A week in security (Sep 25 – Oct 01)

Last week, we touched on security groups forming alliances to address chunks of the cybersecurity issues currently affecting us, the latest of which is the Vendor Security Alliance (VSA). We also talked about the hardly-complex Komplex Mac backdoor malware discovered initially by Palo Alto Networks, and spotlighted new hardware from software company Snapchat (now Snap, Inc.), which may further raise concerns about privacy.

Senior threat researcher Jérôme Segura discovered a malvertising campaign that struck once more—the fourth time the said website had raised a flag in our telemetry—with the RIG exploit kit taking the lead this round.

Our other Labs researchers also discussed the lesser-known tricks for spoofing file extensions and a fake browser extension pretending to be uBlock Origin, a popular content filter.

As a follow-up to the PUPs associated with Nikoff Security, Director of Mac Offerings Thomas Reed offered us some victories (PUPs from said company were pulled from the Mac App Store) and defeats (sadly, similar PUPs remain on the said store) concerning fake antivirus and adware software.

Below are notable news stories and security-related happenings:

  • 10 Tips For Minimizing Cloud Security Risks. “Cloud computing service arrangements frequently require organizations to share employee or customer personal information and other confidential data with service providers. In some cases, organizations must also grant vendors access to their current IT systems for transition or other purposes. Engaging third parties to perform services that involve handling personal information or accessing an organization’s IT systems changes an organization’s data security risk profile.” (Source: Legaltech News)
  • Yahoo’s Compromised Records Likely Hidden Within Encrypted Traffic, Vendor Says. “As Derby Con was winding down, an interesting email hit Salted Hash’s inbox from Venafi. The security firm, known for their tools that secure digital keys and certificates, outlined a number of cryptographic issues at Yahoo. The email then claimed they’re not saying these flaws led to the massive data breach that impacted 500 million users. Yet, that’s exactly what their statements hint at. In Venafi’s experience, an emailed statement from Alex Kaplunov, Venafi’s vice president of engineering explains, breaches like the one suffered by Yahoo are often accompanied by weak cryptographic controls.” (Source: CSO)
  • Broadening The Scope Of Mobile Security. “Most enterprises, when addressing mobile security, focus on securing applications, such as the devices’ operating systems, or preventing the installation of malware. But the cybersecurity experts at the National Institute of Standards and Technology say organizations should take a much broader approach to ensuring mobile security. Referring to the need to address the risks posed by cellular networks and other elements of the mobile infrastructure, NIST Cybersecurity Engineer Joshua Franklin says: “There is this whole other side of a mobile device that has its own complex hardware, firmware, software and network protocols that need to be addressed.” Franklin co-authored the recently released draft report, Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue.” (Source: GovInfoSecurity)
  • Over 850,000 Devices Affected By Unpatched Cisco Zero-Day. “A scan of Cisco networking devices from around the world has revealed that hundreds of thousands of devices are vulnerable to an unpatched security issue that allows attackers to retrieve data from the equipment’s memory. Cisco has recently acknowledged that a cyber-offensive toolkit leaked online by a group of unknown hackers is also affecting its current device models after initial analysis said that only older (discontinued) PIX firewalls were affected. The tool, named BENINGCERTAIN, leaked in August when a group calling themselves The Shadow Brokers put it online along with tens of other hacking utilities they claim to have stolen from the server of a cyber-espionage entity named the Equation Group, which some security vendors believe to be the NSA.” (Source: Softpedia)
  • Ellie Goulding Revealed As The UK’s Most Dangerous Cyber Celebrity Of 2016. “Singer and songwriter Ellie Goulding replaces Kelly Brook as McAfee’s most dangerous celebrity to search for online in the UK. Now in its tenth year, the study involves researching popular culture’s most famous people to reveal which of them generates the most dangerous search results. The McAfee Most Dangerous Celebrities™ study, published by Intel Security, revealed that searches for certain musicians and reality TV celebrities tend to expose internet searchers in the UK to more possible viruses and malware. This is Ellie Goulding’s first time in McAfee’s list of the most dangerous celebrities and by topping the poll, beating the likes of Charlotte Crosby (2), Rita Ora (3), Calvin Harris (4) and Geordie Shore star, Holly Hagan (5).” (Source: IT Security Guru)
  • Germany Says Facebook’s Collection Of WhatsApp Data Is Illegal. “Facebook and WhatsApp have been told to immediately stop the mass collection, storage, and sharing of data scooped up from 35 million WhatsApp users in Germany, just one month after Facebook-owned WhatsApp announced its decision to start harvesting and sharing user data with its parent company. The decision, made by the Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar, also forces Facebook to delete all data that has previously been shared with Facebook by WhatsApp since August. The privacy watchdog knocked the two companies for ‘misleading’ the public, and deemed the data sharing agreement illegal, as it constitutes an infringement of national data protection law in Germany.” (Source: Motherboard)
