A week in security (Sep 11 – Sep 17)

Last week, we talked about HTA infections, brought to light some SMS phishing campaigns aimed at Bank of America (BofA) and Wells Fargo clients, and documented the latest HMRC-themed tax fraud scam we spotted in the wild. We also enumerated ways in which some Internet users have made it difficult for phishers to execute their schemes. Let’s not forget we received reports of a fake Malwarebytes product file in circulation that claimed to be from us but was actually DetoxCrypto ransomware in disguise.

Lastly, we saw a recent malvertising campaign pushed from adult websites via their side banners. From there, visitors were redirected to an Afraidgate campaign, which then distributed the Neutrino exploit kit. Jérôme Segura, our expert on this type of online threat, said that “[t]his could very well be an ‘accidental’ malvertising case…or perhaps, and time will tell, attackers are focusing on such infrastructure as they know it will yield a greater return”.

Notable news stories and security-related happenings:

  • 911 Is Vulnerable To DDoS Attacks: Hackers Prove How Easy It Is! “America’s people-centric and globally popular emergency helpline number 911 has been found to be easily vulnerable to Distributed Denial of Service (DDoS) attacks. Mordechai Guri, Yisroel Mirsky and Yuval Elovici, researchers at the Cyber Security Research Centre of Ben Gurion University, have revealed the threat in a thoroughly researched paper which was published on September 9th, 2016. Interestingly, the threat of attack has previously been issued by the Department of Homeland Security as well as the FBI. What alarms us is the fact that this attack need not be highly sophisticated and prevention of 911 service in any state can be managed with only 6K bots. In monetary terms, hardware worth $100 thousand can damage the life of millions of natives for an unknown number of days.” (Source: Aperture Games)
  • GM Recalls Millions Of Cars After Critical Bug Found. “General Motors has been forced to recall over four million cars following a software defect linked to at least one death. The bug forces the air bag sensing and diagnostic module (SDM) software to activate a diagnostic test if it encounters certain driving conditions, according to the National Highway Traffic Safety Administration (NHTSA). Doing so means the front air bags and ‘seat belt pretensioners’ won’t deploy in the event of a crash, the agency claimed.” (Source: InfoSecurity Magazine)
  • Malware Writer Renames Ransomware After A Security Researcher. “In an attempt to ruin the reputation of Fabian Wosar – the man who bears the reputation as a ransomware decrypter – Apocalypse malware writers have renamed their ransomware after this Emsisoft security researcher as Fabiansomware. Cybercrime has been around as long as the Internet. The type of cyber crime that is most widespread today is ransomware. With each passing day, new variants and families of malware are popping up. Firms like Emsisoft Malware Lab have successfully managed to combat this growing menace. As such, these establishments have become the main target of ransomware developers and are, therefore, at the receiving end of hate from authors of such ransomware.” (Source: The Windows Club)
  • Why Backdoors Are Welcome Mats For Hackers. “This past March, a shocking public hazard was released into the world, one that threatened the security of millions of people. The worst part? It could have been easily avoided. I’m not talking about an airborne virus or flesh-eating bacteria. I’m talking about a company intentionally building a backdoor into millions of consumer devices, and then leaving the ‘keys’ to that door lying out in the open for anyone to snatch up. For a tech giant, Microsoft certainly messed up in a giant way.” (Source: Geek Time)
  • Data Manipulation: An Imminent Threat. “An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks. To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos.” (Source: Dark Reading)
  • Take It From A Parent, Ask Your Kids Before You Post To Facebook. “Still, many parents appear to have a hard time guiding kids’ use of the internet. Studies have consistently shown kids and teenagers use at least one social media account their parents don’t know about. Research published by the Center for Cyber Safety and Education in 2015 revealed that 4 out of 10 middle schoolers admitted using the internet in ways their parents would not approve, and many kids lied about their age online. So, now that millions of students have headed back to school this week with smartphones in their pockets and backpacks, it’s the perfect time to talk with kids about what to share – and what not to share – online.” (Source: The Christian Science Monitor)
