A Week in Security (Apr 03 – Apr 09)

Last week, we touched on a Twitter spam campaign that lures users into hacking accounts, got personal with tech support scammers, witnessed another fake iPhone discount news story, talked about an “advertisement downloader”, and brought to light a very odd spam.

Senior security researcher Jérôme Segura informed us that Adobe released a new patch for a 0-day vulnerability in Flash Player that was being exploited in the wild. One noted exploit kit (EK) that did this was Magnitude, which led to a Cerber ransomware infection.

Segura also posted a blog article on a distribution channel for the Neutrino EK that he spotted. These channels begin with malicious iframe injections, he said, and looking deeper revealed “an infrastructure set up to handle traffic from multiple geolocations, much like a Traffic Distribution System (TDS)”.

For the first PUP Friday post for April, we talked about SafeSoft Protector, a variant from the TechSnab family that misuses Privoxy, a legitimate, open source Web proxy software.

Notable news stories and security-related happenings:

  • US Passport and Visa Database Open to Intrusion? “The Consular Consolidated Database (CCD), which contains over 290 million passport-related records, 184 million visa records, and 25 million records on US citizens living abroad, has been found to be vulnerable to cyber attack and possibly data tampering. The discovery was the result of an internal review of the US State Department’s cyber defenses performed several months ago and, according to a Department’s official, ‘visa-related gaps’ have already been fixed.” (Source: Help Net Security)
  • War on Multiple Fronts: A Holistic Approach to Cybersecurity. “Identifying the bad actors and the risks they present, however, can only go so far before becoming cost-prohibitive. Just as a healthy, well-maintained body is able to fend off all but the most pernicious viral and bacterial agents, so can an organization defend itself. The successful organization is one that adopts a holistic approach to managing cybersecurity threats on multiple fronts.” (Source: Legal Tech News)
  • Microsoft Account-hijacking Hole Closed 48 Hours After Bug Report. “British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attacker’s phishing quiver, save for the fact that Microsoft fixed it. Whitton quietly reported the flaw to Microsoft which pounced and took only two days to process and patch the flaw. The flaw meant attackers would have been able to set up phishing sites for Microsoft assets like Outlook and then capture tokens which could then be used through manipulated POST data to log into accounts.” (Source: The Register)
  • The Password In Your Eyes: Has Iris Identity Authentication Finally Arrived? “While the adoption of biometric technology is a new development, Antolino noted that ‘it’s not a particularly new technology,’ as it has been around for about 20 years. But the recent adaption of iris-based authentication solutions, he added, is due to a confluence of factors, starting with expiration of a key patent in 2006 that enabled many other players to enter the market.” (Source: Legal Tech News)
  • A Flaw in the Family of CISCO FirePower Firewall Devices Allows Malware to Bypass Detection Mechanism. “Cisco is releasing security updates to fix a critical vulnerability (CVE-2016-1345) that affects one of its newest products, the FirePower firewall. The flaw has been discovered by security researchers at Check Point Security. The vulnerability is related to the improper input validation of fields in HTTP headers. The attacker can remotely exploit the flaw by sending a specifically crafted HTTP request to a vulnerable system.” (Source: Security Affairs)
  • Trojan Found in More Than 100 Android Apps on Google Play Store. “Researchers have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store. The research team at Russian security firm Doctor Web first added the Trojan, which they called Android.Spy.277.origin, to its virus database on April 1st, 2016.” (Source: Graham Cluley’s Blog)
  • Crypto Ransomware Targets Called by Name in Spear-phishing Blast. “For the past decade, spear phishing—the dark art of sending personalized e-mails designed to trick a specific person into divulging login credentials or clicking on malicious links—has largely been limited to espionage campaigns carried out by state-sponsored groups. That made sense. The resources it takes to research the names, addresses, and industries of large numbers of individuals was worth it when targeting a given organization that had blueprints or some other specific piece of data prized by the attacker. But why go through the trouble to spread crypto ransomware or banking Trojans to the masses when a single scam e-mail could do the trick?” (Source: Ars Technica)
