Security Alerts & News
by Tymoteusz A. Góral

History
#2256 iCloud support scams
iCloud is an increasingly large target for scams of all kinds. It’s a common target for scams involving phishing e-mails. The goal of such scams is to get you to click a link that takes you to a fake iCloud login page, resulting in you submitting your iCloud login credentials to thieves. It’s also frequently attacked via brute-force guessing of weak passwords and weak security questions.

The results of such scams can vary. Some are interested in the purchasing power since iCloud accounts double as Apple IDs, which can be used to make purchases from the Mac App Store, iOS App Store, and even the online and brick-and-mortar Apple Stores.

Other scammers want access to your files – typically photos stored in iCloud – such as the “Celebgate” incident. Celebgate involved a number of celebrities who had their accounts compromised, resulting in the theft and subsequent publication of nude photos.
#2255 Healthcare CERT warns about ‘Mole’ ransomware – what you need to know
A few readers have asked us about a ransomware variant with the intriguing name of Mole.

Interest seems to have been sparked by a recent security advisory from CareCERT, the cybersecurity initiative set up for the UK’s National Health Service (NHS), currently the world’s fifth largest employer.

(You know you want to ask, so we’ll answer. Depending on whom you consult and how you count, the list goes something like this: US Department of Defense, PRC People’s Liberation Army, Walmart, McDonalds, NHS.)
#2254 Facebook tracks scary-specific details about your life. Here’s how to find what it knows
As the saying goes: “if you aren’t being sold, you are the product.” Nowhere is this more true than on Facebook.

The social network boasts nearly two billion users, and offers a staggering amount of free content that keeps most of us engaged hours each day. And in the future, it’s looking to further that effort to keep us on-site even longer, or in other Facebook-owned properties like Messenger, Whatsapp, and Instagram.
#2253 Linux Shishiga malware using LUA scripts
Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.
#2252 Cyberespionage, ransomware big gainers in new Verizon breach report
Verizon released its tenth annual breach report this morning, and cyberespionage and ransomware were the big gainers in 2016.

Cyberspionage accounted for 21 percent of cases analyzed, up from 13 percent last year, and was the most common type of attack in the manufacturing, public sector, and education.

In fact, in the manufacturing sector, cyberespionage accounted for 94 percent of all breaches. External actors were responsible for 93 percent of breaches, and, 91 percent of the time, the target was trade secrets.
#2251 More LastPass flaws: researcher pokes holes in 2FA
Recently we’ve been writing about LastPass more than seems healthy.

March saw two rounds of serious flaws made public by Google’s Tavis Ormandy (quickly fixed), which seemed like a lot for a single week. Days ago, news emerged of a new issue (also fixed) in the company’s two-factor/two-step authentication (2FA) security.

To coin a phrase, all serious flaws are serious – but some are more serious than others.

This one matters for two reasons, only one of which will sound flippant: it wasn’t discovered by Tavis Ormandy, who at times has seemed to be writing a novella on flaw-hunting with the company’s name on it. That’s fine – researching vulnerabilities is his day job, after all.
#2250 FalseGuide malware victim count jumps to 2 million
An estimated 2 million Android users have now fallen victim to malware mistakenly downloaded from Google Play, which was initially reported to have affected approximately 600,000 users.

The malware, dubbed FalseGuide, was hidden in more than 40 guide apps for games, the oldest of which was uploaded to Google Play as early as November last year, security researchers from Check Point said.

"Since April 24, when the article below was first published, Check Point researchers learned that the FalseGuide attack is far more extensive than originally understood," Check Point said.
#2249 UK man gets two years in jail for running ‘Titanium Stresser’ attack-for-hire service
A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.

Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.
#2248 How free hacking tools on the web could be leading kids into cybercrime
Gaming websites could be spawning a new breed of cybercriminals, according to new research which claims that young people are being indoctrinated into hacking crimes via free and easily-accessible internet pages.

Websites and forums which provide cheat codes and modifications for video games are making it increasingly easy for young people to develop criminal skills and become involved in hacking chat rooms, a report by the U.K.'s National Crime Agency (NCA) has said.

Readily-available step-by-step tutorials for Remote Access Trojan (RAT) malware programs and distributed denial-of-service (DDoS) attacks are also making the skills barrier into cybercrime lower than it has ever been, the NCA suggests.
#2247 Hipchat resets user passwords after possible breach
HipChat has reset all its users' passwords after what it called a security incident that may have exposed their names, email addresses and hashed password information.

In some cases, attackers may have accessed messages and content in chat rooms, HipChat said in a Monday blog post. But this happened in no more than 0.05 percent of the cases, each of which involved a domain URL, such as company.hipchat.com.

