
A week in security (May 08 – May 14)

Last week, we saw spam posts suddenly appearing on a celebrity’s website, talked about a malvertising campaign on Blogger, dissected a fake KPN email that led to the CTB Locker ransomware, and unmasked several tech support scam actors to put a stop to criminals banking on the Malwarebytes brand.

Senior Security Researcher Jérôme Segura reported that the official website of Pathé, a major French film production and distribution company, had been compromised and was serving the CryptXXX ransomware to its visitors. The site was taken down after the report, but the infection was still present when it came back online.

Lastly, Segura also spotlighted another malvertising campaign, this time on a top Chilean news site, which was serving the Angler exploit kit.

Notable news stories and security related happenings:

  • Six-year-old Patched Stuxnet Hole Still The Web’s Biggest Killer. “Many malware families exploit the vulnerability but users would be most likely to encounter it when faced with the Angler exploit kit which has maintained its dominance in the crimeware market since the demise of Black Hole in 2013.” (Source: The Register)
  • Five-Year Old Bug Lets Attackers View SMS And Call History On Qualcomm Android Devices. “The vulnerability originates from an open source software package maintained by Qualcomm that provided new APIs for a range of features. The bug has been confirmed on devices running Android 4.0.3 (Ice Cream Sandwich MR1) to Android 5.0 (Lollipop). Given how many Android devices use Qualcomm chips or code, the issue could affect hundreds of models of mobile phones released in the last five years.” (Source: Lifehacker)
  • Hotel Malware Caught Checking In. “The basic attack targeted a member of staff at the hotel by sending them a phishing email with what appeared to be a Word document attached. The email suggested that this was a booking form completed by a customer which is not an unusual document for any hotel to get via email. What was different about this is that while it looked like a Word document it was really an executable zip file.” (Source: Enterprise Times)
  • Internet Of Fail: How Modern Devices Expose Our Lives. “Should you sync your family’s calendar to your refrigerator or have it display photos? Samsung believes you should. They also think you need cameras that display the food inside, to help during shopping. Sure, these features can make life easier, but how would you feel about someone accessing this information? What could a stranger do if he knew you’re out of the house tomorrow night?” (Source: Help Net Security)
  • The Current State of Cyberthreats: An Unavoidable Business Risk. “Douglas Bloom, director of cybersecurity and forensics at PricewaterhouseCoopers (PwC) let the audience at PwC’s Law Firm Services Global Forum’s “Cyber Risk – A Growing Threat” session in on a hard truth — cyberattackers are hitting law firms and companies harder and more frequently than ever before. Attacks ‘increased by 42 percent last year — it went up to 58 million attacks per year in 2015,’ he said. ‘To put that into context, that’s a little over 150,000 attacks per day.'” (Source: Legaltech News)
  • Why Cyber Tools Are Not Total Solutions. “At RSA Conference, vendors are selling tools and they aren’t lacking for customers, but to what end? The majority of people I asked this question of replied simply that they wanted a tool to counter cyber threats or something to identify and counter the potential of an insider threat. Very few of the people I spoke with, however, could answer the basic and integral questions they should have been asking themselves all along…” (Source: Federal Times)
  • Ransomware, Phishing Attacks Rise as Cyber-Crime Increases. “Cyber-criminals are continuing to exploit human nature as they rely on familiar attack patterns such as phishing, and are increasing their reliance on ransomware, according to a recent report from Verizon. The report found most attacks exploit known vulnerabilities that have never been patched despite patches being available for months or even years.” (Source: eWeek)
  • 10 Years Of Human Hacking: How ‘The USB Way’ Evolved. “As a penetration tester, I hoped those who became victim to the exploit would learn a valuable lesson. Since then, my company has performed hundreds of similar tests, tempting users with USB devices in numerous ways. Needless to say, the results were always interesting.” (Source: Dark Reading)
  • Beware: Fake Emails Are Becoming More Realistic. “The messages purport to be shipping notices, refunds, speeding tickets, electricity bills and so on, and are increasingly sent selectively so that people normally receive messages that appear to be from organisations in their own country. In some cases malware is being programmed to target or avoid users in particular countries as determined by language or keyboard settings.” (Source: Business IT – Australia)
  • This Unusual Botnet Targets Scientists, Engineers, And Academics. “When attacking indiscriminately, Jaku infects the targeted system using malware which can be downloaded from a number of different sources — including poisoned Bit Torrents of pirated anime films and fake PNG image files — which once installed in the system, send messages home to a command and control system, and enable those behind it to gain access to additional machines and add it to the botnet network.” (Source: ZDNet)
  • Lost Door Remote Access Trojan Distributed via Facebook, YouTube, Blogspot. “Security experts from Trend Micro say OussamiO created the Lost Door RAT in 2007 and hasn’t shied away from advertising his software on the public Internet, unlike many of his fellow malware developers who like to keep their operations hidden from prying eyes. The main point of operation for OussamiO’s activity is his Blogspot blog, where he regularly publishes about new Lost Door versions, upcoming updates, usage tricks and tutorial videos, which he brazenly hosts on YouTube.” (Source: Softpedia)
  • Viking Horde: A New Type of Android Malware on Google Play. “The Check Point research team uncovered a new Android malware campaign on Google Play it calls Viking Horde. Viking Horde conducts ad fraud, but can also be used for other attack purposes such as DDoS attacks, spam messages, and more. At least five instances of Viking Horde managed to bypass Google Play malware scans so far.” (Source: Check Point)
  • Business Apps Remain Corporate Security ‘Blindspot’. “Wandera said that the OWASP (Open Web Application Security Project) test revealed the most common vulnerabilities are insecure data storage, insufficient transport layer protection, lack of binary protections and poor authorisation and authentication. Wandera found that all of the top 10 apps failed to use secure data storage to protect Personally Identifiable Information. It also tested a total of 28 business apps, and found all of the top apps contain at least five weaknesses.” (Source: TechWeek Europe)
  • Prince Of Pop Trash PerezHilton Pwned, Visitors Hit With CryptXXX. “Cyphort researcher Nick Bilogorskiy says the site was once again smashed by Angler, which usually serves the CryptXXX ransomware, a dangerous cryptolocker variant, that – along with the exploit kit – is enjoying a boom in popularity.” (Source: The Register)
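The hotel malware story above turns on an attachment that looked like a Word booking form but was really an executable. The check that catches that class of lure is simple: compare what the filename claims with what the first bytes of the file actually are, and look inside any ZIP container for executables. The script below is an added example written for this roundup, not code from Malwarebytes or from the Enterprise Times article; the sample attachments are constructed in memory (a fake OLE2 document, a fake PE stub, a hand-built ZIP), and the file-signature tables are the documented magic numbers for those formats.

```python
"""Flag e-mail attachments whose content does not match what the filename claims.

Added example for this roundup. The attachments below are constructed in memory;
the magic numbers are the documented signatures of the container formats.
"""
from __future__ import annotations

import io
import os
import zipfile
from typing import Optional

# Documented leading bytes of common attachment containers.
MAGIC = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy Office (.doc/.xls/.ppt)
    "zip": b"PK\x03\x04",                         # OOXML (.docx), .zip, .jar, .apk
    "pe": b"MZ",                                  # Windows executable, DLL, SFX stub
    "pdf": b"%PDF-",
    "rtf": b"{\\rtf",
}

# Which container(s) a given extension is allowed to be.
EXPECTED_CONTAINER = {
    ".doc": {"ole2", "rtf"},  # Word opens RTF under a .doc name
    ".xls": {"ole2"}, ".ppt": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".pdf": {"pdf"}, ".rtf": {"rtf"}, ".zip": {"zip"},
    ".exe": {"pe"}, ".scr": {"pe"},
}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
OOXML_MARKER = "[Content_Types].xml"  # present in every real .docx/.xlsx/.pptx


def sniff(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def zip_members(data: bytes) -> list[str]:
    """List entry names of a ZIP held in memory; empty list if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess(filename: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    # Right-to-left override makes "form\u202Ecod.exe" render as "formexe.doc".
    if "\u202e" in filename or "\u202d" in filename:
        findings.append("bidi override character in filename")
    root, ext = os.path.splitext(filename.lower())
    inner = os.path.splitext(root)[1]
    if ext in EXEC_EXTS:
        findings.append(f"executable extension {ext}")
        if inner in EXPECTED_CONTAINER:
            findings.append(f"double extension {inner}{ext}")
    kind = sniff(data)
    expected = EXPECTED_CONTAINER.get(ext)
    if expected is not None and kind not in expected:
        findings.append(f"content is {kind or 'unknown'} but name claims {ext}")
    if kind == "zip":
        members = zip_members(data)
        if ext in {".docx", ".xlsx", ".pptx"} and OOXML_MARKER not in members:
            findings.append("OOXML extension but archive is not an Office package")
        execs = [m for m in members if os.path.splitext(m.lower())[1] in EXEC_EXTS]
        if execs:
            findings.append("archive contains executable: " + ", ".join(execs))
    return findings


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory (used only to construct sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware samples).
REAL_DOC = MAGIC["ole2"] + b"\x00" * 64
REAL_DOCX = make_zip({OOXML_MARKER: b"<Types/>", "word/document.xml": b"<w:document/>"})
PE_STUB = MAGIC["pe"] + b"\x90" * 62
ZIP_WITH_EXE = make_zip({"booking_form.exe": PE_STUB})

if __name__ == "__main__":
    for name, blob in [("booking_form.doc", REAL_DOC), ("booking_form.docx", REAL_DOCX),
                       ("booking_form.doc.exe", PE_STUB), ("booking_form.docx", ZIP_WITH_EXE),
                       ("booking_form.doc", PE_STUB)]:
        print(f"{name}: {assess(name, blob) or 'ok'}")
```

Only the first two samples come back clean; the "booking form" that is a PE stub, the double-extension name, and the .docx that is really a ZIP wrapping an executable each produce findings. A mail gateway can apply the same checks before delivery, and an analyst can run them on a quarantined attachment before opening anything.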

Safe surfing, everyone!

The Malwarebytes Labs Team