A week in security (Dec 11 – Dec 17)

Malwarebytes released our annual list of predictions for the year 2017. We claimed that ransomware will remain king—and personal. We also shared out thoughts on exploit kits, Internet of Things (IoT), password managers, and security in general.

Last week, we homed in on a tech support screen lockers, particularly VinCE, provided opinion on a ransomware campaign that encourages people to infect two more in order for them to get their decryptor, and provided deep analysis on Goldeneye, the rebranded Petya/Mischa partnership.

And finally, we looked into a scam-in-a-box company that offers intelligence leads.

Below are notable news stories and security-related happenings:

  • Exclusive: DHS Says Georgia Hack May Have Been Rogue Employee. “The Department of Homeland Security told members of congress Friday that a rogue federal employee may have been responsible for a November hack-attack that targeted the Georgia secretary of state’s system, LifeZette has learned. On Friday afternoon DHS initiated a conference call with members of Georgia’s congressional delegation to discuss the cyber-attack, a Capitol Hill staffer with knowledge of the call told LifeZette.” (Source: LifeZette)
  • Webroot Sheds Light On The Short, Sharp Lifecycle Of Phishing Websites. “Phishing websites have shorter lifecycles than ever before, but their numbers becoming much more prevalent – and Google, PayPal, Yahoo and Apple are the main targets, according to new Quarterly Web Update findings from Webroot. 84% of phishing sites exist for less than 24 hours, and the average life cycle is less than 15 hours, the company found. However, an average of more than 400,000 phishing sites are cropping up each month, and most of those are hidden within unused domains.” (Source: Security Brief Asia)
  • Yahoo Patches Critical XSS Vulnerability That Would Allow Hackers To Read Any Email. “Yahoo patches critical XSS vulnerability that would allow hackers to read any email – Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email. The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen who earned $10,000 for the feat from Yahoo’s bug bounty program. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts among other things.” (Source: The Mirror)
  • Thieves Using Radio Jammers To Prevent Drivers From Locking Their Cars. “British police are warning drivers to check their doors after they use their remote key to lock their car because thieves may be using jammers to block door locking signals, leaving the vehicles unlocked. Thames Valley Police says that thieves have entered and stolen goods from 14 cars parked at motorway (highway) services stations.” (Source: Bleeping Computer)
  • Scammers Can Trick Microsoft Edge Into Displaying Fake Security Warnings. “Hopefully, by now, many readers will be aware of the scam messages that can pop up on your computer screen telling you that your computer may be at risk, and to call a special number for ‘technical support’. Of course, the scam warnings are not legitimate and the person you are calling is not a real Microsoft support engineer. And yet, many computer users have been fooled into making contact, and ended up either with an expensive and unnecessary bill or granting hackers access to their PC. The scams are more successful for the fraudsters the more convincing that their warning appears.” (Source: Bitdefender’s Hot For Security Blog)
  • ‘Proof of Concept’ Project Spawns Three Real-Life Ransomware Families. “Three new and real ransomware families have been spawned by the open-source CryptoWire ransomware project, which is uploaded as a ‘proof of concept’ on GitHub. The original of this ‘educational’ ransomware project was uploaded on GitHub in May this year by an anonymous user. CryptoWire contains a ZIP archive with the ransomware’s course code and a README file, in which the ransomware`s author is advertising their product`s features and capabilities. The project is still available for download.” (Source: Virus Guides)
  • Your Neighborhood ATM May Turn Into A Hacker’s Paradise. “The next time you queue up at the ATM for cash—an experience that has become increasingly onerous since demonetisation— it’s not just the long wait that should worry you. There’s a high probability the cash dispenser runs on software Microsoft stopped supporting more than two years back, thus making it vulnerable to hackers. Card details could be stolen—as they indeed were earlier this year–even as you fret about what to do with the solitary Rs 2,000 note the machine dispenses, if you’re lucky… About 70% of the 202,000 ATM machines in India run on Windows XP, for which Microsoft stopped offering security updates, patches and technical support in April 2014.” (Source: India Times)
  • Malicious Exploit Kit Targeting Internet Explorer Users, On Global Scale. “Researchers at ESET have discovered a new exploit kit spreading through the internet via malicious ads on reputable websites with high traffic. For the last two months, they’ve seen cybercriminals targeting users of Internet Explorer and scanning their computers for vulnerabilities in Flash Player. Hackers have been attempting to remotely download and execute various types of malware through loophole exploits.” (Source: Security Brief)
