
A week in security (Nov 20 – Nov 26)

Last week, we took a look at a ransomware called PrincessLocker, for which researcher Hasherezade created a decryptor. At the same time, another team member created a decryptor for TeleCrypt.

We also gave a brief overview of how to configure the Windows firewall and of what malvertising on Mac devices can look like.

Below are notable news stories and security-related happenings:

  • Ransomware Success Creates Apathy Towards Traditional Antivirus Software. “In response to ransomware attacks, 67 percent of businesses globally have increased IT security spending, and 52 percent reported that they are changing their security strategies to focus on mitigation. Fifty-four percent also agreed that their organizations have lost faith in traditional cybersecurity, such as antivirus.” (Source: Help Net Security)
  • Facebook Working With Fact-checkers To Weed Out Fake News. “Returning to the controversy over fake news on the social networking site, Facebook CEO Mark Zuckerberg said over the weekend that the company was working with fact-checking organizations to put in place third-party verification of the authenticity of news on its site. Facebook has been criticized for fake news on its site, which is claimed to have tilted the recent U.S. presidential elections in favor of Republican candidate Donald Trump.” (Source: CSO)
  • Malicious Images On Facebook Lead To Locky Ransomware. “Researchers have discovered an attack that uses Facebook Messenger to spread Locky, a family of malware that has quickly become a favorite among criminals. The ransomware is delivered via a downloader, which is able to bypass whitelisting on Facebook by pretending to be an image file. The attack was discovered on Sunday by malware researcher Bart Blaze, and confirmed later in the day by Peter Kruse, another researcher that specializes in internet-based crime and malware.” (Source: CSO)
  • Office Depot Accused Of Running A Real-World Tech Support Scam. “Office Depot employees have been selling unnecessary tech repair services after telling customers that their laptops and computers were infected with malware, reporters from Seattle TV station KIRO 7 said this week after being tipped off by a former employee. The whistleblower told KIRO 7 reporters that Office Depot employees were forced by internal procedures to run a PC diagnostics scan known as PC Health Check.” (Source: Bleeping Computer)
  • German Android Users Bombarded With Banking Malware Masquerading As Legitimate Apps. “Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.” (Source: Help Net Security)
  • Fraud Risk For Almost A Third Of Online Shoppers Looking For Christmas Bargains. “Financial Fraud Action UK (FFA UK) is urging consumers to be vigilant against fraudsters’ tactics and pause before clicking the “buy” button, ahead of shopping bonanzas Black Friday and Cyber Monday when retailers offer an array of limited time offers and discounts. It found 31 per cent of people who buy goods on the internet are more likely to take a financial risk, such as shopping on an unfamiliar or unsecure website, if they see an offer which appears to be a bargain.” (Source: Express)
  • Ask Toolbar Update Feature Hacked to Drop Malware. “The infamous Ask Toolbar is back in the news again. In the past, it received backlash from security firms for pushing third-party offers to users and making them download software without their consent or knowledge. It is a well-known fact that Ask toolbar has been categorized by security software vendors like Microsoft as a Potentially Unwanted Program. But, the latest report from an IT security firm Red Canary has revealed that attackers attempted to convert Ask Toolbar’s latest update into malware.” (Source: HackRead)
  • Backdoor Found in Firmware of Some Android Devices. “Nearly three million Android devices are vulnerable to an attack that could allow a hacker to compromise over-the-air (OTA) updates to the devices and allow adversaries to remotely execute commands with root privileges. The problem stems from what researchers call an insecure implementation of an OTA mechanism used for updates associated with software made by Ragentek Group, a Chinese firm based in Pudong, Shanghai.” (Source: Kaspersky’s Threatpost)
  • Great. Now Even Your Headphones Can Spy on You. “Cautious computer users put a piece of tape over their webcam. Truly paranoid ones worry about their devices’ microphones—some even crack open their computers and phones to disable or remove those audio components so they can’t be hijacked by hackers. Now one group of Israeli researchers has taken that game of spy-versus-spy paranoia a step further, with malware that converts your headphones into makeshift microphones that can slyly record your conversations.” (Source: Wired)
  • How Social Security Numbers Became Skeleton Keys For Fraudsters. “Social Security numbers may be the worst kept secrets in America. But the originators of the individualized codes first distributed in 1936 by the Social Security Administration never intended them to become de facto identifiers relied on by hospitals, insurers, banks, cable companies, and even retailers.” (Source: The Christian Science Monitor)
  • Conficker Still On Top As Malware Jumps 5% In October. “Malware continued its inexorable rise in October with the number of attacks increasing 5% over the previous month, although UK and US users appeared to be insulated from the worst, according to new stats from Check Point. The vendor’s Global Threat Index also revealed a 5% increase in active malware families, highlighting the constantly evolving threat landscape.” (Source: InfoSecurity Magazine)
  • Twitter Is Fighting An Uphill Battle to Censor Sexualised Images Of Children. “Twitter has grappled with offensive or illegal content on its network. Whether it’s Islamic State supporters sharing graphic propaganda, or far-right racists harassing high profile users, the site has been often criticised for not doing enough to police its network. Last week, Twitter introduced new features designed to give users more protections from persistent abuse. But another, much overlooked aspect of Twitter is how it is being used to share sexualised images of children. On Monday, one Twitter user shared what they claimed to be the usernames of a slew of those who post child pornography on the network.” (Source: Motherboard)
  • Elegant 0-day Unicorn Underscores ‘Serious Concerns’ About Linux Security. “Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says. One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance.” (Source: Ars Technica)
  • People Are Already Hacking Their Snapchat Spectacles. “Just weeks after they were introduced to the world, people have started investigating ways to hack their new Snapchat Spectacles. The new smart sunglasses offer a whole new experience in snapping, allowing filming from the point of view of the user. But going incognito requires some tweaking of the gadget — and techies and bloggers are already showing everyone how to do it.” (Source: Mashable)
  • Blacklist From RiskIQ Reveals Hundreds Of Potentially Malicious Black Friday Apps. “RiskIQ, the leader in digital risk management, today released the Black Friday eCommerce Blacklist, a cyber research study analyzing the results of keyword queries of their Global Blacklist and mobile app database for five of the leading eCommerce brands. The results revealed the methods cyberthreat actors could employ this Black Friday shopping season, as well as where they’re targeting malicious efforts.” (Source: Business Wire)
  • eSafety Commissioner To Organise Uniform Penalties For Revenge Porn. “Australian Prime Minister Malcolm Turnbull has announced the appointment of online safety expert Julie Inman Grant as Australia’s new eSafety commissioner. Inman Grant, who has worked at the intersection of the digital world, public safety, and public policy, will help bring the states and territories together to deliver consistent penalties for the distribution of non-consensual intimate images and videos — commonly referred to as ‘revenge porn’.” (Source: ZDNet)
  • Google Sends State-sponsored Hack Warnings To Numerous Journalists And Professors. “Numerous journalists and professors are taking to social media to report that they have received an alarming message regarding state-sponsored hacking when accessing their Gmail or other sites that use their Google account. Journalists who received the warning include Nobel Prize-winning economist and New York Times columnist Paul Krugman, New York magazine’s Jonathan Chait, Politico’s Julia Ioffe, GQ’s special correspondent Keith Olbermann, Vox’s Ezra Klein, Yahoo News’ Garance Franke-Ruta, and one of President Barack Obama’s former speechwriters, Jon Lovett.” (Source: The International Business Times)
  • Madison Square Garden Discloses Data Breach. “The Madison Square Garden Company, which operates the popular self-named arena in New York City among other properties, has disclosed a data breach affecting its customers. Thieves stole credit and debit card information from customers of its concession stands over a year-long period, the company revealed on Tuesday. The cause of the breach has since been resolved, the company said.” (Source: Fortune)
  • Smartphone App Flaw Leaves Tesla Vehicles Vulnerable To Theft. “Tesla cars can be tracked, located, unlocked and driven away by compromising the company’s smartphone app. Researchers at Norwegian app security firm Promon demonstrated how easy it appears to be to steal a Tesla. Benjamin Adolphi, mobile software developer at Promon, said he used ‘simple, known vulnerabilities’ that have been around for a long time. He created a fake free Wi-Fi hotspot that featured an ad targeted at Tesla owners, offering them a free burger at a local restaurant.” (Source: InfoSecurity Magazine)
  • Thai Computer Crime Law Raises Rights Concerns. “Amendments to Thailand’s controversial Computer Crime Act were debated in parliament this week, with rights groups expressing concerns that the law will bolster government efforts to restrict online freedoms and spy on users. The 2007 legislation was originally created to stop spam, identity fraud, hacking and other computer-related offenses.” (Source: InfoSecurity Magazine)
  • Asian And African Banks Are Attacked Using A Zero-day Vulnerability. “Kaspersky Lab has discovered attacks which appear to be using a zero-day exploit (a malicious programme allowing additional malware to be silently installed) for the InPage text editor. InPage is a software package used by Urdu- and Arabic-speaking people and organisations around the world. The exploit was used in attacks against banks in several Asian and African countries. InPage is widely used by media and print shops, as well as governmental and financial institutions, such as banks, that work with texts written in Perso-Arabic scripts. According to the InPage website, in addition to India and Pakistan, where the software is widely used, there are thousands of users in other countries such as the UK, the US, Canada, a number of countries in the European Union, South Africa, Bangladesh, Japan and other territories. The total number of InPage users is almost 2 million worldwide.” (Source: IT News Africa)
  • Personal Data For More Than 134,000 Sailors Was Breached, Navy Says. “The personal data of more than 130,000 sailors in a re-enlistment approval database was stolen from a contractor’s laptop, the Navy disclosed Wednesday. The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was ‘compromised,’ and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release.” (Source: Navy Times)
  • Uber Portal Leaked Names, Phone Numbers, Email Addresses, Unique Identifiers. “A series of vulnerabilities in UberCENTRAL, a portal Uber started during the summer to help businesses facilitate rides for customers, could have leaked the names, phone numbers, email addresses, and unique ID of all Uber users. Kevin Roh, a student who actively hunts for bugs in his spare time, discovered the vulnerabilities when he, in September and October, used two techniques to enumerate Uber userUUIDs, or universally unique identifiers. A third issue he discovered revealed the name, phone number and userUUID associated with email addresses used to register for Uber.” (Source: Kaspersky’s Threatpost)
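The Locky item above turns on a downloader that “bypass[es] whitelisting … by pretending to be an image file”. The story does not say what the file really was or how the whitelist worked, so the snippet below is an added illustration of the general weakness, written for this roundup rather than taken from the post, from Facebook, or from the researchers it cites: an allowlist that trusts only the filename extension lets through anything with an image-like name, while a check that also compares the extension against the file’s leading bytes (the magic number) rejects the mismatch. The sample files and their contents are constructed here for the demonstration; the PNG, JPEG and GIF signatures are the real ones.

```python
"""
Added example (not from the original post): extension-only allowlisting
versus content-based image validation. Sample files are constructed.
"""
from __future__ import annotations

import os

# Real file signatures ("magic numbers") for three common raster formats.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions the allowlist accepts, mapped onto the canonical type above.
EXT_TO_TYPE = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


def sniff_image_type(data: bytes) -> str | None:
    """Return 'png', 'jpg' or 'gif' from the leading bytes, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def declared_type(filename: str) -> str | None:
    """Type the filename claims via its extension (case-insensitive), else None."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return EXT_TO_TYPE.get(ext)


def extension_only_check(filename: str) -> bool:
    """Weak allowlist: accepts any file whose extension looks like an image."""
    return declared_type(filename) is not None


def content_check(filename: str, data: bytes) -> bool:
    """Stronger allowlist: extension must be allowed AND match the magic bytes."""
    claimed = declared_type(filename)
    return claimed is not None and sniff_image_type(data) == claimed


# Constructed samples (hypothetical names and contents, not real campaign files).
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine PNG header
    "photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # genuine JPEG header, odd case
    "cute.gif": b"MZ\x90\x00" + b"\x00" * 16,              # PE executable bytes, image name
    "report.png": b"PK\x03\x04" + b"\x00" * 16,            # ZIP archive bytes, image name
    "mislabeled.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # real PNG, wrong extension
    "script.js": b"alert(1)",                               # not an image name at all
}


def triage(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """For each sample, report (extension_only_accepts, content_check_accepts)."""
    return {
        name: (extension_only_check(name), content_check(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in triage(SAMPLES).items():
        print(f"{name:16} extension-only={weak!s:5} content-check={strong}")
```

Running the block shows the point in one table: cute.gif and report.png pass the extension-only check and fail the content check, while the genuine images pass both. A mismatch in the other direction (a real PNG named .jpg) is also rejected, which is the conservative choice for an upload gate; production code would go on to decode the image with a real parser rather than stop at the header.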

Safe surfing, everyone!

The Malwarebytes Labs Team