  • Mobile Fraud Changes Outlook For Multi-factor Authentication. “The writing is on the wall — and the Dark Web: SMS one-time passcodes are on their way out. As malware aimed at mobile banking and payment apps becomes more prevalent, authentication by SMS has proven to be too vulnerable. Cell networks are under attack, and mobile phones can be compromised in myriad ways: loss, physical theft, account hijacking, and crimeware (such as banking Trojans, adware, spyware, ransomware, etc.). If you want to see how bad it can get, read about Brazil’s ongoing nightmare with banking crimeware. In addition to a rash of banking Trojans, malware aimed at the country’s Boleto system for money orders has netted nearly $4 billion in the last two years.” (Source: Dark Reading)
  • Hospital Security Fears As Pagers Come Under Spotlight. “Healthcare organizations have been urged to immediately re-evaluate their use of pagers after a new report claimed unencrypted messages can be intercepted and spoofed with potentially life-threatening repercussions. Trend Micro claimed in its new Leaking Beeps report that a software-defined radio (SDR) and a $20 USB dongle is all that’s needed to decode pager messages. Doing so would enable remote hackers to spy on sensitive protected health information (PHI) being sent to and from facilities, including names and medical diagnoses.” (Source: InfoSecurity Magazine)
  • Adware Campaign Using Advanced Nation-State Obfuscation Techniques. “Adware makers are becoming more malicious and upping their obfuscation game, according to new research out from Carbon Black’s incident response and research team. In a report out late last week, they say that variants of well-known adware are now using evasion techniques first developed for nation-state attacks, including Operation Aurora. As the lead of the Advanced Consulting Team for Carbon Black, Benjamin Tedesco wrote about his experience running into the behavior early last week during an incident call with a customer.” (Source: Dark Reading)
  • Looking For An iOS Jailbreak? Beware Of Scammy Offers. “Users searching for a way to jailbreak an iDevice should be extremely careful not to fall for fake offers such as that on the website. TaiG is the name of a well-known untethered jailbreak for most devices on iOS 8.0-8.4, and scammers are exploiting the name to trick users into offering them donations […] The scammers have created a website spoofing that of TaiG (at, and claim that the Windows and Mac tools for the iOS 9.2.1 jailbreak will be released soon, but that the users can try a beta tool that can execute a jailbreak through a browser of an iOS device.” (Source: Help Net Security)
  • Aussie Border Police Bust Dark Net Drug Dealer. “The Australia Border Force (ABF) has captured an important suspect in its investigation to bring down the gang responsible for importing and purchasing of drugs via the Dark Net, internet’s underworld. According to ABF’s Acting Commander Immigration and Customs Enforcement, Craig Palmer, the Australian law enforcement authorities are closely watching the importing of drugs from the dark net. Palmer further added that the authorities are ‘well aware’ of the scam and the methods through which controlled drugs are entering Australia.” (Source: Hackread)
  • EU Clamps Down On Sale Of Surveillance Tech To Despotic Regimes. “The European Commission has set out new measures to stop European companies exporting surveillance gear to despotic regimes. The proposal would also partially relax the rules on exporting cryptography tools. The proposal to overhaul the EU’s export controls on dual-use products—powerful technologies such as crypto software or rocket engines that can be used for good or evil—was presented on Wednesday and includes a new human rights dimension.” (Source: Ars Technica)
  • Clear And Present Danger: Combating The Email Threat Landscape. “Like it or loathe it, email is here to stay. Despite the ubiquity of file sharing services like OneDrive and Google Docs, email remains a fast and convenient way for users to review, communicate and collaborate. Almost 25 years since the first email attachment was sent, businesses around the globe remain heavily dependent on using email to send their files. Indeed, according to research firm Radicati, business emails are set to reach 116.4 billion a day before the end of 2016. It’s no wonder then, that email represents a major security threat vector. Because, as long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes. Cyber criminals have consistently proved adept at exploiting the ‘click first, think second’ behaviours of email-users, which have the potential to open the door to malware, or unintentionally expose the business to data loss.” (Source: Help Net Security)
