Detail of a calendar page with dates

A week in security (Sep 04 – Sep 10)

Last week, we debuted our first-ever Mobile Menace Monday post where we talked about a fake Pokémon Go app, which turned out to be a simple redirector app to random destinations like dating and sweepstakes sites. Triple M is published on a bi-weekly basis.

We also highlighted some changes to Google Safe Browsing, informing Web admins that it is now easier to figure out problems on their sites and what they can do to address them.

For our first PUP Friday in September, we talked about the MPlayerX, a software program for the Mac OSX that had the tendency to act maliciously, but after a deeper look, was found to be an unwanted program as it comes bundled with a known adware and other OSX junk apps.

Notable news stories and security related happenings:

  • Threat Alert: Cerber Ransomware V3 Spotted In The Wild. “A new version of the Cerber ransomware was released last week, and it is easy to identify based on the .cerber3 extension that it adds to all encrypted files. The move comes after crooks released version v1.5 and v2 in quick succession at the start of August. Before releasing Cerber v2, the crooks distributed v1 for more than six months, with very small updates, once in a while. The Cerber gang was forced to issue v2 in order to break a free decrypter provided by the infosec community that was hindering their profits by letting users recover files for free.” (Source: Softpedia)
  • Hacker Group For Hire Can Access Any Phone For $1.1M, Services Offered To Governments. “For those who have been following the news recently, the debacle involving an Israeli company of hackers called NSO Group breaking into iPhones might sound familiar. Now, reports regarding how much the group charges anyone who is interested in hacking smartphones, are circulating, and the amount is staggering. The New York Times reported that the Israeli company is actually offering their services via bundles. Those who want 10 iPhones hacked will need to pay $650,000 for the lot, and that’s just getting the actual results. The group will also charge another $500,000 for what they are calling a ‘setup fee.'” (Source: The Econo Times)
  • OurMine Hacker Group Briefly Takes Over Variety Website, Spams Subscribers With Dozens Of Emails. “Entertainment news site Variety was briefly taken over by the infamous hacker group OurMine, the same group responsible for infiltrating several high-profile figures’ social media accounts and media outlets in recent months. On Saturday (3 September) the hacking collective managed to break into Variety’s content management system at approximately 9 am PT and deface the LA-based publication’s site with a post of their own claiming responsibility for the attack.” (Source: The International Business Times)
  • New Report Shows 55% Of Websites Have Severe Vulnerabilities. “The Acunetix annual Web Application Vulnerability Report 2016 has found that high-severity vulnerabilities are on the rise and are now present in the majority of websites globally. The report looked at 45,000 website and network scans done on 5,700 scan targets from April 2015 to March 2016. Results show that not only do 55% of websites have one or more high-severity vulnerabilities, but this has significantly deteriorated in just one year, growing by 9% over 2015’s report.” (Source: IT Security Guru)
  • People, Please Don’t Store Private Data in Your Address Book. “There’s been some controversy over the data that Donald Trump’s campaign app collects. Though the America First app asks before accessing anything on both Android and iOS, it gathers and stores the data from smartphone address books as soon as it is granted permission. The situation probably doesn’t sound like a big deal, especially since the app requests consent, but if you store valuable private information in your contact lists—like security codes, passwords, health information, or social security numbers—it definitely poses a threat.” (Source: Wired)
  • Public Yawns At Threat Of Cyber Crime. “Has the public simply accepted cyberattacks as part of life? Not quite. Cybersecurity experts say people aren’t crying for protection because the attacks, for the most part, have yet to hurt them personally. There’s also lots of confusion about the nature of cybercrime, and little sense of how to fight it. Oh, and the topic is boring.” (Source: The San Diego Union Tribune)
  • Big Data Analytics Is Key To Stronger Cybersecurity. “The Ponemon Institute has released the Big Data Cybersecurity Analytics Research Report and it shows that traditional layered security systems are failing to protect ‘from the 1000 arrows’ fired – some get through […] It found that organisations using analytics to identify departures from known good behaviour are 2.25 times more likely to identify a security incident within hours or minutes. Those using Apache Hadoop found significant advantages to analysing cyber security incidents.” (Source: IT Wire)
