentially leading to a full device compromise.
#2079 WordPress webmasters urged to upgrade to version 4.73 to patch six security holes
Another day, another important security update for WordPress. Oh boy.

If you administer your own self-hosted WordPress website then you must update the software as soon as possible, following the disclosure of six security holes that could be exploited by malicious attackers.

Version 4.7.3 of the immensely popular web-publishing software has been released, alongside a warning that if left unpatched websites could be vulnerable to various threats, including cross-site scripting and request forgery attacks:

* Cross-site scripting (XSS) via media file metadata.
* Control characters can trick redirect URL validation.
* Unintended files can be deleted by administrators using the plugin deletion functionality.
* Cross-site scripting (XSS) via video URL in YouTube embeds.
* Cross-site scripting (XSS) via taxonomy term names.
* Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
#2078 Satan ransomware: old name, new business model
Last month, we received a few queries asking about a strain of ransomware going by the name of Satan.

Those queries were along the lines of, “What do you detect it as?”

The simple answer is Troj/Ransom-ECZ, which is what we replied back then, but there’s a backstory to the Satan malware family that we thought was worth covering, too.

Cybercriminals have long used themes like the devil, the occult and what you might rather loosely call “the dark arts” as inspiration for malware names: Dark Avenger, Necropolis, Mydoom, Natas (which is Satan backwards) and SatanBug are just a few examples

But there’s one aspect of the Satan ransomware that isn’t old-school, and that’s what we’re looking at in this article: its business model.
#2077 Don’t let WikiLeaks scare you off of Signal and other encrypted chat apps
Of all the revelations to come out of the 9,000-page data dump of CIA hacking tools, one of the most explosive is the possibility that the spy agency can compromise Signal, WhatsApp, and other encrypted chat apps. If you use those apps, let’s be perfectly clear: Nothing in the WikiLeaks docs says the CIA can do that.

A close reading of the descriptions of mobile hacking outlined in the documents released by WikiLeaks shows that the CIA has not yet cracked those invaluable encryption tools.
#2076 WikiLeaks claims CIA could turn Samsung Smart TVs into listening devices
The CIA has developed a hacking tool named Weeping Angel that can turn Samsung smart TVs into covert listening devices.

This information came to the public's attention after WikiLeaks dumped today a treasure trove of documents, codenamed Vault 7, which the organization claims were taken from a "high-security network situated inside the CIA's Center for Cyber Intelligence."

The first part of the leak included only documentation files for hacking tools, exploits, zero-days, and malware, but no actual hacking tools. In total, WikiLeaks leaked 8,761 files, among which one stood out among the most.
#2075 LeakedSource clone pops up on Russian domain
A website surfaced online today, posing to be the infamous LeakedSource data hoarding service, which went down shrouded in mystery at the end of January 2017.

The original LeakedSource launched in late 2015, and it became known worldwide after it disclosed mega data breaches affecting services such as LinkedIn, MySpace, Dropbox, and many others.
#2074 This hard drive will self destruct. Data-wiping malware targets Europe
Shamoon—the mysterious disk wiper that popped up out nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing—is back. Its new, meaner design has been unleashed three time since November. What's more, a new wiper developed in the same style as Shamoon has been discovered targeting a petroleum company in Europe, where wipers used in the Middle East have not previously been seen.

Researchers from Moscow-based antivirus provider Kaspersky Lab have dubbed the new wiper "StoneDrill." They found it while they were researching the trio of Shamoon attacks, which occurred on two dates in November and one date in late January. The refurbished Shamoon 2.0 added new tools and techniques, including less reliance on outside command-and-control servers, a fully functional ransomware module, and new 32-bit and 64-bit components.
#2073 Spammers expose their entire operation through bad backups
This is the story of how River City Media (RCM), Alvin Slocombe, and Matt Ferris, accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups.

The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.

