Detail of a calendar page with dates

A week in security (Aug 21 – Aug 27)

Last week, we talked about a Facebook phishing campaign, another technical support scam (this time with Chrome tricks up their sleeves), and sampled file-in-the-middle browser hijackers; responded to Systweak’s blog; revealed the digital lives of teens in the U.S.; and gave directions to readers on how to enable two-factor authentication in the PlayStation Network and how to secure remote workers (for businesses of all sizes, of course).

We also provided some deep-dive analyses about certain malware—specifically Korplug RAT (aka PlugX), the spyware that was once associated with Chinese APT groups but used to dox 400,000 members of Vietnam Airlines, and a mobile ransomware aptly named after the game currently sweeping the world, Pokémon Go—which are great references for your technical study.

Notable news stories and security related happenings:

  • The Mobile Banking Revolution Has Arrived But Cyber Heists May Ensue. “The Competition and Markets Authority (CMA) has announced changes in the banking industry that will enable customers to access the details of their entire finances through a single mobile phone app by 2018, raising inevitable security concerns. Not only will banks have to bolster security within their mobile banking applications, but they will also need to make sure that everyone within the supply chain meets the security requirements for these big changes in service provision, in order to mitigate the security risks.” (Source: IT Security Guru)
  • As Cyber Fears Rise, Smaller Firms Struggle to Cope. “Firms that have an in-house infosecurity team are generally safer from hackers than firms that outsource security work to a third party, said Erik Rasmussen, the cyber practice leader for risk consultant Kroll. Third-party vendors don’t always have the regulatory background necessary to understand and address firms’ needs. But building an in-house team can be costly.” (Source: LegalTech News)
  • WiFi Signals Can ID Individuals By Body Shape. “With the Internet of Things slated to have tens of billions of connected devices by 2020, one of the most crucial design considerations for internet-connected products is figuring out how to seamlessly integrate these devices into everyday life. In this respect, teaching machines how to identify the individuals they are interacting with is paramount—it will allow for the total personalization of everything that is promised by the IoT. Rather than just having internet-connected light bulbs and refrigerators that are sitting around waiting to get hacked, these devices will be able to recognize you and interface with you according to your preferences (something that devices like the Xbox One are already doing via facial recognition).” (Source: Motherboard)
  • Passwords, Biometrics And Multi-factor Verification: What Businesses Need To Know. “On the one hand, there’s the question of identity verification within your organization. You need to be sure only authorised staff are conducting financial transactions, and that access to wider business systems and information is for employees only. On the other hand, there’s the vital matter of confirming the identity of your customers, particularly if you give them an online account and take online orders or payments. Fraudulent payments cost UK industries £755m last year – and the trend is rising.” (Source: Help Net Security)
  • The Blurring Line Between Cyber And Physical Threats. “Every day, the line between cyber-threats and physical threats grows thinner – blurring the crucial distinction between attacks on networks and attacks on materials objects. 225,000 Ukrainians learned this in January of 2016 when they lost power following a cyber-attack on a Ukrainian power grid. The rise of the Internet of Things (loT) has expanded this threat from nation-state interactions out into the realm of cyber-enabled crime against companies and individuals. For example, cybersecurity researchers have shown how anything from sniper rifles to your car’s brakes can be hacked.” (Source: The Cipher Brief)
  • New Trojan Turns Linux Devices Into Botnet. “Linux is considered as one of the most secure operating systems but things seem to be changing as cyber criminals are equipping themselves with the latest tools. That’s why recently, researchers at Doctor Web have discovered a Linux Trojan that can turn an infected Linux device and websites into a P2P botnets. Usually, a malware is designed to infect devices in order to steal financial and personal data but ‘Linux.Rex.1’ malware has the ability to perform DDoS attacks from the infected device, send malicious messages and distribute itself to others networks.” (Source: HackRead)
  • Epic Games Forums Breached, Salted Passwords Nabbed. “Information on some 808,000 Unreal Engine and Unreal Tournament forum accounts, including email addresses, birth dates, and private messages, have been stolen from Epic Games. The games company says passwords were not compromised on the Unreal forums so account resets are not necessary. Salted passwords were breached for accounts active since July last year used on older game forums including legacy Unreal Tournament titles, Gears of War, and Infinity Blade.” (Source: The Register)
  • Hospitals More At Risk Than Ever With The New Locky Ransomware Wave. “The infamous Locky Ransomware, delivered by powerful cybercriminal distribution campaigns, is targeting American hospitals, using a new infection tactic. During the first half of August, FireEye security experts observed a step-up in the attempts of dropping the Locky threat with 50% of the targets being healthcare institutions. Cyber crooks are seeing hospitals as a low hanging fruit and their main target not only because IT plays an important role in the healthcare sector, but also because of the extremely valuable information they hold.” (Source: Virus Guides)
  • DetoxCrypto Ransomware-as-a-service Rears Its Ugly Head. “First detected by MalwareHunterTeam, the ransomware comes with a single executable that loads other executables and files. Those include Microsoft.exe, which performs the encryption process; a wallpaper background; an audio file; and another executable whose name varies based upon the variant.” (Source: Graham Cluley’s Blog)