  • Scammers Spreading Celebrity Nude PDFs On Facebook, Pushing Malware Installation. “Google Chrome is one of the most used Internet browsers but lately, it is being used by cybercriminals and scammers to infect users with adware, malware and other malicious programs due to the low level of scrutiny on its web store. Recently, an Internet security firm Cyren discovered a malicious Chrome extension spreading nude celebrity PDFs all over the Internet including on Facebook. You might be thinking what’s the big deal about spreading PDFs? Well, that’s just a beginning of an irritating adware and malware campaign.” (Source: Hackread)
  • KFC Website Hacked, Colonel’s Club Loyalty Scheme Members Advised To Change Password. “Call in the Colonel! Popular fast food chain KFC has warned Colonel’s Club loyalty scheme members in the UK that its website has been targeted and multiple accounts may have been compromised. About 1.2 million members of the Colonel’s Club, which allows customers to collect Chicken Stamps and “earn their way to free food rewards,” recently received an email about the breach.” (Source: The International Business Times)
  • Connected Toys And Wearables For Christmas? Could Be A Cyber Security Risk. “ESET is warning consumers about connected gifts this Christmas season, as the popularity for devices such as wearables, connected toys and baby monitors continues to grow. The cyber security specialists warn these types of devices can be easily hacked by e-criminals, or turned into a threat to consumers’ privacy. ESET refers to a complaint that was lodged last week with the US Federal Trade Commission over internet-connected toys recording and transmitting kids’ conversations in violation of privacy rules.” (Source: NetGuide)
  • Nearly Half Of All Websites Pose Security Risks. “According to a new study of the top one million domains, 46 percent are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. The big problem is that even when a website is managed by a careful company, it will often load content from other sites, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security, which sponsored the report, which was released this morning. For example, news sites — 50 percent of which were risky — typically run ads from third-party advertising networks.” (Source: CSO)
  • Zcash Mining Software Covertly Installed On Victims’ Machines. “Software ‘mining’ the recently established Zcash (ZEC) cryptocurrency is being foisted upon unsuspecting users, Kaspersky Lab warns. The actual software is not illegal, and not technically malware – it is meant to be used by individuals who are willing to dedicate their machine(s) and pay for the increased electricity usage that accompanies cryptocurrency mining. Unfortunately, there are unscrupulous individuals looking to get the coins without the cost, and they have been installing the software on users’ computers without permission.” (Source: Help Net Security)
  • Exclusive: SWIFT Confirms New Cyber Thefts, Hacking Tactics. “Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide. The messaging network in a Nov. 2 letter seen by Reuters warned banks of the escalating threat to their systems, according to the SWIFT letter. The attacks and new hacking tactics underscore the continuing vulnerability of the SWIFT messaging network, which handles trillions of dollars in fund transfers daily.” (Source: Reuters)
  • DDoS Attacks Have Gone From A Minor Nuisance To A Possible New Form Of Global Warfare. “In September 1996 an internet service provider (ISP) in New York was taken down by a flood of traffic. Computers elsewhere on the internet, controlled by hackers, were sending it up to 150 connection requests every second, far more than it could handle. It was the internet’s first major distributed denial-of-service, or DDoS, attack.” (Source: Quartz)
  • Hackers In Greater China Target Online Transactions, Building ‘Dossiers’ Of Information On Individuals, Expert Says. “Greater China is facing an increasing number of cyberattacks on online transactions, with e-commerce websites being the most vulnerable, according to a recent cybersecurity report. The increasing number of attacks on e-commerce websites come about as the trend of cross-border e-commerce continues to grow, with more consumers shopping online for the best deals, according to cybersecurity firm ThreatMetrix’s Q3 2016 cybercrime report.” (Source: Business Vancouver)
  • Forget The Home, Voice Assistants Are Invading The Workplace. “Much of the headlines about chatbots and digital assistants are focused either on the home or on social media platforms like Slack or Facebook. But what about the office? Are we going to stop talking to each other and start talking to bots? According to Spicework’s Future of IT report – surveying 560 IT pros globally – 19% of businesses are currently using intelligent assistants/chatbots for work-related tasks on company-owned devices, which another 30% are planning to use them in business over the next three years.” (Source: IDG Connect)
  • New Critical Fixes For Flash, MS Windows. “Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software. Half of the dozen patches Microsoft released yesterday earned its “critical” rating, meaning the flaws fixed in the updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.” (Source: KrebsOnSecurity)