HipChat didn't say how many users may have been affected by the incident. The passwords that may have been exposed would also be difficult to crack, the company said. The data is hashed, or obscured, with the bcrypt algorithm, which transforms the passwords into a set of random-looking characters. For added security, HipChat "salted" each password with a random value before hashing it.
#2246 Pawn storm abuses open authentication in advanced social engineering attacks
Pawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses different methods and strategies to gain information from their targets, which are covered in our latest research. However, they are particularly known for dangerous credential phishing campaigns. In 2016, the group set up aggressive credential phishing attacks against the Democratic National Convention (DNC), German political party Christian Democratic Union (CDU), the parliament and government of Turkey, the parliament of Montenegro, the World Anti-Doping Agency (WADA), Al Jazeera, and many other organizations.

This blog post discusses how Pawn Storm abused Open Authentication (OAuth) in advanced social engineering schemes. High profile users of free webmail were targeted by campaigns between 2015 and 2016.
#2245 Webroot 'mistakenly' flags Windows as malware and Facebook as phishing site
Popular antivirus service Webroot mistakenly flagged core Windows system files as malicious and even started temporarily removing some of the legit files, trashing user computers around the world.

The havoc caused after the company released a bad update on April 24, which was pulled after approximately 15 minutes. But that still hasn't stopped some PCs from receiving it, causing serious issues for not just individuals, but also companies and organizations relying on the software.

According to the reports by many customers on social media and Webroot's forum, hundreds and even thousands of systems were broken down after antivirus software flagged hundreds of benign files needed to run Windows and apps that run on top of the operating system.
#2244 More than 10,000 Windows computers may be infected by advanced NSA backdoor
Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.
#2243 Would you like a backdoor with that Linksys router, Sir?
Linksys says that 25 router models are vulnerable to remote hacking and could be taken over by an attacker if users still use their default admin credentials.

The company issued a security advisory this week, letting customers know that certain products are vulnerable to three vulnerabilities discovered by cyber-security firm IOActive.

Linksys, formerly part of Cisco, now a Belkin brand, says it's working on delivering a firmware update to mitigate all three flaws. In the meantime, the company issued a security alert as a warning for customers that might be vulnerable to attacks.
#2242 INTERPOL-led cybercrime operation across ASEAN unites public and private sectors
SINGAPORE – An INTERPOL-led operation targeting cybercrime across the ASEAN region has resulted in the identification of nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals.

The operation, run out of the INTERPOL Global Complex for Innovation (IGCI), brought together investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime situations in each country. Additional cyber intelligence was also provided by China.

Experts from seven private sector companies - Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks - also took part in pre-operational meetings in order to develop actionable information packages.

Information provided by the private sector combined with cyber issues flagged by the participating countries enabled specialists from INTERPOL’s Cyber Fusion Centre to produce 23 Cyber Activity Reports. The reports highlighted the various threats and types of criminal activity which had been identified and outlined the recommended action to be taken by the national authorities.
#2241 Android O will contain special feature to fight off ransomware
Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks.

Starting with Android O (8.0), set to be released in the fall of 2017, Google plans to deprecate the following window types: TYPE_SYSTEM_ALERT, TYPE_SYSTEM_ERROR, and TYPE_SYSTEM_OVERLAY.

These are special "system" windows that are shown above any app on the user's screen. As you'd imagine, this is highly valued realty for ransomware developers, who often aim to obtain permissions to show content via these windows.

Once they manage to obtain such permission, they use these windows to block the user's access to the rest of his phone and show ransom notes.
#2240 The godfather of ransomware returns: Locky is back and sneakier than ever
The ransomware that drove last year's boom in file-encrypting malware is back, and this time it's even harder to detect.

Ransomware cost its victims some $1bn during 2016, with Locky one of the most widespread variants, infecting organisations across the globe.

However, the start of 2017 saw a sudden decline in the distribution of Locky, to such an extent that another form of ransomware -- Cerber -- has usurped Locky's dominance.

But after being all but written off, Locky is staging a comeback. Cybersecurity researchers at Cisco Talos have observed a surge in emails distributing Locky, with over 35 thousand emails sent in just a few hours. This surge in distribution is being attributed to the Necurs botnet, which until recently focused on spamming pump-and-dump stockmarket scams.
#2239 BrickerBot author claims he bricked two million devices
ust like Wifatch and Hajime, the BrickerBot malware is the work of a vigilante grey-hat, who goes online by the name of Janit0r, a nickname he chose on the Hack Forums discussion boards.