  • Expert Questions Claim That St. Jude Pacemaker Was Hacked. “Last week, a controversial report claimed that pacemakers and other implantable heart devices made by the manufacturer St. Jude Medical have massive security flaws that leave them vulnerable to hacking. Now, medical device security expert Kevin Fu, an associate professor at University of Michigan, is questioning the accuracy of that report. The material presented in the report does not prove that hackers can cause a St. Jude device to crash, Fu told IEEE Spectrum in an interview. ‘The onus is on the claimant,’ Fu says. ‘We’re not saying the report is false, we’re saying the evidence is not strong.’ Fu says a screenshot presented as evidence of the hack could have come from a benign situation that was misinterpreted.” (Source: The IEEE Spectrum)
  • Pokémon-inspired Rootkit Attacks Linux Systems. “A new persistent stealthy malware that can give attackers full control over Linux servers has been discovered by researchers. Researcher Fernando Mercês with security vendor Trend Micro said the malware – a rootkit family – is named after a character in the Pokémon fantasy game called Umbreon. Umbreon is a dark Pokémon that hides in the night, an ‘appropriate characteristic for a rootkit,’ Mercês wrote.” (Source: IT News – Australia)
  • Going “Disposable” Could Save Hacking, ID Theft Nightmares. “Is there a way to avoid waking up one day and finding your credit card had been used to purchase $5000 worth of luxury goods? How can we create as many personal defences as possible without spending a bank breaking budget on cyber security? One starting point is adopting a ‘disposable’ identity for credit cards and email addresses. Having a disposable credit card via a service like EntroPay is a starting point.” (Source: Computer World)
  • Printers Now The Least-secure Things On The Internet. “The Internet of Things is exactly as bad a security nightmare as pessimists think it is, according to Bitdefender’s Bogdan Botezatu […] “We get a lot of telemetry in our vulnerability assessment labs,” he said. ‘The router is no longer the worst device on the Internet. It’s now the printer.’ That’s a pretty big claim to make, given that in in less than a month, we’ve discussed the no-we-won’t-fix-it Inteno router from Sweden and the record-setting Chinese surveillance router.” (Source: The Register)
  • Why Social Media Sites Are The New Cyber Weapons Of Choice. “Cyber criminals run rampant across every social network today. We often see headlines about social marketing fails and celebrity account hacks, but they’re just the tip of the iceberg. Far more nefarious activity takes place across these social channels, while most organizations remain oblivious and exposed. Companies’ poor social media security practices put their brands, customers, executives, and entire organizations at serious risk.” (Source: Dark Reading)
  • The CryLocker Ransomware Communicates Using UDP And Stores Data On “A new infection called the CryLocker Ransomware, which pretends to be from a fake organization called the Central Security Treatment Organization, has been discovered by security researcher MalwareHunterTeam.  When the Central Security Treatment Organization, or Cry, Ransomware infects a computer it will encrypt a victim’s files and then append the .cry extension to encrypted files. It will then demand approximately 1.1 bitcoins, or $625 USD, in order to get the decryption key.” (Source: Bleeping Computer)
  • Number Of Devices Sharing Private Crypto Keys Up Sharply. “Researchers at SEC Consult say the number of internet gateways, routers, modems and other embedded devices sharing cryptographic keys and certificates is up 40 percent since the Austrian consulting firm first looked at the problem in November. The report, posted Tuesday called ‘House of Keys,’ warns a sharp rise of devices using known private keys for HTTPS server certificates could easily spur an uptick in man-in-the-middle attacks that can lead to more extensive intrusions. Over the past nine months, that number has gone from 3.2 million (in November 2015) to 4.5 million today, SEC Consult reports.” (Source: Kaspersky’s Threatpost)
  • How Google Aims To Disrupt The Islamic State Propaganda Machine. “The internet is one of the most valuable tools for the Islamic State to spread its vision of radical Islam and lure recruits to the battlefields in Iraq and Syria. But the world’s most powerful search engine is taking steps that could soon blunt the group’s online propaganda machine. Jigsaw, the advanced research outfit created by Google, has developed a technology that would redirect anyone searching terms and phrases associated with supporting the Islamic State (known as IS or ISIS) to instead see antiextremist messages and videos.” (Source: The Christian Science Monitor)
