
A week in security (Oct 16 – Oct 22)

Last week, we made two announcements: first, that Malwarebytes is teaming up with the Breast Cancer Fund for Breast Cancer Awareness Month and, second, that Malwarebytes has acquired AdwCleaner, the go-to program for cleaning adware from systems.

We also reported on the latest Facebook hoax and on the day the Internet died (due to a DDoS attack), which happened very recently.

As there has been consistent interest in ransomware these past few months, Malwarebytes released a comprehensive infographic on the malware family’s global impact. The data used was based on the results of the survey report conducted by Osterman Research.

Lastly, Senior Threat Researcher Jérôme Segura documented changes in Sundown, an exploit kit known to target weaknesses in Internet Explorer, Adobe Flash, and Silverlight. He found that in one campaign, Sundown dropped Smoke Loader (a payload normally associated with the RIG EK), which then downloaded the banking Trojan Kronos. Segura followed up his piece with another post on Sundown, this time on a possible variant found in the wild. In an unrelated piece, Segura provided us with an anatomy of a tech support scam.

For our Mobile Menace Monday and PUP Friday posts of the week, you may visit these pages:



Below are notable news stories and security-related happenings:

  • Malware Targeting Cable Modems. “LuaBot – a malware targeting Linux platforms that was quite active in the last few months is trying to spread its wings transcending multiple attack vectors. It potentially also targets IoT devices and web servers turning these infected systems into bots within a larger botnet controlled by a perpetrator. As per some reports this malware is used as a part of the larger cyber crime scheme. This includes remote attackers exploiting the target devices in order to dump the device configurations and certificates.” (Source: Security Zap)
  • Hacking Voting Systems: A Reality Check. “Can the national election really be hacked? Anything is possible, but the likelihood of votes being changed is far lower than other methods of thwarting a fair and complete vote. First, we need to clarify the word “hacked.” If you’re hacking the vote, what are you trying to achieve? An attacker might try to influence the outcome of the voting process by compromising voting machines — something that’s improbable but not impossible. It would also be an extremely costly, high-risk, and incredibly complicated endeavor that would have to be executed flawlessly without detection within a very short window.” (Source: Dark Reading)
  • Flaw In Intel Chips Could Make Malware Attacks More Potent. “Researchers have devised a technique that bypasses a key security protection built into just about every operating system. If left unfixed, this could make malware attacks much more potent. ASLR, short for ‘address space layout randomization,’ is a defense against a class of widely used attacks that surreptitiously install malware by exploiting vulnerabilities in an operating system or application. By randomizing the locations in computer memory where software loads specific chunks of code, ASLR often limits the damage of such exploits to a simple computer crash, rather than a catastrophic system compromise.” (Source: Ars Technica)
  • Four Reasons Why Asia Is A Prime Target For Cybercriminals. “From attacks on Ukrainian power grids to central bank heists in Bangladesh and the leak of stolen information from the Democratic National Committee in the U.S., cybersecurity threats have escalated massively in recent years. Governments, companies and individuals are equally susceptible all over the world, but cybersecurity experts believe Asia is most vulnerable to such attacks.” (Source: CNBC)
  • PassCV Targets Pokémon Go, Online Gaming Platforms. “The PassCV group has mounted an ongoing offensive against online gaming platforms, including the Cocos2d gaming framework, used in popular mobile games such as Badland; and the Unity engine, a gaming engine licensed across multiple gaming platforms and recently used in popular mobile games like Pokémon Go. According to the Cylance SPEAR team, a large cluster of activity is being specifically targeted at game developers using malware containing code to harvest stored password information as well as log keystroke data. And, the group is using 18 previously undisclosed stolen Authenticode certificates, which were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia.” (Source: InfoSecurity Magazine)
  • Hackers Create More IoT Botnets With Mirai Source Code. “Malware that can build botnets out of IoT products has gone on to infect twice as many devices after its source code was publicly released. The total number of IoT devices infected with the Mirai malware has reached 493,000, up from 213,000 bots before the source code was disclosed around Oct. 1, according to internet backbone provider Level 3 Communications.” (Source: CSO)