If you're unfamiliar, BrickerBot is a new malware family that was first identified at the start of the month by Radware researchers. The malware made headlines because it was the first threat of its kind that intentionally bricked IoT and networking devices, by rewriting the flash storage space of affected devices with random data.

Such actions rendered troves of devices useless, many needing a firmware reinstall, but as many needing to be replaced altogether.
#2238 Beware! Dozens of Linksys WiFi router models vulnerable to multiple flaws
Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed the existence of nearly a dozen of unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi Routers models widely used today.

IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models.

Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers.

According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors.
#2237 Location tracking Android spyware found in Google Play store
Android malware capable of accessing smartphone users' location and sending it to cyberattackers remained undetected in the Google Play store for three years, according to a security company.

Discovered by IT security researchers at Zscaler, the SMSVova Android spyware poses as a system update in the Play Store and was downloaded between one million and five million times since it first appeared in 2014.

The app claims to give users access to the latest Android system updates, but it's actually malware designed to compromise the victims' smartphone and provide the users' exact location in real time.
#2236 Windows bug used to spread Stuxnet remains world’s most exploited
One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab.

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year.
#2235 Credit card with a fingerprint sensor revealed by Mastercard
A payment card featuring a fingerprint sensor has been unveiled by credit card provider Mastercard.

The rollout follows two successful trials in South Africa.

The technology works in the same way as it does with mobile phone payments: users must have their finger over the sensor when making a purchase.

Security experts have said that while using fingerprints is not foolproof, it is a "sensible" use of biometric technology.
#2234 Researchers find commercial banking apps contain swarms of open-source bugs
Open-source projects have long proved a boon for software developers at large, but new research suggests that their use can compromise application security.

According to researchers from Black Duck Software, in the firm's 2017 Open Source Security and Risk Analysis (OSSRA) report, there are "significant cross-industry risks" in the use of open-source software. Namely, vulnerabilities found in such software and components are not being addressed as they should.

The Burlington, Mass.,-based firm says that due to lax security practices, this also presents a challenge for compliance -- and the results of the audit report should be a "wake-up call" for developers.
#2233 Report: Cybercriminals prefer Skype, Jabber and ICQ
The most popular instant messaging platforms with cyber criminals are Skype, Jabber and ICQ, according to a new report released this morning.

Meanwhile, consumer-grade platforms like AOL Instant Messenger and Yahoo IM have fallen out of favor, while newer, more secure consumer oriented platforms like Telegram and WhatsApp are also gaining popularity.

The newer platforms are more user-friendly and more convenient, but also offer greater security, said Leroy Terrelonge, Director of Middle East and Africa Research at Flashpoint, which recently released a report about the communication platforms cyber criminals have been using over the past four years.
#2232 New open source RAT uses Telegram protocol to steal data from victims
Someone has created a new Remote Access Trojan (RAT) that uses the Telegram protocol to steal user data from infected devices.

The RAT is written in Python and is currently available as a free download on a public code sharing portal.

The RAT's author, whose name we won't be sharing, claims to have embarked into creating this tool as a way to improve how most of today's RATs work.

The author highlights that the biggest problem with most RATs is that they don't use encryption and require that the attacker enable port forwarding on the victim's machine to control infected hosts.

The developer proposes his own tool, named RATAtack, which uses the Telegram protocol to support an encrypted channel between victims and their master, and does not need port forwarding, as the Telegram protocol also provides a simple method to communicate to the target without configuring port forward beforehand on the target.
#2231 Microsoft turns 2FA into one-factor by ditching password
Microsoft Authenticator is a pleasant enough two-factor authentication app. You can use it to generate numeric authentication codes for accounts on Google, Facebook, Twitter, and indeed, any other service that uses a standard one-time password. The login process is straightforward: first you sign in to each site with your username and regular, fixed password, then you use the code generated by the app.

But for Microsoft accounts, Redmond is offering something new: getting rid of that first password and using just the phone to authenticate. With phone-based authentication enabled, after entering your Microsoft Account e-mail address, you'll receive an alert on your phone. From that alert, you can either approve or reject the authentication attempt—no password necessary.
#2230 Hajime worm battles Mirai for control of the IoT
A battle is raging for control of Internet of Things (IoT) devices. There are many contenders, but two families stand out: the remains of the Mirai botnet, and a new similar family called Hajime.

