A week in security (Dec 04 – Dec 10)

Last week we launched Malwarebytes 3.0, our next-generation antivirus replacement.

We also touched on domain generation algorithms (DGAs), went up close and personal with a rootkit, and featured a fake “smart drug” news story.

Lead Malware Intelligence Analyst Jérôme Segura reported on another malvertising campaign, this one attributed to the group known as AdGholas.

Below are notable news stories and security-related happenings:

  • Disttrack Wiper Malware Hits Saudi Arabia’s Aviation Agency. “Shamoon attackers with their Disttrack wiper malware have hit Saudi Arabian entities again. The Saudi government confirmed the latest breaches on Thursday, and for now the identity of only one target has been revealed: the country’s General Authority of Civil Aviation (GACA), which is the national institution in charge of aviation and related matters, as well as the operator of four international and 23 domestic airports within the country.” (Source: Help Net Security)
  • Exploit Company Exodus Sold Firefox Zero-Day Earlier This Year. “This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday. One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.” (Source: Vice’s Motherboard)
  • Ransomware As A Service Fuels Explosive Growth. “Believe it – you too can become a successful cyber criminal! It’s easy! It’s cheap! It’s short hours for big bucks! No need to spend years on boring things like learning how to write code or develop software. Just download our simple ransomware toolkit and we can have you up and running in hours – stealing hundreds or thousands of dollars from people in other countries, all from the comfort of your home office – or your parents’ basement. Sit back and watch the Bitcoin roll in!” (Source: CSO)
  • Researchers Warn Of Visa Payment Fraud Gaps. “Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute force credit card details in as little as six seconds. A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against Alexa top-400 online merchants’ payment sites to work out expiry dates and CV2 values.” (Source: InfoSecurity Magazine)
  • The Flowering Of Voice Control Leads To A Crop Of Security Holes. “‘Tis the season of cybersecurity threat predictions for 2017. Vendors’ glossy reports shower onto the desks of customers and journalists like gentle Christmas snow. But so many of these reports, like so many snowfalls, are nothing but slush. All year we’ve been hearing about the spreading plague of ransomware, and how the Internet of Things (IoT) will be a security nightmare. Remember the botnet made of video cameras? Vendors have been waving around phrases like ‘artificial intelligence’ and ‘machine learning’ and ‘threat intelligence sharing’ like magic wands.” (Source: ZDNet)
  • Facebook, Microsoft, Twitter And YouTube Team To ID Terror Content. “Facebook, Microsoft, Twitter and YouTube have teamed up to share their expertise spotting terrorism-related content, in order to crimp its spread. The four put their name to a joint statement in which they declare ‘There is no place for content that promotes terrorism on our hosted consumer services.'” (Source: The Register)
  • Reality Check: Getting Serious About IoT Security. “In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS “Strategic Principles for Securing the Internet of Things” acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.” (Source: Dark Reading)
  • Verizon: Unknown Assets A Hacker’s Playground. “Merger and acquisition activity may be financially rewarding but it can actually create and contribute to enterprise security risks, Verizon Enterprise Solutions’ Christopher Novak warned today. The Risk Team director said many data breaches, including some that last for months, have targeted assets that are networked but not covered by company security solutions, often because the corporation is unaware of their existence.” (Source: Light Reading)
  • What Role Does Privacy Play In Your Digital Transformation Strategy? “If you are a senior leader in an organisation, I am sure you have been asked the question – ‘What is your digital strategy?’ You may also be getting tired of people telling you that new market entrants (especially millennials) are disrupting traditional business models and are forcing you to redefine the end to end customer experience. And here is another good one -‘Have you hired a digital transformation executive yet?’ While I make light of all the digital hype, this transformation is not a joke – it is a survival necessity.” (Source: IT Security Guru)
  • Call For Privacy Probes Over Cayla Doll And i-Que Toys. “The makers of the i-Que and Cayla smart toys have been accused of subjecting children to ‘ongoing surveillance’ and posing an ‘imminent and immediate threat’ to their safety and security. The accusations come via a formal complaint in the US by consumer groups. They, along with several EU bodies, are calling for investigations into the manufacturers.” (Source: The BBC)
  • Hackers Launch Stealth Malvertising Campaign Exposing Millions Online To Spyware And More. “Millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign. The cybercriminals behind the campaign are distributing malicious ads, which redirect users to the Stegano exploit kit. Security researchers uncovered that the Stegano malvertising campaign exploited several Flash vulnerabilities. The malicious ads came embedded with attack codes within individual image pixels. Stegano has been active since 2014; however, researchers noted a fresh campaign launched in October, which operates in an exceedingly stealthy manner to infect victims.” (Source: The International Business Times)
  • Hackers Get Easy Route To Patient Data. “Patients are being put at risk because most NHS trusts are using an obsolete IT operating system that no longer receives security updates, researchers have warned. The trusts’ use of the old Windows XP system could enable hackers to steal patient data or take control of hospital infrastructure. Criminals have already used cyberattacks to hold hospitals to ransom and an NHS trust in Lincolnshire and East Yorkshire said this week that an attack in October led to the cancellation of more than 2,800 patient appointments, including operations.” (Source: The Times)
  • TAG Awards First Group Of ‘Certified Against Fraud’ Seals To Companies Meeting Strict Anti-Fraud Standards. “The Trustworthy Accountability Group (TAG), an advertising industry initiative to fight criminal activity in the digital advertising supply chain, today announced the initial group of companies to complete the review process and be awarded the TAG ‘Certified Against Fraud’ Seal, showing they have met TAG’s rigorous anti-fraud standards. The initial recipients of the TAG ‘Certified Against Fraud’ Seal include Amobee; comScore; DoubleVerify; Dstillery; Google; WPP’s GroupM; Horizon Media; Integral Ad Science; Interpublic Group; Moat; Omnicom Media Group; OpenX Technologies, Inc.; ProData Media; Rocket Fuel Inc.; Sovrn; and White Ops, Inc.” (Source: Street Insider)
  • The Security Gift Guide. “Even more than most IT professionals, security professionals are asked for advice on a regular basis. We are supposed to know not just about computers in general, but how people can protect themselves both online and in the real world. Whether it is getting a printer working, or if it is safe to shop online, we are expected to have the answers. At the same time, shopping for gifts can be problematic. You’re never sure what people have. Some people provide gift lists, which are great. But in the absence of a specific request, you might as well give people something useful that might make things easier for you. This guide can be useful even if you are not a security professional. Also remember that security is not just about stopping hackers, but about providing confidentiality, integrity, and availability in all forms.” (Source: CSO)
  • Corporate Data Left Unprotected In The Wild. “A new survey conducted by YouGov has highlighted the risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. The survey of British office workers found that 42% use devices not provided by their employer to work with corporate e-mails and files. Half (52%) also use personal online accounts, such as Enterprise File Sharing Services (EFSS) to store or access work files – with only 34% saying they have never done so.” (Source: Help Net Security)
  • Small Businesses Underestimate The Cyber Threats Of Irresponsible Employee Actions. “Small companies (up to 50 employees) are significantly less concerned about employee activities leading to cybersecurity breaches than larger corporations. Only 36 per cent of small businesses worry about their staff’s carelessness while more than half of medium-sized and large enterprises consider it a major concern, says IT Security Risks Report 2016 by Kaspersky Lab. Uninformed or careless staff, whose inappropriate use of IT resources can put an organization’s cyberprotection in jeopardy, can harm businesses of any size. According to the survey, employee actions are among the top three security challenges that make companies worldwide feel vulnerable. More than half (61 per cent) of the businesses experiencing cybersecurity incidents in 2016 admitted that careless and uninformed employee behavior has been a contributor.” (Source: Deccan Chronicle)
  • App Developers Not Ready For iOS Transport Security Requirements. “A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don’t seem ready to embrace them, a new study shows. The study was performed by security firm Appthority on the most common 200 apps installed on iOS devices in enterprise environments. The researchers looked at how well these apps conform to Apple’s App Transport Security (ATS) requirements.” (Source: CSO)
  • Dailymotion Urges Users To Reset Passwords In Wake Of Possible Breach. “Breach notification service LeakedSource has added information about over 87 million Dailymotion users to its search index. The information includes 87+ million email addresses, user IDs, and over 18 million associated passwords. It was apparently stolen in a breach that happened around October 20, 2016. The passwords have been put through the bcrypt hashing algorithm, so they can’t be easily cracked. LeakedSource said they won’t attempt to crack them, but told Bleeping Computer that ‘a determined hacker who wants to crack one person’s hash may still be able to.'” (Source: Help Net Security)
  • Standards Body Warned SMS 2FA Is Insecure And Nobody Listened. “The US National Institute of Standards and Technology’s (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable.” (Source: The Register)
  • Hackers Gamify DDoS Attacks With Collaborative Platform. “A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to ‘gamify’ DDoS attacks in order to attract a critical mass of hackers working toward a unified goal. The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.” (Source: Kaspersky’s Threatpost)
  • Researchers Find Fresh Fodder For IoT Attack Cannons. “New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.” (Source: KrebsOnSecurity)
  • Flash Exploit Found In Seven Exploit Kits. “A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was singled out by Microsoft for using separate Flash and Windows zero days in targeted attacks this year.” (Source: Kaspersky’s Threatpost)
  • Cybersecurity Gamification: A Shortcut To Learning. “Cybersecurity awareness trainings are usually a boring affair, so imagine my colleagues’ surprise when I exited the room in which I participated in a demonstration of the Kaspersky Interactive Protection Simulation (KIPS) game and told them: ‘You have to try this!’ This enthusiasm is apparently shared by the overwhelming majority of people who undergo one or more of the trainings that are part of Kaspersky Lab’s set of cybersecurity awareness products, game host Slava Borilin told me later.” (Source: Help Net Security)
  • What The Rise Of Social Media Hacking Means For Your Business. “A product marketing manager at your company just posted a photo on LinkedIn. The problem? In the background of the image, there’s a Post-It note that contains his network passwords. You can barely see it, but using artificial intelligence algorithms, hackers can scan for the publicly available image, determine there are network passwords, and use them for data theft. According to data security expert David Maynor, this is not rocket science. In fact, the AI program is easier to use than a search engine.” (Source: CSO)
  • Corporations Cite Reputational Damage As Biggest Cyber Risk. “Public businesses fear the possibility of losing customers’ or employees’ personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks, a new study published by the International Association of Privacy Professionals (IAPP) found. The IAPP Westin Research Center studied US Securities and Exchange Commission (SEC) Form 10-K disclosure statements from more than 100 publicly traded companies. The forms are where businesses share risk factors that could prove concerning to investors.” (Source: Dark Reading)
  • Law School Victim Of A Cyber Attack, Applicant Data Compromised. “The stress of applying to law school can be intense. The LSAT, the essay, the hassle of it all. Now there’s an additional stress factor — well, if you applied to the University of Wisconsin Law School in 2005-06. Last week Wisconsin Law experienced a cyber attack in which the personal information — including Social Security numbers — of 1,213 applicants from the 05-06 season was compromised. That’s a real… unexpected downside to applying to law school.” (Source: Above the Law)
  • Global Businesses In Firing Line As Hackers Target Christmas Gadgets. “F5 Networks (NASDAQ: FFIV) and Loryka today revealed the findings of a report examining the use of connected devices as cyber weapons by hackers. The report, entitled ‘DDoS’s Newest Minions: IoT Devices,’ was created by F5 Labs using data from F5 partner Loryka and shows that hackers are increasingly searching for products with network connectivity to manipulate for their own means. With one in three Brits set to give gifts leveraging the Internet of Things for Christmas this year, the influx of smart products will also provide a welcome present for hackers.” (Source: IT Security Guru)
  • Phishing Malware August Lures Customer Service Staff. “A new malware-laden phishing campaign, dubbed August, has been detected targeting customer service and managerial staff at retailers, according to a new report from Proofpoint. The clever ploy spreads through an email arriving in the inboxes of targeted individuals with subject lines referring to supposed purchases via the company’s website. Recipients are specifically selected who are appropriate reps to deal with customer issues. The message further dupes recipients by saying more detailed information is contained in the attached document.” (Source: SC Magazine)
  • New Call To Regulate IoT Security By Design. “A Washington, D.C. think tank whose mission is critical infrastructure security has joined the call for lawmakers to consider regulating the security of connected devices. In a report published this week, the Institute for Critical Infrastructure Technology pinned the blame for a rash of Mirai malware-inspired IoT botnet DDoS attacks on manufacturer negligence. The report points out the lack of security by design in devices such as DVRs and IP-enabled closed circuit TV cameras that are protected by weak or known default credentials as the root cause for the emergence of these attacks. Further, they caution that the availability of the Mirai source code has brought these large-scale attacks within reach of script kiddies, criminals and nation-states alike.” (Source: Kaspersky’s Threatpost)
  • Russia Proposes 10-Year Prison Sentence For Hackers And Malware Authors. “The Russian government has introduced a draft bill that proposes prison sentences as punishment for hackers and cyber criminals creating malicious software used in targeting critical Russian infrastructure, even if they have no part in actual cyber attacks. The bill, published on the Russian government’s website on Wednesday, proposes amendments to the Russian Criminal Code and Criminal Procedure Code with a new article titled, ‘Illegal influence upon the critical informational infrastructure of the Russian Federation.'” (Source: The Hacker News)
  • Your Public Facebook Posts Might Still Be ‘Private’ In UK Cops’ Eyes. “Cops are all over social media, using monitoring tools to keep tabs on sporting events, protests, and more. These tools often aren’t just about gathering public posts or tweets; sometimes, they’re used to scrape metadata in aggregate and map out somebody’s movements over time too. But according to the UK’s National Police Chiefs’ Council (NPCC), which coordinates police forces across the country, you might have a reasonable expectation of privacy over your social media posts, even if they are public.” (Source: Vice’s Motherboard)
  • Fingerprint Passwords Not Theft-proof. “It sounds like a great idea: Forget passwords, and instead lock your phone or computer with your fingerprint. It’s a convenient form of security — though it’s also perhaps not as safe as you’d think. In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys. Smartphones and other devices increasingly feature scanners that can verify your identity via these “biometric” signatures in order to unlock a gadget, sign into web accounts and authorize electronic payments.” (Source: Longview News Journal)
  • Threats Of Tomorrow: Using AI To Predict Malicious Infrastructure Activity. “The ever-increasing scale and complexity of cyber threats is bringing us to a point where human threat analysts are approaching the limit of what they can handle. We believe the next generation of cyber threats must be tackled by a combination of machines equipped with artificial intelligence (AI) and human analysts — what we call centaur threat analysts. One example of this is presented here: a new approach to forecasting malicious IP infrastructure by using machine learning.” (Source: Recorded Future)
  • Tighe: Insider Threat Is Never Going Away. “The insider threat is never going to go away. This statement, echoed by many in government and directly by Vice Adm. Jan Tighe, deputy chief of naval operations for information warfare and director of naval intelligence, is a recognition that the insider threat problem is virtually impossible to defend against.” (Source: C4IRSNet)
  • Researchers Question Security In AMD’s Upcoming Zen Chips. “As more computing heads to the clouds, security researchers are questioning the security of virtual machine control panels called hypervisors. One of the first hardware-based solutions to address these concerns will be deployed by chip manufacturer AMD, called Secure Encrypted Virtualization. The feature is part of its upcoming x86 AMD Zen server family of microprocessors, slated to be released in the second quarter of 2017.” (Source: Kaspersky’s Threatpost)
  • Phishing From The Middle: Social Engineering Refined. “Phishing attacks have long been associated with malicious emails that spoof well-known institutions in order to trick users into coughing up credentials to bank accounts, email accounts, or accounts for major online services. Phishes that exploit the good name of trusted brands familiar to users have also been known to deliver ransomware, backdoors, and other malicious software designed to compromise the companies and organizations those users work for. Spoofing well known institutions and brand names is old hat, though, and users have become increasingly wary of emails claiming to hail from familiar companies and organizations. In response, the bad guys have been refining their use of social engineering, the key to any successful phishing campaign.” (Source: Spiceworks)
  • ‘We Could Not Deliver Your Parcel’ Email Could Be Scam. “As Christmas approaches, experts suggest an extra dollop of caution before clicking on email package delivery notices. Fake notifications are proliferating, bringing not holiday cheer — but holiday ransomware. The holiday phishing season began just before Thanksgiving and will likely extend until after Christmas, said Caleb Barlow, vice president for IBM Security.” (Source: USA Today)
  • Software Salesman Pleads Guilty To PoS Scam. “A Washington state man has pleaded guilty to wire fraud for selling revenue-suppression software (RSS) to hospitality and retail businesses for tax evasion purposes in a scam that cost the US government more than $3.4 million. The US Department of Justice (DoJ) says John Yin sold a software program called Tax Zapper that allowed users to portray inaccurate sales figures, thus lowering their tax obligations.” (Source: Dark Reading)
  • Child Porn On Government Devices: A Hidden Security Threat. “Daniel Payne, director of the Pentagon’s Defense Security Service, admitted this spring to encountering “unbelievable” amounts of child pornography on government computers. The comment came during an event in Virginia where military and intelligence officials gathered to address threats posed by federal workers. Mr. Payne, who spent much of his career in senior CIA and intelligence community roles before taking the Pentagon post, wanted to stress the value of monitoring employees’ systems to ensure they remained fit to handle top-secret information.” (Source: The Christian Science Monitor’s Passcode)
  • 15 Under 15: Rising Stars In Cybersecurity. “Kids born after the year 2000 have never lived a day without the internet. Everything in their lives is captured in silicon chips and chronicled on Facebook. Algorithms track how quickly they complete their homework; their text message confessions and #selfies are whisked to the cloud. Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it’s constructed on faulty code: From major companies such as Yahoo to the US government, breaches of highly sensitive or personal files have become commonplace. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may set off the next war.” (Source: The Christian Science Monitor’s Passcode)
  • Malaysia To Establish Cybersecurity Academy. “The Malaysian Digital Economic Corporation (MDEC) and Protection Group International (PGI) have signed an agreement to work together to develop a cybersecurity academy in Malaysia. It will be known as the UK-APAC Centre of Security Excellence and will see PGI and MDEC collaborate, generate and formulate awareness and strategies to regularly promote bilateral cybersecurity research and investment opportunities. PGI will provide strategic advice on the design of the academy’s cybersecurity courses, infrastructure and resources.” (Source: InfoSecurity Magazine)
  • Facebook Begins Asking Users To Rate Articles’ Use Of ‘Misleading Language’. “A survey asking users about “misleading language” in posts is the latest indication that Facebook is facing up to what many see as its responsibility to get a handle on the fake news situation. At least part of its solution, it seems, is to ask users what they think is fake. The “Facebook Survey,” noticed by Chris Krewson of Philadelphia’s Billy Penn, accompanied (for him) a Philadelphia Inquirer article about the firing of a well-known nut vendor for publicly espousing white nationalist views. (It’s a small town, everyone knows everyone.)” (Source: TechCrunch)
  • Nintendo Teams Up With HackerOne To Secure 3DS Via Bounty Program. “Security vulnerabilities are a nightmare for a console company. Piracy and inappropriate content are particularly troublesome to Nintendo, so it’s teamed up with the web site HackerOne to find information on possible exploits of the 3DS platform. This is being done by offering a bounty for any security issues found in that hardware family specifically, with rewards starting at $100 and going all the way up to $20,000 for any major issues that are discovered. The rewards are currently focused on discovering problems in the 3DS hardware or Nintendo-published titles, so vulnerabilities in, for example, the general eShop structure or exploits from bugs in non-Nintendo games would be exempt.” (Source: Hardcore Gamer)
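
The “distributed guessing attack” in the Visa item above is worth seeing as a model, because the weakness is structural rather than a bug in any one site: every merchant enforces its own per-card attempt limit, so an attacker who spreads guesses across many merchants never trips any of them. The Python below is an added illustration written for this roundup, not code from the Newcastle paper, from Visa or from Malwarebytes. Everything in it is assumed or constructed: the 60 candidate expiry dates (five years of months) and 1,000 candidate CVVs, a per-card limit of 10 failed attempts at each merchant, a test card number with invented expiry and CVV, invented merchant names, and a hypothetical network-wide velocity counter standing in for the centralised check the researchers found missing.

```python
"""Toy model of a distributed guessing attack against per-merchant attempt
limits, and the same attack against a network-wide velocity check.

Added example; not code from the Newcastle paper, Visa or Malwarebytes.
Assumptions: 60 expiry candidates, 1000 CVV candidates, per-card limit of 10
failed attempts per merchant, and a hypothetical issuer/network-side counter."""

from dataclasses import dataclass, field

# Constructed test card: a well-known test number with an invented expiry/CVV.
CARD_NUMBER = "4111111111111111"
SECRET_EXPIRY = (9, 2018)   # (month, year) the attacker must recover
SECRET_CVV = "471"

EXPIRY_SPACE = [(m, y) for y in range(2016, 2021) for m in range(1, 13)]  # 60
CVV_SPACE = [f"{n:03d}" for n in range(1000)]                             # 1000


@dataclass
class Merchant:
    """Checkout endpoint with its own per-card attempt limit.  needs_cvv=False
    models merchants that verify only number + expiry, which let the attacker
    confirm the expiry date before guessing the CVV."""
    name: str
    per_card_limit: int = 10
    needs_cvv: bool = True
    attempts: dict = field(default_factory=dict)

    def authorize(self, number, expiry, cvv, network=None):
        """One guess.  Returns 'blocked', 'declined' or 'approved'."""
        if network is not None and network.record(number) == "blocked":
            return "blocked"
        n = self.attempts.get(number, 0)
        if n >= self.per_card_limit:
            return "blocked"          # this merchant has seen enough attempts
        self.attempts[number] = n + 1
        ok = expiry == SECRET_EXPIRY and (not self.needs_cvv or cvv == SECRET_CVV)
        return "approved" if ok else "declined"


@dataclass
class NetworkVelocityCheck:
    """Hypothetical network/issuer-side counter of attempts per card number,
    independent of which merchant submitted them."""
    limit: int = 10
    seen: dict = field(default_factory=dict)

    def record(self, number):
        n = self.seen.get(number, 0) + 1
        self.seen[number] = n
        return "blocked" if n > self.limit else "ok"


def _guess(space, pool, submit):
    """Try each candidate in `space`, rotating over the merchants in `pool`;
    a merchant that blocks the card is dropped and the candidate retried
    elsewhere.  Returns (found_candidate_or_None, submissions_made)."""
    attempts, i = 0, 0
    for candidate in space:
        while pool:
            merchant = pool[i % len(pool)]
            attempts += 1
            result = submit(merchant, candidate)
            if result == "blocked":
                pool.remove(merchant)
                continue
            i += 1
            if result == "approved":
                return candidate, attempts
            break                     # declined: next candidate, next merchant
        if not pool:
            return None, attempts     # every merchant refuses further guesses
    return None, attempts


def distributed_guess(merchants, network=None):
    """Recover expiry, then CVV, for CARD_NUMBER.  Returns (expiry, cvv,
    total submissions) or None when the attack is stopped."""
    expiry_pool = [m for m in merchants if not m.needs_cvv]
    cvv_pool = [m for m in merchants if m.needs_cvv]
    expiry, n1 = _guess(EXPIRY_SPACE, expiry_pool,
                        lambda m, e: m.authorize(CARD_NUMBER, e, "000", network))
    if expiry is None:
        return None
    cvv, n2 = _guess(CVV_SPACE, cvv_pool,
                     lambda m, c: m.authorize(CARD_NUMBER, expiry, c, network))
    if cvv is None:
        return None
    return expiry, cvv, n1 + n2


def build_merchants(no_cvv=6, with_cvv=60, per_card_limit=10):
    """Constructed merchant population (names are invented)."""
    shops = [Merchant(f"shop{i}", per_card_limit, needs_cvv=False) for i in range(no_cvv)]
    shops += [Merchant(f"store{i}", per_card_limit, needs_cvv=True) for i in range(with_cvv)]
    return shops


if __name__ == "__main__":
    # Per-merchant limits only: spreading 505 guesses keeps every merchant under 10.
    print("per-merchant limits only:", distributed_guess(build_merchants()))
    # One counter shared across merchants stops the same attack after 10 guesses.
    print("network velocity check  :", distributed_guess(build_merchants(), NetworkVelocityCheck()))
```

With per-merchant limits only, the model recovers the card with 505 submissions and no merchant ever seeing more than eight; with a single merchant, or with the shared counter in place, the attack is blocked after the tenth attempt. The design lesson is the one the paper draws: a lockout that each merchant computes independently cannot see the pattern, so the velocity check has to live where every attempt for a card is visible.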

Safe surfing, everyone!

The Malwarebytes Labs Team