  • Trump-Themed Malware Dominating Threat Campaigns This Election Season. “Would you click on a news article purporting to show a photo of a deceased Donald Trump laying on a stage after an apparent heart attack? Cybercriminals are betting that a good many of you will. It’s the reason for a recent ramp-up in the use of election-themed email and other online lures to try and distribute spam and malware.” (Source: Dark Reading)
  • Hackers Hide Stolen Payment Card Data Inside Website Product Images. “Attacks that compromise online shops to skim payment card details are increasing and growing in sophistication. The latest technique involves hiding malicious code and stolen data inside legitimate files. A Dutch researcher reported last week that almost 6,000 online shops, most of them built with the Magento content management system, have malicious code that intercepts and steals payment card data during online transactions. The online storefront of the U.S. National Republican Senatorial Committee (NRSC) was among those websites until earlier this month.” (Source: CSO)
  • Digital Privacy Can’t Survive On A Cracked Foundation. “With the looming election and all its painful uncertainty, the technology community is holding its breath to see how the political process will impact what is perhaps the most important issue to privacy advocates and technologists the world over: encryption. Although a U.S. President wouldn’t directly decide freedom of speech and information policy, they will play a key role in shaping the future of the debate. With wide discrepancies in cybersecurity and privacy policy, the US presidential candidates both leave unanswered the ultimate question of how to guarantee privacy.” (Source: The Christian Science Monitor)
  • ISACA, CynjaTech Team on Cyber-Awareness Training Game For Kids. “The game is included in the free CynjaSpace app, currently available for Apple iPad. The collaboration combines ISACA’s Cybersecurity Nexus (CSX) knowledge with the Cynja comic series to offer children a gamified, interactive way to learn digital survival skills. The game adapts ISACA’s content into not just a cool game for kids but also a resource for their parents. The game has been dubbed Dojo, because it’s meant to be a digital training ground of sorts.” (Source: InfoSecurity Magazine)
  • Is Machine Learning The Key To Solving Cybersecurity Problems? “Cyber threats have become more sophisticated and evolve faster than ever before, easily bypassing conventional cyber defences. Hence, the need for security skills and security technologies to evolve. One promising development, according to CrowdStrike, is machine learning. ‘What we are witnessing today is the increased effectiveness and application of machine learning for prevention and detection,’ says Mike Sentonas, Vice President of Technology Strategy, CrowdStrike.” (Source: Security Asia)
  • Millennials A Growing Target Of IT Support Scams. “More millennials are falling victim to tech support scams, surpassing senior citizens as the group most frequently tricked by fraudsters. This finding comes from a new study released by Microsoft and the National Cyber Security Alliance (NCSA) as part of National Cybersecurity Awareness Month. To identify tech scams and their effects on everyday consumers, researchers at IPSOS Public Affairs polled 1,000 adults around the world.” (Source: Dark Reading)
  • Fight Fraud: Scams, Identity Theft, Ransomware Attacks. “In an increasingly technology-oriented world, cybercrime has become all too common for both consumers and businesses. Internet crime takes many forms and includes everything from large-scale data breaches to consumer issues like identity theft and cyber-stalking to widespread scams and ransomware. In the third week of National Cyber Security Awareness Month (NCSAM), the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS) and their industry, government and nonprofit partners are highlighting the different types of online crime and how people and businesses can better protect themselves.” (Source: Help Net Security)
  • 3.2M Payment Cards Affected In Massive Indian POS Breach. “One of the biggest breaches in India has compromised as many as 3.2 million payment cards as banks scramble to replace cards and request users to change security codes. Officials believe malware on the Hitachi Payment Services platform, which provides ATM and point of sale services, is responsible for the breach and said 2.6 million of the affected cards are on the Visa and MasterCard platform, according to The Economic Times.” (Source: SC Magazine)