Hajime was first discovered by researchers in October of last year and, just like Mirai (Linux.Gafgyt), it spreads via unsecured devices that have open Telnet ports and use default passwords. In fact, Hajime uses the exact same username and password combinations that Mirai is programmed to use, plus two more.
#2229 User-made patch lets owners of next-gen CPUs install updates on Windows 7 and 8.1
GitHub user Zeffy has created a patch that removes a limitation that Microsoft imposed on users of 7th generation processors, a limit that prevents users from receiving Windows updates if they still use Windows 7 and 8.1.

This limitation was delivered through Windows Update KB4012218 (March 2017 Patch Tuesday) and has made many owners of Intel Kaby Lake and AMD Bristol Ridge CPUs very angry last week, as they weren't able to install any Windows updates.

Microsoft's move was controversial, but the company did its due diligence, and warned customers of its intention since January 2016, giving users enough time to update to Windows 10, move to a new OS, or downgrade their CPU, if they needed to remain on Windows 7 or 8.1 for various reasons.
#2228 Ransomware Timeline: 2010 – 2017
Ransomware Timeline: 2010 – 2017
#2227 NSA-leaking Shadow Brokers just dumped its most damaging release yet
Important Update 4/15/2017 11:45 AM California time None of the exploits reported below are, in fact, zerodays that work against supported Microsoft products. Readers should read this update for further details. What follows is the post as it was originally reported.

The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits—just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.
#2226 A Russian hacker has created his own 'starter pack' ransomware service
A new kind of highly-customized ransomware recently discovered by security researchers allows individual criminals to deliver "ransomware-as-a-service".

What sets this ransomware apart from other kinds of file-locking software is that criminals who buy this specialized malware, dubbed Karmen, can remotely control the ransomware from their web browser, allowing the attacker to see at-a-glance a centralized web dashboard of their entire ransomware campaign.
#2225 This phishing attack is almost impossible to detect on Chrome, Firefox and Opera
A Chinese infosec researcher has reported about an "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet.

He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.

What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right?
#2224 Oracle delivers a whopping 299 fixes in April 2017's critical patch update
Today, Oracle released their April 2017 Critical Patch Update, or CPU, that resolves a record breaking 299 vulnerabilities across all of their products. According to a report by ERPScan, this is the largest CPU released by Oracle.

Of these 299 vulnerabilities, over 100 are remotely exploitable without authentication. This means that it is possible to remotely exploit the vulnerability through malicious web sites or via a remote attack depending on the particular software. Once an attack successfully exploits a vulnerability, the attacker may be able to execute commands on the affected computer without the victim's knowledge or permission.

The three products with the most security updates are Oracle Financial Services Applications with 47 vulnerabilities and Oracle Retail Applications and Oracle MySQL, which are tied at 39 fixes. Java, which is notorious for being used by exploit kits to install malware on vulnerable systems had 8 new security fixes, with 7 of them being remotely exploitable.
#2223 The Callisto group
The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.

In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target’s webmail credentials.

In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained, as their final payload, the “Scout” malware tool from the HackingTeam RCS Galileo platform.

These spear phishing emails were crafted to appear highly convincing, including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing.

The Callisto Group has been active at least since late 2015 and continues to be so, including continuing to set up new phishing infrastructure every week.
#2222 Report: Cybercrime climate shifts dramatically in first quarter
The first quarter of 2017 brought with it some significant changes to the threat landscape and we aren’t talking about heavy ransomware distribution either. Threats which were previously believed to be serious contenders this year have nearly vanished entirely, while new threats and infection techniques have forced the security community to reconsider collection and analysis efforts.
#2221 Android trojan targeting over 420 banking apps worldwide found on Google Play Store
A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017, on Google Play Store.

Niels Croese, the security researcher at Securify B.V firm, analyzed the Funny Videos app that has 1,000 to 5,000 installs and found that the app acts like any of the regular video applications on Play Store, but in the background, it targets victims from banks around the world.
#2220 New processors are now blocked from receiving updates on old Windows
We knew Microsoft was planning to block installation of Windows 7 and 8.1 updates on systems with Intel 7th Generation Core processors (more memorably known as Kaby Lake) and AMD Ryzen systems; we just weren't sure when. Now, the answer appears to be "this month." Users of new processors running old versions of Windows are reporting that their updates are being blocked. The block means that systems using these processors are no longer receiving security updates.

The new policy was announced in January of last year and revised slightly a couple of months later: Kaby Lake and Ryzen processors, and all new processors on an ongoing basis, would only be supported in Windows 10. Windows 7 and 8.1 would continue to support older processors, but their chip compatibility was frozen.
#2219 OWASP Top 10 - 2017 RC1 - the ten most cirtical web application security risks (PDF)
Welcome to the OWASP Top 10 2017! This major update adds two new vulnerability categories for the first time: (1) Insufficient Attack Detection and Prevention and (2) Underprotected APIs. We made room for these two new categories by merging the two access control categories (2013-A4 and 2013-A7) back into Broken Access Control (which is what they were called in the OWASP Top 10 - 2004), and dropping 2013-A10: Unvalidated Redirects and Forwards, which was added to the Top 10 in 2010.