  • Swift Admits Attacks Are “Here To Stay” – So What Can Banks Do? “There’s a cultural misconception that security equals lockdown in the financial sector; disclosure runs counter to that perception. Banks are less inclined to share intimate details of attacks because they don’t want to damage market confidence and that makes cyber security a major challenge for the sector. Swift has recently sent a letter out to customers admitting it had suffered further attacks and that the threat is ‘persistent, adaptive and sophisticated – and is here to stay’. It identified the weak point as bank environments themselves. Like an extreme form of invoice fraud, fraudulent payments have been submitted from these compromised networks, leading the payment provider to urge its members to up their security game.” (Source: Banking Tech)
  • Malware Fears As Pokémon Threats Go Social. “Cybercriminals are jumping on the huge popularity of AR app Pokemon Go to spread malware via social media scams, according to Proofpoint. The security firm claimed that its researchers had discovered 543 social media accounts related to the Japanese game across Facebook, Twitter and Tumblr – over 30% of which are fraudulent. Of these 167 phony accounts, 26% had links to download files – many masquerading as the Pokemon Go app, game guides or other related content.” (Source: InfoSecurity Magazine)
  • The Limits Of SMS For 2-Factor Authentication. “A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code. Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.” (Source: KrebsOnSecurity)
  • Stealing Login Credentials From A Locked PC Or Mac Just Got Easier. “Rob Fuller, a principal security engineer at R5 Industries, said the hack works reliably on Windows devices and has also succeeded on OS X, although he’s working with others to determine if it’s just his setup that’s vulnerable. The hack works by plugging a flash-sized minicomputer into an unattended computer that’s logged in but currently locked. In about 20 seconds, the USB device will obtain the user name and password hash used to log in to the computer. Fuller, who is better known by his hacker handle mubix, said the technique works using both the Hak5 Turtle ($50) and USB Armory ($155), both of which are USB-mounted computers that run Linux.” (Source: Ars Technica)
  • Sophisticated Mokes Backdoor Targets Mac Users. “A new malware targeting Macs has been discovered: the Mokes backdoor. Capable of making screenshots, recording keystrokes, capturing audio, and rifling through Office documents and removable storage devices, Mokes (aka Ekoms) can be also made to execute arbitrary commands on the system. Mokes’ existence doesn’t come wholly as a surprise, as it has been preceded earlier this year by a Linux and a Windows version, and it’s written in C++ using Qt, a cross-platform application framework.” (Source: Help Net Security)
  • The Dangers Of Connecting Phones To Connected Cars. “As smart, connected cars get more ubiquitous, they are often the only option you get when renting a car from a rental agency. With all the reports about car hacking, you might be worried whether someone could manipulate the vehicle you’re renting, but in the real world, that danger still seems far off. A more near and present danger is that of inadvertently sharing your personal data with the car, and therefore with its owners (at a minimum).” (Source: Help Net Security)
  • USBKill Power Surge Test Tool Can Blow Up And Damage Any PC, Laptop Or TV. “We had seen the proof-of-concept for a USB stick that would kill the port when plugged into any device but now the same has finally materialized and is up on sale. The USBKill stick turbocharges its capacitors from the USB power supply and discharges the same within seconds eventually disabling the hardware. This will not just disable the port but the surge in voltage will damage the entire machine. The takeaway here is that the exposed USB ports should be protected by a layer of hardware security else the same can be exploited by hackers and others. Worst things, the port can be used as a malicious actor to get access to the system.” (Source: TechPP)
  • New Linux Trojan Discovered Coded In Mozilla’s Rust Language. “The Trojan, which is coded in Rust, a programming language sponsored by the Mozilla Foundation, also integrates the ‘IRC’ Rust library by Aaron Weiss, in order to communicate via the IRC protocol to a remote IRC public channel. At the time of writing, the channel hardcoded in the Trojan’s configuration is offline. All Trojans that infect a target will automatically connect to this IRC channel and wait for commands. The hacker in control of this IRC channel can submit a message to the channel’s public chat, and all connected bots will parse this message and execute it.” (Source: Softpedia)
  • Attacking The Attackers: Facebook Hacker Tools Exploit Their Users. “For those who are looking to hack the Facebook accounts of others, there is a marketplace of Facebook Hacker tools that offer the promise of point-and-click ease. According to a new report from Blue Coat Elastica Cloud Threat Labs (BCECTL), the promise made by many Facebook Hacker tools is false. Rather than providing access to the Facebook accounts of others, BCECTL found that most Facebook Hacker tools only exploit the users of the tools.” (Source: eWeek)

Safe surfing, everyone!

The Malwarebytes Labs Team