  • Feds Catch Hacker Allegedly Responsible For LinkedIn Hack. “The hacker allegedly responsible for the 2012 hack on LinkedIn has been arrested in the Czech Republic. The Russian man, 29, whose name was not released, is wanted by the FBI to face charges in connection with hacking targets in the US. A police statement said he was arrested in the country’s capital, Prague, after Interpol issued a red notice earlier this month for the suspect’s arrest.” (Source: ZDNet)
  • Malvertising Trends: Don’t Talk Ad Standards Without Ad Security. “The launching of AdBlock Plus’ new Acceptable Ads Platform is indicative of how the conversation on ad governance has strayed off-course. There are reasons why people want ad-block, and reasons why they need it. But by allowing display ads that conform to their supposed guidelines, AdBlock Plus negated its own security benefit. Loath to support ad-blocking as a means of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don’t get me wrong, this is all good. But aren’t we forgetting that bad ads also include malware ads?” (Source: Dark Reading)
  • Identity Theft Hits Low- To Moderate-Income Victims Hardest. “Some 30% of people who have reported criminal identity theft needed government assistance to get back on their feet, according to a new report from the Identity Theft Resource Center (ITRC). The 300-person sample came from those who used ITRC’s free services in the last year, many of whom are low- or moderate-income earners, according to Eva Velasquez, president and CEO. And while identity theft doesn’t hit these demographic segments more frequently, it does hit them harder because they lack the extra time and money often required to resolve identity theft problems, she says.” (Source: Dark Reading)
  • Routers Branded ‘Achilles Heel’ Of Home And Small Biz Security. “A worrying 15% of home routers are wide open to hackers through the use of default or easy-to-guess passwords, according to new research from Eset. The firm tested over 12,000 devices via its Home Network Protection feature and found them to be a gateway for malicious threats into the home and small business.” (Source: InfoSecurity Magazine)
  • Bastille Unveils List Of Top 10 Internet Of Radios Vulnerabilities. “Bastille, the leader in enterprise threat detection through software-defined radio, today released its list of “Top 10 Internet of Radios Vulnerabilities.” The Internet of Radios is the combination of mobile, wireless, bring your own device (BYOD), and Internet of Things (IoT) devices operating within the radio frequency (RF) spectrum. The Top 10 list coincides with National Cyber Security Awareness Month as well as the results of the recent “Bastille Internet of Radios Security Poll” that indicates widespread recognition of potential threats in the enterprise, but limited adoption and enforcement of security policies.” (Source: Business Wire)
  • Ransomware Family Count Surpasses 200. “Those are just some of the many different ransomware families that have been cataloged by the ID Ransomware service, launched in March by the security researchers known as MalwareHunterTeam. The researchers’ site allows victims to upload ransom notes or encrypted files to help them identify the ransomware that’s encrypted their data. This week, in an unfortunate cybercrime milestone, the number of ransomware families counted by the service reached 200.” (Source: Bank InfoSecurity)
  • “JapanLocker”: An Excavation To Its Indonesian Roots. “Fortinet has discovered a new open-source PHP ransom malware that has been targeting web sites using a simple encryption algorithm that is effective enough to really frighten web server owners. What is more interesting, however, is the information we have uncovered regarding the possible roots of the attacks/attackers. Basing only on the email address that it uses for ransom negotiations, ‘’, victims and researchers alike may make an obvious guess where the attacks may have come from. However, our investigation reveals otherwise. For this reason, researchers may need to use a more appropriate name besides ‘JapanLocker’.” (Source: Fortinet Blog)
  • Netflix Urging Subscribers to Change Passwords to Mitigate Possible Threat. “Security experts at Netflix were performing their regular security monitoring when they identified that there were some Netflix email addresses and passwords that matched the credentials released in another company’s breach. That’s why the company decided to send notifications to its subscribers via emails for changing their passwords. This is the standard procedure followed by Netflix every now and then but this time the company believes that they have every reason to ask their users for password resetting.” (Source: HackRead)