The OWASP Top 10 for 2017 is based primarily on 11 large datasets from firms that specialize in application security, including 8 consulting companies and 3 product vendors. This data spans vulnerabilities gathered from hundreds of organizations and over 50,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas – and also provides guidance on where to go from here.
#2218 Android O no! Android O causes problems for mobile ransomware developers
The first developer preview of Google’s latest mobile operating system, Android O, has been released. As usual, the newest version of Android has several new features and updates. One of those updates has a direct impact on many Android ransomware threats.

Android ransomware using system-type windows will no longer work on devices running Google’s latest mobile operating system, even if the relevant permission has been granted by the device’s user.
#2217 Five inmates built two PCs and hacked a prison from within
Five inmates from the Marion Correctional Institution (MCI) built two computers from spare parts, hid them in the ceiling of a training room closet, and used them to hack into the prison's network.

Their actions were discovered in July 2015, when the prison's IT staff switched internal proxy servers from Microsoft to WebSense (now part of Forcepoint).

These servers, designed to monitor and report suspicious traffic, immediately started reporting issues.
#2216 Microsoft kills off security bulletins after several stays
Microsoft this week retired the security bulletins that for decades have described each month's slate of vulnerabilities and accompanying patches for customers -- especially administrators responsible for companies' IT operations.

One patch expert reported on the change for his team. "It was like trying to relearn how to walk, run and ride a bike, all at the same time," said Chris Goettl, product manager with patch management vendor Ivanti.
#2215 CVE-2017-0199 Used as 0day to distribute FINSPY espionage malware and LATENTBOT malware
FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the technical details of this vulnerability as soon as a patch was made available.

In this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.
#2214 The iCloud hackers' bitcoin ransom looks like a fake
A group of hackers who claimed to hold millions of iCloud accounts for ransom said on Friday they'd been paid. But one bitcoin expert says that's bogus.

The Turkish Crime Family grabbed headlines last month by claiming they had the stolen login credentials for more than 700 million icloud.com, me.com and mac.com accounts. They demanded increasing ransoms from Apple while threatening to wipe the data from devices connected to the affected accounts if it did not.

On Friday, the hackers tweeted that they had been paid US$480,000 in bitcoin. As proof, the group posted a link showing a transaction on Blockchain.info, a popular bitcoin wallet.
#2213 Matrix ransomware spreads to other PCs using malicious shortcuts
Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of wide spread distribution.

Now that it is being distributed via a large campaign and an exploit kit, it was time to take a deeper dive into this ransomware to see what features it has. What was found is interesting as Matrix Ransomware has the worm like features that allow it to spread outside of the originally infected machine via Windows shortcuts and uploads stats about the types of files that are encrypted.
#2212 How to get admin credentials from TPLink M5350 3G/WiFi modem with a text message
A German security researcher discovered how to retrieve the admin credentials from a TP-Link M5350 3G/Wi-Fi modem with an evil text message

Some bugs are very strange and dangerous, this is the case of a flaw affecting the TP-Link’s M5350 3G/Wi-Fi router that can expose admin credentials to an evil text message.
#2211 Hacker caused panic in Dallas by turning on every emergency siren at once
We have seen hackers flooding 911 emergency service with rogue requests to knock the service offline for an entire state, but some hacking incidents are worse than others.

One such incident took place in Dallas on Friday night when hacker triggered a network of 156 emergency warning sirens for about two hours, waking up residents and sparking fears of a disaster.

The emergency warning sirens — designed to warn citizens of the Texas about dangerous weather conditions, such as severe storms and tornados — were activated around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday.
#2210 Thousands of fake Google Maps listings redirect users to fraudulent sites each month
Tens of thousands of fake listings are added to Google Maps each month, redirecting users to fraudulent websites selling phony or overpriced services, or part of some referral scam.

This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as "abusive" and added to Google Maps between June 2014 and September 2015.

Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles.
#2209 ShadowBrokers fails to collect 1M bitcoins – releases stolen information
ShadowBrokers finally made good on their promise to release the decryption key to unlock the stolen ‘auction’ file purportedly filled with NSA hacking tools.