  • New Report Shows That One In Five Businesses Don’t Test For Security Vulnerabilities. “Osterman Research and Trustwave today released a new report that shows many businesses fail to conduct frequent security testing despite believing that it’s critically important to securing their systems and data. Shockingly, one in five businesses surveyed for the report admitted they don’t do any security testing, despite the fact that 95 percent of survey respondents reported encountering one of the dozen common security issues associated with security vulnerabilities.” (Source: Trustwave)
  • Study Finds Gamer Cyber Hygiene Stinks. “As online gaming grows in popularity, ESET researchers found that cybersecurity measures haven’t kept pace, as 36 percent of gamers reported actively turning off security software if they found it was slowing down their computer. The study, conducted by Google Consumer Surveys, polled 500 gamers and found that 52 percent of respondents said they don’t even use security software on their gaming computers, according to a Sept. 13 blog post.” (Source: SC Magazine)
  • Apple Joins The Rush To Kill Off Outdated Crypto. “It’s been more than four years since legendary cypherpunk Moxie Marlinspike released a tool that made cracking the point-to-point tunneling protocol for virtual private networks a trivial endeavor. ChapCrack was released at DefCon in 2012 — and that was 14 years after grandaddy crypto-hacker Bruce Schneier showed how Microsoft’s implementation of the protocol could be broken — but PPTP has lingered. Now Apple’s latest operating system upgrades — Mac OS Sierra and iOS 10 — ‘will remove PPTP connections from any VPN profile when a user upgrades their device,’ the company said in a blog post.” (Source: Fedscoop)
  • Microsoft Patches Zero Day Flaw Used In Two Massive Malvertising Campaigns. “Microsoft has patched a zero-day vulnerability in Internet Explorer that at least two threat actor groups have used for some time to serve malicious advertisements to between 1 million and 5 million users daily. Microsoft was first notified about the so-called information disclosure bug in September 2015, security vendor Proofpoint said in an alert this week. But a patch for it became available only after Trend Micro and Proofpoint reported the bug again to Microsoft more recently when researching a massive malvertising campaign being operated by a group called AdGholas, the alert noted. Proofpoint describes the vulnerability as one involving a Multipurpose Internet Mail Extension (MIME) type check for filtering systems with certain extensions like .py, .saz, and .pcap.” (Source: Dark Reading)
  • Even Google Search Suffers From XSS Flaws. “French security researcher Issam Rabhi has identified a cross-site scripting (XSS) vulnerability in Google’s Search interface, something that many have thought to be impossible after so many years of probing by other security experts. The reason why Rabhi managed to identify this ‘unicorn’ is that the issue wasn’t in Google’s classic Search section, but in the custom widget the company introduced for the Rio Olympics. The company still uses the widget today to show final results from the recently concluded Olympic Games, but without the XSS issue, which they patched within four days after it was disclosed.” (Source: Softpedia)
  • Hackers Probe Cyber Defences To Bring Down The Internet. “Hackers are probing the defences of critical internet infrastructure providers in what could be the beginnings of a campaign to take down the internet, according to a leading cyber security expert. Bruce Schneier, Chief Technology Officer at Resilient and security blogger, wrote in a post on his site that major firms were being hit by ‘probing’ attacks: attacks designed to test their defensive capabilities. Companies had been hit by distributed denial of service (DDoS) attacks which had started at a certain point and then been steadily ramped up before stopping. The attack would then resume at a higher point and continue.” (Source: CBR)
  • Double-dipping Malware Steals iOS Creds And Roots Android. “A newly-outed trojan is exploiting iOS and Android devices, ripping iCloud credentials by abusing the trusted link between phones and PCs, says Palo Alto security researcher Claud Xiao. The attack appears to have failed in most circumstances, thanks to iOS’ sandboxing security controls, hardened modern Android operating systems, and the overt nature of the attack, and will flunk in all current attacks given the expiration of a certificate.” (Source: The Register)