While security practitioners are familiar with spammers and their methods, this story afforded Salted Hash with a rare opportunity to look behind the curtain and view their day-to-day operations.
#2072 SHA1 collision attack can serve backdoored torrents to track down pirates
A theoretical scenario that leverages the SHA1 collision attack disclosed recently by Google can serve backdoored BitTorrent files that execute code on the victim's machine, deliver malware, or alert copyright owners when their software has been pirated.

The theoretical attack, nicknamed BitErrant, is the work of Tamas Jos, a Hungarian security expert working for SWIFT, the company behind the SWIFT protocol used for international inter-banking transactions.

To understand the attack, users first need to understand how BitTorrent works. When someone creates a torrent file, they actually break up the original file into smaller chunks and save information about these chunks inside the torrent file.
#2071 Researcher breaks reCAPTCHA using Google's speech recognition API
A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API.

The researcher, who goes online only by the name of East-EE, released proof-of-concept code on GitHub.
#2070 Free decryption tools now available for Dharma ransomware
Computer users who have been affected by the Dharma ransomware and have held onto their encrypted files can now restore them for free. Researchers have created decryption tools for this ransomware strain after someone recently leaked the decryption keys.

Dharma first appeared in November and is based on an older ransomware program known as Crysis. It's easy to recognize files affected by it because they will have the extension: .[email_address].dharma, where the email address is the one used by the attacker as a point of contact.
#2069 50 Google engineers volunteered to patch thousands of Java open source projects
A year ago, several Google engineers got together and lay the foundation of Operation Rosehub, a project during which Google employees used some of their official work time to patch thousands of open source projects against a severe and widespread Java vulnerability.

Known internally at Google as the Mad Gadget vulnerability, the issue was discovered at the start of 2015 but came to everyone's attention in November 2015 after security researchers from Foxglove Security showcased how it could be used to steal data from WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS Java applications.
#2068 Researchers uncover PowerShell Trojan that uses DNS queries to get its orders
Researchers at Cisco's Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.

The malware was first discovered by a security researcher (@simpo13) who alerted Talos because of one peculiar feature of the code that he discovered: it called out Cisco's SourceFire security appliances in particular with the encoded text, "SourceFireSux."
#2067 Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token
I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it.

Recently a bug I found in Slack was published on HackerOne and I wanted to explain it, and the method I used to discover it.
#2066 0patching a 0day: Windows gdi32.dll memory disclosure (CVE-2017-0038)
As you've probably noticed, the last Patch Tuesday didn't make it. Consequently a number of 0-days are getting published, with CVE-2017-0038 being the first one on the list. But don't worry, every cloud has a silver lining. I had some free time last week to look into the matter and as a result I can give you the very first 0patch for a 0-day.

CVE-2017-0038 is a bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the amount of pixels provided by that file. If image dimensions are large enough the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed. An attacker could use this vulnerability to steal sensitive data that an application holds in memory or as an aid in other exploits when ASLR needs to be defeated.
#2065 Mike Pence used an AOL e-mail account for state business and it got hacked
As the US Republican vice presidential candidate, Mike Pence vigorously chastised Hillary Clinton for using a personal server to send and receive official e-mails while she was Secretary of State. Not only was the arrangement an attempt to escape public accountability, he said, it also put classified information within dangerous reach of hackers.

Now come revelations that Pence routinely used a private AOL account to conduct government business while he was governor of Indiana and that the account was hacked last summer, just months before he turned the heat on his Democratic rival over her personal e-mail server. Use of the AOL account for state business came to light in a 2,100-word article published Thursday evening by The IndyStar. The news outlet based its report on e-mails it received under a public records request. State officials declined to release an unspecified number of e-mails because the state considers them confidential and too sensitive to release to the public.
#2064 Web cache deception attack
Did it ever cross your mind that accessing links such as https://www.paypal.com/myaccount/home/stylesheet.css or https://www.paypal.com/myaccount/settings/notifications/logo.png might expose your sensitive data, and even allow attackers to take control over your account?

Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.

#2063 Dridex’s cold war: enter AtomBombing
IBM X-Force discovered that Dridex, one of the most nefarious banking Trojans active in the financial cybercrime arena, recently underwent a major version upgrade that is already active in online banking attacks in Europe.