  • How The New Age Of Antivirus Software Will Protect Your PC. “Antivirus software ain’t what it used to be. The sneaky, sophisticated security threats your PC faces now have gone far beyond what traditional software can do. The future of protecting your PC will require a multi-pronged approach involving vigilant updates, bug bounties, and artificial intelligence. Like any software, antivirus is susceptible to bugs. Earlier this summer, Google’s Project Zero discovered serious flaws in enterprise and consumer products from Symantec that allowed malicious actors to take control of a computer. Symantec provided updates for the bugs, but some required manual installation from users, who needed to be in the know.” (Source: PC World)
  • 83% of Companies Have Released Applications They Know Are Unsafe. “Bug bounties have been on the rise and are widely regarded as a smart way to scale the testing of your security code. But a new survey shows that businesses may be over-reliant on them. The survey, from Veracode and Wakefield, found that businesses are dis-incentivized to invest in secure coding internally. A full 59% believe it’s more expensive to fix code flaws found in bug bounty programs than to secure code during development. No wonder that 83% of respondents said that they have released code before testing or resolving security issues for bugs.” (Source: InfoSecurity Magazine)
  • 5 Things You Should Know About Nigerian ‘Digital Check Washing’ Rings. “Nigerian 419 con artists have been around seemingly forever, relentlessly sucking funds out of the bank accounts of one duped individual victim at a time. You’ve probably heard of them. These gambits revolve around tricking the victim into thinking he or she can help transfer a large sum into a U.S. bank, and make a tidy profit on the side. But now some veteran Nigerian criminals have evolved—ripping off small- and medium-sized businesses on a grander scale. This is much more than a simple progression.” (Source: Inc.)
  • This Cybersecurity Firm Maps Hackers’ Lives By The Clues They Leave Online. “The digital underground, populated by hackers, drug dealers, and other criminals, is a vast space. The sheer number of forums, cybercriminal handles, and backroom dealings can be overwhelming to researchers or journalists. Some cybersecurity companies have devised ways to gain a bird’s-eye view on that space. Next month at the Black Hat Europe hacking conference, Christopher Ahlberg, CEO and co-founder of threat intelligence firm Recorded Future, will show how, by scraping vast quantities of posts from forums, it’s possible to reveal trends among different groups of users—such as hackers—and potentially generate leads to identify some of them too.” (Source: Motherboard)
  • CloudFlare Tells Court It Does Not Assist Pirate Sites: Report. “Perhaps the most difficult of all things to understand in the world in terms of law is online piracy. After all, who is to blame? One such case has been filed in the federal court of California and is likely to continue for a longer while than expected. Cloudflare has been alleged to be a facilitator of pirate sites by an entertainment publisher ALS Scan. It says the Content delivery network (CDN) services provided by Cloudflare are being used by pirate websites as well. Thus, it has reasons to believe that Cloudflare should be held guilty as it is not terminating its business with such clients who are running pirate websites.” (Source: Hackread)
  • Time To Kill Security Questions—Or Answer Them With Lies. “The notion of using robust, random passwords has become all but mainstream—by now anyone with an inkling of security sense knows that ‘password1’ and ‘1234567’ aren’t doing them any favors. But even as password security improves, there’s something even more problematic that underlies them: security questions. Last week Yahoo revealed that it had been massively hacked, with at least 500 million of its users’ data compromised by state sponsored intruders. And included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords—supposedly secret information like your favorite place to vacation or the street you grew up on. Yahoo’s data debacle highlights how those innocuous-seeming questions remain a weak link in our online authentication systems. Ask the security community about security questions, and they’ll tell you that they should be abolished—and that until they are, you should never answer them honestly.” (Source: Wired)
  • White House And The National Cyber Security Alliance Join Forces To Launch ‘Lock Down Your Login,’ A Stop. Think. Connect. ™ Campaign. “As called for in the President’s Cybersecurity National Action Plan, the White House, the National Cyber Security Alliance (NCSA) and more than 35 companies and NGOs today launched a new internet safety and security campaign, “Lock Down Your Login,” to empower Americans to better protect their online accounts. The goal is to encourage a move beyond usernames and passwords to a widespread adoption of strong authentication for key online accounts. The majority of Americans (72 percent) believe their accounts are secure with just usernames and passwords. Usernames and passwords simply are not enough; hackers and cybercriminals continue to evolve their attack techniques, and users must improve their security to better protect their accounts.” (Source: Yahoo! Tech)
  • The Psychological Reasons Behind Risky Password Practices. “Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – consumers have yet to adjust their own behavior when it comes to password reuse. A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team