  • Brave will Pay You to See Ads with Its Ad-blocking Browser. “Adblocking users want anonymity, privacy and security. Online content publishers, for their part, have been trying to squirm out from under ad blockers since they hit the scene. The Brave browser has a new idea: it’s going to line your pocket with Bitcoin in exchange for viewing ads.” (Source: Sophos’ Naked Security Blog)
  • Poll: People Don’t Mind Hacking to Fight Terrorism. “The Federal Bureau of Investigation’s solution to opening a locked iPhone used by a San Bernardino shooter reflects how public generally wants government policing to work, a new Morning Consult poll shows. Voters do, however, think law enforcement officials should tell manufacturers about any vulnerabilities they exploit during criminal investigations.” (Source: Morning Consult)
  • Emergency Adobe Flash Update Prepped as Hackers Actively Exploit Flaw. “Adobe has announced that it will be issuing an emergency security update for its widely-used Flash Player, after discovering hackers were actively exploiting a security hole to hijack control of computer systems. The one piece of good news is that if you have been doing a reasonably good job of keeping your systems updated then you may already be benefiting from a mitigation introduced in Flash Player that, according to Adobe, ‘currently prevents exploitation of this vulnerability.’” (Source: Graham Cluley’s Blog)
  • PayPal Vulnerabilities could have Allowed Phishing Emails. “A German researcher reportedly netted $500 (£354) from PayPal’s bug bounty programme for a vulnerability that could have allowed an attacker to carry out phishing and other attacks. The bug also could have allowed session hijacking, persistent redirecting to external sources and persistent manipulation of affected or connected service module context, the advisory said.” (Source: SC Magazine)
  • Apple Fixes iOS Lock Screen Bypass that Gives Access to Photos, Contacts. “The bypass technique was discovered by researchers from German security firm Evolution Security and takes advantage of Siri’s integration with apps like Twitter or Facebook and the new 3D Touch feature that’s only available on the iPhone 6s and 6s Plus models. On a locked device, attackers can call up Siri and ask to search for items that contain @ tags using Twitter, Facebook or Yahoo. Then they can locate a string like an email address and use the 3D Touch hard push to bring out the context menu for it.” (Source: PC World)
  • Official-sounding Calls About an Email Hack. “There’s a new twist on tech-support scams — you know, the one where crooks try to get access to your computer or sensitive information by offering to ‘fix’ a computer problem that doesn’t actually exist. Lately, we’ve heard reports that people are getting calls from someone claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. They say they’ll have to take legal action against you, unless you let them fix the problem right away.” (Source: Federal Trade Commission)
  • FBI: $2.3 Billion Lost to CEO Email Scams. “The U.S. Federal Bureau of Investigation (FBI) this week warned about a ‘dramatic’ increase in so-called ‘CEO fraud,’ e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.” (Source: Krebs On Security)
  • FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen. “The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.” (Source: Kaspersky’s ThreatPost)
  • Thousands of Login Details Stolen from National Childbirth Trust by Cyber Thieves. “A London-based childbirth charity has admitted that over 15,000 parents have been caught up in a data breach after hackers were able to compromise usernames and passwords from its website. The National Childbirth Trust (NCT), which provides help and support to hundreds of thousands of parents during the childbirth process, has sent a message to those affected explaining their email addresses, usernames and passwords have been hijacked.” (Source: International Business Times)
  • Rio Olympics Expected to be a Cybercrime Bonanza. “Like all too many Brazilians, Graziela di Giorgio clicked where she shouldn’t have. And just like that, her credit card was cloned.” (Source: CBC News)
  • Millions of Child Support Records Stolen, D.C. Officials Want Answers. “In early February, a thief broke into several offices in Olympia, Washington to steal anything he could grab that was worth selling. In one locked drawer, the thief found a couple of external hard drives that he added to his haul of cash, cameras, electronics and laptops. The hard drives belonged to the local office of the Administration for Children and Families, part of the Department of Health and Human Services, and contained between two and five million records related to child-support audits.” (Source: CSO Online)
