A Week in Security (Mar 27 – Apr 02)

Last week, we looked back on misleading advertising, gave an overview of what fileless infection is, alerted Steam users of a scam that allows them to download a NanoCore RAT, caught a new Netflix-themed spam campaign, and gave a rundown of top exploit kits last month.

Senior security researcher Jérôme Segura caught another whiff of a campaign hitting the popular social sites, Likes and LiveJournal (or LJ). He noted that the actors behind this campaign were the latest group to use domain shadowing and fingerprinting in an attempt to bypass security screenings and scanners. Both ad infections lead to the Angler exploit kit.
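Domain shadowing, mentioned above, works by planting throwaway subdomains under a legitimately registered domain whose registrar account has been compromised, so that each victim is sent to a fresh hostname that no reputation list has seen. One defender-side signal is a registered domain that suddenly fans out into many subdomains that are each visited once. The following script is an added example, not code from the original post or from Malwarebytes; it assumes a simple space-separated proxy log format (constructed below), uses a naive two-label notion of "registered domain" (a real deployment would use a public suffix list), and the thresholds are illustrative.

```python
"""Heuristic domain-shadowing detector over web proxy logs.

Added example, not from the original post. Assumes the constructed log
format below: timestamp, client IP, requested host, path. Hostnames and
IPs are made up for illustration.
"""
from collections import defaultdict
import re

# Constructed sample log. hijacked-owner.test plays the shadowed domain:
# every client lands on a different, never-repeated subdomain of it.
SAMPLE_LOG = """\
2016-03-29T10:01:12Z 10.0.0.5 www.news-site.test /index.html
2016-03-29T10:01:13Z 10.0.0.5 www.news-site.test /style.css
2016-03-29T10:01:14Z 10.0.0.5 ads.news-site.test /serve.js
2016-03-29T10:01:15Z 10.0.0.5 kf93ad.hijacked-owner.test /a/
2016-03-29T10:02:01Z 10.0.0.7 www.news-site.test /index.html
2016-03-29T10:02:02Z 10.0.0.7 ads.news-site.test /serve.js
2016-03-29T10:02:03Z 10.0.0.7 ps02rx.hijacked-owner.test /b/
2016-03-29T10:03:11Z 10.0.0.9 www.news-site.test /index.html
2016-03-29T10:03:12Z 10.0.0.9 ads.news-site.test /serve.js
2016-03-29T10:03:13Z 10.0.0.9 q7lm2v.hijacked-owner.test /c/
2016-03-29T10:04:21Z 10.0.0.11 www.news-site.test /index.html
2016-03-29T10:04:22Z 10.0.0.11 zz81ta.hijacked-owner.test /d/
2016-03-29T10:05:31Z 10.0.0.13 www.news-site.test /index.html
2016-03-29T10:05:32Z 10.0.0.13 mm4e0c.hijacked-owner.test /e/
2016-03-29T10:06:00Z 10.0.0.5 mail.corp.test /inbox
2016-03-29T10:06:01Z 10.0.0.7 mail.corp.test /inbox
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_hosts(log):
    """Yield (client, host) pairs from the constructed log format, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower()


def registered_domain(host):
    """Naive registered domain: the last two labels.

    Assumption for the example only; production code should consult a
    public suffix list so that e.g. co.uk is handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_shadowed(log, min_subdomains=4, max_avg_hits=1.5):
    """Return {registered_domain: [subdomains]} for domains that look shadowed.

    Heuristic: a registered domain is suspicious when it fans out into at
    least `min_subdomains` distinct subdomains and those subdomains are
    each visited only about once (low average hit count). Busy legitimate
    sites have few subdomains that are hit repeatedly, so they pass.
    """
    hits = defaultdict(lambda: defaultdict(int))  # reg domain -> subdomain -> count
    for _client, host in parse_hosts(log):
        reg = registered_domain(host)
        if host == reg:
            continue  # bare registered domain, not a subdomain
        hits[reg][host] += 1

    flagged = {}
    for reg, subs in hits.items():
        if len(subs) < min_subdomains:
            continue
        avg_hits = sum(subs.values()) / len(subs)
        if avg_hits <= max_avg_hits:
            flagged[reg] = sorted(subs)
    return flagged


if __name__ == "__main__":
    for reg, subs in find_shadowed(SAMPLE_LOG).items():
        print(f"possible domain shadowing under {reg}: {len(subs)} one-off subdomains")
        for sub in subs:
            print("  ", sub)
```

In the constructed log, news-site.test has only two subdomains that are hit repeatedly and is not flagged, while hijacked-owner.test is reported with its five single-visit subdomains. The thresholds are deliberately loose for a small sample; on real traffic you would tune them per time window and exclude CDNs and other domains that legitimately use many short-lived hostnames.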

In another post, Segura documented a campaign (targeting adult, torrent, and streaming sites) that involved the Magnitude exploit kit, which he observed had also begun using fingerprinting, in the form of an additional page users are redirected to before proceeding to the exploit page. This “special gate” checked the visitor’s computing environment for the presence of certain files, such as those belonging to Fiddler, virtual machines, and security software.

Security researcher and reverse engineer Hasherezade released an in-depth analysis of Petya, a ransomware that doesn’t encrypt individual files but denies affected users access to their entire hard drive. Some reports noted that it targets HR employees, arriving as a resume file attached to spam.

Notable news stories and security related happenings:

  • Opening a New Front: Ransomware Hits Mobile Devices. “Much has been said about the rise of ransomware and breaches affecting organization’s networks and computers, but what about the devices held in their employee’s hands? According to Blue Point’s Mobile Malware Report, 2015 was the year that ransomware became a top threat to mobile devices. Mobile devices can be more prone to ransomware attacks given the ease and routine of downloading mobile apps. The report notes that many attacks are “self-inflicted” by users who download pirated or suspicious apps via unsanctioned app stores.” (Source: Legal Tech News)
  • No One Should Ever Pay to Remove a Bitcoin Ransomware Infection. “Bitcoin ransomware has been a topic of substantial discussion in the media throughout 2015, and the year 2016 does not seem to be changing that any time soon. There have been numerous reports of this type of attack against companies and individual users, even though there are a few easy steps to avoid ransomware from infecting one’s device. Bitcoin is not to blame for these attacks by any means, only the people who create this software. Although the ones who pay the ransom are partially to blame as well.” (Source: Bitcoins Channel)
  • Facebook Safety Check Develops Glitch, Checks on People Far from Lahore Blast. “The social network has activated several times the Safety Check feature, which checks with people it detects are in the vicinity of a disaster whether they are safe or not, and alerts friends. It was most recently activated last week after deadly terror attacks in Brussels. In 2015, more than 950 million people are said to have received a notification that a friend or loved one was safe in a crisis.” (Source: CSO Online)
  • HTTPS May Not be as Safe as It Once was. “The reason that hackers were able to discover vulnerabilities in SSLv2 had to do with the fact that the protocol is contained within the OpenSSL software library. SSLv2 is open sourced, which means anyone can look at the source code and tool around with it. This is great for educational purposes, as it allows encryption experts to comb through lines of code to help plug holes. However, it also means more nefarious individuals get the chance to root around and discover vulnerabilities they could then exploit.” (Source: Trend Micro’s Simply Security)
  • New Alerts for Gmail Users Targeted by State-sponsored Attackers. “The new full-page warning says that Google can’t say how they know that the user’s account is being targeted by government-backed hackers, and urges the user to enable two-factor authentication and set up a Security Key on his or her account. Given that Gmail has surpassed the “1 billion monthly active users” mark in February 2016, the number of users targeted by state-sponsored attackers could therefore be as high as 1 million.” (Source: Help Net Security)
  • FBI Hack may Raise Questions about iPhone Security. “Digital rights group Electronic Frontier Foundation has asked that if the FBI has used a vulnerability to get into the iPhone, under a government policy for disclosing security vulnerabilities, called the Vulnerabilities Equities Process, there should be “a very strong bias” in favor of informing Apple of the vulnerability, which would help the company fix the flaw and secure its users.” (Source: CSO Online)
  • iOS 9.3 Web Links Bug Causes Apps To Crash. “Apple can’t seem to deliver a system update to its smartphones and tablets without causing some sort of problem somewhere. iOS 9.3, which Apple released last week, is giving iPhone and iPad owners fits thanks to a bug involving Web links. In this case, however, Apple may not be 100% to blame. Clicking on Web links on devices running iOS 9.3 can cause apps — including Safari, Chrome, Mail, Messages, Notes, and others — to freeze or crash altogether. The problem impacts pre-installed apps made by Apple as well as those made by third-party developers.” (Source: Information Week)
  • FireEye: Hackers are Racing to Infiltrate Retail POS Systems. “Hacking POS systems has proved profitable for cybercriminals. It’s easy to find so-called ‘carding’ forums where payment card details are priced according to how recently the data was stolen and the potential limit of the card. Cybercriminals have found so much low-hanging fruit that the price for stolen card details has actually fallen.” (Source: PC World)
  • Firewalls aren’t Going Anywhere. “A new study of nearly 600 IT practitioners by FireMon called the 2016 State of the Firewall Report has shown that while respondents recognise that the firewall needs to evolve, it still remains a central part of today’s security infrastructure. Emerging infrastructure paradigms such as Software Defined Networking (SDN), cloud and micro-segmentation will drive this evolution. In fact, 90 percent of respondents recognised that SDN has impacted or will impact networks, pointing to an important shift in the way they are secured. And over two thirds said that firewalls were critical to securing their cloud services.” (Source: IT Security Guru)
  • Businesses Turn Their Backs on Banks That Lack the Right IT Security. “Over two-thirds of companies prefer to bank with a provider who has a solid security reputation, according to a Kaspersky Lab survey. Those banks that make security a priority and take every effort to ensure measures are in place to safeguard against online financial fraud will have an advantage, when it comes to retaining existing customers and reaching new ones.” (Source: IT Security Guru)
  • When It Comes to Cybersecurity, Don’t Overlook Staff Education. “In April 2014, the FBI issued warnings about the healthcare industry’s vulnerability to cyberattacks. In particular, the agency called the possibility of increased cyberintrusions likely, given the combination of the shift to online systems and a lack of preparation by most organizations. Nearly two years later, the FBI has its hands full as those warnings have come to fruition.” (Source: Fierce Health IT)
  • Teens would Sell Their Personal Data Instead of Working. “IT services company Logicalis UK commissioned the survey from Realtime Generation. Realtime Generation surveyed some 1,000 13-17 year-olds over the course of 10 days in January, and the results are now out in a report titled ‘The age of digital enlightenment’. The survey posed specific scenarios to teens to find out what type of ‘better service’ or ‘deal’ they’d swap their e-selves for.” (Source: Sophos’ Naked Security Blog)
  • Chinese Scammers Take Mattel to the Bank, Phishing Them for $3 Million. “Mattel contacted law enforcement and their U.S. bank, but were told that it was too late – the money was gone. The thieves had hit Mattel at just the right time. A new CEO had just started and the company was getting ready for massive growth in China, so payments to the nation wouldn’t be out of order. To further their schemes, according to a source who spoke to the Associated Press on the condition that they not be named, the thieves likely did some homework.” (Source: CSO Online)
  • Taiwan Targeted with New Cyberespionage Backdoor Trojan. “Dripion is custom-built, designed to steal information, and has been used sparingly in a limited number of targeted attacks. The attackers behind this campaign went to some lengths to disguise their activities, including using domain names disguised as antivirus (AV) company websites for their command and control (C&C) servers. These attacks have some links to earlier attacks by a group called Budminer involving the Taidoor Trojan.” (Source: Symantec Official Blog)
  • Are you Really Confident You could Spot a Phishing Scam? “The folks at Tripwire conducted a survey at the recent RSA security conference in San Francisco. They polled 200 security professionals about ransomware and phishing. I commented in their ransomware findings elsewhere, but I was also interested to see their stats on whether top-level managers were likely to spot a phishing scam. The survey found 52% of respondents were “not confident” that their company’s executives would spot a phishing scam. Does that number surprise you? It did me. Because I think it should be much much higher.” (Source: Graham Cluley’s Blog)
  • Protecting Identity could be Key to Enterprise Security. “In reality, it’s unfair to expect employees (or individual consumers) to deal with increasingly sophisticated attacks by a cabal of well-financed and highly trained hackers, social engineers and even con artists. These people have intricate systems in place to steal those valuable credentials and find their way inside the organization’s network and into the treasure trove of company intellectual property.” (Source: TechCrunch)
  • NASA Has a Cyber-Security Problem, Investigator Claims. “Jason Miller, executive editor for Federal News Radio, is saying that the National Aeronautics and Space Administration (NASA) has a severe patching problem that’s putting many of its systems at risk. Citing multiple inside sources and internal documents, Mr. Miller is saying that there are hundreds of thousands, if not millions of patches that haven’t been applied to NASA IT systems, exposing the company to potential attacks.” (Source: Softpedia)
  • FBI Warns of Rise in Schemes Targeting Businesses and Online Fraud of Financial Officers and Individuals. “FBI officials and various federal and local partners warn potential victims of the business e-mail compromise scam or “B.E.C.,” a scheme targeting American businesses that has resulted in massive financial losses. Officials also warn of scams targeting victims of online fraud, to include ‘Operation Romeo and Juliet,’ a series of cases involving American victims who are targeted when they subscribe to online dating services.” (Source: The FBI)
  • Commonly Used IoT Devices Vulnerable to Privacy Theft. “Researchers chose devices that were both popular and affordable in order to understand the security stance of each device. The team analysed the way each device connects to the internet and to the cloud, as well as the communication between the device and its corresponding mobile application. Three of the four IoT devices in question are currently still at risk, whereas one has been partially resolved…” (Source: Help Net Security)
  • Weak IRS Controls Leave Taxpayer Data Vulnerable, Report Says. “Just in time for tax season, the Government Accountability Office is warning that weak financial controls at the Internal Revenue Service leave taxpayer information at risk.” (Source: The Washington Post)
  • In Preventing Data Loss, More Businesses Turn to the Cloud for Backup: Survey. “Kroll Ontrack’s research examined the data backup practices of over 500 companies in North America, Asia and Europe that have suffered data losses. Released to coincide with World Backup Day, the survey found that among companies with no data backup plans, over half (51 percent) still consider hard drives for primary data backup, while nearly a quarter (23 percent) are considering shifting their backup data to the cloud.” (Source: Legal Tech News)
  • Reddit Deletes Surveillance ‘Warrant Canary’ in Transparency Report. “The scrubbing of the “canary”, which stated reddit had never received a national security letter ‘or any other classified request for user information,’ comes as several tech companies are pushing the Obama administration to allow for fuller disclosures of the kind and amount of government requests for user information they receive. National security letters are almost always accompanied by an open-ended gag order barring companies from disclosing the contents of the demand for customer data, making it difficult for firms to openly discuss how they handle the subpoenas. That has led many companies to rely on somewhat vague canary warnings.” (Source: Reuters)

Safe surfing, everyone!

The Malwarebytes Labs Team