A few weeks ago, our cybercrime labs detected a new major version of the Dridex banking Trojan, Dridex v4. The updated code features a new and innovative injection method based on a technique dubbed AtomBombing, which was first disclosed in October 2016 by security firm enSilo.

Dridex is the only banking Trojan we have encountered to use AtomBombing. This change is especially significant when it involves Trojans believed to be operated by an organized cybercrime gang because it’s likely to result in other codes adopting the same method in the future.
#2062 Decrypting after a Findzip ransomware infection
The Findzip ransomware was discovered on February 22, 2017. At that time, it was thought that files would be irreversibly encrypted by this ransomware, with no chance of decryption. Turns out, that’s not quite true.

For those who get infected with Findzip (aka Filecoder), it’s still true that the hackers behind it can’t give you a key to decrypt it. There’s no honor among these particular thieves, as they’re lying about their ability to help if you pay the ransom.

However, all hope is not lost! If you made the mistake of not having a backup, or if your backup was also compromised by the ransomware, there’s still a chance for you to recover. It will not be fast or easy, but by following the instructions in this article, you’ll be able to regain your files. These instructions will be daunting for many, so if you have any doubts about your ability to follow them, please seek help from someone with more experience.
#2061 Filecode ransomware attacks your Mac – how to recover for free
Last week, SophosLabs showed us a new ransomware sample.

That might not sound particularly newsworthy, given the number of malware variants that show up every day, but this one is more interesting than usual…

…because it’s targeted at Mac users. (No smirking from the Windows tent, please!)

In fact, it was clearly written for the Mac on a Mac by a Mac user, rather than adapted (or ported, to use the jargon term, in the sense of “carried across”) from another operating system.

This ransomware, detected and blocked by Sophos as OSX/Filecode-K and OSX/Filecode-L, was written in the Swift programming language, a relatively recent programming environment that comes from Apple and is primarily aimed at the macOS and iOS platforms.
#2060 Google security researcher finds hole in ESET's Mac antivirus
Mac users utilizing ESET's endpoint antivirus are advised to update to version 6.4.168.0 as soon as possible in order to mitigate a serious issue that allows attackers to execute arbitrary code on their machines.

The issue, discovered by Google security researcher Jason Geffner, was caused by the usage of an old library inside ESET's antivirus source code.

Geffner says vulnerable versions of the ESET Mac antivirus used the POCO XML parser library version 1.4.6p1 from 2013-03-06, which in turn was forked from Expat XML parser library version 2.0.1 from 2007-06-05.

Recently, security researchers became aware of a vulnerability (CVE-2016-0718) in the Expat library that allowed for remote code execution via malformed XML content.

This Expat flaw trickled down to the ESET Mac antivirus, where developers had used POCO to parse XML content streams.
#2059 AWS goes down, and so do millions of websites, apps, and other services
Millions of small websites, app backends, and various high-profile services are offline or experiencing severe issues because of a mysterious problem that hit Amazon's S3 (Simple Storage Service) a few hours ago.

Current reports indicate that a large number of services have been affected and are completely offline. Many other services and websites are also loading very slowly, while others services report that multimedia content doesn't load at all, mainly because it was hosted on S3.

The list of affected AWS customers includes many of Adobe's apps and services, Docker, Giphy, Grammarly, Hacker News, IFTTT, Imgur, Mailchimp, Medium, Quora, Signal, Slack, Trello, Twilio, Twitch, and countless of smaller apps and websites.
#2058 AI learns to write its own code by stealing from other programs
OUT of the way, human, I’ve got this covered. A machine learning system has gained the ability to write its own code.

Created by researchers at Microsoft and the University of Cambridge, the system, called DeepCoder, solved basic challenges of the kind set by programming competitions. This kind of approach could make it much easier for people to build simple programs without knowing how to write code.

“All of a sudden people could be so much more productive,” says Armando Solar-Lezama at the Massachusetts Institute of Technology, who was not involved in the work. “They could build systems that it [would be] impossible to build before.”