Over the weekend, the hacking group ShadowBrokers released the decryption key for the ‘auction’ file that was included in the dump of information from last summer that the group claimed they acquired from Equation Group – reportedly a well-known hacking team responsible for highly sophisticated malware campaigns such as Flame and Stuxnet and possibly associated with certain 3-letter government agencies.

While the group’s get-rich-quick plan to sell the auction file for the astronomical asking price of 1M bitcoins (roughly $1,186,510,000.00 US Dollar as of today) may have ended with spectacular failure, the team has made good on their promise to ultimately release the stolen information should the requested payoff not be received. It’s difficult, if not impossible for us to verify the claims from the hackers or to place attribution to the appropriate group, but there are interesting bits of information contained within the archive and we will document some of the early discoveries here.
#2208 How criminals can steal your PIN by tracking the motion of your phone
Cyber experts at Newcastle University, UK, have revealed the ease with which malicious websites, as well as installed apps, can spy on us using just the information from the motion sensors in our mobile phones.

Analysing the movement of the device as we type in information, they have shown it is possible to crack four-digit PINs with a 70% accuracy on the first guess – 100% by the fifth guess - using just the data collected via the phone’s numerous internal sensors.
#2207 Adobe publishes security updates for Flash, Reader, Photoshop and Creative Cloud
Earlier today, Adobe has released security patches for several of its applications, including Adobe Flash Player, Adobe Campaign, Adobe Photoshop CC, the Creative Cloud Desktop Application, and Adobe Acrobat and Reader.

While all the Adobe security bulletins released today include important patches, the ones affecting Flash, Acrobat/Reader, and Photoshop, are worrisome, mainly due to the huge userbases those applications possess.
#2206 If you’re somehow still on Windows Vista, upgrade right now
Windows Vista was not a popular Microsoft release. We can just say it. Launched in 2007 (after a few delays), it was the first Windows overhaul since the well-loved XP release in 2001. Six years is a long time to make people wait, no matter how great the replacement. And Vista, well, was not great. A decade later, Microsoft’s finally pulling the plug on support tomorrow. Which means, if you’re somehow stuck with Microsoft’s least popular operating system, it’s time to move on. Like, now.
#2205 Dridex campaigns hitting millions of recipients using unpatched Microsoft 0day
This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.

This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor - that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks - remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.
#2204 Critical Word 0day is only 1 of 3 Microsoft bugs under attack
A zero-day code-execution vulnerability in Microsoft Office is one of three critical flaws under active attack in the wild, Microsoft warned Tuesday as it rolled out a batch of updates that plug the security holes.

As Ars reported Monday night, attackers are exploiting the flaw to infect unsuspecting Word users with bank-fraud malware known as Dridex. Blog posts published Tuesday morning by security firms Netskope and FireEye reported that attackers are exploiting the same bug to install malware with the names Godzilla and Latenbot.
#2203 LMAOxUS ransomware: another case of weaponized open source ransomware
An Indian developer is playing around with an open source ransomware builder, which in the long run may end up causing serious problems for innocent users.

This developer, who goes by the nickname of Empinel and claims to be based in Mumbai, has forked the open source code of the EDA2 project, and with the help of another user, has removed the backdoor hidden in EDA2's original code.

His work started back in May 2016, when he tinkered with EDA2's source code and renamed the project to Stolich, modifying certain aspects of EDA2's encryption.

He received help in September 2016 when another "friendly" developer pushed a pull request to the Stolich repo that removed the EDA2 backdoor code.
#2202 Sathurbot: distributed WordPress password attack
This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.
#2201 Malvertising on iOS pushes eyebrow-raising VPN app
There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.
#2200 New malware intentionally bricks IoT devices
A new malware strain called BrickerBot is bricking Internet of Things (IoT) devices around the world by corrupting their storage capability and reconfiguring kernel parameters.

Detected via honeypot servers maintained by cyber-security firm Radware, the first attacks started on March 20 and continued ever since, targeting only Linux BusyBox-based IoT devices.

Right from the get-go, two different versions of BrickerBot were detected: BrickerBot.1 and BrickerBot.2.
#2199 Cybercriminals are building an army of things creating a tipping point for cybersecurity
Cybercrime is big business, and is growing at an exponential rate. British insurer Lloyd’s of London estimated the cybercrime market at $400 Billion in 2015. Today, just two years later, the World Economic Forum estimates that the total economic cost of cybercrime to currently be $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.