  • Half Of UK Consumers Refuse To Do Business With Hacked Companies. “F5 Networks has released a new survey that sheds light on consumer attitudes towards cyber security, revealing that Brits are ready to take a tough stance on hacking and a majority refuse to do business with any company that has been hacked in the past. Of those surveyed, 50 per cent claimed they would not share their data with or purchase any products from a company that was previously hacked. F5’s survey also brought the conflicting views on cyber-crime out into the open, with one in ten UK consumers admitting that they viewed hackers as ‘the good guys’. Surprisingly, these numbers doubled amongst French consumers (19 per cent) and 14 per cent of Germans acknowledged that they view hackers in a positive light.” (Source: IT Pro Portal)
  • Alibaba Fires Employees For Hacking Their Way To Free Mooncakes. “China’s Mid-Autumn Festival started today, as much of the world now knows due to a runaway inflatable moon incident reported yesterday (as seen below). Celebrated on the 15th day of the eighth month in the Han calendar—corresponding to the full moon closest to the Autumnal Equinox—the holiday is commemorated in Chinese culture through the exchange and sharing of moon cakes.” (Source: Ars Technica)
  • What Information People Most Fear Being Hacked. “People are most fearful of their credit cards or bank statements being hacked, with 78 percent of Americans and Germans ranking it a top concern. That number is even higher in the UK, where 85 percent of residents rank credit card and bank data as their biggest hack concern. The Centrify study, which surveyed 2,400 people across the US, UK and Germany, also found that consumers are very concerned about their financial investment information falling prey to hackers, with 58 percent in the US, 56 percent in the UK and 43 percent in Germany citing it as a top concern.” (Source: Help Net Security)
  • Hacked TalkTalk Data Used In Scamming People With Thousands Of Pounds. “Phone and online scams are increasing day by day, and not just the younger lot but elderly ones are also facing the heat. The problem has become so adverse that the police department had to issue a public warning after a hundred people in Dorset became the target of scammers within a month’s time. The Economic Crime Unit’s Det. Sergeant Andrew Kennard stated that these scammers can scam ‘anyone – regardless of someone’s age, background or where they live, particularly the elderly.’” (Source: HackRead)
  • Attack Leverages Windows Safe Mode. “Researchers warn the Windows diagnostic feature Safe Mode can be used as a remote attack vector by hackers who already have access to a compromised PC or server. The method of attack is unusual, researchers said, and places attention on the diagnostic tool used to fix PC problems and remove security threats. Researchers at CyberArk Labs say they have created several proof-of-concept attacks using the Windows Safe Mode tool as an attack vector that could allow a hacker to harvest credentials on PCs running Windows 10 as well as Windows servers. By using Safe Mode, an attacker could easily move laterally within a network without detection, researchers say.” (Source: Kaspersky’s Threatpost)
  • Students Unaware About Ransomware Costs, Impact. “In May, the FBI’s Internet Crime Complaint Center reported there were 2,453 reported ransomware incidents in 2015, resulting in losses to victims of over $1.6 million. But the majority of headlines around ransomware have highlighted businesses under threat. This may explain why students claim they would spend no more than what a nice meal would cost to ransom their information. According to the survey, students would pay on average $29 for a dating profile; $52 for a term paper; $78 for a banking log-in; and $86 for private photos. On average, students would pay $52 to access ransomed data, but in reality, consumers are paying a much higher amount.” (Source: Help Net Security)
  • Ransomware Getting More Targeted, Expensive. “I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” (Source: KrebsOnSecurity)
  • Pokémon Go Guide App With Half A Million Downloads Hacks Android Devices. “Security researchers have found a malicious application on Google Play that had over 500,000 downloads and was designed to gain complete control over Android devices. The application masqueraded as a guide for the popular Pokémon Go game and used multiple layers of obfuscation to bypass Google Play’s malware detection mechanisms, researchers from Kaspersky Lab said in a blog post. The app contains a malicious module that doesn’t execute immediately. Instead, the app waits for another application to be installed or uninstalled in order to determine if it’s running on a real device or in an emulated environment, like the ones used to detect malware.” (Source: CSO)

Safe surfing, everyone!

The Malwarebytes Labs Team