A Week in Security (Jun 07 – Jun 13)

Last week, we published a timely scam, a malvertising campaign, the final part of a two-part piece on a certain exploit kit, and a complex obfuscation method found in malware that runs on Android devices.

When news of a roller coaster crash in Staffordshire, England erupted, the majority of Internet users and those tuned in on television waited in horror as images of the incident, followed by live feeds of the aftermath, began popping up on our screens. Unfortunately, scammers can easily use news like this against the genuinely curious. Our researchers found a fake YouTube video claiming to be footage of the incident.

Popcash, a prolific pop-under ad network, was found to be used by online criminals to lead Internet users to sites serving exploit kits, which in this case is Magnitude EK. This kit is known to push ransomware. Based on the sample we have, it pushes CryptoWall, a notable ransomware that encrypts personal files, thus locking out their owner.

At the end of May, we published part 1 of a post entitled “Unusual Exploit Kit Targets Chinese Users”, wherein we talked about the basic behaviours of a certain exploit kit called Chinad that targets Chinese websites and their visitors. In part 2, our malware analysts discussed their findings on the kit’s four (4) component files.

Lastly, our mobile experts discussed an obfuscation technique used by an Android malware that we detect as Trojan.Dropper.RealShell. Hint: it had something to do with a file having the .lock extension.

Notable news stories and security-related happenings:

  • MalumPoS Malware Targets Hotels, Scrapes Customer Credit Cards. “The point-of-sale (POS) malware targets sales systems in hotels and other industries in the United States in order to scrape valuable credit card data which can then be used to create cloned cards, empty victim bank accounts or be sold on the black market.” (Source: ZDNet)
  • Hacker Can Send Fatal Dose to Hospital Drug Pumps. “The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.” (Source: Wired)
  • Cybercrime Can Give Attackers 1,425% Return on Investment. “While security professionals often find it difficult to prove return on investment, a standard ransomware campaign could earn an attacker a 1,425 percent ROI, according to a report released today by Trustwave.” (Source: Dark Reading)
  • Social Media Security is Still a Low Priority. “80 percent of IT professionals believe social media is an easy way for hackers to gain access to corporate networks because it is often neglected in terms of security, and furthermore 36 percent even admit that their company could be breached by a hacker through one of their employees’ social media access at work.” (Source: Help Net Security)
  • Researchers Find CSRF Bug in Wind Turbine Software. “A security researcher named Maxim Rupp has discovered a cross-site request forgery vulnerability in the operating system that runs wind turbines manufactured by XZERES. The vulnerability can allow an attacker to cut the power to all of the systems attached to the target system. The vulnerability exists in the operating system that runs the model 442SR wind turbines.” (Source: ThreatPost)
  • Fake Tech Support Scam Targets Macs. “Blue Coat researcher Chris Larsen has found three scam domains (macsupports.info, macworldservices1.com and macsecurityalerts.co), which, when visited, offer pop-up warnings about “dangerous viruses,” supposed malware and unauthorized access. Typically, the sites use Javascript to “lock” the browser, borrowing a classic ransomware tactic meant to freak out the victim and spur them to action. Individuals are then encouraged to call a number to have a technician guide them through the malware removal process—for a fee, of course.” (Source: InfoSecurity Magazine)
  • Tiny Tinba Malware Gets Tough, New Variants Infect European Banks. “Researchers at IBM Security Trusteer say that new and nasty variants of the Tinba Trojan, said to be the world’s smallest malware, are emerging, and they’re targeting European banks.” (Source: SC Magazine – UK)
  • US Government Switches to HTTPS for All Federal Websites. “This is not a silver bullet, however, and Scott warned that HTTPS can protect only communications, not the systems and services that transport them.” (Source: V3)
  • UK Government Not Doing Enough to Prevent Cyber Attacks, Say CTOs. “Three-fifths of UK chief technology officers (CTOs) believe the government is performing poorly in educating and protecting firms from cyber attacks, a survey of more than 200 C-level executives has revealed. However, CFOs and CEOs are more positive, according to the research on the economic consequences of cyber attacks by security firm Veracode and the Centre of Economics and Business Research (Cebr).” (Source: Computer Weekly)
  • Duqu 2.0 Espionage Malware Discovered. “Kaspersky Lab says it has discovered a new, advanced persistent threat that appears to have been launched by the gang behind the Stuxnet and Duqu malware families. But while security vendors typically unearth intrusions in their customers’ networks, in this case Kaspersky’s own networks also fell victim to the attack campaign, thanks in part to attackers employing a zero-day Windows exploit.” (Source: Data Breach Today)
  • Japanese Oil Association Hit by Cyber-attack. “Local sources reported that the voluntary organisation’s PCs had become infected by a virus, but appeared to suggest that no data had yet been seen in the wild. It is not known how many machines were infected, or what the initial point of compromise was.” (Source: SC Magazine – UK)
  • ‘Your PC may be infected!’ Inside the Shady World of Antivirus Telemarketing. “EZ Tech Support sells a perpetual license for the program for $300. Agents also tell callers they can perform a one-time fix on their computers for them, which starts at $250. Callers can haggle for lower prices.” (Source: CSO Online)
  • Warning: Mass Scale ‘Zombifying’ Cyber-attack is Spreading. “More than 50 million people per month could be at risk of a mass-scale ‘malvertising’ cyber-attack that turns computers into Zombies, according to researchers at Raytheon|Websense.” (Source: IT Pro Portal)
  • 90% of DLP Violations Occur in Cloud Storage Apps. “90 percent of data loss prevention (DLP) violations occur in cloud storage apps, and a large percentage of these are for enterprise confidential intellectual property or customer or regulated data that the customer did not know or want to store there.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team