One of the forces behind this explosive growth of cybercrime is that illegal business can be safely conducted deep in a part of the Internet that most people have never seen, and have no idea how to access. The “darknet” lies beyond normal web browsers, is protected by layers of anonymity, and has become a haven for criminal commerce.
#2198 The top 5 dumbest cyber threats that work anyway
The common conception of cyber attacks is kind of like bad weather: ranging from irritating to catastrophic, but always unpredictable. Hackers are simply too sophisticated to draw any reliable judgments on and we shouldn’t try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. Here’s a few.
#2197 WikiLeaks just dropped the CIA’s secret how-to for infecting Windows
WikiLeaks has published what it says is another batch of secret hacking manuals belonging to the US Central Intelligence Agency as part of its Vault7 series of leaks. The site is billing Vault7 as the largest publication of intelligence documents ever.

Friday's installment includes 27 documents related to "Grasshopper," the codename for a set of software tools used to build customized malware for Windows-based computers. The Grasshopper framework provides building blocks that can be combined in unique ways to suit the requirements of a given surveillance or intelligence operation. The documents are likely to be of interest to potential CIA targets looking for signatures and other signs indicating their Windows systems were hacked. The leak will also prove useful to competing malware developers who want to learn new techniques and best practices.
#2196 Shadow brokers publish the password for the rest the stolen NSA hacking tools
The Shadow Brokers (TSB) are back, and they've released the password for the rest of the hacking tools they claim to have stolen from the NSA last year.

TSB is a mysterious group that appeared in the summer of 2016 when they dumped on GitHub and other sites a trove of files they claim to have stolen from the Equation Group, a codename given to a cyber-espionage group many cyber-security experts believe to be the NSA.
#2195 Critical Office 0day attacks detected in the wild
t McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.

This blog post serves as a heads-up for our customers and all Office users to protect against this zero-day attack.

The samples we have detected are organized as Word files (more specially, RTF files with “.doc” extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.
#2194 Payday lender Wonga confirms data breach
UK Payday lender Wonga has issued a statement instructing customers to contact their banks as a matter of urgency, after confirming a data breach earlier on Sunday.

"We believe there may have been illegal and unauthorised access to the personal data of some of our customers," a statement issued by the company reads.

Personal details from hundreds of thousands of accounts may have been illegally accessed, with reports indicating this number could affect up to 270,000 current and former customers.
#2193 Hackers empty ATM by drilling one small hole
ATM thieves had drilled a small hole, wide of about 4 centimeters (1.5 inches), on the side of the ATM's PIN (numbers) pad. After dismantling a similar ATM in their laboratory, Kasperksy researchers realized this hole was right near a crucial ATM component, a 10-pin header.

This 10-pin header wasn't just any connector, but the header for connecting straight to the ATM's main bus, which interconnected all the other ATM's components, from the screen to the PIN pad, and from the internal cash store to the ATM dispenser.
#2192 Are you identifiable by extensions, logins and your browser?
Are you identifiable is a new web service that answers whether Internet sites may identify you based on your extensions, logins, and web browser.

Online privacy is a hot topic, and making sure that you you are not tracked or traced online may soon require a master's degree in privacy.

New technologies, the rise of HTML5 and all that came with it for instance, added new capabilities. As is the case with these things usually, they can be used for good and bad.

It is no longer enough to use a VPN, or a content blocker to keep some of your privacy while you are on the Internet. You also need to know and deal with new technologies such as WebRTC or intermediate CA caching, to avoid leaks or browser fingerprinting scripts.
#2191 No More Ransom adds 15 new decryption tools as record number of partners join global initiative
Nine months after the launch of the No More Ransom (NMR) project, an ever-growing number of law enforcement and private partners have joined the initiative, allowing more victims of ransomware to get their files back without paying the criminals.

The platform www.nomoreransom.org is now available in 14 languages and contains 40 free decryption tools. Since our last report in December, more than 10 000 victims from all over the world have been able to decrypt their affected devices thanks to the tools made available free of charge on the platform.
#2190 Report: 30% of malware is 0day, missed by legacy antivirus
At least 30 percent of malware today is new, zero-day malware that is missed by traditional antivirus defenses, according to a new report.

"We're gathering threat data from hundreds of thousands of customers and network security appliances," said Corey Nachreiner, CTO at WatchGuard Technologies. "We have different types of malware detection services, including a signature and heuristic-based gateway antivirus. What we found was that 30 percent of the malware would have been missed by the signature-based antiviruses."
#2189 Over The Air: Exploiting Broadcom’s WiFi stack (Part 1)
It’s a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern mobile platforms include multiple processing units, all elaborately communicating with one another. While the code running on the application processor (AP) has been the subject of much research, other components have seldom received the same scrutiny.