  • Give System Attackers the Boot. “Secure boot is a critical component of any embedded system. It assures that firmware, the brains of all embedded systems, is as intended by the maker of the system. Moreover, secure boot assures the safe and predictable operation of embedded systems. Its value is easily seen in systems whose failure can lead to potentially catastrophic consequences. Examples of such vital systems include heat controllers of home furnaces and range ovens, engine-control modules in vehicles, traffic-light controllers, therapy delivery systems in implanted medical devices, and controllers of unmanned trains.” (Source: Electronic Design)
  • Is Cybersecurity Broken? Building Walls Won’t Prevent Hacks, Predicting The Future Will. “From Github to the dark web, clues about where hackers will strike next are dropped like crumbs. We just need to find them. That was the takeaway line from Staffan Truvé’s talk at the inaugural WIRED Security event in Canary Wharf during which he explained how it is possible to predict the future online, and how the current methods of cyber defence aren’t working. Truvé is Recorded Future’s CTO. Recorded Future makes software that predicts what will happen next by analysing all of the text on the open web. ‘It’s a tricky business to be a defender of a system – we want to stop the attacks before they happen,’ said Truvé.” (Source: Wired)
  • Stupid Encryption Mistakes Criminals Make. “Writing secure code can be challenging, and implementing cryptography correctly in software is just plain hard. Even experienced developers can get tripped up. And if your goal is to swindle people quickly, not to wow them with the quality of your software, there are sure to be serious crypto mistakes in your code. Malware authors may provide significant lessons in how not to implement cryptography. Such was the upshot of research by Check Point’s Yaniv Balmas and Ben Herzog at the recent Virus Bulletin conference in Denver. Malware authors may be more likely to insert crypto doozies in their code than developers working on legitimate software because they may not care as much about code quality or design, said Balmas and Herzog.” (Source: InfoWorld)
  • Hacking 3D Manufacturing Systems Demonstrated By Researchers. “Researchers from three universities combined their expertise to demonstrate the first complete sabotage attack on a 3D additive manufacturing (AM) system, illustrating how a cyber attack and malicious manipulation of blueprints can fatally damage production of a device or machine. In their paper titled ‘Dr0wned,’ researchers from Ben-Gurion University of the Negev (BGU), the University of South Alabama and Singapore University of Technology and Design detail how to sabotage the quality of a 3D-printed functional part, which leads to the destruction of a device.” (Source: Help Net Security)
  • Israeli Phone Hackers Say They Can Rip Data From… Pokémon Go. “Cellebrite, a company that makes phone hacking and data extraction tools, is the go-to for law enforcement wanting to forensically examine mobile devices. But the Israeli firm recently announced a new feature that may split the contentious ‘going dark’ debate wide open: it can rip data from Pokémon Go. ‘Gain insights from the world’s most popular game—Pokémon Go,’ reads a document related to Cellebrite version 5.2, published in August. ‘Cellebrite’s latest release now provides support for the game that has gone viral—around the globe,’ it continues.” (Source: Motherboard)
  • Are Mobile Apps A Leaky Tap In The Enterprise? “In almost every enterprise, mobile and cloud represent a large and growing proportion of overall traffic. While they offer many advantages in productivity, they also bring about new challenges for organizations trying to simplify their infrastructures while maintaining critical security controls. The growing number of mobile devices, and the vast marketplace for self-serve apps, has opened the door to data loss and security breaches. In this blog, we will highlight some of the trends we’ve seen in the Zscaler cloud, particularly as they pertain to mobile privacy and data leakage.” (Source: Zscaler Blog)
  • New Ransomware Asks User To Play Click Me Game While Encrypting Data. “Karsten Hahn, a malware analyst at GData, has identified new ransomware that is currently in its developmental phase. According to Hahn’s analysis, the ransomware pretends to be a Click Me Game while its objective is the same, to encrypt the files present on a system. Bleeping Computer reports that as soon as the malware file is executed, a screen is launched that displays a Click Me button. When the user tries to click on it, it starts changing its position so that the user has to move the mouse cursor to click. While all this is happening, the malware is silently encrypting files stored on the drive. This means the Click Me game is just added to keep the victim busy while the malware performs its job.” (Source: HackRead)

Safe surfing, everyone!

The Malwarebytes Labs Team