Ultimately, the approach could allow non-coders to simply describe an idea for a program and let the system build it, says Marc Brockschmidt, one of DeepCoder’s creators at Microsoft Research in Cambridge, UK.
#2057 Ransomware for dummies: Anyone can do it
Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years comes from the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money.

Recently, I came across an extremely slick and professionally produced video advertisement promoting the features and usability of “Philadelphia,” a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires.

This stunning advertisement does a thorough job of showcasing Philadelphia’s many features, including the ability to generate PDF reports and charts of victims “to track your malware campaigns” as well as the ability to plot victims around the world using Google Maps.
#2056 Pretzel: Email encryption and provider-supplied functions are compatible (PDF)
Emails today are often encrypted, but only between mail servers—the vast majority of emails are exposed in plaintext to the mail servers that handle them. While better than no encryption, this arrangement leaves open the possibility of attacks, privacy violations, and other disclosures. Publicly, email providers have stated that default end-to-end encryption would conflict with essential functions (spam filtering, etc.), because the latter requires analyzing email text. The goal of this paper is to demonstrate that there is no conflict. We do so by designing, implementing, and evaluating Pretzel. Starting from a cryptographic protocol that enables two parties to jointly perform a classification task without revealing their inputs to each other, Pretzel refines and adapts this protocol to the email context. Our experimental evaluation of a prototype demonstrates that email can be encrypted end-to-end and providers can compute over it, at tolerable cost: clients must devote some storage and processing, and provider overhead is roughly 5 x versus the status quo.
#2055 Google Play apps infected with malicious iFrames
Recently, we have discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone. Our investigation indicates that the developers of these infected apps are not to blame, but are more likely victims themselves. We believe it is most likely that the app developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds. If this is this case, this is another situation where mobile malware originated from infected development platforms without developers’ awareness. We have reported our findings to Google Security Team and all infected apps have been removed from Google Play.
#2054 Is E2EMail a new beginning or the end for Google’s End-to-End?
Google’s end-to-end email encryption project that it started back in 2014 has left home. But has the Chrome extension really “flown the nest” as Google claimed last week? Or has it simply been abandoned and left to fend for itself?

Turn back the clocks to 2013. Google promises end-to-end encryption in an effort to regain users’ trust following Edward Snowden’s revelations about global surveillance conducted by government law-enforcement agencies.

And Google did made good on that promise in March 2014, switching Gmail to HTTPS only and encrypting emails internally too, shouting from the rooftops that these changes were
#2053 Expanding protection for Chrome users on macOS
Safe Browsing is broadening its protection of macOS devices, enabling safer browsing experiences by improving defenses against unwanted software and malware targeting macOS. As a result, macOS users may start seeing more warnings when they navigate to dangerous sites or download dangerous files.
#2052 Password-manager apps for Android (security analysis)
There are different policies for the generation of secure passwords. However, one of the biggest challenges is to memorize all these complex passwords. Password manager applications are a promising way of storing all sensitive passwords cryptographically secure. Accessing these passwords is only possible if the user enters a secret master password. At first sight, the requirements for a password manager application seem simple: Storing the passwords of a user centralized in a secure and confidential way. However, how is the reality on mobile, password manger applications, especially on Android? Applications vendors advertise their password manager applications as “bank-level” or “military-grade” secure. However, can users be sure that their secrets are actually stored securely? Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users` confidence and expose them to high risks.
#2051 Crypt0L0cker ransomware is back with campaigns targeting Europe
The Crypt0L0cker ransomware, otherwise known as Torrentlocker or Teerac, was a common ransomware infection that mostly targeted Australia and European countries in 2014. Towards the middle of 2015, though, this ransomware slowly started dying off to the point that it was hardly distributed anymore.

Fast forward to the beginning of February 2017 where we are now seeing Crypt0L0cker making a strong come back and targeting European countries once again.
#2050 Yahoo says 32m user accounts were accessed via cookie forging attack
Yahoo has said that an unauthorised third party accessed the company's proprietary code to learn how to forge certain cookies, which it said resulted in an intruder accessing approximately 32 million user accounts without a password.