  • Filmmakers And Journalists To Camera Makers: Add Encryption. “More than 150 documentary filmmakers and photojournalists have a message for the world’s major camera companies: Build encryption features into your still and video cameras. The Freedom of the Press Foundation on Wednesday published an open letter signed by the likes of filmmaker and journalist Laura Poitras, director of the Oscar winning ‘Citizenfour’ and one of the people Edward Snowden first contacted with his NSA leaks, and Alex Gibney, who directed the acclaimed Scientology documentary ‘Going Clear’.” (Source: CNET)
  • ‘Secure the News’ Grades Media Sites On HTTPS—And Most Fail. “Before you enter your credit card into an unknown website, you probably (hopefully) check your browser for the padlock icon that means your connection to that site uses HTTPS encryption, which helps prevent hackers and eavesdroppers. But you probably don’t apply that same perfunctory padlock check to news sites, despite the fact that a media outlet’s lack of encryption can endanger journalists’ sources, expose your reading habits, and even allow censorship and tampering with stories. Now a new, constantly updated encryption ranking site performs that check for you—and may just help push more news organizations to better lock themselves down.” (Source: Wired)
  • Half Of The Web Is Vulnerable To Malware. “Menlo Security, a pioneer of malware isolation, today announced the availability of its State of The Web 2016 report. The surprising results reveal that nearly half (46%) of the Internet’s top 1 million web sites, as ranked by Alexa, are risky.  This is largely due to vulnerable software running on web servers and on underlying ad network domains. The results are significant because risky sites have never been easier to exploit, and traditional security products fail to provide adequate protection. Attackers have their veritable choice of half the web to exploit, allowing them to launch phishing attacks from legitimate sites.” (Source: IT Security Guru)
  • Reschedule The Holiday Party, Patch Tuesday Is Here And It’s A Big One. “Security patches for Windows, Mac OS, iOS and other Apple firmware, and a host of Adobe products, were emitted this week. The final scheduled patch dump of the year sees Microsoft deliver fixes for multiple products, while Apple has security updates for iOS, Mac OS, Safari, and iTunes, and Adobe patches nine products including Flash Player and InDesign.” (Source: The Register)
  • Twitch Rolls Out Automated Tool To Stem Wave Of Chat Harassment. “With messages flying by at speeds literally too fast for a human to read, manual moderation is an uphill battle on some of the most popular Twitch channels. That situation has led to plenty of instances where popular streamers have been deluged with waves of racist or sexist abuse that even quality human moderators can have trouble stemming. Twitch is offering a new tool in the fight against chat room trolls today in the form of AutoMod. Rather than relying on humans to flag and take down inappropriate messages after they’re posted (and quite possibly after the streamer has already read them), AutoMod tries to detect those messages automatically and preemptively send them to a moderation queue for approval or dismissal.” (Source: Ars Technica)
  • Affordable Android Phones Coming With Malware Injected In Stock Firmware. “Russian security company Dr. Web, which also makes a PC antivirus solution bearing the same name, warns that it discovered a total of 26 smartphone models running Android and infected with malware that’s injected in the stock firmware they are shipped with. Most of the models on the list, which you find in full at the end of the article, are smartphones sold on the Russian market and based on the MTK platform, which is a chipset developed by Taiwan-based MediaTek. The list includes phones sold by Prestigio, Irbis, MegaFon, and SUPRA.” (Source: Softpedia)
  • The Human Factor In Information Security. “No one can deny that cyberattacks are the new norm. Such risks will increasingly challenge our ability to operate our businesses. In the world of cybercrime, everyone — from individuals to nation-states — is a target. However, some targets are more alluring than others. Legal, accounting and other professional firms are increasingly targeted by cybercriminals and hackers who are intent on accessing the vast stores of data with which they are entrusted. Indeed, hackers focus a greater percentage of their attacks on the financial services and health care industries than other areas because of the large amounts of data they hold.” (Source: Legal Tech News)
  • Stop Using Netgear Routers With Unpatched Security Bug, Experts Warn. “A variety of Netgear router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices, security experts warned over the weekend. The critical bug allows remote attackers to inject highly privileged commands whenever anyone connected to the local Netgear network clicks on a malicious Web link, a researcher who uses the online handle Acew0rm reported on Friday. The link, which can be disguised to appear innocuous, then injects a command that routers run as root. The devices’ failure to properly filter out input included in Web requests allows attackers to run powerful shell commands.” (Source: Ars Technica)
