
A week in security (Oct 30 – Nov 05)

Last week, we gave readers an overview of the latest cybersecurity report published by George Washington University, which proposes a way for public and private sector institutions to actively defend themselves against cyber threats.

We also introduced readers to a new malvertising campaign we internally call HookAds (based on a string within the delivery URL), which leverages decoy adult-themed portals in order to spread malware. Senior Security Researcher Jérôme Segura led the effort to uncover the distribution channels and rogue infrastructure behind this campaign.

In a separate post, Segura revealed how tech support scammers abused a flaw in HTML5 to freeze the computers of their intended victims.

Lastly, Malware Intelligence Analyst Christopher Boyd discovered that the promoted tweet feature on Twitter can be used to spread phishing links that aim to snag user credit card information.

Below are notable news stories and security-related happenings:

  • A Big Law ‘Ethical Hacker’ On Preventing Cyberattacks. “Richard Lutkus was a tech enthusiast long before he ever became a lawyer. He wrote computer code as a high schooler and built websites and computers for his professors as an undergrad at Creighton University. Now a partner in Seyfarth Shaw’s San Francisco office, Lutkus still thinks of himself as a technologist first. ‘If you don’t have an innate passion for technology and some sort of raw talent for it, I think it’s much harder to learn technology than the law,’ he says.” (Source: Law.Com)
  • Researchers Spot Cyber-crooks Actively Upgrading Mirai Botnet. “An Arbor ASERT Team researcher spotted threat actors actively updating and customising the Mirai botnet source code that was leaked less than two weeks ago. The firm’s principal engineer Roland Dobbins noted relatively high concentrations of Mirai nodes which were observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain that included updates to remove erroneous Mirai bot backdoor reference, added Dyn post-mortem link, and refined descriptive verbiage, according to a 26 October blog post.” (Source: SC Magazine)
  • 130 Serious Firefox Holes Plugged This Year. “Mozilla has shuttered more than 130 serious vulnerabilities reported by community hackers this year. The browser-backing outfit announced the statistics in a post covering its bug bounty program and broader information security efforts. More than 500 million users ran Firefox at the close of 2015. It’s since become the world’s second-most-used browser.” (Source: The Register)
  • New DMCA Exemptions Give White Hats License To Hack Cars, Medical Devices. “A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions. The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright-protected material under the DMCA.” (Source: Dark Reading)
  • Google Security Engineer Claims Android Is Now as Secure as the iPhone. “It’s a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees—but of course he would. ‘For almost all threat models,’ Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, ‘they are nearly identical in terms of their platform-level capabilities.’” (Source: The Motherboard)
  • The Dark Web Isn’t Quite The Criminal Haven You May Think It Is. “It turns out the dark web isn’t as scary, lewd or dangerous as you may have thought, according to a newly released research report from intelligence firm Terbium Labs. Though illicit drug sales remain, nearly 55 percent of total dark web content is ‘legal’ in nature, the firm found. Terbium Labs defined legal as any activity or discussion that was not explicitly illegal based on U.S. law.” (Source: CyberScoop)
  • Facebook Won’t Let Insurers Probe Your Profile. “If there’s one thing insurance companies love more than careful people, it’s data. But one insurer’s attempt to gain extra insights from Facebook behavior has been stymied by the social network. The Financial Times reported that the U.K.-based insurance company Admiral had intended to launch a new product this week called Firstcarquote. The idea was that customers looking to buy automobile insurance for the first time could opt into a scheme in which their Facebook data would be analyzed to determine whether they were high or low risk. Prices would be discounted—but not inflated—accordingly.” (Source: MIT Technology Review)
  • Black Hat Europe: IoT Devices Can Hack Phones. “The Internet of things (IoT) has already been used to launch the biggest DDoS attacks ever, but now it represents a potential path for attackers to compromise cell phones. Flaws in Belkin WeMo devices – electrical switches, cameras, light bulbs, coffee makers, air purifiers, etc. – enabled Invincea Labs researchers to not only hack into the devices, but to use that access to attack an Android phone running the app that controls the WeMo devices.” (Source: Network World)