Over the years, as a result of the focused attention by security folk, the defenses of code running on the application processor have been reinforced. Taking Android as a case study, this includes hardening the operating system, improving the security of applications, and introducing incremental security enhancements affecting the entire system. All positive improvements, no doubt. However, attackers tend to follow the path of least resistance. Improving the security of one component will inevitably cause some attackers to start looking elsewhere for an easier point of entry.
#2188 Advanced Chinese hacking campaign infiltrates IT service providers across the globe
A Chinese hacking group with advanced cyber-espionage capabilities has been targeting managed IT services providers across the globe in a campaign to steal sensitive data.

The cybercriminal gang is using sophisticated phishing attacks and customised malware in order to infect victims' machines and then gain access to IT providers and their customer networks.

Dubbed Operation Cloud Hopper, the cyber-espionage campaign has been uncovered by security researchers at PwC, BAE Systems, and the UK's National Cyber Security Centre. The researchers say the campaign is "highly likely" to be the work of the China-based APT10 hacking group.
#2187 A free decryption tool is now available for all Bart ransomware versions
Users who have had their files encrypted by any version of the Bart ransomware program are in luck: Antivirus vendor Bitdefender has just released a free decryption tool.

The Bart ransomware appeared back in June and stood out because it locked victims' files inside ZIP archives encrypted with AES (Advanced Encryption Standard). Unlike other ransomware programs that used RSA public-key cryptography and relied on a command-and-control server to generate key pairs, Bart was able to encrypt files even in the absence of an internet connection.
#2186 Android beware: State-backed Pegasus spyware is found using phones to eavesdrop and grab data
A new version of one of the most sophisticated forms of mobile spyware has been discovered, and this time it's being used to spy on Android users.

Made public last summer, the Pegasus mobile spyware was used by a nation state to monitor iPhones belonging to activists in the Middle East. The spyware uses three separate iOS vulnerabilities, collectively known as Trident, to allow an attacker to remotely jailbreak a target's iPhone and install spyware capable of tracking every action on the device.
#2185 Google and Apple issue security updates for critical broadcom WiFi vulnerabilities
Owners of Android and iOS devices should pay special attention to security updates released by Google and Apple on Monday, as they contain fixes for a series of critical bugs affecting their phone's WiFi component.

The issues, discovered by Google Project Zero security researcher Gal Beniamini, affect the Broadcom WiFi SoC (Software on Chip), included with many Android and iOS smartphones, and for which both Google and Apple include custom firmware with their OS.
#2184 Latest WikiLeaks dump exposes CIA methods to mask malware
WikiLeaks may have dealt another blow to the CIA’s hacking operations by releasing files that allegedly show how the agency was masking its malware attacks.

On Friday, the site dumped the source code to the Marble Framework, a set of anti-forensic tools that WikiLeaks claims the CIA used last year.

The files do appear to show “obfuscation techniques” that can hide CIA-developed malicious coding from detection, said Jake Williams, a security researcher at Rendition InfoSec, who has been examining the files.

Every hacker, from the government-sponsored ones to amateurs, will use their own obfuscation techniques when developing malware, he said.
#2183 Facial recognition on Samsung’s new phone has already been cracked
Samsung’s last flagship phone went up in smoke, literally and figuratively.

So the company went for something a bit cooler with the Galaxy S8, and supposedly more secure – facial recognition.

The theory seem to be that if your phone can reliably recognise you via the front-facing camera as soon as you pick it up, then you don’t need to press or swipe any buttons for it to wake up and unlock.

In other words, you get frictionless convenience and security, rather than convenience at the expense of security.
#2182 An investigation of Chrysaor malware on Android
Google is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on one or a very small number of devices. This is known as a targeted attack.

In this blog post, we describe Chrysaor, a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices, and how investigations like this help Google protect Android users from a variety of threats.
#2181 Skype malvertising campaign pushes fake Flash Player
It appears that for at least one day, Skype has served malicious ads, which in turn pushed a fake Flash Player update onto users.

The malicious ads came to light after Reddit and Twitter users complained about Skype forcing a Flash Player update down their throat.
#2180 New evidence links a 20-year-old hack on the US government to a modern attack group
A UK company's vintage web server kept in storage for over 20 years connects the 'Moonlight Maze' attacks of the 90s to the 2000s hacker group Turla.

In September 1998, the US Department of Defense computer incident response team contacted a human resources company in London to say their web server had been hacked. Not only that—it had been hijacked and was being used to attack more than a thousand US government and military systems and steal massive volumes of data.

The DoD and FBI wanted to turn the server into a honeypot of sorts, and asked David Hedges, then an IT manager consulting for the company, to secretly record all the hacker's activity on the web server.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12