  • Uber ‘God View’ Allowed Staff To Spy On High-profile Politicians, Ex-partners And Beyoncé, Court Hears. “Samuel Ward Spangenberg is suing his former employer, minicab firm Uber, claiming that he suffered age discrimination and retaliation after whistle-blowing on some of the company’s practices. As The Center for Investigative Reporting describes, Uber’s former forensic investigator claims that staff regularly snooped on customer records in order to spy on the movements of celebrity customers, ex-partners and spouses. One of those allegedly snooped upon was pop superstar Beyoncé.” (Source: Graham Cluley’s Blog)
  • The Rising Use Of Personal Identities In The Workplace. “90% of enterprise IT professionals are concerned that employee reuse of personal credentials for work purposes could compromise security. However, with 68% saying they would be comfortable allowing employees to use their social media credentials on company resources, Gemalto’s research suggests that personal applications (such as email) are the biggest worry to organisations. The enterprise and consumer worlds are merging closer together, with enterprise security teams under increasing pressure to implement the same type of authentication methods typically seen in consumer services, such as fingerprint scanning and iris recognition. 62% believed this was the case, with 63% revealing they feel security methods designed for consumers provide sufficient protection for enterprises. In fact, 52% believe it will be just three years before these methods merge completely.” (Source: Help Net Security)
  • Insecure Pagers Give Hackers An Entry Way Into Voice Mails, Conference Calls. “All it takes is a $20 dongle and some patience, and an attacker can listen into a company’s pager communications — including transcribed voice mail messages and dial-in instructions for conference calls. There are many voicemail services that automatically transcribe voice mail messages, according to a new report by Trend Micro. In some cases, those messages are forwarded to employees via their pagers.” (Source: CSO)
  • Nymaim Using MAC Addresses To Uncover Virtual Environments And Bypass Antivirus. “Nymaim, a malware family connected to several online ransom campaigns in recent years, is retrieving network card MAC addresses and using them to uncover virtual environments, thwarting automated antivirus analysis tools in the process. Virtualized environments are widely used in large organizations trying to simplify IT by only giving users a thin client, according to SophosLabs researcher Sandor Nemes. It’s also where antivirus researchers deploy the sandboxes they use for automated malware analysis. By going around virtualized environments, Nymaim loses potential targets. But it escapes the automated antivirus sandboxes, which can buy an attacker precious time, Nemes said.” (Source: Sophos’s Naked Security Blog)
  • BugSec, Cynet Discover Critical Flaw Allowing Attackers To Read Private Facebook Messenger Chats. ‘The root of the vulnerability was a cross-origin problem in Facebook’s implementation, which would allow an attacker to bypass Facebook’s origin checks and access messages from an external website. “This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers,’ said Stas Volfus, Chief Technology Officer of BugSec. To exploit the vulnerability, the victim would have to visit a malicious website controlled by the attacker. From that moment, all messages sent or received by the victim would be accessible to the attacker. Said Volfus, ‘This was an extremely serious issue, not only due to the high number of affected users, but also because even if the victim sent their messages using another computer or mobile, they were still completely vulnerable. Facebook realized the potential severity, and responded quickly, verifying the flaw and fixing it.’” (Source: PR Web)
  • Cyber Criminals Are Getting Smarter But Businesses Only Act When Targeted, Experts Warn. “As the dissemination of data and information becomes more and more advanced – the rise of the digital age makes a lot of tasks a whole lot easier, but so does the risk of cyber-attacks. Cyber-attacks can come in many forms, however, the most prevalent target for these criminals are collecting confidential information and stealing money.” (Source: Malaysian Digest)
  • Say Good-bye To Microsoft Security Bulletins. “This is the last month we’ll see security bulletins from Microsoft—and I can’t wait. Patch numbers are currently interlocked, with security bulletins referencing KB numbers that aren’t available in the Windows 10 cumulative updates or in the Windows 7/8.1 security-only or monthly rollup patches. But hang in there, it will get less complicated next month. I hope.” (Source: InfoWorld)