  • Google Play Store Hardened: Here’s How To Protect Yourself. “In an ideal world, users will only install software from, usually a single, blessed source, like a repository or app store, containing only trustworthy and quality software. But we don’t live in an ideal world and even with app stores like Google Play or iTunes, some questionable apps still manage to get through the cracks. In an attempt to protect the integrity and image of its Play Store, Google has announced new security measures to weed out fraudulent or downright malicious apps. But users also have a role to play in protecting themselves from such ‘soft’ attacks.” (Source: Slash Gear)
  • As The Clocks Go Back, UK Apple Users Targeted By Smishing Campaign. “The clocks went back one hour at 2am here in the UK, as we vaguely recalled the four-day summer we had experienced earlier in the year and properly settled in for winter. And as most of us slept, the phishing gangs were up to their old tricks – spamming out SMS messages purporting to be warnings from Apple that our Apple IDs were due to expire today, and that we should act quickly.” (Source: Graham Cluley’s Blog)
  • The Battle With “Potentially Unwanted” Programs in the Enterprise. “In the beginning we just had adware. These were genuine software applications usually free to the user, but supported – or monetized – by advertising. Over time, the advertising has become more intrusive; and some adware has evolved into Potentially Unwanted Programs (PUPs) or Applications (PUAs). Advertising is still the most popular, but no longer the only, method of monetizing the software – but in the worst cases the application is designed to disguise the advertising rather than the advertising to support the application.” (Source: Security Week)
  • PC Users Still Failing To Patch Non-Microsoft Apps. “UK PC users are still struggling to patch non-Windows applications, exposing themselves to unnecessary risk, according to Secunia Research. The Flexera Software company’s latest round of country-level reports for Q3 2016 revealed that 12.8% of UK PC users had unpatched non-Microsoft programs in the quarter, up from 12.6% in the previous quarter and 11.3% a year ago. That means a growing attack surface for hackers to exploit, and could be a result of third party apps all requiring various different patching routines and systems, according to director of Secunia Research, Kasper Lindgaard.” (Source: InfoSecurity Magazine)
  • ‘Do Gooder Worm’ Changes Default Passwords In Vulnerable IoT Devices. “The challenge involved in securing millions of vulnerable home Internet of Things (IoT) devices like digital video recorders, routers, and IP cameras against threats like Mirai has prompted one security researcher to suggest a somewhat unusual approach to the problem. Leo Linsky, a software engineer with network monitoring firm PacketSled, has released code on GitHub for a worm he developed that is capable of infiltrating IoT products protected only with default credentials and changing those weak passwords.” (Source: Dark Reading)
  • Google Publicly Discloses Security Flaw In Adobe Flash, Microsoft Windows. “Google’s Threat Analysis Group recently discovered vulnerabilities in Adobe Flash and Microsoft’s Windows which allow malware attacks on the Chrome web browser. The company made the discovery on Oct. 21 and has also disclosed it publicly today, which isn’t sitting well with Microsoft. Adobe has already issued a patch to fix the vulnerability this past Friday. However, Microsoft hasn’t released a patch yet which prompted Google to announce it to the public in order to warn its users.” (Source: International Business Times)
  • Dark Web Departure: Fake Train Tickets Go On Sale Alongside AK-47s. “Machine guns, class-A drugs, stolen credit cards and … a return ticket to Hastings. The shopping list of the ‘dark web’ consumer, more used to a wild west better known for the highly illegal and illicit, appears to have taken a more ordinary diversion. At least that’s the impression left by an investigation into the sale of forged train tickets on hidden parts of the internet. BBC South East bought several sophisticated fakes, including a first-class Hastings fare, for as little as a third of their face value. The tickets cannot fool machines but barrier staff accepted them on 12 occasions.” (Source: The Guardian)
  • Twitter Election Bots Hide Tons of Reply Spam Behind Boring Themed Accounts. “A much-discussed research paper out of Oxford this month concluded that millions of tweets about the presidential election are generated by highly automated Twitter accounts. According to the authors’ analysis, about a third of pro-Trump traffic, and one-fifth of pro-Clinton tweets, is ‘driven by bots and highly automated accounts.’ The Oxford study pegged Twitter accounts as highly automated if they posted at least 50 times a day using any one of a group of election hashtags—such as #MAGA, #TrumpTrain, #ImWithHer, and #StrongerTogether—over a three-day period.” (Source: The Motherboard)