"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016," Yahoo disclosed in its annual report, filed with the US Securities and Exchange Commission (SEC) on Wednesday.

"We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident."
#2049 New RaaS portal preparing to spread Unlock26 ransomware
A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week.

First spotted two days ago, this ransomware operation is quite unique as it features a very minimal and direct style, with little-to-no instructions and simple-designed ransom notes and ransom payment portal.

Based on two messages left on the Dot-Ransomware homepage, this entire operation launched on Sunday, February 19, when the website was set up.
#2048 Creepy IoT teddy bear leaks >2 million parents’ and kids’ voice messages
A maker of Internet-connected stuffed animal toys has exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts.

The account data was left in a publicly available database that wasn't protected by a password or placed behind a firewall, according to a blog post published Monday by Troy Hunt, maintainter of the Have I Been Pwned?, breach-notification website. He said searches using the Shodan computer search engine and other evidence indicated that, since December 25 and January 8, the customer data was accessed multiple times by multiple parties, including criminals who ultimately held the data for ransom. The recordings were available on an Amazon-hosted service that required no authorization to access.
#2047 Google open-sources Chrome extension to make PGP encryption easier in Gmail
Late Friday, last week, Google announced a new tool for security-minded users, called E2EMail, a Chrome extension that simplifies the installation of PGP encryption for Gmail.

Initially created by Google engineers, E2EMail has now been open-sourced on GitHub, so other security experts can contribute and improve its effectiveness.

E2EMail is not yet available via the Chrome Web Store, and if you want to install it, you'll have to go through a series of complicated steps to build the extension and then load it in Chrome. Instructions are included in the GitHub repo.
#2046 Shamoon (malware): Multi-staged destructive attacks limited to specific targets
Recent attacks involving the destructive malware Shamoon (W32.Disttrack.B) were launched by attackers conducting a much wider campaign in the Middle East. While the attackers have compromised multiple targets in the region, only selected targets in Saudi Arabia were infected with Shamoon.

On February 15, publications from IBM (The Full Shamoon) and Palo Alto (Magic Hound) separately discussed a persistent attack campaign operating primarily in the Middle East with links to Shamoon. This campaign was conducted by a group we identify as Timberworm. The group appears to have facilitated the third wave of destructive attacks involving Shamoon in January 2017. Timberworm operates in the Middle East and beyond. Only specific organizations affiliated with Saudi Arabia appear to have been earmarked for destructive wiping attacks.
#2045 More on bluetooth ingenico overlay skimmers
This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

The device featured here is a Bluetooth-based skimmer; it is designed to steal both the card data when a customer swipes and to record the victim’s PIN using a PIN pad overlay.

The Bluetooth component of the skimmer allows the thieves to retrieve stolen data wirelessly via virtually any Bluetooth enabled device — just by being in proximity to the compromised card terminal (~30 meters).
#2044 Google reports “high-severity” bug in Edge/IE, no patch available
A member of Google's Project Zero security research team has disclosed a high-severity vulnerability in Microsoft's Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.

The vulnerability stems from what's known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google's policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said "can be controlled by an attacker (with some limitations)." Asked by a commenter how easy it would be to bypass security measures designed to prevent code execution, Fratric wrote: "I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."
#2043 Severe SQL injection flaw discovered in WordPress plugin (NextGEN Gallery) with over 1M installs
A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database.

The vulnerable plugin's name is NextGEN Gallery, a plugin so successful that it has its own set of plugins itself.

Two configuration options for NextGEN Gallery plugin installations open WordPress sites to attacks.
#2042 Siemens RUGGEDCOM NMS equipment vulnerable to CSRF, XSS
Enterprise network management equipment made by Siemens suffers from vulnerabilities that could allow an attacker to perform administrative actions.

Two flaws, a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability, exist in the company’s RUGGEDCOM NMS line of network management products.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned the vulnerabilities are remotely exploitable and would take a low skill level to exploit in an advisory published on Tuesday.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12