  • Inconsistent API Security Puts App Economy At Risk. “As APIs increasingly serve as the essential glue in today’s app economy, many enterprises are struggling to keep pace with a consistent API-security strategy, according to a survey out today by Ovum on behalf of Distil Networks. And with many APIs intentionally made public to the outside world, a lack of a singular strategy could be adding undue risk in the wake of innovation and open development communities.” (Source: Dark Reading)
  • 5 Ways to Become a Smaller Target for Ransomware Hackers. “Hacking for ransom is on the rise — on pace to beat out last year’s figures — and hits people where it hurts, locking them out of files, photos and critical records until they pay hackers a bounty to restore their access. Hackers bait users to click on infected email links or open infected attachments, or they take advantage of outdated and vulnerable systems.” (Source: The News and Advance)
  • An Overlooked Insider Threat? Many Fear Vendor-Related Breach: Survey. “Companies’ trust in and increasing reliance on vendors belies apprehension over their cyberthreat exposure, according to Bomgar’s Vendor Vulnerability report, which surveyed 608 decision makers with IT roles in various companies across the United Kingdom, the United States, Germany and France. The report found that while almost all (92 percent) companies trust vendors, more than one-third noted they suffered a breach because of a vendor’s access to their networks and systems over the past year.” (Source: Legal Tech News)
  • 1 in 5 Enterprises Admit of Mobile Data Breach Resulting from BYOD. “A survey conducted by Crowd Research Partners and sponsored by six data security vendors finds that nearly one out of five organizations (21 percent) experienced a security breach through the use of BYOD or corporate-owned mobile devices, primarily due to connections to malicious malware and Wi-Fi hotspots.” (Source: India Times)
  • Almost Half of Dropped USB Sticks will Get Plugged In. “People are still plugging in USB sticks scattered around parking lots, a new study has confirmed. This time, the researchers hail from the University of Illinois. They decided to test what they call the ‘anecdotal belief’ that people pick these things up and plug them in, so they dropped 297 drives on the school’s Urbana-Champaign campus last year.” (Source: Sophos’ Naked Security Blog)
  • Who Owns Corporate Data? Employees Think They Can Just Take It. “A third of all employees believe they own – or share ownership of – the corporate data they work on, with half thinking they can take the data with them when they leave, according to Veriato. These findings likely result from a massive disconnect, or lack of education, on who owns the data or any consequences for taking it—with nearly 60 percent of the 400 random employees surveyed saying they have never signed a confidentiality agreement or they never even knew one existed.” (Source: Help Net Security)
  • Latest Tax-related Data Breach could Affect Employees and Their Children. “A breach notification letter, submitted on April 6 to California and Vermont, says that on March 8, a vendor hired to perform tax services for Whiting-Turner noticed suspicious activity on their systems. Around the same time, Whiting-Turner employees reported fraudulent tax filings in their names. The construction firm shut down the vendor’s access to their systems and launched an investigation. The investigation is ongoing, but the notice was issued out of an abundance of caution, the company says.” (Source: CSO Online)
  • One in Two Children Hide Risky Online Behavior from Parents – Kaspersky Lab Research. “According to a survey conducted by Kaspersky Lab and the icon Kids & Youth agency, almost half of children (44%) hide potentially dangerous online activity from their parents. The older the child, the more he or she hides. At the age of 8-10 only a third (33%) of children do not inform their parents about incidents on the Web, but that number rises to 51% for teens aged 14-16.” (Source: Tempo)
  • WhatsApp Encryption A Good Start, But Far From a Security Cure-all. “WhatsApp’s addition of end-to-end encryption is a good start, but does not present users with a complete solution that protects against the prying eyes of intrusive governments and nosey third-parties. That’s the consensus among privacy and security experts that commend Facebook-owned WhatsApp for flipping the switch on end-to-end encryption for its one billion users worldwide. But they say there is more work to be done when it comes to securing digital communication.” (Source: Kaspersky’s Threat Post)

Safe surfing, everyone!

The Malwarebytes Labs Team