  • Hacker Sentenced To 29 Months In Devious Photobucket Image Plot. “A 41-year-old Colorado hacker was sentenced Tuesday to 29 months in prison for selling code enabling blackmailers and others to scan Photobucket’s 10 billion images. Some of those images are of nude Photobucket customers who thought their content was stored privately. Photobucket is an image and video hosting service with as many as 100 million users who keep their content in either public or private accounts. The company is headquartered in Denver.” (Source: Ars Technica)
  • When Smartphone Upgrades Go Wrong. “As the holiday shopping season kicks into full gear around the world, industry analysts predict low prices, discounts and promotions will entice shoppers to buy the latest tech gadgets and electronics, including smartphones and tablets. 68 percent of mobile users plan to purchase a new smartphone during the holiday shopping season. But this proclivity to buy new smartphones and insecure mobile data practices will come with a steep data privacy price – both for smartphone owners and their employers, according to Blancco Technology Group.” (Source: Help Net Security)
  • Computer Virus Cripples UK Hospital System. “Citing a computer virus outbreak, a hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities. The incident came as U.K. leaders detailed a national cyber security strategy that promises billions in cybersecurity spending, new special police units to pursue organized online gangs, and the possibility of retaliation for major attacks. In a ‘major incident’ alert posted to its Web site, the National Health Service’s Lincolnshire and Goole trust said it made the decision to cancel surgeries and divert trauma patients after a virus infected its electronic systems on Sunday, October 30.” (Source: Krebs on Security)
  • Bitdefender Found Critical Vulnerabilities In IoT Cameras. “Bitdefender announced that it discovered critical vulnerabilities in an unidentified manufacturer’s Internet of Things (IoT) cameras that could threaten the privacy of their owners and enable distributed denial of service (DDoS) attacks.” (Source: Tom’s Hardware)
  • Indian Government Can Now Unlock Any Smartphone For Investigation: Cellebrite. “Soon the law enforcement agencies in India including the Indian Government would be able to unlock any smartphone prior to investigation. This would be made possible by a technology that the Forensic Science Laboratory (FSL) present in Gandhinagar has finally dealt to buy from an Israeli security company named Cellebrite. Cellebrite is the firm behind backing FBI in unlocking the iPhone in the recent Apple vs. FBI controversy over some privacy issues in the recent San Bernardino attack. Cellebrite is a 17-year-old firm and it has till now worked with a lot of law enforcement and intelligence agencies in a way to help them with unlocking some highly secured smartphones.” (Source: InTabloid)
  • Protection Of White-hat Hackers Slow In Coming. “In the cybersecurity world, the law doesn’t always treat the good guys like good guys. As Harley Geiger put it in a talk titled, ‘Fighting for Legal Protection for Security Researchers’ at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, ‘doesn’t seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm.’ Yet laws at both the federal and state level, ‘tend to undermine that,’ he said.” (Source: CSO)
  • Hacker Finds Flaw In Gmail Allowing Anyone To Hack Any Email Account. “It is a well-known fact that Google loves to give novice programmers, white hat hackers and security researchers an opportunity to prove their skills and capabilities by participating in Google’s Vulnerability Reward program. Google invites researchers from all across the globe to find out flaws in its newest or existing applications, extensions, software and operating system that are available at Google Play, Chrome Web Store and/or iTunes. In return, the successful candidate is awarded prizes. The core objective of these programs is to make Google’s apps and systems more protected and secure.” (Source: HackRead)
  • The Evil Office Printer Hijacks Your Cellphone Connection. “Julian Oliver has for years harbored a strange obsession with spotting poorly disguised cellphone towers, those massive roadside antennae draped in fake palm fronds to impersonate a tree, or even hidden as spoofed lamp posts and flag poles. The incognito base stations gave him another, more mischievous idea. What about a far better-disguised cell tower that could sit anonymously in office, invisibly hijacking cellphone conversations and texts? Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages.” (Source: Wired)

Safe surfing, everyone!

The Malwarebytes Labs Team