Last week, we saw a fake Android alert that blames Chinese hackers, a peculiar Facebook phishing campaign that is after your government-approved ID, a “Payment Confirmation” spam that is actually carrying malware (which we analyzed in depth in a separate blog post), and Chinese hackers blatantly copying and pasting exploit code from the Hacking Team data leak into their own exploit files.
We also spotted and documented a huge malvertising campaign that may have affected users and visitors of Yahoo!. The attackers leveraged Microsoft Azure websites to host the malicious scripts. Jérôme Segura, the senior security researcher responsible for this discovery, wrote, “We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (Cryptowall).”
Thomas Reed, our Mac expert, documented a particular adware installer that was able to gain root access on an Apple Mac running OS X by exploiting a vulnerability in DYLD_PRINT_TO_FILE.
Finally, we also published a complete study on Bunitu in collaboration with our security experts, hasherezade and Sergei Frankoff, a researcher with Sentrant. Bunitu, a proxy Trojan, has played a part in malvertising campaigns as a payload for certain exploit kits, usually Neutrino. We wrote about Bunitu in depth last July, identifying why it’s dangerous to have this malware installed on systems. You may want to read that post first before delving into the study. Note that both posts are technical.
Notable news stories and security-related happenings:
- Battery Attributes Can Be Used To Track Web Users. “A team of European security researchers has published a paper analyzing how the battery life of mobile devices could be used to track web browsing habits of Firefox users on Linux, using the HTML5 Battery Status API.” (Source: TechCrunch)
- Business Resilience Lacking in Most Firms, Finds Accenture. “Nearly two-thirds of companies are hit by cyber attacks daily or weekly, yet only a quarter always incorporate measures in their technology and operating models to make them more resilient, a survey shows.” (Source: Computer Weekly)
- Succinct Reference To Key Airport Cybersecurity Threats/Attacks. “The Guidebook on Best Practices for Airport Security, produced under the auspices of the National Academies and the FAA, contains an interesting high level summary of key threat actions against airports.” (Source: Threat Brief)
- Thousands of Dubizzle Users Told to Change Passwords After ‘Security Breach’. “Thousands of Dubizzle users have been told to change their passwords after a “security breach” compromised some information stored on the online company’s database.” (Source: The National)
- Hacking-as-a-Service Makes Everyone Attack Capable. “Perhaps more disconcerting is the fact that this type of model allows actors with no discernible hacking skills to purchase the capability, thereby enabling any individual to become a hacker, if the price is right.” (Source: Norse Corp’s Dark Matters Blog)
- After Car Hack, Internet of Things Looks Riskier. “Last month’s revelation that hackers could remotely seize control of over a million Chrysler automobiles has delivered a stark warning that life in an ultra-networked world could be very dangerous, indeed.” (Source: The Boston Globe)
- Researchers Create First Firmware Worm that Attacks Macs. “Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.” (Source: Wired)
- Addressing the Continuing Challenges of Mobile Devices. “Organizations hoping to avoid the fate of so many others tripped up by device disasters must be perplexed regarding the course of action they should adopt. Given the critical role that such devices play in most business operations, few if any clients will likely ever be free from such challenges. Those challenges generally fall into three categories: data security, information retention, and e-discovery.” (Source: Legal Tech News)
- 79% of Companies Release Apps with Known Vulnerabilities. “The application development process is rampant with security risks due to current business pressures, according to new research released at Black Hat USA 2015 by Prevoty.” (Source: Help Net Security)
- The Leading Cause of Insider Threats? Employee Negligence. “It can cost a U.S. company as much as $1.5 million and German companies €1.6 million in time wasted responding to security incidents caused by human error, according to the Ponemon Institute.” (Source: Help Net Security)
- Social Engineering: 6 Commonly Targeted Data Points that are Poorly Protected. “Now in its sixth year, the Social Engineering village at DEF CON has always been an interesting location. Each year the village hosts talks and interactive lessons on human hacking, but the major draw is the Social Engineering Capture the Flag contest.” (Source: CSO Online)
- Malvertising Attacks Increasingly Target Mobile Apps, Says RiskIQ Report. “Overall, the number of unique malvertisements jumped 260 percent in the first half of this year compared to the same period in 2014, based on nearly 2 billion websites and 10 million mobile apps RiskIQ monitors daily using a global proxy network and virtual user technology.” (Source: Fierce Mobile IT)
- A Massive Security Bug Lets Criminals Install Bogus Apps on Your iPhone — and They Look Like the Real Thing. “The installations occur when users unwittingly click on web links that trigger the downloads. Bogus apps include malware versions of Twitter, Facebook, WhatsApp.” (Source: Business Insider)
- Under Pressure, Google Promises To Update Android Security Regularly. “Last week researchers with Zimperium, a mobile security firm, said they’d discovered major flaws in the heart of the Android operating system (in a library called “libstagefright”). This bug would allow hackers to take over nearly 1 billion phones, just by sending an infected text message.” (Source: NPR)
- 500 Free Virgin Airlines Flights Being Given Away on Facebook? It’s a Scam. “Thousands of Facebook users had believed that the message, which claimed to offer 500 free flights with Virgin Airlines if you *just* clicked “Like”, left a comment and shared the post with their friends, was genuine.” (Source: Graham Cluley’s Blog)
- Warning: Zero-day Vulnerabilities Found in Top-selling Amazon Smart Home Systems. “If left unpatched, some of the vulnerabilities revealed in VERT’s analysis could be exploited through malicious web pages or smartphone applications and execute commands with system level access.” (Source: IT Pro Portal)
- Ad Firms are the Reason Adobe’s Flash Still Exists—Despite Its Many, Many Security Flaws. “Last month, Mozilla blocked Flash from its Firefox browser until Adobe released an update patching another security flaw. According to CVE Details, a database that tracks online vulnerabilities, there have been 511 reported Flash vulnerabilities since 2005, and the number has been rising in recent years, with 133 instances in the year to date alone.” (Source: QZ)
- Senate Cybersecurity Bill Vote Delayed Again. “Despite attempts to vote on CISA prior to August recess, senators have agreed to revisit the bill in September with additional amendments.” (Source: Legal Tech News)
- Oh No ZigBee, as Another Front Opens on Home Networking Insecurity. “Security researchers have exposed new flaws in ZigBee, one of the most popular wireless communication standards used by Internet of Things (IoT) devices.” (Source: The Registry)
- New Malware Turns Your Computer into a Cellular Antenna. “A group of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet. They’ve figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.” (Source: PC World)
- Boards’ Lack of Cybersecurity Knowledge Puts Companies at Greater Risk: Study. “Corporate board members that fail to employ adequate oversight on cybersecurity matters are compromising their company’s security defenses.” (Source: Legal Tech News)
Safe surfing, everyone!
The Malwarebytes Labs Team