  • Non-Malware Attacks On The Rise, In The Shadow Of Ransomware. “2016 saw attackers holding data for ransom at an alarming rate; but in conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent in organizations’ networks. According to Carbon Black data, these non-malware attacks are capable of gaining control of computers without downloading any files and are using trusted, native operating system tools (such as PowerShell) and exploiting running applications (such as web browsers and Office applications) to conduct malicious behavior.” (Source: InfoSecurity Magazine)
  • Hackers Get Around AI With Flooding, Poisoning And Social Engineering. “Machine learning technologies can help companies spot suspicious user behaviors, malicious software, and fraudulent purchases — but even as the defensive technologies are getting better, attackers are finding ways to get around them.Machine learning technologies can help companies spot suspicious user behaviors, malicious software, and fraudulent purchases — but even as the defensive technologies are getting better, attackers are finding ways to get around them. Many defensive systems need to be tuned, or tune themselves, in order to appropriately respond to possible threats.” (Source: CSO)
  • The Economics Of Ransomware Revealed. “70 percent of businesses infected with ransomware have paid ransom to regain access to business data and systems. In comparison, over 50 percent of consumers surveyed said they would not pay to regain access back to personal data or devices aside from financial data, according to IBM Security. IBM X-Force surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data.” (Source: Help Net Security)
  • The Government Body That Oversees The Security Of Voting Systems Was Itself Hacked. “The U.S. Election Assistance Commission, which is responsible for testing and certifying voting systems, among other things, was hacked around the time of the election, security outfit Recorded Future reports. The EAC confirmed a ‘potential intrusion’ in a statement issued to TechCrunch. This isn’t a smoking gun for a stolen election or anything like that; the EAC doesn’t actually run the elections, nor does it handle voter information. But it is a shameful display all the same, especially considering how loudly and frequently the hacking threat has been bruited by officials this year.” (Source: TechCrunch)
  • Ashley Madison Settles Charges Over Its Massive Data Breach. “Ashley Madison is paying the price for the hack that exposed the info of 36 million customers, and we don’t just mean through executive departures. The owners of the cheat-on-your-spouse site, Ruby Corp, have settled charges from both the US Federal Trade Commission and 13 states alleging that it both misled users and didn’t do enough to protect their info. The actual fine is small — Ashley Madison was intended to pay a total of $17.5 million, but can only afford to pay just over $1.6 million. However, the reforms may go a long way toward solving some of the underlying problems that led to both the breach and shady business practices.” (Source: Engadget)
  • Contactless Payments: Addressing The Security Issues. “The emergence of contactless payments on mobile phones is changing the way transactions are authenticated and secured, says Jeremy King, international director of the PCI Security Standards Council. In a contactless environment, on mobile devices in particular, biometrics authentication can replace the need to use PIN entry as an additional authentication layer, King says in this interview conducted at Information Security Media Group’s recent Fraud & Breach Prevention Summit in London.” (Source: InfoRisk Today)
  • New ‘Giveaways’ Target Shoppers Searching For Hatchimals And Other Hot Toys. “During the holiday season, parents scrambling at the last minute to purchase toys at the top of their children’s wish lists will often go to great lengths to deliver. Scammers are taking advantage of this and are promoting fake Hatchimal giveaways to trick parents into disclosing bank information and other personal data, warns social media security company ZeroFOX. Fake coupons, merchandise and gift card generators are also being used to target shoppers.” (Source: Forbes)
  • Cerber Ransomware Spreads via Fake Credit Card Email Reports. “Just in time for the Christmas holiday shopping spree, the group behind the Cerber ransomware has launched a spam campaign that uses fake credit card reports to trick users into opening a Word file that under certain circumstances will download and install the deadly Cerber ransomware. Detected by the staff of the Microsoft Malware Protection Center, the emails in this spam campaign pretend to be pending payments for MasterCard credit cards.” (Source: Bleeping Computer)
  • Malvertising Campaign Targets Routers And Every Device Connected To Router. “Well this is just peachy – cybercriminals are actively using a malvertising campaign that infects routers and even Android devices. If the router is pwned, then every device connected to that router is pwned. Proofpoint researchers warned that cyber thugs are using a new and improved version of the DNSChanger exploit kit (EK) for this malvertising campaign. Generally, malvertising involves an attacker injecting malware into ads which can infect via browsers and attack a victim’s computer after simply visiting an affected page.” (Source: Computer World)

Safe surfing, everyone!

The Malwarebytes Labs Team

https://blog.malwarebytes.com/feed/