  • Most Asia Pacific Companies Lack Cyber-security Mind-set. “Most companies in the Asia Pacific (APAC), almost 60 per cent, the Philippines included, consider ’employees’ lack of knowledge’ as the main insider threat to cyber-security and less than one in ten companies in the region fully understand how cyber-attacks happen. This was the finding of global cloud security leader Trend Micro in its most recent survey of management and business executives across 13 APAC countries.” (Source: Manila Bulletin)
  • Workers Using Pokémon Go Expose Corporate Networks. “According to CloudLock, this phenomenon has sent users out of their homes and offices to participate in the game, where they are spending more time than they do browsing Facebook, Snapchat, Twitter or Instagram. In its second quarter Cloud Cybersecurity Report, CloudLock CyberLab focused on the accelerating growth of connected third-party cloud apps, surfacing one of the riskiest cloud attack vectors.” (Source: Enterprise Innovation)
  • Anatomy Of A Social Media Attack. “Social media threats are at an all-time high, ranging from account hijacking to impersonation attacks, scams, and new ways of distributing malware and executing phishing attacks. Sophisticated attacks target organizations of all sizes. For example, Microsoft was the victim of a series of social media hacks by nation-state threat actors. The attack campaign was extensive, affecting multiple Twitter accounts (principally Skype’s) and exposing corporate passwords and emails for dozens of Microsoft employees.” (Source: Dark Reading)
  • UK Becomes The World’s Second Most Targeted Nation For DDoS Attacks As Assaults Rise Over 220%. “Distributed denial of service (DDoS) attacks have increased by a whopping 220% in the last year “with no signs of abating”, fuelled by DDoS-for-hire services and the use of “hit-and-run” tactics, new data shows. According to cybersecurity firm Imperva’s annual “DDoS Threat Landscape Report”, DDoS attacks rose by 221% between April 2015 and March 2016, with the UK becoming the second most popular target in the world.” (Source: The International Business Times)
  • A Deeper Look At Business Impact Of A Cyberattack. “Few would dispute that cyberattacks are increasing in frequency and in intensity, and most organizations confirm they have now suffered at least one cyber incident. But do those organizations have a true sense of the full impact on the organization? After all, the direct costs commonly associated with a data breach are far less significant than the ‘hidden costs’ incurred. Indeed, the ‘hidden’ costs can amount to 90 percent of the total business impact on an organization, and will most likely be experienced two years or more after the event. These are among the findings of a recent study by Deloitte Advisory entitled, ‘Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts.'” (Source: CSO)
  • A Temperature-Check On The State Of Application Security. “While most IT and security leaders believe that application security problems are inherently more risky than network security issues, appsec still doesn’t get near the same kind of executive support and technical visibility that network security does, a new study out this week by Ponemon Institute shows. Fortunately, new trends in IT delivery like DevOps and continuous integration are making it possible to meet application security challenges that have hampered progress in the past.” (Source: Dark Reading)
  • A Quarter Of Banks’ Data Breaches Are Down To Lost Phones And Laptops. “One in four breaches (25.3 per cent) in the US financial services sector over recent years were due to lost or stolen devices, according to a new study. Cloud security firm Bitglass further reports that one in five recorded breaches over the last 10 years were the result of hacking. More than 60 financial sector organisations suffered recurring breaches in the last decade, including most major banks.” (Source: The Register)
  • Firms Could Target WhatsApp Users After Privacy Policy Change. “Businesses could soon be able to target WhatsApp users following changes to the messaging app’s privacy policy. With a renewed focus on revenue, it’s the first time the app has changed its policy since it was acquired by Facebook for $21.8bn two years ago. The updated terms will grant the social network access to users’ phone numbers and analytics data, facilitating better tailored ads on its core platform.” (Source: The Huffington Post)
  • IPhone Users Urged To Update Software After Security Flaws Are Found. “One of the world’s most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists. Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.” (Source: The New York Times)
  • Dropbox Prompts Certain Users To Change Their Passwords. “Dropbox is asking users who signed up before mid-2012 to change their passwords if they haven’t done so since then. The cloud storage service said it was asking users to change their passwords as a preventive measure, and not because there is any indication that their accounts were improperly accessed. Dropbox said it was taking the measure because its security teams learned about an old set of Dropbox user credentials, consisting of email addresses and hashed and salted passwords, which it believes were obtained in 2012 and could be linked to an incident the company reported around the time.” (Source: CSO)
  • Google To Rate Down Sites With Aggravating Pop-up Ads. “Annoying pop-up ads that get in the way of content are going to be the new lead balloons: Google’s planning to penalize mobile sites that use them by placing those sites lower in its rankings. In the web vernacular, interstitials/pop-ups are now a ranking signal for SEO (Search Engine Optimization). Similar to how Google in 2014 decided to push the web into being encrypted by using HTTPS as a ranking signal, this move could be an inflection point for how mobile sites go about advertising.” (Source: Sophos’ Naked Security Blog)
  • This Biohacker Wants To Implant Cryptographic Keys Beneath Your Skin. “One of those prototypes is UKI, a small, NFC-compliant security chip implanted under the skin that allows people to do things like integrate cryptographic keys into their bodies. Implantable chips could be useful if you lose your keys, but could also change how we grapple with privacy issues. Instead of being stored on external internet-connected devices, UKI allows users to carry cryptographic keys within their bodies, merging both your digital and physical identities.” (Source: Motherboard)

Safe surfing, everyone!

The Malwarebytes Labs Team