Detail of a calendar page with dates

A Week in Security (Mar 06 – Mar 12)

Last week, our resident Mac expert Thomas Reed commented on KeRanger, the first ransomware targeting the OSX platform. We also found the “least visually convincing” 419 spam mail to date.

In addition, we took apart Cerber, a new Ransomware-as-a-Service (RaaS) that others believe originated from the Russian underground. When it comes to RaaS, affiliates can distribute the malware and the criminals behind it gets commission.

Lastly, we looked at the Windows AppLocker feature, discussed how it works and how one can use it to stop execution of PUPs and malware.

Notable news stories and security related happenings:

  • Google Fixes Critical Android Mediaserver Bugs, Again. “Google today patched two critical holes in its problematic Android Mediaserver component which would allow an attacker to use email, web browsing, and MMS processing of media files to remotely execute code. With this latest vulnerability, Google has patched its Mediaserver more than two dozen times since the Stagefright vulnerability was discovered in August.” (Source: Kaspersky Labs’ Threat Post)
  • Password Sharing Habits Prioritize Convenience Over Security. “A new survey by LastPass on the password sharing habits of UK consumers reveals they favour convenience over security when it comes to sharing passwords. 55 per cent of UK consumers jeopardise their financial information by sharing with others, despite 75 per cent of respondents thinking sharing passwords is dangerous.” (Source: Help Net Security)
  • Beware Spear Phishers Trying to Hijack Your Website. “A simple trick of social engineering could result in you handing over control of your website to a malicious attacker. To show just how easy it is to fall for a spear phishing attack that could hijack your website’s DNS entries and even give hackers the ability to edit your webpages, read on…” (Source: ESET’s We Live Security Blog)
  • Sophisticated Banking Malware Targets Android Users. “The malware, targeting 20 of the largest banks in New Zealand, Australia, and Turkey, locks up the device’s screen unless users give up their login credentials. The malware can also capture text authentication codes sent out by banks – compromising two-factor authentication.” (Source: Christian Science Monitor)
  • Surprising Tips from a Super-hacker. “Mitnick has always emphasized the importance of social engineering for hacking, an emphasis that’s lacking in most security advice. He also focuses on how to get through to a public that struggles to appreciate the risks.” (Source: CSO Online)
  • 7 Tips for Securing the Internet of Things. “Intriguingly, we often like to poke fun at these devices – after all, what are you really going to do with an internet-enabled kettle? – and to remind everyone else that we don’t need them, even as we rush out and buy them because we like them.” (Source: Sophos’s Naked Security Blog)
  • Google Extends Right-to-be-forgotten Rules to All Search Sites. “Under the 22-month-old ruling, Google can snub any requests it receives to remove links from its search results. It’s then up to an individual to take their complaint to the relevant national data protection regulator within the EU. And any subsequent decision made at that level can be fought over in the courts.” (Source: Ars Technica)
  • Three More Firms Hit by Targeted Phishing Attacks Seeking W2 Data. “It’s happened again. Scammers have leveraged Phishing to gain access to W2 information at several firms, including technology powerhouse Seagate. No company is immune to these types of social attacks, and organizations both large and small have become victims to a finance-based scheme that has a long reach.” (Source: CSO Online)
  • LeapFrog Child’s Toy Found Susceptible to Attacks Leveraging Adobe Flash. “Security expert Mike Carthy explains in a blog post how he probed a LeapFrog LeapPad ULTRA that he recently purchased at a toy store. Carthy admits that it was his original intention to go out and buy a Hello Barbie, a Wi-Fi-connected iteration of the popular doll that suffers from its own security issues.” (Source: Graham Cluley’s Blog)
  • 3 in 5 Brits at Risk from Cyber Attack Through Poor Mobile Security. “Nearly two thirds of UK adults rely on ‘auto-fill’ to complete the login process for some or all websites, research has found. Security firm BullGuard commissioned a study exploring the login preferences of 2,000 UK adults when browsing the web on a phone or tablet.” (Source: Information Age)
  • Patch Insanity: Organizations are Overwhelmed by Vulnerability Fixes. “While IT professionals know that patch management plays a critical role in maintaining an adequate cybersecurity profile, reality tends to bite: IT teams all too often struggle to keep up with, or find themselves completely overwhelmed by, the sheer volume of patches that need to be applied on a weekly, if not daily, basis in enterprise environments.” (Source: Fierce IT Security)
  • Facebook Patches Bug That Let Anyone Hack Any Account. “One thing needs to be pointed out. Although it is not covered in the engineer’s post, an account set up with two-factor authentication (2FA) could potentially have foiled the exploit. If the beta site did recognize this feature at the time of the attack, a second layer of authentication could have forced the attacker to repeat the exploit, only this time, they would have needed to crack the security code before it expired in 30 seconds.” (Source: Graham Cluley’s Blog)
  • Ransomware Takes a Scary Turn Using JavaScript. “Security researchers have uncovered a new twist on ransomware-as-a-service with the discovery of what is being called Ransom32. While there have been several Web-based ransomware variants, including TOX and FAKBEN, this is a somewhat different development since it uses a popular JavaScript framework called NW.js.” (Source: Security Intelligence)
  • Mac and Linux Banking Malware could Soon be Here Thanks to Efforts by Brazilian Crime Gangs. “Are you a Mac or Linux user who has been feeling smug about the lack of malware on your operating system? Well, your days are numbered. Brazilian crime gangs are working to change this by packaging malware into Java archive (jar) files, which run across Macs, Linux, Windows and – in some circumstances – Android mobile devices.” (Source: International Business Times – UK)
  • 0-day Remote Code Exec Holes in Mobile Modems can Read SMS and HTTP. “Russian security tester Timur Yunusov has found critical vulnerabilities in routers and 3G and 4G modems from Huawei, ZTE, Gemtek, and Quanta. The flaws mean attackers could completely compromise machines and intercept SMS and HTTP traffic.” (Source: The Register)
  • Two Biggest Reasons Ransomware Keeps Winning. “Although ransom requests for individual machines are generally in the $300 to $500 range, some organizations are paying several thousand dollars at a time to recover systems. The details are not always known, because unlike data breaches, ransomware attacks do not need to be disclosed by law.” (Source: Dark Reading)
  • How to Stay Ahead of Cyber Criminals in the Data Breach Era. “Today, it takes financial firms an average of 98 days to detect a data breach; for retailers, this can take up to 197 days. Even Cisco’s mid-year security report warns that companies of all sizes must reduce time-to-detection in the wake of the latest wave of advanced attack vectors.” (Source: The Next Web)
  • How a Hacker’s Typo Helped Stop a Billion Dollar Bank Heist. “A spelling mistake in an online bank transfer instruction helped prevent a nearly $1 billion heist last month involving the Bangladesh central bank and the New York Federal Reserve, banking officials said. Unknown hackers still managed to get away with about $80 million, one of the largest known bank thefts in history.” (Source: Reuters)
  • CCTV Cameras: Security Gear which Doubles as Free DDoS Kit. “Cloud-based video surveillance company Cloudview has published new research showing that, while the majority of CCTV systems may protect an organisation’s physical assets, they provide an open door to cyber attackers.” (Source: SC Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team